Export (0) Print
Expand All

Appendix E - Windows 2000 Security Configuration Checklist for the Evaluated Configuration

Completed and Verified

WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)

Required

Recommended

 

box

File System Configuration

Security Objective: Allow configuration of evaluated security mechanisms and support conformance to Security Target requirements.

File System Type: NTFS

  check

 

Account Policy: Password Policy

Completed and Verified

WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)

Required

Recommended

 

box

Enforce Password History

Security Objective: Set limit on how often passwords may be reused.

Computer Setting: _____ passwords remembered

(Recommended: 24 passwords remembered.)

 

  check
 

box

Maximum Password Age

Security Objective: Set the length of time users can keep their passwords before they have to change it.

Computer Setting: _____ days

(Recommended: 42 days.)

 

  check
 

box

Minimum Password Age

Security Objective: Set the length of time users must keep a password before they can change it.

Computer Setting: _____ days

(Recommended: 2 days.)

 

  check
 

box

Minimum Password Length

Security Objective: Set the minimum number characters required for user passwords.

Computer Setting: 8 characters

  check

 

 

box

Passwords Must Meet Complexity Requirements

Security Objective: Requires the use of complex (strong) passwords.

Computer Setting:

boxEnabledbox Disabled

(Recommended: Enabled.)

 

  check
 

box

Store Passwords Using Reversible Encryption for all Users in the Domain

Security Objective: Do Not Enable. Uses weak encryption for passwords.

Computer Setting: Disabled

  check

 

Account Policy: Account Lockout Policy

Completed and Verified

WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)

Required

Recommended

 

box

Account Lockout Duration

Security Objective: After invalid password attempts, locks account for a specified period of time.

Computer Setting: _____ minutes

(The ST requires this setting, but does not specify the duration. Recommendation is to set to 0, which requires an administrator to unlock the account.)

  check

 

 

box

Account Lockout Threshold

Security Objective: Set the number of bad login attempts allowed before locking the account.

Computer Setting: _____ invalid login attempts

(The ST requires this setting and specifies that it must not be set to a value greater than 5. Recommendation is to set to this value to 5 bad login attempts.)

  check

 

 

box

Reset Account Lockout Counter After

Security Objective: Set how long the lockout threshold is maintained before being reset.

Computer Setting: _____ minutes

(This value must be set when setting the previous two policy values. Recommended setting is 30 minutes.)

  check

 

Account Policy: Kerberos Policy

Completed and Verified

WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)

Required

Recommended

 

box

Enforce User Logon Restrictions

Security Objective: Validates every logon request by checking the user rights policy.

Computer Setting: Retain default settings (Enabled)

  check

 

 

box

Maximum Lifetime for Service Ticket

Security Objective: Sets the maximum duration for which a service ticket is valid.

Computer Setting: _____ minutes

(Default setting is recommended: 600 minutes for domain members, 60 minutes for non-domain computers.)

 

  check
 

box

Maximum Lifetime for User Ticket

Security Objective: Sets the maximum duration for which a user ticket is valid.

Computer Setting: _____ hours

(Default setting is recommended: 10 hours for domain members, 7 hours for non-domain computers.)

 

  check
 

box

Maximum Lifetime for User Ticket Renewal

Security Objective: Sets the renewal period for expired tickets.

Computer Setting: _____ days

(Default setting is recommended: 7 days for domain members, 10 days for non-domain computers.)

 

  check
 

box

Maximum Tolerance for Computer Clock Synchronization

Security Objective: Sets the maximum tolerance for synchronization between computers in the Domain.

Computer Setting: Retain default settings (5 minutes for domain members, 60 minutes for non-domain computers)

  check

 

Local Policy: Audit Policy

Completed and Verified

WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)

Required

Recommended

 

box

Audit Account Logon Events

Security Objective: Audit account logon/logoff events from another computer in which this computer is used to validate the account. "Account logon events" are generated where the account resides.

Computer Setting:

box SuccessboxFailure

(Recommended: Success, Failure)

 

  check
 

box

Audit Account Management

Security Objective: Audit account management activities.

Computer Setting:

box SuccessboxFailure

(Recommended: Success, Failure)

 

  check
 

box

Audit Directory Service Access

Security Objective: Audit access to an Active Directory object that has its own system access control list specified.

Computer Setting:

box SuccessboxFailure

(Recommended: Success, Failure)

 

  check
 

box

Audit Logon Events

Security Objective: Audit local or network logon/logoff events to this computer. "Logon events" are generated where the logon attempt occurs.

Computer Setting:

box SuccessboxFailure

(Recommended: Success, Failure)

 

  check
 

box

Audit Object Access

Security Objective: Audit access to an object--for example, a file, folder, registry key, or printer, which has its own system access control list specified.

Computer Setting:

box SuccessboxFailure

(Recommended: Success, Failure)

 

  check
 

box

Audit Policy Change

Security Objective: Audit a change to user rights assignment policies, audit policies, or trust policies.

Computer Setting:

box SuccessboxFailure

(Recommended: Success)

 

  check
 

box

Audit Privilege Use

Security Objective: Audit each instance of a user exercising a user right.

Computer Setting:

box SuccessboxFailure

(Recommended: Success, Failure)

 

  check
 

box

Audit Process Tracking

Security Objective: Audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.

Computer Setting:

box SuccessboxFailure

(Recommended: Success, Failure)

 

  check
 

box

Audit System Events

Security Objective: Audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.

Computer Setting:

box SuccessboxFailure

(Recommended: Success)

 

  check
Local Policy: User Rights Assignment

Completed and Verified

WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)

Required

Recommended

 

box

Access this Computer from the Network

Security Objective: Determines which users are allowed to connect over the network to the computer.

Computer Setting: Assigned To:

Dd277462.scg01(en-us,TechNet.10).gif

(In Domain Policy set as indicated for Windows 2000 Professional and Servers.)

  check

 

 

box

Act as Part of the Operating System

Security Objective: Allow a process to authenticate as a user and thus gain access to the same resources as a user.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Add Workstations to Domain (Domain Controller)

Security Objective: Allows a user to add a computer to a specific domain.

Computer Setting: Remove the Authenticated Users account and do not assign this privilege to other accounts. Domain Admins has this privilege by default.

  check

 

 

box

Backup Files and Directories

Security Objective: Allows the user to circumvent file and directory permissions to backup the system.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Bypass Traverse Checking

Security Objective: Allows the user to pass through folders to which the user otherwise has no access.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Change the System Time

Security Objective: Allows the user to set the time for the internal clock of the computer.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Create a Pagefile

Security Objective: Allows the user to create and change the size of a pagefile.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Create a Token Objec t

Security Objective: Allows a process to create an access token.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Crea te Permanent Shared Objects

Security Objective: Allow a process to create a directory object in the Windows 2000 object manager.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Debug Programs

Security Objective: Allows the user to attach a debugger to any process.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Deny Access to this Computer from the Network

Security Objective: Prohibits a user or group from connecting to the computer from the network.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Deny Logon as a Batch Job

Security Objective: Prohibits a user or group from logging on through a batch-queue facility.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Deny Logon as a Service

Security Objective: Prohibits a user or group from logging on as a service.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Deny Logon Locally

Security Objective: Prohibits a user or group from logging on locally at the keyboard.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Enable Computer and User Accounts to be Trusted for Delegation

Security Objective: Allows the user to change the Trusted for Delegation setting on a user or computer in Active Directory.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Force Shutdown from a Remote System

Security Objective: Allows a user to shut down a computer from a remote location on the network.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Generate Security Audits

Security Objective: Allows a process to generate entries in the security log.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Increase Quotas

Security Objective: Allows a process that has Write Property access to another process to increase the processor quota that is assigned to the other process.

Computer Setting: Do not change the defaults of "Assigned To: Administrators."

(In Domain Policy, assign to Administrators only.)

  check

 

 

box

Increase Scheduling Priority

Security Objective: Allows a process that has Write Property access to another process to Computer Setting: Do not change the defaults of "Assigned To: Administrators."

(In Domain Policy, assign to Administrators only.)

  check

 

 

box

Load and Unload Device Drivers

Security Objective: Allows a user to install and uninstall Plug and Play device drivers.

Computer Setting: Do not change the defaults of Assigned To: Administrators.

(In Domain Policy, assign to Administrators only.)

  check

 

 

box

Lock Pages in Memory

Security Objective: Allows a process to keep data in physical memory, which prevents the system from paging data to virtual memory on disk.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Log on as a Batch Job

Security Objective: Allows a user to log on by using a batch-queue facility.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Log on as a Service

Security Objective: Allows a security principal to log on as a service.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Log on Locally

Security Objective: Allows a user to log on locally at the computer's keyboard.

Computer Setting: Assigned To:

Dd277462.scg03(en-us,TechNet.10).gif

(In Domain Policy set as indicated for Windows 2000 Professional and Servers.)

  check

 

 

box

Manage Auditing and Security Log

Security Objective: Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and Registry keys.

Computer Setting: Do not change the defaults of "Assigned To: Administrators."

(In Domain Policy, assign to Administrators only.)

  check

 

 

box

Modify Firmware Environment Values

Security Objective: Allows modification of system environment variables either by a process through an API or by a user through the System Properties applet.

Computer Setting: Do not change the defaults of "Assigned To: Administrators."

(In Domain Policy, assign to Administrators only.)

  check

 

 

box

Profile Single Process

Security Objective: Allows a user to run Microsoft Windows NT and Windows 2000 performance monitoring tools to monitor the performance of nonsystem processes.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Profile System Performance

Security Objective: Allows a user to run Microsoft Windows NT and Windows 2000 performance monitoring tools to monitor the performance of system processes.

Computer Setting: Do not change the defaults of "Assigned To: Administrators."

(In Domain Policy, assign to Administrators only.)

  check

 

 

box

Remove Computer from Docking Station

Security Objective: Allows a user of a portable computer to unlock the computer by clicking "Eject PC" on the Start menu.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Replace a Process Level Token

Security Objective: Allows a parent process to replace the access token that is associated with a child process.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Restore Files and Directories

Security Objective: Allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Shut Down th e System

Security Objective: Allows a user to shut down the local computer

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: For Windows 2000 Professional assign to Administrators, Authenticated Users, Backup Operators, Power Users.)

 

  check
 

box

Synchronize Directory Service Data

Security Objective: Allows a service to provide directory synchronization services.

Computer Setting: Assigned To:

Dd277462.scg02(en-us,TechNet.10).gif

(Recommended: Do not change the defaults)

 

  check
 

box

Take Ownership of Files or Other Objects

Security Objective: Allows the user to take ownership of any securable object in the system.

Computer Setting: Do not change the defaults of "Assigned To: Administrators."

(In Domain Policy, assign to Administrators only.)

  check

 

Local Policy: Security Options

Completed and Verified

WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)

Required

Recommended

 

box

Additional Restrictions for Anonymous Connections

Security Objective: Set restrictions on anonymous connections to the computer.

Computer Setting: Do not allow enumeration of SAM accounts and shares

  check

 

 

box

Allow Server Operators to Schedule Tasks (Domain Controllers Only)

Security Objective: Determines if Server Operators are allowed to submit jobs by means of the AT schedule facility.

Computer Setting: Disabled

(The AT schedule facility is not part of the Evaluated Configuration.)

  check

 

 

box

Allow System to be Shut Down Without Logon Without Having to Log On

Security Objective: Set a computer to allow shutdown without requiring a user to logon.

Computer Setting: Disabled

  check

 

 

box

Allowed to Eject Removable NTFS Media

Security Objective: Set the accounts allowed to eject removable NTFS media from the computer.

Computer Setting: Accounts defined in the policy: _________________________

(Recommended: Administrators)

 

  check
 

box

Amount of Idle Time Required Before Disconnecting a Session

Security Objective: Set the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is disconnected due to inactivity.

Computer Setting: _____ minutes

(Recommended: Do not change the default setting of 15 minutes.)

 

  check
 

box

Audit the Access of Global System Objects

Security Objective: Allows access of global system objects to be audited.

Computer Setting:

boxEnabledboxDisabled

(Recommended: Enabled, only when there is a strict audit management process in place.)

 

  check
 

box

Audit the Use of Backup and Restore Privilege

Security Objective: Allow auditing of Backup and Restore user rights.

Computer Setting:

boxEnabledboxDisabled

(Recommended: Enabled, only when there is a strict audit management process in place.)

 

  check
 

box

Automatically Log Off Users When Logon Time Expires

Security Objective: When enabled, disconnects users that are connected to the local machine outside of their user account's valid logon hours. Can only be set on DCs.

Computer Setting:

boxEnabledboxDisabled

(Recommended: Enabled)

 

  check
 

box

Automatically Log Off Users When Logon Time Expires (Local)

Security Objective: When enabled, disconnects users that are connected to the local machine outside of their user account's valid logon hours.

Computer Setting:

boxEnabledboxDisabled

(Recommended: Enabled)

 

  check
 

box

Clear Virtual Memory Pagefile When System Shuts Down

Security Objective: Determines whether the virtual memory pagefile should be cleared when the system is shut down.

Computer Setting: Enabled

  check

 

 

box

Digitally Sign Client Communications (Always)

Security Objective: Determines whether the computer will always digitally sign client communications.

Computer Setting: Disabled

  check

 

 

box

Digitally Sign Client Communications (When Possible)

Security Objective: If enabled, causes the SMB client to perform SMB packet signing only when communicating with an SMB server that is enabled or required to perform SMB packet signing.

Computer Setting: Enabled

  check

 

 

box

Digitally Sign Server Communications (Always)

Security Objective: If enabled, requires the SMB server to perform SMB packet signing.

Computer Setting: Disabled

  check

 

 

box

Digitally Sign Server Communications (When Possible)

Security Objective: If enabled, causes the SMB server to perform SMB packet signing when necessary.

Computer Setting: Enabled

  check

 

 

box

Disable CTRL+ALT+ DEL Requirement for Logon

Security Objective: Determines whether pressing CTRL+ALT+DEL is required before a user can log on.

Computer Setting: Disabled

(A "Disabled" setting actually enables/requires the use of CTRL+ALT+DEL)

  check

 

 

box

Do Not Display Last User Name in Logon Screen

Security Objective: Determines whether the name of the last user to logon to the computer is displayed in the Windows logon screen.

Computer Setting:

boxEnabledboxDisabled

(Recommended: Enabled)

 

  check
 

box

LAN Manager Authentication Level

Security Objective: Determines which challenge/response authentication protocol is used for network logons.

Computer Setting: Selected Option: _______________________________________

(Recommended: Send NTLMv2 response only/refuse LM & NTLM)

 

  check
 

box

Message Text for Users Attempting to Log On

Security Objective: Specifies a text message that is displayed to users when they log on.

Computer Setting: Message text: __________________________________

___________________________________

___________________________________

___________________________________

(Recommended: Set a warning banner in accordance to local policy requirements.)

 

  check
 

box

Message Title for Users Attempting to Log On

Security Objective: Specifies a title that appears in the title bar of the window containing the message text for users attempting to log on.

Computer Setting: Message title: _____________________________________

(Recommended: Set a warning banner in accordance to local policy requirements.)

 

  check
 

box

Number of Previous Logons to Cache (In Case Domain Controller is not Available)

Security Objective: Determines the number of times a user can log on to a Windows domain using cached account information.

Computer Setting: Cache: 0 logons

  check

 

 

box

Prevent System Maintenance of Computer Account Password

Security Objective: Determines whether the computer account password should be prevented from being reset every week. If this policy is enabled, the machine is prevented from requesting a weekly password change.

Computer Setting:

boxEnabledboxDisabled

(Recommended: Verify that local policies are set at the default of Disabled, and that Domain Policies are either Disabled or Not Defined.)

 

  check
 

box

Prevent Users from Installing Print Drivers

Security Objective: Determines whether members of the Users group are prevented from installing print drivers.

Computer Setting: Enabled

  check

 

 

box

Prompt User to Change Password Before Expiration

Security Objective: Determines how far in advance Windows 2000 should warn users that their password is about to expire.

Computer Setting: _____ days

(Recommended: Default setting of 14 days is adequate.)

 

  check
 

box

Recovery Console: Allow Automatic Administrative Logon

Security Objective: If set, the Recovery Console does not require a password and will automatically log on to the system.

Computer Setting: Disabled

(The Recovery Console is not part of the Evaluated Configuration.)

  check

 

 

box

Recovery Console: Allow Floppy Copy and Access to all Drives and all Folders

Security Objective: Enabling this option enables the Recovery Console SET command.

Computer Setting:

boxEnabledboxDisabled

(Recommended: Do not enable this option. The Recovery Console is not part of the Evaluated Configuration.)

 

  check
 

box

Rename Administrator Account

Security Objective: Associates a different account name with the security identifier (SID) for the account "Administrator".

Computer Setting:

(Recommended: Change and safeguard the recorded account name. Do not record it in this document.)

 

  check
 

box

Rename Guest Account

Security Objective: Associates a different account name with the security identifier (SID) for the account Guest.

Computer Setting:

(Recommended: Change and safeguard the recorded account name. Do not record it in this document.)

 

  check
 

box

Restrict CD-ROM Access to Locally Logged-On User Only

Security Objective: If enabled, this policy allows only the interactively logged-on user to access removable CD-ROM media.

Computer Setting: Enabled

  check

 

 

box

Restrict Floppy Access to Locally Logged-On User Only

Security Objective: If enabled, this policy allows only the interactively logged-on user to access removable floppy media.

Computer Setting: Enabled

  check

 

 

box

Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)

Security Objective: If this policy is enabled, all outgoing secure channel traffic must be either signed or encrypted.

Computer Setting:

boxEnabledboxDisabled

(Recommended: By default this option is Disabled. Do not change the default setting.)

 

  check
 

box

Secure Channel: Digitally Encrypt or Sign Secure Channel Data (When Possible)

Security Objective: If this policy is enabled, all outgoing secure channel traffic should be encrypted.

Computer Setting:

boxEnabledboxDisabled

(Recommended: By default this option is Enabled. Do not change the default setting.)

 

  check
 

box

Secure Channel: Digitally Sign Secure Channel Data (When Possible)

Security Objective: If this policy is enabled, all outgoing secure channel traffic should be signed.

Computer Setting:

boxEnabledboxDisabled

(Recommended: By default this option is Enabled. Do not change the default setting.)

 

  check
 

box

Secure Channel: Require Strong (Windows 2000 or later) Session Key

Security Objective: If this policy is enabled, all outgoing secure channel traffic will require a strong (Windows2000 or later) encryption key.

Computer Setting:

boxEnabledboxDisabled

(Recommended: By default this option is Disabled. Generally, do not change the default setting. This policy should only be enabled if "all" DCs in a trusted domain support strong keys.)

 

  check
 

box

Secure System Partition (For RISC Platforms Only)

Security Objective: If this policy is enabled, only administrative access is allowed to a RISC-based system partition (which must be FAT) while the operating system is running.

Computer Setting: Not Defined

(This policy does not apply to the Evaluated Configuration.)

 

  check
 

box

Send Unencrypted Password to Connect to Third-Party SMB Servers

Security Objective: If enabled, the SMB redirector is allowed to send clear-text passwords to non-Microsoft SMB servers, which do not support password encryption during authentication.

Computer Setting:

boxEnabledboxDisabled

(Recommended: By default this option is Disabled. Do not change the default setting.)

 

  check
 

box

Shut Down System Immediately if Unable to Log Security Audits

Security Objective: Determines whether the system should shut down if it is unable to log security events.

Computer Setting:

boxEnabledboxDisabled

Note: Use this security policy on servers and Domain Controllers only after implementing strict procedures for archiving and clearing the audit logs on a regular basis.

(Recommended: Enabled. Requires archiving and clearing the logs on a regular basis.)

 

  check
 

box

Smart Card Removal Behavior

Security Objective: Determines what should happen when the smart card for a logged-on user is removed from the smart card reader.

Computer Setting: ___________________________________

(Recommended: If using smart cards, set to Lock Workstation. However, the integration of smart card technology is not part of the evaluated configuration.)

 

  check
 

box

Strengthen Default Permissions for Global System Objects (e.g., Symbolic Links)

Security Objective: If this policy is enabled, the default DACL is stronger, allowing non-admin users to read shared objects, but not modify shared objects that they did not create.

Computer Setting: Enabled

  check

 

 

box

Unsigned Driver Installation Behavior

Security Objective: Determines what should happen when an attempt is made to install a device driver that has not been certified by the Windows Hardware Quality Lab.

Computer Setting: ___________________________________

(Recommended: Set to Warn but allow installation.)

 

  check
 

box

Unsigned Non-Driver Installation Behavior

Security Objective: Determines what should happen when an attempt is made to install any nondevice driver software that has not been certified.

Computer Setting: ___________________________________

(Recommended: Set to Warn but allow installation.)

 

  check
Event Logs: Settings for Event Logs

Completed and Verified

WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)

Required

Recommended

 

box

Maximum Application Log Size

Security Objective: Specifies the maximum size for the application event log.

Computer Setting: ______________ kilobytes

(Recommended: For most environments, the default value of 512 kilobytes is adequate.)

 

  check
 

box

Maximum Security Log Size

Security Objective: Specifies the maximum size for the security event log.

Computer Setting: ______________ kilobytes

(Recommended: A larger log size should be set based on the amount of expected activity, the amount of available disk space, and the frequency with which the logs will be manually reviewed, archived, and cleared.)

 

  check
 

box

Maximum System Log Size

Security Objective: Specifies the maximum size for the system event log.

Computer Setting: ______________ kilobytes

(Recommended: For most environments, the default value of 512 kilobytes is adequate.)

 

  check
 

box

Restrict Guest Access to Application Log

Security Objective: If enabled, anonymous users are prevented from accessing to the application event log. This policy option is not available in standalone Windows 2000 Professional and Servers.

Computer Setting:

boxEnabledboxDisabled

(Recommended: Enabled.)

 

  check
 

box

Restrict Guest Access to Security Log

Security Objective: If enabled, anonymous users are prevented from accessing to the security event log. This policy option is not available in standalone Windows 2000 Professional and Servers.

Computer Setting:

boxEnabledboxDisabled

(Recommended: Enabled.)

 

  check
 

box

Restrict Guest Access to System Log

Security Objective: If enabled, anonymous users are prevented from accessing to the system event log. This policy option is not available in standalone Windows 2000 Professional and Servers.

Computer Setting:

boxEnabledboxDisabled

(Recommended: Enabled.)

 

  check
 

box

Retain Application Log

Security Objective: Determines the number of days' worth of events that should be retained for the application log if the retention method for the application log is "By Days."

Computer Setting: _____ days

(Recommended: Do not change the default settings (7 days). Defaults are "Not Defined" By Days. for Domain and Domain Controller Policies and 7 days in Log Properties.)

 

  check
 

box

Retain Security Log

Security Objective: Determines the number of days worth of events that should be retained for the security log if the retention method for the security log is "By Days".

Computer Setting: _____ days

(Recommended: Do not change the default settings (7 days). Defaults are "Not Defined" for Domain and Domain Controller Policies and 7 days in Log Properties.)

 

  check
 

box

Retain System Log

Security Objective: Determines the number of days' worth of events that should be retained for the system log if the retention method for the system log is "By Days".

Computer Setting: _____ days

(Recommended: Do not change the default settings (7 days). Defaults are "Not Defined" for Domain and Domain Controller Policies and 7 days in Log Properties.)

 

  check
 

box

Retention Method for Application Log

Security Objective: Determines the wrapping method for the application log.

Computer Setting: __________________________________________

(Recommended: Do not change the default settings. Defaults are "Not Defined" for Domain and Domain Controller Policies and 7 days in Log Properties.)

 

  check
 

box

Retention Method for Security Log

Security Objective: Determines the wrapping method for the security log.

Computer Setting: __________________________________________

(Recommended: Do not change the default settings. Defaults are "Not Defined" for Domain and Domain Controller Policies and 7 days in Log Properties.)

 

  check
 

box

Retention Method for System Log

Security Objective: Determines the wrapping method for the system log.

Computer Setting: __________________________________________

(Recommended: Do not change the default settings. Defaults are "Not Defined" for Domain and Domain Controller Policies and 7 days in Log Properties.)

 

  check
 

box

Shut Down the Computer When the Security Audit Log is Full

Security Objective: Use Shut down system immediately if unable to log security audits instead of this policy setting.

Computer Setting:

(Recommended: Set as Not Defined.)

 

  check
System Services

Completed and Verified

WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)

Required

Recommended

 

box

Evaluated Services

Security Objective: To remain in the Evaluated Configuration it is acceptable to have all of the services listed below enabled and running.

Dd277462.scg04(en-us,TechNet.10).gif

(Recommended: Do not disable the evaluated services listed. The default settings are appropriate.)

  check

 

 

box

Non-Evaluated Services

Security Objective: The default services listed below are not acceptable for the Evaluated Configuration and must be disabled.

Dd277462.scg05(en-us,TechNet.10).gif

(Note: Additional services not explicitly listed as Evaluated Services must also be disabled)

  check

 

Registry Permissions: HKEY_LOCAL_MACHINE

Completed and Verified

WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)

Required

Recommended

 

box

box \SOFTWARE

Administrators: Full Control

CREATOR OWNER: Full Control (Subkeys only)

Power Users: Special (Read, Write, Delete)

SYSTEM: Full Control

Users: Read

Inheritance Method: Propagate

box \SOFTWARE\classes

Administrators: Full Control

Authenticated Users: Read

CREATOR OWNER: Full Control (Subkeys only)

Power Users: Special (Read, Write, Delete)

SYSTEM: Full Control

Users: Read

Inheritance Method: Propagate

  check

 

 

box

box \SOFTWARE\classes\.hlp

Administrators: Full Control

Authenticated Users: Read

CREATOR OWNER: Full Control (Subkeys only)

Power Users: Special (Read, Write, Delete)

SYSTEM: Full Control

Users: Read

Inheritance Method: Propagate

box \SOFTWARE\classes\helpfile

Administrators: Full Control

Authenticated Users: Read

CREATOR OWNER: Full Control (Subkeys only)

Power Users: Special (Read, Write, Delete)

SYSTEM: Full Control

Users: Read

Inheritance Method: Propagate

  check

 

 

box

box \SOFTWARE\Microsoft\OS/2 Subsystem for NT

Administrators: Full Control

CREATOR OWNER: Full Control (Subkeys only)

SYSTEM: Full Control

Inheritance Method: Propagate

box \SOFTWARE\Microsoft\Windows NT \CurrentVersion

Authenticated Users: Read

Inheritance Method: Propagate

Note: Replace Eveyone with Authenticated Users. All inherited ACLs remain.

  check

 

 

box

box \SYSTEM\CurrentControlSet\Control \ComputerName

Authenticated Users: Read

Inheritance Method: Propagate

Note: Replace Eveyone with Authenticated Users. All inherited ACLs remain.

box \SYSTEM\currentcontrolset\control \ContentIndex

Authenticated Users: Read

Inheritance Method: Propagate

Note: Replace Eveyone with Authenticated Users. All inherited ACLs remain.

  check

 

 

box

box \SYSTEM\CurrentControlSet\Control \Keyboard Layout

Authenticated Users: Read

Inheritance Method: Propagate

Note: Replace Eveyone with Authenticated Users. All inherited ACLs remain.

box \SYSTEM\CurrentControlSet\Control \Keyboard Layouts

Authenticated Users: Read

Inheritance Method: Propagate

Note: Replace Eveyone with Authenticated Users. All inherited ACLs remain.

  check

 

 

box

box \SYSTEM\CurrentControlSet\Control \Print\Printers

Administrators: Full Control

Authenticated Users: Read

CREATOR OWNER: Full Control (Subkeys only)

Power Users: Special (Read, Write, Delete)

SYSTEM: Full Control

Users: Read

Inheritance Method: Replace

Note: Remove inheritance and replace all ACLs.

box \SYSTEM\CurrentControlSet\Control \ProductOptions

Authenticated Users: Read

Inheritance Method: Propagate

Note: Replace Eveyone with Authenticated Users. All inherited ACLs remain.

  check

 

 

box

box \SYSTEM\CurrentControlSet\Services \Eventlog

Authenticated Users: Read

Inheritance Method: Propagate

Note: Replace Eveyone with Authenticated Users. All inherited ACLs remain.

box \SYSTEM\CurrentControlSet\Services \Tcpip

Authenticated Users: Read

Inheritance Method: Propagate

Note: Replace Eveyone with Authenticated Users. All inherited ACLs remain.

  check

 

Registry Permissions: HKEY_CLASSES_ROOT

Completed and Verified

WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)

Required

Recommended

 

box

box \HKEY_CLASSES_ROOT

Administrators: Full Control

Authenticated Users: Read

CREATOR OWNER: Full Control (Subkeys only)

Power Users: Special (Read, Write, Delete)

SYSTEM: Full Control

Users: Read

Inheritance Method: Propagate

 

  check
File System Permissions

Completed and Verified

WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)

Required

Recommended

 

box

box C:\autoexec.bat

Administrators: Full Control

SYSTEM: Full Control

Users: Read, Execute

Inheritance Method: Replace

box C:\boot.ini

Administrators: Full Control

SYSTEM: Full Control

Inheritance Method: Replace

  check

 

 

box

box C:\config.sys

Administrators: Full Control

SYSTEM: Full Control

Users: Read, Execute

Inheritance Method: Replace

  check

 

 

box

box C:\ntbootdd.sys

Administrators: Full Control

SYSTEM: Full Control

Inheritance Method: Replace

Note: Used when SCSI is available.

box C:\ntdetect.com

Administrators: Full Control

SYSTEM: Full Control

Inheritance Method: Replace

 

  check
 

box

box C:\ntldr

Administrators: Full Control

SYSTEM: Full Control

Inheritance Method: Replace

box %ProgramFiles%

Administrators: Full Control

CREATOR OWNER: Full Control

(Subfolders and Files)

SYSTEM: Full Control

Users: Read, Execute

Inheritance Method: Replace

 

  check
 

box

box %SystemDirectory%

Administrators: Full Control

CREATOR OWNER: Full Control

(Subfolders and Files)

SYSTEM: Full Control

Users: Read, Execute

Inheritance Method: Replace

box %SystemDirectory%\appmgmt

Administrators: Full Control

SYSTEM: Full Control

Users: Read, Execute

Inheritance Method: Propagate

 

  check
 

box

box %SystemDirectory%\config

Administrators: Full Control

SYSTEM: Full Control

Inheritance Method: Replace

box %SystemDirectory%\dllcache

Administrators: Full Control

CREATOR OWNER: Full Control

SYSTEM: Full Control

Inheritance Method: Replace

 

  check
 

box

box %SystemDirectory%\DTCLog

Administrators: Full Control

CREATOR OWNER: Full Control

(Subfolders and Files)

SYSTEM: Full Control

Users: Read, Execute

Inheritance Method: Propagate

box %SystemDirectory%\GroupPolicy

Administrators: Full Control

Authenticated Users: Read, Execute

SYSTEM: Full Control

Inheritance Method: Propagate

 

  check
 

box

box %SystemDirectory%\ias

Administrators: Full Control

CREATOR OWNER: Full Control

SYSTEM: Full Control

Inheritance Method: Replace

box %SystemDirectory%\Ntbackup.exe

Administrators: Full Control

SYSTEM: Full Control

Inheritance Method: Replace

 

  check
 

box

box %SystemDirectory%\NTMSData

Administrators: Full Control

SYSTEM: Full Control

Inheritance Method: Propagate

box %SystemDirectory%\rcp.exe

Administrators: Full Control

SYSTEM: Full Control

Inheritance Method: Replace

 

  check
 

box

box %SystemDirectory%\Regedt32.exe

Administrators: Full Control

SYSTEM: Full Control

Inheritance Method: Replace

box %SystemDirectory%\repl

Administrators: Full Control

SYSTEM: Full Control

Users: Read, Execute

Inheritance Method: Propagate

 

  check
 

box

box %SystemDirectory%\repl\export

Administrators: Full Control

CREATOR OWNER: Full Control

Replicator: Read, Execute

SYSTEM: Full Control

Users: Read, Execute

Inheritance Method: Propagate

box %SystemDirectory%\repl\import

Administrators: Full Control

Replicator: Modify

SYSTEM: Full Control

Users: Read, Execute

Inheritance Method: Propagate

 

  check
 

box

box %SystemDirectory%\rexec.exe

Administrators: Full Control

SYSTEM: Full Control

Inheritance Method: Replace

box %SystemDirectory%\rsh.exe

Administrators: Full Control

SYSTEM: Full Control

Inheritance Method: Replace

 

  check
 

box

box %SystemDirectory%\secedit.exe

Administrators: Full Control

SYSTEM: Full Control

Inheritance Method: Replace

box %SystemDirectory%\Setup

Administrators: Full Control

SYSTEM: Full Control

Users: Read, Execute

Inheritance Method: Propagate

 

  check
 

box

box %SystemDirectory%\spool\Printers

Administrators: Full Control

CREATOR OWNER: Full Control

(Subfolders and Files)

SYSTEM: Full Control

Users: Traverse folder, Read attributes, Read extended attributes, Create files, Create folders

(Folder and Subfolders)

Inheritance Method: Replace

 

  check
 

box

box %SystemDrive%

Administrators: Full Control

CREATOR OWNER: Full Control

(Subfolders and Files)

SYSTEM: Full Control

Users: Read, Execute

Inheritance Method: Propagate

box %SystemDrive%\Documents and Settings

Administrators: Full Control

SYSTEM: Full Control

Users: Read, Execute

Inheritance Method: Propagate

 

  check
 

box

box %SystemDrive%\Documents and Settings\Administrator

Administrators: Full Control

SYSTEM: Full Control

Inheritance Method: Replace

box %SystemDrive%\Documents and Settings\All Users

Administrators: Full Control

SYSTEM: Full Control

Users: Read, Execute

Inheritance Method: Propagate

 

  check
 

box

box %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson

Administrators: Full Control

CREATOR OWNER: Full Control

(Subfolders and Files)

SYSTEM: Full Control

Users: Traverse folder, Create files, Create folders

(Folder and Subfolders)

Inheritance Method: Replace

box %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson\ drwtsn32.log

Administrators: Full Control

CREATOR OWNER: Full Control

SYSTEM: Full Control

Users: Modify

Inheritance Method: Replace

  check

 

 

box

box %SystemDrive%\io.sys

Administrators: Full Control

SYSTEM: Full Control

Users: Read, Execute

Inheritance Method: Replace

box %SystemDrive%\msdos.sys

Administrators: Full Control

SYSTEM: Full Control

Users: Read, Execute

Inheritance Method: Replace

 

  check
 

box

box %SystemDrive%\Temp

Administrators: Full Control

CREATOR OWNER: Full Control

(Subfolders and Files)

SYSTEM: Full Control

Users: Traverse folder, Create files, Create folders

(Folder and Subfolders)

Inheritance Method: Replace

  check

 

 

box

box %SystemRoot%

Administrators: Full Control

CREATOR OWNER: Full Control

(Subfolders and Files)

SYSTEM: Full Control

Users: Read, Execute

Inheritance Method: Replace

box %SystemRoot%\$NtServicePackUninstall$

Administrators: Full Control

SYSTEM: Full Control

Inheritance Method: Replace

 

  check
 

box

box %SystemRoot%\debug

Administrators: Full Control

CREATOR OWNER: Full Control

(Subfolders and Files)

SYSTEM: Full Control

Users: Read, Execute

Inheritance Method: Propagate

box %SystemRoot%\debug\UserMode

Administrators: Full Control

SYSTEM: Full Control

Users: (Folder only) - Traverse folder, List folder, Create files. (Files only) – Create files, create folders

Inheritance Method: Propagate

 

  check
 

box

box %SystemRoot%\regedit.exe

Administrators: Full Control

SYSTEM: Full Control

Inheritance Method: Replace

box %SystemRoot%\Registration

Administrators: Full Control

SYSTEM: Full Control

Users: Read

Inheritance Method: Propagate

 

  check
 

box

box %SystemRoot%\repair

Administrators: Full Control

SYSTEM: Full Control

Inheritance Method: Replace

 

  check
 

box

box %SystemRoot%\ Temp

Administrators: Full Control

CREATOR OWNER: Full Control

(Subfolders and Files)

SYSTEM: Full Control

Users: Traverse folder, Create files, Create folders

(Folder and Subfolders)

Inheritance Method: Replace

  check

 

Additional Registry Settings (Values are shown in decimal, unless otherwise noted)

Completed and Verified

WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)

Required

Recommended

 

box

Disable DirectDraw

Dd277462.scg06(en-us,TechNet.10).gif

  check

 

 

box

Disable Unnecessary Devices

Dd277462.scg07(en-us,TechNet.10).gif

  check

 

 

box

Remove OS/2 and POSIX S ubsystems

Dd277462.scg08(en-us,TechNet.10).gif

  check

 

 

box

Protect kernel Object Attributes

Dd277462.scg09(en-us,TechNet.10).gif

  check

 

 

box

Restrict Null Session Access

Dd277462.scg10(en-us,TechNet.10).gif

  check

 

 

box

Restrict Null Session Access Over Named Pipes

Dd277462.scg11(en-us,TechNet.10).gif

  check

 

 

box

Prevent Interference of the Session Lock from Application Generated Input

Dd277462.scg12(en-us,TechNet.10).gif

Note: It is important to note that the appropriate screen saver settings must be set in conjunction with this key for the feature to make sense. The necessary screen saver settings are:

  • A selected screen saver

  • Password protection

  • A screen saver timeout period

If the screensaver is not properly configured this feature will essentially have no effect on the machines overall security.

  check

 

 

box

Generate an Audit Event when the Audit Log Reaches a Percent Full Threshold

Dd277462.scg13(en-us,TechNet.10).gif

(The value may be edited to conform to local requirements.)

  check

 

 

box

Harden the TCP/IP Stack Against Denial of Service Attacks

Dd277462.scg14(en-us,TechNet.10).gif

 

  check
 

box

Make Screensaver Password Protection Immediate

Dd277462.scg15(en-us,TechNet.10).gif

 

  check
 

box

Disable LMHash Creation

Dd277462.scg16(en-us,TechNet.10).gif

 

  check
 

box

Disable Autorun

Dd277462.scg17(en-us,TechNet.10).gif

 

  check
 

box

Generate Administrative Alert when the Audit Log is Full

Dd277462.scg18(en-us,TechNet.10).gif

Note: Administrative alerts rely on both the Alerter and Messenger services. Make sure that the Alerter service is running on the source computer and that the Messenger service is running on the recipient computer.

 

  check
 

box

LDAP Server handling of LDAP BIND command requests

Dd277462.scg19(en-us,TechNet.10).gif

 

  check
Additional Recommendations

Completed and Verified

WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)

Required

Recommended

 

box

Back up the Administrator's Encryption Certificate

If applicable, backup the Administrator's encryption certificate and store in a secured location.

 

  check
 

box

Enable Automatic Screen Lock Protection

Set a password-protected screensaver. A recommended timeout period is 15 minutes.

 

  check
 

box

Update the System Emergency Repair Disk

Update the systems ERD to reflect the changes made.

 

  check
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft