_____________
Introduction
Preface: Please note while these recommendations
are still applicable, the implementation in the manual method
below is outdated. These items can be accomplished much easier
by joining
Active Directory.
Microsoft Windows XP is a Lab-supported operating system being
used by a growing number of users. Windows XP is potentially
much more conducive to security than its predecessors such
as Windows 95 and 98—a good reason for you to upgrade
your desktop system to Windows XP if you have not already
done so. This checklist describes the measures you will need
to take to achieve baseline security in your Windows XP system.
Windows XP comes in two releases: Windows XP Home Edition and Windows XP Professional. Both are workstation products, but the former is designed for the casual user who wants considerable functionality without dealing with the details of the operating system and its controls. Windows XP Home Edition is not supported here at the Lab, which is a good reason to avoid it. Windows XP Professional is not as simple to use, but it is considerably more conducive to security than the Home Edition. Whichever edition you consider, the good news is that less effort is generally required to secure a workstation than a server, and Windows XP is a workstation product. The bad news is that although Microsoft has kept improving the out-of-the-box security of each successive operating system, Windows XP, like its predecessors, is not all that secure right after you install it. You will therefore have to make numerous changes to raise its level of security.
The primary purpose of these guidelines is to describe the
most basic measures needed to secure a Windows XP system that
has a classic view or interface. This checklist is designed
to make your Windows XP system sufficiently secure, and to
enable it to defend against most attacks, but is not intended
to enable you to lock down your system(s) so thoroughly that
a successful attack would be impossible.
Baseline Security
Measures
Your system will achieve a baseline level of security if
you deploy the following measures:
- Use only Windows XP Professional. Windows XP Home lacks the controls needed to reach even a baseline level of security: the accounts created during Setup are all administrators, Simple File Sharing cannot be turned off (so NTFS permissions cannot be managed from Windows Explorer), there is no Local Security Policy editor, and the machine cannot join a domain.
- Install Windows XP only from trusted media.
- Ensure that your system's hard drive has a minimum of
two partitions, C and D. Partition C, which contains system
directories and files, should be the installation drive.
Allocate 10 gigabytes to this partition and avoid creating
any user shares to it. Partition D should be reserved for
user space and nonsystem applications. Any user shares should
connect to D.
- Ensure that every partition is an NTFS partition [fn2]. If any volume is FAT-formatted, open a command prompt and enter
convert <partition letter>: /fs:ntfs
For example, to convert the D partition into an NTFS partition, enter
convert d: /fs:ntfs
The volume Windows is running from, or any volume with files open, cannot be converted immediately; convert will offer to schedule the conversion for the next reboot, so reboot your system afterwards. The conversion is one-way (returning to FAT means reformatting), so back up the volume first, and review the permissions on the converted volume as described below.
- To elevate the level of security on your Windows XP system, apply the LBNL security template for Windows XP. Download this template from here. Place it in your system's %systemroot%\security\templates directory (normally c:\windows\security\templates) with the name IT-SecureBaseline1.inf. Bring up a command prompt, cd to that directory, and then enter:
secedit /configure /db %TEMP%\secedit.sdb /cfg IT-SecureBaseline1.inf /log %TEMP%\seclog.txt /verbose
The security database named by /db is created if it does not already exist. Afterwards, read %TEMP%\seclog.txt for any settings that could not be applied.
- Check to see whether Service Pack 2 (SP2) has been installed
by going from Start to Run, then entering winver.
If SP2 is not installed, go to http://www.lbl.gov/download/
to download it, and then install it.
- Install the latest post-SP2 hotfixes. Download them from the LBNL download page by clicking on "Windows XP Pro post SP2 Hot Fixes." Keep applying hotfixes as they are released; SP2 alone is not a finished state.
- Ensure that your Windows XP system is part of a domain.
Belonging to a domain helps ensure that security settings
within Group Policy Objects (GPOs) on domain controllers
apply to every workstation in the domain. If your machine
is not part of a domain, it automatically is a member of
a default workgroup. Workgroups have no significant security
capabilities; every member of a workgroup is at elevated
risk. To determine whether your system belongs to a domain
or workgroup, go to My Computer and right click to Properties,
then click on the Computer Name tab. You can click on the
Change box to switch to domain membership, but first contact
HELP by dialing HELP or sending email to help@lbl.gov
to have your workstation admitted to LBNL's central Windows
domain. There is no charge for LBNL domain membership. (Note:
XP Home Edition workstations cannot belong to Windows domains!)
- Lock down access to the system drive. Windows XP has five standard file permissions, each of which can be allowed or denied [fn3]:
- Full Control: everything Modify allows, plus changing permissions and taking ownership
- Modify: reading, executing, writing (changing), and deleting
- Read & Execute: reading files and attributes and running programs
- Read: viewing file contents, attributes, and permissions
- Write: creating files and subfolders, writing data, and changing attributes (it does not include deleting)
Allow entries accumulate across the groups a user belongs to, and an explicit Deny entry takes precedence over any Allow for the same user or group.
- Check the permissions on system folders (particularly %systemroot%, which is normally c:\windows, and %systemroot%\system32) and their contents by right clicking on each folder or file in Windows Explorer, choosing Properties, and then clicking on the Security tab. (If there is no Security tab, turn off Simple File Sharing first: in Windows Explorer choose Tools => Folder Options => View and uncheck "Use simple file sharing.") Ensure that, in general:
- Nobody but Administrators, SYSTEM and CREATOR OWNER can in any way modify, change permissions for, or take ownership of any system file or other critical file or folder.
- Where universal access to a file or folder that is not used on behalf of the system is necessary, it is granted to Authenticated Users rather than Everyone.
- A "share" is a mechanism that allows users on other systems to connect to file systems, printers, and other devices on this one. Shares are convenient, but they are also dangerous, so if you do not need to share your system's files and folders with others, do not share any folder. (You can remove file and printer sharing from a network connection entirely: go to My Computer, double-click My Network Places, then View Network Connections; right click on Local Area Connection, choose Properties, highlight File and Printer Sharing for Microsoft Networks, and click Uninstall. Afterwards, check the Server service, which is what serves shares, under Start => Control Panel => Administrative Tools => Services: double-click Server and confirm that its status and Startup Type are what you intend. If other systems must still reach the administrative shares, for example for domain management or remote backup, leave it started with Startup Type Automatic; if you need no sharing at all, set its Startup Type to Disabled.)
- An "unprotected share" is a share that permits everyone to connect to it; the worst case is one that grants Everyone Full Control, or Write and Delete. Many Windows users have unprotected shares, which makes their systems far more likely to be compromised by attackers and worms. Unprotected shares are one of the major causes of security incidents in Windows systems.
- Go to the Control Panel, Administrative Tools, Computer Management, System Tools, Shared Folders, then Shares. Highlight the name of each nondefault share, i.e., each share that does not end with a "$," right click to Properties, and then click on the Share Permissions tab. (A trailing "$" only hides a share from browsing; it does not protect it, so review any hidden shares you created yourself the same way.) The following share permissions are generally appropriate:
- Administrators and CREATOR OWNER: Full Control-Allow
- Authenticated Users: Read-Allow (or no access at all, which is generally best; whatever you do, avoid giving Full Control-Allow to either Everyone or Authenticated Users).
Remember that both the share permission and the NTFS permission on the underlying folder are checked, and the more restrictive of the two applies.
- Secure the built-in accounts (which are far more frequent targets of attack than other accounts) by going to the Control Panel, Administrative Tools, Computer Management, System Tools, Local Users and Groups, then Users:
- Rename the default Administrator account to a nonconspicuous name, change the account description to "User account," and give it a very long (up to 127 characters) password that is as difficult to guess as possible. Record the password on a piece of paper that you keep in an extremely secure location, e.g., in your wallet or purse. Do not share this password with anyone else and do not leave the slip of paper where anyone else might see it. Use the built-in Administrator account, which in Windows XP (as in Windows 2000) is never locked out by excessive bad logon attempts, only for emergency access. Renaming alone does not hide the account from a determined attacker, because its SID always ends in -500 and can be looked up wherever anonymous SID/name translation is permitted; the long password is what protects it.
- Create one additional local account that is a member of the Administrators group for yourself and another for each person who needs to administer your system. Also create an unprivileged local account for each administrator. Use the unprivileged account for normal activities such as web surfing, ftp access, and downloading mail; use the privileged account only when you are performing system administration tasks.
- Create a new, unprivileged account named "Administrator," a decoy designed to absorb attacks aimed at the real Administrator account. Ensure that this account is a member of only the Guests group, and enter the description "Built-in account for administering the computer/domain" (even though this is not true). Inspect your Event Logs often to determine whether people are trying to log on to this account; since nobody legitimately uses it, every failed logon against it deserves a look.
- Leave the Guest account disabled. Double-click on this account name and ensure that "Account is disabled" is checked.
- Unless you want to use the Remote Assistance function, which lets another person take control of your session to troubleshoot it, disable the HelpAssistant account: double-click on it and check "Account is disabled." (Alternatively, turn the feature itself off by right clicking My Computer, choosing Properties, then the Remote tab, and unchecking "Allow Remote Assistance invitations to be sent from this computer." The second checkbox on that tab, "Allow users to connect remotely to this computer," controls Remote Desktop; leave it unchecked as well unless you need Remote Desktop.)
- Go to the Control Panel, then to Administrative Tools, then Local Security Policy, then to Security Settings, then to Account Policies, and finally to Password Policy, and set the following values:
- Enforce password history: 24 passwords remembered
- Maximum password age: 180 days
- Minimum password age: 1 day
- Minimum password length: 8 characters
- Password must meet complexity requirements: Enabled
- Store passwords using reversible encryption for all users in the domain: Disabled [fn4]
- Go to the Control Panel, then to Administrative Tools,
then Local Security Policy, then to Security Settings, then
to Account Policies, then Account Lockout Policy to set
the following parameters:
- Account lockout duration: 60 min
- Account lockout threshold: 5
- Reset account lockout after: 60 min
- Go to the Control Panel, then to Administrative Tools,
Computer Management, System Tools, Local Users and Groups,
then Users. For each user account, set the following Account
Options:
- Avoid running the Remote Access Service (RAS) on your
workstation! If you need dial-in access, have your system
administrator set up a secure dial-in access capability
for you.
- Observe the "least privilege principle" when assigning rights to others who need access to your Windows XP system. Check user rights by going to the Control Panel, then Administrative Tools, then Local Security Policy, then to Security Settings, then to Local Policies, and then to User Rights Assignment. To grant or revoke a right, double-click on the right in question and add or remove the user or group. The table below lists the recommended assignments; a dash means the right should be assigned to no one.
Recommended Rights for Users

| RIGHT | ASSIGNED TO |
| Access this computer from the network | Administrators, Users, Power Users, Backup Operators (but not IUSR_ and IWAM_ unless your XP system is hosting Web services) |
| Act as part of the operating system | — |
| Add workstations to domain | — |
| Adjust memory quotas for a process | Local Service, Administrators |
| Allow log on through Terminal Services | Administrators (and, if you allow Remote Desktop access, Remote Desktop Users) |
| Back up files and directories | Administrators |
| Bypass traverse checking | Administrators, Users, Power Users |
| Change the system time | Administrators, Power Users |
| Create a pagefile | Administrators |
| Create a token object | — |
| Create permanent shared objects | — |
| Debug programs | Administrators |
| Deny access to this computer from the network | Support_, Guest |
| Deny log on as a batch job | — |
| Deny log on as a service | — |
| Deny log on locally | Support_, Guest |
| Deny log on through Terminal Services | — |
| Enable computer and user accounts to be trusted for delegation | — |
| Force shutdown from a remote system | Administrators |
| Generate security audits | Local Service, Network Service |
| Increase scheduling priority | Administrators |
| Load and unload device drivers | Administrators |
| Lock pages in memory | — |
| Log on as a batch job | Support_, "logged on user" (but not IUSR_ and IWAM_) |
| Log on as a service | Network Service |
| Allow log on locally | Administrators, Users, Power Users (but not IUSR_ and IWAM_ unless your XP system is hosting Web services) |
| Manage auditing and security log | Administrators |
| Modify firmware environment values | Administrators |
| Perform volume maintenance tasks | Administrators |
| Profile single process | Administrators, Power Users |
| Profile system performance | Administrators |
| Remove computer from docking station | Administrators, Users, Power Users |
| Replace a process level token | Local Service, Network Service, IWAM_ |
| Restore files and directories | Administrators |
| Shut down the system | Administrators, Users, Power Users |
| Synchronize directory service data | — |
| Take ownership of files or other objects | Administrators |
- Set the secure logon feature. This requires anyone logging on to press Ctrl+Alt+Del before the logon dialog appears. Windows intercepts that key sequence itself, so a program left running on the desktop cannot present a fake logon prompt to harvest passwords, and every logon goes through the genuine Windows dialog, even for an account with a blank password (which you should not allow in the first place). Under the Advanced tab in the User Accounts area of the Control Panel, check "Require users to press Ctrl+Alt+Delete" in the Secure logon section. If your machine is a member of a domain, the Ctrl+Alt+Del screen is enabled by default.
- Enable a baseline of logging. Go to the Control Panel, Administrative Tools, Local Security Policy, Security Settings, Local Policies, and then to Audit Policy. To enable a category, double-click on its name and, under "Audit these attempts," check both Success and Failure. Enable:
- Audit account logon events (success and failure)
- Audit account management (success and failure)
- Audit logon events (success and failure)
- Audit policy change (success and failure)
- Audit system events (success and failure)
- Set the Security Log properties so that security logging will run properly. Go to the Control Panel, Administrative Tools, then Event Viewer. Right click on the Security log (and, in turn, on the System and Application logs) and choose Properties.
- Select the following settings:
- Maximum Size: set the System and Application logs to 4,096K and the Security log to 10,240K. The default of 512K for each log is much too small.
- Retention Method (you have three choices):
- Overwrite events as needed: the oldest events are overwritten regardless of age (recommended). Be aware that an attacker who can generate enough noise can push earlier evidence out of the log this way, one more reason to keep the log large and to review it often.
- Overwrite events older than a set number of days: events older than the retention period are overwritten; if the log fills before the period expires, new events are dropped and there will be a gap in logging.
- Do not overwrite events (clear log manually): in general, avoid this option, because logging stops as soon as the log fills if you have forgotten to clear it manually.
- Check your system's logs regularly (daily, if possible)
to determine whether your system has been attacked.
If your system appears to have been attacked, contact
your Computer Protection Division Liaison as soon as
possible. Visit https://www.lbl.gov/ITSD/Security/CPP/people/cpic.html
to find out who your liaison is.
- Activate the screen saver. This will help protect
against unauthorized physical access. Go to the Control
Panel, then Display, then Screen Saver (or right click
on the desktop to Properties and click on the Screen
Saver tab). Be sure to password-enable the screen saver
and also to set the activation period to 30 minutes.
- Ensure that your system's time is correct. Time synchronization is extremely important for Native Mode W2K domain services such as Kerberos authentication: by default Kerberos rejects tickets whose timestamps differ from the domain controller's clock by more than five minutes, so a wrong clock causes logon failures. The time check is also part of Kerberos's defense against "replay attacks," in which an attacker captures an authentication exchange and resends it later to gain unauthorized access. Go to the Control Panel, then Date/Time, then the Internet Time tab. The names of several public Internet time servers will appear, but it is best to type in cuckoo.lbl.gov, a local Lab time server. (A domain member synchronizes with its domain controller automatically, and the Internet Time tab is not shown.)
- Go to Security Options (Control Panel, Administrative Tools, Local Security Policy, Security Settings, Local Policies, Security Options) and ensure that:
- The "Network access: Do not allow anonymous enumeration of SAM accounts and shares" option is Enabled (in Windows 2000 this appeared as "Additional restrictions for anonymous connections"). This stops null-session reconnaissance that lists your accounts and shares without any password.
- The "Recovery console: Allow automatic administrative logon" option is Disabled (if it is enabled and your system is rebooted into the Recovery Console, the first person who reaches your workstation gets a session with full Administrator privileges without entering a password).
- Be sure to run Symantec AntiVirus on your system,
and to keep its signatures updated every day.
- To check whether you have Symantec
AV go to Programs. If Symantec AntiVirus is one
of the selections, your system is running this program.
To download Symantec AV, visit http://www.lbl.gov/ITSD/Security/vulnerabilities/.
- To update Symantec AV, go from Start to Programs to the Symantec AntiVirus Corporate Edition group, then to the Symantec AntiVirus Corporate Edition program, then to LiveUpdate. Click on LiveUpdate and follow the instructions. You will then have the latest definitions. Keep in mind that signature-based antivirus catches only what it has signatures for; it is an essential layer against virus and worm infections, not a substitute for patching and the other measures on this page.
- Ensure that your system is backed up as frequently
as operational needs dictate. We recommend that you
sign up for the LBNL backup service. Visit http://recharge.lbl.gov/backups/setup.cgi
or write-up a Help
Desk ticket.
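The password, lockout, audit and Security Options values above can be verified without clicking through each console: secedit /export /cfg %TEMP%\current.inf writes the effective local policy to a text file, and the script below compares that file with the values this checklist recommends. It is an added example, not part of the original checklist or of LBNL's IT-SecureBaseline1.inf template. The section and key names are the ones secedit writes; the three registry paths that back the Security Options, and the privilege names it checks, are this example's own mapping of the option names and are marked as such in the code. The embedded .inf is a constructed sample, not an export from a real machine.

```python
"""Compare a secedit export with the password, lockout, audit and Security Options
values this checklist asks for (added example, not LBNL's template)."""

# (section, key) -> value, using the names secedit writes in an exported .inf.
# Audit values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
BASELINE = {
    ("System Access", "PasswordHistorySize"): "24",
    ("System Access", "MaximumPasswordAge"): "180",
    ("System Access", "MinimumPasswordAge"): "1",
    ("System Access", "MinimumPasswordLength"): "8",
    ("System Access", "PasswordComplexity"): "1",
    ("System Access", "ClearTextPassword"): "0",      # reversible encryption disabled
    ("System Access", "LockoutBadCount"): "5",
    ("System Access", "LockoutDuration"): "60",
    ("System Access", "ResetLockoutCount"): "60",
    ("System Access", "EnableGuestAccount"): "0",
    ("Event Audit", "AuditAccountLogon"): "3",
    ("Event Audit", "AuditAccountManage"): "3",
    ("Event Audit", "AuditLogonEvents"): "3",
    ("Event Audit", "AuditPolicyChange"): "3",
    ("Event Audit", "AuditSystemEvents"): "3",
    # Registry-backed Security Options as "type,value" (4 = REG_DWORD). These key paths
    # are this example's mapping of the option names, not taken from the checklist.
    ("Registry Values", r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous"): "4,1",
    ("Registry Values", r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel"): "4,0",
    ("Registry Values", r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD"): "4,0",
}
ADMINS = "*S-1-5-32-544"   # well-known SID of the local Administrators group
ADMIN_ONLY = ("SeDebugPrivilege", "SeRestorePrivilege")   # "Debug programs", "Restore files"
NOBODY = ("SeTcbPrivilege", "SeCreateTokenPrivilege")    # act as part of the OS, create a token


def parse_inf(data):
    """Parse a secedit .inf export (UTF-16 with BOM, or ANSI) into {section: {key: value}}."""
    bom = data.startswith((b"\xff\xfe", b"\xfe\xff"))
    sections, current = {}, None
    for line in data.decode("utf-16" if bom else "cp1252").splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]          # quoted strings such as NewAdministratorName
            current[key] = value
    return sections


def check(sections):
    """Return one finding per deviation from the baseline; an empty list means compliant."""
    findings = []
    for (section, key), want in BASELINE.items():
        have = sections.get(section, {}).get(key)
        if have is None:
            findings.append(f"{section}/{key}: not set (want {want})")
        elif have != want:
            findings.append(f"{section}/{key}: is {have}, want {want}")
    rights = sections.get("Privilege Rights", {})   # a right absent here is held by nobody
    for right in ADMIN_ONLY:
        holders = {h.strip() for h in rights.get(right, "").split(",") if h.strip()}
        if holders != {ADMINS}:
            findings.append(f"Privilege Rights/{right}: held by {sorted(holders)}, want Administrators only")
    for right in NOBODY:
        if rights.get(right, ""):
            findings.append(f"Privilege Rights/{right}: should be held by nobody, is {rights[right]}")
    return findings


# Constructed sample, not a real export: a mostly default workgroup install, encoded as secedit writes it.
SAMPLE_INF = r"""[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
NewAdministratorName = "Administrator"
ClearTextPassword = 0
EnableGuestAccount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditPolicyChange = 0
AuditAccountManage = 0
AuditAccountLogon = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeTcbPrivilege =
""".encode("utf-16")

if __name__ == "__main__":
    for finding in check(parse_inf(SAMPLE_INF)):
        print(finding)
```

Run it against your own export by replacing SAMPLE_INF with the bytes of %TEMP%\current.inf. A right that secedit omits from the [Privilege Rights] section is held by nobody, so "Restore files and directories" held by Backup Operators as well as Administrators is reported, matching the table above; the sample also reports the lockout duration and reset values as missing because secedit does not write them while the lockout threshold is 0.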
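Two items above ask you to read the Security log regularly: to see whether anyone is trying the decoy "Administrator" account, and to spot attacks before they turn into incidents. The script below is an added example of that review, not code from the original checklist. It walks Security-log records sorted by time and reports every failed or successful logon against the decoy account, plus any run of failures for one account from one workstation that reaches the checklist's lockout threshold (5 within 60 minutes). The event IDs are the Windows XP Logon/Logoff IDs (528 and 540 for successful logons, 529 through 539 for the failure reasons). The record layout is a constructed, simplified tab-separated form (date, time, event ID, user name, workstation) and not Event Viewer's exact export format; the sample lines are likewise constructed.

```python
"""Review Security-log records for probes of the decoy Administrator account and for
password-guessing bursts (added example; record layout and sample data are constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

DECOY_ACCOUNT = "Administrator"        # the unprivileged decoy created above
LOCKOUT_THRESHOLD = 5                  # "Account lockout threshold: 5"
RESET_WINDOW = timedelta(minutes=60)   # "Reset account lockout after: 60 min"

# Windows XP Security-log event IDs in the Logon/Logoff category
FAILED_LOGON = {529, 530, 531, 532, 533, 534, 535, 537, 539}
SUCCESS_LOGON = {528, 540}


def parse_record(line):
    """One constructed record: date<TAB>time<TAB>event ID<TAB>user name<TAB>workstation.
    Simplified layout for this example, not Event Viewer's exact export format."""
    date, time, event_id, user, workstation = line.rstrip("\r\n").split("\t")
    return {"when": datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S"),
            "id": int(event_id), "user": user, "workstation": workstation}


def review(lines):
    """Return alert strings for decoy-account activity and lockout-threshold bursts."""
    events = sorted((parse_record(raw) for raw in lines if raw.strip()), key=lambda e: e["when"])
    alerts = []
    failures = defaultdict(list)   # (user, workstation) -> failure timestamps in the window
    for e in events:
        is_decoy = e["user"].lower() == DECOY_ACCOUNT.lower()
        if e["id"] in FAILED_LOGON:
            if is_decoy:   # nobody uses the decoy legitimately, so every attempt is noteworthy
                alerts.append(f"{e['when']:%Y-%m-%d %H:%M} decoy '{DECOY_ACCOUNT}' probed from "
                              f"{e['workstation']} (event {e['id']})")
            window = failures[(e["user"].lower(), e["workstation"].upper())]
            window.append(e["when"])
            while window and e["when"] - window[0] > RESET_WINDOW:
                window.pop(0)           # failures older than the reset window no longer count
            if len(window) == LOCKOUT_THRESHOLD:   # report once, when lockout would trigger
                alerts.append(f"{e['when']:%Y-%m-%d %H:%M} {len(window)} failures for '{e['user']}' "
                              f"from {e['workstation']} within {RESET_WINDOW.seconds // 60} min")
        elif e["id"] in SUCCESS_LOGON and is_decoy:
            alerts.append(f"{e['when']:%Y-%m-%d %H:%M} SUCCESSFUL logon to decoy '{DECOY_ACCOUNT}' "
                          f"from {e['workstation']}: investigate immediately")
    return alerts


# Constructed sample records (not from a real log): one normal day with two probes of the
# decoy and a guessing run against jdoe that ends in event 539 (account locked out).
SAMPLE_LOG = """\
03/14/2005\t08:02:11\t528\tjsmith\tWS-LAB-07
03/14/2005\t08:15:40\t529\tAdministrator\tWS-UNKNOWN
03/14/2005\t08:15:42\t529\tAdministrator\tWS-UNKNOWN
03/14/2005\t09:30:05\t529\tjsmith\tWS-LAB-07
03/14/2005\t22:01:00\t529\tjdoe\tATTACKER-PC
03/14/2005\t22:01:03\t529\tjdoe\tATTACKER-PC
03/14/2005\t22:01:05\t529\tjdoe\tATTACKER-PC
03/14/2005\t22:01:08\t529\tjdoe\tATTACKER-PC
03/14/2005\t22:01:10\t529\tjdoe\tATTACKER-PC
03/14/2005\t22:01:15\t539\tjdoe\tATTACKER-PC
"""

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG.splitlines(True)):
        print(alert)
```

A single failed logon by a real user (jsmith mistyping a password) produces no alert, the two attempts against the decoy each do, and the jdoe run is reported once, at the fifth failure, rather than on every later event. If you decide to overwrite the log "as needed" as recommended above, run a review like this before the oldest events are pushed out.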
Conclusion
As mentioned earlier, these guidelines are designed
to provide a baseline level of security in Windows XP.
Please send any feedback you have to cppm@lbl.gov.
________
Footnotes
1. These guidelines were developed
by Gene Schultz. Jim Smithwick, Jay Krous, John Phelan,
Dan Peterson, and Christian Kohler helped by reviewing
a draft copy and providing feedback.
2. The main downside of having only
the NTFS file system is that 16-bit applications may not
run properly on NTFS partitions. If you have 16-bit applications
that need to run in the Windows XP environment, create
another small FAT32 partition dedicated to these applications.
Never jeopardize other applications, however, by putting them on this FAT32 partition; FAT32 offers no access control at all.
3. There are also many special (advanced) permissions, including Full Control, Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete, Delete Subfolders and Files, Read Permissions, Change Permissions, and Take Ownership. Special permissions are more granular than the standard permissions, and are thus more conducive to security, but they are also more complicated and harder to use.
4. "Store passwords using reversible encryption" keeps a copy of each password that Windows can decrypt, which is equivalent to storing it in the clear for anyone who obtains the SAM or a domain controller backup. Ordinary share and logon authentication (NTLM and Kerberos) does not need it; it is required only by the few protocols that must see the plaintext password, such as CHAP through remote access and Digest authentication in IIS. Leave it Disabled unless one of those is explicitly in use. In a domain the option can be set per account instead of for everyone, which limits the exposure to the accounts that actually need it.