Appendix E - Windows 2000 Security Configuration Checklist for the Evaluated Configuration

Article
03/24/2009

Completed and Verified	WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)	Required	Recommended
	File System Configuration Security Objective: Allow configuration of evaluated security mechanisms and support conformance to Security Target requirements. File System Type: NTFS

box

File System Configuration

Security Objective: Allow configuration of evaluated security mechanisms and support conformance to Security Target requirements.

File System Type: NTFS

Account Policy: Password Policy

Completed and Verified	WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)	Required	Recommended
	*Enforce Password History* Security Objective: Set limit on how often passwords may be reused. Computer Setting: _____ passwords remembered (Recommended: 24 passwords remembered.)
	*Maximum Password Age* Security Objective: Set the length of time users can keep their passwords before they have to change it. Computer Setting: _____ days (Recommended: 42 days.)
	*Minimum Password Age* Security Objective: Set the length of time users must keep a password before they can change it. Computer Setting: _____ days (Recommended: 2 days.)
	*Minimum Password Length* Security Objective: Set the minimum number characters required for user passwords. Computer Setting: 8 characters
	*Passwords Must Meet Complexity Requirements* Security Objective: Requires the use of complex (strong) passwords. Computer Setting: Enabled Disabled (Recommended: Enabled.)
	*Store Passwords Using Reversible Encryption for all Users in the Domain* Security Objective: Do Not Enable. Uses weak encryption for passwords. Computer Setting: Disabled

Account Policy: Account Lockout Policy

box

Account Lockout Duration

Security Objective: After invalid password attempts, locks account for a specified period of time.

Computer Setting: _____ minutes

(The ST requires this setting, but does not specify the duration. Recommendation is to set to 0, which requires an administrator to unlock the account.)

box

Account Lockout Threshold

Security Objective: Set the number of bad login attempts allowed before locking the account.

Computer Setting: _____ invalid login attempts

(The ST requires this setting and specifies that it must not be set to a value greater than 5. Recommendation is to set to this value to 5 bad login attempts.)

box

Reset Account Lockout Counter After

Security Objective: Set how long the lockout threshold is maintained before being reset.

Computer Setting: _____ minutes

(This value must be set when setting the previous two policy values. Recommended setting is 30 minutes.)

Account Policy: Kerberos Policy

Completed and Verified	WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)	Required	Recommended
	*Enforce User Logon Restrictions* Security Objective: Validates every logon request by checking the user rights policy. Computer Setting: Retain default settings (Enabled)
	*Maximum Lifetime for Service Ticket* Security Objective: Sets the maximum duration for which a service ticket is valid. Computer Setting: _____ minutes (Default setting is recommended: 600 minutes for domain members, 60 minutes for non-domain computers.)
	*Maximum Lifetime for User Ticket* Security Objective: Sets the maximum duration for which a user ticket is valid. Computer Setting: _____ hours (Default setting is recommended: 10 hours for domain members, 7 hours for non-domain computers.)
	*Maximum Lifetime for User Ticket Renewal* Security Objective: Sets the renewal period for expired tickets. Computer Setting: _____ days (Default setting is recommended: 7 days for domain members, 10 days for non-domain computers.)
	*Maximum Tolerance for Computer Clock Synchronization* Security Objective: Sets the maximum tolerance for synchronization between computers in the Domain. Computer Setting: Retain default settings (5 minutes for domain members, 60 minutes for non-domain computers)

Local Policy: Audit Policy

Completed and Verified	WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)	Required	Recommended
	*Audit Account Logon Events* Security Objective: Audit account logon/logoff events from another computer in which this computer is used to validate the account. "Account logon events" are generated where the account resides. Computer Setting: SuccessFailure (Recommended: Success, Failure)
	*Audit Account Management* Security Objective: Audit account management activities. Computer Setting: SuccessFailure (Recommended: Success, Failure)
	*Audit Directory Service Access* Security Objective: Audit access to an Active Directory object that has its own system access control list specified. Computer Setting: SuccessFailure (Recommended: Success, Failure)
	*Audit Logon Events* Security Objective: Audit local or network logon/logoff events to this computer. "Logon events" are generated where the logon attempt occurs. Computer Setting: SuccessFailure (Recommended: Success, Failure)
	*Audit Object Access* Security Objective: Audit access to an object--for example, a file, folder, registry key, or printer, which has its own system access control list specified. Computer Setting: SuccessFailure (Recommended: Success, Failure)
	*Audit Policy Change* Security Objective: Audit a change to user rights assignment policies, audit policies, or trust policies. Computer Setting: SuccessFailure (Recommended: Success)
	*Audit Privilege Use* Security Objective: Audit each instance of a user exercising a user right. Computer Setting: SuccessFailure (Recommended: Success, Failure)
	*Audit Process Tracking* Security Objective: Audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Computer Setting: SuccessFailure (Recommended: Success, Failure)
	*Audit System Events* Security Objective: Audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log. Computer Setting: SuccessFailure (Recommended: Success)

Local Policy: User Rights Assignment

Completed and Verified	WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)	Required	Recommended
	*Access this Computer from the Network* Security Objective: Determines which users are allowed to connect over the network to the computer. Computer Setting: Assigned To: (In Domain Policy set as indicated for Windows 2000 Professional and Servers.)
	*Act as Part of the Operating System* Security Objective: Allow a process to authenticate as a user and thus gain access to the same resources as a user. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Add Workstations to Domain (Domain Controller)* Security Objective: Allows a user to add a computer to a specific domain. Computer Setting: Remove the Authenticated Users account and do not assign this privilege to other accounts. Domain Admins has this privilege by default.
	*Backup Files and Directories* Security Objective: Allows the user to circumvent file and directory permissions to backup the system. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Bypass Traverse Checking* Security Objective: Allows the user to pass through folders to which the user otherwise has no access. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Change the System Time* Security Objective: Allows the user to set the time for the internal clock of the computer. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Create a Pagefile* Security Objective: Allows the user to create and change the size of a pagefile. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Create a Token Objec* t Security Objective: Allows a process to create an access token. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Crea* te Permanent Shared Objects Security Objective: Allow a process to create a directory object in the Windows 2000 object manager. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Debug Programs* Security Objective: Allows the user to attach a debugger to any process. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Deny Access to this Computer from the Network* Security Objective: Prohibits a user or group from connecting to the computer from the network. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Deny Logon as a Batch Job* Security Objective: Prohibits a user or group from logging on through a batch-queue facility. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Deny Logon as a Service* Security Objective: Prohibits a user or group from logging on as a service. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Deny Logon Locally* Security Objective: Prohibits a user or group from logging on locally at the keyboard. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Enable Computer and User Accounts to be Trusted for Delegation* Security Objective: Allows the user to change the Trusted for Delegation setting on a user or computer in Active Directory. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Force Shutdown from a Remote System* Security Objective: Allows a user to shut down a computer from a remote location on the network. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Generate Security Audits* Security Objective: Allows a process to generate entries in the security log. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Increase Quotas* Security Objective: Allows a process that has Write Property access to another process to increase the processor quota that is assigned to the other process. Computer Setting: Do not change the defaults of "Assigned To: Administrators." (In Domain Policy, assign to Administrators only.)
	*Increase Scheduling Priority* Security Objective: Allows a process that has Write Property access to another process to Computer Setting: Do not change the defaults of "Assigned To: Administrators." (In Domain Policy, assign to Administrators only.)
	*Load and Unload Device Drivers* Security Objective: Allows a user to install and uninstall Plug and Play device drivers. Computer Setting: Do not change the defaults of Assigned To: Administrators. (In Domain Policy, assign to Administrators only.)
	*Lock Pages in Memory* Security Objective: Allows a process to keep data in physical memory, which prevents the system from paging data to virtual memory on disk. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Log on as a Batch Job* Security Objective: Allows a user to log on by using a batch-queue facility. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Log on as a Service* Security Objective: Allows a security principal to log on as a service. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Log on Locally* Security Objective: Allows a user to log on locally at the computer's keyboard. Computer Setting: Assigned To: (In Domain Policy set as indicated for Windows 2000 Professional and Servers.)
	*Manage Auditing and Security Log* Security Objective: Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and Registry keys. Computer Setting: Do not change the defaults of "Assigned To: Administrators." (In Domain Policy, assign to Administrators only.)
	*Modify Firmware Environment Values* Security Objective: Allows modification of system environment variables either by a process through an API or by a user through the System Properties applet. Computer Setting: Do not change the defaults of "Assigned To: Administrators." (In Domain Policy, assign to Administrators only.)
	*Profile Single Process* Security Objective: Allows a user to run Microsoft Windows NT and Windows 2000 performance monitoring tools to monitor the performance of nonsystem processes. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Profile System Performance* Security Objective: Allows a user to run Microsoft Windows NT and Windows 2000 performance monitoring tools to monitor the performance of system processes. Computer Setting: Do not change the defaults of "Assigned To: Administrators." (In Domain Policy, assign to Administrators only.)
	*Remove Computer from Docking Station* Security Objective: Allows a user of a portable computer to unlock the computer by clicking "Eject PC" on the Start menu. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Replace a Process Level Token* Security Objective: Allows a parent process to replace the access token that is associated with a child process. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Restore Files and Directories* Security Objective: Allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Shut Down th* e System Security Objective: Allows a user to shut down the local computer Computer Setting: Assigned To: (Recommended: For Windows 2000 Professional assign to Administrators, Authenticated Users, Backup Operators, Power Users.)
	*Synchronize Directory Service Data* Security Objective: Allows a service to provide directory synchronization services. Computer Setting: Assigned To: (Recommended: Do not change the defaults)
	*Take Ownership of Files or Other Objects* Security Objective: Allows the user to take ownership of any securable object in the system. Computer Setting: Do not change the defaults of "Assigned To: Administrators." (In Domain Policy, assign to Administrators only.)

Local Policy: Security Options

Completed and Verified	WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)	Required	Recommended
	*Additional Restrictions for Anonymous Connections* Security Objective: Set restrictions on anonymous connections to the computer. Computer Setting: Do not allow enumeration of SAM accounts and shares
	*Allow Server Operators to Schedule Tasks (Domain Controllers Only)* Security Objective: Determines if Server Operators are allowed to submit jobs by means of the AT schedule facility. Computer Setting: Disabled (The AT schedule facility is not part of the Evaluated Configuration.)
	*Allow System to be Shut Down Without Logon Without Having to Log On* Security Objective: Set a computer to allow shutdown without requiring a user to logon. Computer Setting: Disabled
	*Allowed to Eject Removable NTFS Media* Security Objective: Set the accounts allowed to eject removable NTFS media from the computer. Computer Setting: Accounts defined in the policy: _________________________ (Recommended: Administrators)
	*Amount of Idle Time Required Before Disconnecting a Session* Security Objective: Set the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is disconnected due to inactivity. Computer Setting: _____ minutes (Recommended: Do not change the default setting of 15 minutes.)
	*Audit the Access of Global System Objects* Security Objective: Allows access of global system objects to be audited. Computer Setting: EnabledDisabled (Recommended: Enabled, only when there is a strict audit management process in place.)
	*Audit the Use of Backup and Restore Privilege* Security Objective: Allow auditing of Backup and Restore user rights. Computer Setting: EnabledDisabled (Recommended: Enabled, only when there is a strict audit management process in place.)
	*Automatically Log Off Users When Logon Time Expires* Security Objective: When enabled, disconnects users that are connected to the local machine outside of their user account's valid logon hours. Can only be set on DCs. Computer Setting: EnabledDisabled (Recommended: Enabled)
	*Automatically Log Off Users When Logon Time Expires (Local)* Security Objective: When enabled, disconnects users that are connected to the local machine outside of their user account's valid logon hours. Computer Setting: EnabledDisabled (Recommended: Enabled)
	*Clear Virtual Memory Pagefile When System Shuts Down* Security Objective: Determines whether the virtual memory pagefile should be cleared when the system is shut down. Computer Setting: Enabled
	*Digitally Sign Client Communications (Always)* Security Objective: Determines whether the computer will always digitally sign client communications. Computer Setting: Disabled
	*Digitally Sign Client Communications (When Possible)* Security Objective: If enabled, causes the SMB client to perform SMB packet signing only when communicating with an SMB server that is enabled or required to perform SMB packet signing. Computer Setting: Enabled
	*Digitally Sign Server Communications (Always)* Security Objective: If enabled, requires the SMB server to perform SMB packet signing. Computer Setting: Disabled
	*Digitally Sign Server Communications (When Possible)* Security Objective: If enabled, causes the SMB server to perform SMB packet signing when necessary. Computer Setting: Enabled
	*Disable CTRL+ALT+* *DEL* *Requirement for Logon* Security Objective: Determines whether pressing CTRL+ALT+DEL is required before a user can log on. Computer Setting: Disabled (A "Disabled" setting actually enables/requires the use of CTRL+ALT+DEL)
	*Do Not Display Last User Name in Logon Screen* Security Objective: Determines whether the name of the last user to logon to the computer is displayed in the Windows logon screen. Computer Setting: EnabledDisabled (Recommended: Enabled)
	*LAN Manager Authentication Level* Security Objective: Determines which challenge/response authentication protocol is used for network logons. Computer Setting: Selected Option: _______________________________________ (Recommended: Send NTLMv2 response only/refuse LM & NTLM)
	*Message Text for Users Attempting to Log On* Security Objective: Specifies a text message that is displayed to users when they log on. Computer Setting: Message text: __________________________________ ___________________________________ ___________________________________ ___________________________________ (Recommended: Set a warning banner in accordance to local policy requirements.)
	*Message Title for Users Attempting to Log On* Security Objective: Specifies a title that appears in the title bar of the window containing the message text for users attempting to log on. Computer Setting: Message title: _____________________________________ (Recommended: Set a warning banner in accordance to local policy requirements.)
	*Number of Previous Logons to Cache (In Case Domain Controller is not Available)* Security Objective: Determines the number of times a user can log on to a Windows domain using cached account information. Computer Setting: Cache: 0 logons
	*Prevent System Maintenance of Computer Account Password* Security Objective: Determines whether the computer account password should be prevented from being reset every week. If this policy is enabled, the machine is prevented from requesting a weekly password change. Computer Setting: EnabledDisabled (Recommended: Verify that local policies are set at the default of Disabled, and that Domain Policies are either Disabled or Not Defined.)
	*Prevent Users from Installing Print Drivers* Security Objective: Determines whether members of the Users group are prevented from installing print drivers. Computer Setting: Enabled
	*Prompt User to Change Password Before Expiration* Security Objective: Determines how far in advance Windows 2000 should warn users that their password is about to expire. Computer Setting: _____ days (Recommended: Default setting of 14 days is adequate.)
	*Recovery Console: Allow Automatic Administrative Logon* Security Objective: If set, the Recovery Console does not require a password and will automatically log on to the system. Computer Setting: Disabled (The Recovery Console is not part of the Evaluated Configuration.)
	*Recovery Console: Allow Floppy Copy and Access to all Drives and all Folders* Security Objective: Enabling this option enables the Recovery Console SET command. Computer Setting: EnabledDisabled (Recommended: Do not enable this option. The Recovery Console is not part of the Evaluated Configuration.)
	*Rename Administrator Account* Security Objective: Associates a different account name with the security identifier (SID) for the account "Administrator". Computer Setting: (Recommended: Change and safeguard the recorded account name. Do not record it in this document.)
	*Rename Guest Account* Security Objective: Associates a different account name with the security identifier (SID) for the account Guest. Computer Setting: (Recommended: Change and safeguard the recorded account name. Do not record it in this document.)
	*Restrict CD-ROM Access to Locally Logged-On User Only* Security Objective: If enabled, this policy allows only the interactively logged-on user to access removable CD-ROM media. Computer Setting: Enabled
	*Restrict Floppy Access to Locally Logged-On User Only* Security Objective: If enabled, this policy allows only the interactively logged-on user to access removable floppy media. Computer Setting: Enabled
	*Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)* Security Objective: If this policy is enabled, all outgoing secure channel traffic must be either signed or encrypted. Computer Setting: EnabledDisabled (Recommended: By default this option is Disabled. Do not change the default setting.)
	*Secure Channel: Digitally Encrypt or Sign Secure Channel Data (When Possible)* Security Objective: If this policy is enabled, all outgoing secure channel traffic should be encrypted. Computer Setting: EnabledDisabled (Recommended: By default this option is Enabled. Do not change the default setting.)
	*Secure Channel: Digitally Sign Secure Channel Data (When Possible)* Security Objective: If this policy is enabled, all outgoing secure channel traffic should be signed. Computer Setting: EnabledDisabled (Recommended: By default this option is Enabled. Do not change the default setting.)
	*Secure Channel: Require Strong (Windows 2000 or later) Session Key* Security Objective: If this policy is enabled, all outgoing secure channel traffic will require a strong (Windows2000 or later) encryption key. Computer Setting: EnabledDisabled (Recommended: By default this option is Disabled. Generally, do not change the default setting. This policy should only be enabled if "all" DCs in a trusted domain support strong keys.)
	*Secure System Partition (For RISC Platforms Only)* Security Objective: If this policy is enabled, only administrative access is allowed to a RISC-based system partition (which must be FAT) while the operating system is running. Computer Setting: Not Defined (This policy does not apply to the Evaluated Configuration.)
	*Send Unencrypted Password to Connect to Third-Party SMB Servers* Security Objective: If enabled, the SMB redirector is allowed to send clear-text passwords to non-Microsoft SMB servers, which do not support password encryption during authentication. Computer Setting: EnabledDisabled (Recommended: By default this option is Disabled. Do not change the default setting.)
	*Shut Down System Immediately if Unable to Log Security Audits* Security Objective: Determines whether the system should shut down if it is unable to log security events. Computer Setting: EnabledDisabled Note: Use this security policy on servers and Domain Controllers only after implementing strict procedures for archiving and clearing the audit logs on a regular basis. (Recommended: Enabled. Requires archiving and clearing the logs on a regular basis.)
	*Smart Card Removal Behavior* Security Objective: Determines what should happen when the smart card for a logged-on user is removed from the smart card reader. Computer Setting: ___________________________________ (Recommended: If using smart cards, set to Lock Workstation. However, the integration of smart card technology is not part of the evaluated configuration.)
	*Strengthen Default Permissions for Global System Objects (e.g., Symbolic Links)* Security Objective: If this policy is enabled, the default DACL is stronger, allowing non-admin users to read shared objects, but not modify shared objects that they did not create. Computer Setting: Enabled
	*Unsigned Driver Installation Behavior* Security Objective: Determines what should happen when an attempt is made to install a device driver that has not been certified by the Windows Hardware Quality Lab. Computer Setting: ___________________________________ (Recommended: Set to Warn but allow installation.)
	*Unsigned Non-Driver Installation Behavior* Security Objective: Determines what should happen when an attempt is made to install any nondevice driver software that has not been certified. Computer Setting: ___________________________________ (Recommended: Set to Warn but allow installation.)

Event Logs: Settings for Event Logs

Completed and Verified	WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)	Required	Recommended
	*Maximum Application Log Size* Security Objective: Specifies the maximum size for the application event log. Computer Setting: ______________ kilobytes (Recommended: For most environments, the default value of 512 kilobytes is adequate.)
	*Maximum Security Log Size* Security Objective: Specifies the maximum size for the security event log. Computer Setting: ______________ kilobytes (Recommended: A larger log size should be set based on the amount of expected activity, the amount of available disk space, and the frequency with which the logs will be manually reviewed, archived, and cleared.)
	*Maximum System Log Size* Security Objective: Specifies the maximum size for the system event log. Computer Setting: ______________ kilobytes (Recommended: For most environments, the default value of 512 kilobytes is adequate.)
	*Restrict Guest Access to Application Log* Security Objective: If enabled, anonymous users are prevented from accessing to the application event log. This policy option is not available in standalone Windows 2000 Professional and Servers. Computer Setting: EnabledDisabled (Recommended: Enabled.)
	*Restrict Guest Access to Security Log* Security Objective: If enabled, anonymous users are prevented from accessing to the security event log. This policy option is not available in standalone Windows 2000 Professional and Servers. Computer Setting: EnabledDisabled (Recommended: Enabled.)
	*Restrict Guest Access to System Log* Security Objective: If enabled, anonymous users are prevented from accessing to the system event log. This policy option is not available in standalone Windows 2000 Professional and Servers. Computer Setting: EnabledDisabled (Recommended: Enabled.)
	*Retain Application Log* Security Objective: Determines the number of days' worth of events that should be retained for the application log if the retention method for the application log is "By Days." Computer Setting: _____ days (Recommended: Do not change the default settings (7 days). Defaults are "Not Defined" By Days. for Domain and Domain Controller Policies and 7 days in Log Properties.)
	*Retain Security Log* Security Objective: Determines the number of days worth of events that should be retained for the security log if the retention method for the security log is "By Days". Computer Setting: _____ days (Recommended: Do not change the default settings (7 days). Defaults are "Not Defined" for Domain and Domain Controller Policies and 7 days in Log Properties.)
	*Retain System Log* Security Objective: Determines the number of days' worth of events that should be retained for the system log if the retention method for the system log is "By Days". Computer Setting: _____ days (Recommended: Do not change the default settings (7 days). Defaults are "Not Defined" for Domain and Domain Controller Policies and 7 days in Log Properties.)
	*Retention Method for Application Log* Security Objective: Determines the wrapping method for the application log. Computer Setting: __________________________________________ (Recommended: Do not change the default settings. Defaults are "Not Defined" for Domain and Domain Controller Policies and 7 days in Log Properties.)
	*Retention Method for Security Log* Security Objective: Determines the wrapping method for the security log. Computer Setting: __________________________________________ (Recommended: Do not change the default settings. Defaults are "Not Defined" for Domain and Domain Controller Policies and 7 days in Log Properties.)
	*Retention Method for System Log* Security Objective: Determines the wrapping method for the system log. Computer Setting: __________________________________________ (Recommended: Do not change the default settings. Defaults are "Not Defined" for Domain and Domain Controller Policies and 7 days in Log Properties.)
	*Shut Down the Computer When the Security Audit Log is Full* Security Objective: Use Shut down system immediately if unable to log security audits instead of this policy setting. Computer Setting: (Recommended: Set as Not Defined.)

System Services

box

Evaluated Services

Security Objective: To remain in the Evaluated Configuration it is acceptable to have all of the services listed below enabled and running.

(Recommended: Do not disable the evaluated services listed. The default settings are appropriate.)

box

Non-Evaluated Services

Security Objective: The default services listed below are not acceptable for the Evaluated Configuration and must be disabled.

(Note: Additional services not explicitly listed as Evaluated Services must also be disabled)

Registry Permissions: HKEY_LOCAL_MACHINE

Completed and Verified	WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)	Required	Recommended
	\SOFTWARE Administrators: Full Control CREATOR OWNER: Full Control (Subkeys only) Power Users: Special (Read, Write, Delete) SYSTEM: Full Control Users: Read Inheritance Method: Propagate \SOFTWARE\classes Administrators: Full Control Authenticated Users: Read CREATOR OWNER: Full Control (Subkeys only) Power Users: Special (Read, Write, Delete) SYSTEM: Full Control Users: Read Inheritance Method: Propagate
	\SOFTWARE\classes\.hlp Administrators: Full Control Authenticated Users: Read CREATOR OWNER: Full Control (Subkeys only) Power Users: Special (Read, Write, Delete) SYSTEM: Full Control Users: Read Inheritance Method: Propagate \SOFTWARE\classes\helpfile Administrators: Full Control Authenticated Users: Read CREATOR OWNER: Full Control (Subkeys only) Power Users: Special (Read, Write, Delete) SYSTEM: Full Control Users: Read Inheritance Method: Propagate
	\SOFTWARE\Microsoft\OS/2 Subsystem for NT Administrators: Full Control CREATOR OWNER: Full Control (Subkeys only) SYSTEM: Full Control Inheritance Method: Propagate \SOFTWARE\Microsoft\Windows NT \CurrentVersion Authenticated Users: Read Inheritance Method: Propagate Note: Replace Eveyone with Authenticated Users. All inherited ACLs remain.
	\SYSTEM\CurrentControlSet\Control \ComputerName Authenticated Users: Read Inheritance Method: Propagate Note: Replace Eveyone with Authenticated Users. All inherited ACLs remain. \SYSTEM\currentcontrolset\control \ContentIndex Authenticated Users: Read Inheritance Method: Propagate Note: Replace Eveyone with Authenticated Users. All inherited ACLs remain.
	\SYSTEM\CurrentControlSet\Control \Keyboard Layout Authenticated Users: Read Inheritance Method: Propagate Note: Replace Eveyone with Authenticated Users. All inherited ACLs remain. \SYSTEM\CurrentControlSet\Control \Keyboard Layouts Authenticated Users: Read Inheritance Method: Propagate Note: Replace Eveyone with Authenticated Users. All inherited ACLs remain.
	\SYSTEM\CurrentControlSet\Control \Print\Printers Administrators: Full Control Authenticated Users: Read CREATOR OWNER: Full Control (Subkeys only) Power Users: Special (Read, Write, Delete) SYSTEM: Full Control Users: Read Inheritance Method: Replace Note: Remove inheritance and replace all ACLs. \SYSTEM\CurrentControlSet\Control \ProductOptions Authenticated Users: Read Inheritance Method: Propagate Note: Replace Eveyone with Authenticated Users. All inherited ACLs remain.
	\SYSTEM\CurrentControlSet\Services \Eventlog Authenticated Users: Read Inheritance Method: Propagate Note: Replace Eveyone with Authenticated Users. All inherited ACLs remain. \SYSTEM\CurrentControlSet\Services \Tcpip Authenticated Users: Read Inheritance Method: Propagate Note: Replace Eveyone with Authenticated Users. All inherited ACLs remain.

Registry Permissions: HKEY_CLASSES_ROOT

Completed and Verified	WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)	Required	Recommended
	\HKEY_CLASSES_ROOT Administrators: Full Control Authenticated Users: Read CREATOR OWNER: Full Control (Subkeys only) Power Users: Special (Read, Write, Delete) SYSTEM: Full Control Users: Read Inheritance Method: Propagate

box

box \HKEY_CLASSES_ROOT

Administrators: Full Control

Authenticated Users: Read

CREATOR OWNER: Full Control (Subkeys only)

Power Users: Special (Read, Write, Delete)

SYSTEM: Full Control

Users: Read

Inheritance Method: Propagate

File System Permissions

Completed and Verified	WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)	Required	Recommended
	C:\autoexec.bat Administrators: Full Control SYSTEM: Full Control Users: Read, Execute Inheritance Method: Replace C:\boot.ini Administrators: Full Control SYSTEM: Full Control Inheritance Method: Replace
	C:\config.sys Administrators: Full Control SYSTEM: Full Control Users: Read, Execute Inheritance Method: Replace
	C:\ntbootdd.sys Administrators: Full Control SYSTEM: Full Control Inheritance Method: Replace Note: Used when SCSI is available. C:\ntdetect.com Administrators: Full Control SYSTEM: Full Control Inheritance Method: Replace
	C:\ntldr Administrators: Full Control SYSTEM: Full Control Inheritance Method: Replace %ProgramFiles% Administrators: Full Control CREATOR OWNER: Full Control (Subfolders and Files) SYSTEM: Full Control Users: Read, Execute Inheritance Method: Replace
	%SystemDirectory% Administrators: Full Control CREATOR OWNER: Full Control (Subfolders and Files) SYSTEM: Full Control Users: Read, Execute Inheritance Method: Replace %SystemDirectory%\appmgmt Administrators: Full Control SYSTEM: Full Control Users: Read, Execute Inheritance Method: Propagate
	%SystemDirectory%\config Administrators: Full Control SYSTEM: Full Control Inheritance Method: Replace %SystemDirectory%\dllcache Administrators: Full Control CREATOR OWNER: Full Control SYSTEM: Full Control Inheritance Method: Replace
	%SystemDirectory%\DTCLog Administrators: Full Control CREATOR OWNER: Full Control (Subfolders and Files) SYSTEM: Full Control Users: Read, Execute Inheritance Method: Propagate %SystemDirectory%\GroupPolicy Administrators: Full Control Authenticated Users: Read, Execute SYSTEM: Full Control Inheritance Method: Propagate
	%SystemDirectory%\ias Administrators: Full Control CREATOR OWNER: Full Control SYSTEM: Full Control Inheritance Method: Replace %SystemDirectory%\Ntbackup.exe Administrators: Full Control SYSTEM: Full Control Inheritance Method: Replace
	%SystemDirectory%\NTMSData Administrators: Full Control SYSTEM: Full Control Inheritance Method: Propagate %SystemDirectory%\rcp.exe Administrators: Full Control SYSTEM: Full Control Inheritance Method: Replace
	%SystemDirectory%\Regedt32.exe Administrators: Full Control SYSTEM: Full Control Inheritance Method: Replace %SystemDirectory%\repl Administrators: Full Control SYSTEM: Full Control Users: Read, Execute Inheritance Method: Propagate
	%SystemDirectory%\repl\export Administrators: Full Control CREATOR OWNER: Full Control Replicator: Read, Execute SYSTEM: Full Control Users: Read, Execute Inheritance Method: Propagate %SystemDirectory%\repl\import Administrators: Full Control Replicator: Modify SYSTEM: Full Control Users: Read, Execute Inheritance Method: Propagate
	%SystemDirectory%\rexec.exe Administrators: Full Control SYSTEM: Full Control Inheritance Method: Replace %SystemDirectory%\rsh.exe Administrators: Full Control SYSTEM: Full Control Inheritance Method: Replace
	%SystemDirectory%\secedit.exe Administrators: Full Control SYSTEM: Full Control Inheritance Method: Replace %SystemDirectory%\Setup Administrators: Full Control SYSTEM: Full Control Users: Read, Execute Inheritance Method: Propagate
	%SystemDirectory%\spool\Printers Administrators: Full Control CREATOR OWNER: Full Control (Subfolders and Files) SYSTEM: Full Control Users: Traverse folder, Read attributes, Read extended attributes, Create files, Create folders (Folder and Subfolders) Inheritance Method: Replace
	%SystemDrive% Administrators: Full Control CREATOR OWNER: Full Control (Subfolders and Files) SYSTEM: Full Control Users: Read, Execute Inheritance Method: Propagate %SystemDrive%\Documents and Settings Administrators: Full Control SYSTEM: Full Control Users: Read, Execute Inheritance Method: Propagate
	%SystemDrive%\Documents and Settings\Administrator Administrators: Full Control SYSTEM: Full Control Inheritance Method: Replace %SystemDrive%\Documents and Settings\All Users Administrators: Full Control SYSTEM: Full Control Users: Read, Execute Inheritance Method: Propagate
	%SystemDrive%\Documents and Settings\All Users\Documents\DrWatson Administrators: Full Control CREATOR OWNER: Full Control (Subfolders and Files) SYSTEM: Full Control Users: Traverse folder, Create files, Create folders (Folder and Subfolders) Inheritance Method: Replace %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson\ drwtsn32.log Administrators: Full Control CREATOR OWNER: Full Control SYSTEM: Full Control Users: Modify Inheritance Method: Replace
	%SystemDrive%\io.sys Administrators: Full Control SYSTEM: Full Control Users: Read, Execute Inheritance Method: Replace %SystemDrive%\msdos.sys Administrators: Full Control SYSTEM: Full Control Users: Read, Execute Inheritance Method: Replace
	%SystemDrive%\Temp Administrators: Full Control CREATOR OWNER: Full Control (Subfolders and Files) SYSTEM: Full Control Users: Traverse folder, Create files, Create folders (Folder and Subfolders) Inheritance Method: Replace
	%SystemRoot% Administrators: Full Control CREATOR OWNER: Full Control (Subfolders and Files) SYSTEM: Full Control Users: Read, Execute Inheritance Method: Replace %SystemRoot%\$NtServicePackUninstall$ Administrators: Full Control SYSTEM: Full Control Inheritance Method: Replace
	%SystemRoot%\debug Administrators: Full Control CREATOR OWNER: Full Control (Subfolders and Files) SYSTEM: Full Control Users: Read, Execute Inheritance Method: Propagate %SystemRoot%\debug\UserMode Administrators: Full Control SYSTEM: Full Control Users: (Folder only) - Traverse folder, List folder, Create files. (Files only) – Create files, create folders Inheritance Method: Propagate
	%SystemRoot%\regedit.exe Administrators: Full Control SYSTEM: Full Control Inheritance Method: Replace %SystemRoot%\Registration Administrators: Full Control SYSTEM: Full Control Users: Read Inheritance Method: Propagate
	%SystemRoot%\repair Administrators: Full Control SYSTEM: Full Control Inheritance Method: Replace
	%SystemRoot%\ Temp Administrators: Full Control CREATOR OWNER: Full Control (Subfolders and Files) SYSTEM: Full Control Users: Traverse folder, Create files, Create folders (Folder and Subfolders) Inheritance Method: Replace

Additional Registry Settings (Values are shown in decimal, unless otherwise noted)

Completed and Verified	WINDOWS 2000 Security Configuration Checklist (Settings apply to all operating system versions except where otherwise noted)	Required	Recommended
	*Disable DirectDraw*
	*Disable Unnecessary Devices*
	*Remove OS/2 and POSIX S* ubsystems
	*Protect kernel Object Attributes*
	*Restrict Null Session Access*
	*Restrict Null Session Access Over Named Pipes*
	*Prevent Interference of the Session Lock from Application Generated Input* Note: It is important to note that the appropriate screen saver settings must be set in conjunction with this key for the feature to make sense. The necessary screen saver settings are: A selected screen saver Password protection A screen saver timeout period If the screensaver is not properly configured this feature will essentially have no effect on the machines overall security.
	*Generate an Audit Event when the Audit Log Reaches a Percent Full Threshold* (The value may be edited to conform to local requirements.)
	*Harden the TCP/IP Stack Against Denial of Service Attacks*
	*Make Screensaver Password Protection Immediate*
	*Disable LMHash Creation*
	*Disable Autorun*
	*Generate Administrative Alert when the Audit Log is Full* Note: Administrative alerts rely on both the Alerter and Messenger services. Make sure that the Alerter service is running on the source computer and that the Messenger service is running on the recipient computer.
	*LDAP Server handling of LDAP BIND command requests*