Configuring these settings will add some inconvenience for legitimate administrators but does not actually contribute at all to security. Let's look at the settings one at a time:
1. Disable admin shares - These are only available to administrators anyway. If you disable them, anyone who is an administrator can easily turn them right back on (yes, remotely too). In other words, all this setting does is break legitimate remote management. It does not improve security one bit.
2. Hide last logon name - First, finding a logon name for an attacker is trivial. Second, if your password is so weak that the only thing standing between you and a compromise is your logon name, you are in deep trouble.
3. Control apps users can run - The proper way to control apps users can run is with Software Restriction Policies, not with Windows 95-style reg hacks. Besides, the value here is set in HKCU. In other words, you are restricting what apps YOU can run, not what apps anyone else can run.
4. Disable DUN password - What exactly is the risk here? How is an attacker going to get this password? It is protected with DPAPI. Only the user can read it. If an attacker were able to get to DPAPI it means they are running code as you, in which case this hack is meaningless. They will have access to anything you do, including your Dial-Up password the next time you type it.
5. Hide access to drives - This is a cosmetic hack which only hides them from Explorer. Open a command prompt, or use the Open/Save dialog in Word (or any number of other apps) and they are available again. This is not a security setting at all.
6. Clear page file - What attackers are you worried about here? Unless you are trying to protect against physical attacks by a nation state it is highly unlikely that data stored in the page file is going to present a problem for you. The question you have to ask yourself is whether you really care to defend against attackers willing to dig through 2 gigabytes of binary data in the hope of finding something interesting (keep in mind, there are no labels in that file telling them where the juicy data is or even how it is formatted). This is a meaningful setting in ultra-secure environments where physical compromise of shut down systems is possible AND you have reason to believe that applications improperly store data in memory AND you routinely shut down systems, not elsewhere. Besides, most users are not willing to accept the 12-15 minute hit on shutdown time.
7. Disable access to system properties - First, setting this in HKCU disables YOUR access to system properties, not anyone else's. Second, you cannot modify anything in system properties unless you are an administrator, so all this setting would ever do is restrict administrators from doing something. Third, if you are an administrator, you can easily bypass this hack. Therefore, this hack is meaningless. If you want to stop users from modifying system properties, do not let them run as admins.
8. Disable LM hash - First, there are several instances post-Windows 2000 where you need an LM hash. Second, this setting is a thin veneer. What threat are you worried about specifically? Cracking passwords? Cracking passwords against hashes is a meaningless and unnecessary attack. Disabling LM hashes really does not add much to security these days, although it is not going to hurt anything in some instances. This is probably the one setting in the list most related to security though. If you want to find out more about why this setting is not particularly useful, and what kinds of things it breaks, go to http://www.microsoft.com/technet/community/columns/secmgmt/sm1005.mspx.
9. Restrict null sessions - First, the values you give for this hack are for Windows 2000, not Windows XP. Settings designed for one operating system are not guaranteed to work on another. Second, most null session information access is already disabled in XP by default. Third, what is the threat you are worried about? None of the information available via a null session is particularly sensitive. If your security depends on keeping attackers from listing share names and user names you probably have a lot more serious problems to deal with. Fourth, if you have a firewall, this setting is moot. If you do not, you have other more serious issues to worry about.
10. Hide the security tab - This is in no way, shape or form a security setting. First, it is set in HKCU, where it affects YOU, not anyone else. Second, only someone who owns the object or has been granted the proper permission on it can set security. Such a user can set security in a number of ways; this just blocks one of them.
None of these settings improve actual security one bit. They are either just security theater or they attempt to solve a problem that exists elsewhere. They are pretty likely to make the system unmanageable, unsupportable, or just plain less useful though.
There are many resources to help protect Windows XP. For home users, there are four steps: Turn on the Windows Firewall, use an anti-malware program, ensure that Auto Updates are turned on, and do not run as an administrator.
If you are trying to configure security in an enterprise, and you want to maintain a supported system, go read the Windows XP Security Guide: http://go.microsoft.com/fwlink/?LinkId=14840. You may also want to look at http://www.protectyourwindowsnetwork.com for a more holistic security perspective.
Message 5 of 11
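As an added illustration of the hive argument the reply makes (this script is not part of the thread and not the poster's code), the read-only PowerShell audit below reads the standard registry locations behind eight of the ten tweaks and reports whether each value lives under HKCU (affecting only the account running the script) or HKLM (machine-wide, and revertible by any administrator). The value names are the usual Windows policy names, which the thread itself does not quote; the two RAS/system-properties tweaks are left out because their locations are not named here.

```powershell
# Added audit example: read-only check of where the discussed tweaks actually live.
# Value names are the standard Windows policy names (assumed; not quoted in the thread).
$hkcuExplorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$lsa          = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$checks = @(
    @{ Tweak = 'Disable admin shares';          Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Value = 'AutoShareWks' },
    @{ Tweak = 'Hide last logon name';          Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Value = 'DontDisplayLastUserName' },
    @{ Tweak = 'Control apps users can run';    Path = $hkcuExplorer; Value = 'DisallowRun' },
    @{ Tweak = 'Hide access to drives';         Path = $hkcuExplorer; Value = 'NoDrives' },
    @{ Tweak = 'Clear page file at shutdown';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Value = 'ClearPageFileAtShutdown' },
    @{ Tweak = 'Disable LM hash';               Path = $lsa; Value = 'NoLMHash' },
    @{ Tweak = 'Restrict null sessions';        Path = $lsa; Value = 'RestrictAnonymous' },
    @{ Tweak = 'Hide the security tab';         Path = $hkcuExplorer; Value = 'NoSecurityTab' }
)

# Is the account running this audit an administrator? If so, every HKLM tweak is
# something this same account could simply revert, which is the reply's point.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)

foreach ($c in $checks) {
    # Missing key or value just means "not set"; never write anything.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $data = if ($item) { $item.($c.Value) } else { '<not set>' }
    $scope = if ($c.Path -like 'HKCU:*') {
        'current user only (restricts the account that set it)'
    } else {
        'machine-wide (any administrator can revert it)'
    }
    [pscustomobject]@{
        Tweak = $c.Tweak
        Hive  = ($c.Path -split ':')[0]
        Name  = $c.Value
        Data  = $data
        Scope = $scope
    }
}
"Running as administrator: $isAdmin"
```

Run it once as the restricted user and once as an administrator: the HKCU rows only show values for whichever account set them, which is the scope problem the reply describes.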