Rebuilding and Hardening Windows XP Professional
Version 1.0, 27-5-2005
A.M. G.S. / MOHAMED / Jayakaran Ravi / Sogi / SAFI / Paul
I. Introduction
Most of this guide is still applicable even if your computer does not
fall cleanly into the above categories, but you may wish to be more
careful when implementing some of the suggested steps. Any time you
encounter an optional step which you are not familiar with, or are not
sure of the result of, check what the step does before implementing it.
While following this guide step by step will result in an XP system with
greatly improved security, it is no substitute for ongoing attention to
good computing security, including keeping up with patches, maintaining
an up-to-date virus definition list, and exercising care with email
attachments.
There are conditions under which you may want to choose FAT32
instead. If you have a Windows 95/98/ME machine which will need to
access files stored on this XP machine, or you are dual-booting with
Linux, then you will need to have at least one FAT32 partition. In
general, though, NTFS is a better and more secure choice than FAT32.
Unless you know that you are part of a domain, just select being
part of a workgroup.
If you have a static IP, enter the information from Step 6 of the
checklist here.
It is easier to add more accounts later than now: setup does not prompt
you for a password if you create them at this point, so it is better to
create the entire account later, after you have the proper security
settings in place.
Choose ‘Install Client’, and ‘Unmanaged’, unless you know you are
specifically supposed to do otherwise.
Click on the little golden shield icon on the lower right hand corner
of the screen. You should see the below screenshot.
Check to make sure that the date after ‘Version:’ is no later than
the previous Wednesday (although it should probably be the date that
you downloaded the Updater). While we’re here, we might as well
schedule future updates to run automatically on a daily basis.
Choose a time when you think your machine will be online daily,
and preferably when you won’t be busy working on it.
Make sure that you only select your local hard drive(s) (most likely
just the C: drive). A weekly scan should be sufficient (feel free to
change this to daily or monthly). Pick a time when your computer will be
on but you won’t be using it extensively. This should not be the same
time as when you download your updates.
Yes, your network cable should still be unplugged at this point. It’s
possible that Windows XP may already have a network configuration
correctly set up for you, especially if you use DHCP, but you should
still go through and check.
You may have bridging set up by default, such as for FireWire.
This may cause the network port you are connected to to automatically
disable itself, depending on which building you are in.
If you want to look into free firewalls available for personal use,
you can check some of the references.
17. Plug your network cable in, and reboot your computer
Disable all non-essential services, i.e., services that are not
required for your environment.
Note: You may need to run the following services if you plan on using
Microsoft Networking tools or sharing resources:
Server (when sharing resources)
Workstation (when connecting to resources)
Network DDE (dynamic data exchange)
Network DDE DSDM - Manages shared dynamic data exchange and is used by
Network DDE.
Print Server for Macintosh - Enables Macintosh clients to route printing
to a print spooler located on a computer running Windows 2000 Server. If
this service is stopped, printing will be unavailable to Macintosh
clients.
Print Spooler - Loads files to memory for later printing.
QoS Admission Control - Provides network signaling and local traffic
control setup functionality for QoS-aware programs and control applets.
Remote Access Auto Connection Manager - Creates a connection to a remote
network whenever a program references a remote DNS or NetBIOS name or
address.
Remote Access Connection Manager - Creates a network connection.
Remote Registry Service - Allows remote registry manipulation.
Removable Storage - Manages removable media, drives, and libraries.
Routing and Remote Access - Offers routing services to businesses in
local area and wide area network environments.
RunAs Service - Enables starting processes under alternate credentials.
SMTP - The SMTP service is used as an e-mail submission and relay agent.
It can accept and queue e-mail for remote destinations and retry at
specified intervals. Windows domain controllers use the SMTP service for
intersite e-mail-based replication. The Collaboration Data Objects (CDO)
for Windows 2000 COM component can use the SMTP Service to submit and
queue outbound e-mail. Other applications may use the SMTP Service as
the basis for the SMTP support in their product, for example, Microsoft
Exchange 2000 Server.
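As an added example (not part of the guide), this Python script parses the text that `sc query state= all` prints on an XP machine and reports which of the services listed above are still running. The service list uses the display names as the guide writes them, and the sample output embedded in the script is constructed, not a real capture.

```python
import re

# Display names of the services the guide lists as candidates for disabling,
# spelled as the guide spells them ("Remote Registry Service", "SMTP").
NON_ESSENTIAL = [
    "Network DDE DSDM", "Print Server for Macintosh", "Print Spooler",
    "QoS Admission Control", "Remote Access Auto Connection Manager",
    "Remote Access Connection Manager", "Remote Registry Service",
    "Removable Storage", "Routing and Remote Access", "RunAs Service", "SMTP",
]

def _norm(name):
    """Lower-case, drop a trailing 'Service', keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", re.sub(r"\s+service$", "", name.lower()))

def matches(display_name, guide_name):
    """True if the display name equals the guide's entry or carries it as a parenthesised acronym."""
    acronyms = re.findall(r"\(([^)]*)\)", display_name.lower())
    return _norm(display_name) == _norm(guide_name) or guide_name.lower() in acronyms

def parse_sc_query(text):
    """Parse 'sc query state= all' output into dicts with name, display_name, state."""
    services, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("SERVICE_NAME:"):
            cur = {"name": line.split(":", 1)[1].strip()}
            services.append(cur)
        elif line.startswith("DISPLAY_NAME:") and cur is not None:
            cur["display_name"] = line.split(":", 1)[1].strip()
        elif cur is not None and (m := re.match(r"STATE\s*:\s*\d+\s+([A-Z_]+)", line)):
            cur["state"] = m.group(1)
    return services

def running_non_essential(text):
    """Sorted display names of guide-listed services that are still RUNNING."""
    return sorted(s["display_name"] for s in parse_sc_query(text)
                  if s.get("state") == "RUNNING"
                  and any(matches(s.get("display_name", ""), g) for g in NON_ESSENTIAL))

# Constructed sample in the shape of 'sc query state= all' output (not a real capture).
SAMPLE = """\
SERVICE_NAME: RemoteRegistry
DISPLAY_NAME: Remote Registry
        STATE              : 4  RUNNING
SERVICE_NAME: NtmsSvc
DISPLAY_NAME: Removable Storage
        STATE              : 1  STOPPED
SERVICE_NAME: SMTPSVC
DISPLAY_NAME: Simple Mail Transfer Protocol (SMTP)
        STATE              : 4  RUNNING
"""
```

On the XP machine, run `sc query state= all > services.txt` and pass the file's text to `running_non_essential` to get the list of guide-listed services that still need attention.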
Click on Start -> Run -> SECPOL.MSC, then click on the plus sign
next to Account Policy -> Password Policy and change the settings as
given in the Password Policy table below.
Click on Start -> Run -> SECPOL.MSC, then click on the plus sign
next to Account Policy -> Account Lockout Policy and change the settings
as given in the table below.
To configure the Audit Policy settings, click on Start -> Run ->
SECPOL.MSC -> Local Policy -> Audit Policy and configure the policies
based on the table below.
To configure the User Rights Assignment settings, click on Start ->
Run -> SECPOL.MSC, then go to Local Policy -> User Rights Assignments
and configure the settings as shown in the table below.
To configure the Security Options settings, click on Start -> Run ->
SECPOL.MSC, then go to Local Policy -> Security Options and configure
the settings as shown in the table below.
f. Event Log
Start -> Run -> eventvwr.msc, then click on the plus sign next to
System Tools -> Event Viewer, right-click on Application log on the
right-hand side, click Properties, and configure the settings as given
in the table below.
Event Settings
Maximum application log size: 102,400 KB
Maximum security log size: 102,400 KB
Maximum system log size: 102,400 KB
Retention method: Do not overwrite events (clear log manually)
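Added example, not part of the guide: a Python checker for the local policy and event log sections above. It reads a security template in the form `secedit /export /cfg <file>` writes and verifies the guide's event log values (102,400 KB and manual clearing) for all three logs; the account-policy thresholds in it are assumed placeholders, not the guide's table values, and the sample export is constructed.

```python
import configparser

# The guide's event log values, 102,400 KB and "Do not overwrite events (clear log
# manually)", appear in a security template as MaximumLogSize=102400 and
# AuditLogRetentionPeriod=2 under each log's section.
LOGS = ("Application Log", "Security Log", "System Log")
EVENT_LOG_RULES = (
    [(log, "MaximumLogSize", lambda v: v >= 102400, ">= 102400") for log in LOGS]
    + [(log, "AuditLogRetentionPeriod", lambda v: v == 2, "== 2 (manual clear)") for log in LOGS]
)
# Assumed account-policy thresholds, not the guide's table values; adjust to your policy.
ACCOUNT_RULES = [
    ("System Access", "MinimumPasswordLength", lambda v: v >= 8, ">= 8 (assumed)"),
    ("System Access", "PasswordComplexity", lambda v: v == 1, "== 1 (assumed)"),
    ("System Access", "LockoutBadCount", lambda v: 1 <= v <= 10, "1..10 (assumed)"),
]

def load_template(text):
    """Parse text in secedit /export (.inf) form; key names keep their case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def check_template(text, rules=EVENT_LOG_RULES + ACCOUNT_RULES):
    """Return (section, key, actual, expected) per failed rule; missing keys give actual=None."""
    cp = load_template(text)
    failures = []
    for section, key, ok, expected in rules:
        raw = cp.get(section, key, fallback=None)
        value = int(raw) if raw is not None and raw.strip().lstrip("-").isdigit() else None
        if value is None or not ok(value):
            failures.append((section, key, value, expected))
    return failures

# Constructed sample export (not a real capture): Security Log too small and set to overwrite.
SAMPLE = """\
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
LockoutBadCount = 0
[Application Log]
MaximumLogSize = 102400
AuditLogRetentionPeriod = 2
[Security Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 0
[System Log]
MaximumLogSize = 102400
AuditLogRetentionPeriod = 2
"""
```

A real export is written as UTF-16, so open it with `encoding="utf-16"` before passing its text to `check_template`.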
g. Registry Settings
To configure the registry settings, go to Start -> Run -> REGEDIT and
open the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
registry key.
Note: Security Operations strongly recommends backing up the registry
before any changes are made to it.
2. Make a user account which will be your primary user account, with
less than admin privileges. Change your admin password, now that you
have your policies set.
4. Change the settings so you can see file extensions and hidden files.
This is a lot more important than it used to be, now that many viruses
use ‘double extensions’ (e.g., hi.txt.exe, to make an executable look
like a text file).
Appendix A:
Appendix B:
Appendix C: