Securing Windows XP

Please note: These settings are guidelines for minimum Windows Security. Systems Administrators may need to further restrict Security settings as needed.

Checklist for Windows XP Machines

  1. Services: Windows XP often comes with Terminal Services, IIS, and RAS which can open holes in the system. The most commonly found services that should be disabled are listed below. Services can be viewed by opening the Control Panel, opening Administrative Tools, and then launching the Services Control Panel. For more information, please refer to Microsoft Technet Security, available on Microsoft's website at Microsoft.com.
    1. Alerter - Notifies selected users and computers of administrative alerts.
    2. Clipbook - enables the Clipbook Viewer to create and share "pages" of data to be viewed by remote computers.
    3. Computer Browser - maintains an up-to-date list of computers on your network, and supplies the list to programs that request it.
    4. Help and Support - Required for Microsoft online help documents. If you ever attempt to use Help and Support, this service is set back to Automatic, even if you had already set it to Disabled.
    5. IIS Admin Service - allows administration of Internet Information Services (IIS). IIS should not be running on most client machines, and should be uninstalled. IIS can be removed by opening the Control Panel, opening Add/Remove Programs, selecting Add/Remove Windows Components, and then deselecting IIS Services.
    6. Messenger - sends and receives messages to or from users and computers, or those transmitted by administrators or by the Alerter service. Recently this service has been used to deliver "messenger spam."
    7. NetMeeting Remote Desktop Sharing - allows authorized users to remotely access your Windows desktop from another PC over a corporate intranet by using Microsoft NetMeeting.
    8. Remote Desktop Help Session Manager - Manages and controls Remote Assistance. Could create a MAJOR security hole.
    9. Remote Registry Service - allows remote registry manipulation. This service lets users connect to a remote registry and read and/or write keys to it, provided they have the required permissions.
    10. Server - provides RPC support and file, print, and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. Disabling this service also disables the default shares on the machine.
    11. SSDP Discovery Service - Used to locate UPnP devices on your home network. In conjunction with Universal Plug and Play Device Host, it detects and configures UPnP devices on your home network. This service listens for TCP connections on port 5000 and for UDP datagrams arriving on port 1900, which allows malicious hackers (or high-speed Internet worms) located anywhere in the world to scan for, and locate, individual Windows UPnP-equipped machines. Note: UPnP is NOT related to PnP. Do NOT disable the Plug and Play service.
    12. Telnet - allows a remote user to log on to the system and run console programs by using the command line.
    13. Terminal Services - Allows remote login to the local computer. This service is required for Fast User Switching, Remote Desktop and Remote Assistance.
    14. Universal Plug and Play Device Host - Used in conjunction with SSDP Discovery Service, it detects and configures UPnP devices on your home network.
    15. Remote Task Manager Service - This service is not usually found in Windows XP installations, but it is worth mentioning. Created for Microsoft by WhiteHat Inc., it allows complete remote administration and has been found on recently compromised machines. This service should be disabled, and the executable rtmservice.exe, which is downloaded remotely, should also be deleted.
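The same services can be disabled from a command prompt instead of the Services Control Panel, which is useful when many machines have to be configured. The batch file below is an added example and not part of the original page; it uses sc.exe, which ships with Windows XP, and the default XP short names of the services listed above (the Remote Task Manager Service is omitted because the page gives no service name for it).

```batch
@echo off
rem Added example (not from the original page): stop and disable the services
rem listed in the checklist above using sc.exe, then report the resulting start type.
rem Service short names are the Windows XP defaults; confirm with "sc query" first.
setlocal

rem Alerter, ClipBook, Computer Browser, Help and Support, IIS Admin, Messenger,
rem NetMeeting Remote Desktop Sharing, Remote Desktop Help Session Manager,
rem Remote Registry, Server, SSDP Discovery, Telnet, Terminal Services, UPnP Device Host.
rem Caveats from the page: disabling lanmanserver removes file/print and default shares;
rem disabling TermService also breaks Fast User Switching, Remote Desktop and Remote Assistance.
set SERVICES=Alerter ClipSrv Browser helpsvc IISADMIN Messenger mnmsrvc RDSessMgr RemoteRegistry lanmanserver SSDPSRV TlntSvr TermService upnphost

for %%S in (%SERVICES%) do (
    echo Disabling %%S
    rem sc stop fails harmlessly if the service is not running or not installed
    sc stop %%S >nul 2>&1
    rem note: the space after "start=" is required by sc.exe syntax
    sc config %%S start= disabled >nul 2>&1
)

echo.
echo Resulting start types (expect DISABLED, or an error for services not installed):
for %%S in (%SERVICES%) do (
    echo %%S:
    sc qc %%S | find "START_TYPE"
)

endlocal
```

Run the file from an administrator command prompt; rerunning it is safe because sc config simply sets the same start type again. Because helpsvc is switched back to Automatic whenever Help and Support is used, the verification loop at the end is worth rerunning periodically.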


  2. Local Security Policy: Settings in the Local Security Policy can be changed based on the needs of the computer's support staff. Machines can be made more or less accessible on the network by changing these and other settings. The following settings are recommendations for good security. Note that the settings will differ from those below if File and Printer Sharing needs to be enabled. To access the Local Security Policy, enter the Control Panel. Switch the view to Classic. Open Administrative Tools. Double click on Local Security Policy and go to Security Options. The following sections in Security Options need to be set to the values below:

Policy | Local Setting
    1. Accounts: Guest account status | Disabled
    2. Accounts: Limit local account use of blank passwords to console logon only | Enabled
    3. Interactive Logon: Do not require Ctrl+Alt+Del | Disabled
    4. Network Access: Allow anonymous SID/Name translation | Disabled
    5. Network Access: Do not allow anonymous enumeration of SAM accounts | Enabled
    6. Network Access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled
    7. Network Access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled
    8. Network Access: Let Everyone permissions apply to anonymous users | Disabled
    9. Network Access: Named Pipes that can be accessed anonymously |
    10. Network Access: Remotely accessible registry paths |
    11. Network Access: Shares that can be accessed anonymously |
    12. Network Access: Sharing and security model for local accounts | Classic - local users authenticate as themselves


Next, go to User Rights Assignments. The following sections should be changed to the values below:

Policy | Local Setting

    1. Access this computer from the network |
    2. Act as part of the operating system |
    3. Add workstations to domain |
    4. Allow logon through Terminal Services |
    5. Deny access to this computer from the network | Guests
    6. Deny logon locally | Guests
    7. Force shutdown from a remote system |
    8. Log on as a batch job |
    9. Log on as a service |
    10. Log on locally | Administrators, Authenticated Users
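Most of the Security Options above are stored as registry values under the LSA key, so they can be applied and verified from a command prompt as well as through the Local Security Policy console. The batch file below is an added example, not the page's own script: the registry values are the ones the corresponding policies write, the Guest account is disabled with net.exe, and the two Deny rights are set with ntrights.exe, which is assumed to be available from the Windows 2000 Resource Kit already referenced on this page (it is not part of Windows XP). "Allow anonymous SID/Name translation" is not a plain registry value and the "Log on locally" list is easier to edit in the console, so both are left to the GUI steps above.

```batch
@echo off
rem Added example (not from the original page): apply the registry-backed
rem Security Options and the Deny user rights from the tables above.
rem Assumptions: run from an administrator prompt; ntrights.exe (Resource Kit) is on the PATH.
setlocal
set LSA=HKLM\SYSTEM\CurrentControlSet\Control\Lsa
set POL=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

rem Accounts: Guest account status = Disabled
net user Guest /active:no

rem Accounts: Limit local account use of blank passwords to console logon only = Enabled
reg add %LSA% /v LimitBlankPasswordUse /t REG_DWORD /d 1 /f

rem Interactive Logon: Do not require Ctrl+Alt+Del = Disabled (0 keeps Ctrl+Alt+Del required)
reg add %POL% /v DisableCAD /t REG_DWORD /d 0 /f

rem Network Access: Do not allow anonymous enumeration of SAM accounts = Enabled
reg add %LSA% /v RestrictAnonymousSAM /t REG_DWORD /d 1 /f

rem Network Access: Do not allow anonymous enumeration of SAM accounts and shares = Enabled
reg add %LSA% /v RestrictAnonymous /t REG_DWORD /d 1 /f

rem Network Access: Do not allow storage of credentials or .NET Passports = Enabled
reg add %LSA% /v DisableDomainCreds /t REG_DWORD /d 1 /f

rem Network Access: Let Everyone permissions apply to anonymous users = Disabled
reg add %LSA% /v EveryoneIncludesAnonymous /t REG_DWORD /d 0 /f

rem Network Access: Sharing and security model = Classic (ForceGuest 0 = local users
rem authenticate as themselves; 1 would be the "Guest only" model)
reg add %LSA% /v ForceGuest /t REG_DWORD /d 0 /f

rem User Rights Assignment: deny Guests network access and local logon
rem (ntrights is a Resource Kit tool, assumed installed; Guests is the built-in group)
ntrights -u Guests +r SeDenyNetworkLogonRight
ntrights -u Guests +r SeDenyInteractiveLogonRight

echo.
echo Verification (some LSA changes take full effect only after a reboot):
reg query %LSA% /v RestrictAnonymousSAM
reg query %LSA% /v RestrictAnonymous
reg query %LSA% /v EveryoneIncludesAnonymous
reg query %LSA% /v ForceGuest
net user Guest | find "Account active"
endlocal
```

After running it, open Local Security Policy and confirm that the Security Options show the values from the table; the console reads the same registry values, so it doubles as an independent check that nothing was mistyped.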


  3. Managing Users: To access the Users Control Panel, right click on My Computer and select Manage. This will open the Computer Management Console. Expand Local Users and Groups. Open the Users folder. Eliminate any users that do not need access to the machine. Disable the Guest account, and if it is not used, disable the Administrator account. Remember to give both accounts strong passwords. Next, open the Groups folder, and open the Administrators group. Make sure the only accounts listed are Administrator and any other account that has purposefully been given administrative rights. Go through the rest of the groups and make sure all users listed are legitimate. Finally, remember to remove any built-in Remote Assistance users.

A note on renaming the Administrator account: Renaming the Administrator account is often held up as a defense against crackers, though it is not a strong one on its own. Crackers can recover the name of the Administrator account from its SID, because the account's relative identifier is always the well-known value 500. And unlike other accounts, the Administrator account cannot be locked out by default, meaning that an attacker can try as many passwords against it as they like. However, renaming the account, setting a strong password, and following the other security steps outlined above will make it extremely difficult for an unauthorized user to access the computer.


  4. Windows Updates and Virus Protection: Make sure the latest Windows Service Packs, Security Updates, and virus definitions are installed on the machine. You may link directly to information and downloads for the latest critical Microsoft updates by visiting our downloads page and checking the Windows Updates section. To download the Symantec Antivirus client provided by UNC, please click on the Symantec Antivirus link located on our downloads page.


  5. XP Specific Concerns: Remote Assistance and Remote Desktop are XP features intended to allow remote access to your computer for problem diagnosis or desktop sharing. However helpful they may seem at first sight, they are obviously open to misuse. To disable Remote Assistance and Remote Desktop, enter the Control Panel and select System. Click on the Remote tab. Uncheck the boxes under Remote Assistance and Remote Desktop.

Windows XP comes with a built-in stateful firewall called Internet Connection Firewall (ICF). Enabling the firewall is recommended and provides extra protection, but it must be configured to allow ICMP traffic for network troubleshooting on campus.

To enable ICF, right click on My Network Places and select Properties. Right click on Local Area Connection, then Properties. Click on the Advanced tab. Check the box next to "Protect my computer and network by limiting or preventing access to this computer from the Internet." Next, click on the Settings button, and select the ICMP tab. Place a check in the boxes next to "Allow incoming echo...," "Allow incoming timestamp...," "Allow incoming router...," and "Allow incoming mask..." Click OK to save changes to the connection and enable ICF.

Windows XP Service Pack 2 will include significant enhancements to ICF, including new global configurations that apply to all connections, new dialog boxes for local configuration, new startup security and shielded mode, local subnet restriction, traffic exceptions by application filename, and built-in support for IPv6 ICF. For more information on these enhancements, refer to Microsoft's article on Deploying Internet Connection Firewall with Microsoft Windows XP SP2 (.doc). To configure SP2's ICF for the recommended settings, use the batch file below.

Automated SP2 ICF settings (this script only works on SP2 installations!)
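The page's own batch file is not reproduced here. As an added example of what such a script does, the batch file below applies the settings recommended above (firewall on for every connection, the four ICMP request types allowed) with the "netsh firewall" context, which exists only on XP SP2 and later. It also closes the firewall exceptions for Remote Desktop and UPnP, since both are disabled elsewhere in this checklist; that part goes slightly beyond the GUI steps described above.

```batch
@echo off
rem Added example (not the page's batch file): configure the SP2 Windows Firewall
rem (the enhanced ICF) with the settings recommended above. Requires XP SP2 or later
rem and an administrator prompt; "netsh firewall" does not exist on SP1.

rem Turn the firewall on for all profiles (domain and standard) and keep the
rem exceptions list active so the ICMP settings below are honoured
netsh firewall set opmode mode=enable exceptions=enable profile=all

rem Allow the four inbound ICMP request types named in the GUI steps above,
rem which campus network troubleshooting relies on:
rem   8 = echo request, 13 = timestamp request, 9 = router request, 17 = address mask request
for %%T in (8 13 9 17) do netsh firewall set icmpsetting type=%%T mode=enable profile=all

rem Remote Desktop and UPnP are disabled earlier in this checklist; make sure the
rem firewall does not carry open exceptions for them either
netsh firewall set service type=remotedesktop mode=disable profile=all
netsh firewall set service type=upnp mode=disable profile=all

rem Display the resulting state and configuration for review
netsh firewall show state
netsh firewall show config
```

Profile "all" covers both the domain and standard profiles, so the settings hold whether or not the machine can reach its domain controller; if only the current connection matters, "profile=current" limits the change to the profile in use.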


Enabling Remote Account Lockout for the Administrative Account

  1. By default, the "true" Administrator account (the account whose SID ends in relative identifier 500, i.e. the account created when the machine is first installed) is not subject to the account lockout policies set earlier. To enable network account lockout for the Administrator account, you will need the passprop.exe tool from the Windows 2000 Resource Kit. You can download passprop and other resource kit tools from the MCSE World site.
  2. From the command prompt, execute "passprop /adminlockout". The Administrator account will now be subject to the same number of failed logons prior to lockout as the rest of your users. Note: this feature will only work if Account Lockout has been enabled in the User Manager | Policies | Account. Also, if the Administrator account is locked out, it will only be locked out from the network. The Administrator can still log on from the local PC and reset the account lockout flag to allow access again. This will protect you against remote crackers trying to brute-force the Administrator account.


Disabling Distributed COM: PORT 135

  1. Several recent worms (e.g. Blaster and Welchia) have exploited the DCOM RPC vulnerability described in Microsoft Security Bulletin MS03-026 over TCP port 135. In addition to downloading the most recent patches for this vulnerability from the Microsoft site, Distributed COM (DCOM) can also be disabled. Few programs require DCOM in order to run properly, although many support it. The only way to find out whether programs on a PC will be adversely affected is to disable it and see what happens. Should there be any problems, re-enabling it is a simple process (to re-enable, see the instructions below).


[Figure: DcomXP, the Component Services configuration panel]

To disable DCOM, click Start, select Run, enter the command dcomcnfg.exe, and press Enter to launch the Component Services configuration panel shown above.
Expand Component Services, then Computers. Right click on My Computer and select Properties. Click on the Default Properties tab, and uncheck the box next to "Enable Distributed COM..." Next, click on Apply and then OK to save the changes. DCOM will be disabled once the machine has been rebooted.

To re-enable DCOM, open the Component Services configuration panel, expand Component Services then Computers. Right click on My Computer and select Properties. Click on the Default Properties tab, and check the box next to "Enable Distributed COM..." Click Apply and then OK to exit the configuration panel. DCOM will be enabled on reboot.
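The "Enable Distributed COM" checkbox in dcomcnfg toggles a single registry value, EnableDCOM under HKLM\SOFTWARE\Microsoft\Ole, so the same change can be made, reversed and audited from a command prompt. The batch file below is an added example, not part of the original page; its script name and the disable/enable/status arguments are hypothetical, and it uses reg.exe and netstat, both of which ship with Windows XP.

```batch
@echo off
rem Added example (not from the original page): disable, re-enable or report DCOM
rem by setting the value the dcomcnfg checkbox writes. Like the GUI steps above,
rem the change takes effect after a reboot.
rem Usage (hypothetical script name):  dcomxp.cmd disable | enable | status
setlocal
set OLEKEY=HKLM\SOFTWARE\Microsoft\Ole

if /i "%1"=="disable" goto disable
if /i "%1"=="enable" goto enable
goto status

:disable
rem "N" is what unchecking "Enable Distributed COM on this computer" stores
reg add %OLEKEY% /v EnableDCOM /t REG_SZ /d N /f
echo DCOM will be disabled after the next reboot.
goto status

:enable
rem "Y" is the default and what re-checking the box stores
reg add %OLEKEY% /v EnableDCOM /t REG_SZ /d Y /f
echo DCOM will be enabled after the next reboot.

:status
echo Current setting:
reg query %OLEKEY% /v EnableDCOM

rem The RPC endpoint mapper service (RpcSs) still listens on TCP 135 even with DCOM
rem disabled, so a listener here is expected; the MS03-026 patch remains required.
echo Port 135 listener state for reference:
netstat -an | find ":135 "
endlocal
```

Using the status argument before and after a reboot shows whether the registry value and the running state agree; the reg query output is also a quick way to audit a fleet of machines for the setting without opening dcomcnfg on each one.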
