Windows Security Checklist
For IT Pros
This page contains advanced information about improving your Windows system's security.
Introduction
The instructions on this page are meant as additional security precautions for advanced users to take after completing the basic-level precautions in the security checklists by operating system. These recommendations require a degree of comfort with your Windows operating system's administrative controls.
The recommendations below fall into four main categories:
- Controlling overall access to your computer (including securing a wireless home network if you use one)
- Making sure that only authorized users are granted access (including making sure that the "Everyone" group is removed and replaced by the "Authenticated Users" group)
- Performing actions with the least amount of privileges required (including logging in as a limited user for everyday tasks like word processing, and reserving Administrator privileges for when you need to install or remove software)
- Enabling automatic audit logs of security-related events (including recording failed login attempts and the like)
Restricting access
- Use the Microsoft Baseline Security Analyzer (MBSA) to detect and correct common security misconfigurations
Microsoft provides a tool called the Microsoft Baseline Security Analyzer (MBSA) to assist with detecting potential security flaws and correcting them. The MBSA tool checks for issues such as missing patches, user accounts without passwords, available updates to installed Microsoft software, and more.
- If you use a home wireless network, make sure to secure it
By default, wireless networks broadcast their identity (called an SSID) to every computer within signal range, and allow any computer to connect to it. However, there are three simple steps you can take to close your wireless network to most uninvited guests. For more information, see Home Wireless Network Security.
- (XP) Make sure Remote Desktop is disabled
Remote Desktop lets you log in to your computer from elsewhere on a network. However, it also gives anyone who can reach the computer over the network a logon prompt to attack. Since Remote Desktop is disabled by default, the safest option is to leave it disabled if you don't need it.
- Disable automatic hidden shares
To make it easier to administer computers remotely over the network, several Windows operating systems automatically create hidden shares (C$, D$, ADMIN$, and so on) for the root of each drive and for the Windows folder.
It's safer to turn off the root-level folder access and individually share only the folders that you need to access from other computers. However, some programs (including McAfee's ePolicy Orchestrator and others) are designed to expect some of these automatic shares to be enabled despite their security implications.
For more information about when and how to disable automatic hidden shares, see Microsoft's Knowledge Base article How to create and delete hidden or administrative shares on client computers. Remember to document anything you change in case a software package unexpectedly stops working after any modifications you perform.
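The following PowerShell, added here as an example and not part of the original checklist or the Microsoft article, records the current shares (so the change is documented, as advised above), sets the LanmanServer registry values that stop the automatic shares from being recreated, removes the existing ones, and verifies the result. It assumes Windows 8 / Server 2012 or later for the SMB cmdlets (on older systems use "net share" for the listing and removal steps) and must be run from an elevated shell.

```powershell
# Added example, not from the original page. Run as Administrator.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Document what is shared today before touching anything.
$backup = Join-Path $env:USERPROFILE 'shares-before-change.csv'
Get-SmbShare | Select-Object Name, Path, Special | Export-Csv -Path $backup -NoTypeInformation
Write-Host "Share inventory saved to $backup"

# 2. Show the automatic (hidden) shares; they carry the Special flag.
Write-Host "Automatic shares currently offered:"
Get-SmbShare -Special $true | Select-Object Name, Path | Format-Table -AutoSize

# 3. AutoShareWks applies to workstations, AutoShareServer to servers.
#    0 = do not recreate the drive and ADMIN$ shares when the Server service starts.
#    IPC$ is not controlled by these values and stays available.
foreach ($name in 'AutoShareWks', 'AutoShareServer') {
    New-ItemProperty -Path $params -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
}

# 4. Remove the shares that exist now; with the values above set they will
#    not come back after the Server service restarts.
Get-SmbShare -Special $true | Where-Object { $_.Name -ne 'IPC$' } |
    ForEach-Object { Remove-SmbShare -Name $_.Name -Force }

Restart-Service -Name LanmanServer -Force

# 5. Verify: only IPC$ and the folders you shared yourself should remain.
Get-SmbShare | Select-Object Name, Path, Special | Format-Table -AutoSize
```

If a program such as the management agent mentioned above stops working afterwards, the CSV from step 1 tells you exactly which shares to restore (re-create them with New-SmbShare, or set the registry values back to 1 and restart the service).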
- Disable unused ports and services
The easiest way to disable access to network ports for services you aren't using is to use a personal firewall, as described in the basics section, and set it to block any incoming requests that aren't in response to your own requests.
Disabling unused services can improve both your computer's security and its speed. However, you will need to do some independent study to make sure that none of the software on your computer requires the services you want to disable. Microsoft's Knowledge Base provides more information about services and whether the best setting for a service is "automatic" (starts when the computer does), "manual" (starts when needed), or "disabled" (can't be started).
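The script below is an added example (not from the original page) for this item and for the Remote Desktop item above. It lists every listening TCP port with the process and service behind it, confirms Remote Desktop is turned off, makes the Windows Firewall drop unsolicited inbound connections on every profile, and disables a service only after checking that no running service depends on it. It assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection and the NetSecurity cmdlets) and an elevated shell; RemoteRegistry is used as the sample service to disable.

```powershell
# Added example, not from the original page. Run as Administrator.

# 1. What is actually listening, and which process/service owns it?
Get-NetTCPConnection -State Listen |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $($_.OwningProcess)" |
                    Select-Object -ExpandProperty Name
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Port         = $_.LocalPort
            Process      = $proc.ProcessName
            Services     = ($svcs -join ',')
        }
    } | Sort-Object Port -Unique | Format-Table -AutoSize

# 2. Remote Desktop: fDenyTSConnections = 1 means connections are refused.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ((Get-ItemProperty -Path $ts).fDenyTSConnections -ne 1) {
    Write-Warning 'Remote Desktop is enabled; disabling it.'
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
}

# 3. Firewall: block inbound by default on every profile. Replies to
#    connections this computer opened are still allowed (stateful filtering).
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# 4. Disable a service only if nothing running depends on it.
function Disable-ServiceSafely {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction Stop
    $running = $svc.DependentServices | Where-Object { $_.Status -eq 'Running' }
    if ($running) {
        Write-Warning "$Name is required by: $($running.Name -join ', '); leaving it alone."
        return $false
    }
    Stop-Service -Name $Name -Force
    Set-Service -Name $Name -StartupType Disabled
    Write-Host "$Name stopped and set to Disabled."
    return $true
}

# Sample: the Remote Registry service is rarely needed on a home computer.
Disable-ServiceSafely -Name RemoteRegistry | Out-Null
```

Keep the port listing from step 1 with your change notes: if something stops working after you disable a service, the listing shows which port and process it used.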
- (XP) Disable Simple File Sharing
Both editions of Windows XP (Home and Professional) offer Simple File Sharing as a local network file sharing option. However, Simple File Sharing makes no distinction between authorized and unauthorized guests: every connection from the network is treated as the Guest account, as though it came from someone trusted to look at your files and potentially change them.
- For XP Home Edition users: There is no way to disable Simple File Sharing on XP Home Edition. Therefore, the best solution is to assign a password to the Guest account that is at least 8 characters long and uses lower-case letters, capitals, and numbers.
- For XP Professional users: There are two choices available. You can disable all file sharing, or you can turn off Simple File Sharing and use access control lists instead. For more information, see Microsoft's How to disable simplified sharing and set permissions on a shared folder in Windows XP and Chapter 16: Authorization and Access Control.
Admit authorized users only
- Remove "Everyone" access and use "Authenticated Users" instead
By default, a Windows computer is configured so that a built-in group called "Everyone" is given certain permissions on the computer. "Everyone" includes the Guest account (and, on Windows 2000, anonymous network connections as well). This is useful for computers that are running web servers and other public resources, because it means that people who are trying to access the computer don't need a login name and password. However, for your home computer, you want to make sure that only users who are authorized to log in -- yourself and anyone else who has an account on the computer -- are allowed to access your system. The built-in "Authenticated Users" group contains exactly those accounts.
There are two areas to consider removing "Everyone" access and replacing it with "Authenticated Users" access.
One location is on any folders you have shared -- by default, the share permission on a new shared folder grants the "Everyone" group access (Full Control on Windows 2000, Read on Windows XP). It's much safer to remove the "Everyone" group and add the "Authenticated Users" group in its place. See Microsoft's Knowledge Base article 307874 (Windows XP) or 301281 (Windows 2000) for more information.
The other location is in the Local Security Settings area. For more information about what each Local Security Settings entry permits, see Microsoft's Windows XP documentation or Windows 2000 documentation.
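As an added example (not part of the original page), the PowerShell function below covers both locations: it reports every shared folder whose share or NTFS permissions name "Everyone", and every user right in Local Security Settings granted to Everyone's SID (S-1-1-0), and, only when run with -Apply, swaps "Everyone" for "Authenticated Users" (S-1-5-11) on the shares at the same access level. It assumes the SMB cmdlets of Windows 8 / Server 2012 or later and an elevated shell; the user-rights part relies on secedit, which is present on all versions. The function name is my own.

```powershell
# Added example, not from the original page. Run as Administrator.
function Repair-EveryoneAccess {
    param([switch]$Apply)   # without -Apply the function only reports

    $everyone  = 'Everyone'
    $authUsers = 'NT AUTHORITY\Authenticated Users'

    # --- Location 1: shared folders (share permissions and NTFS permissions) ---
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        $aces = Get-SmbShareAccess -Name $share.Name | Where-Object { $_.AccountName -eq $everyone }
        foreach ($ace in $aces) {
            Write-Host ("Share {0}: Everyone has {1} ({2})" -f $share.Name, $ace.AccessRight, $ace.AccessControlType)
            if ($Apply -and $ace.AccessControlType -eq 'Allow') {
                # Same level of access, but only for accounts that actually logged in.
                Grant-SmbShareAccess  -Name $share.Name -AccountName $authUsers -AccessRight $ace.AccessRight -Force | Out-Null
                Revoke-SmbShareAccess -Name $share.Name -AccountName $everyone -Force | Out-Null
                Write-Host ("Share {0}: replaced Everyone with Authenticated Users" -f $share.Name)
            }
        }
        # Effective access is the more restrictive of share and NTFS permissions,
        # so an "Everyone" entry on the folder itself matters too; report it.
        (Get-Acl -Path $share.Path).Access |
            Where-Object { $_.IdentityReference -eq $everyone } |
            ForEach-Object { Write-Host ("Folder {0}: Everyone has NTFS {1}" -f $share.Path, $_.FileSystemRights) }
    }

    # --- Location 2: user-rights assignments in Local Security Settings ---
    # Export the policy; lines look like  SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    Get-Content $tmp | ForEach-Object {
        if ($_ -match '^\s*(Se\w+)\s*=.*S-1-1-0') {
            Write-Host "User right granted to Everyone: $($Matches[1]) (review in secpol.msc)"
        }
    }
    Remove-Item $tmp -ErrorAction SilentlyContinue
}

Repair-EveryoneAccess           # report only
# Repair-EveryoneAccess -Apply  # make the share-permission changes
```

Run the report first and keep its output with your change notes. User rights are deliberately left for manual review: "Access this computer from the network" granted to Everyone is normal on a stand-alone machine that shares nothing, but worth changing on one that does.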
Least privilege
- Only log in as administrator when installing software and patching your system
You should use a user identity without administrative privileges for everyday activities; don't log in as an administrator unless you're doing something that requires administrative privileges.
- Disable password caching in all browsers
Don't configure your web browsers or Internet connection software to remember your name and password. A flaw in browser security could expose your passwords to collection by an attacker.
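The following is an added example (not from the original page) for the least-privilege item above: Test-IsAdministrator tells you whether the current session has administrative rights, and Invoke-Elevated runs a single program as administrator and returns to the unprivileged shell when it finishes, so the everyday login stays a limited user. Both function names and the installer path are my own; -Verb RunAs needs Windows Vista or later (on XP, use runas /user:COMPUTERNAME\Administrator "command" for the same purpose).

```powershell
# Added example, not from the original page.
function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Elevated {
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [string[]]$ArgumentList
    )
    if (Test-IsAdministrator) {
        Write-Warning 'This shell already has administrative rights; use a limited account for daily work.'
    }
    $opts = @{ FilePath = $FilePath; Verb = 'RunAs'; Wait = $true; PassThru = $true }
    if ($ArgumentList) { $opts.ArgumentList = $ArgumentList }
    # -Verb RunAs raises the UAC prompt; only this one process gets admin rights.
    $proc = Start-Process @opts
    return $proc.ExitCode
}

# Everyday shell: should print False.
"Running as administrator: $(Test-IsAdministrator)"

# Install a package (hypothetical path) with elevated rights, then carry on unprivileged.
$code = Invoke-Elevated -FilePath 'msiexec.exe' -ArgumentList '/i', 'C:\Setup\example.msi', '/qn'
"Installer exit code: $code"
```

An exit code of 0 from msiexec means the install succeeded; anything else is an installer error code, not a sign that elevation failed.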
Auditing
- Enable security auditing on key services
Keeping track of things like failed attempts at logging in or changing security policies makes it easier to determine what's wrong if you have a security problem. The Audit Policy node in Local Security Settings (secpol.msc) contains a list of security-related items that can be logged.
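As an added example (not from the original page), the script below turns on auditing for logon attempts and audit-policy changes with auditpol, then summarises failed logons from the Security log by account and source address, which is the pattern to look for after enabling this. It assumes Windows Vista / Server 2008 or later, where failed logons are event ID 4625 and audit-policy changes are 4719 (Windows XP records 529 and 612 instead), and an elevated shell; the function name is my own.

```powershell
# Added example, not from the original page. Run as Administrator.

# 1. Enable the two audit subcategories the checklist item mentions.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable | Out-Null
auditpol /get /category:"Logon/Logoff,Policy Change"

# 2. Read failed logons (4625) from the Security log and pull the named
#    fields out of the event XML instead of relying on field positions.
function Get-FailedLogonSummary {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = $data.TargetUserName
            LogonType = $data.LogonType      # 2 = interactive, 3 = network, 10 = remote desktop
            Source    = $data.IpAddress
            SubStatus = $data.SubStatus      # 0xC000006A = wrong password, 0xC0000064 = no such user
        }
    }
}

# 3. Many failures for one account from one address is what to look for.
Get-FailedLogonSummary |
    Group-Object User, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

A recent audit-policy change shows up as event 4719 in the same log; check for it if the summary is unexpectedly empty, since an intruder who has already gained administrative rights can turn auditing off.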
More resources
For more advanced Windows security checklists, including some registry modification recommendations (which should only be undertaken by users who are comfortable with the risks of editing the registry), see:
