Securing Windows XP on K-12 computer networks

Since the motivations behind securing Windows XP in the K-12 environment are different from corporate motivations, so are the methods you use.

By William T. Evans

Securing Windows XP can be a challenging and complex process, one that doesn't end after the initial setup of a networked workstation. The procedures for securing Windows XP in educational and corporate environments are similar, but the motivating factors are sometimes different. For most corporate environments, the primary reason to secure a workstation is to prevent unauthorized access to a system--this includes protecting data and controlling "unofficial" software installations. In some cases, due to lack of experience or proper staffing, organizations do not secure workstations at all. They simply rely on the built-in "generic" security measures of the Windows XP operating system.

In K-12 environments there are additional motivations. Put simply, educational environments, specifically K-12, are concerned with the integrity of the operating system and any local applications. Preventing accidental or intentional tampering is a large part of the K-12 network administrator's job. Data security on the workstation is rarely a concern because data is almost never stored locally in K-12 environments. Maintaining operational consistency is also a key factor. The novice end users in K-12 tend to be the staff (teachers) and the experienced end users are the students. Proper security provides benefits for both groups of end users. For the staff it provides a consistent and reliable interface and function. For the student it provides a controlled environment that cannot be tampered with.

Securing Windows XP in K-12 Environments--The process

The process of securing Windows XP in K-12 environments is a complex one. The network administrator must look at the client operating system from the perspective of the network administrator, technical staff, administrative staff, teaching staff, and the student as well. Security in the operating system must be effective, flexible, and also provide security for the applications that will be added initially and later on. This can be done by:

ACLs (Permissions)

Using the Access Control List component of Windows XP, the network administrator can secure every drive, folder, and file on the workstation, granting or removing access only where necessary. By default, much of the operating system and associated software is left open to the end user. Using ACLs, all folders and files created by the operating system must be set to "Full Control" for Administrators and System, and "Read and Execute" for Users. These permissions must be propagated down to all subfolders and files (this includes the Program Files folder and Windows folder on the system root drive). The only folders that do require some level of Write access are:

  • C:\Temp (may not exist)
  • C:\Documents and Settings\All Users
  • C:\Documents and Settings\Default User
  • C:\WINDOWS\Debug
  • C:\WINDOWS\Prefetch
  • C:\WINDOWS\Temp
  • C:\WINDOWS\system32\MsDtc
  • C:\WINDOWS\system32\spool

The above process requires replacing all ACLs for the Users local group with Read and Execute permissions (except for the above-mentioned directories).

Author's note: Certain applications that reside in C:\Program Files will require Write access in order to function properly.
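The permission scheme above can be verified once it has been applied. The following read-only PowerShell audit is an added example, not part of the original article; it assumes Windows PowerShell 2.0 or later is installed on the workstation, and the function names and the two scan roots are illustrative choices.

```powershell
# Added example, not from the article: read-only audit of write-type rights
# held by the local Users group outside the article's exception folders.
$Exceptions = @(
    'C:\Temp',
    'C:\Documents and Settings\All Users',
    'C:\Documents and Settings\Default User',
    'C:\WINDOWS\Debug',
    'C:\WINDOWS\Prefetch',
    'C:\WINDOWS\Temp',
    'C:\WINDOWS\system32\MsDtc',
    'C:\WINDOWS\system32\spool'
)
$UsersSid = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users (locale-independent)

# Rights beyond "Read and Execute": write, delete, permission and owner changes,
# plus the raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
$WriteMask = ([int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x50000000

function Test-WriteException([string]$Path) {
    foreach ($e in $Exceptions) {
        if ($Path -ieq $e -or $Path -like "$e\*") { return $true }
    }
    return $false
}

function Get-UsersWriteAce([string]$Root) {
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        if (Test-WriteException $item.FullName) { continue }
        $acl = Get-Acl -Path $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        # Report inherited ACEs only at the scan root; below it, list explicit
        # ACEs so each finding points at the object where the grant is set.
        $atRoot = $item.FullName.TrimEnd('\') -ieq $Root.TrimEnd('\')
        $sidType = [System.Security.Principal.SecurityIdentifier]
        foreach ($ace in $acl.GetAccessRules($true, $atRoot, $sidType)) {
            if ($ace.IdentityReference.Value -eq $UsersSid -and
                $ace.AccessControlType -eq 'Allow' -and
                ([int]$ace.FileSystemRights -band $WriteMask)) {
                New-Object PSObject -Property @{
                    Path = $item.FullName; Rights = $ace.FileSystemRights
                    Inheritance = $ace.InheritanceFlags }
            }
        }
    }
}

# Scan roots chosen for this example; findings under Program Files may be intended.
'C:\WINDOWS', 'C:\Program Files' | ForEach-Object { Get-UsersWriteAce $_ }
```

Each object returned names a path where the Users group still holds more than Read and Execute. Grants made to other principals that include ordinary users, such as Everyone or Authenticated Users, are not examined by this script.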

Local groups

An ACL can only be applied to either a user or a group. It's always best to create the permissions using local groups (you should use actual user accounts only rarely). Using local groups for setting permissions is a standard practice for many network administrators and is recommended by Microsoft. Global groups are not recommended because their effectiveness can be lost if a workstation cannot communicate with a domain controller.


You should only use Remote Administration (Terminal Services) where absolutely necessary, and you should enable it only for network administrator access. You should disable unnecessary system services as well. This can be a complex task that you must perform carefully with proper testing. Finally, any unnecessary software should be removed from the workstation. This includes any software that is part of the Windows XP operating system that can be removed.

Securing Windows XP in K-12 environments--Troubleshooting and monitoring

Auditing tools and logging (built into Windows XP)

Used properly, auditing and logging are invaluable when troubleshooting and verifying that the proper security is set on the operating system.

FileMon and RegMon (by Sysinternals)

The security auditing tools built into Windows XP are functional and provide great value. Sysinternals (which is now owned by Microsoft) offers a suite of tools that are an excellent complement to the built-in tools. Two of the tools are FileMon and RegMon, both graphical real-time tools to monitor file system and registry activity. Often they can easily provide information that operating system auditing alone cannot. Tools such as these are critical when testing the security of a new/modified Windows XP workstation setup. Legacy applications, or those with local data storage, often will conflict with the above recommended security configurations. These tools can help the network administrator to quickly identify and resolve issues.

Securing Windows XP in K-12 environments--The result

Securing Windows XP in K-12 environments is no easy task. The network administrator must be fully aware of all aspects of expected use and special requirements. You must set proper permissions using local groups, and turn off any unnecessary software and features. You must test all changes thoroughly using built-in and third-party tools. The result is a Windows XP workstation that is secure, tamper-proof, and reliable.