Best Practices for Windows XP
Personal Computer Users
Securing a Windows XP Desktop
This document provides instructions for building a secure Windows XP desktop computer for
the Stanford environment.
No matter what operating system you're using, the basic steps for securing it are the same:
Install all operating system patches.
Verify user account security.
Eliminate unnecessary applications and network services.
Install and configure necessary applications and network services.
Configure system logging to record significant events.
Keep applications and operating system patches up to date.
Install the latest patches
It's imperative that you connect to the network and immediately download and install the necessary patches for your operating system. Many security exploits prey on systems which are not kept up to date. Unpatched machines are frequently exploited within minutes of being attached to an open network like Stanford's.
Once you've booted your WinXP box onto the Stanford network, select the
button in the lower left hand corner of the screen. Select the
menu item, and follow the instructions. Install
the critical updates that Windows Update discovers. Be sure you've installed all the updates for Internet Explorer, too. IE is an integral part of the Windows operating system, and must be patched at the same time other security fixes are applied.
Verify user account security
Disable Guest Account if necessary. Windows operating systems include a Guest account designed for temporary users. That's usually not a good idea, and in the vast majority of cases the Guest account should be disabled. On Windows XP Home Edition, disabling the Guest account is not possible. Set a strong password for it instead. For WinXP Professional, confirm or disable the Guest account with this:
Make sure all accounts have passwords set. Many Windows systems still have administrator or other accounts without any passwords set, or have very simple passwords. Check all accounts in the
screen as noted above and make sure passwords have been set. Make sure that all accounts have good passwords that are not based on dictionary words.
button on the lower left-hand corner of the screen.
Confirm that it says
Guest account is off.
Limit Administrative Privileges. Many computer users log in to their Windows system as administrator for all their day-to-day activity, or they create user accounts with administrative privilege levels. Many email and Web-based attacks take advantage of this by hijacking the security context of the logged-in user (the poor person who's accidentally clicked on that executable program they should have left alone). It's far safer to assign most users the
account type. Any user can use the
while right-clicking an application to see the
option) to temporarily become the Administrator, if necessary, for instance to install software. Follow these steps for creating an Administrative account and lowering your default account privileges:
Guidelines for choosing good passwords
To create new users, open
and click on
Create a new account
and fill in an account name. Make sure it is an easy to remember Administrative name for you, such as
Admin. Click the
radio button. Then click
Now click on the icon for that new account, and select
Create a password
to set a password for this account.
After entering a password, click the
button and select your default user account icon.
Change my account type
and click the
Click on the
Change account type
button to commit and you are done.
Eliminate unnecessary applications and network services
Many services should be disabled by default, including file sharing. What follows are instructions for verifying and disabling those services, which has to be done one service at a time. Make sure you disable Alerter; ClipBook; HP Web Jetadmin; Messenger; NetMeeting Remote Desktop Sharing; Network Dynamic Data Exchange; Network DDE DSDM; Remote Registry Service; Routing and Remote Access; telnet; and Universal Plug and Play Device Host, if they are
button on the lower, left-hand corner of the screen.
Scroll down to the service in question and double-click it.
instead of either
Reboot your computer after all desired service changes are made.
Members of Stanford Windows domains (including but not limited to the WIN, IT, SU, SU-GSB, FAC, GSB, LAWSU, and STANFORD-NT domains) may need to turn on several of the "riskier" remote management tools, in order to allow their systems to be managed effectively. This risk is reduced by the fact that the domain controllers themselves can secure the individual workstations, making this a reasonable action for domain members. If you're in one of those groups (or smaller domains not specifically mentioned here), ask your administrator about whether or not remote management tools are required. If they are, you'll want to leave the services they require enabled. These are probably
Remote Registry Service
Application Management, but may include others.
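The service check above can be scripted instead of clicked through one service at a time. The following is an added example, not part of the original Stanford guide. It assumes Windows PowerShell is installed (it is an add-on for Windows XP) and that the short service names are the standard Windows XP ones; those short names and the function name Test-ServiceHardening do not come from the guide. It only reports unless -Fix is given, so domain members can review the result with their administrator first.

```powershell
# Added example: audit the services the guide says to disable.
# Key   = short service name (assumption: standard Windows XP names, not from the guide)
# Value = the name as the guide lists it
$targets = @{
    'Alerter'        = 'Alerter'
    'ClipSrv'        = 'ClipBook'
    'Messenger'      = 'Messenger'
    'mnmsrvc'        = 'NetMeeting Remote Desktop Sharing'
    'NetDDE'         = 'Network Dynamic Data Exchange'
    'NetDDEdsdm'     = 'Network DDE DSDM'
    'RemoteRegistry' = 'Remote Registry Service'
    'RemoteAccess'   = 'Routing and Remote Access'
    'TlntSvr'        = 'telnet'
    'upnphost'       = 'Universal Plug and Play Device Host'
}

function Test-ServiceHardening {
    param([switch]$Fix)   # -Fix sets the startup type to Disabled
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        $listed = $targets[$svc.Name]
        # HP Web Jetadmin: short name not known here, so match on the display name.
        if (-not $listed -and $svc.DisplayName -like '*Jetadmin*') {
            $listed = 'HP Web Jetadmin'
        }
        if (-not $listed) { continue }

        $ok = ($svc.StartMode -eq 'Disabled')
        if (-not $ok -and $Fix) {
            # ChangeStartMode returns 0 on success. It does not stop a running
            # service, which is why the guide asks for a reboot afterwards.
            $ok = (($svc.ChangeStartMode('Disabled')).ReturnValue -eq 0)
        }
        New-Object PSObject -Property @{
            Name      = $svc.Name
            Listed    = $listed
            StartMode = $svc.StartMode   # value before any -Fix change
            State     = $svc.State
            Compliant = $ok
        }
    }
}

# Report only. Services that are not installed simply do not appear.
Test-ServiceHardening | Sort-Object Name |
    Format-Table Name, Listed, StartMode, State, Compliant -AutoSize
```

Run it from an administrative account; `Test-ServiceHardening -Fix` changes startup types and should be followed by the reboot described above.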
Disabling unnecessary and potentially dangerous services
Disable Remote Assistance.
This facility allows for remote control of your desktop for troubleshooting purposes, which isn't what we want by default. Go to
Control Panel, double-click on the
icon, find the
Settings, and unselect the
Allow this computer to be controlled remotely
If your machine is a member of a Windows domain, ask your administrator about whether or not to disable Remote Assistance.
Disable Windows Simple File Sharing.
Simple File Sharing shares files anonymously without any user access security, and shouldn't ever be used.
Go to the
section of the window
Use Simple File Sharing
Install necessary applications: PC-Leland
is a Stanford-specific application that allows Windows users to authenticate using Kerberos, and enables access to the AFS file system and authenticated parts of the Stanford Web space. With PC-Leland, you can log in once to your PC desktop, and have that login shared across multiple applications and services running on SUNet (the Stanford University Network). All Windows users are strongly encouraged to install PC-Leland.
Install necessary services: file sharing
Stanford provides the
AFS file system
as the primary mechanism for sharing files between members of the SUNet community. AFS support is included in PC-Leland on WinXP. But if for some reason you need to enable PC-based file sharing -- that is, network-based access to the documents on your local system's hard drive -- here's how to do it as securely as possible:
Windows XP Home only supports Simple File Sharing, which includes no access control and should not be used within the Stanford network.
Allowing Anonymous connections to your shared folders allows everyone on the Stanford network to browse your systems without having a local user account, which is undesirable in most cases. Limiting users on each share to Authenticated Users makes this more difficult. On a WinXP Professional system, replace the
on all file shares:
For each drive icon, right click it and select
Sharing And Security
Click on the
and in the window type
to get back to the user list screen
and click the remove button
and then click
when it finishes.
To fully protect your system from anonymous file system browsing, on WinXP Professional, configure the
registry key, as follows. Go to
Administrative Tools --> Local Security Policy --> Local Policies --> Security Options. Make sure the following two policies are enabled:
Far more information on disabling null session enumeration
Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled
Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
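To confirm that the two policies above, and the Simple File Sharing setting described earlier, actually took effect, the values behind them can be read back from the registry. This is an added example, not part of the original Stanford guide. It assumes Windows PowerShell is installed and that the settings are stored under the Lsa key as RestrictAnonymousSAM, RestrictAnonymous and ForceGuest; the guide itself does not spell out those value names, and Test-LsaSetting is a name chosen here.

```powershell
# Added example: read back the registry values behind the settings in the guide.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Value name -> expected data and the setting it backs.
# (Value names are an assumption stated in the lead-in, not text from the guide.)
$checks = @(
    @{ Name = 'RestrictAnonymousSAM'; Want = 1
       Setting = 'Do not allow anonymous enumeration of SAM accounts' },
    @{ Name = 'RestrictAnonymous';    Want = 1
       Setting = 'Do not allow anonymous enumeration of SAM accounts and shares' },
    @{ Name = 'ForceGuest';           Want = 0
       Setting = 'Use Simple File Sharing (should be off)' }
)

function Test-LsaSetting {
    $props = Get-ItemProperty -Path $lsa
    foreach ($c in $checks) {
        $actual = $props.($c.Name)   # $null when the value does not exist
        New-Object PSObject -Property @{
            Setting   = $c.Setting
            Value     = $c.Name
            Actual    = $actual
            Expected  = $c.Want
            # A missing value counts as non-compliant rather than as 0.
            Compliant = ($actual -ne $null -and $actual -eq $c.Want)
        }
    }
}

Test-LsaSetting |
    Format-Table Setting, Value, Actual, Expected, Compliant -AutoSize -Wrap
```

The script only reads the registry. On a domain member these values may be set by domain policy, so a mismatch is a question for the domain administrator.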
Install anti-virus software
Stanford licenses Norton Anti-Virus for desktop protection. All users are strongly encouraged to install it and to run LiveUpdate regularly (this is Norton's mechanism for updating virus signatures). This software can be downloaded from
Configure system logging
Although Stanford makes no attempt to collect system logs from every desktop computer on its network, those logs are invaluable when administrators need to troubleshoot a problem or recover a system that's been hacked. By default, Windows leaves all logging disabled, but you can set it yourself. Click on the
Double click on
Double click on
Local Security Settings,
Local Policies --> Audit Policy.
Here's the audit policy configuration we recommend for stand-alone WinXP desktops:
To change the setting on an individual policy, highlight it, then right-click. Under the
item, you'll be able to select for success and/or failure audits. Note that if your machine is a member of a domain, its audit policy may be controlled by the Domain Controller.
Microsoft allows a whopping 512 kb of storage space for Event Log records, and overwrites old records when that limit is reached. In most cases, that's a reasonable configuration (it should allow your machine to retain at least a few days of activity). But you can increase the amount of storage space available. From the Control Panel, double click on
and then double click on
You'll see the three subsets of the Event Log, the Application, Security and System Logs. Access the properties of these logs by selecting one, right clicking on it, and bringing up the
Log size is controlled here. We recommend leaving the default configuration of
When maximum log size is reached
to avoid inadvertently disabling your desktop system should you run out of log space.
More information than you ever wanted about Windows Logging
Optional: use the WinXP built-in firewall
Windows XP includes a new feature, the
Internet Connection Firewall.
The ICF restricts access to services running on your machine, so it can prevent many kinds of attacks. It's especially valuable if you're using a laptop or a PC from home, which may be exposed to a more hostile environment than the Stanford network itself. ICF can interfere with the performance of some network-based applications, so run it at your own risk.
on configuring the ICF to permit the correct functioning of PC-Leland and file sharing.
Keep application and operating system patches up to date
Default configurations of Windows XP rely on the Windows Update mechanism to notify users of new critical patches, and to manage the download and installation of those patches. To be sure you've got it running:
Click on the
button in the lower left hand corner of your screen.
Be sure that
Keep my computer up to date
is selected, and pick the notification and install option that best suits your needs (Notify me before installing updates, Install updates automatically, Install updates at the time I've selected).
Install and use the Security Self-Test. Install
the Security Self-Test
to make sure your system meets a good standard for security. This tool checks for many of the above conditions, as well as what software you have installed. Passing this test confirms that the changes you've made have been successful, and that your computer is ready for the Stanford network.
Thursday, 10-Jul-2008 14:32:46 PDT
© 2002-2004, Stanford University. All rights