Securing Windows XP Professional in a Peer-To-Peer Networking Environment


  • 7/24/2019 Securing Windows XP Professional in a Peer-To-Peer Networking Environment


    Small Business Security Guidance

    Securing Windows XP Professional in a Peer-to-Peer Networking Environment

    Updated: July 2006

    For the latest information, please see www.microsoft.com/technet/security/smallbusiness/default.mspx


    2006 Microsoft Corporation. This work is licensed under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.


    Contents

    Introduction
    Objective of This Document
    Before You Begin
    Meeting the Service Pack Requirement
    Administrative Requirements
    Securing the File System
    Converting Your File Systems to NTFS
    Using Antivirus Software
    Using Microsoft Defender
    Protecting File Shares
    Securing Shared Folders
    Disabling Unnecessary Services
    Disabling or Deleting Unnecessary User Accounts
    Securing User Accounts
    Using Passwords
    Windows Firewall
    Updating Security Patches
    Automatic Update
    Related Information


    Introduction

    Peer-to-peer networking can increase productivity by making it easy to share information and resources on your network. However, the ability of computer users to control access to their computers can leave them vulnerable to information theft, loss, or inadvertent sharing of files. Therefore, in addition to enforcing a company computing policy you should make sure you and your employees understand the basics of Windows peer-to-peer networking and security.

    With the threat of malicious code (such as worms, viruses, Trojan horses, and spyware) and hackers, it is critical to take immediate action to lock down desktop and portable computers. This document explains how to implement security measures for a small or medium-sized business environment where peer-to-peer networking is used. These recommendations help ensure that your computers running Microsoft® Windows® XP Professional with Service Pack 2 (SP2) are more secure, while ensuring that users can continue to be efficient and productive on their computers.

    Objective of This Document

    After you familiarize yourself with the information in this document, you should be able to increase the security of a peer-to-peer workgroup.

    Before You Begin

    As with any security recommendations, this guidance strives to find the right balance between enhanced security and usability. The recommendations provided in this document will work successfully for Windows XP Professional SP2 deployments in a wide variety of environments. However, before implementing these recommendations you should note that this document does not address the wide variety of needs and configurations that may be required in a large organization. In addition, the guidance may not fully address the specific security needs of some organizations.

    Meeting the Service Pack Requirement

    The recommendations in this document apply only to computers running Windows XP Professional with SP2 that are members of a workgroup, not a domain. If SP2 is not installed on a particular computer or if you do not know whether it is installed, you can go to the Microsoft Update page on the Microsoft Web site at http://windowsupdate.microsoft.com, and have your computer scanned for available updates. If SP2 shows up as an available update, install it before starting the procedures in this document.

    Note  Installing SP2 requires a computer restart.

    Administrative Requirements

    You must be logged on as an administrator or a member of the Administrators group to complete the following procedures. If your computer is connected to a network, network policy settings might also prevent you from completing these procedures.


    Securing the File System

    A file system determines the way that directories and files are organized on a computer. There are ways to protect your file system from unauthorized access, alteration or deletion. This section provides step-by-step instructions for completing the following tasks, which will help you secure the file system:

    • Converting file systems to NTFS
    • Using antivirus software
    • Using Windows Defender (Beta 2)
    • Protecting file shares
    • Securing shared folders
    • Disabling unnecessary services
    • Disabling or deleting unnecessary accounts

    Converting Your File Systems to NTFS

    During the Windows XP setup process, computers can be configured to use either the FAT32 or NTFS file system.

    FAT32 is an older technology that previous versions of Windows use. The NTFS file system is faster and more secure than FAT32 and many other, older file systems. For optimal performance of the operating system, use NTFS to protect all of the file system partitions on your computer. Use the following two procedures to first verify the type of file system on your computer, and then, if needed, convert the file system to NTFS.

    Important  You should consider the following limitations before you convert a FAT partition to NTFS:

    • The conversion is a one-way process. After you convert a partition to NTFS, you cannot convert the partition back to FAT. To restore the partition as a FAT partition, the partition would have to be reformatted as FAT, which erases all data from the partition. Data would then have to be restored from backup.

    • Removing Windows XP to revert to Windows Millennium Edition (Me) is not an option after you convert any drive on the computer to NTFS.

    • Convert.exe requires that a certain amount of free space be present on the drive to convert the file system. For additional information about the amount of free space that is required for a conversion, see the Microsoft Knowledge Base article Free Space Required to Convert FAT to NTFS at http://support.microsoft.com/kb/156560.


    To check the file system type on your computer

    1. Click Start, and then click My Computer.

    2. Right-click the drive letter you want to check, and then click Properties.

    3. The file system type should be NTFS as shown in the following screen shot. If it is not, you can use the Convert.exe utility to convert from FAT16 or FAT32 to NTFS.

    Repeat this procedure for all partitions located on hard disks on the computer. Even if the file system was configured as FAT32 when the operating system was installed, you can easily convert it to NTFS to provide additional security.

    To convert the file system to NTFS, take note of the name of the disk, otherwise known as the volume label (Drive C in the preceding figure). Then complete the following procedure, which will convert your file system to NTFS. Converting your file system to NTFS provides your computer with a higher level of security.

    To convert the file system to NTFS

    1. Click Start, Run, type cmd, and then click OK.

    2. At the command prompt, type the following, where <drive letter> is the drive you want to convert, and then press ENTER:

    convert <drive letter>: /fs:ntfs

    3. You will be prompted to enter the current volume label for the drive. Enter the volume label that was identified earlier, and then press ENTER.

    4. When the conversion is complete, type exit and then press ENTER to close the command prompt.

    Note  If you are attempting to convert the drive where the operating system is installed, you may be prompted to schedule the conversion to occur the ne


    Using Antivirus Software

    Computer viruses are programs that are loaded on to your computer without your knowledge or approval. Viruses and other forms of malicious software have been around for years. Today's viruses can replicate themselves and use the Internet and e-mail applications to spread across the world in less than an hour.

    An antivirus software program will help protect your computer against many known viruses, worms, Trojan horses, and other malicious code. Antivirus software continually scans your computer for viruses and helps detect and remove them. Installing antivirus software only solves part of the problem; keeping the antivirus signature files up-to-date is critical to maintaining a secure desktop or portable computer.

    Many new computers come with antivirus software already installed. However, antivirus software requires a subscription to stay up-to-date. If you don't have a current subscription for these updates, your computer is likely to be vulnerable to new threats.

    User education regarding safe e-mail practices is another critical step in preventing virus attacks. Users should not open e-mail messages or take action on e-mail attachments unless they are expecting the file. Ensure that all e-mail attachments are scanned with antivirus software before they are executed.

    Microsoft offers Windows Live OneCare, an automatically self-updating PC care service that runs quietly in the background. It helps provide persistent protection against viruses, hackers, and other threats, and helps keep your PC tuned up and your important documents backed up. For more details, see Windows Live OneCare at www.windowsonecare.com.

    For more information about software vendors that provide antivirus software that is compatible with Windows XP, see the List of antivirus software vendors page on the Microsoft Web site at http://support.microsoft.com/kb


    users from other workstations to access a directory on a local hard drive. A Windows XP Professional workstation user can assign permission to these shares to local accounts and groups in both configurations, but can only assign access to Active Directory® directory service accounts and groups if the workstation is a member of Active Directory.

    By default, shares are created with Everyone having full control. These permissions must be modified to allow only those who need access to the share. In addition, user accounts and groups of user accounts can be limited to what they can do on a file share. They can be limited to read-only access or they can be assigned permissions to create, change, and even delete files.

    File sharing is intended for use on a home or business network behind a firewall, such as Windows Firewall (provided with Windows XP SP2). If you are connected to the Internet, and are not operating behind a firewall, remember that any file shares you create might be accessible to any user on the Internet.

    Securing Shared Folders

    Windows peer-to-peer networking allows you to share the contents of your file system with other computers on your network. The following procedure assumes that you have already shared one or more folders in your file system. By changing some of the default file system settings, you can restrict unauthorized access to your shares.

    • Every user that requires access to the share from their computer also needs a user account on the workstation with the share. This requirement is a limitation of a peer-to-peer workgroup network configuration. It is wise to keep the number of computers that have shared directories to a minimum. If you have shares on all workstations, you have to have user accounts on all workstations, which can quickly become a complex configuration to support.

    • You can set permissions only on drives that are formatted to use the NTFS file system.

    • In the following steps you will remove the Everyone special group that provides anonymous access. Then you will assign each local user account Read or Change permissions to the shared folder.

    • Read gives a user account enough permissions to list the files, open the files, and copy the files from the share to another location.

    • Change gives a user account the ability to list, add, modify, and delete files.

    • You have to select both Change and Read to assign Change permissions. Limit the number of users to whom you assign Change permissions. It is not advisable to assign other user accounts Full Control to the share. Full Control gives users the same permissions as Change, but also the ability to take ownership of files/directories and change permissions.


    To secure a shared folder

    1. Right-click a folder that has been previously shared, and then select Sharing and Security.

    2. On the Sharing tab, click Permissions. A screen similar to the following will display.

    3. Select the Everyone group, and then click Remove.

    4. Click Add to select which users can access the folder.

    5. In the Select Users or Groups dialog box, click Object Types.

    6. Clear the Built-in security principals and Groups check boxes, and then click OK.

    7. Click Advanced.

    8. Click Find Now.


    Disabling Unnecessary Services

    By disabling unnecessary services you can reduce the chances of a known or unknown vulnerability being exploited. Use Add or Remove Programs in Control Panel to disable services.

    For a list of services and their settings, see the Default settings for services page on the Microsoft Windows XP Professional Documentation Web site at www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sys_srv_default_settings.mspx?mfr=true.

    Disabling or Deleting Unnecessary User Accounts

    Disable or delete any user accounts that you do not require. By disabling or deleting unnecessary accounts you can reduce the chances of unauthorized access to your computer.

    To disable an account

    1. Click Start, and then click Control Panel.

    2. Double-click User Accounts.

    3. Click the Advanced tab and then click the Advanced button.

    4. Click the Users branch.

    5. Double-click a user account to display the properties dialog box.

    6. Select the Account is disabled check box.

    Note  A disabled account will still e


    Securing User Accounts

    By using passwords and configuring account lockout, you can reduce the chances of unauthorized access to your computer.

    Using Passwords

    It is important that all user accounts on every workstation have a password. Leaving passwords blank allows people to access computers as if they were someone else.

    • Do not use the Guest account on workstations. It should be disabled.

    • Every user should have their own user account. User accounts and passwords should not be shared.

    Two concepts are commonly confused with regard to passwords. A user account can become locked out, which is typically caused by trying to log on with an incorrect password too many times. The account just needs to be unlocked; the password does not need to be reset unless the user has forgotten what the password was. A good example, and probably the most common, is when someone gets locked out because they had the CAPS LOCK key on when they were typing their password.

    A password reset provides the user account with a new password, usually a temporary password. The temporary password can then be provided to the user so they can log on. It is best to set such passwords to expire the first time they are used, in case the user forgets to change it after logging on. Forcing the user to log on and immediately create a new password ensures that only the user knows their password.

    To unlock a locked user account

    1. Click Start, and then click Control Panel.

    2. Double-click User Accounts.

    3. Click the Advanced tab and then click the Advanced button.

    4. Click the Users branch.

    5. Find the affected user account and double-click it.

    6. Clear the Account is locked out check box and then click OK.

    To set or reset a password for an existing user account

    1. Perform steps 1 through 5 from the previous procedure.

    2. Place a checkmark in the User must change password at next logon option. Then click OK.

    3. Right-click the account in question and click Set Password. You will be prompted with a warning message. Make note of the possible impact before proceeding.

    4. If you clicked the Proceed button, enter the temporary password in both password fields.

    5. Click OK and communicate the temporary password to the user.
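
    The file system, shared folder and user account checks described in the sections above can be collected into one read-only audit script. This is an added example, not part of the original Microsoft guide: it assumes Windows PowerShell has been installed (it is not included with Windows XP), that it is run by a member of the Administrators group, and it reads the standard WMI classes Win32_LogicalDisk, Win32_Share, Win32_LogicalShareSecuritySetting and Win32_UserAccount.

```powershell
# Added example, not from the original guide: read-only audit of the settings
# this document asks for. Assumes Windows PowerShell is installed and the
# script is run by a member of the Administrators group. Nothing is changed.

# Access masks Windows stores for the three share permission levels.
$shareRights = @{ '2032127' = 'Full Control'; '1245631' = 'Change'; '1179817' = 'Read' }
$findings = @()

# 1. File system: every fixed disk (DriveType 3) should be NTFS.
foreach ($disk in @(Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3')) {
    if ($disk.FileSystem -ne 'NTFS') {
        $findings += "Volume $($disk.DeviceID) is $($disk.FileSystem); convert it to NTFS"
    }
}

# 2. Shared folders (Type 0 = disk share): flag Everyone entries and any
#    Full Control grant, since the guide recommends Read or Change only.
$security = @{}
Get-WmiObject Win32_LogicalShareSecuritySetting |
    ForEach-Object { $security[$_.Name] = $_ }

foreach ($share in @(Get-WmiObject Win32_Share -Filter 'Type=0')) {
    $name = $share.Name
    if (-not $security.ContainsKey($name)) {
        # No permission list was returned for this share; check it by hand.
        $findings += "Share '$name': no explicit permission list returned; review it in Sharing and Security"
        continue
    }
    $result = $security[$name].GetSecurityDescriptor()
    if ($result.ReturnValue -ne 0) {
        $findings += "Share '$name': could not read permissions (error $($result.ReturnValue))"
        continue
    }
    foreach ($ace in $result.Descriptor.DACL) {
        if ($ace.AceType -ne 0) { continue }            # 0 = allow entry
        $right = $shareRights["$($ace.AccessMask)"]
        if (-not $right) { $right = "access mask $($ace.AccessMask)" }
        $who = $ace.Trustee
        if ($who.SIDString -eq 'S-1-1-0' -or $who.Name -eq 'Everyone') {
            $findings += "Share '$name': Everyone has $right; remove the Everyone group"
        } elseif ($right -eq 'Full Control') {
            $findings += "Share '$name': $($who.Name) has Full Control; assign Read or Change instead"
        }
    }
}

# 3. Local accounts: Guest should be disabled, and no enabled account should
#    be allowed to exist without a password.
foreach ($acct in @(Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True')) {
    if ($acct.Disabled) { continue }
    if ($acct.SID -like 'S-1-5-21-*-501') {             # well-known Guest RID
        $findings += "Account '$($acct.Name)' (Guest) is enabled; disable it"
    }
    if (-not $acct.PasswordRequired) {
        # The flag means a blank password is permitted, not that one is set.
        $findings += "Account '$($acct.Name)' is not required to have a password"
    }
    if ($acct.Lockout) {
        $findings += "Account '$($acct.Name)' is currently locked out"
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

    Each line of output names one setting to review with the corresponding procedure in this document.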

    Windows Firewall

    Windows Firewall is a host-based firewall solution that is included as part of Windows XP Professional SP2 and is highly configurable. It is enabled by default and helps protect against network attacks. Windows Live OneCare also monitors Windows Firewall, giving you a single console to check the overall security status of your PC.

    Windows Firewall is not intended to replace the functionality of a network firewall. Windows Firewall enables Windows networking ports so that peer-to-peer workgroups can communicate and share resources. A network firewall needs to be in place to protect the network while Windows Firewall protects each workstation for which it is installed and enabled. A number of manufacturers have affordable network firewalls designed for small to medium-sized networks.

    To verify that Windows Firewall has not been disabled

    1. Click Start, and then click Control Panel.

    2. Double-click the Windows Firewall icon.

    3. Ensure that On (recommended) is selected.

    Updating Security Patches

    A good way to keep up-to-date on security patches is to subscribe to Microsoft Security bulletins which are sent via e-mail. You can sign up to receive the security bulletins on the Microsoft Security Web site at www.microsoft.com/security/default.mspx. In addition to staying informed through bulletins, there are a number of technologies that can help automate security patching.

    Automatic Update

    The Automatic Update feature in Windows XP can automatically detect and download the latest security patches from Microsoft. It can be configured to automatically download fixes in the background and then prompt the user to install them after the download is complete.

    To configure your computer for automatic updates

    1. Click Start, and then click Control Panel.

    2. Double-click the Automatic Updates icon.

    3. Configure all your Windows XP workstations to Automatic. Note that you can configure how often and what time of day these updates will occur.

    4. Click OK.

    Note  Microsoft also issues security bulletins through its Security Notification Service. These bulletins are issued for any Microsoft product that is found to have a security issue.


    Related Information

    For more information about securing Windows XP, see the following:

    • The Windows XP Security Guide, which is available for viewing and download on the Microsoft TechNet Web site at www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/default.mspx.

    For more information about related topics on securing Windows XP, see the following:

    • The Threats and Countermeasures guide, which is available for viewing and download on the Microsoft TechNet Web site at www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch00.mspx.
