Peer-to-peer networking can increase productivity by making it easy to share information and resources on your network. However, the ability of computer users to control access to their computer can leave them vulnerable to information theft, loss, or inadvertent sharing of information. That is why, in addition to enforcing a corporate computing policy, you should make sure you and your employees understand the basics of Windows peer-to-peer networking and security. Some basic best practices include:
• Staying current with Windows security updates
• Using antivirus software
• Using Internet Connection Firewall
• Using strong passwords
• Not sharing files and folders with hosts on the Internet
• Restricting permissions on shared folders to the minimum required
• Sharing only the minimum folders required
• Disabling sharing wherever it is not required
With the increasing threat of malicious code—such as worms, viruses, and hacker threats—it is critical that all customers take immediate action to help lock down their desktop and portable computers. This document explains how to implement the security measures for a small or medium business environment where peer-to-peer networking is used. These recommendations help ensure that your computers running Microsoft Windows XP Professional Service Pack 1 (SP1) are more secure from the majority of current security threats, while ensuring that users can continue to be efficient and productive on their computers.
The following tasks are included in this document:
• Securing the file system
• Securing user accounts
• Securing access from the network
• Updating security patches
• Checking security with the Microsoft Baseline Security Analyzer
In addition to the advanced step-by-step guidance in this document, you will also find information about the top security recommendations that Microsoft is making to all customers, from home customers to enterprise customers.
IMPORTANT: All the step-by-step instructions included in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps may differ slightly.
As with any security recommendations, this guidance strives to find the right balance between enhanced security and usability. The recommendations provided here will work successfully for Windows XP Professional deployments in a wide variety of environments. However, before implementing these recommendations you should note that this document does not address the wide variety of needs and configurations that may be required in a large corporation. In addition, the guidance may not fully address the specific security needs of some organizations.
The recommendations in this document apply only to computers running Windows XP Professional with Service Pack 1 (SP1) or SP1(a) that are members of a WORKGROUP. If Service Pack 1 is not installed on a particular computer or if you do not know whether it is installed, you can go to the Windows Update page on the Microsoft Web site at http://windowsupdate.microsoft.com, and have Windows Update scan your computer for available updates. If Service Pack 1 shows up as an available update, install it before proceeding with the procedures in this document.
You must be logged on as an administrator or a member of the Administrators group in order to complete the following procedures. If your computer is connected to a network, network policy settings might also prevent you from completing these procedures.
A file system is the way that directories and files are organized on a computer. There are several ways to protect your file system from unauthorized access, alteration or deletion. This section provides the following step-by-step instructions for securing the file system:
• Converting file systems to NTFS
• Using antivirus software
• Protecting file shares
• Securing shared folders
• Disabling or deleting unnecessary accounts
During the Windows XP setup process, computers are configured to use either the FAT32 or NTFS file system. FAT32 is an older technology used by previous versions of Windows. The NTFS file system is faster and more secure than FAT32. For optimal performance and security of the operating system, use NTFS on all file system partitions on your computer.
Before converting the file system on your computer, you need to verify that you are not using NTFS already. Use the following steps to check the file system type on your computer. If these steps help you confirm that you are already using NTFS, you can skip Converting the File System to NTFS below.
• To check the file system type on your computer
Check the file system type for all disks on the computer. Even if the file system was configured as FAT32 when the operating system was installed, it can be easily converted to NTFS to provide additional security.
To convert the file system to NTFS, take note of the name of the disk otherwise known as the volume label (C Drive in the preceding example) and complete the following steps.
• To convert the file system to NTFS
Note: If you are attempting to convert the drive where the operating system is installed, you might be prompted to schedule the conversion to occur the next time the system is restarted. If this occurs, type Y, and then restart the computer.
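The check and the conversion described above can also be done from a PowerShell prompt. The script below is an added example, not part of the original guide or a Microsoft tool: it lists every local fixed disk that is not yet NTFS (with the volume label that convert.exe asks for) and, only when the -Apply switch is given, runs the built-in convert.exe on a drive. It assumes PowerShell with WMI access on the computer being checked; the function names are the author's own.

```powershell
# Added example (not from the original guide): find local fixed disks that still use
# FAT or FAT32 and optionally convert them with the built-in convert.exe.
# Assumes PowerShell with WMI access (Get-WmiObject) on the computer being checked.

function Get-NonNtfsVolumes {
    # DriveType 3 = local fixed disk; removable and network drives are skipped on purpose
    Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType = 3" |
        Where-Object { $_.FileSystem -ne 'NTFS' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Drive       = $_.DeviceID      # e.g. "C:"
                FileSystem  = $_.FileSystem    # e.g. "FAT32"
                VolumeLabel = $_.VolumeName    # convert.exe prompts for this label
            }
        }
}

function Convert-VolumeToNtfs {
    param(
        [Parameter(Mandatory = $true)][string]$Drive,   # e.g. "D:"
        [switch]$Apply                                  # without -Apply only the command is shown
    )
    if (-not $Apply) {
        Write-Host "Would run: convert.exe $Drive /FS:NTFS"
        return
    }
    # The drive holding Windows cannot be converted while it is in use; convert.exe
    # then offers to schedule the conversion for the next restart (answer Y and reboot).
    & convert.exe $Drive /FS:NTFS
}

# Usage: report the volumes that still need conversion, then convert them one at a time.
$pending = @(Get-NonNtfsVolumes)
if ($pending.Count -eq 0) {
    Write-Host "All local fixed disks already use NTFS."
} else {
    $pending | Format-Table Drive, FileSystem, VolumeLabel -AutoSize
    foreach ($v in $pending) { Convert-VolumeToNtfs -Drive $v.Drive }   # add -Apply to convert
}
```

Run the script once without -Apply to confirm which drives are affected and to note each volume label; converting is one-way, so check the list before adding -Apply.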
Computer viruses are programs that are loaded on to your system without your knowledge or approval. Viruses and other forms of malicious software have been around for years. Today's viruses can replicate themselves and use the Internet and e-mail applications to spread across the world within hours.
An antivirus software program will help protect your computer against many known viruses, worms, Trojan horses, and other malicious code. Antivirus software continually scans your computer for viruses and helps detect and remove them. Installing antivirus software only solves part of the problem - keeping the antivirus signature files up-to-date is critical to maintaining a secure desktop or portable computer.
Many new computers come with antivirus software already installed. However, antivirus software requires a subscription to stay up-to-date. If you don't have a current subscription for these updates, your computer is likely to be vulnerable to new threats.
User education regarding safe e-mail practices is another critical step in preventing virus attacks. Users should not open an e-mail or take action on an e-mail attachment unless they are expecting the file. All e-mail attachments should be scanned with the antivirus software before they are opened or run.
For a list of the software vendors that provide antivirus software compatible with Windows XP, see http://support.microsoft.com/kb/49500.
By default, computers running Windows XP Professional that are not connected to a domain use a network access model called "Simple File Sharing" in which all attempts to log on to the computer from across the network are forced to use the Guest account. This means that network access through Server Message Block (SMB), used for file and print access, as well as Remote Procedure Call (RPC), used by most remote management tools and remote registry access, will be available only to the Guest account.
In the Simple File Sharing model, you can create file shares so that network users can be limited to read-only access or so that network users can read, create, change, and delete files. Simple File Sharing is intended for use on a home network and behind a firewall, such as Internet Connection Firewall provided by Windows XP. If you are connected to the Internet, and are not operating behind a firewall, remember that any file shares you create might be accessible to any user on the Internet.
Windows peer-to-peer networking allows you to share the contents of your file system with other computers on the network. The following set of steps assumes that you have already shared one or more folders in your file system. By changing some of the default file system settings, you can make unauthorized access to your shared folders more difficult.
• To secure a shared folder
Notes:
• You can set permissions only on drives formatted to use the NTFS file system.
• If the check boxes on the Permissions dialog box are not available, the permissions are inherited from the parent folder.
• To change permissions, you must be the user who created the shared folder or have permission from the user who created it.
• Groups or users who have Full Control permissions for a folder can delete files and subfolders in that folder, regardless of the permissions that otherwise protect the files and subfolders.
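The following script is an added example, not code from the original guide or from Microsoft. It audits the folders this computer shares, checks that each one sits on an NTFS volume (the notes above explain that permissions cannot be set otherwise), and flags NTFS permission entries that give Everyone, Guests or Users more than read access. A second function replaces the explicit Everyone entries on a folder with read-only access, leaving inherited entries alone since those must be changed on the parent folder. It assumes PowerShell with WMI access and administrator rights; share names and paths are whatever is configured locally. Share-level permissions (the Permissions button on the Sharing tab) are a separate layer that this script does not change.

```powershell
# Added example (not from the original guide): audit shared folders and tighten
# NTFS permissions for Everyone. Assumes PowerShell with WMI access and admin rights.

function Get-ShareAudit {
    # Type 0 = ordinary disk share; hidden admin shares (C$, ADMIN$) use a different type
    $shares = Get-WmiObject -Class Win32_Share -Filter "Type = 0"
    foreach ($share in $shares) {
        $drive = $share.Path.Substring(0, 2)                              # e.g. "C:"
        $fs = (Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID = '$drive'").FileSystem
        $risky = @()
        if ($fs -eq 'NTFS') {
            $acl = Get-Acl -Path $share.Path
            foreach ($ace in $acl.Access) {
                $who    = $ace.IdentityReference.Value
                $broad  = ($who -eq 'Everyone') -or ($who -like '*\Guests') -or ($who -like '*\Users')
                $writes = ($ace.FileSystemRights.ToString() -match 'FullControl|Modify|Write')
                if ($ace.AccessControlType -eq 'Allow' -and $broad -and $writes) {
                    $risky += "$who : $($ace.FileSystemRights)"
                }
            }
        }
        New-Object PSObject -Property @{
            Share      = $share.Name
            Path       = $share.Path
            FileSystem = $fs                      # NTFS permissions only exist on NTFS volumes
            RiskyACEs  = ($risky -join '; ')      # empty string means nothing broad and writable
        }
    }
}

function Restrict-EveryoneToRead {
    param([Parameter(Mandatory = $true)][string]$Path)
    $acl = Get-Acl -Path $Path
    # Remove only explicit Everyone entries; inherited ones must be changed on the parent
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and -not $_.IsInherited } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    $everyone = New-Object System.Security.Principal.NTAccount('Everyone')
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $everyone, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Usage: review the audit first, then tighten the folders that were flagged.
$audit = Get-ShareAudit
$audit | Format-Table Share, Path, FileSystem, RiskyACEs -AutoSize
foreach ($entry in $audit) {
    if ($entry.FileSystem -eq 'NTFS' -and $entry.RiskyACEs -ne '') {
        Write-Host "Tightening $($entry.Path)"
        Restrict-EveryoneToRead -Path $entry.Path
    }
}
```

If a share must stay writable for some people, grant that group Modify rather than leaving Everyone with Full Control; the last note above explains why Full Control on a folder overrides the protection of the files inside it.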
After installing Windows XP Professional, disable or delete any user accounts that you do not require.
• To disable an account
• To delete an account
By using passwords, disabling or deleting unnecessary accounts, and setting account lockout, you can reduce the chances of unauthorized access to your computer.
It is important to set passwords for all user accounts created on a Windows-based computer for two reasons. Firstly, leaving a password blank allows anyone to access the computer by using that user account.
Secondly, by default, local user accounts without a password can only log directly on to a computer at the console logon screen and cannot log on remotely. This restriction does not apply to domain accounts or to the local Guest account. If the Guest account is enabled and has a blank password, it can be used to log on and access any resource on a peer-to-peer network authorized for access by the Guest account.
• To set or reset a password for an existing user account
This setting recommendation applies only to computers running Windows XP Professional that belong to a domain or to computers that do not use the Simple File Sharing model.
On computers running Windows XP Professional that are not connected to a domain, users who attempt to log on from across the network are forced to use the Guest account by default. This requirement prevents attackers on the Internet from logging on to the system by using a local Administrator account that has no password.
To allow remote logon by using a Guest account, ensure that the Guest account is enabled on all computers running Windows XP Professional that are not joined to a domain. The local Guest account is enabled by default.
• To disable the Guest account
Note: Users who log on to a computer using the Guest account do not have access to password-protected files, folders, and settings.
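The account hygiene this section describes (disabling or deleting unneeded accounts, requiring passwords, disabling Guest, setting account lockout) can be audited and applied from PowerShell with the built-in net.exe. The script below is an added example, not from the original guide or from Microsoft: the audit lists local accounts with their enabled state and whether a blank password is allowed, and the helper functions wrap the net.exe commands the dialogs described above use. It assumes PowerShell with WMI access and administrator rights; the account names it acts on are whatever exists on the computer, and the lockout values are the author's suggestion, not a Microsoft figure.

```powershell
# Added example (not from the original guide): audit local accounts and apply
# the fixes with net.exe. Assumes PowerShell with WMI access and admin rights.

function Get-LocalAccountAudit {
    # LocalAccount = True excludes domain accounts; this guide targets WORKGROUP computers
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = True" | ForEach-Object {
        New-Object PSObject -Property @{
            Name             = $_.Name
            Enabled          = -not $_.Disabled
            PasswordRequired = $_.PasswordRequired      # False: a blank password is allowed
            IsGuest          = ($_.SID -like 'S-1-5-21-*-501')   # RID 501 is Guest even if renamed
        }
    }
}

function Disable-LocalAccount       { param([string]$Name) & net.exe user $Name /active:no }
function Remove-LocalAccount        { param([string]$Name) & net.exe user $Name /delete }
function Set-LocalAccountPassword   { param([string]$Name) & net.exe user $Name * }   # prompts, never echoed

function Set-AccountLockout {
    # Lock an account after $Threshold bad passwords for $Minutes; values are the author's choice
    param([int]$Threshold = 5, [int]$Minutes = 30)
    & net.exe accounts /lockoutthreshold:$Threshold /lockoutduration:$Minutes /lockoutwindow:$Minutes
}

# Usage: show the audit, then act on what it reports.
$accounts = Get-LocalAccountAudit
$accounts | Format-Table Name, Enabled, PasswordRequired, IsGuest -AutoSize

foreach ($a in $accounts) {
    # Disabling Guest also stops Simple File Sharing guest access from the network (see above)
    if ($a.IsGuest -and $a.Enabled) { Disable-LocalAccount -Name $a.Name }
    if ($a.Enabled -and -not $a.PasswordRequired) {
        Write-Host "$($a.Name) may have a blank password; set one now."
        Set-LocalAccountPassword -Name $a.Name
    }
}
Set-AccountLockout
```

Run Remove-LocalAccount only for accounts you have confirmed are no longer needed; disabling is reversible, deleting is not, and a deleted account's files keep an orphaned owner entry in their permissions.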
A firewall is a security system that acts as a protective boundary between a network and the outside world. Windows XP Professional includes Internet Connection Firewall (ICF), which you can use to restrict what types of data are communicated between the Internet and your network. ICF also protects a single computer connected to the Internet with a cable modem, a DSL modem, or a dial-up modem. However, ICF is not needed if you already have a firewall or proxy server on your network.
If your network uses Internet Connection Sharing (ICS) to provide Internet access to multiple computers, use ICF on the shared Internet connection. However, ICS and ICF can be enabled separately.
If you are sharing an Internet connection, enable the firewall only on the host computer that is connected to the Internet. The host computer appears to the Internet as the only computer on your network, hiding the other computers behind it. The host computer with ICF enabled provides a single point of security for your host computer and network computers. Computers running earlier versions of Windows are protected without the need for additional firewalls.
You must be logged on to your computer with a local administrator account in order to enable Internet Connection Firewall.
Do not enable Internet Connection Firewall on virtual private networking (VPN) connections, which are typically used to securely log on to a corporate network. Do not enable ICF on client computers that are part of a large company or school network with a server-client structure. ICF will interfere with file and printer sharing in these scenarios.
• To enable Internet Connection Firewall
A good way to keep up-to-date on security patches is to subscribe to Microsoft Security bulletins which will arrive in your e-mail at about the same time as Automatic Update notifies you of available updates. Sign up to receive the security bulletins in e-mail at http://www.microsoft.com/security/default.mspx. In addition to staying informed through bulletins, there are a number of technologies that can help automate security patching.
The Automatic Update feature in Windows XP can automatically detect and download the latest security fixes from Microsoft. Automatic Update can be configured to automatically download fixes in the background and then prompt the user to install them after the download is complete.
• To configure your computer for automatic updates
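The Automatic Updates mode that the steps above set through the Control Panel can also be read and set through the Windows Update policy values in the registry. The script below is an added example, not from the original guide or from Microsoft. It maps the AUOptions values to the behaviours this section describes and sets mode 3 (download in the background, prompt before installing), which is the configuration recommended above. It assumes administrator rights and a Windows Update client that honours the policy key; it does not touch the separate Control Panel setting stored elsewhere.

```powershell
# Added example (not from the original guide): read and set the Automatic Updates mode
# through the WindowsUpdate\AU policy key. Assumes admin rights on the computer.

$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$auModes = @{
    2 = 'Notify before download'
    3 = 'Download automatically, notify before install'   # the mode this section recommends
    4 = 'Download and install automatically on a schedule'
}

function Get-AutoUpdateMode {
    if (-not (Test-Path $auKey)) {
        return 'Not set by policy (the Control Panel setting applies)'
    }
    $values = Get-ItemProperty -Path $auKey
    if ($values.NoAutoUpdate -eq 1) { return 'Automatic Updates disabled by policy' }
    $mode = [int]$values.AUOptions
    if ($auModes.ContainsKey($mode)) { return $auModes[$mode] }
    return "Unrecognised AUOptions value ($mode)"
}

function Set-AutoUpdateMode {
    param([ValidateSet(2, 3, 4)][int]$Mode = 3)
    if (-not (Test-Path $auKey)) { New-Item -Path $auKey -Force | Out-Null }
    Set-ItemProperty -Path $auKey -Name NoAutoUpdate -Value 0     -Type DWord
    Set-ItemProperty -Path $auKey -Name AUOptions    -Value $Mode -Type DWord
}

# Usage: show the current mode, apply the recommended one, and confirm the change.
Write-Host "Before: $(Get-AutoUpdateMode)"
Set-AutoUpdateMode -Mode 3
Write-Host "After:  $(Get-AutoUpdateMode)"
```

Because the policy key takes precedence over the Control Panel choice, users cannot quietly switch Automatic Updates off afterwards; re-run Get-AutoUpdateMode periodically as a simple check that the setting is still in place.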
As part of Microsoft's Strategic Technology Protection Program, and in response to direct customer need for a streamlined method of identifying common security misconfigurations, Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA).
In Windows 2000, Windows XP, and Windows Server 2003, the Microsoft Baseline Security Analyzer will report configurations that are not secure and patches that can be used to help fix the problem. The tests can be run locally or on remote computers.
• To install Microsoft Baseline Security Analyzer
Scanning for Updates and Patches
• To use the MBSA to scan for updates and patches
Scanning for Secure Configuration
In addition to scanning for missing security updates, MBSA scans for computer configurations that are not secure.
• To scan for secure configuration
For more information about securing Windows XP, see the following:
• The Windows XP Security Guide on the Microsoft Web site, where the complete guide can be downloaded
• The Guide to Securing Windows XP Professional in Small and Medium Businesses on the Microsoft Web site
For more information about related topics on securing Windows XP, see the following:
• The Threats and Countermeasures Guide page on the Microsoft Web site