Guide To Securing Microsoft Windows XP (NSA)
Authors: R. Bickel; M. Cook; J. Haney; M. Kerr, DISA CT01; T. Parker, USN; H. Parkes
National Security Agency 9800 Savage Rd. Suite 6704 Ft. Meade, MD 20755-6704
XPGuides@nsa.gov
UNCLASSIFIED
Disclaimer
SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE EXPRESSLY DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Acknowledgements
The authors would like to acknowledge the authors of the Guide to Securing Microsoft Windows 2000 series. The authors would also like to thank Sherri Bavis for reviewing this document and all the organizations that participated in beta testing this guide. Your comments and suggestions were invaluable.
Trademark Information
Microsoft, MS-DOS, Windows, Windows XP, Windows 2000, Windows NT, Windows 98, Windows 95, Windows for Workgroups, and Windows 3.1 are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and other countries. All other names are registered trademarks or trademarks of their respective companies. Some parts of this document were drawn from Microsoft copyright materials with their permission.
Table of Contents
Table of Contents ... vi
Table of Figures ... x
Table of Tables ... xi
Chapter 1 Important Information on Using this Guide ... 1
    Assumptions ... 1
    Warnings to Review Before Using this Guide ... 2
    Conventions and Commonly Used Terms ... 2
        Users and Authenticated Users ... 2
        System Variables ... 3
        Administrative Tools location ... 3
    About the Guide to Securing Microsoft Windows XP ... 3
Chapter 2 What's New in Windows XP Security ... 7
    Changes to Security Features ... 7
        Everyone group membership ... 7
        Administrative ownership ... 7
        Installation of printers ... 7
        Blank password restriction ... 7
        Convert.exe ... 8
        Subsystems ... 8
        Encrypting File System ... 8
    New Security Features ... 8
        Software Restriction Policies ... 8
        Stored user names and passwords ... 9
    New Service Accounts ... 9
        LocalSystem Account ... 9
        Network Service Account ... 9
        Local Service Account ... 10
Chapter 3 Introduction to the Security Configuration Manager Tools ... 11
    Security Configuration Functionality ... 12
        The Security Configuration GUI ... 12
        The Security Configuration Command Line Tool ... 12
    Security Templates ... 13
        Loading the Security Templates Snap-in into the MMC ... 13
        Viewing the Text of Security Templates ... 14
        Security Configuration Files ... 14
        Default Security Templates ... 15
        Microsoft-provided Templates ... 15
        NSA Security Template ... 15
    Before Making Security Changes ... 15
    Checklist for Applying the Recommendations in this Guide ... 15
Chapter 4 Modifying Account Policy Settings with Security Templates ... 19
    Password Policy ... 19
    Account Lockout Policy ... 22
    Kerberos Policy ... 23
Chapter 5 Modifying Local Policy Settings with Security Templates ... 25
    Auditing Policy ... 25
    User Rights Assignment ... 28
    Security Options ... 32
    Adding an Entry to Security Options ... 47
        Deleting customized options ... 48
Chapter 6 Modifying Event Log Settings with Security Templates ... 49
    Event Log Settings ... 49
    Managing the Event Logs ... 50
        Saving and Clearing the Audit Logs ... 50
        Resetting the Audit Log Settings After the System Halts ... 51
Chapter 7 Managing Restricted Groups with Security Templates ... 53
    Modifying Restricted Groups via the Security Templates Snap-in ... 53
Chapter 8 Managing System Services with Security Templates ... 55
    Modifying System Services via the Security Templates Snap-in ... 55
    System Services Security ... 57
Chapter 9 Modifying Registry Security Settings with Security Templates ... 59
    Inheritance model ... 59
    Registry permissions ... 59
        Effective Permissions ... 61
    Modifying Registry settings via the Security Templates snap-in ... 61
        Modifying Permissions on a Registry Key ... 61
        Adding registry keys to the security configuration ... 64
        Excluding registry keys from the security configuration ... 65
    Recommended Registry Key Permissions ... 65
Chapter 10 Modifying File System Security Settings with Security Templates ... 73
    Converting to NTFS ... 73
    File and folder permissions ... 74
        Granularity of file permissions ... 74
        Folder Permissions ... 75
        File Permissions ... 76
        Effective Permissions ... 76
    Modifying File System settings via the Security Template snap-in ... 76
        Modifying Permissions on a File or Folder ... 77
        Adding files or folders to the security configuration ... 79
        Excluding files or folders from the security configuration ... 79
    Recommended File and Folder Permissions ... 80
Chapter 11 Security Configuration and Analysis ... 91
    Loading the Security Configuration and Analysis Snap-in into the MMC ... 91
    Security Configuration Databases ... 91
    Secedit Command Line Options ... 93
    Performing a Security Analysis ... 94
        Performing a Security Analysis via the Command Line ... 94
        Performing a Security Analysis via the GUI ... 94
    Configuring a System ... 95
        Configuring a System via the Command Line ... 95
        Configuring a System via the GUI ... 96
Chapter 12 Applying Windows XP Group Policy in a Windows 2000 Domain ... 97
    Overview ... 97
    Security Settings Extension ... 97
    Creating a Windows XP GPO ... 98
    Importing a Security Template into a GPO ... 98
    Managing a Windows XP GPO from a Windows 2000 Domain Controller ... 99
    Local Group Policy Object ... 100
    Forcing a Group Policy Update ... 100
    Viewing the Resultant Set of Policy ... 100
        RSoP Snap-in ... 100
        Gpresult.exe ... 101
    Known Issues ... 101
        RestrictAnonymous Setting and User must change password at next logon ... 101
Chapter 13 Remote Assistance/Desktop Configuration ... 103
    Remote Assistance ... 103
        Solicited Remote Assistance ... 103
        Remote Assistance Offers ... 104
    Remote Desktop Connections ... 105
    Group Policy - Administrative Templates ... 107
        Terminal Services ... 107
    Network Configuration Recommendations ... 110
Chapter 14 Internet Connection Firewall Configuration ... 111
    Recommended Usage ... 111
    Features ... 111
        Stateful packet inspection ... 111
        Protection from port scans ... 111
        Security Logging ... 112
        What it doesn't provide ... 112
    Enabling the ICF ... 112
    Summary ... 117
Chapter 15 Additional Security Settings ... 119
    Administrator Accounts Recommendations ... 119
        Additional Administrator Accounts ... 119
        Use of Administrator Accounts and the RunAs Command ... 120
    Shared Resource Permissions ... 120
        Setting Share Permissions ... 121
        Share Security Recommendations ... 121
    Deleting POSIX Registry Keys ... 122
    Additional Group Policy Settings ... 122
        Disabling Remote Assistance/Desktop ... 122
        Network Initialization ... 123
        Disabling Media Autoplay ... 124
    Blocking NetBIOS at the Network Perimeter ... 124
Chapter 16 Modifications for Windows XP in a Windows NT Domain ... 125
    Lack of Group Policy ... 125
    NTLM and LanManager Settings ... 125
    Strong Session Key ... 125
    Autoenrollment ... 126
Appendix A Example Logon Banner ... 127
Appendix B References ... 128
Table of Figures
Figure 1 Security Templates snap-in ... 14
Figure 2 Password Policy recommendations ... 20
Figure 3 Recommended Audit Policy ... 26
Figure 4 System Services ... 57
Figure 5 Registry permissions configuration options ... 62
Figure 6 Advanced security settings ... 63
Figure 7 Permission Entry window for registry keys ... 64
Figure 8 File permissions configuration options ... 78
Figure 9 Permission Entry window for files and folders ... 79
Figure 10 Configuration File Selection ... 92
Figure 11 Results of a Security Analysis ... 95
Figure 12 Security Settings extension in a GPO ... 99
Figure 13 RSoP snap-in ... 101
Figure 14 Enabling ICF ... 113
Figure 15 Services tab ... 114
Figure 16 Example service setting ... 115
Figure 17 Security Logging tab ... 116
Figure 18 ICMP tab ... 117
Table of Tables
Table 1 Password Policy Options ... 22
Table 2 Account Lockout Options ... 23
Table 3 Kerberos Policy Options ... 24
Table 4 Audit Policy options ... 28
Table 5 User Rights options ... 32
Table 6 Security Options ... 46
Table 7 Event Log Options ... 50
Table 8 Registry Permissions and Descriptions ... 60
Table 9 Registry Permission Options ... 60
Table 10 Recommended Registry Permissions ... 71
Table 11 File Permissions and Descriptions ... 74
Table 12 Folder Permissions Options ... 75
Table 13 File Permissions Options ... 76
Table 14 Recommended Folder and File Permissions ... 90
Table 15 Secedit Command Line Parameters ... 94
Table 16 Terminal Services Policy Options ... 109
Chapter 1 Important Information on Using this Guide
The purpose of this document is to inform the reader about Windows XP Professional recommended security settings. These security settings include those that can be set via the Security Configuration Manager, through Group Policy, as well as manual settings. Windows XP Professional is a client operating system only. The corresponding server version has not yet been released. Therefore, this document will address Windows XP within a Windows 2000 domain and utilizing Windows 2000 Active Directory and Group Policy. Additional security information on Group Policy Objects (GPOs) is addressed in the Guide to Securing Microsoft Windows 2000 Group Policy, which should be read prior to reading this document.
NOTE: This guide does not address security concerns of Windows XP Home Edition or of standalone (i.e., not joined to a domain) Windows XP Professional.
Although the primary environment addressed in this guide is Windows XP in a Windows 2000 domain, Chapter 16 discusses modifications to the security recommendations that must be made when adding Windows XP to a Windows NT 4.0 domain. Included with this document is a security template: WinXP_workstation.inf. The purpose and use of this template will be discussed later in this document. This document is intended for Windows network administrators, but should be read by anyone involved or interested in Windows XP or network security.
Assumptions
The following essential assumptions have been made to limit the scope of this document:
- The network consists only of machines running Microsoft Windows 2000 and clean-installed (i.e., not upgraded) Microsoft Windows XP Professional.
  NOTE: Chapter 16 discusses issues involved when adding Windows XP to a Windows NT 4.0 domain.
- Windows XP machines are formatted using the NT File System (NTFS).
- Domain controllers are Windows 2000 machines and are running Active Directory.
  NOTE: Chapter 16 discusses issues involved when Windows NT 4.0 domain controllers are present in the domain.
- The latest Windows 2000 and Windows XP service packs and hotfixes have been installed. For further information on critical Windows updates, see the Windows Update web page http://windowsupdate.microsoft.com or search for security hotfixes by service pack at the TechNet Security Bulletin Search http://www.microsoft.com/technet/security/current.asp.
- All network machines are Intel-based architecture.
- Applications are Windows XP compatible.
- Users of this guide have a working knowledge of Windows XP and Windows 2000 installation and basic system administration skills.
Currently, no undo function exists for deletions made within the Windows XP registry. The registry editor (Regedit.exe) prompts the user to confirm the deletions. When a registry key is being deleted, the message does not include the name of the key being deleted. Check your selection carefully before proceeding with any deletion.
template), the Users group is used in file and registry permissions as well as user rights assignment. This guide has chosen to follow Microsoft's convention. No security should be lost if you choose to replace the Users group with the Authenticated Users group on workstations.
System Variables
The following system variables are referenced throughout this document:
- %SystemDrive%: The drive letter on which Windows XP is installed. This is usually C:\.
- %SystemRoot%: The folder containing the Windows XP operating system files. This is usually %SystemDrive%\WINDOWS.
- %SystemDirectory%: %SystemRoot%\system32
- %ProgramFiles%: The folder in which most applications are installed. This is usually %SystemDrive%\Program Files.
- %AllUsersProfile%: The folder in which the All Users profile is installed. This is usually %SystemDrive%\Documents and Settings\All Users.
Chapter 3, Introduction to the Security Configuration Manager Tools, provides an overview of the Security Configuration Manager Tool Set's capabilities and describes how to use the Security Templates Microsoft Management Console (MMC) snap-in to implement, edit, and create new security configuration files. This chapter also introduces the security configuration file included with this document and details a checklist for configuring a network using the provided settings.

Chapter 4, Modifying Account Policy Settings with Security Templates, explains how to set domain-wide account policies using the Security Templates snap-in. The chapter also covers Password Policy, Account Lockout Policy, and Kerberos Policy.

Chapter 5, Modifying Local Policy Settings with Security Templates, illustrates how to use the Security Templates snap-in to implement and modify Local Policy settings. Specifically, this chapter describes suggested policies for Auditing, User Rights, and Security Options.

Chapter 6, Modifying Event Log Settings with Security Templates, explains how to capture, view, and store the critical events that have occurred on the network by modifying the Event Log settings. Guidance for managing Event Logs is also included in this chapter.

Chapter 7, Managing Restricted Groups with Security Templates, discusses how to manage the membership of sensitive groups using the Restricted Groups option.

Chapter 8, Managing System Services with Security Templates, illustrates how to manage System Service settings such as startup modes and access control lists using the Security Templates snap-in. This chapter also describes how settings are established that control which users and/or groups can read and execute, write to, delete, start, pause, or stop a service.

Chapter 9, Modifying Registry Security Settings with Security Templates, discusses how to configure access control lists for registry keys. The discussion includes recommendations for registry key permissions.

Chapter 10, Modifying File System Security Settings with Security Templates, steps the reader through the actions required to modify file and folder permissions using the Security Templates snap-in. Additionally, this chapter outlines recommended file and folder permission settings.

Chapter 11, Security Configuration and Analysis, explains how to perform security analysis and configuration via the Security Configuration and Analysis snap-in or the command-line program once the appropriate configuration file(s) have been modified.

Chapter 12, Applying Windows XP Group Policy in a Windows 2000 Domain, discusses how to push group policy down to Windows XP clients from a Windows 2000 domain controller running Active Directory.

Chapter 13, Remote Assistance/Desktop Configuration, gives recommendations for using and securing the Remote Assistance and Remote Desktop features in Windows XP.

Chapter 14, Internet Connection Firewall, discusses the use of Windows XP's personal firewall capability.

Chapter 15, Additional Security Settings, describes other miscellaneous security recommendations such as administrator account usage and share permissions.
Chapter 16, Modifications for Windows XP in a Windows NT Domain, describes several recommended security settings if Windows XP is a member of a Windows NT domain.
Chapter 2 What's New in Windows XP Security
Windows XP modifies several Windows 2000 security settings and introduces new security features. This chapter gives a brief overview of some of the features that are relevant to Windows XP systems in a domain environment. Features unique to stand-alone Windows XP machines are not addressed in this document.
Administrative ownership
In Windows NT and Windows 2000, any object that is created by a member of the Administrators group is automatically assigned the whole group as the owner. In Windows XP, the administrative user that creates the object becomes the sole owner of the object.
Installation of printers
In Windows XP, a user must belong to either the Power Users or Administrators group to be able to install a local printer. Additionally, the user must be granted the Load/Unload Device Driver user right.
NOTE: Administrators have the Load/Unload Device Driver right by default.
Convert.exe
In Windows NT and Windows 2000, using the convert.exe command to convert FAT or FAT32 volumes to NTFS results in the Everyone group being given Full Control permissions on the converted volume. In Windows XP, however, convert.exe will automatically set default Windows XP file permissions on the volume.
Subsystems
Windows NT and Windows 2000 provide support for the OS/2 and POSIX subsystems. However, Windows XP no longer includes these subsystems. POSIX support is now included in a separate package as part of Microsoft Windows Interix 2.2. Refer to http://www.microsoft.com/windows2000/Interix for more information on Interix.
Hash: applications can be allowed or disallowed based on a hash of the application file's contents. A hash is computed from the file's contents and uniquely identifies the file; if the file has been modified in any way, the hash will change.
Certificate: applications can be allowed or disallowed based on digital certificates associated with the applications.
Internet Zone: applications can be allowed or disallowed based on the Internet zone from which they were downloaded. The following zones can be specified: Internet, Intranet, Restricted Sites, Trusted Sites, and My Computer. These rules apply only to Windows Installer packages.
Enforcement Properties: determines whether software library files (files containing common variable and function definitions, i.e., DLLs) are included in the software restriction policies. This option can also be used to prevent software restrictions from applying to local administrators.
Designated File Types: allows addition or deletion of file types from the list of what is considered to be executable code.
Trusted Publishers: determines which users can select trusted application publishers.
For more information, see Microsoft Knowledge Base article Q310791, Description of the Software Restriction Policies in Windows XP, at http://support.microsoft.com/default.asp?scid=kb;EN=US;q310791.
can access resources whose Access Control Lists (ACLs) allow access by the Network Service, Everyone, or Authenticated Users. Examples of services that run as Network Service are Distributed Transaction Coordinator, DNS Client, Performance Logs and Alerts, and RPC Locator.

Local Service Account
The Local Service account is a predefined account that has minimum privileges on the local computer and presents anonymous credentials on the network. The Local Service account generally can access resources whose ACLs allow access by the Local Service, Everyone, or Authenticated Users. Examples of services that run as Local Service are Alerter, Remote Registry, Smart Card, SSDP, and WebClient.
Chapter 3 Introduction to the Security Configuration Manager Tools
Windows XP includes support for the Security Configuration Manager (SCM). The SCM tool set allows system administrators to consolidate many security-related system settings into a single configuration file (called a template or inf file in this guide because of the file extension .inf). Security configuration files can be layered to adjust for different software applications and security settings. These security settings may then be applied to any number of Windows XP machines either as part of a Group Policy Object (GPO) or through local computer configuration.

Several tools allow you to configure security settings on Windows XP:
Local Security Policy
Security Settings extension to Group Policy
The Security Configuration Manager, which consists of the following:
Security Templates snap-in
Security Configuration and Analysis snap-in
Secedit.exe command-line tool

These components allow analysis and configuration of the following security areas:
Account Policies: includes Password Policy, Account Lockout Policy, and Kerberos Policy
Local Policies: includes Audit Policy, User Rights Assignment, and Security Options
Event Log: includes settings for the event logs
Restricted Groups: includes membership settings for sensitive groups
System Services: includes configurations for system services
Registry: includes registry key Discretionary Access Control List (DACL) settings (i.e., registry key permissions)
File System: includes NTFS file and folder DACLs (i.e., file and folder permissions)
Chapters 4-10 describe recommended settings and how to customize the templates, and Chapter 11 describes how to conduct a security analysis and configuration. For more detailed information on the Security Configuration Manager, refer to the Step-by-Step Guide to Using the Security Configuration Tool Set at http://www.microsoft.com/windows2000/techinfo/planning/security/secconfsteps.asp.
Security Templates
Security templates are files that contain a set of security configurations. Templates provide an easy way to standardize security across a platform or domain. They may be applied to Windows XP computers either by being imported into a Group Policy Object, or by being directly applied to the local computer through the Security Configuration Manager. This section provides a general overview of the Security Templates snap-in and discusses the security configuration files included with the tool.
Figure 1 Security Templates snap-in

To avoid having to reload the snap-in every time the MMC is exited and reopened, save the current console settings by performing the following steps:
In the Console menu, select Save. By default, the file will be saved in the Administrative Tools menu of the currently logged-on user.
Enter the file name under which the current console settings will be saved.
Click Save.
From then on, the console can be accessed from Start, All Programs, Administrative Tools, as long as the user's profile is configured to display the Administrative Tools on the Start menu.
Default Security Templates
There is a security template that contains the default security settings applied to a clean-install (non-upgraded) Windows XP machine. The default security template is especially useful when you want to return the system to its original state after making changes. The template actually applied to a machine out-of-the-box is stored in %SystemRoot%\security\templates as setup security.inf.
NOTE: Setup security.inf should never be applied via Group Policy from a domain controller and should only be applied to the local computer via the Security Configuration and Analysis snap-in or secedit.exe. This is because each setup template is customized during setup for that particular machine. Also, the template contains a large number of configurations and could degrade network performance if periodically applied via a domain GPO.

Microsoft-provided Templates
Within the Security Templates snap-in, Microsoft provides several templates addressing varying levels of security. Among these are compatws.inf, securews.inf, and hisecws.inf. Since this guide's recommended security settings are implemented in the NSA-provided template (see the section below), the details of the Microsoft templates will not be discussed here.

NSA Security Template
This document has an accompanying security configuration file, WinXP_workstation.inf, which complies with the recommendations found in this manual. The security template can be found at http://nsa1.www.conxion.com/.
Review and understand the warnings in Chapter 1. It is NOT recommended that the NSA-provided templates be applied blindly without thoroughly reviewing the settings in Chapters 4-10.

Back up your system. Backups are the only sure-fire way to restore your system.

Download the appropriate configuration file to the template directory (%SystemRoot%\Security\Templates), or add another template search path pointing to wherever the templates are stored. It is suggested that you make copies of the template files under different names if you plan to modify the recommended settings. You can do this before opening the files in the MMC, or by performing a Save As after making modifications to the templates.

Several new security options have been added to the NSA templates. To make these options available, download the NSA sceregvl.inf file from the website into the %SystemRoot%\inf folder. Rename the original copy of sceregvl.inf before copying the NSA-provided file over it, in case you need to revert to the original configuration. To register the new security options, run regsvr32 scecli.dll from the command prompt after the sceregvl.inf file has been placed in the %SystemRoot%\inf folder. The end of Chapter 5 discusses how other security options can be added to the templates.

Review the recommended security settings in Chapters 4-10. Via the Security Templates MMC snap-in, modify the template files according to your network's needs. Pay close attention to any notes or warnings associated with the settings. To modify the templates:
Within the MMC, double-click on the Security Templates node in the left pane.
Double-click the default configuration file directory (%SystemRoot%\Security\Templates). A list of available configuration files is revealed.
NOTE: Template files from other directories may be loaded by right-clicking on Security Templates and choosing the New Template Search Path option.
Double-click on a specific configuration file.
Double-click on a specific security area.
Double-click on a security object in the right pane.
Customize the security settings for your environment.
To save the customized configuration file under a new file name (to avoid overwriting the provided templates), right-click on the file in the left pane and select Save As, specifying a new name for the modified template.

Several security settings are recommended but not defined in the templates because they are environment-specific. You will have to decide on the values for these settings. Among them are the following security options presented in Chapter 5:
Accounts: Rename administrator account
Accounts: Rename Guest account
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on

Once the templates have been customized to your network environment and saved, apply the templates. If the template will be applied locally, see Chapter 11 for information on configuration options via the Security Configuration and Analysis snap-in or the secedit.exe command-line tool. If the template will be imported into a Group Policy Object, refer to Chapter 12.

Perform any additional security configurations described in Chapters 13-16 as applicable.
Chapter 4 Modifying Account Policy Settings with Security Templates
A key component of controlling the security of a system is the proper setting of account policies. Depending on the type of system (e.g., domain controller, workstation, member server), account policy configuration will impact the network differently. In Windows 2000 domains, account policy is set and enforced in the domain's group policy; attempts to configure domain account policies in other GPOs are ignored. Configuring account policies directly on workstations and member servers only affects the local password or lockout policy on that machine. To ensure a consistent password and lockout policy throughout the entire domain for both local and domain logons, the same policy should be set on the domain controllers (via the domain GPO) and via Local Security Policy on member servers and XP workstations. See the Guide to Securing Microsoft Windows 2000 Group Policy for more information on importing security templates into the appropriate containers. To view the account policy settings of a security template, double-click the following in the MMC:
Security Templates
Default configuration file directory (%SystemRoot%\Security\Templates)
Specific configuration file
Account Policies
NOTE: After making any modifications to the configuration files, make sure the changes are saved, and then test the changes before installing them on an operational network.
Password Policy
Before making modifications to the Account Policy dialog box, review your organization's written password security policy. The settings made in the Account Policy dialog box should comply with the written password policy. Users should read and sign statements acknowledging compliance with the organizational computer policy. Recommendations for a password policy include:
Users should never write down passwords.
Passwords should be difficult to guess and include uppercase, lowercase, special (e.g., punctuation and extended character set), and numeric characters. Dictionary words should not be used.
Users should not transmit clear-text passwords using any form of electronic communication.
To modify the password policy settings via the Security Templates snap-in, double-click the following path:
Account Policies
Password Policy
specific option to view or edit current settings
Table 1 lists the recommended password policy settings and Figure 2 shows the password policy as it appears in the MMC.
Table 1 Password Policy Options

Enforce password history
Prevents users from toggling among their favorite passwords and reduces the chance that an attacker or password cracker will discover passwords. If this option is set to 0, users can revert immediately to a password that they previously used. Allowable values range from 0 (do not keep password history) to 24 passwords remembered.
Recommended setting: 24 passwords

Maximum password age
The period of time that a user is allowed to keep a password before being required to change it. Allowable values are 0 (password never expires) or between 1 and 999 days. The maximum password age may be set to less than 90 days in more secure environments.
Recommended setting: 90 days

Minimum password age
Specifies how long a user must wait after changing a password before changing it again. By default, users can change their passwords at any time, so a user could change a password and then immediately change it back to what it was before. Allowable values are 0 (password can be changed immediately) or between 1 and 998 days.
Recommended setting: 1 day

Minimum password length
Blank passwords and short passwords are easily guessed by password cracking tools. To lessen the chance of a password being cracked, passwords should be longer. Allowable values for this option are 0 (no password required) or between 1 and 14 characters.
Recommended setting: 12 characters

NOTE: In actuality, Windows 2000 and XP support passwords up to 127 characters long. A password longer than 14 characters has a distinct advantage: the LanManager (LM) hash cannot be computed for such a password, so the LM hash cannot be attacked by password-cracking utilities the way it normally could. Unfortunately, the Security Templates interface will not allow the minimum password length to be set greater than 14. Also, if a network contains Windows 9x or Windows NT 4.0 or earlier computers, the maximum password length cannot exceed 14 characters, since those computers do not support entering passwords that long in the UI.

NOTE: It is recommended that privileged users (such as administrators) have passwords longer than 12 characters. An optional method of strengthening administrative passwords is to use characters that are not in the default character sets. For example, the Unicode characters entered with ALT codes 0128 through 0159 have two advantages: (1) they cause the LM hash to be invalid, and (2) they are not in the character set of any common password cracker. Be careful using such characters, however. Certain characters, such as 0200 (È), get converted into other characters, in this example 0069 (E), and then hashed, effectively weakening the password. To enter these characters, hold the ALT key and type the number on the numeric keypad. On a notebook, hold down the FN and ALT keys and type the number on the overlay numeric keypad.

Passwords must meet complexity requirements
Enforces strong password requirements for all users. Stronger passwords provide some measure of defense against password guessing and dictionary attacks launched by outside intruders. Passwords must contain characters from 3 of 4 classes: uppercase letters, lowercase letters, numbers, and special characters (e.g., punctuation marks). Also, passwords cannot be the same as the user's logon name. Complexity requirements take effect the next time a user changes his or her password; pre-existing passwords are not affected.
Recommended setting: Enabled

NOTE: NSA provides an enhanced password complexity filter, ENPASFLT.DLL, that can be used in place of this option. ENPASFLT.DLL is available to U.S. government agencies only. This password filter enforces passwords of at least 8 characters in length containing all 4 classes of characters. Additionally, the use of the user logon name or full name as a password is not permitted. See the ENPASFLT documentation for installation procedures. If using ENPASFLT instead of this option, you may want to set this option to Disabled to avoid conflicts.

NOTE: For information on creating your own custom password filter, see Microsoft Knowledge Base article Q151082, HOWTO: Password Change Filtering and Notification in Windows NT, at http://support.microsoft.com/default.asp?scid=kb;EN=US;q151082.

Store password using reversible encryption for all users in the domain
Determines whether user passwords are stored in a reversible (decryptable) form rather than as a one-way hash. This option exists to provide password information to certain applications. However, storing passwords with reversible encryption is equivalent to storing clear-text passwords and should NOT be permitted.
Recommended setting: Disabled
To modify the account lockout policy settings via the Security Templates snap-in, double-click the following path:
Account Policies
Account Lockout Policy
specific option to view or edit settings
Table 2 lists the recommended account lockout policy settings.

Table 2 Account Lockout Policy Options

Account lockout duration
The number of minutes a locked-out account remains locked before it is automatically unlocked. A value of 0 keeps the account locked until an administrator unlocks it.
Recommended setting: 15 minutes

Account lockout threshold
Prevents brute-force password cracking/guessing attacks on the system. This option specifies the number of invalid logon attempts that can be made before an account is locked out. Allowable values range from 0 (account will not lock out) to 999 attempts. Although 3 invalid attempts is recommended in this guide, any number from 3 to 5 should provide adequate protection.
NOTE: Failed logons on machines that have been locked via CTRL-ALT-DEL or a password-protected screen saver do not count as failed attempts.
Recommended setting: 3 invalid logon attempts

Reset account lockout counter after
Sets the number of minutes until the invalid logon count is reset. Allowable values range from 1 to 99999 minutes.
Recommended setting: 15 minutes
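Tables 1 and 2 give the values a template should carry for the password and account lockout policies. The following Python script is an added example, not part of the NSA template or of Microsoft's Security Configuration Manager tools: it parses the [System Access] section of a security template (the section in which secedit.exe stores these two policies) and reports settings that are undefined, weaker than the recommendations, or outside the ranges Windows accepts when the template is applied. The key names (PasswordHistorySize, MaximumPasswordAge, MinimumPasswordAge, MinimumPasswordLength, PasswordComplexity, ClearTextPassword, LockoutDuration, LockoutBadCount, ResetLockoutCount) are the ones secedit.exe writes; the sample template is constructed for this example, and the file names in the secedit command line (account.sdb, account.inf) are assumptions.

```python
"""Audit the [System Access] section of a Windows XP security template
(.inf) against the account policy values in Tables 1 and 2 of this guide.
Added example; not part of the NSA template or the Microsoft tools."""
import configparser

# Recommended values from Tables 1 and 2, keyed by the names secedit.exe
# writes in the .inf file; comments give the snap-in's name for each.
RECOMMENDED = {
    "PasswordHistorySize": 24,    # Enforce password history (24 is the maximum)
    "MaximumPasswordAge": 90,     # days; 0 means the password never expires
    "MinimumPasswordAge": 1,      # days; 0 lets a user change straight back
    "MinimumPasswordLength": 12,  # characters; the snap-in caps this at 14
    "PasswordComplexity": 1,      # Passwords must meet complexity requirements
    "ClearTextPassword": 0,       # Store password using reversible encryption
    "LockoutDuration": 15,        # minutes; 0 means locked until an admin unlocks
    "LockoutBadCount": 3,         # Account lockout threshold; 0 disables lockout
    "ResetLockoutCount": 15,      # minutes
}


def parse_template(text):
    """Parse .inf text (read files with encoding="utf-16"; templates saved
    with Unicode=yes carry a byte-order mark). Templates look like INI files,
    but [File Security] and [Registry Keys] entries have no '=' and values
    contain '%' and ':', so '=' is the only delimiter and interpolation is off."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   allow_no_value=True, strict=False)
    cp.optionxform = str  # keep the key case secedit.exe writes
    cp.read_string(text)
    return cp


def check_account_policy(text):
    """Return (setting, value, problem) for each setting that is undefined,
    weaker than Tables 1 and 2, or outside what Windows accepts."""
    cp = parse_template(text)
    sa = cp["System Access"] if cp.has_section("System Access") else {}

    def val(key):
        return int(sa[key]) if key in sa else None

    findings = []
    for key, want in RECOMMENDED.items():
        v = val(key)
        if v is None:
            findings.append((key, None, "not defined; recommended %d" % want))
            continue
        problem = None
        if key == "PasswordHistorySize" and v < want:
            problem = "remember %d passwords" % want
        elif key == "MaximumPasswordAge" and (v == 0 or v > want):
            problem = "0 never expires; use 1 to %d days" % want
        elif key == "MinimumPasswordAge" and v < want:
            problem = "0 lets a user change a password straight back"
        elif key == "MinimumPasswordLength" and v < want:
            problem = "use at least %d characters" % want
        elif key in ("PasswordComplexity", "ClearTextPassword") and v != want:
            problem = "must be %d" % want
        elif key == "LockoutDuration" and 0 < v < want:
            problem = "lock for at least %d minutes (0 = until an admin unlocks)" % want
        elif key == "LockoutBadCount" and (v == 0 or v > 5):
            problem = "0 disables lockout; 3 to 5 attempts is adequate"
        elif key == "ResetLockoutCount" and v < want:
            problem = "reset the counter after at least %d minutes" % want
        if problem:
            findings.append((key, v, problem))
    # Constraints Windows itself enforces when the template is applied.
    mn, mx = val("MinimumPasswordAge"), val("MaximumPasswordAge")
    if mn is not None and mx and mn >= mx:
        findings.append(("MinimumPasswordAge", mn, "must be less than MaximumPasswordAge"))
    dur, reset = val("LockoutDuration"), val("ResetLockoutCount")
    if dur and reset is not None and reset > dur:
        findings.append(("ResetLockoutCount", reset, "must not exceed LockoutDuration"))
    return findings


def recommended_section():
    """A minimal template carrying the recommended [System Access] values.
    Write it out and apply it locally, for example with
    secedit /configure /db account.sdb /cfg account.inf /areas SECURITYPOLICY"""
    head = ["[Unicode]", "Unicode=yes", "[Version]", 'signature="$CHICAGO$"',
            "Revision=1", "[System Access]"]
    body = ["%s = %d" % item for item in RECOMMENDED.items()]
    return "\n".join(head + body) + "\n"


# Constructed sample, not a real NSA or Microsoft template: three weak
# account settings, plus a [File Security] entry to show that lines
# without '=' and values containing '%' do not break the parser.
WEAK_TEMPLATE = r"""[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 0
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ResetLockoutCount = 15
LockoutDuration = 15
ClearTextPassword = 0
[File Security]
"%SystemRoot%\system32\secedit.exe",2,"D:PAR(A;;FA;;;BA)(A;;FXGR;;;BU)"
"""
```

Run check_account_policy over the text of a downloaded template before applying it; for WEAK_TEMPLATE it reports the never-expiring maximum age, the 8-character minimum length, and the disabled lockout threshold, and it returns nothing for the output of recommended_section(). The two cross-checks at the end matter in practice: secedit.exe rejects a minimum password age that is not below a finite maximum age, and a reset counter longer than the lockout duration, so a template that fails them does not apply cleanly.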
Kerberos Policy
Kerberos is the default authentication method used in Windows 2000 Active Directory. Since Active Directory is necessary for Kerberos authentication, the Kerberos policy only has significance for the Windows 2000 domain Group Policy Object. Therefore, for the Windows XP workstation that this document addresses, the Kerberos policies will not be defined. The following is for information purposes only. To modify Kerberos settings via the Security Templates snap-in, double-click the following path: Account Policies Kerberos Policy specific option to view or edit settings Table 3 lists the Kerberos Policy options that should be applied at the domain group policy level.
Table 3 Kerberos Policy Options

Enforce user logon restrictions
Forces the Key Distribution Center (KDC) to check whether a user requesting a service ticket has either the Log on locally (for local machine service access) or Access this computer from the network user right on the machine running the requested service. If the user does not have the appropriate user right, a service ticket will not be issued. Enabling this option provides increased security but may slow network access to servers.
Recommended setting: Enabled

Maximum lifetime for service ticket
Determines the number of minutes a Kerberos service ticket is valid. Values must be between 10 minutes and the setting for Maximum lifetime for user ticket. This value is set to 600 minutes in the default domain GPO.
NOTE: Expired service tickets are only renewed when a new connection is made to a server. If a ticket expires during an established session, the session is not interrupted.
Recommended setting: 600 minutes

Maximum lifetime for user ticket
Determines the number of hours a Kerberos ticket-granting ticket (TGT) is valid. Upon expiration of the TGT, a new one must be obtained or the old one renewed. This value is set to 10 hours in the default domain GPO.
Recommended setting: 10 hours

Maximum lifetime for user ticket renewal
Sets the maximum number of days during which a user's TGT can be renewed. This value is set to 7 days in the default domain GPO.
Recommended setting: 7 days

Maximum tolerance for computer clock synchronization
Sets the maximum number of minutes by which the KDC's and client machines' clocks can differ. Kerberos uses time stamps to determine the authenticity of requests and to help prevent replay attacks. Therefore, it is important that KDC and client clocks remain synchronized as closely as possible. This value is set to 5 minutes in the default domain GPO.
Recommended setting: 5 minutes
Chapter 5 Modifying Local Policy Settings with Security Templates
The Local Policies section of a security template organizes security attributes for Audit Policy, User Rights Assignment, and Security Options in a central location to ease security administration. To view the local policy settings of a security template, double-click the following in the MMC:
Security Templates
Default configuration file directory (%SystemRoot%\Security\Templates)
Specific configuration file
Local Policies
NOTE: After making any modifications to the configuration files, make sure the changes are saved, and then test the changes before installing them on an operational network.
Auditing Policy
Auditing is critical to maintaining the security of the domain. On Windows XP systems, auditing is not enabled by default. Each Windows XP system includes auditing capabilities that collect information about individual system usage. The logs collect information on applications, system, and security events. Each event that is audited in an audit policy is written to the security event log, which can be viewed with the Event Viewer.
WARNING: Auditing can consume a large amount of processor time and disk space. It is highly recommended that administrators check, save, and clear audit logs daily/weekly to reduce the chances of system degradation or save audit logs to a separate machine. It is also recommended that logs be kept on a separate partition.
To modify the audit policy settings via the Security Templates snap-in, double-click the following path: Local Policies Audit Policy Right-click on the specific option to view or edit Figure 3 and Table 4 list recommended Audit Policy Settings for XP Professional. Recommended settings for Windows 2000 member servers and domain controllers are detailed in the Guide to Securing Microsoft Windows 2000 Group Policy: Security Configuration Tool Set.
Table 4 Audit Policy Options

Audit account logon events
Tracks user logon and logoff events on other computers for which the local computer was used to authenticate the account.
Recommended setting: Success, Failure

Audit account management
Tracks changes to the security accounts database (i.e., when accounts are created, changed, or deleted).
Recommended setting: Success, Failure

Audit directory service access
Audits user access to Active Directory objects that have a system access control list (SACL) defined. This option is similar to Audit object access except that it applies only to Active Directory objects and not to files and registry objects. Since this option applies only to Active Directory, it has no meaning on workstations and member servers.
Recommended setting: No auditing

Audit logon events
Tracks users who have logged on or off or made a network connection. Also records the type of logon requested (interactive, network, or service). This option differs from Audit account logon events in that it records where the logon occurred rather than where the logged-on account lives. Track failures to record possible unauthorized attempts to break into the system.
NOTE: Auditing successful and failed logon events generates a large amount of data, since network, service, and user logons are all recorded. Auditing of success events is important for tracking the users logged on during a potential attack. However, if log space is at a premium, at a minimum, failed logon events should be recorded.
Recommended setting: Success, Failure

Audit object access
Tracks unsuccessful attempts to access objects (e.g., directories, files, printers). Individual object auditing is not automatic and must be enabled in the object's properties.
Recommended setting: Failure

Audit policy change
Tracks changes in security policy, such as assignment of privileges or changes in the audit policy.
NOTE: There are problems with auditing successful policy changes. One such problem surfaces on the first system reboot after the Audit: Shut down system immediately if unable to log security audits (CrashOnAuditFail) security option is enabled. Upon reboot, the system will either blue screen or hang, apparently because of a problem writing a policy change event to the audit log. Subsequent reboots will succeed, but, as designed, only an administrator can log on. The administrator must then reset the CrashOnAuditFail registry value from 2 back to 0 or 1 in order for other users to access the system. This behavior does not occur if auditing of successful policy changes is not enabled.
Recommended setting: Success, Failure

Audit privilege use
Tracks unsuccessful attempts to use privileges. Privileges indicate rights assigned to users. Tracks all user rights except Bypass traverse checking, Debug programs, Create a token object, Replace a process level token, Generate security audits, Back up files and directories, and Restore files and directories.
NOTE: The Audit use of all user rights including Backup and Restore setting under Security Options will audit the user rights excluded here. However, it will fill up the security event log very quickly and so is not recommended.
Recommended setting: Failure

Audit process tracking
Records detailed tracking information for events such as program activation and exit. This option is useful for recording specific events in detail if your system is believed to be under attack.
Recommended setting: No auditing

Audit system events
Tracks events that affect the entire system or the audit log. Records events such as restart or shutdown.
Recommended setting: Success, Failure
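Table 4 is stored in a template's [Event Audit] section as one integer per category: 1 for Success, 2 for Failure, 3 for both, 0 for no auditing. The following Python script is an added example, not part of the NSA template or of Microsoft's tools: it decodes that section, reports categories that lack a Success or Failure bit Table 4 calls for, flags process tracking when it is switched on, and, because the note on Audit policy change above warns about it, flags a template that enables success auditing of policy changes while also setting CrashOnAuditFail to 1 under [Registry Values] (entries there are written as path=type,data, with type 4 meaning REG_DWORD). The key names are the ones secedit.exe writes; the sample template is constructed for this example.

```python
"""Decode the [Event Audit] section of a security template (.inf) and
compare it with the audit policy in Table 4. Also flags the policy-change /
CrashOnAuditFail combination described in the note above.
Added example; not part of the NSA template or the Microsoft tools."""
import configparser

SUCCESS, FAILURE = 1, 2  # bit values secedit.exe stores for each category

# Table 4 as the bitmask secedit.exe writes for each [Event Audit] key.
RECOMMENDED_AUDIT = {
    "AuditAccountLogon": SUCCESS | FAILURE,
    "AuditAccountManage": SUCCESS | FAILURE,
    "AuditDSAccess": 0,            # Active Directory only; no meaning on XP
    "AuditLogonEvents": SUCCESS | FAILURE,
    "AuditObjectAccess": FAILURE,
    "AuditPolicyChange": SUCCESS | FAILURE,
    "AuditPrivilegeUse": FAILURE,
    "AuditProcessTracking": 0,     # verbose; only while investigating an attack
    "AuditSystemEvents": SUCCESS | FAILURE,
}
CRASH_ON_AUDIT_FAIL = r"MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail"


def describe(mask):
    """Render a bitmask the way the snap-in displays it."""
    names = [n for bit, n in ((SUCCESS, "Success"), (FAILURE, "Failure")) if mask & bit]
    return ", ".join(names) or "No auditing"


def parse_template(text):
    """INI-style parse with '=' as the only delimiter and no '%' interpolation,
    so [File Security] and [Registry Keys] entries do not break it."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   allow_no_value=True, strict=False)
    cp.optionxform = str  # keep the key case secedit.exe writes
    cp.read_string(text)
    return cp


def check_audit_policy(text):
    """Return (category, value as displayed, problem) for each category that
    is undefined, misses a Success/Failure bit Table 4 calls for, or is the
    verbose process tracking the guide reserves for investigations."""
    cp = parse_template(text)
    audit = cp["Event Audit"] if cp.has_section("Event Audit") else {}
    findings = []
    for key, want in RECOMMENDED_AUDIT.items():
        if key not in audit:
            findings.append((key, None, "not defined; recommended " + describe(want)))
            continue
        have = int(audit[key])
        missing = want & ~have
        if missing:
            findings.append((key, describe(have), "missing " + describe(missing)))
        elif key == "AuditProcessTracking" and have:
            findings.append((key, describe(have),
                             "verbose; enable only while investigating an attack"))
    # [Registry Values] entries are "path=type,data"; type 4 is REG_DWORD.
    # Success auditing of policy change plus CrashOnAuditFail=1 hangs the
    # first reboot, as the note above describes.
    reg = cp["Registry Values"] if cp.has_section("Registry Values") else {}
    crash = reg.get(CRASH_ON_AUDIT_FAIL) or ""
    if crash.split(",")[-1].strip() == "1" and \
            int(audit.get("AuditPolicyChange") or 0) & SUCCESS:
        findings.append(("AuditPolicyChange", "Success",
                         "CrashOnAuditFail is enabled in the same template; "
                         "expect the first reboot after applying it to fail"))
    return findings


# Constructed sample, not a real NSA or Microsoft template: two categories
# weaker than Table 4, plus the CrashOnAuditFail value the note warns about.
SAMPLE_TEMPLATE = r"""[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 2
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,1
"""
```

For SAMPLE_TEMPLATE the script reports that logon events lack Success auditing, that object access lacks Failure auditing, and that policy change success auditing is combined with CrashOnAuditFail. Auditing beyond Table 4 (for example Success on object access) is deliberately not reported, since it is stronger, not weaker; only process tracking is singled out because of its volume.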
To modify the user rights settings via the Security Templates snap-in, double-click the following path:
Local Policies
User Rights Assignment
Double-click on the desired attribute in the right frame.
To add a user or group: click Add User or Group, enter the user or group, click Add, then OK, then OK.
To remove a user or group: select the user or group, click Remove, then OK.
User Rights

Access this computer from the network
Allows a user to connect over the network to the computer.

Act as part of the operating system
Allows a process to perform as a secure, trusted part of the operating system. Some subsystems are granted this right.

Add workstations to domain
Allows a user to add workstations to a particular domain. This right is meaningful only on domain controllers. The Administrators and Account Operators groups have the ability to add workstations to a domain and do not have to be explicitly given this right.

Adjust memory quotas for a process
Determines which accounts can use a process with Write Property access to another process to increase the processor quota assigned to the other process.

Allow logon through Terminal Services
Determines which users or groups have the right to log on as a Terminal Services client. This right is needed for Remote Desktop users. If Remote Assistance is being used, only administrators using this new feature should have this right.

Back up files and directories
Allows a user to back up files and directories. This right supersedes file and directory permissions.
NOTE: If the network makes use of the Backup Operators or similar group, also assign this right to that group. Keep in mind, however, that users who have this right have the ability to bypass ACLs. Unless FullPrivilegeAuditing is turned on, such access is not logged.

Recommended settings for the rows above, in table order: Administrators, Users; (No one); (No one); Administrators

Bypass traverse checking
Allows a user to change directories and access files and subdirectories even if the user has no permission to access the parent directories.
Recommended setting: Users

Change the system time
Allows a user to set the time for the internal clock of the computer.
Recommended setting: Administrators

Create a pagefile
Allows a user to create new pagefiles for virtual memory swapping and change the size of a pagefile.
Recommended setting: Administrators

Create a token object
Allows a process to create access tokens that can be used to access local resources. Only the Local Security Authority should be allowed to create this object.
Recommended setting: (No one)

Create permanent shared objects
Allows a user to create special permanent directory objects, such as \\Device, that are used within the Windows XP object manager.
Recommended setting: (No one)

Debug programs
Allows a user to debug various low-level objects such as threads.
NOTE: Software developers working on the system may need this right to debug programs running as other users. Assign the right to developer users/groups only when necessary.
Recommended setting: (No one)
UNCLASSIFIED
29
UNCLASSIFIED
User Rights
Deny access to this computer from the network
    Prevents specific users and/or groups from accessing the computer via the network. This setting supersedes the Access this computer from network setting if an account is subject to both policies.
    NOTE: By default, the Guest and SUPPORT_388945a0 users are denied this right.
    Recommended setting: (Not Defined)

Deny logon as a batch job
    Prevents specific users and/or groups from logging on as a batch job. This setting supersedes the Log on as a batch job setting if an account is subject to both policies.
    Recommended setting: (No one)

Deny logon as a service
    Prevents specific service accounts from registering a process as a service. This setting supersedes the Log on as a service setting if an account is subject to both policies.
    Recommended setting: (No one)

Deny logon locally
    Prevents specific users and/or groups from logging on directly at the computer. This setting supersedes the Log on locally setting if an account is subject to both policies.
    NOTE: By default, the Guest and SUPPORT_388945a0 users are denied this right.
    Recommended setting: (Not Defined)

Deny logon through Terminal Services
    Determines which users and groups are prohibited from logging on as a Terminal Services client. This setting applies to Remote Desktop users.
    NOTE: If Terminal Services is being used on the system, the Everyone entry should be removed from this deny option.
    Recommended setting: Everyone

Enable computer and user accounts to be trusted for delegation
    Allows a user to set the Trusted for Delegation setting on a user or computer object. The user granted this right must have write access to the account control flags on the computer or user object.
    Recommended setting: (No one)

Force shutdown from a remote system
    Allows a user to shut down a Windows XP computer from a remote location on the network.
    Recommended setting: Administrators

Generate security audits
    Allows a process to generate security audit log entries.

Increase scheduling priority
    Allows a user to boost the execution priority of a process. This can be performed via the Task Manager user interface.

Load and unload device drivers
    Allows a user to install and remove device drivers. This right is necessary for Plug and Play device driver installation. Because a driver runs in kernel mode, anyone who can load one controls the system.
    Recommended setting: Administrators

Lock pages in memory
    Allows a user to lock pages in physical memory so they cannot be paged out to virtual memory on disk.
    Recommended setting: (No one)

Log on as a batch job
    Allows a user to log on by means of a batch-queue facility. In Windows XP, the Task Scheduler automatically grants this right as necessary.
    Recommended setting: (No one)
Log on as a service
    Allows a process to register with the system as a service.
    NOTE: Some applications such as Microsoft Exchange require a service account, which should have this right. Review the users/groups assigned this right on the system PRIOR to applying the security templates in order to determine which assignments are necessary.
    WARNING: The provided template files will remove all users/groups (with the exception of NETWORK SERVICE) from this right unless you modify the setting.
    Recommended setting: NETWORK SERVICE

Log on locally
    Allows a user to log on interactively at the computer. See also Deny logon locally, which takes precedence.
    Recommended setting: Administrators, Users

Manage auditing and security log
    Allows a user to view and clear the security log and specify what types of object access (such as file and registry key access) are to be audited. Users with this right can enable auditing for a specific object by editing the auditing options in the Security tab of the object's Properties dialog box. Members of the Administrators group always have the ability to view and clear the security log.
    NOTE: This right does not allow a user to enable file and object access auditing in general. Object auditing is enabled by setting the Audit object access item under Audit Policies.
    Recommended setting: Administrators

Modify firmware environment variables
    Allows a user to modify system environment variables stored in nonvolatile RAM on systems that support this type of configuration.
    Recommended setting: Administrators

Perform volume maintenance tasks
    Allows a user to run volume maintenance tasks, such as Disk Cleanup and Disk Defragmenter. Because it permits direct access to the volume, this right can also be used to read data without regard to NTFS permissions.
    Recommended setting: Administrators

Profile single process
    Allows a user to perform profiling (performance sampling) on a process.
    NOTE: Software developers working on the system may need this right. Assign the right to developer users/groups only when necessary.
    Recommended setting: Administrators

Profile system performance
    Allows a user to perform profiling (performance sampling) on the system.

Remove computer from docking station
    Allows a user to undock a laptop from a docking station.

Replace a process-level token
    Allows a user to modify a process's security access token. This is a powerful right used only by the system.
Restore files and directories
    Allows a user to restore backed-up files and directories. This right supersedes file and directory permissions, so a holder can write any file and set any owner on it.
    NOTE: If the network makes use of a group to restore backups, also assign this right to that group.
    Recommended setting: Administrators

Shut down the system
    Allows a user to shut down Windows XP.

Synchronize directory service data
    Allows users/groups to synchronize directory service data, also known as Active Directory synchronization.

Take ownership of files or other objects
    Allows a user to take ownership of files, directories, printers, and other objects on the computer. This right supersedes the permissions protecting those objects.
    Recommended setting: Administrators
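The user-rights recommendations above are delivered through the [Privilege Rights] section of a secedit security template (.inf). The following Python script is an added example, not code from the NSA guide or its templates: it parses that section of a constructed template fragment and reports every right whose assignment differs from the table, including rights the template leaves undefined (which secedit does not reset, so the machine keeps whatever it had). The privilege constants and well-known SIDs are the standard Windows ones; the account name svc_exchange is a hypothetical service account.

```python
"""Compare the [Privilege Rights] section of a secedit security template
(.inf) with the user-rights recommendations in the table above.

Added example; not code from the NSA guide.  TEMPLATE is constructed for
illustration and svc_exchange is a hypothetical service account."""
import configparser

# Privilege constants behind the rights discussed above (standard names).
RIGHT_NAMES = {
    "SeNetworkLogonRight": "Access this computer from network",
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeChangeNotifyPrivilege": "Bypass traverse checking",
    "SeCreateTokenPrivilege": "Create a token object",
    "SeCreatePermanentPrivilege": "Create permanent shared objects",
    "SeDebugPrivilege": "Debug programs",
    "SeDenyRemoteInteractiveLogonRight": "Deny logon through Terminal Services",
    "SeBackupPrivilege": "Back up files and directories",
    "SeRestorePrivilege": "Restore files and directories",
    "SeServiceLogonRight": "Log on as a service",
    "SeTakeOwnershipPrivilege": "Take ownership of files or other objects",
}

# Recommended assignments from the table above; an empty set is "(No one)".
RECOMMENDED = {
    "SeNetworkLogonRight": {"Administrators", "Users"},
    "SeTcbPrivilege": set(),
    "SeChangeNotifyPrivilege": {"Users"},
    "SeCreateTokenPrivilege": set(),
    "SeCreatePermanentPrivilege": set(),
    "SeDebugPrivilege": set(),
    "SeDenyRemoteInteractiveLogonRight": {"Everyone"},
    "SeBackupPrivilege": {"Administrators"},
    "SeRestorePrivilege": {"Administrators"},
    "SeServiceLogonRight": {"NETWORK SERVICE"},
    "SeTakeOwnershipPrivilege": {"Administrators"},
}

# Well-known SIDs as templates write them (each prefixed with "*").
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-20": "NETWORK SERVICE",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-551": "Backup Operators",
}

# Constructed template fragment in secedit syntax (not an NSA template).
TEMPLATE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeTcbPrivilege =
SeChangeNotifyPrivilege = *S-1-5-32-545
SeCreateTokenPrivilege =
SeDebugPrivilege = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight = *S-1-1-0
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544
SeServiceLogonRight = *S-1-5-20,svc_exchange
SeTakeOwnershipPrivilege = *S-1-5-32-544
"""


def parse_template(text):
    """Parse .inf text; keys stay case-sensitive and may contain '\\' or '$'."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def principals(value):
    """Turn '*S-1-5-32-544,name' into a set of display names."""
    names = set()
    for item in value.split(","):
        item = item.strip()
        if item.startswith("*"):
            names.add(WELL_KNOWN_SIDS.get(item[1:], item[1:]))
        elif item:
            names.add(item)  # plain account names are stored unresolved
    return names


def check_privilege_rights(text):
    """Return {privilege: finding} for every recommended right the template
    does not match.  A right absent from [Privilege Rights] is reported as
    undefined: secedit then leaves the machine's current assignment alone."""
    section = parse_template(text)["Privilege Rights"]
    findings = {}
    for right, wanted in RECOMMENDED.items():
        if right not in section:
            findings[right] = {"undefined": True}
            continue
        have = principals(section[right])
        if have != wanted:
            findings[right] = {"extra": sorted(have - wanted),
                               "missing": sorted(wanted - have)}
    return findings


if __name__ == "__main__":
    for right, finding in check_privilege_rights(TEMPLATE).items():
        print(f"{RIGHT_NAMES[right]} ({right}): {finding}")
```

To check a real machine, export its current policy with `secedit /export /cfg current.inf` and feed the file's contents to check_privilege_rights; the exported file is UTF-16, so open it with encoding="utf-16". Extra principals are exactly the review items the NOTEs above call for (a backup group, an Exchange service account), while an undefined right is the silent case: the template neither grants nor revokes it.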
Security Options
The Security Options section of the security templates contains many security parameters, most of which are configured by adding or changing registry values. Recommended Security Options settings are listed in Table 6. Customized security options added to the NSA templates are shaded in gray in that table.
WARNING: Use the Security Configuration Tool Set when configuring Security Options. Using the registry editor incorrectly can cause serious, system-wide problems that may require reinstallation of Windows XP.
NOTE: Most security options are set via a registry key. The associated registry keys are listed for each item. Those options not containing a registry key are instead secured at the API level.
Accounts: Administrator account status
    Controls the status of the default local Administrator account during normal operation. The Administrator account is always enabled in Safe Mode, regardless of this setting.
    Recommended setting: Enabled

Accounts: Guest account status
    Controls the status of the Guest account. Guest is disabled by default.
    NOTE: If the Guest account is disabled and the security option Network access: Sharing and security model for local accounts is set to Guest only, network logons, such as those performed by the SMB service, will fail.
    Recommended setting: Disabled

Accounts: Limit local account use of blank passwords to console logon only
    Controls whether local accounts with blank passwords can log on from the network. If this setting is enabled, local accounts with blank passwords cannot be used to connect to the machine from across the network, whether through Windows networking or through Terminal Services.
    NOTE: This setting only affects local accounts. It does not affect domain accounts.
    Recommended setting: Enabled
    Registry: HKLM\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse = 1

Accounts: Rename administrator account
    The Administrator account is created by default when installing Windows XP. Associating the Administrator SID with a different name may thwart an attacker who targets the built-in Administrator account by name. When choosing another name for this account, avoid obvious names such as admin or root, which reveal the purpose of the account. After renaming the account, it is recommended that the default account description be changed or deleted.
    NOTE: The provided template does not define this setting because the choice of name is environment specific. However, renaming this account is a recommended setting.
    NOTE: If anonymous users are not restricted from enumerating accounts on the system, renaming the administrator account is of limited benefit, since the account keeps its well-known SID (relative identifier 500) and can be identified by it. If anonymous users are prohibited from gathering account information, renaming the administrator account provides much more benefit. See the security options affecting anonymous access in the Network access section of this table.
    Recommended setting: <configure locally>
Accounts: Rename guest account
    The Guest account is created by default when installing Windows XP, but is disabled. Associating the Guest SID with a different name may thwart an attacker who targets the built-in Guest account by name. After renaming the account, it is recommended that the default account description be changed or deleted.
    NOTE: The provided template does not define this setting because the choice of name is environment specific. However, renaming this account is a recommended setting.
    Recommended setting: <configure locally>

Audit: Audit the access of global system objects
    Controls the ability to audit access of global system objects. When this setting is enabled, system objects such as mutexes, events, semaphores, and DOS devices are created with a default system access control list (SACL).
    WARNING: Enabling this option will result in large numbers of events being written to the security log. Because global system audit events are also difficult to interpret, it is recommended that this option be enabled only when deemed absolutely necessary.
    NOTE: To audit access to system objects, the Audit object access audit policy must also be enabled.
    Recommended setting: Not defined
    Registry: HKLM\System\CurrentControlSet\Control\Lsa\AuditBaseObjects

Audit: Audit the use of Backup and Restore privilege
    Controls the ability to audit the use of all user privileges, including Backup and Restore. If this policy is disabled, certain user rights will not be audited even if the Audit privilege use audit policy is enabled.
    WARNING: Enabling this option will result in large numbers of events being written to the security log, especially during backup and restore operations. Therefore, it is recommended that this option be enabled only when deemed absolutely necessary.
    NOTE: To audit user rights, the Audit privilege use audit policy must be enabled.
    Recommended setting: Not defined
    Registry: HKLM\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing
Audit: Shut down system immediately if unable to log security audits
    If events cannot be written to the security log, the system is halted immediately. The following Stop error appears:
    STOP: C0000244 {Audit Failed} An attempt to generate a security audit failed.
    If the system halts as a result of a full log, an administrator must log onto the system and clear the log.
    NOTE: It is generally recommended that this setting be enabled; however, because of a problem with auditing successful policy changes, this guide recommends that it be disabled until the issue is resolved. The problem surfaces on the first system reboot after the Audit: Shut down system immediately if unable to log security audits option is enabled: the system either blue screens or hangs, apparently because a policy change event cannot be written to the audit log. Subsequent reboots succeed, but only an administrator can log on until the administrator resets the CrashOnAuditFail registry value from 2 back to 0 or 1, after which other users can access the system again. This behavior does not occur if auditing of successful policy changes is not enabled.
    WARNING: Enabling this option will disallow any connections to the system until the audit logs are cleared. Take caution when enabling this on critical systems. Enabling this option on a large number of workstations in the network may also result in significant overhead when the logs become full, and it allows an attacker to effectively disable the system simply by causing the event log to fill up with garbage.
    Recommended setting: Disabled
    Registry: HKLM\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail = 0

Devices: Allow undock without having to log on
    Controls whether a user can remove a computer from a docking station without being logged on. Disabling this setting requires the user to log on before requesting an undock. Once logged on, the user must also hold the Remove computer from docking station user right.
    NOTE: This setting only pertains to controlled undocking, where the appropriate services are stopped when the machine is undocked. Nothing prevents an attacker from simply pulling the machine out of the docking station without a graceful disconnect.
    Recommended setting: Disabled
    Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon = 0

Devices: Allowed to format and eject removable media
    Determines who is allowed to format and eject removable NTFS media.
    Recommended setting: Administrators
    Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD = 0
Devices: Prevent users from installing printer drivers
    This setting determines who is allowed to install a printer driver as part of adding a network printer. A print driver is a low-level device driver that has access to restricted system resources and may perform actions that are not allowed to normal users. The administrator should install all drivers on a system after the driver has been tested. Enabling this setting prevents unprivileged users from downloading and installing untrusted printer drivers.
    NOTE: If the printer driver already exists on the local machine, users can add network printers even with this setting enabled.
    Recommended setting: Enabled
    Registry: HKLM\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers = 1

Devices: Restrict CD-ROM access to locally logged-on user only
    By default, any program can access the CD-ROM, possibly leaving sensitive data exposed. This setting determines whether the CD-ROM is accessible to both local and remote users simultaneously. When enabled, this setting allows only the interactively logged-on user to access the CD-ROM media. When this policy is enabled and no one is logged on, the CD-ROM can be accessed over the network.
    Recommended setting: Enabled
    Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms = 1

Devices: Restrict floppy access to locally logged-on user only
    By default, any program can access the floppy drive, possibly leaving sensitive data exposed. This setting determines whether the floppy drive is accessible to both local and remote users simultaneously. When enabled, this setting allows only the interactively logged-on user to access the floppy drive media. When this policy is enabled and no one is logged on, the floppy drive can be accessed over the network.
    Recommended setting: Enabled
    Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies = 1

Devices: Unsigned driver installation behavior
    This setting controls the response when an attempt is made to install a device driver (by means of the Setup API) that has not been digitally signed. The options are: Silently succeed (registry value 0), Warn but allow installation (registry value 1), and Do not allow installation (registry value 2).
    Recommended setting: Warn but allow installation
    Registry: HKLM\Software\Microsoft\Driver Signing\Policy = 1

Domain controller: Allow server operators to schedule tasks
    This setting determines whether Server Operators are allowed to submit jobs using the AT schedule utility. It does not affect the Task Scheduler. This setting is undefined on workstations.
    Recommended setting: Not defined

Domain controller: LDAP server signing requirements
    Requires that data signing be negotiated before Lightweight Directory Access Protocol (LDAP) clients can bind with the Active Directory LDAP server. This setting is undefined on workstations.
    Recommended setting: Not defined
Domain controller: Refuse machine account password changes
    Determines whether a domain controller will accept password change requests for computer accounts. This setting is undefined on workstations.
    Recommended setting: Not defined

Domain member: Digitally encrypt or sign secure channel data (always)
    This setting controls the signing and encryption of data transmitted over the secure channel. It should be enabled only in an environment where all domain controllers in the domain are capable of signing or encrypting all secure channel data, which means that all domain controllers must be running Windows 2000 or Windows NT 4.0 with Service Pack 4 or higher. Otherwise, this setting should be disabled or not defined. When disabled, a secure channel can still be established, but the level of encryption and signing is negotiated.
    NOTE: If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is automatically enabled.
    Recommended setting: Not defined
    Registry: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal

Domain member: Digitally encrypt secure channel data (when possible)
    If enabled, this setting ensures that all secure channel traffic is encrypted if the partner domain controller is also capable of encrypting all secure channel traffic.
    Recommended setting: Enabled
    Registry: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel = 1

Domain member: Digitally sign secure channel data (when possible)
    If enabled, this setting ensures that all secure channel traffic is signed if both client and server can agree on a signing protocol. Digital signing provides message integrity and authentication.
    NOTE: If Domain member: Digitally encrypt or sign secure channel data (always) is enabled, this setting is automatically enabled.
    Recommended setting: Enabled
    Registry: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel = 1

Domain member: Disable machine account password changes
    This setting determines whether a domain member may change its computer account password. It should be disabled so that domain members change their computer account passwords as specified by the setting Domain member: Maximum machine account password age.
    Recommended setting: Disabled
    Registry: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange = 0

Domain member: Maximum machine account password age
    This setting sets the maximum age of a computer account password. The default is 30 days; the template reduces it to 7 days.
    Recommended setting: 7 days
    Registry: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge = 7
Domain member: Require strong (Windows 2000 or later) session key
    When this setting is enabled, a secure channel can only be established with domain controllers that can encrypt secure channel data with a strong (128-bit) session key.
    WARNING: To enable this setting, all domain controllers in the domain must be capable of encrypting secure channel data with a strong key. This means that all domain controllers must be Windows 2000 or later. If communication with non-Windows 2000 domains is required, set this option to Disabled.
    Recommended setting: Enabled
    Registry: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey = 1

Interactive logon: Do not display last user name
    This setting determines whether the name of the last user to log on to the computer is displayed in the Windows logon dialog box.
    NOTE: In certain circumstances, this option may be left disabled. For example, if administrators are concerned about unauthorized physical access to a sensitive system, seeing who last logged on could be helpful.
    Recommended setting: Enabled
    Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName = 1

Interactive logon: Allow Automatic Administrator Logon
    Allows a system to log on automatically as administrator when the machine is started. By default, this setting is disabled.
    NOTE: If this option was at one time enabled, a DefaultPassword value may also exist in the same registry key. This value contains the administrator password in clear text and can be read across the network by any user who can connect to the registry. It should be deleted.
    Recommended setting: Disabled
    Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon = 0

Interactive logon: Do not require CTRL+ALT+DEL
    If this option is enabled, a user is not required to press CTRL+ALT+DEL to log on. CTRL+ALT+DEL establishes a trusted path to the operating system when entering a username/password pair, so removing that requirement exposes the user's logon credentials to programs that imitate the logon dialog. By default, this option is disabled on systems in a domain and enabled on stand-alone workstations.
    Recommended setting: Disabled
    Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD = 0

Interactive logon: Message text for users attempting to log on
    Systems should display a warning message before logon, indicating the private nature of the system. Many government organizations use this message box to notify potential users that their use can be monitored and that they can be held legally liable if they attempt to use the computer without proper authorization.
    Recommended setting: <configure locally; see Appendix for a sample>
    Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText = Message text of your choice
Interactive logon: Message title for users attempting to log on
    Used in conjunction with the logon text, systems should also display a warning statement on the title bar.
    Recommended setting: <configure locally; see Appendix for a sample>
    Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption = Caption of your choice to be displayed on the title bar

Interactive logon: Number of previous logons to cache (in case domain controller is not available)
    This setting determines the number of cached logon credentials that the system retains. Cached logon credentials enable users to log on to the system when the computer is not connected to the network or when the domain controller is not available.
    WARNING: With 0 cached logons, users will not be able to log on to the domain unless connected to the network. This is not a viable setting for mobile laptop users who use domain (rather than local) accounts to log onto the laptop while away from the office.
    Recommended setting: 0 logons
    Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount = 0

Interactive logon: Prompt user to change password before expiration
    This setting determines how far in advance users are warned that their password is about to expire.
    Recommended setting: 14 days
    Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning = 14

Interactive logon: Require Domain Controller authentication to unlock workstation
    When enabled, a domain controller must authenticate the domain account that is being used to unlock the computer. When disabled, cached credentials can be used to unlock the computer.
    WARNING: If a domain controller goes down while a user's screen is locked, the user will not be able to unlock the workstation if this option is enabled.
    Recommended setting: Enabled
Interactive logon: Smart card removal behavior
    This setting determines the system behavior for a logged-on user when a smart card is removed. The options are: No Action; Lock Workstation (users can remove the smart card and later return to the same session); Force Logoff (users are automatically logged off when the card is removed).
    Recommended setting: Lock Workstation
    Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption = 1

Microsoft network client: Digitally sign communications (always)
    When enabled, this setting forces the SMB client to always digitally sign SMB communications. Signing authenticates each SMB message, which defeats man-in-the-middle tampering and session hijacking; it does not encrypt the traffic.
    NOTE: It is recommended that this option be enabled in a pure Windows 2000/XP environment.
    Recommended setting: Not defined
    Registry: HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature

Microsoft network client: Digitally sign communications (if server agrees)
    When enabled, the SMB client performs SMB packet signing when communicating with an SMB server that is either enabled or required to perform SMB packet signing.
    Recommended setting: Enabled
    Registry: HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature = 1

Microsoft network client: Send unencrypted password to third-party SMB servers
    Disabling this setting prevents the SMB redirector from sending plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication.
    WARNING: Enabling this will allow unencrypted (plain text) passwords to be sent across the network when authenticating to an SMB server that requests this option. This reduces the overall security of an environment and should only be done after careful consideration of the consequences of plain text passwords in your specific environment.
    Recommended setting: Disabled
    Registry: HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword = 0

Microsoft network server: Amount of idle time required before suspending session
    Determines the amount of continuous idle time that must pass in an SMB session before the session is suspended. If client activity resumes after a disconnect, the session is automatically reestablished.
    Recommended setting: 15 minutes
    Registry: HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect = 15
Microsoft network server: Digitally sign communications (always)
    Determines whether the SMB server requires SMB packet signing.
    NOTE: Enabling this option could be desirable in that it will prevent downlevel clients that cannot sign from using the workstation as a network server.
    Recommended setting: Not defined
    Registry: HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature

Microsoft network server: Digitally sign communications (if client agrees)
    Determines whether the SMB server performs SMB packet signing.
    Recommended setting: Enabled
    Registry: HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature = 1

Microsoft network server: Disconnect clients when logon hours expire
    Determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours.
    Recommended setting: Enabled
    Registry: HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogoff = 1

Network access: Allow anonymous SID/Name translation
    Determines whether an anonymous user can request security identifier (SID) attributes for another user or use a SID to obtain the corresponding user name.
    Recommended setting: Disabled
Network access: Do not allow anonymous enumeration of SAM accounts
    This setting controls the ability of anonymous users to enumerate the accounts in the SAM. It is enabled by default on Windows XP.
    WARNING: Enabling this option will affect an administrator's ability to grant access to users in a trusted domain that does not maintain a reciprocal trust.
    Recommended setting: Enabled
    Registry: HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM = 1

Network access: Do not allow anonymous enumeration of SAM accounts and shares
    This setting controls the ability of anonymous users to enumerate SAM accounts and shares. It is set to Disabled by default on Windows XP.
    NOTE: The system must be rebooted for the RestrictAnonymous setting to take effect.
    Recommended setting: Enabled
    Registry: HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1

Network access: Do not allow storage of credentials or .NET Passports
    This setting controls the storage of authentication credentials or passwords on the local system.
    Recommended setting: Enabled
    Registry: HKLM\System\CurrentControlSet\Control\Lsa\DisableDomainCreds = 1

Network access: Let Everyone permissions apply to anonymous users
    Determines what additional permissions are granted for anonymous connections to the computer. When this setting is disabled, permissions granted to the Everyone group do not apply to anonymous users; anonymous users can only access resources for which the ANONYMOUS LOGON identity has been explicitly given permissions. This option is disabled by default on Windows XP.
    NOTE: Disabling this option is the equivalent of setting RestrictAnonymous = 2 on Windows 2000.
    Recommended setting: Disabled
    Registry: HKLM\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous = 0

Network access: Named Pipes that can be accessed anonymously
    Pipes are internal communication channels identified by ID numbers that vary between systems; to facilitate access, pipes are given names that do not vary among systems. This setting determines which named pipes allow anonymous access.
    Recommended setting: Not Defined
    Registry: HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes

Network access: Remotely accessible registry paths
    This setting specifies the registry paths that are accessible from a remote computer.
    Recommended setting: Not Defined
    Registry: HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine

Network access: Shares that can be accessed anonymously
    This setting specifies the shares that can be accessed by anonymous users.
    Recommended setting: Not Defined
    Registry: HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares
Network access: Sharing and security model for local accounts
    This setting controls how network logons that use local accounts are authenticated. The Classic model forces network logons to use the local account credentials, whereas the Guest only model maps network logons to the Guest account regardless of the credentials presented by the user. The Classic model provides fine control over access to resources: different types of access can be granted to different users for the same resource. This option is set to Classic by default for Windows XP Professional machines joined to a domain. Standalone Windows XP machines set this option to Guest only by default.
    NOTE: Network logons using domain accounts, and interactive logons performed through services such as Telnet or Terminal Services, are not affected by this setting.
    WARNING: The Guest only model gives any user who can reach the computer over the network (including anonymous Internet users) the ability to access shared resources.
    Recommended setting: Classic: local users authenticate as themselves
    Registry: HKLM\System\CurrentControlSet\Control\Lsa\ForceGuest = 0

Network security: Do not store LAN Manager hash value on next password change
    Enabling this setting prevents the LAN Manager (LM) hash from being stored in the SAM at the next password change.
    NOTE: The LM hash is used for backwards compatibility with pre-Windows NT machines and some applications. It is computed from the password converted to uppercase, truncated or padded to 14 characters, and split into two independent 7-character halves, so each half can be cracked separately from a small keyspace; for this reason the LM hash is the primary target of password-cracking utilities, and it is recommended that it not be stored in the SAM. Existing LM hashes remain in the SAM until each account's password is changed after the setting takes effect.
    WARNING: Enabling this option will cause problems communicating with legacy operating systems or applications that support only LAN Manager authentication.
    Recommended setting: Enabled
    Registry: HKLM\System\CurrentControlSet\Control\Lsa\NoLMHash = 1

Network security: Force logoff when logon hours expire
    When this setting is enabled, client sessions with the SMB server are forcibly disconnected when the client's session extends beyond the user account's valid logon hours.
    Recommended setting: Enabled
Network security: LAN Manager authentication level
    This parameter specifies the type of challenge/response authentication to be used for network logons with non-Windows 2000/XP Windows clients. LAN Manager authentication (LM) is the weakest method: the challenge/response exchange can be sniffed off the network and the password cracked offline. NT LAN Manager (NTLM) is somewhat more secure. NTLMv2 is a more robust version of NTLM and is available with Windows XP, Windows 2000, Windows NT 4.0 Service Pack 4 and higher, and Windows 95/98 with the optional Directory Services Client. The following options are available:
    Send LM & NTLM responses (registry value 0)
    Send LM & NTLM, use NTLMv2 session security if negotiated (registry value 1)
    Send NTLM response only (registry value 2)
    Send NTLMv2 response only (registry value 3)
    Send NTLMv2 response only\refuse LM (registry value 4)
    Send NTLMv2 response only\refuse LM and NTLM (registry value 5)
    WARNING: Some Windows processes, such as Cluster Services, use NTLM to authenticate. Use of the recommended setting may cause these services to fail. For more information on NTLM and Cluster Services, see KB article Q272129, http://support.microsoft.com/default.asp?scid=kb;EN-US;q272129
    WARNING: Setting this value higher than 2 on a Windows XP system could prevent connectivity to systems that support only LM authentication (Windows 95/98 and Windows for Workgroups) or only NTLM (Windows NT 4.0 prior to Service Pack 4). The Active Directory Services Client may be installed on Windows 9x machines to allow for NTLMv2 security.
    Recommended setting: Send NTLMv2 response only\refuse LM and NTLM
    Registry: HKLM\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel = 5

Network security: LDAP client signing requirements
    This setting controls the signing requirements for LDAP clients: data signing must be negotiated before the LDAP client binds to an Active Directory LDAP server.
    Recommended setting: Negotiate signing
    Registry: HKLM\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity = 1

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
    This setting determines the minimum security standards for an application-to-application communications session initiated by a client. The value 537395200 (0x20080000) sets the flags Require NTLMv2 session security (0x00080000) and Require 128-bit encryption (0x20000000).
    Recommended setting: Require NTLMv2 session security, Require 128-bit encryption
    Registry: HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec = 537395200
44
UNCLASSIFIED
UNCLASSIFIED
Security Attribute
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers This setting determines the minimum security standards for an application-to-application communications session on a server. HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\ NTLMMinServerSec=537395200 Recovery console: Allow automatic administrative logon The recovery console is a command line environment that is used to recover from system problems. If this setting is enabled, the administrator account will be logged on automatically to the recovery console when it is invoked during startup. This setting should be disabled, thus, requiring a password from the recovery console. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Setup\ RecoveryConsole\SecurityLevel=0 Recovery console: Allow floppy copy and access to all drives and all folders If this setting is enabled, a user has full access to all drives on the system and can copy files from the hard drive to the floppy disk. The Recovery Console SET command is available, which allows users to set the following Recovery Console environment variables: AllowWildCards, AllowAllPaths, AllowRemovableMedia, and NoCopyPrompt. When this setting is disabled, copying files from the hard drive to the floppy drive is prohibited. In addition, the directories and drives that can be accessed are also limited. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Setup\ RecoveryConsole\SetCommand=0 Shutdown: Allow system to be shut down without having to log on This setting determines if a system can be shutdown without being logged on. If this policy is enabled, the shutdown command is available on the Windows logon screen. This setting should be disabled thus restricting the ability to shut down a system to users with credentials on the system. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ ShutdownWithoutLogon=0 Shutdown: Clear virtual memory pagefile Virtual memory support uses a system pagefile to swap pages of memory to disk when not being used. When the pagefile is cleared at shutdown, any sensitive information that may be in virtual memory is not available to an unauthorized user who manages to directly access the pagefile.
NOTE: Enabling this option will result in an increased shutdown time.
Recommended Setting
Require NTLMv2 session security, Require 128-bit encryption
Disabled
Disabled
Disabled
Enabled
HKLM\System\CurrentControlSet\Control\Session Manager\ Memory Management\ClearPageFileAtShutdown=1 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing This setting ensures that the TLS/SSL Security Provider uses algorithms that are FIPS compliant for encryption, hashing, and signing. FIPS compliant algorithms are those that meet standards established by the U.S. Government. HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy=1
Enabled
UNCLASSIFIED
45
UNCLASSIFIED
Security Attribute
System objects: Default owner for objects created by members of the Administrators group This setting determines whether the Administrators group or an object creator is the default owner of any system objects that are created. For accountability, the object creator should be the default owner. HKLM\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner=1 System objects: Require case insensitivity for non-Windows subsystems This setting determines whether case insensitivity is enforced for all subsystems. When this setting is enabled, case insensitivity is enforced for all directory objects, symbolic links, and IO objects. HKLM\System\CurrentControlSet\Control\Session Manager\Kernel\ ObCaseInsensitive=1 System objects: Set safe search path for DLLs This key changes the default search order when a DLL is called from Application directory Current directory System directories Path To
Recommended Setting
Object Creator
Enabled
Enabled
This protects DLLs in the system folders from spoofing by DLLs in nonsystem folders.
NOTE: In Windows XP Service Pack 1 (SP1) this becomes the default behavior, even if this setting is absent. In other words, if the setting is missing in the registry, the default behavior in Windows XP RTM is to search the current directory before the system directories, while in Windows XP SP1, it is to search the system directories before the current directory.
HKLM\System\CurrentControlSet\Control\Session Manager\ SafeDllSearchMode = 1 System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) Enabling this setting strengthens the DACLs on the global list of shared system resources (such as DOS device names, mutexes, and semaphores) so that non-administrative users can read, but not modify shared objects they did not create. HKLM\System\CurrentControlSet\Control\Session Manager\ ProtectionMode = 1
Enabled
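The registry values above are what the Security Configuration Editor writes into the [Registry Values] section of a template as regpath=type,value lines. The following script is an added example for this guide (it is not part of the NSA text and not a Microsoft tool) that parses that section from a template file and reports every recommended Security Option that is missing or set to a different value; it also decodes the NTLMMinClientSec bit mask and the LMCompatibilityLevel number into the option names listed above. The sample template embedded in the script is constructed for the demonstration and deliberately omits NoLMHash and leaves LMCompatibilityLevel at 3.

```python
"""Audit the [Registry Values] section of a security template against the
Security Options recommended above (Network security, Recovery console,
Shutdown, System cryptography and System objects entries).

Added example for this guide; not part of the NSA text or of any Microsoft
tool.  It relies on the Security Configuration Editor template format, in
which each line reads  regpath=type,value  with type 4 = REG_DWORD,
1 = REG_SZ, 2 = REG_EXPAND_SZ, 3 = REG_BINARY and 7 = REG_MULTI_SZ.  The
SAMPLE_TEMPLATE is constructed: it omits NoLMHash and sets
LMCompatibilityLevel below the recommended value.
"""

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
SESSION = r"MACHINE\System\CurrentControlSet\Control\Session Manager"
RECOVERY = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole"

# (template path, recommended value), in the order the settings appear above.
RECOMMENDED = [
    (LSA + r"\ForceGuest", 0),
    (LSA + r"\NoLMHash", 1),
    (LSA + r"\LMCompatibilityLevel", 5),
    (r"MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity", 1),
    (LSA + r"\MSV1_0\NTLMMinClientSec", 537395200),
    (LSA + r"\MSV1_0\NTLMMinServerSec", 537395200),
    (RECOVERY + r"\SecurityLevel", 0),
    (RECOVERY + r"\SetCommand", 0),
    (r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon", 0),
    (SESSION + r"\Memory Management\ClearPageFileAtShutdown", 1),
    (LSA + r"\FIPSAlgorithmPolicy", 1),
    (LSA + r"\NoDefaultAdminOwner", 1),
    (SESSION + r"\Kernel\ObCaseInsensitive", 1),
    (SESSION + r"\SafeDllSearchMode", 1),
    (SESSION + r"\ProtectionMode", 1),
]

# Documented NTLM SSP minimum-security flags (NTLMMinClientSec / NTLMMinServerSec).
NTLM_MIN_SEC_FLAGS = {
    0x00000010: "Require message integrity",
    0x00000020: "Require message confidentiality",
    0x00080000: "Require NTLMv2 session security",
    0x20000000: "Require 128-bit encryption",
}
LM_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM, use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only\\refuse LM",
    5: "Send NTLMv2 response only\\refuse LM and NTLM",
}


def parse_registry_values(template_text):
    """Return {regpath: (reg_type, value)} from the [Registry Values] section."""
    values, in_section = {}, False
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
            continue
        if not in_section:
            continue
        path, _, rhs = line.partition("=")
        type_str, _, data = rhs.partition(",")
        reg_type = int(type_str)
        if reg_type == 4:
            value = int(data)                 # REG_DWORD is written in decimal
        elif reg_type == 7:
            value = data.split(",")           # REG_MULTI_SZ: comma-separated strings
        else:
            value = data.strip('"')           # REG_SZ / REG_EXPAND_SZ / REG_BINARY as text
        values[path.strip()] = (reg_type, value)
    return values


def check_template(template_text):
    """List (regpath, expected, actual) for every recommended value that is absent or wrong."""
    present = parse_registry_values(template_text)
    findings = []
    for path, expected in RECOMMENDED:
        actual = present.get(path, (None, None))[1]   # None when the template does not set it
        if actual != expected:
            findings.append((path, expected, actual))
    return findings


def describe_ntlm_min_sec(value):
    """Decode an NTLMMinClientSec / NTLMMinServerSec DWORD into the policy names."""
    return [name for bit, name in NTLM_MIN_SEC_FLAGS.items() if value & bit]


# Constructed sample template: NoLMHash is missing and LMCompatibilityLevel is 3.
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395200
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,537395200
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"Authorized use only"
"""

if __name__ == "__main__":
    for path, expected, actual in check_template(SAMPLE_TEMPLATE):
        print("%s: expected %s, found %s" % (path, expected, actual))
    print("NTLMMinClientSec 537395200 ->", ", ".join(describe_ntlm_min_sec(537395200)))
    print("LMCompatibilityLevel 3 ->", LM_LEVELS[3])
```

Run it against a real template by replacing SAMPLE_TEMPLATE with the contents of the .inf file; a finding of None means the template leaves the value unconfigured, so the target system keeps whatever it had before, which is usually the weaker default.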
Adding an Entry to Security Options
In Windows XP, it is possible to add custom registry settings to the Security Configuration Tool Set. To accomplish this, perform the following actions:
1. Copy the file %SystemRoot%\inf\sceregvl.inf to a file with a different name, so that a copy of the original exists in case of a problem.
2. Open %SystemRoot%\inf\sceregvl.inf in Notepad, WordPad, or another text editor.
3. Under the [Register Registry Values] section, add a line in the form
   regpath,type,displayname,displaytype
   where
   regpath is the registry value path, e.g., MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects
   type is the data type of the registry entry, represented by a number: REG_SZ (1), REG_EXPAND_SZ (2), REG_BINARY (3), REG_DWORD (4), REG_MULTI_SZ (7)
   displayname is the name actually displayed in the security template, e.g., Audit the access of global system objects
   displaytype is how the interface displays the registry value: Boolean (0), number (1), string (2), choices (3), multivalued (4), bitmask (5). Values 4 and 5 are available on Windows XP only. If choices (3) is specified, the choices follow on the same line in the format value1|display1,value2|display2,...
4. Re-register scecli.dll by executing regsvr32 scecli.dll at a command prompt.
An example line in sceregvl.inf is:
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption,1,%ScRemove%,3,0|%ScRemove0%,1|%ScRemove1%,2|%ScRemove2%
The strings referenced above are defined in the [Strings] section of sceregvl.inf:
%ScRemove% = Smart card removal behavior
%ScRemove0% = No Action
%ScRemove1% = Lock Workstation
%ScRemove2% = Force Logoff
NOTE: It is only necessary to modify sceregvl.inf on the system from which the security template and/or group policy are being edited. Other machines ultimately receiving the new settings via group policy need not be changed.
For more information on how to edit the Security Configuration Manager templates, refer to Microsoft Knowledge Base article Q214752, available at http://support.microsoft.com/?scid=kb;en-us;Q214752.
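A malformed entry in sceregvl.inf is only discovered after scecli.dll has been re-registered and the Security Options node fails to show the new setting. The following script is an added example for this guide (not part of the NSA text or of any Microsoft tool) that checks a candidate [Register Registry Values] line against the field layout described above before the DLL is re-registered: the regpath prefix, the numeric registry type and display type, the value|display pairs required by display type 3, and that every %name% used is defined in the [Strings] section. The sample file contents are constructed; the first entry is the smart card removal example from this section, and the second entry (a hypothetical key invented for the demonstration) is deliberately broken.

```python
"""Validate custom sceregvl.inf entries before running regsvr32 scecli.dll.

Added example for this guide; not part of the NSA text or of any Microsoft
tool.  The field layout (regpath,type,displayname,displaytype[,choices]) is
the one described in this section.  SAMPLE_INF is constructed; the key
MACHINE\Software\Example\Setting in BAD_ENTRY is hypothetical.
"""
import re

REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
DISPLAY_TYPES = {0: "boolean", 1: "number", 2: "string", 3: "choices", 4: "multivalued", 5: "bitmask"}
STRING_REF = re.compile(r"^%([^%]+)%$")


def parse_section(inf_text, section):
    """Return the non-empty lines of the named [section] of an .inf file."""
    lines, inside = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            inside = line.lower() == "[%s]" % section.lower()
        elif inside and line and not line.startswith(";"):
            lines.append(line)
    return lines


def parse_strings_section(inf_text):
    """Return {name: text} for the [Strings] section; accepts 'Name = ...' and '%Name% = ...'."""
    strings = {}
    for line in parse_section(inf_text, "Strings"):
        name, _, text = line.partition("=")
        strings[name.strip().strip("%")] = text.strip().strip('"')
    return strings


def validate_entry(entry, strings):
    """Return a list of problems with one [Register Registry Values] line; empty means OK."""
    problems = []
    fields = [f.strip() for f in entry.split(",")]
    if len(fields) < 4:
        return ["expected at least regpath,type,displayname,displaytype"]
    regpath, reg_type, display_name, display_type = fields[:4]
    choices = fields[4:]
    if not regpath.startswith("MACHINE\\"):
        problems.append("regpath must start with MACHINE\\ (HKEY_LOCAL_MACHINE)")
    if not (reg_type.isdigit() and int(reg_type) in REG_TYPES):
        problems.append("unknown registry type %r (use one of %s)" % (reg_type, sorted(REG_TYPES)))
    if not (display_type.isdigit() and int(display_type) in DISPLAY_TYPES):
        problems.append("unknown display type %r (use 0-5)" % display_type)
        return problems

    def check_string(token):
        m = STRING_REF.match(token)
        if m and m.group(1) not in strings:
            problems.append("%s is not defined in [Strings]" % token)

    check_string(display_name)
    if int(display_type) == 3:
        if not choices:
            problems.append("display type 3 (choices) needs value|display pairs")
        for choice in choices:
            if choice.count("|") != 1:
                problems.append("choice %r is not in value|display form" % choice)
            else:
                check_string(choice.split("|")[1])
    elif choices:
        problems.append("value|display choices are only valid with display type 3")
    return problems


def validate_inf(inf_text):
    """Validate every line of [Register Registry Values]; returns {entry: problems}."""
    strings = parse_strings_section(inf_text)
    return {entry: validate_entry(entry, strings)
            for entry in parse_section(inf_text, "Register Registry Values")}


GOOD_ENTRY = (r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption,"
              r"1,%ScRemove%,3,0|%ScRemove0%,1|%ScRemove1%,2|%ScRemove2%")
BAD_ENTRY = r"MACHINE\Software\Example\Setting,5,%Example%,3"   # hypothetical key, wrong type, no choices

SAMPLE_INF = "[Register Registry Values]\n" + GOOD_ENTRY + "\n" + BAD_ENTRY + r"""
[Strings]
%ScRemove% = Smart card removal behavior
%ScRemove0% = No Action
%ScRemove1% = Lock Workstation
%ScRemove2% = Force Logoff
"""

if __name__ == "__main__":
    for entry, problems in validate_inf(SAMPLE_INF).items():
        print(entry)
        for p in problems or ["OK"]:
            print("   ", p)
```

Run the check on the edited copy of sceregvl.inf before step 4 above; because the modified file is only needed on the machine where templates are edited (see the NOTE), a mistake caught here never reaches the systems that receive the settings through Group Policy.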
Deleting customized options
The deletion of customized security options is not as simple as removing the options from the sceregvl.inf file and re-registering the DLL. To ensure that options are permanently deleted from the templates, perform the following actions:
1. Open sceregvl.inf in a text editor (e.g. Notepad).
2. Delete the specific security option from the [Register Registry Values] section of sceregvl.inf.
3. Under the section of sceregvl.inf labeled delete these values from current system, add the registry key to be removed from the templates. For example, taking the entry used in the previous section, place MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption under this section.
4. Save and close sceregvl.inf.
5. At a command prompt, execute regsvr32 scecli.dll.
6. To confirm that the option has been deleted, open the Security Templates snap-in in the MMC and verify that the option no longer appears in the Local Policies, Security Options section of the template files.
7. To clean up, edit sceregvl.inf again, remove the entry added previously under delete these values from current system, save and close the file, then run regsvr32 scecli.dll again.
Chapter 6 Modifying Event Log Settings with Security Templates
Windows XP event logs record system events as they occur. The Security, Application, and System event logs contain information generated by the specified audit settings. In addition to the audit settings enabled in the security templates, auditing of other system objects, such as specific files, registry keys, and printers, can be enabled. To view the event log settings of a security template, double-click the following in the MMC:
  Security Templates
  Default configuration file directory (%SystemRoot%\Security\Templates)
  Specific configuration file
  Event Log
NOTE: After making any modifications to the configuration files, make sure the changes are saved and then test the changes before installing them on an operational network.
Event Log Settings
Maximum application log size / Maximum security log size / Maximum system log size
If the event logs are too small, they fill up often and administrators must save and clear them more frequently than necessary. Allowable values range from 64 KB to 4194240 KB and must be a multiple of 64 KB.
NOTE: This setting will allow the log file to grow to the size of the available space on the hard disk or up to 4 GB, whichever is smaller.
Recommended Setting: 4194240 KBytes

Restrict guest access to application log / Restrict guest access to security log / Restrict guest access to system log
The default configuration allows guests and null logons to view the system and application event logs. While the security log is protected from guest access by default, it is viewable by users who have the Manage Audit Logs user right. This option prevents guests and null logons from viewing any of the event logs.
Recommended Setting: Enabled

Retain application log / Retain security log / Retain system log
These options control how long the event logs are retained before they are overwritten. Allowable values are between 1 and 365 days.
NOTE: To ensure that no important data is lost, especially in the event of a security breach of the system, the event logs on workstations should be periodically collected with a third-party software tool before they are overwritten.
Recommended Setting: 14 days

Retention method for application log / Retention method for security log / Retention method for system log
This option sets how the operating system handles event logs that have reached their maximum size. The event logs can be overwritten after a certain number of days, overwritten when they become full, or retained until they are cleared manually.
NOTE: This recommendation applies to workstations only. Server logs should be cleared manually.
Recommended Setting: By days
To save and clear an event log in Event Viewer:
1. Click on the log to be cleared in the right pane of the Event Viewer window.
2. Select Clear All Events from the Action menu.
3. Click Yes to save the log, and give the file a unique name.
4. Specify where the log will be saved and then click Save.
5. Click Yes to clear the log.
6. Repeat the above steps for each log.
Chapter 7 Managing Restricted Groups with Security Templates
The Restricted Groups option allows the administrator to manage the membership of sensitive groups. For example, if the Administrators group is to consist only of the built-in Administrator account, the Administrators group can be added to the Restricted Groups option and Administrator can be added in the Members of Administrators column. Because the configured membership is re-applied each time the policy is applied, an account that an attacker adds to the group through an attack tool or hack is removed again at the next refresh, which limits this route to elevated privilege. Not all groups need to be added to the Restricted Groups list; it is recommended that only sensitive groups be configured through security templates. Any groups not listed retain their membership lists. For every group listed for this option, any groups and/or users listed that are not currently members of that group are added, and any users and/or groups that are currently members of the group but not listed in the configuration file are removed.
The following steps describe how to add a restricted group to the list:
1. Right-click Restricted Groups.
2. Select Add Group.
3. Click the Browse button.
4. Double-click each group that needs to be added, then click OK, OK.
5. Double-click the newly added group in the right frame.
6. Click Add.
7. Double-click each group and/or user that should be a member of the group.
8. Click OK, OK.
The recommended setting in the provided workstation template restricts the Power Users group to having no members. This is generally good security practice. However, environments using older applications or custom-written line-of-business applications may require users to have additional privileges similar to those of the Power Users group on certain files, folders, or registry keys relating to those applications. Ideally, the needed permissions on these files and registry keys should be identified and implemented instead of adding users to the Power Users group. Under no circumstances should you add users to the Administrators group just to make your applications work.
Chapter 8 Managing System Services with Security Templates
The System Services option allows for configuration of startup modes and access control lists for all system services. Configuration options include startup settings (Automatic, Manual, or Disabled) for services such as network, file, and print services. Security settings can also be established that control which users and/or groups can read and execute, write to, delete, start, pause, or stop a service.
For example, to disable the IISADMIN service and give no one access to it, you could use the following string in the services section of a template: IISADMIN,4,"D:ARS:AR". The 4 is the Disabled startup mode, and a DACL that contains no entries (here only the AR inheritance flag) grants no access to anyone. This is not the same as a security descriptor with no DACL at all, which would allow everyone full access to the service.
Services added to this area can be configured in the same way as the built-in services included by default. In addition, administrators can use a security configuration attachment to configure service-specific settings. Such an attachment consists of a DLL, an extension snap-in, and an installation kit. For more information on creating security configuration attachments, refer to the white paper Security Configuration Toolset, http://www.microsoft.com/windows2000/techinfo/howitworks/security/sctoolset.asp. To view the system services settings of a security template, double-click the following in the MMC:
  Security Templates
  Default configuration file directory (%SystemRoot%\Security\Templates)
  Specific configuration file
  System Services
NOTE: After making any modifications to the configuration files, make sure the changes are saved, and then test the changes before installing them on an operational network.
The following steps describe how to configure system service settings:
1. Double-click the service to configure.
2. Check the Define this policy setting in the template checkbox. If this policy was previously undefined, the Security dialog box appears automatically. Otherwise, click Edit Security.
3. Click Add (to add groups and/or users to the access list).
4. Double-click each user or group to add and click OK.
5. Check the permissions that each user or group should have for that service.
6. Click Remove (to remove groups and/or users from the access list).
7. When finished entering the permissions, click OK.
8. Under Select service startup mode, select Automatic, Manual, or Disabled.
Figure 4 shows the System Services entries in the Security Templates snap-in.
Run services with the least privilege necessary. For example, do not run a service as a domain administrator if user privileges are sufficient.
Chapter 9 Modifying Registry Security Settings with Security Templates
The Security Configuration tool set can be used to configure discretionary access control lists (DACLs) for registry keys. In order to implement adequate security in a Windows XP environment, some registry key permissions should be changed. The recommended changes can also be made manually using regedit.exe; however, this method is more time-consuming and leaves more room for error.
WARNING: By default, some protections are set on the various components of the registry that allow work to be done while providing standard-level security. For high-level security, some access rights will be modified. This should be done with caution because programs that users need to do their jobs often require access to certain keys on the user's behalf. Care should be taken to follow these steps exactly, as additional, unnecessary changes to the registry can render a system unusable and even unrecoverable.
Inheritance model
Within the Windows XP inheritance model, permissions on child objects are automatically inherited from their parent. This can be seen by the check in the Inherit from parent the permission entries that apply to child objects checkbox in the DACL editor. Other permissions can be explicitly defined for a child object in addition to those the child inherits from its parent. When the checkbox is not checked, the DACLs defined on that object apply only to that object and its children. No permissions are inherited from the parent object.
Registry permissions
To manually view permissions on a specific registry key:
1. Run regedit.exe.
2. Right-click the desired registry key.
3. Select Permissions from the pull-down menu.
Only Full Control, Read, and Special Permissions appear in the permissions dialog box. However, permissions may be set with more granularity by clicking the Advanced button. Table 8 lists the granular registry permissions. Table 9 shows which granular permissions to select in order to achieve certain higher-level permissions.
NOTE: Any time a permission is not a pure Read or Full Control, the permission is shown as Special in the Advanced Security Settings window.

Table 8 Special registry permissions

Special Permission    Description
Query Value           Allows querying the registry for a specific value
Set Value             Allows new values to be created for a key and old values to be overwritten
Create Subkey         Allows the creation of subkeys
Enumerate Subkeys     Allows viewing of the list of subkeys under a registry key
Notify                Allows registration of a callback function that is triggered when the value changes
Create Link           Allows the creation of a link to a specific key
Delete                Allows deletion of a value or key
Write DAC             Allows modification of the access controls on the key
Write Owner           Allows a user to take ownership of the key
Read Control          Allows reading of the key's access control list

Table 9 Special permissions that make up the higher-level registry permissions

Special Permission    Full Control   Read   Write   Delete
Query Value           x              x
Set Value             x                     x
Create Subkey         x                     x
Enumerate Subkeys     x              x
Notify                x              x
Create Link           x
Delete                x                             x
Write DAC             x
Write Owner           x
Read Control          x              x      x
Effective Permissions
With both allow and deny permissions for multiple groups, determining which registry permissions apply to a particular user or group may be confusing. Windows XP provides an easy way to view which permissions are effectively granted to any particular user or group for a given object. To view these effective permissions:
1. In a registry editor (e.g. regedit), right-click on a registry key.
2. Select Permissions from the pull-down menu.
3. Click Advanced.
4. Click the Effective Permissions tab.
5. In the Group or user name section, click the Select button.
6. Under Enter the object name to select, enter the user or group name.
7. Click OK. The permissions that apply to the specified user or group are checked.
Figure 5 Registry permissions configuration options
- Click Edit Security.
- Click the Advanced button. Figure 6 shows the Advanced Security Settings window.

Figure 6 Advanced security settings
- If permissions from the parent key are NOT to be inherited, ensure that the Inherit from parent the permission entries that apply to child objects checkbox is cleared.
- Modify users and groups to reflect the recommended permissions by clicking the Add or Remove buttons.
- Click on a user and/or group, then click Edit. A Permission Entry dialog box appears, as shown in Figure 7.
- In the Apply onto pull-down menu, select the correct configuration. Possible values are This key only, This key and subkeys, and Subkeys only.
- In the Permissions pane, select the desired permissions. Refer to the earlier section on registry permissions.
- Click OK four times to exit.
Excluding registry keys from the security configuration
There are occasions where a specific registry key should retain its current security settings. To ensure that parent keys do not propagate their new permissions down to such registry keys, the object may be excluded from configuration. To exclude an object:
1. In the right frame of Registry, double-click on the key to be changed.
2. Click the Do not allow permissions on this key to be replaced radio button.
3. Click OK.
The following notation is used in this section of the security templates: CLASSES_ROOT indicates HKEY_CLASSES_ROOT hive MACHINE indicates HKEY_LOCAL_MACHINE hive USERS indicates HKEY_USERS hive
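Inside a template, each entry of the table that follows is stored as a [Registry Keys] line of the form "key",mode,"SDDL", and each service entry from Chapter 8 (for example IISADMIN,4,"D:ARS:AR") as a similar line; the permissions and the Apply onto scope are encoded in the SDDL string. The following script is an added example for this guide (not NSA or Microsoft code) that parses those lines, decodes each ACE into the principal, scope and permission names used in the table (Full Control, Read, Subkeys only, and the Table 8 special permissions) for either a registry key or a service, and lists any principal outside Administrators, SYSTEM and CREATOR OWNER that is granted write-type access. The SDDL grammar, the two-letter rights codes and the SID aliases are the documented Windows encodings; the mode numbers (0 Propagate, 1 Ignore, 2 Replace) and start types (2 Automatic, 3 Manual, 4 Disabled) are the template format's, not something this guide states. All descriptors in the script are constructed for the demonstration.

```python
"""Decode the SDDL strings that security templates store for [Registry Keys]
entries and for service entries (the [Service General Setting] section).

Added example for this guide; not NSA or Microsoft code.  SDDL syntax, the
two-letter rights codes and the SID aliases are the documented Windows
encodings; the mode and start-type numbers are the template format's.
Every descriptor used below is constructed.
"""
import csv
import re

SID_ALIASES = {"BA": "Administrators", "SY": "SYSTEM", "CO": "CREATOR OWNER", "BU": "Users",
               "AU": "Authenticated Users", "IU": "INTERACTIVE", "PU": "Power Users",
               "BO": "Backup Operators", "NO": "Network Configuration Operators",
               "LS": "LOCAL SERVICE", "NS": "NETWORK SERVICE", "WD": "Everyone"}
RIGHT_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40,
              "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
              "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
              "KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019}  # K*: registry composites
# The object-specific bits 0x1..0x100 mean different things per object type.
SPECIFIC = {"registry": {0x1: "Query Value", 0x2: "Set Value", 0x4: "Create Subkey",
                         0x8: "Enumerate Subkeys", 0x10: "Notify", 0x20: "Create Link"},
            "service": {0x1: "Query Config", 0x2: "Change Config", 0x4: "Query Status",
                        0x8: "Enumerate Dependents", 0x10: "Start", 0x20: "Stop",
                        0x40: "Pause/Continue", 0x80: "Interrogate", 0x100: "User-Defined Control"}}
STANDARD = {0x10000: "Delete", 0x20000: "Read Control", 0x40000: "Write DAC", 0x80000: "Write Owner",
            0x10000000: "Generic All", 0x20000000: "Generic Execute",
            0x40000000: "Generic Write", 0x80000000: "Generic Read"}
FULL = {"registry": 0xF003F, "service": 0xF01FF}
# Rights that let a principal change the object or its DACL, per object type.
WRITE = {"registry": 0x2 | 0x4 | 0x20 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000,
         "service": 0x2 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000}
TEMPLATE_MODES = {0: "Propagate", 1: "Ignore", 2: "Replace"}   # [Registry Keys] second field
SERVICE_START = {2: "Automatic", 3: "Manual", 4: "Disabled"}    # service entry second field
SECTION_RE = re.compile(r"(O|G):((?:S-[\d-]+)|[A-Z]{2})|(D|S):((?:P|AI|AR)*)((?:\([^)]*\))*)")


def rights_to_mask(rights):
    """'CCLCSWLOCRRC' -> access mask; a hex form such as 0x20019 is also accepted."""
    if rights.startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHT_BITS[rights[i:i + 2]]
    return mask


def parse_sddl(sddl):
    """Return {'owner', 'group', 'dacl', 'sacl'}; an ACL is (flags, [(type, ace_flags, mask, sid)])."""
    out, pos = {"owner": None, "group": None, "dacl": None, "sacl": None}, 0
    for m in SECTION_RE.finditer(sddl):
        if m.start() != pos:
            break
        pos = m.end()
        if m.group(1):
            out["owner" if m.group(1) == "O" else "group"] = m.group(2)
            continue
        aces = []
        for body in re.findall(r"\(([^)]*)\)", m.group(5)):
            ace_type, ace_flags, rights, _obj, _inherit, sid = body.split(";")
            aces.append((ace_type, ace_flags, rights_to_mask(rights), sid))
        out["dacl" if m.group(3) == "D" else "sacl"] = (re.findall(r"P|AI|AR", m.group(4)), aces)
    if pos != len(sddl):
        raise ValueError("unparsed SDDL at offset %d: %r" % (pos, sddl[pos:]))
    return out


def scope(ace_flags):
    """Map ACE inheritance flags to the 'Apply onto' wording of the registry DACL editor."""
    flags = {ace_flags[i:i + 2] for i in range(0, len(ace_flags), 2)}
    if "IO" in flags:
        return "Subkeys only"
    return "This key and subkeys" if "CI" in flags else "This key only"


def describe_dacl(sddl, object_type):
    """(principal, Allow/Deny, scope, [rights]) per ACE; an empty DACL yields no rows (no access)."""
    _flags, aces = parse_sddl(sddl)["dacl"] or ([], [])
    rows = []
    for ace_type, ace_flags, mask, sid in aces:
        if mask & 0x10000000 or (mask & FULL[object_type]) == FULL[object_type]:
            names = ["Full Control"]
        elif object_type == "registry" and mask == RIGHT_BITS["KR"]:
            names = ["Read"]
        else:
            names = [n for b, n in SPECIFIC[object_type].items() if mask & b]
            names += [n for b, n in STANDARD.items() if mask & b]
        verb = {"A": "Allow", "D": "Deny"}.get(ace_type, ace_type)
        rows.append((SID_ALIASES.get(sid, sid), verb, scope(ace_flags), names))
    return rows


def weak_principals(sddl, object_type, trusted=("BA", "SY", "CO")):
    """SIDs outside `trusted` that an Allow ACE grants write-type rights on the object."""
    _flags, aces = parse_sddl(sddl)["dacl"] or ([], [])
    return sorted({sid for t, _f, mask, sid in aces
                   if t == "A" and sid not in trusted and mask & WRITE[object_type]})


def parse_template_line(line):
    """'IISADMIN,4,"D:ARS:AR"' or '"MACHINE\\SOFTWARE",2,"D:PAR(...)"' -> (name, number, sddl)."""
    name, number, sddl = next(csv.reader([line]))
    return name, int(number), sddl


if __name__ == "__main__":
    name, start, sddl = parse_template_line('IISADMIN,4,"D:ARS:AR"')
    print(name, SERVICE_START[start], "ACEs:", len(parse_sddl(sddl)["dacl"][1]), "(empty DACL, no access)")
    key, mode, sddl = parse_template_line(
        r'"MACHINE\SOFTWARE",2,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"')
    print(key, TEMPLATE_MODES[mode])
    for row in describe_dacl(sddl, "registry"):
        print("   ", row)
    weak = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    print("service DACL grants write access to:", weak_principals(weak, "service"))
```

Feed it the lines of the [Registry Keys] and service sections of a template to get the same per-principal view the tables in this chapter give; a service or key whose weak_principals result is not empty is one an ordinary user could reconfigure, which for a service means changing the executable it runs as SYSTEM.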
REGISTRY KEY, USER GROUPS AND PERMISSIONS, MODE

CLASSES_ROOT\
  Alias to MACHINE\SOFTWARE\Classes. Contains file associations and COM (Component Object Model) associations.
  Administrators: Full Control
  CREATOR OWNER: Full Control (Subkeys only)
  SYSTEM: Full Control
  Users: Read
  Mode: Replace

\MACHINE\SOFTWARE
  Contains information about the software installed on the local system.
  Administrators: Full Control
  CREATOR OWNER: Full Control (Subkeys only)
  SYSTEM: Full Control
  Users: Read
  Mode: Replace

\MACHINE\SOFTWARE\Microsoft\Cryptography\Calais
  Administrators: Full Control
  CREATOR OWNER: Full Control (Subkeys only)
  LOCAL SERVICE: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Delete, Read permissions
  SYSTEM: Full Control
  Users: Read
  Mode: Propagate

\MACHINE\SOFTWARE\Microsoft\MSDTC
  Administrators: Full Control
  NETWORK SERVICE: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Read permissions
  SYSTEM: Full Control
  Users: Read
  Mode: Replace

\MACHINE\SOFTWARE\Microsoft\MSDTC\Security\XAKey
  Administrators: Full Control
  NETWORK SERVICE: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Read permissions
  SYSTEM: Full Control
  Mode: Replace

\MACHINE\SOFTWARE\Microsoft\NetDDE
  Settings for Network Dynamic Data Exchange, a protocol that allows applications to exchange data.
  Administrators: Full Control
  CREATOR OWNER: Full Control (Subkeys only)
  SYSTEM: Full Control
  Mode: Replace

\MACHINE\SOFTWARE\Microsoft\UPnP Device Host
  Administrators: Full Control
  CREATOR OWNER: Full Control (Subkeys only)
  LOCAL SERVICE: Full Control
  SYSTEM: Full Control
  Users: Read

\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\Commands
  Automated System Recovery (ASR) commands.
  NOTE: If using the Backup Operators group, grant this group the following permissions: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Delete, Read permissions.
  Administrators: Full Control
  CREATOR OWNER: Full Control (Subkeys only)
  SYSTEM: Full Control
  Users: Read
  Mode: Replace

\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
  Parameters for the Performance Library, which collects information for Performance Monitor. Contains a language code subkey for each language configured on the Windows XP system; for example, a subkey named 009 contains counters and descriptions for English (United States).
  Administrators: Full Control
  CREATOR OWNER: Full Control (Subkeys only)
  INTERACTIVE: Read
  NETWORK SERVICE: Read
  SYSTEM: Full Control
  Mode: Replace

\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit
  Stores file locations and registry values available through the Security Configuration Editor.
  Administrators: Full Control
  SYSTEM: Full Control

\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
  Contains data for Group Policy settings that configure the Group Policy components of Windows XP. Contains subkeys representing each of the client-side extensions used to create settings in Group Policy.

\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer
  Contains configuration information for the Windows Installer.

\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
  Stores registry entries managed by Group Policy. Manages entries for the following subkeys: HKLM\SOFTWARE\Policies, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies, HKCU\SOFTWARE\Policies, HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies.

\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings

\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony
  Administrators: Full Control
  CREATOR OWNER: Full Control (Subkeys only)
  LOCAL SERVICE: Full Control
  NETWORK SERVICE: Full Control
  SYSTEM: Full Control
  Users: Read
  Mode: Replace

\MACHINE\SYSTEM
  Stores values for the current control set and for control sets that have previously been used to start Windows XP.
  Groups: Administrators, CREATOR OWNER, SYSTEM, Users

\MACHINE\SYSTEM\clone
  Mode: Ignore

\MACHINE\SYSTEM\controlsetXXX
  (XXX represents the control set number, 001 to 010.) Contains a control set that may be used to start and run Windows XP.
  Groups: Administrators, CREATOR OWNER, SYSTEM, Users

\MACHINE\SYSTEM\CurrentControlSet\Control\Class
  NOTE: This entry is explicitly listed in the template file because it has subkeys with many different permissions. The Propagate property will affect only those subkeys that inherit permissions from this key, leaving those that do not inherit intact.
  Groups: Administrators, CREATOR OWNER, SYSTEM, Users
  Mode: Propagate

\MACHINE\SYSTEM\CurrentControlSet\Control\Network
  NOTE: If using the Network Configuration Operators group, grant this group the following permissions: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Delete, Read permissions.
  Mode: Replace

\MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
  The security permissions set on this key define which users or groups can connect to the system for remote registry access. If the key does not exist, anyone can remotely connect to the registry. It is highly recommended that only administrators have remote access to the registry.
  NOTE: If using the Backup Operators group, grant this group the Read permission (this key only).
  Mode: Replace

\MACHINE\SYSTEM\CurrentControlSet\Control\Wmi\Security
  Security settings for Windows Management Instrumentation (WMI). WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM).

\MACHINE\SYSTEM\CurrentControlSet\Enum
  Contains configuration data for hardware devices installed on the system. Changing permissions on this key may damage the Plug and Play function of Windows XP.
  Mode: Ignore

\MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles
  Contains system hardware profiles (changes to the initial hardware configuration stored in the Software and System keys).

\MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security
\MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security
\MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security
  Administrators: Full Control
  SYSTEM: Full Control
  Mode: Replace

\MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache
  NOTE: If using the Network Configuration Operators group, grant this group the following permissions: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Delete, Read permissions.
  Administrators: Full Control
  LOCAL SERVICE: Full Control
  NETWORK SERVICE: Full Control
  SYSTEM: Full Control
  Users: Read

\MACHINE\SYSTEM\CurrentControlSet\Services\Netbt
  NOTE: If using the Network Configuration Operators group, grant this group the following permissions: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Delete, Read permissions.
  Administrators: Full Control
  LOCAL SERVICE: Full Control
  NETWORK SERVICE: Full Control
  SYSTEM: Full Control
  Users: Read

\MACHINE\SYSTEM\CurrentControlSet\Services\Rpcss\Security
\MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security
\MACHINE\SYSTEM\CurrentControlSet\Services\Scarddrv\Security
\MACHINE\SYSTEM\CurrentControlSet\Services\Scardsvr\Security
  Administrators: Full Control
  SYSTEM: Full Control
  Mode: Replace

\MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
  Only exists if the SNMP service has been started on the system. Defines the hosts that can gather SNMP information.
  Administrators: Full Control
  SYSTEM: Full Control
  Mode: Replace

\MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
  Only exists if the SNMP service has been started on the system. Restricts normal users from gathering SNMP information.
  Administrators: Full Control
  SYSTEM: Full Control
  Mode: Replace

\MACHINE\SYSTEM\CurrentControlSet\Services\Stisvc\Security
  Administrators: Full Control
  SYSTEM: Full Control
  Mode: Replace

\MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries
  Administrators: Full Control
  CREATOR OWNER: Full Control (Subkeys only)
  NETWORK SERVICE: Full Control
  SYSTEM: Full Control
  Users: Read
  Mode: Replace

\MACHINE\SYSTEM\CurrentControlSet\Services\W32time\Security
\MACHINE\SYSTEM\CurrentControlSet\Services\Wmi\Security
  Administrators: Full Control
  SYSTEM: Full Control
  Mode: Replace

USERS\.DEFAULT
  Profile that is used to generate new profiles when users first log on. It is also used while the Windows XP CTRL+ALT+DEL logon message is displayed.
  Administrators: Full Control
  CREATOR OWNER: Full Control (Subkeys only)
  SYSTEM: Full Control
  Users: Read
  Mode: Replace

USERS\.DEFAULT\Software\Microsoft\NetDDE
  Settings for Network Dynamic Data Exchange, a protocol that allows applications to exchange data.
  Administrators: Full Control
  CREATOR OWNER: Full Control (Subkeys only)
  SYSTEM: Full Control
  Mode: Replace

USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
  Mode: Replace
Chapter 10 Modifying File System Security Settings with Security Templates
The NT File System (NTFS) provides a way to safeguard valuable information. NTFS works in concert with the Windows user account system to grant authenticated users access to files. To implement the highest level of security, always format Windows XP partitions with NTFS. The protection NTFS provides is enforced by the running Windows XP operating system: as long as Windows XP is operating, NTFS permissions (the access control lists on files and folders) prevent unauthorized users from accessing files either locally or over the network. They do not protect a disk that is read offline, for example by booting another operating system, so physical access to the machine must also be controlled. NTFS allows varying levels of file access permission to be granted to users or groups of users. Combined with file access permissions is the concept of inheritance: by default, newly created files and folders inherit the parent folder's permissions. Refer to the previous chapter on the registry for more information on Windows XP inheritance.
Converting to NTFS
A non-NTFS volume can be converted at any time using the Convert.exe program (%SystemRoot%\system32\convert.exe). The convert command must be executed from a command prompt using an administrative account. New in Windows XP, convert.exe automatically applies default NTFS permissions to the converted volume. Previously, in Windows NT 3.x, 4.0 and Windows 2000, converting a volume to NTFS granted the Everyone group Full Control over the entire volume, which then had to be corrected by hand. The steps needed to convert a drive to NTFS are as follows:
Select Start, Run, and enter cmd.exe to open a command prompt
At the command prompt, type: convert volume /FS:NTFS [/V]
NOTE: Substitute the drive letter of the partition to be converted for volume (i.e. C:).
NOTE: The /v switch is optional and runs the program in verbose mode.
NOTE: If the volume is in use (in particular the system volume), convert cannot lock it and will offer to schedule the conversion for the next restart.
Special Permissions and their descriptions:
Traverse Folder/Execute File: Traverse Folder allows users to move through a folder to access other files or folders, regardless of permissions the user may or may not have on that folder (folders only). This permission only has meaning when the user has not been granted the Bypass Traverse Checking user right, which Windows XP grants to Everyone by default. Execute File allows a user to run program files (files only).
List Folder/Read Data: List Folder allows the reading of file names and subfolders within a folder (folders only). Read Data allows file data to be read (files only).
Read Attributes: Allows viewing of a file's NTFS attributes (e.g., Read only or Hidden).
Read Extended Attributes: Allows viewing of a file's extended attributes. Extended attributes may vary as they are defined by specific programs.
Create Files/Write Data: Create Files allows the creation of files within a folder (folders only). Write Data allows modification and/or overwriting of files (files only).
Create Folders/Append Data: Create Folders allows the creation of folders within a folder (folders only). Append Data allows making changes to the end of a file (files only).
Write Attributes: Allows the modification of a file's NTFS attributes (e.g., Read only or Hidden).
Write Extended Attributes: Allows the modification of a file's program-specific extended attributes.
Delete Subfolders and Files: Allows the deletion of subfolders and files regardless of whether the Delete permission was granted on the subfolder or file.
Delete: Allows deletion of a file or folder.
Read Permissions: Allows viewing of the permissions on a file or folder.
Change Permissions: Allows the modification of the permissions on a file or folder.
Take Ownership: Allows taking ownership of a file or folder.
Folder Permissions: each basic permission is the following set of special permissions.
Full Control: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders and Files, Delete, Read Permissions, Change Permissions, Take Ownership (all thirteen).
Modify: all of the above except Delete Subfolders and Files, Change Permissions and Take Ownership.
Read & Execute: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions.
List Folder Contents: the same five special permissions as Read & Execute, but inherited by subfolders only, not by files.
Read: List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions.
Write: Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Read Permissions.
File Permissions: the same mapping applies to files, except that List Folder Contents does not exist for files and Delete Subfolders and Files has no meaning on a file.
Full Control: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete, Read Permissions, Change Permissions, Take Ownership.
Modify: all of the above except Change Permissions and Take Ownership.
Read & Execute: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions.
Read: List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions.
Write: Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Read Permissions.
Effective Permissions
With both allow and deny permissions for multiple groups, determining what file permissions apply to a particular user or group may be confusing. Windows XP provides an easy way to view which permissions are effectively granted to a particular user or group for a given object. To view these effective permissions, perform the following:
In Windows Explorer, right-click on the file or folder
Select Properties from the pull-down menu
Click the Security tab
Click Advanced
Click the Effective Permissions tab
In the Group or user name section, click the Select button
Under Enter the object name to select, enter the user or group name
Click OK
Those permissions applying to the specified user or group will be checked.
NOTE: The Effective Permissions tab evaluates NTFS permissions only, using the group memberships the local computer can resolve. It does not take share permissions into account, nor groups that depend on how the user logged on (such as Interactive or Network), so what a user sees when connecting over the network may differ from what the tab shows.
The necessary changes can be made in one of two ways. The first method is to use the Security Configuration Manager to apply the recommended file and folder permissions. The alternative and more time-consuming method is to change permissions on each file and folder manually. To view the file system settings of a security template, select the following in the MMC: Security Templates, then the default template directory (%SystemRoot%\Security\Templates), then the specific configuration file, then File System.
Figure 8 File permissions configuration options
Click Edit Security
Click Advanced
If permissions from the parent folder are NOT to be inherited, ensure that the "Inherit from parent the permission entries that apply to child objects" checkbox is unchecked
Modify users and groups to reflect the recommended permissions by clicking the Add or Remove buttons
Click the user or group to be edited, then click Edit. A Permission Entry dialog box will appear as shown in Figure 9
In the Apply onto pull-down menu, select the correct configuration (e.g., This folder, subfolders, and files)
Click OK four times to exit
To exclude an object: In the right frame of File System, double-click on the file or folder to be changed Click the Do not allow permissions on this file or folder to be replaced radio button Click OK
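To show how the Replace/Propagate/Ignore option above and the Effective Permissions calculation described earlier fit together, here is an added Python script, written for this page and not part of the NSA guide or of any Microsoft tool. It decodes [File Security] lines in the layout secedit uses for template entries (a quoted path, an inheritance digit where 0 = Propagate, 1 = Ignore and 2 = Replace, and an SDDL DACL) and computes what a user holding a given set of groups ends up with. The ACCESS_MASK bit values and the FA/FR/FW/FX generic rights are the documented Windows ones; the three lines in SAMPLE_INF are constructed for this example rather than copied from a real template. [Registry Keys] entries use the same line layout with KA/KR rights and are not handled here.

```python
"""Decode security-template [File Security] entries and compute effective access.
Added example, not code from the NSA guide. Masks are the Windows ACCESS_MASK
bit values (icacls shows them in hex); the template text below is constructed."""
import re

# Second field of a [File Security] / [Registry Keys] line: the inheritance
# option the Security Templates GUI presents as Propagate / Ignore / Replace.
MODES = {"0": "Propagate", "1": "Ignore", "2": "Replace"}
# SDDL aliases for the well-known SIDs used in the permission tables.
SID_ALIASES = {"BA": "Administrators", "SY": "SYSTEM", "BU": "Users",
               "CO": "CREATOR OWNER", "AU": "Authenticated Users",
               "LS": "LOCAL SERVICE", "NS": "NETWORK SERVICE", "WD": "Everyone"}
# The 13 special permissions and their ACCESS_MASK bits, in table order.
SPECIAL = [("Traverse Folder/Execute File", 0x20), ("List Folder/Read Data", 0x1),
           ("Read Attributes", 0x80), ("Read Extended Attributes", 0x8),
           ("Create Files/Write Data", 0x2), ("Create Folders/Append Data", 0x4),
           ("Write Attributes", 0x100), ("Write Extended Attributes", 0x10),
           ("Delete Subfolders and Files", 0x40), ("Delete", 0x10000),
           ("Read Permissions", 0x20000), ("Change Permissions", 0x40000),
           ("Take Ownership", 0x80000)]
SYNCHRONIZE = 0x100000  # carried by every basic permission, hidden by the GUI
# Basic permissions as unions of special permissions (the folder table above).
BASIC = {"Full Control": 0x1F01FF, "Modify": 0x1301BF,
         "Read & Execute": 0x1200A9, "Read": 0x120089, "Write": 0x120116}
# SDDL generic file rights; templates write FA/FR/FW/FX or a hex mask.
SDDL_RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
ACE_RE = re.compile(r"\((A|D);([A-Z]*);(0x[0-9A-Fa-f]+|[A-Z]+);;;([A-Za-z0-9-]+)\)")
ENTRY_RE = re.compile(r'^"([^"]+)",([0-2]),"(D:[^"]*)"$')

def parse_rights(token):
    """'FA', 'FRFX' (concatenated) or '0x1200a9' -> ACCESS_MASK integer."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= SDDL_RIGHTS[token[i:i + 2]]
    return mask

def parse_entry(line):
    """One template line -> path, inheritance mode and the decoded DACL."""
    match = ENTRY_RE.match(line.strip())
    if not match:
        raise ValueError("not a [File Security] entry: %r" % line)
    path, mode, sddl = match.groups()
    aces = [{"type": "Deny" if t == "D" else "Allow",
             "trustee": SID_ALIASES.get(sid, sid),
             "mask": parse_rights(rights),
             "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)]}
            for t, flags, rights, sid in ACE_RE.findall(sddl)]
    return {"path": path, "mode": MODES[mode],
            "protected": sddl.startswith("D:P"), "aces": aces}

def effective_mask(aces, principals):
    """MAXIMUM_ALLOWED-style walk of the DACL: ACEs are taken in order, so a deny
    only removes rights not yet granted by an earlier allow. Windows writes
    explicit denies first (canonical order), which is why deny normally wins."""
    granted = denied = 0
    for ace in aces:
        if ace["trustee"] not in principals:
            continue
        if ace["type"] == "Deny":
            denied |= ace["mask"] & ~granted
        else:
            granted |= ace["mask"] & ~denied
    return granted

def describe(mask):
    """Mask -> the basic permissions the GUI would tick, then leftover specials."""
    contained = [b for b, bm in BASIC.items() if mask & bm == bm]
    names = [b for b in contained if not any(
        o != b and BASIC[b] & BASIC[o] == BASIC[b] for o in contained)]
    covered = 0
    for b in names:
        covered |= BASIC[b]
    return names + [s for s, bit in SPECIAL if mask & bit & ~covered]

def report(inf_text, principals, section="[File Security]"):
    """{path: (inheritance mode, permission names for a user holding principals)}"""
    out, active = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            active = (line == section)
        elif active and line:
            e = parse_entry(line)
            out[e["path"]] = (e["mode"], describe(effective_mask(e["aces"], principals)))
    return out

# Constructed template text in the shape of Table 14 rows (not a real template).
SAMPLE_INF = r'''
[File Security]
"%SystemRoot%\Debug",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FRFX;;;BU)"
"%SystemRoot%\Temp",2,"D:PAR(D;OICI;0x10000;;;BU)(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1301BF;;;BU)"
"%SystemRoot%\Tasks",1,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
'''

if __name__ == "__main__":
    for who in ({"Users"}, {"Administrators", "Users"}):
        for path, (mode, perms) in report(SAMPLE_INF, who).items():
            print(sorted(who), path, mode, ", ".join(perms) or "(none)")
```

Run it directly to see the three constructed rows evaluated for a member of Users and for an administrator who is also a member of Users. The deny ACE on %SystemRoot%\Temp shows why a deny aimed at Users also strips Delete from administrators, since they are members of Users too, and why the "Replace" mode matters: only with mode 2 are existing ACLs on subfolders and files overwritten, while mode 1 (Ignore) lines are decoded here but would not be enforced by secedit at all.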
Folders and files in Table 14 are alphabetized as they appear in the security templates GUI.
FOLDER OR FILE | DESCRIPTION | USER GROUPS: PERMISSIONS | INHERITANCE
%AllUsersProfile% | Folder containing desktop and profile attributes for all users, usually C:\Documents and Settings\All Users. | Administrators: Full Control; CREATOR OWNER: Full Control (Subfolders and files only); SYSTEM: Full Control; Users: Read, Execute; Users: Write (This folder and subfolders) | Propagate
NOTE: If Windows XP has been reinstalled over another copy of the operating system, additional All Users profile folders will be created in the Documents and Settings folder. Typically, the new profile is called All Users.WINDOWS or All Users.COMPUTERNAME. Prior copies of the All Users folder, although still existing, will not be used. The %AllUsersProfile% environment variable will automatically point to the profile currently in use. To determine which profile is actually being used, see the HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\AllUsersProfile registry key value.
%AllUsersProfile%\Application Data\Microsoft | Contains Microsoft application state data. | Administrators: Full Control; SYSTEM: Full Control; Users: Read, Execute | Replace
%AllUsersProfile%\Application Data\Microsoft\Crypto\DSS\MachineKeys | Machine-wide DSS key containers used by CryptoAPI. | Administrators: Full Control; SYSTEM: Full Control; Users: List folder, Read attributes, Read extended attributes, Create files, Create folders, Write attributes, Write extended attributes, Read permissions (This folder only) | Replace
%AllUsersProfile%\Application Data\Microsoft\Crypto\RSA\MachineKeys | Machine-wide RSA key containers used by CryptoAPI. | Administrators: Full Control; SYSTEM: Full Control; Users: Create files, Create folders, Write attributes, Write extended attributes, Read permissions (This folder only) | Replace
%AllUsersProfile%\Application Data\Microsoft\Dr Watson | Folder containing the Dr. Watson application error log. | Administrators: Full Control; SYSTEM: Full Control; Users: Read, Execute; Users: Write (Subfolders and files only) | Replace
%AllUsersProfile%\Application Data\Microsoft\Dr Watson\drwtsn32.log | Dr. Watson application error log file. | SYSTEM: Full Control; Users: (entry lost in extraction) | Replace
NOTE: This setting only has significance if the drwtsn32.log file has already been created. Alternately, instead of writing the log file to a common location and risking all users on the system having access to it, the drwtsn32.exe application can be run and a new log and crash dump location can be specified.
%AllUsersProfile%\Documents | Shared documents folder.
NOTE: When viewing the %AllUsersProfile% folder in Windows Explorer, the Documents subfolder appears as "Shared Documents".
%AllUsersProfile%\Documents\desktop.ini
%AllUsersProfile%\DRM
%ProgramFiles% | Folder in which applications are installed. By default, this is %SystemDrive%\Program Files.
%SystemDrive% | Drive on which Windows XP is installed. Contains important system startup and configuration files.
%SystemDrive%\autoexec.bat (c:\autoexec.bat) | Required by some legacy DOS applications for path parsing. The actual initialization file for DOS applications is %SystemRoot%\system32\autoexec.nt.
%SystemDrive%\boot.ini (c:\boot.ini) | Boot menu.
%SystemDrive%\config.sys (c:\config.sys) | Required by some legacy DOS applications for path parsing. The actual initialization file for DOS applications is %SystemRoot%\system32\config.nt.
%SystemDrive%\Documents and Settings | Folder containing user and default profiles.
%SystemDrive%\Documents and Settings\Administrator | Folder containing the built-in Administrator profile.
Permission entries extracted for the rows above, with the column alignment lost: user groups "Administrators, CREATOR OWNER" and "Administrators, SYSTEM"; permissions "Full Control, Full Control, Read, Execute, Full Control, Full Control"; inheritance values in order: Replace, Ignore, Replace, Propagate, Replace, Replace, Replace, Propagate, Replace.
%SystemDrive%\Documents and Settings\Default User | Folder containing default desktop and profile attributes for users logging on for the first time. | Administrators; SYSTEM; Users (permission values lost in extraction) | (not extracted)
NOTE: If Windows XP has been reinstalled over another copy of the operating system, additional Default User profile folders will be created in the Documents and Settings folder. Typically, the new profile is called Default User.WINDOWS or Default User.COMPUTERNAME. Prior copies of the Default User folder, although still existing, will not be used. Unlike the All Users profile, Default User does not have an associated environment variable; therefore, the currently used profile should be specified in this template entry if different from Default User. To determine the Default User profile currently being used, see the HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\DefaultUserProfile registry key value.
%SystemDrive%\io.sys | Empty file that serves as a placeholder for DOS applications that use it to determine where the system partition is. | Administrators; SYSTEM; Users (permission values lost in extraction) | Replace
%SystemDrive%\msdos.sys | Empty file that serves as a placeholder for DOS applications that use it to determine where the system partition is. | Administrators; SYSTEM; Users (permission values lost in extraction) | Replace
%SystemDrive%\ntbootdd.sys | Copy of the SCSI device driver. Used when using SCSI or Signature syntax in boot.ini. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemDrive%\ntdetect.com (c:\ntdetect.com) | Hardware detector during Windows XP boot. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemDrive%\ntldr (c:\ntldr) | Windows XP operating system loader. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemDrive%\System Volume Information | Accessible only by SYSTEM. | (left as is) | Ignore
%SystemRoot% | Folder in which the Windows XP operating system is installed. For a new installation of Windows XP, by default this is called WINDOWS. Upgrades to Windows XP will maintain the older system root folder name, usually winnt if they were upgraded from Windows NT 4.0 or 2000 and WINDOWS if they were upgraded from Windows 9x. | Administrators: Full Control; CREATOR OWNER: Full Control (Subfolders and files only); SYSTEM: Full Control; Users: Read, Execute | Propagate
%SystemRoot%\$NtServicePackUninstall$ | Contains older versions of system files necessary to back off a service pack. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\CSC | Contains all offline files requested by any user on the computer. CSC means client side caching. | (see below)
%SystemRoot%\Debug | Contains various log files. | (see below)
Permission entries extracted for the CSC and Debug rows, and for rows on this page whose names were lost, with the column alignment lost: (1) Administrators: Full Control; CREATOR OWNER: Full Control (Subfolders and files only); SYSTEM: Full Control; Users: Read, Execute. (2) Administrators: Full Control; SYSTEM: Full Control; Users: Traverse folder, List folder, Create files (This folder only); Users: Write data, Append data (Files only). (3) Administrators: Full Control; SYSTEM: Full Control; Users: Write data, Append data. (4) Administrators: Full Control; SYSTEM: Full Control; Users: Read, Execute. Inheritance values in order: Ignore, Replace, Replace, Replace, Propagate, Propagate, Replace, Replace.
%SystemRoot%\Offline Web Pages | Folder containing web pages that have been downloaded for off-line viewing. | (left as is) | Ignore
%SystemRoot%\Prefetch | Contains data files related to the speed at which applications start. | Administrators: Full Control (This folder only); Administrators: Read, Execute (Files only); SYSTEM: Full Control (Files only) | Replace
%SystemRoot%\regedit.exe | Registry editing tool. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\Registration | Folder containing Component Load Balancing (CLB) registration files read by COM+ applications. | Administrators: Full Control (This folder and files); SYSTEM: Full Control (This folder and files); Users: Read (This folder and files) | Replace
%SystemRoot%\Registration\CRMLog | | Administrators: Full Control; CREATOR OWNER: Full Control (Subfolders and files only); SYSTEM: Full Control; Users: Traverse folder, List folder, Read attributes, Read extended attributes, Create files, Read permissions (This folder only); Users: Read data, Read attributes, Read extended attributes, Write data, Append data, Write attributes, Write extended attributes, Delete, Read permissions (Files only) | Replace
%SystemRoot%\repair | Backup files of the SAM database and other important registry and system files to be used during a system repair. Updated if NTBACKUP is used when the option to back up system state files is enabled. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\security | Contains security templates and analysis databases. | Administrators: Full Control; CREATOR OWNER: Full Control (Subfolders and files only); SYSTEM: Full Control | Replace
%SystemRoot%\system32 | Contains core operating system files. | Administrators: Full Control; CREATOR OWNER: Full Control (Subfolders and files only); SYSTEM: Full Control; Users: Read, Execute | Replace
%SystemRoot%\system32\arp.exe | Displays and modifies the IP to MAC address translation tables of the address resolution protocol (ARP). | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\at.exe | Schedules programs to run at a specified date and time. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\ciadv.msc | Microsoft common console for Indexing Service. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\Com\comexp.msc | Microsoft common console for Component Services. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\compmgmt.msc | Microsoft common console for Computer Management. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\config | Contains registry hive files and event logs. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\devmgmt.msc | Microsoft common console for Device Management. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\dfrg.msc | Microsoft common console for Disk Defragmenter. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\diskmgmt.msc | Microsoft common console for Disk Management. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\dllcache | Contains copies of protected system files. These copies are used by the System File Checker to repair corrupted or modified system files. | Administrators: Full Control; CREATOR OWNER: Full Control (Subfolders and files only); SYSTEM: Full Control | Replace
%SystemRoot%\system32\eventvwr.msc | Microsoft common console for Event Viewer. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\fsmgmt.msc | Microsoft common console for Shared Folders. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\gpedit.msc | Microsoft common console for Group Policy. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\Group Policy | Folder containing local Group Policy Objects. | Administrators: Full Control; Authenticated Users: Read, Execute; SYSTEM: Full Control | Propagate
%SystemRoot%\system32\ias | Contains databases for the Internet Authentication Service. | Administrators: Full Control; CREATOR OWNER: Full Control (Subfolders and files only); SYSTEM: Full Control | Propagate
%SystemRoot%\system32\lusrmgr.msc | Microsoft common console for Local Users and Groups. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\MSDTC | Contains files for MS Distributed Transaction Coordinator, which is required for Microsoft Transaction Server. | Administrators: Full Control; NETWORK SERVICE: Read, Write, Execute; SYSTEM: Full Control | Replace
%SystemRoot%\system32\nbtstat.exe | Displays protocol statistics and current TCP/IP connections using NetBIOS over TCP/IP. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\netsh.exe | Command-line network configuration tool. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\netstat.exe | Displays protocol statistics and current TCP/IP connections. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\nslookup.exe | Displays DNS information. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\Ntbackup.exe | File system backup program. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\NTMSData | Default location for the Removable Storage database. | (group entries not extracted) | Propagate
%SystemRoot%\system32\ntmsmgr.msc | Microsoft common console for Removable Storage. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\ntmsoprq.msc | Microsoft common console for Removable Storage Operator Requests. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\perfmon.msc | Microsoft common console for Performance Monitor. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\rcp.exe | Remote copy program (a Berkeley r-command). Copies files to and from a remote host running rshd, authenticating by host and user name only and sending data in the clear. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\reg.exe | Command-line tool for editing and querying the registry. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\regedt32.exe | Stub that starts regedit.exe. In previous versions of Windows NT (including Windows 2000) this was a separate registry editing tool. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\regini.exe | Command-line tool that modifies registry keys, values and permissions from a script file. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\rexec.exe | Runs a command on a remote host through the rexec service; the password is sent in the clear. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\route.exe | Program used to manipulate network routing tables. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\rsh.exe | Runs a command on a remote host through the rsh service, which trusts the calling host and user name without a password. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\RSoP.msc | Microsoft common console for Resultant Set of Policy. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\secedit.exe | Security configuration and analysis tool. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\secpol.msc | Microsoft common console for Local Security Policy. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\services.msc | Microsoft common console for Services. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\Setup | Contains optional component manager files. | Administrators: Full Control; SYSTEM: Full Control; Users: Read, Execute | Propagate
%SystemRoot%\system32\spool\Printers | Printer spool. | Administrators: Full Control; CREATOR OWNER: Full Control (Subfolders and files only); SYSTEM: Full Control; Users: Traverse folder, Read attributes, Read extended attributes, Create files, Create folders (This folder and subfolders) | Replace
%SystemRoot%\system32\tftp.exe | Uses the Trivial File Transfer Protocol to transfer files to and from a remote computer without authentication. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\system32\wmimgmt.msc | Microsoft common console for Windows Management Instrumentation. | Administrators: Full Control; SYSTEM: Full Control | Replace
%SystemRoot%\Tasks | Folder containing jobs scheduled by Task Scheduler. | (left as is) | Ignore
%SystemRoot%\Temp | Folder containing temporary files. | Administrators: Full Control; CREATOR OWNER: Full Control (Subfolders and files only); SYSTEM: Full Control; Users: Traverse folder, Create files, Create folders (This folder and subfolders) | Replace
Chapter 11 Security Configuration and Analysis
Once the appropriate security templates have been modified, security analysis and configuration can be performed via the Security Configuration and Analysis snap-in or command line operations. This procedure should be conducted when applying a security configuration to a local system. For instructions on importing security templates into Group Policy, see Chapter 12.
WARNING: Applying a secure configuration to a Windows XP system may result in a loss of performance and functionality.
Loading the Security Configuration and Analysis Snap-in into the MMC
To load the Security Configuration and Analysis snap-in into the MMC:
Run the Microsoft Management Console (mmc.exe)
Select Console, then Add/Remove Snap-in
Click Add
Select Security Configuration and Analysis
Click Add
Click Close
Click OK
To avoid having to reload the snap-in every time the MMC is exited and reopened, save the current console settings by performing the following:
In the Console menu, select Save. By default, the file will be saved in the Administrative Tools menu of the currently logged-on user.
Enter the file name under which the current console settings will be saved.
From then on, the console can be accessed from Start, All Programs, Administrative Tools.
NOTE: More than one snap-in can be loaded into the MMC at one time. For example, the Security Templates and Security Configuration and Analysis templates can both be loaded into a console that is saved for future use.
Select Open Database
Enter the name of an existing database or a new database
Click Open
NOTE: It is recommended that a new database be created for each analysis and configuration coupling.
Configuration files may be imported into the database by executing the following procedure. If a new database name was entered when opening a database, the user is automatically prompted to select the configuration file to import. Otherwise:
Right-click on the Security Configuration and Analysis node in the left pane of the MMC
Select Import Template
In the Import Template dialog box, select the appropriate inf configuration file
Check the Clear this database before importing box to remove any previous settings stored in the database, as illustrated in Figure 10
NOTE: Import operations can append to or overwrite database information that has been previously imported. Appending is the default. If the user does not want to combine templates in a configuration, check the Clear this database before importing checkbox to overwrite the current database. WARNING: To avoid confusion and accidental combining of configurations, it is recommended that this option be checked every time a new analysis or configuration is performed.
Click Open
Secedit Command Line Options
Secedit.exe, introduced in Chapter 2, is useful for performing security analyses and configurations from the command line and from batch or scheduled jobs. The command line syntax for secedit when used for system analysis or configuration is:
secedit {/analyze | /configure} [/cfg filename] [/db filename] [/log LogPath] [/verbose] [/quiet] [/overwrite] [/areas Areas]
Table 15 explains the parameters.
Parameter | Description
/analyze | Performs an analysis.
/configure | Performs a configuration.
/cfg filename | Path to a template (inf) file whose settings are appended to the database prior to performing the analysis or configuration. Only valid together with /db.
/db filename | Path to the database that secedit will analyze or configure against. If this parameter is not specified, the last configuration/analysis database is used. If there is no previous database, %SystemRoot%\Security\Database\secedit.sdb is used.
NOTE: It is recommended that a new database be created for each analysis and configuration coupling.
/log LogPath | Path to the log file for the process. If not provided, progress information is output to the console.
NOTE: Log information is appended to the specified log file. A new file name must be specified if a new log file is to be created.
/verbose | Specify detailed progress information.
/quiet | Suppress screen and log output.
/overwrite | Overwrite the named database with the given configuration information instead of appending to it.
NOTE: Configuration files can be appended to or overwrite database information that has been previously created. Appending is the default. Specify the /overwrite option to overwrite the current database. WARNING: To avoid confusion and accidental combining of configurations, it is recommended that this option be included every time a new analysis or configuration is performed.
Parameter | Description
/areas Areas | Only relevant when using the /configure switch. Specifies the security areas to be processed. The following areas are available:
SECURITYPOLICY - Local policy and domain policy for the system, including account policies, audit policies, etc.
GROUP_MGMT - Restricted Group settings
USER_RIGHTS - User rights assignments
DSOBJECTS - Security on directory objects
REGKEYS - Security permissions on local registry keys
FILESTORE - Security permissions on the local file system
SERVICES - Security configuration for all defined services
NOTE: If the /areas switch is not used, the default is all security areas. If used, each area name should be separated by a space.
Right-click on the Database node
Select Analyze Computer Now
In the Perform Analysis dialog box, enter the error log file path
NOTE: Log information is appended to the specified log file. A new file name must be specified if a new log file is to be created.
Click OK
Configuring a System
During configuration, errors may result if specific files or registry keys do not exist on the system, but exist in the inf configuration file. Do not be alarmed. The inf files attempt to cover many different scenarios and configurations that your system may or may not match.
secedit /configure [/cfg filename] [/db filename] [/log LogPath] [/verbose] [/quiet] [/overwrite] [/areas Areas]
WARNING: Failure to enter a new database name each time a configuration is made or specify the /overwrite option may result in unpredictable behavior by secedit. For example, imported configuration files could get merged with other files and report unexpected analyses.
Following is an example of using the command line tool to configure only specific security areas:
secedit /configure /cfg WinXP_workstation.inf /db newdb.sdb /log logfile.txt /overwrite /areas REGKEYS FILESTORE
This example imports the registry and file system permission settings from WinXP_workstation.inf into a fresh database and configures the local system with them, leaving the other areas (account policy, user rights, services, and so on) untouched.
Click OK
NOTE: When a system is configured via the GUI, all settings in the template are applied. There is no option, as with secedit.exe, to specify that only parts of the template, e.g. file permissions or account policies, are to be applied.
Chapter 12 Applying Windows XP Group Policy in a Windows 2000 Domain
Group Policy is an Active Directory-based mechanism for controlling user and computer desktop environments in Windows 2000/XP domains. Settings for such items as security, software installation, and scripts can be specified through Group Policy. Group Policy is applied to groups of users and computers based on their location in Active Directory. Group Policy settings are stored in Group Policy objects (GPOs) on domain controllers. GPOs are linked to containers (sites, domains, and Organizational Units OUs) within the Active Directory structure. Because Group Policy is so closely integrated with Active Directory, it is important to have a basic understanding of Active Directory structure and security implications prior to implementing Group Policy. See the Guide to Securing Microsoft Windows 2000 Active Directory for more information. Group Policy is an essential tool for securing Windows XP. It can be used to apply and maintain a consistent security policy across a network from a central location.
Overview
Windows XP Group Policy introduces many new options previously not included in Windows 2000. However, Windows 2000 domain controllers are still able to push group policy to Windows XP clients via Active Directory. In order to take advantage of all the new Windows XP settings and features, the GPO must be edited on a Windows XP machine. An administrator can, however, perform subsequent GPO management (e.g. linking the GPO to domains or OUs) from the Windows 2000 domain controller. If a GPO is applied to a container containing both Windows XP and Windows 2000 systems, the Windows 2000 systems will ignore the Windows XP-specific settings, only configuring those options the Windows 2000 clients understand. Windows XP machines will correctly apply all settings. Review the Guide to Securing Microsoft Windows 2000 Group Policy prior to applying any GPOs on a Windows 2000 domain. Also, see the Microsoft article on Upgrading Windows 2000 Group Policy for Windows XP at http://support.microsoft.com/support/kb/articles/Q307/9/00.asp.
The Security Settings extension is located under Computer Configuration\Windows Settings\Security Settings within a GPO and can be accessed via the Group Policy MMC snap-in. Security Settings are computer, not user, specific and include all areas present in the security templates (e.g. Account Policies, Local Policy, etc.), with the addition of Public Key Policies and IP Security Policies on Active Directory.
Right-click Security Settings Select Import Policy from the pull-down menu
The Import Policy From window will initially display all template files in the %SystemRoot%\security\templates folder. Select a template from this folder or browse to find the appropriate template Click Open The settings in the selected template file will now be imported into the Security Settings node. You may view and modify these settings by navigating down through the Security Settings tree
WARNING: In order for a new GPO to apply correctly, you must register a modification to it. Simply importing a template into a new GPO isn't seen as a change, even though closing the GPO in the Group Policy snap-in and opening it again later will show that the imported security settings have been retained. The GPO will be considered empty and not applied when group policies are refreshed. To register a change, edit anything in the GPO after importing the security template, for example by changing a setting and then changing it back again.
Local Group Policy Object
Every computer has a Local Group Policy, regardless of whether it is part of a domain. Local Group Policy is the first policy applied. Although any subsequent policies may override settings in the local policy, any settings specified in Local Group Policy but not specified in other policies will remain. Therefore, it is important to configure a solid local policy in addition to Active Directory Group Policy. The Local Group Policy Object (LGPO) is saved in %SystemRoot%\System32\Group Policy. It can be accessed and viewed by choosing the Local Computer object in the Group Policy snap-in or by selecting the Local Security Policy option under the Administrative Tools menu. The LGPO does not offer the full set of settings available with Active Directory Group Policy. For example, under the Security Settings node, only Account Policies and Local Policies are available. Thus, while a security template can be imported into the local policy, only the settings available to local policy will actually be imported. Additional settings, such as registry and file permissions, can be applied locally via Security Configuration and Analysis.
RSoP Snap-in
RSoP.msc is an MMC snap-in that displays the aggregate settings of all policies applied to the local computer. To open the snap-in, type RSoP.msc from the command line or add the Resultant Set of Policy snap-in while in the MMC. Figure 13 shows the RSoP snap-in. For each group policy setting, RSoP shows the Computer Setting (how the computer is currently configured) and the Source GPO (which GPO ultimately set that current configuration). For more information on RSoP, see http://www.microsoft.com/technet/prodtechnet/winxppro/proddocs/RSPintro.asp.
Gpresult.exe
Gpresult.exe is a command-line tool that gives statistics on when Group Policy was last applied to the computer, what GPOs were applied and in what order, and any GPOs that were not applied because of filtering. Gpresult can also collect information about a remote system. To view all the command-line options for gpresult, at the command line type: gpresult /?
Known Issues
This section addresses several known issues involving the interoperability of Windows XP Professional within a Windows 2000 domain.
2000 setting opens up the domain controller to numerous information-gathering tactics that could be used by an attacker. Even if the registry key is set to 1, there are several tools that can circumvent this setting and still enumerate user account information. The security risks in this case must be carefully weighed against any potential benefit of forcing users to change their passwords on next logon from Windows XP clients.
Chapter 13
Remote Assistance/Desktop Configuration
Like all remote-control technology, Remote Assistance and Remote Desktop have security implications that must be considered prior to using them. For the highest level of security, it is not recommended that remote-control technology be used on operational networks. However, it is understood that this technology can provide operational benefits to customers. This section addresses security recommendations that can be implemented to improve the security of the remote desktop and/or remote assistance capabilities if it is desired to use this technology.
Remote Assistance
Remote Assistance (RA) is a capability that allows a user, referred to as the novice, to request assistance from another person, referred to as the expert. Using this technology the expert may view the novice's computer screen and send messages or, if the novice's computer settings allow it, take control of the novice's system and interact directly with the desktop. The novice is prompted to allow or deny the initial connection in view-only mode, and prompted again if the expert attempts to take control of the system. To use RA, both the novice and the expert must be running Windows XP. RA can be initiated via a user request, known as Solicited Remote Assistance, or by the expert offering assistance to the novice, known as Remote Assistance Offers. The HelpAssistant account is used for RA actions. The account is created as part of the default installation, randomly assigned a complex password, and then disabled. When an RA invitation is opened a novice ticket is created on the user's local machine, port 3389 is opened to allow access to terminal services, and the HelpAssistant account is enabled. The expert then connects to the novice's machine using the credentials of the HelpAssistant account. Once all tickets are either closed or expire, the HelpAssistant account is again disabled and port 3389 is closed.
NOTE: Terminal Services is also used for the Remote Desktop Connection capability so port 3389 may remain open if Remote Desktop is enabled on that machine.
ensure that the person is who they say they are is through the use of a password. The novice is prompted to provide a password for the session when they generate the invitation, although it is not required by the system. The password is not contained within the invitation and must be provided to the expert via another means. However, password complexity, password policy, and account lockout policy rules are not applied to Solicited RA passwords. Invitations sent through MSN Messenger are sent as clear text XML formatted messages. Invitations sent through e-mail or saved as a file are MsRcIncident files, which are also clear text XML formatted messages. It is therefore possible to read these messages to obtain data on who is requesting assistance, the machine's IP address, the port in use by Terminal Services, and whether the novice implemented a password. For these reasons, it is not recommended to use Solicited RA requests on any network where security is of concern.
User Rights
Allow logon through Terminal Services: Determines which users or groups have the right to log on as a Terminal Services client. This right is needed for Remote Desktop users. If Remote Assistance is being used, only administrators using this new feature should have this right.
Note: It is not necessary to add any users or groups to this setting to allow RA offers.
Recommended Setting: <No one>
Deny logon through Terminal Services: Determines which users and groups are prohibited from logging on as a Terminal Services client. This right is used for Remote Desktop users.
Recommended Setting: <No one>
Additionally, to permit the use of Remote Assistance Offers, the following group policy settings must also be set:
Open a GPO in the Group Policy snap-in via the MMC or access a linked GPO through the Group Policy tab of a container's Properties dialog. If accessing through the Group Policy tab, highlight the desired GPO and click the Edit button to access the Group Policy snap-in.
Navigate down to the Computer Configuration\Administrative Templates\System\Remote Assistance node.
Double-click on the Solicited Remote Assistance setting in the right pane. Click the Enabled radio button to allow users to request remote assistance. Select the Allow helpers to only view the computer option from the pull-down menu. Set the Maximum ticket time (value) to 0 and the Maximum ticket time (units) to minutes. Apply the setting and close this dialog box.
NOTE: It is necessary to enable Solicited Remote Assistance in order for Remote Assistance Offers to function. However, setting the maximum ticket time to 0 will prevent users from using the Solicited Remote Assistance capability.
Double-click on the Offer Remote Assistance setting in the right pane. Click the Enabled radio button if you plan to allow experts to offer remote assistance to this machine. Select the Allow helpers to only view the computer option from the pull-down menu.
WARNING: It is recommended that you never allow users the ability to give another person remote control of their computer. Although the user can watch the helper's actions and take back control at any time, it takes only a second to compromise a machine or make it inoperable.
Click the Helpers: Show button and provide a list of users who can provide assistance to this machine, such as administrators or help desk personnel. It is recommended that this capability be limited to only those users who absolutely require it. Users should be listed using the format <Domain Name>\<User Name> or <Domain Name>\<Group Name>.
Terminal Services client installed on their computer. The RDWC is installed by default when IIS is installed on XP Professional systems. When RD is enabled, port 3389 is opened to allow access to terminal services. All administrators (local and domain) and groups/users listed as members of the Remote Desktop Users group can access the machine remotely. When the connection is established, the client computer is locked using the credentials that were used to establish the connection. If a user is currently logged on to the system when another user attempts to connect, the remote user is given the option to disconnect the local user from their session and log them out, but only AFTER the remote user has already successfully authenticated, and only if s/he is an Administrator. RD uses the standard Windows authentication mechanisms therefore password policy and account lockout policy apply to the RD capability. All accounts used for RD connections must have passwords set.
NOTE: It is possible to lock out the default administrator account through remote desktop connections and prevent it from logging in remotely. However, the account can still be used to log in locally.
In order to use the Remote Desktop capability, the following changes must be made to the User Rights section of the provided security template file.
User Rights
Allow logon through Terminal Services: Determines which users or groups have the right to log on as a Terminal Services client. This right is needed for Remote Desktop users. If Remote Assistance is being used, only administrators using this new feature should have this right.
Recommended Setting: Administrators, Remote Desktop Users
Deny logon through Terminal Services: Determines which users and groups are prohibited from logging on as a Terminal Services client. This right is used for Remote Desktop users.
Recommended Setting: <No one>
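As an added example (not code from the NSA guide), the following Python script audits the [Privilege Rights] section of a security template (.inf) against the two Terminal Services logon right recommendations above, so a template can be checked before it is imported. It assumes the XP template conventions (rights listed as comma-separated principals, SIDs written with a leading '*', and SeRemoteInteractiveLogonRight / SeDenyRemoteInteractiveLogonRight as the Allow/Deny logon through Terminal Services rights); the template fragment embedded in it is constructed.

```python
"""Audit the [Privilege Rights] section of a security template (.inf)
against the Terminal Services logon rights recommended in this chapter.
Added example, not part of the NSA guide; the template fragment below is
constructed. Assumed template conventions: a right is a comma-separated
list of principals, SIDs carry a leading '*', and
SeRemoteInteractiveLogonRight / SeDenyRemoteInteractiveLogonRight are the
'Allow' / 'Deny logon through Terminal Services' rights."""
import re

# Well-known SIDs as they appear in templates (assumed mapping).
ADMINISTRATORS = "*S-1-5-32-544"
REMOTE_DESKTOP_USERS = "*S-1-5-32-555"
EVERYONE = "*S-1-1-0"

ALLOW_TS = "SeRemoteInteractiveLogonRight"
DENY_TS = "SeDenyRemoteInteractiveLogonRight"

# The two recommended configurations from the chapter:
# "no_remote": neither RA nor RD in use, nobody may log on via Terminal Services.
# "remote_desktop": RD in use, limited to Administrators and Remote Desktop Users.
RECOMMENDED = {
    "no_remote": {ALLOW_TS: set(), DENY_TS: set()},
    "remote_desktop": {ALLOW_TS: {ADMINISTRATORS, REMOTE_DESKTOP_USERS},
                       DENY_TS: set()},
}


def parse_template(text):
    """Return {section: {key: value}} for an .inf-style security template.
    Blank lines and ';' comments are skipped; a line splits at its first '='."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def principals(value):
    """Split a right's comma-separated principal list into a set (empty = no one)."""
    return {p.strip() for p in value.split(",") if p.strip()}


def audit_ts_rights(text, profile):
    """Compare the template's TS logon rights with the recommended profile.
    Returns a list of (right, actual_principals, expected_principals) for
    every right that differs; an empty list means the template complies."""
    rights = parse_template(text).get("Privilege Rights", {})
    findings = []
    for right, expected in RECOMMENDED[profile].items():
        actual = principals(rights.get(right, ""))
        if actual != expected:
            findings.append((right, sorted(actual), sorted(expected)))
    return findings


# Constructed template fragment: Everyone has been granted TS logon,
# which is broader than the chapter allows.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,*S-1-1-0
SeDenyRemoteInteractiveLogonRight =
"""

if __name__ == "__main__":
    for right, actual, expected in audit_ts_rights(SAMPLE_TEMPLATE, "remote_desktop"):
        print(f"{right}: template grants {actual}, recommended {expected}")
```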
To enable a computer to accept Remote Desktop Connections, perform the following steps:
Right-click on My Computer and select Properties to open the System Properties dialog box.
Select the Remote tab from the dialog box.
Check the Allow users to connect remotely to this computer checkbox.
Click the Select Remote Users button to open the Remote Desktop Users dialog box.
Add users or groups based on your local policy.
NOTE: This process will add the selected users and groups to the local Remote Desktop Users group. Users and groups can also be added directly using local Computer Management.
Terminal Services Policy Option
Limit users to one remote session: Limits each user to one remote session. By default, Terminal Server allows an unlimited number of simultaneous active or disconnected sessions for each remote user.
Limit number of connections: This setting limits the number of simultaneous connections allowed to the Terminal Server.
Do not allow new client connections: When this setting is disabled, the Terminal Server will accept new client connections up to the limit set in the Limit number of connections setting. If this setting is enabled, the Remote Desktop feature is effectively disabled, with the exception that users will be able to reconnect to disconnected sessions.
Do not allow local administrator to customize permissions: Disables the administrator's right to customize security permissions in the Terminal Services Configuration tool. Security settings should be configured at the domain level, not by someone with local administrator rights on the system.
Remote control settings: To use the remote desktop remote control capabilities, this setting must be enabled. It is recommended that only View Session with user's permission be selected unless it is absolutely essential that the user exercise full control over another user's session.
Start a program on connection: This setting is used to specify a program that will run automatically when a user logs on to a Terminal Server, overriding Start Program settings by the server administrator or user.
Do not allow clipboard redirection: Prevents the user from cutting and pasting information using the Windows clipboard between the applications running on the client computer itself and the applications running from within the user's Terminal Services session.
Do not allow smart card device redirection: Prevents the mapping of smart card devices in a Terminal Services session. If this setting is enabled, users cannot use a smart card device to log on to a Terminal Services session.
Allow audio redirection: Allows users to play server audio on the local computer, or vice versa, during a Terminal Services session.
Do not allow COM port redirection: Prevents the user from accessing devices that require a serial (COM) port mapping from within the user's Terminal Services session.
Do not allow client printer redirection: Prevents users from routing print jobs from the server to a printer attached to the local computer.
Do not allow LPT port redirection: Prevents the user from accessing devices that require a parallel (LPT) port mapping from within the user's Terminal Services session.
Do not allow drive redirection: Disables the mapping of client drives in the Terminal Services session.
Do not set default client printer to be default printer in a session: When enabled, the default printer that the user has set up on the client computer will not be the default printer from within the Terminal Services session. The default printer is that which is specified at the server.
Recommended Settings
Enabled
Enabled
Disabled
Enabled
Disabled
Disabled
Enabled
Enabled
Enabled
Enabled
Enabled
Terminal Services Policy Option
Always prompt client for password upon connection: Requires users to provide a password to establish a Terminal Services session with the server. Prevents the use of saved credentials to connect to the server.
Recommended Setting: Enabled
Set client connection encryption level: Sets the encryption parameters for all communications between the TS client and server. There are two choices: Client Compatible and High Level. Client Compatible encrypts data at the maximum key strength supported by the client. High Level encrypts data using a strong 128-bit key.
NOTE: A user's computer must be running the 128-bit TS client software in order to establish a session with a server that is using the High Level setting. Clients that do not support this level of encryption cannot connect.
Do not use temp folders per session: Allows the creation of temporary folders for each session the server is supporting. Creating separate folders reduces the risk of data being accessed inappropriately.
Recommended Setting: Disabled
Do not delete temp folder upon exit: The server will delete the temporary folder created to support a user's session when the session is closed. Deleting the folders reduces the risk of data being accessed inappropriately.
Note: The folders are not deleted when a session is disconnected, but only when the session is closed by logging off from that session.
Recommended Setting: Disabled
Set time limit for disconnected sessions: Limits how long a disconnected session can exist before it is closed. When a session is in a disconnected state, the programs/processes that the user had running on the server will continue to run even though the communications with the client have been lost.
Recommended Setting: Enabled = 10 minutes
Set time limit for active sessions: Limits how long a user can maintain an active session with the server. If set to never, no limit is set on how long an active session can exist.
Recommended Setting: Enabled = Never
Set time limit for idle sessions: Limits how long an idle session is kept open and not disconnected. An idle session may indicate that the user has stepped away from their computer, presenting someone else with the opportunity to use their session if their computer is not locked.
Recommended Setting: Enabled = 15 minutes
Allow reconnection from original client only: This setting only applies to Citrix ICA clients and is ignored for Windows clients.
Recommended Setting: Not applicable
Terminate session when time limits are reached: This setting determines if timed-out sessions are disconnected or closed by the server. When enabled, all sessions are closed when time-out limits are reached.
Recommended Setting: Enabled
Network Configuration Recommendations
Remote Assistance and Remote Desktop both use terminal services to provide the remote user access to the local system. Terminal services opens port 3389 on the Windows XP system when these capabilities are utilized. It is highly recommended that remote connections be limited to systems within the local intranet and that port 3389 be blocked at the perimeter firewall or filtering router. Both inbound and outbound connections on this port must be blocked to prevent external access. If only inbound connections are blocked, it is still possible for remote assistance connections to be established through an external messenger server using Windows Messenger. These connections are established by both users initiating outbound connections to the messenger server; therefore connections in both directions must be blocked. If RA or RD connections from outside the local LAN are required, it is suggested that filtering be implemented on the firewall or router to permit only specific external IP addresses access to the internal systems. All other addresses should be denied access on port 3389. For a higher level of protection, set up a VPN and require extremely strong multi-factor authentication for the very few users who are permitted to dial into this VPN. It is generally also a good idea to only allow specific IPs to connect to this VPN server.
Chapter 14
Internet Connection Firewall Configuration
The Internet Connection Firewall (ICF) provides a basic level of protection to a computer from external connections. It uses stateful packet inspection to deny external packets from reaching the client unless they are in response to a client-initiated request. All other packets are dropped in the default configuration setting. This chapter gives a brief overview of security settings available with the ICF.
Recommended Usage
Internet Connection Firewall is neither intended for nor flexible enough to use in a network setting. The ICF would not normally be run where the client is part of a protected network, or where the client computer is providing a service. Some examples of services include: file and print sharing, web servers, and ftp servers. In these cases, a dedicated firewall should be used to provide the customized level of protection needed. There are some situations where the use of the ICF does provide additional protection for the client computer. These occur when the computer is directly connected to the Internet or to external networks. Laptops that are connected to a DSL or cable modem, or connected to a different network while traveling, would benefit from the ICF.
Features
ICF protects the client computer in three different ways: stateful packet inspection, protection from port scans, and security logging. This section briefly describes each of these features.
Many port scanners will perform an ICMP ping to see if a host exists before executing a port scan. By default, pings will also be dropped, and the ICF-protected computer may be skipped even if some ports are in actuality open.
Security Logging
The ICF can be configured to log connection attempts. You can choose to log successful connections, dropped packets, or both. There are no other options for what information is written to the log file.
The ICF must be enabled and configured on each interface on which it is to run. If you used the Set up a home or small office network wizard, either from the Network Tasks panel or from the Create a new connection wizard, the firewall may have been enabled by default. This wizard will enable the ICF under two of the options in the wizard:
This computer connects directly or through a network hub. Other computers on my network also connect to the Internet directly or through a hub.
This computer connects directly to the Internet. I do not have a network yet.
If the network interface was set up any other way, or if the ICF is not enabled, it can be enabled by performing the following actions:
Open Control Panel, then Network.
Right-click on the connection interface and select Properties from the pull-down menu.
Click the Advanced tab.
Click on Protect my computer and network by limiting or preventing access to this computer from the Internet. See Figure 14. This will enable the ICF using the default configuration.
If you wish to customize the firewall settings, click Settings. This will bring up an interface with three tabs: Services, Security Logging, and ICMP.
The Services tab in Figure 15 shows the default options available for common services. Select any of the services and a window will pop up allowing you to indicate the name or address of the computer on which that service is running. Unless you are using the computer as a gateway to other computers, that entry should reflect the name of the computer on which the ICF is running. You can add additional services by clicking the Add tab and filling in the information for that service. For example, to add a web server on port 8080, the entry may look like Figure 16.
NOTE: If you are using DHCP to get the network address, you should use the machine name rather than the IP address on these forms since there is no guarantee that the IP address will always be the same.
The Security Logging tab will allow you to set up a log of ICF activity. You can choose to log dropped packets, successful connections, or both. You also have the choice of the location and maximum size of the log file. If the log file exceeds the maximum size, the oldest entries are dropped from the file. There is no way to automatically archive the log file. Figure 17 shows the security logging options.
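As an added illustration, not part of the NSA guide, here is a Python script that reads an ICF security log offline and summarizes the dropped packets it records, which is how the port-scan drops described in this chapter become visible to an administrator. It assumes the W3C-style layout ICF writes (a '#Fields:' header naming the columns, then one space-separated record per line); the log lines embedded in it are constructed.

```python
"""Summarize an Internet Connection Firewall security log offline.
Added example, not part of the NSA guide. The log below is constructed in
the W3C-style layout ICF writes: '#' header lines, one of which
('#Fields:') names the columns, then one space-separated record per line.
Column names are read from that header at run time, so only that header
convention is assumed. The summary counts dropped packets per source and
flags sources that hit many distinct ports on this host, the port-scan
behaviour the chapter says ICF silently drops."""
from collections import defaultdict

SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-02-11 09:15:01 DROP TCP 10.0.0.99 192.168.1.20 33412 135 48 S 2251 0 65535 - - -
2003-02-11 09:15:01 DROP TCP 10.0.0.99 192.168.1.20 33413 139 48 S 2252 0 65535 - - -
2003-02-11 09:15:02 DROP TCP 10.0.0.99 192.168.1.20 33414 445 48 S 2253 0 65535 - - -
2003-02-11 09:15:02 DROP TCP 10.0.0.99 192.168.1.20 33415 3389 48 S 2254 0 65535 - - -
2003-02-11 09:15:02 DROP ICMP 10.0.0.99 192.168.1.20 - - 60 - - - - 8 0 -
2003-02-11 09:16:40 OPEN TCP 192.168.1.20 192.168.1.5 1042 80 - - - - - - - -
2003-02-11 09:17:03 DROP UDP 10.0.0.7 192.168.1.20 1900 1900 125 - - - - - - -
"""


def parse_icf_log(text):
    """Turn the log into a list of dicts keyed by the '#Fields:' column names.
    Lines before the header, other '#' lines and short rows are ignored."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) < len(fields):
            continue  # truncated row, e.g. the file was cut at its size limit
        records.append(dict(zip(fields, values)))
    return records


def summarize_drops(records):
    """Per source IP: number of DROP records and the set of TCP/UDP
    destination ports it was refused on. ICMP drops count but add no port."""
    summary = defaultdict(lambda: {"packets": 0, "ports": set()})
    for rec in records:
        if rec["action"] != "DROP":
            continue
        entry = summary[rec["src-ip"]]
        entry["packets"] += 1
        if rec["protocol"] in ("TCP", "UDP") and rec["dst-port"] != "-":
            entry["ports"].add(int(rec["dst-port"]))
    return dict(summary)


def flag_port_probes(records, min_ports=3):
    """Sources whose dropped packets touched at least min_ports distinct ports,
    the pattern a port scan leaves in the log. Returned sorted for stable output."""
    summary = summarize_drops(records)
    return sorted(ip for ip, e in summary.items() if len(e["ports"]) >= min_ports)


if __name__ == "__main__":
    recs = parse_icf_log(SAMPLE_LOG)
    for ip, e in summarize_drops(recs).items():
        print(f"{ip}: {e['packets']} dropped, ports {sorted(e['ports'])}")
    print("possible port scans:", flag_port_probes(recs))
```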
Figure 17 Security Logging tab
The ICMP tab will allow you to select various types of ICMP messages to allow. Unlike the TCP/UDP services, the ICMP section is broken into inbound and outbound packets. ICMP packets can be used to gather information about your network. It is recommended not to enable any of these messages unless absolutely necessary. Figure 18 shows the ICMP options.
Summary
The Internet Connection Firewall provides a basic level of protection to a computer. This protection is limited to new inbound connections, as there is no restriction on any connections initiated from the local machine or on replies to a locally initiated connection. The default configuration will block all external connections to local services and will provide some protection against port scanning. Individual services can be allowed through the ICF by opening the associated port, but there is no selectivity. Traffic is either allowed or denied; you cannot filter based on content or address. If the computer is supporting these services, it should be located behind a more robust firewall than the ICF can provide. The ICF is useful in limited situations, such as when a computer is not part of a network and is connected directly to the Internet, for example when traveling and dialing into the organizational Remote Access Server. Note that in environments that use IPSec, ICF must be disabled. Otherwise, the client will be unable to negotiate the IPSec policy and will not be able to make any network connections.
Chapter 15
Additional Security Settings
Aside from the security options set via security templates, several other security-related settings should be configured. This chapter addresses these settings.
Use of Administrator Accounts and the RunAs Command
Administrators should have two accounts: one with administrative privileges and one normal user account. System administrators should use their administrator account credentials only when necessary and use their regular user account for most daily tasks. Administrators should never browse the Internet with their administrator accounts since malicious web code will run under the context of the logged-on user. When performing tasks that require administrator privileges, the runas command can be used. This command will allow an unprivileged user to run a program as another user. Typing runas /? at the command prompt will provide a list of options for the command. Use the following syntax:
runas /user:domain_name\administrator_account program_name
The runas command can also be launched via a menu item shortcut by performing the following steps:
From the Start menu, navigate to the desired application.
While holding down the SHIFT key, right-click on the application.
Select Run As from the pull-down menu.
Click the option The following user.
Type or select the User name.
Type the Password.
Click OK.
NOTE: The RunAs feature requires that the Secondary Logon service on Windows XP or the RunAs service on Windows 2000 be running. These services are started by default.
See the Microsoft Knowledge Base article Q294676 at http://support.microsoft.com/support/kb/articles/Q294/6/76.asp for more information on use of the runas command.
Share permissions are granted independent of NTFS permissions. However, share permissions act together with NTFS permissions: when accessing a remote share, the more restrictive of the two applies. For example, if a user accesses a share remotely and has Full Control over the shared folder, but only NTFS Read access to that folder on the local file system, he will only have Read access to the share. The default permissions on a share give the Everyone group Full Control; therefore, you must explicitly edit security permissions on shared resources to limit share access. With the default share permissions, your NTFS permissions will be solely used to determine what access remote users have to the share. If for some reason users accessing the share remotely should have less permission than the same users accessing the directory locally, you can use share permissions to further restrict their access. Keep in mind, however, that restricting access to users on shares has no effect if they are logged on locally or via terminal services. For that reason, it is recommended to set good NTFS permissions.
NOTE: When Simple File Sharing is disabled (as is the case when a Windows XP machine is joined to a domain), Windows XP does not allow sharing of the Documents and Settings, Program Files, and %SystemRoot% folders as well as any folders below %SystemRoot%.
NOTE: If you have Simple File Sharing turned on, this dialog will be entirely different. With simple file sharing, all network users authenticate as the Guest user, regardless of the credentials they enter.
Deleting POSIX Registry Keys
As stated earlier in this guide, the POSIX subsystem is no longer included in Windows XP. However, two POSIX registry key values still exist. In fact, one key, HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix, is set to %SystemRoot%\system32\psxss.exe, a file that doesn't even exist in Windows XP. Therefore, it is recommended that the registry key values be removed by performing the following steps:
In the registry editor, regedit, navigate to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Subsystems registry key.
In the right-hand pane, select the Optional value.
From the Edit menu, select Delete.
In the dialog box asking Are you sure you want to delete this value? click the Yes button.
Repeat this process for the Posix registry key value, also under the Subsystems registry key.
Double-click on the Solicited Remote Assistance setting in the right pane. Click the Disabled radio button to prevent users from requesting remote assistance. Apply the setting and close this dialog box.
Double-click on the Offer Remote Assistance setting in the right pane. Click the Disabled radio button to prevent experts from offering remote assistance to this machine. Apply the setting and close this dialog box.
NOTE: The settings in group policy override any settings on the System Properties/Remote tab and will prevent users from using these capabilities even though the items may be selected under System Properties.
To disable a computer from accepting Remote Desktop Connections, perform the following steps:
Right-click on My Computer and select Properties to open the System Properties dialog box.
Select the Remote tab from the dialog box.
Ensure the Allow users to connect remotely to this computer checkbox is unchecked.
Click the Select Remote Users button to open the Remote Desktop Users dialog box.
Remove all users and groups from the Remote Desktop Users group.
Network Initialization
By default, Windows XP does not wait for the network to be fully initialized prior to user logon. Instead, cached credentials are used to log on existing users, resulting in shorter logon times. Group Policy is then applied in the background. This behavior results in certain policy extensions, such as Software Installation and Folder Redirection, taking up to two logons to be successfully applied. These extensions require that no users be logged on and must be processed in the foreground before users are using the computer. Also, user policy changes such as adding a profile path or logon script may take up to two logons to be detected. A problem occurs with respect to password expiration notices not being displayed to users logging onto Windows XP clients in a Windows 2000 or Windows NT 4.0 domain. If the user is logged on with cached credentials before Group Policy is applied, the policy indicating when a password expiration warning should be displayed won't be processed until after the user logs on. Therefore, the user's password will eventually expire without the user having received any warning. This guide recommends not allowing user credentials to be cached (the Interactive logon: Number of previous logons to cache security option set equal to 0). With that setting, cached user credentials are never used during logon to a domain, forcing the network to fully initialize. However, if the cached logons count is set to anything other than 0, problems could ensue. See Microsoft Knowledge Base article Q313194 at http://support.microsoft.com/support/kb/articles/Q313/19/4.asp for more information on the password expiration issue on Windows XP. In general, it is good practice to ensure that all computer-related group policy changes are applied prior to users logging on so that the user can operate under the correct security context. Therefore, the following group policy setting is recommended:
Navigate down to the Computer Configuration\Administrative Templates\System\Logon node.
In the right pane, double-click Always wait for the network at computer startup and logon.
Click the Enabled radio button.
Click OK.
Chapter 16
Lack of Group Policy
Windows NT 4.0 does not support Active Directory, and, hence, does not support the application of Group Policy. However, security settings can be locally set on a Windows XP machine either through the Security Configuration and Analysis tool described earlier in this document and/or via Local Group Policy.
Strong Session Key
In Chapter 5, the security option Domain member: Require strong (Windows 2000 or later) session key is recommended to be enabled. However, in a Windows NT domain, this option must be set to Disabled.
Click Start, then Run, and type gpedit.msc.
In the left pane, navigate to Computer Configuration\Windows Settings\Security Settings\Local Policy\Security Options.
In the right pane, double-click Domain Member: Require strong (Windows 2000 or later) session key.
Select Disabled.
Click OK.
Close the Group Policy window.
Autoenrollment
By default, Windows XP attempts automatic public key certificate enrollment. This autoenrollment feature requires Active Directory. In a Windows NT 4.0 domain, there is no Active Directory, so autoenrollment does not work and will periodically record a failure in the event log. To disable Autoenrollment, edit the Windows XP system's Local Group Policy.
Click Start, then Run, and type gpedit.msc.
In the left pane, navigate to Computer Configuration\Windows Settings\Security Settings\Public Key Policies.
In the right pane, double-click Autoenrollment Settings.
Click Do not enroll certificates automatically.
Click OK.
Close the Group Policy window.
See Microsoft Knowledge Base Article Q310461 at http://support.microsoft.com/support/kb/articles/Q310/46/1.asp for more information on this issue.
Appendix A
Example Logon Banner
The DoD uses a standard warning banner that can be downloaded from the United States Navy INFOSEC Web Information Service http://infosec.nosc.mil/infosec.html. Select the text under the United States Department of Defense Warning Statement and copy it to the clipboard. This banner should resemble the following message:
This is a Department of Defense computer system. This computer system, including all related equipment, networks, and network devices (specifically including Internet access), is provided only for authorized U.S. Government use. DoD computer systems may be monitored for all lawful purposes, including to ensure that their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability, and operational security. Monitoring includes active attacks by authorized DoD entities to test or verify the security of this system. During monitoring, information may be examined, recorded, copied, and used for authorized purposes. All information, including personal information, placed on or sent over this system may be monitored. Use of this DoD computer system, authorized or unauthorized, constitutes consent to monitoring of this system. Unauthorized use may subject you to criminal prosecution. Evidence of unauthorized use collected during monitoring may be used for administrative, criminal or adverse action. Use of this system constitutes consent to monitoring for these purposes.
Windows XP displays a message box with a caption and text that can be configured before a user logs on to the machine. The DoD requires organizations to use this message box to display a warning that notifies users that they can be held legally liable if they attempt to log on without authorization to use the computer. The absence of such a notice could be construed as an invitation, without restriction, to log on to the machine and browse the system.
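The following PowerShell script is an added audit example, not part of the NSA guide, that reads the registry values behind the settings discussed in this chapter and in Appendix A (the cached logons count, the wait-for-network policy, the strong session key option and the logon banner) and reports whether each matches the recommendation. It assumes it is run as an administrator on the Windows XP client, and the -NT4Domain switch is a hypothetical parameter for the Windows NT 4.0 domain case, where the guide requires the strong session key option to be Disabled.

```powershell
# Added audit script, not part of the NSA guide: reads the registry values behind the
# settings discussed above and compares them with the guide's recommendations.
# Assumptions: run as an administrator on the Windows XP client; -NT4Domain marks a
# Windows NT 4.0 domain, where the guide says the strong session key option must be Disabled.
function Test-XpLogonSettings {
    param([switch]$NT4Domain)

    # Read one registry value; $null when the key or value is absent (policy not configured)
    function Get-RegValue([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return $item.$Name
    }

    $winlogon    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $winlogonPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $netlogon    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $legal       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # CachedLogonsCount is REG_SZ and the others REG_DWORD, so everything is compared as text.
    # '<non-empty>' means any configured banner caption/text passes.
    $checks = @(
        @{ Name = 'Interactive logon: Number of previous logons to cache'
           Actual = Get-RegValue $winlogon 'CachedLogonsCount'; Expected = '0' },
        @{ Name = 'Always wait for the network at computer startup and logon'
           Actual = Get-RegValue $winlogonPol 'SyncForegroundPolicy'; Expected = '1' },
        @{ Name = 'Domain member: Require strong (Windows 2000 or later) session key'
           Actual = Get-RegValue $netlogon 'RequireStrongKey'
           Expected = $(if ($NT4Domain) { '0' } else { '1' }) },
        @{ Name = 'Interactive logon: Message title for users attempting to log on'
           Actual = Get-RegValue $legal 'LegalNoticeCaption'; Expected = '<non-empty>' },
        @{ Name = 'Interactive logon: Message text for users attempting to log on'
           Actual = Get-RegValue $legal 'LegalNoticeText'; Expected = '<non-empty>' }
    )

    foreach ($c in $checks) {
        $actual = "$($c.Actual)"
        if ($c.Expected -eq '<non-empty>') { $ok = $actual.Trim().Length -gt 0 }
        else { $ok = ($actual -eq $c.Expected) }
        New-Object PSObject -Property @{
            Setting  = $c.Name
            Actual   = $(if ($null -eq $c.Actual) { '<not set>' } else { $actual })
            Expected = $c.Expected
            Status   = $(if ($ok) { 'OK' } else { 'FAIL' })
        }
    }
}

Test-XpLogonSettings | Format-Table Setting, Actual, Expected, Status -AutoSize
```

A value reported as not set means the policy has not been applied at all, which on a client that logs on with cached credentials is exactly the background-processing gap described earlier in this chapter.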
Appendix B
References
Bartock, Paul, et al., Guide to Securing Microsoft Windows NT Networks version 4.1, National Security Agency, September 2000.
DiMaria, Vincent, et al., Guide to Securing Microsoft Windows 2000 Terminal Services, National Security Agency, July 2, 2001.
Haney, Julie, Guide to Securing Microsoft Windows 2000 Group Policy: Security Configuration Toolset, National Security Agency, January 2002.
MacDonald, Dave, Warren Barkley, Microsoft Windows 2000 TCP/IP Implementation Details, white paper, http://secinf.net/info/nt/2000ip/tcpipimp.html.
McGovern, Owen, Julie Haney, Guide to Securing Microsoft Windows 2000 File and Disk Resources, DISA and National Security Agency, May 2002.
Microsoft Technet, http://www.microsoft.com/technet.
Microsoft Windows XP Professional Resource Kit Documentation, Microsoft Press, 2001.
No Password Expiration Notice Is Presented During the Logon Process, KB Article Q313194, http://support.microsoft.com/default.aspx?scid=kb;en-us;Q313194, Microsoft, March 2002.
Problems When the Autoenrollment Feature Cannot Reach an Active Directory Domain Controller, KB Article Q310461, http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310461, Microsoft, March 2002.
Schultze, Eric, Windows XP Security: Everything you've always wanted to know... and a little bit more, as presented at the InfoSec World 2002 conference.
Upgrading Windows 2000 Group Policy for Windows XP, Microsoft KB article, http://support.microsoft.com/default.aspx?scid=kb;en=us;Q307900, Microsoft, November 2001.