Overview

This chapter describes in detail how to configure and apply additional security settings to Microsoft® Windows® XP Professional with Service Pack 2 (SP2) by using Administrative Templates. Administrative Template (.adm) files are used to configure settings in the Windows XP registry that govern the behavior of many services, applications, and operating system components. Five of the Administrative Templates that ship with Windows XP SP2 include hundreds of additional settings that you can use to improve the security of Windows XP Professional. There are several settings in the Microsoft Windows Server™ 2003 Administrative Templates that do not work with Windows XP. For a complete listing of all the Administrative Template settings that are available with Windows XP, see the Microsoft Excel® workbook "Policy Settings" that is referenced in the "More Information" section at the end of this chapter.

The following table lists the .adm files and the applications and services that they affect.

Table 4.1 Administrative Template Files
Note: You must manually configure the Administrative Template settings in the Group Policy object (GPO) to apply them to the computers and users in your environment.

There are two major groups of settings in the Administrative Templates:
As in Chapter 3, "Security Settings for Windows XP Clients," setting prescriptions are included for the Enterprise Client (EC) and Specialized Security – Limited Functionality (SSLF) environments that are defined in this guide.

Note: The user settings are applied to an organizational unit (OU) that contains users through a linked GPO. See Chapter 2, "Configuring the Active Directory Domain Infrastructure," for additional details about this OU.

Some settings are available under both Computer Configuration and User Configuration in the Group Policy Object Editor. If a User Configuration setting applies to a user who logs on to a computer that has had the same Computer Configuration setting applied to it through Group Policy, the Computer Configuration setting takes precedence over the User Configuration setting.

Previous versions of this guide contained information about settings for Office XP. However, these settings have now been updated for Office 2003 and are available on the Microsoft Web site. See the "More Information" section at the end of this chapter for links to this information.

This chapter does not describe all possible settings that are available in the Administrative Templates provided by Microsoft; many of these settings are user interface (UI) settings that are not specific to security. Decisions about which of the prescribed setting configurations in this guidance apply to your environment should be based on the security goals of your organization.

If there are additional settings you want to apply through Group Policy to Windows XP Professional, you can develop your own custom templates. See the white papers listed in the "More Information" section at the end of this chapter for detailed information about how to develop your own Administrative Templates.

Computer Configuration Settings

The following sections discuss the settings that are prescribed under Computer Configuration in the Group Policy Object Editor.
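Before the prescribed settings are listed, an added illustration of the custom templates mentioned above (example content, not a template from this guide or from Microsoft): a minimal .adm file that defines one hypothetical setting under both Computer Configuration and User Configuration, plus one computer-only setting with a numeric part. The Contoso category, the key path and the value names are placeholders chosen for the example.

```adm
; Example custom Administrative Template (not part of the guide).
; "Contoso", the key path and the value names are placeholders.
;
; Values written under Software\Policies are true policy settings:
; Group Policy removes them again when the GPO no longer applies.
; A VALUENAME under any other key is treated as a preference and
; persists on the client after the policy is removed (it "tattoos"
; the registry), which is why custom templates should stay under
; Software\Policies.

CLASS MACHINE

CATEGORY !!Cat_Contoso
    ; Path is relative to HKEY_LOCAL_MACHINE for CLASS MACHINE.
    KEYNAME "Software\Policies\Contoso\Workstation"

    ; Enabled/Disabled policy backed by one DWORD value.
    POLICY !!Pol_DisableFileSharingUI
        #if version >= 4
        SUPPORTED !!Sup_XPSP2
        #endif
        EXPLAIN !!Pol_DisableFileSharingUI_Help
        VALUENAME "DisableFileSharingUI"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY

    ; Policy with a numeric part: Enabled writes the chosen number,
    ; Disabled or Not Configured removes the value.
    POLICY !!Pol_IdleLockTimeout
        #if version >= 4
        SUPPORTED !!Sup_XPSP2
        #endif
        EXPLAIN !!Pol_IdleLockTimeout_Help
        PART !!Pol_IdleLockTimeout_Prompt NUMERIC
            VALUENAME "IdleLockTimeoutMinutes"
            MIN 1
            MAX 1440
            DEFAULT 15
        END PART
    END POLICY
END CATEGORY

CLASS USER

CATEGORY !!Cat_Contoso
    ; Same relative path, now under HKEY_CURRENT_USER. As the chapter
    ; notes, the Computer Configuration setting takes precedence, so
    ; code that honors this value should read HKEY_LOCAL_MACHINE
    ; before HKEY_CURRENT_USER.
    KEYNAME "Software\Policies\Contoso\Workstation"

    POLICY !!Pol_DisableFileSharingUI
        #if version >= 4
        SUPPORTED !!Sup_XPSP2
        #endif
        EXPLAIN !!Pol_DisableFileSharingUI_Help
        VALUENAME "DisableFileSharingUI"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY

[strings]
Cat_Contoso="Contoso Workstation Settings (example)"
Sup_XPSP2="At least Windows XP Professional with SP2"
Pol_DisableFileSharingUI="Hide the file sharing user interface"
Pol_DisableFileSharingUI_Help="Enabled writes DisableFileSharingUI=1 under Software\Policies\Contoso\Workstation; Disabled writes 0; Not Configured removes the value. Example only."
Pol_IdleLockTimeout="Lock the workstation after an idle period"
Pol_IdleLockTimeout_Help="Enabled writes the chosen number of minutes to IdleLockTimeoutMinutes under Software\Policies\Contoso\Workstation. Example only."
Pol_IdleLockTimeout_Prompt="Minutes of inactivity before lock:"
```

Load the file through Add/Remove Templates on the Administrative Templates node in the Group Policy Object Editor; note that with the editor's default filter (Only show policy settings that can be fully managed) a custom setting whose key is outside Software\Policies is hidden from the view.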
Configure these settings at the following location:

Computer Configuration\Administrative Templates

This location is shown in context in the following figure:

The structure of this chapter is based on the container structure in Group Policy. Tables in the following sections summarize setting recommendations for various Computer Configuration options, and recommendations are provided for both desktop and laptop client computers in two types of secure environments—the Enterprise Client (EC) environment and the Specialized Security – Limited Functionality (SSLF) environment. More detailed information about each of the settings is provided in the subsections that follow each table.

Apply these settings through a GPO that is linked to an OU that contains the computer accounts in your environment. Include the laptop settings in the GPO that is linked to the laptop OU, and the desktop settings in the GPO that is linked to the desktop OU.

Windows Components

The following figure illustrates the sections in Group Policy that will be affected by the setting changes in this section:

NetMeeting

Microsoft NetMeeting allows users to conduct virtual meetings across the network in your organization. You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\

Table 4.2 Recommended NetMeeting Settings
Disable remote Desktop Sharing

This policy setting disables the remote desktop sharing feature of NetMeeting. If you enable this policy setting, users will not be able to configure NetMeeting to allow remote control of the local desktop. The Disable remote Desktop Sharing setting is Not Configured for the EC environment. However, it is configured to Enabled for the SSLF environment to prevent users from sharing desktops remotely through NetMeeting.

Internet Explorer

Microsoft Internet Explorer Group Policies help you enforce security requirements for Windows XP workstations, and prevent the exchange of unwanted content through Internet Explorer. Use the following criteria to secure Internet Explorer on the workstations in your environment:
You can configure the following prescribed computer settings for Internet Explorer in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer

The following table summarizes many of the Internet Explorer setting recommendations. Additional information about each setting is provided in the subsections that follow the table.

Table 4.3 Recommended Internet Explorer Settings
Disable Automatic Install of Internet Explorer components

If you enable this policy setting, Internet Explorer will not be able to download components when users browse to Web sites that require the components to fully function. If this policy setting is disabled or not configured, users will be prompted to download and install components each time they visit Web sites that use them. The Disable Automatic Install of Internet Explorer components setting is configured to Enabled for the two environments that are discussed in the chapter.

Note: Before you enable this policy setting, Microsoft recommends that you set up an alternative strategy to update Internet Explorer through Microsoft Update or a similar service.

Disable Periodic Check for Internet Explorer software updates

If you enable this policy setting, Internet Explorer will not be able to determine whether a later browser version is available and notify users if this is the case. If this policy setting is disabled or not configured, Internet Explorer will check for updates every 30 days (its default setting) and notify users if a new version is available. The Disable Periodic Check for Internet Explorer software updates setting is configured to Enabled for the two environments that are discussed in this chapter.

Note: Before you enable this policy setting, Microsoft recommends that you set up an alternative strategy for the administrators in your organization to ensure that they periodically accept new updates for Internet Explorer on the client computers in your environment.

Disable software update shell notifications on program launch

This policy setting specifies that programs that use Microsoft software distribution channels will not notify users when they install new components. Software distribution channels are used to update software dynamically on users' computers; this functionality is based on Open Software Distribution (.osd) technologies.
The Disable software update shell notifications on program launch setting is configured to Enabled for the two environments that are discussed in this chapter.

Do not allow users to enable or disable add-ons

This policy setting allows you to manage whether users have the ability to allow or deny add-ons through Manage Add-ons. If you configure this policy setting to Enabled, users cannot enable or disable add-ons through Manage Add-ons. The only exception is if an add-on has been specifically entered into the Add-On List policy setting in a way that allows users to continue to manage the add-on. In such a case, the user can still manage the add-on through Manage Add-ons. If you configure this policy setting to Disabled, the user will be able to enable or disable add-ons.

Note: For more information about how to manage Internet Explorer add-ons in Windows XP with SP2, see KB article 883256, "How to manage Internet Explorer add-ons in Windows XP Service Pack 2" at http://support.microsoft.com/?kbid=883256.

Users often choose to install add-ons that are not permitted by an organization's security policy. Such add-ons can pose a significant security and privacy risk to your network. Therefore, this policy setting is configured to Enabled for the two environments that are discussed in this guide.

Note: You should review the GPO settings in Internet Explorer\Security Features\Add-on Management to ensure that appropriate authorized add-ons can still run in your environment. For example, you may want to read the Microsoft Knowledge Base article "Outlook Web Access and Small Business Server Remote Web Workplace do not function if XP Service Pack 2 Add-on Blocking is enabled via group policy" at http://support.microsoft.com/default.aspx?kbid=555235.

Make proxy settings per-machine (rather than per-user)

If you enable this policy setting, users will not be allowed to alter user-specific proxy settings.
They must use the zones that are created for all users of the computers they access. The Make proxy settings per-machine (rather than per-user) setting is configured to Enabled for desktop client computers for the two environments that are discussed in this chapter. However, the policy setting is configured to Disabled for laptop client computers because mobile users may have to change their proxy settings as they travel.

Security Zones: Do not allow users to add/delete sites

Enable this policy setting to disable the site management settings for security zones. (To see the site management settings for security zones, open Internet Explorer, select Tools and then Internet Options, click the Security tab, and then click Sites.) If this policy setting is disabled or not configured, users will be able to add or remove Web sites in the Trusted Sites and Restricted Sites zones, as well as alter settings in the Local Intranet zone. The Security Zones: Do not allow users to add/delete sites setting is configured to Enabled for the two environments that are discussed in this chapter.

Note: If you enable the Disable the Security page setting (located in \User Configuration\

Security Zones: Do not allow users to change policies

If you enable this policy setting, you disable the Custom Level button and the Security level for this zone slider on the Security tab in the Internet Options dialog box, which prevents users from changing the security zone policy settings that are established by the administrator. If this policy setting is disabled or not configured, users will be able to change the settings for security zones. The Security Zones: Do not allow users to change policies setting is configured to Enabled for the two environments that are discussed in this chapter.

Note: If you enable the Disable the Security page setting (located in \User Configuration\

Security Zones: Use only machine settings

This policy setting affects how security zone changes apply to different users.
It is intended to ensure that security zone settings remain uniformly in effect on the same computer and do not vary from user to user. If you enable this policy setting, changes that one user makes to a security zone will apply to all users of that computer. If this policy setting is disabled or not configured, users of the same computer are allowed to establish their own security zone settings. The Security Zones: Use only machine settings setting is configured to Enabled for the two environments that are discussed in this chapter.

Turn off Crash Detection

This policy setting allows you to manage the crash detection feature of add-on management in Internet Explorer. If you enable this policy setting, a crash in Internet Explorer will be similar to one on a computer that runs Windows XP Professional with Service Pack 1 (SP1) or earlier: Windows Error Reporting will be invoked. If you disable this policy setting, the crash detection feature in add-on management will be functional. Because Internet Explorer crash report information could contain sensitive information from the computer's memory, the Turn off Crash Detection setting is configured to Enabled for both of the environments that are discussed in this chapter. If you experience frequent repeated crashes and need to report them for follow-up troubleshooting, you could temporarily configure the policy setting to Disabled.

Internet Explorer\Internet Control Panel\Security Page

You can configure these computer settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page

SP2 introduced several new policy settings to help you secure Internet Explorer zone configuration across your environment. The default values for these settings provide enhanced security compared to earlier versions of Windows.
However, you might want to review these settings to determine whether you want to require them or relax them in your environment for usability or application compatibility. For example, SP2 configures Internet Explorer to block pop-ups for all Internet zones by default. You might want to ensure that this policy setting is enforced on all computers in your environment to eliminate pop-up windows and to reduce the possibility of malicious software and spyware installations that are often spawned from Internet Web sites. Conversely, your environment might contain applications that require the use of pop-ups to function. If so, you could configure this policy to allow pop-ups for Web sites within your intranet.

Internet Explorer\Internet Control Panel\Advanced Page

You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page

Table 4.4 Recommended Allow Software to Run Settings
Allow software to run or install even if the signature is invalid

Microsoft ActiveX® controls and file downloads often have digital signatures attached that certify the file's integrity and the identity of the signer (creator) of the software. Such signatures help ensure that unmodified software is downloaded and that you can positively identify the signer to determine whether you trust them enough to run their software. The Allow software to run or install even if the signature is invalid setting allows you to manage whether downloaded software can be installed or run by users even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file. If you enable this policy setting, users will be prompted to install or run files with an invalid signature. If you disable this policy setting, users cannot run or install files with an invalid signature. Because unsigned software can create a security vulnerability, this policy setting is configured to Disabled for both of the environments that are discussed in this chapter.

Note: Some legitimate software and controls may have an invalid signature and still be OK. You should carefully test such software in isolation before you allow it to be used on your organization's network.

Internet Explorer\Security Features\MK Protocol Security Restriction

You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\MK Protocol Security Restriction

Table 4.5 Recommended MK Protocol Settings
Internet Explorer Processes (MK Protocol)

This policy setting reduces attack surface area because it blocks the seldom-used MK protocol. Some older Web applications use the MK protocol to retrieve information from compressed files. If you configure this policy setting to Enabled, the MK protocol is blocked for Windows Explorer and Internet Explorer, which causes resources that use the MK protocol to fail. If you disable this policy setting, other applications are allowed to use the MK protocol API. Because the MK protocol is not widely used, it should be blocked wherever it is not needed. This policy setting is configured to Enabled for both of the environments that are discussed in this chapter. Microsoft recommends that you block the MK protocol unless you specifically need it in your environment.

Note: Because resources that use the MK protocol will fail when you deploy this policy setting, you should ensure that none of your applications use the protocol.

Internet Explorer\Security Features\Consistent MIME Handling

You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Consistent MIME Handling

Table 4.6 Recommended Consistent MIME Handling Settings
Internet Explorer Processes (Consistent MIME Handling)

Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files that are received through a Web server. The Consistent MIME Handling setting determines whether Internet Explorer requires that all file type information that is provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME data indicates that the file is really an executable file, Internet Explorer changes its extension to reflect this executable status. This capability helps ensure that executable code cannot masquerade as other types of data that may be trusted. If you enable this policy setting, Internet Explorer examines all received files and enforces consistent MIME data for them. If you disable or do not configure this policy setting, Internet Explorer does not require consistent MIME data for all received files and will use the MIME data that is provided by the file.

MIME file type spoofing is a potential threat to your organization. You should ensure that these files are consistent and properly labeled to help prevent malicious file downloads that may infect your network. This policy setting is configured to Enabled for both of the environments that are discussed in this chapter.

Note: This policy setting works in conjunction with, but does not replace, the MIME Sniffing Safety Features settings.

Internet Explorer\Security Features\MIME Sniffing Safety Features

You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\MIME Sniffing Safety Features

Table 4.7 Recommended MIME Sniffing Settings
Internet Explorer Processes (MIME Sniffing)

MIME sniffing is a process that examines the content of a MIME file to determine its context—whether it is a data file, an executable file, or some other type of file. This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. When set to Enabled, MIME sniffing will never promote a file of one type to a more dangerous file type. If you disable this policy setting, MIME sniffing configures Internet Explorer processes to allow promotion of a file from one type to a more dangerous file type. For example, a text file could be promoted to an executable file, which is dangerous because any code in the supposed text file would be executed.

MIME file-type spoofing is a potential threat to your organization. Microsoft recommends that you ensure these files are consistently handled to help prevent malicious file downloads that may infect your network. The Internet Explorer Processes (MIME Sniffing) setting is configured to Enabled for both of the environments that are discussed in this chapter.

Note: This policy setting works in conjunction with, but does not replace, the Consistent MIME Handling settings.

Internet Explorer\Security Features\Scripted Window Security Restrictions

You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Scripted Window Security Restrictions

Table 4.8 Recommended Scripted Window Restrictions Settings
Internet Explorer Processes (Scripted Window Security Restrictions)

Internet Explorer allows scripts to programmatically open, resize, and reposition various types of windows. Often, disreputable Web sites will resize windows to either hide other windows or force you to interact with a window that contains malicious code. The Internet Explorer Processes (Scripted Window Security Restrictions) setting restricts pop-up windows and does not allow scripts to display windows in which the title and status bars are not visible to the user or that hide other windows' title and status bars. If you enable this policy setting, pop-up windows will not display in Windows Explorer and Internet Explorer processes. If you disable or do not configure this policy setting, scripts will still be able to create pop-up windows and windows that hide other windows.

The Internet Explorer Processes (Scripted Window Security Restrictions) setting is configured to Enabled for both of the environments that are discussed in this chapter. When enabled, this policy setting makes it difficult for malicious Web sites to control your Internet Explorer windows or fool users into clicking on the wrong window.

Internet Explorer\Security Features\Protection From Zone Elevation

You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation

Table 4.9 Recommended Zone Elevation Protection Settings
Internet Explorer Processes (Zone Elevation Protection)

Internet Explorer places restrictions on each Web page that it opens. These restrictions are dependent upon the location of the Web page (such as Internet zone, Intranet zone, or Local Machine zone). Web pages on a local computer have the fewest security restrictions and reside in the Local Machine zone, which makes the Local Machine security zone a prime target for malicious attackers. If you enable the Internet Explorer Processes (Zone Elevation Protection) setting, any zone can be protected from zone elevation by Internet Explorer processes. This approach prevents content that runs in one zone from gaining the elevated privileges of another zone. If you disable this policy setting, no zone receives such protection for Internet Explorer processes.

Because of the severity and relative frequency of zone elevation attacks, the Internet Explorer Processes (Zone Elevation Protection) setting is configured to Enabled for both of the environments that are discussed in this chapter.

Internet Explorer\Security Features\Restrict ActiveX Install

You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install

Table 4.10 Restrict ActiveX Install Settings
Internet Explorer Processes (Restrict ActiveX Install)

This policy setting provides the ability to block ActiveX control installation prompts for Internet Explorer processes. If you enable this policy setting, prompts for ActiveX control installations will be blocked for Internet Explorer processes. If you disable this policy setting, prompts for ActiveX control installations will not be blocked and these prompts will be displayed to users.

Users often choose to install software such as ActiveX controls that are not permitted by their organization's security policy. Such software can pose significant security and privacy risks to networks. Therefore, the Internet Explorer Processes (Restrict ActiveX Install) setting is configured to Enabled for both of the environments that are discussed in this chapter.

Note: This policy setting also blocks users from installing authorized legitimate ActiveX controls that will interfere with important system components like Windows Update. If you enable this policy setting, make sure to implement some alternate way to deploy security updates such as Windows Server Update Services (WSUS).

Internet Explorer\Security Features\Restrict File Download

You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict File Download

Table 4.11 Recommended Restrict File Download Settings
Internet Explorer Processes (Restrict File Download)

In certain circumstances, Web sites can initiate file download prompts without interaction from users. This technique can allow Web sites to put unauthorized files on users' hard drives if they click the wrong button and accept the download. If you configure the Internet Explorer Processes (Restrict File Download) setting to Enabled, file download prompts that are not user-initiated are blocked for Internet Explorer processes. If you configure this policy setting to Disabled, file download prompts will occur that are not user-initiated for Internet Explorer processes.

The Internet Explorer Processes (Restrict File Download) setting is configured to Enabled for both of the environments that are discussed in this chapter to help prevent attackers from placing arbitrary code on users' computers.

Internet Explorer\Security Features\Add-on Management

You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management

Table 4.12 Add-on Management Settings
Deny all add-ons unless specifically allowed in the Add-on List

This policy setting, along with the Add-on List setting, allows you to control Internet Explorer add-ons. By default, the Add-on List setting defines a list of add-ons to be allowed or denied through Group Policy. The Deny all add-ons unless specifically allowed in the Add-on List setting ensures that all add-ons are assumed to be denied unless they are specifically listed in the Add-on List setting. If you enable this policy setting, Internet Explorer only allows add-ins that are specifically listed (and allowed) through the Add-on List. If you disable this policy setting, users may use Add-on Manager to allow or deny any add-ons.

You should consider using both the Deny all add-ons unless specifically allowed in the Add-on List setting and the Add-on List setting to control the add-ons that can be used in your environment. This approach will help ensure that only authorized add-ons are used.

Add-on List

This policy setting, along with the Deny all add-ons unless specifically allowed in the Add-on List setting, allows you to control Internet Explorer add-ons. By default, the Add-on List setting defines a list of add-ons to be allowed or denied through Group Policy. The Deny all add-ons unless specifically allowed in the Add-on List setting ensures that all add-ons are assumed to be denied unless they are specifically listed in the Add-on List setting. If you enable the Add-on List setting, you are required to list the add-ons to be allowed or denied by Internet Explorer. The specific list of add-ons that should be included on this list will vary from one organization to another, and therefore this guide does not provide a detailed list. For each entry that you add to the list, you must provide the following information:
If you disable the Add-on List setting, the list is deleted.

You should consider using both the Deny all add-ons unless specifically allowed in the Add-on List and the Add-on List settings to control the add-ons that can be used in your environment. This approach will help ensure that only authorized add-ons are used.

Terminal Services\Client/Server data redirection

Terminal Services settings provide options to redirect client computer resources to servers that are accessed through Terminal Services. The following setting is specific to Terminal Services. You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection

Table 4.13 Recommended Do Not Allow Drive Redirection Settings
Do not allow drive redirection

This policy setting prevents users from sharing the local drives on their client computers to Terminal Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer or My Computer in the following format:

\\TSClient\<driveletter>$

If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. For this reason, the Do not allow drive redirection setting is configured to Enabled for the SSLF environment. However, this policy setting is Not Configured for the EC environment.

Terminal Services\Encryption and Security

You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Encryption and Security

Table 4.14 Recommended Terminal Services Encryption and Security Settings
Always prompt client for password upon connection

This policy setting specifies whether Terminal Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Terminal Services, even if they already provided the password in the Remote Desktop Connection client. By default, Terminal Services allows users to automatically log on if they enter a password in the Remote Desktop Connection client. The Always prompt client for password upon connection setting is configured to Enabled in the SSLF environment. However, this policy setting is Not Configured for the EC environment.

Note: If you do not configure this policy setting, the local computer administrator can use the Terminal Services Configuration tool to either allow or prevent passwords from being automatically sent.

Set client connection encryption level

This policy setting specifies whether the computer that is about to host the remote connection will enforce an encryption level for all data sent between it and the client computer for the remote session. The encryption level is set to High Level to enforce 128-bit encryption for the two environments that are discussed in this chapter.

Terminal Services\Client

You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Administrative Templates\Windows Components\Terminal Services\Client

Table 4.15 Recommended Do Not Allow Passwords to be Saved Settings
Do not allow passwords to be saved

This policy setting prevents passwords from being saved on a computer by Terminal Services clients. If you enable this policy setting, the password saving checkbox is disabled for Terminal Services clients and users will not be able to save passwords. Because saved passwords can cause additional compromise, the Do not allow passwords to be saved setting is configured to Enabled for both of the environments that are discussed in this chapter.

Note: If this policy setting was previously configured as Disabled or Not Configured, any previously saved passwords will be deleted the first time a Terminal Services client disconnects from any server.

Windows Messenger

Windows Messenger is used to send instant messages to other users on a computer network. The messages may include files and other attachments. You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components\Windows Messenger

Table 4.16 Recommended Windows Messenger Settings
Do not allow Windows Messenger to be run

You can enable the Do not allow Windows Messenger to be run setting to disable Windows Messenger and prevent the program from being executed. Because this application has been used for malicious purposes such as spam, the distribution of malicious software, and disclosure of sensitive data, Microsoft recommends that you configure the Do not allow Windows Messenger to be run setting to Enabled for both the EC and SSLF environments.

Note: If you configure this policy setting to Enabled, Remote Assistance is prevented from using Windows Messenger and users are prevented from using MSN® Messenger.

Windows Update

Administrators use Windows Update settings to manage how patches and hotfixes are applied on Windows XP workstations. Updates are available from the Microsoft Windows Update Web site. Alternatively, you can set up an intranet Web site to distribute patches and hotfixes in a similar manner with additional administrative control. The Windows Update Administrative Template (WUAU.adm) was introduced with Windows XP Service Pack 1 (SP1).

Windows Server Update Services (WSUS) is an infrastructure service that builds on the success of the Microsoft Windows Update and Software Update Services (SUS) technologies. WSUS manages and distributes critical Windows patches that resolve known security vulnerabilities and other stability issues with Microsoft Windows operating systems. WSUS eliminates manual update steps with a dynamic notification system for critical updates that are available to Windows client computers through your intranet server. No Internet access is required from client computers to use this service. This technology also provides a simple and automatic way to distribute updates to your Windows workstations and servers. Windows Server Update Services also offers the following features:
Note: If you choose to distribute patches through another method, such as Microsoft Systems Management Server, this guide recommends that you disable the Configure Automatic Updates setting.

There are several Windows Update settings. A minimum of three settings is required to make Windows Update work: Configure Automatic Updates, No auto-restart for scheduled Automatic Updates installations, and Reschedule Automatic Updates scheduled installations. A fourth setting is optional and depends on the requirements of your organization: Specify intranet Microsoft update service location.

You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components\Windows Update

The settings that are discussed in this section do not individually address specific security risks, but relate more to administrator preference. However, configuration of Windows Update is essential to the security of your environment because it ensures that the client computers in your environment receive security patches from Microsoft soon after they are available.

Note: Windows Update is dependent on several services, including the Remote Registry service and the Background Intelligent Transfer Service. In Chapter 3, "Security Settings for Windows XP Clients," these services are disabled in the SSLF environment. Therefore, if these services are disabled, Windows Update will not work, and the following four setting prescriptions may be disregarded for the SSLF environment only.

The following table summarizes the recommended Windows Update settings. Additional information about each setting is provided in the subsections that follow the table.

Table 4.17 Recommended Windows Update Settings
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box

This policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box. If you disable this policy setting, the Install Updates and Shut Down option will display in the Shut Down Windows dialog box if updates are available when the user selects the Shut Down option in the Start menu or clicks Shut Down after pressing CTRL+ALT+DELETE.

Because updates are important to the overall security of all computers, the Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box setting is configured to Disabled for both of the environments that are discussed in this chapter. This policy setting works in conjunction with the following Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box setting.

Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box

This policy setting allows you to manage whether the Install Updates and Shut Down option is allowed to be the default choice in the Shut Down Windows dialog. If you disable this policy setting, the Install Updates and Shut Down option will be the default option in the Shut Down Windows dialog box if updates are available for installation when the user selects the Shut Down option in the Start menu.

Because updates are important to the overall security of all computers, the Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box setting is configured to Disabled for both of the environments that are discussed in this chapter.

Note: This policy setting has no effect if the Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in the Shut Down Windows dialog box setting is Enabled.
Configure Automatic Updates

This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search the Windows Update Web site or your designated intranet site for updates that apply to the computer. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:
If you disable this policy setting, you will need to download and manually install any available updates from the Windows Update Web site at http://windowsupdate.microsoft.com. The Configure Automatic Updates setting is configured to Enabled for the two environments that are discussed in this chapter.

No auto-restart for scheduled Automatic Updates installations

If this policy setting is enabled, the computer will wait for a logged-on user to restart it to complete a scheduled installation; otherwise, the computer will restart automatically. When enabled, this policy setting also prevents Automatic Updates from restarting computers automatically during a scheduled installation. If a user is logged on to a computer when Automatic Updates requires a restart to complete an update installation, the user is notified and given the option to delay the restart. Automatic Updates will not detect future updates until the restart occurs.

If the No auto-restart for scheduled Automatic Updates installations setting is configured to Disabled or Not Configured, Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation. If automatic restarts are a concern, you can configure the No auto-restart for scheduled Automatic Updates installations setting to Enabled. If you do enable this policy setting, schedule your client computers to restart after normal business hours to ensure that the installation is completed.

The No auto-restart for scheduled Automatic Updates installations setting is configured to Disabled for the two environments that are discussed in this chapter.

Note: This policy setting only works when Automatic Updates is configured to perform scheduled update installations. If the Configure Automatic Updates setting is configured to Disabled, it will not work. A restart is generally required to complete an update installation.
Reschedule Automatic Updates scheduled installations

This policy setting determines the amount of time before previously scheduled Automatic Update installations will proceed after system startup. If you configure this policy setting to Enabled, a previously scheduled installation will begin after a specified number of minutes when you next start the computer. If you configure this policy setting to Disabled or Not Configured, previously scheduled installations will occur during the next regularly scheduled installation time.

The Reschedule Automatic Updates scheduled installations setting is configured to Enabled for the two environments that are discussed in this chapter. After you enable this policy setting, you may change the default waiting period to one that is appropriate for your environment.

Note: This policy setting only works when Automatic Updates is configured to perform scheduled update installations. If the Configure Automatic Updates setting is Disabled, the Reschedule Automatic Updates scheduled installations setting has no effect. You can enable the latter two settings to ensure that previously missed installations will be scheduled to install each time the computer restarts.

Specify intranet Microsoft update service location

This policy setting specifies an intranet server to host updates that are available from the Microsoft Update Web sites. You can then use this update service to automatically update computers on your network. This policy setting lets you specify a WSUS server on your network to function as an internal update service. The Automatic Updates client will work with the WSUS server to search the service for updates that apply to the computers on your network. The Specify intranet Microsoft update service location setting is configured to Enabled for both of the environments that are discussed in this chapter.
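The Windows Update settings in this section only make sense in combination: the intranet server, no-auto-restart and reschedule settings all depend on Configure Automatic Updates, and the last two only matter for scheduled installations. The following PowerShell script is an added example (not code from this guide) that reads the policy values WUAU.adm writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and reports those interactions against the prescriptions above; the registry paths and value names are the documented ones, the wording of the findings is this example's own.

```powershell
# Added example, not from the Windows XP Security Guide: audit the Windows Update policy
# values this section prescribes and report the dependencies the text describes.
# Registry paths and value names are those written by WUAU.adm; the findings text is ours.

$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # An absent value is how "Not Configured" looks in the registry, so return $null for it.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-WindowsUpdatePolicy {
    $findings = @()

    $noAutoUpdate    = Get-PolicyValue $AuKey 'NoAutoUpdate'                  # 0 = Enabled, 1 = Disabled
    $auOptions       = Get-PolicyValue $AuKey 'AUOptions'                     # 2, 3 or 4 (see below)
    $noAutoReboot    = Get-PolicyValue $AuKey 'NoAutoRebootWithLoggedOnUsers' # 1 = Enabled
    $rescheduleWait  = Get-PolicyValue $AuKey 'RescheduleWaitTime'            # minutes after startup
    $useWuServer     = Get-PolicyValue $AuKey 'UseWUServer'                   # 1 = use intranet server
    $wuServer        = Get-PolicyValue $WuKey 'WUServer'                      # http://<wsus-server>
    $hideShutdownOpt = Get-PolicyValue $AuKey 'NoAUShutdownOption'            # 1 = hide the option
    $noDefaultOpt    = Get-PolicyValue $AuKey 'NoAUAsDefaultShutdownOption'   # 1 = never the default

    # Configure Automatic Updates is the setting that everything else depends on.
    if ($null -eq $noAutoUpdate) {
        $findings += 'Configure Automatic Updates is Not Configured; the guide prescribes Enabled for EC and SSLF.'
    } elseif ($noAutoUpdate -eq 1) {
        $findings += 'Configure Automatic Updates is Disabled: updates must be installed manually, and the ' +
                     'intranet server, no-auto-restart and reschedule settings have no effect.'
        return $findings   # nothing below is meaningful, so stop here
    }

    # Only option 4 performs scheduled installations, which the next two settings require.
    $scheduled = ($auOptions -eq 4)
    switch ($auOptions) {
        2 { $findings += 'AUOptions=2: notify before download and before installation.' }
        3 { $findings += 'AUOptions=3: download automatically, notify before installation.' }
        4 { $findings += 'AUOptions=4: download automatically and install on the configured schedule.' }
        default { $findings += "AUOptions=$auOptions is not one of the three options this section describes." }
    }

    # No auto-restart for scheduled Automatic Updates installations (guide: Disabled).
    if ($noAutoReboot -eq 1) {
        $findings += 'No auto-restart is Enabled: a logged-on user can postpone the restart, and no new ' +
                     'updates are detected until the computer restarts. Schedule restarts after hours.'
        if (-not $scheduled) { $findings += '  (ignored: only applies when AUOptions=4, scheduled installs)' }
    }

    # Reschedule Automatic Updates scheduled installations (guide: Enabled, wait period tunable).
    if ($null -eq $rescheduleWait) {
        $findings += 'Reschedule is Not Configured: a missed scheduled install waits for the next scheduled time.'
    } elseif ($scheduled) {
        $findings += "Reschedule is Enabled: missed installs start $rescheduleWait minute(s) after startup."
    } else {
        $findings += 'RescheduleWaitTime is set but ignored because AUOptions is not 4 (scheduled installs).'
    }

    # Specify intranet Microsoft update service location (guide: Enabled, pointing at a WSUS server).
    if ($useWuServer -eq 1 -and [string]::IsNullOrEmpty($wuServer)) {
        $findings += 'UseWUServer=1 but WUServer is empty: clients have no update source.'
    } elseif ($useWuServer -eq 1) {
        $findings += "Clients will use the intranet update server $wuServer (no Internet access needed)."
    } else {
        $findings += 'No intranet update server: clients must reach the Windows Update Web site directly.'
    }

    # The two Shut Down dialog settings (guide: both Disabled). The second has no effect
    # when the first is Enabled, because the option is not shown at all.
    if ($hideShutdownOpt -eq 1) {
        $findings += "'Install Updates and Shut Down' is hidden from the Shut Down dialog (guide: Disabled)."
    } elseif ($noDefaultOpt -eq 1) {
        $findings += "'Install Updates and Shut Down' is never the default shutdown choice (guide: Disabled)."
    }
    return $findings
}

Test-WindowsUpdatePolicy | ForEach-Object { Write-Output $_ }
```

Run it on a client after a Group Policy refresh; because it reads only the Policies hive, it reports what Group Policy delivered, not what a local administrator set in the Automatic Updates control panel.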
Note: An enabled Specify intranet Microsoft update service location setting has no effect if the Configure Automatic Updates setting is disabled.

System

You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\System

The following figure illustrates the sections in Group Policy that will be affected by the setting changes in this section:

The following table summarizes the recommended system settings. Additional information about each setting is provided in the subsections that follow the table.

Table 4.18 Recommended System Settings
Turn off Autoplay

Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. You can enable the Turn off Autoplay setting to disable the Autoplay feature. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives.

The Turn off Autoplay setting is configured to Enabled – All Drives for the SSLF environment only. However, this policy setting is Not Configured for the EC environment.

Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives.

Turn off Windows Update device driver search prompt

This policy setting controls whether the administrator is prompted to search Windows Update for device drivers through the Internet. If this policy setting is Enabled, administrators will not be prompted to search Windows Update. If both this policy setting and Turn off Windows Update device driver searching are Disabled or Not Configured, the administrator will be prompted for consent before Windows Update is searched for device drivers.

Because there is some risk involved when any device drivers are downloaded from the Internet, the Turn off Windows Update device driver search prompt setting is configured to Enabled for the SSLF environment and Disabled for the EC environment. This recommendation is made because the types of attacks that can exploit a driver download will typically be mitigated by proper enterprise resource management.

Note: This policy setting is only effective if the Turn off Windows Update device driver searching setting in Administrative Templates/System/Internet Communication Management/Internet Communication is Disabled or Not Configured.
Logon

You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\System\Logon

The following table summarizes the recommended Logon settings. Additional information about each setting is provided in the subsections that follow the table.

Table 4.19 Recommended Logon Settings
Do not process the legacy run list

This policy setting causes the run list, which is a list of programs that Windows XP runs automatically when it starts, to be ignored. The customized run lists for Windows XP are stored in the registry at the following locations:
You can enable the Do not process the legacy run list setting to prevent a malicious user from running a program each time Windows XP starts, which could compromise data on the computer or cause other harm. When this policy setting is enabled, certain system programs are prevented from running, such as antivirus software, and software distribution and monitoring software. Microsoft recommends that you evaluate the threat level to your environment before you determine whether to use this policy setting for your organization.

The Do not process the legacy run list setting is Not Configured for the EC environment and Enabled for the SSLF environment.

Do not process the run once list

This policy setting causes the run-once list, which is the list of programs that Windows XP runs automatically when it starts, to be ignored. This policy setting differs from the Do not process the legacy run list setting in that programs on this list will run once the next time the client computer restarts. Setup and installation programs are sometimes added to this list to complete installations after a client computer restarts. If you enable this policy setting, attackers will not be able to use the run-once list to launch rogue applications, which was a common method of attack in the past. A malicious user can exploit the run-once list to install a program that may compromise the security of Windows XP client computers.

Note: Customized run-once lists are stored in the registry at the following location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce.

The Do not process the run once list setting should cause minimal functionality loss to users in your environment, especially if the client computers have been configured with all of your organization's standard software before this policy setting is applied through Group Policy. The Do not process the run once list setting is set to Not Configured for the EC environment and to Enabled for the SSLF environment.
Group Policy

You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\System\Group Policy

Table 4.20 Recommended Group Policy Settings
Registry policy processing

This policy setting determines when registry policies are updated. It affects all policies in the Administrative Templates folder, and any other policies that store values in the registry. If this policy setting is enabled, the following options are available:
Some settings that are configured through the Administrative Templates are made in areas of the registry that are accessible to users. User changes to these settings will be overwritten if this policy setting is enabled. The Registry policy processing setting is configured to Enabled for both of the environments that are discussed in this chapter.

Remote Assistance

You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\System\Remote Assistance

The following table summarizes the recommended Remote Assistance settings. Additional information about each setting is provided in the subsections that follow the table.

Table 4.21 Recommended Remote Assistance Settings
Offer Remote Assistance

This policy setting determines whether a support person or an IT "expert" administrator can offer remote assistance to computers in your environment if a user does not explicitly request assistance first through a channel, e-mail, or Instant Messenger.

Note: The expert cannot connect to the computer unannounced or control it without permission from the user. When the expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation after the Offer Remote Assistance setting is configured to Enabled.

If this policy setting is enabled the following options are available:
When you configure this policy setting, you can also specify a list of users or user groups known as "helpers" who may offer remote assistance.

To configure the list of helpers
If this policy setting is disabled or not configured, users or groups will not be able to offer unsolicited remote assistance to computer users in your environment. The Offer Remote Assistance setting is Not Configured for the EC environment. However, this policy setting is configured to Disabled for the SSLF environment to prevent access to Windows XP client computers across the network.

Solicit Remote Assistance

This policy setting determines whether remote assistance may be solicited from the Windows XP computers in your environment. You can enable this policy setting to allow users to solicit remote assistance from IT "expert" administrators.

Note: Experts cannot connect to a user’s computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation.

If the Solicit Remote Assistance setting is enabled, the following options are available:
Also, the following options are available to configure the amount of time that a user help request remains valid:
When a ticket (help request) expires, the user must send another request before an expert can connect to the computer. If you disable the Solicit Remote Assistance setting, users cannot send help requests and the expert cannot connect to their computers. If the Solicit Remote Assistance setting is not configured, users can configure solicited remote assistance through the Control Panel. The following settings are enabled by default in the Control Panel: Solicited remote assistance, Buddy support, and Remote control. The value for the Maximum ticket time is set to 30 days.

If this policy setting is disabled, no one will be able to access Windows XP client computers across the network. The Solicit Remote Assistance setting is Not Configured for the EC environment and is configured to Disabled for the SSLF environment.

Error Reporting

These settings control how operating system and application errors are reported. In the default configuration, when an error occurs the user is queried by a pop-up dialog box about whether they want to send an error report to Microsoft. Microsoft has strict policies in place to protect data that is received in these reports. However, the data is transmitted in plaintext, which is a potential security risk.

Microsoft provides the Corporate Error Reporting tool for organizations to collect the reports locally and not send them to Microsoft over the Internet. Microsoft recommends the use of the Corporate Error Reporting tool in the SSLF environment to prevent sensitive information from exposure on the Internet. Additional information about this tool is included in the “More Information” section at the end of this chapter.

You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\System\Error Reporting

The following table summarizes the recommended Error Reporting settings.
Additional information about each setting is provided in the subsections that follow the table.

Table 4.22 Recommended Error Reporting Settings
Display Error Notification

This policy setting controls whether error messages are displayed to users on their computer screens. If you enable this policy setting, error message notifications will be sent when errors occur and users will have access to details about the errors. If you disable this policy setting, users are prevented from viewing error notifications.

When an error occurs, it is important that the user is aware of the problem. Users will not be made aware of problems if you disable the Display Error Notification setting. For this reason, the Display Error Notification setting is configured to Enabled for the two environments that are discussed in this chapter.

Configure Error Reporting

This policy setting controls whether errors are reported. When this policy setting is enabled, users can choose whether to report errors when they occur. Errors may be reported to Microsoft through the Internet or to a local file share. If you enable this policy setting, the following options are also available:
If the Configure Error Reporting setting is disabled, users are unable to report errors. If the Display Error Notification setting is enabled, users will receive error notifications but cannot report them. The Configure Error Reporting setting allows you to customize an error reporting strategy for your organization and collect reports for local analysis. The Configure Error Reporting setting is configured to Enabled for the two environments that are discussed in this chapter. In addition, the following options were selected for the SSLF environment:
You can also select the Corporate upload file path option and include the path to the server on which you have installed the Corporate Error Reporting tool. You should evaluate the needs of your organization to determine which of these options to use.

Remote Procedure Call

You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor: Administrative Templates\System\Remote Procedure Call

The following table summarizes the recommended Remote Procedure Call settings. Additional information about each setting is provided in the subsections that follow the table.

Table 4.23 Recommended Remote Procedure Call Settings
Restrictions for Unauthenticated RPC clients

This policy setting configures the RPC Runtime on an RPC server to restrict unauthenticated RPC clients from connecting to the RPC server. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC interfaces that have specifically asked to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy. If you enable this policy setting, the following values are available:
Because unauthenticated RPC communication can create a security vulnerability, the Restrictions for Unauthenticated RPC clients setting is configured to Enabled and the RPC Runtime Unauthenticated Client Restriction to Apply value is set to Authenticated for both of the environments that are discussed in this chapter.

Note: RPC applications that do not authenticate unsolicited inbound connection requests may not work properly when this configuration is applied. Ensure you test applications before you deploy this policy setting throughout your environment. Although the Authenticated value for this policy setting is not completely secure, it can be useful for providing application compatibility in your environment.

RPC Endpoint Mapper Client Authentication

If you enable this policy setting, client computers that communicate with this computer will be forced to provide authentication before an RPC communication is established. By default, RPC clients will not use authentication to communicate with the RPC Server Endpoint Mapper Service when they request the endpoint of a server. However, this default was changed for the SSLF environment to require client computers to authenticate before an RPC communication is allowed.

Internet Communication Management\Internet Communication settings

There are several configuration settings available in the Internet Communication settings group. This guide recommends that many of these settings be restricted, primarily to help improve the confidentiality of the data on your computer systems. If these settings are not restricted, information could be intercepted and used by attackers. Although the actual occurrence of this type of attack today is rare, proper configuration of these settings will help protect your environment against future attacks.
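The sections above, from Terminal Services through Remote Procedure Call, each prescribe an EC value and an SSLF value, and each maps to one registry value under the Policies hive. The following PowerShell script is an added example (not code from this guide) that compares a client's registry with those prescriptions for the chosen environment; the key paths and value names are the documented ones written by the shipped .adm files, while the status labels and the table layout are this example's own (the Windows Update settings, which depend on one another, are not in this table).

```powershell
# Added example, not from the Windows XP Security Guide: compare policy registry values with the
# EC and SSLF prescriptions from the Terminal Services, Windows Messenger, System, Logon, Remote
# Assistance, Error Reporting and RPC sections. $null in the EC or SSLF column means "Not Configured".

$TS  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$EXP = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$WER = 'HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting'
$RPC = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
$DRV = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverSearching'
$MSG = 'HKLM:\SOFTWARE\Policies\Microsoft\Messenger\Client'

$Baseline = @(
  @{ Name='Do not allow drive redirection';                    Key=$TS;  Value='fDisableCdm';               EC=$null; SSLF=1 },
  @{ Name='Always prompt client for password upon connection'; Key=$TS;  Value='fPromptForPassword';        EC=$null; SSLF=1 },
  @{ Name='Set client connection encryption level (High)';     Key=$TS;  Value='MinEncryptionLevel';        EC=3;     SSLF=3 },
  @{ Name='Do not allow passwords to be saved';                Key=$TS;  Value='DisablePasswordSaving';     EC=1;     SSLF=1 },
  @{ Name='Do not allow Windows Messenger to be run';          Key=$MSG; Value='PreventRun';                EC=1;     SSLF=1 },
  @{ Name='Turn off Autoplay (All Drives = 0xFF)';             Key=$EXP; Value='NoDriveTypeAutoRun';        EC=$null; SSLF=255 },
  @{ Name='Turn off Windows Update device driver search prompt'; Key=$DRV; Value='DontPromptForWindowsUpdate'; EC=0; SSLF=1 },
  @{ Name='Do not process the legacy run list';                Key=$EXP; Value='DisableLocalMachineRun';    EC=$null; SSLF=1 },
  @{ Name='Do not process the run once list';                  Key=$EXP; Value='DisableLocalMachineRunOnce'; EC=$null; SSLF=1 },
  @{ Name='Offer Remote Assistance (Disabled)';                Key=$TS;  Value='fAllowUnsolicited';         EC=$null; SSLF=0 },
  @{ Name='Solicit Remote Assistance (Disabled)';              Key=$TS;  Value='fAllowToGetHelp';           EC=$null; SSLF=0 },
  @{ Name='Display Error Notification';                        Key=$WER; Value='ShowUI';                    EC=1;     SSLF=1 },
  @{ Name='Configure Error Reporting';                         Key=$WER; Value='DoReport';                  EC=1;     SSLF=1 },
  @{ Name='Restrictions for Unauthenticated RPC clients (Authenticated)'; Key=$RPC; Value='RestrictRemoteClients'; EC=1; SSLF=1 },
  @{ Name='RPC Endpoint Mapper Client Authentication';         Key=$RPC; Value='EnableAuthEpResolution';    EC=$null; SSLF=1 }
)

function Test-PolicyBaseline {
    param([ValidateSet('EC','SSLF')][string]$Environment)
    foreach ($s in $Baseline) {
        $expected = $s[$Environment]
        # A missing value is the registry form of "Not Configured".
        $item = Get-ItemProperty -Path $s.Key -Name $s.Value -ErrorAction SilentlyContinue
        $actual = if ($null -eq $item) { $null } else { $item.($s.Value) }
        $status = if ($null -eq $expected)      { 'NotPrescribed' }   # guide leaves it Not Configured
                  elseif ($null -eq $actual)    { 'NotConfigured' }   # policy never reached this client
                  elseif ($actual -eq $expected) { 'Compliant' }
                  else                           { 'Mismatch' }
        [pscustomobject]@{
            Setting = $s.Name; Environment = $Environment
            Expected = $expected; Actual = $actual; Status = $status
        }
    }
}

# Report only the settings the chosen environment actually prescribes.
Test-PolicyBaseline -Environment SSLF |
    Where-Object { $_.Status -ne 'NotPrescribed' } |
    Format-Table -AutoSize
```

A Mismatch on RestrictRemoteClients (0 = None, 1 = Authenticated, 2 = Authenticated without exceptions) is worth checking before assuming a client is at the prescribed level, since the note above points out that value 1 is the compatibility choice rather than the most restrictive one.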
You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor: Administrative Templates\System\Internet Communication Management\Internet Communication settings

The following table summarizes the recommended Internet Communication settings. Additional information about each setting is provided in the subsections that follow the table.

Table 4.24 Recommended Internet Communication Settings
Turn off the Publish to Web task for files and folders

This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. If you configure the Turn off the Publish to Web task for files and folders setting to Enabled, these options are removed from the File and Folder tasks in Windows folders. By default, the option to publish to the Web is available.

Because this capability could be used to expose secured content to an unauthenticated Web client computer, this policy setting is configured to Enabled for both the EC and SSLF environments.

Turn off Internet download for Web publishing and online ordering wizards

This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. If this policy setting is enabled, Windows is prevented from downloading providers; only the service providers that are cached in the local registry will display.

Because the Turn off the Publish to Web task for files and folders setting was enabled for both the EC and SSLF environments (see the previous setting), this option is not needed. However, the Turn off Internet download for Web publishing and online ordering wizards setting is configured to Enabled to minimize the attack surface of client computers and to ensure that this capability cannot be exploited in other ways.

Turn off the Windows Messenger Customer Experience Improvement Program

This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used.
You can enable this policy setting to ensure that Windows Messenger does not collect usage information and to prevent display of the user settings that enable the collection of usage information. In large enterprise environments it may be undesirable to have information collected from managed client computers. The Turn off the Windows Messenger Customer Experience Improvement Program setting is configured to Enabled for both of the environments that are discussed in this chapter to prevent information from being collected.

Turn off Search Companion content file updates

This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. If you configure this policy setting to Enabled, you prevent Search Companion from downloading content updates during searches. The Turn off Search Companion content file updates setting is configured to Enabled for both the EC and SSLF environments to help control unnecessary network communications from each managed client computer.

Note: Internet searches will still send the search text and information about the search to Microsoft and the chosen search provider. If you select Classic Search, the Search Companion feature will be unavailable. You can select Classic Search by clicking Start, Search, Change Preferences, and then Change Internet Search Behavior.

Turn off printing over HTTP

This policy setting allows you to disable the client computer’s ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. If you enable this policy setting, the client computer will not be able to print to Internet printers over HTTP. Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise environments.
The Turn off printing over HTTP setting is configured to Enabled for both the EC and SSLF environments to help prevent a potential security breach from an insecure print job.

Note: This policy setting affects the client side of Internet printing only. Regardless of how it is configured, a computer could act as an Internet Printing server and make its shared printers available through HTTP.

Turn off downloading of print drivers over HTTP

This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The Turn off downloading of print drivers over HTTP setting is configured to Enabled to prevent print drivers from being downloaded over HTTP.

Note: This policy setting does not prevent the client computer from printing to printers on the intranet or the Internet over HTTP. It only prohibits drivers that are not already installed locally from being downloaded.

Turn off Windows Update device driver searching

This policy setting specifies whether Windows will search Windows Update for device drivers when no local drivers for a device are present. Because there is some risk when any device drivers are downloaded from the Internet, the Turn off Windows Update device driver searching setting is configured to Enabled for the SSLF environment and Disabled for the EC environment. This configuration is recommended because the types of attacks that can exploit a driver download will typically be mitigated by proper enterprise resource and configuration management.

Note: See also Turn off Windows Update device driver search prompt in Administrative Templates/System, which governs whether an administrator is prompted before Windows Update is searched for device drivers if a driver is not found locally.

Network

There are no specific security-related configurations in the Network container of Group Policy.
However, there are a number of very important settings in the Network Connections\Windows Firewall container that the following sections explain. The following figure illustrates the sections in Group Policy that are affected by the setting changes in this section:

Figure 4.4 Group Policy structure for Computer Configuration Network Connections

Network Connections\Windows Firewall

Windows Firewall settings are made in two profiles, the Domain Profile and the Standard Profile. Whenever a domain environment is detected, the Domain Profile is used; whenever a domain environment is not available, the Standard Profile is used.

When a Windows Firewall setting is Recommended in one of the following two tables, the specific value to use will vary for different organizations. For example, each organization will have a unique list of applications that require defined exceptions for the Windows Firewall, so it is not feasible for this guide to define a list that will be broadly useful. When you need to determine which applications or ports may need exceptions, it may be helpful to enable Windows Firewall logging, Windows Firewall auditing, and network tracing. For more information, see the article “Configuring a Computer for Windows Firewall Troubleshooting,” which is available online at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/

For more information about how Windows XP uses Network Location Awareness (NLA) to determine what kind of network it is connected to, see the article "Network Determination Behavior for Network-Related Group Policy Settings" on the Microsoft Web site at http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx.

Typically, the Domain Profile is configured to be less restrictive than the Standard Profile because a domain environment often provides additional layers of protection. The policy setting names are identical in both profiles.
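The paragraph above recommends enabling Windows Firewall logging to find out which ports and applications need exceptions before you define them in either profile. The following script is an added example, not code from the guide or from Microsoft, of how to turn that log into a candidate exception list. It assumes the log is the W3C-style text file that Windows Firewall on XP SP2 writes (by default %windir%\pfirewall.log) and declares its own column layout in a "#Fields:" header; the script reads that header instead of hard-coding column positions, keeps only packets that were dropped on the receive path, and groups them by protocol and destination port. The log lines below are constructed for the example.

```python
"""Summarise dropped inbound traffic from a Windows Firewall text log.

Added example, not part of the original guide. Assumptions: the log uses a
"#Fields:" header naming its columns (as the XP SP2 Windows Firewall log
does), and the sample below is constructed, not captured from a real host.
"""
from collections import defaultdict

# Constructed sample log: two clients hitting SMB (TCP/445), one NetBIOS
# datagram, one RDP attempt, an allowed outbound connection, an outbound
# drop, an events-lost marker and an ICMP echo request.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-03-15 09:01:12 DROP TCP 10.0.0.21 10.0.0.50 1435 445 48 S 3149209871 0 65535 - - - RECEIVE
2005-03-15 09:01:15 DROP TCP 10.0.0.22 10.0.0.50 1190 445 48 S 2294011233 0 65535 - - - RECEIVE
2005-03-15 09:02:03 DROP UDP 10.0.0.21 10.0.0.50 137 137 78 - - - - - - - RECEIVE
2005-03-15 09:02:40 DROP TCP 10.0.0.30 10.0.0.50 2201 3389 48 S 88271001 0 65535 - - - RECEIVE
2005-03-15 09:03:11 OPEN TCP 10.0.0.50 10.0.0.5 1500 80 0 - 0 0 0 - - - -
2005-03-15 09:03:12 DROP TCP 10.0.0.50 10.0.0.9 1501 25 48 S 18834222 0 65535 - - - SEND
2005-03-15 09:04:00 INFO-EVENTS-LOST - - - - - - - - - - - - 3 -
2005-03-15 09:05:22 DROP ICMP 10.0.0.21 10.0.0.50 - - 60 - - - - 8 0 - RECEIVE
"""


def parse_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line appears before the #Fields header")
        tokens = line.split()
        if len(tokens) != len(fields):
            continue  # truncated or corrupted entry: skip rather than misalign columns
        yield dict(zip(fields, tokens))


def dropped_inbound(entries):
    """Keep only packets the firewall dropped on the receive path.

    Outbound drops (path SEND), allowed connections (OPEN/CLOSE) and
    INFO-EVENTS-LOST markers say nothing about needed inbound exceptions.
    """
    return [e for e in entries
            if e["action"] == "DROP" and e["path"] == "RECEIVE"]


def candidate_exceptions(text, min_sources=1):
    """Group dropped inbound traffic by (protocol, dst-port).

    Returns a list of (protocol, dst_port, packets, distinct_sources), most
    widely needed first. Raising min_sources separates a port that several
    clients really use (a candidate exception) from a single host probing
    the machine, which should not become an exception.
    """
    packets = defaultdict(int)
    sources = defaultdict(set)
    for e in dropped_inbound(parse_log(text)):
        key = (e["protocol"], e["dst-port"])
        packets[key] += 1
        sources[key].add(e["src-ip"])
    rows = [(proto, port, packets[(proto, port)], len(sources[(proto, port)]))
            for proto, port in packets
            if len(sources[(proto, port)]) >= min_sources]
    rows.sort(key=lambda r: (-r[3], -r[2], r[0], r[1]))
    return rows


if __name__ == "__main__":
    for proto, port, n, srcs in candidate_exceptions(SAMPLE_LOG):
        print(f"{proto:5} dst-port {port:>5}: {n} dropped packet(s) from {srcs} host(s)")
```

Run against a real log, replace SAMPLE_LOG with the file contents and start with min_sources set to a few hosts: a port that only one address ever hits is more likely a scan than a business need. The grouping is by port, not by program, so map each surviving port back to the service that listens on it before deciding whether to define a port exception or a program exception in the profile policy.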
The following two tables summarize the policy settings for the different profiles, and more detailed explanations are provided in the subsections that follow the tables.

Network Connections\Windows Firewall\Domain Profile

The settings in this section configure the Windows Firewall Domain Profile. You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor:

Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile

Table 4.25 Recommended Windows Firewall Domain Profile Settings
Note: When a Windows Firewall setting is Recommended in this table, the specific value to use will vary for different organizations. For example, each organization will have a unique list of applications that will require defined exceptions for the Windows Firewall. Therefore, it is not feasible for this guide to define a list that will be broadly useful.

Network Connections\Windows Firewall\Standard Profile

The settings in this section configure the Windows Firewall Standard Profile. This profile is often more restrictive than the Domain Profile, which assumes that a domain environment provides some basic level of security. The Standard Profile is expected to be used when a computer is on an untrusted network, such as a hotel network or a public wireless access point. Such environments pose unknown threats and require additional security precautions. You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor:

Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile

Table 4.26 Recommended Windows Firewall Standard Profile Settings