
OS Hardening Document for Windows XP Professional
Version 1.0

A.M. MOHAMED SAFI,
Security Operations Team, MAY 2005.
(E-mail: security.opr@wipro.com)

Security Operations Confidential



Disclaimer

Recommendations contained in this document are generic and involve consensus from Security Specialists of the Security Operations Team. The recommendations are intended to improve the security aspects of the network, systems, and devices. Proper use of these recommendations requires careful analysis by the implementer based on his/her environment and requirements.

About

This guide is focused on creating a baseline security policy for Windows XP Professional.

Who should read this Document?

This guide is primarily intended for machine owners, systems architects, and IT professionals who are responsible for the deployment of Windows XP Professional.

Caution

The hardening guidelines should be followed before installing any applications on the OS.

Document Version Details

Date: 27-5-2005
Version: 1.0
Changes made: Rebuilding and Hardening for Windows XP Professional
Prepared by: A.M. MOHAMED SAFI
Reviewed by: G.S. Jayakaran Paul
Approved by: Ravi Sogi


I. Introduction

This guide for rebuilding and hardening Windows XP Professional machines consists of two parts and an appendix. The first part contains a number of critical steps which everybody should take in order to prevent being infected with currently common worms. Other than the initial installation of Windows and running Windows Update, the hardening steps described in the first part should take less than 30 minutes to do. The second part consists of recommended changes, as well as some additional tips and tweaks which you may or may not wish to take depending on your own situation. Critical steps are marked with a *Critical*, and suggested steps have a little blurb describing why you may or may not choose to implement the suggestion. The entire first part is considered critical.

The majority of the guide is targeted towards XP machines which:

1. Are not part of a domain,
2. Do not have a remote systems administrator,
3. Are not dual-booting with another OS,
4. Are not running any servers, and
5. Do not need to transfer files directly with Windows 95/98/ME machines.

Most of this guide is still applicable even if your computer does not
fall cleanly into the above categories, but you may wish to be more
careful when implementing some of the suggested steps. Any time you
encounter an optional step which you are not familiar with, or not sure
about the result of, you should check up on the results of the step before
implementing it. While following this guide step for step will result in an
XP system with greatly improved security, it is no substitute for ongoing
attention to good computing security, including keeping up with patches,
maintaining an up-to-date virus definition list, and exercising care with
email attachments.


*Critical* If you are rebuilding a machine, be sure to back up any data that you want to keep! Good choices for backing up include burning data onto CDs or DVDs, external hard drives, or tape drives. This guide assumes that you will be formatting your hard drive to perform a clean install of XP, which results in the loss of any data you may currently have on the hard drive.


II. Checklist *Critical*

Before you start on this guide, you should have:

1. A printed copy of this guide.
2. The Windows XP Professional installation disc on hand, as well as the registration codes.
3. The latest Symantec Antivirus (currently version 9.0) installation disc on hand. Please note that Symantec has also been known as Norton. For the sake of consistency throughout this guide, we will refer to the company and product as Symantec.
4. The latest virus definition files for Symantec burnt onto a CD or downloaded onto a USB jump drive. The latest virus definition files can be downloaded from http://ec-ls3.wipro.com/intelligentupdater/
5. If you are rebuilding a machine, be sure to have backed up any of your old data before you start!
6. Make a note of your network settings before you rebuild, particularly the following info:
   a. Static or DHCP IP address (if static, note the actual IP, as well as the gateway and subnet mask)
   b. DNS Server (typically 10.200.50.100 and 10.200.52.100)


III. Rebuilding and Securing XP *Critical*

(All new rebuilds should go through these steps)

1. Leave your network cable unplugged while initially installing XP. *Critical*

Depending on when you're rebuilding, you can get infected before you even log in the first time -- the record for fastest re-infection of a newly rebuilt machine during the highest point of MS Blaster activity back in Sept '03 was 27 seconds.

2. When asked how you would like to format your hard drive, choose ‘Format the partition using the NTFS file system’

There are conditions under which you may want to choose FAT32
instead. If you have a Windows 95/98/ME machine which will need to
access files stored on this XP machine, or you are dual-booting with
Linux, then you will need to have at least one FAT32 partition. In
general, though, NTFS is a better and more secure choice than FAT32.

3. Type in a strong Administrator password if (when) queried for it.

In no event should you use a blank password or a ‘generic’ password such as ‘administrator’, ‘password’, etc. Many current worms will attempt to guess passwords on mapped drives, and of course will go through many generic passwords. A strong password is at least 8 characters long, has both letters and non-letter characters, and mixed upper and lower case, preferably something that’ll mean something to you (e.g., TG2reBxp0).


4. Since your network cable is unplugged, just accept the default networking info.

Unless you know that you are part of a domain, just select being
part of a workgroup.

5. When prompted, select LAN, then (most likely) DHCP (Obtain IP automatically) and obtain DNS automatically.

If you have a static IP, you should enter the information from Step 6 of the checklist here.

6. When asked to input usernames, just input one for now.

It’s easier to add more later than to add them now, since it doesn’t prompt you for any password if you make them now, and it’s easier just to make the entire account later after you have the proper security settings set up.

7. At this point, you should be past the entire initial configuration windows, and have the default (and insecure!) installation of Windows XP.

If you prefer other graphical settings than the default, go ahead and change them at the end of the guide since all the screenshots are taken with the default screens.

8. Put passwords on user accounts

Click on Start->Control Panel->User Accounts, double click on your user account, and click on ‘Create a password’. Be sure to choose a strong password, and be sure to have a password for every account on your computer.


9. Install Symantec AV from http://ec-ls3.wipro.com/intelligentupdater/ or CD

Choose ‘Install Client’, and ‘Unmanaged’, unless you know you are
specifically supposed to do otherwise.

10. Run the Intelligent Updater from http://ec-ls3.wipro.com/intelligentupdater/ or CD

This is from the additional CD which you burnt for yourself, or which the Help Desk gave you. These are crucial virus definition files which have been added since Symantec AV was first released – if you don’t do this step, Symantec will not be able to catch most viruses and worms.

11. Schedule automatic Live Updates

Click on the little golden shield icon on the lower right hand corner
of the screen. You should see the below screenshot.

Check to make sure that the date after ‘Version:’ is no later than the previous Wednesday (although it should probably be the date that you downloaded the Updater). While we’re here, we might as well schedule future updates to happen automatically on a daily basis. Choose a time where you think that your machine will be online daily, and preferably when you won’t be particularly busy working on it.


12. Be sure you have real time protection enabled

Check by going to Configure->File System Real Time Protection, and make sure the box marked ‘Enable file system real time protection’ is checked.

13. Schedule regular Symantec scans

Make sure that you only select your local hard drive(s) (most likely just the C: drive). A weekly scan should be sufficient (feel free to modify to either a daily or monthly) – pick a time when your computer will be on, but you won’t be using it extensively. This should not be the same time as when you download your updates.

14. Configure your network connection without the network cable plugged in

Yes, your network cable should still be unplugged at this point. It’s possible that Windows XP may already have a network configuration correctly set up for you, especially if you use DHCP, but you should still go through and check.

Start->Control Panel->Network and Internet Connections->Network Connections (lower right hand area)


15. Turn off bridging

You may have bridging set up by default, such as for FireWire. Depending on which building you are in, this may cause the network port you are connected to to disable itself automatically.

16. Turn off Windows File and Printer sharing (optional)

Right click on your network connection(s), select Properties. You should be on the ‘General’ tab – uncheck the ‘File and Printer Sharing’ box, then continue to the next step to turn on your firewall.

17. Turn on ICF for your network connections

Right click on your network connection(s), select Properties (if you didn’t already do so from the previous step). Select the ‘Advanced’ tab, check the ‘Protect my computer...’ box, then click ‘OK’. Your machine may freeze momentarily when you first turn on the firewall. You may want to get a different firewall later, but having ICF on in the meantime is better than nothing.


If you want to look into free firewalls available for personal use,
you can check some of the references.

18. Plug your network cable in, and reboot your computer

Your computer is still insecure, but you’ll need to get on the network to get the latest Windows patches. Patching your computer regularly is crucial, since new bugs and exploits are found regularly and fixed by new patches from http://patch.wipro.com

19. Revealing hidden files and extensions

Click on Start -> My Computer, then on Tools->Folder Options, go to the ‘View’ tab, and unselect ‘Automatically search for network folders and printers’, select ‘Show hidden files and folders’, unselect ‘Hide extensions for known file types’, ‘Hide protected operating system files’, and ‘Use simple file sharing’, then click ‘Apply’, and ‘OK’.


20. Set Internet Explorer to at least Medium Security

Start Internet Explorer (Start->Internet Explorer), and select Tools->Internet Options. Select the ‘Security’ tab, and be sure that the ‘Security Level’ of the ‘Internet’ zone is set to at least ‘Medium’. Click ‘Apply’, and ‘OK’.


IV. Additional Security Measures

Instructions and screenshots for these steps will be up in a few hours. Please check back. In the meantime, here is a list of other suggested steps for hardening your Windows XP system:

1. Turn off unnecessary services

Start -> Run -> services.msc (or) Start -> Settings -> Control Panel -> Administrative Tools -> Services

Disable all the non-essential services, i.e. services that are not required for your environment.


2. Change policies and audits

By default, Windows starts certain services during the installation phase over which we do not have any control. We begin the build process by disabling services which are not required.

Note: You may find a need to run the following services if you plan on using Microsoft Networking tools or sharing resources:
• Server (when sharing resources)
• Workstation (when connecting to resources)

Note: Ensure the services listed in the Non-Essential Services column are the only services set to Disabled.


Non-essential Services and their Description

Alerter: Notifies selected users and computers of administrative alerts.
ClipBook: Supports ClipBook Viewer, which allows pages to be seen by remote ClipBooks.
Computer Browser: Maintains an up-to-date list of computers on your network and supplies the list to programs that request it.
DHCP Client: Manages network configuration by registering and updating IP addresses and DNS names.
DHCP Server: This service allocates IP addresses and allows the advanced configuration of network settings such as DNS servers, WINS servers, and so on to DHCP clients automatically. If the DHCP Server service is turned off, DHCP clients will not receive IP addresses or network settings automatically.
Fax Service: Helps to send and receive faxes.
File Replication: Maintains file synchronization of file directory contents among multiple servers.
File Server for Macintosh: Enables Macintosh users to store and access files on this Windows server machine. If this service is turned off, Macintosh clients will not be able to view any NTFS shares.
Internet Connection Sharing: Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection.
Intersite Messaging: Allows sending and receiving messages between Windows Advanced Server sites.
Kerberos Key Distribution Center: Generates session keys and grants service tickets for mutual client/server authentication.
IPSEC Policy Agent: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
Messenger: Sends and receives messages transmitted by administrators or by the Alerter service.
NetLogon: Supports pass-through authentication of account logon events for computers in a domain.
NetMeeting Remote Desktop Sharing: Allows authorized people to remotely access your Windows desktop using NetMeeting.
Network DDE: Provides network transport and security for dynamic data exchange (DDE).
Network DDE DSDM: Manages shared dynamic data exchange and is used by Network DDE.
Print Server for Macintosh: Enables Macintosh clients to route printing to a print spooler located on a computer running Windows 2000 Server. If this service is stopped, printing will be unavailable to Macintosh clients.
Print Spooler: Loads files to memory for later printing.
QoS Admission Control: Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
Remote Access Auto Connection Manager: Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
Remote Access Connection Manager: Creates a network connection.
Remote Registry Service: Allows remote registry manipulation.
Removable Storage: Manages removable media, drives, and libraries.
Routing and Remote Access: Offers routing services to businesses in local area and wide area network environments.
RunAs Service: Enables starting processes under alternate credentials.
SMTP: The SMTP service is used as an e-mail submission and relay agent. It can accept and queue e-mail for remote destinations and retry at specified intervals. Windows domain controllers use the SMTP service for intersite e-mail-based replication. The Collaboration Data Objects (CDO) for Windows 2000 COM component can use the SMTP Service to submit and queue outbound e-mail. Other applications may use the SMTP Service as the basis for the SMTP support in their product, for example, Microsoft Exchange 2000 Server.
Simple TCP/IP Services:
• Echo (port 7, RFC 862)
• Discard (port 9, RFC 863)
• Character Generator (port 19, RFC 864)
• Daytime (port 13, RFC 867)
• Quote of the Day (port 17, RFC 865)
Once the service is enabled, all five protocols are enabled on all adapters. There is no provision for selectively enabling specific services or enabling this service on a per-adapter basis. Disabling the service has no effect on the rest of the operating system.
Smart Card: Manages and controls access to a smart card inserted into a smart card reader attached to the computer.
Smart Card Helper: Provides support for legacy smart card readers attached to the computer.
TCP/IP Print Server: Enables TCP/IP-based printing using the Line Printer Daemon protocol. If this service is stopped, TCP/IP-based printing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Telephony: Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
WINS: Enables NetBIOS name resolution. Presence of the WINS server(s) is crucial for locating the network resources identified using NetBIOS names. WINS servers are required unless all domains have been upgraded to Active Directory and all computers on the network are running Windows 2000. Disabling or turning off WINS results in the following:
• Location of the Windows NT 4 domains fails.
• Location of Windows 2000 Active Directory domains by Windows NT 4 clients fails.
• NetBIOS name resolution fails unless a device whose name should be resolved is on the same subnet as the device attempting name resolution and the latter is configured to attempt NetBIOS name resolution using broadcast.
WMI: Provides system management information.
WMI Driver Extensions: Provides systems management information to and from drivers.
Task Scheduler: Enables a program to run at a designated time. (Disable this service only if it’s not required for this particular server.)
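The table above lists services by display name; as an added example (not part of the original guide), the batch file below disables the entries that exist on Windows XP by their short service names with sc.exe, and deliberately skips entries that other steps of this guide depend on. The service names, the file name and the local administrator session are assumptions of the example; the Windows 2000 Server entries in the table (DHCP Server, WINS, SMTP, KDC, the Macintosh services, and so on) are not installed on XP and are not listed.

```batch
@echo off
rem Added example, not part of the original guide: disable services from the
rem Non-Essential Services table with sc.exe, the command-line twin of services.msc.
rem Assumes a local administrator session on Windows XP Professional.
setlocal

set SVCS=Alerter ClipSrv Browser Fax Messenger mnmsrvc NetDDE NetDDEdsdm RasAuto RasMan
set SVCS=%SVCS% RemoteRegistry NtmsSvc RemoteAccess SCardSvr SCardDrv TapiSrv PolicyAgent
set SVCS=%SVCS% Netlogon SimpTcp LPDSVC

rem Left out of the list on purpose, because other parts of this guide rely on them:
rem   SharedAccess  on XP the ICF firewall turned on in Part III is this service (shared with ICS)
rem   Dhcp          DHCP Client; step 5 expects most machines to obtain their address by DHCP
rem   winmgmt       WMI; Windows Update and the XP management tools depend on it
rem   Schedule      Task Scheduler; the table itself says disable only if not needed
rem   seclogon      RunAs; needed for admin tasks from the less-than-admin daily account
rem   Spooler       Print Spooler; disabling it also removes local printing

for %%S in (%SVCS%) do (
    sc config %%S start= disabled >nul 2>&1
    if errorlevel 1 (
        echo %%S is not installed, skipped
    ) else (
        echo Disabled %%S
        sc stop %%S >nul 2>&1
    )
)

rem Verify: START_TYPE should read "4 DISABLED" for every service that was present
for %%S in (%SVCS%) do (
    echo === %%S
    sc qc %%S 2>nul | find "START_TYPE"
)
endlocal
```

The space after `start=` is required by sc.exe; a service that is not installed makes sc.exe return error 1060, which the loop reports and skips.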


a. Account Policies/Password Policies:

Click on Start -> Run -> SECPOL.MSC then click on the plus sign
next to Account Policy -> Password Policy and change the settings as
given in the Password Policy table below

Policy = Recommended Settings
Enforce password history = 10 passwords remembered
Maximum password age = 30 days
Minimum password age = 7 days
Minimum password length = 8
Password must meet complexity requirements = Enabled
Store password using reversible encryption = Disabled

b. Account Policies/Account Lockout Policy

Click on Start -> Run -> SECPOL.MSC then click on the plus sign
next to Account Policy -> Account Lockout Policy and change the settings
as given in the table below

Policy = Recommended Settings
Account lockout duration = 0 minutes
Account lockout threshold = 3 invalid login attempts
Reset account lockout counter after = 30 minutes

c. Local Policies/Audit Policy

To configure the Audit Policy Settings click on Start -> Run ->
SECPOL.MSC -> Local Policy -> Audit Policy and configure the policies
based on the table below.


Policy = Recommended Settings
Audit account logon events = SUCCESS, FAILURE
Audit account management = SUCCESS, FAILURE
Audit directory service access = No Auditing
Audit logon events = SUCCESS, FAILURE
Audit object access = No Auditing
Audit policy change = SUCCESS
Audit privilege use = SUCCESS, FAILURE
Audit process tracking = No Auditing
Audit system events = SUCCESS

d. Local Policies/User Rights Assignment

To configure the User Rights Assignment settings click on Start -> Run -> SECPOL.MSC then go to Local Policy -> User Rights Assignment and configure the settings as shown in the table below.

Policy = Recommended Settings
Access this computer from the network = Administrators, Authenticated Users
Act as part of the operating system = Revoke all security groups and accounts
Add workstations to domain = Administrators
Adjust memory quotas for a process = Administrators
Allow log on through Terminal Services = Administrators
Change the system time = Administrators
Debug programs = Revoke all security groups and accounts (this can prevent Windows 2003 from using Windows Update)
Deny access to this computer from the network = As per requirement (for example, add Anonymous Logon, Guest)
Deny log on as a batch job = As per requirement (for example, add Guests to deny the right)
Deny log on through Terminal Services = As per requirement
Force shutdown from a remote system = Administrators
Generate security audits = LOCAL SERVICE, NETWORK SERVICE
Impersonate a client after authentication = LOCAL SERVICE, NETWORK SERVICE
Increase scheduling priority = Administrators
Load and unload device drivers = Administrators
Lock pages in memory = Administrators
Log on as a batch job = Revoke all security groups and accounts
Manage auditing and security log = Administrators
Modify firmware environment values = Administrators
Perform volume maintenance tasks = Administrators
Profile single process = Administrators
Profile system performance = Administrators
Remove computer from docking station = Administrators
Replace a process level token = LOCAL SERVICE, NETWORK SERVICE
Restore files and directories = Administrators
Shut down the system = Administrators
Synchronize directory service data = Revoke all security groups and accounts
Take ownership of files and other objects = Administrators

e. Local Policies/Security Options

To configure the Security Options click on Start -> Run -> SECPOL.MSC, then go to Local Policy -> Security Options and configure the settings as shown in the table below.

Policy = Recommended Settings
Accounts: Guest account status = Disabled
Accounts: Limit local account use of blank passwords to console logon only = Enabled
Audit: Audit the access of global system objects (the server needs a restart for the configuration to take effect) = Disabled
Audit: Audit the use of Backup and Restore privilege (the server needs a restart for the configuration to take effect) = Disabled
Audit: Shut down system immediately if unable to log security audits = Disabled
Devices: Allow undock without having to log on = Disabled
Devices: Allowed to format and eject removable media = Administrators
Devices: Prevent users from installing printer drivers = Enabled
Devices: Restrict CD-ROM access to locally logged-on user only = Enabled
Devices: Restrict floppy access to locally logged-on user only = Enabled
Devices: Unsigned driver installation behavior = Do not allow installation
Interactive logon: Do not display last user name = Enabled
Interactive logon: Do not require CTRL+ALT+DEL = Disabled
Interactive logon: Message text for users attempting to log on = This system is for the use of authorized Wipro personnel only and by accessing this system you hereby consent to the system being monitored by Wipro. Any unauthorized use will be considered a breach of Wipro’s Information Security policies and may also be unlawful under law. Wipro reserves the right to take any action including disciplinary action or legal proceedings in a court of law against persons involved in the violation of the access restrictions herein.
Interactive logon: Message title for users attempting to log on = !!!WARNING!!!
Interactive logon: Number of previous logons to cache (in case domain controller is not available) = 0
Interactive logon: Prompt user to change password before expiration = 7 days
Interactive logon: Require Domain Controller authentication to unlock workstation = Disabled
Interactive logon: Smart card removal behavior = Disabled
Recovery console: Allow automatic administrative logon = Disabled
Recovery console: Allow floppy copy and access to all drives and all folders = Enabled
Shutdown: Allow system to be shut down without having to log on = Disabled
Shutdown: Clear virtual memory page file = Enabled

f. Event Log

Start -> Run -> eventvwr.msc and then click on the plus sign next to System Tools -> Event Viewer -> right click on Application log on the right hand side and click on Properties, then configure the settings as given in the table below.

Event = Settings
Maximum application log size = 102,400 KB
Maximum security log size = 102,400 KB
Maximum system log size = 102,400 KB
Retention method = Do not overwrite events (clear log manually)

g. Registry Settings

To configure the registry settings go to Start -> Run -> REGEDIT.

The following registry values have to be added to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters registry key.

Note: Security Operations strongly recommends backing up the registry before any changes are made to it.


Registry value entry (format: DWORD) = Recommended value (decimal)
EnableICMPRedirect = 0
SynAttackProtect = 1
EnableDeadGWDetect = 0
EnablePMTUDiscovery = 0
KeepAliveTime = 300,000
DisableIPSourceRouting = 2
TcpMaxConnectResponseRetransmissions = 2
TcpMaxDataRetransmissions = 3
PerformRouterDiscovery = 0
TCPMaxPortsExhausted = 5
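As an added example (not from the original guide), the batch file below applies the same ten values with reg.exe from an administrator command prompt, after exporting the key as the note above recommends. The backup file name is an assumption; the values take effect after a reboot.

```batch
@echo off
rem Added example, not part of the original guide: apply the TCP/IP registry table
rem with reg.exe instead of editing by hand in REGEDIT.
rem Assumes a local administrator session on Windows XP Professional.
setlocal
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

rem Back up the key first, as the guide recommends; undo later with: reg import <file>
reg export "%KEY%" "%SystemDrive%\tcpip-parameters-backup.reg"
if errorlevel 1 (
    echo Backup failed, no changes made
    goto :eof
)

rem Decimal values exactly as in the table (300,000 written without the separator)
call :setdword EnableICMPRedirect 0
call :setdword SynAttackProtect 1
call :setdword EnableDeadGWDetect 0
call :setdword EnablePMTUDiscovery 0
call :setdword KeepAliveTime 300000
call :setdword DisableIPSourceRouting 2
call :setdword TcpMaxConnectResponseRetransmissions 2
call :setdword TcpMaxDataRetransmissions 3
call :setdword PerformRouterDiscovery 0
call :setdword TcpMaxPortsExhausted 5

rem Verify: reg query prints REG_DWORD data in hex, e.g. 0x493e0 for 300000
reg query "%KEY%" /v SynAttackProtect
reg query "%KEY%" /v KeepAliveTime
endlocal
goto :eof

:setdword
rem %1 = value name, %2 = decimal data; /f overwrites an existing value without prompting
reg add "%KEY%" /v %1 /t REG_DWORD /d %2 /f >nul
if errorlevel 1 (echo FAILED %1) else (echo %1 = %2)
goto :eof
```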

Network security: LAN Manager authentication level

Importing a security template will take care of some or all of these:

1. Password policies, account lockouts, audit policy, LMhash, NTLM2, access memory, SAM accounts, force ctrl-alt-del

2. Make a user account which will be your primary user account, with
less than admin privileges. Change your admin password, now that you
have your policies set.

3. Secure passwords, especially making sure that the admin password is secure

4. Change the settings so you can see file extensions and hidden files. This is a lot more important than it used to be, now that many viruses use ‘double extensions’ (e.g., hi.txt.exe to make an executable look like a text file).

5. Turn off NetBIOS

6. Password protect your BIOS

7. Run the MS Baseline security analyzer

8. Look into getting a firewall other than ICF

9. Set Start Menu Security
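The Password Policy, Account Lockout, Audit Policy, Security Options and Event Log tables under ‘Change policies and audits’, and the security-template import mentioned in item 1 above, can be expressed as one template applied with secedit; the template below is an added example, not the guide's own file. The file names and the LAN Manager level it sets are assumptions, and the banner text is left as a placeholder to be pasted from the Security Options table.

```ini
; Added example, not the guide's own file: a security template (.inf) that applies the
; Password Policy, Account Lockout, Audit Policy, Security Options and Event Log tables
; in one step. Save as C:\hardening.inf (name assumed) and apply with:
;   secedit /configure /db %windir%\security\hardening.sdb /cfg C:\hardening.inf /log C:\hardening.log
; Assumes Windows XP Professional and an administrator session. Reboot afterwards.

[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Account Policies / Password Policy
PasswordHistorySize = 10
MaximumPasswordAge = 30
MinimumPasswordAge = 7
MinimumPasswordLength = 8
PasswordComplexity = 1
ClearTextPassword = 0
; Account Policies / Account Lockout Policy
LockoutBadCount = 3
ResetLockoutCount = 30
; "0 minutes" in the console means locked until an administrator unlocks it; in a template that is -1
LockoutDuration = -1
; Security Options: Accounts: Guest account status = Disabled
EnableGuestAccount = 0

[Event Audit]
; 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 0
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPolicyChange = 1
AuditPrivilegeUse = 3
AuditProcessTracking = 0
AuditSystemEvents = 1

; Event Log: 102,400 KB per log; AuditLogRetentionPeriod 2 = do not overwrite (clear manually)
[Application Log]
MaximumLogSize = 102400
AuditLogRetentionPeriod = 2
[Security Log]
MaximumLogSize = 102400
AuditLogRetentionPeriod = 2
[System Log]
MaximumLogSize = 102400
AuditLogRetentionPeriod = 2

[Registry Values]
; Security Options. Data is <type>,<value>: 1 = REG_SZ, 3 = REG_BINARY, 4 = REG_DWORD
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,"0"
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,"1"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,"1"
MACHINE\Software\Microsoft\Driver Signing\Policy=3,2
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"!!!WARNING!!!"
; Placeholder: paste the full banner from the Security Options table between the quotes
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=1,"<banner text from the table>"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,7
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"0"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
; LAN Manager authentication: the guide names this setting but gives no level, so level 3
; (send NTLMv2 only) and no LM hash storage are assumptions of this example, not the guide's values
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
```

After applying, the Local Security Policy console (SECPOL.MSC) shows the imported values, so the tables can be checked against it the same way as after manual configuration.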


Appendix A:

1. Net Logon Service: Enable the service if it is required in Services.
2. SNMP Service: Enable if it is required, and use complex community strings.
3. If you are facing problems in installing unsigned drivers, and you know that the device driver is valid, then enable the policy under Security Options which says Devices: Unsigned driver installation behavior; you can configure it to Warn but allow installation.
4. Increase the event log size based on your requirements if necessary.

Appendix B:

1. Signature verification when installing new software, system files and device drivers on your computer. To check for unsigned files, go to Start -> Run -> sigverif.
2. Security Operations recommends using a central SYSLOG server to store all the logs from different servers.
3. Do not use any third party remote access tools; use Terminal Services for all purposes.
4. Enable only the ports that are required by the server. This can be done as shown below:
Go to Network Connections -> Right Click Local Area Connection -> Internet Protocol (TCP/IP) -> Properties -> Advanced -> Options -> Properties -> Click on Permit only and add the ports for TCP, UDP, and IP.
5. NTP Synchronization: Synchronize the server with the BLR-EC-DC5.wipro.com NTP server; this can be done as shown below:
Go to Control Panel -> Date and Time -> Internet Time -> check the box which says automatically synchronize with an Internet Time Server and for the server type in blr-ec-dc5.wipro.com.

Appendix C:

1. Emergency Repair Disk (ERD): Use the backup utility program to create the Emergency Repair Disk (ERD) after installation of the OS and also when changes are made to the system.
2. Click Start -> Run -> type ‘ntbackup’ and choose Emergency Repair Disk.
