Example: Securing Authentication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

An organization developed an authentication strategy to strengthen the default security that Windows Server 2003 provides. This is to protect data from attackers whose activity has been noted in audit logs and because management has made increasing the security of the system a top priority. To meet these security demands, administrators created password policies to ensure strong passwords, applied account lockout policies to prevent brute-force attacks, assigned logon hours to prevent users from working during unsupervised times, and established a ticket expiration policy to enforce logon hours for several groups, excluding batch jobs.

The organization chose to eliminate LAN Manager authentication by setting the Restrict LanMan Authentication policy to Not supported to prevent the use of authentication methods that are vulnerable to attack. They chose to eliminate anonymous logon by enabling Restrict Anonymous Access to limit the number of resources that attackers can access by impersonating anonymous users. In order to enable these policies, the organization chose to retire their Windows NT 4.0–based domain controllers, and replaced them with new Windows Server 2003–based computers.

Administrators in the organization accepted the default clock synchronization tolerance of five minutes. This setting protects the system against replay attacks while keeping authentication traffic to a minimum.

Figure 14.5 shows the worksheet that the organization created to document their authentication security plan.

Figure 14.5   Example of an Authentication Security Worksheet