Windows XP Security Measures

Status
Not open for further replies.

readermaniax

Ambassador of Buzz
Although Windows XP Professional is built on the Windows 2000 kernel, there are significant differences between the operating systems - especially when it comes to security. This checklist is partially based on our popular Windows 2000 security checklist and covers both Windows XP Professional and XP Home Edition. Unfortunately, Windows XP Home Edition doesn't have all of the security features of XP Professional, so not all of the options are available for both versions. If you're concerned about your data, we strongly recommend upgrading to XP Professional as soon as possible. When implementing these recommendations, keep in mind that there is a trade off between increased security levels and usability for any Operating System. To help you decide how much security you need, we've divided the checklist into Basic, Intermediate, and Advanced Security options. You should assess your potential security risks, determine the value of your data, and balance your needs accordingly.

Basic Security Measures

Provide Physical Security for the machine
It may seem basic, but we didn't want you to overlook the obvious. The simple fact is that most security breaches in corporate environments occur from the inside. Keep your workstation in an office that locks, install a lock on the CPU case, keep it locked, and store the key safely away from the computer at a secure location. (i.e. a locked cabinet in the server room)

Use NTFS on all your partitions
The FAT16/FAT32 file systems that were shipped with Windows 95/98/ME offered no security for your data and left your system wide open to attacks. The NTFS file system is faster than FAT32 and allows you to set permissions down to the file level. If you're unsure of how your system is configured, open My Computer, right click on the drive letter you want to check, and select "Properties" from the menu. If your Windows XP system was preconfigured with the FAT16 or FAT32 file system, you can convert the partitions quickly and easily using the convert.exe utility. (If you choose to convert to NTFS, you cannot go back to the FAT or FAT32 file system unless you reinstall XP.) In addition, using NTFS on Windows XP Professional allows you to encrypt files and folders using the Encrypting File System (EFS). If you are dual booting Windows XP and Windows 9x/Me, keep in mind that these operating systems cannot read NTFS partitions, and you won't be able to access the files when you are in Windows 9x/ME.

Disable Simple File Sharing
Both Windows XP Home Edition and XP Professional workstations that are not part of a domain use a network access model called "Simple File Sharing," where all attempts to log on to the computer from across the network are forced to use the Guest account (to prevent them from using a local Administrator account that wasn't configured with a password). This means that if you're connected to the internet and don't use a secure firewall, your files contained within those shares are available to just about anybody.
Code:
To disable Simple File Sharing on XP Professional:
	Click Start > My Computer > Tools > Folder Options
	Select the View tab
	Go to Advanced Settings
	Clear the Use Simple File Sharing box
	Click Apply
Unfortunately, XP Home Edition doesn't allow you to disable Simple File Sharing and is unable to join a domain, so the best you can hope for is to make sure you set your shared folders to be read only, hide the file shares by using a $ sign after the folder name, or if you're using the NTFS file system, use the "Make Private" option in the folder properties. Windows XP Professional workstations that are part of a domain or that have Simple File Sharing disabled use the "Classic" NT security model that requires all users to authenticate before granting access to shared folders.

Use passwords on all user accounts
Both Windows XP Professional and Home Edition allow user accounts to utilize blank passwords to log into their local workstations, although in XP Professional, accounts with blank passwords can no longer be used to log on to the computer remotely over the network. Obviously, blank passwords are a bad idea if you care about security. Make sure you assign passwords to all accounts, especially the Administrator account and any accounts with Administrator privileges. By the way, in XP Home Edition all user accounts have administrative privileges and no password by default. Make sure you close this hole as soon as possible.

Use the Administrator Group with care
It's very common for home users and small business administrators to simply give all local accounts full Administrator privileges in order to eliminate the inconvenience of logging into another account. However, this practice gives a hacker the opportunity to try to crack a greater number of administrator level accounts and increases his/her chance for success. It also increases the odds that malicious code executed via an e-mail attachment or other vector can do more damage to your files. In a workgroup, consider placing local users with a greater need for control in the local Power Users group, instead of the Administrators group. And avoid the temptation of using the local administrator account as your default login account.

Disable the Guest Account
The guest account has always been a huge hacker hole, and should be disabled as soon as you install your workstation. Unfortunately, this setting recommendation only applies to Windows XP Professional computers that belong to a domain, or to computers that do not use the Simple File Sharing model. Windows XP Home Edition will not allow you to disable the Guest account. When you disable the Guest account in Windows XP Home Edition via the Control Panel, it only removes the listing of the Guest account from the Fast User Switching Welcome screen, and the Log-On Local right. The network credentials will remain intact and guest users will still be able to connect to shared resources of the affected machine across a network.

Use a firewall if you have a full time internet connection
Having instant, high speed access to the internet is a real convenience but it also puts your data at risk. Although XP comes with a built in firewall (called ICF), it is not enabled by default, and it only filters incoming traffic without attempting to manage or restrict outbound connections at all. While this may be fine for most users, we highly recommend using a third party personal firewall such as if you're concerned about your data. For corporate users already behind a firewall, consider using Group Policy to enable ICF and disable specific ports when users are not connected to the corporate network. For more information on ICF, see: *support.microsoft.com/?kbid=283673

Use a router instead of ICS
The Internet Connection Sharing feature within XP allows a user to connect one PC to the internet and then share that connection with the rest of the computers within his home or small office network. While it was generally a good idea when it was conceived, if you have a high speed connection a real router is faster, easier to configure, and more secure. For a small home or office, we strongly recommend the Linksys Cable/DSL Routers, which are usually under Rs4500.00

Install AntiVirus Software on all workstations
Viruses and other forms of malicious software have been around for years, but today's malware utilizes the internet and e-mail systems to spread globally in a matter of hours. Installing AntiVirus software is a basic step in protecting your data, but it's near useless if the definitions aren't updated.

Keep up to date with hotfixes and service packs
Windows XP is a complex operating system and is not immune to its own bugs and security holes. It's a common tactic for hackers to use the latest known security hole to break into a system and work backward from there until they find an open door that gives them full access. In fact 99% of system breaches are executed using known security vulnerabilities that were never patched. Use the Windows Update feature or automatic update to keep your system up to date. You can also use the Microsoft Baseline Security Analyzer to check your system for known vulnerabilities, available from *www.microsoft.com/technet/security/tools/Tools/mbsahome.asp


Code:
To enable automatic update in Windows XP:
	Click Start, click Control Panel, click Performance and Maintenance, and then click System.
	On the Automatic Updates tab, click the setting of your choice

Password protect the screensaver
Once again this is a basic security step that is often circumvented by users. Make sure all of your workstations have this feature enabled to prevent an internal threat from taking advantage of an unlocked console. For best results, choose the blank screensaver or logon screensaver. Avoid the OpenGL and graphic intensive programs that eat CPU cycles and memory. Make sure the wait setting is appropriate for your business. If you can get your users in the habit of manually locking their workstations when they walk away from their desks, you can probably get away with an idle time of 15 minutes or more. You can keep users from changing this setting via Group Policy or the local security policy.

Secure your wireless network
The new 802.11 wireless standard allows you to roam freely without cables and make anywhere your virtual office. This also gives hackers another open door to your data if you fail to lock it. A recent survey in the U.K. found that of 5,000 wireless networks that were discovered by simply driving around the city with a wireless enabled laptop, 92% were wide open. As "drive by" hacking and warchalking are becoming common practice, any hacker with a laptop and a Pringles can could potentially compromise your network. We could go into a whole new checklist on securing your wireless network but KB Article Q309369 is a good place to start.

Secure your Backup tapes
It's amazing how many organizations implement excellent platform security, and then don't encrypt and/or lock up their backup tapes containing the same data. It's also a good idea to keep your Emergency Repair Disks locked up and stored away from your workstations as well.

Intermediate Security Measures

Use the Security Configuration Manager and templates provided with XP Professional
The Security Configuration Manager (SCM) set of tools allows security administrators to define security templates that can be applied to individual machines or any number of machines via group policy. Security templates can contain password policies, lockout policies, Kerberos policies, audit policies, event log settings, registry values, service startup modes, service permissions, user rights, group membership restrictions, registry permissions and file system permissions. Microsoft provides a number of predefined security templates to help you lock down your PC via Group Policy. These templates represent low, medium, and high security configurations, which can be customized to meet your specific security needs. The security relevant registry values configurable by SCM appear under Local Policies\Security Options when using SCM tools such as the security templates snap-in, the security configuration and analysis snap-in, or the security settings extension to Group Policy. Note: This feature is not available on Windows XP Home Edition

Password Security
A good password policy is essential to your network security, but is often overlooked. In large organizations there is a huge temptation for lazy administrators to create all local Administrator accounts (or worse, a common domain level administrator account) that uses a variation of the company name, computer name, or advertising tag line, i.e. %companyname%#1, win2k%companyname%, etc. Even worse are new user accounts with simple passwords such as "welcome", "letmein", "new2you", that aren't required to change the password after the first logon. Use complex passwords that are changed at least every 60-90 days. Use Group Policy or the local computer policy to set restrictions on password age, length, complexity, lockout duration, and number of bad attempts. (Click Start > Run > type GPEDIT.MSC > Go to Computer Configuration > Windows Settings > Security Settings > Local Policy > Security Options ) Passwords should contain at least eight characters, and preferably nine (recent security information reports that many cracking programs are using the eight character standard as a starting point). Also, each password must follow the standards set for strong passwords. The basic goal is that the password should be complex enough to foil hacker attempts, and not so complex that users will have difficulty remembering their passwords and end up writing them on sticky notes pasted to the bottom of their keyboards.

Use software restriction policies
Using a software restriction policy, you can prevent unwanted programs from running; this includes viruses and Trojan horses, or other software that is known to cause conflicts when installed. Software restriction policies can also be used on a standalone computer by configuring the local security policy, or can integrate with Group Policy and Active Directory. (Click Start > Run > type GPEDIT.MSC > Go to Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies )
Note: This feature is not available on Windows XP Home Edition

Limit the number of unnecessary accounts
Eliminate any duplicate user accounts, test accounts, shared accounts, general department accounts, etc. Use group policies to assign permissions as needed, and audit your accounts regularly. These generic accounts are famous for having weak passwords (and lots of access) and are at the top of every hacker's list of accounts to crack first. This can be a big problem at larger companies with understaffed IT departments. An audit at a Fortune 10 company I worked for revealed that 3,000 of their 15,000 active user accounts were assigned to employees who no longer worked for the company. To make matters worse, we were able to crack the passwords on more than half of those inactive accounts.

Rename the Administrator Account
Many hackers will argue that this won't stop them, because they will use the SID to find the name of the account and hack that. Our view is, why make it easy for them? Renaming the Administrator account will stop some amateur hackers cold, and will annoy the more determined ones. Remember that hackers won't know what the inherited or group permissions are for an account, so they'll try to hack any local account they find and then try to hack other accounts as they go to improve their access. If you rename the account, try not to use the word "Admin" in its name. Pick something that won't sound like it has rights to anything.

Consider creating a dummy Administrator account
Another strategy is to create a local account named "Administrator", then give that account no privileges and an impossible to guess +10 digit complex password. This should keep the script kiddies busy for a while. If you create a dummy Administrative account, enable auditing so you'll know when it is being tampered with.

Replace the "Everyone" Group with "Authenticated Users" on file shares
"Everyone" in the context of Windows XP security means anyone who gains access to your network can access the data. Never assign the "Everyone" Group to have access to a file share on your network; use "Authenticated Users" instead. This is especially important for printers, which have the "Everyone" Group assigned by default.

Prevent the last logged-in user name from being displayed
When you press Ctrl-Alt-Del, a login dialog box appears which displays the name of the last user who logged in to the computer, and makes it easier to discover a user name that can later be used in a password-guessing attack. This can be disabled via the Group Policy snap in. (Click Start > Run > type GPEDIT.MSC > Go to Computer Configuration > Windows Settings > Security Settings > Local Policy > Security Options )

Make sure that Remote Desktop is disabled
Remote Desktop is a new feature in Windows XP Professional that allows you to connect to your computer remotely and work as though you are sitting at the console. While this may be convenient for some users, it also makes it easier for a hacker who has compromised one of your user accounts to log in directly to your machine from a remote location. Fortunately, remote desktop is not enabled by default on Windows XP Professional, and is not available for Windows XP Home Edition.

Advanced Security Settings

Enable Auditing on your Workstations
While this is a fairly normal practice for servers, it isn't usually performed on workstations unless there is a high risk of data theft. Our philosophy is that the time to fix the roof is before it starts to rain. By selectively auditing a few key actions, you'll have a place to start investigating theft or destruction of data if someone ever does compromise your workstation. We recommend auditing the following actions:

Event                   Level of Auditing
Account logon events    Success, failure
Account management      Success, failure
Logon events            Success, failure
Object access           Success
Policy change           Success, failure
Privilege use           Success, failure
System events           Success, failure

For more information see KB article Q310399 : *support.microsoft.com/?kbid=310399

Disable default shares
Windows XP automatically creates a number of hidden administrative shares that the operating system uses to manage the computer environment on the network. These default shares can be disabled via the Computer Management console in the Control Panel, but they are re-enabled by the system after you restart your computer. To prevent shares from being created at startup, open RegEdit and edit the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Create a DWORD value called AutoShareWks and set the parameter to 0. (Note: This does not disable the IPC$ share in our tests, we're still working on a solution). You should test the functionality of your programs and services after you disable the default administrative shares. Some Windows services depend on the existence of these shares. In addition, some third-party programs may require that some of the administrative shares exist. For example, some backup programs may require these shares. You may be able to restore functionality by manually creating the required shares.

Disable Dump File Creation
A dump file can be a useful troubleshooting tool when either the system or application crashes and causes the infamous "Blue Screen of Death". However, they also can provide a hacker with potentially sensitive information such as application passwords. You can disable the dump file by going to the Control Panel > System > Advanced > Startup and Recovery and change the options for "Write Debugging Information" to None. If you need to troubleshoot unexplained crashes at a later date, you can re-enable this option until the issue is resolved but be sure to disable it again later and delete any stored dump files.

Disable the ability to boot from a floppy or CD ROM on physically unsecured systems.
There are a number of 3rd party utilities that pose a security risk if used via a boot disk (including resetting the local administrator password.) If your security needs are more extreme, consider removing the floppy and CD drives entirely. As an alternative, store the CPU in a locked external case that still provides adequate ventilation. You can also restrict access to the floppy and CD-ROM drives in Windows XP Professional via the Local Computer Policy in the MMC (Click Start > Run > type GPEDIT.MSC > Go to Computer Configuration > Windows Settings > Security Settings > Local Policy > Security Options )

Disable AutoRun for the CD-ROM
One of the easiest ways for a hacker with physical access to a company's PC's to distribute malicious code is via the CD-ROM. By creating a custom CD with a payload set to launch from the autorun feature in any machine, a hacker can affect any number of unlocked systems without ever leaving a fingerprint or touching a keyboard. Or he/she can simply leave a few of these lying around the office marked "MP3's", or "Payroll Data" and wait for an unsuspecting user to simply pick it up and insert it into their machine. You can disable this function in Windows XP Professional by clicking Start > Run and typing GPEDIT.MSC. Then go to Computer Configuration > Administrative Templates > System and locate the entry for Turn autoplay off.

Consider using SmartCard or Biometric devices instead of passwords.
The more stringent your password policy is, the more likely your users will begin keeping paper password lists in their desk drawers, or taped to the bottom of their keyboard. Windows 2000 supports these devices, so consider the costs vs. risks of your most sensitive data. When using smart cards, please make sure to configure your workstation to lock if you remove the smart card, under Local Policies > Security Options > Interactive logon > Smart card removal behavior > Lock Workstation setting.

Consider implementing IPSec
Basically, IPSec provides encryption for network sessions using the Internet Protocol (IP) and promises to offer transparent and automatic encryption of network connections. For more information, click: *labmice.techtarget.com/networking/ipsec.htm


c ya
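
Added example (not part of the post above or of the article it was copied from): an offline check of a security template exported with `secedit /export /cfg <file>` against the checklist's password, Guest/Administrator account, audit table and last-user-name recommendations. The setting names are the ones security templates use, the thresholds come from the checklist (the lockout check only requires a non-zero count), and the sample template is constructed.

```python
# Offline check of a `secedit /export /cfg <file>` security template against
# the checklist's policy settings. SAMPLE is constructed for illustration.
SUCCESS, BOTH = 1, 3  # [Event Audit] flags: 1 = success, 2 = failure, 3 = both
AUDIT_BASELINE = {  # levels taken from the checklist's audit table
    "AuditAccountLogon": BOTH, "AuditAccountManage": BOTH,
    "AuditLogonEvents": BOTH, "AuditObjectAccess": SUCCESS,
    "AuditPolicyChange": BOTH, "AuditPrivilegeUse": BOTH,
    "AuditSystemEvents": BOTH,
}
LAST_USER = (r"machine\software\microsoft\windows\currentversion"
             r"\policies\system\dontdisplaylastusername")
SAMPLE = r"""
[System Access]
MinimumPasswordLength = 0
MaximumPasswordAge = 42
PasswordComplexity = 0
LockoutBadCount = 0
EnableGuestAccount = 1
NewAdministratorName = "Administrator"
[Event Audit]
AuditAccountLogon = 0
AuditLogonEvents = 2
AuditObjectAccess = 1
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
"""

def parse_template(text):
    """Return {section: {lowercased key: value}} for an INF-style template."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip().strip('"')
    return sections

def num(section, key, default):
    value = section.get(key.lower(), "")
    return int(value) if value.lstrip("-").isdigit() else default

def check(text):
    """Return findings; an empty list means the template meets the baseline."""
    cfg = parse_template(text)
    access, audit, registry = (
        cfg.get(s, {}) for s in ("System Access", "Event Audit", "Registry Values"))
    findings = []
    if num(access, "MinimumPasswordLength", 0) < 8:
        findings.append("minimum password length below 8")
    if not 1 <= num(access, "MaximumPasswordAge", -1) <= 90:
        findings.append("passwords not forced to change within 90 days")
    if num(access, "PasswordComplexity", 0) != 1:
        findings.append("password complexity not enforced")
    if num(access, "LockoutBadCount", 0) == 0:
        findings.append("no lockout after bad logon attempts")
    if num(access, "EnableGuestAccount", 1) != 0:
        findings.append("Guest account enabled")
    if access.get("newadministratorname", "administrator").lower() == "administrator":
        findings.append("Administrator account not renamed")
    for key, wanted in AUDIT_BASELINE.items():
        have = num(audit, key, 0)
        if (have & wanted) != wanted:
            findings.append(f"{key} is {have}, checklist wants {wanted}")
    # Registry values are stored as "<type>,<data>"; type 4 is REG_DWORD.
    if registry.get(LAST_USER, "4,0").split(",")[-1].strip() != "1":
        findings.append("last logged-in user name is displayed")
    return findings
```

Calling `check(SAMPLE)` lists every gap in the constructed template; settings that live only in the registry, such as AutoShareWks, do not appear in a secedit export and are outside this check.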
 

anandk

Distinguished Member
Make your WinXP still safer ! Plug these holes ! :)
click *www.thinkdigit.com/forum/viewtopic.php?t=23938&highlight=safer
 

dIgItaL_BrAt

Cyborg Agent
this ain't an original post, copied from *labmice.techtarget.com/articles/winxpsecuritychecklist.htm

@readermaniax: at least post the source!
 

cybermanas

Guest
@readermaniax
dIgItaL_BrAt is right. Quote the source if you are copy pasting data from a website.
 