Securing a Windows® XP Desktop
This document provides instructions for securing a Windows® XP desktop computer. Please be careful when modifying settings. Gigatek cannot be responsible for problems caused by the following changes. Use the following information at your own risk.
No matter what operating system you're using, the basic steps for securing it are the same:
• Install all operating system patches.
• Verify user account security.
• Eliminate unnecessary applications and network services.
• Install and configure necessary applications and network services.
• Configure system logging to record significant events.
• Keep applications and operating system patches up to date.
Install the latest patches
It's imperative that you connect to the internet and immediately download and install the necessary patches for your operating system. Many security exploits prey on systems which are not kept up to date. Un-patched machines are frequently exploited within minutes of being attached to an open network.
Once you've booted your Windows® XP computer to the Internet, select the Start button in the lower left hand corner of the screen. Select the Windows® Update menu item, and follow the instructions. Install at least the critical updates that Windows® Update discovers. Be sure you've installed all the updates for Internet Explorer, too. IE is an integral part of the Windows® operating system, and must be patched at the same time other security fixes are applied.
Verify user account security
• Disable the Guest
account. Windows® operating
systems include a Guest account designed for temporary users.
That's usually not a good idea, and in the vast majority of cases
the Guest account should be disabled. On Windows®
XP Home Edition, disabling the Guest account is not possible.
Set a strong password for it instead. For Windows®
XP Professional, confirm or disable the Guest account using the
1. Select the Start button on the lower left-hand corner of the screen.
2. Select Settings --> Control Panel.
3. Select User Accounts.
4. Confirm that it says Guest account is off.
• Make sure all accounts have passwords set. Many Windows® systems still have administrator or other accounts without any passwords set, or have very simple passwords. Check all accounts in the User Accounts screen as noted above and make sure passwords have been set. Make sure that all accounts have good passwords that are not based on dictionary words.
• Limit Administrative Privileges. Many computer users login to their Windows® system as administrator for all their day-to-day activity, or they create user accounts with administrative privilege levels. Many e-mail and web-based attacks take advantage of this by hijacking the security context of the logged-in user (the poor person who's accidentally clicked on that executable program they should have left alone). It's far safer to assign most users the Limited account type. Any user can use the Run As feature (hold shift while right-clicking an application to see the Run As option) to temporarily become the Administrator, if necessary, for instance to install software. Follow these steps for creating an Administrative account and lowering your default account privileges:
1. To create new users, open Control Panel and click on User Accounts.
2. Click Create an new account and fill in an account name. Make sure it is an easy to remember Administrative name for you, such as your username Admin. Click the next button.
3. Select the Computer Administrator radio button. Then click Create account.
4. Click on the icon for that new account, and select Create a password to set a password for this account.
5. After entering a password, click the Back button and select your default user account icon.
6. Select Change my account type and click the Limited radio button.
6. Click on the Change account type button to commit and you are finished.
Eliminate unnecessary applications and network services
Many services should be disabled by default, including file sharing. What follows are instructions for verifying and disabling any services that need to be done one by one. Make sure you disable Alerter; ClipBook; HP Web Jetadmin; Messenger; Netmeeting Remote Desktop Sharing; Network Dynamic Data Exchange; Network DDE DSDM; Remote Registry Service; Routing and Remote Access; telnet; and Universal Plug and Play Device Host, if they are enabled.
1. Select the Start button
on the lower, left-hand corner of the screen.
2. Select Settings --> Control Panel.
3. Double-click the Administrative Tools icon.
4. Double-click the Services icon.
5. Scroll down to the service in question and double-click it.
6. Change the Startup type to Disabled instead of either Manual or Automatic.
7. Reboot your computer after all desired service changes are made.
But note! Some Gigatek clients with Windows® client/server networks may need to turn on several of the "riskier" remote management tools, in order to allow their systems to be managed effectively. This risk is reduced by the fact that the domain controllers themselves can secure the individual workstations, making this a reasonable action for domain members. Ask your administrator about whether or not remote management tools are required. If they are, you'll want to leave the services they require enabled. These are probably Remote Registry Service and Application Management, but may include others.
More information about Disabling unnecessary and potentially dangerous services.
Disable Remote Assistance. This facility allows for remote control of your desktop for troubleshooting purposes, which isn't what we want by default. Go to Control Panel, double-click on the System icon, find the Remote tab, select Settings, and unselect the Allow this computer to be controlled remotely checkbox. But note! If your machine is a member of a Windows® domain, ask your administrator about whether or not to disable Remote Assistance.
Disable Windows® Simple File Sharing. Simple File Sharing shares files anonymously without any user access security, and shouldn't ever be used.
1. Click Start and then
2. Click the Folder Options icon
3. Select the View tab
4. Go to the Advanced Settings section of the window
5. Unselect the Use Simple File Sharing box
6. Click Apply
Install anti-virus software
Most PC's include Symantec's™ Norton Antivirus™ for desktop protection. All users are strongly encouraged to install it and to run LiveUpdate regularly (this is Norton's mechanism for updating virus signatures).
Configure system logging
System logs are invaluable when administrators need to troubleshoot a problem or recover a system that's been hacked. By default, Windows leaves all logging disabled, but you can set it yourself. Click on the Start button, then Settings, then Control Panel. Double click on Administrative Tools. Double click on Local Security Settings, and select Local Policies --> Audit Policy. Here's the audit policy configuration we recommend for stand-alone Windows® XP desktops:
To change the setting on an individual policy, highlight it, then right-click. Under the Properties item, you'll be able to select for success and/or failure audits. Note that if your machine is a member of a domain, its audit policy may be controlled by the Domain Controller.
Microsoft® allows a whopping 512 kb of storage space for Event Log records, and overwrites old records when that limit is reached. In most cases, that's a reasonable configuration (it should allow your machine to retain at least a few days of activity). But you can increase the amount of storage space available. From the Control Panel, double click on Administrative Tools, and then double click on Event Viewer. You'll see the three subsets of the Event Log, the Application, Security and System Logs. Access the properties of these logs by selecting one, right clicking on it, and bringing up the Properties. Log size is controlled here. We recommend leaving the default configuration of When maximum log size is reached to avoid inadvertently disabling your desktop system should you run out of log space.
Optional: Use the Windows® XP built-in firewall
Windows® XP includes a new feature, the Internet Connection Firewall. The ICF restricts access to services running on your machine, so it can prevent many kinds of attacks. It's especially valuable if you're using a laptop or a PC from home. ICF can interfere with the performance of some network-based applications, so run it at your own risk. To enable the Internet Connection Firewall:
1. Click Start then
2. Double-click Network Connections
3. Click show all connections if necessary
4. Right click your Local Area Connection then click Properties
5. Click the Advanced tab
6. Click the check box next to Protect my computer and network by limiting or preventing access to this computer from the Internet.
7. Click OK
Keep application and operating system patches up to date
Use Windows® Update. Default configurations of Windows® XP rely on the Windows® Update mechanism to notify users of new critical patches, and to manage the download and installation of those patches. To be sure you've got it running:
1. Click on the Start button
in the lower left hand corner of your screen.
2. Select the Control Panel.
3. Double-click on System.
4. Select the Automatic Updates tab.
5. Be sure that Keep my computer up to date is selected, and pick the notification and install option that best suits your needs (Notify me before installing updates, Install updates automatically, Install updates at the time I've selected)
Other Resources and Links
Windows® XP Security Checklist
Microsoft®: Windows® XP Baseline Security Checklist
Microsoft®: Protect your PC