Jun 11, 2008

Windows XP Security Guide

Administrative Templates for Windows XP

Overview

This chapter describes in detail how to configure and apply additional security settings to Microsoft® Windows® XP Professional with Service Pack 2 (SP2) by using Administrative Templates. Administrative Template (.adm) files are used to configure settings in the Windows XP registry that govern the behavior of many services, applications, and operating system components.

Five of the Administrative Templates that ship with Windows XP SP2 include hundreds of additional settings that you can use to improve the security of Windows XP Professional. There are several settings in the Microsoft Windows Server™ 2003 Administrative Templates that do not work with Windows XP. For a complete listing of all the Administrative Template settings that are available with Windows XP, see the Microsoft Excel® workbook "Policy Settings" that is referenced in the “More Information” section at the end of this chapter.

The following table lists the .adm files and the applications and services that they affect.

Table 4.1 Administrative Template Files

File name     | Operating system        | Description
System.adm    | Windows XP Professional | Contains many settings to customize the user’s operating environment.
Inetres.adm   | Windows XP Professional | Contains settings for Internet Explorer 6.0.
Conf.adm      | Windows XP Professional | Contains settings to configure Microsoft NetMeeting®.
Wmplayer.adm  | Windows XP Professional | Contains settings to configure Windows Media Player.
Wuau.adm      | Windows XP Professional | Contains settings to configure Windows Update.

Note: You must manually configure the Administrative Template settings in the Group Policy object (GPO) to apply them to the computers and users in your environment.

There are two major groups of settings in the Administrative Templates:

Computer Configuration settings (stored in the HKEY_LOCAL_MACHINE registry hive)

User Configuration settings (stored in the HKEY_CURRENT_USER registry hive)

As in Chapter 3, "Security Settings for Windows XP Clients," setting prescriptions are included for the Enterprise Client (EC) and Specialized Security – Limited Functionality (SSLF) environments that are defined in this guide.

Note: The user settings are applied to an organizational unit (OU) that contains users through a linked GPO. See Chapter 2, "Configuring the Active Directory Domain Infrastructure," for additional details about this OU.

Some settings are available under both Computer Configuration and User Configuration in the Group Policy Object Editor. When a user to whom a User Configuration setting applies logs on to a computer that has had the same setting applied through Computer Configuration, the Computer Configuration setting takes precedence over the User Configuration setting.

Previous versions of this guide contained information about settings for Office XP. However, these settings have now been updated for Office 2003 and are available on the Microsoft Web site. See the "More Information" section at the end of this chapter for links to this information.

This chapter does not describe all possible settings that are available in the Administrative Templates provided by Microsoft; many of these settings are user interface (UI) settings that are not specific to security. Decisions about which of the prescribed setting configurations in this guidance apply to your environment should be based on the security goals of your organization.

If there are additional settings you want to apply through Group Policy to Windows XP Professional, you can develop your own custom templates. See the white papers listed in the “More Information” section at the end of this chapter for detailed information about how to develop your own Administrative Templates.

Computer Configuration Settings

The following sections discuss the settings that are prescribed under Computer Configuration in the Group Policy Object Editor. Configure these settings at the following location:

Computer Configuration\Administrative Templates

This location is shown in context in the following figure:

Figure 4.1 Group Policy structure for Computer Configuration

The structure of this chapter is based on the container structure in Group Policy. Tables in the following sections summarize setting recommendations for various Computer Configuration options, and recommendations are provided for both desktop and laptop client computers in two types of secure environments—the Enterprise Client (EC) environment and the Specialized Security – Limited Functionality (SSLF) environment. More detailed information about each of the settings is provided in the subsections that follow each table.

Apply these settings through a GPO that is linked to an OU that contains the computer accounts in your environment. Include the laptop settings in the GPO that is linked to the laptop OU, and the desktop settings in the GPO that is linked to the desktop OU.

Windows Components

The following figure illustrates the sections in Group Policy that will be affected by the setting changes in this section:

Figure 4.2 Group Policy structure for Computer Configuration Windows Components

NetMeeting

Microsoft NetMeeting allows users to conduct virtual meetings across the network in your organization. The prescribed computer setting below is configured at the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\
NetMeeting

Table 4.2 Recommended NetMeeting Settings

Setting                        | EC desktop     | EC laptop      | SSLF desktop | SSLF laptop
Disable remote Desktop Sharing | Not Configured | Not Configured | Enabled      | Enabled

Disable remote Desktop Sharing

This policy setting disables the remote desktop sharing feature of NetMeeting. If you enable this policy setting, users will not be able to configure NetMeeting to allow remote control of the local desktop.

The Disable remote Desktop Sharing setting is Not Configured for the EC environment. However, it is configured to Enabled for the SSLF environment to prevent users from sharing desktops remotely through NetMeeting.

Internet Explorer

Microsoft Internet Explorer Group Policies help you enforce security requirements for Windows XP workstations, and prevent the exchange of unwanted content through Internet Explorer. Use the following criteria to secure Internet Explorer on the workstations in your environment:

Ensure that requests to the Internet only occur in direct response to user actions.

Ensure that information sent to specific Web sites only reaches those sites unless specific user actions are allowed to transmit information to other destinations.

Ensure that trusted channels to servers/sites are clearly identified along with who owns the servers/sites on each channel.

Ensure that any script or program that runs with Internet Explorer executes in a restricted environment. Programs that are delivered through trusted channels may be enabled to operate outside of the restricted environment.

The prescribed computer settings for Internet Explorer below are configured at the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer

The following table summarizes many of the Internet Explorer setting recommendations. Additional information about each setting is provided in the subsections that follow the table.

Table 4.3 Recommended Internet Explorer Settings

Setting                                                        | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Disable Automatic Install of Internet Explorer components      | Enabled    | Enabled   | Enabled      | Enabled
Disable Periodic Check for Internet Explorer software updates  | Enabled    | Enabled   | Enabled      | Enabled
Disable software update shell notifications on program launch  | Enabled    | Enabled   | Enabled      | Enabled
Do not allow users to enable or disable add-ons                | Enabled    | Enabled   | Enabled      | Enabled
Make proxy settings per-machine (rather than per-user)         | Enabled    | Disabled  | Enabled      | Disabled
Security Zones: Do not allow users to add/delete sites         | Enabled    | Enabled   | Enabled      | Enabled
Security Zones: Do not allow users to change policies          | Enabled    | Enabled   | Enabled      | Enabled
Security Zones: Use only machine settings                      | Enabled    | Enabled   | Enabled      | Enabled
Turn off Crash Detection                                       | Enabled    | Enabled   | Enabled      | Enabled

Disable Automatic Install of Internet Explorer components

If you enable this policy setting, Internet Explorer will not be able to download components when users browse to Web sites that require the components to fully function. If this policy setting is disabled or not configured, users will be prompted to download and install components each time they visit Web sites that use them.

The Disable Automatic Install of Internet Explorer components setting is configured to Enabled for the two environments that are discussed in the chapter.

Note: Before you enable this policy setting, Microsoft recommends that you set up an alternative strategy to update Internet Explorer through Microsoft Update or a similar service.

Disable Periodic Check for Internet Explorer software updates

If you enable this policy setting, Internet Explorer will not be able to determine whether a later browser version is available and notify users if this is the case. If this policy setting is disabled or not configured, Internet Explorer will check for updates every 30 days (its default setting) and notify users if a new version is available.

The Disable Periodic Check for Internet Explorer software updates setting is configured to Enabled for the two environments that are discussed in this chapter.

Note: Before you enable this policy setting, Microsoft recommends that you set up an alternative strategy for the administrators in your organization to ensure that they periodically accept new updates for Internet Explorer on the client computers in your environment.

Disable software update shell notifications on program launch

This policy setting specifies that programs that use Microsoft software distribution channels will not notify users when they install new components. Software distribution channels are used to update software dynamically on users’ computers; this functionality is based on Open Software Description (.osd) technologies.

The Disable software update shell notifications on program launch setting is configured to Enabled for the two environments that are discussed in this chapter.

Do not allow users to enable or disable add-ons

This policy setting allows you to manage whether users have the ability to allow or deny add-ons through Manage Add-ons. If you configure this policy setting to Enabled, users cannot enable or disable add-ons through Manage Add-ons. The only exception is if an add-on has been specifically entered into the Add-On List policy setting in a way that allows users to continue to manage the add-on. In such a case, the user can still manage the add-on through Manage Add-ons. If you configure this policy setting to Disabled, the user will be able to enable or disable add-ons.

Note: For more information about how to manage Internet Explorer add-ons in Windows XP with SP2, see KB article 883256, "How to manage Internet Explorer add-ons in Windows XP Service Pack 2" at http://support.microsoft.com/?kbid=883256.

Users often choose to install add-ons that are not permitted by an organization's security policy. Such add-ons can pose a significant security and privacy risk to your network. Therefore, this policy setting is configured to Enabled for the two environments that are discussed in this guide.

Note: You should review the GPO settings in Internet Explorer\Security Features\Add-on Management to ensure that appropriate authorized add-ons can still run in your environment. For example, you may want to read the Microsoft Knowledge Base article “Outlook Web Access and Small Business Server Remote Web Workplace do not function if XP Service Pack 2 Add-on Blocking is enabled via group policy” at http://support.microsoft.com/default.aspx?kbid=555235.

Make proxy settings per-machine (rather than per-user)

If you enable this policy setting, users cannot set user-specific proxy settings; the proxy settings that are defined for all users of the computer apply to every user who logs on to it.

The Make proxy settings per-machine (rather than per-user) setting is configured to Enabled for desktop client computers for the two environments that are discussed in this chapter. However, the policy setting is configured to Disabled for laptop client computers because mobile users may have to change their proxy settings as they travel.

Security Zones: Do not allow users to add/delete sites

Enable this policy setting to disable the site management settings for security zones. (To see the site management settings for security zones, open Internet Explorer, select Tools and then Internet Options, click the Security tab, and then click Sites.) If this policy setting is disabled or not configured, users will be able to add or remove Web sites in the Trusted Sites and Restricted Sites zones, as well as alter settings in the Local Intranet zone.

The Security Zones: Do not allow users to add/delete sites setting is configured to Enabled for the two environments that are discussed in this chapter.

Note: If you enable the Disable the Security page setting (located in User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), the Security tab is removed from the interface and that setting takes precedence over this Security Zones setting.

Security Zones: Do not allow users to change policies

If you enable this policy setting, the Custom Level button and the Security level for this zone slider on the Security tab in the Internet Options dialog box are disabled, which prevents users from changing the security zone policy settings that the administrator has established. If this policy setting is disabled or not configured, users will be able to change the settings for security zones.

The Security Zones: Do not allow users to change policies setting is configured to Enabled for the two environments that are discussed in this chapter.

Note: If you enable the Disable the Security page setting (located in User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), the Security tab is removed from Internet Options in Control Panel and that setting takes precedence over this Security Zones setting.

Security Zones: Use only machine settings

This policy setting affects how security zone changes apply to different users. It is intended to ensure that security zone settings remain uniformly in effect on the same computer and do not vary from user to user. If you enable this policy setting, changes that one user makes to a security zone will apply to all users of that computer. If this policy setting is disabled or not configured, users of the same computer are allowed to establish their own security zone settings.

The Security Zones: Use only machine settings setting is configured to Enabled for the two environments that are discussed in this chapter.

Turn off Crash Detection

This policy setting allows you to manage the crash detection feature of add-on management in Internet Explorer. If you enable this policy setting, a crash in Internet Explorer will be similar to one on a computer that runs Windows XP Professional with Service Pack 1 (SP1) or earlier: Windows Error Reporting will be invoked. If you disable this policy setting, the crash detection feature in add-on management will be functional.

Because Internet Explorer crash report information could contain sensitive information from the computer's memory, the Turn off Crash Detection setting is configured to Enabled for both of the two environments that are discussed in this chapter. If you experience frequent repeated crashes and need to report them for follow-up troubleshooting, you could temporarily configure the policy setting to Disabled.

Internet Explorer\Internet Control Panel\Security Page

You can configure these computer settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page

SP2 introduced several new policy settings to help you secure Internet Explorer zone configuration across your environment. The default values for these settings provide enhanced security compared to earlier versions of Windows. However, you might want to review these settings to determine whether you want to require them or relax them in your environment for usability or application compatibility.

For example, SP2 configures Internet Explorer to block pop-ups for all Internet zones by default. You might want to ensure that this policy setting is enforced on all computers in your environment to eliminate pop-up windows and to reduce the possibility of malicious software and spyware installations that are often spawned from Internet Web sites. Conversely, your environment might contain applications that require the use of pop-ups to function. If so, you could configure this policy to allow pop-ups for Web sites within your intranet.

Internet Explorer\Internet Control Panel\Advanced Page

The prescribed computer setting below is configured at the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page

Table 4.4 Recommended Allow Software to Run Settings

Setting                                                           | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Allow software to run or install even if the signature is invalid | Disabled   | Disabled  | Disabled     | Disabled

Allow software to run or install even if the signature is invalid

Microsoft ActiveX® controls and file downloads often have digital signatures attached that certify the file's integrity and the identity of the signer (creator) of the software. Such signatures help ensure that unmodified software is downloaded and that you can positively identify the signer to determine whether you trust them enough to run their software.

The Allow software to run or install even if the signature is invalid setting allows you to manage whether downloaded software can be installed or run by users even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file. If you enable this policy setting, users will be prompted to install or run files with an invalid signature. If you disable this policy setting, users cannot run or install files with an invalid signature.

Because software whose signature fails to validate may have been tampered with, this policy setting is configured to Disabled for both of the environments that are discussed in this chapter.

Note: Some legitimate software and controls may have an invalid signature and still be OK. You should carefully test such software in isolation before you allow it to be used on your organization's network.

Internet Explorer\Security Features\MK Protocol Security Restriction

The prescribed computer setting below is configured at the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\MK Protocol Security Restriction

Table 4.5 Recommended MK Protocol Settings

Setting                                   | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Internet Explorer Processes (MK Protocol) | Enabled    | Enabled   | Enabled      | Enabled

Internet Explorer Processes (MK Protocol)

This policy setting reduces attack surface area because it blocks the seldom-used MK protocol. Some older Web applications use the MK protocol to retrieve information from compressed files. If you configure this policy setting to Enabled, the MK protocol is blocked for Windows Explorer and Internet Explorer, which causes resources that use the MK protocol to fail. If you disable this policy setting, other applications are allowed to use the MK protocol API.

Because the MK protocol is not widely used, it should be blocked wherever it is not needed. This policy setting is configured to Enabled for both of the environments that are discussed in this chapter. Microsoft recommends that you block the MK protocol unless you specifically need it in your environment.

Note: Because resources that use the MK protocol will fail when you deploy this policy setting, you should ensure that none of your applications use the protocol.

Internet Explorer\Security Features\Consistent MIME Handling

The prescribed computer setting below is configured at the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Consistent MIME Handling

Table 4.6 Recommended Consistent MIME Handling Settings

Setting                                                | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Internet Explorer Processes (Consistent MIME Handling) | Enabled    | Enabled   | Enabled      | Enabled

Internet Explorer Processes (Consistent MIME Handling)

Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files that are received through a Web server. The Consistent MIME Handling setting determines whether Internet Explorer requires that all file type information that is provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME data indicates that the file is really an executable file, Internet Explorer changes its extension to reflect this executable status. This capability helps ensure that executable code cannot masquerade as other types of data that may be trusted.

If you enable this policy setting, Internet Explorer examines all received files and enforces consistent MIME data for them. If you disable or do not configure this policy setting, Internet Explorer does not require consistent MIME data for all received files and will use the MIME data that is provided by the file.

MIME file type spoofing is a potential threat to your organization. You should ensure that these files are consistent and properly labeled to help prevent malicious file downloads that may infect your network. This policy setting is configured to Enabled for both of the environments that are discussed in this chapter.

Note: This policy setting works in conjunction with, but does not replace, the MIME Sniffing Safety Features settings.

Internet Explorer\Security Features\MIME Sniffing Safety Features

The prescribed computer setting below is configured at the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\MIME Sniffing Safety Features

Table 4.7 Recommended MIME Sniffing Settings

Setting                                     | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Internet Explorer Processes (MIME Sniffing) | Enabled    | Enabled   | Enabled      | Enabled

Internet Explorer Processes (MIME Sniffing)

MIME sniffing is a process that examines the content of a MIME file to determine its context—whether it is a data file, an executable file, or some other type of file. This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. When set to Enabled, MIME sniffing will never promote a file of one type to a more dangerous file type. If you disable this policy setting, MIME sniffing configures Internet Explorer processes to allow promotion of a file from one type to a more dangerous file type. For example, a text file could be promoted to an executable file, which is dangerous because any code in the supposed text file would be executed.

MIME file-type spoofing is a potential threat to your organization. Microsoft recommends that you ensure these files are consistently handled to help prevent malicious file downloads that may infect your network.

The Internet Explorer Processes (MIME Sniffing) setting is configured to Enabled for both of the environments that are discussed in this chapter.

Note: This policy setting works in conjunction with, but does not replace, the Consistent MIME Handling settings.

Internet Explorer\Security Features\Scripted Window Security Restrictions

The prescribed computer setting below is configured at the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Scripted Window Security Restrictions

Table 4.8 Recommended Scripted Window Restrictions Settings

Setting                                                             | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Internet Explorer Processes (Scripted Window Security Restrictions) | Enabled    | Enabled   | Enabled      | Enabled

Internet Explorer Processes (Scripted Window Security Restrictions)

Internet Explorer allows scripts to programmatically open, resize, and reposition various types of windows. Often, disreputable Web sites will resize windows to either hide other windows or force you to interact with a window that contains malicious code.

The Internet Explorer Processes (Scripted Window Security Restrictions) setting restricts pop-up windows and does not allow scripts to display windows in which the title and status bars are not visible to the user or that hide other windows’ title and status bars. If you enable this policy setting, pop-up windows will not display in Windows Explorer and Internet Explorer processes. If you disable or do not configure this policy setting, scripts will still be able to create pop-up windows and windows that hide other windows.

The Internet Explorer Processes (Scripted Window Security Restrictions) setting is configured to Enabled for both of the environments that are discussed in this chapter. When enabled, this policy setting makes it difficult for malicious Web sites to control your Internet Explorer windows or fool users into clicking on the wrong window.

Internet Explorer\Security Features\Protection From Zone Elevation

The prescribed computer setting below is configured at the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation

Table 4.9 Recommended Zone Elevation Protection Settings

Setting                                                 | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Internet Explorer Processes (Zone Elevation Protection) | Enabled    | Enabled   | Enabled      | Enabled

Internet Explorer Processes (Zone Elevation Protection)

Internet Explorer places restrictions on each Web page that it opens. These restrictions are dependent upon the location of the Web page (such as Internet zone, Intranet zone, or Local Machine zone). Web pages on a local computer have the fewest security restrictions and reside in the Local Machine zone, which makes the Local Machine security zone a prime target for malicious attackers.

If you enable the Internet Explorer Processes (Zone Elevation Protection) setting, any zone can be protected from zone elevation by Internet Explorer processes. This approach prevents content that runs in one zone from gaining the elevated privileges of another zone. If you disable this policy setting, no zone receives such protection for Internet Explorer processes.

Because of the severity and relative frequency of zone elevation attacks, the Internet Explorer Processes (Zone Elevation Protection) setting is configured to Enabled for both of the environments that are discussed in this chapter.

Internet Explorer\Security Features\Restrict ActiveX Install

The prescribed computer setting below is configured at the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install

Table 4.10 Restrict ActiveX Install Settings

Setting                                                 | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Internet Explorer Processes (Restrict ActiveX Install)  | Enabled    | Enabled   | Enabled      | Enabled

Internet Explorer Processes (Restrict ActiveX Install)

This policy setting provides the ability to block ActiveX control installation prompts for Internet Explorer processes. If you enable this policy setting, prompts for ActiveX control installations will be blocked for Internet Explorer processes. If you disable this policy setting, prompts for ActiveX control installations will not be blocked and these prompts will be displayed to users.

Users often choose to install software such as ActiveX controls that are not permitted by their organization’s security policy. Such software can pose significant security and privacy risks to networks. Therefore, the Internet Explorer Processes (Restrict ActiveX Install) setting is configured to Enabled for both of the environments that are discussed in this chapter.

Note: This policy setting also blocks users from installing authorized, legitimate ActiveX controls, which interferes with important system components such as Windows Update. If you enable this policy setting, make sure to implement an alternate way to deploy security updates, such as Windows Server Update Services (WSUS). For more information about WSUS, see the Windows Server Update Services Product Overview page at http://www.microsoft.com/windowsserversystem/updateservices/evaluation/overview.mspx.

Internet Explorer\Security Features\Restrict File Download

The prescribed computer setting below is configured at the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Restrict File Download

Table 4.11 Recommended Restrict File Download Settings

Setting                                               | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Internet Explorer Processes (Restrict File Download)  | Enabled    | Enabled   | Enabled      | Enabled

Internet Explorer Processes (Restrict File Download)

In certain circumstances, Web sites can initiate file download prompts without interaction from users. This technique can allow Web sites to put unauthorized files on users' hard drives if they click the wrong button and accept the download.

If you configure the Internet Explorer Processes (Restrict File Download) setting to Enabled, file download prompts that are not user-initiated are blocked for Internet Explorer processes. If you configure this policy setting to Disabled, file download prompts will occur that are not user-initiated for Internet Explorer processes.

The Internet Explorer Processes (Restrict File Download) setting is configured to Enabled for both of the environments that are discussed in this chapter to help prevent attackers from placing arbitrary code on users' computers.
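Because every setting in Table 4.3 and in the Security Features sections above ends up as a value in the machine policy hive, the quickest way to confirm that a client actually received the EC or SSLF baseline is to read those values back. The script below is an added example and is not part of the Security Guide or of the Inetres.adm template. The registry key and value names it checks are the author's understanding of where Inetres.adm writes these settings; treat them as assumptions and verify them against your copy of Inetres.adm, or against a test client after the GPO has applied, before relying on the report. Pass -Laptop when auditing a machine in the laptop OU, where Make proxy settings per-machine is Disabled rather than Enabled.

```powershell
# Added example, not from the Security Guide: audit a client's machine-policy
# registry keys against the EC/SSLF baseline for the Internet Explorer settings
# in Table 4.3 and the "Internet Explorer Processes" Security Features settings.
# ASSUMPTION: the key and value names below are the author's recollection of the
# Inetres.adm registry targets; verify them against your copy of Inetres.adm or
# against a test client with the GPO applied before relying on the results.

$policyBase   = 'HKLM:\SOFTWARE\Policies\Microsoft'
$inetSettings = "$policyBase\Windows\CurrentVersion\Internet Settings"
$featureBase  = "$policyBase\Internet Explorer\Main\FeatureControl"

function Get-ExpectedIEPolicy {
    param([switch]$Laptop)
    # Table 4.3: the three Security Zones settings are Enabled in every environment.
    # "Make proxy settings per-machine" is Enabled on desktops (ProxySettingsPerUser = 0)
    # and Disabled on laptops (ProxySettingsPerUser = 1) so mobile users can change proxies.
    $proxyPerUser = if ($Laptop) { 1 } else { 0 }
    $expected = @(
        @{ Key = $inetSettings; Name = 'Security_HKLM_only';      Value = 1 },
        @{ Key = $inetSettings; Name = 'Security_zones_map_edit'; Value = 1 },
        @{ Key = $inetSettings; Name = 'Security_options_edit';   Value = 1 },
        @{ Key = $inetSettings; Name = 'ProxySettingsPerUser';    Value = $proxyPerUser }
    )
    # Security Features: each "Internet Explorer Processes" setting writes the value "1"
    # for iexplore.exe and explorer.exe under its FEATURE_* key (assumed; see above).
    $features = 'FEATURE_DISABLE_MK_PROTOCOL', 'FEATURE_MIME_HANDLING', 'FEATURE_MIME_SNIFFING',
                'FEATURE_WINDOW_RESTRICTIONS', 'FEATURE_ZONE_ELEVATION',
                'FEATURE_RESTRICT_ACTIVEXINSTALL', 'FEATURE_RESTRICT_FILEDOWNLOAD'
    foreach ($feature in $features) {
        foreach ($process in 'iexplore.exe', 'explorer.exe') {
            $expected += @{ Key = "$featureBase\$feature"; Name = $process; Value = '1' }
        }
    }
    return $expected
}

function Test-IEPolicyBaseline {
    param([switch]$Laptop)
    $findings = @()
    foreach ($item in (Get-ExpectedIEPolicy -Laptop:$Laptop)) {
        $actual = $null
        if (Test-Path -Path $item.Key) {
            $props = Get-ItemProperty -Path $item.Key -ErrorAction SilentlyContinue
            if ($props -ne $null) { $actual = $props.($item.Name) }
        }
        # Compare as strings so a REG_DWORD 1 and a REG_SZ "1" are both accepted.
        if ($actual -eq $null) {
            $findings += "MISSING  $($item.Key)\$($item.Name)  expected $($item.Value)"
        } elseif ("$actual" -ne "$($item.Value)") {
            $findings += "MISMATCH $($item.Key)\$($item.Name) = $actual  expected $($item.Value)"
        }
    }
    return $findings
}

# Usage: run in an elevated PowerShell session on the client; add -Laptop for laptop clients.
$findings = @(Test-IEPolicyBaseline)
if ($findings.Count -eq 0) { 'All checked Internet Explorer policy settings match the baseline.' }
else { $findings }
```

A MISSING result for every key usually means the GPO has not applied at all (check gpresult or the Application event log for Group Policy errors); a single MISMATCH usually means a second GPO linked higher in the OU chain is overriding the value. Because these are policy keys rather than the preference keys under HKLM\SOFTWARE\Microsoft, an entry that is present but wrong is a policy conflict, not a user change.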

Internet Explorer\Security Features\Add-on Management

The prescribed computer settings below are configured at the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management

Table 4.12 Add-on Management Settings

Setting                                                         | EC desktop  | EC laptop   | SSLF desktop | SSLF laptop
Deny all add-ons unless specifically allowed in the Add-on List | Recommended | Recommended | Recommended  | Recommended
Add-on List                                                     | Recommended | Recommended | Recommended  | Recommended

Deny all add-ons unless specifically allowed in the Add-on List

This policy setting, along with the Add-on List setting, allows you to control Internet Explorer add-ons. By default, the Add-on List setting defines a list of add-ons to be allowed or denied through Group Policy. The Deny all add-ons unless specifically allowed in the Add-on List setting ensures that all add-ons are assumed to be denied unless they are specifically listed in the Add-on List setting.

If you enable this policy setting, Internet Explorer only allows add-ons that are specifically listed (and allowed) through the Add-on List. If you disable this policy setting, users may use Add-on Manager to allow or deny any add-ons.

You should consider using both the Deny all add-ons unless specifically allowed in the Add-on List setting and the Add-on List setting to control the add-ons that can be used in your environment. This approach will help ensure that only authorized add-ons are used.

Add-on List

This policy setting, along with the Deny all add-ons unless specifically allowed in the Add-on List setting, allows you to control Internet Explorer add-ons. By default, the Add-on List setting defines a list of add-ons to be allowed or denied through Group Policy. The Deny all add-ons unless specifically allowed in the Add-on List setting ensures that all add-ons are assumed to be denied unless they are specifically listed in the Add-on List setting.

If you enable the Add-on List setting, you are required to list the add-ons to be allowed or denied by Internet Explorer. The specific list of add-ons that should be included on this list will vary from one organization to another, and therefore this guide does not provide a detailed list. For each entry that you add to the list, you must provide the following information:

Name of the Value. The CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets; for example, {000000000-0000-0000-0000-0000000000000}. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.

Value. A number that indicates whether Internet Explorer should deny or allow the add-on to be loaded. The following values are valid:

0 Deny this add-on

1 Allow this add-on

2 Allow this add-on and permit the user to manage it through Manage Add-ons

If you disable the Add-on List setting, the list is deleted. You should consider using both the Deny all add-ons unless specifically allowed in the Add-on List and the Add-on List settings to control the add-ons that can be used in your environment. This approach will help ensure that only authorized add-ons are used.
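How the two settings combine to decide whether a particular add-on loads, as an added Python example that is not part of the guide: it encodes the rules above (an add-on not on the list is denied only when Deny all add-ons unless specifically allowed in the Add-on List is enabled; listed add-ons follow their 0, 1 or 2 value) and, before the list is relied upon, checks that every entry is a well-formed CLSID, since a malformed entry never matches a real add-on and silently does nothing. The CLSIDs in the sample list are constructed placeholders, and the `validate_addon_list` and `effective_state` helpers are this example's own; only the 0/1/2 semantics and the deny-unless-listed behaviour come from the guide. Treating an entry with an invalid value as if it were absent is an assumption the guide does not define.

```python
"""Effective Internet Explorer add-on state under the two Add-on Management
policies (added example; not from the Windows XP Security Guide)."""
import re
from dataclasses import dataclass
from typing import Dict, Mapping

# A registry CLSID is 8-4-4-4-12 hexadecimal digits inside braces.
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Add-on List values, as defined by the policy.
DENY, ALLOW, ALLOW_USER_MANAGED = "0", "1", "2"
VALID_VALUES = (DENY, ALLOW, ALLOW_USER_MANAGED)


@dataclass(frozen=True)
class AddonState:
    loads: bool            # will Internet Explorer load the add-on?
    user_can_manage: bool  # may the user change that through Manage Add-ons?
    reason: str


def _norm(clsid: str) -> str:
    """CLSIDs are case-insensitive in the registry; compare them upper-cased."""
    return clsid.strip().upper()


def validate_addon_list(addon_list: Mapping[str, str]) -> Dict[str, str]:
    """Return {entry: problem} for Add-on List entries that cannot take effect."""
    problems: Dict[str, str] = {}
    for clsid, value in addon_list.items():
        if not CLSID_RE.match(clsid.strip()):
            problems[clsid] = "CLSID must look like {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}"
        elif value not in VALID_VALUES:
            problems[clsid] = f"value {value!r} is not 0, 1 or 2"
    return problems


def effective_state(clsid: str, restrict_to_list: bool,
                    addon_list: Mapping[str, str]) -> AddonState:
    """Decide whether an add-on loads, given both policy settings.

    restrict_to_list is the 'Deny all add-ons unless specifically allowed in
    the Add-on List' setting.  Entries with an invalid value are treated as if
    they were absent (an assumption; the guide does not define that case).
    """
    entries = {_norm(k): v for k, v in addon_list.items()}
    value = entries.get(_norm(clsid))
    if value == DENY:
        return AddonState(False, False, "explicitly denied by Add-on List")
    if value == ALLOW:
        return AddonState(True, False, "allowed by Add-on List; user cannot disable it")
    if value == ALLOW_USER_MANAGED:
        return AddonState(True, True, "allowed by Add-on List; user may manage it")
    if restrict_to_list:
        return AddonState(False, False,
                          "not listed; denied because 'Deny all add-ons unless "
                          "specifically allowed in the Add-on List' is enabled")
    return AddonState(True, True, "not listed; user decides through Add-on Manager")


# Constructed sample list (the CLSIDs are placeholders, not real add-ons).
SAMPLE_ADDON_LIST = {
    "{11111111-2222-3333-4444-555555555555}": ALLOW,               # approved, locked
    "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}": ALLOW_USER_MANAGED,  # approved, user may toggle
    "{99999999-8888-7777-6666-555555555555}": DENY,                # explicitly blocked
    "{BAD-ENTRY}": ALLOW,                                          # malformed: matches nothing
}

if __name__ == "__main__":
    for entry, problem in validate_addon_list(SAMPLE_ADDON_LIST).items():
        print(f"invalid entry {entry}: {problem}")
    unknown = "{12345678-90AB-CDEF-1234-567890ABCDEF}"  # an add-on not on the list
    for restrict in (True, False):
        state = effective_state(unknown, restrict, SAMPLE_ADDON_LIST)
        print(f"restrict_to_list={restrict}: loads={state.loads} ({state.reason})")
```

Running the script shows the malformed entry being reported and the unlisted add-on flipping from denied to user-decided as the Deny all add-ons setting is turned off, which is the reason the guide recommends configuring both settings together.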

Terminal Services\Client/Server data redirection

Terminal Services settings provide options to redirect client computer resources to servers that are accessed through Terminal Services. The following setting is specific to Terminal Services.

You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection

Table 4.13 Recommended Do Not Allow Drive Redirection Settings

Setting                         EC desktop      EC laptop       SSLF desktop  SSLF laptop
Do not allow drive redirection  Not Configured  Not Configured  Enabled       Enabled

Do not allow drive redirection

This policy setting prevents users from sharing the local drives on their client computers to Terminal Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer or My Computer in the following format:

\\TSClient\$

If local drives are shared, they are left vulnerable to intruders who want to exploit the data that is stored on them.

For this reason, the Do not allow drive redirection setting is configured to Enabled for the SSLF environment. However, this policy setting is Not Configured for the EC environment.

Terminal Services\Encryption and Security

You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Encryption and Security

Table 4.14 Recommended Terminal Services Encryption and Security Settings

Setting                                            EC desktop      EC laptop       SSLF desktop  SSLF laptop
Always prompt client for password upon connection  Not Configured  Not Configured  Enabled       Enabled
Set client connection encryption level             High Level      High Level      High Level    High Level

Always prompt client for password upon connection

This policy setting specifies whether Terminal Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Terminal Services, even if they already provided the password in the Remote Desktop Connection client. By default, Terminal Services allows users to automatically log on if they enter a password in the Remote Desktop Connection client.

The Always prompt client for password upon connection setting is configured to Enabled in the SSLF environment. However, this policy setting is Not Configured for the EC environment.

Note: If you do not configure this policy setting, the local computer administrator can use the Terminal Services Configuration tool to either allow or prevent passwords from being automatically sent.

Set client connection encryption level

This policy setting specifies whether the computer that is about to host the remote connection will enforce an encryption level for all data sent between it and the client computer for the remote session.

The encryption level is set to High Level to enforce 128-bit encryption for the two environments that are discussed in this chapter.

Terminal Services\Client

You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Administrative Templates\Windows Components\Terminal Services\Client

Table 4.15 Recommended Do Not Allow Passwords to be Saved Settings

Setting                             EC desktop  EC laptop  SSLF desktop  SSLF laptop
Do not allow passwords to be saved  Enabled     Enabled    Enabled       Enabled

Do not allow passwords to be saved

This policy setting prevents passwords from being saved on a computer by Terminal Services clients. If you enable this policy setting, the password saving checkbox is disabled for Terminal Services clients and users will not be able to save passwords.

Because saved passwords can lead to additional compromise if a client computer is stolen or taken over, the Do not allow passwords to be saved setting is configured to Enabled for both of the environments that are discussed in this chapter.

Note: If this policy setting was previously configured as Disabled or Not Configured, any previously saved passwords will be deleted the first time a Terminal Services client disconnects from any server.

Windows Messenger

Windows Messenger is used to send instant messages to other users on a computer network. The messages may include files and other attachments.

You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Windows Messenger

Table 4.16 Recommended Windows Messenger Settings

Setting                                   EC desktop  EC laptop  SSLF desktop  SSLF laptop
Do not allow Windows Messenger to be run  Enabled     Enabled    Enabled       Enabled

Do not allow Windows Messenger to be run

You can enable the Do not allow Windows Messenger to be run setting to disable Windows Messenger and prevent the program from being executed. Because this application has been used for malicious purposes such as spam, the distribution of malicious software, and disclosure of sensitive data, Microsoft recommends that you configure the Do not allow Windows Messenger to be run setting to Enabled for both the EC and SSLF environments.

Note: If you configure this policy setting to Enabled, Remote Assistance is prevented from using Windows Messenger and users are prevented from using MSN® Messenger.

Windows Update

Administrators use Windows Update settings to manage how patches and hotfixes are applied on Windows XP workstations. Updates are available from the Microsoft Windows Update Web site. Alternatively, you can set up an intranet Web site to distribute patches and hotfixes in a similar manner with additional administrative control. The Windows Update Administrative Template (WUAU.adm) was introduced with Windows XP Service Pack 1 (SP1).

Windows Server Update Services (WSUS) is an infrastructure service that builds on the success of the Microsoft Windows Update and Software Update Services (SUS) technologies. WSUS manages and distributes critical Windows patches that resolve known security vulnerabilities and other stability issues with Microsoft Windows operating systems.

WSUS eliminates manual update steps with a dynamic notification system for critical updates that are available to Windows client computers through your intranet server. No Internet access is required from client computers to use this service. This technology also provides a simple and automatic way to distribute updates to your Windows workstations and servers.

Windows Server Update Services also offers the following features:

Administrator control over content synchronization within your intranet. This synchronization service is a server-side component that retrieves the latest critical updates from Windows Update. As new updates are added to Windows Update, the server running WSUS automatically downloads and stores them, based on an administrator-defined schedule.

An intranet-hosted Windows Update server. This easy-to-use server acts as the virtual Windows Update server for client computers. It contains a synchronization service and administrative tools for managing updates. It services requests for approved updates from client computers that are connected to it through the HTTP protocol. This server can also host critical updates that are downloaded from the synchronization service and refer client computers to those updates.

Administrator control over updates. The administrator can test and approve updates from the public Windows Update site before deployment on their organization’s intranet. Deployment takes place on a schedule that the administrator creates. If multiple servers are running WSUS, the administrator controls which computers access particular servers that run the service. Administrators can enable this level of control with Group Policy in an Active Directory® directory service environment or through registry keys.

Automatic updates on computers (workstations or servers). Automatic Updates is a Windows feature that can be set up to automatically check for updates that are published on Windows Update. WSUS uses this Windows feature to publish administrator approved updates on an intranet.

Note: If you choose to distribute patches through another method, such as Microsoft Systems Management Server, this guide recommends that you disable the Configure Automatic Updates setting.

There are several Windows Update settings. A minimum of three settings is required to make Windows Update work: Configure Automatic Updates, No auto-restart for scheduled Automatic Updates installations, and Reschedule Automatic Updates scheduled installations. A fourth setting is optional and depends on the requirements of your organization: Specify intranet Microsoft update service location.

You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Windows Update

The settings that are discussed in this section do not individually address specific security risks, but relate more to administrator preference. However, configuration of Windows Update is essential to the security of your environment because it ensures that the client computers in your environment receive security patches from Microsoft soon after they are available.

Note: Windows Update is dependent on several services, including the Remote Registry service and the Background Intelligent Transfer Service. In Chapter 3, "Security Settings for Windows XP Clients," these services are disabled in the SSLF environment. Therefore, if these services are disabled, Windows Update will not work, and the following four setting prescriptions may be disregarded for the SSLF environment only.

The following table summarizes the recommended Windows Update settings. Additional information about each setting is provided in the subsections that follow the table.

Table 4.17 Recommended Windows Update Settings

Setting                                                                                          EC desktop  EC laptop  SSLF desktop  SSLF laptop
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box            Disabled    Disabled   Disabled      Disabled
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box  Disabled    Disabled   Disabled      Disabled
Configure Automatic Updates                                                                      Enabled     Enabled    Enabled       Enabled
No auto-restart for scheduled Automatic Updates installations                                    Disabled    Disabled   Disabled      Disabled
Reschedule Automatic Updates scheduled installations                                             Enabled     Enabled    Enabled       Enabled
Specify intranet Microsoft update service location                                               Enabled     Enabled    Enabled       Enabled

Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box

This policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box. If you disable this policy setting, the Install Updates and Shut Down option will display in the Shut Down Windows dialog box if updates are available when the user selects the Shut Down option in the Start menu or clicks Shut Down after pressing CTRL+ALT+DELETE.

Because updates are important to the overall security of all computers, the Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box setting is configured to Disabled for both of the environments that are discussed in this chapter. This policy setting works in conjunction with the following Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box setting.

Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box

This policy setting allows you to manage whether the Install Updates and Shut Down option is allowed to be the default choice in the Shut Down Windows dialog. If you disable this policy setting, the Install Updates and Shut Down option will be the default option in the Shut Down Windows dialog box if updates are available for installation when the user selects the Shut Down option in the Start menu.

Because updates are important to the overall security of all computers, the Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box setting is configured to Disabled for both of the environments that are discussed in this chapter.

Note: This policy setting has no effect if the Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in the Shut Down Windows dialog box setting is Enabled.

Configure Automatic Updates

This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search the Windows Update Web site or your designated intranet site for updates that apply to them.

After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:

Notify before downloading any updates and notify again before installing them.

Download the updates automatically and notify when they are ready to be installed. (Default setting)

Automatically download updates and install them on the schedule specified below.

If you disable this policy setting, you will need to download and manually install any available updates from the Windows Update Web site at http://windowsupdate.microsoft.com.

The Configure Automatic Updates setting is configured to Enabled for the two environments that are discussed in this chapter.

No auto-restart for scheduled Automatic Updates installations

If this policy setting is enabled, the computer will wait for a logged-on user to restart it to complete a scheduled installation; otherwise, the computer will restart automatically. When enabled, this policy setting also prevents Automatic Updates from restarting computers automatically during a scheduled installation. If a user is logged on to a computer when Automatic Updates requires a restart to complete an update installation, the user is notified and given the option to delay the restart. Automatic Updates will not detect future updates until the restart occurs.

If the No auto-restart for scheduled Automatic Updates installations setting is configured to Disabled or Not Configured, Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation. If automatic restarts are a concern, you can configure the No auto-restart for scheduled Automatic Updates installations setting to Enabled. If you do enable this policy setting, schedule your client computers to restart after normal business hours to ensure that the installation is completed.

The No auto-restart for scheduled Automatic Updates installations setting is configured to Disabled for the two environments that are discussed in this chapter.

Note: This policy setting only works when Automatic Updates is configured to perform scheduled update installations. If the Configure Automatic Updates setting is configured to Disabled, it will not work. A restart is generally required to complete an update installation.

Reschedule Automatic Updates scheduled installations

This policy setting determines the amount of time before previously scheduled Automatic Update installations will proceed after system startup. If you configure this policy setting to Enabled, a previously scheduled installation will begin after a specified number of minutes when you next start the computer. If you configure this policy setting to Disabled or Not Configured, previously scheduled installations will occur during the next regularly scheduled installation time.

The Reschedule Automatic Updates scheduled installations setting is configured to Enabled for the two environments that are discussed in this chapter. After you enable this policy setting, you may change the default waiting period to one that is appropriate for your environment.

Note: This policy setting only works when Automatic Updates is configured to perform scheduled update installations. If the Configure Automatic Updates setting is Disabled, the Reschedule Automatic Updates scheduled installations setting has no effect. You can enable the latter two settings to ensure that previously missed installations will be scheduled to install each time the computer restarts.

Specify intranet Microsoft update service location

This policy setting specifies an intranet server to host updates that are available from the Microsoft Update Web sites. You can then use this update service to automatically update computers on your network. This policy setting lets you specify a WSUS server on your network to function as an internal update service. The Automatic Updates client will work with the WSUS server to search the service for updates that apply to the computers on your network.

The Specify intranet Microsoft update service location setting is configured to Enabled for both of the environments that are discussed in this chapter.

Note: An enabled Specify intranet Microsoft update service location setting has no effect if the Configure Automatic Updates setting is disabled.

System

You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\System

The following figure illustrates the sections in Group Policy that will be affected by the setting changes in this section:

Figure 4.3 Group Policy structure for Computer Configuration System

The following table summarizes the recommended system settings. Additional information about each setting is provided in the subsections that follow the table.

Table 4.18 Recommended System Settings

Setting                                              EC desktop      EC laptop       SSLF desktop          SSLF laptop
Turn off Autoplay                                    Not Configured  Not Configured  Enabled – All Drives  Enabled – All Drives
Turn off Windows Update device driver search prompt  Disabled        Disabled        Enabled               Enabled

Turn off Autoplay

Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. You can enable the Turn off Autoplay setting to disable the Autoplay feature. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives.

The Turn off Autoplay setting is configured to Enabled – All Drives for the SSLF environment only. However, this policy setting is Not Configured for the EC environment.

Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives.

Turn off Windows Update device driver search prompt

This policy setting controls whether the administrator is prompted to search Windows Update for device drivers through the Internet. If this policy setting is Enabled, administrators will not be prompted to search Windows Update. If both this policy setting and Turn off Windows Update device driver searching are Disabled or Not Configured, the administrator will be prompted for consent before Windows Update is searched for device drivers.

Because there is some risk involved when any device drivers are downloaded from the Internet, the Turn off Windows Update device driver search prompt setting is configured to Enabled for the SSLF environment and Disabled for the EC environment. The reason for this recommendation is that the types of attacks that can exploit a driver download will typically be mitigated by proper enterprise resource management.

Note: This policy setting is only effective if the Turn off Windows Update device driver searching setting in Administrative Templates/System/Internet Communication Management/Internet Communication is Disabled or Not Configured.

Logon

You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\System\Logon

The following table summarizes the recommended Logon settings. Additional information about each setting is provided in the subsections that follow the table.

Table 4.19 Recommended Logon Settings

Setting                             EC desktop      EC laptop       SSLF desktop  SSLF laptop
Do not process the legacy run list  Not Configured  Not Configured  Enabled       Enabled
Do not process the run once list    Not Configured  Not Configured  Enabled       Enabled

Do not process the legacy run list

This policy setting causes the run list, which is a list of programs that Windows XP runs automatically when it starts, to be ignored. The customized run lists for Windows XP are stored in the registry at the following locations:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

You can enable the Do not process the legacy run list setting to prevent a malicious user from running a program each time Windows XP starts, which could compromise data on the computer or cause other harm. When this policy setting is enabled, certain system programs are prevented from running, such as antivirus software, and software distribution and monitoring software. Microsoft recommends that you evaluate the threat level to your environment before you determine whether to use this policy setting for your organization.

The Do not process the legacy run list setting is Not Configured for the EC environment and Enabled for the SSLF environment.

Do not process the run once list

This policy setting causes the run-once list, which is the list of programs that Windows XP runs automatically when it starts, to be ignored. This policy setting differs from the Do not process the legacy run list setting in that programs on this list will run once the next time the client computer restarts. Setup and installation programs are sometimes added to this list to complete installations after a client computer restarts. If you enable this policy setting, attackers will not be able to use the run-once list to launch rogue applications, which was a common method of attack in the past. A malicious user can exploit the run-once list to install a program that may compromise the security of Windows XP client computers.

Note: Customized run-once lists are stored in the registry at the following location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce.

The Do not process the run once list setting should cause minimal functionality loss to users in your environment, especially if the client computers have been configured with all of your organization's standard software before this policy setting is applied through Group Policy.

The Do not process the run once list setting is set to Not Configured for the EC environment and to Enabled for the SSLF environment.
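One way to check a client against the SSLF recommendations in the Terminal Services, Windows Messenger, Windows Update, System and Logon sections above from an exported .reg file, as an added Python example that is not part of the guide. It parses a constructed export of the policy keys and reports every baseline value that is missing or differs from the recommendation; the EC environment leaves several of these Not Configured, so drop those entries from the baseline list for EC clients. The registry key paths and value names are the ones the corresponding .adm templates write as I understand them (an assumption: confirm them against System.adm, Wuau.adm and the Terminal Services entries in your environment before relying on the script), and the sample export, its placeholder WSUS URL and the `parse_reg` and `audit` helpers are constructed for this example.

```python
"""Audit an exported .reg file against this chapter's SSLF baseline (added example, not from the guide)."""
import re

# Key paths and value names the policies write (assumption: verify against your .adm files).
POL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft"
TS = POL + r"\Windows NT\Terminal Services"
WU = POL + r"\Windows\WindowsUpdate"
AU = WU + r"\AU"
EXPLORER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# (setting as named in the guide, key, value name, allowed data); "nonempty" = any non-blank string.
SSLF_BASELINE = [
    ("Do not allow drive redirection = Enabled", TS, "fDisableCdm", {1}),
    ("Always prompt client for password upon connection = Enabled", TS, "fPromptForPassword", {1}),
    ("Set client connection encryption level = High Level", TS, "MinEncryptionLevel", {3}),
    ("Do not allow passwords to be saved = Enabled", TS, "DisablePasswordSaving", {1}),
    ("Do not allow Windows Messenger to be run = Enabled", POL + r"\Messenger\Client", "PreventRun", {1}),
    ("Configure Automatic Updates = Enabled", AU, "NoAutoUpdate", {0}),
    ("Configure Automatic Updates option 2, 3 or 4", AU, "AUOptions", {2, 3, 4}),
    ("No auto-restart for scheduled Automatic Updates installations = Disabled", AU, "NoAutoRebootWithLoggedOnUsers", {0}),
    ("Reschedule Automatic Updates scheduled installations = Enabled", AU, "RescheduleWaitTimeEnabled", {1}),
    ("Specify intranet Microsoft update service location = Enabled", AU, "UseWUServer", {1}),
    ("Intranet update server URL configured", WU, "WUServer", "nonempty"),
    ("Turn off Autoplay = Enabled, All Drives", EXPLORER, "NoDriveTypeAutoRun", {0xFF}),
    ("Do not process the legacy run list = Enabled", EXPLORER, "DisableLocalMachineRun", {1}),
    ("Do not process the run once list = Enabled", EXPLORER, "DisableLocalMachineRunOnce", {1}),
]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.+)$')


def _unescape(s):
    """Undo .reg string escaping (doubled backslashes, escaped double quotes)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse REG_DWORD and REG_SZ lines of a 'Windows Registry Editor Version 5.00' export into
    {key path: {value name: data}}; keys and names are lower-cased (the registry is case-insensitive)."""
    tree, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if key := _KEY_RE.match(line):
            current = tree.setdefault(key.group(1).lower(), {})
            continue
        if current is not None and (val := _VALUE_RE.match(line)):
            name, data = _unescape(val.group(1)).lower(), val.group(2)
            if data.startswith("dword:"):
                current[name] = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                current[name] = _unescape(data[1:-1])
            else:
                current[name] = data  # other data types are kept as raw text
    return tree


def audit(tree, baseline=SSLF_BASELINE):
    """Return one finding per baseline entry that is missing or non-compliant."""
    findings = []
    for setting, key, name, expected in baseline:
        actual = tree.get(key.lower(), {}).get(name.lower())
        if actual is None:
            findings.append(f"MISSING  {setting}: {name} not set under {key}")
        elif expected == "nonempty":
            if not (isinstance(actual, str) and actual.strip()):
                findings.append(f"EMPTY    {setting}: {name} is {actual!r}")
        elif actual not in expected:
            findings.append(f"MISMATCH {setting}: {name}={actual!r}, expected one of {sorted(expected)}")
    return findings


# Constructed sample export: meets most of the baseline, but still allows drive
# redirection, has Automatic Updates disabled and lacks the run-once setting.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fDisableCdm"=dword:00000000
"fPromptForPassword"=dword:00000001
"MinEncryptionLevel"=dword:00000003
"DisablePasswordSaving"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client]
"PreventRun"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://wsus.example.invalid:8530"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
"AUOptions"=dword:00000004
"UseWUServer"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000000
"RescheduleWaitTimeEnabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"DisableLocalMachineRun"=dword:00000001
'''

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a real client the export comes from `reg export "HKLM\SOFTWARE\Policies\Microsoft" policies.reg` plus the same command for the Explorer policy key; concatenate the two files and pass the text to `parse_reg`. Running the script on the sample reports three findings: drive redirection still allowed, Automatic Updates disabled, and the run-once setting absent.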

Group Policy

You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\System\Group Policy

Table 4.20 Recommended Group Policy Settings

Setting                     EC desktop  EC laptop  SSLF desktop  SSLF laptop
Registry policy processing  Enabled     Enabled    Enabled       Enabled

Registry policy processing

This policy setting determines when registry policies are updated. It affects all policies in the Administrative Templates folder, and any other policies that store values in the registry. If this policy setting is enabled, the following options are available:

Do not apply during periodic background processing.

Process even if the Group Policy objects have not changed.

Some settings that are configured through the Administrative Templates are made in areas of the registry that are accessible to users. User changes to these settings will be overwritten if this policy setting is enabled.

The Registry policy processing setting is configured to Enabled for both of the environments that are discussed in this chapter.

Remote Assistance

You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\System\Remote Assistance

The following table summarizes the recommended Remote Assistance settings. Additional information about each setting is provided in the subsections that follow the table.

Table 4.21 Recommended Remote Assistance Settings

Setting                    EC desktop      EC laptop       SSLF desktop  SSLF laptop
Offer Remote Assistance    Not Configured  Not Configured  Disabled      Disabled
Solicit Remote Assistance  Not Configured  Not Configured  Disabled      Disabled

Offer Remote Assistance

This policy setting determines whether a support person or an IT "expert" administrator can offer remote assistance to computers in your environment if a user does not explicitly request assistance first through a channel, e-mail, or Instant Messenger.

Note: The expert cannot connect to the computer unannounced or control it without permission from the user. When the expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation after the Offer Remote Assistance setting is configured to Enabled.

If this policy setting is enabled the following options are available:

Allow helpers to only view the computer

Allow helpers to remotely control the computer

When you configure this policy setting, you can also specify a list of users or user groups known as "helpers" who may offer remote assistance.

To configure the list of helpers

1. In the Offer Remote Assistance setting configuration window, click Show. A new window will open in which you can enter helper names.

2. Add each user or group to the Helper list in one of the following formats:

\

\

If this policy setting is disabled or not configured, users or groups will not be able to offer unsolicited remote assistance to computer users in your environment.

The Offer Remote Assistance setting is Not Configured for the EC environment. However, this policy setting is configured to Disabled for the SSLF environment to prevent access to Windows XP client computers across the network.

Solicit Remote Assistance

This policy setting determines whether remote assistance may be solicited from the Windows XP computers in your environment. You can enable this policy setting to allow users to solicit remote assistance from IT "expert" administrators.

Note: Experts cannot connect to a user’s computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation.

If the Solicit Remote Assistance setting is enabled, the following options are available:

Allow helpers to remotely control the computer

Allow helpers to only view the computer

Also, the following options are available to configure the amount of time that a user help request remains valid:

Maximum ticket time (value):

Maximum ticket time (units): hours, minutes or days

When a ticket (help request) expires, the user must send another request before an expert can connect to the computer. If you disable the Solicit Remote Assistance setting, users cannot send help requests and the expert cannot connect to their computers.

If the Solicit Remote Assistance setting is not configured, users can configure solicited remote assistance through the Control Panel. The following settings are enabled by default in the Control Panel: Solicited remote assistance, Buddy support, and Remote control. The value for the Maximum ticket time is set to 30 days. If this policy setting is disabled, no one will be able to access Windows XP client computers across the network.

The Solicit Remote Assistance setting is Not Configured for the EC environment and is configured to Disabled for the SSLF environment.

Error Reporting

These settings control how operating system and application errors are reported. In the default configuration, when an error occurs the user is queried by a pop-up dialog box about whether they want to send an error report to Microsoft. Microsoft has strict policies in place to protect data that is received in these reports. However, the data is transmitted in plaintext, which is a potential security risk.

Microsoft provides the Corporate Error Reporting tool for organizations to collect the reports locally and not send them to Microsoft over the Internet. Microsoft recommends the use of the Corporate Error Reporting tool in the SSLF environment to prevent sensitive information from exposure on the Internet. Additional information about this tool is included in the “More Information” section at the end of this chapter.

You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\System\Error Reporting

The following table summarizes the recommended Error Reporting settings. Additional information about each setting is provided in the subsections that follow the table.

Table 4.22 Recommended Error Reporting Settings

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Display Error Notification | Enabled | Enabled | Enabled | Enabled
Configure Error Reporting | Enabled | Enabled | Enabled | Enabled

Display Error Notification

This policy setting controls whether error messages are displayed to users on their computer screens. If you enable this policy setting, error message notifications will be sent when errors occur and users will have access to details about the errors. If you disable this policy setting, users are prevented from viewing error notifications.

When an error occurs, it is important that the user is aware of the problem. Users will not be made aware of problems if you disable the Display Error Notification setting. For this reason, the Display Error Notification setting is configured to Enabled for the two environments that are discussed in this chapter.

Configure Error Reporting

This policy setting controls whether errors are reported. When this policy setting is enabled, users can choose whether to report errors when they occur. Errors may be reported to Microsoft through the Internet or to a local file share. If you enable this policy setting, the following options are also available:

Do not display links to any Microsoft-provided “more information” Web sites

Do not collect additional files

Do not collect additional machine data

Force queue mode for application errors

Corporate upload file path

Replace instances of the word “Microsoft” with

If the Configure Error Reporting setting is disabled, users are unable to report errors. If the Display Error Notification setting is enabled, users will receive error notifications but cannot report them. The Configure Error Reporting setting allows you to customize an error reporting strategy for your organization and collect reports for local analysis.

The Configure Error Reporting setting is configured to Enabled for the two environments that are discussed in this chapter. In addition, the following options were selected for the SSLF environment:

Do not collect additional files

Do not collect additional machine data

Force queue mode for application errors

You can also select the Corporate upload file path option and include the path to the server on which you have installed the Corporate Error Reporting tool. You should evaluate the needs of your organization to determine which of these options to use.
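As an added example (not part of the guide), the following Python script reads a Regedit 5.00 export of the Error Reporting policy key and checks it against Table 4.22 and the SSLF options listed above, and also flags the case where reporting is enabled but no Corporate Error Reporting share is configured, so reports would leave the network in plaintext. The registry value names (DoReport, ShowUI, DWNoFileCollection, DWNoSecondLevelCollection, ForceQueueMode, DWFileTreeRoot) are the ones I recall from system.adm and are an assumption to verify against your own template; the export text is constructed.

```python
"""Audit the Windows XP SP2 Error Reporting policy key against the guide's
EC and SSLF recommendations, reading a .reg export of the policy key.

Assumption: value names as recalled from system.adm (verify against your
template). The sample export below is constructed, not captured from a host."""
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting"

# What each environment in Table 4.22 (plus the SSLF option boxes) requires.
RECOMMENDED = {
    "EC":   {"ShowUI": 1, "DoReport": 1},
    "SSLF": {"ShowUI": 1, "DoReport": 1,
             "DWNoFileCollection": 1, "DWNoSecondLevelCollection": 1,
             "ForceQueueMode": 1},
}


def parse_reg_export(text):
    """Parse the subset of the Regedit 5.00 .reg format needed here:
    [key] headers, "name"=dword:xxxxxxxx and "name"="string" lines.
    Returns {key: {value_name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, rhs = m.group(1), m.group(2)
        if rhs.startswith("dword:"):
            keys[current][name] = int(rhs[6:], 16)
        elif rhs.startswith('"') and rhs.endswith('"'):
            # .reg escapes backslash and double quote with a backslash
            keys[current][name] = rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def audit_error_reporting(reg, environment):
    """Return a list of findings; an empty list means the key matches the
    guide's recommendation for the given environment ('EC' or 'SSLF')."""
    values = reg.get(POLICY_KEY, {})
    findings = []
    for name, want in RECOMMENDED[environment].items():
        got = values.get(name)
        if got != want:
            findings.append(f"{name}: expected {want}, found {got!r}")
    # Reports should go to a Corporate Error Reporting share, not to Microsoft.
    root = values.get("DWFileTreeRoot", "")
    if values.get("DoReport") == 1 and not root.startswith("\\\\"):
        findings.append("DoReport is 1 but DWFileTreeRoot is not a UNC path; "
                        "reports would be sent over the Internet in plaintext")
    return findings


# Constructed sample export: an EC-style host that also set one SSLF option.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting]
"DoReport"=dword:00000001
"ShowUI"=dword:00000001
"DWNoFileCollection"=dword:00000001
"ForceQueueMode"=dword:00000000
"DWFileTreeRoot"="\\\\cer-server\\ErrorReports"
'''

if __name__ == "__main__":
    reg = parse_reg_export(SAMPLE_EXPORT)
    for env in ("EC", "SSLF"):
        print(env, audit_error_reporting(reg, env) or "compliant")
```

Run against a real host by replacing SAMPLE_EXPORT with the output of `reg export` for the policy key; the SSLF audit of the sample reports the missing DWNoSecondLevelCollection value and the unset ForceQueueMode, while the EC audit passes.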

Remote Procedure Call

You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor:

Administrative Templates\System\Remote Procedure Call

The following table summarizes the recommended Remote Procedure Call settings. Additional information about each setting is provided in the subsections that follow the table.

Table 4.23 Recommended Remote Procedure Call Settings

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Restrictions for Unauthenticated RPC clients | Enabled - Authenticated | Enabled - Authenticated | Enabled - Authenticated | Enabled - Authenticated
RPC Endpoint Mapper Client Authentication | Disabled | Disabled | Enabled | Enabled

Restrictions for Unauthenticated RPC clients

This policy setting configures the RPC Runtime on an RPC server to restrict unauthenticated RPC clients from connecting to the RPC server. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC interfaces that have specifically asked to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy. If you enable this policy setting, the following values are available:

None. Allows all RPC clients to connect to RPC servers that run on the computer on which the policy is applied.

Authenticated. Allows only authenticated RPC clients to connect to RPC servers that run on the computer on which the policy is applied. Interfaces that have asked to be exempt from this restriction will be granted an exemption.

Authenticated without exceptions. Allows only authenticated RPC clients to connect to RPC servers that run on the computer on which the policy is applied. No exceptions are allowed.

Because unauthenticated RPC communication can create a security vulnerability, the Restrictions for Unauthenticated RPC clients setting is configured to Enabled and the RPC Runtime Unauthenticated Client Restriction to Apply value is set to Authenticated for both of the environments that are discussed in this chapter.

Note: RPC applications that do not authenticate unsolicited inbound connection requests may not work properly when this configuration is applied. Ensure you test applications before you deploy this policy setting throughout your environment. Although the Authenticated value for this policy setting is not completely secure, it can be useful for providing application compatibility in your environment.

RPC Endpoint Mapper Client Authentication

If you enable this policy setting, client computers that communicate with this computer will be forced to provide authentication before an RPC communication is established. By default, RPC clients will not use authentication to communicate with the RPC Server Endpoint Mapper Service when they request the endpoint of a server. However, this default was changed for the SSLF environment to require client computers to authenticate before an RPC communication is allowed.

Internet Communication Management\Internet Communication settings

There are several configuration settings available in the Internet Communication settings group. This guide recommends that many of these settings be restricted, primarily to help improve the confidentiality of the data on your computer systems. If these settings are not restricted, information could be intercepted and used by attackers. Although the actual occurrence of this type of attack today is rare, proper configuration of these settings will help protect your environment against future attacks.

You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor:

Administrative Templates\System\Internet Communication Management\Internet Communication settings

The following table summarizes the recommended Internet Communication settings. Additional information about each setting is provided in the subsections that follow the table.

Table 4.24 Recommended Internet Communication Settings

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Turn off the Publish to Web task for files and folders | Enabled | Enabled | Enabled | Enabled
Turn off Internet download for Web publishing and online ordering wizards | Enabled | Enabled | Enabled | Enabled
Turn off the Windows Messenger Customer Experience Improvement Program | Enabled | Enabled | Enabled | Enabled
Turn off Search Companion content file updates | Enabled | Enabled | Enabled | Enabled
Turn off printing over HTTP | Enabled | Enabled | Enabled | Enabled
Turn off downloading of print drivers over HTTP | Enabled | Enabled | Enabled | Enabled
Turn off Windows Update device driver searching | Disabled | Disabled | Enabled | Enabled

Turn off the Publish to Web task for files and folders

This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web.

If you configure the Turn off the Publish to Web task for files and folders setting to Enabled, these options are removed from the File and Folder tasks in Windows folders. By default, the option to publish to the Web is available. Because this capability could be used to expose secured content to an unauthenticated Web client computer, this policy setting is configured to Enabled for both the EC and SSLF environments.

Turn off Internet download for Web publishing and online ordering wizards

This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. If this policy setting is enabled, Windows is prevented from downloading providers; only the service providers that are cached in the local registry will display.

Because the Turn off the Publish to Web task for files and folders setting was enabled for both the EC and SSLF environments (see the previous setting), this option is not needed. However, the Turn off Internet download for Web publishing and online ordering wizards setting is configured to Enabled to minimize the attack surface of client computers and to ensure that this capability cannot be exploited in other ways.

Turn off the Windows Messenger Customer Experience Improvement Program

This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. You can enable this policy setting to ensure that Windows Messenger does not collect usage information and to prevent display of the user settings that enable the collection of usage information.

In large enterprise environments it may be undesirable to have information collected from managed client computers. The Turn off the Windows Messenger Customer Experience Improvement Program setting is configured to Enabled for both of the environments that are discussed in this chapter to prevent information being collected.

Turn off Search Companion content file updates

This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. If you configure this policy setting to Enabled, you prevent Search Companion from downloading content updates during searches.

The Turn off Search Companion content file updates setting is configured to Enabled for both the EC and SSLF environments to help control unnecessary network communications from each managed client computer.

Note: Internet searches will still send the search text and information about the search to Microsoft and the chosen search provider. If you select Classic Search, the Search Companion feature will be unavailable. You can select Classic Search by clicking Start, Search, Change Preferences, and then Change Internet Search Behavior.

Turn off printing over HTTP

This policy setting allows you to disable the client computer’s ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. If you enable this policy setting, the client computer will not be able to print to Internet printers over HTTP.

Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise environments. The Turn off printing over HTTP setting is configured to Enabled for both the EC and SSLF environments to help prevent a potential security breach from an insecure print job.

Note: This policy setting affects the client side of Internet printing only. Regardless of how it is configured, a computer could act as an Internet Printing server and make its shared printers available through HTTP.

Turn off downloading of print drivers over HTTP

This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP.

The Turn off downloading of print drivers over HTTP setting is configured to Enabled to prevent print drivers from being downloaded over HTTP.

Note: This policy setting does not prevent the client computer from printing to printers on the intranet or the Internet over HTTP. It only prohibits drivers that are not already installed locally from being downloaded.

Turn off Windows Update device driver searching

This policy setting specifies whether Windows will search Windows Update for device drivers when no local drivers for a device are present.

Because there is some risk when any device drivers are downloaded from the Internet, the Turn off Windows Update device driver searching setting is configured to Enabled for the SSLF environment and Disabled for the EC environment. The EC environment can leave the setting Disabled because the types of attacks that can exploit a driver download are typically mitigated by proper enterprise resource and configuration management.

Note: See also Turn off Windows Update device driver search prompt in Administrative Templates/System, which governs whether an administrator is prompted before Windows Update is searched for device drivers if a driver is not found locally.

Network

There are no specific security-related configurations in the Network container of Group Policy. However, there are a number of very important settings in the Network Connections\Windows Firewall container that the following sections will explain.

The following figure illustrates the sections in Group Policy that will be affected by the setting changes in this section:

Figure 4.4 Group Policy structure for Computer Configuration Network Connections


Network Connections\Windows Firewall

Windows Firewall settings are made in two profiles—Domain Profile and Standard Profile. Whenever a domain environment is detected the Domain Profile is used, and whenever a domain environment is not available the Standard Profile is used.

When a Windows Firewall setting is Recommended in one of the following two tables, the specific value to use will vary for different organizations. For example, each organization will have a unique list of applications that will require defined exceptions for the Windows Firewall. Therefore, it is not feasible for this guide to define a list that will be broadly useful.

When you need to determine which applications or ports may need exceptions, it may be helpful to enable Windows Firewall logging, Windows Firewall auditing, and network tracing. For more information, see the article “Configuring a Computer for Windows Firewall Troubleshooting,” which is available online at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/bfdeda55-46fc-4b53-b4cd-c71838ef4b41.mspx.

For more information about how Windows XP uses Network Location Awareness (NLA) to determine what kind of network it is connected to, see the article "Network Determination Behavior for Network-Related Group Policy Settings" on the Microsoft Web site at http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx.

Typically, the Domain Profile is configured to be less restrictive than the Standard Profile because a domain environment often provides additional layers of protection.

The policy setting names are identical in both profiles. The following two tables summarize the policy settings for the different profiles, and more detailed explanations are provided in the subsections that follow the tables.

Network Connections\Windows Firewall\Domain Profile

The settings in this section configure the Windows Firewall Domain Profile.

You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor:

Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile

Table 4.25 Recommended Windows Firewall Domain Profile Settings

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Protect all network connections | Enabled | Enabled | Enabled | Enabled
Do not allow exceptions | Not Recommended | Not Recommended | Not Recommended | Not Recommended
Define program exceptions | Recommended | Recommended | Recommended | Recommended
Allow local program exceptions | Not Recommended | Not Recommended | Disabled | Disabled
Allow remote administration exception | Recommended | Recommended | Disabled | Disabled
Allow file and printer sharing exception | Disabled | Disabled | Disabled | Disabled
Allow ICMP exceptions | Not Recommended | Not Recommended | Not Recommended | Not Recommended
Allow Remote Desktop exception | Recommended | Recommended | Not Recommended | Not Recommended
Allow UPnP framework exception | Not Recommended | Not Recommended | Not Recommended | Not Recommended
Prohibit notifications | Not Recommended | Not Recommended | Not Recommended | Not Recommended
Prohibit unicast response to multicast or broadcast requests | Enabled | Enabled | Enabled | Enabled
Define port exceptions | Not Recommended | Not Recommended | Not Recommended | Not Recommended
Allow local port exceptions | Disabled | Disabled | Disabled | Disabled

Note: When a Windows Firewall setting is Recommended in this table, the specific value to use will vary for different organizations. For example, each organization will have a unique list of applications that will require defined exceptions for the Windows Firewall. Therefore, it is not feasible for this guide to define a list that will be broadly useful.

Network Connections\Windows Firewall\Standard Profile

The settings in this section configure the Windows Firewall Standard Profile. This profile is often more restrictive than the Domain Profile, which assumes a domain environment provides some basic level of security. The Standard Profile is expected to be used when a computer is on an untrusted network, such as a hotel network or a public wireless access point. Such environments pose unknown threats and require additional security precautions.

You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor:

Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile

Table 4.26 Recommended Windows Firewall Standard Profile Settings

Setting | EC desktop | EC laptop | SSLF desktop | SSLF laptop
Protect all network connections | Enabled | Enabled | Enabled | Enabled
Do not allow exceptions | Recommended | Recommended | Recommended | Recommended
Define program exceptions | Recommended | Recommended | Recommended | Recommended
Allow local program exceptions | Not Recommended | Not Recommended | Disabled | Disabled
Allow remote administration exception | Disabled | Disabled | Disabled | Disabled
Allow file and printer sharing exception | Disabled | Disabled | Disabled | Disabled
Allow ICMP exceptions | Disabled | Disabled | Disabled | Disabled
Allow Remote Desktop exception | Enabled | Enabled | Disabled | Disabled
Allow UPnP framework exception | Disabled | Disabled | Disabled | Disabled
Prohibit notifications | Not Recommended | Not Recommended | Not Recommended | Not Recommended
Prohibit unicast response to multicast or broadcast requests | Enabled | Enabled | Enabled | Enabled
Define port exceptions | Not Recommended | Not Recommended | Not Recommended | Not Recommended
Allow local port exceptions | Disabled | Disabled | Disabled | Disabled

Note: When a Windows Firewall setting is Recommended in this table, the specific value to use will vary for different organizations. For example, each organization will have a unique list of applications that will require defined exceptions for the Windows Firewall. Therefore, it is not feasible for this guide to define a list that will be broadly useful.

Windows Firewall: Protect all network connections

This policy setting enables Windows Firewall, which replaces Internet Connection Firewall on all computers that run Windows XP with SP2. This guide recommends that you configure this policy setting to Enabled to protect all network connections for computers in all of the environments that are discussed in this guide.

If the Windows Firewall: Protect all network connections setting is configured to Disabled, Windows Firewall is turned off and all other settings for Windows Firewall are ignored.

Note: If you enable this policy setting, Windows Firewall runs and ignores the Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network setting.

Windows Firewall: Do not allow exceptions

This policy setting causes Windows Firewall to block all unsolicited incoming messages. It overrides all other Windows Firewall settings that allow such messages. If you enable this policy setting, the Don't allow exceptions check box in the Windows Firewall component of Control Panel is selected and administrators cannot clear it.

Many environments contain applications and services that must be allowed to receive inbound unsolicited communications as part of their normal operation. Such environments may need to configure the Windows Firewall: Do not allow exceptions setting to Disabled to allow those applications and services to run properly. However, before you configure this policy setting you should test the environment to determine exactly what communications need to be allowed.

Note: This policy setting provides a strong defense against external attackers and should be set to Enabled in situations where you require complete protection from external attacks, such as the outbreak of a new network worm. If you set this policy setting to Disabled, Windows Firewall will be able to apply other policy settings that allow unsolicited incoming messages.

Windows Firewall: Define program exceptions

Some applications may need to open and use network ports that are not typically allowed by Windows Firewall. The Windows Firewall: Define program exceptions setting allows you to view and change the program exceptions list that is defined by Group Policy.

If this policy setting is Enabled you can view and change the program exceptions list. If you add a program to this list and set its status to Enabled, that program can receive unsolicited incoming messages on any port that it requests Windows Firewall to open, even if that port is blocked by another setting. If you configure this policy setting to Disabled, the program exceptions list that is defined by Group Policy is deleted.

Note: If you type an invalid definition string, Windows Firewall adds it to the list without checking for errors. Because the entry is not checked, you can add programs that you have not installed yet. You can also accidentally create multiple exceptions for the same program with Scope or Status values that conflict.
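Because Windows Firewall accepts definition strings without checking them, it is worth validating a Group Policy exception list before it is deployed. The Python script below is an added example, not part of the guide: it parses program definition strings in the `<path>:<scope>:<status>:<name>` form documented for this policy setting (and, going slightly beyond this subsection, port definitions in the `<port>:<transport>:<scope>:<status>:<name>` form used by Define port exceptions), rejects malformed scopes, statuses, ports and transports, and reports the conflict the note above warns about: the same program or port defined more than once with a different Scope or Status. It assumes a program name never contains a colon, so the last three fields are split from the right to keep the drive-letter colon inside the path; all sample definitions are constructed.

```python
"""Validate Windows Firewall (XP SP2) Group Policy exception definition
strings before they go into 'Define program exceptions' or
'Define port exceptions', since the firewall adds them without checking.

Formats as documented in the policy explain text:
  program:  <path>:<scope>:<status>:<name>
  port:     <port>:<transport>:<scope>:<status>:<name>
scope is '*' or a comma-separated list of IP addresses, subnets and the
keyword LocalSubnet; status is 'enabled' or 'disabled'.
All sample definitions below are constructed for this example."""
import ipaddress
from collections import defaultdict

STATUSES = {"enabled", "disabled"}
TRANSPORTS = {"TCP", "UDP"}


def _scope_errors(scope):
    """Return problems found in a scope field ('*' or an address list)."""
    if scope == "*":
        return []
    errors = []
    for item in scope.split(","):
        item = item.strip()
        if item.lower() == "localsubnet":
            continue
        try:  # accepts a.b.c.d, a.b.c.d/nn and a.b.c.d/mask
            ipaddress.ip_network(item, strict=False)
        except ValueError:
            errors.append(f"bad scope entry {item!r}")
    return errors


def parse_program_exception(definition):
    """Parse 'path:scope:status:name' into (record, errors).
    Assumption: the name has no ':' so the last three fields are split
    from the right, keeping the drive-letter colon inside the path."""
    parts = definition.rsplit(":", 3)
    if len(parts) != 4:
        return None, [f"expected 4 fields, got {len(parts)}: {definition!r}"]
    path, scope, status, name = parts
    errors = _scope_errors(scope)
    if status.lower() not in STATUSES:
        errors.append(f"bad status {status!r}")
    if not path.lower().endswith(".exe"):
        errors.append(f"path does not name an executable: {path!r}")
    rec = {"key": path.lower(), "scope": scope, "status": status.lower(), "name": name}
    return rec, errors


def parse_port_exception(definition):
    """Parse 'port:transport:scope:status:name' into (record, errors)."""
    parts = definition.split(":", 4)
    if len(parts) != 5:
        return None, [f"expected 5 fields, got {len(parts)}: {definition!r}"]
    port, transport, scope, status, name = parts
    errors = _scope_errors(scope)
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        errors.append(f"bad port {port!r}")
    if transport.upper() not in TRANSPORTS:
        errors.append(f"bad transport {transport!r}")
    if status.lower() not in STATUSES:
        errors.append(f"bad status {status!r}")
    rec = {"key": f"{port}/{transport.upper()}", "scope": scope,
           "status": status.lower(), "name": name}
    return rec, errors


def check_exception_list(definitions, parser):
    """Run every definition through parser; report invalid strings and keys
    (programs or ports) defined more than once with differing scope/status."""
    invalid, seen, conflicts = {}, defaultdict(list), []
    for d in definitions:
        rec, errors = parser(d)
        if errors:
            invalid[d] = errors
        if rec:
            seen[rec["key"]].append(rec)
    for key, recs in seen.items():
        if len(recs) > 1 and len({(r["scope"], r["status"]) for r in recs}) > 1:
            conflicts.append(key)
    return {"invalid": invalid, "conflicts": sorted(conflicts)}


# Constructed sample lists: one conflict and two bad strings in each.
PROGRAM_EXCEPTIONS = [
    r"C:\Program Files\Backup\agent.exe:10.0.0.0/24,LocalSubnet:enabled:Backup agent",
    r"C:\Program Files\Backup\agent.exe:*:disabled:Backup agent",  # same program, other scope/status
    r"C:\Tools\monitor.exe:10.0.0.999:enabled:Monitor",             # invalid address
    r"C:\Tools\helper.exe:*:on:Helper",                             # invalid status
]
PORT_EXCEPTIONS = [
    "3389:TCP:10.0.1.0/24:enabled:Remote Desktop",
    "3389:TCP:10.0.1.0/24:enabled:Remote Desktop (same scope, no conflict)",
    "70000:TCP:*:enabled:Bogus port",
    "1900:ICMP:*:enabled:Bogus transport",
]

if __name__ == "__main__":
    print(check_exception_list(PROGRAM_EXCEPTIONS, parse_program_exception))
    print(check_exception_list(PORT_EXCEPTIONS, parse_port_exception))
```

Feed it the strings from the GPO before linking the policy; an exact duplicate (same scope and status) is harmless and is not reported, while two entries for one program with different scopes are, because which one wins is not something you want to discover in production.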

Windows Firewall: Allow local program exceptions

This policy setting controls whether administrators can use the Windows Firewall component in Control Panel to define a local program exceptions list. If you disable this policy setting, administrators will not be able to define a local program exceptions list; also, this configuration ensures that program exceptions only come from Group Policy. If this policy setting is enabled, local administrators are allowed to use Control Panel to define program exceptions locally.

For enterprise client computers, there may be conditions that justify local program exceptions. These conditions may include applications that were not analyzed when the organization's firewall policy was created or new applications that require nonstandard port configuration. If you choose to enable the Windows Firewall: Allow local program exceptions setting for such situations, remember that the attack surface of the affected computers is increased.

Windows Firewall: Allow remote administration exception

Many organizations take advantage of remote computer administration in their daily operations. However, some attacks have exploited the ports that are typically used by remote administration programs; Windows Firewall can block these ports.

To provide flexibility for remote administration, the Windows Firewall: Allow remote administration exception setting is available. If this policy setting is enabled, the computer can receive the unsolicited incoming messages that are associated with remote administration on TCP ports 135 and 445. This policy setting also allows Svchost.exe and Lsass.exe to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1024 to 1034 but potentially anywhere from 1024 to 65535. If you enable this policy setting, you need to specify the IP addresses or subnets from which these incoming messages are allowed.

If you configure the Windows Firewall: Allow remote administration exception setting to Disabled, Windows Firewall makes none of the described exceptions. The impact of configuring this policy setting to Disabled may be unacceptable to many organizations because many remote administration tools and tools that scan for vulnerabilities will fail. Therefore, Microsoft recommends that only the most security-sensitive organizations enable this policy setting.

For the Domain Profile, Microsoft recommends that the Windows Firewall: Allow remote administration exception setting be Enabled for computers in the EC environment (if possible) and Disabled for computers in the SSLF environment. Computers in your environment should accept remote administration requests from as few computers as possible. To maximize the protection provided by Windows Firewall, make sure to specify only the necessary IP addresses and subnets of computers that are used for remote administration.

Microsoft recommends that the Windows Firewall: Allow remote administration exception setting be Disabled for all computers in the Standard Profile to avoid known attacks that specifically use exploits against TCP ports 135 and 445.

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.

Windows Firewall: Allow file and printer sharing exception

This policy setting creates an exception that allows file and printer sharing. It configures Windows Firewall to open UDP ports 137 and 138 and TCP ports 139 and 445. If you enable this policy setting, Windows Firewall opens these ports so that the computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from which such messages are allowed.

If you disable the Windows Firewall: Allow file and printer sharing exception setting, Windows Firewall blocks these ports and prevents the computer from sharing files and printers.

Because the computers in your environment that run Windows XP will not typically share files and printers, Microsoft recommends you configure the Windows Firewall: Allow file and printer sharing exception setting to Disabled for both of the environments that are discussed in this chapter.

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.

Windows Firewall: Allow ICMP exceptions

This policy setting defines the set of Internet Control Message Protocol (ICMP) message types that Windows Firewall allows. Utilities can use ICMP messages to determine the status of other computers. For example, Ping uses the echo request message.

If you configure the Windows Firewall: Allow ICMP exceptions setting to Enabled, you must specify which ICMP message types Windows Firewall allows the computer to send or receive. When you configure this policy setting to Disabled, Windows Firewall blocks all unsolicited inbound ICMP message types and the listed outbound ICMP message types. As a result, utilities that rely on ICMP may fail.

Many attacker tools take advantage of computers that accept ICMP message types and use these messages to mount a variety of attacks. However, some applications require some ICMP messages in order to function properly. Also, ICMP messages are used to estimate network performance when Group Policy is downloaded and processed; if ICMP messages are blocked, Group Policy may not be applied to affected systems. For that reason, Microsoft recommends that you configure the Windows Firewall: Allow ICMP exceptions setting to Disabled whenever possible. If your environment requires some ICMP messages to get through Windows Firewall, configure this policy setting with the appropriate message types.

Whenever the computer is on an untrusted network, the Windows Firewall: Allow ICMP exceptions setting should be configured to Disabled.

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.

Windows Firewall: Allow Remote Desktop exception

Many organizations use Remote Desktop connections in their normal troubleshooting procedures or operations. However, some attacks have exploited the ports that are typically used by Remote Desktop.

To provide flexibility for remote administration, the Windows Firewall: Allow Remote Desktop exception setting is available. If you enable this policy setting, Windows Firewall opens TCP port 3389 for inbound connections. You must also specify the IP addresses or subnets from which these inbound messages are allowed.

If you disable this policy setting, Windows Firewall blocks this port and prevents the computer from receiving Remote Desktop requests. If an administrator adds this port to a local port exceptions list in an attempt to open it, Windows Firewall does not open the port.

Some attacks can exploit an open port 3389, and therefore Microsoft recommends that you configure the Windows Firewall: Allow Remote Desktop exception setting to Disabled for the SSLF environment. To maintain the enhanced management capabilities that are provided by Remote Desktop, you need to configure this policy setting to Enabled for the EC environment. You must specify the IP addresses and subnets of the computers that are used for remote administration. Computers in your environment should accept Remote Desktop requests from as few computers as possible.

Windows Firewall: Allow UPnP framework exception

This policy setting allows a computer to receive unsolicited Plug and Play messages that are sent by network devices, such as routers with built-in firewalls. To receive these messages, Windows Firewall opens TCP port 2869 and UDP port 1900.

If you enable the Windows Firewall: Allow UPnP framework exception setting, Windows Firewall opens these ports so that the computer can receive Plug and Play messages. You must specify the IP addresses or subnets from which these inbound messages are allowed. If you disable this policy setting, Windows Firewall blocks these ports and prevents the computer from receiving Plug and Play messages.

Blocking UPnP network traffic effectively reduces the attack surface of computers in your environment. On trusted networks, Microsoft recommends that you configure the Windows Firewall: Allow UPnP framework exception setting to Disabled unless you use UPnP devices on your network. This policy setting should always be Disabled on untrusted networks.

Windows Firewall: Prohibit notifications

Windows Firewall can display notifications to users when a program requests that Windows Firewall add the program to the program exceptions list. This situation occurs when programs attempt to open a port and are not allowed to do so because of current Windows Firewall rules.

The Windows Firewall: Prohibit notifications setting determines whether these notifications are shown to users. If you configure this policy setting to Enabled, Windows Firewall does not display them. If you configure it to Disabled, Windows Firewall displays them.

Typically, users will not be allowed to add applications and ports in response to these messages in EC or SSLF environments. In such cases, this message will inform the user of something over which they have no control and you should configure the Windows Firewall: Prohibit notifications setting to Enabled. In other environments where exceptions are allowed for some users, you should configure this policy setting to Disabled.

Windows Firewall: Prohibit unicast response to multicast or broadcast requests

This policy setting prevents a computer from receiving unicast responses to its outgoing multicast or broadcast messages. When this policy setting is enabled and the computer sends multicast or broadcast messages to other computers, Windows Firewall blocks the unicast responses that are sent by those other computers. When this policy setting is disabled and this computer sends a multicast or broadcast message to other computers, Windows Firewall waits up to three seconds for unicast responses from the other computers and then blocks all later responses.

Typically, you would not want to receive unicast responses to multicast or broadcast messages. Such responses can indicate a denial of service (DoS) attack or an attempt to probe a known computer. Microsoft recommends that the Windows Firewall: Prohibit unicast response to multicast or broadcast requests setting be configured to Enabled to help prevent this type of attack.

Note: This policy setting has no effect if the unicast message is a response to a DHCP broadcast message that is sent by the computer. Windows Firewall always permits those DHCP unicast responses. However, this policy setting can interfere with the NetBIOS messages that detect name conflicts.

Windows Firewall: Define port exceptions

The Windows Firewall port exceptions list should be defined by Group Policy, which allows you to centrally manage and deploy your port exceptions and ensure that local administrators do not create less secure settings.

If you enable the Windows Firewall: Define port exceptions setting, you can view and change the port exceptions list that is defined by Group Policy. To view and modify the list, configure the setting to Enabled and then click the Show button. Each entry in the list is a definition string of the form Port:Transport:Scope:Status:Name. Note that if you type an invalid definition string, Windows Firewall adds it to the list without checking for errors, which means that you can accidentally create multiple entries for the same port with Scope or Status values that conflict.

If you disable the Windows Firewall: Define port exceptions setting, the port exceptions list that is defined by Group Policy is deleted but other settings can continue to open or block ports. Also, if a local port exceptions list exists, it is ignored unless you enable the Windows Firewall: Allow local port exceptions setting.

Environments with nonstandard applications that require specific ports to be open should consider program exceptions instead of port exceptions. Microsoft recommends that the Windows Firewall: Define port exceptions setting be configured to Enabled and that a list of port exceptions be specified only when program exceptions cannot be defined. Program exceptions allow the Windows Firewall to accept unsolicited network traffic only while the specified program is running, and port exceptions keep the specified ports open at all times.
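Because the Show list accepts any string, it is worth validating a planned port-exceptions list before it goes into the GPO. The following Python script is an added example (not part of the guide or of Windows) that parses definition strings in the policy's Port:Transport:Scope:Status:Name form, checks each field, and flags duplicate entries for the same port and transport whose Scope or Status disagree, which is the conflict the text warns about. The scope tokens it accepts (`*`, `localsubnet`, an IPv4 address, or a subnet written as a.b.c.d/prefix or a.b.c.d/mask), the function names, and the sample list are assumptions made for this example; the sample entries are constructed and are not recommendations from the guide.

```python
"""Validator for Windows Firewall port-exception definition strings
(Port:Transport:Scope:Status:Name) as entered in the Show list of the
"Windows Firewall: Define port exceptions" policy setting.
Added example; not code from the guide."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PortException:
    port: int
    transport: str   # "TCP" or "UDP"
    scope: str       # "*" or comma-separated addresses, subnets, "localsubnet"
    status: str      # "enabled" or "disabled"
    name: str


def parse_scope(scope: str) -> List[str]:
    """Return a list of problems with a Scope field; an empty list means valid.
    Accepted tokens (assumed here): '*' on its own, 'localsubnet', an IPv4
    address, or an IPv4 subnet as a.b.c.d/prefix or a.b.c.d/mask."""
    problems: List[str] = []
    if scope == "*":
        return problems
    for token in scope.split(","):
        token = token.strip()
        if token.lower() == "localsubnet":
            continue
        try:
            ipaddress.IPv4Network(token, strict=False)
        except ValueError:
            problems.append(f"bad scope token {token!r}")
    return problems


def parse_definition(definition: str) -> Tuple[Optional[PortException], List[str]]:
    """Parse one definition string into (entry, problems).
    entry is None when any field is unusable."""
    parts = definition.split(":", 4)          # Name may itself contain colons
    if len(parts) != 5:
        return None, [f"{definition!r}: expected 5 colon-separated fields, got {len(parts)}"]
    port_s, transport, scope, status, name = (p.strip() for p in parts)
    problems: List[str] = []
    try:
        port = int(port_s)
    except ValueError:
        port = -1
    if not 1 <= port <= 65535:
        problems.append(f"{definition!r}: port {port_s!r} is not in 1..65535")
    transport = transport.upper()
    if transport not in ("TCP", "UDP"):
        problems.append(f"{definition!r}: transport must be TCP or UDP")
    problems += [f"{definition!r}: {p}" for p in parse_scope(scope)]
    status = status.lower()
    if status not in ("enabled", "disabled"):
        problems.append(f"{definition!r}: status must be enabled or disabled")
    if not name:
        problems.append(f"{definition!r}: empty name")
    if problems:
        return None, problems
    return PortException(port, transport, scope, status, name), []


def check_exception_list(definitions: List[str]) -> Tuple[List[PortException], List[str]]:
    """Validate every definition and flag a second entry for the same
    port/transport whose Scope or Status disagrees with the first, the
    silent conflict the Group Policy UI does not catch."""
    entries: List[PortException] = []
    problems: List[str] = []
    for definition in definitions:
        entry, errs = parse_definition(definition)
        problems += errs
        if entry is not None:
            entries.append(entry)
    seen = {}
    for e in entries:
        key = (e.port, e.transport)
        if key not in seen:
            seen[key] = e
        elif (seen[key].scope, seen[key].status) != (e.scope, e.status):
            prev = seen[key]
            problems.append(f"conflict on {e.transport}/{e.port}: {prev.name!r} is "
                            f"{prev.status} for {prev.scope}, {e.name!r} is {e.status} for {e.scope}")
        else:
            problems.append(f"duplicate entry for {e.transport}/{e.port} ({e.name!r})")
    return entries, problems


# Constructed sample list (not from the guide): a Remote Desktop entry limited
# to a management subnet, a conflicting one open to any address, one valid
# disabled entry, a status typo, and an out-of-range port.
SAMPLE_DEFINITIONS = [
    "3389:TCP:10.1.50.0/24,localsubnet:enabled:Remote Desktop (admin subnet)",
    "3389:TCP:*:enabled:Remote Desktop",
    "161:UDP:192.168.0.0/255.255.0.0:disabled:SNMP",
    "8080:TCP:10.0.0.1:enabld:Proxy",
    "70000:TCP:*:enabled:Bad port",
]

if __name__ == "__main__":
    entries, problems = check_exception_list(SAMPLE_DEFINITIONS)
    for e in entries:
        print(f"{e.transport}/{e.port:<5} {e.status:<8} scope={e.scope}  ({e.name})")
    for p in problems:
        print("PROBLEM:", p)
```

Run it over the exact strings you intend to paste into the Show list; a non-empty problems list means the GPO would carry a malformed entry or two entries for one port that disagree about who may reach it.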

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.

Windows Firewall: Allow local port exceptions

This policy setting allows administrators to use the Windows Firewall component in Control Panel to define a local port exceptions list. Windows Firewall can use two port exceptions lists; the other is defined by the Windows Firewall: Define port exceptions setting.

If you enable the Windows Firewall: Allow local port exceptions setting, the Windows Firewall component in Control Panel allows administrators to define a local port exceptions list. If you disable this policy setting, the Windows Firewall component in Control Panel does not allow administrators to define such a list.

Typically, local administrators are not authorized to override organizational policy and establish their own port exceptions list in EC or SSLF security environments. For that reason, Microsoft recommends that the Windows Firewall: Allow local port exceptions setting be configured to Disabled.

User Configuration Settings

The remaining sections of this chapter discuss User Configuration setting recommendations. Remember, these settings need to be applied to users, not computers. They should be implemented in a Group Policy that is linked to the OU that contains the users you wish to configure. You may want to refer to Figure 2.3, “Expanded OU structure to accommodate Windows XP–based desktop and laptop computers” in Chapter 2 to refresh your memory. These settings are configured in the Group Policy Object Editor at the following location:

User Configuration\Administrative Templates

This location is shown in context in the following figure:

Figure 4.5 Group Policy structure for User Configuration


Apply these settings through a GPO that is linked to an OU that contains user accounts.

Note: User configuration settings are applied to any Windows XP–based computer that a user logs on to in an Active Directory domain. However, computer configuration settings apply to all client computers that are governed by a GPO in Active Directory without regard for which user logs on to the computer. For this reason, the tables in this section contain only recommended settings for the EC and the SSLF environments that are discussed in this chapter. There are no laptop or desktop prescriptions for these settings.

Windows Components

The following figure illustrates the sections in Group Policy that will be affected by the setting changes in the Windows Components section:

Figure 4.6 Group Policy structure for User Configuration Windows Components


Internet Explorer

You can configure the following prescribed user settings in the following location within the Group Policy Object Editor:

User Configuration\Administrative Templates\Windows Components\
Internet Explorer

The following table summarizes the recommended Internet Explorer user configuration settings. Additional information about each setting is provided in the subsections that follow the table.

Table 4.27 Recommended Internet Explorer User Configuration Settings

Setting                                                          EC computer      SSLF computer

Browser menus\Disable Save this program to disk option           Not Configured   Enabled
Internet Control Panel\Disable the Advanced Page                 Not Configured   Enabled
Internet Control Panel\Disable the Security Page                 Not Configured   Enabled
Offline Pages\Disable adding channels                            Enabled          Enabled
Offline Pages\Disable adding schedules for offline pages         Enabled          Enabled
Offline Pages\Disable all scheduled offline pages                Enabled          Enabled
Offline Pages\Disable channel user interface completely          Enabled          Enabled
Offline Pages\Disable downloading of site subscription content   Enabled          Enabled
Offline Pages\Disable editing and creating of schedule groups    Enabled          Enabled
Offline Pages\Disable editing schedules for offline pages        Enabled          Enabled
Offline Pages\Disable offline page hit logging                   Enabled          Enabled
Offline Pages\Disable removing channels                          Enabled          Enabled
Offline Pages\Disable removing schedules for offline pages       Enabled          Enabled
Configure Outlook Express                                        Enabled          Enabled
Disable Changing Advanced page settings                          Not Configured   Enabled
Disable Changing Automatic Configuration Settings                Not Configured   Enabled
Disable Changing Certificate Settings                            Not Configured   Enabled
Disable Changing Connection Settings                             Not Configured   Enabled
Disable Changing Proxy Settings                                  Not Configured   Enabled
Do not allow AutoComplete to save passwords                      Enabled          Enabled

Browser menus\Disable Save this program to disk option

This policy setting prevents users from saving a program or file that Internet Explorer has downloaded to the hard disk. If you enable this policy setting, users cannot save programs to disk with the Save This Program to Disk option. The program file will not download, and the user is informed that the command is not available. This policy setting helps protect high security environments because users cannot download potentially harmful programs through Internet Explorer and save them to disk.

The Browser menus\Disable Save this program to disk option setting is configured to Enabled only for the SSLF environment. This policy setting is not configured for the EC environment.

Internet Control Panel\Disable the Advanced Page

This policy setting works in conjunction with other settings to ensure that users cannot change the settings that are configured in the Advanced tab of the Internet Explorer UI.

The Internet Control Panel\Disable the Advanced Page setting is configured to Enabled only for the SSLF environment. This policy setting is not configured for the EC environment.

Internet Control Panel\Disable the Security Page

This policy setting works in conjunction with other settings to ensure that users cannot change the settings that are configured through Group Policy. This policy setting removes the Security tab from the Internet Options dialog box. If you enable this policy setting, users cannot view and change settings for security zones, such as scripting, downloads, and user authentication. Microsoft recommends that this policy setting be enabled so that users cannot change settings that will weaken other security settings in Internet Explorer.

The Internet Control Panel\Disable the Security Page setting is configured to Enabled only for the SSLF environment. This policy setting is not configured for the EC environment.

Offline Pages\Disable adding channels

This policy setting removes users' ability to add channels to Internet Explorer. Channels are Web sites that are updated automatically on computers that run Internet Explorer, and the update schedule is specified by the channel provider. This policy setting is one of several settings that block the ability of Internet Explorer to automatically download content. It is a best practice to only allow a computer to download pages from the Internet when a user makes requests directly from the computer.

For these reasons, the Offline Pages\Disable adding channels setting is configured to Enabled for the two environments that are discussed in this chapter.

Offline Pages\Disable adding schedules for offline pages

This policy setting removes users' ability to specify that Web pages can be downloaded and viewed offline. This capability allows users to view Web pages when their computers are not connected to the Internet.

The Offline Pages\Disable adding schedules for offline pages setting is configured to Enabled for the two environments that are discussed in this chapter.

Offline Pages\Disable all scheduled offline pages

This policy setting disables any existing schedules that are set up to download Web pages so that they can be viewed offline. If you enable this policy, the check boxes for schedules on the Schedule tab of the Web page properties dialog box are cleared and users cannot select them. To display this tab, users click the Tools menu, Synchronize, select a Web page, then click the Properties button and the Schedule tab. This policy setting is one of several settings that block the ability of Internet Explorer to automatically download content.

The Offline Pages\Disable all scheduled offline pages setting is configured to Enabled for the two environments that are discussed in this chapter.

Offline Pages\Disable channel user interface completely

This policy setting removes users' ability to view the Channel Bar interface. Channels are Web sites that are automatically updated on computers, and the schedule is specified by the channel provider. If you enable this policy setting, users will not be able to access the Channel Bar interface and select the Internet Explorer Channel Bar check box on the Web tab in the Display Properties dialog box. This policy setting is one of several settings that block the ability of Internet Explorer to automatically download content.

The Offline Pages\Disable channel user interface completely setting is configured to Enabled for the two environments that are discussed in this chapter.

Offline Pages\Disable downloading of site subscription content

This policy setting removes users' ability to download subscription content from Web sites. However, synchronization of Web page content will still occur when the user returns to a page that was previously accessed to determine if any content has been updated. This policy setting is one of several settings that block the ability of Internet Explorer to automatically download content.

The Offline Pages\Disable downloading of site subscription content setting is configured to Enabled for the two environments that are discussed in this chapter.

Offline Pages\Disable editing and creating of schedule groups

This policy setting removes users' ability to add, edit, or remove schedules for offline review of Web pages and groups of Web pages to which they subscribe. A subscription group is a favorite Web page and the Web pages that link to it. If you enable this policy, the Add, Remove, and Edit buttons are dimmed on the Schedule tab in the Web page Properties dialog box. To display this tab, users click Tools and then Synchronize in Internet Explorer, select a Web page, click the Properties button, and then click the Schedule tab. This policy setting is one of several settings that block the ability of Internet Explorer to automatically download content.

For these reasons, the Offline Pages\Disable editing and creating of schedule groups setting is configured to Enabled for the two environments that are discussed in this chapter.

Offline Pages\Disable editing schedules for offline pages

This policy setting removes users' ability to edit any existing schedules that are set up to download Web pages for offline review. If you enable this policy, users will not be able to display the schedule properties of pages that have been set up for offline review. No properties will display when users click Tools, Synchronize in Internet Explorer, select a Web page, and then click the Properties button. Users do not receive any message that states the command is unavailable. This policy setting is one of several settings that block the ability of Internet Explorer to automatically download content.

The Offline Pages\Disable editing schedules for offline pages setting is configured to Enabled for the two environments that are discussed in this chapter.

Offline Pages\Disable offline page hit logging

This policy setting removes the ability of channel providers to record how often their channel pages are viewed by users when they are offline. This policy setting is one of several that block the ability of Internet Explorer to automatically download content.

The Offline Pages\Disable offline page hit logging setting is configured to Enabled for the two environments that are discussed in this chapter.

Offline Pages\Disable removing channels

This policy setting removes users' ability to disable channel synchronization in Internet Explorer. It is a best practice to only allow a computer to download pages from the Internet when a user makes requests directly from the computer.

For this reason, the Offline Pages\Disable removing channels setting is configured to Enabled for the two environments that are discussed in this chapter.

Offline Pages\Disable removing schedules for offline pages

This policy setting removes users' ability to clear preconfigured settings for Web pages to download for offline review. If you enable this policy setting, preconfigured Web page settings are protected. This policy setting is one of several settings that block the ability of Internet Explorer to automatically download content.

The Offline Pages\Disable removing schedules for offline pages setting is configured to Enabled for the two environments that are discussed in this chapter.

Configure Outlook Express

This policy setting allows administrators to enable and disable the ability of Microsoft Outlook® Express users to save or open attachments that can potentially contain a virus. Users cannot turn off the Configure Outlook Express setting to stop it from blocking attachments. To enforce this policy setting, click Enabled and select Block attachments that could contain a virus.

The Configure Outlook Express setting is configured to Enabled with the Block attachments that could contain a virus option for the two environments that are discussed in this chapter.

Disable Changing Advanced page settings

This policy setting removes users' ability to change settings on the Advanced tab in the Internet Options dialog box of Internet Explorer. If you enable this policy setting, users will not be able to change advanced settings that are related to security, multimedia, and printing in the browser. Also, they will not be able to select or clear the check boxes for these options on the Advanced tab of the Internet Options dialog box. This policy setting also removes users' ability to change settings that are configured through Group Policy.

The Disable Changing Advanced page settings setting is configured to Enabled only for the SSLF environment. This policy setting is not configured for the EC environment.

Note: If you configure the Disable the Advanced page setting (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to configure this policy setting because the Disable the Advanced page setting removes the Advanced tab from the Internet Options dialog box.

Disable Changing Automatic Configuration Settings

This policy setting removes users' ability to change automatically configured settings. Administrators use automatic configuration to update browser settings periodically. If you enable this policy setting, the automatic configuration settings are dimmed in Internet Explorer. (These settings are located in the Automatic Configuration area of the LAN Settings dialog box.) This policy setting also removes users' ability to change settings that are configured through Group Policy.

To view the LAN Settings dialog box

1. Open the Internet Options dialog box, and click the Connections tab.

2. Click the LAN Settings button to view the settings.

The Disable Changing Automatic Configuration Settings setting is configured to Enabled only for the SSLF environment. This policy setting is not configured for the EC environment.

Note: The Disable the Connections page setting (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) removes the Connections tab from Internet Explorer in Control Panel and takes precedence over this Disable Changing Automatic Configuration Settings configuration option. If the former setting is enabled, the latter setting is ignored.

Disable Changing Certificate Settings

This policy setting removes users' ability to change certificate settings in Internet Explorer. Certificates are used to verify the identity of software publishers. If you enable this policy setting, the certificate settings in the Certificates area of the Content tab in the Internet Options dialog box are dimmed. This policy setting also removes users' ability to change settings that are configured through Group Policy.

The Disable Changing Certificate Settings setting is configured to Enabled only for the SSLF environment. This policy setting is not configured for the EC environment.

Note: When this policy setting is enabled, users can still double-click the software publishing certificate (.spc) file to run the Certificate Manager Import Wizard. This wizard enables users to import and configure settings for certificates from software publishers that are not already configured in Internet Explorer.

Note: The Disable the Content page setting (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) removes the Content tab from Internet Explorer in Control Panel and takes precedence over this Disable Changing Certificate Settings configuration option. If the former setting is enabled, the latter setting is ignored.

Disable Changing Connection Settings

This policy setting removes users' ability to change dial-up settings. If you enable this policy setting, the Settings button on the Connections tab in the Internet Options dialog box is dimmed. This policy setting also removes users' ability to change settings that are configured through Group Policy. You may want to disable this policy setting for laptop users if their travel requires them to change their connection settings.

The Disable Changing Connection Settings setting is configured to Enabled only for the SSLF environment. This policy setting is not configured for the EC environment.

Note: If you configure the Disable the Connections page setting (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to configure this policy setting. The Disable the Connections page setting removes the Connections tab from the interface.

Disable Changing Proxy Settings

This policy setting removes users' ability to change proxy settings. If you enable this policy setting, the proxy settings are dimmed. (The proxy settings are located in the Proxy Server area of the LAN Settings dialog box that appears when the user clicks the Connections tab and then the LAN Settings button in the Internet Options dialog box.) This policy setting also removes users' ability to change settings that are configured through Group Policy. You may want to disable this policy setting for laptop users if their travel requires them to change their connection settings.

The Disable Changing Proxy Settings setting is configured to Enabled only for the SSLF environment. This policy setting is not configured for the EC environment.

Note: If you configure the Disable the Connections page setting (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), you do not need to configure this policy setting. The Disable the Connections page setting removes the Connections tab from the interface.

Do not allow AutoComplete to save passwords

This policy setting disables automatic completion of user names and passwords in forms on Web pages, and prevents user prompts to save passwords. If you enable this policy setting, the check boxes for User Names and Passwords on Forms and Prompt Me to Save Passwords are dimmed and users are prevented from saving passwords locally. To display these check boxes, users can open the Internet Options dialog box, click the Content tab, and then the AutoComplete button.

The Do not allow AutoComplete to save passwords setting is configured to Enabled for the two environments that are discussed in this chapter.

Attachment Manager

You can configure the following prescribed user settings in the following location within the Group Policy Object Editor:

User Configuration\Administrative Templates\Windows Components\
Attachment Manager

The following table summarizes the recommended Attachment Manager user configuration settings. Additional information about each setting is provided in the subsections that follow the table.

Table 4.28 Recommended Attachment Manager User Configuration Settings

Setting                                                 EC computer   SSLF computer

Do not preserve zone information in file attachments    Disabled      Disabled
Hide mechanisms to remove zone information              Enabled       Enabled
Notify antivirus programs when opening attachments      Enabled       Enabled

Do not preserve zone information in file attachments

This policy setting allows you to manage whether Windows marks file attachments from Internet Explorer or Outlook Express with information about their zone of origin (such as restricted, Internet, intranet, or local). Windows stores this zone information in an NTFS alternate data stream attached to the file, so the policy setting only functions for files that are downloaded to NTFS disk partitions; a file copied to a FAT volume loses the information. If zone information is not preserved, Windows cannot make proper risk assessments based on the zone where the attachment came from.

If the Do not preserve zone information in file attachments setting is enabled, file attachments are not marked with their zone information. If this policy setting is disabled, Windows is forced to store file attachments with their zone information. Because dangerous attachments are often downloaded from untrusted Internet Explorer zones such as the Internet zone, Microsoft recommends that you configure this policy setting to Disabled to ensure that as much security information as possible is preserved with each file.

The Do not preserve zone information in file attachments setting is configured to Disabled for both of the environments that are discussed in this chapter.
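For reference, the zone information this setting preserves is the Zone.Identifier alternate data stream that Windows writes beside a downloaded file on NTFS: INI-style text with a [ZoneTransfer] section whose ZoneId value names the URL security zone (0 local machine, 1 local intranet, 2 trusted sites, 3 Internet, 4 restricted sites). The Python below is an added example, not code from the guide, that parses that stream, classifies the attachment the way Attachment Manager's risk assessment needs to, and, on a Windows host, reads the stream directly through the file:Zone.Identifier path syntax. The function names and the classification labels are choices made for this example, and the sample stream contents are constructed.

```python
"""Reader for the Zone.Identifier alternate data stream that carries the
"zone information" Attachment Manager keeps on NTFS, plus the risk decision
it enables. Added example; not code from the guide."""
import os
from typing import Optional

# URL security zone IDs as written in the ZoneId value of the stream.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
UNTRUSTED_ZONES = {3, 4}


def parse_zone_identifier(stream_text: str) -> Optional[int]:
    """Parse the INI-style stream and return its ZoneId, or None when no
    usable zone is present (empty stream, wrong section, malformed value)."""
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = (line.lower() == "[zonetransfer]")
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None


def read_zone_identifier(path: str) -> Optional[int]:
    """Read the stream from a real file. Only NTFS carries alternate data
    streams, so this returns None on FAT volumes, on non-Windows hosts, and
    for files that were never marked (or whose mark has been removed)."""
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def assess_attachment(zone_id: Optional[int]) -> str:
    """Mirror the guide's point: without zone information Windows cannot
    assess risk ('unknown'); Internet and Restricted sites are 'untrusted';
    the local and trusted zones are 'trusted'."""
    if zone_id is None:
        return "unknown"
    if zone_id in UNTRUSTED_ZONES:
        return "untrusted"
    if zone_id in ZONE_NAMES:
        return "trusted"
    return "unknown"


# Constructed stream contents (not taken from the guide). The first is what a
# browser download from the Internet zone carries; the second is an unmarked file.
SAMPLE_INTERNET_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"
SAMPLE_MISSING_STREAM = ""

if __name__ == "__main__":
    for text in (SAMPLE_INTERNET_STREAM, SAMPLE_MISSING_STREAM):
        zid = parse_zone_identifier(text)
        print(f"ZoneId={zid} ({ZONE_NAMES.get(zid, 'none')}): {assess_attachment(zid)}")
```

Clicking Unblock, the button the next setting hides, simply deletes this stream, and copying the file to a FAT volume drops it as well; that is why the policy depends on NTFS and why hiding the Unblock button keeps the information from casual removal rather than making it impossible to strip.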

Hide mechanisms to remove zone information

This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments. Typically, users can either click the Unblock button in the file’s Property sheet or select a check box in the Security Warning dialog. If the zone information is removed, users can open potentially dangerous file attachments that Windows has prevented users from opening.

When the Hide mechanisms to remove zone information setting is enabled, Windows hides the check box and Unblock button. When this policy setting is disabled, Windows displays the check box and the Unblock button. Because dangerous attachments are often downloaded from untrusted Internet Explorer zones such as the Internet zone, Microsoft recommends that you configure this policy setting to Enabled to ensure that as much security information as possible is retained with each file.

The Hide mechanisms to remove zone information setting is configured to Enabled for both of the environments that are discussed in this chapter.

Note: To configure whether files are saved with zone information, see the previous Do not preserve zone information in file attachments setting.

Notify antivirus programs when opening attachments

Antivirus programs are mandatory in many environments and provide a strong defense against attack.

The Notify antivirus programs when opening attachments setting allows you to manage how registered antivirus programs are notified. When enabled, this policy setting configures Windows to call the registered antivirus program and have it scan file attachments when they are opened by users. If the antivirus scan fails, the attachments are blocked from being opened. If this policy setting is disabled, Windows does not call the registered antivirus program when file attachments are opened. To help ensure that virus scanners examine every file before it is opened, Microsoft recommends that this policy setting be configured to Enabled in all environments.

The Notify antivirus programs when opening attachments setting is configured to Enabled for both of the environments that are discussed in this chapter.

Note: An updated antivirus program must be installed for this policy setting to function properly. Many updated antivirus programs use new APIs that are included with SP2.

Windows Explorer

Windows Explorer is used to navigate the file system on client computers that run Windows XP Professional.

You can configure the following prescribed user settings in the following location within the Group Policy Object Editor:

User Configuration\Administrative Templates\Windows Components\
Windows Explorer

The following table summarizes the recommended Windows Explorer user configuration settings. Additional information about each setting is provided in the subsections that follow the table.

Table 4.29 Recommended Windows Explorer User Configuration Settings

Setting                      EC computer      SSLF computer

Remove CD Burning features   Not configured   Enabled
Remove Security tab          Not configured   Enabled

Remove CD Burning features

This policy setting removes the built-in Windows XP features that allow users to burn CDs through Windows Explorer. Windows XP allows you to create and modify rewritable CDs if you have a read/write CD drive connected to your computer. This feature can be used to copy large amounts of data from a hard drive to a CD, which may then be removed from the computer.

The Remove CD Burning features setting is configured to Not Configured for the EC environment. However, this policy setting is configured to Enabled for the SSLF environment.

Note: This policy setting does not prevent CDs from being modified or created by third-party applications that use a CD writer. This guide recommends the use of software restriction policies to block the creation or modification of CDs by third-party applications. For more information, see Chapter 6, "Software Restriction Policy for Windows XP Clients."

Another way to prevent users from burning CDs is to remove the CD writers from the client computers in your environment or replace them with read-only CD drives.

Remove Security tab

This policy setting disables the Security tab on the file and folder properties dialog boxes in Windows Explorer. If you enable this policy setting, users cannot access the Security tab after opening the Properties dialog box for all file system objects, including folders, files, shortcuts, and drives. Because the Security tab is inaccessible, users cannot change settings or view the list of users.

The Remove Security tab setting is Not Configured for the EC environment. However, this policy setting is configured to Enabled for the SSLF environment.

System

The following figure illustrates the sections in Group Policy that will be affected by the setting changes in the System section:

Figure 4.7 Group Policy structure for User Configuration System


You can configure the following prescribed setting in the following location within the Group Policy Object Editor:

User Configuration\Administrative Templates\System

Prevent access to registry editing tools

The following table summarizes the recommended Registry Editor User configuration settings.

Table 4.30 Recommended Registry Editor User Configuration Settings

Setting                                    EC computer      SSLF computer

Prevent access to registry editing tools   Not configured   Enabled

This policy setting disables the Windows registry editors Regedit.exe and Regedt32.exe. If you enable this policy setting, users who try to start either editor see a message that informs them that registry editing has been disabled. This policy setting removes users' and intruders' ability to browse and edit the registry with these two tools, but it does not prevent access to the registry itself: scripts and other programs that call the registry API are unaffected, so treat it as a usability restriction rather than a security boundary.

The Prevent access to registry editing tools setting is Not Configured for the EC environment. However, this policy setting is configured to Enabled for the SSLF environment.

System\Power Management

You can configure the following prescribed setting in the following location within the Group Policy Object Editor:

User Configuration\Administrative Templates\System\Power Management

Prompt for password on resume from hibernate / suspend

The following table summarizes the recommended Prompt for password on resume from hibernate / suspend configuration settings.

Table 4.31 Recommended System\Power Management User Configuration Settings

Setting                                                 EC computer   SSLF computer

Prompt for password on resume from hibernate / suspend   Enabled       Enabled

This policy setting controls whether client computers in your environment are locked when they resume operational mode from a hibernated or suspended state. If you enable this policy setting, client computers are locked when they resume operational mode and users must enter their passwords to unlock them. Potentially serious security breaches can occur if this policy setting is disabled or not configured, because the client computers may be accessed by anyone.

For this reason, the Prompt for password on resume from hibernate / suspend setting is configured to Enabled for the two environments that are discussed in this chapter.
