Limit Local Account Use of Blank Passwords to Console Logon Only
One of the nicest features of Windows XP is how it handles blank passwords. By default, an account with a blank password can be used only at the console, not over the network. This was designed as a home-user feature, giving home users the same experience they had with Windows 9x, where passwords provided no real protection. The Group Policy setting (Accounts: Limit local account use of blank passwords to console logon only) exists only to enforce this behavior, and it is important to ensure that it stays enabled.
For the record, you can use this functionality with Windows Server 2003 as well. We have recommended it for servers locked in physically secure racks: setting a blank Administrator account password allows physically trusted personnel to access the system in case of severe failure, while that Administrator account cannot be used across the network by an attacker.
Anonymous Restrictions
Clients should look like black holes on the network to every system other than their management points. The authenticated IPsec bypass in the Windows XP Service Pack 2 firewall is a great way to make that happen, but the same lockdown should also be applied to anonymous access. Pure clients have no business volunteering anything to anonymous users, and we recommend configuring all the anonymous settings discussed above.
We have even gone so far, on some particularly threatened clients, as to turn off the Server service. This will, however, render the machine unmanageable, since virtually all remote management tools depend on the Server service. On a particularly threatened system where remote management is not a requirement, though, it can be a reasonable course of action.
Enable Auditing
How much auditing you really want to do on clients depends on many factors, such as the threats you face, the management processes in place for audit logs, the number of clients, and so on. Generally speaking, you probably do not want to collect gigantic logs from clients. Even so, a few events can prove very useful in forensics.
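The three settings above can be verified from an elevated PowerShell prompt by reading the registry values that back the corresponding Local Security Policy entries. This is an added example and not code from the book; it assumes the standard value names under the Lsa key and applies to current Windows versions as well as XP and Server 2003.

```powershell
# Added example (not from the book): report the settings discussed above on the local machine.
# The value names are the documented backing values for the Local Security Policy entries.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Expected values and the policy entry each one backs:
#   LimitBlankPasswordUse     -> Accounts: Limit local account use of blank passwords to console logon only (1)
#   RestrictAnonymous         -> Network access: Do not allow anonymous enumeration of SAM accounts and shares (1)
#   RestrictAnonymousSAM      -> Network access: Do not allow anonymous enumeration of SAM accounts (1)
#   EveryoneIncludesAnonymous -> Network access: Let Everyone permissions apply to anonymous users (0)
$checks = @(
    @{ Name = 'LimitBlankPasswordUse';     Expected = 1 },
    @{ Name = 'RestrictAnonymous';         Expected = 1 },
    @{ Name = 'RestrictAnonymousSAM';      Expected = 1 },
    @{ Name = 'EveryoneIncludesAnonymous'; Expected = 0 }
)

function Get-LsaSetting {
    param([string]$Name)
    # A missing value means the OS default applies; report $null instead of failing.
    $item = Get-ItemProperty -Path $lsa -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$results = foreach ($c in $checks) {
    $actual = Get-LsaSetting -Name $c.Name
    [pscustomobject]@{
        Setting  = $c.Name
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '(not set, OS default)' } else { $actual }
        Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
    }
}

# The Server service is only worth stopping on highly threatened clients that need no
# remote management, so its state is reported for review rather than judged.
$srv = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Setting  = 'Server service (LanmanServer)'
    Expected = 'Running unless remote management is not required'
    Actual   = if ($srv) { $srv.Status.ToString() } else { '(not present)' }
    Status   = 'INFO'
}

$results | Format-Table -AutoSize
```

A value reported as "(not set, OS default)" is not necessarily wrong; on XP and later LimitBlankPasswordUse defaults to enabled, but the explicit policy is what keeps it from being switched off later.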
In this tutorial:
- Protecting Hosts
- Security Configuration Myths
- Myth 1: Security Guides Make Your System Secure
- Myth 2: If We Hide It, They Won't Find It
- Myth 3: The More Tweaks, the Better
- Myth 4: Tweaks Are Necessary
- Myth 5: All Environments Should At Least Use <Insert Favorite Guide Here>
- Myth 6: "High Security" Is an End Goal for All Environments
- Myth 7: Start Securing Your Environment by Applying a Security Guide
- Myth 8: Security Tweaks Can Fix Physical Security Problems
- Myth 9: Security Tweaks Will Stop Worms/Viruses
- Myth 10: An Expert Recommended This Tweak as Defense in Depth
- Server Security Tweaks
- Software Restriction Policies
- Do Not Store LAN Manager Hash Value
- Anonymous Restrictions
- Security Identifiers (SIDs)
- Password Policies
- SMB Message Signing
- Networking LAN Manager Authentication Level
- TCP Hardening
- Restricted Groups
- Audit Settings
- Client Security Tweaks
- Firewalls
- IPsec Filters
- SafeDllSearchMode
- Local Administrator Account Control
- Limit Local Account Use of Blank Passwords to Console Logon Only
- Logon Events
- Allowed to Format and Eject Removable Media
- The Caution List: Changes You Should Not Make
- Crash on Audit Failure
- Clear Virtual Memory Page File
- Security Configuration Tools