
OS Hardening Document for Windows XP Professional


Version 1.0

A.M. MOHAMED SAFI, Security Operations Team, MAY 2005.


(E-mail:- security.opr@wipro.com)

Security Operations

Confidential 1


Disclaimer
Recommendations contained in this document are generic and reflect the consensus of the Security Specialists of the Security Operations Team. The recommendations are intended to improve the security of the network, systems, and devices. Proper use of these recommendations requires careful analysis by the implementer based on his/her environment and requirements.

About
This guide is focused on creating a baseline security policy for Windows XP Professional.

Who should read this Document?


This guide is primarily intended for machine owners, systems architects, and IT professionals who are responsible for the deployment of Windows XP Professional.

Caution
The hardening guidelines should be followed before installing any applications on the OS.

Document Version Details

Date        Version   Changes Made                                           Prepared by         Reviewed by           Approved by
27-5-2005   1.0       Rebuilding and Hardening for Windows XP Professional   A.M. MOHAMED SAFI   G.S. Jayakaran Paul   Ravi Sogi


I. Introduction
This guide for rebuilding and hardening Windows XP Professional machines consists of two main parts and appendices. The first part contains a number of critical steps which everybody should take in order to prevent being infected with currently common worms. Other than the initial installation of Windows and running Windows Update, the hardening steps described in the first part should take less than 30 minutes. The second part consists of recommended changes, as well as some additional tips and tweaks which you may or may not wish to apply depending on your own situation. Critical steps are marked *Critical*, and suggested steps carry a short note describing why you may or may not choose to implement the suggestion. The entire first part is considered critical.

The majority of the guide is targeted towards XP machines which:

1. Are not part of a domain,
2. Do not have a remote systems administrator,
3. Are not dual booting with another OS,
4. Are not running any servers, and
5. Do not need to transfer files directly with Windows 95/98/ME machines.

Most of this guide is still applicable even if your computer does not fall cleanly into the above categories, but you may wish to be more careful when implementing some of the suggested steps. Any time you encounter an optional step which you are not familiar with, or are not sure about the result of, you should check up on the results of the step before implementing it. While following this guide step by step will result in an XP system with greatly improved security, it is no substitute for ongoing attention to good computing security, including keeping up with patches, maintaining an up-to-date virus definition list, and exercising care with email attachments.


*Critical* If you are rebuilding a machine, be sure to back up any data that you want to keep! Good choices for backing up include burning data onto CDs or DVDs, external hard drives, or tape drives. This guide assumes that you will be formatting your hard drive to perform a clean install of XP, which results in the loss of any data you may currently have on the hard drive.


II. Checklist

*Critical* Before you start on this guide, you should have:

1. A printed copy of this guide.
2. The Windows XP Professional installation disc on hand, as well as the registration codes.
3. The latest Symantec AntiVirus (currently version 9.0) installation disc on hand. Please note that Symantec has also been known as Norton. For the sake of consistency throughout this guide, we will refer to the company and product as Symantec.
4. The latest virus definition files for Symantec burnt onto a CD or downloaded onto a USB jump drive. The latest virus definition files can be downloaded from http://ec-ls3.wipro.com/intelligentupdater/
5. If you are rebuilding a machine, a backup of any of your old data, taken before you start!
6. A note of your network settings, taken before you rebuild, particularly:
   a. Static or DHCP IP address (if static, note the actual IP, as well as the gateway and subnet mask)
   b. DNS server (typically 10.200.50.100 and 10.200.52.100)


III. Rebuilding and Securing XP *Critical* (All new rebuilds should go through these steps)

1. Leave your network cable unplugged while initially installing XP. *Critical*

Depending on when you're rebuilding, you can get infected before you even log in the first time: the record for fastest re-infection of a newly rebuilt machine during the highest point of MS Blaster activity back in Sept '03 was 27 seconds.

2. When asked how you would like to format your hard drive, choose Format the partition using the NTFS file system
There are conditions under which you may want to choose FAT32 instead. If you have a Windows 95/98/ME machine which will need to access files stored on this XP machine, or you are dual-booting with Linux, then you will need to have at least one FAT32 partition. In general, though, NTFS is a better and more secure choice than FAT32.

3. Type in a strong Administrator password if (when) queried for it.

In no event should you use a blank password or a generic password such as administrator, password, etc. Many current worms attempt to guess passwords on mapped drives, and of course work through lists of generic passwords. A strong password is at least 8 characters long, has both letters and non-letter characters, and mixed upper and lower case, preferably something that'll mean something to you (e.g., TG2reBxp0). The sample password printed here is now public, so use it as a pattern, not as a password.


4. Since your network cable is unplugged, just accept the default networking info.
Unless you know that you are part of a domain, just select being part of a workgroup.

5. When prompted, select LAN, then (most likely) DHCP (Obtain IP automatically) and obtain DNS automatically.
If you have a static IP, you should enter the information from Step 6 of the check list here

6. When asked to input usernames, just input one for now.

It's easier to add more later than to add them now, since Setup doesn't prompt you for a password if you make them now, and it's easier just to make the entire account later after you have the proper security settings set up.

7. At this point, you should be past the entire initial configuration windows, and have the default (and insecure!) installation of Windows XP.
If you prefer other graphical settings than the default, go ahead and change them at the end of the guide since all the screenshots are taken with the default screens.

8. Put passwords on user accounts


Click on Start->Control Panel->User Accounts, double click on your user account, and click on Create a password. Be sure to choose a strong password, and be sure to have a password for every account on your computer.


9. Install Symantec AV from http://ec-ls3.wipro.com/intelligentupdater/ or CD

Choose Install Client, and Unmanaged, unless you know you are specifically supposed to do otherwise.

10. Run the Intelligent Updater from http://ec-ls3.wipro.com/intelligentupdater/ or CD

This is from the additional CD which you burnt for yourself, or which the Help Desk gave you. These are the crucial virus definition files which have been added since Symantec AV was first released; if you don't do this step, Symantec will not be able to catch most current viruses and worms.

11. Schedule automatic LiveUpdates

Click on the little golden shield icon in the lower right-hand corner of the screen; this opens the Symantec AntiVirus window (shown in the screenshot in the original document).

Check to make sure that the date after Version: is no older than the previous Wednesday (although it should probably be the date that you downloaded the Updater). While we're here, we might as well schedule future updates to happen automatically on a daily basis. Choose a time when you think that your machine will be online daily, and preferably when you won't be particularly busy working on it.


12. Be sure you have real time protection enabled

Check by going to Configure->File System Real Time Protection, and make sure the box marked Enable file system real time protection is checked.

13. Schedule regular Symantec scans

Make sure that you only select your local hard drive(s) (most likely just the C: drive). A weekly scan should be sufficient (feel free to change this to daily or monthly); pick a time when your computer will be on, but you won't be using it extensively. This should not be the same time as when you download your updates.

14. Configure your network connection without the network cable plugged in

Yes, your network cable should still be unplugged at this point. It's possible that Windows XP may already have a network configuration correctly set up for you, especially if you use DHCP, but you should still go through and check. Start->Control Panel->Network and Internet Connections->Network Connections (lower right hand area)


15. Turn off bridging

You may have bridging set up by default, such as for FireWire. A bridged connection may cause the network port you are connected to to disable itself automatically, depending on which building you are in.

16. Turn off Windows File and Printer sharing (optional)

Right click on your network connection(s), select Properties. You should be on the General tab; uncheck the File and Printer Sharing for Microsoft Networks box, then continue to the next step to turn on your firewall. With this unchecked, the machine no longer serves SMB shares, which is what the password-guessing worms mentioned in step 3 target.

17. Turn on ICF for your network connections

Right click on your network connection(s), select Properties (if you didn't already do so from the previous step). Select the Advanced tab, check the Protect my computer... box, then click OK. On Windows XP SP2 the Internet Connection Firewall was renamed Windows Firewall, and the Advanced tab instead has a Settings button under Windows Firewall; turn it On there. Your machine may freeze momentarily when you first turn on the firewall. You may want to get a different firewall later, but having ICF on in the meantime is better than nothing.


If you want to look into free firewalls available for personal use, you can check some of the references.

18. Plug your network cable in, and reboot your computer

Your computer is still insecure, but you'll need to get on the network to get the latest Windows patches. Patching your computer regularly is crucial, since new bugs and exploits are found regularly and fixed by new patches from http://patch.wipro.com

19. Reveal hidden files and extensions

Click on Start -> My Computer, then on Tools->Folder Options. Go to the View tab, and unselect Automatically search for network folders and printers, select Show hidden files and folders, unselect Hide extensions for known file types, unselect Hide protected operating system files, and unselect Use simple file sharing, then click Apply, and OK. Turning off simple file sharing is what makes the Security tab appear on files and folders, so NTFS permissions can be set; it also stops network logons being mapped to the Guest account.


20. Set Internet Explorer to at least Medium Security

Start Internet Explorer (Start->Internet Explorer), and select Tools->Internet Options. Select the Security tab, and be sure that the Security Level of the Internet zone is set to at least Medium. Click Apply, and OK.
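The Folder Options view settings, the simple-file-sharing switch and the firewall step above are all registry or netsh settings underneath, which is handy when several machines are rebuilt to the same baseline. The script below is an added example, not part of the original guide. It assumes Windows XP SP2 (for netsh firewall) with PowerShell 2.0 installed and an administrator account; the HKCU values apply to the account that runs it.

```powershell
# Added example (not from the original guide): the Folder Options view settings,
# the simple-file-sharing switch and the firewall mode from Part III, set from a
# script. Assumes Windows XP SP2 (netsh firewall) with PowerShell 2.0, run from an
# administrator account; the HKCU values apply to the account running the script.

$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Folder Options -> View checkboxes, per user:
#   Hidden = 1           Show hidden files and folders
#   HideFileExt = 0      do not hide extensions for known file types
#   ShowSuperHidden = 1  do not hide protected operating system files
#   NoNetCrawling = 1    do not automatically search for network folders and printers
$view = @{ Hidden = 1; HideFileExt = 0; ShowSuperHidden = 1; NoNetCrawling = 1 }
foreach ($name in $view.Keys) {
    Set-ItemProperty -Path $explorer -Name $name -Value $view[$name] -Type DWord
}

# "Use simple file sharing" is the machine-wide ForceGuest switch:
#   1 = every network logon is mapped to Guest (simple sharing)
#   0 = classic model: remote users authenticate as themselves and the Security
#       tab appears on files and folders so NTFS permissions can be edited
Set-ItemProperty -Path $lsa -Name ForceGuest -Value 0 -Type DWord

# Windows Firewall (ICF before SP2) for all connections; the GUI step does the
# same per adapter. 'exceptions=DISABLE' is the "Don't allow exceptions" box.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE
netsh firewall show state

# Read back what is now in effect. Explorer picks up the view settings at its
# next start (log off and on, or restart explorer.exe).
Get-ItemProperty -Path $explorer | Select-Object Hidden, HideFileExt, ShowSuperHidden, NoNetCrawling
Get-ItemProperty -Path $lsa -Name ForceGuest | Select-Object ForceGuest
```

Drop the `exceptions=DISABLE` argument if the machine must later accept inbound connections (Remote Desktop, a managed antivirus console); with it set, every inbound connection is refused regardless of the exception list.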


IV. Additional Security Measures


Here is a list of other suggested steps for hardening your Windows XP system. Detailed instructions are given for the services and policy settings below; the remaining items are listed at the end of this section.

1. Turn off unnecessary services


Start -> Run -> services.msc (or) Start -> Settings -> Control Panel -> Administrative Tools -> Services. Disable all the non-essential services, that is, services that are not required for your environment.


By default Windows starts certain services during the installation phase over which we do not have any control. We begin the build process by disabling services which are not required. Note: you may need to keep the following services running if you plan on using Microsoft Networking tools or sharing resources: Server (when sharing resources) and Workstation (when connecting to resources).

Note: ensure the services listed in the Non-Essential Services column are the only services set to Disabled. Several entries in the list (DHCP Server, File Replication, File Server for Macintosh, Intersite Messaging, Kerberos Key Distribution Center, Print Server for Macintosh, QoS Admission Control, SMTP, Simple TCP/IP Services, TCP/IP Print Server, WINS) are Windows 2000 Server services that are not present on a Windows XP Professional installation and can be ignored there. Four entries need care on XP: disable DHCP Client only if the machine has a static IP address; on XP SP2 the Windows Firewall runs inside the same service as Internet Connection Sharing, so disabling ICS also disables the firewall turned on in Part III; disabling Print Spooler removes local printing as well; and management tools such as the SP2 Security Center depend on Windows Management Instrumentation, so check dependencies before disabling WMI.


Non-essential Services (with service descriptions)

Alerter: Notifies selected users and computers of administrative alerts.
ClipBook: Supports ClipBook Viewer, which allows pages to be seen by remote ClipBooks.
Computer Browser: Maintains an up-to-date list of computers on your network and supplies the list to programs that request it.
DHCP Client: Manages network configuration by registering and updating IP addresses and DNS names.
DHCP Server: Allocates IP addresses and allows the advanced configuration of network settings such as DNS servers, WINS servers, and so on to DHCP clients automatically. If the DHCP Server service is turned off, DHCP clients will not receive IP addresses or network settings automatically.
Fax Service: Helps to send and receive faxes.
File Replication: Maintains file synchronization of file directory contents among multiple servers.
File Server for Macintosh: Enables Macintosh users to store and access files on this Windows server machine. If this service is turned off, Macintosh clients will not be able to view any NTFS shares.
Internet Connection Sharing: Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection.
Intersite Messaging: Allows sending and receiving messages between Windows Advanced Server sites.
Kerberos Key Distribution Center: Generates session keys and grants service tickets for mutual client/server authentication.
IPSEC Policy Agent: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
Messenger: Sends and receives messages transmitted by administrators or by the Alerter service.
NetLogon: Supports pass-through authentication of account logon events for computers in a domain.
NetMeeting Remote Desktop Sharing: Allows authorized people to remotely access your Windows desktop using NetMeeting.
Network DDE: Provides network transport and security for dynamic data exchange (DDE).
Network DDE DSDM: Manages shared dynamic data exchange and is used by Network DDE.
Print Server for Macintosh: Enables Macintosh clients to route printing to a print spooler located on a computer running Windows 2000 Server. If this service is stopped, printing will be unavailable to Macintosh clients.
Print Spooler: Loads files to memory for later printing.
QoS Admission Control: Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
Remote Access Auto Connection Manager: Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
Remote Access Connection Manager: Creates a network connection.
Remote Registry Service: Allows remote registry manipulation.
Removable Storage: Manages removable media, drives, and libraries.
Routing and Remote Access: Offers routing services to businesses in local area and wide area network environments.
RunAs Service: Enables starting processes under alternate credentials.
SMTP: The SMTP service is used as an e-mail submission and relay agent. It can accept and queue e-mail for remote destinations and retry at specified intervals. Windows domain controllers use the SMTP service for intersite e-mail-based replication. The Collaboration Data Objects (CDO) for Windows 2000 COM component can use the SMTP Service to submit and queue outbound e-mail. Other applications may use the SMTP Service as the basis for the SMTP support in their product, for example, Microsoft Exchange 2000 Server.
Simple TCP/IP Services: Echo (port 7, RFC 862), Discard (port 9, RFC 863), Character Generator (port 19, RFC 864), Daytime (port 13, RFC 867), Quote of the Day (port 17, RFC 865). Once the service is enabled, all five protocols are enabled on all adapters. There is no provision for selectively enabling specific services or enabling this service on a per-adapter basis. Disabling the service has no effect on the rest of the operating system.
Smart Card: Manages and controls access to a smart card inserted into a smart card reader attached to the computer.
Smart Card Helper: Provides support for legacy smart card readers attached to the computer.
TCP/IP Print Server: Enables TCP/IP-based printing using the Line Printer Daemon protocol. If this service is stopped, TCP/IP-based printing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Telephony: Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
WINS: Enables NetBIOS name resolution. Presence of the WINS server(s) is crucial for locating the network resources identified using NetBIOS names. WINS servers are required unless all domains have been upgraded to Active Directory and all computers on the network are running Windows 2000. Disabling or turning off WINS results in the following: location of the Windows NT 4 domains fails; location of Windows 2000 Active Directory domains by Windows NT 4 clients fails; NetBIOS name resolution fails unless a device whose name should be resolved is on the same subnet as the device attempting name resolution and the latter is configured to attempt NetBIOS name resolution using broadcast.
WMI: Provides system management information.
WMI Extensions Driver: Provides systems management information to and from drivers.
Task Scheduler: Enables a program to run at a designated time. (Disable this service only if it's not required for this particular machine.)
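Working through the table above in the Services console is slow and easy to get wrong on more than a couple of machines. The script below is an added example, not part of the original guide: it takes the XP short names of the services in the table, disables those that exist, and then lists anything on the list that is still enabled. It assumes PowerShell 2.0 on Windows XP Professional and an administrator prompt; the short names are the ones registered in the Service Control Manager (sc query shows them), and the entries deliberately left out of the list are explained in the comments.

```powershell
# Added example (not from the original guide): disable the guide's list of
# non-essential services on Windows XP Professional and report what is left.
# Assumes PowerShell 2.0 and an administrator prompt.
# Service short names (the names sc query shows) for the entries in the table
# that exist on XP Professional. Entries that are Windows 2000 Server services
# (DHCP Server, WINS, SMTP, File Replication, ...) are not present on XP and
# would be skipped by the existence check below anyway.
$nonEssential = @(
    'Alerter',          # Alerter
    'ClipSrv',          # ClipBook
    'Browser',          # Computer Browser
    'Fax',              # Fax Service (only present if the Fax component is installed)
    'PolicyAgent',      # IPSEC Services (IPSEC Policy Agent)
    'Messenger',        # Messenger
    'Netlogon',         # Net Logon (not needed outside a domain)
    'mnmsrvc',          # NetMeeting Remote Desktop Sharing
    'NetDDE',           # Network DDE
    'NetDDEdsdm',       # Network DDE DSDM
    'Spooler',          # Print Spooler (disabling it removes local printing too)
    'RasAuto',          # Remote Access Auto Connection Manager
    'RasMan',           # Remote Access Connection Manager
    'RemoteRegistry',   # Remote Registry
    'NtmsSvc',          # Removable Storage
    'RemoteAccess',     # Routing and Remote Access
    'SCardSvr',         # Smart Card
    'SCardDrv',         # Smart Card Helper
    'TapiSrv',          # Telephony
    'Wmi',              # Windows Management Instrumentation Driver Extensions
    'Schedule'          # Task Scheduler: remove this line if scheduled jobs are needed
)
# Deliberately NOT in the list, although the table names them:
#   Dhcp          (DHCP Client)   - required unless the machine has a static IP address
#   SharedAccess  (ICS)           - on XP SP2 this same service hosts Windows Firewall
#   seclogon      (RunAs)         - needed to run admin tools from a non-admin account
#   winmgmt       (WMI)           - this script and the SP2 Security Center depend on it

foreach ($name in $nonEssential) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) {
        Write-Host ("{0,-16} not installed, skipped" -f $name)
        continue
    }
    if ($svc.StartMode -eq 'Disabled') {
        Write-Host ("{0,-16} already disabled ({1})" -f $name, $svc.DisplayName)
        continue
    }
    # Stop it now so the change is effective immediately, not only after a reboot.
    if ($svc.State -eq 'Running') {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
    }
    Set-Service -Name $name -StartupType Disabled
    Write-Host ("{0,-16} {1} -> Disabled ({2})" -f $name, $svc.StartMode, $svc.DisplayName)
}

# Verification: anything from the list that is installed but still not Disabled.
Get-WmiObject -Class Win32_Service |
    Where-Object { $nonEssential -contains $_.Name -and $_.StartMode -ne 'Disabled' } |
    Format-Table Name, DisplayName, StartMode, State -AutoSize
```

The verification pass at the end is the part worth keeping: run it again after Windows Update or an application install, since both can re-enable services.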


2. Change policies and audits

a. Account Policies/Password Policy:

Click on Start -> Run -> SECPOL.MSC, then click on the plus sign next to Account Policies -> Password Policy and change the settings as given in the Password Policy table below.

Policy                                          Recommended Settings
Enforce password history                        10 passwords remembered
Maximum password age                            30 days
Minimum password age                            7 days
Minimum password length                         8 characters
Password must meet complexity requirements      Enabled
Store password using reversible encryption      Disabled

b. Account Policies/Account Lockout Policy


Click on Start -> Run -> SECPOL.MSC then click on the plus sign next to Account Policy -> Account Lockout Policy and change the settings as given in the table below

Policy                                  Recommended Settings
Account lockout duration                0 minutes (the account stays locked until an administrator unlocks it)
Account lockout threshold               3 invalid logon attempts
Reset account lockout counter after     30 minutes

Note that with a threshold of 3 and an indefinite lockout, anyone who can reach the logon prompt or a share can lock an account out deliberately; the built-in Administrator account is exempt from lockout at the console, so it remains available to unlock the others.

c. Local Policies/Audit Policy


To configure the Audit Policy Settings click on Start -> Run -> SECPOL.MSC -> Local Policy -> Audit Policy and configure the policies based on the table below.


Policy                               Recommended Settings
Audit account logon events           Success, Failure
Audit account management             Success, Failure
Audit directory service access       No auditing
Audit logon events                   Success, Failure
Audit object access                  No auditing
Audit policy change                  Success
Audit privilege use                  Success, Failure
Audit process tracking               No auditing
Audit system events                  Success

d. Local Policies/User Rights Assignment


To configure the user rights assignments, click on Start -> Run -> SECPOL.MSC, then go to Local Policies -> User Rights Assignment and configure the settings as shown in the table below.

Policy                                            Recommended Settings
Access this computer from the network             Administrators, Authenticated Users
Act as part of the operating system               Revoke all security groups and accounts
Add workstations to domain                        Administrators
Adjust memory quotas for a process                Administrators
Allow log on through Terminal Services            Administrators
Change the system time                            Administrators
Debug programs                                    Revoke all security groups and accounts (the source notes that this can prevent Windows Update from working on Windows 2003)
Deny access to this computer from the network     As per requirement (for example, add Anonymous logons and Guest)
Deny log on as a batch job                        As per requirement (for example, add Guests)
Deny log on through Terminal Services             As per requirement
Force shutdown from a remote system               Administrators
Generate security audits                          LOCAL SERVICE, NETWORK SERVICE
Impersonate a client after authentication         LOCAL SERVICE, NETWORK SERVICE
Increase scheduling priority                      Administrators
Load and unload device drivers                    Administrators
Lock pages in memory                              Administrators
Log on as a batch job                             Revoke all security groups and accounts
Manage auditing and security log                  Administrators
Modify firmware environment values                Administrators
Perform volume maintenance tasks                  Administrators
Profile single process                            Administrators
Profile system performance                        Administrators
Remove computer from docking station              Administrators
Replace a process level token                     LOCAL SERVICE, NETWORK SERVICE
Restore files and directories                     Administrators
Shut down the system                              Administrators
Synchronize directory service data                Revoke all security groups and accounts
Take ownership of files and other objects         Administrators

e. Local Policies/Security Options


To configure the security options, click on Start -> Run -> SECPOL.MSC, then go to Local Policies -> Security Options and configure the settings as shown in the table below.

Policy                                                                               Recommended Settings
Accounts: Guest account status                                                       Disabled
Accounts: Limit local account use of blank passwords to console logon only           Enabled
Audit: Audit the access of global system objects (restart required to take effect)   Disabled
Audit: Audit the use of Backup and Restore privilege (restart required to take effect)   Disabled
Audit: Shut down system immediately if unable to log security audits                 Disabled
Devices: Allow undock without having to log on                                       Disabled
Devices: Allowed to format and eject removable media                                 Administrators
Devices: Prevent users from installing printer drivers                               Enabled
Devices: Restrict CD-ROM access to locally logged-on user only                       Enabled
Devices: Restrict floppy access to locally logged-on user only                       Enabled
Devices: Unsigned driver installation behavior                                       Do not allow installation
Interactive logon: Do not display last user name                                     Enabled
Interactive logon: Do not require CTRL+ALT+DEL                                       Disabled
Interactive logon: Message title for users attempting to log on                      !!!WARNING!!!
Interactive logon: Message text for users attempting to log on                       This system is for the use of authorized Wipro personnel only and by accessing this system you hereby consent to the system being monitored by Wipro. Any unauthorized use will be considered a breach of Wipro's Information Security policies and may also be unlawful under law. Wipro reserves the right to take any action including disciplinary action or legal proceedings in a court of law against persons involved in the violation of the access restrictions herein.
Interactive logon: Number of previous logons to cache (in case domain controller is not available)   0
Interactive logon: Prompt user to change password before expiration                  7 days
Interactive logon: Require Domain Controller authentication to unlock workstation    Disabled
Interactive logon: Smart card removal behavior                                       Disabled (the policy's choices are No Action, Lock Workstation and Force Logoff; No Action is the equivalent of Disabled)
Recovery console: Allow automatic administrative logon                               Disabled
Recovery console: Allow floppy copy and access to all drives and all folders         Enabled
Shutdown: Allow system to be shut down without having to log on                      Disabled
Shutdown: Clear virtual memory page file                                             Enabled

f. Event Log

Start -> Run -> eventvwr.msc, then right click each of the Application, Security and System logs in the console tree, click Properties, and configure the settings as given in the table below.

Event log setting                   Recommended Setting
Maximum application log size        102,400 KB
Maximum security log size           102,400 KB
Maximum system log size             102,400 KB
Retention method                    Do not overwrite events (clear log manually)

With this retention method a full log silently discards new events until it is cleared (the Security Option "Shut down system immediately if unable to log security audits" is left Disabled above), so archive and clear the logs on a schedule, or forward them to the central syslog server recommended in Appendix B.

g. Registry Settings

To configure the registry settings, go to Start -> Run -> REGEDIT. The following registry values have to be added under the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters.

Note: Security Operations strongly recommends backing up the registry before any changes are made to it.

Registry Value                            Format    Recommended Value (Decimal)
EnableICMPRedirect                        DWORD     0
SynAttackProtect                          DWORD     1
EnableDeadGWDetect                        DWORD     0
EnablePMTUDiscovery                       DWORD     0
KeepAliveTime                             DWORD     300,000
DisableIPSourceRouting                    DWORD     2
TcpMaxConnectResponseRetransmissions      DWORD     2
TcpMaxDataRetransmissions                 DWORD     3
PerformRouterDiscovery                    DWORD     0
TCPMaxPortsExhausted                      DWORD     5

KeepAliveTime is in milliseconds (300,000 = 5 minutes). Setting EnablePMTUDiscovery to 0 makes TCP use a 576-byte MTU for all connections to hosts outside the local subnet, which removes the forged ICMP fragmentation-needed attack at a cost in throughput. The TCP/IP stack reads these values when it starts, so reboot after changing them.
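The values in the table can be applied with the backup the note asks for and a read-back check of the result. The script below is an added example, not part of the original guide; it assumes PowerShell 2.0, an administrator prompt and a C:\Backup folder (a chosen location, not one the guide specifies).

```powershell
# Added example (not from the original guide): apply the TCP/IP parameter values
# from the table above, after exporting the key so the change can be undone.
# Assumes PowerShell 2.0, an administrator prompt and a writable C:\Backup
# (a chosen location). The stack reads these values at start-up, so reboot afterwards.

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$regKey  = 'HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'   # reg.exe syntax
$backup  = 'C:\Backup\Tcpip-Parameters-before.reg'

New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
Remove-Item $backup -ErrorAction SilentlyContinue
reg export $regKey $backup            # double-click this .reg file to restore the old values
if (-not (Test-Path $backup)) { throw "backup not written, stopping before any change" }

$settings = @{
    EnableICMPRedirect                   = 0        # ignore ICMP redirects
    SynAttackProtect                     = 1        # SYN flood back-off
    EnableDeadGWDetect                   = 0        # do not switch gateways on packet loss
    EnablePMTUDiscovery                  = 0        # fixed 576-byte MTU off-subnet
    KeepAliveTime                        = 300000   # ms; 5 minutes
    DisableIPSourceRouting               = 2        # drop all source-routed packets
    TcpMaxConnectResponseRetransmissions = 2
    TcpMaxDataRetransmissions            = 3
    PerformRouterDiscovery               = 0        # ignore ICMP router advertisements
    TcpMaxPortsExhausted                 = 5
}

foreach ($name in $settings.Keys) {
    $old = (Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue).$name
    if ($old -eq $null) { $old = '(absent)' }
    Set-ItemProperty -Path $keyPath -Name $name -Value $settings[$name] -Type DWord
    Write-Host ("{0,-38} {1,9} -> {2}" -f $name, $old, $settings[$name])
}

# Read back and warn about anything that did not stick.
$now = Get-ItemProperty -Path $keyPath
$settings.Keys |
    Where-Object { $now.$_ -ne $settings[$_] } |
    ForEach-Object { Write-Warning ("{0} is {1}, expected {2}" -f $_, $now.$_, $settings[$_]) }
```

The exported .reg file is the rollback: merging it restores every value in the key to what it was before the script ran.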

Network security: LAN Manager authentication level: no value is given for this Security Option in this version of the guide; item 1 below covers the LM hash and NTLMv2 settings.

Importing a security template will take care of some or all of these:

1. Password policies, account lockouts, audit policy, LM hash, NTLMv2, access memory, SAM accounts, force Ctrl-Alt-Del.
2. Make a user account which will be your primary user account, with less than admin privileges. Change your admin password, now that you have your policies set.
3. Secure passwords, especially making sure that the admin password is secure.
4. Change the settings so you can see file extensions and hidden files. This is a lot more important than it used to be, now that many viruses use double extensions (e.g., hi.txt.exe to make an executable look like a text file).
5. Turn off NetBIOS.
6. Password protect your BIOS.
7. Run the MS Baseline Security Analyzer.
8. Look into getting a firewall other than ICF.
9. Set Start Menu security.
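Item 1 above refers to importing a security template: the password, lockout, audit, user-rights, security-option and event-log tables in sections a to f can be written as one .inf template and applied with secedit, which is repeatable across machines and leaves an analysis database for later drift checks. The script below is an added example, not part of the original guide. It assumes PowerShell 2.0, an administrator prompt and a C:\Hardening folder (a chosen location); the user-rights section shows a representative subset of the table, and the NoLMHash/LmCompatibilityLevel lines are assumed values, since the guide names LM hash and NTLMv2 but gives no setting.

```powershell
# Added example (not from the original guide): sections a to f above as a
# security template, imported with secedit. Assumes PowerShell 2.0, an
# administrator prompt and a writable C:\Hardening (a chosen location).
# The NoLMHash / LmCompatibilityLevel lines are ASSUMED values: the guide
# names LM hash and NTLMv2 but gives no setting.

$dir = 'C:\Hardening'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Snapshot the current local policy so the import can be reverted later
# (secedit /configure /db revert.sdb /cfg before.inf).
secedit /export /cfg "$dir\before.inf" /quiet

$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; a. Password policy (ClearTextPassword 0 = no reversible encryption)
PasswordHistorySize = 10
MaximumPasswordAge = 30
MinimumPasswordAge = 7
MinimumPasswordLength = 8
PasswordComplexity = 1
ClearTextPassword = 0
; b. Account lockout policy; LockoutDuration -1 is the template form of the
;    GUI's 0 minutes, i.e. locked until an administrator unlocks the account
LockoutBadCount = 3
ResetLockoutCount = 30
LockoutDuration = -1
; e. Accounts: Guest account status
EnableGuestAccount = 0

[Event Audit]
; c. 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 0
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPolicyChange = 1
AuditPrivilegeUse = 3
AuditProcessTracking = 0
AuditSystemEvents = 1

[Privilege Rights]
; d. Representative rows of the user-rights table. Well-known SIDs:
;    S-1-5-32-544 Administrators, S-1-5-11 Authenticated Users,
;    S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE. An empty value revokes the right.
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeTcbPrivilege =
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeSystemtimePrivilege = *S-1-5-32-544
SeDebugPrivilege =
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeBatchLogonRight =
SeSecurityPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544

[Registry Values]
; e. Security Options. Value types: 1 REG_SZ, 3 REG_BINARY, 4 REG_DWORD, 7 REG_MULTI_SZ
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,"0"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,"1"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,"1"
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1
MACHINE\Software\Microsoft\Driver Signing\Policy=3,2
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"!!!WARNING!!!"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,This system is for the use of authorized Wipro personnel only and by accessing this system you hereby consent to the system being monitored by Wipro. Any unauthorized use will be considered a breach of Wipro's Information Security policies and may also be unlawful under law. Wipro reserves the right to take any action including disciplinary action or legal proceedings in a court of law against persons involved in the violation of the access restrictions herein.
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,7
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"0"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
; ASSUMED (not specified by the guide): no LM hash at next password change, send NTLMv2 only
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3

[Application Log]
; f. MaximumLogSize in KB; AuditLogRetentionPeriod 2 = do not overwrite (clear manually)
MaximumLogSize = 102400
AuditLogRetentionPeriod = 2
[Security Log]
MaximumLogSize = 102400
AuditLogRetentionPeriod = 2
[System Log]
MaximumLogSize = 102400
AuditLogRetentionPeriod = 2
'@

Set-Content -Path "$dir\xp-baseline.inf" -Value $template -Encoding Unicode

# Import: the .sdb is the analysis database secedit needs; the log names any line it rejected.
secedit /configure /db "$dir\xp-baseline.sdb" /cfg "$dir\xp-baseline.inf" /log "$dir\configure.log" /quiet
# Re-check the live machine against the template; drift shows up as "Mismatch" lines.
secedit /analyze /db "$dir\xp-baseline.sdb" /log "$dir\analyze.log" /quiet
Get-Content "$dir\analyze.log" | Select-String -Pattern 'Mismatch'
```

Keep before.inf: importing it back into a fresh database with secedit /configure is the only clean way to undo a template, since secedit has no uninstall. The analyze step can be rerun at any time to list settings that have drifted from the baseline.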


Appendix A:
1. Net Logon service: enable the service if it is required (in Services).
2. SNMP service: enable only if it is required, and use complex community strings.
3. If you are facing problems installing unsigned drivers, and you know that the device driver is valid, then change the policy under Security Options called Devices: Unsigned driver installation behavior to Warn but allow installation.
4. Increase the event log size based on your requirements if necessary.

Appendix B:
1. Signature verification when installing new software on your computer, system files and device drivers. To check for unsigned files, go to Start -> Run -> sigverif.
2. Security Operations recommends using a central SYSLOG server to store all the logs from different servers.
3. Do not use any third party remote access tools; use Terminal Services for all purposes.
4. Enable only the ports that are required by the server. This can be done as shown below: go to Network Connections -> right click Local Area Connection -> Properties -> Internet Protocol (TCP/IP) -> Properties -> Advanced -> Options -> TCP/IP filtering -> Properties -> click on Permit Only and add the ports for TCP, UDP, and IP. TCP/IP filtering is stateless and inspects inbound packets only: for TCP it filters incoming connection attempts, so connections the machine itself opens still work, but for UDP every inbound datagram is checked against the permit list, so restrict UDP with care (DNS replies arrive on ephemeral ports and will be dropped by a UDP permit-only list that does not cover them). A reboot is required for the change to take effect.
5. NTP synchronization: synchronize the server with the BLR-ECDC5.wipro.com NTP server. This can be done as shown below: go to Control Panel -> Date and Time -> Internet Time, check the box which says Automatically synchronize with an Internet time server, and for the server type in blr-ec-dc5.wipro.com. (The Internet Time tab is not shown on domain-joined machines, which synchronize with the domain instead.)

Appendix C:
1. Emergency Repair Disk (ERD): use the Backup utility to create an Emergency Repair Disk after installation of the OS, and again whenever changes are made to the system.
2. Click Start -> Run -> type ntbackup and choose Emergency Repair Disk. Note that the Backup utility in Windows XP no longer offers an ERD; its equivalent is the Automated System Recovery Wizard on the same Welcome screen, which writes the system state to a backup medium plus a floppy.
