Export (0) Print
Expand All

Data Security and Data Availability for End Systems

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
By Tom Dodds, MCS Principal Consultant, MCS Southern California, Warren Kerby, Consultant, MCS Southern California, Michael Howard, Program Manager, Microsoft Corporation

Microsoft Solutions Framework

Best Practices for Enterprise Security

Note: This white paper is one of a series. Best Practices for Enterprise Security ( http://www.microsoft.com/technet/archive/security/bestprac/bpent/bpentsec.mspx ) contains a complete list of all the articles in this series. See also the Security Entities Building Block Architecture ( http://www.microsoft.com/technet/archive/security/bestprac/bpent/sec2/secentbb.mspx ).

On This Page

The Focus of This Paper
Securing Servers and Workstations on the Web
Applying the Security Configuration Using Policy
Creating an Auditing and Monitoring Strategy
Designing a Fault Tolerance Solution
Appendix A: User Rights Explained (from Resource Kit)
Appendix B: Local Security Settings (from Resource Kit)
Appendix C: HighSecweb.inf File

The Focus of This Paper

Overview

This paper is based on a security engagement Microsoft Consulting Services (MCS) recently completed at a large bank. It discusses MCS best practices in the following areas:

  • Securing servers and workstations on the Web. This section outlines many of the concepts and key considerations you should take into account when defending servers or workstations from attacks.

  • Applying the security configuration using policy. This section offers recommendations on how to apply your security model.

  • Creating an auditing and monitoring strategy. This section outlines tools you can use to proactively manage your security model.

  • Designing a fault tolerance solution. This section provides an outline of how MCS created a reliable and scalable solution for the account.

The evaluation and completion of the security tasks outlined in this paper will help a company create a more secure environment and Internet presence.

Securing Servers and Workstations on the Web

Common Attacks

There are many different ways that hackers attempt to gain access or do damage to a company system. Most of these attacks are well known and documented on many security Web sites. Some of the more common attacks are listed as follows.

Spoofing User Identity

Spoofing user identity is when a hacker obtains a user's personal information or something that enables the hacker to replay the authentication procedure. Spoofing threats are associated with a hacker being able to impersonate a valid system user or resource to get access to the system and thereby compromise system security.

Tampering with Data

An unauthorized change to stored or in-transit information, formatting of a hard disk, a malicious intruder introducing an undetectable network packet in a communication, and an intruder making an undetectable change to a sensitive file are all tampering threats.

Repudiability

A user performing an illegal operation without the ability to be traced is called "repudiability." Repudiability threats are associated with users (malicious or otherwise) who can deny a wrongdoing without any way for you to prove otherwise.

Information Disclosure

Disclosure of private or business-critical information can compromise an enterprise. Information disclosure threats expose information to individuals who are not supposed to see it. A user's ability to read a file that she or he was not granted access to, as well as an intruder's ability to read the data while in transit between two computers, are both disclosure threats. Note that this threat differs from a spoofing threat in that here the perpetrator gets access to the information directly rather than by having to spoof a legitimate user.

Denial of Service

A "Denial of Service" (DoS) attack prevents legitimate users from using a service. The effectiveness of a DoS attack is measured three ways:

  • Effort. A measure of the effort required for the attack to be successful. The least effort is a single packet that crashes a computer. The greatest effort is a lot of large packets, possibly sent by multiple attackers.

  • Severity. A measure of how much the service has been degraded. A severe attack will prevent all legitimate users from accessing the service. A mild attack may slow down access, but not shut it down completely.

  • Persistence. An attack is persistent if its effects continue after the attack stops. The strongest attacks persist even if the attacker is blocked from accessing the service. Some attacks persist until the server is rebooted. The effects of a weak attack end as soon as the attack does.

DoS attacks range from mildly annoying to true security risks. In general, a good firewall should prevent them from happening. (For more information on preventing DoS attacks, see "Preventing Denial of Service Attacks" later in this paper.)

Elevation of Privilege

An elevation of privilege threat is when an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system. The more dangerous aspect of such threats is compromising the system in undetectable ways whereby the user is able to take advantage of the privileges without the knowledge of system administrators. Elevation of privilege threats include those situations where an attacker is allowed more privilege than should properly be granted, compromising the security of the entire system and causing extreme system damage. Here the attacker has effectively penetrated all system defenses and become part of the trusted system itself and can do anything.

Determining Which Information to Secure

The first step you must take is to determine the level of security needed on each system in the environment. For example, outside Web servers normally contain information that is public and therefore would need a different type of security model than, say, a database server that is storing confidential information. Another type of device that provides security is a firewall. A firewall normally is used to limit access to information from users inside and outside the enterprise. Therefore, how you design and implement a secure firewall is very important to the plan. But before this means anything practical, you must first define information security.

When defining information security for our bank project, we asked the following questions:

  • Which information should be defined as top secret, secret, classified, and unclassified?

  • Is there information kept outside the organization's network (defined as classified, secret, or top secret) that shouldn't be accessed by anonymous users?

  • Is there information that should be accessed only by particular groups of people?

  • Are there connections in place that allow internal users to gain direct access to external resources?

  • Are there facilities in place that allow external people access internally?

  • What type of access is needed by the application suite and do users have to get that access through the firewall?

The bank outlined all of these issues, created a security team, assigned a security officer, and created an enterprise-wide security policy. After this was complete, we developed the proper security model and completed the details necessary to create a secure infrastructure for the bank.

Determining the Level of Security

It is important to categorize and understand what security is required based on the classification of the information. For example, you could start by determining the level to which the information secured can be accessed. There are two extremes of enterprise security:

  • Information that is not allowed should not be accessed without proper permissions. In this case, the information technology (IT) group determines who is allowed to access what information. This is a restrictive arrangement, but a controllable one. This is also a model that is well known and has been in place for many years. The challenges with this architecture have been to control all the different security logins required to gain access to all the required resources.

  • Information that is not disallowed can be accessed by anyone. This leaves users primarily responsible for controlling their actions when accessing information anonymously. Web users in particular prefer this arrangement, but it can be troublesome from a security standpointit makes controlling access to data difficult because users don't have to give any credentials to get logged in.

In the case of our bank project, we adopted a security policy that straddles these extremes, one that allows us to control yet promote data access so that users can get to the information they need.

Physical Security

Physical security involves protecting the computers used to store and process sensitive and/or valuable data (whether a server or a workstation). Protecting against accidental or deliberate access (including changes to the way the computer is set up), however, should not prevent users from doing their work nor should it erect unrealistic or inconvenient barriers to user resources.

Standard Security

For standard security, the computer system must be protected, as any valuable equipment would be. In the case of our bank project, this involved housing the computer in a building that is locked and out-of-bounds to unauthorized users.

As was mentioned in the previous section, the first step to create a secure infrastructure is to evaluate the current security level of each server and workstation. Some of the key issues from a physical security perspective in a standard security model are outlined below. The next sections after this one goes into more detail on important issues when building a security model. The actual application of these recommendations is outlined in Part 3 of this document, "Applying the Security Configuration Using Policy," which details applying these settings in a Windows 2000 environment. Also, always remember it is imperative to continually check http://www.microsoft.com/technet/security/default.mspx for the latest additions to this list.

The first thing to evaluate on either the server or the client is the physical security of the boxes and the environment. The chart below shows some of the suggestions we made at the bank to protect its clients or servers.

Physical Security

Client or Server

Protection against casual theft

Client and server

Locked room

Server

Climate-controlled environment

Server

Controlled entrance

Server

Locked cable room (hub is not exposed)

Server

Computer locks on desktop. For servers, locks on racks and the area has security controls (door lock, room lock) using company badges for access.

Client and server

Procedures for physical admin/repair (spares on site)

Client and server

Power / surge protector

Client and server

Floppy disabled (or at least require that users be logged in as administrator to use the device)

Client and server

Floppy disk drive removed (if it is not required)

Client and server in a high secure environment

Power-on password

Client and server in a high secure environment

Edit the boot.ini file with the boot timeout set to 0 seconds

Client and server in a high secure environment

Only NTFS file system on all drives

Client and server in a high secure environment

Backups

Regular backups protect data from all sorts of hazards: hardware failures, honest mistakes, viruses, and malicious mischief. In our bank project, because files must be read to be backed up and written to be restored, backup privileges were limited to administrators and backup operators.

Auditing

Often a company does not know about a breach of security until it finds it, usually by auditing the network. Effective auditing can also uncover actions that pose a security risk and identify the user accounts from which the actions were taken. Establishing an audit policy requires that you balance the auditing cost (in disk space and CPU cycles) against its advantages. System setup and capacity may dictate how many functions you can realistically audit. At the very least, the bank decided to audit failed log-on attempts, attempts to access sensitive data, and changes to security settings.

Creating a High-Security Environment

Depending on the level of security required, additional security measures can be implemented to create a high-security environment. To determine the need for additional security measures in our bank project, we first needed to identify which computers, if any, contained sensitive data at high risk for theft or intentional violation and disruption. Security for these machines, or their subnet, we decided to augment with more stringent security features than those used for the rest of network.

Controlling Access

No computer is ever completely secure if people other than the authorized user can sit down and tinker with it. In the case of our bank project, the bank attempted to minimize the impact of a user logging in at the console by:

  • Disabling the floppy-based boot if the computer hardware provides the option. If the computer doesn't require a floppy disk drive, then they removed it.

  • Locking the CPU case with a key that is stored away from the computer.

  • Using the NT file system (NTFS) on the entire hard disk.

  • Removing the network card if the computer does not need network access.

If possible or practical, the bank will keep unauthorized users away from computer power and reset switches. The most secure computers (other than those in locked and guarded rooms) give users access to only the keyboard, monitor, mouse, and printer. The bank will lock up the CPU and removable media drives and allow only authorized personnel to have access to them.

By default, Microsoft Windows 2000 allows any program to access files on floppy disks and CDs. A highly secure, multi-user environment allows only the person interactively logged on to access those devices, so interactive users can write sensitive information to these drives confident that no other user or program can see or modify it (detailed steps of how to accomplish this are contained in the Appendix). This mode allocates system floppy disks or CDs to a user as part of the interactive log-on process, and then frees them automatically for general use or reallocation when that user logs off. For our bank project, we made it a standard practice to remove sensitive data from the floppy or CD-ROM drives before logging off.

Network-Level Security

By placing a computer on a network, you add an access route to the computer that should be secured against some level of intrusionfrom casual to intentional. User validation and protections on files and other objects are sufficient for standard-level security, but high-level security demands that the physical network be secured.

The main risk is unauthorized network taps. If the network is set up completely within a secure building (a rarity) the risk of unauthorized taps is minimized or eliminated. If the network is not completely within direct physical control, you must decide on a level of realistic protection and institute it, beginning with physical security. If, for instance, cabling passes through unsecured areas, consider using optical fiber links rather than twisted pairit is much harder to tap a fiber and siphon off data.

More common these days is Internet communications. The security issue here cuts both ways, because this sort of connection provides access to and from the Internet community. In essence, this means that just about everyone in the world with access to a computer has possible access to some or all systems contained within an enterprise. To get in, however, we have created a series of moats or security walls that they must defeat before they can gain access.

It is beyond the scope of this document to go into firewall design and implementation, but this would act as our first moat. The rest of this document details the security lockdown and secure architecture MCS created for the bank behind the first firewall.

Important General Security Considerations

Known States and Repeatability

Have a process for setting up servers that is repeatable. Start with clean installations of the operating system and always use NTFS. That way you will get a consistent set of files, and their permissions will be set properly. If the extra work of doing clean installations seems daunting, keep in mind that if there is a hardware failure or you are adding or replacing a server, you will most likely have to do a clean installation. If you upgrade a bunch of servers, they will most likely have different sets of files installed. IIS and other components can be configured with scripts. Create a script and use it for all updates. You won't forget a setting, and you can always use that script if you have to add another server.

It can be very difficult to use a server that is completely locked down. For example, unused services should be turned off while a server is in "production" mode. However, it necessary to keep some services running while configuring the server. Create two scripts: one script to lock the server down for "production" mode, and another to put the server in "maintenance" mode. Servers have been hacked because security settings were turned off "temporarily" for maintenance, and not turned back on.

Components

If you are not using a component or feature, do not install it. Delete or disable it. This is very important. Remove everything you can possibly remove and still have your site function.

Set Services to "Manual"

Turn off all services that you are not using. To help determine which services are being used, set the Startup Type of services that you believe are unused to Manual. Restart the server and use all of your applications. Then use the Services MMC snap-in to see which services are started. Services that haven't started probably are set to Disabled.

Passwords

The security of any workstation or server is only as good as its passwords. Use strong passwords and change them frequently based on policy. Recent studies suggest that you choose passwords that are at least seven characters long and contain a mix of letters, numbers, and punctuation marks.

Use the Event Logs Service

The Event Log services will generally have information that will help you debug problems. They also are a great source of information on possible malicious activities that could be occurring on the system.

Keep a Log of Changes

Keep a chronological list of all the changes you make. This will make it easier to configure new machines, and it also provides a record of what you've done.

Confirmation

Always double-check your configuration before connecting a server to the Internet. No server should ever be on the Internet without all security measures in place. Use a checklist to keep track of security measures. Attackers are continuously scanning IP addresses to find new machines. There are many vulnerability detectors available, both commercial and freeware. Use these products to confirm that your security measures are in place and working.

Defense in Depth

Do not rely on a single defense to protect you. Make attackers work their way through a maze of defenses. Design systems like a castle with a moat, drawbridge, outer wall, inner wall, and a keep. This doesn't mean that it must be difficult for the legitimate user to get information from your Web site. Read-only access is usually simple to achieve. All methods for changing, editing, adding, or posting information to a Web site must be carefully secured.

Maintenance

Maintenance is an ongoing activity for any secure Web site. The simplest, and most important, maintenance activity is monitoring security bulletins and implementing any recommendations. Maintenance also includes periodic checks to ensure that all security procedures are still in place and working.

Test All Features Frequently

Stop periodically, reboot the computer, and test your applications. If you find that something has stopped working or its behavior has changed, you can look at the list of changes and figure out which setting caused the change.

Use a Net Sniffer to Detect Traffic

A network sniffer or monitor may give you clues about which services are running. Use the "Well Known Port Numbers" document, http://www.isi.edu/in-notes/iana/assignments/port-numbers , to determine which services are using a port.

Applying the Latest Service Pack and Hotfixes

It is very important to keep current on all security information for all of the products that you are using on both the server and the workstation. Once a security-related issue becomes public, the recommended fixes must be implemented as soon as possible. Attackers monitor this information also and will use it against any client or site that isn't up-to-date. Attackers write scripts that test a system for all known weaknesses. Systems are routinely hacked because of well-known exploits. Therefore, we cannot emphasize enough the importance of staying current on security updates and patches.

Microsoft automatically e-mails security bulletins as issues are discovered. To see previous bulletins, and sign up for future bulletins, go to http://www.microsoft.com/technet/security/default.mspx . After you review all Microsoft Security Bulletins, ensure that all the latest patches are applied to the perimeter network (also known as DMZ or demilitarized zone) servers. Currently, Windows NT 4.0 Service Pack 6 (SP6) is the latest Service Pack and is recommended for secure Internet Information Server 4(IIS4) sites. See the following site:

Also review the latest Microsoft security news at http://www.microsoft.com/technet/security/default.mspx .

Preventing DoS Attacks

Denial of Service attacks are very difficult to defend against. Again, one of the most important things to do is to keep up to date on the latest DoS attacks posted on http://www.microsoft.com/technet/security/default.mspx . Another approach is to harden the TCP/IP stack on a Windows 2000 server or workstation to help prevent common DoS attacks from impacting the performance of your system or bringing it down.

Hardening the TCP/IP Stack

By default, the TCP/IP stack is configured to handle normal traffic and to be robust under normal working conditions. If a Windows 2000 server or workstation is going to be exposed to the Internet, the TCP/IP stack should be reconfigured to handle the various TCP/IP protocol attacks. See the Knowledge Base article, "Internet Server Unavailable Because of Malicious SYN Attacks" ( http://support.microsoft.com/default.aspx?scid=kb;en-us;142641&sd=tech ) for more information.

To harden the stack at the bank, we set the following keys. All of the TCP/IP parameters are located under the registry key

HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services

SynAttackProtect

Key:

Tcpip\Parameters

Value Type:

REG_DWORDBoolean

Valid Range:

0, 1, 2

Default:

0

Description:

When enabled, this parameter causes TCP to adjust the retransmission of SYN-ACKS to cause connection responses to time out more quickly if it appears that there is a SYN-ATTACK in progress. This determination is based on the TcpMaxPortsExhausted parameter.

Parameters:

0:

Default Value Normal protection against SYN Attacks.

1:

Better Protection - This parameter causes TCP to adjust the retransmission of SYN-ACKS to cause connection responses to time out more quickly if it appears that there is a SYN-ATTACK in progress. This determination is based on the TcpMaxPortsExhausted, TCPMaxHalfOpen, and TCPMaxHalfOpenRetried.

2:

Best Protection Adds in additional delays to connection indications to quickly timeout TCP connection requests when a SYN=Attack is in progress. This is the recommended setting. When using this setting, note that the following socket options will no longer work on any socket: Scalable windows (RFC 1323) and per adapter configured TCP parameters (Initial RTT, window size).

EnableDeadGWDetect

Key:

Tcpip\Parameters

Value Type:

REG_DWORDBoolean

Valid Range:

0, 1 (False, True)

Default:

1 (True)

Description:

When this parameter is 1, TCP is allowed to perform dead-gateway detection. With this feature enabled, TCP may ask IP to change to a backup gateway if a number of connections are experiencing difficulty. Backup gateways may be defined in the Advanced section of the TCP/IP configuration dialog in the Network Control Panel. See the "Dead Gateway Detection" section in this paper for details.

Recommended:

0 an attack could force use to switch gateways and thus making up switch to non-intended gateways

EnablePMTUDiscovery

Key:

Tcpip\Parameters

Value Type:

REG_DWORDBoolean

Valid Range:

0, 1 (False, True)

Default:

1 (True)

Description:

When this parameter is set to 1 (True) TCP attempts to discover the Maximum Transmission Unit (MTU or largest packet size) over the path to a remote host. By discovering the Path MTU and limiting TCP segments to this size, TCP can eliminate fragmentation at routers along the path that connect networks with different MTUs. Fragmentation adversely affects TCP throughput and network congestion. Setting this parameter to 0 causes an MTU of 576 bytes to be used for all connections that are not to hosts on the local subnet.

Recommended:

0 an attacker could force MTU to something tiny and over-work the stack

KeepAliveTime

Key:

Tcpip\Parameters

Value Type:

REG_DWORDTime in milliseconds

Valid Range:

10xFFFFFFFF

Default:

7,200,000 (two hours)

Description:

The parameter controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote system is still reachable and functioning, it acknowledges the keep-alive transmission. Keep-alive packets are not sent by default. This feature may be enabled on a connection by an application.

Recommended:

300,000 (5 minutes)

NoNameReleaseOnDemand

Key:

Netbt\Parameters

Value Type:

REG_DWORDBoolean

Valid Range:

0, 1 (False, True)

Default:

0 (False)

Description:

This parameter determines whether the computer releases its NetBIOS name when it receives a name-release request from the network. It was added to allow the administrator to protect the computer against malicious name-release attacks.

PerformRouterDiscovery

Key:

Tcpip\Parameters\Interfaces\<interface>

Value Type:

REG_DWORD--BOOLEAN

Valid Range:

0: Disabled
1: Enabled
2: Off by default, DHCP-controlled

Default:

2

Description:

This parameter controls whether Windows NT attempts to perform router discovery per RFC 1256 on a per-interface basis.

Recommended:

0 This will prevent bogus router advertisements

Note:

Use the value in Tcpip\Parameters\Adapters to figure out which value under Interfaces matches the network adapter.

Network Settings

Disable NetBIOS over TCP/IP

Another way to prevent malicious users from gaining access to your workstation or server via some facility other than TCP/IP is to disable NetBIOS (network basic input/output system) over TCP/IP. This will disable the use of all default share and printer access to your computer using the \\Name\Share command set. These operations include directory and printer sharing, NetDDE (network Dynamic Data Exchange), and remote administration.

You can control the use of NetBIOS over TCP/IP (NBT) by going into Advanced TCP/IP Settings and disabling NetBIOS over TCP/IP. This way, no one can try to remote-mount drives or remote-edit registries. Windows NT networking services run promiscuously over multiple transports; therefore, internally your computers can still talk to each other over other internal protocols.

datava01

Port and Protocol Configurations

The next important step on any NIC (network interface card) exposed to the Internet is to set up TCP/IP filtering to control what types of traffic are allowed to communicate to the system. Many people fall into the trap of not making these changes if they have a firewall between themselves and the Internet. They make the assumption that the firewall will provide complete protection. This is the kind of thinking that allows hackers to gain access to Web servers, cable, or DSL (Digital Subscriber Line) computers that are connected to the Web. Adding these changes to the exposed NIC creates another moat in your defense that hackers must defeat before they can claim victory. At the bank, we used the advanced TCP/IP settings to set filtering for our Internet NIC. The following illustration shows these settings.

Cc722919.datava02(en-us,TechNet.10).gif

Basically, the bank permitted only TCP ports 80 for HTTP access and 443 for Secure Sockets Layer (SSL). They permitted no User Datagram Protocol (UDP) ports and only IP Protocol 6 (TCP). It's important to realize that specific company port requirements need to be identified and validated for individual needs. Also, it's important to understand fully the security implications of enabling a port or protocol.

Unbind Unnecessary Services and Protocols from Your Internet Adapter Cards

Another way hackers gain access to a remote machine is by using some information about services that the local user may not know they have enabled. Therefore, it's important to disable any unused services.

Disable Unnecessary Default Services

The following services should be disabled. These changes are implemented within the bank's security template. If the template is backed out, these services will still remain disabled and will require manual changes in order to enabled them. The services the bank disabled on its IIS servers included:

  • Alerter

  • ClipBook

  • Distributed File System

  • Distributed Link Tracking Client

  • Distributed Ling Tracking Server

  • Fax Service

  • Internet Connection Sharing

  • Intersite Messaging

Note: This service must be running on all DC's if multiple sites are used.

  • Messenger

  • NetMeeting Remote Desktop Sharing

  • Network DDE

  • Network DDE DSDM

  • Task Scheduler

  • Telnet

  • Terminal Service

  • Utility Manager

  • File Replication

  • Print Spooler

  • Remote Registry Service

Note: You will need to set this back to manual and start the service to use BackupExec or Netdiags.exe.

Restrict Default NTFS Permissions

For each hard drive on the bank's systems, we modified the ACL on the root directory:

  1. In Windows Explorer, right-click the icon for the hard drive.

  2. Click Properties, and then click the Security tab.

  3. Add the local Administrators group with Full Control.

  4. Change permissions for Everyone to apply to Domain Users instead. Click Advanced. Select the Everyone entry and click View/Edit. Click Change. Select the domain scope, and then select Domain Users.

  5. Click OK four times to close all dialogs and accept changes.

The team modified ACLs on these folders, which do not inherit permissions from the root: (Documents and Settings, Program Files, WINNT) to the following permissions:

  • Change permissions for Users to apply to Authenticated Users instead.

  • Delete permissions for Power Users and Everyone.

We also restricted access to the system's local security account manager (SAM) database by modifying the ACLs on Winnt\System32\config and Winnt\Repair by:

  • Changing permissions for Users to apply to Authenticated Users.

  • Deleting permissions for Power Users and Everyone.

Remove Unnecessary File System Access

The next step was to disable auto-generation of 8.3 names for backward compatibility with16-bit apps. In a secure environment it's important to avoid using 16-bit apps. The team turned off this feature by setting: HKLM\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation = reg_dword : 1. Another important step is to disable the build in admin shares by:

  • Removing the default administrative network file shares.

    • For each hard drive on all systems, remove the default share (C$, D$, etc.). Open Windows Explorer and right-click the icon for the hard drive. Click Sharing.

    • Select Do not share this folder.

    • Click OK to accept changes.

    • For the system volume, remove the default admin share (Admin$). Right-click the %windir% directory. Proceed as above.

    • To ensure that the default shares will not be recreated set this reg key: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer = reg_dword : 0

Note: BackupExec requires the above share names prior to backing up the server.

Secure Local User Accounts

Another important step is to control the built-in accounts that are a part of Windows 2000. Many hackers exploit this type of information when they are attempting to breach a server's account login structure. Some of the changes our team made include:

  • Renamed the Administrator account and then created a fake Administrator account that with no right. Make sure both accounts have robust passwords. Also, it's important to disable NetBIOS over TCP/IP to prevent dictionary types of attacks over the Internet from succeeding. (This was discussed earlier.)

Important Note On domain controllers, do not rename the Administrator account. Copy it to create a working "administrator" account and remove all privileges/group memberships from the original. This avoids the well-known admin account RID.

  • Limit the membership of the local Administrator's group.

  • Disable the Guest account and give it a strong password.

  • Disable the TsInternetUser account and give it a strong password. This account is automatically created (both locally and on the domain) when you install the OS, even if you do not install Terminal Services. Disable the account instead of deleting it, because if you later install an OS upgrade it will recreate the account if it does not exist.

  • Disable the IUSR_<machine> account on the web server and give it a strong password.

  • Disable network logon for the local Administrator and Administrator's accounts. Force these accounts to require interactive logon.

Secure the System Registry

The registry is the heart of a Windows 2000 system and it is essential to restrict anonymous access to the registry to prevent unauthenticated users from doing things like enumerating shares and local/domain users (KB article 143474). See Group Policy or set LM\System\CurrentControlSet\Control\LSA\RestrictAnonymous = reg_dword : 1. Other things to consider include:

  • Restrict network access to the registry. Create the Winreg key and set its ACL to grant access only to Domain Admins (KB article 155363). Add HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg.

  • Change the file association for the .REG extension to something like NOTEPAD.EXE. This prevents a malicious Web site from inserting new keys into your registry while you are browsing the Web.

Setting User Rights Assignments

The next key component of any server or workstation security strategy is to control the advanced User Rights that are set by default when a Windows 2000 server or workstation is installed. Again, it is important to apply these settings using the steps outlined in the Group Policy section of this paper, "Applying the Security Configuration Using Policy." The settings in the bank's .inf file for its secure Web servers are listed in the following illustration.

Cc722919.datava03(en-us,TechNet.10).gif

One of the challenges we faced when adding these settings was to fully understand the impact each setting had to applications that were already installed and running. That is why it's important to understand completely what each setting does before applying the template. A better approach, we discovered, would have been to set the security on all servers, including the development servers, before the server was in production, and then create our application in a secure environment that mimics the eventual production world. It can be challenging to track down which setting caused an issue after the template is applied if the development servers have a different security configuration. Please refer to the Appendix for a complete explanation of each setting.

Tightening Down the System

There are many settings on a Windows 2000 system that can be configured to tighten down the default installation. It is up to the security team to decide what level of security they need to implement and how many of these configuration changes are required. Again, the bank decided to start with the High Security Web site INF file supplied by Microsoft on the Web refer to http://www.microsoft.com/technet/security/default.mspx for the latest version), and custom it to meet the bank's internal needs. The following illustration shows the changes made by the HighSecWeb template (see Appendix C for a copy of the bank's Highsecweb template).

Cc722919.datava04(en-us,TechNet.10).gif

Again, it's important to fully understand the impact each configuration change has before applying the template. Refer to the Appendix for an explanation of the settings changed by the preceding template (anything that is not defined is not outlined). It is also important to take the HighSecWeb template and customize it to meet your individual security needs.

Auditing

Auditing of your servers is one of the key components in a monitoring strategy. It is very important to track these on a regular basis and to set up alerts when an incursion occurs. There are many third-party products that assist with this process. Refer to the monitoring and auditing section below for suggestions. A sample of how we configured auditing for our bank project is in the chart below.

Auditing

Policy Setting

Audit Account Logon Events

Success and Failure

Audit Account Management

Success and Failure

Audit Directory Access

Not Defined

Audit Logon Events

Success and Failure

Audit Object Access

Success

Audit Policy Change

Success and Failure

Audit Privilege Use

Success and Failure

Audit Process Tracking

Not Defined

Audit System Events

Success and Failure

Other System Changes

There are other important changes that need to be made at a file and system level. To the default security configuration at the bank, we set the system boot time to zero seconds, as shown in the following illustration.

Set the system boot time to zero seconds.

To prevent unauthorized users from bypassing the default Windows NT boot and secure logon process:

Go to Control Panel | System | Advanced | Startup and Recovery and set the Display List of Operating Systems to 0

Cc722919.datava05(en-us,TechNet.10).gif

We also moved all access control list (ACL) critical files. To do this, we placed all commonly used administrative tools in a special directory out of %systemroot% and restricted them as an ACL so that only administrators have full access to these files. Moving ACL critical files is important because hackers could use these tools to gain valuable information and launch rogue programs from the command line. This applies to both the workstation or server.

For example, create a directory called \tools, and place the following files in there:

xcopy.exe

wscript.exe

cscript.exe

net.exe

ftp.exe

telnet.exe

arp.exe

edlin.exe

ping.exe

route.exe

at.exe

finger.exe

posix.exe

rsh.exe

atsvc.exe

qbasic.exe

runonce.exe

syskey.exe

cacls.exe

ipconfig.exe

rcp.exe

secfixup.exe

nbtstat.exe

rdisk.exe

debug.exe

regedt32.exe

regedit.exe

edit.com

netstat.exe

tracert.exe

nslookup.exe

rexec.exe

cmd.exe

     

Policy and Auditing Changes

One of the key components of any security strategy is to ensure the configuration of the servers and workstations meet the policies set by the security committee in the policy document. The following charts outlines the configuration set for the bank. Refer to the section on Group Policy later in this paper, "Applying the Security Configuration Using Policy," to understand the recommended way to apply these policies.

Accounts

Policy Setting

Use separate accounts for administrative activity and general user activity.

Set in policy.

Rename Administrator account to something less obvious.

Set in policy.

Prohibit Guest from writing or deleting any files, directories, or registry keys (with the possible exception of a directory where information can be left).

Guest disabled.

Set server to lock automatically if it is not used for a set period of time. Use alt-ctrl-del 32-bit screen saver with the Password Protected option.

Logon screen saver set to five minutes.

Passwords

Policy Setting

Maximum password age.

Set to 30 days.

Enforce password uniqueness.

Set to five unique passwords.

Password made up of number, special character, and mixed case. (Strong password option installed [see 161990]).

Strong passwords need to be enforced

Lock account after third unsuccessful attempt.

Sixty minutes to reset retry and account access.

At least eight characters long.

Set to eight characters.

User Names

Policy Setting

Does not form part of company name or application name.

Policy.

User name is at least eight characters long.

Set to eight.

Lock account after third unsuccessful attempt.

Set in security policy.

Internet Information Server File System Changes

Another important aspect of the bank's security model was the creation of a secure hosting environment for all Web components. Based on information obtained from the Microsoft Security Web site, the bank set the appropriate virtual directory permissions/Web application space, set the appropriate IIS log file ACLs, enable the logging mechanism, and chose to disable or remove all sample applications.

Setting Directory Permissions/Web Application Space

When setting the appropriate virtual directory permissions/Web application space, it is important to control the IIS application directories. This is application dependent, but the following general rules apply:

File Type

ACL

CGI etc .EXE, .DLL, .CMD, .PL

Everyone (X)
Administrators (Full Control)
System (Full Control)

Script Files .ASP etc

Everyone (X)
Administrators (Full Control)
System (Full Control)

Include Files .INC, .SHTML, .SHTM

Everyone (X)
Administrators (Full Control)
System (Full Control)

Static Content .HTML, .GIF, .JPEG

Everyone (R)
Administrators (Full Control)
System (Full Control)

These settings would apply to any computer running a Web site.

Rather than setting ACLs on each file, we recommend setting new directories for each type of file and setting ACLs on the directory and allowing the ACLs to inherit to the files. For example a directory structure may look like this:

c:\inetpub\wwwroot\myserver\static (.html)

C:\inetpub\wwwroot\myserver\include (.inc)

C:\inetpub\wwwroot\myserver\script (.asp)

c:\inetpub\wwwroot\myserver\executable (.dll)

c:\inetpub\wwwroot\myserver\images (.gif, .jpeg)

Real ACL inheritance is a feature of Windows NT4 SP4 with the Security Configuration Editor installed.

Also, if you are using FTP and SMTP then their directories need special attention.

Setting IIS Log File ACLs

To prevent malicious users who have deleted files to cover their tracks, set appropriate IIS log file ACLs. We recommend set the ACLs on the IIS-generated log files (%systemroot%\system32\LogFiles) to:

  • Administrators (Full Control)

  • System (Full Control)

These settings apply to any computer running a Web site.

Enable Logging Setting

Logging is paramount when you want to see if your server is being attacked. You should use World Wide Web Consortium (W3C) Extended Logging format by loading the IIS MMC snap in. Then:

  1. Right-click on the Web site.

  2. Click Properties.

  3. Choose Logging W3C Extended Log.

Also, remember to set all required general and extended properties in the Properties box of the log file.

These settings apply to any computer running a Web site.

Disabling or Removing All Sample Applications

Samples are just that, samples, and should never be installed on a production server. This includes documentation (the software development kit [SDK] documents include sample code), the Exploration Air sample site from the SDK, and others. Here are the default locations for some of the samples:

Technology

Location

IIS

c:\inetpub\iissamples

IIS SDK

c:\inetpub\iissamples\sdk

Admin Scripts

c:\inetpub\AdminScripts

Data access

c:\Program Files\Common Files\System\msadc\Samples

These settings apply to any computer running a Web site.

Applying the Security Configuration Using Policy

The goal for creating and applying security policies is to simplify and centralize the process for configuring and managing security within the network perimeter for Windows 2000 Servers. Using organizational units is the best method for separating specific security requirements for certain servers, such as the IIS servers, from the rest of the servers. It is important to plan the policy architecture separating specific security requirements for servers using organizational units because once the infrastructure is in production, a policy may need to be backed out or changed due to problems and only the servers that belong to the organizational unit will be affected and not the rest of the servers within the network perimeter.

Policy Hierarchy and Inheritance

A Group Policy is applied hierarchically, from the least-restrictive container group (local group) to the most-restrictive container group (organizational unit). Lower container groups inherit Group Policies from a higher container group by default. The order in which policies are applied from least to greatest is the local server group, site group, domain group and then the organizational unit. The implementation for the bank was to use a domain-wide policy for the common security requirements and organizational units for the specific server security requirements, which will overwrite the default local server group policies.

Domain Policy

In addition to managing security using organizational units, a domain-wide policy will be implemented assigning common security policies required in the network perimeter, such as account, audit, and user rights to all servers. When the domain is built, a default domain policy is created. The goal will be to not modify the default policy but override it with certain parameters by creating a new policy and linking it above the domain policy. Only the parameters that are defined in the linked policy will override the default domain policy. If there are problems, then the override policy can be disabled, which will ensure that the default domain policy will take control again.

Domain Controller Policy

A separate default policy is created for the domain controllers when the domain is built. Certain security policies will need to be applied to override the domain controller default policies. A new domain controller policy will be built and linked above the default domain controller policy just like the domain policy. By creating new domain policies, it will make it easier to back out the override in case a problem occurs. Backing out the override policy will put the default policies back in place.

Applying Group Policies

A group policy is applied when the server is restarted. By default, the interval at which a group policy is refreshed for Windows 2000 based computers is 90 minutes. A group policy can also be immediately applied to a server by issuing the following command on the computer:

Secedit /refreshpolicy machine_policy

Policy Design and Implementation

Group Policies that modify the security settings for computers are divided into multiple sections:

  • Account Policies Section

    • Password Policy

    • Account Lockout Policy

    • Kerberose Policy

  • Local Policies Section

    • Audit Policy

    • User Rights Policy

    • Security Options Policy

  • System Services Policy

The domain policy configured for the bank modified the Account Policies and the Audit Policy, which are common to all servers in the network perimeter. In addition, the Security Options Policies and System Services are configured and applied for each organizational unit that was created for each of the specific class of servers. Additional registry modifications may be added too and imbedded in the security template created for the organizational unit, such as the hardening of the TCP/IP parameters for the IIS Servers. The following steps were used to create and implement security policies for the bank:

  1. Understand and document default local and domain policies.

  2. Create organizational units to separate group policies for the different class of servers.

  3. Create security templates or inf files specific to each group of servers defined in the organizational unit.

  4. Install the security template into the newly created Group Policy.

  5. Create and install a security template for the Domain Controllers.

  6. Create and install a security template for the Domain Group Policy.

Document Default Local and Domain Policies

When the domain is initially created, a domain policy and a domain controller policy are created with default settings. Before changes to policies are applied to the network perimeter, the current default policy settings for member servers and domain controllers need to be reviewed and document. See the Appendix for detailed information on default domain policies.

Create Organizational Units in AD for Each Class of Server

Separate organizational units simplify the process for deploying Group Policies in order to apply customized security templates to each class of server. Domain controllers are in a separate organizational unit by default. Four organization units were created for the bank based on the different class of servers in the network perimeter. The following are the names of the organizational units that were created and a brief summary of the security applied to each:

IIS Servers. These servers need the tightest security applied to them since they are on the front line of the network perimeter. The security model created for the IIS servers enforces strong security. This includes hardening of the TCP/IP stack, disabling services not required and overriding the default security options of the group policy with enforced restrictions. See the IIS Template at end of this section.

FTP Servers. The same security model is applied as the IIS Servers with the addition of enabling FTP. See the IIS Template at end of this section.

LDAP Servers. The same security policy created for IIS is applied to the LDAP servers and the same services are disabled. The hardening of the TCP/IP parameters is not applied.

Create a Customized Security Template for Each Class of Server

Each type of server warrants a different security configuration. Although the differences are minor, automated management is best served by creating a distinct template for each type of server. The following templates were created for the bank for each category of server. These templates are stored on the domain controllers in the network perimeter.

  • Bank IIS.inf to be installed in the IIS Servers organizational unit

  • Bank FTP.inf to be installed in the FTP Servers organizational unit

  • Bank LDAP.inf to be installed in the LDAP Servers organizational unit

  • Bank SQL.inf to be installed in the SQL Servers organizational unit

  • Bank Domain.inf to be installed in the Domain container

  • Bank Domain Controller.inf installed in the Domain Controller organizational unit

To review or make modifications to templates, open the Secure Templates MMC snap-in, expand the default Templates directory, which is located under %systemroot%\security\templates, and select one of the templates listed above to view its current configuration. In order to make changes, double-click on one of the policies within the template and make appropriate changes. To save the template, right-click the template name, such as Bank IIS.INF, and click Save to replace configuration or Save As to create a new template to test with.

Install the Group Policy in Each Organizational Unit Container

Once the security templates are created, a new Group Policy can be created for each of the organizational units, and then the security template (inf file) can be imported into the newly created policy. To accomplish this, open Active Directory Users And Computers and locate the organizational unit that the policy is going to be created within.

  1. Select the organizational unit to make the change, and click Properties.

  2. Click on the Group Policy tab.

  3. Click New, then type a meaningful name for the new Policy.

  4. Click Close.

  5. Select the new policy, and click Edit.

  6. Under Windows Settings, click Properties on the Security Settings folder.

  7. Select Import Policy, and import the security template created in previous step.

  8. Check the box labeled Clear the database before importing.

  9. Click Close.

The policy is now created and loaded with the correct template. Computers can now be moved into the organizational unit and have the policy applied. Follow the same set of steps to install the Domain Controller and Domain Policies.

Policy Templates

The following parameters and values are the default domain settings for all servers and workstations in the bank's environment that are joined within the domain. The domain controller policy modifies the user rights policy just for the domain controllers. The domain policy modifies only the account policy for all servers that are joined into the domain.

Account Policies Password Policy

Enforce password history

0

Minimum password age

42

Minimum password length

0

Passwords must meet complexity requirements

Disable

Store password using reversible encryption for all users in the domain

Disable

Account Policies Account Lockout Policy

 

Account lockout duration

0

Account lockout threshold

0

Reset account lockout counter after

30

Account Policies Kerberose Policy

 

Enforce user logon restrictions

Enabled

Maximum lifetime for service ticket

600 Minutes

Maximum lifetime for user ticket

10 Hours

Maximum lifetime for user ticket renewal

7 Days

Maximum tolerance for computer clock synchronization

5 Minutes

Local Policy Audit Policy

 

Account Logon Events

No Auditing

Account management

No Auditing

Directory service

No Auditing

Logon events

No Auditing

Objects access

No Auditing

Policy Change

No Auditing

Privilege use

No Auditing

Process tracking

No Auditing

System events

No Auditing

Local Policy Application Event Log

 

Application Event Log MaximumLogSize

Not defined

Application Event Log AuditLogRetentionPeriod

Not defined

Application Event Log RestrictGuestAccess

Not defined

Local Policy Security Event Log

 

Application Event Log MaximumLogSize

Not defined

Application Event Log AuditLogRetentionPeriod

Not defined

Application Event Log RestrictGuestAccess

Not defined

Local Policy System Event Log

 

Application Event Log MaximumLogSize

Not defined

Application Event Log RestrictGuestAccess

Not defined

User Rights - Created from the default domain controller policy

 

Access this computer from the network

Admins, BK Ops, Power Users, Users, Everyone, IUSRs

Act as part of the operating system

LocalSystem

Add workstations to the domain

Authenticated Users

Backup files and directories

Admins, BK Ops

Bypass traverse checking

Admins, BK Ops, Power Users, Users, Everyone, IUSRs

Change the system time

Admins, Svr Ops

Create pagefile

Admins

Create a token object

LocalSystem

Create permanent shared objects

LocalSystem

Debug programs

Admins, Local System

Deny access to this computer from the network

Nobody is Denied

Deny logon as a batch job

Nobody is Denied

Deny logon as a service

Nobody is Denied

Deny logon locally

Nobody is Denied

Enable computer and user accounts to be trusted for delegation

 

Force shutdown from a remote system

Admins, Svr Ops

Generate security audits

Local System

Increase quotas

Admins

Increase scheduling priority

Admins

Load and unload device drivers

Admins

Lock pages in memory

Policy is Obsolete

Logon as a batch job

LocalSystem

Logon as a service

No Accounts have permission

Logon locally

Admins, BK Ops, Power Users, Users, ISInternet User

Manage auditing and security log

Admins

Modify firmware environment values

Admins, LocalSystem

Profile single process

Admins, LocalSystem

Profile system performance

Admins, LocalSystem

Remove computer from docking station

Admins, Power Users, Users

Replace a process level token

LocalSystem

Restore files and directories

Admins, BK Ops, Svr Ops

Shutdown the system

Admins, BK Ops, Svr Ops

Synchronize directory service data

Currently, not used

Take ownership of files or other objects

Admins

Security Options

 

Additional restrictions for anonymous connections

None. Rely on default permissions

Allow server operators to schedule tasks (DCs only)

Not defined

Allow system to be shut down without having to log on

Disabled

Allowed to eject removable NTFS media

Administrators

Amount of idle time required before disconnecting session

15 minutes

Audit the access of global system objects

Disabled

Audit use of Backup and Restore privilege

Enabled

Automatically log off users when logon time expires (local)

Enabled

Clear virtual memory page file when system shuts down

Disabled

Digitally sign client communication (always)

Enabled

Digitally sign client communication (when possible)

Enabled

Digitally sign server communication (always)

Enabled

Digitally sign server communication (when possible)

Enabled

Disable CTRL+ALT+DEL requirement for logon

Disabled

Do not display last user name in logon screen

Enabled

LAN Manager Authentication Level

Send LM & NTLM responses

Message text for users attempting to log on

 

Message title for users attempting to log on

 

Number of previous logons to cache

10 logons

Prevent system maintenance of computer account password

Disabled

Prevent users from installing printer drivers

Enabled

Prompt user to change password before expiration

14 days

Recovery Console: Allow automatic administrative logon

Disabled

Recovery Console: Allow floppy copy and access to drives and folders

Disabled

Rename administrator account

Not defined

Rename guest account

Not defined

Restrict CD-ROM access to locally logged-on user only

Enabled

Restrict floppy access to locally logged-on user only

Enabled

Secure channel: Digitally encrypt or sign secure channel data (always)

Disabled

Secure channel: Digitally encrypt secure channel data (when possible)

Enabled

Secure channel: Digitally sign secure channel data (when possible)

Enabled

Secure channel: Require strong (Windows 2000 or later) session key

Disabled

Send unencrypted password to connect to third-party SMB servers

Disabled

Shut down system immediately if unable to log security audits

Disabled

Smart card removal behavior

No Action

Strengthen default permissions of global system objects

Enabled

Unsigned driver installation behavior

Not defined

Unsigned non-driver installation behavior

Not defined

IIS Group Policy Security Configuration

The next step was to create and apply the Web security templates to the organizational unit that represented fro example Web servers in the perimeter network. A security template was created (Bank Secweb.INF) that contains all the parameters in the following table and was applied using the MMC snap-in Security Configuration and Analysis Tool. This template is a customized version of the highsecweb.inf file provided by the Microsoft IIS security team. The following parameters and their associated values are the current configuration for the local policies that are applied to organizational unit for the bank's network perimeter servers.

Security Options

Additional restrictions for anonymous connections

None. Rely on default permissions

Allow server operators to schedule tasks (DCs only)

Not defined

Allow system to be shut down without having to log on

Disabled

Allowed to eject removable NTFS media

Administrators

Amount of idle time required before disconnecting session

15 minutes

Audit the access of global system objects

Disabled

Audit use of Backup and Restore privilege

Enabled

Automatically log off users when logon time expires (local)

Enabled

Clear virtual memory page file when system shuts down

Disabled

Digitally sign client communication (always)

Disabled

Digitally sign client communication (when possible)

Enabled

Digitally sign server communication (always)

Disabled

Digitally sign server communication (when possible)

Enabled

Disable CTRL+ALT+DEL requirement for logon

Disabled

Do not display last user name in logon screen

Enabled

LAN Manager Authentication Level

Send NTLMv2 responses Only

Message text for users attempting to log on

Unauthorized Access Message

Message title for users attempting to log on

I M P O R T A N T N O T I C E! !

Number of previous logons to cache

10 logons

Prevent system maintenance of computer account password

Disabled

Prevent users from installing printer drivers

Enabled

Prompt user to change password before expiration

14 days

Recovery Console: Allow automatic administrative logon

Disabled

Recovery Console: Allow floppy copy and access to drives and folders

Disabled

Rename administrator account

Not defined

Rename guest account

Vistor

Restrict CD-ROM access to locally logged-on user only

Enabled

Restrict floppy access to locally logged-on user only

Enabled

Secure channel: Digitally encrypt or sign secure channel data (always)

Enabled

Secure channel: Digitally encrypt secure channel data (when possible)

Enabled

Secure channel: Digitally sign secure channel data (when possible)

Enabled

Secure channel: Require strong (Windows 2000 or later) session key

Enabled

Send unencrypted password to connect to third-party SMB servers

Disabled

Shut down system immediately if unable to log security audits

Disabled

Smart card removal behavior

No Action

Strengthen default permissions of global system objects

Enabled

Unsigned driver installation behavior

Warn but allow installation

Unsigned non-driver installation behavior

Warn but allow installation

Lessons Learned

A couple of lessons we learned when applying these policies include:

  • If the print spooler is disabled, then WinMgmt (WMI) will produce an event id 37-error message in the application event log.

  • If Digital Sign Server Communication (When Possible) is enabled, then the Netlogon service will produce an error message in the event log stating that it cannot find the domain controller. Secure channel settings must be applied to the domain controller prior to implementing on any of the servers in the domain.

  • In order to install the BackupExec agent remotely onto a server in the domain, the remote registry service on the server must be started prior to the install. This service is disabled as part of the security lockdown process. Also the C$ share must be created on the server prior to the install.

  • Develop scripts, or security templates, to automate disabling unnecessary services. Also, upgrading the operating system from NT4.0 to Windows 2000 will re-enable some of the services disabled during the security lock down.

Creating an Auditing and Monitoring Strategy

Security Tools

Now that we have outlined the Windows 2000 Security Model and have an understanding of how to secure the infrastructure, the next important step is to fully understand how a company would proactively detect a security exposure or breach. Since security on our project is of paramount importance, these measures need to be taken to assure resilience against possible intruders.

To address compliance with the defined security policy, many steps need to be taken. The process of validating the security policy settings can be quite tedious because there are many areas to cover. There are several security tools available that can be used to simplify this process. These tools range in functionality from port scanners (a low level tool) to overall security scanners. The following is a list of categories these tools usually fall under:

  • Vulnerability and/or port scanners

  • File system checkers

  • Event log analyzers

  • Registry analyzers

  • Access Control (ACL) analyzers

  • Packet sniffers

  • Password crackers

  • Overall security scanners

To better understand these security tools, it is necessary to understand their functionality. We will look at each one of the categories in more depth to understand their features and their value.

Vulnerability and/or Port Scanners

Each network service on Windows 2000 usually listens on a specific port (a well- known port) to service client requests. For Web servers it is port 80 and 443 for SSL communications. The "well-known ports" list enumerates all of the reserved ports and the services they provide. In our bank project, the ability to scan ports on a remote box could give a hacker an idea of possible entry points into the bank's system. Port scanners are usually the first set of tools that hackers use to identify targets ports. Therefore, it's important to use this type of tool to understand the current open and closed port configuration. Example port scanners are:

  • UltraScanA port scanner based on Windows NT

  • Nessus Projecta vulnerability scanner ( http://www.nessus.com )

File System Checkers

Another proactive set of tools that scans the system for anomalies at a system level is Intact from Pedestal Software. Intact works by first scanning a computer and creating a database of system filesa compact digital "snapshot" of the system in a known secure state. The user can configure the software very precisely, specifying individual files and directories to monitor on each computer, or create a standard template for all computers in an enterprise environment. Once this baseline database is created, a system administrator can deploy the Intact software to check the integrity of a system at any time. By scanning the current system and comparing that information with the data stored in the database, Intact detects and reports any additions, deletions, or changes to the system outside of the specified boundaries. If these changes are valid, the administrator can update the baseline database with the new information. If malicious changes are found, the system administrator will know immediately which parts of which components of the network have been affected. ( http://www.pedestalsoftware.com/ ).

Event Log Analyzers

With the security policy in place, the event logs become the repository of valuable audit information. Unfortunately, this repository is useless unless someone reviews its content. There are some challenges associated with event logs and by far the main one is its distribution. A company must look on every server in the farm to identify and address any security issues. Transferring all logs to a single repository, such as a database, simplifies the process of reviewing them, and in the case of our bank project, it also enables the bank to find time correlations between suspicious activities on numerous boxes.

There are two tools that can be used to export logs for consolidation:

Registry Analyzers

The Windows NT registry functions as the central repository of all configuration and security information. It is important to monitor it for any suspicious activity. Tools such as SomarSoft's DumpReg can be used to track registry changes and to watch for malicious activity. SomarSoft's RegMon utility can help you understand how various applications use registry. For more information, see the following Web sites:

Access Control Analyzers

Monitoring access control lists (ACL) is also very important. All of the Windows security always uses ACLs as the last line of defence. Given that all files and directories have individual ACLs, there is quite a bit of information to monitor. To be effective at this, a company can use tools such as:

Packet Sniffers

Packet sniffing enables viewing of actual network activity. Even if a hacker is skilled enough to delete traces of his or her activity, the network traces are recorded in real-time and cannot be manipulated. Catching suspicious activity using this tool requires a great deal of skill. There are many sources of this type of the tool. The Network Monitor comes standard with Windows (note: the standard tool is limited to seeing traffic between its own network adapter and the rest of the network). To obtain a version that is capable of sniffing all of the traffic, you must use the version of the tool that shipped with Systems Management Sever. Another solution is to use the Total Network Visibility product from McAfee.

Password Crackers

There are some tools today that enable hackers to crack Windows NT passwords. Perhaps the most widely used is a tool called L0phtCrack from L0pht Heavy Industries. This tool is able to use a dictionary attack, which will try every word in a dictionary to guess passwords. It also can use a brute force attack. This type of attack will try all of the combinations of the characters you supply to it in order to find that match. With the ability to match passwords against the authentication requests sniffed form the wire or using local registry, L0phtCrack is a great reason strong password security policy. We used the security measures outlined in this document to prevent the use of L0phtCrack on the bank's Web site. For more information about L0phtCrack, see http://www.l0pht.com

Overall Security Scanners

While all of the tool categories mentioned assist with the effort to create a secure network, they do not allow company administrators to track multiple security exposures, monitor the company's Web site proactively, and test a company's servers to make sure they comply with the security model. Fortunately, third- party vendors have recognized this need and have created a set of tools that can be used to scan and monitor a company's systems for security compliance or incursions. These tools make the security less tedious and more attainable, thus making them an administrator's first choice for deriving and enforcing security policy across the entire network.

Some of the tools in this category include Internet Security Scanner (ISS) by Internet Security Systems and Database Scanner (DBScanner) by Internet Security Systems. ISS can validate the security configuration of a company by running a system scan. It provides a complete scanning a report creation tool that details security issues by severity and outlines possible solutions. This tool can run "simulated" attacks against a target server to validate the enforcement of the security lockdown procedure. ISS also provides a real-time monitoring product that can detect any security breaches and alert administration staff on the type of incursion and steps to take to close the breach. For more information on ISS, see http://www.iss.net .

DBScanner by Internet Security Systems assesses the security settings for your databases. It runs passwords attacks and provides recommendations for making a company's databases more secure. It is imperative to remember that if the database stores critical information, it must be included as part of the security model. For more information on DBScanner, see http://www.iss.net .

Other vendor's tools with similar functionality include:

IIS Monitoring Tools

We tested the tools in the following list to allow the bank to proactively monitor the health of its Web site. These tools vary in the level and type of monitoring they provide. We also recommended that the bank download these tools and test them in the lab.

  • NT Systems Management software that monitors events, services, network devices, performance counters, ASCII logs, applications, and security parameters ( http://www.logcaster.com ).

  • A full-featured tool from NetIQ that optimizes the performance and availability of a Windows NT and Windows 2000 system ( http://www.netiq.com ).

In general, most of the tools mentioned previously can enable a company ability to meet the requirements outlined in its security policy. In the case of our bank project, the bank will perform an analysis of each server and quickly provide feedback on the current compliance status. In addition, these tools can also be used to simplify the auditing process, run simulated attacks, monitor the sites and check the current patch level of all servers.

Designing a Fault Tolerance Solution

Components of the Design

In our bank project, the bank's fault tolerance strategy is consistent with the architecture recommended in the documentation on Windows DNA. Basically, the bank built a three-tiered architecture that includes redundancy at every level. The main components of the design are outlined in the following diagram.

Cc722919.datava06(en-us,TechNet.10).gif

Firewall Architecture

The bank's standard for all low-level networking components is Cisco. Based on this, the initial level of fault tolerance included two PIX Firewalls as the entry point to the Internet and to the corporate network. Using the "PIX Firewall fail over option" the team eliminated a single point of failure for the Internet and the corporate backend. Basically, with two PIX Firewalls running in parallel, if one malfunctions, the second PIX Firewall transparently picks up and keeps things running. One thing to remember is that this second firewall is a standby hot failover and does not provide any level of load balancing.

Web Farm and Cisco Local Director

A key requirement of the architecture for the bank was the ability to create a farm of redundant Web servers that would be load balanced and still have the ability to manage state. Again based on the bank's Cisco standard, the Local Director product was implemented. Cisco System's Local Director allowed the team to achieve high-availability and scalability while still load balancing TCP/IP traffic across multiple servers. The Local Director product also manages state and allowed the team to easily manage transaction-based processing. In regard to fault tolerance, Local Director comes with a hot standby failover mechanism, eliminating it as a single point of failure for the server farm. Local Director allowed the team to achieve its Web server redundancy and scalability needs by allowing servers to be removed from the farm transparently. Also, Cisco can provide numbers outlining the performance factors of the product on some of the highest traffic Internet sites.

NLBS LDAP Farm

The second tier utilized Network Load Balancing Service (NLBS) to load balance and provide redundancy of the Lightweight Directory Access Protocol (LDAP) servers. This emulated an online banking branch office. In this case, all critical components must include the ability to still function in the event of a server failure. All users of the Web site will be required to create an online account that will be stored in the membership database in the LDAP farm. Therefore, it is crucial that this component of the architecture always be available. This issue was addressed by using Windows 2000's built-in NLBS to create a farm or cluster of up to 32 servers and to distribute Web traffic across all the servers in the farm. Using NLBS, it was possible for the bank to handle multiple requests across the LDAP server farm, making the best use of available resources. The bank's example shows how a customer can combine Microsoft and third-party technologies (Cisco PIX and LocalDirector) to build Web farms that can scale to meet both current and future needs.

Security and the SQL Cluster

When the bank's team created its security model, the database was identified as the "Crown Jewels of the System." In other words, any direct access to the database by a malicious individual was to be strictly prohibited. The approach to achieving this was to place the server on a separate network segment behind the internal firewall (refer to previous picture). This allowed the bank to control all traffic to and from the LDAP servers by using firewall security techniques and policies. For example, the bank created a perimeter security model using access filters, address hiding, IPSec, and stateful inspection to control and encrypt host communication from the perimeter network to the SQL Cluster.

The back-end SQL Cluster consists of two servers each with two NICs (one for the private network and one for the heartbeat) located behind the firewall. The bank configured this cluster in active-to-active mode. In other words, both servers provide services rather than having one server provide all services and the other wait on hot standby (active-to-passive mode). The back-end cluster provides only a single service, access to the SQL database, and it is tightly controlled.

This configuration addresses the bank's requirement for a tightly secured fully fault tolerant architecture for the database components. For example, if server one experiences a hardware failure, the other server in the cluster immediately takes over the services of the downed server. The failure of a server will not cause a disruption in any banking service. When the hardware issue is solved, the server can be immediately brought back online and added back into the cluster. Another level of fault tolerance that is implemented on the cluster (for that matter on all servers) is a RAID 5 disk array. If a drive fails, it can be replaced without any disruption to Web banking services.

Also, the bank is using an EMC Symmetrix Enterprise Storage system, attached to two clustered IBM Netfinity Windows 2000 servers. The combination of Microsoft Cluster Server (MSCS) and EMC's Symmetrix Remote Data Facility (SRDF) software provide the team with the highest levels of mission-critical information protection and availability. Refer to http://get-ready-for-the-new.emc.com/windows/windows2000.htmOLD01282000 for details of EMC's Windows 2000 support.

Appendix A: User Rights Explained (from Resource Kit)

Securing Advanced User RightsWindows 2000 Server (from Resource Kit)

User Right

Registry Key and Description (Resource Kit)

Access this Computer from the Network

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users and groups are allowed to connect to the computer over the network.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
The default groups that have this right on each platform are:
Workstations and Servers
Administrators
Backup Operators
Power Users
Users
Everyone
Domain Controllers
Administrators
Authenticated Users
Everyone

Act as Part of the Operating System

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
This policy allows a process to authenticate as any user, and therefore gain access to the same resources as any user. Only low-level authentication services should require this privilege.
The potential access is not limited to what is associated with the user by default, because the calling process may request that arbitrary additional accesses be put in the access token. Of even more concern is that the calling process can build an anonymous token that can provide any and all accesses. Additionally, the anonymous token does not provide a primary identity for tracking events in the audit log.
Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned.
By default, only the LocalSystem account has the privilege to act as part of the operating system.

Backup Files and Directories

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users can circumvent file and directory permissions for the purposes of backing up the system.
Specifically, the privilege is similar to granting the following permissions to the user or group in question on all files and folders on the system:
Traverse Folder/Execute File
List Folder/Read Data
Read Attributes
Read Extended Attributes
Read Permissions
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
The default groups that have this right on each platform are:
Workstations and Servers
Administrators
Backup Operators
Domain Controllers
Administrators
Backup Operators

Bypass Traverse Checking

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
The default groups that have this right on each platform are:
Workstations and Servers
Administrators
Backup Operators
Power Users
Users
Everyone
Domain Controllers
Administrators
Authenticated Users
Everyone

Change the System Time

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users and groups can change the time and date on the internal clock of the computer.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
The default groups that have this right on each platform are:
Workstations and Servers
Administrators
Power Users
Domain Controllers
Administrators
Server Operators

Create a Pagefile

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users and groups can create and change the size of a pagefile. Creating a pagefile is accomplished by specifying a paging file size for a given drive in the System Properties Performance Options.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
The default is to allow administrators the ability to create a pagefile.

Create a Token

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which accounts can be used by processes to create a token which can then be used to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
It is recommended that processes requiring this privilege use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned.

Debug Programs

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users can attach a debugger to any process. This privilege provides powerful access to sensitive and critical operating system components.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
By default, only administrators and LocalSystem accounts have the privileges to debug programs.

Deny Access to this Computer from the Network

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users are prevented from accessing a computer over the network. This policy setting supercedes the Access this computer from the network policy setting if a user account is subject to both policies.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
By default, only the LocalSystem account has the privilege to be used by processes to generate security audits.

Deny Logon as a Batch Job

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which accounts are prevented from being able to log on as a batch job. This policy setting supercedes the Log on as a batch job policy setting if a user account is subject to both policies.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
By default, there are no users denied logon as a batch job.

Deny Logon as a Service

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which service accounts are prevented from registering a process as a service. This policy setting supercedes the Log on as a service policy setting if an account is subject to both policies.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
By default, there are no accounts denied logon as a service.

Deny Logon Locally

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users are prevented from logging on at the computer. This policy setting supercedes the Log on locally policy setting if an account is subject to both policies.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
By default, there are no accounts denied the ability to logon locally.

Enable Computer and User Accounts to be Trusted

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users can set the Trusted for Delegation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using a client's delegated credentials, as long as the client's account does not have the Account cannot be delegated account control flag set.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
The default groups that have this right on each platform are:
Workstations and Servers
(none)
Domain Controllers
Administrators
Misuse of this privilege or of the Trusted for Delegation setting could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.

Force Shutdown from a remote System

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users are allowed to shut down a computer from a remote location on the network.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
The default groups that have this right on each platform are:
Workstations and Servers
Administrators
Domain Controllers
Administrators
Server Operators

Generate Security Audits

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
By default, only the LocalSystem account has the privilege to be used by processes to generate security audits.

Increase Quotas

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which accounts can use a process with write property access to another process to increase the processor quota assigned to the other process.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
The default groups that have this right on each platform are:
Workstations and Servers
Administrators
Domain Controllers
Administrators
This privilege is useful for system tuning, but can be abused as in a denial-of-service attack.

Increase Scheduling Priority

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which accounts can use a process with write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
The default groups that have this right on each platform are:
Workstations and Servers
Administrators
Domain Controllers
Administrators

Load and Unload Device Drivers

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users can dynamically load and unload device drivers. This privilege is necessary for installing drivers for Plug and Play devices.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
The default groups that have this right on each platform are:
Workstations and Servers
Administrators
Domain Controllers
Administrators

Lock pages in Memory

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
This privilege is obsolete and, therefore, is never checked.
This policy determines which accounts can use a process to keep data in physical memory, preventing the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance.

Logon as a Batch Job

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Allows a user to be logged on by means of a batch-queue facility.
For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
By default, only the LocalSystem account has the privilege to be logged on as a batch job.
See also the Deny logon as a batch job policy.
In the initial release of Windows 2000, the task scheduler automatically grants this right as necessary.

Logon as a Service

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which service accounts can register a process as a service.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
By default, no accounts have the privilege to log on as a service.

Logon
Locally

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determine which users can log on at the computer.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
The default groups that have this right on each platform are:
Workstations and Servers
Administrators
Backup Operators
Power Users
Users
Guest
Domain Controllers
Account Operators
Administrators
Backup Operators
Print Operators
To allow a user to log on locally to a domain controller, you have to grant this right by means of the Default Domain Controller Group Policy object.

Manage Auditing and Security Log

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users can specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys.
A user with this right can use the security tab in the security permission set editor's Properties dialog box to specify auditing options for the selected object.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
By default, only administrators have the privilege to manage auditing and the security log.
This policy does not allow a user to specify that file and object access auditing be enabled in general. In order for such auditing to take place, the Audit object access setting under Audit Policies must be configured.

Profile Single Process

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users can use Windows NT and Windows 2000 performance monitoring tools to monitor the performance of nonsystem processes.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
By default, only administrators and LocalSystem accounts have the privilege to profile a single nonsystem process.

Profile System Performance

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users can use Windows NT and Windows 2000 performance monitoring tools to monitor the performance of system processes. This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
By default, only administrators and LocalSystem accounts have the privilege to profile a single nonsystem process.

Remove Computer from Docking station

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users can undock a laptop computer from its docking station.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
On servers and workstations, Administrators, Power Users, and Users have the right to remove a laptop computer from its docking station on computers that contain "clean installations" of Windows 2000 (that is, they weren't upgraded from a previous version of Windows). If you have upgraded the computer's operating system from Windows NT to Windows 2000, this right to remove the laptop computer from its docking station must be explicitly granted to the appropriate group or user.

Replace a Process Level Token

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which user accounts can initiate a process to replace the default token associated with a launched subprocess.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
By default, only LocalSystem accounts have this privilege.

Restore Files and Directories

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users can circumvent file and directory permissions when restoring backed up files and directories, and which users can set any valid security principal as the owner of an object.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
The default groups that have this right on each platform are:
Workstations and Servers
Administrators
Backup Operators
Domain Controllers
Administrators
Backup Operators
Server Operators

Shut Down the System

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users logged on locally to the computer can shut down the operating system using the Shut Down command.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
The default groups that have this right on each platform are:
Workstations and Servers
Administrators
Backup Operators
Power Users
Users
Domain Controllers
Account Operators
Administrators
Backup Operators
Server Operators
Print Operators

Synchronize Directory Service Data

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
This policy setting is not used in the initial release of Windows 2000.

Take Ownership of Files and other Directories

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Determines which users can take ownership of any securable object in the system including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
This user right is defined in the Default Domain Controller Group Policy object and in the local security policy of workstations and servers.
By default, only administrators have the privilege to take ownership of files or other objects.

Appendix B: Local Security Settings (from Resource Kit)

Additional Restrictions for Anonymous Connections

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Windows 2000 allows anonymous users to perform certain activities such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. By default, an anonymous user has the same access that is granted to the Everyone group for a given resource.

This security option allows additional restrictions to be placed on anonymous connections as follows:

  • None. Rely on default permissions.

  • Do not allow enumeration of SAM accounts and shares.

    This option replaces "Everyone" with "Authenticated Users" in the security permissions for resources.

No access without explicit anonymous permissions.

This option removes "Everyone" and "Network" from the anonymous users token; thus requiring that "Anonymous" be given explicit access to any required resources.

Allow System To Be Shut Down Without Logging On

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines whether a computer can be shut down without having to log on to Windows.

When this policy is enabled, the Shut Down command is available on the Windows logon screen.

When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut Down the System user right in order to perform a system shutdown.

By default, this option is enabled on workstations and disabled on servers in Local Computer Policy.

Allowed to Eject Removable NTFS Media

Registry Setting

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines who is allowed to eject removable NTFS media from the computer.

This policy is defined by default in Local Computer Policy. By default, only administrators have the right to eject removable NTFS media. This policy setting can be modified to provide any interactive user with the ability to eject removable NTFS media from the computer.

Amount of Idle Time Before Disconnecting Session

Registry Setting

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines who is allowed to eject removable NTFS media from the computer.

This policy is defined by default in Local Computer Policy. By default, only administrators have the right to eject removable NTFS media. This policy setting can be modified to provide any interactive user with the ability to eject removable NTFS media from the computer.

Audit the Access of Global System Objects

Registry Setting

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines whether access of global system objects will be audited. When this policy is enabled, it causes system objects such as mutexes, events, semaphores, and DOS Devices to be created with a default system access control list (SACL). If the Audit object access audit policy is also enabled, then access to these system objects will be audited.

This policy is defined by default in Local Computer Policy where it is disabled by default.

Audit Use of All Rights Including Backup and Restore Privileges

Registry Setting

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines whether to audit every use of user rights including Backup and Restore. If you enable this policy, and if the Audit privilege use policy is enabled and in effect, then any instance of user rights being exercised will be recorded in the security log. If you disable this policy, when users use Backup or Restore privileges, those events will not be audited even when Audit Privilege Use is enabled. You should disable this policy if you want to contain the growth of the security log.

This policy is defined by default in Local Computer Policy where it is disabled by default.

Automatically Log Off User When Logon Time Expires

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines whether to disconnect users that are connected to the local machine outside of their user account's valid logon hours. This setting affects the Server Message Block (SMB) component of a Windows 2000 server. When this policy is enabled, it causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire. If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired.

While Automatically log off users when logon time expires (local) affects only the individual machines on which it is applied, this policy affects all machines in the domain.

Clear Virtual Memory Page File When System Shuts Down

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines whether the virtual memory pagefile should be cleared when the system is shut down. Windows 2000 virtual memory support uses a system pagefile to swap pages of memory to disk when they are not being actively used. On a running system, this pagefile is opened exclusively by the operating system and is well protected. However, systems that are configured to allow booting to other operating systems might want to ensure that system pagefile is wiped clean when Windows 2000 shuts down. This ensures that sensitive information from process memory that might have made it into the pagefile is not available to an unauthorized user who has managed to directly access the page file.

When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. Enabling this security option also causes the hibernation file (hiberfil.sys) to be zeroed out when hibernation is disabled on a laptop system. When this policy is disabled, the virtual memory pagefile is not cleared during system shutdown.

This policy is defined by default in Local Computer Policy, where it is disabled by default.

Digitally Sign Client Communication (Always)

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines whether the computer will always digitally sign client communications. The Windows 2000 Server Message Block (SMB) authentication protocol supports mutual authentication, which closes a "man-in-the-middle" attack, and supports message authentication, which prevents active message attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by both the client and the server.

In order to use SMB signing, you must either enable it or require it on both the SMB client and the SMB server. If SMB signing is enabled on a server, then clients that are also enabled for SMB signing will use the packet signing protocol during all subsequent sessions. If SMB signing is required on a server, then a client will not be able to establish a session unless it is at least enabled for SMB signing. If this policy is enabled, it requires the Windows 2000 SMB client to perform SMB packet signing. If this policy is disabled, it does not require the SMB client to sign packets.

This policy is defined by default in Local Computer Policy, where it is disabled by default.

Note SMB signing will impose a performance penalty on your system. Although it doesn't consume any more network bandwidth, it does use more CPU cycles on the client and server side.

Digitally Sign Client Communication (When Possible)

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

If this policy is enabled, it causes the Windows 2000 Server Message Block (SMB) client to perform SMB packet signing when communicating with an SMB server that is enabled or required to perform SMB packet signing.

This policy is defined by default in Local Computer Policy, where it is enabled by default.

Digitally Sign Sever Communication (Always)

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

If this policy is enabled, it requires the Windows 2000 Server Message Block (SMB) server to perform SMB packet signing. This policy is defined by default in Local Computer Policy, where it is disabled by default.

See Digitally sign client communications (always) for further details about using digital signatures in client/server communications.

Digitally Sign Sever Communication (When Possible)

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

If this policy is enabled, it causes the Windows 2000 Server Message Block (SMB) server to perform SMB packet signing. This policy is disabled by default on workstation and server platforms in Local Computer Policy. This policy is enabled by default on Domain Controllers in the Default Domain Controllers Group Policy object.

See Digitally sign client communications (always) for further details about using digital signatures in client/server communications.

Disable CTRL + ALT + DEL Requirement for Logon

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines whether pressing CTRL+ALT+DEL is required before a user can log on. If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL in order to log on. Not having to press CTRL+ALT+DEL leaves the user susceptible to attacks that attempt to intercept the user's password. Requiring CTRL+ALT+DEL before logon ensures that the user is communicating by means of a trusted path when entering their password.

If this policy is disabled, then any user is required to press CTRL+ALT+DEL before logging on to Windows (unless they are using a smart card for Windows logon). This policy is disabled by default on workstations and servers that are joined to a domain. It is enabled by default on stand-alone workstations.

Do Not Display Last User Name in Logon Screen

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines whether the name of the last user to logon to the computer is displayed in the Windows logon screen. If this policy is enabled, the name of the last user to successfully logon is not displayed in the Log On to Windows dialog box. If this policy is disabled, the name of the last user to logon is displayed.

This policy is defined by default in Local Computer Policy, where it is disabled by default.

LAN Manager Authentication Level

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines which challenge/response authentication protocol is used for network logons. The choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:

  • Send LM & NTLM responses: Clients use LM and NTLM authentication, and never use NTLMv2 session security; DCs accept LM, NTLM, and NTLMv2 authentication.

  • Send LM & NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication, and use NTLMv2 session security if server supports it; DCs accept LM, NTLM, and NTLMv2 authentication.

  • Send NTLM response only: Clients use NTLM authentication only, and use NTLMv2 session security if server supports it; DCs accept LM, NTLM, and NTLMv2 authentication.

  • Send NTLMv2 response only: Clients use NTLMv2 authentication only, and use NTLMv2 session security if server supports it; DCs accept LM, NTLM, and NTLMv2 authentication.

  • Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only, and use NTLMv2 session security if server supports it; DCs refuse LM (accept only NTLM and NTLMv2 authentication).

  • Send NTLMv2 response only\refuse LM & NTLM: Clients use NTLMv2 authentication only, and use NTLMv2 session security if server supports it; DCs refuse LM and NTLM (accept only NTLMv2 authentication).

The default setting for servers is Send LM & NTLM responses.

This setting can affect the ability of Windows 2000 computers to communicate with Windows NT 4.0 and earlier clients over the network. For example, at the time of this writing, Windows NT 4.0 computers prior to SP4 do not support NTLMv2. Win9x computers do not support NTLM.

Message Text and Title for Users Logging On

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options (Title)

Allows the specification of a title to appear in the title bar of the window that contains the Message text for users attempting to log on.

For servers, this policy is enabled but there is no default text specified. This policy is not defined for workstations by default.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options (Text)

Specifies a text message that is displayed to users when they log on. This text is often used for legal reasons, such as to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. For servers, this policy is enabled but there is no default text specified. This policy is not defined for workstations by default.

Number of Previous Logons to Cache

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines the number of times a user can log on to a Windows domain using cached account information. Windows 2000 caches previous users' logon information locally so that they will be able to log on in the event that a domain controller is unavailable during subsequent logon attempts. If a domain controller is unavailable and a user's logon information is not cached, the user is prompted with this message:

The system cannot log you on now because the domain <DOMAIN_NAME> is not available.

In this policy setting, a value of 0 disables logon caching. Any value above 50 will only cache 50 logon attempts. For servers, this policy is defined by default in Local Computer Policy and the default value is 10 logons.

Prevent System Maintenance of a Computer Account Password

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines whether the computer account password should be prevented from being reset every week. As a part of Windows 2000 security, computer account passwords are changed automatically every seven days. If this policy is enabled, the machine is prevented from requesting a weekly password change. If this policy is disabled, a new password for the computer account will be generated every week.

This policy is defined by default in Local Computer Policy where it is disabled by default.

Prevent Users from Installing Printer Drivers

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines whether members of the Users group are prevented from installing print drivers. If this policy is enabled, it prevents users from installing printer drivers on the local machine. This prevents users from "Adding Printers" when the device driver does not exist on the local machine. If this policy is disabled, then a member of the Users group can install printer drivers on the computer.

By default, this setting is enabled on servers and disabled on workstations.

Prompt User to Change Password Before Expiration

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines how far in advance Windows 2000 should warn users that their password is about to expire. By giving the user advanced warning, the user has time to construct a sufficiently strong password.

By default, this value is set to 14 days.

Recovery Console: Allow Automatic Administrative Logon

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines how far in advance Windows 2000 should warn users that their password is about to expire. By giving the user advanced warning, the user has time to construct a sufficiently strong password.

By default, this value is set to 14 days.

Recovery Console: Allow Floppy Copy and Access to All Drives

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Enabling this option enables the Recovery Console SET command, which allows you to set the following Recovery Console environment variables:

  • AllowWildCards - Enable wildcard support for some commands (such as the DEL command).

  • AllowAllPaths - Allow access to all files and folders on the computer.

  • AllowRemovableMedia - Allow files to be copied to removable media, such as a floppy disk.

  • NoCopyPrompt - Do not prompt when overwriting an existing file.

By default, the SET command is disabled and all these variables are not enabled

Restrict CD-ROM Access to Locally Logged On User Only

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines whether a CD-ROM is accessible to both local and remote users simultaneously. If enabled, this policy allows only the interactively logged-on user to access removable CD-ROM media. If no one is logged on interactively, the CD-ROM may be shared over the network.

If this policy is disabled, then the local user and remote users can access the CD-ROM simultaneously.

Restrict Floppy Access to Locally Logged On User Only

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines whether removable floppy media is accessible to both local and remote users simultaneously. If enabled, this policy allows only the interactively logged-on user to access removable floppy media. If no one is logged on interactively, the floppy media may be shared over the network.

If this policy is disabled, then the local user and remote users can access the floppy media simultaneously.

Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines whether the computer will always digitally encrypt or sign secure channel data. When a Windows 2000 system joins a domain, a computer account is created. Thereafter, when the system boots, it uses the password for that account to create a secure channel with the domain controller for its domain. Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked and not all information is encrypted.

If this policy is enabled, all outgoing secure channel traffic must be either signed or encrypted.

If this policy is disabled, signing and encryption are negotiated with the domain controller.

By default, this policy is disabled.

Note: This option should only be enabled if all of the domain controllers in all the trusted domains support signing and sealing.

If this parameter is enabled, then Secure channel: Digitally sign secure channel data (when possible) is automatically enabled.

Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines whether the computer will always digitally encrypt or sign secure channel data. When a Windows 2000 system joins a domain, a computer account is created. Thereafter, when the system boots, it uses the password for that account to create a secure channel with the domain controller for its domain. Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked and not all information is encrypted.

If this policy is enabled, all outgoing secure channel traffic should be encrypted.

If this policy is disabled, outgoing secure channel traffic will not be encrypted.

By default, this option is enabled.

Secure Channel: Digitally Sign Secure Channel Data (When Possible)

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines whether the computer will always digitally encrypt or sign secure channel data. When a Windows 2000 system joins a domain, a computer account is created. Thereafter, when the system boots, it uses the password for that account to create a secure channel with the domain controller for its domain. Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked and not all information is encrypted.

If this policy is enabled, all outgoing secure channel traffic should be signed.

If this policy is disabled, no outgoing secure channel traffic will be signed.

By default, this option is enabled.

Note: If Secure channel: Digitally encrypt secure channel data (when possible) is enabled, it will override any setting for this option and force it to be enabled.

Secure Channel: Require Strong (Windows 2000 or Later) Session Key

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

If this policy is enabled, all outgoing secure channel traffic will require a strong (Windows 2000 or later) encryption key. If this policy is disabled, the key strength is negotiated with the DC. This option should only be enabled if all of the DCs in all trusted domains support strong keys.

By default, this value is disabled.

Send Unencrypted Password to Connect to Third-Party SMB Servers

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

If this policy is enabled, the Server Message Block (SMB) redirector is allowed to send clear-text passwords to non-Microsoft SMB servers that do not support password encryption during authentication.

By default, this option is disabled.

Shut Down System Immediately If Unable to Log Security Audits

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines whether the system should shut down if it is unable to log security events. If this policy is enabled, it causes the system to halt if a security audit cannot be logged for any reason. Typically, an event will fail to be logged when the security audit log is full and the retention method specified for the security log is either Do Not Overwrite Events or Overwrite Events by Days. If the security log is full and an existing entry cannot be overwritten and this security option is enabled, the following blue screen error will occur:

STOP: C0000244 {Audit Failed}

An attempt to generate a security audit failed.

To recover, an administrator must log on, archive the log (if desired), clear the log, and reset this option as desired.

By default, this policy is disabled.

Smart Card Removal Behavior

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines what should happen when the smart card for a logged-on user is removed from the smart card reader. The options are:

  • No Action

  • Lock Workstation

  • Force Logoff

By default, No Action is specified.

If Lock Workstation is specified, then the workstation is locked when the smart card is removed allowing users to leave the area, take their smart card with them, and still maintain a protected session. If Force Logoff is specified, then the user is automatically logged off when the smart card is removed.

Strengthen Default Permissions of Global System Objects

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Determines the strength of the default discretionary access control list (DACL) for objects. Windows 2000 maintains a global list of shared system resources such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects with what permissions.

If this policy is enabled, the default DACL is stronger, allowing non-admin users to read shared objects, but not modify shared objects that they did not create.

By default, this option is enabled.

Appendix C: HighSecweb.inf File

On the following pages is the Highsecweb.inf that the bank's team used to create its customized security template. Please refer to http://www.microsoft.com/technet/security/default.mspx for the most recent version of this file.

; Template Version:     05.00.HB.0000 
; 
; ------------------------------------------------------------------- 
; Revision History 
; ------------------------------------------------------------------- 
; Date        Comment 
; 03-Sep-1999 Original, based on the following assumptions: 
; The computer is a not a domain controller. 
; DCs should not be Web servers. 
; The computer is a standalone server. 
; If the computer is joined to a domain,  
; then domain-level policies may (or may not)  
; overwrite these settings. 
; If computer is joined to a domain,  
; it should be in its own OU, and you should  
; apply this template at the OU level. 
; Computer is a dedicated Web server and physically protected. 
; Computer has the Windows 2000 clean-install defaults 
; No modifications have been made to ACLs, User Rights, etc. 
; No one is allowed to log on locally to the computer except an admin. 
; Admins are not allowed to log on over  
; the network (they have to go to the Web server to administer it). 
; Admin\Guest accounts are not renamed via this template. 
; 24-Jan-2000    Updated registry entries 
; ------------------------------------------------------------------- 
[version] 
signature="$CHICAGO$" 
Revision=1 
[System Access] 
MinimumPasswordAge = 2 
MaximumPasswordAge = 42 
MinimumPasswordLength = 8 
PasswordComplexity = 1 
PasswordHistorySize = 24 
LockoutBadCount = 5 
ResetLockoutCount = 30 
LockoutDuration = -1 
RequireLogonToChangePassword = 0 
ClearTextPassword = 0 
[System Log] 
RestrictGuestAccess = 1 
[Security Log] 
MaximumLogSize = 10240 
AuditLogRetentionPeriod = 0 
RestrictGuestAccess = 1 
[Application Log] 
RestrictGuestAccess = 1 
;---------------------------------------------------------------------- 
;    Local Policies\Audit Policy 
;---------------------------------------------------------------------- 
[Event Audit] 
AuditSystemEvents = 3 
AuditLogonEvents = 3 
AuditObjectAccess = 1 
AuditPrivilegeUse = 3 
AuditPolicyChange = 3 
AuditAccountManage = 3 
AuditAccountLogon = 3 
[Privilege Rights] 
SeInteractiveLogonRight = %SceInfAuthUsers% 
SeNetworkLogonRight = %SceInfAuthUsers% 
SeDenyNetworkLogonRight = %SceInfAdmins% 
[Group Membership] 
%SceInfPowerUsers%__Memberof = 
%SceInfPowerUsers%__Members =  
[Strings] 
SceInfAdministrator = Administrator 
SceInfAdmins = Administrators 
SceInfAcountOp = Account Operators 
SceInfAuthUsers = Authenticated Users 
SceInfBackupOp = Backup Operators 
SceInfDomainAdmins = Domain Admins 
SceInfDomainGuests = Domain Guests 
SceInfDomainUsers = Domain Users 
SceInfEveryone = Everyone 
SceInfGuests = Guests 
SceInfGuest = Guest 
SceInfPowerUsers = Power Users 
SceInfPrintOp = Print Operators 
SceInfReplicator = Replicator 
SceInfServerOp = Server Operators 
SceInfUsers = Users 

[HKEY_LOCAL_MACHINE \SOFTWARE \Microsoft \Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters/SynAttackProtect]

"ValueType"=dword:00000004

"DisplayType"=dword:00000000

"DisplayName"="TCPIP: Syn Attack Protection"

[Registry Values]

MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5

MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2

MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1

MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1

MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1

MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1

MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1

MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1

MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1

MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0

MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0

MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1

MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1

MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1

MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1

MACHINE\Software\Microsoft\Driver Signing\Policy=3,2

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,1

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD=1,0

MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,1

MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\DisableWebPrinting=4,1

MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation=4,1

MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareServer=4,0

MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect=4,0

MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableSecurityFilters=4,1

MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect=4,1

MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect=4,0

MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery=4,0

MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime=4,300000

MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting=4,1

MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions=4,2

MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions=4,3

MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\NoNameReleaseOnDemand=4,1

MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters\DynamicBacklogGrowthDelta=4,10

MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters\EnableDynamicBacklog=4,1

MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters\MinimumDynamicBacklog=4,20

MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters\MaximumDynamicBacklog=4,20000

MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,1

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=1,This is a private computer system. <add your own text>

MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,A T T E N T I O N !

[Service General Setting]

Alerter,4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

ClipSrv,4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Browser,4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Dhcp,4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Fax,4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

SharedAccess,4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Messenger,4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

mnmsrvc,4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Spooler,4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

RasAuto,4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

RasMan,4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

RemoteRegistry,4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Schedule,4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

TapiSrv,4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

TermService,4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

PolicyAgent,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"

W3SVC,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"

IISADMIN,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"

Irmon,4,"D:AR(A;;RPWPDTRC;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft