Checklist Summary
The purpose of this document is to inform the reader about the Windows XP security mechanisms that are available and how these mechanisms can be implemented in a network environment. It is intended to provide a solid security foundation for any Windows XP network by giving step-by-step instructions on how to use the operating system’s built-in security features, together with add-on service packs and hotfixes, to eliminate known security vulnerabilities. While networks will vary in purpose and scope, this document outlines security recommendations and procedures that can be adapted for any Windows XP network.

Another purpose of this document is to inform the reader about the recommended security settings for Windows XP Professional. These include settings that can be applied via the Security Configuration Manager, through Group Policy, and manually.

Windows XP Professional is a client operating system only; the corresponding server version has not yet been released. Therefore, this document addresses Windows XP within a Windows 2000 domain, utilizing Windows 2000 Active Directory and Group Policy. Additional security information on Group Policy Objects (GPOs) is provided in the Guide to Securing Microsoft Windows 2000 Group Policy, which should be read before this document.

The following essential assumptions have been made to limit the scope of this document:

• The network consists only of machines running Microsoft Windows 2000 and clean-installed (i.e., not upgraded) Microsoft Windows XP Professional.
• Windows XP machines are formatted using the NT File System (NTFS).
• Domain controllers are Windows 2000 machines running Active Directory.
• The latest Windows 2000 and Windows XP service packs and hotfixes have been installed.
• All network machines use an Intel-based architecture.
• Applications are Windows XP compatible.
Known Issues
This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration issues. Care must be taken when implementing this guide while using products such as Microsoft Exchange, IIS, and SMS. The security changes described in this document apply only to Microsoft Windows XP Professional systems and should not be applied to any other Windows operating system.

A Windows XP system can be severely impaired or disabled by incorrect changes or accidental deletions made with programs such as the Security Configuration Manager or Regedit.exe that change the system configuration. Therefore, it is extremely important to test all settings recommended in this guide before applying them on an operational network.
References
Bartock, Paul, et al., Guide to Securing Microsoft Windows NT Networks version 4.1, National Security Agency, September 2000.
DiMaria, Vincent, et al., Guide to Securing Microsoft Windows 2000 Terminal Services, National Security Agency, July 2, 2001.
Haney, Julie, Guide to Securing Microsoft Windows 2000 Group Policy: Security Configuration Toolset, National Security Agency, January 2002.
MacDonald, Dave, and Warren Barkley, “Microsoft Windows 2000 TCP/IP Implementation Details,” white paper, http://secinf.net/info/nt/2000ip/tcpipimp.html.
McGovern, Owen, and Julie Haney, Guide to Securing Microsoft Windows 2000 File and Disk Resources, DISA and National Security Agency, May 2002.
Microsoft TechNet, http://www.microsoft.com/technet/.
Microsoft Windows XP Professional Resource Kit Documentation, Microsoft Press, 2001.
“No Password Expiration Notice Is Presented During the Logon Process,” KB Article Q313194, http://support.microsoft.com/default.aspx?scid=kb;en-us;Q313194, Microsoft, March 2002.
“Problems When the Autoenrollment Feature Cannot Reach an Active Directory Domain Controller,” KB Article Q310461, http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310461, Microsoft, March 2002.
Schultze, Eric, “Windows XP Security: Everything you’ve always wanted to know…and a little bit more,” presented at the InfoSec World 2002 conference.
“Upgrading Windows 2000 Group Policy for Windows XP,” Microsoft KB Article Q307900, http://support.microsoft.com/default.aspx?scid=kb;en=us;Q307900, Microsoft, November 2001.