e following steps: 1. Start the MMC by using the Start menu Run command, and opening mmc.exe.
2. Click on File, then Add/Remove Snap-in. Click on Add, highlight the Security Configuration and Analysis snap-in and click on Add. Click on Close, then click on OK. When completed, save the console in the Administrative Tools folder for future use.
3. Create a new database by right-clicking Security Configuration and Analysis and selecting Open Database. Name the database and click Open.
4. Choose the template that will be applied to the workstation. Click Open to load the settings from the template.
5. Right-click the Security Configuration and Analysis snap-in and choose Analyze Computer Now. Specify the default log name and location, then click on OK. The system will then compare the current security settings active on the computer with the template settings.
6. When the checks are completed, navigate through the categories of settings listed under the Security Configuration and Analysis snap-in. The differences between the templates and the computer configuration are displayed. For example, items with a red X differ from the template, and items with a green checkmark match the template. Other items may not have been analyzed because no setting was defined in the template, or because they were dependent on another value that was not set. Besides the icon, each item also gives a verbal description, such as Not Analyzed or Not Defined.
7. If a review of the settings indicates that particular template settings should not be applied to the system, they can be adjusted by modifying the database settings shown on the screen. To accomplish this action, double-click on the setting that needs to be altered, make the necessary adjustments, and click on OK to return to the main settings listing. Repeat this process until all desired adjustments have been completed.
8. To apply the database settings to the system, right-click on the Security Configuration and Analysis snap-in and choose Configure Computer Now. Specify the default log name and location, then click on OK. The settings are applied to the system.
9. When the configuration is completed, the policy used to apply the configuration can be exported for future use on this computer or others. Export the configuration policy by right-clicking on the Security Configuration and Analysis snap-in and choosing Export Template. Name and save the template for future use on the local computer or other computers in the environment. The saved template file can also be imported to reset settings to a working configuration if future modifications cause problems.
5.3 Group Policy Distribution
In a domain environment, Group Policy Objects (GPO) can be used to distribute security settings to all computers in an Active Directory OU. The recommended method is to separate computers by role into OUs. For example, all similarly configured domain member workstations within an environment should be in an OU. To import a security template into a GPO, perform the following steps:
1. Start the MMC by using the Start menu Run command, and opening mmc.exe.
2. Click on File, then Add/Remove Snap-in. Click on Add, highlight the Group Policy snap-in, and click on Add. Select the appropriate Group Policy Object and click OK, then click Finish.
3. Click on Close, then click on OK.
4. Expand the Group Policy Object. Next, expand Computer Configuration and click on Windows Settings.
5. Right-click on Security Settings and choose Import Policy.
6. Select the desired template file and click on Open.
The security settings in the template now can be deployed to all computers within the OU. Group Policy can be applied only using a Windows 2000 Server or Windows 2003 Server (domain controller) in a domain environment (Active Directory). Microsoft also offers the Group Policy Management Console (GPMC) for managing Group Policy for multiple domains. The GPMC combines the functionality of several existing Group Policy-related tools into a single interface. GPMC can be used to import, edit, and apply security templates to Windows systems throughout an enterprise, which is ideal for a managed environment. Once the GPMC has been installed, it can be run simply by executing gpmc.msc. To open the GPMC snap-in within the MMC console, perform the following steps:
1. Start the MMC by using the Start menu Run command, and opening mmc.exe.
2. Click on File, then Add/Remove Snap-in. Click on Add, highlight the Group Policy Management snap-in, and click on Add. Click on Close, then click on OK.
In GPMC, a GPO needs to be
1. Open GPMC.
2. Right-click on the appropriate OU and select Link an Existing GPO.
3. A list of GPOs will be displayed; select the one that should be linked to the OU. This establishes the link.
An alternative is to create a new GPO that is automatically linked to a site, domain, or OU. To create a new GPO for an OU, perform the following steps:
1. Open GPMC.
2. Right-click on the appropriate OU and select Create and Link a GPO Here. This opens the New GPO dialog box.
3. Provide a name for the GPO. This creates the GPO and automatically links it to the selected OU.
4. Right-click on the new GPO and select Edit to modify the GPO with the Group Policy Editor.
GPMC can import security templates into a GPO. To do so, perform the following steps:
1. Open GPMC.
2. Right-click on the appropriate GPO and click Edit.
3. Expand Computer Configuration and click on Windows Settings.
4. Right-click on Security Settings and choose Import Policy.
5. Select the desired template file and click on Open.
GPMC can also be used to edit security settings for a GPO. To do so, perform the following steps:
1. Open GPMC.
2. Right-click on the appropriate GPO and click Edit.
3. Expand Computer Configuration and click on Windows Settings.
4. Click on Security Settings and then click on the appropriate policy (e.g., Account Policies, Local Policies, Event Log).
5. Modify the security settings as needed and click on OK when finished.
Another helpful feature of GPMC is the Group Policy Modeling Wizard, which provides Resultant Set of Policy (RSoP) functionality. This means that the wizard can determine the effects of applying combinations of GPOs (e.g., site, domain, and OU level) to a particular user or computer. To do so for an OU, perform the following steps:
1. Open GPMC.
2. Right-click on the appropriate OU and select Group Policy Modeling Wizard.
3. Make the desired selections for the simulation, such as specifying a username, computer name, user location, site, computer location, or security groups.
4. At the Summary of Selections screen, review the settings to ensure they are correct and click on Next to run the simulation.
5. Once the simulation has ended, the wizard displays the results in a Group Policy Results report. If two or more GPOs had conflicting settings for a particular policy, the report shows which policy was applied. This is very helpful in resolving conflicts among GPOs and troubleshooting unexpected GPO behavior…
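The conflict resolution the modeling report performs can be followed by hand with a small model of Resultant Set of Policy. The example below is added here and is not part of the NIST guide or of GPMC; it applies the standard processing order (local, site, domain, OU) and lets a later GPO override an earlier one, which is how the "which policy was applied" column of the report is decided. It ignores Enforced links, Block Inheritance, security and WMI filtering, and link order inside one container, and every GPO name and setting in it is constructed for illustration.

```python
# Added example, not from the NIST guide or GPMC: a simplified model of
# Resultant Set of Policy (RSoP).  Group Policy is processed in the order
# local, site, domain, OU (a parent OU before its child OUs); when two GPOs
# configure the same setting, the one applied later wins.  Enforced links,
# Block Inheritance, filtering and per-container link order are not modeled.
from typing import Dict, List, NamedTuple, Tuple


class Gpo(NamedTuple):
    name: str
    scope: str                  # "local", "site", "domain" or "ou"
    settings: Dict[str, str]    # setting -> value; unconfigured settings are absent


PROCESSING_ORDER = {"local": 0, "site": 1, "domain": 2, "ou": 3}


def resultant_set(linked: List[Gpo]) -> Dict[str, Tuple[str, str]]:
    """Return setting -> (winning value, name of the GPO that supplied it).

    `linked` lists the GPOs that apply to the computer; within one scope the
    given order is kept (for OUs, list parent-OU GPOs before child-OU GPOs).
    """
    ordered = sorted(linked, key=lambda g: PROCESSING_ORDER[g.scope])  # stable sort
    result: Dict[str, Tuple[str, str]] = {}
    for gpo in ordered:
        for setting, value in gpo.settings.items():
            result[setting] = (value, gpo.name)   # later application overrides
    return result


def conflicts(linked: List[Gpo]) -> Dict[str, List[Tuple[str, str]]]:
    """Settings configured by more than one GPO, with every contender in
    processing order (the last entry is the one the report shows as applied)."""
    seen: Dict[str, List[Tuple[str, str]]] = {}
    for gpo in sorted(linked, key=lambda g: PROCESSING_ORDER[g.scope]):
        for setting, value in gpo.settings.items():
            seen.setdefault(setting, []).append((gpo.name, value))
    return {s: c for s, c in seen.items() if len(c) > 1}


# Constructed GPOs linked at site, domain and OU level (names are made up).
EXAMPLE_GPOS = [
    Gpo("Workstations-OU", "ou", {"AuditLogonEvents": "Success, Failure",
                                  "AuditPrivilegeUse": "Failure"}),
    Gpo("Site-Baseline", "site", {"MinimumPasswordLength": "8",
                                  "AuditLogonEvents": "Success"}),
    Gpo("Domain-Security", "domain", {"MinimumPasswordLength": "12",
                                      "PasswordHistorySize": "24"}),
]


if __name__ == "__main__":
    for setting, (value, source) in sorted(resultant_set(EXAMPLE_GPOS).items()):
        print(f"{setting:<22} = {value:<18} (from {source})")
    for setting, contenders in conflicts(EXAMPLE_GPOS).items():
        print(f"conflict on {setting}: {contenders}")
```

One caveat the model does not capture: for domain accounts, the Account Policies (password and lockout settings) are taken only from GPOs linked at the domain level; an OU-linked GPO's account policies affect only local accounts on the computers in that OU.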
Some third-party system management and configuration tools provide similar functionality to GPMC—the ability to import, edit, apply, verify, monitor, and report on security settings in GPOs. These tools may also provide additional functionality, such as in-depth auditing capabilities.
5.4 Administrative Templates
In addition to security templates, Windows XP also supports administrative templates. Administrative templates are used to configure both security and non-security settings (i.e., user interface configuration) for Windows XP and various Microsoft applications. Administrative templates can only be used in association with GPOs, so they cannot be used to secure systems in typical SOHO environments and many legacy environments. Because of that, this publication uses security templates instead of administrative templates.
Administrators of systems in enterprise and SSLF environments may prefer to use administrative templates that include security settings instead of using both administrative templates with non-security settings and separate security templates. Administrators can choose to incorporate the security settings presented in this guide into their administrative templates. Windows XP includes several default administrative templates that address particular types of settings, including general Windows XP settings, Internet Explorer, Microsoft NetMeeting, Windows Media Player, and Microsoft Update. Administrators could use these templates as a starting point for creating organization or environment-specific templates. Administrators should perform extensive testing of all administrative templates before using them to configure and secure production systems.
5.5 Summary of Recommendations
• Use the NIST security templates or FDCC GPOs to configure security settings on Windows XP systems. Modify the templates and GPOs as necessary to conform to local security policy, and document all modifications.
• Use the Security Templates and Security Configuration and Analysis MMC snap-ins to create, import, view, modify, and export template settings, and to compare template settings with actual system settings.
• Use the Group Policy Object Editor, Group Policy Management Console, and Group Policy Modeling Wizard MMC snap-ins to automate the deployment of security settings to domain member systems.
6. NIST Windows XP Template and GPO Settings Overview
This section provides an overview of the security settings that will be put into place by the NIST templates and FDCC GPOs, as discussed in Appendix A, as well as additional types of settings that can be added to the templates and GPOs. The settings are divided into several categories: Account Policies, Local Policies, Event Log Policies, Restricted Groups, System Services, File Permissions, Registry Permissions, and Registry Values. For each category, this section describes at a high level the related security controls from the templates and GPOs and how the controls can be used to improve the security of the system. This section does not cover all of the actual recommended parameters and values from the security templates and GPOs.
6.1 Account Policies
In addition to educating users regarding the selection and use of good passwords, it is also important to set password parameters so that passwords are sufficiently strong. This reduces the likelihood of an attacker guessing or cracking passwords to gain unauthorized access to the system. As described in Section 3.2.1, NIST recommends the use of NTLM v2 or Kerberos instead of LM or NTLM v1 for authentication. Windows XP offers the same password parameters as Windows 2000. The following parameters are specified in the NIST templates and GPOs:
• Maximum Password Age. This forces users to change their passwords regularly. The lower this value is set, the more likely users will be to choose poor passwords that are easier for them to remember (e.g., Mypasswd1, Mypasswd2, Mypasswd3). The higher this value is set, the more likely the password will be compromised and used by unauthorized parties.
• Minimum Password Age. This setting requires users to wait for a certain number of days before changing their password again. The setting prevents a user from changing a password when it reaches the maximum age and then immediately changing it back to the previous password. Unfortunately, this setting also prevents users who inadvertently reveal a new password to others from changing it immediately without administrator intervention.
• Minimum Password Length. This setting specifies the minimum length of a password in characters. The rationale behind this setting is that longer passwords are more difficult to guess and crack than shorter passwords. The downside is that longer passwords are often more difficult for users to remember. Organizations that want to set a relatively large minimum password length should encourage their users to use passphrases, which may be easier to remember than conventional passwords.
• Passwords Must Meet Complexity Requirements. Like the Minimum Password Length setting, this setting makes it more difficult to guess or crack passwords. Enabling this setting implements complexity requirements including not having the user account name in the password and using a mixture of character types, including upper case and lower case letters, digits, and special characters such as punctuation marks.
• Enforce Password History. This setting determines how many old passwords the system will remember for each account. Users will be prevented from reusing any of the old passwords. For example, if this is set to 24, then the system will not allow users to reuse any of their last 24 passwords. Old passwords may have been compromised, or an attacker may have taken a long time to crack encrypted passwords. Reusing an old password could inadvertently give attackers access to the system.
• Store Passwords Using Reversible Encryption for All Users in the Domain. If this setting is enabled, passwords will be stored in a decryptable format, putting them at higher risk of compromise. This setting should be disabled unless it is needed to support a legacy authentication protocol, such as Challenge Handshake Authentication Protocol (CHAP).
Attackers often attempt to gain access to user accounts by guessing passwords. Windows XP can be configured to lock out (disable) an account when too many failed login attempts occur for a single user account in a certain time period. The following account lockout parameters are set in the NIST templates and GPOs:
• Account Lockout Threshold. The threshold value specifies the maximum number of failed attempts that can occur before the account is locked out.
• Account Lockout Duration. This value specifies how long the user account should be locked out. This is often set to a low but substantial value (e.g., 15 minutes), for two reasons. First, a legitimate user that is accidentally locked out only has to wait 15 minutes to regain access, instead of asking an administrator to unlock the account. Second, an attacker who is guessing passwords using brute force methods will only be able to try a small number of passwords at a time, then wait 15 minutes before trying any more. This greatly reduces the chances that the brute force attack will be successful.
• Reset Account Lockout Counter After. This specifies the time period to be used with the lockout threshold value. For example, if the threshold is set to 10 attempts and the duration is set to 15 minutes, then if more than 10 failed login attempts occur with a single user account within a 15-minute period, the account will be disabled.
One of the main challenges in setting account policies is balancing security, functionality, and usability. For example, locking out user accounts after only a few failed logon attempts in a long time period may make it more difficult to gain unauthorized access to accounts by guessing passwords, but may also sharply increase the number of calls to the help desk to unlock accounts accidentally locked by failed attempts from legitimate users. This could also cause more users to write down their passwords or choose easier-to-remember passwords. Organizations should carefully think out such issues before setting Windows XP account policies.
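The interplay of the three lockout parameters is easier to judge against a concrete sequence of logon attempts than from the definitions alone. The model below is an added example, not part of the NIST guide: it uses the guide's illustrative values (threshold 10, duration 15 minutes, reset window 15 minutes) and a constructed attempt sequence, and shows that spaced-out failures never reach the threshold, that a correct password is still refused while the lockout lasts, and that the lockout releases itself after the duration with no administrator involved. Timestamps and the log wording are constructed, not Windows event text.

```python
# Added example, not from the NIST guide: a small model of how the three
# account lockout parameters interact, useful when weighing a proposed policy
# against the help-desk impact discussed above.  Parameter names follow the
# guide; the values are the guide's illustrative ones and the attempt
# sequence is constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: int            # Account Lockout Threshold (0 = never lock out)
    duration: timedelta       # Account Lockout Duration
    reset_after: timedelta    # Reset Account Lockout Counter After


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_until: Optional[datetime] = None
    log: List[str] = field(default_factory=list)   # what a reviewer would see


def attempt_logon(state: AccountState, policy: LockoutPolicy,
                  when: datetime, password_ok: bool) -> str:
    """Apply one logon attempt to the account and return its outcome."""
    # An expired lockout is released automatically; no administrator needed.
    if state.locked_until is not None and when >= state.locked_until:
        state.locked_until, state.bad_count = None, 0
        state.log.append(f"{when:%H:%M} lockout expired")
    if state.locked_until is not None:
        state.log.append(f"{when:%H:%M} rejected, account locked")
        return "locked"
    # Failures only accumulate inside the reset window.
    if state.last_bad is not None and when - state.last_bad >= policy.reset_after:
        state.bad_count = 0
    if password_ok:
        state.bad_count, state.last_bad = 0, None
        state.log.append(f"{when:%H:%M} success")
        return "success"
    state.bad_count, state.last_bad = state.bad_count + 1, when
    if policy.threshold and state.bad_count >= policy.threshold:
        state.locked_until = when + policy.duration
        state.log.append(f"{when:%H:%M} LOCKED OUT until {state.locked_until:%H:%M}")
        return "lockout"
    state.log.append(f"{when:%H:%M} failure #{state.bad_count}")
    return "failure"


def run_scenario(policy: LockoutPolicy,
                 attempts: List[Tuple[datetime, bool]]) -> Tuple[List[str], List[str]]:
    state = AccountState()
    outcomes = [attempt_logon(state, policy, t, ok) for t, ok in attempts]
    return outcomes, state.log


EXAMPLE_POLICY = LockoutPolicy(10, timedelta(minutes=15), timedelta(minutes=15))
_T0 = datetime(2008, 1, 1, 8, 0)          # constructed start time (08:00)
EXAMPLE_ATTEMPTS = (
    [(_T0, False), (_T0 + timedelta(minutes=20), False)]             # spaced out: counter resets
    + [(_T0 + timedelta(minutes=60 + i), False) for i in range(10)]  # 10 failures 09:00-09:09
    + [(_T0 + timedelta(minutes=70), True),                          # right password, still locked
       (_T0 + timedelta(minutes=84), True)]                          # lockout expired at 09:24
)


def demo() -> Tuple[List[str], List[str]]:
    return run_scenario(EXAMPLE_POLICY, EXAMPLE_ATTEMPTS)


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Changing EXAMPLE_POLICY (for example, a threshold of 3 with a 60-minute window) and re-running the same sequence shows how quickly legitimate users with a few mistyped passwords would end up at the help desk, which is the trade-off described above.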
6.2 Local Policies
The Local Policies category encompasses three subcategories: system auditing policy, user rights assignment, and security options. Each of these subcategories is discussed in more depth in the following sections.
6.2.1 Audit Policy
Windows XP includes powerful system auditing capabilities. The purpose of auditing is to record certain types of actions to a log, so that system administrators can review the logs and detect unauthorized activity. Audit logs may also be helpful when investigating a security incident. As shown in Table 6-1, system auditing is available for logon events, account management, directory service access, object access, policy change, privilege use, process tracking, and system events. Each audit policy category can be configured to record successful events, failed events, both successful and failed events, or neither. Section 7.3 describes how file auditing can be configured, as well as how the Event Viewer can be used to review log entries.
Table 6-1. System Wide Audit Policy Description
Audit Policy | Description
Audit account logon events | Audits when a user logs on or off a remote computer from this workstation.
Audit account management | Audits when a user account or group is created, changed, or deleted; a user account is renamed, disabled, or enabled; a password is set or changed.
Audit directory service access | Audits the event of a user accessing an Active Directory object that has its own System Access Control List (SACL) specified. This setting is not applicable to Windows XP systems.
Audit logon events | Audits users logging on, logging off, or making a network connection to the local computer.
Audit object access | Audits a user accessing an object (for example, a file, folder, registry key, or printer) that has its own SACL specified. Auditing of success or failure of system wide object access will create numerous log entries. Certain object access failures may be normal as a result of applications requesting all access types to objects, even though the application does not require all access types to function properly. Use object access auditing with caution.
Audit policy change | Audits every change to user rights assignment policies, audit policies, and trust policies.
Audit privilege use | Audits each instance of a user exercising a user right. This is likely to generate a very large number of events.
Audit process tracking | Audits detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Enabling this setting will generate many events, so it should only be used when absolutely necessary.
Audit system events | Audits when a user restarts or shuts down the computer or when an event occurs
Recommended settings for system auditing can be applied to systems from the NIST templates and GPOs. Settings can also be applied manually by performing the following steps:
1. From the Start menu, choose Control Panel.
2. Select Administrative Tools, and then choose Local Security Policy.
3. Expand Local Policies, and then click on Audit Policy.
4. The right pane lists the current audit settings. Make any necessary changes by double-clicking on the appropriate item, modifying the setting, and clicking OK to save the change.
The NIST templates and GPOs do not enable auditing for specific files or registry keys. Administrators should consider enabling auditing for the most important directories (e.g., %SystemDrive%, directories holding critical user information) and registry keys (e.g., HKLM\Software, HKLM\System). Because enabling auditing for directories and registry keys could cause a large number of auditing events to be generated, administrators should carefully test any such auditing settings before deploying them on production systems.
6.2.2 User Rights Assignment
The NIST security templates and GPOs specify which groups (e.g., Administrators, Users) have certain user rights. The goal is for each group to have only the necessary rights, and for users to only belong to the necessary groups. This is the principle of least privilege, described previously in Section 2.2. Examples of user rights that can be specified are as follows:
• Accessing the system remotely and locally
• Performing backups
• Changing the time and date on the system
• Managing the logs
• Shutting down the system.
6.2.3 Security Options
Besides the Local Security Policy settings mentioned earlier in this section, additional settings called Security Options can be modified to achieve greater security than the default settings provide. The NIST templates and GPOs specify values for dozens of such settings. Examples of the types of settings available are as follows:
• Limiting the use of blank passwords
• Renaming the default Administrator and Guest accounts
• Restricting remote access to floppy and CD-ROM drives
• Encrypting secure channel data in a domain
• Securing the interactive logon screen (e.g., not showing the previous user’s account name, displaying a warning banner, prompting users to change passwords before they expire)
• Restricting which types of network access may be performed
• Specifying which types of authentication may be used (e.g., NTLM v2).
The Security Options settings can also be accessed and adjusted manually by performing the following steps:
1. From the Start menu, choose Control Panel.
2. Select Administrative Tools, and then choose Local Security Policy.
3. Expand Local Policies and select Security Options.
4. The right pane lists the security option and indicates the current setting for each. Make any necessary changes by double-clicking on the appropriate security option, modifying the setting, and clicking OK to save the change.
6.3 Event Log Policies
Windows XP records information about significant events in three logs: the Application Log, the Security Log, and the System Log. The logs contain error messages, audit information, and other records of activity on the system. The logs can be used not only to identify suspicious and malicious behavior and investigate security incidents, but also to assist in troubleshooting system and application problems. Therefore, it is important to enable logging for all three types of logs. The NIST templates and GPOs enable all three logs for all environments, and also specify the maximum log size. This is important because if the maximum log size is very low, the system will not have much room for storing information on system activity. Some organizations may have a logging policy and central log server, so the template settings may need to be adjusted so they comply with the policy.
6.4 Restricted Groups
NIST recommends that all users be removed from the Remote Desktop Users group on all systems in all environments, except for those users that specifically need to belong to the group. This will reduce the possibility of someone gaining unauthorized access to the system through Remote Desktop. NIST also recommends restricting membership in the Power Users group because it is nearly equivalent in privileges to the Administrators group. Users should not use an account in the Power Users group to operate a system on a daily basis; such accounts should be treated as Administrators group accounts and used only when necessary. Whenever possible, users who need additional privileges, but not full administrative-level access, should be granted the individual privileges needed instead of the range of privileges granted by Power Users group membership. By default, each NIST security template removes all users from the Remote Desktop Users and Power Users groups; the SSLF template also removes all users from the Backup Operators group. The FDCC GPOs do not make any changes to the groups.
6.5 System Services
Windows XP operates with many services that are started automatically when the system boots up. These services consume resources and may introduce vulnerabilities to the host. All unnecessary services should be disabled to reduce the number of attack vectors against the system. In managed environments, the Group Policy Object should be used to configure services on systems; in other environments, services can be shut off individually on each system. For both configuration methods, each service on a system can be configured with one of three startup types:
• Automatic. The service is started automatically. This means that the service is running whenever the system is up.
• Manual. The service is started only by the system when it is needed. In practice, many services that are reconfigured to Manual are not automatically started when needed; for example, if the Print Spooler is set to Manual, it will not be started when a user tries to print a document.
4. Installation, Backup, and Patching
This section of the guide contains advice on performing Windows XP installations, and backing up and patching Windows XP systems. It discusses the risks of installing a new system on a network and the factors to consider when partitioning Windows XP hard drives. It also describes various installation techniques and provides pointers to more information on performing them. Another important topic is the ability of Windows XP to back up and restore data and system configuration information. This section also discusses how to update existing systems through Microsoft Update and other means to ensure that they are running the latest service packs and hotfixes. Advice is also presented on identifying missing patches and security misconfigurations on systems.
Organizations should have sound configuration management policies that govern changes made to operating systems and applications, such as applying patches to an operating system or modifying application configuration settings to provide greater security. Configuration management policies should also address the initial installation of the operating system, the installation of each application, and the roles, responsibilities, and processes for performing and documenting system changes caused by upgrades, patches, and other methods of modification.
4.1 Performing a New Installation
This guide assumes that a new Windows XP installation is being performed from scratch. If an administrator or user is upgrading an existing Windows installation, some of the advice in this guide may be inappropriate and could cause problems. Because a machine is unsecured and very vulnerable to exploitation through the network during installation, it is recommended that all installations and initial patching be done with the computer not connected to any network. If a computer must be connected to a network, then it is recommended that the network be isolated and strongly protected (e.g., shielded by a firewall on a trusted network segment) to minimize exposure to any network attacks during installation. If possible, the latest service pack and critical hotfixes should be downloaded from Microsoft’s Web site, archived to read-only media, such as CD-ROMs, and kept physically secure.
4.1.1 Partitioning Advice
One of the major decisions during installation is how to partition hard drives. The primary consideration is how large the disk drive is; for example, partitioning is not recommended for drives under 6 gigabytes (GB). For larger drives, the following factors should be considered:
• How large is the drive?
• How many physical drives does the machine have?
• If the system only has one drive, is there a desire to logically separate the OS and applications from data? An example of the benefit of this is that if the OS needs to be upgraded or reinstalled, the data can easily be preserved.
• What is the purpose of this computer? For example, if a computer will be used to share files within a workgroup, it may be useful to have a separate partition for the file share.
• Is there a need for redundancy (e.g., mirroring a data partition onto a second drive)?
Windows XP Professional provides a feature known as dynamic disks. On a dynamic disk, partition sizes can be changed as needed. For example, an administrator could create an OS and applications partition and a data partition on a large drive, leaving much of the drive space available for future allocation. As needed, the administrator can use the free space to create new partitions and to expand the existing partitions. This provides considerable flexibility for future growth. Users are cautioned that, as with any other new feature, dynamic disks should be tested before deploying them on production systems. Dynamic disks may be incompatible with some applications, particularly system maintenance and management utilities.
Another important consideration during installation is which type of filesystem to use for each partition. NIST recommends using NTFS for each partition unless there is a particular need to use another type of filesystem. Section 7.1 contains more information on NTFS and other filesystem options.
4.1.2 Installation Methods
There are several ways to perform Windows XP installations. This section covers three primary methods: local installations, cloning through Sysprep, and the Remote Installation Services (RIS).
4.1.2.1 Local Installation
The local installation approach refers to traditional methods of installing Windows, such as using a Microsoft CD. This is effective only for installing a small number of computers at a time because it requires user attention throughout the installation. When installing Windows XP from a CD, follow the default steps, except for the following:
• For the Network Setting configuration, select Custom and disable all network clients, services, and protocols that are not required. Although this will help to limit the computer’s exposure to network-based attacks, consider the implications of disabling each service because this may inadvertently break required functionality (e.g., connecting to remote servers and printers). See Section 7.5 for more information on network clients, services, and protocols. Consider disabling the following services:
– Client for Microsoft Networks (most users will require this service)
– Client Service for NetWare
– File and Printer Sharing for Microsoft Networks
– QoS Packet Scheduler
– NWLink IPX/SPX/NetBIOS Compatible Transport Protocol.
• If possible, assign an Internet Protocol (IP) address, default gateway, and domain name system (DNS) server.
• Even if the computer will be joining a domain, choose to be in only a workgroup, and change the workgroup name to something other than the default of WORKGROUP.
• Set all environment-specific settings, such as the time zone.
When the installation prompts for accounts to be added, only one account should be added initially. Other accounts can always be added later once the system is fully patched and configured. By default, the account created during the installation and the built-in Administrator account both belong to the Administrators group. After the initial post-installation boot, assign both accounts strong passwords. The next task is to install the latest service pack and hotfixes. Only after the machine has been brought up to current patch levels should it be connected to a regular network. Then, the networking configuration can be changed, such as joining the workstation to a domain, or assigning a workgroup to enable sharing of workgroup resources (e.g., shared directories, printers). Other services that were disabled during installation can be enabled if needed. It is also helpful to scan through the list of installed Windows components, determine which applications and utilities (e.g., Internet games) are not needed, and remove them.
4.1.2.2 Sysprep
Sysprep is a tool that permits an image from a single Windows XP computer installation, known as a gold system, to be cloned onto multiple systems in conjunction with a cloning software program such as Ghost or Disk Image. This technique reduces user involvement in the installation process to approximately 5 to 10 minutes at the start of the installation. The Sysprep approach has several benefits. Because the standard image can be created with a strong security configuration, Sysprep reduces the possibility of human error during the installation process. In addition, the Windows XP installation occurs more quickly with Sysprep. This is beneficial not only for building new systems, but also for reinstalling and reconfiguring the operating system and applications much more quickly when needed—for example, as a result of hardware failure or a virus infection. In preparing the “gold” image for Sysprep, the same guidelines used for a local installation should be used, with the addition of enabling any needed services and patching the system. It is also important to physically secure image media so that it is not inadvertently or purposely altered.
4.1.2.3 Remote Installation Services
The Remote Installation Services (RIS) allow a computer to be booted from the network and then to automatically install an instance of Windows XP. RIS can be configured to perform either a completely automated and unattended installation with RISetup, or one that requires minimal user attendance (similar to the Sysprep tool) with RIPrep. Several hardware and software dependencies exist; therefore, Microsoft’s documentation on the tool should be consulted for detailed instructions regarding how to configure this installation method.
The RIS method has the same advantages as Sysprep. RIS has the additional advantage that the machine being installed does not need direct access to the physical installation media (e.g., a CD-ROM). This can be ideal in an SSLF environment in which machines might not have CD-ROM drives. The primary disadvantage of RIS is that the machine must be connected to a network while it is being installed. This opens a window of opportunity for an attacker to exploit a security weakness before the installation (and patching) is completed, so the installation network should be isolated from untrusted networks.
4.2 Backing Up Systems
To increase the availability of data in case of a system failure or data corruption caused by a power failure or other event, Windows XP has built-in capabilities to back up and restore data and systems. By default, users run the Backup or Restore Wizard, which automates most of the backup and restore processes. For example, during a backup the user is presented with several options, including backing up the current user’s files and settings, backing up all users’ files and settings, and backing up the whole system. This allows the user to back up data and systems without having to manually indicate which files and directories should be backed up, if the user’s files are where the backup program expects them to be. To run the Backup or Restore Wizard, perform the following steps:
1. Open My Computer. Right-click on the drive that contains the data to be backed up, and select Properties.
2. Click on the Tools tab. Click on the Backup Now… button. This launches the Backup or Restore Wizard.
When a backup is performed, the result is a .bkf file (Backup.bkf by default). If a full system backup is performed, the Automated System Recovery Wizard will prompt the user to insert a floppy disk, which will be turned into a recovery disk that can be used with the .bkf file to restore the system in case of failure. As the name indicates, the Backup or Restore Wizard can also be used to restore a backup from a .bkf file. It is very important to verify periodically that backups and restores can be performed successfully; backing up a system regularly may not be beneficial if the backups are corrupt or the wrong files are being backed up, for example. Organizations should have policies and procedures that address the entire backup and recovery process, as well as the protection and storage of backup media and recovery disks. Because backups may contain sensitive user data as well as system configuration and security information (e.g., passwords), backup media should be properly protected to prevent unauthorized access.
When the Backup or Restore Wizard is run, it presents an option to select Advanced Mode. This switches to the Backup Utility interface, which is not as user-friendly but provides greater customizability and more features. For example, the Backup Utility can be used to schedule backups. In general, system administrators are more likely to use the Backup Utility mode, while end users are more likely to use the Backup or Restore Wizard mode.
Besides the backup wizards and utilities provided by Windows XP, there are also various third-party utilities for backing up and restoring files and systems. It is important to verify that the third-party software can properly back up and restore Windows XP-specific resources, such as the Windows registry and EFS-encrypted files and folders. Windows XP’s built-in utilities also use a shadow copy backup technique when possible, which means that they essentially take a snapshot of the system and then perform a backup on that snapshot. This avoids problems with attempting to back up open files. Third-party backup utilities used on Windows XP systems should have good mechanisms for handling open files.
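The following PowerShell script is an added example, not part of the NIST guide or of Microsoft's documentation. It shows the unattended side of the Backup Utility described above: NTBackup driven from the command line to take a verified System State backup, the job scheduled weekly, and the folder holding the .bkf restricted to Administrators and SYSTEM because the backup carries the registry (including the SAM) and boot files. It assumes Windows XP Professional with NTBackup installed, PowerShell 2.0 (Windows Management Framework) and an elevated session; the folder, file and job names are placeholders.

```powershell
# Added example, not part of the NIST guide: verified System State backup with NTBackup,
# scheduled weekly, with the backup folder readable only by Administrators and SYSTEM.
# Assumptions: Windows XP Professional, NTBackup installed, PowerShell 2.0, elevated session.
# Folder, file and job names below are placeholders.

$BackupDir = 'C:\Backups'   # assumed location; removable media or a protected share is typical
$Bkf       = Join-Path $BackupDir 'systemstate.bkf'
if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }

# The .bkf contains the registry (with the SAM) and boot files: stop inheriting the
# drive's ACL, which grants Users read access, and allow only Administrators and SYSTEM.
$acl = Get-Acl -Path $BackupDir
$acl.SetAccessRuleProtection($true, $false)   # protect DACL, discard inherited entries
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $BackupDir -AclObject $acl

# Backup job: systemstate = registry, boot files, COM+ database.
# /V:yes re-reads the media after writing, /L:s writes a summary log, /M normal = full backup.
$ntbArgs = "backup systemstate /J WeeklySystemState /F $Bkf /V:yes /L:s /M normal"

# Run it once now. NTBackup is a GUI program, so wait for it explicitly.
Start-Process -FilePath 'ntbackup.exe' -ArgumentList $ntbArgs -Wait

# Schedule the same job every Sunday at 02:00 under the SYSTEM account.
# Windows XP's schtasks expects the start time as HH:MM:SS.
& schtasks.exe /Create /TN WeeklySystemStateBackup /TR "ntbackup.exe $ntbArgs" `
    /SC WEEKLY /D SUN /ST 02:00:00 /RU SYSTEM
```

The job above covers the System State only; user data is backed up by building a selection file in the Backup Utility and passing it as `ntbackup backup "@C:\Backups\data.bks" ...`. The `/V:yes` verification only confirms that the media reads back what was written; it does not prove that a restore will succeed, so the periodic restore test the guide calls for still has to be performed, ideally onto a spare machine.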
4.3 Updating Existing Systems
Host security—securing a given computer—has become increasingly important. As such, it is essential to keep a host up to current patch levels to eliminate known vulnerabilities and weaknesses. In conjunction with antivirus software and a personal firewall, patching goes a long way to securing a host against outside attacks and exploitation. Microsoft provides two mechanisms for distributing security updates: Automatic Updates and Microsoft Update. In smaller environments, either method may be sufficient for keeping systems current with patches. Other environments typically have a software change management control process or a patch management program that tests patches before deploying them; distribution may then occur through local Windows Update Services (WUS) or Windows Server Update Services (WSUS) servers, which provide approved security patches for use by the Automatic Updates feature. This section discusses Automatic Updates and Microsoft Update, as well as patch management considerations for managed environments. This section also defines the types of updates that Microsoft typically provides.
4.3.1 Update Notification
As described later in this section, it is possible to configure Windows XP systems to download critical updates automatically. However, this still leaves other updates that can only be downloaded manually. Therefore, it is important for Windows XP system administrators to be notified of new updates that Microsoft releases. The Microsoft Security Notification Service is a mailing list that notifies subscribers of new security issues and the availability of all types of Microsoft updates. Microsoft security bulletins are also available online from the TechNet Security TechCenter. Individual bulletins are issued for each new vulnerability and are incorporated into monthly bulletins that list the vulnerabilities in order of potential severity (e.g., critical, important, moderate). Each bulletin provides guidance regarding under what circumstances the suggested mitigation strategy (e.g., patch) should be applied.
4.3.2 Microsoft Update Types
Microsoft releases updated code for Windows XP-related security issues through three mechanisms: hotfixes, security rollups, and service packs.
- A hotfix is a patch that fixes a specific problem. When a new vulnerability is discovered in Windows XP or a Microsoft application (e.g., Internet Explorer), Microsoft develops a hotfix that will resolve the problem. Hotfixes are released on an individual basis as needed. Hotfixes should be applied as soon as practical for vulnerabilities that are likely to be exploited. (Whenever possible, hotfixes should first be tested on a nonproduction system to ensure that they do not inadvertently break functionality or introduce a new security problem by breaking a previous hotfix.)
- A security rollup is a collection of several hotfixes. The security rollup makes the same changes to the system that would be performed if each hotfix were installed separately. However, it is easier to download and install a single security rollup than 10 hotfixes. Microsoft releases security rollups on occasion when merited. Security rollups are most useful for updating existing systems that have not been maintained and for patching new systems.
- A service pack (SP) is a major upgrade to the operating system that resolves dozens of functional and security problems and often introduces some new features or makes significant configuration changes to systems. Service packs incorporate previously released hotfixes, so once an SP has been applied to a system, there is no need to install the hotfixes that were included in the service pack. Service packs are released every few years; for example, Windows XP was released in the fall of 2001, SP1 in the fall of 2002, SP2 in the summer of 2004, and SP3 in the spring of 2008. Because SPs often make major changes to the operating system, organizations should test the SP thoroughly before deploying it in production. In SOHO environments, the best approach is to delay installation of the SP for at least a few weeks so that early adopters can identify any bugs or issues. However, if the SP provides a fix for a major security issue, and the fix is not available through hotfixes, it may be less risky to install the SP immediately than to let the system remain unpatched.
4.3.3 Automatic Updates
One facility that is available to patch systems with little to no user intervention is the Automatic Updates feature. When enabled, it will automatically check the Microsoft update servers for OS and Microsoft application updates, including service packs, security roll-ups, and hotfixes, as well as updated hardware drivers. Automatic Updates has a prioritization feature that ensures the most critical security updates are installed before less important updates.
Automatic Updates provides three configuration options to users:
- Notify the user before downloading or installing any updates
- Download updates automatically but notify the user before installing them
- Download all updates and automatically install them according to a specified schedule.
Generally, it is best to configure the system to download updates automatically, unless bandwidth usage is a concern. For example, downloading patches could adversely affect the functionality of a computer that is connected to the Internet on a slow link. In this case, it would be preferable for Automatic Updates to be configured to notify the user that new patches are available. The user should then make arrangements to download the patch at the next possible time when the computer is not needed for normal functionality. Choosing whether to install updates automatically or prompt the user is dependent upon the situation. If the user is likely to ignore the notifications, then it may be more effective to install the updates on a schedule. If the system is in use at unpredictable days and times, then it may be difficult to set a schedule that will not interfere with system usage. Another issue to consider is that many updates require the system to be rebooted before the update takes effect. Windows XP offers an Install updates and shutdown option as part of its Shut Down dialog box, which may be helpful in reminding users to launch the update installation process.
It is highly recommended that the Automatic Updates service be enabled to keep the OS and key Microsoft applications (e.g., Internet Explorer, Outlook Express) fully patched. To enable Automatic Updates, perform the following steps:
1. Click the Start menu and select Control Panel.
2. Double-click Automatic Updates.
3. Choose the appropriate radio button (such as Download updates for me, but let me choose when to install them). Click OK.
Some organizations do not want the latest updates applied immediately to their Windows systems. For example, in a managed environment it may be undesirable for hotfixes to be deployed to production systems until they have been tested by Windows administrators and security administrators. In addition, in large environments, many systems may need to download the same hotfix simultaneously, which could have a serious impact on network bandwidth. Organizations with such concerns often establish a local WUS or WSUS update server that contains approved updates and use Group Policy to restrict the locations from which updates can be retrieved. The Automatic Updates feature on Windows XP systems should then be configured to point to the local update server. Unfortunately, although WUS and WSUS provide a method for distributing Microsoft updates, they cannot be used to distribute third-party software updates.
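The following PowerShell script is an added example, not part of the NIST guide or of Microsoft's documentation. It writes the same policy values that the Group Policy settings for Automatic Updates write, points the client at a local WSUS server, reads the result back, and warns about the two states that leave a host unpatched (Automatic Updates disabled, or updates not downloaded automatically). It assumes Windows XP SP3 with PowerShell 2.0 (Windows Management Framework) installed, an elevated session, and a placeholder WSUS URL; the same values can be written with reg.exe where PowerShell is not available.

```powershell
# Added example, not part of the NIST guide: configure Automatic Updates through the
# policy registry values, point the client at a local WSUS server, and check the result.
# Assumptions: Windows XP SP3, PowerShell 2.0, elevated session; the WSUS URL is a placeholder.

$WsusUrl  = 'http://wsus.example.local'   # assumed server name; replace with the real one

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = Join-Path $WuPolicy 'AU'

foreach ($key in @($WuPolicy, $AuPolicy)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Intranet update source, and the server that receives client status reports.
Set-ItemProperty -Path $WuPolicy -Name 'WUServer'       -Value $WsusUrl -Type String
Set-ItemProperty -Path $WuPolicy -Name 'WUStatusServer' -Value $WsusUrl -Type String

# AUOptions: 2 = notify before download, 3 = download then notify before install,
# 4 = download and install on the schedule below, 5 = let the local administrator choose.
Set-ItemProperty -Path $AuPolicy -Name 'NoAutoUpdate'         -Value 0 -Type DWord
Set-ItemProperty -Path $AuPolicy -Name 'AUOptions'            -Value 4 -Type DWord
Set-ItemProperty -Path $AuPolicy -Name 'ScheduledInstallDay'  -Value 0 -Type DWord   # 0 = every day
Set-ItemProperty -Path $AuPolicy -Name 'ScheduledInstallTime' -Value 3 -Type DWord   # 03:00 local time
Set-ItemProperty -Path $AuPolicy -Name 'UseWUServer'          -Value 1 -Type DWord

# Read the effective policy back and warn about weak states.
$au = Get-ItemProperty -Path $AuPolicy
$wu = Get-ItemProperty -Path $WuPolicy
if ($au.NoAutoUpdate -eq 1) { Write-Warning 'Automatic Updates is disabled by policy.' }
if ($au.AUOptions -lt 3)    { Write-Warning 'Updates are not downloaded automatically.' }
if ($au.UseWUServer -eq 1 -and -not $wu.WUServer.StartsWith('https://')) {
    Write-Warning 'WSUS URL is plain HTTP; a spoofed server on the network path could serve updates.'
}
"AUOptions=$($au.AUOptions) day=$($au.ScheduledInstallDay) hour=$($au.ScheduledInstallTime) WUServer=$($wu.WUServer)"

# Make the client re-read the policy and run a detection cycle against the new server.
& wuauclt.exe /resetauthorization /detectnow
```

On a domain member, Group Policy rewrites these values at every refresh, so the settings belong in a GPO rather than in a local script; the script is useful for workgroup machines and for verifying what a GPO actually delivered. The Control Panel applet writes its choice under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update, and the policy values above take precedence over it.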
4.3.4 Microsoft Update
Users with local administrator privileges can also manually update their systems by visiting the Microsoft Update Web site. The Microsoft Update site will check the computer to determine what security and functionality updates are available and produce a list of updates. The user can then select which updates should be installed at this time, and tell Microsoft Update to perform the installations. To use Microsoft Update, perform the following steps:
1. Run Internet Explorer.
2. From the Tools menu, select Windows Update. If a prompt appears asking to install and run Windows Update, click Yes.
3. If a prompt appears saying that a new version of the Windows Update or Microsoft Update software is available, click on Install Now or Download and Install Now to install the new version. Multiple updates may be needed. If prompted to do so, close Internet Explorer or reboot the computer so that the new version of the update software takes effect. (If a reboot is needed, restart these instructions at step 1 after the reboot completes.)
4. Click on the Custom button to identify available updates.
5. Microsoft Update checks for updates and lists the available updates. Depending on the service pack level of the computer, either Service Pack 2 or 3 or non-service pack updates should be displayed. Follow the appropriate step:
a. Non-service pack updates are grouped by high priority updates, optional software updates, and optional hardware updates
i. Review the list of available updates, select the desired ones (or accept the default setting), then click Review and install updates. In some cases, one patch may need to be installed by itself; therefore, it may not be possible to install all desired patches at once.
ii. Confirm that the correct updates are listed, and click the Install Updates button to perform the installations. Review any licensing agreements that are displayed and click on the appropriate button for each.
iii. The download and installation process will begin. Depending on the number of updates and the network bandwidth available, it may take from a few minutes to a few hours to download and install the updates. When the installations are done, Microsoft Update should report which updates were successfully installed. It will also prompt the user to reboot the computer if any of the updates require a reboot to complete the installation. Click on OK to reboot immediately or Cancel to manually reboot the computer later.
b. Service Pack 2 or 3 can be installed through Microsoft Update using the following steps:
i. Click on Download and Install Now.
ii. Review the license agreement and click on the appropriate button.
iii. The service pack should be downloaded and installed. This may take considerable time, depending primarily on the size of the service pack and the type of Internet connectivity and bandwidth available. A setup or installation wizard may prompt the user at some point; click Next to continue.
iv. Once the installation has ended, a summary should be displayed that reports the installation was successful. Click Restart Now to reboot the computer.
v. After the reboot, the Help protect your PC screen appears. The Automatic Updates setting is configured later in the instructions, so at this time, choose the Not right now option and click Next.
vi. The Security Center opens and displays the status of security programs. Since antivirus software and other security programs have not yet been installed on the computer, the current status is irrelevant. Close the Security Center.
6. Repeat all of these steps until no more updates are available. Depending on which service pack was on the computer, and the number of additional updates that need to be applied, it may take several rounds of updating the computer and rebooting it to bring a new Windows XP installation completely up to date.
Because Windows Update requires local administrative privileges and is run manually, its use is generally not recommended within enterprise, SSLF, and FDCC environments. As described in Section 4.3.5, it is recommended that all updates be tested and verified before coordinated deployment, which the use of Microsoft Update could circumvent. Microsoft Update has additional complications in enterprise environments because it is typically unrealistic to run any application manually on every workstation in the enterprise on a regular basis, and individual users may not have the necessary local administrative rights.
4.3.5 Patching in Managed Environments
Enterprise, SSLF, and FDCC environments, especially those that are considered managed environments, should have a patch management program that is responsible for acquiring, testing, and verifying each patch, then arranging for its distribution to systems throughout the organization. NIST SP 800-40 version 2.0, Creating a Patch and Vulnerability Management Program, provides in-depth advice on establishing patching processes and testing and applying patches. For each patch that is released, the patch management team should research the associated vulnerabilities and prioritize the patch appropriately. It is not uncommon for several patches to be released in a relatively short time, and typically one or two of the patches are much more important to the organization than the others. Each patch should be tested with system configurations that are representative of the organization’s systems. Once the team determines that the patch is suitable for deployment, the patch needs to be distributed through automated or manual means for installation on all appropriate systems. (There are several third-party applications available for patch management and distribution, which support many types of platforms and offer functionality that supports enterprise requirements.) Finally, the team needs to check systems periodically to confirm that the patch has been installed on each system, and to take actions to ensure that missing patches are applied.
Microsoft offers the following command-line tools that may be helpful in hotfix deployment:
- The qchain.exe tool allows multiple hotfixes to be installed at one time, instead of installing a hotfix, rebooting, and then installing another hotfix.
- The qfecheck.exe tool can be used to track and verify installed hotfixes.
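The following PowerShell script is an added example, not part of the NIST guide or of Microsoft's tools. It performs the deployment step of the process described above for one machine: a set of already tested hotfixes is installed from a staging folder without rebooting between packages, qchain.exe is run to order the pending file replacements, and the installed-hotfix inventory exposed through WMI is then checked for each KB number. It assumes PowerShell 2.0 and an elevated session, Update.exe-based packages named WindowsXP-KB<number>-x86-<lang>.exe that accept /quiet and /norestart, and qchain.exe copied into the staging folder; the folder path is a placeholder.

```powershell
# Added example, not part of the NIST guide: chained hotfix installation with verification.
# Assumptions: PowerShell 2.0, elevated session, Update.exe-based packages that accept
# /quiet and /norestart, qchain.exe in the staging folder. Folder path is a placeholder.

$Staging    = 'C:\Patches'   # assumed staging directory holding the tested packages
$Packages   = Get-ChildItem -Path $Staging -Filter 'WindowsXP-KB*.exe' | Sort-Object Name
$NeedReboot = $false

foreach ($pkg in $Packages) {
    # /quiet suppresses the UI; /norestart defers the reboot so the next package can run.
    $p = Start-Process -FilePath $pkg.FullName -ArgumentList '/quiet /norestart' -Wait -PassThru
    switch ($p.ExitCode) {
        0       { "installed  $($pkg.Name)" }
        3010    { "installed  $($pkg.Name) (reboot required)"; $NeedReboot = $true }  # ERROR_SUCCESS_REBOOT_REQUIRED
        default { Write-Warning "FAILED ($($p.ExitCode))  $($pkg.Name)" }
    }
}

# qchain.exe reorders the queued file replacements so that the newest version of each
# file is the one present after the restart; its argument is a log file.
$qchain = Join-Path $Staging 'qchain.exe'
if (Test-Path $qchain) { & $qchain (Join-Path $Staging 'qchain.log') | Out-Null }

# Verify each KB against the installed-hotfix inventory the OS exposes through WMI.
$installed = Get-WmiObject -Class Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID }
foreach ($pkg in $Packages) {
    if ($pkg.Name -match 'KB\d+') {
        $kb = $matches[0]
        if ($installed -contains $kb) { "present  $kb" } else { Write-Warning "missing  $kb" }
    }
}

if ($NeedReboot) { 'A restart is required to complete installation (shutdown.exe /r /t 0).' }
```

Packages built with the newer Update.exe installer include the chaining logic themselves, so qchain.exe matters only for older hotfix.exe-style packages; running it on a mixed set is harmless. The WMI check is the per-machine equivalent of the periodic confirmation step the guide recommends, and the same query can be run remotely with `Get-WmiObject -ComputerName` from a management workstation to find hosts where a patch is missing.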
4.4 Identifying Security Issues
Host security is largely dependent upon staying up to date with security patches as well as identifying and remediating other security weaknesses. The Microsoft Baseline Security Analyzer (MBSA) is a utility that can scan the local computer and remote computers to identify security issues. MBSA must have local administrator-level access on each computer that it is scanning. MBSA offers both graphical user interface (GUI) and command-line interfaces. MBSA can identify which updates are missing from the operating system and common Microsoft applications (e.g., Internet Explorer, Media Player, Internet Information Services [IIS], Exchange Server, Structured Query Language [SQL] Server) on each system. For the operating system and a few applications (e.g., Internet Explorer, IIS, SQL Server, Office), it can also identify other security issues, such as insecure configurations and settings. MBSA only identifies the problems; it has no ability to change settings or download and install updates onto systems. The methods discussed in Section 4.3 should be used to download and apply patches.
Enterprise configuration management tools are also available that can be used to assess the security posture of Windows XP systems. These tools have a variety of capabilities, such as comparing security settings with baseline settings and identifying missing patches. Some tools can also correct problems that they find by changing settings, installing patches, and performing other actions. The tools can provide an independent verification that the security controls are implemented as intended and can document this verification for use in demonstrating compliance with laws, regulations, and other security requirements. NIST has been leading the development of the Security Content Automation Protocol (SCAP), which is a set of specifications for expressing security information in standardized ways. Enterprise configuration management tools that support SCAP can use security baselines that are made publicly available by organizations such as NIST, and they can also generate output in standardized forms that can be used by other tools.
Individual systems can also monitor their own security state and alert users of potential problems. Windows XP offers the Windows Security Center, which is a service that can be configured to monitor the state of the system’s firewall (either Windows Firewall or a third-party firewall) and antivirus software, as well as the settings for Automatic Updates. Windows Security Center can generate alerts if the firewall, antivirus software, or Automatic Updates feature is not enabled, and also if certain major configuration settings are insecure, such as not setting antivirus software to perform real-time scanning, and not setting Automatic Updates to download and install updates automatically. Windows Security Center can monitor several types of third-party firewall and antivirus software. Windows Security Center is most helpful in SOHO environments, so that users can monitor the security state of their systems. In an enterprise environment, systems might be updated through methods other than Automatic Updates, and the status of systems’ firewalls and antivirus software might already be monitored centrally.
4.5 Summary of Recommendations
- Use the recommendations presented in this guide only on new Windows XP systems, not systems upgraded from previous versions of Windows. For upgraded systems, some of the advice in this guide may be inappropriate and could cause problems.
- Have sound configuration management policies that govern changes made to operating systems and applications, such as applying patches and modifying configuration settings.
- Until a new system has been fully installed and patched, either keep it disconnected from all networks, or connect it to an isolated, strongly protected network.
- Use NTFS for each hard drive partition unless there is a particular need to use another type of filesystem.
- Disable all network clients, services, and protocols that are not required.
- Assign strong passwords to the built-in Administrator account and the user account created during installation.
- Keep systems up to current patch levels to eliminate known vulnerabilities and weaknesses.
- Use MBSA or other similar utilities on a regular basis to identify patch status issues.
5. Overview of the Windows XP Security Policy Configuration and Templates
This section provides an introduction to the concept of Windows XP security templates and describes how the NIST Windows XP security templates were developed. It then provides guidance on how organizations can view, modify, and apply security templates to individual Windows XP systems or to all Windows XP systems within one or more Active Directory Organizational Units (OU). Windows XP also provides a mechanism for comparing the settings in a security template to the current settings on a system; this can be used to identify potential security issues, as well as organization-specific characteristics that may need to be incorporated into the templates.
NIST provides Group Policy Objects (GPO), not templates, for the FDCC specification. See http://fdcc.nist.gov/ for more information on the FDCC GPOs and how to test, modify, and apply them.
5.1 Windows XP Security Templates
In Windows XP, a security template is a text-based file that contains values for security-relevant system settings, thus representing a particular security configuration. Templates can be created and updated using the Security Templates Microsoft Management Console (MMC) snap-in. Templates may be applied to a local computer or imported to a Group Policy Object or Group Policy Management Console, which facilitates the rapid deployment of security settings across a Windows XP environment. Templates may also be applied through various commercial change and configuration management tools. The Security Configuration and Analysis MMC snap-in can be used to apply templates to a system and to compare the values within a template to existing settings on a system to analyze the system’s security posture.
Windows XP ships with several predefined security templates. Although these templates are included in Windows XP, NIST does not recommend their use. Microsoft intended for the default templates to be used as the basis for creating organization-specific templates. Several organizations have developed and published their own templates, typically geared toward specific system purposes. Examples include the templates included with the Microsoft Windows XP Security Guide and the templates from the National Security Agency (NSA). As part of the development of this document, NIST has also compiled a set of templates. The NIST template for SSLF environments represents the consensus settings from several organizations, including DISA, Microsoft, NIST, NSA, and the United States Air Force (USAF); the other NIST templates are based on Microsoft’s templates and recommendations. They represent the baseline recommended settings advocated by DISA, NSA, NIST, Microsoft, and other security experts. The NIST templates have been customized and fully documented for use on Windows XP workstations in SOHO, enterprise, SSLF, and legacy environments. Use caution when applying any of the NIST templates, and if necessary, modify them to conform to local security policy and document all modifications. To view and modify the NIST template settings, perform the following steps:
1. To use the NIST templates supplied with this document, copy them into the %SystemRoot%\Security\Templates folder through Explorer.
2. Start the MMC by using the Start menu Run command, and opening mmc.exe.
3. Click on File, then Add/Remove Snap-in. Click on Add, highlight the Security Templates snap-in and click on Add. Click on Close, then click on OK. When completed, save the console in the Administrative Tools folder for future use.
4. Use the Security Templates snap-in to choose the template that will be applied to the workstation. Navigate through the security template settings and adjust settings as necessary to comply with local security policy. When all changes have been completed, right-click on the template name, choose Save As, and specify a new template name. (NIST recommends modifying copies of templates instead of the originals.) The saved template file can then be used on the local computer or other computers in the environment.
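The following PowerShell script is an added example, not part of the NIST guide or of the templates it supplies. It does from the command line what the Security Configuration and Analysis snap-in does interactively: it exports the live configuration as a template file with secedit.exe, runs an analysis database against a chosen template, and then, because a security template is plain INI-style text, parses both files and lists every template setting the machine does not match, section by section. The template name and working directory are placeholders; it assumes PowerShell 2.0 and an elevated session.

```powershell
# Added example, not part of the NIST guide: command-line template analysis with secedit.exe
# plus a direct comparison of template text against the machine's exported configuration.
# Assumptions: PowerShell 2.0, elevated session; template file name and work folder are placeholders.

$Template = Join-Path $env:SystemRoot 'Security\Templates\NIST-SSLF.inf'   # assumed template name
$Work     = 'C:\SecAudit'
if (-not (Test-Path $Work)) { New-Item -ItemType Directory -Path $Work | Out-Null }
$Current  = Join-Path $Work 'current.inf'
$Db       = Join-Path $Work 'analysis.sdb'

# 1. Snapshot the live security configuration in template format.
& secedit.exe /export /cfg $Current /quiet

# 2. Build an analysis database from the template and compare (changes nothing).
& secedit.exe /analyze /db $Db /cfg $Template /log (Join-Path $Work 'analyze.log') /quiet

# Parse a template: [Section] headers followed by Name = Value lines; ';' starts a comment.
function Read-SecurityTemplate([string]$Path) {
    $sections = @{}; $name = ''
    foreach ($line in Get-Content -Path $Path) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $name = $matches[1]; $sections[$name] = @{}; continue }
        $i = $line.IndexOf('=')   # registry value names contain '\' and ',' but no '='
        if ($i -gt 0 -and $name) {
            $sections[$name][$line.Substring(0, $i).Trim()] = $line.Substring($i + 1).Trim()
        }
    }
    return $sections
}

# 3. Every setting the template defines whose value differs from (or is absent on) the system.
function Compare-SecurityTemplate([string]$TemplatePath, [string]$CurrentPath) {
    $want = Read-SecurityTemplate $TemplatePath
    $have = Read-SecurityTemplate $CurrentPath
    foreach ($sec in ($want.Keys | Sort-Object)) {
        if ($sec -eq 'Unicode' -or $sec -eq 'Version') { continue }   # file header sections
        foreach ($key in ($want[$sec].Keys | Sort-Object)) {
            $expected = $want[$sec][$key]
            $actual = if ($have.ContainsKey($sec)) { $have[$sec][$key] } else { $null }
            if ($actual -ne $expected) {
                New-Object PSObject -Property @{ Section = $sec; Setting = $key;
                                                 Template = $expected; System = $actual }
            }
        }
    }
}

Compare-SecurityTemplate $Template $Current |
    Select-Object Section, Setting, Template, System | Format-Table -AutoSize

# 4. Only after the differences have been reviewed and the template adjusted:
# & secedit.exe /configure /db $Db /cfg $Template /overwrite /log (Join-Path $Work 'configure.log') /quiet
```

The `/export` file is the machine's own answer to "what is set now", so the comparison reports a template entry that is missing on the system as a mismatch with an empty System column, which corresponds to a Not Defined entry in the snap-in. Values under [Privilege Rights] are lists of SIDs whose order is not significant, so an entry there that differs only in order is a false positive of this simple string comparison; the secedit analysis log is authoritative for those. The `/configure` line is left commented out because applying a template is the step that should happen only after review and, in a managed environment, through the change control process.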
5.2 Analysis and Configuration
As mentioned previously, the Security Configuration and Analysis snap-in can be used to compare the current security settings of the local workstation to the settings in a template before the template is applied. This enables system administrators to examine and adjust the changes the security template will make to the computer’s settings. To use the Security Configuration and Analysis snap-in to compare and apply security settings on a local Windows XP system, perform th