OS Hardening Document for Windows XP Professional, Version 1.0
A.M. MOHAMED SAFI, Security Operations Team, May 2005 (E-mail: [email protected])
Security Operations
Confidential
Disclaimer: The recommendations contained in this document are generic and reflect the consensus of the security specialists of the Security Operations Team. They are intended to improve the security of the network, systems and devices. Proper use of these recommendations requires careful analysis by the implementer based on his/her environment and requirements.
About: This guide is focused on creating a baseline security policy for Windows XP Professional.
Who should read this document? This guide is primarily intended for machine owners, systems architects and IT professionals who are responsible for the deployment of Windows XP Professional.
Caution: The hardening guidelines should be followed before installing any applications on the OS.
Document Version Details
Date: 27-5-2005
Version: 1.0
Changes Made: Rebuilding and Hardening for Windows XP Professional
Prepared by: A.M. MOHAMED SAFI
Reviewed by: G.S. Jayakaran Paul
Approved by: Ravi Sogi
I. Introduction
This guide for rebuilding and hardening Windows XP Professional machines consists of two parts and appendices. The first part contains a number of critical steps which everybody should take in order to prevent being infected with currently common worms. Other than the initial installation of Windows and running Windows Update, the hardening steps described in the first part should take less than 30 minutes to do. The second part consists of recommended changes, as well as some additional tips and tweaks which you may or may not wish to apply depending on your own situation. Critical steps are marked with *Critical*, and suggested steps have a short blurb describing why you may or may not choose to implement the suggestion. The entire first part is considered critical.
The majority of the guide is targeted towards XP machines which:
1. Are not part of a domain,
2. Do not have a remote systems administrator,
3. Are not dual booting with another OS,
4. Are not running any servers, and
5. Do not need to transfer files directly with Windows 95/98/ME machines.
Most of this guide is still applicable even if your computer does not fall cleanly into the above categories, but you may wish to be more careful when implementing some of the suggested steps. Any time you encounter an optional step which you are not familiar with, or are not sure about the result of, you should check up on the results of the step before implementing it. While following this guide step by step will result in an XP system with greatly improved security, it is no substitute for ongoing attention to good computing security, including keeping up with patches, maintaining an up-to-date virus definition list, and exercising care with email attachments.
*Critical* If you are rebuilding a machine, be sure to back up any data that you want to keep! Good choices for backing up include burning data onto CDs or DVDs, external hard drives, or tape drives. This guide assumes that you will be formatting your hard drive to perform a clean install of XP, which results in the loss of any data you may currently have on the hard drive.
II. Checklist
*Critical* Before you start on this guide, you should:
1. Have a printed copy of this guide.
2. Have the Windows XP Professional installation disc on hand, as well as the registration codes.
3. Have the latest Symantec Antivirus (currently version 9.0) installation disc on hand. Please note that Symantec has also been known as Norton. For the sake of consistency throughout this guide, we will refer to the company and product as Symantec.
4. Have the latest virus definition files for Symantec burnt onto a CD or downloaded onto a USB jump drive. The latest virus definition files can be downloaded from http://ec-ls3.wipro.com/intelligentupdater/
5. If you are rebuilding a machine, be sure to have backed up any of your old data before you start!
6. Make a note of your network settings before you rebuild, particularly the following:
   a. Static or DHCP IP address (if static, note the actual IP, as well as the gateway and subnet mask)
   b. DNS server (typically 10.200.50.100 and 10.200.52.100)
III. Rebuilding and Securing XP
*Critical* (All new rebuilds should go through these steps.)
1. Leave your network cable unplugged while initially installing XP. *Critical* Depending on when you're rebuilding, you can get infected before you even log in the first time -- the record for fastest re-infection of a newly rebuilt machine during the highest point of MS Blaster activity back in Sept '03 was 27 seconds.
2. When asked how you would like to format your hard drive, choose ‘Format the partition using the NTFS file system’. There are conditions under which you may want to choose FAT32 instead. If you have a Windows 95/98/ME machine which will need to access files stored on this XP machine, or you are dual-booting with Linux, then you will need to have at least one FAT32 partition. In general, though, NTFS is a better and more secure choice than FAT32.
3. Type in a strong Administrator password if (when) queried for it. In no event should you use a blank password or a ‘generic’ password such as ‘administrator’, ‘password’, etc. Many current worms will attempt to guess passwords on mapped drives, and of course will go through many generic passwords. A strong password is at least 8 characters long, has both letters and non-letter characters, and mixed upper and lower case, preferably something that will mean something to you (e.g., TG2reBxp0).
4. Since your network cable is unplugged, just accept the default networking info. Unless you know that you are part of a domain, just select being part of a workgroup.
5. When prompted, select LAN, then (most likely) DHCP (Obtain IP automatically) and obtain DNS automatically. If you have a static IP, you should enter the information from Step 6 of the checklist here.
6. When asked to input usernames, just input one for now. It’s easier to add more later than to add them now, since it doesn’t prompt you for any password if you make them now, and it’s easier just to make the entire account later after you have the proper security settings set up.
7. At this point, you should be past all the initial configuration windows, and have the default (and insecure!) installation of Windows XP. If you prefer other graphical settings than the default, go ahead and change them at the end of the guide, since all the screenshots are taken with the default screens.
8. Put passwords on user accounts. Click on Start->Control Panel->User Accounts, double click on your user account, and click on ‘Create a password’. Be sure to choose a strong password, and be sure to have a password for every account on your computer.
9. Install Symantec AV from http://ec-ls3.wipro.com/intelligentupdater/ or CD. Choose ‘Install Client’ and ‘Unmanaged’, unless you know you are specifically supposed to do otherwise.
10. Run the Intelligent Updater from http://ec-ls3.wipro.com/intelligentupdater/ or CD. This is from the additional CD which you burnt for yourself, or which the Help Desk gave you. These are crucial virus definition files which have been added since Symantec AV was first released; if you don’t do this step, Symantec will not be able to catch most viruses and worms.
11. Schedule automatic Live Updates. Click on the little golden shield icon on the lower right hand corner of the screen. You should see the screenshot below.
Check to make sure that the date after ‘Version:’ is no later than the previous Wednesday (although it should probably be the date that you downloaded the Updater). While we’re here, we might as well schedule future updates to happen automatically on a daily basis. Choose a time when you think that your machine will be online daily, and preferably when you won’t be particularly busy working on it.
12. Be sure you have real-time protection enabled. Check by going to Configure->File System Real Time Protection, and make sure the box marked ‘Enable file system real time protection’ is checked. Make sure that you only select your local hard drive(s) (most likely just the C: drive).
Schedule regular Symantec scans: a weekly scan should be sufficient (feel free to change this to daily or monthly); pick a time when your computer will be on, but you won’t be using it extensively. This should not be the same time as when you download your updates.
13. Configure your network connection without the network cable plugged in. Yes, your network cable should still be unplugged at this point. It’s possible that Windows XP may already have a network configuration correctly set up for you, especially if you use DHCP, but you should still go through and check: Start->Control Panel->Network and Internet Connections->Network Connections (lower right hand area).
14. Turn off bridging. You may have bridging set up by default, such as for FireWire. This may cause the network port you are connected to to automatically disable itself, depending on which building you are in.
15. Turn off Windows File and Printer Sharing (optional). Right click on your network connection(s) and select Properties. You should be on the ‘General’ tab; uncheck the ‘File and Printer Sharing’ box, then continue to the next step to turn on your firewall.
16. Turn on ICF for your network connections. Right click on your network connection(s) and select Properties (if you didn’t already do so in the previous step). Select the ‘Advanced’ tab, check the ‘Protect my computer...’ box, then click ‘OK’. Your machine may freeze momentarily when you first turn on the firewall. You may want to get a different firewall later, but having ICF on in the meantime is better than nothing.
If you want to look into free firewalls available for personal use, you can check some of the references.
17. Plug your network cable in, and reboot your computer. Your computer is still insecure, but you’ll need to get on the network to get the latest Windows patches. Patching your computer regularly is crucial, since new bugs and exploits are found regularly and fixed by new patches from http://patch.wipro.com
18. Reveal hidden files and extensions. Click on Start -> My Computer, then on Tools->Folder Options. Go to the ‘View’ tab, unselect ‘Automatically search for network folders and printers’, select ‘Show hidden files and folders’, unselect ‘Hide extensions for known file types’, ‘Hide protected operating system files’ and ‘Use simple file sharing’, then click ‘Apply’ and ‘OK’.
19. Set Internet Explorer to at least Medium security. Start Internet Explorer (Start->Internet Explorer), and select Tools->Internet Options. Select the ‘Security’ tab, and be sure that the ‘Security Level’ of the ‘Internet’ zone is set to at least ‘Medium’. Click ‘Apply’ and ‘OK’.
IV. Additional Security Measures
The following is a list of other suggested steps for hardening your Windows XP system:
1. Turn off unnecessary services. Start -> Run -> services.msc (or Start -> Settings -> Control Panel -> Administrative Tools -> Services). Disable all the non-essential services, i.e. services that are not required for your environment.
By default Windows starts certain services during the installation phase over which we do not have any control. We begin the build process by disabling the services which are not required.
Note: You may need to run the following services if you plan on using Microsoft Networking tools or sharing resources: Server (when sharing resources) and Workstation (when connecting to resources).
Note: Ensure that the services listed in the Non-Essential Services table are the only services set to Disabled.
Non-essential Services

Service: Description
Alerter: Notifies selected users and computers of administrative alerts.
ClipBook: Supports ClipBook Viewer, which allows pages to be seen by remote ClipBooks.
Computer Browser: Maintains an up-to-date list of computers on your network and supplies the list to programs that request it.
DHCP Client: Manages network configuration by registering and updating IP addresses and DNS names.
DHCP Server: Allocates IP addresses and allows the advanced configuration of network settings such as DNS servers, WINS servers, and so on to DHCP clients automatically. If the DHCP Server service is turned off, DHCP clients will not receive IP addresses or network settings automatically.
Fax Service: Helps to send and receive faxes.
File Replication: Maintains file synchronization of file directory contents among multiple servers.
File Server for Macintosh: Enables Macintosh users to store and access files on this Windows server machine. If this service is turned off, Macintosh clients will not be able to view any NTFS shares.
Internet Connection Sharing: Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection.
Intersite Messaging: Allows sending and receiving messages between Windows Advanced Server sites.
Kerberos Key Distribution Center: Generates session keys and grants service tickets for mutual client/server authentication.
IPSEC Policy Agent: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
Messenger: Sends and receives messages transmitted by administrators or by the Alerter service.
NetLogon: Supports pass-through authentication of account logon events for computers in a domain.
NetMeeting Remote Desktop Sharing: Allows authorized people to remotely access your Windows desktop using NetMeeting.
Network DDE: Provides network transport and security for dynamic data exchange (DDE).
Network DDE DSDM: Manages shared dynamic data exchange and is used by Network DDE.
Print Server for Macintosh: Enables Macintosh clients to route printing to a print spooler located on a computer running Windows 2000 Server. If this service is stopped, printing will be unavailable to Macintosh clients.
Print Spooler: Loads files to memory for later printing.
QoS Admission Control: Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
Remote Access Auto Connection Manager: Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
Remote Access Connection Manager: Creates a network connection.
Remote Registry Service: Allows remote registry manipulation.
Removable Storage: Manages removable media, drives, and libraries.
Routing and Remote Access: Offers routing services to businesses in local area and wide area network environments.
RunAs Service: Enables starting processes under alternate credentials.
SMTP: The SMTP service is used as an e-mail submission and relay agent. It can accept and queue e-mail for remote destinations and retry at specified intervals. Windows domain controllers use the SMTP service for intersite e-mail-based replication. The Collaboration Data Objects (CDO) for Windows 2000 COM component can use the SMTP service to submit and queue outbound e-mail. Other applications may use the SMTP service as the basis for the SMTP support in their product, for example Microsoft Exchange 2000 Server.
Simple TCP/IP Services: Provides the following protocols:
  - Echo (port 7, RFC 862)
  - Discard (port 9, RFC 863)
  - Character Generator (port 19, RFC 864)
  - Daytime (port 13, RFC 867)
  - Quote of the Day (port 17, RFC 865)
  Once the service is enabled, all five protocols are enabled on all adapters. There is no provision for selectively enabling specific services or enabling this service on a per-adapter basis. Disabling the service has no effect on the rest of the operating system.
Smart Card: Manages and controls access to a smart card inserted into a smart card reader attached to the computer.
Smart Card Helper: Provides support for legacy smart card readers attached to the computer.
TCP/IP Print Server: Enables TCP/IP-based printing using the Line Printer Daemon protocol. If this service is stopped, TCP/IP-based printing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Telephony: Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
WINS: Enables NetBIOS name resolution. Presence of the WINS server(s) is crucial for locating the network resources identified using NetBIOS names. WINS servers are required unless all domains have been upgraded to Active Directory and all computers on the network are running Windows 2000. Disabling or turning off WINS results in the following:
  - Location of the Windows NT 4 domains fails.
  - Location of Windows 2000 Active Directory domains by Windows NT 4 clients fails.
  - NetBIOS name resolution fails unless a device whose name should be resolved is on the same subnet as the device attempting name resolution and the latter is configured to attempt NetBIOS name resolution using broadcast.
WMI: Provides system management information.
WMI Extensions Driver: Provides systems management information to and from drivers.
Task Scheduler: Enables a program to run at a designated time. (Disable this service only if it’s not required for this particular server.)
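Added example, not part of the original document: a cmd script that disables the services from this table which a default Windows XP Professional install actually has, after recording each one's current startup type so the change can be reversed. The sc short names are an assumption (the table gives display names); Dhcp, Schedule and Netlogon are left out because the document itself says they may be needed.

```batch
@echo off
setlocal
rem Added example, not part of the original document: disables the services from the
rem table above that a default Windows XP Professional install actually has, recording
rem each one's current startup type first so the change can be reversed.
rem Run from an Administrator cmd prompt.
rem
rem sc needs the service's short name, not the display name shown in the table. The
rem mapping below is an assumption to be checked with "sc query" on your build:
rem   Alerter, ClipSrv (ClipBook), Browser (Computer Browser), Fax, Messenger,
rem   mnmsrvc (NetMeeting Remote Desktop Sharing), NetDDE, NetDDEdsdm (Network DDE DSDM),
rem   RasAuto, RasMan (Remote Access Auto/Connection Manager), RemoteAccess (Routing
rem   and Remote Access), RemoteRegistry, NtmsSvc (Removable Storage), SCardSvr,
rem   SCardDrv (Smart Card Helper), SimpTcp (Simple TCP/IP Services), TapiSrv (Telephony).
rem Left out on purpose, following the document's own notes: Dhcp (DHCP Client is
rem needed for the DHCP setup in step 5), Schedule (Task Scheduler: disable only if
rem unused), Netlogon (Appendix A: enable if required). Server-only rows of the table
rem (DHCP Server, WINS, SMTP, File Replication, KDC, Macintosh services) do not exist
rem on XP and are skipped by the existence check below anyway.
set "LOG=%TEMP%\services-before.txt"
> "%LOG%" echo Service startup types before hardening, %DATE% %TIME%

for %%S in (Alerter ClipSrv Browser Fax Messenger mnmsrvc NetDDE NetDDEdsdm RasAuto RasMan RemoteAccess RemoteRegistry NtmsSvc SCardSvr SCardDrv SimpTcp TapiSrv) do call :disable %%S
echo Previous startup types saved to "%LOG%"
endlocal
goto :eof

:disable
rem sc qc exits non-zero (1060, "service does not exist") for names that are not installed.
sc qc %1 >nul 2>&1
if errorlevel 1 (
    echo %1: not installed, skipping
    goto :eof
)
rem Keep the START_TYPE line (e.g. "START_TYPE : 2 AUTO_START") so it can be restored.
echo %1 >> "%LOG%"
sc qc %1 | find "START_TYPE" >> "%LOG%"
rem Stop it now and keep it from starting at the next boot. Note the space after
rem "start=": sc requires it.
sc stop %1 >nul 2>&1
sc config %1 start= disabled >nul
if errorlevel 1 (echo %1: sc config failed) else (echo %1: disabled)
goto :eof
```

To undo, read the saved START_TYPE for a service and set it back with sc config, e.g. start= auto for 2 or start= demand for 3.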
2. Change policies and audits

a. Account Policies/Password Policy: Click on Start -> Run -> SECPOL.MSC, then click on the plus sign next to Account Policy -> Password Policy and change the settings as given in the table below.

Policy                                        Recommended Setting
Enforce password history                      10 passwords remembered
Maximum password age                          30 days
Minimum password age                          7 days
Minimum password length                       8 characters
Password must meet complexity requirements    Enabled
Store password using reversible encryption    Disabled
b. Account Policies/Account Lockout Policy: Click on Start -> Run -> SECPOL.MSC, then click on the plus sign next to Account Policy -> Account Lockout Policy and change the settings as given in the table below.

Policy                                 Recommended Setting
Account lockout duration               0 minutes
Account lockout threshold              3 invalid logon attempts
Reset account lockout counter after    30 minutes
c. Local Policies/Audit Policy: To configure the Audit Policy settings click on Start -> Run -> SECPOL.MSC -> Local Policy -> Audit Policy and configure the policies based on the table below.

Policy                            Recommended Setting
Audit account logon events        Success, Failure
Audit account management          Success, Failure
Audit directory service access    No auditing
Audit logon events                Success, Failure
Audit object access               No auditing
Audit policy change               Success
Audit privilege use               Success, Failure
Audit process tracking            No auditing
Audit system events               Success
d. Local Policies/User Rights Assignment: To configure the User Rights Assignment settings click on Start -> Run -> SECPOL.MSC, then go to Local Policy -> User Rights Assignment and configure the settings as shown in the table below.

Policy                                              Recommended Setting
Access this computer from the network               Administrators, Authenticated Users
Act as part of the operating system                 Revoke all security groups and accounts
Add workstations to domain                          Administrators
Adjust memory quotas for a process                  Administrators
Allow log on through Terminal Services              Administrators
Change the system time                              Administrators
Debug programs                                      Revoke all security groups and accounts (this can prevent Windows 2003 using Windows Update)
Deny access to this computer from the network       As per requirement (for example, add Anonymous logons, Guest)
Deny log on as a batch job                          As per requirement (for example, add Guests to deny the right)
Deny log on through Terminal Services               As per requirement
Force shutdown from a remote system                 Administrators
Generate security audits                            LOCAL SERVICE, NETWORK SERVICE
Impersonate a client after authentication           LOCAL SERVICE, NETWORK SERVICE, Administrators
Increase scheduling priority                        Administrators
Load and unload device drivers                      Administrators
Lock pages in memory                                Revoke all security groups and accounts
Log on as a batch job                               (value missing in this version of the document)
Manage auditing and security log                    Administrators
Modify firmware environment values                  Administrators
Perform volume maintenance tasks                    Administrators
Profile single process                              Administrators
Profile system performance                          Administrators
Remove computer from docking station                Administrators
Replace a process level token                       LOCAL SERVICE, NETWORK SERVICE
Restore files and directories                       Administrators
Shut down the system                                Administrators
Synchronize directory service data                  Revoke all security groups and accounts
Take ownership of files and other objects           Administrators
e. Local Policies/Security Options: To configure the Security Options click on Start -> Run -> SECPOL.MSC, then go to Local Policy -> Security Options and configure the settings as shown in the table below.

Policy                                                                                   Recommended Setting
Accounts: Guest account status                                                           Disabled
Accounts: Limit local account use of blank passwords to console logon only               Enabled
Audit: Audit the access of global system objects (restart required to take effect)       Disabled
Audit: Audit the use of Backup and Restore privilege (restart required to take effect)   Disabled
Audit: Shut down system immediately if unable to log security audits                     Disabled
Devices: Allow undock without having to log on                                           Disabled
Devices: Allowed to format and eject removable media                                     Administrators
Devices: Prevent users from installing printer drivers                                   Enabled
Devices: Restrict CD-ROM access to locally logged-on user only                           Enabled
Devices: Restrict floppy access to locally logged-on user only                           Enabled
Devices: Unsigned driver installation behavior                                           Do not allow installation
Interactive logon: Do not display last user name                                         Enabled
Interactive logon: Do not require CTRL+ALT+DEL                                           Disabled
Interactive logon: Message text for users attempting to log on                           This system is for the use of authorized Wipro personnel only and by accessing this system you hereby consent to the system being monitored by Wipro. Any unauthorized use will be considered a breach of Wipro’s Information Security policies and may also be unlawful under law. Wipro reserves the right to take any action including disciplinary action or legal proceedings in a court of law against persons involved in the violation of the access restrictions herein.
Interactive logon: Message title for users attempting to log on                          !!!WARNING!!!
Interactive logon: Number of previous logons to cache (in case domain controller is not available)   0
Interactive logon: Prompt user to change password before expiration                      7 days
Interactive logon: Require Domain Controller authentication to unlock workstation        Disabled
Interactive logon: Smart card removal behavior                                           Disabled
Recovery console: Allow automatic administrative logon                                   Disabled
Recovery console: Allow floppy copy and access to all drives and all folders             Enabled
Shutdown: Allow system to be shut down without having to log on                          Disabled
Shutdown: Clear virtual memory page file                                                 Enabled
f. Event Log: Start -> Run -> eventvwr.msc, then click on the plus sign next to System Tools -> Event Viewer, right click on Application log on the right hand side and click on Properties, then configure the settings as given in the table below.

Event log setting                Recommended Setting
Maximum application log size     102,400 KB
Maximum security log size        102,400 KB
Maximum system log size          102,400 KB
Retention method                 Do not overwrite events (clear log manually)
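The tables in a. to f. can also be applied in one go as a secedit security template, which is what the remark below about importing a security template refers to. Added example, not from the original document: a cmd script that writes such a template from the tables above and applies it. The file names under %TEMP% are the script's own choice, and the registry locations used for the Security Options rows are the standard ones from XP's security templates, mapped here by the editor rather than taken from the document.

```batch
@echo off
setlocal
rem Added example (not part of the original document): writes the Password, Account
rem Lockout, Audit, Security Options and Event Log tables of section 2 as a secedit
rem security template and applies it to the local policy. Assumes Windows XP
rem Professional and an Administrator cmd prompt.
set "INF=%TEMP%\xp-hardening.inf"
set "SDB=%TEMP%\xp-hardening.sdb"

rem Export the policy in force first; it can be restored later with
rem   secedit /configure /db %TEMP%\restore.sdb /cfg %TEMP%\policy-before.inf
secedit /export /cfg "%TEMP%\policy-before.inf"

rem --- Template header: secedit requires both sections ---
>"%INF%" echo [Unicode]
>>"%INF%" echo Unicode=yes
>>"%INF%" echo [Version]
>>"%INF%" echo signature="$CHICAGO$"
>>"%INF%" echo Revision=1

rem --- a. Password policy and b. Account lockout (days, minutes, counts) ---
>>"%INF%" echo [System Access]
>>"%INF%" echo PasswordHistorySize = 10
>>"%INF%" echo MaximumPasswordAge = 30
>>"%INF%" echo MinimumPasswordAge = 7
>>"%INF%" echo MinimumPasswordLength = 8
>>"%INF%" echo PasswordComplexity = 1
>>"%INF%" echo ClearTextPassword = 0
>>"%INF%" echo LockoutBadCount = 3
rem The GUI's "0 minutes" (locked until an administrator unlocks it) is stored as -1.
>>"%INF%" echo LockoutDuration = -1
>>"%INF%" echo ResetLockoutCount = 30
rem e. Accounts: Guest account status = Disabled
>>"%INF%" echo EnableGuestAccount = 0

rem --- c. Audit policy: 0 = none, 1 = success, 2 = failure, 3 = success and failure ---
>>"%INF%" echo [Event Audit]
>>"%INF%" echo AuditAccountLogon = 3
>>"%INF%" echo AuditAccountManage = 3
>>"%INF%" echo AuditDSAccess = 0
>>"%INF%" echo AuditLogonEvents = 3
>>"%INF%" echo AuditObjectAccess = 0
>>"%INF%" echo AuditPolicyChange = 1
>>"%INF%" echo AuditPrivilegeUse = 3
>>"%INF%" echo AuditProcessTracking = 0
>>"%INF%" echo AuditSystemEvents = 1

rem --- f. Event logs: size in KB; retention 2 = do not overwrite (clear log manually) ---
for %%L in ("Application Log" "Security Log" "System Log") do (
    >>"%INF%" echo [%%~L]
    >>"%INF%" echo MaximumLogSize = 102400
    >>"%INF%" echo AuditLogRetentionPeriod = 2
)

rem --- e. Security Options as registry values: type 4 = REG_DWORD, 1 = REG_SZ, 3 = REG_BINARY ---
>>"%INF%" echo [Registry Values]
>>"%INF%" echo MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
>>"%INF%" echo MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
>>"%INF%" echo MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
>>"%INF%" echo MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
>>"%INF%" echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
>>"%INF%" echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
>>"%INF%" echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
>>"%INF%" echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,0
>>"%INF%" echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"!!!WARNING!!!"
>>"%INF%" echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"
>>"%INF%" echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,7
>>"%INF%" echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,"1"
>>"%INF%" echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,"1"
>>"%INF%" echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,"0"
>>"%INF%" echo MACHINE\Software\Microsoft\Driver Signing\Policy=3,2
>>"%INF%" echo MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
rem The remaining rows of the Security Options table (logon banner text, printer
rem drivers, recovery console, smart card removal) are applied from the GUI as
rem described above.

rem --- Apply, then re-analyze: "Mismatch" lines in the analysis log are settings that did not take ---
secedit /configure /db "%SDB%" /cfg "%INF%" /overwrite /log "%TEMP%\xp-hardening.log"
secedit /analyze /db "%SDB%" /log "%TEMP%\xp-hardening-analyze.log"
echo Review %TEMP%\xp-hardening-analyze.log for Mismatch lines.
endlocal
```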
g. Registry Settings: To configure the registry settings go to Start -> Run -> REGEDIT. The following registry values have to be added under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters key.
Note: Security Operations strongly recommends backing up the registry before any changes are made to it.

Registry value                          Format   Recommended value (decimal)
EnableICMPRedirect                      DWORD    0
SynAttackProtect                        DWORD    1
EnableDeadGWDetect                      DWORD    0
EnablePMTUDiscovery                     DWORD    0
KeepAliveTime                           DWORD    300,000
DisableIPSourceRouting                  DWORD    2
TcpMaxConnectResponseRetransmissions    DWORD    2
TcpMaxDataRetransmissions               DWORD    3
PerformRouterDiscovery                  DWORD    0
TCPMaxPortsExhausted                    DWORD    5
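Added example, not part of the original document: a cmd script that backs up the key as the note above recommends and then sets the values from the table with reg.exe; the backup file name is the script's own choice.

```batch
@echo off
setlocal
rem Added example (not part of the original document): applies the TCP/IP values from
rem the table above with reg.exe, after exporting the key so the change can be undone.
rem Assumes Windows XP Professional and an Administrator cmd prompt.
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
set "BACKUP=%TEMP%\Tcpip-Parameters-%RANDOM%.reg"

rem Back up first. Undo later with: reg import "<backup file>"
reg export "%KEY%" "%BACKUP%" >nul
if errorlevel 1 (
    echo Backup failed; registry left unchanged.
    exit /b 1
)
echo Backup written to "%BACKUP%"

rem reg add takes REG_DWORD data in decimal, matching the table; /f overwrites silently.
call :setdword EnableICMPRedirect 0
call :setdword SynAttackProtect 1
call :setdword EnableDeadGWDetect 0
rem 0 turns path-MTU discovery off, so traffic to non-local destinations uses a 576-byte MTU.
call :setdword EnablePMTUDiscovery 0
rem Milliseconds: 300000 = 5 minutes.
call :setdword KeepAliveTime 300000
call :setdword DisableIPSourceRouting 2
call :setdword TcpMaxConnectResponseRetransmissions 2
call :setdword TcpMaxDataRetransmissions 3
call :setdword PerformRouterDiscovery 0
call :setdword TCPMaxPortsExhausted 5

rem Read the values back (reg query shows REG_DWORD data in hex, e.g. 0x493e0 = 300000).
reg query "%KEY%" | findstr /i "EnableICMPRedirect SynAttackProtect EnableDeadGWDetect EnablePMTUDiscovery KeepAliveTime DisableIPSourceRouting TcpMaxConnectResponse TcpMaxDataRetrans PerformRouterDiscovery TCPMaxPortsExhausted"
echo The TCP/IP stack reads these at start-up; reboot for them to take effect.
endlocal
goto :eof

:setdword
reg add "%KEY%" /v %1 /t REG_DWORD /d %2 /f >nul
if errorlevel 1 (echo FAILED: %1) else (echo %1 = %2)
goto :eof
```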
(Also listed under Security Options, without a recommended value: Network security: LAN Manager authentication level.)

Importing a security template will take care of some or all of these:
1. Password policies, account lockouts, audit policy, LM hash, NTLMv2, access memory, SAM accounts, force Ctrl-Alt-Del.
2. Make a user account which will be your primary user account, with less than admin privileges. Change your admin password, now that you have your policies set.
3. Secure passwords, especially making sure that the admin password is secure.
4. Change the settings so you can see file extensions and hidden files. This is a lot more important than it used to be, now that many viruses use ‘double extensions’ (e.g., hi.txt.exe to make an executable look like a text file).
5. Turn off NetBIOS.
6. Password protect your BIOS.
7. Run the MS Baseline Security Analyzer.
8. Look into getting a firewall other than ICF.
9. Set Start Menu security.
Appendix A:
1. Net Logon service: enable the service in Services if it is required.
2. SNMP service: enable it if it is required, and use complex community strings.
3. If you are facing problems in installing unsigned drivers, and you know that the device driver is valid, then change the policy under Security Options called Devices: Unsigned driver installation behavior; you can configure it to Warn but allow installation.
4. Increase the event log size based on your requirements if necessary.

Appendix B:
1. Signature verification when installing new software, system files and device drivers on your computer: to check for unsigned files, go to Start -> Run -> sigverif.
2. Security Operations recommends using a central SYSLOG server to store all the logs from different servers.
3. Do not use any third-party remote access tools; use Terminal Services for all purposes.
4. Enable only the ports that are required by the server. This can be done as shown below: go to Network Connections -> right click Local Area Connection -> Internet Protocol (TCP/IP) -> Properties -> Advanced -> Options -> Properties -> click on Permit Only and add the ports for TCP, UDP, and IP.
5. NTP synchronization: synchronize the server with the BLR-ECDC5.wipro.com NTP server. This can be done as shown below: go to Control Panel -> Date and Time -> Internet Time -> check the box which says automatically synchronize with an Internet time server, and for the server type in blr-ec-dc5.wipro.com.

Appendix C:
1. Emergency Repair Disk (ERD): use the Backup utility program to create the Emergency Repair Disk (ERD) after installation of the OS and also when changes are made to the system.
2. Click Start -> Run -> type ‘ntbackup’ and choose Emergency Repair Disk.