HARDENING WINDOWS XP: YOUR DEFINITIVE LOCKDOWN GUIDE

WHAT IS A SERVICE PATCH?

This presentation examines the following items and how to lock them down step by step. This will enable your XP system to be lean, mean and ready to do battle with attackers of all types.

Windows XP Professional Configuration Checklist Details

1. Verify that all disk partitions are formatted with NTFS
2. Change Logging Settings
3. Disable Indexing Service
4. Protect file shares
5. Disable fast User Switching
6. Use software restriction policies
7. Disable unnecessary services
8. Keep up-to-date on the latest security updates
9. Use Security Baseline Analyzer

BEST PRACTICE #1: DISK PARTITIONS ARE FORMATTED WITH NTFS

Many older XP workstations still use the older, less secure FAT, FAT32, or FAT32x file systems. The enhanced NTFS file system offers greater access controls and protections that aren't available with the FAT, FAT32, or FAT32x file systems. Make sure that all partitions on your computer are formatted using NTFS. If necessary, use the “Convert Utility” to non-destructively convert your FAT partitions to NTFS. Before running this utility always make a backup of critical data, but that should go without saying!

BEST PRACTICE #2: CHANGE SYSTEM LOGGING SETTINGS

By default, system logging does not provide for extensive logging activity. To change the system logging, follow these steps:

1. Open Event Viewer.
2. In the console tree, click the log you want to change.
3. On the Action menu, click Properties.
4. On the General tab, in Maximum log size, specify the new log size in kilobytes.

Change log sizes:

5. Application: 81920, overwrite as needed
6. Security: 81920, overwrite as needed
7. System: 81920, overwrite as needed
8. To put the new setting into effect, click Clear Log.
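
Added example (not part of the original presentation): a read-only batch audit for Best Practices #1 and #2. It assumes an administrator command prompt and English-language fsutil output; the registry stores the log size in bytes, so the guide's 81920 KB appears as 0x5000000.

```batch
@echo off
rem Added example, not from the original presentation: read-only audit of
rem checklist items 1 and 2. Run from an administrator command prompt.
rem Assumes English-language fsutil output.
setlocal

echo == Item 1: file system on each fixed drive ==
for %%d in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do call :checkdrive %%d

echo.
echo == Item 2: event log size and overwrite policy ==
rem The guide's 81920 KB is stored in bytes: 81920 * 1024 = 0x5000000.
rem Retention 0x0 corresponds to "overwrite as needed".
for %%l in (Application Security System) do call :checklog %%l
endlocal
goto :eof

:checkdrive
rem Skip drive letters that are not fixed disks (CD-ROM, removable, unused).
fsutil fsinfo drivetype %1: | findstr /C:"Fixed" >nul || goto :eof
fsutil fsinfo volumeinfo %1:\ | findstr /C:"File System Name" | findstr /C:"NTFS" >nul
if errorlevel 1 (
  echo   %1:  NOT NTFS - back up, then run: convert %1: /FS:NTFS
) else (
  echo   %1:  NTFS
)
goto :eof

:checklog
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\%1"
set "SIZE=missing"
set "RET=missing"
for /f "tokens=3" %%v in ('reg query "%KEY%" /v MaxSize 2^>nul ^| findstr /i "MaxSize"') do set "SIZE=%%v"
for /f "tokens=3" %%v in ('reg query "%KEY%" /v Retention 2^>nul ^| findstr /i "Retention"') do set "RET=%%v"
set "VERDICT=matches guide"
if /i not "%SIZE%"=="0x5000000" set "VERDICT=differs from guide"
if /i not "%RET%"=="0x0" set "VERDICT=differs from guide"
echo   %1: MaxSize=%SIZE% Retention=%RET% - %VERDICT%
goto :eof
```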

BEST PRACTICE #3: DISABLE INDEXING SERVICE

Indexing Service is a base service for Microsoft Windows operating systems that extracts content from files and constructs an indexed catalog to facilitate efficient and rapid searching. Indexing Service can extract both text and property information from files on the local host and on remote, networked hosts. The files can be simply members of a selected file system or part of a virtual Web hosted by, for example, Internet Information Services (IIS). The index server has been a major vulnerability of the XP operating systems. It is recommended to turn off this service unless otherwise needed.

To disable the Indexing Service, perform the following steps:

1. In the "Start" menu, choose "Run."
2. Type "services.msc" and press Enter.
3. Scroll down to "Indexing Service" and double-click it.
4. If the service status is "Running", then stop it by pressing the "Stop" button.
5. To make sure this service doesn't run again, under "Startup Type:", choose "Disabled."
6. Windows search will still work if you perform these steps, but it will work more slowly than if indexing was enabled.

BEST PRACTICE #4: PROTECT FILE SHARES

By default, Windows XP Professional systems that are not connected to a domain use a network access model called "Simple File Sharing," where all attempts to log on to the computer from across the network will be forced to use the Guest account. This means that network access as well as Remote Procedure Calls (RPCs) will only be available to the Guest account. This can be a big vulnerability and has been exploited by some of the most widely used attack tools targeting the Windows XP OS.

1. To change it, go to: Start => Programs => Accessories => Windows Explorer and drop down the Tools menu and select ‘Folder Options’.

BEST PRACTICE #5: DISABLE FAST-USER SWITCHING

When multiple users share a computer, logging off and logging on to the computer in order to switch users can become tiresome. Fast User Switching is a feature that makes it possible for you to quickly switch between users without actually logging off from the computer. Multiple users can share a computer and use it simultaneously, switching back and forth without closing the programs they are running. However, if you are not sharing computers, this feature should be disabled.

To disable fast-user switching:

1. Go to Control Panel > User Accounts
2. Select “change the way users log in and out”
3. Turn off the option “Use Fast User Switching”
4. Apply Changes

BEST PRACTICE #6: USE SOFTWARE RESTRICTION POLICIES

Software restriction policies provide administrators with a policy-driven mechanism that identifies software running in their domain and controls the ability of that software to run. Using a software restriction policy, an administrator can prevent unwanted programs from running; this includes viruses and Trojan horses, or other software that is known to cause conflicts when installed. Software restriction policies can be used on a standalone computer by configuring the local security policy. Software restriction policies also integrate with Group Policy and Active Directory.

BEST PRACTICE #7: DISABLE UNNECESSARY SERVICES

Hardening Windows XP includes turning off any network services not required for normal operations. In particular, you should consider whether your computer needs any IIS Web services. By default, IIS is not installed as part of Windows XP and should only be installed if its services are specifically required. If you don’t need them, disable the following services ASAP:

1. Telnet
2. Universal Plug and Play Device Host
3. IIS (not installed by default)
4. NetMeeting Remote Desktop Sharing
5. Remote Desktop Help Session Manager
6. Remote Registry
7. Routing & Remote Access
8. SSDP Discovery Service

It is also recommended that the Server service and Computer Browser be eliminated if you are on a stand-alone machine connected to the Internet. There is no practical use for them and they leave you exposed.

Best Practice #9: Keep up-to-date on the Latest Security Updates

The Auto Update feature in Windows XP can automatically detect and download the latest security fixes from Microsoft. Auto Update can be configured to automatically download fixes in the background and then prompt the user to install them once the download is complete. To configure Auto Update, click System in Control Panel and select the Automatic Updates tab. Choose the first notification setting to download the updates automatically and receive notification when they are ready to be installed.

WHAT IS A PRODUCT FAMILY?

A product family is a collection of products that have a related purpose. For instance, the Microsoft Windows® product family includes all Windows operating systems, such as Windows 3.11, Windows 95, and Windows 2000.

A product is one member of a product family. For instance, Microsoft Windows NT® is a product in the Windows family.

A version is an instance of a product. For instance, Windows NT 3.5, Windows NT 4.0, and Windows 2000 are different versions of the Windows NT product.

SERVICE PACK VERSUS PATCHES

A service pack is a periodic update that corrects problems in one version of a product. For instance, there have been six service packs for Windows NT 4.0. Some Microsoft products use the term service release rather than service pack, but the terms mean the same thing.

A patch is an update that occurs between service packs. A patch is sometimes also referred to as a hotfix.

Note: Most patches are built to correct security vulnerabilities, but we also build patches to correct critical stability or performance issues. In this article, though, we'll only discuss security patches.

http://technet.microsoft.com/en-us/library/cc723502.aspx

WINDOWS UPDATE UTILITY - WINDOWS 7

Click Start > Control Panel > Windows Update

VIEW UPDATE INFORMATION - WINDOWS 7

From the Windows Update window, click on a link to view additional information on that update. The 1 important update was selected in this example.

Review the Update History

From the Windows Update window, select View Update History.

Frequently Asked Questions

From the Windows Update window, select Updates: frequently asked questions to find out more information.

Settings for Automatic Updates

From the Windows Update window, select Change Settings.

Running Microsoft Baseline Security Analyzer

Sample Scan

Additional System Information

• Links provide more information for a particular issue
• Report can be printed for documentation
• Report can be copied to clipboard

Administrative Vulnerabilities

Links are provided as to what was scanned, the result details, and instructions on how to correct an issue.
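
Added example (not part of the original presentation): a read-only batch check of the services named in Best Practices #3 and #7, useful for documenting the result alongside a scan report. The short service names are the Windows XP names assumed here for the display names on the slides; the script changes nothing.

```batch
@echo off
rem Added example, not from the original presentation. Read-only audit of the
rem services named in Best Practices #3 and #7. The short names below are the
rem Windows XP service names for the display names listed on the slides
rem (IIS is checked as W3SVC and IISADMIN).
rem To remediate a finding by hand: sc stop NAME, then sc config NAME start= disabled
setlocal
set FAIL=0
for %%s in (cisvc TlntSvr upnphost W3SVC IISADMIN mnmsrvc RDSessMgr RemoteRegistry RemoteAccess SSDPSRV) do call :check %%s

rem Server and Computer Browser: the guide removes these only on a
rem stand-alone machine, so they are reported but not counted.
echo.
echo Stand-alone machines only:
for %%s in (lanmanserver Browser) do call :check %%s info

echo.
if %FAIL%==0 echo RESULT: every listed service is disabled or not installed
if not %FAIL%==0 echo RESULT: %FAIL% listed service entries are still enabled
endlocal
goto :eof

:check
rem sc qc prints "START_TYPE : 4   DISABLED"; sc query prints "STATE : 4  RUNNING".
rem The fourth token of each line is the readable value.
set "START=NOT_INSTALLED"
set "STATE=-"
for /f "tokens=4" %%t in ('sc qc %1 2^>nul ^| findstr /C:"START_TYPE"') do set "START=%%t"
for /f "tokens=4" %%t in ('sc query %1 2^>nul ^| findstr /C:"STATE"') do set "STATE=%%t"
echo   %1: start=%START% state=%STATE%
if "%2"=="info" goto :eof
if "%START%"=="NOT_INSTALLED" goto :eof
if not "%START%"=="DISABLED" set /a FAIL+=1
goto :eof
```

A service reported as start=DISABLED with state=RUNNING has been disabled but not yet stopped.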