Secure Computing: Best Practices for Windows XP
Securing a Windows XP Desktop
This document provides instructions for building a secure Windows XP desktop computer for the Stanford environment.
No matter what operating system you're using, the basic steps for securing it are the same:
- Install all operating system patches.
- Verify user account security.
- Eliminate unnecessary applications and network services.
- Install and configure necessary applications and network services.
- Configure system logging to record significant events.
- Keep applications and operating system patches up to date.
Install the latest patches
It's imperative that you connect to the network and immediately download and install the necessary patches for your operating system. Many security exploits prey on systems which are not kept up to date. Unpatched machines are frequently exploited within minutes of being attached to an open network like Stanford's.
Once you've booted your WinXP box onto the Stanford network, select the Start button in the lower left hand corner of the screen. Select the Windows Update menu item, and follow the instructions. Install at least the critical updates that Windows Update discovers. Be sure you've installed all the updates for Internet Explorer, too. IE is an integral part of the Windows operating system, and must be patched at the same time other security fixes are applied. In addition to installing the latest OS patches, the user should also enable automatic updates for the OS, and for any other apps that allow for it, such as Adobe Reader, Adobe Flash player, MS Office, Firefox, Java, and any chat clients that they use.
Verify user account security
Disable Guest Account if necessary. Windows operating systems include a Guest account designed for temporary users. That's usually not a good idea, and in the vast majority of cases the Guest account should be disabled. On Windows XP Home Edition, disabling the Guest account is not possible. Set a strong password for it instead. For WinXP Professional, confirm or disable the Guest account with this:
- Select the Start button on the lower left-hand corner of the screen.
- Select Settings --> Control Panel.
- Select User Accounts.
- Confirm that it says Guest
account is off.
Make sure all accounts have passwords set. Many Windows systems still have administrator or other accounts without any passwords set, or have very simple passwords. Check all accounts in the User Accounts screen as noted above and make sure passwords have been set. Make sure that all accounts have good passwords that are not based on dictionary words.
Limit Administrative Privileges. Many computer users login to their Windows system as administrator for all their day-to-day activity, or they create user accounts with administrative privilege levels. Many email and Web-based attacks take advantage of this by hijacking the security context of the logged-in user (the poor person who's accidentally clicked on that executable program they should have left alone). It's far safer to assign most users the Limited account type. Any user can use the Run As feature (hold shift while right-clicking an application to see the Run As option) to temporarily become the Administrator, if necessary, for instance to install software. Follow these steps for creating an Administrative account and lowering your default account privileges:
- To create new users, open Control Panel and click on User Accounts.
- Then click Create an new account and fill in an account name. Make sure it is an easy to remember Administrative name for you, such as your username Admin. Click the next button.
- Select the Computer Administrator radio button. Then click Create account.
- Now click on the icon for that new account, and select Create a password to set a password for this account.
- After entering a password, click the Back button and select your default user account icon.
- Select Change my account type and click the Limited radio button.
- Click on the Change account type button to commit and you are done.
Eliminate unnecessary applications and network services
Many services should be disabled by default, including file sharing. What follows are instructions for verifying and disabling any services that need to be done one by one. Make sure you disable Alerter; ClipBook; HP Web Jetadmin; Messenger; Netmeeting Remote Desktop Sharing; Network Dynamic Data Exchange; Network DDE DSDM; Remote Registry Service; Routing and Remote Access; telnet; and Universal Plug and Play Device Host, if they are enabled.
- Select the Start button on the lower, left-hand corner of the screen.
- Select Settings --> Control Panel.
- Double-click the Administrative Tools icon.
- Double-click the Services icon.
- Scroll down to the service in question and double-click it.
- Change the Startup type to Disabled instead of either Manual or Automatic.
your computer after all desired service changes are made.
But note! Members of Stanford Windows domains (including but not limited to the WIN, IT, SU, SU-GSB, FAC, GSB, LAWSU, and STANFORD-NT domains) may need to turn on several of the "riskier" remote management tools, in order to allow their systems to be managed effectively. This risk is reduced by the fact that the domain controllers themselves can secure the individual workstations, making this a reasonable action for domain members. If you're in one of those groups (or smaller domains not specifically mentioned here), ask your administrator about whether or not remote management tools are required. If they are, you'll want to leave the services they require enabled. These are probably Remote Registry Service and Application Management, but may include others.
Disable Remote Assistance. This facility allows for remote control of your desktop for troubleshooting purposes, which isn't what we want by default. Go to Control Panel, double-click on the System icon, find the Remote tab, select Settings, and unselect the Allow this computer to be controlled remotely checkbox. But note! If your machine is a member of a Windows domain, ask your administrator about whether or not to disable Remote Assistance.
Disable Windows Simple File Sharing. Simple File Sharing shares files anonymously without any user access security, and shouldn't ever be used.
- Click Start and then Control Panel
- Click the Folder Options icon
- Select the View tab
- Go to the Advanced Settings section of the window
- Unselect the Use Simple File Sharing box
- Click Apply
Install necessary applications: Kerberos for Windows
Kerberos for Windows provides secure authentication for various services at Stanford,such as the Sundial calendar and Stanford OpenAFS. It includes a utility called Network Identity Manager, which provides the graphical user interface for managing Kerberos functions.
Install necessary services: file sharing
Stanford provides the AFS file system as the primary mechanism for sharing files between members of the SUNet community. AFS support is included in PC-Leland on WinXP. But if for some reason you need to enable PC-based file sharing -- that is, network-based access to the documents on your local system's hard drive -- here's how to do it as securely as possible:
Windows XP Home only supports Simple File Sharing, which includes no access control and should not be used within the Stanford network
Allowing Anonymous connections to your shared folders allows everyone on the Stanford network to browse your systems without having a local user account, which is undesirable in most cases.. Limiting users on each share to Authenticated Users makes this more difficult. On a WinXP Professional system, replace the Everyone group with Authenticated Users on all file shares:
- Click on My Computer
- For each drive icon, right click it and select Sharing And Security
- Click on the Security tab
- Click Add and in the window type Authenticated Users.
- Click Ok to get back to the user list screen
- Select Everyone and click the remove button
- Click Apply
and then click Ok when it finishes.
To fully protect your system from anonymous file system browsing, on WinXP Professional, configure the RestrictAnonymous registry key, as follows. Go to Administrative Tools --> Local Security Policy --> Local Policies --> Security Options. Make sure the following two policies are enabled:
Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled
Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Install anti-virus software
Stanford licenses Sophos Anti-Virus for desktop protection. All users are strongly encouraged to install it. This software can be downloaded from http://ess.stanford.edu/pc/sophos.html.
Configure system logging
Although Stanford makes no attempt to collect system logs from every desktop computer on its network, those logs are invaluable when administrators need to troubleshoot a problem or recover a system that's been hacked. By default, Windows leaves all logging disabled, but you can set it yourself. Click on the Start button, then Settings, then Control Panel. Double click on Administrative Tools. Double click on Local Security Settings, and select Local Policies --> Audit Policy. Here's the audit policy configuration we recommend for stand-alone WinXP desktops:
To change the setting on an individual policy, highlight it, then right-click. Under the Properties item, you'll be able to select for success and/or failure audits. Note that if your machine is a member of a domain, its audit policy may be controlled by the Domain Controller.
Microsoft allows a whopping 512 kb of storage space for Event Log records, and overwrites old records when that limit is reached. In most cases, that's a reasonable configuration (it should allow your machine to retain at least a few days of activity). But you can increase the amount of storage space available. From the Control Panel, double click on Administrative Tools, and then double click on Event Viewer. You'll see the three subsets of the Event Log, the Application, Security and System Logs. Access the properties of these logs by selecting one, right clicking on it, and bringing up the Properties. Log size is controlled here. We recommend leaving the default configuration of When maximum log size is reached to avoid inadvertently disabling your desktop system should you run out of log space.
Use the WinXP built-in firewall
Windows XP includes a new feature, the Internet Connection Firewall (Windows Firewall in SP3 and later). The Windows Firewall restricts access to services running on your machine, so it can prevent many kinds of attacks. It's especially valuable if you're using a laptop or a PC from home, which may be exposed to a more hostile environment than the Stanford network itself. Windows Firewall or other host based firewalls can interfere with the performance of some network-based applications, so run it at your own risk.
Here's detailed information on configuring the Windows Firewall to permit the correct functioning of Stanford Web Authentication and file sharing.
Keep application and operating system patches up to date
Use WindowsUpdate. Default configurations of WindowsXP rely on the WindowsUpdate mechanism to notify users of new critical patches, and to manage the download and installation of those patches. To be sure you've got it running:
- Click on the Start button in the lower left hand corner of your screen.
- Select the Control Panel.
- Double-click on System.
- Select the Automatic Updates tab.
sure that Keep my computer up to date is
selected, and pick the notification and install option that best suits
your needs (Notify me before installing updates, Install
updates automatically, Install updates at the time I've selected)
Install and use the Security Self-Test. Install the Security Self-Test to make sure your system meets a good standard for security. This tool checks for many of the above conditions, as well as what software you have installed. Passing this test confirms that the changes you've made have been successful, and that your computer is ready for the Stanford network..
Other Resources and Links
- Disable autorun when a CD is inserted or a USB drive is attached.
- Windows Security at Stanford
- Stanford's Windows News page
- Windows XP Security Checklist
- Securing the Personal Computer -- Windows XP
- Windows PC Security (on campus)