XP Security settings for stand-alone PC

  • Question

  • Hello,

    I'm trying to apply a security lockdown to a stand-alone Windows XP system and wonder if somebody could please help unconfuse me on some points.

    1.   What needs to be set on a stand-alone PC?

    I'm happy with the process of creating a security template (based on the hisecws.inf) and applying it.   I am not sure what else actually needs doing after that.   The XP Security Guide gives me the impression that, seeing as the PC doesn't belong to a domain, I need do nothing further.   However, I have seen several sites where both the Computer and User configuration Administrative templates are also set.    Which is the case?  

    2. For rebuild purposes (when the security settings are unaltered), what files can I copy onto a newly built PC to reduce the time taken in applying the lockdown?

    3.  Is there a concise document that covers applying a security lockdown to a stand-alone PC?

    Thank you,

    Wednesday, August 22, 2012 4:29 PM

All replies

  • Thank you for your reply.   I've modified one of the security templates and applied it via the MMC  Security Configuration and Analysis snap-in.   However, I'm not sure what to do after that, if anything.   

    As far as I can tell from the Windows XP Security Guide, a networked PC would have modifications made to its Computer and User Administrative policies via the Group Policy Object Editor snap-in. Chapter 5 of the Security Guide, which covers securing a stand-alone XP client, seems to make no mention of this. My web crawling has thrown up examples of people both applying the Administrative policies to a stand-alone PC and not applying them. Some of them don't seem to make much sense from a stand-alone perspective (especially as my target PC doesn't have internet access) whilst others do. What I would like to find is some further guidance on configuring stand-alone systems and what is applicable ... I'm a systems engineer and don't normally operate at this level of software/OS detail.

    Cheers,

    Friday, August 31, 2012 4:36 PM
  • Can you elaborate on your definition of 'stand-alone'?

    Are you planning a stand-alone kiosk so that non-employees cannot hack the machine via the keyboard/mouse, but can use a few approved applications

    http://www.msfn.org/board/topic/141367-need-your-help-guys/

    or do you mean it in the 'non-domain' sense (i.e. stand-alone or workgroup mode) which needs to be useable and allow any applications to run, allow ctrl alt del to work, etc.

    A little about pushing the settings via installation: Secedit.exe can be used to import/export your security settings. It's just a one-liner you'll need to run, and the files you export will need to be included in the XP install.

    Import

    http://technet.microsoft.com/en-us/library/hh875511%28v=ws.10%29

    Export

    http://technet.microsoft.com/en-us/library/hh875542%28v=ws.10%29.aspx


    Don't forget to mark your posts as answered so they drop off the unanswered post filter.



    Saturday, September 1, 2012 4:31 AM
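
The export-then-apply workflow described in the reply above, written out as a batch file. This is an added example, not part of the original thread; the `C:\lockdown` paths and file names are placeholders.

```batch
@echo off
rem Added example: capture security settings on a reference PC and
rem re-apply them on a rebuilt PC with secedit.exe.
rem All paths and file names below are placeholders.
setlocal
set TEMPLATE=C:\lockdown\lockdown.inf
set DB=C:\lockdown\lockdown.sdb
set APPLY_LOG=C:\lockdown\apply.log
set CHECK_LOG=C:\lockdown\analyze.log

if /i "%~1"=="export" goto export
if /i "%~1"=="apply" goto apply
echo Usage: %~nx0 export ^| apply
exit /b 1

:export
rem Reference PC: write the current local security policy to a template.
secedit /export /cfg "%TEMPLATE%" /log "%APPLY_LOG%" /quiet
exit /b %errorlevel%

:apply
rem Rebuilt PC: the template must have been copied over with the install.
if not exist "%TEMPLATE%" (
    echo Template %TEMPLATE% not found.
    exit /b 1
)
rem Build a fresh database from the template and apply it to the system.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /overwrite /log "%APPLY_LOG%" /quiet
if errorlevel 1 (
    echo secedit /configure failed, see %APPLY_LOG%
    exit /b 1
)
rem Compare the live system against the database; mismatches are logged.
secedit /analyze /db "%DB%" /log "%CHECK_LOG%" /quiet
exit /b %errorlevel%
```

The template carries only security settings (account and local policies, event log, services, registry and file permissions). Administrative Templates settings made in the Group Policy Object Editor are not part of it.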
  • Thank you for the links, I'll have a look through them.   The latter 2, in particular, look quite useful.

    I meant in a "non-domain" sense and the PCs are almost, but not quite kiosk. The main users are (effectively) "kiosk" users in the sense that they are presented with a single application; other users have slightly more access to the system, e.g. taking data-file backups.

    My main quandary is whether I need to carry out any changes to the Administrative Templates in the LGPO.

    Regards,

    Monday, September 3, 2012 11:52 AM