help securing windows

D.

I have several questions about xp pro security, I hope I can ask them
coherently enough that it might make sense to anyone who might be able
to help me take some of the complexity out of understanding how to
better secure my computers both locally and on the network.

1. By default, will xp pro or w2k lock me out at some point unless I
change my password every "x" number of days?

2. I run as a renamed administrator on both xp pro and w2k. Does
that shield me from local and internet hazards of running as admin?
If so, how, or how not? [Not in the sense that someone could or would
guess the renamed admin account name, but otherwise]. Or do I need to
use a power user account?

3. I believe when installing xp pro, [also w2k], I was asked if I
would be the only user, or would there be more than one user. I
selected the first, but w2k requires "ctrl-alt-delete," to log on and
xp does not. However, now I'd like to setup a user or guest account
with limited rights and access on each. Also, when I lock either
computer, each shows the names of the only person/computers that
can unlock "this" computer. Isn't that a potential security risk in
itself? [Being provided half the log-in scheme already]? How can
member/s of any single or group of users be made blank in this
window?

4. Experimenting, I once created a snap-in in xp, successfully
locking myself out of most of the function of my own computer. I
thought it strange that windows would even allow me to do that, as I
believe I was running as renamed admin. I can't remember how I
recovered from that, [deleted the snap in I think], but I did and of
course don't want to do it again. I am confused about the correct
hierarchal structure of setting up xp and w2k for optimal security,
[permissions? etc.], on both os'es. Is there a site that lays it out
in layman's terms somewhere, so that I might not have to take the
weekend or more to achieve it?

Thanks for your help.

D.
 
Roger Abell [MVP]

inlined . . .

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
D. said:
I have several questions about xp pro security, I hope I can ask them
coherently enough that it might make sense to anyone who might be able
to help me take some of the complexity out of understanding how to
better secure my computers both locally and on the network.

1. By default, will xp pro or w2k lock me out at some point unless I
change my password every "x" number of days?

This depends. There is a checkbox in the properties of accounts, which
when checked exempts that account from having its password aged.
Box is to the effect: Password never expires
Now, beyond that, password aging can be shut off for all accounts by
using settings in the Accounts area of Local Security Policy.

2. I run as a renamed administrator on both xp pro and w2k. Does
that shield me from local and internet hazards of running as admin?
If so, how, or how not? [Not in the sense that someone could or would
guess the renamed admin account name, but otherwise]. Or do I need to
use a power user account?

You are best off using a limited, plain Users member account.
Not an admin, not a Power Users member.
The less the priv of the account, the less that can happen if you
accidentally click on something, are tricked to, or there is an unpatched
exploit.
If you use an admin account it does not matter what it is named.
Renaming the builtin Administrator account used to be a standard
practice, and IMO still should be. However, if your machine has had
its default settings loosened, it may be possible to remotely discover
the new name of the built-in adm account, and for that matter of all
adm accounts.

3. I believe when installing xp pro, [also w2k], I was asked if I
would be the only user, or would there be more than one user. I
selected the first, but w2k requires "ctrl-alt-delete," to log on and
xp does not. However, now I'd like to setup a user or guest account
with limited rights and access on each. Also, when I lock either
computer, each shows the names of the only person/computers that
can unlock "this" computer. Isn't that a potential security risk in
itself? [Being provided half the log-in scheme already]? How can
member/s of any single or group of users be made blank in this
window?

I recall no such prompt in W2k install, although it has been a very long
time since I installed Pro version of W2k.
Log in behavior in W2k is in one flavor only. XP added the welcome
screen. Both can be configured to not require person intervention
to log in, using an automatic login to specified account upon boot.
Just go ahead and define new accounts. The initial setup questions
in XP were for configuring your initial user experience. When there
are multiple accounts the Welcome screen (or older login prompt
when configured as the one to be used or when in domain) will be
presented. The default Administrator will become hidden after the
second account is defined (Pro), etc.
TweakUI from the XP PowerToys will allow you to control what
accounts appear on the Welcome screen.

As to the risk of having the username displayed, as always there
are trade-offs. If it does not tell you which account is logged in
and you do not remember (or in a shared machine environment you
have no chance of remembering) then all you could do is the double
login as an admin (which will kill whatever may have been left intentionally
running in the logged in account). I think this comes down to, if they
can walk up to the machine, you have provided them access to the
info (or to the opportunity to steal the machine, to force it to boot from
floppy or cd whereupon they could . . . ) etc.

4. Experimenting, I once created a snap-in in xp, successfully
locking myself out of most of the function of my own computer. I
thought it strange that windows would even allow me to do that, as I
believe I was running as renamed admin. I can't remember how I
recovered from that, [deleted the snap in I think], but I did and of
course don't want to do it again. I am confused about the correct
hierarchal structure of setting up xp and w2k for optimal security,
[permissions? etc.], on both os'es. Is there a site that lays it out
in layman's terms somewhere, so that I might not have to take the
weekend or more to achieve it?

I usually suggest that folks with Pro editions
1. rename the built-in administrator account
2. set a strong password on the built-in administrator account and
test the account, but otherwise leave it unused
3. define a new admin for personal use, and a plain user account
for personal use, again each with different, strong passwords
4. set a Deny of Full Control on Windows\System32\GroupPolicy
for the built-in admin account (so whatever happens, local policy
cannot lock that account out from login or tools) before experimenting
in the local security policy settings using (non-built-in) admin account
5. define an account named Administrator, set it to disabled, and
remove it from all groups
and other stuff . . .

Securing the systems can become a complex issue, depending on
how secure you want things. There are a number of sites, many of
which can be turned up by google search, as there are also many
MS guidance papers/articles you can find starting at
www.microsoft.com/security and www.microsoft.com/technet/security
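
An added example, not part of either post: a small Python check of the account layout from the numbered list above (steps 1, 3 and 5), run over constructed account records. It finds the built-in administrator by its fixed RID of 500 rather than by name, which is why renaming alone does not hide it; the `Account` record, the account names and the SIDs are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Account:                      # hypothetical record, not a Windows API type
    name: str
    sid: str                        # the built-in administrator's SID always ends in -500
    groups: set = field(default_factory=set)
    disabled: bool = False

def audit(accounts):
    """Check a local account list against steps 1, 3 and 5 of the list above."""
    builtin = next((a for a in accounts if a.sid.rsplit("-", 1)[-1] == "500"), None)
    if builtin is None:
        return ["built-in administrator (RID 500) missing from input"]
    findings = []
    if builtin.name.lower() == "administrator":
        findings.append("built-in administrator has not been renamed")
    decoy = next((a for a in accounts
                  if a is not builtin and a.name.lower() == "administrator"), None)
    if decoy is None:
        findings.append("no decoy account named Administrator")
    elif not decoy.disabled or decoy.groups:
        findings.append("decoy Administrator must be disabled and in no groups")
    active = [a for a in accounts if a is not builtin and not a.disabled]
    if not any("Administrators" in a.groups for a in active):
        findings.append("no separate admin account for personal use")
    if not any(a.groups == {"Users"} for a in active):
        findings.append("no plain Users-only account for daily use")
    findings += [f"{a.name} is a Power Users member"
                 for a in active if "Power Users" in a.groups]
    return findings

# Constructed sample data: a default-style setup and one that follows the list.
SID = "S-1-5-21-1111111111-2222222222-3333333333"
DEFAULT = [
    Account("Administrator", SID + "-500", {"Administrators"}),
    Account("Guest", SID + "-501", {"Guests"}, disabled=True),
    Account("D", SID + "-1003", {"Administrators"}),
]
HARDENED = [
    Account("xadm", SID + "-500", {"Administrators"}),
    Account("Administrator", SID + "-1004", set(), disabled=True),
    Account("d-admin", SID + "-1005", {"Administrators"}),
    Account("d", SID + "-1006", {"Users"}),
]

if __name__ == "__main__":
    for label, accts in (("default", DEFAULT), ("hardened", HARDENED)):
        print(label, audit(accts) or "ok")
```

Passwords and the Deny entry on Windows\System32\GroupPolicy (steps 2 and 4) are not visible in an account list, so the check does not cover them.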
 
