Client hardening

Book excerpt: the following excerpt, from Chapter 5 of "Microsoft Windows Group Policy Guide" by William R. Stanek, Darren Mar-Elia and Derek Melber, is provided by Microsoft Press, copyright 2005.

TABLE OF CONTENTS
    Best practice security settings
    Ports required for clients
    Restricted groups for clients
    Client computers for IT staff and administrators
    Client computers for help desk staff

  Best practice security settings

Not only should servers be hardened to protect against outside intruders, but clients need the same attention. Clients also need to have services, ports, applications, groups, and so on locked down to reduce security risks as much as possible. This reduction in security risk should not compromise functionality in most cases. If the security on a client is too tight, users might not be able to use applications and network communications as needed.

To show a wide range of client configuration best practices, we will look at four common scenarios. The best practices focus on creating and maintaining a secure environment for desktops and laptops running Windows XP Professional, and each of those two form factors is treated in two environments, enterprise and high security:

  • Enterprise   The enterprise environment consists of a Windows 2000 or Windows Server 2003 Active Directory domain. The clients in this environment will be managed using Group Policy that is applied to containers, sites, domains, and OUs. Group Policy provides a centralized method of managing security policy across the environment.

  • High security   The high-security environment has elevated security settings for the client. When high-security settings are applied, user functionality is limited to functions that are required for the necessary tasks. Access is limited to approved applications, services, and infrastructure environments.

It would be impossible to cover every possible scenario or environment. However, we will suggest security settings that have been reviewed, tested, and approved by Microsoft engineers, consultants, and customers in a production environment. Table 5-14 lists settings that are available within a standard security template and the best-practice configurations for the following four scenarios:

  • Enterprise desktop computers
  • Enterprise laptop computers
  • High-security desktop computers
  • High-security laptop computers

MORE INFO   For more information on the security settings below for hardening Windows XP clients in each of these four environments, see the Windows XP Security Guide v2. For a thorough discussion of all security settings available in Windows XP Service Pack 2, see the Threats and Countermeasures Guide.

IMPORTANT   Before you implement any security settings or best-practice configurations for your production clients, be sure to test the settings for your environment. Applications, operating systems, and other network constraints can cause issues with these best-practice settings in some instances.

Table 5-14   Best practice security settings for the four types of clients

Auditing

Security Setting         | Enterprise Desktop | Enterprise Laptop | High Security Desktop | High Security Laptop
Account Logon Events     | Success, Failure   | Success, Failure  | Success, Failure      | Success, Failure
Account Management       | Success, Failure   | Success, Failure  | Success, Failure      | Success, Failure
Directory Service Access | No Auditing        | No Auditing       | No Auditing           | No Auditing
Logon Events             | Success, Failure   | Success, Failure  | Success, Failure      | Success, Failure
Object Access            | Success, Failure   | Success, Failure  | Success, Failure      | Success, Failure
Policy Change            | Success            | Success           | Success               | Success
Privilege Use            | Failure            | Failure           | Failure               | Failure
Process Tracking         | No Auditing        | No Auditing       | No Auditing           | No Auditing
System Events            | Success            | Success           | Success, Failure      | Success, Failure

User Rights

Security Setting | Enterprise Desktop | Enterprise Laptop | High Security Desktop | High Security Laptop
Access this computer from the network | Administrators, Backup Operators, Power Users, Users | Administrators, Backup Operators, Power Users, Users | Administrators, Users | Administrators, Users
Act as part of the operating system | No one | No one | No one | No one
Adjust memory quotas for a process | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators, NETWORK SERVICE | Administrators, LOCAL SERVICE, NETWORK SERVICE
Allow log on locally | Users, Administrators | Users, Administrators | Users, Administrators | Users, Administrators
Allow log on through Terminal Services | Administrators, Remote Desktop Users | Administrators, Remote Desktop Users | No one | No one
Backup files and directories | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Change the system time | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Create a pagefile | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Create a permanent shared object | Not Defined (Use defaults) | Not Defined (Use defaults) | No one | No one
Create a token object | Not Defined (Use defaults) | Not Defined (Use defaults) | No one | No one
Debug programs | Administrators | Administrators | Administrators | Administrators
Deny access to this computer from the network | Not Defined (Use defaults) | Not Defined (Use defaults) | Everyone | Everyone
Deny log on through Terminal Services | Not Defined (Use defaults) | Not Defined (Use defaults) | Everyone | Everyone
Enable computer and user accounts to be trusted for delegation | No one | No one | No one | No one
Force shutdown from a remote system | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Generate security audits | Not Defined (Use defaults) | Not Defined (Use defaults) | NETWORK SERVICE, LOCAL SERVICE | NETWORK SERVICE, LOCAL SERVICE
Increase scheduling priority | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Load and unload device drivers | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Log on as a batch job | Not Defined (Use defaults) | Not Defined (Use defaults) | No one | No one
Log on as a service | Not Defined (Use defaults) | Not Defined (Use defaults) | No one | No one
Manage auditing and security log | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Modify firmware environment values | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Perform volume maintenance tasks | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Profile single process | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Profile system performance | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators
Replace a process level token | LOCAL SERVICE, NETWORK SERVICE | LOCAL SERVICE, NETWORK SERVICE | LOCAL SERVICE, NETWORK SERVICE | LOCAL SERVICE, NETWORK SERVICE
Restore files and directories | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators, Users
Shut down the system | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators, Users | Administrators, Users
Take ownership of files or other objects | Not Defined (Use defaults) | Not Defined (Use defaults) | Administrators | Administrators

NOTE   A Deny user right overrides the matching Allow right. In the high-security columns, Everyone under Deny access to this computer from the network therefore means that no account, Administrators included, can make an inbound network logon to the client, whatever Access this computer from the network lists; remote management of those clients has to rely on what the client pulls for itself, such as Group Policy. The same applies to Deny log on through Terminal Services.

Security Options

Security Setting | Enterprise Desktop | Enterprise Laptop | High Security Desktop | High Security Laptop
Accounts: Guest account status | Disabled | Disabled | Disabled | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled | Enabled | Enabled | Enabled
Accounts: Rename administrator account | Recommended | Recommended | Recommended | Recommended
Accounts: Rename guest account | Recommended | Recommended | Recommended | Recommended
Devices: Allow undock without having to log on | Disabled | Disabled | Disabled | Disabled
Devices: Allowed to format and eject removable media | Administrators, Interactive Users | Administrators, Interactive Users | Administrators | Administrators
Devices: Prevent users from installing printer drivers | Enabled | Enabled | Enabled | Enabled
Devices: Restrict CD-ROM access to locally logged-on user only | Disabled | Disabled | Disabled | Disabled
Devices: Restrict floppy access to locally logged-on user only | Disabled | Disabled | Disabled | Disabled
Devices: Unsigned driver installation behavior | Warn but allow installation | Warn but allow installation | Do not allow installation | Do not allow installation
Domain member: Digitally encrypt or sign secure channel data (always) | Not Defined (Use defaults) | Not Defined (Use defaults) | Enabled | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled | Enabled | Enabled | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled | Enabled | Enabled | Enabled
Domain member: Disable machine account password changes | Disabled | Disabled | Disabled | Disabled
Domain member: Maximum machine account password age | 30 days | 30 days | 30 days | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Enabled | Enabled | Enabled | Enabled
Interactive logon: Do not display last user name | Enabled | Enabled | Enabled | Enabled
Interactive logon: Do not require CTRL+ALT+DEL | Disabled | Disabled | Disabled | Disabled
Interactive logon: Message text for users attempting to log on | Same text in all four columns; see below the table
Interactive logon: Message title for users attempting to log on | Same title in all four columns; see below the table
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 2 | 2 | 0 | 1
Interactive logon: Prompt user to change password before expiration | 14 days | 14 days | 14 days | 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled | Disabled | Enabled | Disabled
Interactive logon: Smart card removal behavior | Lock Workstation | Lock Workstation | Lock Workstation | Lock Workstation
Microsoft network client: Digitally sign communications (always) | Not Defined (Use defaults) | Not Defined (Use defaults) | Enabled | Enabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Enabled | Enabled | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled | Disabled | Disabled
Microsoft network server: Amount of idle time required before suspending session | 15 minutes | 15 minutes | 15 minutes | 15 minutes
Microsoft network server: Digitally sign communications (always) | Enabled | Enabled | Enabled | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled | Enabled | Enabled | Enabled
Network access: Allow anonymous SID/Name translation | Disabled | Disabled | Disabled | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled | Enabled | Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled | Enabled | Enabled | Enabled
Network access: Let Everyone permissions apply to anonymous users | Disabled | Disabled | Disabled | Disabled
Network access: Shares that can be accessed anonymously | comcfg, dfs$ | comcfg, dfs$ | comcfg, dfs$ | comcfg, dfs$
Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves (all four columns)
Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled | Enabled | Enabled
Network security: LAN Manager authentication level | Send NTLMv2 responses only | Send NTLMv2 responses only | Send NTLMv2 response only/refuse LM and NTLM | Send NTLMv2 response only/refuse LM and NTLM
Network security: LDAP client signing requirements | Not defined | Not defined | Require signing | Require signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption (all four columns)
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require message confidentiality, Require message integrity, Require NTLMv2 session security, Require 128-bit encryption (all four columns)
Recovery console: Allow automatic administrative logon | Disabled | Disabled | Disabled | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Enabled | Enabled | Disabled | Disabled
Shutdown: Allow system to be shut down without having to log on | Disabled | Disabled | Disabled | Disabled
Shutdown: Clear virtual memory page file | Disabled | Disabled | Enabled | Enabled
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled | Disabled | Disabled | Disabled
System objects: Default owner for objects created by members of the Administrators group | Object creator | Object creator | Object creator | Object creator
System objects: Require case insensitivity for non-Windows subsystems | Enabled | Enabled | Enabled | Enabled
System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links) | Enabled | Enabled | Enabled | Enabled

Logon message text (identical in all four columns): This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background.

Logon message title (identical in all four columns): IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION

Event Log

Security Setting | Enterprise Desktop | Enterprise Laptop | High Security Desktop | High Security Laptop
Maximum application log size | 20480 KB | 20480 KB | 20480 KB | 20480 KB
Maximum security log size | 40960 KB | 40960 KB | 81920 KB | 81920 KB
Maximum system log size | 20480 KB | 20480 KB | 20480 KB | 20480 KB
Prevent local guests group from accessing application log | Enabled | Enabled | Enabled | Enabled
Prevent local guests group from accessing security log | Enabled | Enabled | Enabled | Enabled
Prevent local guests group from accessing system log | Enabled | Enabled | Enabled | Enabled
Retention method for application log | As needed | As needed | As needed | As needed
Retention method for security log | As needed | As needed | As needed | As needed
Retention method for system log | As needed | As needed | As needed | As needed

System Services

Security Setting | Enterprise Desktop | Enterprise Laptop | High Security Desktop | High Security Laptop
Alerter | Disabled | Disabled | Disabled | Disabled
Application Layer Gateway Service | Disabled | Disabled | Disabled | Disabled
Application Management | Disabled | Disabled | Disabled | Disabled
ASP.NET State Service | Disabled | Disabled | Disabled | Disabled
Automatic Updates | Automatic | Automatic | Automatic | Automatic
Background Intelligent Transfer Service | Manual | Manual | Manual | Manual
ClipBook | Disabled | Disabled | Disabled | Disabled
COM+ Event System | Manual | Manual | Manual | Manual
COM+ System Application | Disabled | Disabled | Disabled | Disabled
Computer Browser | Disabled | Disabled | Disabled | Disabled
Cryptographic Services | Automatic | Automatic | Automatic | Automatic
DHCP Client | Automatic | Automatic | Automatic | Automatic
Distributed Link Tracking Client | Disabled | Disabled | Disabled | Disabled
Distributed Link Tracking Server | Disabled | Disabled | Disabled | Disabled
Distributed Transaction Coordinator | Disabled | Disabled | Disabled | Disabled
DNS Client | Automatic | Automatic | Automatic | Automatic
Error Reporting Service | Disabled | Disabled | Disabled | Disabled
Event Log | Automatic | Automatic | Automatic | Automatic
Fax Service | Manual | Manual | Disabled | Disabled
FTP Publishing | Disabled | Disabled | Disabled | Disabled
Help and Support | Disabled | Disabled | Disabled | Disabled
HTTP SSL | Disabled | Disabled | Disabled | Disabled
Human Interface Device Access | Disabled | Disabled | Disabled | Disabled
IIS Admin Service | Disabled | Disabled | Disabled | Disabled
IMAPI CD-Burning COM Service | Disabled | Disabled | Disabled | Disabled
Indexing Service | Disabled | Disabled | Disabled | Disabled
IPSec Services | Automatic | Automatic | Automatic | Automatic
Logical Disk Manager | Manual | Manual | Manual | Manual
Logical Disk Manager Administrative Service | Manual | Manual | Manual | Manual
Messenger | Disabled | Disabled | Disabled | Disabled
MS Software Shadow Copy Provider | Disabled | Disabled | Disabled | Disabled
Netlogon | Automatic | Automatic | Automatic | Automatic
NetMeeting Remote Desktop Sharing | Disabled | Disabled | Disabled | Disabled
Network Connections | Manual | Manual | Manual | Manual
Network DDE | Manual | Manual | Disabled | Disabled
Network DDE DSDM | Manual | Manual | Disabled | Disabled
Network Location Awareness (NLA) | Manual | Manual | Manual | Manual
Network Provisioning Service | Disabled | Disabled | Disabled | Disabled
NT LM Security Support Provider | Automatic | Automatic | Automatic | Automatic
Performance Logs and Alerts | Manual | Manual | Manual | Manual
Plug and Play | Automatic | Automatic | Automatic | Automatic
Portable Media Serial Number | Disabled | Disabled | Disabled | Disabled
Print Spooler | Disabled | Disabled | Disabled | Disabled
Protected Storage | Automatic | Automatic | Automatic | (not in source)
Remote Access Auto Connection Manager | Disabled | Disabled | Disabled | (not in source)
Remote Access Connection Manager | Disabled | Disabled | Disabled | (not in source)
Remote Desktop Help Session Manager | Disabled | Disabled | Disabled | (not in source)
Remote Procedure Call (RPC) | Disabled | Disabled | Disabled | Disabled
Remote Procedure Call (RPC) Locator | Disabled | Disabled | Disabled | Disabled
Remote Registry Service | Automatic | Automatic | Disabled | Disabled
Removable Storage | Disabled | Disabled | Disabled | Disabled
Routing and Remote Access | Disabled | Disabled | Disabled | Disabled
Secondary Logon | Disabled | Disabled | Disabled | Disabled
Security Accounts Manager | Automatic | Automatic | Automatic | Automatic
Server | Automatic | Automatic | Disabled | Disabled
Shell Hardware Detection | Disabled | Disabled | Disabled | Disabled
Smart Card | Disabled | Disabled | Disabled | Disabled
SSDP Discovery Service | Disabled | Disabled | Disabled | Disabled
System Event Notification | Automatic | Automatic | Automatic | Automatic
System Restore Service | Disabled | Disabled | Disabled | Disabled
Task Scheduler | Disabled | Disabled | Disabled | Disabled
TCP/IP NetBIOS Helper Service | Automatic | Automatic | Automatic | Automatic
Telephony | Disabled | Disabled | Disabled | Disabled
Telnet | Disabled | Disabled | Disabled | Disabled
Terminal Services | Disabled | Disabled | Disabled | Disabled
Themes | Disabled | Disabled | Disabled | Disabled
Uninterruptible Power Supply | Disabled | Disabled | Disabled | Disabled
Volume Shadow Copy | Disabled | Disabled | Disabled | Disabled
WebClient | Disabled | Disabled | Disabled | Disabled
Windows Audio | Disabled | Disabled | Disabled | Disabled
Windows Firewall/Internet Connection Sharing (ICS) | Disabled | Disabled | Enabled | Enabled
Windows Image Acquisition (WIA) | Disabled | Disabled | Disabled | Disabled
Windows Installer | Automatic | Automatic | Automatic | Automatic
Windows Management Instrumentation | Automatic | Automatic | Automatic | Automatic
Windows Management Instrumentation Driver Extensions | Disabled | Disabled | Disabled | Disabled
Windows Time | Automatic | Automatic | Automatic | Automatic
Windows User Mode Driver Framework | Disabled | Disabled | Disabled | Disabled
Wireless Zero Configuration | Manual | Manual | Manual | Manual
WMI Performance Adapter | Disabled | Disabled | Disabled | (not in source)
Workstation | Automatic | Automatic | Automatic | (not in source)

Cells marked (not in source) were dropped from the fourth column of the printed table and are not reconstructed here.

NOTE   The Remote Procedure Call (RPC) service itself (RpcSs) cannot be disabled in practice on Windows XP: the service control manager, Group Policy processing, Windows Installer and most other services depend on it, and the system does not function without it. Keep it at Automatic; only the Remote Procedure Call (RPC) Locator service can safely be set to Disabled.

  Ports required for clients

Clients must have basic communication on a network to send and receive e-mail and access network resources. Specific ports must be open to provide this communication, as shown in Table 5-15. Unless a client has to communicate in some other way, or runs an application that requires an additional port, these are the only ports that need to be open.

Table 5-15   Ports required for clients

Port | Description
137 (NetBIOS name service) | Used by the browse master service. This port must be open for WINS and browse master servers.
138 (NetBIOS datagram service) | Must be open to accept inbound datagrams from NetBIOS applications such as the Messenger service and the Windows Browser.
139 (NetBIOS session service) | Should be closed unless you run applications or operating systems that must support Windows networking (SMB) connections. If you run Windows NT 4.0, Windows Millennium Edition, Windows 98, or Windows 95, this port must be open on your servers.
445 (SMB) | Used by basic Windows networking, including file sharing, printer sharing, and remote administration.
3389 (Remote Desktop Protocol) | Must be open if you are using Terminal Services for application sharing, remote desktop, or remote assistance.

  Restricted groups for clients

The local groups that exist on client computers should be controlled to ensure that the correct members belong to the administrative groups that exist on each computer. If these groups are not controlled through Group Policy, the local administrator will be able to control who has administrative control over the computer, and this can lead to insecure configurations and vulnerabilities.

Table 5-16 lists best practices for the local groups and which users or groups should be configured as members of each.

Table 5-16   Restricted group best practices for clients

Local Group | Members
Administrators | Administrator (local), Domain Admins
Backup Operators | No one
Network Configuration Operators | No one
Power Users | No one
Remote Desktop Users | No one
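The settings in Table 5-14 and the memberships in Table 5-16 are exactly what a security template carries, and the quickest way to confirm that a client really has them is to export its effective policy with secedit /export /cfg and compare the resulting INF with the baseline. The checker below is an added example for this excerpt, not code from the book or from Microsoft. It parses the sections secedit writes ([Event Audit], [Privilege Rights], [Registry Values], [Group Membership], [Service General Setting]) and compares a subset of the High Security Desktop column plus the Table 5-16 groups. The BASELINE dictionary is my own encoding of those table rows, the sample INF and the deviations in it are constructed, and the Domain Admins SID in it is a placeholder. The check also reports the interaction that is easy to miss in Table 5-14: a Deny right wins over the matching Allow right, so the Everyone entry under Deny access to this computer from the network makes the Administrators, Users allow list irrelevant.

```python
"""Check a security template exported with `secedit /export /cfg <file>`
against the High Security Desktop column of Table 5-14 and the restricted
groups of Table 5-16. Added example, not code from the book; SAMPLE_INF is
constructed to look like secedit output and is not real data."""
import re

# Local well-known SIDs as templates write them (leading "*" marks a SID literal).
SIDS = {
    "Administrators": "*S-1-5-32-544", "Users": "*S-1-5-32-545",
    "Power Users": "*S-1-5-32-547", "Backup Operators": "*S-1-5-32-551",
    "Remote Desktop Users": "*S-1-5-32-555",
    "Network Configuration Operators": "*S-1-5-32-556", "Everyone": "*S-1-1-0",
}

# Assumed encoding of a subset of the High Security Desktop column plus Table 5-16.
# Audit values: 0 none, 1 success, 2 failure, 3 success and failure.
# Registry values are "type,data" (4 = REG_DWORD); LmCompatibilityLevel 5 is
# "Send NTLMv2 response only/refuse LM and NTLM". Service start: 2 auto, 3 manual, 4 disabled.
BASELINE = {
    "audit": {"AuditAccountLogon": 3, "AuditLogonEvents": 3, "AuditPolicyChange": 1,
              "AuditPrivilegeUse": 2, "AuditProcessTracking": 0},
    "rights": {"SeNetworkLogonRight": {SIDS["Administrators"], SIDS["Users"]},
               "SeTcbPrivilege": set(), "SeRemoteInteractiveLogonRight": set()},
    "registry": {r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel": "4,5",
                 r"MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash": "4,1"},
    "empty_groups": [SIDS["Power Users"], SIDS["Backup Operators"],
                     SIDS["Network Configuration Operators"], SIDS["Remote Desktop Users"]],
    "services": {"Messenger": 4, "RemoteRegistry": 4, "lanmanserver": 4},
}

# Constructed sample with four deliberate deviations: Privilege Use not audited,
# Power Users allowed on the network, LM level 3 instead of 5, Remote Registry automatic.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Event Audit]
AuditAccountLogon = 3
AuditLogonEvents = 3
AuditPolicyChange = 1
AuditPrivilegeUse = 0
AuditProcessTracking = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-547,*S-1-5-32-545
SeDenyNetworkLogonRight = *S-1-1-0
SeTcbPrivilege =
SeRemoteInteractiveLogonRight =
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
[Group Membership]
*S-1-5-32-544__Members = Administrator,*S-1-5-21-1000-2000-3000-512
*S-1-5-32-544__Memberof =
*S-1-5-32-547__Members =
*S-1-5-32-551__Members =
*S-1-5-32-555__Members =
*S-1-5-32-556__Members =
[Service General Setting]
"Messenger",4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"RemoteRegistry",2,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"lanmanserver",4,"D:AR(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
"""


def parse_template(text):
    """Return {section: {key: value}}; service lines are keyed by service name."""
    sections, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            sections[section] = {}
        elif section == "Service General Setting":
            name, start = line.split(",")[:2]          # "Name",start,"SDDL"
            sections[section][name.strip('"')] = int(start)
        elif section is not None:
            key, _, value = line.partition("=")
            sections[section][key.strip()] = value.strip()
    return sections


def principals(value):
    """Split a comma-separated list of SIDs/names into a set ("" -> empty set)."""
    return {p.strip() for p in value.split(",") if p.strip()}


def check_template(text, baseline=BASELINE):
    """Compare a template against the baseline; return a sorted list of findings."""
    t = parse_template(text)
    found = []
    for key, want in baseline["audit"].items():
        got = t.get("Event Audit", {}).get(key)
        if got is None or int(got) != want:
            found.append(f"audit {key}: want {want}, got {got}")
    rights = t.get("Privilege Rights", {})
    for key, want in baseline["rights"].items():
        got = principals(rights.get(key, ""))
        if got != want:
            found.append(f"right {key}: extra {sorted(got - want)}, missing {sorted(want - got)}")
    # A Deny right overrides the matching Allow right, so report the effective result.
    allow = principals(rights.get("SeNetworkLogonRight", ""))
    deny = principals(rights.get("SeDenyNetworkLogonRight", ""))
    if SIDS["Everyone"] in deny and allow:
        found.append("note: Everyone is denied network logon, so SeNetworkLogonRight has no effect")
    for path, want in baseline["registry"].items():
        got = t.get("Registry Values", {}).get(path)
        short = path.split("\\")[-1]
        if got != want:
            found.append(f"registry {short}: want {want}, got {got}")
    groups = t.get("Group Membership", {})
    for m in principals(groups.get(SIDS["Administrators"] + "__Members", "")):
        # Table 5-16: only the local Administrator and Domain Admins (domain SID + RID 512).
        if m != "Administrator" and not re.fullmatch(r"\*S-1-5-21(-\d+){3}-512", m):
            found.append(f"group Administrators: unexpected member {m}")
    for sid in baseline["empty_groups"]:
        key = sid + "__Members"
        if key not in groups:
            found.append(f"group {sid}: not managed by Restricted Groups")
        elif principals(groups[key]):
            found.append(f"group {sid}: should be empty, has {sorted(principals(groups[key]))}")
    services = t.get("Service General Setting", {})
    for name, want in baseline["services"].items():
        got = services.get(name)
        if got != want:
            found.append(f"service {name}: want start {want}, got {got}")
    return sorted(found)


if __name__ == "__main__":
    for line in check_template(SAMPLE_INF):
        print(line)
```

On a client, run secedit /export /cfg client.inf /areas SECURITYPOLICY USER_RIGHTS GROUP_MGMT SERVICES and feed the file to check_template(open("client.inf", encoding="utf-16").read()); secedit writes the export as UTF-16. The Table 5-17 and 5-18 variants only change the group rows, so a per-role baseline is a different "empty_groups" list and a different member pattern for Administrators.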

  Client computers for IT staff and administrators

The standard client computer settings might not work for a computer that is used by someone on the IT staff or an administrator's computer. These users need more privileged access to their own computers, including the ability to install applications, modify their own registries, run Administrative tools, and possibly back up their own computers. These tasks require certain services, ports, and restricted group configurations on the computer. The following sections offer best-practice configurations for computers used by IT staff and administrators to give them the access they need. We will cover only the settings that differ from those for the standard client computer suite described previously.

Security settings for IT staff and administrators

IT staff and administrators need access to key parts of their computers to access files, folders, and registry values. When an application is installed that needs to update these portions of their computers, the security must not prohibit them from doing these tasks. Instead of listing the exact security settings that need to be made (which would be almost impossible to determine without knowing the application or task), we will look at some of the key tasks and responsibilities of an administrator and how to loosen security enough to allow these functions.

Local services and software

Administrators need to access certain services that might otherwise be disabled. You might need to set the following services to manual or automatic:

  • Alerter
  • Distributed Link Tracking Client
  • Help and Support
  • IIS Admin Service
  • IMAPI CD-Burning COM Service
  • Messenger
  • MS Software Shadow Copy Provider
  • Remote Procedure Call (RPC)
  • Remote Procedure Call (RPC) Locator
  • Removable Storage
  • Server
  • Uninterruptible Power Supply

An administrator might also need to install other software to administer other clients, servers, or Active Directory resources, including the following:

  • Administrative Tools (Admnpak.msi)
  • Group Policy Management Console (Gpmc.msi)
  • Windows Support Tools (SupportTools folder on the Windows XP product CD)
  • Windows XP Resource Kit Tools, which are on the CD-ROM included in the Microsoft Windows XP Professional Resource Kit, Third Edition (Microsoft Press, 2005)

These applications can be installed by Group Policy or by the user of the computer. A user must have administrative privileges to perform the installs.

Local group configuration

The recommended local group configuration for a standard client computer does not allow an administrator enough control of her computer to perform her duties. You must consider a different configuration, whether it is deployed using Restricted Groups or manually on each computer. Table 5-17 lists some best-practice configurations for local groups on an IT staff or administrator client machine.

Table 5-17   Restricted group best practices for IT staff or administrator clients

Local Group | Members
Administrators | Administrator (local), Domain Admins, Domain\<username> (where <username> is the user account for the administrator of the client)
Backup Operators | Administrators (local)
Network Configuration Operators | Administrators (local)

  Client computers for help desk staff

The Help Desk staff also needs more control over their computers than standard users need. However, they should not have as much control as an administrator. Depending on how your Help Desk is structured, you might have different sets of parameters for different Help Desk staff. For example, some Help Desk staff might be allowed to install applications while others are not. Here are some best-practice configurations for computers used by Help Desk staff to give them the access they need. These settings only represent the differences from the standard client computer suite of settings that are described above.

Security settings for help desk staff

To fulfill their responsibilities and communicate with network servers and resources, the Help Desk staff will need access to certain services on their client computers that might otherwise be disabled. You might need to set the following services to manual or automatic:

  • Alerter
  • Distributed Link Tracking Client
  • Help and Support
  • IIS Admin Service
  • IMAPI CD-Burning COM Service
  • Messenger
  • MS Software Shadow Copy Provider
  • Remote Procedure Call (RPC)
  • Remote Procedure Call (RPC) Locator
  • Removable Storage

The Help Desk staff might also need to install additional software to perform administration of the clients, servers, or Active Directory objects. Here is a list of applications that many Help Desk personnel need to use:

  • Administrative Tools (Admnpak.msi)
  • Group Policy Management Console (Gpmc.msi)
  • Windows Support Tools (SupportTools folder on the Windows XP product CD)
  • Windows XP Resource Kit Tools, which are on the CD-ROM included in the Microsoft Windows XP Professional Resource Kit, Third Edition (Microsoft Press, 2005)

TIP   Although these tools provide complete control over all aspects of Active Directory and Group Policy, the Help Desk staff will be delegated privileges within Active Directory and through the GPMC to restrict their control over much of Active Directory.

These applications can be installed using Group Policy, or they can be installed by the user of the computer. To install these tools, the user must have administrative privileges.

Local group configuration

The recommended local group configuration for a standard client computer will not allow Help Desk staff enough control over their computers to perform their duties. You must consider a different configuration of local groups, whether it is deployed using Restricted Groups or manually on each computer. Table 5-18 lists best-practice configurations for local groups on a Help Desk client.

Table 5-18   Restricted group best practices for help desk clients

Local Group | Members
Administrators | Administrator (local), Domain Admins, Domain\<username> (where <username> is the user account for the administrator of the client; this is needed when the Help Desk employee needs to install software manually on his computer)
Backup Operators | Administrators (local) or Power Users
Network Configuration Operators | Administrators (local) or Power Users
Power Users | Domain\<username> (where <username> is the user account for the administrator of the client; this is needed when the Help Desk employee needs to modify local resources but not install applications)

This was first published in November 2005
