Published: December 31, 2003 | Updated: April 26, 2006
Although this guide discusses many security countermeasures and security settings, it is important to understand that some of them are especially important. This appendix highlights those settings; you may wish to refer to the relevant chapter for an explanation of what each setting does and why it is important.
Which settings to include in this list could be the subject of an extensive debate. In fact, this topic was discussed at great length by a group of security experts within Microsoft. You may feel that some settings are missing, or that some of the listed settings do not need to be on the list. Because each organization has a distinct environment with unique business requirements, different opinions about security issues should be expected. Still, this list might help you prioritize tasks that relate to hardening computers that run Microsoft® Windows®.
Important countermeasures that are not security settings include:
- Keep computers up to date on service packs and hotfixes, using automated tools for testing and deployment.
- Install and configure distributed firewall software or organizational IPsec policies.
- Deploy and maintain antivirus software.
- Deploy and maintain antispyware software on computers that are used to browse Web sites.
- Use a non-administrative account for day-to-day tasks. You should only use an account with administrator privileges to perform tasks that require elevated privileges.
Key security settings that are available in Microsoft Windows include:
- Password policy, which is discussed in Chapter 3, "The Domain Policy."
  - Enforce password history
  - Maximum password age
  - Minimum password length
  - Password must meet complexity requirements
  - Store passwords using reversible encryption for all users in the domain
- User rights, which are discussed in Chapter 4, "The Member Server Baseline Policy."
  - Access this computer from the network
  - Act as part of the operating system
  - Allow log on locally
  - Allow log on through Terminal Services
- Security options, which are discussed in Chapter 4, "The Member Server Baseline Policy."
  - Accounts: Limit local account use of blank passwords to console logon only
  - Domain member: Digitally encrypt or sign secure channel data (always)
  - Domain member: Digitally encrypt secure channel data (when possible)
  - Domain member: Digitally sign secure channel data (when possible)
  - Domain member: Require strong (Windows 2000 or later) session key
  - Network access: Allow anonymous SID/Name translation
  - Network access: Do not allow anonymous enumeration of SAM accounts
  - Network access: Do not allow anonymous enumeration of SAM accounts and shares
  - Network access: Let Everyone permissions apply to anonymous users
  - Network access: Remotely accessible registry paths
  - Network access: Restrict anonymous access to Named Pipes and Shares
  - Network access: Shares that can be accessed anonymously
  - Network access: Sharing and security model for local accounts
  - Network security: Do not store LAN Manager hash value on next password change
  - Network security: LAN Manager authentication level
- Additional registry settings, which are discussed in Chapter 4, "The Member Server Baseline Policy."
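A quick way to verify that the "Security options" settings in the list above actually took effect on a given server is to read the registry values that back them, which is where Group Policy writes them. The script below is an added example, not part of the guide; it assumes a PowerShell host (which did not exist when the guide was first published) and an account that can read HKLM. The registry paths and value names are the standard locations Windows uses for these policies; the expected values are an assumed illustrative baseline, so take the values the guide recommends for your environment from Chapter 4 rather than from this script. "Allow anonymous SID/Name translation" is omitted because it is held in LSA policy rather than the registry, and the three list-valued settings are reported rather than compared because their correct contents are environment-specific.

```powershell
# Added example: audit the registry values behind the "Security options" list.
# Expected values are an ASSUMED baseline for illustration, not the guide's own.
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$srv      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$winreg   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths'

# Policy display name -> backing registry value and the (assumed) expected value.
$checks = @(
    @{ Policy = 'Accounts: Limit local account use of blank passwords to console logon only';    Path = $lsa;      Name = 'LimitBlankPasswordUse';     Expected = 1 },
    @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)';         Path = $netlogon; Name = 'RequireSignOrSeal';         Expected = 1 },
    @{ Policy = 'Domain member: Digitally encrypt secure channel data (when possible)';          Path = $netlogon; Name = 'SealSecureChannel';         Expected = 1 },
    @{ Policy = 'Domain member: Digitally sign secure channel data (when possible)';             Path = $netlogon; Name = 'SignSecureChannel';         Expected = 1 },
    @{ Policy = 'Domain member: Require strong (Windows 2000 or later) session key';             Path = $netlogon; Name = 'RequireStrongKey';          Expected = 1 },
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts';            Path = $lsa;      Name = 'RestrictAnonymousSAM';      Expected = 1 },
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'; Path = $lsa;      Name = 'RestrictAnonymous';         Expected = 1 },
    @{ Policy = 'Network access: Let Everyone permissions apply to anonymous users';             Path = $lsa;      Name = 'EveryoneIncludesAnonymous'; Expected = 0 },
    @{ Policy = 'Network access: Restrict anonymous access to Named Pipes and Shares';           Path = $srv;      Name = 'RestrictNullSessAccess';    Expected = 1 },
    @{ Policy = 'Network access: Sharing and security model for local accounts';                 Path = $lsa;      Name = 'ForceGuest';                Expected = 0 },
    @{ Policy = 'Network security: Do not store LAN Manager hash value on next password change'; Path = $lsa;      Name = 'NoLMHash';                  Expected = 1 },
    @{ Policy = 'Network security: LAN Manager authentication level';                            Path = $lsa;      Name = 'LmCompatibilityLevel';      Expected = 5 }
)

function Test-SecurityOptionBaseline {
    param([array]$Checks = $checks)
    foreach ($c in $Checks) {
        $actual = $null
        try {
            # -ErrorAction Stop turns a missing value into a catchable error.
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction Stop).($c.Name)
        } catch {
            # Value absent: Windows falls back to its built-in default, which is
            # often the weaker choice, so it is flagged for review below.
        }
        [pscustomobject]@{
            Policy   = $c.Policy
            Value    = $c.Name
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
        }
    }
}

# The list-valued settings are only reported; compare them against your own baseline.
function Get-AnonymousAccessLists {
    [pscustomobject]@{
        RemotelyAccessibleRegistryPaths = (Get-ItemProperty -Path $winreg -ErrorAction SilentlyContinue).Machine
        SharesAccessibleAnonymously     = (Get-ItemProperty -Path $srv    -ErrorAction SilentlyContinue).NullSessionShares
        NamedPipesAccessibleAnonymously = (Get-ItemProperty -Path $srv    -ErrorAction SilentlyContinue).NullSessionPipes
    }
}

Test-SecurityOptionBaseline | Format-Table -AutoSize -Wrap
Get-AnonymousAccessLists   | Format-List
```

Any row marked REVIEW is either unset (the operating system default applies) or differs from the baseline you put in `$checks`; password policy and user rights are not registry values and are better checked with `secedit /export` or the Resultant Set of Policy tools rather than this script.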