Windows XP Security Guide

Chapter 3: Security Settings for Windows XP Clients

Updated: April 13, 2006

Overview

This chapter describes in detail the primary security settings that are configured through Group Policy in a Microsoft® Windows® 2000 or Windows Server™ 2003 Active Directory® directory service domain. Implement the prescribed policy settings to ensure that the desktop and laptop computers in your organization that run Microsoft Windows XP Professional with Service Pack 2 (SP2) are configured securely. Guidance is not provided for all available policy settings in Windows XP, just those that are directly relevant to the security of the computer.

As described in Chapter 1, "Introduction to the Windows XP Security Guide," the guidance that is presented in this chapter is specific to the Enterprise Client (EC) and the Specialized Security – Limited Functionality (SSLF) environments that are defined in this guide. In some instances, this chapter recommends policy settings for laptops that are different than those for desktops because portable computers are mobile and not always connected to domain controllers in your environment through your organization’s network. It is also assumed that laptop users sometimes work at different times when on-site technical support is not available. For these reasons, policy settings that require connectivity to a domain controller or that govern logon hours are different for laptop client computers.

Policy settings that are not specified for specific environments are sometimes defined at the domain level, as described in Chapter 2, "Configuring the Active Directory Domain Infrastructure." Other policy settings that are listed as Not Defined in this chapter are treated in this manner because the default value is sufficiently secure for that particular environment. Also, undefined policy settings in these Group Policy objects (GPOs) facilitate the deployment of applications that need to modify settings during installation. For example, enterprise management tools may need to assign specific user rights to the local service accounts on managed computers. The guidance in this chapter consists of recommendations, and you should always carefully consider your business needs before you make any changes in your environment.

The following table defines the infrastructure (.inf) files that are available with this guidance. The files contain all of the baseline security setting prescriptions for the two environments that are discussed in this chapter.

Table 3.1 Baseline Security Templates

| Description | EC | SSLF |
|---|---|---|
| Baseline security templates for desktops | EC-Desktop.inf | SSLF-Desktop.inf |
| Baseline security templates for laptops | EC-Laptop.inf | SSLF-Laptop.inf |

For more detailed information about the policy settings that are discussed in this chapter, see the companion guide, Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available for download at http://go.microsoft.com/fwlink/?LinkId=15159.

Account Policy Settings

Account policy setting information is not provided in this chapter. These settings are discussed in Chapter 2, "Configuring the Active Directory Domain Infrastructure," of this guide.

Local Policy Settings

Local policy settings may be configured on any computer that runs Windows XP Professional through either the Local Security Policy Console or through the Active Directory domain-based GPOs. Local policy settings include those for Audit policy, user rights assignments, and security options.

Audit Policy Settings

An Audit policy determines the security events to report to administrators so that user or system activity in specified event categories is recorded. The administrator can monitor security-related activity, such as who accesses an object, when users log on to or log off from computers, or if changes are made to an Audit policy setting. For all of these reasons, Microsoft recommends that you form an Audit policy for an administrator to implement in your environment.

However, before you implement an Audit policy you must decide which event categories need to be audited in your environment. The audit settings you choose within the event categories define your Audit policy. When you define audit settings for specific event categories, an administrator can create an Audit policy that will meet the security needs of your organization.

If no audit settings are configured, it will be difficult or impossible to determine what took place during a security incident. However, if audit settings are configured so that too many authorized activities generate events, the Security event log will fill up with useless data. The information in the following sections is designed to help you decide what to monitor and how to collect relevant audit data for your organization.

You can configure the Audit policy settings in Windows XP at the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

The following table summarizes the Audit policy setting recommendations for both desktop and laptop client computers in the two types of secure environments that are discussed in this chapter. The Enterprise Client environment is referred to as EC, and the Specialized Security – Limited Functionality environment is referred to as SSLF. You should review these recommendations and adjust them as appropriate for your organization. However, be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for Audit privilege use, so many audit events will be generated that it may not be feasible to find other types of entries in the Security event log. Such a configuration could also have a significant impact on performance. More detailed information about each of the settings is provided in the following subsections.

Table 3.2 Audit Policy Setting Recommendations

| Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop |
|---|---|---|---|---|
| Audit account logon events | Success | Success | Success, Failure | Success, Failure |
| Audit account management | Success | Success | Success, Failure | Success, Failure |
| Audit directory service access | Not Defined | Not Defined | Not Defined | Not Defined |
| Audit logon events | Success | Success | Success, Failure | Success, Failure |
| Audit object access | No Auditing | No Auditing | Failure | Failure |
| Audit policy change | Success | Success | Success | Success |
| Audit privilege use | No Auditing | No Auditing | Failure | Failure |
| Audit process tracking | No Auditing | No Auditing | No Auditing | No Auditing |
| Audit system events | Success | Success | Success | Success |

Audit account logon events

If this policy setting is enabled, events for credential validation are generated. These events occur on the computer that is authoritative for the credentials. For domain accounts the domain controller is authoritative, and for local accounts the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the domain controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization depending on the accounts that are used to log on.

In this guidance, the Audit account logon events setting is configured to Success only for the EC environment and to Success and Failure for the SSLF environment.

Audit account management

This policy setting is used to track attempts to create new users or groups, rename users or groups, enable or disable user accounts, change account passwords, and enable auditing for Account Management events. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user and group accounts.

The Audit account management setting is configured to Success for the EC environment and to Success and Failure for the SSLF environment.

Audit directory service access

This policy setting can only be enabled to perform audit tasks on domain controllers. For this reason, the setting is not defined at the workstation level. This policy setting does not apply to computers that run Windows XP Professional. Therefore, ensure that the Audit directory service access setting is configured to Not Defined for the two environments that are discussed in this chapter.

Audit logon events

This policy setting generates events that record the creation and destruction of logon sessions. These events occur on the computer that is accessed. For interactive logons, these events would be generated on the computer that was logged on to. If a network logon was performed to access a share, these events would be generated on the computer that hosts the resource that was accessed.

If you configure the Audit logon events setting to No auditing, it is difficult or impossible to determine which user has either accessed or attempted to access computers in the organization.

The Audit logon events setting is configured to log Success events for the EC environment. This policy setting is configured to Success and Failure events for the SSLF environment.

Audit object access

By itself, this policy setting will not cause any events to be audited. It determines whether to audit the event of a user who accesses an object—for example, a file, folder, registry key, or printer—that has a specified system access control list (SACL).

A SACL is comprised of access control entries (ACEs). Each ACE contains three pieces of information:

The security principal (user, computer, or group) to be audited.

The specific access type to be audited, called an access mask.

A flag to indicate whether to audit failed access events, successful access events, or both.

If you configure the Audit object access setting to Success, an audit entry is generated each time that a user successfully accesses an object with a specified SACL. If you configure this policy setting to Failure, an audit entry is generated each time that a user unsuccessfully attempts to access an object with a specified SACL.

Organizations should define only the actions they want enabled when they configure SACLs. For example, you might want to enable the Write and Append Data auditing setting on executable files to track when they are changed or replaced, because computer viruses, worms, and Trojan horses typically target executable files. Similarly, you might want to track when sensitive documents are accessed or changed.

The Audit object access setting is configured to No Auditing for the EC environment and to Failure for the SSLF environment. You must enable this setting for the following procedures to take effect.

The following procedures detail how to manually set up audit rules on a file or folder and how to test each audit rule for each object in the specified file or folder. The testing procedure may be automated by means of a script file.

To define an audit rule for a file or folder

1. Locate the file or folder using Windows Explorer and select it.

2. Click the File menu and select Properties.

3. Click the Security tab, and then click the Advanced button.

4. Click the Auditing tab.

5. Click the Add button, and the Select User, Computer, or Group dialog box will display.

6. Click the Object Types... button, and in the Object Types dialog box select the object types you want to find.

Note: The User, Group, and Built-in security principal object types are selected by default.

7. Click the Locations... button, and in the Location: dialog box select either your domain or local computer.

8. In the Select User or Group dialog box, type the name of the group or user you want to audit. Then, in the Enter the object names to select dialog box, type Authenticated Users (to audit the access of all authenticated users) and click OK. The Auditing Entry dialog box will display.

9. Determine the type of access you want to audit on the file or folder using the Auditing Entry dialog box.

Note: Remember that each access may generate multiple events in the event log and cause it to grow rapidly.

10. In the Auditing Entry dialog box, next to List Folder / Read Data, select Successful and Failed, and then click OK.

11. The audit entries you have enabled will display under the Auditing tab of the Advanced Security Settings dialog box.

12. Click OK to close the Properties dialog box.

To test an audit rule for the file or folder

1. Open the file or folder.

2. Close the file or folder.

3. Start the Event Viewer. Several Object Access events with Event ID 560 will appear in the Security event log.

4. Double-click the events as needed to view their details.

Audit policy change

This policy setting determines whether to audit every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself. The recommended settings would let you see any account privileges that an attacker attempts to elevate—for example, by adding the Debug programs privilege or the Back up files and directories privilege.

The Audit policy change setting is configured to Success for the two environments that are discussed in this chapter. The setting value for Failure is not included because it will not provide meaningful access information in the Security event log.

Audit privilege use

This policy setting determines whether to audit each instance of a user exercising a user right. If you configure this value to Success, an audit entry is generated each time that a user right is exercised successfully. If you configure this value to Failure, an audit entry is generated each time that a user right is exercised unsuccessfully. This policy setting can generate a very large number of event records.

The Audit privilege use setting is configured to No Auditing for computers in the EC environment and to Failure for the SSLF environment to audit all unsuccessful attempts to use privileges.

Audit process tracking

This policy setting determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Enabling Audit process tracking will generate a large number of events, so typically it is set to No Auditing. However, this setting can provide a great benefit during an incident response from the detailed log of the processes started and the time when they were launched.

The Audit process tracking setting is configured to No Auditing for the two environments that are discussed in this chapter.

Audit system events

This policy setting is very important because it allows you to monitor system events that succeed and fail, and provides a record of these events that may help determine instances of unauthorized system access. System events include starting or shutting down computers in your environment, full event logs, or other security-related events that affect the entire system.

The Audit system events setting is configured to Success for both of the environments that are discussed in this chapter.

User Rights Assignment Settings

In conjunction with many of the privileged groups in Windows XP Professional, a number of user rights may be assigned to certain users or groups that typical users do not have.

To set the value of a user right to No One, enable the setting but do not add any users or groups to it. To set the value of a user right to Not Defined, do not enable the setting.

You can configure the user rights assignment settings in Windows XP at the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

The following table summarizes user rights assignment setting recommendations for user rights that begin with the letters A through E. Recommendations are provided for both desktop and laptop client computers in the two types of secure environments that are discussed in this chapter. More detailed information about each of the settings is provided in the following subsections.

Recommendations for user rights that begin with the rest of the letters in the alphabet are summarized in Table 3.4, and additional detailed information about those user rights is provided in the subsections that follow that table.

Note: Many features in Internet Information Server (IIS) require certain accounts such as IIS_WPG, IUSR_<ComputerName>, and IWAM_<ComputerName> to have specific privileges. For more information about what user rights are required by accounts that are related to IIS, see “IIS and Built-in Accounts (IIS 6.0)” at http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/3648346f-e4f5-474b-86c7-5a86e85fa1ff.mspx.

User Rights A – E

Table 3.3 User Rights Assignment Setting Recommendations – Part 1

| Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop |
|---|---|---|---|---|
| Access this computer from network | Not Defined | Not Defined | Administrators | Administrators |
| Act as part of the operating system | No One | No One | No One | No One |
| Adjust memory quotas for a process | Not Defined | Not Defined | Administrators, Local Service, Network Service | Administrators, Local Service, Network Service |
| Allow log on locally | Users, Administrators | Users, Administrators | Users, Administrators | Users, Administrators |
| Allow log on through Terminal Services | Not Defined | Not Defined | No One | No One |
| Back up files and directories | Not Defined | Not Defined | Administrators | Administrators |
| Bypass traverse checking | Not Defined | Not Defined | Administrators, Users | Administrators, Users |
| Change the system time | Administrators | Administrators | Administrators | Administrators |
| Create a pagefile | Administrators | Administrators | Administrators | Administrators |
| Create permanent shared objects | Not Defined | Not Defined | No One | No One |
| Create a token object | Not Defined | Not Defined | No One | No One |
| Debug programs | Administrators | Administrators | No One | No One |
| Deny access to this computer from the network | Support_388945a0, Guest | Support_388945a0, Guest | Support_388945a0, Guest | Support_388945a0, Guest |
| Deny log on as a batch job | Not Defined | Not Defined | Support_388945a0, Guest | Support_388945a0, Guest |
| Deny log on locally | Not Defined | Not Defined | Support_388945a0, Guest, any service accounts | Support_388945a0, Guest, any service accounts |
| Deny log on through Terminal Services | Not Defined | Not Defined | Everyone | Everyone |
| Enable computer and user accounts to be trusted for delegation | Not Defined | Not Defined | No One | No One |

Access this computer from network

This policy setting allows other users on the network to connect to the computer and is required by various network protocols that include Server Message Block (SMB)–based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+).

The Access this computer from network setting is configured to Not Defined for the EC environment and to Administrators for the SSLF environment.

Act as part of the operating system

This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access.

For this reason, the Act as part of the operating system setting is restricted to No One for both of the environments that are discussed in this chapter.

Adjust memory quotas for a process

This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial of service (DoS) attack.

For this reason, the Adjust memory quotas for a process setting is restricted to Administrators, Local Service, and Network Service for both computer types for the SSLF environment and configured to Not Defined for computers for the EC environment.

Allow log on locally

This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the client computer keyboard require this user right. Users who attempt to log on through Terminal Services or Microsoft Internet Information Services (IIS) also require this user right.

The Guest account is assigned this user right by default. Although this account is disabled by default, Microsoft recommends that you enable this setting through Group Policy. However, this user right should generally be restricted to the Administrators and Users groups. Assign this user right to the Backup Operators group if your organization requires that they have this capability.

The Allow log on locally setting is restricted to the Users and Administrators groups for the two environments that are discussed in this chapter.

Allow log on through Terminal Services

This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. If your organization uses Remote Assistance as part of its help desk strategy, create a group and assign it this user right through Group Policy. If the help desk in your organization does not use Remote Assistance, then assign this user right only to the Administrators group or use the restricted groups feature to ensure that no user accounts are part of the Remote Desktop Users group.

Restrict this user right to the Administrators group, and possibly the Remote Desktop Users group, to prevent unwanted users from gaining access to computers on your network by means of the new Remote Assistance feature in Windows XP Professional.

The Allow log on through Terminal Services setting is configured to Not Defined for the EC environment. For additional security this policy setting is configured to No One for the SSLF environment.

Back up files and directories

This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programming interface (API). Otherwise, the assigned file and directory permissions apply.

The Back up files and directories setting is configured to Not Defined for computers in the EC environment. This policy setting is configured to the Administrators group for the SSLF environment.

Bypass traverse checking

This policy setting allows users who do not have the special “Traverse Folder” access permission to “pass through” folders when they navigate an object path in the NTFS file system or in the registry. This user right does not allow users to list the contents of a folder, but only allows them to traverse directories.

The Bypass traverse checking setting is configured to Not Defined for computers in the EC environment. It is configured to the Administrators and Users groups for the SSLF environment.

Change the system time

This policy setting determines which users and groups can change the time and date on the internal clock of the computers in your environment. Users who are assigned this user right can affect the appearance of event logs. When a computer’s time setting is changed, logged events reflect the new time, not the actual time that the events occurred.

The Change the system time setting is configured to the Administrators group for both of the environments that are discussed in this chapter.

Note: Discrepancies between the time on the local computer and on the domain controllers in your environment may cause problems for the Kerberos authentication protocol, which could make it impossible for users to log on to the domain or obtain authorization to access domain resources after they are logged on. Also, problems will occur when Group Policy is applied to client computers if the system time is not synchronized with the domain controllers.

Create a pagefile

This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer.

The Create a pagefile setting is configured to the Administrators for all computers for both the EC environment and the SSLF environment.

Create permanent shared objects

This policy setting allows users to create directory objects in the object manager. This user right is useful to kernel-mode components that extend the object namespace. However, components that run in kernel mode have this user right inherently. Therefore, it is typically not necessary to specifically assign this user right.

The Create permanent shared objects setting is configured to Not Defined for the EC environment and to No One for the SSLF environment.

Create a token object

This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data. In environments where security is a high priority, this user right should not be assigned to any users. Any processes that require this capability should use the Local System account, which is assigned this user right by default.

The Create a token object setting is configured to Not Defined for the EC environment and to No One for the SSLF environment.

Debug programs

This policy setting determines which users can attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. This user right is required when administrators want to take advantage of patches that support “in-memory patching,” also known as “hotpatching.” For more information about the latest features in the Microsoft Package Installer, see “The Package Installer (Formerly Called Update.exe) for Microsoft Windows Operating Systems and Windows Components” at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/deployment/winupdte.mspx. Because an attacker could exploit this user right, it is assigned only to the Administrators group by default.

Note: Microsoft released several security patches in October 2003 that used a version of Update.exe that required the administrator to have the Debug programs user right. Administrators who did not have this user right were unable to install these patches until they reconfigured their user rights. For more information, see the Microsoft Knowledge Base article “Windows Product Updates may stop responding or may use most or all the CPU resources” at http://support.microsoft.com/default.aspx?kbid=830846.

The Debug programs user right is very powerful. Therefore, this policy setting is configured to Administrators for the EC environment and maintained at its default setting of No One for the SSLF environment.

Deny access to this computer from the network

This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In a high security environment, there should be no need for remote users to access data on a computer. Instead, file sharing should be accomplished through the use of network servers.

The Deny access to this computer from the network setting is configured to the Support_388945a0 and Guest accounts for computers in both of the environments that are discussed in this chapter.

Deny log on as a batch job

This policy setting prohibits user logon through a batch-queue facility, a feature in Windows Server 2003 that is used to schedule jobs to run automatically one or more times in the future.

The Deny log on as a batch job setting is configured to Not Defined for the EC environment and to Support_388945a0 and Guest for the SSLF environment.

Deny log on locally

This policy setting prohibits users from local logon to the computer console. If unauthorized users could log on locally to a computer, they could download malicious code or elevate their privileges on the computer. (If attackers have physical access to the console, there are other risks to consider.) This user right should not be assigned to those users who need physical access to the computer console.

The Deny log on locally setting is configured to Not Defined for the EC environment and to Support_388945a0 and Guest for the SSLF environment. Also, any service accounts for the SSLF environment that are added to the computer should be assigned this user right to prevent their abuse.

Deny log on through Terminal Services

This policy setting prohibits users from logging on to computers in your environment through Remote Desktop connections. If you assign this user right to the Everyone group, you also prevent members of the default Administrators group from using Terminal Services to log on to computers in your environment.

The Deny log on through Terminal Services setting is configured to Not Defined for the EC environment and to the Everyone group for the SSLF environment.

Enable computer and user accounts to be trusted for delegation

This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. Abuse of this privilege could allow unauthorized users to impersonate other users on the network.

For this reason, the Enable computer and user accounts to be trusted for delegation setting is configured to Not Defined for the EC environment and to No One for the SSLF environment.
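As an added example (not code from the guide or from its EC/SSLF templates), the following Python script parses the [Event Audit] and [Privilege Rights] sections of a secedit-style security template, such as the text of a secedit /export file, and reports every value that differs from the SSLF desktop columns of Tables 3.2 and 3.3, preserving the distinction drawn above between a right set to No One (key present with no value) and one left Not Defined (key absent). The key names and well-known SIDs are those that secedit templates use; the sample template is constructed.

```python
"""Compare a secedit security template with the SSLF desktop baseline of
Tables 3.2 and 3.3. Added example, not part of the guide or its .inf files;
key names and SIDs are the ones secedit templates use."""
import re

# [Event Audit] values: 0 = No Auditing, 1 = Success, 2 = Failure, 3 = both.
# Table 3.2, SSLF desktop column. AuditDSAccess is Not Defined, so omitted.
SSLF_AUDIT = {
    "AuditAccountLogon": 3,
    "AuditAccountManage": 3,
    "AuditLogonEvents": 3,
    "AuditObjectAccess": 2,
    "AuditPolicyChange": 1,
    "AuditPrivilegeUse": 2,
    "AuditProcessTracking": 0,
    "AuditSystemEvents": 1,
}

# Well-known SIDs in the '*S-...' form that secedit templates use.
ADMINISTRATORS, USERS, EVERYONE = "*S-1-5-32-544", "*S-1-5-32-545", "*S-1-1-0"
LOCAL_SERVICE, NETWORK_SERVICE = "*S-1-5-19", "*S-1-5-20"

# Table 3.3, SSLF desktop column (subset). An empty set means No One (key
# present with no value); a right that is Not Defined is left out entirely.
SSLF_RIGHTS = {
    "SeNetworkLogonRight": {ADMINISTRATORS},             # Access this computer from network
    "SeTcbPrivilege": set(),                             # Act as part of the operating system
    "SeIncreaseQuotaPrivilege": {ADMINISTRATORS, LOCAL_SERVICE, NETWORK_SERVICE},
    "SeInteractiveLogonRight": {USERS, ADMINISTRATORS},  # Allow log on locally
    "SeRemoteInteractiveLogonRight": set(),              # Allow log on through Terminal Services
    "SeDebugPrivilege": set(),                           # Debug programs
    "SeDenyRemoteInteractiveLogonRight": {EVERYONE},     # Deny log on through Terminal Services
    "SeEnableDelegationPrivilege": set(),                # ...trusted for delegation
}

def parse_template(text):
    """Parse INI-style template text into {section: {key: value}}. A key
    with an empty value is kept (No One); a missing key stays missing (Not
    Defined). 'secedit /export' writes UTF-16, so decode before calling."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def audit_findings(sections):
    """(key, expected, actual) for each audit category off the baseline."""
    audit = sections.get("Event Audit", {})
    findings = []
    for key, expected in SSLF_AUDIT.items():
        raw = audit.get(key)
        actual = int(raw) if raw not in (None, "") else None
        if actual != expected:
            findings.append((key, expected, actual))
    return findings

def rights_findings(sections):
    """(key, expected, actual) for each user right off the baseline;
    actual is None for Not Defined and set() for No One."""
    rights = sections.get("Privilege Rights", {})
    findings = []
    for key, expected in SSLF_RIGHTS.items():
        if key not in rights:
            findings.append((key, expected, None))
            continue
        actual = {p.strip() for p in rights[key].split(",") if p.strip()}
        if actual != expected:
            findings.append((key, expected, actual))
    return findings

# Constructed sample export: object access auditing was never enabled,
# Administrators kept Debug programs, and delegation was left Not Defined.
SAMPLE_TEMPLATE = """\
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 1
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
SeTcbPrivilege =
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20
SeInteractiveLogonRight = *S-1-5-32-545,*S-1-5-32-544
SeRemoteInteractiveLogonRight =
SeDebugPrivilege = *S-1-5-32-544
SeDenyRemoteInteractiveLogonRight = *S-1-1-0
"""
```

On the constructed sample, audit_findings reports AuditObjectAccess and rights_findings reports SeDebugPrivilege (Administrators instead of No One) and SeEnableDelegationPrivilege (Not Defined instead of No One). To check a real host, pass the decoded text of its secedit /export file to parse_template.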

User Rights F – T

Table 3.4 User Rights Assignment Setting Recommendations – Part 2

| Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop |
|---|---|---|---|---|
| Force shutdown from a remote system | Administrators | Administrators | Administrators | Administrators |
| Generate Security Audits | Local Service, Network Service | Local Service, Network Service | Local Service, Network Service | Local Service, Network Service |
| Increase scheduling priority | Administrators | Administrators | Administrators | Administrators |
| Load and unload device drivers | Administrators | Administrators | Administrators | Administrators |
| Lock pages in memory | No One | No One | No One | No One |
| Log on as a batch job | Not Defined | Not Defined | No One | No One |
| Log on as a service | Not Defined | Not Defined | Network Service, Local Service | Network Service, Local Service |
| Manage auditing and security log | Administrators | Administrators | Administrators | Administrators |
| Modify firmware environment variables | Administrators | Administrators | Administrators | Administrators |
| Perform volume maintenance tasks | Administrators | Administrators | Administrators | Administrators |
| Profile single process | Not Defined | Not Defined | Administrators | Administrators |
| Profile system performance | Administrators | Administrators | Administrators | Administrators |
| Remove computer from docking station | Administrators, Users | Administrators, Users | Administrators, Users | Administrators, Users |
| Replace a process level token | Local Service, Network Service | Local Service, Network Service | Local Service, Network Service | Local Service, Network Service |
| Restore files and directories | Not Defined | Not Defined | Administrators | Administrators |
| Shut down the system | Administrators, Users | Administrators, Users | Administrators, Users | Administrators, Users |
| Take ownership of files or other objects | Administrators | Administrators | Administrators | Administrators |

This table summarizes user rights assignment setting recommendations for user rights that begin with the letters F through T. More detailed information about each of the settings is provided in the following subsections.

Force shutdown from a remote system

This policy setting allows users to shut down Windows XP–based computers from remote locations on the network. Anyone that has been assigned this user right can cause a denial of service (DoS) condition, which would make the computer unavailable to service user requests. Therefore, Microsoft recommends that only highly trusted administrators be assigned this user right.

The Force shutdown from a remote system setting is configured to the Administrators group for both of the environments that are discussed in this chapter.

Generate Security Audits

This policy setting determines which users or processes can generate audit records in the Security log. An attacker could use this capability to create a large number of audited events, which would make it more difficult for a system administrator to locate any illicit activity. Also, if the event log is configured to overwrite events as needed, any evidence of unauthorized activities could be overwritten by a large number of unrelated events.

For this reason, the Generate Security Audits setting is configured to the Local Service and Network Service groups for both of the environments that are discussed in this chapter.

Increase scheduling priority

This policy setting allows users to change the amount of processor time that a process utilizes. An attacker could use this capability to increase the priority of a process to real-time and create a denial of service condition for a computer.

For this reason, the Increase scheduling priority setting is configured to the Administrators group for both of the environments that are discussed in this chapter.

Load and unload device drivers

This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this capability to install malicious code that appears to be a device driver. This user right and membership in either the Power Users group or the Administrators group is required for users to add local printers or printer drivers in Windows XP.

Because this user right could be used by an attacker, the Load and unload device drivers setting is configured to the Administrators group for both of the environments that are discussed in this chapter.

Lock pages in memory

This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. If this user right is assigned, significant degradation of system performance can occur.

For this reason, the Lock pages in memory setting is configured to No One for both of the environments that are discussed in this chapter.

Log on as a batch job

This policy setting allows accounts to log on using the task scheduler service. Because the task scheduler is often used for administrative purposes, it may be needed in the EC environment. However, its use should be restricted in the SSLF environment to prevent misuse of system resources or to prevent attackers from using the right to launch malicious code after gaining user level access to a computer.

Therefore, the Log on as a batch job user right is configured to Not Defined for the EC environment and to No One for the SSLF environment.

Log on as a service

This policy setting allows accounts to launch network services or to register a process as a service running on the system. This user right should be restricted on any computer in a SSLF environment, but because many applications may require this privilege, it should be carefully evaluated and tested before configuring it in an EC environment.

The Log on as a service setting is configured to Not Defined for the EC environment and to Network Service and Local Service for the SSLF environment.

Manage auditing and security log

This policy setting determines which users can change the auditing options for files and directories as well as clear the Security log.

Because this capability represents a relatively small threat, the Manage auditing and security log setting enforces the default value of the Administrators group for both of the environments that are discussed in this chapter.

Modify firmware environment variables

This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration. Modification of these values could lead to a hardware failure that would result in a denial of service condition.

Because this capability represents a relatively small threat, the Modify firmware environment variables setting enforces the default value of the Administrators group for both of the environments that are discussed in this chapter.

Perform volume maintenance tasks

This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial of service condition.

The Perform volume maintenance tasks setting enforces the default value of the Administrators group for both of the environments that are discussed in this chapter.

Profile single process

This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if System Monitor is configured to collect data using Windows Management Instrumentation (WMI). Restricting the Profile single process user right prevents intruders from gaining additional information that could be used to mount an attack on the system.

The Profile single process setting is configured to Not Defined for computers in the EC environment and to the Administrators group for the SSLF environment.

Profile system performance

This policy setting allows users to use tools to view the performance of different system processes, which could be abused to allow attackers to determine a system's active processes and provide insight into the potential attack surface of the computer.

The Profile system performance setting enforces the default of the Administrators group for both of the environments that are discussed in this chapter.

Remove computer from docking station

This policy setting allows the user of a portable computer to click Eject PC on the Start menu to undock the computer.

The Remove computer from docking station setting is configured to the Administrators and Users groups for both of the environments that are discussed in this chapter.

Replace a process level token

This policy setting allows one process or service to start another service or process with a different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges.

The Replace a process level token setting is configured to the default values of Local Service and Network Service for both of the environments that are discussed in this chapter.

Restore files and directories

This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories on computers that run Windows XP in your environment. This user right also determines which users can set valid security principals as object owners; it is similar to the Back up files and directories user right.

The Restore files and directories setting is configured to Not Defined for the EC environment and to the Administrators group for the SSLF environment.

Shut down the system

This policy setting determines which users who are logged on locally to the computers in your environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition. In high security environments, Microsoft recommends that this right only be assigned to the Administrators and Users groups.

The Shut down the system setting is configured to the Administrators and Users groups for both of the environments that are discussed in this chapter.

Take ownership of files or other objects

This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects and gives ownership to the specified user.

The Take ownership of files or other objects setting is configured to the default value of the Administrators group for both of the environments that are discussed in this chapter.
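The recommendations in Table 3.4 are applied through security templates, and the same file format is what `secedit /export` produces when you audit a machine. The following script is an added example (not part of this guide or Microsoft's tooling): it parses the [Privilege Rights] section of a secedit-style export, translates the well-known SIDs back to the group names used in the table, and reports every right whose holders differ from the EC desktop or SSLF desktop column. The export text, including the local account `svc-backup`, is constructed for the example; Not Defined rows are skipped, and an empty right-hand side is treated as No One.

```python
"""Audit the [Privilege Rights] section of a secedit /export file against
the desktop columns of Table 3.4. Added example, not part of the guide;
the export below is constructed."""

A, U, LS, NS = "Administrators", "Users", "Local Service", "Network Service"
ND = None  # "Not Defined": the template leaves the current assignment alone

# (Table 3.4 setting, secedit privilege constant, EC desktop, SSLF desktop);
# an empty set is "No One".
TABLE_3_4 = [
    ("Force shutdown from a remote system", "SeRemoteShutdownPrivilege", {A}, {A}),
    ("Generate Security Audits", "SeAuditPrivilege", {LS, NS}, {LS, NS}),
    ("Increase scheduling priority", "SeIncreaseBasePriorityPrivilege", {A}, {A}),
    ("Load and unload device drivers", "SeLoadDriverPrivilege", {A}, {A}),
    ("Lock pages in memory", "SeLockMemoryPrivilege", set(), set()),
    ("Log on as a batch job", "SeBatchLogonRight", ND, set()),
    ("Log on as a service", "SeServiceLogonRight", ND, {NS, LS}),
    ("Manage auditing and security log", "SeSecurityPrivilege", {A}, {A}),
    ("Modify firmware environment variables", "SeSystemEnvironmentPrivilege", {A}, {A}),
    ("Perform volume maintenance tasks", "SeManageVolumePrivilege", {A}, {A}),
    ("Profile single process", "SeProfileSingleProcessPrivilege", ND, {A}),
    ("Profile system performance", "SeSystemProfilePrivilege", {A}, {A}),
    ("Remove computer from docking station", "SeUndockPrivilege", {A, U}, {A, U}),
    ("Replace a process level token", "SeAssignPrimaryTokenPrivilege", {LS, NS}, {LS, NS}),
    ("Restore files and directories", "SeRestorePrivilege", ND, {A}),
    ("Shut down the system", "SeShutdownPrivilege", {A, U}, {A, U}),
    ("Take ownership of files or other objects", "SeTakeOwnershipPrivilege", {A}, {A}),
]
COLUMN = {"EC desktop": 2, "SSLF desktop": 3}

# Well-known SIDs as they appear (with a leading "*") in a secedit export.
SID_NAMES = {"S-1-5-32-544": A, "S-1-5-32-545": U, "S-1-5-19": LS, "S-1-5-20": NS}

# Constructed export: drivers can also be loaded by Users, and a local
# account "svc-backup" (constructed) plus Administrators hold batch logon.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeIncreaseBasePriorityPrivilege = *S-1-5-32-544
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeLockMemoryPrivilege =
SeBatchLogonRight = *S-1-5-32-544,svc-backup
SeServiceLogonRight = *S-1-5-20,*S-1-5-19
SeSecurityPrivilege = *S-1-5-32-544
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeManageVolumePrivilege = *S-1-5-32-544
SeProfileSingleProcessPrivilege = *S-1-5-32-544
SeSystemProfilePrivilege = *S-1-5-32-544
SeUndockPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeRestorePrivilege = *S-1-5-32-544
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeTakeOwnershipPrivilege = *S-1-5-32-544
"""


def parse_privilege_rights(inf_text):
    """Return {privilege constant: set of holders} from [Privilege Rights].
    Holders are SIDs (the "*" prefix stripped) or unresolved account names;
    an empty right-hand side means no one holds the right."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {h.strip().lstrip("*") for h in value.split(",") if h.strip()}
    return rights


def audit(inf_text, profile):
    """Return [(setting, expected, actual)] for every Table 3.4 right that is
    defined for the profile and differs in the export. Unknown SIDs or
    account names are kept verbatim so unexpected holders stay visible."""
    rights = parse_privilege_rights(inf_text)
    col = COLUMN[profile]
    findings = []
    for row in TABLE_3_4:
        setting, privilege, expected = row[0], row[1], row[col]
        if expected is ND:
            continue
        actual = {SID_NAMES.get(h, h) for h in rights.get(privilege, set())}
        if actual != expected:
            findings.append((setting, sorted(expected), sorted(actual)))
    return findings


if __name__ == "__main__":
    for profile in COLUMN:
        for setting, want, got in audit(SAMPLE_EXPORT, profile):
            print(f"{profile}: {setting}: expected {want}, found {got}")
```

Against the SSLF desktop column the constructed export yields two findings (drivers loadable by Users, and batch logon held by anyone at all); against the EC desktop column only the driver finding remains, because Log on as a batch job is Not Defined there. A right that is absent from the export is treated as held by no one, so a missing line for a right that should go to Administrators is also reported.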

Security Option Settings

The security option settings that are applied through Group Policy on computers that run Windows XP in your environment are used to enable or disable capabilities and features such as floppy disk drive access, CD-ROM drive access, and logon prompts. These settings are also used to configure various other settings, such as those for the digital signing of data, administrator and guest account names, and how driver installation works.

You can configure the security option settings in the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Not all of the settings that are included in this section exist on all types of systems. Therefore, the settings that comprise the Security Options portion of Group Policy that are defined in this section may need to be manually modified on systems in which these settings are present to make them fully operable. Alternatively, the Group Policy templates can be edited individually to include the appropriate setting options so that the prescribed settings will take full effect.

The following sections provide security option setting recommendations, and are grouped by type of object. Each section includes a table that summarizes the settings, and detailed information is provided in the subsections that follow each table. Recommendations are provided for both desktop and laptop client computers in the two types of secure environments that are discussed in this chapter—the Enterprise Client (EC) environment and the Specialized Security – Limited Functionality (SSLF) environment.

Accounts

The following table summarizes the recommended security option settings for accounts. Additional information is provided in the subsections that follow the table.

Table 3.5 Security Option Setting Recommendations – Accounts

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Accounts: Administrator account status | Not Defined | Not Defined | Enabled | Enabled
Accounts: Guest account status | Disabled | Disabled | Disabled | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled | Enabled | Enabled | Enabled
Accounts: Rename administrator account | Recommended | Recommended | Recommended | Recommended
Accounts: Rename guest account | Recommended | Recommended | Recommended | Recommended

Accounts: Administrator account status

This policy setting enables or disables the Administrator account during normal operation. When a computer is booted into safe mode, the Administrator account is always enabled, regardless of how this setting is configured.

The Accounts: Administrator account status setting is configured to Not Defined for the EC environment and to Enabled for the SSLF environment.

Accounts: Guest account status

This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system.

The Accounts: Guest account status security option setting is configured to Disabled for the two environments that are discussed in this chapter.

Accounts: Limit local account use of blank passwords to console logon only

This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts with blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer.

The Accounts: Limit local account use of blank passwords to console logon only setting is configured to Enabled for the two environments that are discussed in this chapter.

Accounts: Rename administrator account

The built-in local administrator account is a well-known account name that attackers will target. Microsoft recommends that you choose another name for this account, and that you avoid names that denote administrative or elevated access accounts. Be sure to also change the default description for the local administrator (through the Computer Management console).

The recommendation to use the Accounts: Rename administrator account setting applies to both of the environments that are discussed in this chapter.

Note: This policy setting is not configured in the security templates, nor is a new username for the account suggested in this guidance. Suggested usernames are omitted to ensure that organizations that implement this guidance will not use the same new username in their environments.

Accounts: Rename guest account

The built-in local guest account is another well-known name to hackers. Microsoft also recommends that you rename this account to something that does not indicate its purpose. Even if you disable this account (which is recommended), ensure that you rename it for added security.

The recommendation to use the Accounts: Rename guest account setting applies to both of the environments that are discussed in this chapter.

Note: This policy setting is not configured in the security templates, nor is a new username for the account suggested here. Suggested usernames are omitted to ensure that organizations that implement this guidance will not use the same new username in their environments.

Audit

The following table summarizes the recommended Audit settings. Additional information is provided in the subsections that follow the table.

Table 3.6 Security Option Setting Recommendations – Audit

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Audit: Audit the access of global system objects | Not Defined | Not Defined | Disabled | Disabled
Audit: Audit the use of Backup and Restore privilege | Not Defined | Not Defined | Disabled | Disabled
Audit: Shut down system immediately if unable to log security audits | Not Defined | Not Defined | Not Defined | Not Defined

Audit: Audit the access of global system objects

This policy setting creates a default System Access Control List (SACL) for system objects such as mutexes, events, semaphores, and MS-DOS® devices, and causes access to these system objects to be audited.

If the Audit: Audit the access of global system objects setting is enabled, a very large number of security events could quickly fill the Security event log. Therefore, this policy setting is configured to Not Defined for the EC environment and Disabled for the SSLF environment.

Audit: Audit the use of Backup and Restore privilege

This policy setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use setting is in effect. If you enable both policies, an audit event will be generated for every file that is backed up or restored.

If the Audit: Audit the use of Backup and Restore privilege setting is enabled, a very large number of security events could quickly fill the Security event log. Therefore, this policy setting is configured to Not Defined for the EC environment and Disabled for the SSLF environment.

Audit: Shut down system immediately if unable to log security audits

This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason.

If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. Therefore, this policy setting is configured to Not Defined for both of the environments that are discussed in this chapter.

Devices

The following table summarizes the recommended security option settings for devices. Additional information is provided in the subsections that follow the table.

Table 3.7 Security Option Setting Recommendations – Devices

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Devices: Allow undock without having to log on | Not Defined | Not Defined | Disabled | Disabled
Devices: Allowed to format and eject removable media | Administrator, Interactive Users | Administrator, Interactive Users | Administrators | Administrators
Devices: Prevent users from installing printer drivers | Enabled | Disabled | Enabled | Disabled
Devices: Restrict CD-ROM access to locally logged on user only | Not Defined | Not Defined | Disabled | Disabled
Devices: Restrict floppy access to locally logged on user only | Not Defined | Not Defined | Disabled | Disabled
Devices: Unsigned driver installation behavior | Warn but allow installation | Warn but allow installation | Warn but allow installation | Warn but allow installation

Devices: Allow undock without having to log on

This policy setting determines whether a portable computer can be undocked if the user does not log on to the system. Enable this policy setting to eliminate a logon requirement and allow use of an external hardware eject button to undock the computer. If you disable this policy setting, a user who is not logged on must have been assigned the Remove computer from docking station user right (not defined in this guidance).

The Devices: Allow undock without having to log on setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

Devices: Allowed to format and eject removable media

This policy setting determines who is allowed to format and eject removable media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges.

The Devices: Allowed to format and eject removable media setting is restricted to the Administrators and Interactive Users groups for the EC environment, and to the Administrators group only for the SSLF environment for added security.

Devices: Prevent users from installing printer drivers

It is feasible for a hacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network. To reduce the possibility of such an event, only administrators should be allowed to install printer drivers. However, because laptops are mobile devices, laptop users may need to occasionally install a printer driver from a remote source in order to continue their work. Therefore, this policy setting should be disabled for laptop users, but always enabled for desktop users.

The Devices: Prevent users from installing printer drivers setting is configured to Enabled for desktops in both of the environments that are discussed in this chapter and to Disabled for laptop users in both of the environments.

Devices: Restrict CD-ROM access to locally logged on user only

This policy setting determines whether the CD-ROM drive is accessible to both local and remote users simultaneously. If you enable this policy setting, only interactively logged on users are allowed to access media from the CD-ROM drive. When this policy setting is enabled and no one is logged on, the CD-ROM drive can be accessed over the network. If you enable this setting, the Windows Backup utility will fail if volume shadow copies were specified for the backup job. Any third-party backup products that use volume shadow copies will also fail.

The Devices: Restrict CD-ROM access to locally logged on user only setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

Devices: Restrict floppy access to locally logged on user only

This policy setting determines whether the floppy drive is accessible to both local and remote users simultaneously. If you enable this policy setting, only interactively logged on users are allowed to access floppy drive media. When this policy setting is enabled and no one is logged on, floppy drive media can be accessed over the network. If you enable this setting, the Windows Backup utility will fail if volume shadow copies were specified for the backup job. Any third-party backup products that use volume shadow copies will also fail.

The Devices: Restrict floppy access to locally logged on user only setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

Devices: Unsigned driver installation behavior

This policy setting determines what happens when an attempt is made to install a device driver (by means of the Setup API) that has not been approved and signed by the Windows Hardware Quality Lab (WHQL). This option prevents the installation of unsigned drivers or warns the administrator that an unsigned driver is about to be installed, which can prevent installation of drivers that have not been certified to run on Windows XP. If you configure this policy setting to the Warn but allow installation value, one potential problem is that unattended installation scripts will fail when they attempt to install unsigned drivers.

For this reason, the Devices: Unsigned driver installation behavior setting is configured to Warn but allow installation for both of the environments that are discussed in this chapter.

Note: If you implement this policy setting, the client computers should be fully configured with all of your standard software applications before Group Policy is applied to mitigate the risk of installation errors that are caused by the setting.

Domain Member

The following table summarizes the recommended security option settings for domain members. Additional information is provided in the subsections that follow the table.

Table 3.8 Security Option Setting Recommendations – Domain Member

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | Enabled | Enabled | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled | Enabled | Enabled | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled | Enabled | Enabled | Enabled
Domain member: Disable machine account password changes | Disabled | Disabled | Disabled | Disabled
Domain member: Maximum machine account password age | 30 days | 30 days | 30 days | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Enabled | Enabled | Enabled | Enabled

Domain member: Digitally encrypt or sign secure channel data (always)

This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. If a system is set to always encrypt or sign secure channel data, then it cannot establish a secure channel with a domain controller that is not capable of signing or encrypting all secure channel traffic, because all secure channel data is signed and encrypted.

The Domain member: Digitally encrypt or sign secure channel data (always) setting is configured to Enabled for both of the environments that are discussed in this chapter.

Domain member: Digitally encrypt secure channel data (when possible)

This policy setting determines whether a domain member may attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member will request encryption of all secure channel traffic. If you disable this policy setting, the domain member will be prevented from negotiating secure channel encryption.

The Domain member: Digitally encrypt secure channel data (when possible) setting is configured to Enabled for both of the environments that are discussed in this chapter.

Domain member: Digitally sign secure channel data (when possible)

This policy setting determines whether a domain member may attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network.

The Domain member: Digitally sign secure channel data (when possible) setting is configured to Enabled for both of the environments that are discussed in this chapter.

Domain member: Disable machine account password changes

This policy setting determines whether a domain member may periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its computer account password. If you disable this policy setting, the domain member can change its computer account password as specified by the Domain Member: Maximum machine account password age setting, which by default is every 30 days. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker may be able to determine the password for the system's domain account.

Therefore, the Domain member: Disable machine account password changes setting is configured to Disabled for both of the environments that are discussed in this chapter.

Domain member: Maximum machine account password age

This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly or set it to 0 so that the computers no longer change their passwords, an attacker would have more time to undertake a brute force attack against one of the computer accounts.

Therefore, the Domain member: Maximum machine account password age setting is configured to 30 days for both of the environments that are discussed in this chapter.

Domain member: Require strong (Windows 2000 or later) session key

When this policy setting is enabled, a secure channel may only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key.

To enable this policy setting, all domain controllers in the domain must be able to encrypt secure channel data with a strong key, which means all domain controllers must be running Microsoft Windows 2000 or later. If communication to non-Windows 2000 domains is required, Microsoft recommends that you disable this policy setting.

The Domain member: Require strong (Windows 2000 or later) session key setting is configured to Enabled for both of the environments that are discussed in this chapter.

Interactive Logon

The following table summarizes the recommended security option settings for interactive logon. Additional information is provided in the subsections that follow the table.

Table 3.9 Security Option Setting Recommendations – Interactive Logon

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Interactive Logon: Do not display last user name | Enabled | Enabled | Enabled | Enabled
Interactive Logon: Do not require CTRL+ALT+DEL | Disabled | Disabled | Disabled | Disabled
Interactive Logon: Message text for users attempting to log on | This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. | This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. | This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. | This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted.
Interactive Logon: Message title for users attempting to log on | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION. | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION. | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION. | IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION.
Interactive Logon: Number of previous logons to cache (in case domain controller is not available) | 2 | 2 | 0 | 2
Interactive Logon: Prompt user to change password before expiration | 14 days | 14 days | 14 days | 14 days
Interactive Logon: Require Domain Controller authentication to unlock workstation | Enabled | Disabled | Enabled | Disabled
Interactive Logon: Smart card removal behavior | Lock Workstation | Lock Workstation | Lock Workstation | Lock Workstation

Interactive Logon: Do not display last user name

This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization.

The Interactive logon: Do not display last user name setting is configured to Enabled for the two environments that are discussed in this chapter.

Interactive Logon: Do not require CTRL+ALT+DEL

The CTRL+ALT+DEL key combination establishes a trusted path to the operating system when a user enters a username and password. When this policy setting is enabled, users are not required to use this key combination to log on to the network. However, this configuration poses a security risk because it provides an opportunity for users to log on with weaker logon credentials.

The Interactive logon: Do not require CTRL+ALT+DEL setting is configured to Disabled for the two environments that are discussed in this chapter.

Interactive Logon: Message text for users attempting to log on

This policy setting specifies a text message that displays to users when they log on. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. The message text that is specified in the previous table is a recommended example for both the EC and SSLF environments.

The Interactive Logon: Message text for users attempting to log on setting is enabled with suitable text for both of the environments that are discussed in this chapter.

Note: Any warning that you display should first be approved by your organization's legal and human resources representatives. Also, the Interactive logon: Message text for users attempting to log on and the Interactive logon: Message title for users attempting to log on settings must both be enabled for either one to work properly.

Interactive Logon: Message title for users attempting to log on

This policy setting allows text to be specified in the title bar of the window that users see when they log on to the system. The reason for this policy setting is the same as for the previous message text setting. Organizations that do not use this policy setting are more legally vulnerable to trespassers who attack the system.

Therefore, the Interactive Logon: Message title for users attempting to log on setting is enabled with suitable text for both of the environments that are discussed in this chapter.

Note: Any warning that you display should first be approved by your organization's legal and human resources representatives. Also, the Interactive logon: Message text for users attempting to log on and the Interactive logon: Message title for users attempting to log on settings must both be enabled for either one to work properly.

Interactive Logon: Number of previous logons to cache (in case domain controller is not available)

This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a domain controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. The default value for this policy setting is 10. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords.

The Interactive logon: Number of previous logons to cache (in case domain controller is not available) setting is configured to 2 for both desktop and laptop computers in the EC environment and for the laptop computers in the SSLF environment. However, this policy setting is configured to 0 for desktops in the SSLF environment because these computers should always be securely connected to the organization’s network.

Interactive Logon: Prompt user to change password before expiration

This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently warn users when their passwords will expire.

The Interactive logon: Prompt user to change password before expiration setting is configured to 14 days for both of the environments that are discussed in this chapter.

Interactive Logon: Require Domain Controller authentication to unlock workstation

When this policy setting is enabled, a domain controller must authenticate the domain account used to unlock the computer. When this policy setting is disabled, cached credentials can be used to unlock the computer. Microsoft recommends that this policy setting be disabled for laptop users in both environments, because mobile users do not have network access to domain controllers.

The Interactive logon: Require Domain Controller authentication to unlock workstation setting is configured to Enabled for desktop computers in both the EC and SSLF environments. However, this policy setting is configured to Disabled for laptops in both of the environments, which allows these users to work when they are away from the office.

Interactive Logon: Smart card removal behavior

This policy setting determines what happens when the smart card for a logged on user is removed from the smart card reader. When configured to Lock Workstation, this policy setting locks the workstation when the smart card is removed, which allows users to leave the area, take their smart cards with them, and automatically lock their workstations. If you configure this policy setting to Force Logoff, users will be automatically logged off when the smart card is removed.

The Interactive logon: Smart card removal behavior setting is configured to the Lock Workstation option for both of the environments that are discussed in this chapter.

Microsoft Network Client

The following table summarizes the recommended security option settings for Microsoft network client computers. Additional information is provided in the subsections that follow the table.

Table 3.10 Security Option Setting Recommendations – Microsoft Network Client

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Microsoft network client: Digitally sign communications (always) | Enabled | Enabled | Enabled | Enabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Enabled | Enabled | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled | Disabled | Disabled

Microsoft network client: Digitally sign communications (always)

This policy setting determines whether packet signing is required by the SMB client component. If you enable this policy setting, the Microsoft network client computer cannot communicate with a Microsoft network server unless that server agrees to sign SMB packets. In mixed environments with legacy client computers, set this option to Disabled because these computers will not be able to authenticate or gain access to domain controllers. However, you can use this policy setting in Windows 2000 or later environments.

The Microsoft network client: Digitally sign communications (always) setting is configured to Enabled for both of the environments that are discussed in this chapter.

Note: When Windows XP computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more details about these settings, see the "Microsoft network client and server: Digitally sign communications (four related settings)" section in Chapter 5 of the companion guide Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP, which is available for download at http://go.microsoft.com/fwlink/?LinkId=15159.

Microsoft network client: Digitally sign communications (if server agrees)

This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. The implementation of digital signing in Windows networks helps to prevent sessions from being hijacked. If you enable this policy setting, the Microsoft network client will use signing only if the server with which it communicates accepts digitally signed communication.

The Microsoft network client: Digitally sign communications (if server agrees) setting is configured to Enabled for the two environments that are discussed in this chapter.

Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment.

Microsoft network client: Send unencrypted password to third-party SMB servers

Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to non-Microsoft SMB servers that do not support password encryption. Microsoft recommends that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network.

The Microsoft network client: Send unencrypted password to third-party SMB servers setting is configured to Disabled for the two environments that are discussed in this chapter.

Microsoft Network Server

The following table summarizes the recommended security option settings for Microsoft network servers. Additional information is provided in the subsections that follow the table.

Table 3.11 Security Option Setting Recommendations – Microsoft Network Server

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Microsoft network server: Amount of idle time required before suspending session | 15 minutes | 15 minutes | 15 minutes | 15 minutes
Microsoft network server: Digitally sign communications (always) | Enabled | Enabled | Enabled | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled | Enabled | Enabled | Enabled

Microsoft network server: Amount of idle time required before suspending session

This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.

The Microsoft network server: Amount of idle time required before suspending session setting is configured to Enabled for a period of 15 minutes in both of the environments that are discussed in this chapter.

Microsoft network server: Digitally sign communications (always)

This policy setting determines if the server side SMB service is required to perform SMB packet signing. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server.

The Microsoft network server: Digitally sign communications (always) setting is configured to Enabled for both of the environments that are discussed in this chapter.

Microsoft network server: Digitally sign communications (if client agrees)

This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled.

The Microsoft network server: Digitally sign communications (if client agrees) setting is configured to Enabled for the two environments that are discussed in this chapter.

Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment.

Network Access

The following table summarizes the recommended security option settings for network access. Additional information is provided in the subsections that follow the table.

Table 3.12 Security Option Setting Recommendations – Network Access

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Network access: Allow anonymous SID/Name translation | Disabled | Disabled | Disabled | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled | Enabled | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Enabled | Enabled | Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled | Enabled | Enabled | Enabled
Network access: Let Everyone permissions apply to anonymous users | Disabled | Disabled | Disabled | Disabled
Network access: Named Pipes that can be accessed anonymously | Not Defined | Not Defined | See the following setting description for the complete list of named pipes | See the following setting description for the complete list of named pipes
Network access: Remotely accessible registry paths | Not Defined | Not Defined | See the following setting description for the complete list of paths | See the following setting description for the complete list of paths
Network access: Shares that can be accessed anonymously | Not Defined | Not Defined | comcfg, dfs$ | comcfg, dfs$
Network access: Sharing and security model for local accounts | Classic – local users authenticate as themselves | Classic – local users authenticate as themselves | Classic – local users authenticate as themselves | Classic – local users authenticate as themselves

Network access: Allow anonymous SID/Name translation

This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding username. Disable this policy setting to prevent unauthenticated users from obtaining usernames that are associated with their respective SIDs.

The Network access: Allow anonymous SID/Name translation setting is configured to Disabled for the two environments that are discussed in this chapter.

Network access: Do not allow anonymous enumeration of SAM accounts

This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the workstations in your environment. This policy setting also allows additional restrictions on anonymous connections.

The Network access: Do not allow anonymous enumeration of SAM accounts setting is configured to Enabled for the two environments that are discussed in this chapter.

Network access: Do not allow anonymous enumeration of SAM accounts and shares

This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the workstations in your environment.

The Network access: Do not allow anonymous enumeration of SAM accounts and shares setting is configured to Enabled for the two environments that are discussed in this chapter.

Network access: Do not allow storage of credentials or .NET Passports for network authentication

This policy setting controls the storage of authentication credentials and passwords on the local system.

The Network access: Do not allow storage of credentials or .NET Passports for network authentication setting is configured to Enabled for the two environments that are discussed in this chapter.

Network access: Let Everyone permissions apply to anonymous users

This policy setting determines what additional permissions are assigned for anonymous connections to the computer. If you enable this policy setting, anonymous Windows users are allowed to perform certain activities, such as enumerate the names of domain accounts and network shares. An unauthorized user could anonymously list account names and shared resources and use the information to guess passwords or perform social engineering attacks.

Therefore, the Network access: Let Everyone permissions apply to anonymous users setting is configured to Disabled for both of the environments that are discussed in this chapter.

Network access: Named Pipes that can be accessed anonymously

This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access.

For the EC environment the Network access: Named Pipes that can be accessed anonymously setting is configured to Not Defined. However, the following default values are enforced for the SSLF environment:

COMNAP

COMNODE

SQL\QUERY

SPOOLSS

LLSRPC

Browser

Network access: Remotely accessible registry paths

This policy setting determines which registry paths will be accessible after referencing the WinReg key to determine access permissions to the paths.

For the EC environment the Network access: Remotely accessible registry paths setting is configured to Not Defined. However, for the SSLF environment the following default values are enforced:

System\CurrentControlSet\Control\ProductOptions

System\CurrentControlSet\Control\Print\Printers

System\CurrentControlSet\Control\Server Applications

System\CurrentControlSet\Control\ContentIndex

System\CurrentControlSet\Control\Terminal Server

System\CurrentControlSet\Control\Terminal Server\UserConfig

System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration

System\CurrentControlSet\Services\Eventlog

Software\Microsoft\OLAP Server

Software\Microsoft\Windows NT\CurrentVersion

Network access: Shares that can be accessed anonymously

This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server.

The Network access: Shares that can be accessed anonymously setting is configured to Not Defined for the EC environment. However, ensure that this setting is configured to comcfg, dfs$ for the SSLF environment.

Note: It can be very dangerous to add other shares to this Group Policy setting. Any shares that are listed can be accessed by any network user, which could result in exposure or corruption of sensitive data.

Network access: Sharing and security model for local accounts

This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource.

Therefore, the Sharing and security model for local accounts setting uses the default Classic option for both of the environments that are discussed in this chapter.

Network Security

The following table summarizes the recommended security option settings for network security. Additional information is provided in the subsections that follow the table.

Table 3.13 Security Option Setting Recommendations – Network Security

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled | Enabled | Enabled
Network security: LAN Manager authentication level | Send NTLMv2 responses only\refuse LM | Send NTLMv2 responses only\refuse LM | Send NTLMv2 response only\refuse LM and NTLM | Send NTLMv2 response only\refuse LM and NTLM
Network security: LDAP client signing requirements | Negotiate signing | Negotiate signing | Negotiate signing | Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128 bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128 bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128 bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128 bit encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128 bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128 bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128 bit encryption | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128 bit encryption

Network security: Do not store LAN Manager hash value on next password change

This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Windows NT® hash.

For this reason, the Network security: Do not store LAN Manager hash value on next password change setting is configured to Enabled for both of the environments that are discussed in this chapter.

Note: Very old operating systems and some third-party applications may fail when this policy setting is enabled. Also, you will need to change the password on all accounts after you enable this setting, because the LM hash of an existing password is only removed when that password is next changed.
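As an added example (not code from the guide), the following Python script parses the [Registry Values] section of a template written by secedit /export, decodes the NTLM SSP minimum session security DWORD into the four requirements named in Table 3.13, and reports where an export deviates from the EC or SSLF column for the SMB signing, anonymous access and LAN Manager settings in Tables 3.10 through 3.13. The registry value names (NoLMHash, LmCompatibilityLevel, the MSV1_0 NtlmMinClientSec/NtlmMinServerSec values, RestrictAnonymous and the LanMan RequireSecuritySignature values) are my assumption about what backs these policy settings, and the sample export is constructed.

```python
"""Audit a secedit-style security template export against the EC and SSLF
columns of Tables 3.10 through 3.13 (added example, not part of the guide; the
registry value names are assumed well-known backings; the export is constructed)."""

# Bit flags of the MSV1_0 NtlmMinClientSec / NtlmMinServerSec DWORD; all four
# together are 0x20080030, the value behind the chapter's four requirements.
NTLM_SSP_FLAGS = {
    0x00000010: "Require message confidentiality",
    0x00000020: "Require message integrity",
    0x00080000: "Require NTLMv2 session security",
    0x20000000: "Require 128 bit encryption",
}

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
SVC = r"MACHINE\System\CurrentControlSet\Services"
# registry value path -> (setting name, EC value, SSLF value)
BASELINE = {
    LSA + r"\NoLMHash": ("Do not store LAN Manager hash value", 1, 1),
    # 4 = Send NTLMv2 responses only\refuse LM; 5 = ...\refuse LM and NTLM
    LSA + r"\LmCompatibilityLevel": ("LAN Manager authentication level", 4, 5),
    LSA + r"\MSV1_0\NtlmMinClientSec": ("NTLM SSP client session security", 0x20080030, 0x20080030),
    LSA + r"\MSV1_0\NtlmMinServerSec": ("NTLM SSP server session security", 0x20080030, 0x20080030),
    LSA + r"\RestrictAnonymous": ("No anonymous enumeration of SAM accounts and shares", 1, 1),
    SVC + r"\LanManWorkstation\Parameters\RequireSecuritySignature": ("Client: sign communications (always)", 1, 1),
    SVC + r"\LanManServer\Parameters\RequireSecuritySignature": ("Server: sign communications (always)", 1, 1),
}

# Constructed sample in the layout secedit /export writes: path=type,value,
# where type 1 is REG_SZ (quoted) and type 4 is REG_DWORD (decimal).
SAMPLE_EXPORT = r"""[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"2"
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,4
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinClientSec=4,537395248
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinServerSec=4,537395200
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
"""

def parse_registry_values(inf_text):
    """Return {path: value} from the [Registry Values] section; DWORDs become ints."""
    values, in_section = {}, False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
        elif in_section and "=" in line and not line.startswith(";"):
            path, rhs = line.split("=", 1)
            kind, _, data = rhs.partition(",")
            values[path] = int(data) if kind == "4" else data.strip('"')
    return values

def decode_ntlm_min_sec(value):
    """Name the requirements an NtlmMin*Sec DWORD enforces; absent names are gaps."""
    return [name for bit, name in NTLM_SSP_FLAGS.items() if value & bit]

def audit(inf_text, environment):
    """List (setting, expected, actual) where an export misses the EC or SSLF column."""
    column = {"EC": 1, "SSLF": 2}[environment]
    actual = parse_registry_values(inf_text)
    return [(spec[0], spec[column], actual.get(path, "not defined"))
            for path, spec in BASELINE.items()
            if actual.get(path, "not defined") != spec[column]]
```

In the constructed sample the server-side NTLM value lacks the confidentiality and integrity bits, so the EC audit reports one deviation and the SSLF audit reports two (the authentication level is still at the EC level of 4 rather than 5).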

Network security: LAN Manager authentication level

This policy setting specifies the type of challenge