Docstoc

Windows XP Secure User Manual

Document Sample
Windows XP Secure User Manual Powered By Docstoc
					Digital Aegis




   Windows XP Secure User
         Manual
     Protecting your computer from the world
                   Jesse Ksenych




                                           2010
                                                     Windows XP Secure User Manual 2010

Table of Contents
Basic Configurations...................................................................................................................................... 4
   Service Packs and Security Updates.......................................................................................................... 4
   Disable the Guest Account ........................................................................................................................ 4
   Change How Users Logon ......................................................................................................................... 4
   Remote Assistance .................................................................................................................................... 4
   Windows Firewall...................................................................................................................................... 5
   Bios Settings .............................................................................................................................................. 5
User Account Policies and Password Policies ............................................................................................... 5
   Account ..................................................................................................................................................... 5
   Lockouts .................................................................................................................................................... 6
   Audit Policy ............................................................................................................................................... 6
Security Settings............................................................................................................................................ 7
Registry Key Settings ................................................................................................................................... 10
Services to Disable ...................................................................................................................................... 12
User Rights .................................................................................................................................................. 13
File System Permissions .............................................................................................................................. 14
Internet Explorer Settings ........................................................................................................................... 16
   .Net Framework-Reliant Components .................................................................................................... 16
   ActiveX Control and Plug-In .................................................................................................................... 16
   Downloads .............................................................................................................................................. 16
   Miscellaneous ......................................................................................................................................... 17
   Scripting .................................................................................................................................................. 17
   User Authentication ................................................................................................................................ 17
   Browsing ................................................................................................................................................. 17
   Security ................................................................................................................................................... 17
Group Policy Object Settings ...................................................................................................................... 17
   How to get to it ....................................................................................................................................... 18
   Computer Administrative Template ....................................................................................................... 18
       Internet Explorer ................................................................................................................................. 18
       Application Compatibility.................................................................................................................... 18
       Internet Information Services ............................................................................................................. 18
       Task Scheduler .................................................................................................................................... 18
       Terminal Services ................................................................................................................................ 18


Page 2 of 24                                                                                                                                Jesse Ksenych
                                                    Windows XP Secure User Manual 2010
       Windows Installer ............................................................................................................................... 18
       Windows Messenger........................................................................................................................... 19
       System-Logon ...................................................................................................................................... 19
       Remote Assistance .............................................................................................................................. 19
       System Restore ................................................................................................................................... 19
       Error Reporting ................................................................................................................................... 19
       Network Connections ......................................................................................................................... 19
   User Administrative Templates............................................................................................................... 19
       Task Scheduler .................................................................................................................................... 19
       Windows Installer ............................................................................................................................... 19
       Windows Messenger........................................................................................................................... 19
       System-Logon ...................................................................................................................................... 19
       Application Compatibility.................................................................................................................... 20
       Windows Components, Internet Explorer, Internet Control Panel .................................................... 20
       Windows Components, Internet Explorer, Offline Pages ................................................................... 20
       Windows Components, Internet Explorer, Browser Menu ................................................................ 20
       Windows Components, Internet Explorer, Browser Menu ................................................................ 20
       Windows Components, Internet Explorer, Browser Menu ................................................................ 20
       Windows Components, Internet Explorer .......................................................................................... 20
       Windows Components, Internet Explorer .......................................................................................... 20
       Windows Explorer ............................................................................................................................... 20
       Windows Explorer ............................................................................................................................... 20
       Windows Explorer ............................................................................................................................... 20
       Microsoft Management Console ........................................................................................................ 21
       Windows Media, User Interface ......................................................................................................... 21
       Windows Media Player, Networking .................................................................................................. 21
       Start Menu and Task Bar ..................................................................................................................... 21
       Start Menu and Task Bar ..................................................................................................................... 21
       Start Menu and Task Bar ..................................................................................................................... 21
       Control Panel, Add/Remove Programs ............................................................................................... 21
       Network, Network Connections.......................................................................................................... 21
       System, Power Management .............................................................................................................. 21
Disable Running CD’s and USB Storage Devices ......................................................................................... 22
GPO Administrator Account Removal......................................................................................................... 22
Bibliography ................................................................................................................................................ 24

Page 3 of 24                                                                                                                              Jesse Ksenych
                                  Windows XP Secure User Manual 2010



Basic Configurations
       This section will outline small changes that can be made to the windows XP operating system
       with limited knowledge of the OS. This includes removing guest accounts and setting up
       automated updates; these tasks are fairly simple and can be done through easy to use GUI
       interfaces.

       Service Packs and Security Updates
       Insure that the Windows OS is fully updated and that any critical or optional security updates
       have been installed

               Process: open the run prompt and start “wupdmgr.exe”, follow the instructions on the
               website installing the applications that Windows requires to run its updates. Do not use
               express updates use custom and install the optional application updates since most of
               these are security updates

               Follow up: Start Menu > Control Panel > Windows Security Center > Automatic
               Updates (down at the bottom)

               Note: Set the automatic updates to a time that makes sense for your business, a time
               when most machines are on but not being used, possible times include between shifts or
               at the end of the day

       Disable the Guest Account
       In most cases this is disabled by default but is always something to check

               Process: Start Menu > Control Panel > Administrative Tools > Computer Management >
               Local Users and Groups > Users > Right Click on Guest > Properties (insure that
               “Account is disabled” is selected)

       In the same location as above delete the ASP.Net account, and the other 2 accounts, so that the
       only ones that remain are Administrator, the account you created, and guest
       Disable the default admin account after creating your own local admin account

       Change How Users Logon
       Change the logon window back to the default window not the windows XP welcome screen.
       Control Panel > Users > Change How Users Log On > uncheck “welcome screen”

       Remote Assistance
       Start Menu > right click on “My Computer” > Properties > Remote

               Disable remote assistance and any other remote access.

Page 4 of 24                                                                               Jesse Ksenych
                                   Windows XP Secure User Manual 2010


       Windows Firewall
       Start Menu > Control Panel > Windows Firewall

                Set firewall to “ON”, and check “do not allow exceptions”

                Go to the advanced tab under “logging”
                     i. Check “log dropped packets”
                    ii. Check “log successful connections”


       Bios Settings

       Set Bios to no longer allow for USB or CD booting and set a password

           a.   On boot before windows screen press F2
           b.   Go to the “boot menu”
           c.   Use the “–“ key to move everything down so that hard drive is at the top of the boot list
           d.   Then go to the security tab
           e.   Set admin password to a secure 8 digit code



User Account Policies and Password Policies
       This section outlines the user account and password polices that need to be set to both secure
       the user accounts as well as securing how the users log in. This includes not only how long a
       password needs to be or how complex the password needs to be, but also audit settings that
       include what events should be logged and for how long. Lastly it includes lockout settings which
       limited password attacks that can be used on the local system by locking a user from logging on
       after a set number of attempts.

       Account
       Start Menu > Control Panel > Administrative Tools > Local Security Policy> Account Policy >
       Password Policy

       Min password length – set the minimum password length to something that makes sense for
       you, in our case we choose 14 characters because most script kitty password crackers work on 12
       char or less easily

       Max password age - select Maximum password age and change to 90 days.
       Reason: we recommend 90 days since this project is aimed at small businesses and it’s unlikely
       that they will want to change passwords more often than that




Page 5 of 24                                                                                 Jesse Ksenych
                                   Windows XP Secure User Manual 2010
       Password History - select “Enforce password history” and insure its set to 5
       Reason: this remembers the users last 5 passwords to insure they do not try to reuse an old one,
       the reason its set to 5 is that it’s unrealistic for a small business to require more than 5 different
       passwords

       Password Complexity - select “Password must meet complexity settings” and enable it


       Lockouts
       Start Menu > Control Panel > Administrative Tools > Local Security Policy> Account Policy >
       Account Lockout Policy

       Lockout Threshold - select “Account Lockout Threshold” and set to 10
       Reason: in a small business environment it’s unlikely a user would try more than 10 times and if
       they did its unlikely they would remember their password

       Duration - select “lockout duration” and set to 15 min

       Reset - will auto set to 15 min (can be set in server AD settings to not remove lock until admin
       removes lock)


       Audit Policy
       Start Menu > Control Panel > Administrative Tools > Local Security Policy> Local Policy >
       Audit Policy

       Audit account login events
       Process: select audit account login events and check success and failure

       Audit account management
       Process: select audit account management and check success and failure

       Directory service access
       Process: select directory service access and insure neither are checked

       Logon events
       Process: select Logon events and check success and failure

       Object access
       Process: select Object access and check failure

       Policy change
       Process: select Policy change and check success

       Privilege use
       Process: select Privilege use and check failure



Page 6 of 24                                                                                    Jesse Ksenych
                                   Windows XP Secure User Manual 2010
       Process tracking
       Process: select Process tracking and check success

       System events
       Process: select System events and check success


Security Settings
       This section describes local policy settings that need to be set in the security options field. These
       settings control what the OS is allowed to do, security settings that don’t belong in any other
       specific settings, and settings that help to limit the effect users can have on the OS.

       Start mMenu > Control Panel > Administrative Tools > Local Security Policy> Local Policy >
       Security Options

       Network Access: Allow Anonymous SID/Name Translation:
       Process: select the above setting and check disabled

       Network Access: Do not allow Anonymous Enumeration of SAM Accounts
       Process: select the above setting and check enabled

       Network Access: Do not allow Anonymous Enumeration of SAM Accounts and Shares
       Process: select the above setting and check enabled

       Data Execution Protection
       Process: Control Panel > System > Advanced > Performance> turn on DEP for all programs

       Accounts: Administrator Account Status
       Process: select the above setting and check (disable later)

       Accounts: Guest Account Status
       Process: select the above setting and check disabled

       Accounts: Limit local account use of blank passwords to console logon only
       Process: select the above setting and check enabled

       Audit: Shut Down system immediately if unable to log security alerts
       Process: select the above setting and check disabled

       Devices: Allow undock without having to log on
       Process: select the above setting and check disabled

       Devices: Allowed to format and eject removable media
       Process: select the above setting and check Administrators

       Devices: Prevent users from installing printer drivers
       Process: select the above setting and check enabled



Page 7 of 24                                                                                  Jesse Ksenych
                                 Windows XP Secure User Manual 2010
       Devices: Restrict CD-ROM Access to Locally Logged-On User Only
       Process: select the above setting and check disabled

       Devices: Restrict Floppy Access to Locally Logged-On User Only
       Process: select the above setting and check disabled

       Devices: Unsigned Driver Installation Behavior
       Process: select the above setting and check warn but allow

       Domain Member: Digitally Encrypt or Sign Secure Channel Data
       Process: select the above setting and check enable

       Domain Member: Digitally Encrypt Secure Channel Data
       Process: select the above setting and check enable

       Domain Member: Digitally Sign Secure Channel Data
       Process: select the above setting and check enable

       Domain Member: Require Strong (Windows 2000 or later) Session Key
       Process: select the above setting and check enable

       Interactive Logon: Do Not Display Last User Name
       Process: select the above setting and check enable

       Interactive Logon: Do not require CTRL+ALT+DEL
       Process: select the above setting and check disabled

       Interactive Logon: Message Text for Users Attempting to Log On
       Process: select the above setting and (adjust to company specs)

       Interactive Logon: Message Title for Users Attempting to Log On
       Process: select the above setting and (adjust to company specs)

       Interactive Logon: Number of Previous Logons to Cache
       Process: select the above setting and set to 0

       Interactive Logon: Prompt User to Change Password Before Expiration
       Process: select the above setting and check 7 days

       Interactive Logon: Require Domain Controller authentication to unlock workstation
       Process: select the above setting and check disabled

       Interactive Logon: Smart Card Removal Behavior
       Process: select the above setting and check lock workstation

       Microsoft Network Client: Digitally sign communications
       Process: select the above setting and check enabled

       Microsoft Network Client: Unencrypted Password to Connect to Third-Party SMB Server
       Process: select the above setting and check disabled

Page 8 of 24                                                                      Jesse Ksenych
                                 Windows XP Secure User Manual 2010

       Microsoft Network Server: Amount of Idle Time Required Before Disconnecting Session
       Process: select the above setting and set 15 min

       Microsoft Network Server: Digitally sign communications (always)
       Process: select the above setting and check enable

       Microsoft Network Server: Enabled digitally sign communications (if client agrees)
       Process: select the above setting and check enable

       Microsoft Network Server: Disconnect clients when logon hours expire
       Process: select the above setting and check enable

       Network Access: Do not allow storage of credentials or .NET passports for network
       authentication
       Process: select the above setting and check enable

       Network Access: Let Everyone permissions apply to anonymous users
       Process: select the above setting and check disable

       Network Access: Sharing and security model for local accounts
       Process: select the above setting and check classic

       Network Security: Do not store LAN Manager Password hash value on next password
       change
       Process: select the above setting and check enabled

       Network Security: Force logoff when logon hours expire
       Process: select the above setting and check enabled

       Network Security: LAN Manager Authentication Level
       Process: select the above setting and check Send NTLMv2, refuse LM and NTLM

       Network Security: LDAP client signing requirements
       Process: select the above setting and check negotiate signing

       Network Security: Minimum session security for NTLM SSP based (including secure RPC)
       clients
       Process: select the above setting and check all

       Network Security: Minimum session security for NTLM SSP based (including secure RPC)
       servers
       Process: select the above setting and check all

       Recovery Console: Allow Automatic Administrative Logon
       Process: select the above setting and check disabled

       Recovery Console: Allow Floppy Copy and Access to All
       Process: select the above setting and check disabled


Page 9 of 24                                                                         Jesse Ksenych
                                 Windows XP Secure User Manual 2010
       Shutdown: Allow System to be shut Down Without Having to Log On
       Process: select the above setting and check disabled

       Shutdown: Clear Virtual Memory Page file
       Process: select the above setting and check enabled

       System objects: Default owner for objects created by members of the Administrators group
       Process: select the above setting and check object creator

       System objects: Require case insensitivity for non-Windows subsystems
       Process: select the above setting and check enabled

       System objects: Strengthen default permissions of internal system objects
       Process: select the above setting and check enabled

Registry Key Settings
       This section outlines the Registry settings that need to be set using “regedit”. This section
       involves directly editing the registry with values that help to apply security settings to the
       operating system.
       Note: Since these settings are directly applied to the registry they should not be applied by a
       user unfamiliar with the registry and the registry should always be backed up first.

       Start Menu > Run > regedit

       Suppress Dr. Watson Crash Dumps: (REG_DWORD) 0
       HKLM\Software\Microsoft\DrWatson\CreateCrashDump

       Disable Automatic Execution of the System Debugger: (REG_DWORD) 0
       HKLM\Software\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto

       Disable auto play from any disk type, regardless of application: (REG_DWORD) 255
       HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun

       Disable auto play for current user: (REG_DWORD) 255
       HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun

       Disable auto play for the default profile: (REG_DWORD) 255
       HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeA
       utoRun

       Disable automatic reboots after a Blue Screen of Death: (REG_DWORD) 0
       HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot

       Disable CD Auto run: (REG_DWORD) 0
       HKLM\System\CurrentControlSet\Services\CDrom\Autorun

       Remove administrative shares on workstation (Professional): (REG_DWORD) 0
       HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks


Page 10 of 24                                                                           Jesse Ksenych
                                 Windows XP Secure User Manual 2010
       Protect against source-routing spoofing: (REG_DWORD) 2
       HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting

       Protect the Default Gateway network setting: (REG_DWORD) 0
       HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DeadGWDetectDefault

       Ensure ICMP Routing via shortest path first: (REG_DWORD) 0
       HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect

       Manage Keep-alive times: (REG_DWORD) 300000
       HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime

       Protect Against Malicious Name-Release Attacks: (REG_DWORD) 1
       HKLM\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand

       Ensure Router Discovery is Disabled: (REG_DWORD) 0
       HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery

       Protect against SYN Flood attacks: (REG_DWORD) 2
       HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect

       Enable IPSec to protect Kerberos RSVP Traffic: (REG_DWORD) 1
       HKLM\System\CurrentControlSet\Services\IPSEC\ NoDefaultExempt

       Hide workstation from Network Browser listing: (REG_DWORD) 1
       HKLM\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden

       Enable Safe DLL Search Mode: (REG_DWORD) 1
       HKLM\System\CurrentControlSet\Control\SessionManager\SafeDllSearchMode

       Disable WebDAV basic authentication: (REG_DWORD) 1
       HKLM\System\CurrentControlSet\Services\WebClient\Parameters\UseBasicAuth

       Disable basic authentication over a clear channel: (REG_DWORD) 1
       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings\DisableBasicOverClea
       rChannel

       USB Block Storage Device Policy: (REG_DWORD) 1
       HKLM\System\CurrentControlSet\Control\StorageDevicePolicies

       Deleting the Optional, POSIX, values at
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\Subsystems

       Stopping USB flash drives from loading: (DWORD) 4 (3 to turn it back on) (note that you need to
       have tried to connect a usb device for this key to appear) (after you have edited this key make
       the file system permissions related to it below)
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\start




Page 11 of 24                                                                           Jesse Ksenych
                                 Windows XP Secure User Manual 2010

Services to Disable
       This section outlines the services that are not required for this implementation of windows XP
       and should be disabled and not allowed to start up.

       Control Panel > Administrative Tools > Services

       Alerter
       Application Layer Gateway Service
       Application Management
       ASP .NET State Service
       Automatic Updates
       Background Intelligent Transfer Service
       Clip Book
       Computer Browser
       Distributed Link Tracking Client
       Distributed Transaction Coordinator
       Error Reporting Service
       Help and Support
       Human Interface Device Access
       IMAP CD-Burning COM Service
       Indexing Service
       Messenger
       NetMeeting Remote Desktop Sharing
       Network DDE (DSDM)
       Portable Media Serial Number
       QOS RSVP
       Remote Access Auto Connection
       Manager
       Remote Access Connection Manager
       Remote Desktop Help Session Manager
       Remote Procedure Call Locator Service
       Removable Storage
       Routing and Remote Access
       Secondary Logon (Run As)
       Shell Hardware Detection
       Smart Card
       Task Scheduler
       Telephony
       Telnet
       Web Client
       Windows Audio
       Windows Image Acquisition (WIA)
       Wireless Configuration




Page 12 of 24                                                                             Jesse Ksenych
                                   Windows XP Secure User Manual 2010

User Rights
       This section goes through settings that need to be applied in the local policy editor to limit the
       functions and operations that users are allowed to perform.

       Start Menu > Control Panel > Administrative Tools > Local Security Policy> Local Policy >
       Security Options

       Access from network
       Process: select Access this computer from the network and set to only administrator

       Act as part of the OS
       Process: select Act as part of the operating system and insure no one is added

       Allow Login through Terminal Services
       Process: select the above setting and allow only administrators

       Back up Files and Directories
       Process: select the above setting and allow only administrators

       Change the System Time
       Process: select the above setting and allow only administrators

       Debug Programs
       Process: select the above setting and remove administrator and all other users

       Deny access to this computer from the network
       Process: select the above settings and add the following users
              Anonymous login
              Default admin account

       Deny logon as a batch job
       Process: select the above setting and add the guest account

       Deny logon through terminal services
       Process: select the above setting and add the guest account and the anonymous account

       Impersonate a client after authentication
       Process: select the above setting and insure that only administrator and service are added

       Log on Locally
       Process: select the above setting and remove all but administrators and Users

       Profile Single Process
       Process: select the above setting and only add Administrators

       Remove computer from docking station
       Process: select the above setting and only allow administrators and users


Page 13 of 24                                                                                 Jesse Ksenych
                                  Windows XP Secure User Manual 2010
       Restore Files and Directories
       Process: select the above setting and only allow administrators

       Shut down the system
       Process: select the above setting and only allow administrators and users


File System Permissions
       This section outlines specific file permissions that need to be applied on the windows XP
       machine to insure that only administrators have access to built-in system tools that could be
       dangerous in the average user’s hands, or could prove security risks in the hands of a dangerous
       individual.

       %System Root%\system32\at.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\attrib.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\cacls.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\debug.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\drwatson.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\drwtsn32.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\edlin.exe
       Permissions: Admin = Full, System =Full, Interactive = Full

       %System Root%\system32\eventcreate.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\eventtriggers.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\ftp.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\net.exe
       Permissions: Admin = Full, System =Full



Page 14 of 24                                                                            Jesse Ksenych
                                 Windows XP Secure User Manual 2010

       %System Root%\system32\net1.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\netsh.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\rcp.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\reg.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\regedt32.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\regsvr32.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\rexec.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\rsh.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\runas.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\sc.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\subst.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\telnet.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\tftp.exe
       Permissions: Admin = Full, System =Full

       %System Root%\system32\tlntsvr.exe
       Permissions: Admin = Full, System =Full

       %System Root%\Inf\Usbstor.pnf and %System Root%\Inf\Usbstor.inf
       Permissions: deny to all but admin




Page 15 of 24                                                            Jesse Ksenych
                                   Windows XP Secure User Manual 2010
       %System Root%\system32\cmd.exe
       Permissions: Admin = Full, System = Full

Internet Explorer Settings
       This section explains the settings that an administrator should apply to their internet explorer
       options that will then be applied to all users that log on locally to that machine. The reason for
       these settings is to help secure internet explorer to close off security holes known to exist in it.
       These settings also limit what users are allowed to do in Internet Explorer like downloading
       potentially dangerous files for example.
       Set to medium or medium low then change the following

       .Net Framework-Reliant Components

       Run components not signed with Authenticode: disabled
       Run components signed with Authenticode: disabled

       ActiveX Control and Plug-In

       Allow previously unused scripts: disabled
       Allows scriptlets: disabled
       Automatic prompting: disabled
       Binary and script behaviors: disabled
       Display video and animation: disabled
       Download signed active x controls: disabled
       Download unsigned active x controls: disabled
       Initialize and script ActiveX controls not marked as safe: disabled
       Run ActiveX controls and plug-ins: disabled
       Script ActiveX controls marked safe for scripting: disabled

       Downloads

       File Download: disabled
       Automatic prompting for file download: disabled
       Font Download: disabled




Page 16 of 24                                                                                   Jesse Ksenych
                                  Windows XP Secure User Manual 2010
       Miscellaneous

       Access data sources across domains: disabled
       Allow META REFRESH: disabled
       Allow scripting of Internet Net Explorer Web browser control: disabled
       Display mixed content: Prompt
       Don't prompt for client certificate selection when no certificate or only one certificate exists:
       disabled
       Drag and drop or copy and paste files: Prompt
       Installation of desktop items: disabled
       Launching applications and unsafe files: prompt
       Launching programs and files in an IFRAME: disabled
       Navigate sub frames across different domains: disabled
       Submit non-encrypted form data: prompt
       User data persistence: disabled

       Scripting

       Active scripting: disabled
       Allow programmatic clipboard access: disabled
       Scripting of Java applets: disabled

       User Authentication

       Logon: Prompt for username and password

       Browsing

       Disable script debugging: check
       Enable third-party browser extensions: unchecked

       Security

       All items that begin with allow: check


Group Policy Object Settings
       This section explains settings that need to be applied in the Local GPO in windows XP. These
       settings cover a lot of ground in windows XP and include everything from limiting what the user
       can do in the control panel to effecting what applications can run on the OS. These settings are
       very important to the security of a windows XP box and should be carefully implemented to
       insure none are missed.




Page 17 of 24                                                                              Jesse Ksenych
                                  Windows XP Secure User Manual 2010
       How to get to it
       1.   Click Start, and then click Run
       2.   In the Open box, type gpedit.msc, and then click OK
       3.   Open computer configuration
       4.   Right click on admin templates
       5.   Select add/remove templates
       6.   Click add
       7.   Select and open system.adm and inetres.adm
       8.   Open them and close

       Computer Administrative Template
                Internet Explorer

                Security Zones: Do not allow users to change policies: Enabled
                Security Zones: Do not allow users to add/delete sites: Enabled
                Disable automatic install of components: Enabled



                Application Compatibility

                Prevent access to 16bit apps: Enabled

                Internet Information Services

                Prevent IIS installation: Enabled

                Task Scheduler

                All settings: Enable

                Terminal Services

                Client Server data Redirection, All settings: enable/disable to restrict redirection of
                anything
                Encryption and security, RPC Security Policy, Secure server: Enabled
                Encryption and Security
                Always prompt client for password upon connection: Enabled
                Set Client connection encryption level: Enabled (High)

                Windows Installer

                Disable Windows Installer: Enabled “for non-managed apps only”
                Always installed with elevated privileges: Enabled
                Remove browse dialog box for new source: Enabled
                Cache transforms in secure location on workstation: Enabled




Page 18 of 24                                                                               Jesse Ksenych
                                  Windows XP Secure User Manual 2010


                Windows Messenger

                Do not allows windows messenger to be run: Enabled
                Do not allows windows messenger to start at logon: Enabled

                System-Logon

                Do not process the run once list: Enabled

                Remote Assistance

                Solicited Remote Assistance: Disabled
                Offer Remote assistance: disabled

                System Restore

                Turn off configuration: enabled

                Error Reporting

                Report Errors: disabled

                Network Connections

                Prohibit use of Internet Connection sharing on your DNS: enabled
                Prohibit installation and Configuration of Network Bridge: enabled

       User Administrative Templates
                Instead of setting these in “Computer Configuration” as above, they are applied in the
                admin templates in “User Configuration”

                Task Scheduler

                All settings: Enabled

                Windows Installer

                Always installed with elevated privileges: Enabled

                Windows Messenger

                Do not allows windows messenger to be run: enabled
                Do not allow windows messenger to run at start: enabled

                System-Logon

                Do not process the run once list: enabled



Page 19 of 24                                                                               Jesse Ksenych
                                  Windows XP Secure User Manual 2010
                Application Compatibility

                Prevent access to 16-bit applications: Enable

                Windows Components, Internet Explorer, Internet Control Panel

                Disable all pages (not general): Enable

                Windows Components, Internet Explorer, Offline Pages

                Disable adding channels: Enable

                Windows Components, Internet Explorer, Browser Menu

                Tools menu: Disable Internet Options menu option: Enable

                Windows Components, Internet Explorer, Browser Menu

                Help menu: Remove “Send Feedback” menu option: Enable

                Windows Components, Internet Explorer, Browser Menu

                Disable Context menu: Enable

                Windows Components, Internet Explorer

                Disable changing certificate settings: Enable

                Windows Components, Internet Explorer

                Configure Outlook Express: Enable and check “Block attachments that could contain a
                virus”

                Windows Explorer

                Remove “Map Network Drive” and “Disconnect Network Drive”: Enable

                Windows Explorer

                Remove Security tab: Enable

                Windows Explorer

                Remove CD burning features: Enable




Page 20 of 24                                                                          Jesse Ksenych
                                  Windows XP Secure User Manual 2010
                Microsoft Management Console

                Restrict the user from entering author mode: Enable
                Restrict users to the explicitly permitted list of snap-ins
                Enable and use the “Restricted/Permitted snap-ins” folder to designate permitted snap-
                ins

                Windows Media, User Interface

                All settings: Enabled

                Windows Media Player, Networking

                Hide Network tab: Enable

                Start Menu and Task Bar

                Remove links and access to Windows Update: Enable

                Start Menu and Task Bar

                Remove programs on Settings menu: Enable

                Start Menu and Task Bar

                Remove Run menu from Start menu: Enable

                Control Panel, Add/Remove Programs

                Remove Add/Remove Programs: Enable
                Hide the Set Program Access and Defaults page: Enable

                Network, Network Connections

                Prohibit TCP/IP advanced configuration, and Prohibit access to properties of a LAN
                connection: Enable

                System, Power Management

                Prompt for password on resume from hibernate/suspend: Enable




Page 21 of 24                                                                            Jesse Ksenych
                                   Windows XP Secure User Manual 2010

Disable Running CD’s and USB Storage Devices
       This section of this user manual describes how to disable CD and USB storage devices on the
       windows XP box. The reason for this is because CDs and USB’s are often the easiest entry point
       for an attacker and in a small business setting its unlikely that users will need to install or use
       anything from USB or CD.

           1.   In the local GPO right click on administrative templates
           2.   Click add new template
           3.   Select the “USB/CD remove” file that will be supplied with the final product
           4.   Go to the new section created under administrative templates
           5.   Set all settings in this new area to Enabled, then inside the enabled window to disabled.


GPO Administrator Account Removal
       This section explains using an article from Microsoft’s TechNet how to insure that the
       administrator account is not affected by the GPO settings we just implemented. Unfortunately
       on a local box the GPO will apply all its settings to average users and administrators alike. This
       can result in the admin not being able to affect the OS in the ways they may need to; this
       process is required to give them the access they need. This is kind of a sour spot in windows XP
       and not well implemented and this step will be required each time you make a change to the
       GPO from now on so try to do all the settings at once for simplicity. (HOW TO: Apply Local
       Policies to All Users Except Administrators on Windows Server 2003 in a Workgroup Setting,
       2006)
       Use following technique to give back all access to the admin only

       1. Log on to the computer as an administrator.

       2. Open your local security policy. To do this, do one of the following:
             o Click Start, click Run, type gpedit.msc, and then press ENTER.
                  -or-
             o Click Start, click Run, type mmc, press ENTER, add the Group Policy Object
                  Editor, and then configure it for the local security policy.
             If the removal of the run command is one of the policies that you want, Microsoft
             recommends that you edit the policy by means of Microsoft Management Console
             (MMC), and then save the results as an icon. Then, you do not need the run command to
             reopen the policy.

       3. Expand the User Configuration object, and then expand the Administrative
          Templates object.

       4. Enable whatever policies that you want (for example, Desktop for "Hide My Network Places"
          or "Hide Internet Explorer Icon on Desktop").

           NOTE: Make sure that you select the correct policies; otherwise, you may restrict the ability
           of the administrator to log on to the computer (and to complete the necessary steps to
           configure the computer). Microsoft recommends that you record any changes that you make
           (you can also use this information for step 10).

Page 22 of 24                                                                                Jesse Ksenych
                                  Windows XP Secure User Manual 2010

       5. Close the Gpedit.msc Group Policy snap-in. Or, if you use MMC, save the console as an icon
          to make it accessible later, and then log off the computer.

       6. Log on to the computer as an administrator.

           You can verify in this logon session the policy changes that were made earlier, because, by
           default, the local policies apply to all users, which includes administrators.

       7. Log off the computer, and then log on to the computer as all of the other users for this
          computer for whom you want these policies to apply. The policies are implemented for all of
          these users and the administrator.

           NOTE: Any user account that is not logged on to the computer at this step cannot have the
           policies implemented for that account.

       8. Log on to the computer as an administrator.

       9. Click Start, point to Control Panel, and then click Folder Options. Click the View tab,
          click Show Hidden Files and Folders, and then click OK so that you can view the Group
          Policy hidden folder. Or, open Windows Explorer; click Tools, and then click Folder
          Options to view these settings.

       10. Copy the Registry.pol file that is located in the %Systemroot%\System32\GroupPolicy\User
           folder to a backup location (for example, to a different hard disk, floppy disk, or folder).

       11. Open your local policy again by using either the Gpedit.msc Group Policy snap-in or your
           MMC icon, and then enable the exact features that were disabled in the original policy that
           was created for that computer.

           NOTE: When you do this, Policy Editor creates a new Registry.pol file.

       12. Close your policy editor, and then copy the backup Registry.pol file that you created in step
           10 back into the %Systemroot%\System32\GroupPolicy\User folder.

           When you are prompted to replace the existing file, click yes.

       13. Log off the computer, and then log on as an administrator.

           You can verify that the changes that were originally made are not implemented for you
           because you have logged on to the computer as an administrator.

       14. Log off the computer, and then log on as another user (or users).

           You can verify that the changes that were originally made are implemented for you because
           you have logged on to the computer as a user (not an administrator) to that computer.

       15. Log on to the computer as an administrator to verify that the local policy does not affect you
           as the local administrator to that computer.


Page 23 of 24                                                                               Jesse Ksenych
                                  Windows XP Secure User Manual 2010

Bibliography
Bragg, R. (2004). Hardening Windows Systems. Retrieved April 6, 2010, from Books24x7:
http://library.books24x7.com.libresources.sait.ab.ca/toc.asp?bookid=8162

HOW TO: Apply Local Policies to All Users Except Administrators on Windows Server 2003 in a
Workgroup Setting. (2006, October 30). Retrieved April 6, 2010, from Microsoft Support:
http://support.microsoft.com/default.aspx?scid=kb;en-us;325351

Jeff Shawgo, Sidney Faber, Nancy Whitney. (August, 2005). Windows XP Professional Operating System
Legacy, Enterprise,and Specialized Security Benchmark Consensus Baseline Security Settings. The Center
for Internet Security (http://www.cisecurity.org).




Page 24 of 24                                                                            Jesse Ksenych

				
DOCUMENT INFO
Shared By:
Categories:
Stats:
views:139
posted:8/13/2011
language:English
pages:24