Client hardening

This excerpt from the Microsoft Windows Group Policy Guide covers best practices for creating and maintaining a secure environment for desktops and laptops running Windows XP Professional. Hardening clients also involves knowing which ports need to be open for secure communications, how to restrict groups on client computers, and how much privilege to give IT staff, administrators and help desk staff, among other tasks.

The following excerpt series from Chapter 5 of "Microsoft Windows Group Policy Guide" by William R. Stanek, Darren Mar-Elia and Derek Melber is provided by Microsoft Press, copyright 2005.



TABLE OF CONTENTS
    Best practice security settings
    Ports required for clients
    Restricted groups for clients
    Client computers for IT staff and administrators
    Client computers for help desk staff

  Best practice security settings

Not only should servers be hardened to protect against outside intruders, but clients need the same attention. Clients also need to have services, ports, applications, groups, and so on locked down to reduce security risks as much as possible. This reduction in security risk should not compromise functionality in most cases. If the security on a client is too tight, users might not be able to use applications and network communications as needed.

To show a wide range of client configuration best practices, we will look at four common environments. The best practices focus on creating and maintaining a secure environment for desktops and laptops running Windows XP Professional. We will break clients down into two categories, enterprise and high security, each of which covers both desktops and laptops and so gives the four environments:

  • Enterprise   The enterprise environment consists of a Windows 2000 or Windows Server 2003 Active Directory domain. The clients in this environment will be managed using Group Policy that is applied to containers, sites, domains, and OUs. Group Policy provides a centralized method of managing security policy across the environment.

  • High security   The high-security environment has elevated security settings for the client. When high-security settings are applied, user functionality is limited to functions that are required for the necessary tasks. Access is limited to approved applications, services, and infrastructure environments.

It would be impossible to cover every possible scenario or environment. However, we will suggest security settings that have been reviewed, tested, and approved by Microsoft engineers, consultants, and customers in a production environment. Table 5-14 lists settings that are available within a standard security template and the best-practice configurations for the following four scenarios:

  • Enterprise desktop computers
  • Enterprise laptop computers
  • High-security desktop computers
  • High-security laptop computers

MORE INFO   For more information on the security settings below for hardening Windows XP clients in each of these four environments, see the Windows XP Security Guide v2. For a thorough discussion of all security settings available in Windows XP Service Pack 2, see the Threats and Countermeasures Guide.

IMPORTANT   Before you implement any security settings or best-practice configurations for your production clients, be sure to test the settings for your environment. Applications, operating systems, and other network constraints can cause issues with these best-practice settings in some instances.

Table 5-14   Best practice security settings for the four types of clients

Security Setting | Enterprise Desktop | Enterprise Laptop | High Security Desktop | High Security Laptop

Auditing
Account Logon Events | Success, Failure | Success, Failure | Success, Failure | Success, Failure
Account Management | Success, Failure | Success, Failure | Success, Failure | Success, Failure
Directory Service Access | No Auditing | No Auditing | No Auditing | No Auditing
Logon Events | Success, Failure | Success, Failure | Success, Failure | Success, Failure
Object Access | Success, Failure | Success, Failure | Success, Failure | Success, Failure
Policy Change | Success | Success | Success | Success
Privilege Use | Failure | Failure | Failure | Failure
Process Tracking | No Auditing | No Auditing | No Auditing | No Auditing
System Events | Success | Success | Success, Failure | Success, Failure

Security Setting | Enterprise Desktop | Enterprise Laptop | High Security Desktop | High Security Laptop

User Rights
Access this computer from the network | Administrators, Backup Operators, Power Users, Users | Administrators, Backup Operators, Power Users, Users | Administrators, Users | Administrators, Users
Act as part of the operating system | No one | No one | No one | No one
Adjust memory quotas for a process | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators, Network Service | Administrators, Local Service, Network Service
Allow log on locally | Users, Administrators | Users, Administrators | Users, Administrators | Users, Administrators
Allow log on through Terminal Services | Administrators, Remote Desktop Users | Administrators, Remote Desktop Users | No one | No one
Backup files and directories | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Change the system time | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Create a pagefile | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Create a permanent shared object | Not Defined (Use defaults) | Not Defined (Use defaults) | No one | No one
Create a token object | Not Defined (Use defaults) | Not Defined (Use defaults) | No one | No one
Debug programs | Administrators | Administrators | Administrators | Administrators
Deny access to this computer from the network | Not Defined (Use defaults) | Not Defined (Use defaults) | Everyone | Everyone
Deny log on through Terminal Services | Not Defined (Use defaults) | Not Defined (Use defaults) | Everyone | Everyone
Enable computer and user accounts to be trusted for delegation | No one | No one | No one | No one
Force shutdown from a remote system | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Generate security audits | Not Defined (Use defaults) | Not Defined (Use defaults) | NETWORK SERVICE, LOCAL SERVICE | NETWORK SERVICE, LOCAL SERVICE
Increase scheduling priority | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Load and unload device drivers | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Log on as a batch job | Not Defined (Use defaults) | Not Defined (Use defaults) | No one | No one
Log on as a service | Not Defined (Use defaults) | Not Defined (Use defaults) | No one | No one
Manage auditing and security log | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Modify firmware environment values | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Perform volume maintenance tasks | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Profile single process | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Profile system performance | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Replace a process level token | LOCAL SERVICE, NETWORK SERVICE | LOCAL SERVICE, NETWORK SERVICE | LOCAL SERVICE, NETWORK SERVICE | LOCAL SERVICE, NETWORK SERVICE
Restore files and directories | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators, Users
Shut down the system | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators, Users | Administrators, Users
Take ownership of files or other objects | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators

Security Setting | Enterprise Desktop | Enterprise Laptop | High Security Desktop | High Security Laptop

Security Options
Accounts: Guest account status | Disabled | Disabled | Disabled | Disabled
Accounts: Limit local account use of blank passwords to console logon | Enabled | Enabled | Enabled | Enabled
Accounts: Rename administrator account | Recommended | Recommended | Recommended | Recommended
Accounts: Rename guest account | Recommended | Recommended | Recommended | Recommended
Devices: Allow undock without having to log on | Disabled | Disabled | Disabled | Disabled
Devices: Allowed to format and eject removable media | Administrators, Interactive Users | Administrators, Interactive Users | Administrators | Administrators
Devices: Prevent users from installing printer drivers | Enabled | Enabled | Enabled | Enabled
Devices: Restrict CD-ROM access to locally logged-on user only | Disabled | Disabled | Disabled | Disabled
Devices: Restrict floppy access to locally logged-on user only | Disabled | Disabled | Disabled | Disabled
Devices: Unsigned driver installation behavior | Warn but allow installation | Warn but allow installation | Do not allow installation | Do not allow installation
Domain member: Digitally encrypt or sign secure channel data (always) | Not Defined (Use defaults) | Not Defined (Use defaults) | Enabled | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled | Enabled | Enabled | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled | Enabled | Enabled | Enabled
Domain member: Disable machine account password changes | Disabled | Disabled | Disabled | Disabled
Domain member: Maximum machine account password age | 30 days | 30 days | 30 days | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Enabled | Enabled | Enabled | Enabled
Interactive logon: Do not display last user name | Enabled | Enabled | Enabled | Enabled
Interactive logon: Do not require CTRL+ALT+DEL | Disabled | Disabled | Disabled | Disabled
Interactive logon: Message text for users attempting to log on | All four: "This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background."
Interactive logon: Message title for users attempting to log on | All four: "IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION"
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 2 | 2 | 0 | 1
Interactive logon: Prompt user to change password before expiration | 14 days | 14 days | 14 days | 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled | Disabled | Enabled | Disabled
Interactive logon: Smart card removal behavior | Lock Workstation | Lock Workstation | Lock Workstation | Lock Workstation
Microsoft network client: Digitally sign communications (always) | Not Defined (Use defaults) | Not Defined (Use defaults) | Enabled | Enabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Enabled | Enabled | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled | Disabled | Disabled
Microsoft network server: Amount of idle time required before suspending session | 15 minutes | 15 minutes | 15 minutes | 15 minutes
Microsoft network server: Digitally sign communications (always) | Enabled | Enabled | Enabled | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled | Enabled | Enabled | Enabled
Network access: Allow anonymous SID/Name translation | Disabled | Disabled | Disabled | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled | Enabled | Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled | Enabled | Enabled | Enabled
Network access: Let Everyone permissions apply to anonymous users | Disabled | Disabled | Disabled | Disabled
Network access: Shares that can be accessed anonymously | comcfg, dfs$ | comcfg, dfs$ | comcfg, dfs$ | comcfg, dfs$
Network access: Sharing and security model for local accounts | Classic: local users authenticate as themselves | Classic: local users authenticate as themselves | Classic: local users authenticate as themselves | Classic: local users authenticate as themselves
Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled | Enabled | Enabled
Network security: LAN Manager authentication level | Send NTLMv2 responses only | Send NTLMv2 responses only | Send NTLMv2 response only/refuse LM and NTLM | Send NTLMv2 response only/refuse LM and NTLM
Network security: LDAP client signing requirements | Not defined | Not defined | Require signing | Require signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | All four: Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | All four: Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption
Recovery console: Allow automatic administrative logon | Disabled | Disabled | Disabled | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Enabled | Enabled | Disabled | Disabled
Shutdown: Allow system to be shut down without having to log on | Disabled | Disabled | Disabled | Disabled
Shutdown: Clear virtual memory page file | Disabled | Disabled | Enabled | Enabled
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled | Disabled | Disabled | Disabled
System objects: Default owner for objects created by members of the Administrators group | Object creator | Object creator | Object creator | Object creator
System objects: Require case insensitivity for non-Windows subsystems | Enabled | Enabled | Enabled | Enabled
System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links) | Enabled | Enabled | Enabled | Enabled

Security Setting | Enterprise Desktop | Enterprise Laptop | High Security Desktop | High Security Laptop

Event Log
Maximum application log size | 20480 KB | 20480 KB | 20480 KB | 20480 KB
Maximum security log size | 40960 KB | 40960 KB | 81920 KB | 81920 KB
Maximum system log size | 20480 KB | 20480 KB | 20480 KB | 20480 KB
Prevent local guests group from accessing application log | Enabled | Enabled | Enabled | Enabled
Prevent local guests group from accessing security log | Enabled | Enabled | Enabled | Enabled
Prevent local guests group from accessing system log | Enabled | Enabled | Enabled | Enabled
Retention method for application log | As needed | As needed | As needed | As needed
Retention method for security log | As needed | As needed | As needed | As needed
Retention method for system log | As needed | As needed | As needed | As needed

Security Setting | Enterprise Desktop | Enterprise Laptop | High Security Desktop | High Security Laptop

System Services
Alerter | Disabled | Disabled | Disabled | Disabled
Application Layer Gateway Service | Disabled | Disabled | Disabled | Disabled
Application Management | Disabled | Disabled | Disabled | Disabled
ASP .NET State Service | Disabled | Disabled | Disabled | Disabled
Automatic Updates | Automatic | Automatic | Automatic | Automatic
Background Intelligent Transfer Service | Manual | Manual | Manual | Manual
ClipBook | Disabled | Disabled | Disabled | Disabled
COM+ Event System | Manual | Manual | Manual | Manual
COM+ System Application | Disabled | Disabled | Disabled | Disabled
Computer Browser | Disabled | Disabled | Disabled | Disabled
Cryptographic Services | Automatic | Automatic | Automatic | Automatic
DHCP Client | Automatic | Automatic | Automatic | Automatic
Distributed Link Tracking Client | Disabled | Disabled | Disabled | Disabled
Distributed Link Tracking Server | Disabled | Disabled | Disabled | Disabled
Distributed Transaction Coordinator | Disabled | Disabled | Disabled | Disabled
DNS Client | Automatic | Automatic | Automatic | Automatic
Error Reporting Service | Disabled | Disabled | Disabled | Disabled
Event Log | Automatic | Automatic | Automatic | Automatic
Fax Service | Manual | Manual | Disabled | Disabled
FTP Publishing | Disabled | Disabled | Disabled | Disabled
Help and Support | Disabled | Disabled | Disabled | Disabled
HTTP SSL | Disabled | Disabled | Disabled | Disabled
Human Interface Device Access | Disabled | Disabled | Disabled | Disabled
IIS Admin Service | Disabled | Disabled | Disabled | Disabled
IMAPI CD-Burning COM Service | Disabled | Disabled | Disabled | Disabled
Indexing Service | Disabled | Disabled | Disabled | Disabled
IPSec Services | Automatic | Automatic | Automatic | Automatic
Logical Disk Manager | Manual | Manual | Manual | Manual
Logical Disk Manager Administrative Service | Manual | Manual | Manual | Manual
Messenger | Disabled | Disabled | Disabled | Disabled
MS Software Shadow Copy Provider | Disabled | Disabled | Disabled | Disabled
Netlogon | Automatic | Automatic | Automatic | Automatic
NetMeeting Remote Desktop Sharing | Disabled | Disabled | Disabled | Disabled
Network Connections | Manual | Manual | Manual | Manual
Network DDE | Manual | Manual | Disabled | Disabled
Network DDE DSDM | Manual | Manual | Disabled | Disabled
Network Location Awareness (NLA) | Manual | Manual | Manual | Manual
Network Provisioning Service | Disabled | Disabled | Disabled | Disabled
NTLM Support Provider | Automatic | Automatic | Automatic | Automatic
Performance Logs and Alerts | Manual | Manual | Manual | Manual
Plug and Play | Automatic | Automatic | Automatic | Automatic
Portable Media Serial Number | Disabled | Disabled | Disabled | Disabled
Print Spooler | Disabled | Disabled | Disabled | Disabled
Protected Storage | Automatic | Automatic | Automatic |
Remote Access Auto Connection Manager | Disabled | Disabled | Disabled |
Remote Access Connection Manager | Disabled | Disabled | Disabled |
Remote Desktop Help Session Manager | Disabled | Disabled | Disabled |
Remote Procedure Call (RPC) | Disabled | Disabled | Disabled | Disabled
Remote Procedure Call (RPC) Locator | Disabled | Disabled | Disabled | Disabled
Remote Registry Service | Automatic | Automatic | Disabled | Disabled
Removable Storage | Disabled | Disabled | Disabled | Disabled
Routing and Remote Access | Disabled | Disabled | Disabled | Disabled
Secondary Logon | Disabled | Disabled | Disabled | Disabled
Security Accounts Manager | Automatic | Automatic | Automatic | Automatic
Server | Automatic | Automatic | Disabled | Disabled
Shell Hardware Detection | Disabled | Disabled | Disabled | Disabled
Smart Card | Disabled | Disabled | Disabled | Disabled
SSDP Discovery Service | Disabled | Disabled | Disabled | Disabled
System Event Notification | Automatic | Automatic | Automatic | Automatic
System Restore Service | Disabled | Disabled | Disabled | Disabled
Task Scheduler | Disabled | Disabled | Disabled | Disabled
TCP/IP NetBIOS Helper Service | Automatic | Automatic | Automatic | Automatic
Telephony | Disabled | Disabled | Disabled | Disabled
Telnet | Disabled | Disabled | Disabled | Disabled
Terminal Services | Disabled | Disabled | Disabled | Disabled
Themes | Disabled | Disabled | Disabled | Disabled
Uninterruptible Power Supply | Disabled | Disabled | Disabled | Disabled
Volume Shadow Copy | Disabled | Disabled | Disabled | Disabled
WebClient | Disabled | Disabled | Disabled | Disabled
Windows Audio | Disabled | Disabled | Disabled | Disabled
Windows Firewall/Internet Connection Sharing (ICS) | Disabled | Disabled | Enabled | Enabled
Windows Image Acquisition (WIA) | Disabled | Disabled | Disabled | Disabled
Windows Installer | Automatic | Automatic | Automatic | Automatic
Windows Management Instrumentation | Automatic | Automatic | Automatic | Automatic
Windows Management Instrumentation Driver Extensions | Disabled | Disabled | Disabled | Disabled
Windows Time | Automatic | Automatic | Automatic | Automatic
Windows User Mode Driver Framework | Disabled | Disabled | Disabled | Disabled
Wireless Zero Configuration | Manual | Manual | Manual | Manual
WMI Performance Adapter | Disabled | Disabled | Disabled |
Workstation | Automatic | Automatic | Automatic |
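Settings like those in Table 5-14 are deployed through a security template (.inf), which is also the form in which they can be checked. The script below is an added example, not code from the book or from Microsoft: it parses a constructed template in the secedit .inf format and reports every key that deviates from the High Security Desktop column for the audit policy, a few user rights, several Security Options registry values and the security log size. The section and key names are the real ones the template format uses; the sample template itself is constructed and carries two deliberate deviations (Power Users allowed to access the computer from the network, and two cached logons instead of zero) so that the report has something to show.

```python
"""Audit a security template (.inf, the format Group Policy security settings
are exported to and imported from) against the High Security Desktop column
of Table 5-14.  Added example; SAMPLE_TEMPLATE is constructed."""
import re

# Constructed .inf snippet.  Encodings of the format: [Event Audit] 0 = no
# auditing, 1 = success, 2 = failure, 3 = both; [Privilege Rights] lists SIDs
# prefixed with * (an empty value means "No one", an absent key "Not Defined");
# [Registry Values] is path=type,data with 4 = REG_DWORD and 1 = REG_SZ.
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 0
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPolicyChange = 1
AuditPrivilegeUse = 2
AuditProcessTracking = 0
AuditSystemEvents = 3
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547
SeTcbPrivilege =
SeRemoteInteractiveLogonRight =
SeDenyNetworkLogonRight = *S-1-1-0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,2
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"2"
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
[Security Log]
MaximumLogSize = 81920
RestrictGuestAccess = 1
"""

AUDIT_CODES = {"No Auditing": 0, "Success": 1, "Failure": 2, "Success, Failure": 3}

# High Security Desktop column of Table 5-14 in template terms.  Well-known
# SIDs: S-1-5-32-544 Administrators, S-1-5-32-545 Users, S-1-1-0 Everyone.
HSD_AUDIT = {
    "AuditAccountLogon": "Success, Failure", "AuditAccountManage": "Success, Failure",
    "AuditDSAccess": "No Auditing", "AuditLogonEvents": "Success, Failure",
    "AuditObjectAccess": "Success, Failure", "AuditPolicyChange": "Success",
    "AuditPrivilegeUse": "Failure", "AuditProcessTracking": "No Auditing",
    "AuditSystemEvents": "Success, Failure",
}
HSD_RIGHTS = {
    "SeNetworkLogonRight": {"*S-1-5-32-544", "*S-1-5-32-545"},  # Administrators, Users
    "SeTcbPrivilege": set(),                                      # No one
    "SeRemoteInteractiveLogonRight": set(),                       # No one
    "SeDenyNetworkLogonRight": {"*S-1-1-0"},                      # Everyone
}
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
HSD_REGISTRY = {
    LSA + r"\LmCompatibilityLevel": "4,5",  # NTLMv2 response only/refuse LM and NTLM
    LSA + r"\NoLMHash": "4,1",              # do not store LAN Manager hash
    r"MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity": "4,2",  # require signing
    r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount": '1,"0"',
    r"MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal": "4,1",
}
HSD_SECURITY_LOG = {"MaximumLogSize": "81920", "RestrictGuestAccess": "1"}


def parse_template(text):
    """Parse secedit .inf text into {section: {key: value}}, keeping key case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None:
            raise ValueError("key/value before any section: %r" % line)
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def _sid_set(value):
    """Split a [Privilege Rights] value into a set; '' means nobody holds the right."""
    return {s.strip() for s in value.split(",") if s.strip()}


def audit_template(text):
    """Return [(section, key, expected, found)] for every deviation from the
    High Security Desktop baseline.  found is None when the key is absent,
    which for a user right means Not Defined, not No one."""
    t = parse_template(text)
    findings = []
    for key, expected in HSD_AUDIT.items():
        found = t.get("Event Audit", {}).get(key)
        if found != str(AUDIT_CODES[expected]):
            findings.append(("Event Audit", key, expected, found))
    for key, expected in HSD_RIGHTS.items():
        found = t.get("Privilege Rights", {}).get(key)
        if found is None or _sid_set(found) != expected:
            findings.append(("Privilege Rights", key, ",".join(sorted(expected)) or "(no one)", found))
    for section, baseline in (("Registry Values", HSD_REGISTRY), ("Security Log", HSD_SECURITY_LOG)):
        for key, expected in baseline.items():
            found = t.get(section, {}).get(key)
            if found != expected:
                findings.append((section, key, expected, found))
    return findings


if __name__ == "__main__":
    for section, key, expected, found in audit_template(SAMPLE_TEMPLATE):
        print("[%s] %s: expected %s, found %r" % (section, key, expected, found))
```

The distinction the user-rights check makes matters in practice: a right whose key is missing from the template is left at whatever the machine already has ("Not Defined"), whereas an empty value actively strips it from everyone, which is what "No one" in the table means.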

  Ports required for clients

Clients must have basic communication on a network to send and receive e-mail and access network resources. Specific ports must be opened to provide this communication, as shown in Table 5-15. Unless your client needs to communicate in some other manner, or runs an application that requires an additional port to be opened, these ports are sufficient for secure communications.

Table 5-15   Ports required for clients

Port | Description
137 (NetBIOS name service) | Used by the browse master service. This port must be opened for WINS and browse master servers.
138 (NetBIOS datagram service) | Must be open to accept inbound datagrams from NetBIOS applications such as the Messenger service and the Windows Browser.
139 (NetBIOS session service) | Should be closed unless you run applications or operating systems that must support Windows networking (SMB) connections. If you run Windows NT 4.0, Windows Millennium Edition, Windows 98, or Windows 95, this port must be open on your servers.
445 (SMB) | Used by basic Windows networking, including file sharing, printer sharing, and remote administration.
3389 (Remote Desktop Protocol) | Must be open if you are using Terminal Services for application sharing, remote desktop, or remote assistance.
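Whether a port in Table 5-15 needs to be open on a given client follows from the service start types chosen in the System Services part of Table 5-14: a port with no enabled listener behind it is exposure that buys nothing. The script below is an added example, not from the book. The port-to-service mapping is an assumption drawn from the table's own descriptions (browse master and Messenger datagrams on 137/138, the SMB file and printer sharing served by the Server service on 139/445, Terminal Services on 3389); the two service profiles are the Enterprise Desktop and High Security Desktop columns of Table 5-14, and the list of currently open ports is constructed.

```python
"""Derive which inbound ports of Table 5-15 a client needs from its service
start types, and flag open ports with no enabled listener.  Added example."""

PORT_NAMES = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB",
    3389: "Remote Desktop Protocol",
}

# Assumed: the services whose running state makes the port an inbound listener.
LISTENERS = {
    137: {"Computer Browser"},
    138: {"Computer Browser", "Messenger"},
    139: {"Server"},
    445: {"Server"},
    3389: {"Terminal Services"},
}

# Start types from the System Services rows of Table 5-14.
ENTERPRISE_DESKTOP = {
    "Computer Browser": "Disabled", "Messenger": "Disabled",
    "Server": "Automatic", "Terminal Services": "Disabled",
}
HIGH_SECURITY_DESKTOP = {
    "Computer Browser": "Disabled", "Messenger": "Disabled",
    "Server": "Disabled", "Terminal Services": "Disabled",
}


def required_inbound_ports(start_types):
    """Ports that must be allowed inbound because at least one service that
    listens on them is not Disabled.  Manual counts as enabled: a Manual
    service can be started on demand and will then listen."""
    return {port for port, services in LISTENERS.items()
            if any(start_types.get(s, "Disabled") != "Disabled" for s in services)}


def exposure_without_listener(open_ports, start_types):
    """Open ports that no enabled service uses: reachable surface that should
    be closed (or whose opening rule should be removed)."""
    return sorted(set(open_ports) - required_inbound_ports(start_types))


def report(label, open_ports, start_types):
    """Human-readable summary for one client profile; returns the lines."""
    lines = ["%s: required inbound %s" % (label, sorted(required_inbound_ports(start_types)))]
    for port in exposure_without_listener(open_ports, start_types):
        lines.append("  close %d (%s): open, but every service behind it is Disabled"
                     % (port, PORT_NAMES[port]))
    return lines


if __name__ == "__main__":
    currently_open = [139, 445, 3389]  # constructed: what the firewall allows in today
    for label, profile in (("Enterprise Desktop", ENTERPRISE_DESKTOP),
                           ("High Security Desktop", HIGH_SECURITY_DESKTOP)):
        print("\n".join(report(label, currently_open, profile)))
```

For the High Security Desktop profile every listed service is Disabled, so none of the five ports needs an inbound opening; for the Enterprise Desktop only 139 and 445 do, and an opening for 3389 on such a client is flagged because Terminal Services is Disabled there.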

  Restricted groups for clients

The local groups that exist on client computers should be controlled to ensure that the correct members belong to the administrative groups that exist on each computer. If these groups are not controlled through Group Policy, the local administrator will be able to control who has administrative control over the computer, and this can lead to insecure configurations and vulnerabilities.

Table 5-16 lists best practices for local groups and which users or groups should be configured to belong to each group.

Table 5-16   Restricted group best practices for clients

Local Group | Members
Administrators | Administrator (local); Domain Admins
Backup Operators | No one
Network Configuration Operators | No one
Power Users | No one
Remote Desktop Users | No one

  Client computers for IT staff and administrators

The standard client computer settings might not work for a computer that is used by someone on the IT staff or by an administrator. These users need more privileged access to their own computers, including the ability to install applications, modify their own registries, run administrative tools, and possibly back up their own computers. These tasks require certain services, ports, and restricted group configurations on the computer. The following sections offer best-practice configurations for computers used by IT staff and administrators to give them the access they need. We will cover only the settings that differ from those for the standard client computer suite described previously.

Security settings for IT staff and administrators

IT staff and administrators need access to key parts of their computers to access files, folders, and registry values. When an application is installed that needs to update these portions of their computers, the security must not prohibit them from doing these tasks. Instead of listing the exact security settings that need to be made (which would be almost impossible to determine without knowing the application or task), we will look at some of the key tasks and responsibilities of an administrator and how to loosen security enough to allow these functions.

Local services and software

Administrators need to access certain services that might otherwise be disabled. You might need to set the following services to manual or automatic:

  • Alerter
  • Distributed Link Tracking Client
  • Help and Support
  • IIS Admin Service
  • IMAPI CD-Burning COM Service
  • Messenger
  • MS Software Shadow Copy Provider
  • Remote Procedure Call (RPC)
  • Remote Procedure Call (RPC) Locator
  • Removable Storage
  • Server
  • Uninterruptible Power Supply

An administrator might also need to install other software to administer other clients, servers, or Active Directory resources, including the following:

  • Administrative Tools (Admnpak.msi)
  • Group Policy Management Console (Gpmc.msi)
  • Windows Support Tools (SupportTools folder on the Windows XP product CD)
  • Windows XP Resource Kit Tools, which are on the CD-ROM included in the Microsoft Windows XP Professional Resource Kit, Third Edition (Microsoft Press, 2005)

These applications can be installed by Group Policy or by the user of the computer. A user must have administrative privileges to perform the installs.

Local group configuration

The recommended local group configuration for a standard client computer does not allow an administrator enough control of her computer to perform her duties. You must consider a different configuration, whether it is deployed using Restricted Groups or manually on each computer. Table 5-17 lists some best-practice configurations for local groups on an IT staff or administrator client machine.

Table 5-17   Restricted group best practices for IT staff or administrator clients

Local Group | Members
Administrators | Administrator (local); Domain Admins; Domain\‹username› (where ‹username› is the user account for the administrator of the client)
Backup Operators | Administrators (local)
Network Configuration Operators | Administrators (local)

  Client computers for help desk staff

The Help Desk staff also needs more control over their computers than standard users need. However, they should not have as much control as an administrator. Depending on how your Help Desk is structured, you might have different sets of parameters for different Help Desk staff. For example, some Help Desk staff might be allowed to install applications while others are not. Here are some best-practice configurations for computers used by Help Desk staff to give them the access they need. These settings only represent the differences from the standard client computer suite of settings that are described above.

Security settings for help desk staff

To fulfill their responsibilities and communicate with network servers and resources, the Help Desk staff will need access to certain services on their client computers that might otherwise be disabled. You might need to set the following services to manual or automatic:

  • Alerter
  • Distributed Link Tracking Client
  • Help and Support
  • IIS Admin Service
  • IMAPI CD-Burning COM Service
  • Messenger
  • MS Software Shadow Copy Provider
  • Remote Procedure Call (RPC)
  • Remote Procedure Call (RPC) Locator
  • Removable Storage

The Help Desk staff might also need to install additional software to perform administration of the clients, servers, or Active Directory objects. Here is a list of applications that many Help Desk personnel need to use:

  • Administrative Tools (Admnpak.msi)
  • Group Policy Management Console (Gpmc.msi)
  • Windows Support Tools (SupportTools folder on the Windows XP product CD)
  • Windows XP Resource Kit Tools, which are on the CD-ROM included in the Microsoft Windows XP Professional Resource Kit, Third Edition (Microsoft Press, 2005)

TIP   Although these tools provide complete control over all aspects of Active Directory and Group Policy, the Help Desk staff will be delegated privileges within Active Directory and through the GPMC to restrict their control over much of Active Directory.

These applications can be installed using Group Policy, or they can be installed by the user of the computer. To install these tools, the user must have administrative privileges.

Local group configuration

The recommended local group configuration for a standard client computer will not allow Help Desk staff enough control over their computers to perform their duties. You must consider a different configuration of local groups, whether it is deployed using Restricted Groups or manually on each computer. Table 5-18 lists best-practice configurations for local groups on a Help Desk client.

Table 5-18   Restricted group best practices for help desk clients

Local Group | Members
Administrators | Administrator (local); Domain Admins; Domain\‹username› (where ‹username› is the user account for the administrator of the client. This is needed when the Help Desk employee needs to install software manually on his computer.)
Backup Operators | Administrators (local) or Power Users
Network Configuration Operators | Administrators (local) or Power Users
Power Users | Domain\‹username› (where ‹username› is the user account for the administrator of the client. This is needed when the Help Desk employee needs to modify local resources but not install applications.)
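Tables 5-16, 5-17 and 5-18 differ only in who sits in each restricted local group, so the three profiles can be modelled in one place, rendered as the [Group Membership] section of a security template for Restricted Groups, and compared against what a client actually has; the comparison is what catches the case the section on restricted groups warns about, a local administrator changing membership by hand. The script below is an added example, not code from the book or from Microsoft. The BUILTIN group SIDs and the Domain Admins RID are real; the domain name CORP, the domain SID and the observed membership snapshot are constructed placeholders; and where Table 5-18 says "Administrators (local) or Power Users" it picks the local Administrators group.

```python
"""Restricted-group profiles from Tables 5-16 to 5-18: render as a template
[Group Membership] section and detect drift from observed membership.
Added example; domain SID, domain name and snapshot are constructed."""

# Well-known SIDs of the local groups the tables restrict (real values).
BUILTIN_SIDS = {
    "BUILTIN\\Administrators": "S-1-5-32-544",
    "BUILTIN\\Power Users": "S-1-5-32-547",
    "BUILTIN\\Backup Operators": "S-1-5-32-551",
    "BUILTIN\\Remote Desktop Users": "S-1-5-32-555",
    "BUILTIN\\Network Configuration Operators": "S-1-5-32-556",
}
DOMAIN = "CORP"                                            # assumed domain name
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"    # constructed placeholder
KNOWN_SIDS = dict(BUILTIN_SIDS, **{DOMAIN + "\\Domain Admins": DOMAIN_SID + "-512"})


def profile(kind, username=None, can_install=False):
    """Expected membership {group: set(members)} for one client kind.  Every
    restricted group is listed, so a group the table does not mention for that
    kind is emptied ("No one"), which is how Restricted Groups enforces it."""
    groups = {g: set() for g in BUILTIN_SIDS}
    admins = groups["BUILTIN\\Administrators"]
    admins.update({"Administrator", DOMAIN + "\\Domain Admins"})
    if kind == "standard":                      # Table 5-16
        return groups
    if username is None:
        raise ValueError("IT staff and help desk profiles need the user's account name")
    user = DOMAIN + "\\" + username
    groups["BUILTIN\\Backup Operators"] = {"BUILTIN\\Administrators"}
    groups["BUILTIN\\Network Configuration Operators"] = {"BUILTIN\\Administrators"}
    if kind == "it-staff":                      # Table 5-17
        admins.add(user)
    elif kind == "help-desk":                   # Table 5-18: either/or for the user
        if can_install:                         # must install software manually
            admins.add(user)
        else:                                   # modify local resources only
            groups["BUILTIN\\Power Users"].add(user)
    else:
        raise ValueError("unknown client kind: " + kind)
    return groups


def template_section(groups):
    """Render [Group Membership] in secedit .inf syntax: a __Memberof and a
    __Members line per group, SIDs (prefixed with *) where known, names
    otherwise."""
    def token(name):
        return "*" + KNOWN_SIDS[name] if name in KNOWN_SIDS else name
    lines = ["[Group Membership]"]
    for group, members in groups.items():
        sid = "*" + BUILTIN_SIDS[group]
        lines.append(sid + "__Memberof =")
        lines.append(sid + "__Members = " + ",".join(sorted(token(m) for m in members)))
    return "\n".join(lines)


def membership_drift(expected, observed):
    """{group: (unexpected, missing)} for groups whose observed membership
    differs from policy.  Names are compared case-insensitively, as Windows
    does, and are returned lower-cased."""
    drift = {}
    for group, policy in expected.items():
        have = {m.lower() for m in observed.get(group, set())}
        want = {m.lower() for m in policy}
        if have != want:
            drift[group] = (sorted(have - want), sorted(want - have))
    return drift


# Constructed snapshot of a help desk client's local groups, as "net localgroup"
# would list them: a colleague has been added to Administrators by hand.
OBSERVED_HELP_DESK = {
    "BUILTIN\\Administrators": {"Administrator", "CORP\\Domain Admins", "CORP\\jdoe"},
    "BUILTIN\\Power Users": {"CORP\\hdesk1"},
    "BUILTIN\\Backup Operators": {"BUILTIN\\Administrators"},
    "BUILTIN\\Network Configuration Operators": {"BUILTIN\\Administrators"},
    "BUILTIN\\Remote Desktop Users": set(),
}

if __name__ == "__main__":
    policy = profile("help-desk", "hdesk1")
    print(template_section(policy))
    for group, (extra, missing) in membership_drift(policy, OBSERVED_HELP_DESK).items():
        print("DRIFT %s: unexpected=%s missing=%s" % (group, extra, missing))
```

Restricted Groups will put the membership back at the next policy refresh; the value of the drift check is that it tells you the change happened at all, which is the signal worth alerting on.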

This was first published in November 2005
