Updated: April 13, 2006
Overview
Welcome to the Windows XP Security Guide. This guide is designed to provide
you with the best information available to assess and counter security risks that
are specific to Microsoft® Windows® XP Professional with Service Pack 2 (SP2) in
your environment. The chapters in this guide provide detailed information about
how to configure enhanced security settings and features in Windows XP wherever
possible to address identified threats in your environment. If you are a consultant,
designer, or systems engineer who works in a Windows XP environment, this guide
was designed with you in mind.
Microsoft engineering teams, consultants, support engineers, partners, and customers
have reviewed and approved the information in this guide to make it:
- Proven. Based on field experience.
- Authoritative. Offers the best advice available.
- Accurate. Technically validated and tested.
- Actionable. Provides the steps to success.
- Relevant. Addresses real-world security concerns.
Best practices to secure both client and server computers were developed by consultants
and systems engineers who have implemented Windows XP Professional, Microsoft Windows
Server™ 2003, and Windows 2000 in a variety of environments, and these best practices
are detailed in this guide. Step-by-step security prescriptions, procedures, and
recommendations are also provided to help you maximize security for computers in
your organization that run Windows XP Professional with SP2.
If you want more in-depth discussion of the concepts behind this material, see Threats
and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, the Microsoft Windows XP Resource Kit, the Microsoft Windows Server 2003 Resource Kit, the Microsoft Windows Security Resource Kit,
and Microsoft TechNet.
This guide was originally created for Windows XP with SP1. This updated version
reflects the significant security enhancements that Windows XP with SP2 provides,
and it was developed and tested with computers that run Windows XP Professional
with SP2. All references to Windows XP that are made in this guide refer to Windows
XP with SP2 unless otherwise stated.
Executive Summary
Whatever your environment, you are strongly advised to be serious about security
matters. Many organizations underestimate the value of their information technology
(IT) environment, often because they exclude substantial indirect costs. If an attack
on the servers in your environment is severe enough, it could significantly damage
the entire organization. For example, an attack that makes your Web site unavailable
and causes a major loss of revenue or customer confidence might lead to the collapse
of your organization’s profitability. When you evaluate security costs, you should
include the indirect costs that are associated with any attack in addition to the
costs of lost IT functionality.
Vulnerability, risk, and exposure analysis with regard to security informs you of
the tradeoffs between security and usability that all computer systems are subject
to in a networked environment. This guide documents the major security-related countermeasures
that are available in Windows XP with SP2, the vulnerabilities that they address,
and the potential negative consequences (if any) of each countermeasure’s implementation.
The guide then provides specific recommendations for hardening computers that run
Windows XP with SP2 in three common environments:
- Enterprise Client (EC). Client computers in this environment are located
in an Active Directory® directory service domain and only need to communicate with
systems running Windows 2000 or later versions of the Windows operating system.
- Stand-alone (SA). Client computers in this environment are not members of
an Active Directory domain and may need to communicate with systems that run Windows
NT® 4.0.
- Specialized Security – Limited Functionality (SSLF). Concern for security in
this environment is so great that a significant loss of functionality and
manageability is acceptable. For example, military and intelligence agency computers
operate in this type of environment.
This guide is organized for easy accessibility so that you can quickly find the
information you need to determine what settings are suitable for your organization's
computers that run Windows XP with SP2. Although this guide was designed for the
enterprise customer, much of it is appropriate for organizations of any size.
To obtain the most value from this material, you will need to read the entire guide.
The team that produced this guide hopes that you will find the material covered
in it useful, informative, and interesting. For further information, you can also
refer to the companion guide Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows
XP, which is available for download at http://go.microsoft.com/fwlink/?LinkId=15159.
Who Should Read This Guide
This guide is primarily intended for consultants, security specialists, systems
architects, and IT professionals who plan application or infrastructure development
and the deployment of Windows XP workstations in an enterprise environment. This
guide is not intended for home users. This guide is designed for individuals whose
job roles include the following:
- System architects and planners who drive the architecture efforts for computers
in their organizations.
- IT security specialists who focus on how to provide security across computing
platforms within an organization.
- Business analysts and business decision makers (BDMs) who have critical business
objectives and requirements that need IT desktop or laptop support.
- Consultants from both Microsoft Services and partners who need knowledge transfer
tools for enterprise customers and partners.
Skills and Readiness
The following knowledge and skills are required for administrators and architects
who develop, deploy, and secure Windows XP client computers in an enterprise organization.
- MCSE 2000 or later certification with more than two years of security-related experience
or the equivalent.
- In-depth knowledge of the organization’s domain and Active Directory environments.
- Use of management tools, including MMC, Secedit, Gpupdate, and Gpresult.
- Experience in the administration of Group Policy.
- Experience deploying applications and client computers in enterprise environments.
Scope of this Guide
This guide focuses on how to create and maintain a secure environment for desktops
and laptops that run Windows XP Professional with SP2. The guide explains the different
stages of how to secure three different environments and what each setting addresses
for desktop and laptop computers that are deployed in each one. Information is provided
for Enterprise Client (EC), Stand-Alone (SA), and Specialized Security – Limited
Functionality (SSLF) environments.
Settings that are not specifically recommended as part of this guide are not documented.
For a thorough discussion of all the security settings in Windows XP, refer to the
companion guide Threats and
Countermeasures: Security Settings in Windows Server 2003 and Windows XP
at http://go.microsoft.com/fwlink/?LinkId=15159.
Enterprise Client
The Enterprise Client (EC) environment consists of a Windows 2000 or Windows Server
2003 Active Directory domain. The client computers in this environment will be managed
through Group Policy that is applied to sites, domains, and organizational units
(OUs). Group Policy provides a centralized method to manage security policy across
the environment.
Stand-Alone Client
The Stand-Alone Client (SA) environment includes client computers that cannot be
joined to a domain or computers that are members of a Windows NT 4.0 domain. These
client computers have to be configured through local policy settings. The management
of stand-alone computers can be a considerably greater challenge than management
of user accounts and policies in an Active Directory–based domain.
Specialized Security – Limited Functionality
The Specialized Security – Limited Functionality (SSLF) environment provides elevated
security settings for client computers. When these security policy settings are
applied, user functionality may be noticeably reduced because it is limited to only
those specific functions that are required for the necessary tasks. Access is limited
to approved applications, services, and infrastructure environments. To be clear,
security policy settings for the SSLF environment only apply to a few systems at
a very small number of organizations, such as military and intelligence agencies.
These settings tend to favor security over manageability and usability; they should
only be used on computers whose compromise could cause significant financial loss
or loss of life. In other words, the SSLF settings are not a good choice for most
organizations.
Chapter Overview
Windows XP with SP2 provides the most dependable version of a Windows client operating
system to date, with improved security and privacy features. Overall security has
been improved in Windows XP to help ensure your organization can work in a safer
and more secure computing environment. The Windows XP Security Guide
consists of seven chapters, and chapters two through six discuss the procedures
that are required to create such an environment. Each of these chapters builds on
an end-to-end process that is designed to secure Windows XP–based computers.
Chapter 1: Introduction to the Windows XP Security Guide
This chapter includes an overview of the guide, descriptions of the intended audience,
the problems that are discussed in the guide, and the overall intent of the guide.
Chapter 2: Configuring the Active Directory Domain Infrastructure
You can use Group Policy to manage user and computer environments in Windows Server
2003 and Windows 2000 domains. It is an essential tool for securing Windows XP,
and can be used to apply and maintain a consistent security policy across a network
from a central location. This chapter discusses the preliminary steps that must
be performed in your domain before you apply Group Policy to your Windows XP client
computers.
Group Policy settings are stored in Group Policy objects (GPOs) on domain controllers.
GPOs are linked to sites, domains, and OUs within the Active Directory structure.
Because Group Policy is so closely integrated with Active Directory, it is important
to have a basic understanding of your Active Directory structure and security implications
before you implement Group Policy.
Chapter 3: Security Settings for Windows XP Clients
This chapter describes the security settings for Windows XP client computers that
may be set through Group Policy in a Windows 2000 or Windows Server 2003 Active
Directory domain. Guidance is not provided for all of the available settings—only
those settings that will help secure an environment from most current threats are
provided. The guidance also allows users to continue to perform typical job functions
on their computers. The settings that you configure should be based on your organization’s
security goals.
Chapter 4: Administrative Templates for Windows XP
In this chapter, settings that can be added to Windows XP by using Administrative
Templates are discussed. Administrative Templates are Unicode files that you can
use to configure the registry–based settings that govern the behavior of many services,
applications, and operating system components. There are many Administrative Templates
that can be used with Windows XP, and they contain hundreds of settings.
Chapter 5: Securing Stand-Alone Windows XP Clients
Although most of this guide focuses on the Enterprise Client (EC) and Specialized
Security – Limited Functionality (SSLF) environments, this chapter also discusses
the configuration of stand-alone Windows XP client computers. Microsoft recommends
that Windows XP be deployed in an Active Directory domain infrastructure, but recognizes
that it is not always possible to do so. This chapter provides guidance about how
to apply the recommended configurations to Windows XP with SP2 client computers
that are not members of a Windows 2000 or Windows Server 2003 domain.
Chapter 6: Software Restriction Policy for Windows XP Clients
This chapter provides a basic overview of software restriction policy, which provides
administrators with a policy-driven mechanism to identify and limit the software
that can be run in their domain. Administrators can use a software restriction policy
to prevent unwanted programs from running and prevent viruses, Trojan horses, or
other malicious code from spreading. Software restriction policies fully integrate
with Active Directory and Group Policy, and they can also be used in an environment
without a Windows Server 2003 domain infrastructure when applied to only the local
computer.
Chapter 7: Conclusion
The final chapter reviews the important points of the guide in a brief overview
of everything that is discussed in the previous chapters.
Appendix A: Key Settings to Consider
Although this guide discusses many security countermeasures and security settings,
it is important to understand that a small number of them are especially important. This
appendix discusses the settings that will have the biggest impact on the security
of computers that run Windows XP with SP2.
Appendix B: Testing the Windows XP Security Guide
This appendix explains how the Windows XP Security Guide was tested
in a lab environment to ensure that the guidance works as expected.
Download Content
A collection of security templates, scripts, and additional files is included with
this guide to make it easier for your organization to evaluate, test, and implement
the recommended countermeasures.
Security templates are text files that can be imported into domain–based Group Policies
or applied locally with the Microsoft Management Console (MMC) Security Configuration
and Analysis snap-in. Procedures that describe how to accomplish these tasks are
detailed in Chapter 2, "Configuring the Active Directory Domain Infrastructure."
You can use the scripts that are included with this guide to implement the recommended
countermeasures on stand-alone workstations.
Also included in the download content is the Microsoft Excel® workbook "Windows
XP Security Guide Settings," which documents the settings that are included in each
of the security templates.
The files that accompany this guide are collectively referred to as tools and templates.
These files are included in a .msi file within the self-extracting WinZip archive
that contains this guide. The download version of the
Windows XP Security Guide is available at http://go.microsoft.com/fwlink/?LinkId=14840.
When you execute the .msi file, the following folder structure will be created in
the location that you specify:
- \Windows XP Security Guide Tools and Templates\Security Templates. This folder
contains all security templates that are discussed in Chapters 2 and 3 of the guide.
It also contains an Excel spreadsheet that summarizes all of the recommendations
in the guide.
- \Windows XP Security Guide Tools and Templates\SCE Update. This folder contains
scripts and data files to automatically update the user interface for the Security
Configuration Editor as discussed in Chapter 3 of the guide.
- \Windows XP Security Guide Tools and Templates\Stand Alone Clients. This
folder contains all sample scripts and templates that are used to harden stand-alone
computers, which are discussed in Chapter 5 of the guide.
- \Windows XP Security Guide Tools and Templates\Test Tools. This folder contains
tools that are related to "Appendix B: Testing the Windows XP Security Guide."
Style Conventions
This guide uses the following style conventions.
Table 1.1 Style Conventions
| Element | Meaning |
| --- | --- |
| Bold font | Signifies characters typed exactly as shown, including commands, switches and file names. User interface elements also appear in bold. |
| Italic font | Titles of books and other substantial publications appear in italic. |
| <Italic> | Placeholders set in italic and angle brackets <filename> represent variables. |
| Monospace font | Defines code and script samples. |
| Note | Alerts the reader to supplementary information. |
| Important | Alerts the reader to essential supplementary information. |
Summary
This chapter introduced you to the Windows XP Security Guide and summarized
the guide’s chapters. When you understand how the guide is organized, you are ready
to take full advantage of the key security options that are built into Windows XP
with SP2.
Effective, successful security operations require effort in all of the areas that
are discussed in this guide, not just improvements in one. For this reason, it is
highly recommended that you implement the recommendations in this guide that are
appropriate for your organization as part of a wider defense-in-depth security architecture.
More Information
The following links provide additional information about Windows XP Professional
security-related topics.
- For more information about security settings that can be configured on Microsoft
Windows XP, see the companion guide, Threats and Countermeasures: Security Settings
in Windows Server 2003 and Windows XP, which is available at
http://go.microsoft.com/fwlink/?LinkId=15159.
- For information about how to implement security on servers in a manner that is
analogous to what is discussed in this guide, see the Windows Server 2003 Security
Guide. The recommendations in this guide are designed to be applied to servers that
need to support Windows XP client computers that are configured as described in the
remaining chapters. It is available online at
http://go.microsoft.com/fwlink/?LinkId=14845.
- For information about how to implement security risk management more effectively
in your organization, see the Security Risk Management Guide at
http://go.microsoft.com/fwlink/?LinkID=30794.
- For information about how to minimize the impact of malicious software, see
The Antivirus Defense-in-Depth Guide at http://go.microsoft.com/fwlink/?LinkId=28732.
- For information about how to minimize the dependence on using passwords for
authentication in your organization, see The Secure Access Using Smart Cards Planning
Guide at http://go.microsoft.com/fwlink/?LinkId=41313.
- For information about how to more effectively watch for and respond to potential
security violations in your organization, see The Security Monitoring and Attack
Detection Planning Guide at http://go.microsoft.com/fwlink/?LinkId=41309.
- For more details about how the Microsoft Operations Framework (MOF) can assist
you in your organization, see http://technet.microsoft.com/en-us/library/cc506049.aspx.
- For information about Microsoft Windows Security, see the Microsoft Security Home
Page at http://www.microsoft.com/security/.
- For information about the Microsoft Technical Security Notifications service, see
http://www.microsoft.com/technet/security/bulletin/notify.mspx.