Hardening Windows XP Operating Systems (Stand-a-lone)

IT Security is implemented in layers and one layer is the hardening of the operating system against malicious/nefarious activity. A part of the hardening process includes the use of security templates. Windows comes with a generic template but to get the most it is recommended accessing the NIST site and download both their standard security templates but also their hardening guides. The guides give you step by step instructions for implementing the NIST security template on stand alone Windows XP machines/workstations.

Hardening involves many steps which include such things as keeping the operating system up to date with all the security fixes/patches, instructing users on downloading files/using complex passwords, updating the firewall and antivirus programs, and many other security items.

The following procedures provide step by step instructions for setting up a single template for one or more workstations. The administrator needs to keep in mind that implementation involves using this starting template with possible modifications on each workstation depending on the users requirements for work. These instructions are for implementing the basic template on a workstation(s).

In Windows XP, a security template is a text-based file that contains values for security-relevant system
settings, thus representing a particular security configuration.

Templates can be created and updated using the Security Templates Microsoft Management Console (MMC) snap-in. Templates may be applied to a local computer or imported to a Group Policy Object or Group Policy Management Console, which facilitates the rapid deployment of security settings across a Windows XP environment.

Windows XP ships with several predefined security templates.60 Although these templates are included in Windows XP, NIST does not recommend their use.

NIST has also created a set of templates, which are referenced in Appendix A of the pdf document provided on their web site.

These templates are based on the DISA, NSA, and Microsoft Windows XP security templates and recommendations. They represent the baseline recommended settings advocated by CIS, DISA, NSA, NIST, Microsoft, and other security experts.

The NIST templates have been customized and fully documented for use on Windows XP workstations in SOHO, enterprise, high security, and legacy environments.

To view and modify the NIST template settings, perform the following steps:

Start the MMC by using the Start menu Run command, and opening mmc.exe.

Click on File, then Add/Remove Snap-in. Click on Add, highlight the Security Templates snap-in and click on Add. Click on Close, then click on OK. When completed, save the console in the Administrative Tools folder for future use.

To use the NIST templates supplied with this document, copy them into the %SystemRoot%\Security\Templates 64 folder. Choose the template that will be applied to the workstation.

Navigate through the security template settings and adjust settings as necessary to comply with local security policy. When all changes have been completed, right-click on the template name, choose Save As, and specify a new template name. (NIST recommends modifying copies of templates instead of the originals.) The saved template file can then be used on the local computer or other computers in the environment.

Analysis and Configuration

As mentioned previously, the Security Configuration and Analysis snap-in can be used to compare the current security settings of the local workstation to the settings in a template before the template is applied. This enables system administrators to examine and adjust the changes the security template will
make to the computer’s settings. To use the Security Configuration and Analysis snap-in to compare and apply security settings on a local Windows XP system, perform the following steps:

Start the MMC by using the Start menu Run command, and opening mmc.exe.

Click on File, then Add/Remove Snap-in. Click on Add, highlight the Security Configuration and Analysis snap-in and click on Add. Click on Close, then click on OK. When completed, save the console in the Administrative Tools folder for future use.

Open a new database by right-clicking Security Configuration and Analysis and selecting Open Database. Name the database and click open.

Choose the template that will be applied to the workstation. Click Open to load the settings from the template.

Right-click the Security Configuration and Analysis snap-in and choose Analyze Computer Now. Specify the default log name and location, then click on OK.65 The system will then compare the current security settings active on the computer with the template settings.

When the checks are completed, navigate through the categories of settings listed under the Security Configuration and Analysis snap-in. The differences between the templates and the computer configuration are displayed. For example, items with a red X differ from the template, and items with a green checkmark match the template. Other items may not have been analyzed because no setting was defined in the template, or because they were dependent on another value
that was not set. Besides the icon, each item also gives a verbal description, such as Not Analyzed or Not Defined.

If a review of the settings indicates that particular template settings should not be applied to the system, they can be adjusted by modifying the database settings shown on the screen. To accomplish this action, double-click on the setting that needs to be altered, make the necessary adjustments, and click on OK to return to the main settings listing. Repeat this process until all desired adjustments have been completed.

To apply the database settings to the system, right-click on the Security Configuration and Analysis snap-in and choose Configure Computer Now. Specify the default log name and location, then click on OK. The settings are applied to the system.

When the configuration is completed, the policy used to apply the configuration can be exported for future use on this computer or others. Export the configuration policy by right clicking on the Security Configuration and Analysis snap-in and choosing Export Template. Name and save the template for future use on the local computer or other computers in the environment. The saved template file can also be imported to reset settings to a working configuration if future modifications cause problems.