
Since the motivations behind securing Windows XP in an educational environment are different from corporate motivations, so are the methods you use.
Securing Windows XP can be a challenging and complex process, one that doesn't end after the initial setup of a networked workstation. The procedures for securing Windows XP in educational and corporate environments are similar, but the motivating factors are sometimes different. For most corporate environments, the primary reason to secure a workstation is to prevent unauthorised access to a system -- this includes protecting data and controlling "unofficial" software installations. In some cases, due to lack of experience or proper staffing, some organisations do not secure workstations at all. They simply rely on the built-in "generic" security measures of the Windows XP operating system.
In K-12 (Kindergarten through to year 12) environments there are additional motivations. Put simply, educational environments, specifically K-12, are concerned with the integrity of the operating system and any local applications. Preventing accidental or intentional tampering is a large part of the K-12 network administrator's job. Data security on the workstation is rarely a concern because data is almost never stored locally in K-12 environments. Maintaining operational consistency is a key factor as well. The novice end users in K-12 tend to be the staff (teachers) and the experienced end users are the students. Proper security provides benefits for both groups of end users. For the staff it provides a consistent and reliable interface and function. For the student it provides a controlled environment that cannot be tampered with.
The process
The process of securing Windows XP in K-12 environments is a complex one. The network administrator must look at the client operating system from the perspective of the network administrator, technical staff, administrative staff, teaching staff, and the student as well. Security in the operating system must be effective, flexible, and also provide security for the applications that will be added initially and later on. This can be done by:
ACLs (permissions)
Using the Access Control List component of Windows XP, the network administrator can secure every drive, folder, and file on the workstation, granting or removing access only where necessary. By default, much of the operating system and associated software is left open to the end user. Using ACLs, all folders and files created by the operating system must be set to "Full Control" for Administrators and System, and "Read and Execute" for Users. These permissions must be propagated down to all subfolders and files (this includes the Program Files folder and Windows folder on the system root drive). The only folders that do require some level of Write access are:
- C:\Temp (may not exist)
- C:\Documents and Settings\All Users
- C:\Documents and Settings\Default User
- C:\WINDOWS\Debug
- C:\WINDOWS\Prefetch
- C:\WINDOWS\Temp
- C:\WINDOWS\system32\MsDtc
- C:\WINDOWS\system32\spool
The above process requires replacing all ACLs for the Users local group with Read and Execute permissions (except for the directories listed above).
Author's note: Certain applications that reside in C:\Program Files will require Write access in order to function properly.
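The following read-only audit is an added example, not part of the original article. It lists folders under C:\WINDOWS and C:\Program Files where the local Users group still holds write-class rights outside the exception list above. It assumes PowerShell 2.0 is installed on the workstation and that only these two roots are scanned; the function names are illustrative.

```powershell
# Added example: read-only audit; it changes no permissions.
$usersSid  = 'S-1-5-32-545'   # well-known SID of the local Users group
$scanRoots = @('C:\WINDOWS', 'C:\Program Files')   # assumption: roots to scan

# Folders the article lists as needing some level of Write access.
$exceptions = @(
    'C:\Temp',
    'C:\Documents and Settings\All Users',
    'C:\Documents and Settings\Default User',
    'C:\WINDOWS\Debug',
    'C:\WINDOWS\Prefetch',
    'C:\WINDOWS\Temp',
    'C:\WINDOWS\system32\MsDtc',
    'C:\WINDOWS\system32\spool'
)

# Write-class rights, plus the raw GENERIC_WRITE and GENERIC_ALL bits.
$rights    = 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int][System.Security.AccessControl.FileSystemRights]$rights -bor
             0x40000000 -bor 0x10000000

function Test-IsException([string]$Path) {
    foreach ($e in $exceptions) {
        if ($Path -eq $e -or $Path -like ($e + '\*')) { return $true }
    }
    return $false
}

function Get-UsersWriteAce([string]$Path, [bool]$IncludeInherited) {
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $IncludeInherited, $sidType)) {
        if ($ace.IdentityReference.Value -eq $usersSid -and
            $ace.AccessControlType -eq 'Allow' -and
            ([int]$ace.FileSystemRights -band $writeMask)) {
            New-Object PSObject -Property @{
                Path = $Path; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

$findings = foreach ($root in $scanRoots) {
    if (-not (Test-Path $root)) { continue }
    # Inherited ACEs are reported once, at the scan root; below it only explicit ones.
    Get-UsersWriteAce $root $true
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and -not (Test-IsException $_.FullName) } |
        ForEach-Object { Get-UsersWriteAce $_.FullName $false }
}
$findings | Select-Object Path, Rights, Inherited | Format-Table -AutoSize
```

An empty result means no folder under the scanned roots grants Users write access outside the exceptions; a hit under C:\Program Files may be one of the applications the author's note mentions and should be reviewed rather than removed blindly.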
Local groups
An ACL can only be applied to either a user or a group. It's always best to create the permissions using local groups (you should use actual user accounts only rarely). Using local groups for setting permissions is a standard practice for many network administrators and is recommended by Microsoft. It is not suggested to use global groups because their effectiveness can be lost if a workstation cannot communicate with a domain controller.
Miscellaneous
You should only use Remote Administration (Terminal Services) where absolutely necessary. Also, you should enable it only for network administrator access. You should disable unnecessary system services as well. This can be a complex task that you must perform carefully with proper testing. Finally, any unnecessary software should be removed from the workstation. This includes any software that is part of the Windows XP operating system that can be removed.
Troubleshooting and monitoring
Auditing tools and logging (built into Windows XP)
Used properly, auditing and logging are invaluable when troubleshooting and verifying that the proper security is set on the operating system.
FileMon and RegMon (by Sysinternals)
The security auditing tools built into Windows XP are functional and provide great value. Sysinternals (which is now owned by Microsoft) offers a suite of tools that are an excellent complement to the built-in tools. Two of the tools are FileMon and RegMon, both graphical real-time tools to monitor file system and registry activity. Often they can easily provide information that operating system auditing alone cannot. Tools such as these are critical when testing the security of a new/modified Windows XP workstation setup. Legacy applications, or those with local data storage, often will conflict with the above recommended security configurations. These tools can help the network administrator to quickly identify and resolve issues.
The result
Securing Windows XP in K-12 environments is no easy task. The network administrator must be fully aware of all aspects of expected use and special requirements. You must set proper permissions using local groups, and turn off any unnecessary software and features. You must test all changes thoroughly using built-in and third-party tools. The result is a Windows XP workstation that is secure, tamper-proof, and reliable.





