
Chapter 3: Security Settings for Windows XP Clients
Windows XP Security Guide
Updated: April 13, 2006

Overview

This chapter describes in detail the primary security settings that are configured through Group Policy in a Microsoft Windows 2000 or Windows Server 2003 Active Directory directory service domain. Implement the prescribed policy settings to ensure that the desktop and laptop computers in your organization that run Microsoft Windows XP Professional with Service Pack 2 (SP2) are configured securely. Guidance is not provided for all available policy settings in Windows XP, just those that are directly relevant to the security of the computer.

As described in Chapter 1, "Introduction to the Windows XP Security Guide," the guidance that is presented in this chapter is specific to the Enterprise Client (EC) and the Specialized Security – Limited Functionality (SSLF) environments that are defined in this guide. In some instances, this chapter recommends policy settings for laptops that are different from those for desktops because portable computers are mobile and not always connected to domain controllers in your environment through your organization's network. It is also assumed that laptop users sometimes work at times when on-site technical support is not available. For these reasons, policy settings that require connectivity to a domain controller or that govern logon hours are different for laptop client computers.

Policy settings that are not specified for specific environments are sometimes defined at the domain level, as described in Chapter 2, "Configuring the Active Directory Domain Infrastructure." Other policy settings that are listed as Not Defined in this chapter are treated in this manner because the default value is sufficiently secure for that particular environment. Also, undefined policy settings in these Group Policy objects (GPOs) facilitate the deployment of applications that need to modify settings during installation. For example, enterprise management tools may need to assign specific user rights to the local service accounts on managed computers. The guidance in this chapter consists of recommendations, and you should always carefully consider your business needs before you make any changes in your environment.

The following table defines the infrastructure (.inf) files that are available with this guidance. The files contain all of the baseline security setting prescriptions for the two environments that are discussed in this chapter.

Table 3.1 Baseline Security Templates

Description | EC | SSLF
Baseline security templates for desktops | EC-Desktop.inf | SSLF-Desktop.inf
Baseline security templates for laptops | EC-Laptop.inf | SSLF-Laptop.inf

For more detailed information about the policy settings that are discussed in this chapter, see the companion guide, which is available for download at http://go.microsoft.com/fwlink/?LinkId=15159.

Account Policy Settings

Account policy setting information is not provided in this chapter. These settings are discussed in Chapter 2, "Configuring the Active Directory Domain Infrastructure," of this guide.

Local Policy Settings

Local policy settings may be configured on any computer that runs Windows XP Professional through either the Local Security Policy Console or through the Active Directory domain-based GPOs. Local policy settings include those for Audit policy, user rights assignments, and security options.

Audit Policy Settings

An Audit policy determines the security events to report to administrators so that user or system activity in specified event categories is recorded. The administrator can monitor security-related activity, such as who accesses an object, when users log on to or log off from computers, or if changes are made to an Audit policy setting. For all of these reasons, Microsoft recommends that you form an Audit policy for an administrator to implement in your environment.

However, before you implement an Audit policy you must decide which event categories need to be audited in your environment. The audit settings you choose within the event categories define your Audit policy. When you define audit settings for specific event categories, an administrator can create an Audit policy that will meet the security needs of your organization.

If no audit settings are configured, it will be difficult or impossible to determine what took place during a security incident. However, if audit settings are configured so that too many authorized activities generate events, the Security event log will fill up with useless data.
The information in the following sections is designed to help you decide what to monitor and how to collect relevant audit data for your organization.

You can configure the Audit policy settings in Windows XP at the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

The following table summarizes the Audit policy setting recommendations for both desktop and laptop client computers in the two types of secure environments that are discussed in this chapter. The Enterprise Client environment is referred to as EC, and the Specialized Security – Limited Functionality environment is referred to as SSLF. You should review these recommendations and adjust them as appropriate for your organization. However, be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for Audit privilege use, so many audit events will be generated that it may not be feasible to find other types of entries in the Security event log. Such a configuration could also have a significant impact on performance. More detailed information about each of the settings is provided in the following subsections.

Table 3.2 Audit Policy Setting Recommendations

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Audit account logon events | Success | Success | Success, Failure | Success, Failure
Audit account management | Success | Success | Success, Failure | Success, Failure
Audit directory service access | Not Defined | Not Defined | Not Defined | Not Defined
Audit logon events | Success | Success | Success, Failure | Success, Failure
Audit object access | No Auditing | No Auditing | Failure | Failure
Audit policy change | Success | Success | Success | Success
Audit privilege use | No Auditing | No Auditing | Failure | Failure
Audit process tracking | No Auditing | No Auditing | No Auditing | No Auditing
Audit system events | Success | Success | Success | Success

Audit account logon events

If this policy setting is enabled, events for credential validation are generated. These events occur on the computer that is authoritative for the credentials. For domain accounts the domain controller is authoritative, and for local accounts the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the domain controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization depending on the accounts that are used to log on.

In this guidance, the Audit account logon events setting is configured to Success only for the EC environment and to Success and Failure for the SSLF environment.

Audit account management

This policy setting is used to track attempts to create new users or groups, rename users or groups, enable or disable user accounts, change account passwords, and enable auditing for Account Management events.
If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user and group accounts.

The Audit account management setting is configured to Success for the EC environment and to Success and Failure for the SSLF environment.

Audit directory service access

This policy setting can only be enabled to perform audit tasks on domain controllers. For this reason, the setting is not defined at the workstation level. This policy setting does not apply to computers that run Windows XP Professional. Therefore, ensure that the Audit directory service access setting is configured to Not Defined for the two environments that are discussed in this chapter.

Audit logon events

This policy setting generates events that record the creation and destruction of logon sessions. These events occur on the computer that is accessed. For interactive logons, these events would be generated on the computer that was logged on to. If a network logon was performed to access a share, these events would be generated on the computer that hosts the resource that was accessed.

If you configure the Audit logon events setting to No auditing, it is difficult or impossible to determine which user has either accessed or attempted to access computers in the organization.

The Audit logon events setting is configured to log Success events for the EC environment. This policy setting is configured to Success and Failure events for the SSLF environment.

Audit object access

By itself, this policy setting will not cause any events to be audited. It determines whether to audit the event of a user who accesses an object—for example, a file, folder, registry key, or printer—that has a specified system access control list (SACL).

A SACL is comprised of access control entries (ACEs). Each ACE contains three pieces of information:
- The security principal (user, computer, or group) to be audited.
- The specific access type to be audited, called an access mask.
- A flag to indicate whether to audit failed access events, successful access events, or both.

If you configure the Audit object access setting to Success, an audit entry is generated each time that a user successfully accesses an object with a specified SACL. If you configure this policy setting to Failure, an audit entry is generated each time that a user unsuccessfully attempts to access an object with a specified SACL.

Organizations should define only the actions they want enabled when they configure SACLs. For example, you might want to enable the Write and Append Data auditing setting on executable files to track when they are changed or replaced, because computer viruses, worms, and Trojan horses typically target executable files. Similarly, you might want to track when sensitive documents are accessed or changed.

The Audit object access setting is configured to No Auditing for the EC environment and to Failure for the SSLF environment. You must enable this setting for the following procedures to take effect.

The following procedures detail how to manually set up audit rules on a file or folder and how to test each audit rule for each object in the specified file or folder. The testing procedure may be automated by means of a script file.

To define an audit rule for a file or folder

1. Locate the file or folder using Windows Explorer and select it.
2. Click the File menu and select Properties.
3. Click the Security tab, and then click the Advanced button.
4. Click the Auditing tab.
5. Click the Add button, and the Select User, Computer, or Group dialog box will display.
6. Click the Object Types... button, and in the Object Types dialog box select the object types you want to find.
   Note: The User, Group, and Built-in security principal object types are selected by default.
7. Click the Locations... button, and in the Location: dialog box select either your domain or local computer.
8. In the Select User or Group dialog box, type the name of the group or user you want to audit. Then, in the Enter the object names to select dialog box, type Authenticated Users (to audit the access of all authenticated users) and click OK. The Auditing Entry dialog box will display.
9. Determine the type of access you want to audit on the file or folder using the Auditing Entry dialog box.
   Note: Remember that each access may generate multiple events in the event log and cause it to grow rapidly.
10. In the Auditing Entry dialog box, next to List Folder / Read Data, select Successful and Failed, and then click OK.
11. The audit entries you have enabled will display under the Auditing tab of the Advanced Security Setting dialog box.
12. Click OK to close the Properties dialog box.

To test an audit rule for the file or folder

1. Open the file or folder.
2. Close the file or folder.
3. Start the Event Viewer. Several Object Access events with Event ID 560 will appear in the Security event log.
4. Double-click the events as needed to view their details.

Audit policy change

This policy setting determines whether to audit every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself. The recommended settings would let you see any account privileges that an attacker attempts to elevate—for example, by adding the Debug programs privilege or the Back up files and directories privilege.

The Audit policy change setting is configured to Success for the two environments that are discussed in this chapter. The setting value for Failure is not included because it will not provide meaningful access information in the Security event log.

Audit privilege use

This policy setting determines whether to audit each instance of a user exercising a user right.
If you configure this value to Success, an audit entry is generated each time that a user right is exercised successfully. If you configure this value to Failure, an audit entry is generated each time that a user right is exercised unsuccessfully. This policy setting can generate a very large number of event records.

The Audit privilege use setting is configured to No Auditing for computers in the EC environment and to Failure for the SSLF environment to audit all unsuccessful attempts to use privileges.

Audit process tracking

This policy setting determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Enabling Audit process tracking will generate a large number of events, so typically it is set to No Auditing. However, this setting can provide a great benefit during an incident response from the detailed log of the processes started and the time when they were launched.

The Audit process tracking setting is configured to No Auditing for the two environments that are discussed in this chapter.

Audit system events

This policy setting is very important because it allows you to monitor system events that succeed and fail, and provides a record of these events that may help determine instances of unauthorized system access. System events include starting or shutting down computers in your environment, full event logs, or other security-related events that affect the entire system.

The Audit system events setting is configured to Success for both of the environments that are discussed in this chapter.

User Rights Assignment Settings

In conjunction with many of the privileged groups in Windows XP Professional, a number of user rights may be assigned to certain users or groups that typical users do not have.

To set the value of a user right to No One, enable the setting but do not add any users or groups to it. To set the value of a user right to Not Defined, do not enable the setting.

You can configure the user rights assignment settings in Windows XP at the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

The following table summarizes user rights assignment setting recommendations for user rights that begin with the letters A through E. Recommendations are provided for both desktop and laptop client computers in the two types of secure environments that are discussed in this chapter. More detailed information about each of the settings is provided in the following subsections. Recommendations for user rights that begin with the rest of the letters in the alphabet are summarized in Table 3.4, and additional detailed information about those user rights is provided in the subsections that follow that table.

Note: Many features in Internet Information Server (IIS) require certain accounts such as IIS_WPG, IUSR_<ComputerName>, and IWAM_<ComputerName> to have specific privileges. For more information about what user rights are required by accounts that are related to IIS, see the article at http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/3648346f-e4f5-474b-86c7-5a86e85fa1ff.mspx.

User Rights A – E

Table 3.3 User Rights Assignment Setting Recommendations – Part 1

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Access this computer from network | Not Defined | Not Defined | Administrators | Administrators
Act as part of the operating system | No One | No One | No One | No One
Adjust memory quotas for a process | Not Defined | Not Defined | Administrators, Local Service, Network Service | Administrators, Local Service, Network Service
Allow log on locally | Users, Administrators | Users, Administrators | Users, Administrators | Users, Administrators
Allow log on through Terminal Services | Not Defined | Not Defined | No One | No One
Back up files and directories | Not Defined | Not Defined | Administrators | Administrators
Bypass traverse checking | Not Defined | Not Defined | Administrators, Users | Administrators, Users
Change the system time | Administrators | Administrators | Administrators | Administrators
Create a pagefile | Administrators | Administrators | Administrators | Administrators
Create permanent shared objects | Not Defined | Not Defined | No One | No One
Create a token object | Not Defined | Not Defined | No One | No One
Debug programs | Administrators | Administrators | No One | No One
Deny access to this computer from the network | Support_, Guest | Support_, Guest | Support_, Guest | Support_, Guest
Deny log on as a batch job | Not Defined | Not Defined | Support_, Guest | Support_, Guest
Deny log on locally | Not Defined | Not Defined | Support_, Guest, any service accounts | Support_, Guest, any service accounts
Deny log on through Terminal Services | Not Defined | Not Defined | Everyone | Everyone
Enable computer and user accounts to be trusted for delegation | Not Defined | Not Defined | No One | No One

Access this computer from network

This policy setting allows other users on the network to connect to the computer and is required by various network protocols that include Server Message Block (SMB)–based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+).

The Access this computer from network setting is configured to Not Defined for the EC environment and to Administrators for the SSLF environment.

Act as part of the operating system

This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access.

For this reason, the Act as part of the operating system setting is restricted to No One for both of the environments that are discussed in this chapter.

Adjust memory quotas for a process

This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial of service (DoS) attack.

For this reason, the Adjust memory quotas for a process setting is restricted to Administrators, Local Service, and Network Service for both computer types for the SSLF environment and configured to Not Defined for computers for the EC environment.

Allow log on locally

This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the client computer keyboard require this user right. Users who attempt to log on through Terminal Services or Microsoft Internet Information Services (IIS) also require this user right.

The Guest account is assigned this user right by default. Although this account is disabled by default, Microsoft recommends that you enable this setting through Group Policy. However, this user right should generally be restricted to the Administrators and Users groups.
Assign this user right to the Backup Operators group if your organization requires that they have this capability.

The Allow log on locally setting is restricted to the Users and Administrators groups for the two environments that are discussed in this chapter.

Allow log on through Terminal Services

This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. If your organization uses Remote Assistance as part of its help desk strategy, create a group and assign it this user right through Group Policy. If the help desk in your organization does not use Remote Assistance, then assign this user right only to the Administrators group or use the restricted groups feature to ensure that no user accounts are part of the Remote Desktop Users group.

Restrict this user right to the Administrators group, and possibly the Remote Desktop Users group, to prevent unwanted users from gaining access to computers on your network by means of the new Remote Assistance feature in Windows XP Professional.

The Allow log on through Terminal Services setting is configured to Not Defined for the EC environment. For additional security this policy setting is configured to No One for the SSLF environment.

Back up files and directories

This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programming interface (API). Otherwise, the assigned file and directory permissions apply.

The Back up files and directories setting is configured to Not Defined for computers in the EC environment. This policy setting is configured to the Administrators group for the SSLF environment.

Bypass traverse checking

This policy setting allows users who do not have the special "Traverse Folder" access permission to "pass through" folders when they navigate an object path in the NTFS file system or in the registry. This user right does not allow users to list the contents of a folder, but only allows them to traverse directories.

The Bypass traverse checking setting is configured to Not Defined for computers in the EC environment. It is configured to the Administrators and Users groups for the SSLF environment.

Change the system time

This policy setting determines which users and groups can change the time and date on the internal clock of the computers in your environment. Users who are assigned this user right can affect the appearance of event logs. When a computer's time setting is changed, logged events reflect the new time, not the actual time that the events occurred.

The Change the system time setting is configured to the Administrators group for both of the environments that are discussed in this chapter.

Note: Discrepancies between the time on the local computer and on the domain controllers in your environment may cause problems for the Kerberos authentication protocol, which could make it impossible for users to log on to the domain or obtain authorization to access domain resources after they are logged on. Also, problems will occur when Group Policy is applied to client computers if the system time is not synchronized with the domain controllers.

Create a pagefile

This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer.

The Create a pagefile setting is configured to Administrators for all computers for both the EC environment and the SSLF environment.

Create permanent shared objects

This policy setting allows users to create directory objects in the object manager. This user right is useful to kernel-mode components that extend the object namespace. However, components that run in kernel mode have this user right inherently. Therefore, it is typically not necessary to specifically assign this user right.

The Create permanent shared objects setting is configured to Not Defined for the EC environment and to No One for the SSLF environment.

Create a token object

This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data. In environments where security is a high priority, this user right should not be assigned to any users. Any processes that require this capability should use the Local System account, which is assigned this user right by default.

The Create a token object setting is configured to Not Defined for the EC environment and to No One for the SSLF environment.

Debug programs

This policy setting determines which users can attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. This user right is required when administrators want to take advantage of patches that support "in-memory patching," also known as "hotpatching." For more information about the latest features in the Microsoft Package Installer, see the article at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/deployment/winupdte.mspx. Because an attacker could exploit this user right, it is assigned only to the Administrators group by default.

Note: Microsoft released several security patches in October 2003 that used a version of Update.exe that required the administrator to have the Debug programs user right. Administrators who did not have this user right were unable to install these patches until they reconfigured their user rights. For more information, see the Microsoft Knowledge Base article at http://support.microsoft.com/default.aspx?kbid=830846.

The Debug programs user right is very powerful. Therefore, this policy setting is configured to Administrators for the EC environment and maintained at its default setting of No One for the SSLF environment.

Deny access to this computer from the network

This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In a high security environment, there should be no need for remote users to access data on a computer. Instead, file sharing should be accomplished through the use of network servers.

The Deny access to this computer from the network setting is configured to the Support_ and Guest accounts for computers in both of the environments that are discussed in this chapter.

Deny log on as a batch job

This policy setting prohibits user logon through a batch-queue facility, a feature in Windows Server 2003 that is used to schedule jobs to run automatically one or more times in the future.

The Deny log on as a batch job setting is configured to Not Defined for the EC environment and to Support_ and Guest for the SSLF environment.

Deny log on locally

This policy setting prohibits users from local logon to the computer console. If unauthorized users could log on locally to a computer, they could download malicious code or elevate their privileges on the computer. (If attackers have physical access to the console, there are other risks to consider.) This user right should not be assigned to those users who need physical access to the computer console.

The Deny log on locally setting is configured to Not Defined for the EC environment and to Support_ and Guest for the SSLF environment.
Also, any service accounts for the SSLF environment that are added to the computer should be assigned this user right to prevent their abuse.

Deny log on through Terminal Services

This policy setting prohibits users from logging on to computers in your environment through Remote Desktop connections. If you assign this user right to the Everyone group, you also prevent members of the default Administrators group from using Terminal Services to log on to computers in your environment.

The Deny log on through Terminal Services setting is configured to Not Defined for the EC environment and to the Everyone group for the SSLF environment.

Enable computer and user accounts to be trusted for delegation

This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. Abuse of this privilege could allow unauthorized users to impersonate other users on the network.

For this reason, the Enable computer and user accounts to be trusted for delegation setting is configured to Not Defined for the EC environment and to No One for the SSLF environment.

User Rights F – T

This table summarizes user rights assignment setting recommendations for user rights that begin with the letters F through T. More detailed information about each of the settings is provided in the following subsections.

Table 3.4 User Rights Assignment Setting Recommendations – Part 2

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Force shutdown from a remote system | Administrators | Administrators | Administrators | Administrators
Generate Security Audits | Local Service, Network Service | Local Service, Network Service | Local Service, Network Service | Local Service, Network Service
Increase scheduling priority | Administrators | Administrators | Administrators | Administrators
Load and unload device drivers | Administrators | Administrators | Administrators | Administrators
Lock pages in memory | No One | No One | No One | No One
Log on as a batch job | Not Defined | Not Defined | No One | No One
Log on as a service | Not Defined | Not Defined | Network Service, Local Service | Network Service, Local Service
Manage auditing and security log | Administrators | Administrators | Administrators | Administrators
Modify firmware environment variables | Administrators | Administrators | Administrators | Administrators
Perform volume maintenance tasks | Administrators | Administrators | Administrators | Administrators
Profile single process | Not Defined | Not Defined | Administrators | Administrators
Profile system performance | Administrators | Administrators | Administrators | Administrators
Remove computer from docking station | Administrators, Users | Administrators, Users | Administrators, Users | Administrators, Users
Replace a process level token | Local Service, Network Service | Local Service, Network Service | Local Service, Network Service | Local Service, Network Service
Restore files and directories | Not Defined | Not Defined | Administrators | Administrators
Shut down the system | Administrators, Users | Administrators, Users | Administrators, Users | Administrators, Users
Take ownership of files or other objects | Administrators | Administrators | Administrators | Administrators

Force shutdown from a remote system

This policy setting allows users to shut down Windows XP–based computers from remote locations on the network. Anyone that has been assigned this user right can cause a denial of service (DoS) condition, which would make the computer unavailable to service user requests. Therefore, Microsoft recommends that only highly trusted administrators be assigned this user right.

The Force shutdown from a remote system setting is configured to the Administrators group for both of the environments that are discussed in this chapter.

Generate Security Audits

This policy setting determines which users or processes can generate audit records in the Security log. An attacker could use this capability to create a large number of audited events, which would make it more difficult for a system administrator to locate any illicit activity.
Also, if the event log is configured to overwrite events as needed, any evidence of unauthorized activities could be overwritten by a large number of unrelated events.

For this reason, the Generate Security Audits setting is configured to the Local Service and Network Service groups for both of the environments that are discussed in this chapter.

Increase scheduling priority

This policy setting allows users to change the amount of processor time that a process utilizes. An attacker could use this capability to increase the priority of a process to real-time and create a denial of service condition for a computer.

For this reason, the Increase scheduling priority setting is configured to the Administrators group for both of the environments that are discussed in this chapter.

Load and unload device drivers

This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this capability to install malicious code that appears to be a device driver. This user right and membership in either the Power Users group or the Administrators group is required for users to add local printers or printer drivers in Windows XP.

Because this user right could be used by an attacker, the Load and unload device drivers setting is configured to the Administrators group for both of the environments that are discussed in this chapter.

Lock pages in memory

This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. If this user right is assigned, significant degradation of system performance can occur.

For this reason, the Lock pages in memory setting is configured to No One for both of the environments that are discussed in this chapter.

Log on as a batch job

This policy setting allows accounts to log on using the task scheduler service. Because the task scheduler is often used for administrative purposes, it may be needed in the EC environment. However, its use should be restricted in the SSLF environment to prevent misuse of system resources or to prevent attackers from using the right to launch malicious code after gaining user level access to a computer.

Therefore, the Log on as a batch job user right is configured to Not Defined for the EC environment and to No One for the SSLF environment.

Log on as a service

This policy setting allows accounts to launch network services or to register a process as a service running on the system. This user right should be restricted on any computer in a SSLF environment, but because many applications may require this privilege, it should be carefully evaluated and tested before configuring it in an EC environment.

The Log on as a service setting is configured to Not Defined for the EC environment and to Network Service and Local Service for the SSLF environment.

Manage auditing and security log

This policy setting determines which users can change the auditing options for files and directories as well as clear the Security log.

Because this capability represents a relatively small threat, the Manage auditing and security log setting enforces the default value of the Administrators group for both of the environments that are discussed in this chapter.

Modify firmware environment variables

This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration.
Modification of these values and could lead to a hardware failure that would result in a denial of service condition.Because this capability represents a relatively small threat, the Modify firmware environment variables setting enforces the default value of the Administrators group for both of the environments that are discussed in this chapter.Perform volume maintenance tasksThis policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial of service condition.The Perform volume maintenance tasks setting enforces the default value of the Administrators group for both of the environments that are discussed in this chapter.Profile single processThis policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if System Monitor is configured to collect data using Windows Management Instrumentation (WMI). 
Restricting the Profile single process user right prevents intruders from gaining additional information that could be used to mount an attack on the system.The Profile single process setting is configured to Not defined for computers in the EC environment and to the Administrators group for the SSLF environment.Profile system performanceThis policy setting allows users to use tools to view the performance of different system processes, which could be abused to allow attackers to determine a system's active processes and provide insight into the potential attack surface of the computer.The Profile system performance setting enforces the default of the Administrators group for both of the environments that are discussed in this chapter.Remove computer from docking stationThis policy setting allows the user of a portable computer to click Eject PC on the Start menu to undock the computer.The Remove computer from docking station setting is configured to the Administrators and Users groups for both of the environments that are discussed in this chapter.Replace a process level tokenThis policy setting allows one process or service to start another service or process with a different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges.The Replace a process level token setting is configured to the default values of Local Service and Network Service for both of the environments that are discussed in this chapter.Restore files and directoriesThis policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories on computers that run Windows XP in your environment. 
This user right also determines which users can set valid security princip it is similar to the Back up files and directories user right.The Restore files and directories setting is configured to Not Defined for the EC environment and to the Administrators group for the SSLF environment.Shut down the systemThis policy setting determines which users who are logged on locally to the computers in your environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition. In high security environments, Microsoft recommends that this right only be assigned to the Administrators and Users groups.The Shut down the system setting is configured to the Administrators and Users groups for both of the environments that are discussed in this chapter.Take ownership of files or other objectsThis policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects and give ownership to the specified user.The Take ownership of files or other objects setting is configured to the default value of the Administrators group for both of the environments that are discussed in this chapter.Security Option SettingsThe security option settings that are applied through Group Policy on computers that run Windows XP in your environment are used to enable or disable capabilities and features such as floppy disk drive access, CD-ROM drive access, and logon prompts. 
These settings are also used to configure various other settings, such as those for the digital signing of data, administrator and guest account names, and how driver installation works.

You can configure the security option settings in the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Not all of the settings that are included in this section exist on all types of systems. Therefore, the settings that comprise the Security Options portion of Group Policy that are defined in this section may need to be manually modified on systems in which these settings are present to make them fully operable. Alternatively, the Group Policy templates can be edited individually to include the appropriate setting options so that the prescribed settings will take full effect.

The following sections provide security option setting recommendations, and are grouped by type of object. Each section includes a table that summarizes the settings, and detailed information is provided in the subsections that follow each table. Recommendations are provided for both desktop and laptop client computers in the two types of secure environments that are discussed in this chapter—the Enterprise Client (EC) environment and the Specialized Security – Limited Functionality (SSLF) environment.

Accounts

The following table summarizes the recommended security option settings for accounts. Additional information is provided in the subsections that follow the table.

Table 3.5 Security Option Setting Recommendations – Accounts

| Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop |
| --- | --- | --- | --- | --- |
| Accounts: Administrator account status | Not Defined | Not Defined | Enabled | Enabled |
| Accounts: Guest account status | Disabled | Disabled | Disabled | Disabled |
| Accounts: Limit local account use of blank passwords to console logon only | Enabled | Enabled | Enabled | Enabled |
| Accounts: Rename administrator account | Recommended | Recommended | Recommended | Recommended |
| Accounts: Rename guest account | Recommended | Recommended | Recommended | Recommended |

Accounts: Administrator account status

This policy setting enables or disables the Administrator account during normal operation. When a computer is booted into safe mode, the Administrator account is always enabled, regardless of how this setting is configured.

The Accounts: Administrator account status setting is configured to Not Defined for the EC environment and to Enabled for the SSLF environment.

Accounts: Guest account status

This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system.

The Accounts: Guest account status security option setting is configured to Disabled for the two environments that are discussed in this chapter.

Accounts: Limit local account use of blank passwords to console logon only

This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts with blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer.

The Accounts: Limit local account use of blank passwords to console logon only setting is configured to Enabled for the two environments that are discussed in this chapter.

Accounts: Rename administrator account

The built-in local administrator account is a well-known account name that attackers will target. Microsoft recommends that you choose another name for this account, and that you avoid names that denote administrative or elevated access accounts. Be sure to also change the default description for the local administrator (through the Computer Management console).

The recommendation to use the Accounts: Rename administrator account setting applies to both of the environments that are discussed in this chapter.

Note: This policy setting is not configured in the security templates, nor is a new username for the account suggested in this guidance. Suggested usernames are omitted to ensure that organizations that implement this guidance will not use the same new username in their environments.

Accounts: Rename guest account

The built-in local guest account is another well-known name to hackers. Microsoft also recommends that you rename this account to something that does not indicate its purpose. Even if you disable this account (which is recommended), ensure that you rename it for added security.

The recommendation to use the Accounts: Rename guest account setting applies to both of the environments that are discussed in this chapter.

Note: This policy setting is not configured in the security templates, nor is a new username for the account suggested here. Suggested usernames are omitted to ensure that organizations that implement this guidance will not use the same new username in their environments.

Audit

The following table summarizes the recommended Audit settings.
Additional information is provided in the subsections that follow the table.

Table 3.6 Security Option Setting Recommendations – Audit

| Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop |
| --- | --- | --- | --- | --- |
| Audit: Audit the access of global system objects | Not Defined | Not Defined | Disabled | Disabled |
| Audit: Audit the use of Backup and Restore privilege | Not Defined | Not Defined | Disabled | Disabled |
| Audit: Shut down system immediately if unable to log security audits | Not Defined | Not Defined | Not Defined | Not Defined |

Audit: Audit the access of global system objects

This policy setting creates a default System Access Control List (SACL) for system objects such as mutexes, events, semaphores, and MS-DOS(R) devices, and causes access to these system objects to be audited.

If the Audit: Audit the access of global system objects setting is enabled, a very large number of security events could quickly fill the Security event log. Therefore, this policy setting is configured to Not Defined for the EC environment and Disabled for the SSLF environment.

Audit: Audit the use of Backup and Restore privilege

This policy setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use setting is in effect. If you enable both policies, an audit event will be generated for every file that is backed up or restored.

If the Audit: Audit the use of Backup and Restore privilege setting is enabled, a very large number of security events could quickly fill the Security event log. Therefore, this policy setting is configured to Not Defined for the EC environment and Disabled for the SSLF environment.

Audit: Shut down system immediately if unable to log security audits

This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason.

If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. Therefore, this policy setting is configured to Not Defined for both of the environments that are discussed in this chapter.

Devices

The following table summarizes the recommended security option settings for devices. Additional information is provided in the subsections that follow the table.

Table 3.7 Security Option Setting Recommendations – Devices

| Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop |
| --- | --- | --- | --- | --- |
| Devices: Allow undock without having to log on | Not Defined | Not Defined | Disabled | Disabled |
| Devices: Allowed to format and eject removable media | Administrator, Interactive Users | Administrator, Interactive Users | Administrators | Administrators |
| Devices: Prevent users from installing printer drivers | Enabled | Disabled | Enabled | Disabled |
| Devices: Restrict CD-ROM access to locally logged on user only | Not Defined | Not Defined | Disabled | Disabled |
| Devices: Restrict floppy access to locally logged on user only | Not Defined | Not Defined | Disabled | Disabled |
| Devices: Unsigned driver installation behavior | Warn but allow installation | Warn but allow installation | Warn but allow installation | Warn but allow installation |

Devices: Allow undock without having to log on

This policy setting determines whether a portable computer can be undocked if the user does not log on to the system. Enable this policy setting to eliminate a logon requirement and allow use of an external hardware eject button to undock the computer.
If you disable this policy setting, a user who is not logged on must have been assigned the Remove computer from docking station user right (not defined in this guidance).

The Devices: Allow undock without having to log on setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

Devices: Allowed to format and eject removable media

This policy setting determines who is allowed to format and eject removable media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges.

The Devices: Allowed to format and eject removable media setting is restricted to the Administrators and Interactive Users groups for the EC environment, and to the Administrators group only for the SSLF environment for added security.

Devices: Prevent users from installing printer drivers

It is feasible for a hacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network. To reduce the possibility of such an event, only administrators should be allowed to install printer drivers. However, because laptops are mobile devices, laptop users may need to occasionally install a printer driver from a remote source in order to continue their work. Therefore, this policy setting should be disabled for laptop users, but always enabled for desktop users.

The Devices: Prevent users from installing printer drivers setting is configured to Enabled for desktops in both of the environments that are discussed in this chapter and to Disabled for laptop users in both of the environments.

Devices: Restrict CD-ROM access to locally logged on user only

This policy setting determines whether the CD-ROM drive is accessible to both local and remote users simultaneously. If you enable this policy setting, only interactively logged on users are allowed to access media from the CD-ROM drive. When this policy setting is enabled and no one is logged on, the CD-ROM drive can be accessed over the network. If you enable this setting, the Windows Backup utility will fail if volume shadow copies were specified for the backup job. Any third-party backup products that use volume shadow copies will also fail.

The Devices: Restrict CD-ROM access to locally logged on user only setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

Devices: Restrict floppy access to locally logged on user only

This policy setting determines whether the floppy drive is accessible to both local and remote users simultaneously. If you enable this policy setting, only interactively logged on users are allowed to access floppy drive media. When this policy setting is enabled and no one is logged on, floppy drive media can be accessed over the network. If you enable this setting, the Windows Backup utility will fail if volume shadow copies were specified for the backup job. Any third-party backup products that use volume shadow copies will also fail.

The Devices: Restrict floppy access to locally logged on user only setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

Devices: Unsigned driver installation behavior

This policy setting determines what happens when an attempt is made to install a device driver (by means of the Setup API) that has not been approved and signed by the Windows Hardware Quality Lab (WHQL). This option prevents the installation of unsigned drivers or warns the administrator that an unsigned driver is about to be installed, which can prevent installation of drivers that have not been certified to run on Windows XP. If you configure this policy setting to the Warn but allow installation value, one potential problem is that unattended installation scripts will fail when they attempt to install unsigned drivers.

For this reason, the Devices: Unsigned driver installation behavior setting is configured to Warn but allow installation for both of the environments that are discussed in this chapter.

Note: If you implement this policy setting, the client computers should be fully configured with all of your standard software applications before Group Policy is applied to mitigate the risk of installation errors that are caused by the setting.

Domain Member

The following table summarizes the recommended security option settings for domain members. Additional information is provided in the subsections that follow the table.

Table 3.8 Security Option Setting Recommendations – Domain Member

| Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop |
| --- | --- | --- | --- | --- |
| Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | Enabled | Enabled | Enabled |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled | Enabled | Enabled | Enabled |
| Domain member: Digitally sign secure channel data (when possible) | Enabled | Enabled | Enabled | Enabled |
| Domain member: Disable machine account password changes | Disabled | Disabled | Disabled | Disabled |
| Domain member: Maximum machine account password age | 30 days | 30 days | 30 days | 30 days |
| Domain member: Require strong (Windows 2000 or later) session key | Enabled | Enabled | Enabled | Enabled |

Domain member: Digitally encrypt or sign secure channel data (always)

This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted.
If a system is set to always encrypt or sign secure channel data, then it cannot establish a secure channel with a domain controller that is not capable of signing or encrypting all secure channel traffic, because all secure channel data is signed and encrypted.

The Domain member: Digitally encrypt or sign secure channel data (always) setting is configured to Enabled for both of the environments that are discussed in this chapter.

Domain member: Digitally encrypt secure channel data (when possible)

This policy setting determines whether a domain member may attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member will request encryption of all secure channel traffic. If you disable this policy setting, the domain member will be prevented from negotiating secure channel encryption.

The Domain member: Digitally encrypt secure channel data (when possible) setting is configured to Enabled for both of the environments that are discussed in this chapter.

Domain member: Digitally sign secure channel data (when possible)

This policy setting determines whether a domain member may attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network.

The Domain member: Digitally sign secure channel data (when possible) setting is configured to Enabled for both of the environments that are discussed in this chapter.

Domain member: Disable machine account password changes

This policy setting determines whether a domain member may periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its computer account password. If you disable this policy setting, the domain member can change its computer account password as specified by the Domain Member: Maximum machine account password age setting, which by default is every 30 days. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker may be able to determine the password for the system's domain account.

Therefore, the Domain member: Disable machine account password changes setting is configured to Disabled for both of the environments that are discussed in this chapter.

Domain member: Maximum machine account password age

This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly or set it to 0 so that the computers no longer change their passwords, an attacker would have more time to undertake a brute force attack against one of the computer accounts.

Therefore, the Domain member: Maximum machine account password age setting is configured to 30 days for both of the environments that are discussed in this chapter.

Domain member: Require strong (Windows 2000 or later) session key

When this policy setting is enabled, a secure channel may only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key.

To enable this policy setting, all domain controllers in the domain must be able to encrypt secure channel data with a strong key, which means all domain controllers must be running Microsoft Windows 2000 or later.
If communication to non-Windows 2000 domains is required, Microsoft recommends that you disable this policy setting.

The Domain member: Require strong (Windows 2000 or later) session key setting is configured to Enabled for both of the environments that are discussed in this chapter.

Interactive Logon

The following table summarizes the recommended security option settings for interactive logon. Additional information is provided in the subsections that follow the table.

Table 3.9 Security Option Setting Recommendations – Interactive Logon

| Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop |
| --- | --- | --- | --- | --- |
| Interactive Logon: Do not display last user name | Enabled | Enabled | Enabled | Enabled |
| Interactive Logon: Do not require CTRL+ALT+DEL | Disabled | Disabled | Disabled | Disabled |
| Interactive Logon: Message text for users attempting to log on | This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. | This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. | This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. | This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. |
| Interactive Logon: Message title for users attempting to log on | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION. | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION. | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION. | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION. |
| Interactive Logon: Number of previous logons to cache (in case domain controller is not available) | 2 | 2 | 0 | 2 |
| Interactive Logon: Prompt user to change password before expiration | 14 days | 14 days | 14 days | 14 days |
| Interactive Logon: Require Domain Controller authentication to unlock workstation | Enabled | Disabled | Enabled | Disabled |
| Interactive Logon: Smart card removal behavior | Lock Workstation | Lock Workstation | Lock Workstation | Lock Workstation |

Interactive Logon: Do not display last user name

This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization.

The Interactive logon: Do not display last user name setting is configured to Enabled for the two environments that are discussed in this chapter.

Interactive Logon: Do not require CTRL+ALT+DEL

The CTRL+ALT+DEL key combination establishes a trusted path to the operating system when a user enters a username and password. When this policy setting is enabled, users are not required to use this key combination to log on to the network.
However, this configuration poses a security risk because it provides an opportunity for users to log on with weaker logon credentials.

The Interactive logon: Do not require CTRL+ALT+DEL setting is configured to Disabled for the two environments that are discussed in this chapter.

Interactive Logon: Message text for users attempting to log on

This policy setting specifies a text message that displays to users when they log on. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. The message text that is specified in the previous table is a recommended example for both the EC and SSLF environments.

The Interactive Logon: Message text for users attempting to log on setting is enabled with suitable text for both of the environments that are discussed in this chapter.

Note: Any warning that you display should first be approved by your organization's legal and human resources representatives. Also, the Interactive logon: Message text for users attempting to log on and the Interactive logon: Message title for users attempting to log on settings must both be enabled for either one to work properly.

Interactive Logon: Message title for users attempting to log on

This policy setting allows text to be specified in the title bar of the window that users see when they log on to the system. The reason for this policy setting is the same as for the previous message text setting. Organizations that do not use this policy setting are more legally vulnerable to trespassers who attack the system.

Therefore, the Interactive Logon: Message title for users attempting to log on setting is enabled with suitable text for both of the environments that are discussed in this chapter.

Note: Any warning that you display should first be approved by your organization's legal and human resources representatives. Also, the Interactive logon: Message text for users attempting to log on and the Interactive logon: Message title for users attempting to log on settings must both be enabled for either one to work properly.

Interactive Logon: Number of previous logons to cache (in case domain controller is not available)

This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a domain controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. The default value for this policy setting is 10. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords.

The Interactive logon: Number of previous logons to cache (in case domain controller is not available) setting is configured to 2 for both desktop and laptop computers in the EC environment and for the laptop computers in the SSLF environment. However, this policy setting is configured to 0 for desktops in the SSLF environment because these computers should always be securely connected to the organization's network.

Interactive Logon: Prompt user to change password before expiration

This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently warn users when their passwords will expire.

The Interactive logon: Prompt user to change password before expiration setting is configured to 14 days for both of the environments that are discussed in this chapter.

Interactive Logon: Require Domain Controller authentication to unlock workstation

When this policy setting is enabled, a domain controller must authenticate the domain account used to unlock the computer. When this policy setting is disabled, cached credentials can be used to unlock the computer. Microsoft recommends that this policy setting be disabled for laptop users in both environments, because mobile users do not have network access to domain controllers.

The Interactive logon: Require Domain Controller authentication to unlock workstation setting is configured to Enabled for desktop computers in both the EC and SSLF environments. However, this policy setting is configured to Disabled for laptops in both of the environments, which allows these users to work when they are away from the office.

Interactive Logon: Smart card removal behavior

This policy setting determines what happens when the smart card for a logged on user is removed from the smart card reader. When configured to Lock Workstation, this policy setting locks the workstation when the smart card is removed, which allows users to leave the area, take their smart cards with them, and automatically lock their workstations. If you configure this policy setting to Force Logoff, users will be automatically logged off when the smart card is removed.

The Interactive logon: Smart card removal behavior setting is configured to the Lock Workstation option for both of the environments that are discussed in this chapter.

Microsoft Network Client

The following table summarizes the recommended security option settings for Microsoft network client computers. Additional information is provided in the subsections that follow the table.

Table 3.10 Security Option Setting Recommendations – Microsoft Network Client

| Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop |
| --- | --- | --- | --- | --- |
| Microsoft network client: Digitally sign communications (always) | Enabled | Enabled | Enabled | Enabled |
| Microsoft network client: Digitally sign communications (if
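The user rights table and the security option tables above describe what the SSLF desktop baseline should look like once Group Policy has applied; a practitioner also wants a way to confirm that a given workstation actually matches it. The following Python script is an added example, not part of the Windows XP Security Guide, that reads a security template in the INF layout produced by `secedit /export` and reports every setting that deviates from a subset of the SSLF desktop recommendations (user rights from the table at the top of this section, and options from Tables 3.5, 3.8 and 3.9). The `Se*` privilege constants, the `MACHINE\...` registry paths, the `[Privilege Rights]` and `[Registry Values]` section layout and the well-known SIDs are the standard secedit template mappings as assumed here; the chapter itself names only the friendly setting names. The sample export is constructed to show drift and is not a capture from a real host.

```python
"""Added example: check a secedit-style template export against this chapter's SSLF desktop baseline."""

# Well-known SIDs for the groups named in the tables above.
ADMINS, USERS = "S-1-5-32-544", "S-1-5-32-545"
LOCAL_SVC, NET_SVC = "S-1-5-19", "S-1-5-20"
NAMES = {ADMINS: "Administrators", USERS: "Users",
         LOCAL_SVC: "Local Service", NET_SVC: "Network Service"}

# User rights keyed by secedit privilege constant (assumed). Empty set = No One; absent = not defined.
SSLF_DESKTOP_RIGHTS = {
    "SeRemoteShutdownPrivilege": {ADMINS},       # Force shutdown from a remote system
    "SeAuditPrivilege": {LOCAL_SVC, NET_SVC},    # Generate Security Audits
    "SeLoadDriverPrivilege": {ADMINS},           # Load and unload device drivers
    "SeLockMemoryPrivilege": set(),              # Lock pages in memory
    "SeBatchLogonRight": set(),                  # Log on as a batch job
    "SeTakeOwnershipPrivilege": {ADMINS},        # Take ownership of files or other objects
}

# Registry-backed options under [Registry Values]: (type, data), 4 = REG_DWORD, 1 = REG_SZ. Paths assumed.
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
NETLOGON = r"MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters"
POLSYS = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
SSLF_DESKTOP_REGISTRY = {
    LSA + r"\LimitBlankPasswordUse": (4, "1"),       # Accounts: Limit local account use of blank passwords
    NETLOGON + r"\RequireSignOrSeal": (4, "1"),      # Domain member: Digitally encrypt or sign (always)
    NETLOGON + r"\RequireStrongKey": (4, "1"),       # Domain member: Require strong session key
    POLSYS + r"\DontDisplayLastUserName": (4, "1"),  # Interactive Logon: Do not display last user name
    POLSYS + r"\DisableCAD": (4, "0"),               # Interactive Logon: Do not require CTRL+ALT+DEL
    WINLOGON + r"\CachedLogonsCount": (1, "0"),      # Interactive Logon: Number of previous logons to cache
    WINLOGON + r"\ScRemoveOption": (1, "1"),         # Interactive Logon: Smart card removal (1 = Lock Workstation)
}

# Constructed sample of a `secedit /export` file from a drifted SSLF desktop (not a real capture).
SAMPLE_TEMPLATE = r"""
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-547
SeLockMemoryPrivilege =
SeBatchLogonRight = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"1"
"""


def parse_template(text):
    """Parse the INF-style export into {section: {key: raw value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def parse_sids(value):
    """'*S-1-5-32-544,*S-1-5-19' -> {'S-1-5-32-544', 'S-1-5-19'}; '' -> empty set (No One)."""
    return {t.strip().lstrip("*") for t in value.split(",") if t.strip()}


def fmt_sids(sids):
    """Render a SID set with the group names used in the tables; empty -> No One."""
    return ", ".join(sorted(NAMES.get(s, s) for s in sids)) or "No One"


def check_template(text):
    """Return (setting, expected, actual) for each deviation from the SSLF desktop baseline.
    A missing entry is reported as 'not defined': an undefined setting silently keeps the local default."""
    sections = parse_template(text)
    rights, registry = sections.get("Privilege Rights", {}), sections.get("Registry Values", {})
    findings = []
    for right, expected in SSLF_DESKTOP_RIGHTS.items():
        actual = parse_sids(rights[right]) if right in rights else None
        if actual != expected:
            findings.append((right, fmt_sids(expected), "not defined" if actual is None else fmt_sids(actual)))
    for path, (rtype, data) in SSLF_DESKTOP_REGISTRY.items():
        name = path.rsplit("\\", 1)[1]
        if path not in registry:
            findings.append((name, f"{rtype},{data}", "not defined"))
            continue
        atype, _, adata = registry[path].partition(",")
        actual = atype.strip() + "," + adata.strip().strip('"')   # normalise 1,"10" to 1,10
        if actual != f"{rtype},{data}":
            findings.append((name, f"{rtype},{data}", actual))
    return findings


if __name__ == "__main__":
    for setting, expected, actual in check_template(SAMPLE_TEMPLATE):
        print(f"{setting}: expected {expected}, found {actual}")
```

Run against the constructed sample, the check reports the Power Users SID on Load and unload device drivers, Log on as a batch job granted to Administrators where the SSLF column says No One, Take ownership and Require strong session key missing from the export, CTRL+ALT+DEL disabled, and ten cached logons instead of zero. To use it on a real workstation, export the effective policy with `secedit /export /cfg <file>` and pass the file contents to `check_template`; secedit writes the file as UTF-16, so open it with `encoding="utf-16"`. Extending the two baseline dictionaries to the remaining rows of the tables is mechanical.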
