Published: December 10, 2004
On This Page
Introduction
Before You Begin
Adding Hotfixes to Management Workstations and Windows Small Business Server 2003
Updating Existing Group Policy Objects
Configuring Security Center Settings
Configuring Windows Firewall Settings
Configuring Internet Explorer Security Settings
Configuring Internet Communication Management Settings
Configuring DCOM Access Settings
Configuring RPC Settings
Related Information
Introduction
Group Policy settings are applied according to your organization's implementation of Microsoft Active Directory, and they help protect your computer environment by enforcing standard configuration settings across categories of users and computers. The new Group Policy network protection settings in Microsoft Windows XP Service Pack 2 (SP2) include:
-
Windows Firewall. Configure these policy settings to turn the firewall on or off, manage program and port exceptions, and define exceptions for specific scenarios such as to allow remote administration on target computers.
-
Internet Explorer. With these new policy settings, you can configure Microsoft Internet Explorer security settings. Furthermore, with policy settings, you can enable or disable Internet Explorer security features for various processes.
-
Internet Communication Management. You can configure these settings to control how various components in Windows XP SP2 communicate over the Internet for tasks that involve exchange of information between computers in an organization and the Internet.
-
DCOM Security. You configure these settings to control security settings for Distributed Component Object Model (DCOM). The DCOM infrastructure includes new access control restrictions to help minimize the security risks posed by network attacks.
-
Security Center. You configure these settings to centrally administer Windows Security Center. Security Center is a new feature in Windows XP SP2 that monitors computers in your organization to ensure that they have a firewall, antivirus software and Automatic Updates in place, and that alerts users when a computer poses a security risk.
-
Remote Procedure Call (RPC). You can configure the RPC policy settings to block remote anonymous access to RPC interfaces on the system, and to prevent anonymous access to the RPC Endpoint Mapper interface.
This document explains how to deploy the network protection Group Policy settings to help to secure Windows XP SP2 client computers.
For a complete list of recommended settings, see the following:
You perform the tasks in this document on Group Policy objects (GPOs) in an Active Directory domain. Some of these tasks can be run from a domain controller, but usually they are performed on a Windows XP SP2 client computer on which the Active Directory management tools are installed.
Note: For more information about how to deploy GPOs, see the following:
To configure network protection in an Active Directory environment, you perform these tasks:
-
Add hotfixes to management workstations
-
Update Existing GPOs
-
Configure Security Center settings
-
Configure Windows Firewall settings
-
Configure Internet Explorer settings
-
Configure Internet Communication Management settings
-
Configure DCOM Security settings
-
Configure RPC settings
IMPORTANT: The instructions in this document were developed with the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.
For definitions of security-related terms, see the following:
Before You Begin
Windows XP SP2 can be used as a domain client in an Active Directory domain whose domain controllers run any edition of:
-
Microsoft Windows Server 2003
-
Microsoft Windows Small Business Server 2003
-
Microsoft Windows 2000 Server SP3 or later
Before you install hotfixes, make sure that you have backed up your computer, including a backup of the registry.
For more information on how to backup the registry, see the following:
Adding Hotfixes to Management Workstations and Windows Small Business Server 2003
If you manage Group Policy Object settings from computers that run earlier operating systems or service packs (for example, Windows XP SP1 or Windows Server 2003), you must install hotfix KB842933 so that the new policy settings appear correctly in the Group Policy Object Editor.
If you are using Windows Small Business Server 2003 (SBS 2003), you must also apply hotfix KB872769: by default, SBS 2003 turns Windows Firewall off on its client computers, and the hotfix corrects this behavior.
Note: The hotfixes listed are not included as part of Windows Update and you must install them separately. The hotfixes must be applied to all affected systems individually.
KB842933 applies to the following:
-
Microsoft Windows Server 2003, Web Edition
-
Microsoft Windows Server 2003, Standard Edition
-
Microsoft Windows Server 2003, Enterprise Edition
-
Microsoft Windows Server 2003, 64-Bit Enterprise Edition
-
Microsoft Windows XP Professional SP1
-
Microsoft Windows Small Business Server 2003, Premium Edition
-
Microsoft Windows Small Business Server 2003, Standard Edition
-
Microsoft Windows 2000 Advanced Server
-
Microsoft Windows 2000 Server
-
Microsoft Windows 2000 Professional
KB872769 applies to the following:
-
Microsoft Windows Small Business Server 2003, Standard Edition
-
Microsoft Windows Small Business Server 2003, Premium Edition
Note: To obtain these hotfixes and for more information, see the following:
Requirements to perform this task
-
Credentials: You must log on to the client computer as a member of the Domain Admins security group or the local Administrators security group.
-
Tools: The appropriate downloaded hotfix for your operating system as explained in the Knowledge Base articles 842933 and 872769.
Adding Hotfix 842933 to Windows Small Business Server 2003, Windows 2000 Server SP3 or later, Windows XP SP1, or Windows Server 2003
To add the hotfix
-
From the Windows desktop, click Start, click Run, type the path and filename of the downloaded hotfix, and then click OK.
-
On the Welcome to KB842933 Setup Wizard page, click Next.
-
On the License page, click I Agree, and then click Next.
-
On the Completing the KB842933 Setup Wizard page, to finish the hotfix installation and restart the computer, click Finish.
-
Repeat the above steps for all systems where it applies (servers and management workstations).
Adding Hotfix 872769 to Windows Small Business Server 2003
To add the hotfix
-
From the Windows desktop, click Start, click Run, type the path and filename of the downloaded 872769 hotfix, and then click OK.
-
On the Welcome to KB872769 Setup Wizard page, click Next.
-
On the License page, click I Agree, and then click Next.
-
On the Completing the KB872769 Setup Wizard page, to finish the hotfix installation and restart the computer, click Finish.
Updating Existing Group Policy Objects
Windows XP SP2 adds additional settings in the administrative templates. To configure these new settings, each GPO must be updated with the new administrative templates found in Windows XP SP2. Unless the Group Policy Objects are updated, settings related to the Windows Firewall will not be available.
You can update GPOs with the Microsoft Management Console (MMC) with the Group Policy Object Editor Snap-in installed on a computer with Windows XP SP2 installed.
After a GPO has been updated, you can configure the network protection settings that are appropriate for your computers running Windows XP SP2.
Requirements to perform this task
-
Credentials: You must log on to a Windows XP SP2 computer that is an Active Directory domain client, as a member of the Domain Admins or Group Policy Creator Owners security group.
-
Tools: Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.
Updating Group Policy Objects
To update Group Policy objects
-
From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.
-
On the File menu, click Add/Remove Snap-in.
-
On the Standalone tab, click Add.
-
In the Available Standalone Snap-ins list, click Group Policy Object Editor, and click Add.
-
In the Select Group Policy Object dialog box, click Browse.
Figure 1 Browse for a Group Policy Object
-
In the Browse for a Group Policy Object dialog box, select the Group Policy object that you want to update with the new Windows Firewall settings.
-
Click OK, and then click Finish to close the Group Policy Wizard.
This applies the new administrative template to the selected GPO.
-
In the Add Standalone Snap-in dialog box, click Close.
-
In the Add/Remove Snap-in dialog box, click OK
-
Close the MMC: on the File menu, click Exit, and click No when prompted to save changes to the console settings.
Note: Although you do not save the console changes, the procedure above imports the new Windows XP SP2 administrative templates into the GPO. The templates must be imported into each GPO you intend to use.
-
Repeat the steps for every GPO that is being used to apply Group Policy to computers that have Windows XP SP2 installed.
Note: To update your GPOs for network environments that use Active Directory and Windows XP SP1, Microsoft recommends that you use the Group Policy Management Console, a free download. For more information, see the following:
Configuring Security Center Settings
The Security Center is a new service in Windows XP SP2 that provides a central location to change security settings, learn more about security, and ensure that users’ computers are up-to-date with the essential security settings that are recommended by Microsoft.
In a Windows domain environment, you can use Group Policy to enable the Security Center to monitor users’ computers to help ensure that they have the latest security updates and to notify users if their computers may be at risk.
The Security Center service runs as a background process and checks the state of the following components on the user’s computer:
-
Firewall. The Security Center checks whether Windows Firewall is on or off and also checks for the presence of some other software firewalls. To check for other firewalls, Security Center queries for specific Windows Management Instrumentation (WMI) providers, which have been made available by participating vendors.
-
Virus protection. The Security Center checks for the presence of antivirus software. To check for the presence of antivirus software, Security Center queries for specific WMI providers that are made available by participating vendors. If the information is available, the Security Center service also determines whether the software is up to date and whether a real-time scan is turned on.
-
Automatic Updates. The Security Center checks to ensure that Automatic Updates is set to the recommended setting, which automatically downloads and installs critical updates to the user’s computer. If Automatic Updates is turned off or is not set to the recommended settings, the Security Center provides appropriate recommendations.
If a component is missing or out of compliance with your security policy, Security Center alerts the user with a red icon in the notification area of the taskbar and by displaying an alert message at logon. The message contains links that open the Security Center user interface, which describes the problem and recommends how to fix it.
If you run firewall or antivirus software that is not detected by Security Center, you can set the Security Center to bypass alerting for that component.
You can use a Group Policy setting to centrally manage the Security Center feature for computers in a Windows domain.
If you enable the Turn on Security Center (Domain PCs only) policy setting, Security Center monitors the essential security settings (firewall, antivirus, and Automatic Updates) and notifies users when their computers might be at risk. By default, this policy setting is not configured, which on domain-joined computers means Security Center is turned off: neither the notifications nor the Security Center status section is displayed.
Requirements to perform this task
-
Credentials: You must log on to a Windows XP SP2 computer that is an Active Directory domain client, as a member of the Domain Admins security group and open a Group Policy Object.
-
Tools: Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.
Configuring the Security Center Settings
Use this setting to allow users of computers that run Windows XP SP2 to use the Security Center for alerts about firewalls, antivirus software, and automatic updates.
To configure the Security Center settings
-
From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.
-
On the File menu, click Add/Remove Snap-in.
-
On the Standalone tab, click Add.
-
In the Available Standalone Snap-ins list, locate then click Group Policy Object Editor, and click Add.
-
In the Select Group Policy Object dialog box, click Browse.
-
Select the Group Policy Object you want to configure from the list. Click OK, then click Finish to close the Group Policy Wizard.
-
Click Close to exit the Add Standalone Snap-in dialog box, then click OK to exit the Add/Remove Snap-in dialog box and return to the management console.
-
In the console tree, open Computer Configuration, Administrative Templates, Windows Components, and then Security Center.
Figure 2 SecurityCenter settings
-
Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
Applying Configuration with GPUpdate
The GPUpdate utility refreshes Active Directory-based Group Policy settings, including security settings. After you configure Group Policy, you can wait for the standard refresh cycle to apply the settings to client computers. By default, computers refresh policy every 90 minutes with a random offset of up to 30 minutes.
To refresh Group Policy between standard cycles, use the GPUpdate utility.
Running GPUpdate
To run GPUpdate
-
From the Windows XP desktop, click Start, and then click Run.
-
In the Open box, type cmd, and then click OK.
Note: For a complete description of the available options when using GPUpdate, see the following:
-
At the command prompt, type GPUpdate, and then press ENTER.
Figure 3 GPUpdate on a command line
-
To close the command prompt, type Exit and press ENTER.
Verifying Security Center Settings Are Applied
To verify Security Center settings are applied
-
From the Windows XP desktop, click Start, and then click Control Panel.
-
Under Pick a category, click Security Center.
-
Verify that Security Center starts.
Note: If your configuration settings are not applied, you must troubleshoot Group Policy application. To troubleshoot Group Policy application, see the following:
Configuring Windows Firewall Settings
There are three sets of Windows Firewall settings to configure:
-
Allow authenticated IPSec bypass. This setting applies when an organization uses Internet Protocol Security (IPSec) to protect traffic and also enables Windows Firewall: it lets IPSec-authenticated traffic from a list of trusted computers or groups pass the firewall without being filtered.
-
Domain profile. These settings are used by computers when they are connected to a network that contains domain controllers for the domain of which the computers are a member.
-
Standard profile. These settings are used by computers when they are not connected to your network, for example, when you travel with a laptop computer.
If you do not configure standard profile settings, the default values remain unchanged. Microsoft recommends that you configure both domain and standard profile settings and that you enable the Windows Firewall for both profiles. The only exception is if you are already using a third-party host firewall product.
If you already use a third-party host firewall product, then Microsoft recommends that you disable Windows Firewall.
If you decide to disable Windows Firewall across your entire organization network, which contains a mixture of computers running Windows XP SP2, Windows XP SP1, and Windows XP with no service packs installed, then you should configure these Group Policy settings:
-
Prohibit use of Internet Connection Firewall on your DNS domain network set to Enabled
-
Domain profile – Windows Firewall: Protect all network connections set to Disabled
-
Standard profile – Windows Firewall: Protect all network connections set to Disabled
Note: This standard profile setting ensures that Windows Firewall is not used, whether the computers are connected to your organization network or not. To ensure that Windows Firewall is not used on your organization network, but is used when the computers are not connected to the network, change this setting to Enabled.
The standard profile settings are typically more restrictive than the domain profile, because the standard profile settings do not include applications and services that are only used in a managed domain environment.
In a GPO, both the domain profile and standard profile contain the same set of Windows Firewall settings. Windows XP SP2 relies on network determination to apply the correct profile.
Note: For more information about network determination, see the following:
This section describes the possible Windows Firewall settings in a GPO and the recommended settings for an enterprise environment and demonstrates how to enable four types of settings.
Requirements to perform this task
-
Credentials: You must log on to a Windows XP SP2 computer that is an Active Directory domain client, as a member of the Domain Admins security group and open a Group Policy Object that you modified in the previous task.
-
Tools: Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed
Note: To open a GPO you use either an MMC with the Group Policy Object Editor snap-in included, or the Active Directory Users and Computers console. To use the Active Directory Users and Computers console on a Windows XP client computer, you must run adminpak.msi from the Windows Server 2003 CD
Configuring Windows Firewall Settings using Group Policy
You use the Group Policy Object Editor snap-in or Active Directory Users and Computers to modify the Windows Firewall settings in the appropriate GPOs.
After you have configured the Windows Firewall settings, the next refresh of Computer Configuration Group Policy downloads the new Windows Firewall settings and applies them to computers running Windows XP SP2.
To configure Windows Firewall settings
-
From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.
-
On the File menu, click Add/Remove Snap-in.
-
On the Standalone tab, click Add.
-
In the Available Standalone Snap-ins list, locate then click Group Policy Object Editor, and click Add.
-
In the Select Group Policy Object dialog box, click Browse.
-
Select the Group Policy Object you want to configure, click OK, and then click Finish to exit the Group Policy Wizard.
-
Click Close to exit the Add Standalone Snap-in dialog box, then click OK to exit the Add/Remove Snap-in dialog box and return to the management console.
-
In the console tree, open Computer Configuration, Administrative Templates, Network, Network Connections, and then Windows Firewall.
Figure 4 Windows Firewall options in a Group Policy
-
Double-click Windows Firewall: Allow authenticated IPSec bypass.
Figure 5 Allow authenticated IPSec bypass
Table 1 summarizes the Allow authenticated IPSec bypass options.
Table 1 Allow authenticated IPSec bypass settings for an enterprise
| Setting | Description | Notes |
| Not Configured | This GPO does not change the current Windows Firewall configuration for this setting. | |
| Enabled | IPSec-secured traffic from the computers or groups named in the policy's security descriptor bypasses Windows Firewall filtering; all other traffic is filtered as usual. | The list of computers and groups is written as a security descriptor in SDDL. For more information, see "Security Descriptor Definition Language" on the MSDN Web site at http://go.microsoft.com/fwlink/?linkid=35503 |
| Disabled | Windows Firewall filters IPSec-secured traffic like any other traffic; no bypass list applies. | |
-
Use the information in table 1 and click either Enabled or Disabled.
Note: If you click Enabled, you must supply a security descriptor that lists the computers or groups of computers whose IPSec-authenticated traffic is allowed to bypass Windows Firewall. Keep this list short: traffic from every principal on it reaches the computer without being subject to the firewall's exception list.
-
Click OK.
-
Select either Domain Profile or Standard Profile.
Figure 6 Windows Firewall settings in a Group Policy
Table 2 summarizes the Windows Firewall Group Policy recommended settings for the domain and standard profiles.
Table 2 Windows Firewall recommended settings for an enterprise
| Setting | Description | Domain Profile | Standard Profile |
| Protect all network connections | Specifies that all network connections have Windows Firewall enabled | Enabled | Enabled |
| Do not allow exceptions | Specifies that all unsolicited incoming traffic is dropped, which includes excepted traffic | Not configured | Enabled, unless you must configure program exceptions |
| Define program exceptions | Defines excepted traffic in terms of program file names | Enabled and configured with the programs (applications and services) used by the computers running Windows XP with SP2 on your network | Enabled and configured with the programs (applications and services) used by the computers running Windows XP with SP2 on your network |
| Allow local program exceptions | Allows local configuration of program exceptions | Disabled, unless you want local administrators to configure program exceptions locally | Disabled |
| Allow remote administration exception | Allows remote configuration using tools | Disabled, unless you want to be able to remotely administer your computers with MMC snap-ins | Disabled |
| Allow file and print sharing exception | Specifies whether file and printer sharing traffic is allowed | Disabled, unless the computers that run Windows XP SP2 share local resources | Disabled |
| Allow ICMP exceptions | Specifies the types of ICMP messages that are allowed | Disabled, unless you wish to use the ping command to troubleshoot | Disabled |
| Allow Remote Desktop exception | Specifies whether the computer can accept a Remote Desktop-based connection request | Enabled | Enabled |
| Allow UPnP framework exception | Specifies whether the computer can receive unsolicited UPnP messages | Disabled | Disabled |
| Prohibit notifications | Disables notifications | Disabled | Disabled |
| Allow logging | Allows you to log traffic and configure log file settings | Not configured | Not configured |
| Prohibit unicast response to multicast or broadcast requests | Discards the unicast packets received in response to a multicast or broadcast request message | Enabled | Enabled |
| Define port exceptions | Specifies excepted traffic in terms of TCP and UDP | Disabled | Disabled |
| Allow local port exceptions | Allows local configuration of port exceptions | Disabled | Disabled |
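Table 1 describes the IPSec bypass list only as "SDDL syntax". The following Python is an added example, not code from the original article or from Microsoft, that builds and parses such a descriptor so the bypass list can be reviewed before it is pasted into the policy. It assumes the descriptor form O:DAG:DAD: followed by one (A;;RCGW;;;SID) allow ACE per computer or group, which is the form Microsoft's Windows Firewall deployment documentation shows for this setting; check it against the policy's help text before relying on it. The SID in the usage at the bottom is constructed.

```python
import re

# Two-letter access-right codes defined by SDDL; a rights field may instead be a hex mask such as 0x1F01FF.
SDDL_RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
    "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "RP": "DS_READ_PROP", "WP": "DS_WRITE_PROP", "CC": "DS_CREATE_CHILD", "DC": "DS_DELETE_CHILD",
    "LC": "DS_LIST", "SW": "DS_SELF", "LO": "DS_LIST_OBJECT", "DT": "DS_DELETE_TREE",
    "CR": "DS_CONTROL_ACCESS", "FA": "FILE_ALL_ACCESS", "FR": "FILE_GENERIC_READ",
    "FW": "FILE_GENERIC_WRITE", "FX": "FILE_GENERIC_EXECUTE", "KA": "KEY_ALL_ACCESS",
    "KR": "KEY_READ", "KW": "KEY_WRITE", "KX": "KEY_EXECUTE",
}
# An account is a literal SID (S-1-5-21-...) or a two-letter SDDL alias such as DA (Domain Admins).
_SID_RE = re.compile(r"^(?:S-1-\d+(?:-\d+)+|[A-Z]{2})$")
# Sections start with O:, G:, D: or S:; colons occur nowhere else in SDDL, so each body runs to the next marker.
_SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")
# ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
_ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")


def parse_rights(rights):
    """Expand a rights field into right names, or return the integer mask if it is hexadecimal."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError("rights must be a sequence of two-letter codes: %r" % rights)
    names = []
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in SDDL_RIGHTS:
            raise ValueError("unknown SDDL right %r" % code)
        names.append(SDDL_RIGHTS[code])
    return names


def parse_acl(body):
    """Split an ACL body ('flags(ace)(ace)...') into its flags and a list of ACE dicts."""
    m = re.match(r"^([A-Z]*)((?:\([^()]*\))*)$", body)
    if not m:
        raise ValueError("malformed ACL: %r" % body)
    flags, ace_text = m.groups()
    aces = []
    for ace_type, ace_flags, rights, obj, inherit_obj, sid in _ACE_RE.findall(ace_text):
        if not _SID_RE.match(sid):
            raise ValueError("malformed account in ACE: %r" % sid)
        aces.append({"type": ace_type, "flags": ace_flags, "rights": parse_rights(rights),
                     "object_guid": obj, "inherit_guid": inherit_obj, "sid": sid})
    if len(aces) != ace_text.count("("):
        raise ValueError("an ACE does not have six semicolon-separated fields: %r" % ace_text)
    return flags, aces


def parse_sddl(sddl):
    """Parse a full SDDL string into owner, group, DACL and SACL; reject anything that does not parse."""
    out = {"owner": None, "group": None, "dacl_flags": "", "dacl": [], "sacl_flags": "", "sacl": []}
    consumed = 0
    for key, body in _SECTION_RE.findall(sddl):
        consumed += len(key) + 1 + len(body)
        if key in ("O", "G"):
            if not _SID_RE.match(body):
                raise ValueError("malformed owner/group: %r" % body)
            out["owner" if key == "O" else "group"] = body
        elif key == "D":
            out["dacl_flags"], out["dacl"] = parse_acl(body)
        else:
            out["sacl_flags"], out["sacl"] = parse_acl(body)
    if consumed != len(sddl):
        raise ValueError("unparsed text in SDDL string: %r" % sddl)
    return out


def ipsec_bypass_principals(sddl):
    """Accounts granted by allow (A) ACEs: the computers or groups whose IPSec-authenticated
    traffic Windows Firewall will pass without filtering. Review this list, not the raw string."""
    return [ace["sid"] for ace in parse_sddl(sddl)["dacl"] if ace["type"] == "A"]


def build_ipsec_bypass_sddl(sids):
    """Build the descriptor to paste into the policy (assumed form: owner/group DA, RCGW rights)."""
    for sid in sids:
        if not _SID_RE.match(sid):
            raise ValueError("not a SID or SDDL alias: %r" % sid)
    return "O:DAG:DAD:" + "".join("(A;;RCGW;;;%s)" % sid for sid in sids)


if __name__ == "__main__":
    # Constructed SID for a computer group; substitute the real group's SID.
    desc = build_ipsec_bypass_sddl(["S-1-5-21-1004336348-1177238915-682003330-1001"])
    print(desc)
    print(ipsec_bypass_principals(desc))
```

Paste the output of build_ipsec_bypass_sddl into the policy's text box; run ipsec_bypass_principals over whatever is already there when auditing an existing GPO, since it refuses malformed descriptors instead of silently accepting them.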
Enabling Exceptions for Ports
To enable exceptions for ports
-
In either the Domain Profile or Standard Profile settings area, double-click Windows Firewall: Define port exceptions.
Figure 7 Windows Firewall: Define port exceptions Properties
-
Click Enabled, and then click Show.
Figure 8 Show Contents
-
Click Add.
Figure 9 Add Item
-
Type the port information that you want to block or enable with this syntax:
port:transport:scope:status:name
Where port is the port number, transport is TCP or UDP, scope is either * (for all systems) or a list of the computers that are allowed to access the port, status is either enabled or disabled, and name is a text string used as a label for this entry.
When using scope, host names, Domain Name System (DNS) names, or DNS suffixes are not supported. For IPv4 address ranges, you can specify the range using a dotted decimal subnet mask or a prefix length. When you use a dotted decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24).
For more information on TCP/IP addressing and subnetting, see the following:
Note: If you have any spaces between the entries in the list of sources or any other invalid characters, the scope is ignored and the setting behaves as if it were disabled. Please double-check your scope syntax before saving changes.
This example uses a port exception named WebTest and enables TCP port 80 for all connections.
-
Click OK to close Add Item.
Figure 10 Show Contents
-
Click OK to close Show Contents.
-
Click Close to close Windows Firewall: Define port exceptions Properties.
Note: When Do not allow exceptions is selected, any Port Exceptions are ignored.
Enabling Exceptions for Programs
To enable exceptions for programs
-
In either the Domain Profile or Standard Profile settings area, double-click Windows Firewall: Define program exceptions.
Figure 11 Windows Firewall: Define program exceptions Properties
-
Click Enabled, and then click Show.
Figure 12 Show Contents
-
Click Add.
Figure 13 Add Item
-
Type the program information that you want to block or enable, with this syntax:
path:scope:status:name
Where path is the program path and file name, scope is either * (for all systems) or a list of the computers that are allowed to access the program, status is either enabled or disabled, and name is a text string used as a label for this entry.
This example enables Windows Messenger for all connections.
For more information on TCP/IP addressing and subnetting, see the following:
-
Click OK to close Add Item.
Figure 14 Show Contents
-
Click OK to close Show Contents.
-
Click Close to close Windows Firewall: Define program exceptions Properties.
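The port and program exception formats above share the same scope rules, and the Note under Define port exceptions warns that a stray space or invalid character makes the firewall ignore the scope and treat the entry as disabled. The following Python validator is an added example, not code from the original article or from Microsoft, that parses both entry formats, rejects names and whitespace in the scope, expands dotted-mask and prefix ranges exactly as the text describes, and answers whether a given source address would match an entry. The LocalSubnet keyword and the Windows Messenger path used in the usage are assumptions not shown on this page.

```python
import ipaddress
import re

_IPV4_ITEM_RE = re.compile(r"^[0-9.]+(?:/[0-9.]+)?$")


def parse_scope_item(item):
    """One scope element: a bare IPv4 address, address/dotted-mask or address/prefix-length.
    Host bits are allowed (10.47.81.231/24 means 10.47.81.0/24). Names are rejected because the
    firewall does not resolve host names, DNS names or DNS suffixes in a scope."""
    if item == "LocalSubnet":
        # Keyword accepted by the XP SP2 scope syntax (assumption: not listed on this page).
        return "LocalSubnet"
    if not _IPV4_ITEM_RE.match(item):
        raise ValueError("scope item %r is not an IPv4 address or range" % item)
    return ipaddress.IPv4Network(item, strict=False)


def parse_scope(scope):
    """'*' or a comma-separated list of scope items. Any whitespace is an error: the firewall
    silently ignores a scope with invalid characters and the entry then behaves as disabled."""
    if scope == "*":
        return "*"
    if not scope or re.search(r"\s", scope):
        raise ValueError("scope %r is empty or contains whitespace" % scope)
    return [parse_scope_item(item) for item in scope.split(",")]


def _parse_tail(scope, status, name):
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError("status must be enabled or disabled: %r" % status)
    if not name.strip():
        raise ValueError("name must not be empty")
    return parse_scope(scope), status.lower() == "enabled", name


def parse_port_exception(entry):
    """port:transport:scope:status:name, for example 80:TCP:*:enabled:WebTest"""
    parts = entry.split(":")
    if len(parts) != 5:
        raise ValueError("expected port:transport:scope:status:name, got %r" % entry)
    port, transport, scope, status, name = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("port must be 1-65535: %r" % port)
    if transport.upper() not in ("TCP", "UDP"):
        raise ValueError("transport must be TCP or UDP: %r" % transport)
    scope, enabled, name = _parse_tail(scope, status, name)
    return {"port": int(port), "transport": transport.upper(), "scope": scope,
            "enabled": enabled, "name": name}


def parse_program_exception(entry):
    """path:scope:status:name. The path may itself contain a colon (a drive letter), so the
    three trailing fields are split off from the right."""
    parts = entry.rsplit(":", 3)
    if len(parts) != 4 or not parts[0]:
        raise ValueError("expected path:scope:status:name, got %r" % entry)
    path, scope, status, name = parts
    scope, enabled, name = _parse_tail(scope, status, name)
    return {"path": path, "scope": scope, "enabled": enabled, "name": name}


def scope_allows(scope, src_ip, local_subnet=None):
    """Would a packet from src_ip fall inside this exception's scope? local_subnet (a network
    or its string form) is consulted only when the scope uses LocalSubnet."""
    if scope == "*":
        return True
    addr = ipaddress.IPv4Address(src_ip)
    if isinstance(local_subnet, str):
        local_subnet = ipaddress.IPv4Network(local_subnet, strict=False)
    for net in scope:
        if net == "LocalSubnet":
            if local_subnet is not None and addr in local_subnet:
                return True
        elif addr in net:
            return True
    return False


if __name__ == "__main__":
    # The page's own WebTest example, plus a constructed entry with a restricted scope.
    print(parse_port_exception("80:TCP:*:enabled:WebTest"))
    rdp = parse_port_exception("3389:TCP:10.47.81.231/255.255.255.0,192.168.0.0/16:enabled:RDP")
    print([str(n) for n in rdp["scope"]], scope_allows(rdp["scope"], "10.47.81.7"))
    # Assumed Messenger path; the drive colon is handled by the right-split.
    print(parse_program_exception("C:\\Program Files\\Messenger\\msmsgs.exe:*:enabled:Windows Messenger"))
```

Run each entry through the matching parser before pasting it into Show Contents; an entry that raises ValueError here is one the firewall would accept without complaint and then quietly treat as disabled or, worse, as open to every address if the scope were dropped.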
Configuring Basic ICMP Options
For information on ICMP, see the following:
To configure basic ICMP options
-
In either the Domain or Standard Profile settings area, double-click Windows Firewall: Allow ICMP exceptions.
-
Click Enabled.
Figure 15 Windows Firewall: Allow ICMP exceptions Properties
-
Select the appropriate ICMP exception(s) to enable. This example selects Allow inbound echo request.
-
Click OK to close Windows Firewall: Allow ICMP exceptions Properties.
Logging Dropped Packets and Successful Connections
To log dropped packets and successful connections
-
In either the Domain or Standard Profile settings area, double-click Windows Firewall: Allow Logging.
Figure 16 Windows Firewall: Allow logging Properties
-
Click Enabled, select Log dropped packets and Log successful connections, type a log file path and name, and then click OK.
Note: Secure the folder that holds the log file so that users cannot delete or tamper with it, and keep the file on a local disk. If you leave the path empty, Windows Firewall uses its default location, %systemroot%\pfirewall.log.
-
Close Group Policy Editor.
-
If prompted to save console settings, click No.
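Once logging is enabled, the log file is the only record of what Windows Firewall blocked, so it is worth parsing rather than reading by hand. The following Python is an added example, not code from the original article or from Microsoft: it reads the file's own #Fields header instead of assuming a fixed column list, then counts dropped inbound packets per source address and flags sources that probed several ports. The sample log lines are constructed; the OPEN action for successful connections and the RECEIVE/SEND path column are assumptions about the XP SP2 log layout that should be checked against a real pfirewall.log.

```python
from collections import Counter, defaultdict

# Constructed sample in the layout Windows Firewall writes: comment header lines, then one
# whitespace-separated record per line, with "-" for fields that do not apply.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2004-12-10 09:15:02 DROP TCP 10.47.81.231 10.47.81.5 3101 135 48 S 3355443 0 16384 - - - RECEIVE
2004-12-10 09:15:02 DROP TCP 10.47.81.231 10.47.81.5 3102 139 48 S 3355444 0 16384 - - - RECEIVE
2004-12-10 09:15:03 DROP TCP 10.47.81.231 10.47.81.5 3103 445 48 S 3355445 0 16384 - - - RECEIVE
2004-12-10 09:15:03 DROP TCP 10.47.81.231 10.47.81.5 3104 1025 48 S 3355446 0 16384 - - - RECEIVE
2004-12-10 09:16:40 DROP UDP 192.168.1.9 10.47.81.5 137 137 78 - - - - - - - RECEIVE
2004-12-10 09:17:05 DROP ICMP 10.47.81.231 10.47.81.5 - - 60 - - - - 8 0 - RECEIVE
2004-12-10 09:18:12 OPEN TCP 10.47.81.5 10.47.81.1 1040 80 - - - - - - - - -
"""


def parse_firewall_log(text):
    """Return one dict per record, keyed by the names in the file's #Fields header."""
    fields, records = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("line %d: data before #Fields header" % lineno)
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("line %d: expected %d fields, got %d" % (lineno, len(fields), len(values)))
        records.append(dict(zip(fields, values)))
    return records


def _inbound_drop(record):
    # Without a path column (older layouts) direction is unknown, so count the drop anyway.
    return record["action"] == "DROP" and record.get("path", "RECEIVE") == "RECEIVE"


def dropped_inbound_by_source(records):
    """Dropped packets that arrived from the network, counted per source address."""
    counts = Counter()
    for r in records:
        if _inbound_drop(r):
            counts[r["src-ip"]] += 1
    return counts


def port_scan_suspects(records, min_ports=3):
    """Sources whose dropped inbound TCP/UDP packets hit at least min_ports distinct destination ports."""
    touched = defaultdict(set)
    for r in records:
        if _inbound_drop(r) and r["protocol"] in ("TCP", "UDP"):
            touched[r["src-ip"]].add((r["protocol"], int(r["dst-port"])))
    return {ip: sorted(ports) for ip, ports in touched.items() if len(ports) >= min_ports}


def successful_connections(records):
    """OPEN records, written only when 'Log successful connections' is enabled: (src, dst, proto, dst-port)."""
    return [(r["src-ip"], r["dst-ip"], r["protocol"], r["dst-port"])
            for r in records if r["action"] == "OPEN"]


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    print(dropped_inbound_by_source(recs).most_common())
    print(port_scan_suspects(recs))
    print(successful_connections(recs))
```

Point parse_firewall_log at the contents of the log file configured above; a source that appears in port_scan_suspects is the kind of thing Security Center will never tell you about, since it only reports whether the firewall is on.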
Applying Configuration with GPUpdate
The GPUpdate utility refreshes Active Directory–based Group Policy settings, which include security settings. After you configure Group Policy, you can wait for the settings to apply to client computers by the standard refresh cycles. By default these refresh cycles are every 90 minutes, with a random offset of + or - 30 minutes.
To refresh Group Policy between standard cycles, use the GPUpdate utility.
Running GPUpdate
To run GPUpdate
-
From the Windows XP desktop, click Start, and then click Run.
-
In the Open box, type cmd, and then click OK.
Note: For a complete description of the available options when using GPUpdate, see the following:
-
At the command prompt, type GPUpdate, and then press ENTER.
Figure 17 GPUpdate on a command line
-
To close the command prompt, type Exit and press ENTER.
Verifying Windows Firewall Settings Are Applied
Note: When you use Group Policy to configure Windows Firewall the settings might not allow local administrators to change some elements of the configuration. Some tabs and options in the Windows Firewall dialog box are unavailable on user's local computers.
To verify Windows Firewall settings are applied
-
From Security Center, under Manage security settings for, click Windows Firewall.
-
Click the General, Exceptions, and Advanced tabs, and verify that the desired configuration is applied to Windows Firewall on the computer and then click OK to close Windows Firewall.
Note: If your configuration settings are not applied, you must troubleshoot Group Policy application. To troubleshoot Group Policy application, see the following:
Configuring Internet Explorer Security Settings
For Windows XP SP2, you can manage all Internet Explorer security settings for both computer and user configurations with new Group Policy settings.
Windows XP SP2 uses two primary areas of policy settings:
-
Security Features
-
URL Actions
Security Features policy settings let you manage specific scenarios that affect the security of Internet Explorer. In most cases you want to prevent a behavior, so you must make sure the corresponding security feature is enabled. For example, malicious content that manages to run in the Local Machine zone instead of the Internet zone could try to elevate its own privileges; to help prevent such attacks, enable the Protection from Zone Elevation policy setting.
For each of the Security Features policy settings, you can specify policy settings that control the behavior of the security features, by:
-
Internet Explorer processes
-
A list of defined processes
-
All processes regardless of where they are initiated from
A Uniform Resource Locator (URL) Action refers to an action that a browser can take that might pose a security risk to the local computer, such as an attempt to run a Java applet or an ActiveX control. URL Actions correspond to security settings in the registry that identify the action to take for that feature in the security zone where the URL resides. URL Action settings include enable, disable, prompt, and others as appropriate.
To provide security management of URL Actions in Internet Explorer, you use the new Security Page Group Policy settings under Internet Control Panel. By using Group Policy to control security for URL Actions, you can create standard Internet Explorer configurations for all users and computers in your organization.
To provide security, you can enable policies for all URL zones with the security zone template policy settings. For each of the URL Action template policy settings, you can specify one of the following security levels:
-
Low. This is typically used for URL security zones that contain Web sites that are fully trusted by the user. This is the default security level for the Trusted Sites zone.
-
Medium-low. This might be used for URL security zones that contain Web sites that are unlikely to cause damage to your computer or data. This is the default security level for the Intranet zone.
-
Medium. This might be used for URL security zones that contain Web sites that are neither trusted nor untrusted. This is the default security level for the Internet zone.
-
High. This is used for URL security zones that contain Web sites that could potentially cause damage to users’ computers or data. This is the default security level for Restricted Sites zone.
For more information about Security Features controls, see the following:
Requirements to perform this task
-
Credentials: You must log on to a Windows XP SP2 computer that is an Active Directory domain client, as a member of the Domain Admins security group and open a Group Policy Object.
-
Tools: Microsoft Management Console (MMC) with the Group policy Object Editor snap-in installed
Configuring Internet Explorer Security Settings
To configure Internet Explorer settings
-
From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.
-
On the File menu, click Add/Remove Snap-in.
-
On the Standalone tab, click Add.
-
In the Available Standalone Snap-ins list, locate then click Group Policy Object Editor, and click Add.
-
In the Select Group Policy Object dialog box, click Browse.
-
Select the Group Policy Object you want to configure, click OK, and then click Finish to exit the Group Policy Wizard.
-
Click Close to exit the Add Standalone Snap-in dialog box, and then click OK to exit the Add/Remove Snap-in dialog box and return to the management console.
-
In the console tree, open Computer Configuration, Administrative Templates, Windows Components, Internet Explorer, and then Security Features.
Figure 18 Internet Explorer Group Policy security settings
-
Use the information in table 3 to configure the Internet Explorer Security settings.
Table 3 Internet Explorer Security Features settings
| Setting | Description | Default Configuration | Recommended Configuration for an Enterprise Environment |
| Binary Behavior Security Restriction Policy | Controls whether the Binary Behavior Security Restriction setting is prevented or allowed | Not configured | Add any approved behaviors for your organization to the Admin-Approved behaviors list in the #package#behavior notation |
| MK Protocol Security Restriction | Reduces attack surface area by preventing the MK protocol | Not configured | Enabled for all processes |
| Local Machine Zone Lockdown Security | Helps to mitigate attacks that use the Local Machine zone to load malicious HTML code | Not configured | Enabled for all processes |
| Consistent MIME Handling | Determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent | Not configured | Enabled for all processes |
| MIME Sniffing Safety Feature | Determines whether Internet Explorer MIME sniffing prevents promotion of a file of one type to a more dangerous file type | Not configured | Enabled for all processes |
| Object Caching Protection | Defines whether a reference to an object is accessible when the user navigates within the same domain or to a new domain | Not configured | Enabled for all processes |
| Scripted Windows Security Restrictions | Restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other title and status bars | Not configured | Enabled for all processes |
| Protection from Zone Elevation | Helps protect the Local Machine security zone | Not configured | Enabled for all processes |
| Information Bar | Manages whether the Information Bar is displayed for Internet Explorer processes when file or code installs are restricted | Not configured | Enabled for all processes |
| Restrict ActiveX Install | Allows you to block ActiveX control installation prompts for Internet Explorer processes | Not configured | Enabled for all processes |
| Restrict File Download | Allows you to block file download prompts that are not user initiated | Not configured | Enabled for all processes |
| Add-on Management | Allows you to ensure that any Internet Explorer add-ons that are not listed in the Add-on List policy setting are denied | Not configured | Enabled for all add-ons unless specifically allowed in the add-on list |
| Network Protocol Lockdown | Specifies a restricted protocol list for the Internet, intranet, trusted sites, restricted sites, and Local Machine security zones | Not configured | Enable specific protocols for each security zone |
-
Expand Internet Control Panel
Figure 19 Internet Control Panel settings
-
Enable each setting to prevent users from gaining access to the listed Internet Explorer configuration pages. To do this, double-click each setting, click Enabled, and then click OK.
-
Expand Security Page.
Figure 20 Internet Control Panel Security Page settings
-
There are two ways to configure Security zones; you can use templates or choose each setting per zone.
Either:
-
Use the information in table 4 to configure each security zone with a Zone Template. Double-click each template option, and then click Enabled.
Or
-
Use the information in table 5 to configure each security zone separately.
Table 4 Internet Control Panel Security Zone Template settings
| Setting | Recommended Configuration | Recommended Level |
| Internet Zone Template | Enabled | Medium |
| Intranet Zone Template | Enabled | Medium-Low |
| Trusted Sites Zone Template | Enabled | Low |
| Restricted Sites Zone Template | Enabled | High |
| Local Machine Zone Template | Enabled | Low |
| Locked-Down Local Machine Zone Template | Enabled | High |
Table 5 Internet Control Panel settings per-Security Zone
| Setting | Description | Default Configuration |
| Download signed ActiveX controls | Manages the download of signed ActiveX controls from the URL zone of the HTML page that contains the control. | Not configured |
| Download unsigned ActiveX controls | Manages the download of unsigned ActiveX controls from the URL zone of the HTML page that contains the control. | Not configured |
| Initialize and script ActiveX controls not marked as safe | Manages the execution of ActiveX controls and plug-ins from HTML pages in the zone. | Not configured |
| Run ActiveX controls and plug-ins | Determines if the ActiveX control object safety is overridden or enforced for pages in the URL security zone. Object safety should be overridden only if all ActiveX controls and scripts that might interact with them on pages in the zone can be trusted not to breach security. This is an aggregate of URLACTION_ACTIVEX_OVERRIDE_DATA_SAFETY and URLACTION_ACTIVEX_OVERRIDE_SCRIPT_SAFETY. | Not configured |
| Allow active scripting | Determines if script code on the pages in the URL security zone is run or not. | Not configured |
| Scripting of Java applets | Determines whether or not script code on HTML pages in the URL security zone is allowed to use Java applets if the properties, methods, and events of the applet are exposed to scripts. | Not configured |
| Script ActiveX controls marked safe for scripting | Determines if scripts can be used for safe ActiveX controls. | Not configured |
| Access data sources across domains | Determines if the resource is allowed to access data sources across domains. | Not configured |
| Allow paste operations via script | Determines if scripts can do paste operations. | Not configured |
| Submit non-encrypted form data | Determines if HTML forms on pages in the URL security zone, or submitted to servers in the zone, are allowed. Aggregate of the URLACTION_HTML_SUBMIT_FORMS_FROM and URLACTION_HTML_SUBMIT_FORMS_TO flags. | Not configured |
| Allow font downloads | Determines if HTML font downloads are allowed. | Not configured |
| User data persistence | Determines if user data persistence is enabled. | Not configured |
| Navigate sub-frames across different domains | Determines if subframes are allowed to navigate across different domains. | Not configured |
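The names in table 5 are the labels shown on the Security tab of Internet Options. When Group Policy applies these settings, Internet Explorer stores each one as a REG_DWORD named after its URLACTION_* identifier (table 5 itself names two of them) under HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<zone number>, with 0 = Enable, 1 = Prompt and 3 = Disable. The following Python script is an added example, not part of the original article or of Windows, that decodes such a key into the table 5 names and reports any table 5 action left unconfigured, plus the two highest-risk actions if they are set to Enable in the Internet or Restricted Sites zone. The name-to-action-ID mapping and the zone numbers are the URLACTION_* and zone constants from urlmon.h; the "never enable" set and the sample zone values are this example's own choices, not recommendations taken from the article.

```python
"""Decode and audit one Internet Explorer security zone from its policy registry values.

Added example (not from the article). Only read_zone_from_registry() needs Windows;
decode_zone() and audit_zone() work on a plain {value_name: dword} dict.
"""

# Zone numbers used as subkeys of ...\Internet Settings\Zones
ZONES = {0: "Local Machine", 1: "Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}

# URLPOLICY_* values stored in each action's REG_DWORD
URLPOLICY = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Registry value name (hex URLACTION id from urlmon.h) -> table 5 setting name
TABLE5_ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1400": "Allow active scripting",
    "1402": "Scripting of Java applets",
    "1405": "Script ActiveX controls marked safe for scripting",
    "1406": "Access data sources across domains",
    "1407": "Allow paste operations via script",
    "1601": "Submit non-encrypted form data",
    "1604": "Allow font downloads",
    "1606": "User data persistence",
    "1607": "Navigate sub-frames across different domains",
}

# Auditor's choice for this example (not from the article): actions that should never be
# "Enable" in zones that hold untrusted sites.
NEVER_ENABLE_IN_UNTRUSTED_ZONES = {"1004", "1201"}
UNTRUSTED_ZONES = {3, 4}


def decode_zone(values):
    """values: {value_name: dword} as read from a Zones\\<n> key. Returns {setting_name: policy}."""
    out = {}
    for name, number in values.items():
        if name in TABLE5_ACTIONS:
            out[TABLE5_ACTIONS[name]] = URLPOLICY.get(number, f"unknown ({number})")
    return out


def audit_zone(zone, values):
    """Return a list of findings for one zone; an empty list means nothing was flagged."""
    findings = []
    zone_name = ZONES.get(zone, f"zone {zone}")
    for action in sorted(TABLE5_ACTIONS):
        if action not in values:
            findings.append(f"{zone_name}: '{TABLE5_ACTIONS[action]}' is Not configured (no policy value)")
        elif zone in UNTRUSTED_ZONES and action in NEVER_ENABLE_IN_UNTRUSTED_ZONES and values[action] == 0:
            findings.append(f"{zone_name}: '{TABLE5_ACTIONS[action]}' is Enable")
    return findings


def read_zone_from_registry(zone):
    """Read the policy key for a zone with winreg (Windows only); returns {name: dword}."""
    import winreg  # only available on Windows
    path = rf"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\{zone}"
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        index = 0
        while True:
            try:
                name, data, kind = winreg.EnumValue(key, index)
            except OSError:  # raised when no more values exist
                break
            if kind == winreg.REG_DWORD:
                values[name] = data
            index += 1
    return values


# Constructed sample: an Internet zone (3) key as Group Policy would write it, with
# "Download unsigned ActiveX controls" deliberately left on Enable to produce a finding.
SAMPLE_INTERNET_ZONE = {
    "1001": 1, "1004": 0, "1200": 0, "1201": 3, "1400": 0, "1402": 0, "1405": 0,
    "1406": 3, "1407": 0, "1601": 1, "1604": 0, "1606": 0, "1607": 3,
}

if __name__ == "__main__":
    for setting, policy in decode_zone(SAMPLE_INTERNET_ZONE).items():
        print(f"{setting:60} {policy}")
    for finding in audit_zone(3, SAMPLE_INTERNET_ZONE):
        print("FINDING:", finding)
```

On a domain member, replace the constructed dict with `read_zone_from_registry(3)` to audit the zone that Group Policy actually wrote; values that are missing from the policy key fall back to the user's own Internet Options, which is why the script reports them as Not configured.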
Applying Configuration with GPUpdate
The GPUpdate utility refreshes Active Directory–based Group Policy settings, which include security settings. After you configure Group Policy, you can wait for the settings to apply to client computers by the standard refresh cycles. By default these refresh cycles are every 90 minutes, with a random offset of + or - 30 minutes.
To refresh Group Policy between standard cycles, use the GPUpdate utility.
Running GPUpdate
To run GPUpdate
-
From the Windows XP desktop, click Start, and then click Run.
-
In the Open box, type cmd, and then click OK.
Note: For a complete description of the available options when using GPUpdate, see the following:
-
At the command prompt, type GPUpdate, and then press ENTER.
Figure 21 GPUpdate on a command line
-
To close the command prompt, type Exit and press ENTER.
Verifying Internet Explorer Security Settings Are Applied
Note: When you use Group Policy to configure Internet Explorer, the settings might not allow local administrators to change some elements of the configuration. Some tabs and options in the dialog boxes are unavailable on users' local computers.
Verifying Internet Explorer Security Settings Are Applied
To verify Internet Explorer settings are applied
-
From Security Center, under Manage security settings for, click Internet Options.
-
Click the Security, Privacy, and Advanced tabs, and verify that the desired configuration is applied to Internet Explorer on the computer and then click OK to close Internet Properties.
Note: If your configuration settings are not applied, you must troubleshoot Group Policy application. To troubleshoot Group Policy application, see the following:
Configuring Internet Communication Management Settings
Windows XP SP2 provides new Group Policy settings, which are designed primarily to control the way in which components in Windows XP SP2 communicate with the Internet. Group Policy settings allow you to manage the ability to:
In Windows XP SP2, users can click tasks in Windows Explorer to order picture prints online (Online Print Wizard), sign up for a service that offers online storage space (Add Network Place Wizard), or publish files that can be viewed in a browser (Web Publishing Wizard) as well as other tasks. The task or wizard obtains the names and URLs of these service providers from two sources: a list stored locally (in the registry) and a list stored on a Microsoft Web site. By default, Windows displays providers from a list on the Microsoft Web site in addition to providers listed in the registry.
You can use the following Group Policy settings to control the way in which these wizards and tasks work and to control the way in which these components communicate with the Internet:
-
Turn off the "Publish to Web" task for files and folders. This policy setting specifies whether the tasks needed to publish items to the Web are available from File and Folder Tasks in Windows folders. The tasks include Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web.
-
Turn off Internet download for Web publishing and online ordering wizards. This policy setting specifies whether Windows should download a list of providers for the Web Publishing Wizard, the Add Network Place Wizard, and the Online Print Wizard. By default, Windows displays providers downloaded from a Windows Web site in addition to providers specified in the registry.
-
Turn off the "Order Prints" picture task. This policy setting specifies whether the Order Prints Online task is available from Picture Tasks in Windows folders. This setting disables the Online Print Ordering Wizard.
These policy settings are available for both User and Computer Configuration.
For more information about how to control the use of the Add Network Place Wizard and the Web Publishing Wizard, see the following:
Requirements to perform this task
-
Credentials: You must log on to a Windows XP SP2 computer that is an Active Directory domain client, as a member of the Domain Admins security group and open a Group Policy Object.
-
Tools: Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.
Configuring Internet Communication Management Settings
To configure Internet Communication Management settings
-
From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.
-
On the File menu, click Add/Remove Snap-in.
-
On the Standalone tab, click Add.
-
In the Available Standalone Snap-ins list, locate then click Group Policy Object Editor, and click Add.
-
In the Select Group Policy Object dialog box, click Browse.
-
Select the Group Policy Object you want to configure, click OK, and then click Finish to exit the Group Policy Wizard.
-
Click Close to exit the Add Standalone Snap-in dialog box, then click OK to exit the Add/Remove Snap-in dialog box and return to the management console.
-
In the console tree, open Computer Configuration, Administrative Templates, System, and then Internet Communication Management.
Figure 22 Internet Communication Management settings
-
Configure the Restrict Internet communication setting to Disabled to disable all settings under Internet Communication settings, or Enabled to enable all settings under Internet Communication settings.
-
To configure each setting individually, expand Internet Communication settings, and then use table 6 to configure the settings.
Table 6 Recommended Internet Communication settings
| Setting | Description | Recommended Setting |
| Turn off the Publish to Web task for files and folders | Specifies whether the tasks, Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders | Enabled |
| Turn off Internet download for Web publishing and online ordering wizards | Controls whether Windows downloads a list of providers for the Web Publishing, Add Network Place, and Online Print wizards | Enabled |
| Turn off the Windows Messenger Customer Experience Improvement Program | Specifies whether Windows Messenger collects anonymous information about how the Windows Messenger software and service is used | Enabled |
| Turn off Search Companion content file updates | Specifies whether Search Companion should automatically download content updates during local and Internet searches | Enabled |
| Turn off printing over HTTP | Allows you to disable printing over HTTP from this client | Enabled |
| Turn off downloading of print drivers over HTTP | Controls whether the computer can download print driver packages over HTTP | Enabled |
| Turn off Windows Update device driver searching | Specifies whether Windows searches Windows Update for device drivers when no local drivers for a device are present | Disabled |
Note: Table 6 includes all the recommended settings for Internet Communication.
Applying Configuration with GPUpdate
The GPUpdate utility refreshes Active Directory–based Group Policy settings, which include security settings. After you configure Group Policy, you can wait for the settings to apply to client computers by the standard refresh cycles. By default these refresh cycles are every 90 minutes, with a random offset of + or - 30 minutes.
To refresh Group Policy between standard cycles, use the GPUpdate utility.
Running GPUpdate
To run GPUpdate
-
From the Windows XP desktop, click Start, and then click Run.
-
In the Open box, type cmd, and then click OK.
Note: For a complete description of the available options when using GPUpdate, see the following:
-
At the command prompt, type GPUpdate, and then press ENTER.
Figure 23 GPUpdate on a command line
-
To close the command prompt, type Exit and press ENTER.
Verifying Internet Communication Management Settings Are Applied
To verify Internet Communication Management settings are applied
-
Click Start, and then click My Pictures.
-
Verify under Picture Tasks that Order prints online does not appear.
-
Verify under File and Folder Tasks that Publish this folder to the Web does not appear.
-
Close My Pictures.
Note: If your configuration settings are not applied, you must troubleshoot Group Policy application. To troubleshoot Group Policy application, see the following:
Configuring DCOM Access Settings
The Microsoft Component Object Model (COM) is a system for creating software applications that can interact. DCOM allows these applications to be distributed across locations. The DCOM wire protocol transparently provides support for communication between COM components.
Note: For more information on DCOM security, see the following:
Many COM applications include some security-specific code but use weak settings, often allowing unauthenticated access between components. In Windows XP SP2, a change has been made in COM to provide computer-wide access controls that govern access to all call, activation, or launch requests on the computer. Windows XP SP2 provides a minimum authorization standard that must be passed to access any COM server on the computer.
Note: For more information on COM fixes in Windows XP SP2, see the following:
Computer-wide access control lists (ACLs) are checked on each DCOM request. If the check fails, the request is denied. There is a computer-wide ACL for:
-
Launch and activation permissions. These control authorization to start a COM server during COM activation if the server is not already running; they have four access rights:
-
Local Launch
-
Remote Launch
-
Local Activate
-
Remote Activate
-
Access permissions. These control authorization to call a running COM server; they have two access rights:
-
Local Call
-
Remote Call
The permissions can be configured through the Component Services Microsoft Management Console (MMC) and provide a minimum security standard that must be passed, regardless of the settings of the specific COM server application.
Note: By default, Windows Firewall blocks this MMC snap-in on a computer running Windows XP SP2. If you receive a security alert to this effect, click Unblock.
The default Windows XP SP2 computer restriction settings appear in table 7.
Table 7 Default DCOM access control restrictions
| Permission | Administrator | Everyone | Anonymous |
| Launch and Activation | Local Launch Local Activate Remote Launch Remote Activate | Local Launch Local Activate | No permissions set |
| Access | No permissions set | Local Call Remote Call | Local Call |
The default settings enable all local scenarios to work without modification to the software or the operating system. The defaults also enable most COM client scenarios and disable remote activations by non-administrators to installed COM servers.
If you implement a COM server and expect to support remote activation by a non-administrative COM client or remote unauthenticated calls, then you must change the default configuration for this feature.
Note: Although this document explains how to modify the default settings, if you do so you might increase the vulnerability of your computer to attack.
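The two policies edited in the following procedure store their ACLs as Security Descriptor Definition Language (SDDL) strings, which are hard to read back from the registry or from a Resultant Set of Policy report. The following Python script is an added example, not part of the original article or of Windows, that decodes such a string into the Local and Remote Launch, Activate and Call rights of table 7 and lists any principal other than Administrators that holds a remote right, which is the check to make before relaxing the defaults. The COM_RIGHTS_* bit values are the Windows SDK definitions and the two-letter rights codes are the standard SDDL mnemonics; the two sample descriptors are constructed to encode exactly the table 7 defaults and are not copied from a registry export.

```python
"""Decode DCOM machine-wide restriction SDDL into the rights vocabulary of table 7.

Added example (not from the article). Handles allow and deny ACEs, rights given
either as concatenated SDDL mnemonics or as a hex mask, and well-known SID aliases.
"""
import re

# Access-right bits used by the DCOM machine-wide ACLs (COM_RIGHTS_* in the Windows SDK)
COM_RIGHTS_EXECUTE = 0x01          # must be present for any other bit to grant anything
COM_RIGHTS_EXECUTE_LOCAL = 0x02    # "Local Call" in the Access ACL, "Local Launch" in the Launch ACL
COM_RIGHTS_EXECUTE_REMOTE = 0x04   # "Remote Call" / "Remote Launch"
COM_RIGHTS_ACTIVATE_LOCAL = 0x08   # "Local Activate" (Launch ACL only)
COM_RIGHTS_ACTIVATE_REMOTE = 0x10  # "Remote Activate" (Launch ACL only)
REMOTE_BITS = COM_RIGHTS_EXECUTE_REMOTE | COM_RIGHTS_ACTIVATE_REMOTE

# Names as they appear in the Component Services dialogs, in bit order
RIGHT_NAMES = {
    "launch": [(0x02, "Local Launch"), (0x04, "Remote Launch"),
               (0x08, "Local Activate"), (0x10, "Remote Activate")],
    "access": [(0x02, "Local Call"), (0x04, "Remote Call")],
}

# SDDL rights mnemonics; the directory-service codes reuse the low bits DCOM cares about
SDDL_RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
               "DT": 0x40, "LO": 0x80, "CR": 0x100, "GA": 0x10000000,
               "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000}

# Well-known SID abbreviations that appear in these descriptors
SID_ALIASES = {"BA": "Administrators", "WD": "Everyone", "AN": "Anonymous",
               "SY": "SYSTEM", "IU": "Interactive", "AU": "Authenticated Users"}

# (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\(([A-Z]+);([A-Z]*);([^;]*);([^;]*);([^;]*);([^)]+)\)")


def parse_rights(field):
    """Turn an SDDL rights field (hex mask or concatenated mnemonics) into an int mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError(f"odd-length rights field: {field!r}")
    mask = 0
    for i in range(0, len(field), 2):
        mask |= SDDL_RIGHTS[field[i:i + 2]]  # KeyError on an unknown mnemonic
    return mask


def parse_dacl(sddl):
    """Return [(ace_type, principal, mask)] for the D: section of an SDDL string."""
    parts = re.split(r"(O:|G:|D:|S:)", sddl)
    sections = dict(zip(parts[1::2], parts[2::2]))
    aces = []
    for ace_type, _flags, rights, _obj, _inh, sid in ACE_RE.findall(sections.get("D:", "")):
        aces.append((ace_type, SID_ALIASES.get(sid, sid), parse_rights(rights)))
    return aces


def effective_rights(sddl):
    """{principal: mask} with deny ACEs subtracted from allow ACEs for the same principal."""
    allowed, denied = {}, {}
    for ace_type, principal, mask in parse_dacl(sddl):
        bucket = allowed if ace_type == "A" else denied
        bucket[principal] = bucket.get(principal, 0) | mask
    return {p: m & ~denied.get(p, 0) for p, m in allowed.items()}


def describe(sddl, kind):
    """{principal: [right names]} using the table 7 vocabulary for 'launch' or 'access'."""
    result = {}
    for principal, mask in effective_rights(sddl).items():
        if mask & COM_RIGHTS_EXECUTE:  # without EXECUTE the other bits grant nothing
            result[principal] = [name for bit, name in RIGHT_NAMES[kind] if mask & bit]
    return result


def non_admins_with_remote(sddl):
    """Principals other than Administrators holding any remote launch, activate or call bit."""
    return sorted(p for p, m in effective_rights(sddl).items()
                  if p != "Administrators" and m & COM_RIGHTS_EXECUTE and m & REMOTE_BITS)


# Constructed SDDL encoding exactly the table 7 defaults (BA = Administrators,
# WD = Everyone, AN = Anonymous); not copied from a registry export.
TABLE7_LAUNCH = "O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)"
TABLE7_ACCESS = "O:BAG:BAD:(A;;CCDCLC;;;WD)(A;;CCDC;;;AN)"

if __name__ == "__main__":
    print("Launch and Activation:", describe(TABLE7_LAUNCH, "launch"))
    print("Access:", describe(TABLE7_ACCESS, "access"))
    print("Non-admin remote launch/activate:", non_admins_with_remote(TABLE7_LAUNCH))
    print("Non-admin remote call:", non_admins_with_remote(TABLE7_ACCESS))
```

Run against the SDDL you are about to set in DCOM: Machine Launch Restrictions, `non_admins_with_remote()` should come back empty unless you intend to allow the remote activation scenario described above; for Machine Access Restrictions it reports Everyone, which is the table 7 default for Remote Call.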
Requirements to perform this task
-
Credentials: You must log on to a Windows XP SP2 computer that is an Active Directory domain client, as a member of the Domain Admins security group and open a Group Policy Object.
-
Tools: Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.
Configuring DCOM Settings
To configure DCOM settings
-
From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.
-
On the File menu, click Add/Remove Snap-in.
-
On the Standalone tab, click Add.
-
In the Available Standalone Snap-ins list, locate then click Group Policy Object Editor, and click Add.
-
In the Select Group Policy Object dialog box, click Browse.
-
Select the Group Policy Object you want to configure, click OK, and then click Finish to exit the Group Policy Wizard.
-
Click Close to exit the Add Standalone Snap-in dialog box, then click OK to exit the Add/Remove Snap-in dialog box and return to the management console.
-
In the console tree, open Computer Configuration, Windows Settings, Security Settings, Local Policies, and then Security Options.
Figure 24 Security Options
-
Double-click DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax.
Note: For more information on SDDL, see the following:
Figure 25 DCOM: Machine Access Restrictions
-
Click Edit Security.
Figure 26 Access Permissions
-
To grant access to all of your computers for particular users of DCOM applications in the enterprise, click Add.
Figure 27 Select Users, Computers, or Groups
-
Type the user's name, and then click OK.
-
Click OK to close the Access Permission dialog box and then click OK to close the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax box.
-
Double-click DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax, and then click Edit Security. To grant launch or activation permissions to all of your computers for particular users of DCOM applications in the enterprise, click Add.
-
Type the user's name, and then click OK.
-
Click OK to close the Access Permission dialog box and then click OK to close the DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax box.
-
Close the console.
Applying Configuration with GPUpdate
The GPUpdate utility refreshes Active Directory–based Group Policy settings, which include security settings. After you configure Group Policy, you can wait for the settings to apply to client computers by the standard refresh cycles. By default these refresh cycles are every 90 minutes, with a random offset of + or - 30 minutes.
To refresh Group Policy between standard cycles, use the GPUpdate utility.
Running GPUpdate
To run GPUpdate
-
From the Windows XP desktop, click Start, and then click Run.
-
In the Open box, type cmd, and then click OK.
Note: For a complete description of the available options when using GPUpdate, see the following:
-
At the command prompt, type GPUpdate, and then press ENTER.
Figure 28 GPUpdate on a command line
-
To close the command prompt, type Exit and press ENTER.
Verifying DCOM Security Settings Are Applied
To verify DCOM settings are applied
-
Click Start and then click Control Panel.
-
Click Performance and Maintenance.
-
Under or pick a Control Panel icon, click Administrative Tools.
-
In Administrative Tools, double-click Component Services.
-
In the Component Services console, double-click Component Services, double-click Computers, right-click My Computer, and then click Properties.
-
Click COM Security, click both the Edit Defaults buttons and verify that the desired configuration for DCOM is applied and then click OK to close COM Security.
-
Close Component Services, and then close Administrative Tools.
-
Close the Control Panel.
Note: If your configuration settings are not applied, you must troubleshoot Group Policy application. To troubleshoot Group Policy application, see the following:
Configuring RPC Settings
Windows XP SP2 includes changes to the RPC service that are designed to help make RPC interfaces secure by default and reduce the attack surface of Windows XP. Two new policy settings have been added:
-
Restrictions for Unauthenticated RPC clients. This policy setting allows you to modify the behavior of all RPC interfaces on the system and, by default, eliminates remote anonymous access to RPC interfaces on the system, with some exceptions.
-
RPC Endpoint Mapper Client Authentication. This policy setting allows you to direct RPC clients that must communicate with the Endpoint Mapper Service to authenticate, provided that the RPC call for which the endpoint needs to be resolved has authentication information.
When you require RPC calls to perform authentication, even a relatively low level of authentication can help protect an interface from attack. This is particularly useful against worms that rely on exploitable buffer overruns that can be invoked remotely by using anonymous connections.
For more information on RPC security, see the following:
Requirements to perform this task
-
Credentials: You must log on to a Windows XP SP2 computer that is an Active Directory domain client, as a member of the Domain Admins security group and open a Group Policy Object.
-
Tools: Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.
Configuring RPC Settings
When you enable the Restrictions for Unauthenticated RPC clients policy setting, you can configure RPC Runtime Unauthenticated Client to Apply with one of these options:
-
Authenticated (Default). This option allows only authenticated RPC clients to connect to RPC servers that run on the computer on which the policy setting is applied. Interfaces that have asked to be exempt from this restriction are granted an exemption. This option represents the RPC_RESTRICT_REMOTE_CLIENT_DEFAULT (1) value.
-
Authenticated without exceptions. This option allows only authenticated RPC clients to connect to RPC servers running on the computer on which the policy setting is applied; it does not permit exceptions. If you select this option, a system cannot receive remote anonymous calls using RPC; it provides the highest level of security. This option represents the RPC_RESTRICT_REMOTE_CLIENT_HIGH (2) value.
-
None. This option allows all RPC clients to connect to RPC servers that run on the computer on which the policy is applied. If you select this option, the system bypasses the new RPC interface restriction. This option is equivalent to the RPC behavior in previous versions of Windows. This option represents the RPC_RESTRICT_REMOTE_CLIENT_NONE (0) value.
When you enable the RPC Endpoint Mapper Client Authentication policy setting, RPC clients that must communicate with the Endpoint Mapper Service authenticate, provided that the RPC call for which the endpoint needs to be resolved has authentication information.
When you disable the RPC Endpoint Mapper Client Authentication policy setting, RPC clients that must communicate with the Endpoint Mapper Service do not authenticate. The Endpoint Mapper Service on computers running Microsoft Windows NT 4.0 operating systems cannot process authentication information supplied in this manner. This means that if you enable this setting on a client computer, that client cannot communicate with a Windows NT 4.0 server that uses RPC if endpoint resolution is needed.
To configure RPC settings
-
From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.
-
On the File menu, click Add/Remove Snap-in.
-
On the Standalone tab, click Add.
-
In the Available Standalone Snap-ins list, locate then click Group Policy Object Editor, and click Add.
-
In the Select Group Policy Object dialog box, click Browse.
-
Select the Group Policy Object you want to configure from the list. Click OK, then click Finish to close the Group Policy Wizard.
-
Click Close to exit the Add Standalone Snap-in dialog box, then click OK to exit the Add/Remove Snap-in dialog box and return to the management console.
-
In the console tree, open Computer Configuration, Administrative Templates, System, and then Remote Procedure Call.
Figure 29 RPC settings
-
Use the configuration information above: double-click Restrictions for Unauthenticated RPC clients, click Enabled, choose Authenticated without exceptions, and then click OK.
-
Use the configuration information above: double-click RPC Endpoint Mapper Client Authentication, click Enabled, and then click OK.
-
Close the Group Policy Object.
Applying Configuration with GPUpdate
The GPUpdate utility refreshes Active Directory–based Group Policy settings, which include security settings. After you configure Group Policy, you can wait for the settings to apply to client computers by the standard refresh cycles. By default these refresh cycles are every 90 minutes, with a random offset of + or - 30 minutes.
To refresh Group Policy between standard cycles, use the GPUpdate utility.
Running GPUpdate
To run GPUpdate
-
From the Windows XP desktop, click Start, and then click Run.
-
In the Open box, type cmd, and then click OK.
Note: For a complete description of the available options when using GPUpdate, see the following:
-
At the command prompt, type GPUpdate, and then press ENTER.
Figure 30 GPUpdate on a command line
-
To close the command prompt, type Exit and press ENTER.
Verifying RPC Settings Are Applied
This procedure contains information about how to edit the registry. Before you edit the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, see the following:
Verifying RPC Settings Are Applied
To verify RPC settings are applied
-
Click Start and then click Run.
-
Type Regedit, and then click OK.
-
In the Registry Editor, double-click HKEY_LOCAL_MACHINE, and then double-click SOFTWARE\Policies\Microsoft\Windows NT\Rpc.
-
Verify that there are the following entries in the registry:
EnableAuthEPResolution REG_DWORD 0x00000001
RestrictRemoteClients REG_DWORD 0x00000002
-
Close the Registry Editor.
Note: If your configuration settings are not applied, you must troubleshoot Group Policy application. To troubleshoot Group Policy application, see the following:
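Checking the two registry entries in Regedit does not scale beyond a handful of computers. The following Python script is an added example, not part of the original article, that parses a Registry Editor export (.reg file) of the Rpc policy key, maps the RestrictRemoteClients and EnableAuthEpResolution values back to the option names explained under Configuring RPC Settings above (0, 1 and 2 being the RPC_RESTRICT_REMOTE_CLIENT_NONE, _DEFAULT and _HIGH values), and reports any deviation from the values this procedure expects. Registry value names are compared case-insensitively, as the registry itself does. The two .reg samples are constructed for the example.

```python
"""Verify the RPC policy values of this section from a .reg export.

Added example (not from the article). Parses the REG_DWORD values under
HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Rpc and interprets them.
"""
import re

RPC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc"

# RestrictRemoteClients values and the policy option each one represents
RESTRICT_REMOTE_CLIENTS = {
    0: "None (RPC_RESTRICT_REMOTE_CLIENT_NONE)",
    1: "Authenticated (RPC_RESTRICT_REMOTE_CLIENT_DEFAULT)",
    2: "Authenticated without exceptions (RPC_RESTRICT_REMOTE_CLIENT_HIGH)",
}

# What the procedure in this section expects once both policies are applied
EXPECTED = {"RestrictRemoteClients": 2, "EnableAuthEpResolution": 1}

# "Name"=dword:XXXXXXXX lines as written by Registry Editor's Export command
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the REG_DWORD values in a .reg export.
    Values of other types are ignored; keys with no dword values map to an empty dict."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            match = VALUE_RE.match(line)
            if match:
                keys[current][match.group(1)] = int(match.group(2), 16)
    return keys


def interpret_rpc_values(values):
    """Map the Rpc key's values to the Group Policy option names (names are case-insensitive)."""
    lower = {name.lower(): number for name, number in values.items()}
    rrc = lower.get("restrictremoteclients")
    eaer = lower.get("enableauthepresolution")
    return {
        "Restrictions for Unauthenticated RPC clients":
            "Not configured" if rrc is None else RESTRICT_REMOTE_CLIENTS.get(rrc, f"unknown ({rrc})"),
        "RPC Endpoint Mapper Client Authentication":
            "Not configured" if eaer is None else ("Enabled" if eaer == 1 else "Disabled"),
    }


def check_rpc_policy(export_text):
    """Compare the Rpc key in a .reg export against EXPECTED; returns a list of mismatches."""
    values = parse_reg_export(export_text).get(RPC_KEY, {})
    lower = {name.lower(): number for name, number in values.items()}
    problems = []
    for name, want in EXPECTED.items():
        got = lower.get(name.lower())
        if got != want:
            problems.append(f"{name}: expected {want}, found {'missing' if got is None else got}")
    return problems


# Constructed export from a client where both policies were applied as described above
SAMPLE_EXPORT_OK = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Rpc]
"EnableAuthEpResolution"=dword:00000001
"RestrictRemoteClients"=dword:00000002
"""

# Constructed export from a client left on the pre-SP2 behaviour (None) without Endpoint Mapper authentication
SAMPLE_EXPORT_WEAK = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Rpc]
"RestrictRemoteClients"=dword:00000000
"""

if __name__ == "__main__":
    for label, export in (("ok", SAMPLE_EXPORT_OK), ("weak", SAMPLE_EXPORT_WEAK)):
        values = parse_reg_export(export).get(RPC_KEY, {})
        print(label, interpret_rpc_values(values), check_rpc_policy(export) or "matches expected")
```

To use it on a real client, export the Rpc key from Registry Editor (File, Export) and pass the file's contents to `check_rpc_policy()`; an empty list means both entries match the values shown in the verification step.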