Microsoft Windows XP has taken great security leaps forward since the introduction of XP Service Pack 2. Yet there are still some important steps midmarket companies can take to lock down XP desktops, taking advantage of some inherent security features built into the operating system.
The five steps that follow assume that Windows XP will not be required to connect directly to an older version of the OS; some of the settings shown here may interfere with that. Therefore, if Windows XP is required to connect to legacy Windows operating systems, some security may have to be sacrificed in order to maintain connectivity.
These steps also assume that the workstations you are securing are running Windows XP with Service Pack 2 or higher (Microsoft released Service Pack 3 for Windows XP in May 2008). Many of the security settings that will be discussed here were introduced in SP2.
1. ENABLE AUTOMATIC UPDATES
Keeping Windows up to date with the latest security patches is by far the most important thing an organization can do to make desktops more secure, and it is one of the first steps towards ensuring Windows security. Fortunately, Windows XP contains a setting to apply the latest updates automatically. The technique used for enabling automatic updates varies, depending on whether the computer in question is a member of a domain.
If the Windows XP computer is not a domain member, then open the Control Panel and click the Performance and Maintenance link, followed by the System link. Windows will display the System Properties sheet. Select the properties sheet's Automatic Updates tab (see illustration below), and then choose the Automatic (recommended) option. Finally, click OK to close the System Properties sheet.
If the computer is a domain member, then group policy settings are the preferred way of enabling automatic updates. Do so by opening the Group Policy Object Editor (see illustration below) and then navigating to Computer Configuration | Administrative Templates | Windows Components | Windows Update.
Most enterprise environments use a centralized update server that is responsible for downloading updates, so each machine on the network does not have to download the updates individually. The client workstations then get their updates from this distribution server. Microsoft offers a free Windows Update server product called Windows Server Update Services, or WSUS, which is available for download.
If implementing a WSUS Server or a third-party product, point the client machine to the update server through the Specify Intranet Microsoft Update Service Location group policy setting.
2. VERIFY ALL VOLUMES ARE FORMATTED WITH NTFS
Windows XP allows local hard disks to be formatted using the FAT, FAT-32 or NTFS file systems. Of these, only NTFS supports file level security; FAT and FAT-32 do not allow you to set permissions on individual files or folders. The result is that if a volume is formatted with FAT or FAT-32, it is basically the same as assigning the Everyone group the Full Control permission for the entire volume.
To ensure the NTFS file system is used, open My Computer, right-click on the system's hard drive, and choose the Properties command from the resulting shortcut menu. Doing so will display the drive's properties sheet, which will indicate which file system is in use (see illustration below).
Hopefully, you will find that the NTFS file system is being used, but if not, there is a way to convert your current file system to NTFS. To do so, open a Command Prompt window and enter the following command:
Convert C: /FS:NTFS
The command assumes the C: drive is being converted. If you need to convert another drive, substitute that drive's letter for the C: used in the command above.
3. CONFIGURE A LOCAL SECURITY POLICY
In an enterprise environment, workstation security is typically controlled by group policies. This is a reasonable approach since the group policies can be applied at the domain, site or organizational unit (OU) level of the group policy hierarchy. At the same time, though, group policies can also be applied at the local computer level.
Many administrators make the mistake of neglecting local computer level group policies. These policies are seldom used because, as soon as a user logs on, the settings in a local security policy are typically overwritten by policy settings contained in the domain, site and OU level policies. Even so, it is important to use local security policies because otherwise the computer is left unprotected until a user logs in to a domain and the Active Directory level policies are applied.
The good news is that configuring the local security policy for Windows XP clients is easier than one might expect. In fact, Microsoft offers some free security templates that are available via download. These templates are designed to automatically implement various security settings such as password length or complexity requirements to comply with Microsoft's recommended best practices. All an administrator has to do is pick the security template that best meets the company's needs, make any desired modifications to it, and apply it to the workstations.
To use the security templates, which are part of the Windows XP Security Guide, download the guide and extract its contents to your My Documents folder. Next, open My Computer and then choose the Folder Options command from the window's Tools menu. Then clear the Hide Extensions for Known File Types check box, and click OK.
Now, open the My Documents folder and navigate to the \Windows XP Security Guide\Tools and Templates\Security Guide\Stand Alone Clients folder. Note that each of the template files ends in the .TXT extension. This is a safeguard to prevent an administrator from accidentally applying a security template. Now, remove the .TXT extension, and copy the template files to a safe location where they will not be accidentally executed. For example, the SA Enterprise XP Client--Desktop.cmd.txt file could be renamed SA Enterprise XP Client--Desktop.cmd.
To apply a security template, log on to the machine that you want to apply the security settings to--with administrative permissions--and then double-click on the preferred template file. Keep in mind that there are several different security template files, and each applies a different level of security. It is extremely important to read the full descriptions of these files in the Windows XP Security Guide and figure out which template is right for your organization prior to applying one. Odds are that no one template is going to be a perfect fit, but the guide shows how to modify the template files to better meet an organization's needs.
4. USE ANTIVIRUS SOFTWARE
It may seem obvious, but antivirus software is absolutely critical to a computer's security, and it must be kept up-to-date. Also check to see whether your antivirus application provides comprehensive protection against spyware and other malware. Many antivirus applications claim to protect against spyware but only guard against a handful of the more common varieties.
If a machine is a member of a domain, it's best to run different antivirus brands on the workstations and network servers. When new viruses are discovered, antivirus companies eventually develop detection signatures, but it's impossible to know which one will do so first, or how long it will take. By using different brands of antivirus at different layers of the network, an organization increases the odds new malware will be caught. If one antivirus product doesn't have a signature, the other might.
5. ENABLE THE WINDOWS FIREWALL
This might seem like another obvious step in securing a computer, but it is extremely important to either enable the Windows Firewall or install a third-party personal firewall. A network's perimeter firewall protects against malicious traffic coming in from the outside world, but not against attacks from within the network perimeter. With insiders often at the root of network breaches, it's tremendously important to use a firewall on each PC.
To manually enable the Windows Firewall, open the Control Panel and click on the Security Center link. Next, click on the Windows Firewall link. When the Windows Firewall properties sheet appears, click the On button (see illustration below), and then click OK.
An administrator also can enable and configure the Windows Firewall at the group policy level. Open the Group Policy Object Editor, and then navigate through the console tree to Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall.
There are two different firewall profiles that can be configured (see illustration below). There is a domain profile that is in effect any time the machine is logged in to a domain, and a standard profile that is in effect at other times.
Unfortunately, it's impossible to include every trick for hardening Windows XP here. However, if an organization takes these five critical steps, it will have a better chance at fending off threats targeting the desktop.
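To confirm that steps 1, 2 and 5 actually took effect on a workstation, the settings can be read back rather than checked sheet by sheet. The script below is an added example, not part of the original article: it assumes Windows PowerShell (an optional download for XP) is installed, the function names are illustrative, and the registry locations are those in which Windows stores these settings, not paths given in the article.

```powershell
# Added audit example (not from the article). Read-only; PowerShell 2.0 syntax.
function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function New-Finding($Step, $Item, $Value, $Ok) {
    New-Object PSObject -Property @{ Step = $Step; Item = $Item; Value = $Value; Ok = $Ok }
}

function Test-XPHardening {
    # Step 1: Automatic Updates. A group policy value wins over the local setting.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $loc = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $opt = Get-RegValue "$pol\AU" 'AUOptions'; $src = 'group policy'
    if ($null -eq $opt) { $opt = Get-RegValue $loc 'AUOptions'; $src = 'local setting' }
    $off = (Get-RegValue "$pol\AU" 'NoAutoUpdate') -eq 1
    # AUOptions 4 = download and install automatically, the "Automatic (recommended)" choice
    New-Finding 1 'Automatic Updates' "AUOptions=$opt ($src)" ((-not $off) -and $opt -eq 4)

    # Step 1, continued: if clients are told to use an intranet server, one must be named
    if ((Get-RegValue "$pol\AU" 'UseWUServer') -eq 1) {
        $srv = Get-RegValue $pol 'WUServer'
        New-Finding 1 'Intranet update server' "WUServer=$srv" ([bool]$srv)
    }

    # Step 2: every fixed local volume (DriveType 3), not only C:, should be NTFS
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
        New-Finding 2 "Volume $($_.DeviceID)" $_.FileSystem ($_.FileSystem -eq 'NTFS')
    }

    # Step 5: Windows Firewall, checked separately for the domain and standard profiles
    $fwPol = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    $fwLoc = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($p in 'DomainProfile', 'StandardProfile') {
        $v = Get-RegValue "$fwPol\$p" 'EnableFirewall'; $src = 'group policy'
        if ($null -eq $v) { $v = Get-RegValue "$fwLoc\$p" 'EnableFirewall'; $src = 'local setting' }
        New-Finding 5 "Firewall $p" "EnableFirewall=$v ($src)" ($v -eq 1)
    }
}

Test-XPHardening | Select-Object Step, Item, Value, Ok | Format-Table -AutoSize
```

Any row with Ok set to False marks a setting that differs from what the corresponding step describes; an empty Value means neither group policy nor a local setting was found for that item.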
Brien M. Posey is a freelance technical writer. He was a CIO at a national chain of hospitals and healthcare facilities, and served as a network administrator for the Department of Defense at Fort Knox. Send comments on this article to firstname.lastname@example.org.