Since the motivations behind securing Windows XP in an educational environment are different from corporate motivations, so are the methods you use.

Securing Windows XP can be a challenging and complex process, one that doesn't end after the initial setup of a networked workstation. The procedures for securing Windows XP in educational and corporate environments are similar, but the motivating factors are sometimes different. For most corporate environments, the primary reason to secure a workstation is to prevent unauthorised access to a system -- this includes protecting data and controlling "unofficial" software installations. In some cases, due to lack of experience or proper staffing, some organisations do not secure workstations at all. They simply rely on the built in "generic" security measures of the Windows XP operating system.

In K-12 (Kindergarten through to year 12) environments there are additional motivations. Put simply, educational environments, specifically K-12, are concerned with the integrity of the operating system and any local applications. Preventing accidental or intentional tampering is a large part of the K-12 network administrator's job. Data security on the workstation is rarely a concern because data is almost never stored locally in K-12 environments. Also, maintaining operational consistency is a key factor as well. The novice end users in K-12 tend to be the staff (teachers) and the experienced end users are the students. Proper security provides benefits for both groups of end users. For the staff it provides a consistent and reliable interface and function. For the student it provides a controlled environment that cannot be tampered with.

The process

ACLs (permissions)
Using the Access Control List component of Windows XP, the network administrator can secure every drive, folder, and file on the workstation. Only the necessary access can be given or taken away where necessary. By default, much of the operating system and associated software is left open to the end user. Using ACLs all folders and files created by the operating system must be set to "Full Control" for Administrators and System, and "Read and Execute" for Users. These permissions must be propagated down to all subfolders and files (this includes the Program Files folder and Windows folder on the system root drive). The only folders that do require some level of Write access are:

• C:\Temp (may not exist)
• C:\Documents and Settings\All Users
• C:\Documents and Settings\Default User
• C:\WINDOWS\Debug
• C:\WINDOWS\Prefetch
• C:\WINDOWS\Temp
• C:\WINDOWS\system32\MsDtc
• C:\WINDOWS\system32\spool

The above process requires replacing all ACLs for the Users local group with Read and Execute permissions (except for the above mentioned directories).

Author's note: Certain applications that reside in C:\Program Files will require Write access in order to function properly

Local groups
An ACL can only be applied to either a user or a group. It's always best to create the permissions using local groups (you should use actual user accounts only rarely). Using local groups for settings permissions is a standard practice for many network administrators and is recommended by Microsoft. It is not suggested to use global groups because their effectiveness can be lost if a workstation cannot communicate with a domain controller.

Miscellaneous
You should only use Remote Administration (Terminal Services) where absolutely necessary. Also, you should enable it only network administrator access. You should disable unnecessary system services as well. This can be a complex task that you must perform carefully with proper testing. Finally, any unnecessary software should be removed from the workstation. This includes any software that is part of the Windows XP operating system that can be removed.

Troubleshooting and monitoring

Auditing tools and logging (built-in to Windows XP)
Used properly, auditing and logging are invaluable when troubleshooting and verifying that the proper security is set on the operating system.

FileMon and RegMon (by Sysinternals)
The security auditing tools built-in to Windows XP are functional and provide great value. Sysinternals (which is now owned by Microsoft) offers a suite of tools that are an excellent complement to the built-in tools. Two of the tools are FileMon and RegMon., both graphical real-time tools to monitor file system and registry activity. Often they can easily provide information that operating system auditing alone cannot. Tools such as these are critical when testing the security of a new/modified Windows XP workstation setup. Legacy applications, or those with local data storage, often will conflict with the above recommended security configurations. These tools can help the network administrator to quickly identify and resolve issues.

The result
Securing Windows XP in K-12 environments is no easy task. The network administrator must be fully aware of all aspects of expected use and special requirements. You must set proper permissions using local groups, and turn off any unnecessary software and features. You must test all changes thoroughly using built-in and third-party tools. The result is a Windows XP workstation that is secure, tamper proof, and reliable.

TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.