[unisog] Windows 2K and XP security settings?

David Foster foster at dim.ucsd.edu
Thu Jun 13 19:08:47 GMT 2002

We add this to our Windows policy:

1) No use if M$ Outlook (use Eudora)
2) No use of M$ Internet Explorer (use Netscape/Mozilla/Opera)
3) No running of network services (ftp/http) unless approved
4) No use of M$ IIS/Exchange Server/Telnet Server
5) Use of ZoneAlarm and Medium security setting (allow local
   network connectivity)

No Administrator privileges unless absolutely necessary, and
if you have such priveleges you must maintain your own system
(otherwise our IT group does it for you). We have a list of
"approved" software, and if they want to install something that
is not on that list they must get it approved (and then we may
add it to the list if deemed appropriate).

No sharing of volumes between personal systems.

Dave Foster

> To: unisog at sans.org
> Cc: RESNET-L at listserv.nd.edu
> From: Phil.Rodrigues at uconn.edu
> Date: Thu, 13 Jun 2002 14:54:08 -0400
> Subject: [unisog] Windows 2K and XP security settings?
> Hi all,
> I have been asked by our desktop support / PC standards folks to give some 
> security-minded recommendations for their new Windows 2000 and XP images. 
> I can think of some things off of the top of my head, and I'll bet after a 
> bit of research I can think of a few more.  What do you all do to help 
> secure your standard "NT-ish" installs?  (I know it is a broad question.)
> Some things they mention they do:
> - Patched to current service pack / windows update / security hotfix 
> standard for the OS and browser
> - Strong administrative passwords
> - Antivirus auto-updates once per day
> Some ideas off the top of my head:
> - Rename the administrative accounts
> - Enable personal firewall for XP (prob creates more support issues than 
> it solves)
> - Restrict Anonymous setting to disable account enumeration
> - Enable logon/logoff auditing to help track crack attempts
> - Set strong password policies for all local accounts
> - Enable auto-download of security updates
> I feel like this is my one crack at helping to secure the desktop for the 
> next year.  Help me get it right! ;-)
> Phil
> =======================================
> Philip A. Rodrigues
> Network Analyst, UITS
> University of Connecticut
> email: phil.rodrigues at uconn.edu
> phone: 860.486.3743
> fax: 860.486.6580
> web: http://www.security.uconn.edu
> =======================================

   << All opinions expressed are mine, not the University's >>

   David Foster    National Center for Microscopy and Imaging Research
    Programmer/Analyst     University of California, San Diego
    dfoster at ucsd.edu       Department of Neuroscience, Mail 0608
    (858) 534-7968         http://ncmir.ucsd.edu/

   "The reasonable man adapts himself to the world; the unreasonable one
   persists in trying to adapt the world to himself.  Therefore, all progress
   depends on the unreasonable."   -- George Bernard Shaw

More information about the unisog mailing list