| Setting | Recommended value | Rationale |
|---|---|---|
| Accounts: Administrator account status | Enabled | Because an administrator account is necessary, the Administrator account should remain enabled for authorized users. |
| Accounts: Guest account status | Disabled | Because guest accounts are risky, the Guest account should be disabled unless specifically required. |
| Accounts: Limit local account use of blank passwords to console logon only | Enabled | Accounts with blank passwords significantly increase the likelihood of network-based attacks. |
| Accounts: Rename administrator account | Not Defined | Renaming the Administrator account forces a malicious individual to guess both the account name and the password. Note that even though the account can be renamed, it still uses the same well-known SID, and there are tools available to quickly identify this and provide the name. |
| Accounts: Rename Guest account | Not Defined | Because the Guest account is disabled by default and should never be enabled, renaming it is not important. However, if an organization decides to enable and use the Guest account, it should be renamed beforehand. |
| Audit: Audit the access of global system objects | Enabled | This setting needs to be enabled for auditing to take place in the Event Viewer. The auditing setting can be set to Not Defined, Success, or Failure in the Event Viewer. |
| Audit: Audit the use of backup and restore privilege | Enabled | For security reasons, this option should be enabled so that auditors are aware of users creating backups of potentially sensitive data. |
| Audit: Shut down system immediately if unable to log security audits | Disabled | Enabling this option shuts down the system if it is unable to log audit events, which helps prevent missed audit events. Configuring very large log files on a separate partition helps mitigate the risk of the log filling up. |
| Devices: Allow undock without having to log on | Disabled | Disabling this option ensures that only authenticated users can dock and undock computers. |
| Devices: Allowed to format and eject removable media | Administrators | This option is not typically useful for desktop images. |
| Devices: Prevent users from installing printer drivers | Enabled | Because the Windows GDI system runs in kernel space, allowing a user to install a printer driver could lead to elevated privileges. |
| Devices: Restrict CD-ROM access to locally logged-on user only | Enabled | Enabling this option prevents remote users from accessing the local CD-ROM, which may contain sensitive information. |
| Devices: Restrict floppy access to locally logged-on user only | Enabled | In situations in which the server is physically secured and password authentication is required by the Recovery Console, this option can be enabled to facilitate system recovery. |
| Devices: Unsigned driver installation behavior | Warn but allow installation | Most driver software is signed. Administrators should not install unsigned drivers unless the origin and authenticity can be verified and the software has been thoroughly tested in a lab environment first. Because only senior administrators will be working on these systems, it is safe to leave this to their discretion. |
| Domain controller: Allow server operators to schedule tasks | Disabled | The ability to schedule tasks should be limited to administrators only. |
| Domain controller: LDAP server signing requirements | Not Defined | This option applies only to domain controllers. |
| Domain controller: Refuse machine account password changes | Disabled | Leaving this option disabled allows machine accounts to change their passwords automatically. |
| Domain member: Digitally encrypt or sign secure channel data (always) | Disabled | If the domain controller is known to support encryption of the secure channel, this option can be enabled to protect against local network attacks. |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled | Enabling this option provides the most flexibility while enabling the highest security when the server supports it. |
| Domain member: Digitally sign secure channel data (when possible) | Enabled | Enabling this option provides the most flexibility while enabling the highest security when the server supports it. |
| Domain member: Disable machine account password changes | Disabled | Disabling this option allows machine accounts to change their passwords automatically. |
| Domain member: Maximum machine account password age | 30 days | Passwords that are changed less frequently are easier to break than passwords that are changed more frequently. |
| Domain member: Require strong (Windows 2000 or later) session key | Enabled | Enabling this option sets strong session keys for all computers running Windows 2000 or later. |
| Interactive logon: Do not display last user name | Enabled | Hiding the last user name should be enabled, especially when the Administrator account is renamed. This helps prevent a passerby from determining account names. |
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled | The CTRL+ALT+DEL sequence is intercepted at a level lower than user-mode programs are allowed to hook. Requiring this sequence at logon is a security feature designed to prevent a Trojan horse program masquerading as the Windows logon from capturing users' passwords. |
| Interactive logon: Message text for users attempting to log on | [provide legal text] | An appropriate legal and warning message should be displayed according to the Corporate Security Policy. |
| Interactive logon: Message title for users attempting to log on | [provide legal title text] | An appropriate legal and warning message should be displayed according to the Corporate Security Policy. |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 10 logons | This option is usually appropriate only for laptops that might be disconnected from their domain. It also presents a security risk for some types of servers, such as application servers: if a server is compromised and domain logons are cached, the attacker may be able to use this locally stored information to gain domain-level credentials. |
| Interactive logon: Prompt user to change password before expiration | 14 days | Password prompts should be aligned with the Corporate Security Policy. |
| Interactive logon: Require Domain Controller authentication to unlock workstation | Enabled | Enabling this option allows a domain controller account to unlock any workstation. This should only be allowed for the local Administrator account on the computer. |
| Interactive logon: Require smart card | Not Defined | If this system will not be using smart cards, this option is not necessary. |
| Interactive logon: Smart card removal behavior | Not Defined | If this system will not be using smart cards, this option is not necessary. |
| Microsoft network client: Digitally sign communications (always) | Disabled | For systems communicating with servers that do not support SMB signing, this option should be disabled. However, if packet authenticity is required, it can be enabled. |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled | For systems communicating with servers that do support SMB signing, this option should be enabled. |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | If this option is enabled, a third-party SMB server could negotiate a dialect that does not support cryptographic functions, and authentication would be performed using plain-text passwords. |
| Microsoft network server: Amount of idle time required before suspending session | 15 minutes | This should be set appropriately for the end-user system so that idle connections do not linger or consume resources. |
| Microsoft network server: Digitally sign communications (always) | Disabled | For servers communicating with clients that do not support SMB signing, this option should be disabled. However, if packet authenticity is required, it can be enabled. |
| Microsoft network server: Digitally sign communications (if client agrees) | Enabled | For servers communicating with clients that do support SMB signing, this option should be enabled. |
| Microsoft network server: Disconnect clients when logon hours expire | Enabled | Enabling this option prevents users from logging on after authorized hours. |
| Network access: Allow anonymous SID/Name translation | Disabled | This option is highly important for securing Windows networking. Disabling it severely restricts the abilities granted to a user connecting with a null session. |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | This option is highly important for securing Windows networking. Enabling it severely restricts the abilities granted to a user connecting with a null session. Because “Everyone” is no longer in the anonymous user’s token, access to IPC$ is disallowed, and pipes that are explicitly set to allow anonymous access are inaccessible because the SMB tree connection to this share fails. |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | This option is highly important for securing Windows networking. Enabling it severely restricts the abilities granted to a user connecting with a null session. Because “Everyone” is no longer in the anonymous user’s token, access to IPC$ is disallowed, and pipes that are explicitly set to allow anonymous access are inaccessible because the SMB tree connection to this share fails. |
| Network access: Do not allow storage of credentials or .NET passports for network authentication | Enabled | Enabling this option prevents the storage of sensitive passwords in the computer’s cache. |
| Network access: Let Everyone permissions apply to anonymous users | Disabled | Anonymous users should have no access to computers. |
| Network access: Named Pipes that can be accessed anonymously | Not Defined | Anonymous access to named pipes should be restricted. Restricting named pipes breaks some intersystem processes, such as network printing. |
| Network access: Remotely accessible registry paths | Not Defined | Registry paths should be restricted from remote access unless required for monitoring. |
| Network access: Shares that can be accessed anonymously | None | No shares should be accessible anonymously. |
| Network access: Sharing and security model for local accounts | Guest only—local users authenticate as Guest | Limit all local accounts to Guest privileges. |
| Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabling this feature deletes the weaker LAN Manager hashes, reducing the likelihood of password attacks that sniff the weak hash over the network or read it from the local SAM database file. |
| Network security: Force logoff when logon hours expire | Enabled | This option should be enabled according to the Corporate Security Policy. |
| Network security: LAN Manager authentication level | Send NTLMv2 response only | Sending LM is less secure than NTLM and should only be enabled if the system will communicate with computers running Windows 98 or Windows 95. Additionally, use NTLMv2 only; however, computers running Windows 98, Windows 95, or unpatched Windows NT 4.0 will not be able to communicate with servers running NTLMv2. |
| Network security: LDAP client signing requirements | Negotiate signing | Require signing when authenticating to third-party LDAP servers. This prevents attacks by rogue LDAP servers and clear-text submission of passwords over the network. |
| Network security: Minimum session security for NTLM SSP-based (including secure RPC) clients | Require NTLMv2 session security | The NTLM hashes contain weaknesses that attackers may exploit. When enabled, these requirements strengthen the authentication algorithms for Windows. |
| Network security: Minimum session security for NTLM SSP-based (including secure RPC) servers | Require NTLMv2 session security | The NTLM hashes contain weaknesses that attackers may exploit. When enabled, these requirements strengthen the authentication algorithms for Windows. |
| Recovery console: Allow automatic administrative logon | Disabled | If automatic administrative logon is enabled, a malicious user with console access could simply restart the computer and gain administrative privileges. However, an organization may enable this feature if the computer is a physically secure server, allowing access to the system if the administrator password is forgotten. |
| Recovery console: Allow floppy copy and access to all drives and all folders | Disabled | The Recovery Console can be used as an attack method to gain access to SAM database files offline; therefore, this option should be disabled to prevent those files from being copied to a floppy disk. |
| Shutdown: Allow system to be shut down without having to log on | Disabled | This option prevents users without valid accounts from shutting down the system and is a good precautionary measure. |
| Shutdown: Clear virtual memory pagefile | Disabled | Clearing the pagefile at shutdown can help prevent offline analysis of the file, which might contain sensitive information from system memory, such as passwords. However, in situations in which the computer is physically secured, this can be left disabled to reduce the time required for system restarts. |
| System cryptography: Force strong key protection for user keys stored on the computer | User is prompted when the key is first used | Protecting local cryptographic secrets helps prevent privilege escalation across the network once access to one system is obtained. |
| System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Not Defined | Requires stronger, standard, and compliant algorithms for encryption, hashing, and signing. |
| System objects: Default owner for objects created by members of the Administrators group | Administrators group | Only administrators should have access to the created file. |
| System objects: Require case insensitivity for non-Windows subsystems | Disabled | Requires case sensitivity for non-Windows subsystems, such as UNIX passwords. |
| System settings: Optional subsystems | Enter POSIX here only if expressly required | The POSIX execution layer has had multiple local exploits in the past and should be disabled unless required by third-party software. It is extremely rare for POSIX to be required by commercial software packages. |
| System settings: Use Certificate Rules on Windows executables for Software Restriction policies | Not Defined | When certificate rules are created, enabling this option enforces software restriction policies that check a Certificate Revocation List (CRL) to make sure the software's certificate and signature are valid. |