Windows Server 2003 Recommended Baseline Security

IT Security 

Guidance 

Windows Server 2003 

Recommended 

Baseline 

March 2004 

ITSG-20


Recommended Baseline Security (ITSG-20) 

This page intentionally left blank. 

March 2004



Foreword 

The Windows Server 2003 Recommended Baseline Security is an unclassified publication, issued 

under the authority of the Chief, Communications Security Establishment (CSE). 

CSE wishes to acknowledge Microsoft for the “Windows Server 2003 Security Guide” and 

“Threats and Counter Measures: Security Settings in Windows Server 2003 and Windows XP” 

documents which are both used as reference. 

For further information, please contact CSE’s: 

Client Contact Centre 

cryptosvc@cse-cst.gc.ca (e-mail) 

613-991-8495 (tel) 

_______________________________________ 

Diane Keller 

A/Director, Architecture and Engineering 

©2004 Government of Canada, Communications Security Establishment 

It is permissible to make extracts from this publication, provided the extracts are for Government 

of Canada departmental use. For commercial purposes, written permission from CSE is required. 

Foreword March 2004 i




ii March 2004 Foreword



Disclaimer of Responsibility 

This product review was prepared by CSE for the use of the federal government. The review is 

informal and limited in scope. It is not an assessment or evaluation, and does not represent an 

endorsement of the product by CSE. The material in it reflects CSE’s best judgement, in light of 

the information available to it at the time of preparation. Any use which a third party makes of 

this report, or any reliance on or decisions made based on it, are the responsibility of such third 

parties. CSE accepts no responsibility for damages, if any, suffered by any third party as a result 

of decisions or actions based on this report. 

© 2004 Government of Canada, Communications Security Establishment (CSE) 

P.O. Box 9703, Terminal, Ottawa, Ontario, Canada, K1G 3Z4 

This publication may be reproduced verbatim, in its entirety, without charge, for educational and 

personal purposes only. However, written permission from CSE is required for use of the 

material in edited or excepted form, or for any commercial purpose. 

Disclaimer of Responsibility March 2004 iii




iv March 2004 Disclaimer of Responsibility



Record of Amendments 

Amendment No. Date Entered by 

Record of Amendments March 2004 v




vi March 2004 Record of Amendments



Executive Summary 

This guide provides detailed guidance for hardening a Windows 2003 Server. Deploying 

hardened servers is critical when protecting information technology (IT) from attack. By using 

the information in this guide, System Administrators can install packages that will deploy 

hardened servers in their environment. 

The intent of this guide is to provide a very secure Baseline configuration. System 

Administrators may then add functionality as needed. 

To help System Administrators add functionality, two configurations are provided: a print server 

and a file server. 

This guide has been developed using the “Microsoft Windows Server 2003 Security Guide” 

[Reference 1] as reference. The Microsoft guide was analyzed and tested at CSE. The result is 

detailed instructions on: 

• Necessary software 

• Registry keys 

• Security settings 

• Internet Protocol Security (IPSec) 

Executive Summary March 2004 vii




viii March 2004 Executive Summary



Table of Contents 

Foreword......................................................................................................................... i 

Disclaimer of Responsibility ....................................................................................... iii 

Record of Amendments................................................................................................ v 

Executive Summary .................................................................................................... vii 

Table of Contents......................................................................................................... ix 

List of Tables .............................................................................................................. xiii 

List of Figures ............................................................................................................. xv 

List of Abbreviations and Acronyms....................................................................... xvii 

1 Introduction......................................................................................................... 1 

1.1 Background................................................................................................ 1 

1.2 Aim............................................................................................................. 1 

1.3 Scope......................................................................................................... 1 

1.4 Approach ................................................................................................... 2 

1.5 Functional and Security Testing................................................................. 2 

1.6 Assumptions .............................................................................................. 2 

1.7 Related documents.................................................................................... 2 

1.8 Document Structure................................................................................... 2 

1.9 Typographic Conventions .......................................................................... 3 

1.10 Reference Documents ............................................................................... 3 

2 Overview: Information Technology Security Guidance for Windows Server 

2003 ..................................................................................................................... 5 

2.1 How to Use This Document ....................................................................... 5 

2.1.1 Installation....................................................................................... 5 

2.1.2 Configuration................................................................................... 5 

2.1.3 Monitoring and Enforcement ........................................................... 6 

2.2 Assumptions / Restrictions......................................................................... 6 

2.2.1 Installation....................................................................................... 6 

2.2.2 Policy .............................................................................................. 6 

2.2.3 Policy Monitoring and Enforcement................................................. 6 

3 Automated Installation....................................................................................... 7 

3.1 Initiating Automated Installation ................................................................. 7 

3.2 Domain Server Installation Configuration file ............................................. 7 

3.2.1 Winnt.sif (Domain)........................................................................... 8 

3.3 Workgroup Server Installation Configuration file...................................... 24 

3.3.1 Winnt.sif (Workgroup) ................................................................... 25 

4 Server Policy Files............................................................................................ 43 

4.1 Policy File Application.............................................................................. 43 

4.1.1 Policy Application in a Domain...................................................... 43 

4.1.2 Policy Application in a Workgroup................................................. 44 

Table of Contents March 2004 ix



4.2 Baseline Server Policy Files Details ........................................................ 45 

4.3 Account Policies ...................................................................................... 45 

4.3.1 Password Policy............................................................................ 45 

4.3.2 Account Lockout Policy ................................................................. 46 

4.3.3 Kerberos Policy ............................................................................. 47 

4.4 Local Policies........................................................................................... 48 

4.4.1 Audit Policy ................................................................................... 48 

4.4.2 User Rights Assignments.............................................................. 49 

4.4.3 Security Options............................................................................ 56 

4.5 Event Log................................................................................................. 69 

4.5.1 Log Size ........................................................................................ 69 

4.5.2 Guest Access................................................................................ 70 

4.5.3 Retention Method.......................................................................... 70 

4.6 System Services ...................................................................................... 70 

4.6.1 Services Explicitly Covered by Microsoft Guidance ...................... 71 

4.6.2 Services Not Explicitly Covered by Microsoft Guidance................ 97 

4.7 Additional Security Settings ..................................................................... 98 

4.7.1 Security Consideration for Network Attacks .................................. 98 

4.7.2 AFD.SYS Settings....................................................................... 100 

4.7.3 Other Security Related Settings.................................................. 101 

4.7.4 Manual Activities ......................................................................... 102 

4.7.5 Access Controls .......................................................................... 105 

4.7.6 Variance from Microsoft Guidance.............................................. 111 

5 Role Based Server Policies ........................................................................... 117 

5.1 Role Based IPSec Policies .................................................................... 117 

5.1.1 Load IPSec policy ....................................................................... 117 

5.1.2 Activate IPSec Policy .................................................................. 117 

5.2 Domain File Server Security Policy........................................................ 118 

5.2.1 Variance from Microsoft “Hardening File Servers” Guidance ...... 118 

5.2.2 [Service General Setting] ............................................................ 119 

5.2.3 Domain File Server IPSec Policy ................................................ 119 

5.3 Domain Print Server Policy .................................................................... 121 

5.3.1 Variance from Microsoft “Hardening Print Servers” Guidance .... 121 

5.3.2 [Registry Values] ......................................................................... 121 


5.3.4 Domain Print Server IPSec Policy............................................... 122 

5.4 Workgroup File Server Policy ................................................................ 124 




5.4.4 Workgroup File Server IPSec Policy ........................................... 125 

5.5 Workgroup Print Server Policy............................................................... 126 




5.5.4 Workgroup Print Server IPSec Policy.......................................... 127 

x March 2004 Table of Contents



6 Server Policy Compliance: Inspection and Enforcement ........................... 131 

6.1 Configuration of Microsoft Management Console (MMC) ...................... 131 

6.2 Load Policy File and Computer Configuration........................................ 131 

6.3 Compare Resultant Policy and Computer Settings................................ 132 

Bibliography .............................................................................................................. 133 

Annex A...................................................................................................................... 135 

Table of Contents March 2004 xi




xii March 2004 Table of Contents



List of Tables 

Table 1 – General File Access Controls ...................................................................... 106 

Table 2 – General Registry Access Controls............................................................... 109 

Table 3 – Variance from Microsoft Member Server Baseline ...................................... 111 

Table 4 – Variance from Microsoft Bastion Host Local Policy ..................................... 114 

List of Figures March 2004 xiii



List of Figures 

Figure 1 – Example Active Directory Structure................................................................ 7 

List of Figures March 2004 xv




xvi July 2004 List of Abbreviations and Acronyms



List of Abbreviations and Acronyms 

.NET 

Microsoft Tools for development environment 

AD 

Active Directory 

ADSI 

Active Directory Service Interface 

API 

Application Program Interface 

ASCII 

American Standard Code for Information Interchange 

ASP 

Active Server Pages 

COM 

Component Object Module 

DDE 

Dynamic Data Exchange 

FTP 

File Transfer Protocol 

GB 

Gigabyte 

GUI 

Graphical User Interface 

HTTP 

HyperText Transfer Protocol 

HTTPS 

Secure HyperText Transfer Protocol 

IAS 

Internet Authentication Service 

ICF 

Internet Connection Firewall 

ICMP 

Internet Control Message Protocol 

ICS 

Internet Connection Sharing 

IIS 

Internet Information Server 

IMAPI 

Image Mastering Application Programming Interface 

IP 

Internet Protocol 

IPSec 

Internet Protocol Security 

IPX 

Internetwork Packet Exchange 

ISAPI 

Internet Server API 

KB 

Kilobyte 

LAN 

Local Area Network 

LM 

LAN Manager 

MB 

Megabyte 

MMC 

Microsoft Management Console 

MQDSS 

Message Queue Directory Service Support 

MSMQ 

Microsoft Message Queue 

MSN 

Microsoft Network 

NNTP 

Network News Transfer Protocol 

NTLM 

Security Service Provider 

OSPF 

Open Shortest Path First 

POP3 Post Office Protocol 3 

RAD 

Rapid Application Development 

RADIUS 

Remote Authentication Dial-In Service 

RPC 

Remote Procedure Call 

List of Abbreviations and Acronyms March 2004 xvii



SAM 

SID 

SMB 

SMTP 

SNMP 

SYN-ACK 

SYN-ATTACK 

TCP 

UI 

VPN 

WHQL 

WMI 

WMPOCM 

WPAD 

WWW 

Security Accounts Manager 

Security Identifier 

Server Message Block 

Simple Mail Transfer Protocol 

Simple Network Management Protocol 

Synchronization Acknowledgement 

Attacker sends SYN requests to a target (victim). The target sends 

a SYN ACK in response and waits for an ACK to come back to 

complete the session set up. 

Transmission Control Protocol 

User Interface 

Virtual Private Network 

Windows Hardware Quality Lab 

Windows Management Interface 

Windows Media Player 

Web Proxy Autodiscovery 

World Wide Web 

xviii March 2004 List of Abbreviations and Acronyms



1 Introduction 

1.1 Background 

Threat agents exploit vulnerabilities to either gain control or disable a computer. Experts differ 

on what may be the primary cause of computer vulnerabilities. Some will agree that two causes 

are exploitation of defects in software, and lack of secure configurations. 

To address software defects, vendors issue patches in many forms. These are designed to 

address software defects particular to an operating system or application. Although they fix one 

problem, patches create other issues. In addition to patches, checklists are used to provide 

computer users with secure and tested configuration guides. 

In the past, Government agencies 1 have produced and disseminated checklists for securing 

computer systems. However, the way checklists are produced has changed. Vendors realize 

benefits producing configuration checklists for their own products. In turn, public and private 

organizations save time and money by leveraging this complex work. 

1.2 Aim 

ITSG-20 provides a practical set of security settings for Microsoft Windows Server 2003. The 

aim is to establish and maintain a High Security Windows Server 2003 environment. 

There are two platform variants: Domain Server and Workgroup Server. We cover two 

applications as well: Print Server and File Server. In other words, we provide four 

configurations, one for each application running on each platform, as follows: 

1) Domain File Server 

2) Domain Print Server 

3) Workgroup File Server 

4) Workgroup Print Server 

The guideline provides a Baseline configuration that applies to all servers of a given type, 

Domain Server or Workgroup Server. Given that the Baseline configuration provides security 

before functionality, it should be used as a starting point. File and Print Server application 

policies are layered on top of the Baseline configuration. In this way, we provide a template for 

creating additional server roles based on the CSE Baseline. Application policies layered above 

the Baseline enables the server to function as intended. 

1.3 Scope 

ITSG-20 provides guidance to build High Security Domain and High Security Workgroup 

servers. Additional policies can be applied to support a variety of roles within your organization. 

1 Agencies such as: National Institute of Standards and Technology (NIST), National Security Agency (NSA), 

Center for Internet Security (CIS), and SANS (SysAdmin, Audit, Network, Security). 

Introduction March 2004 1



We provide two such additional policies: File Server Role Guidance and Print Server Role 

Guidance. 

1.4 Approach 

Two documents were of significant reference: Windows Server 2003 Security Guide and Threats 

and Counter Measures: Security Settings in Windows Server 2003 and Windows XP. These 

documents were tested and augmented in a CSE lab environment to produce ITSG-20. 

Wherever possible, an automated approach is used throughout this document. 

1.5 Functional and Security Testing 

Connectivity was verified by accessing services offered by the hardened systems (Printer or File 

Shares). Once usability was established, Vulnerability and Penetration tests were executed 

against the systems. Results from vulnerability and penetration tests influenced this document. 

1.6 Assumptions 

It is assumed the reader has a thorough understanding of security features within Windows 

Server 2003. ITSG-20 is a detailed guide intended for use by system administrators. 

It is recommended that the reference documents listed in section 1.10 be reviewed. This will 

enhance the readers understanding of ITSG-20. 

1.7 Related documents 

See section 1.10, in addition to the Bibliography at the end of this document. 

1.8 Document Structure 

This document has the following structure: 

1. Introduction 

This section provides an explanation of the document and contents. 

2. Overview: Information Technology Security Guidance for Windows Server 2003 

This section provides an outline for the approach used by the document. It explains the 

method used to “Start secure and stay secure”, as follows: 

a) Installation; 

b) Configuration and Monitoring; and 

c) Enforcement. 

This section also provides details on assumptions and restrictions used for the above. 

Included is a list of reference documents and description of tests performed against the 

environment. 

2 March 2004 Introduction



3. Automated Installation 

This section provides values to perform an unattended installation of a Domain or 

Workgroup based server. This automated installation ensures that systems are consistent, 

with minimum software packages. 

4. Server Policy Files 

This section provides policy file values for the creation of a secure server in Domain or 

Workgroup environments. 

5. Role Based Server Policies 

This section provides policy file entries used to modify the baseline. These policy entries 

allow a server to perform designated file or print server activities, including IPSec. 

6. Server Policy Compliance: Inspection and Enforcement 

This section details a method for monitoring and enforcing policies outlined in this guide. 

The approach uses capabilities inherent in the Windows Server 20003 operating system. 

7. Annex A: Server Policy File Details 

This section has policy files with comments and explanations. This section explains settings 

in more detail. It also identifies differences from the Microsoft recommendation. 

1.9 Typographic Conventions 

The following typographic conventions are used in this document: 

1. Bold Italics are used to denote parameters and their values 

EXAMPLE: JoinDomain=”cse.local” 

2. [Square Brackets Denote File Section Headings] 

EXAMPLE: [Identification] 

3. “Items in quotations marks are to be entered in the file with quotation marks” 

EXAMPLE: 

JoinDomain=”cse.local” 

1.10 Reference Documents 

[Reference 1] Windows Server 2003 Security Guide 

[Reference 2] Threats and Counter Measures: Security Settings in Windows Server 2003 and 

Windows XP 

Introduction March 2004 3




4 March 2004 Introduction



2 Overview: Information Technology Security Guidance 

for Windows Server 2003 

This guide provides build instructions for a secure Baseline configuration of Windows Server 

2003. Guidance is provided for both a Windows Workgroup and Domain. You should use this 

Baseline as a starting point for configuring other services. For your benefit, policies for print and 

file services are provided. 

2.1 How to Use This Document 

Deploying a secure server can be organized in three steps: install the Operating System (OS), 

apply security policy, than apply additional changes, as needed. 

To begin, the guide presents Baseline configurations for workgroup and domain servers. For 

easy reference, information is organized consistent with “Windows Security Guide for 2003 

Server”. Additional items beyond Microsoft recommendations are listed in a separate section. 

Policies for print and file servers are also presented in separate sections. These policies are 

applied to the Baseline of the installed OS. Any additional changes are contained in the print and 

file server policy sections. 

System administrators can replace variables with values of their own. These settings produce a 

custom install package used to create a file or print server. 

To apply the Baseline and role specific policies in a Domain, Active Directory organizational 

units must be created. 

In a Workgroup environment, policies must be applied immediately upon system startup. By 

policy, the built-in administrator account is disabled. Make sure you create a site-specific 

administrator account prior to applying the policy. 

In addition to guidance on the deployment of secure servers, a maintenance section using 

Microsoft MMC is provided. 

2.1.1 Installation 

The installation process is automated via the use of an answer file (see Appendix A). This 

answer file directs the installation process. While many approaches can achieve this result, we 

make use of the Winnt.sif file. 

The Windows installation process reads the answer file from a floppy disk. Local information 

(System name, TCP/IP parameters, Domain/Workgroup) is supplied to reflect requirements. The 

result is an unattended installation that has no operator interaction. 

2.1.2 Configuration 

ITSG-20 takes a layered approach to policy application. The first layer is the Baseline 

configuration for the OS. This layer is intended to provide a security profile with minimal 

exposure. Additional policy requirements are determined by role. Each policy file enables 

specific elements that allow the server to perform a single function (file sharing, print sharing, 

etc). Additional analysis and testing is required to build multi-function servers. 

The Domain environment supports a layered approach. This is accomplished by applying policy 

at the Domain level as well as the Organizational Unit (OU) level. Further granularity is 

Overview March 2004 5



achieved within a level; this allows you to create a matrix of policies for servers and 

environments. 

In a Workgroup environment, policy is applied in a prescribed order via policy files. This 

provides a consistent security profile for servers in a Workgroup environment. 

Since ‘policy files’ are simply text files, you can edit them with your favorite text editor. You 

may also copy and paste the policy text found at the end of this document. 

2.1.3 Monitoring and Enforcement 

We have outlined a manual method that provides basic compliance verification. This manual 

approach limits scalability of the solution. In a large environment, we recommend an automated 

method. 

2.2 Assumptions / Restrictions 

2.2.1 Installation 

For the installation of the OS, please ensure the following: 

a. The CD-ROM is before the floppy drive in the boot device order; 

b. There is no previous version of Windows (if not the installation will pause); and 

c. The first available disk partition is for the operating system. 

The following assumptions are made: 

a. The Server to be installed is not a Cluster Member; 

b. The Domain has an Organizational Unit for Servers; 

c. The Domain has an Organizational Unit for Print Servers under Servers; 

d. The Domain has an Organizational Unit for Files servers under Servers; and 

e. The installation is limited to contents of the Microsoft Server 2003 distribution. 

2.2.2 Policy 

Application of the policy results in the following: 

a. Local Guest account is renamed and disabled; 

b. Local Administrator account is renamed and disabled; 

c. All systems are Windows 2000 or later; 

d. System will shutdown if unable to log security events; 

e. No shares or named pipes can be accessed anonymously; 

f. No registry data can be accessed remotely; 

g. No accounts have the right to submit batch jobs; 

h. Administrator accounts cannot start services (Use an appropriate SERVICE account); 

i. Plug and Play is enabled when required as it is disabled by default; and 

j. SNMP is disabled. 

2.2.3 Policy Monitoring and Enforcement 

No additional assumptions are required for Policy Monitoring and Enforcement. 

6 March 2004 Overview



3 Automated Installation 

This section provides details for the Winnt.sif files. These files are used to install Windows 

Server 2003 in a Domain or Workgroup environment. In both cases, use local operational values. 

The raw files (ones without comments) are in Appendix A. 

NOTE: You must maintain your system with the latest service packs and hot fixes. This ensures 

the system’s security is current. 

3.1 Initiating Automated Installation 

The automated installation uses a combination of CDROM and a floppy disk with a Winnt.sif 

file. During the boot process, it determines if the floppy has a Winnt.sif file. If present, it will use 

the settings in the file to configure the system. 

3.2 Domain Server Installation Configuration file 

In the Active Directory tree, the Domain version requires a ‘Print Servers’ and ‘File Servers’ 

organizational unit (OU) be part of a ‘Public Servers’ OU (see below). All three of these OU’s 

are placeholders for policy that apply to the OU level in the directory information tree. 

Domain Name 

domain.local 

Organizational 

Unit 

User 

Systems 

Public 

Servers 

Organizational 

Unit 

File Servers 

Print Servers 

Servers 

File Server 1 File Server 2 

Figure 1 – Example Active Directory Structure 

Automated Installation March 2004 7

Unclassified ITSG for Windows Server 2003 

3.2.1 Winnt.sif (Domain) 

3.2.1.1 [Data] 

AutoPartition=1 

The AutoPartition value provides a location for the Windows operating system. The setting 

‘1’installs the operating system in the first available partition with sufficient space. If there is an 

existing operating system, the install will halt and require further instruction. 

MsDosInitiated=0 

The MsDosInitiated value must be present and must be set to ‘zero’ or the automated installation 

fails. 

UnattendedInstall=Yes 

When set to ‘YES’, the UnattendedInstall value allows the pre-installation of Windows by using 

the CD Boot method. 

3.2.1.2 [GuiUnattended] 

AdminPassword="A_Str0ng_p@SSw0rd" 

The AdminPassword value defines the Local Administrator password on the system being 

installed. 

NOTE: 

Select a value consistent with the local policy on Administrator passwords. 

EncryptedAdminPassword=No 

The EncryptedAdminPassword value determines if the setup encrypts the Administrator 

password. The setting ‘No’ does not encrypt the password. You may enable this feature via the 

setupmgr.exe tool provided on the Windows distribution media. 

OEMSkipWelcome=1 

The OEMSkipWelcome value determines if the startup displays the Welcome page. The setting 

‘1’ does not display the Welcome page. 

OEMSkipRegional=1 

The OEMSkipRegional value determines if the installation will display the Regional Settings 

page. The setting ‘1’ does not display the Regional Settings page. 

8 March 2004 Automated Installation



TimeZone=035 

The TimeZone value sets the system clock to the local time zone. 

004 – Pacific Standard Time 

010 – Mountain Standard Time 

020 – Central Standard Time 

025 – Canada Central Standard Time (Saskatchewan) 

035 – Eastern Standard Time 

050 – Atlantic Standard Time 

060 – Newfoundland and Labrador Standard Time 

AutoLogon=No 

The Autologon value determines if the Administrator account will be automatically logged on 

until the system is rebooted. The setting ‘No’ disables the AutoLogon feature. The 

AutoLogonCount can increase the number of reboots required to disable the autologon feature. 

3.2.1.3 [Identification] 

DomainAdmin=administrator 

The DomainAdmin value provides the install with a privileged Domain account. The 

DomainAdmin can add the system to the domain. 

DomainAdminPassword=" A_Str0ng_p@SSW0RD " 

The DomainAdminPassword provides the required password for the DomainAdmin account. 

NOTE: Provide a local value. 

JoinDomain="Department_Name.local" 

The JoinDomain value is the name of the Domain the system will join. 

NOTE: The local Domain name is required. 



MachineObjectOU="OU=File Servers, OU=Public Servers, DC=Department_Name, 

DC=local" 

The MachineObjectOU value defines the Organizational Unit of the system in the Domain. 

NOTE: 

Local Domain values are required. 

3.2.1.4 [LicenseFilePrintData] 

AutoMode=PerServer 

The AutoMode value defines the license mode. Enter either PerSeat or PerServer. 

NOTE: If PerServer is specified then the AutoUsers value must be supplied as well. 

AutoUsers=5 

The AutoUsers value determines the number of concurrent users the PerServer license supports. 

NOTE: A local value is required that reflects the license purchased for the system. 

3.2.1.5 [Unattended] 

OemPreinstall=No 

The OEMPreinstall value determines if there are OEM files to be installed. The setting ‘No’ 

indicates all files are on the Windows distribution. 

UattendedSwitch=Yes 

The UnattendedSwitch value specifies whether Setup skips Windows Welcome. The setting 

‘Yes’ skips the Windows Welcome. 

Repartition=No 

The Repartition value determines what action to take on first drive partitions. The setting ‘No’ 

maintains all partitions on the first drive. 

TargetPath=Windows 

The TargetPath value defines the location of the operating system. The setting ‘Windows’ places 

the operating system files in a windows folder. 




UnattendedMode=FullUnattended 

The UnattendedMode value determines the level of human interaction with the installation 

process. The setting ‘FullUnattended’ has no human interaction. 

WaitForReboot=No 

The WaitForReboot value determines if the system will reboot immediately or provide an 

opportunity for human interaction. The setting ‘No’ reboots the system immediately. 

OemSkipEula=Yes 

The OemSkipEula value determines if the end user license agreement is presented during the 

installation. The setting ‘Yes’ does not display the end user license agreement. 

FileSystem=ConvertNTFS 

The FileSystem value determines the file system type for the installation. The value 

ConvertNTFS installs the system on an NTFS file system. 

3.2.1.6 [UserData] 

ComputerName=FileServer01 

The ComputerName value sets the ComputerName registry value. 


FullName="System_Admin" 

The FullName value sets the RegisteredOwner in the registry. 


OrgName="Department_Name" 

The OrgName value sets the RegisteredOrganisation in the registry. 




ProductKey="xxxx-xxxx-xxxx-xxxx-xxxx" 

The ProductKey value supplies the required license string for the version of Windows Server 

2003 being installed. 

NOTE: 

Provide a local value. 

3.2.1.7 [params.MS_TCPIP.Adapter01] 

SpecificTo=Adapter01 

The SpecificTo value identifies the network adapter to be configured. The setting ‘Adapter01’ 

applies to the first network adapter identified. 

DisableDynamicUpdate=No 

The DisableDynamicUpdate value determines if the system will dynamically register ‘A’ and 

‘PTR’ records. The setting ‘No’ dynamically registers the ‘A’ and ‘PTR’ records with the DNS. 

EnableAdapterDomainNameregistration=No 

The EnableAdapterDomainNameregistration value determines if the connection specific DNS 

records are going to be registered. The setting ‘No’ does not register connection specific DNS 

records. 

DefaultGateway=xxx.xxx.xxx.xxx 

The DefaultGateway sets the TCP/IP default gateway value for the adapter. 


DHCP=Yes 

The DHCP value determines if the adapter will request a TCP/IP address using DHCP. The 

setting ‘Yes’ requests a TCP/IP address. 

DNSDomain=Department_Name.local 

The DNSDomain provides the name of the domain to which the system is entered. 





NetBIOSOptions=1 

The NetBIOSOptions determines the NetBIOS over TCP/IP setting. The setting ‘1’ enables 

NetBIOS over TCP/IP. 

Subnetmask=xxx.xxx.xxx.xxx 

The Subnetmask provides the subnet mask address. 


3.2.1.8 [NetOptionalComponents] 

DHCPServer=0 

The DHCPServer value determines if the system will install the DHCP Server. The setting ‘0’ 

does not install the DHCP Server. 

DNS=0 

The DNS value determines if the system will install the DNS Server. The setting ‘0’ does not 

install the DNS Server. 

IAS=0 

The IAS value determines if the system will install the Internet Authentication Service. The 

setting ‘0’ does not install the Internet Authentication Service. 

ILS=0 

The ILS value determines if setup will install services that support telephony features (caller ID, 

conference calls, video conferencing, faxing, etc.). The setting ‘0’ does not install the Internet 

Locator Service. 

LDPSVC=0 

The LPDSVC value determines if the system will install UNIX Print services. The setting ‘0’ 

does not install UNIX Print services. 

MacPrint=0 

The MacPrint value determines if the system will install Macintosh print services. The setting ‘0’ 

does not install Macintosh Print services. 



MacSrv=0 

The MacSrv value determines if the system will install Macintosh file services. The setting ‘0’ 

does not install Macintosh file services. 

Netcm=0 

The Netcm value determines if the system will install Microsoft Connection Manager 

Administration Kit and Phone Book Service. The setting ‘0’ does not install this service. 

NetMonTools=0 

The ‘NetMon Tools’ value determines if the system will install the network monitoring tools. 

The setting ‘0’ does not install the network monitoring tools. 

SimpTcp=0 

The ‘SimpTcp’ value determines if the system will install simple TCP/IP protocol suites. The 

setting ‘0’ does not install the simple TCP/IP protocol suites. 

SNMP=0 

The ‘SNMP’ value determines if the system will install Simple Network Management Protocol. 

The setting ‘0’ does not install the SNMP protocol. 

WINS=0 

The ‘WINS’ value determines if the system will install Windows Internet Name Service. The 

setting ‘0’ does not install WINS. 

3.2.1.9 [Components] 

AccessOpt=On 

The AccessOpt value sets the registry value accessopt. The setting ‘On’ installs the Accessibility 

wizard. 

appsrv_console=Off 

The appsrv_console sets the registry value appsrv_console. The setting ‘Off’ does not install the 

Application Server Console. 




aspnet=Off 

The aspnet value sets the aspnet registry value. The setting ‘Off’ does not install the ASP .NET 

development platform. 

AutoUpdate=Off 

The AutoUpdate value sets the autoupdate registry value. The setting ‘Off’ does not install 

AutoUpdate. 

BitsServerExtensionsISAPI=Off 

The BitsServerExtensionsISAPI sets the bitsserverextensionsisapi registry value. The setting 

‘Off’ does not install ISAPI for BITS server extensions. 

BitsServerExtensionManager=Off 

The BitsServerExtensionManager sets the bitsserverextensionmanager registry key. The setting 

‘Off’ does not install the MMC snap-in, administrative APIs and ADSI extensions for BITS. 

Calc=On 

The Calc value sets the registry value calc. The setting ‘Off’ does not install the Calculator 

feature. 

certsrv=On 

The certsrv value sets the certsrv registry value. The setting ‘On’ installs the Certificate Services 

components. 

certsrv_client=Off 

The certsrv_client value sets the certsrv_client registry value. The setting ‘Off’ does not install 

the Web client components of Certificate Services. This requires a Certification Authority to be 

defined with the CAName parameter. This also requires a computer system hosting the 

Certification Authority be defined with the CAMachine parameter. These entries support the use 

of a certificate in a web browser. 



certsrv_server=Off 

The certsrv_server value sets the certsrv_server registry value. The setting ‘Off’ does not install 

the Certificate Server Services. Only systems that are intended to offer a Certification Authority 

service require this to be enabled. 

charmap=On 

The charmap value sets the charmap registry value. The setting ‘On’ installs the Character Map 

feature. 

chat=Off 

The chat value sets the chat registry value. The setting ‘Off’ does not install the Chat program. 

Clipbook=Off 

The Clipbook value sets the clipbook registry value. The setting ‘Off’ does not install the 

Clipbook. 

cluster=Off 

The cluster value sets the cluster registry value. The setting ‘Off’ does not install the cluster 

software. 

complusnetwork=On 

The complusnetwork value sets the complusnetwork registry value. The setting ‘On’ enables 

network Com+ access. 

deskpaper=Off 

The deskpaper value sets the deskpaper registry value. The setting ‘Off’ does not install a 

desktop background. 

dialer=Off 

The dialer value sets the dialer registry value. The setting ‘Off’ does not install the Phone Dialer. 

dtcnetwork=Off 

The dtcnetwork value sets the dtcnetwork registry value. The setting ‘Off’ does not enable DTC 

network access. DTC is the Distributed Transaction Coordinator. 




fax=Off 

The fax value sets the fax registry value. The setting ‘Off’ does not install the Fax feature. 

fp_extensions=Off 

The fp_extensions value sets the fp_extensions registry value. The setting ‘Off’ does not install 

the FrontPage server extensions. 

fp_vdir_deploy=Off 

The fp_vdir_deploy value sets the fp_vdir_deploy registry value. The setting ‘Off’ does not 

install the Visual InterDev RAD Remote Deployment Support. 

freecell=Off 

The freecell value sets the freecell registry value. The setting ‘Off’ does not install the Freecell 

game. 

hearts=Off 

The hearts value sets the hearts registry value. The setting ‘Off’ does not install the Hearts game. 

hypertrm=Off 

The hyperterm value sets the hyperterm registry value. The setting ‘Off’ does not install the 

HyperTerminal feature. 

IEAccess=Off 

The IEAccess value determines if the Internet Explorer Access points are visible. The setting 

‘Off’ does not make the Internet Explorer Access points visible. 

iis_asp=Off 

The iis_asp value sets the iis_asp registry value. The setting ‘Off’ does not install the Active 

Server Pages feature. 



iis_common=Off 

The iis_common value sets the iis_common registry value. The setting ‘Off’ does not install the 

common set of files needed by IIS. 

iis_ftp=Off 

The iis_ftp value sets the iis_ftp registry value. The setting ‘Off’ does not install the FTP 

Service. 

iis_inetmgr=Off 

The iis_inetmgr value sets the iis_inetmgr registry value. The setting ‘Off’ does not install the 

MMC-based administration tools for IIS. 

iis_internetdataconnector=Off 

The iis_internetdataconnector value sets the iis_internetdataconnector registry value. The setting 

‘Off’ does not install the Internet Data Connector. 

iis_nntp=Off 

The iis_nntp value sets the iis_nntp registry value. The setting ‘Off’ does not install the NNTP 

Service. 

iis_serversidesincludes=Off 

The iis_serversideincludes value sets the iis_serversideincludes registry value. The setting ‘Off’ 

does not install the Server Side Includes. 

iis_smpt=Off 

The iis_smtp value sets the iis_smtp registry value. The setting ‘Off’ does not install the SMTP 

Service. 

iis_webadmin=Off 

The iis_webadmin value sets the iis_webadmin registry value. The setting ‘Off’ does not install 

the Web UI for Web server administration (Remote Administration Tools). 




iis_webdav=Off 

The iis_webdav value sets the iis_dav registry value. The setting ‘Off’ does not install the 

WebDAV Publishing. 

iis_www=Off 

The iis_www value sets the iis_www registry value. The setting ‘Off’ does not install the WWW 

Service. 

iis_www_vdir_scripts=Off 

The iis_www_vdir_scripts value sets the iis_www_vdir_scripts registry value. The setting ‘Off’ 

does not create the optional scripts directory on the default web site. 

indexsrv_system=Off 

The indexsrv_system value sets the indexsrv_system registry value. The setting ‘Off’ does not 

install the Indexing Service. 

inetprint=Off 

The inetprint value sets the inetprint registry value. The setting ‘Off’ does not install Internet 

Printing. 

licenseserver=Off 

The licenseserver value sets the licenseserver registry value. The setting ‘Off’ does not enable 

Terminal Services licensing. 

media_clips=Off 

The media_clips value sets the media_clips registry value. The setting ‘Off’ does not install 

sample sounds. 

media_utopia=Off 

The media_utopia value sets the media_utopia registry value. The setting ‘Off’ does not install 

the Utopia sound scheme. 



minesweeper=Off 

The minesweeper value sets the minesweeper registry value. The setting ‘Off’ does not install 

the Minesweeper game. 

mousepoint=On 

The mousepoint value sets the mousepoint registry value. The setting ‘On’ installs all available 

mouse pointers. 

msmq_ADIntegrated=Off 

The msmq_ADIntegrated value sets the msmq_ADIntegrated registry value. The setting ‘Off’ 

does not integrate MSMQ with Active Directory. 

msmq_Core=Off 

The msmq_core value sets the msmq_core registry value. The setting ‘Off’ does not install the 

Message Queuing components. 

msmq_HTTPSupport=Off 

The msmq_HTTPSupport value sets the msmq_HTTPSupport registry value. The setting ‘Off’ 

does disables the sending and receiving of messages using the HTTP protocol. 

msmq_LocalStorage=Off 

The msmq_LocalStorage value sets the msmq_LocalStorage registry value. The setting ‘Off’ 

does not store messages locally. 

msmq_MQDSSService=Off 

The msmq_MQDSSService value sets the msmq_MQDSSService registry value. The setting 

‘Off’ restricts access to Active Directory and site recognition for downstream clients. 

msmq_RoutingSupport=Off 

The msmq_RoutingSupport value sets the msmq_RoutingSupport registry value. The setting 

‘Off’ does not provide efficient routing. 




msmq_TriggerService=Off 

The msmq_TriggerService value sets the msmq_TriggerService registry value. The setting ‘Off’ 

disassociates the arrival of incoming messages at a queue with functionality in a Component 

Object Module (COM) component. The same may be said for a standalone executable program. 

msnexplr=Off 

The msnexplr value sets the msnexpire registry value. The setting ‘Off’ does not install MSN 

Explorer. 

mswordpad=On 

The mswordpad value sets the mswordpad registry value. The setting ‘On’ installs the 

mswordpad feature. 

netcis=Off 

The netcis value sets the netcis registry value. The setting ‘Off’ does not install Microsoft COM 

Internet Services. 

netoc=Off 

The netoc value sets the netoc registry value. The setting ‘Off’ does not install optional 

networking components. 

objectpkg=Off 

The objectpkg value determines if the Object Packager is installed. The setting ‘Off’ does not 

install the Object Packager. 

OEAccess=Off 

The OEAccess value determines if the visible entry points to Outlook Express are installed. The 

setting ‘Off’ does not install the visible entry points for Outlook Express. 

paint=Off 

The paint value sets the paint registry value. The setting ‘Off’ does not install Microsoft Paint. 



pinball=Off 

The pinball value sets the pinball registry value. The setting ‘Off’ does not install the Pinball 

game. 

Pop3Admin=Off 

The Pop3Admin value determines if the optional Web UI for the Remote Administration Tools is 

installed. The setting ‘Off’ does not install the optional Web UI for the Remote Administration 

Tools. 

Pop3Service=Off 

The Pop3Service value determines if the main POP3 service is installed. The setting ‘Off’ does 

not install the main POP3 service. 

Pop3Srv=Off 

The Pop3Srv value determines if the root POP3 component is installed. The setting ‘Off’ does 

not install the root POP3 component 

rec=Off 

The rec value determines if the Sound Recorder is installed. The setting ‘Off’ does not install the 

Sound recorder. 

reminst=Off 

The reminst value sets the reminst registry value. The setting ‘Off’ does not install the Remote 

installation Service. 

rootautoupdate=Off 

The rootautoupdate value sets the rootautoupdate registry value. The setting ‘Off’ disables the 

OMC Update Root Certificates. If the user is presented with a certificate issued by an untrusted 

root authority, actions that require authentication are prevented. 

rstorage=Off 

The rstorage value sets the rstorage registry value. The setting ‘Off’ does not install the Remote 

Storage feature. 




solitaire=Off 

The solitaire value sets the solitaire registry value. The setting ‘Off’ does not install the Solitaire 

game. 

spider=Off 

The spider value sets the spider registry value. The setting ‘Off’ does not install the Spider game. 

templates=Off 

The templates value sets the templates registry value. The setting ‘Off’ does not install 

Document Templates. 

TerminalServer=On 

The TerminalServer value determines if the Terminal Server is installed. The setting ‘On’ installs 

the service. 

TSWebClient=Off 

The TSWebClient determines if the ActiveX control for hosting Terminal Services client 

connections over the Web are installed. The setting ‘Off’ does not install the ActiveX control. 

vol=Off 

The vol value sets the vol registry value. The setting ‘Off’ does not install The Volume Control. 

WBEMSNMP=Off 

The WBEMSNMP value sets the WBEMSNMP registry value. The setting ‘Off’ does not install 

the WMI SNMP Provider. 

WMAccess=Off 

The WMAccess value determines if the visible entry points to Windows Manager are installed. 

The setting ‘Off’ does not install the visible entry points to Windows Manager. 

WMPOCM=Off 

The WMPOCM value determines if the visible entry points to the Windows Media Player are 

installed. The setting ‘Off’ does not install the visible entry points to Windows Media Player. 



wms=Off 

The wms value sets the wms registry value. The setting ‘Off’ does not install the core Windows 

Media Server components. 

wms_admin_asp=Off 

The wms_admin_asp value sets the wms_admin_asp registry value. The setting ‘Off’ does not 

install Windows Media Services Web-based administrative components. 

wms_admin_mmc=Off 

The wms_admin_mmc value sets the wms_admin_mmc registry value. The setting ‘Off’ does 

not install the Windows Media Services MMC-based administrative components. 

wms_isapi=Off 

The wms_isapi value sets the wms_isapi registry value. The setting ‘Off’ does not install the 

Windows Media Services Multicast and Advertisement Logging Agent components. 

wms_server=Off 

The wms_server value sets the wms_server registry value. The setting ‘Off’ does not install the 

Windows Media Services server components. 

zonegames=Off 

The zonegames value sets the zonegames registry value. The setting ‘Off’ does not install the 

Microsoft Gaming Zone Internet Games. 

3.3 Workgroup Server Installation Configuration file 

The Workgroup Server installation can create a new workgroup or join an existing one. The 

installation assumes no use of DHCP or DNS. As a result, the Administrator must enter TCP/IP 

values into the Winnt.sif to enable networking. 




3.3.1 Winnt.sif (Workgroup) 

3.3.1.1 [Data] 


The AutoPartition value provides a location to place the Windows operating system. The setting 

‘1’installs the operating system in the first available partition with sufficient space. If there is an 

existing operating system the install will halt and require further instruction. 


The MsDosInitiated value must be present and must be set to ‘zero’. If not, the automated 

installation fails. 


When set to ‘YES’, the UnattendedInstall value allows the pre-installation of Windows by using 

the CD Boot method. 

3.3.1.2 [GuiUnattended] 

AdminPassword="A_Str0ng_p@SSw0rd" 

The AdminPassword value defines the Local Administrator password on the system being 

installed. 

NOTE: 

Select a value in keeping with the local policy on Administrator passwords. 

EncryptedAdminPassword=No 

The EncryptedAdminPassword value determines if the setup encrypts the Administrator 

password. The setting ‘No’ does not encrypt the password. You may enable this feature via the 

setupmgr.exe tool provided on the Windows distribution media. 

OEMSkipWelcome=1 

The OEMSkipWelcome value determines if the startup displays the Welcome page. The setting 

‘1’ does not display the Welcome page. 


The OEMSkipRegional value determines if the installation will display the Regional Settings 

page. The setting ‘1’ does not display the Regional Settings page. 



TimeZone=035 

The TimeZone value sets the system clock to the local time zone. 

004 – Pacific Standard Time 

010 – Mountain Standard Time 

020 – Central Standard Time 

025 – Canada Central Standard Time (Saskatchewan) 

035 – Eastern Standard Time 

050 – Atlantic Standard Time 

060 – Newfoundland and Labrador Standard Time 

AutoLogon=No 

The Autologon value determines if the Administrator account will automatically log on until the 

system is rebooted. The setting ‘No’ disables the AutoLogon feature. The AutoLogonCount can 

increase the number of reboots required to disable the feature. 

3.3.1.3 [Identification] 

JoinWorkgroup=Department_Name 

The JoinWorkgroup value determines which workgroup the server will join. 

NOTE: This value must be replaced with a local value. 

3.3.1.4 [LicenseFilePrintData] 


The AutoMode value defines the license mode. Enter either PerSeat or PerServer. 

NOTE: If PerServer is specified then the AutoUsers value must be supplied as well. 

AutoUsers=5 

The AutoUsers value determines the number of concurrent users the PerServer license supports. 





3.3.1.5 [Unattended] 


The OEMPreinstall value determines if there are OEM files to be installed. The setting ‘No’ 

indicates all required files are on the Windows distribution. 


The UnattendedSwitch value specifies whether Setup skips Windows Welcome. The setting 

‘Yes’ skips the Windows Welcome. 


The Repartition value determines what action to take on first drive partitions. The setting ‘No’ 

maintains all partitions on the first drive. 


The TargetPath value defines a location for the operating system. The setting ‘Windows’ places 

the operating system in the Windows folder. 


The UnattendedMode value determines the level of human interaction with the installation. The 

setting ‘FullUnattended’ has no human interaction during the process. 


The WaitForReboot value determines if the system will reboot immediately or provide an 

opportunity for human interaction. The setting ‘No’ reboots the system immediately. 


The OemSkipEula value determines if the end user license agreement is presented during the 

installation. The setting ‘Yes’ does not display the end user license agreement. 

FileSsytem=ConvertNTFS 

The FileSystem value determines the file system type for the installation. The value 

ConvertNTFS installs the system on an NTFS file system. 



3.3.1.6 [UserData] 

ComputerName=File_Server_1 

The ComputerName value sets the ComputerName registry value. 


FullName="System_Admin" 

The FullName value sets the RegisterdOwner in the registry. 


OrgName="Department_Name" 

The OrgName value sets the RegisteredOrganisation in the registry. 



The ProductKey value supplies the required license string for the version of Windows Server 

2003 being installed. 

NOTE: 

Provide a local value. 

3.3.1.7 [Networking] 

This section defines the Network for the system. In a Workgroup environment, static means are 

used for networking; this includes static IP addresses, and a Hosts file for name resolution. As a 

result, automated network definition is disabled. All values are supplied via parameters in this 

installation file. 

InstallDefaultComponents=No 

The InstallDefaultComponents indicates if the network setup will use DHCP and DNS. The 

setting ‘No’ indicates that the network will use supplied values as opposed to DHCP and DNS. 

3.3.1.8 [NetAdapters] 

Adapter1=params.Adapter1 

The Adapter1 value defines network interfaces to install with associated logical names. This 

ensures commands bound for adapters are properly directed. 




3.3.1.9 [params.Adapter1] 

InfID=* 

The InfID identifies a network adapter with a value that is the same as the Plug and Play ID. If 

there were more than one adapter, the parameter would supply the Plug and Play ID. 

3.3.1.10 [NetClients] 

MS_MSClient=params.MS_MSClient 

The MS_MSClient value specifies the section where the Client for Microsoft Networks is 

defined. The value ‘params.MS_MSClient’ is the title of the section that contains the definition 

of the network client. 

3.3.1.11 [NetServices] 

MS_SERVER=params.MS_SERVER 

The MS_SERVER value specifies the section where the entries are supplied to define a network 

service. There are no network services defined in this installation file. As a result there is no need 

for a ‘params.MS_SERVER’ section. 

3.3.1.12 [NetProtocols] 

MS_TCPIP=params.MS_TCPIP 

The MS_TCPIP value defines the section that holds the entries for this protocol. 

3.3.1.13 [params.MS_TCPIP] 

DNS=No 

The DNS value defines if the server will use a DNS Server. The setting ‘No’ indicates the server 

will not use DNS for name resolution. 

UseDomainNameDevolution=No 

The UseDomainNameDevolution value determines if the system will attempt to connect when 

the supplied DNS name is not Fully Qualified. The setting ‘No’ prevents the system from 

making this attempt. 



EnableLMHosts=Yes 

The EnableLMHosts value determines if the server will use the Hosts file to resolve network 

name to address translations. The setting ‘Yes’ indicates the Hosts file will be used for name 

resolution. 

AdapterSections=params.MS_TCPIP.Adapter1 

The AdapterSections value defines the location in this file that contains the definition of the 

adapter. 

3.3.1.14 [params.MS_TCPIP.Adapter1] 


The SpecificTo value identifies the network adapter to which the block of commands applies. 

The setting ‘Adapter01’ applies to the first network adapter identified. 

DHCP=No 

The DHCP value identifies if the system uses DHCP. The setting ‘No’ indicates that the system 

will not obtain a TCP/IP address from a DHCP server. 

IPAddress=xxx.xxx.xxx.xxx 

The IPAddress value defines the IP address for the adapter. 

SubnetMask=xxx.xxx.xxx.xxx 

The Subnetmask value provides the subnet mask addresses. 

DefaultGateway=xxx.xxx.xxx.xxx 

The DefaultGateway value defines the address for Packets bound outside the mask. The gateway 

acts as the first stop in the route to the target system. 

WINS=No 

The WINS value determines if the system will use Windows Internet Name Service. The setting 

‘No’ disables WINS on the specified adapter. 





The NetBIOSOptions value determines if the system enables NetBIOS over TCP/IP. The setting 

‘zero’ disallows NetBIOS over TCP/IP. 

3.3.1.15 [NetOptionalComponents] 


The DHCPServer value determines if the system will install the DHCP Server. The setting ‘0’ 

does not install the DHCP Server. 

DNS=0 

The DNS value determines if the system will install the DNS Server. The setting ‘0’ does not 

install the DNS Server software. 

IAS=0 

The IAS value determines if the system will install the Internet Authentication Service. The 

setting ‘0’ does not install the Internet Authentication Service. 

ILS=0 

The ILS value determines if setup will install services that support telephony features (caller ID, 

conference calls, video conferencing, faxing, etc.). The setting ‘0’ does not install the Internet 

Locator Service. 

LDPSVC=0 

The LPDSVC value determines if setup will install UNIX Print services. The setting ‘0’ does not 

install UNIX Print services. 

MacPrint=0 

The MacPrint value determines if setup will install Macintosh print services. The setting ‘0’ does 

not install Macintosh Print services. 

MacSrv=0 

The MacSrv value determines if setup will install Macintosh file services. The setting ‘0’ does 

not install Macintosh file services. 



Netcm=0 

The Netcm value determines if setup will install the Microsoft Connection Manager 

Administration Kit and Phone Book Service. The setting ‘0’ does not install these services. 

NetMonTools=0 

The ‘NetMon Tools’ value determines if setup will install the network monitoring tools. The 

setting ‘0’ does not install the network monitoring tools. 

SimpTcp=0 

The ‘SimpTcp’ value determines if setup will install simple TCP/IP protocol suites. The setting 

‘0’ does not install simple TCP/IP protocol suites. 

SNMP=0 

The ‘SNMP’ value determines if setup will install Simple Network Management Protocol. The 

setting ‘0’ does not install the SNMP protocol. 

WINS=0 

The ‘WINS’ value determines if setup will install Windows Internet Name Service. The setting 

‘0’ does not install WINS. 

3.3.1.16 [Components] 

AccessOpt=On 

The AccessOpt value sets the registry value accessopt. The setting ‘On’ installs the Accessibility 

wizard. 


The appsrv_console sets the registry value appsrv_console. The setting ‘Off’ does not install the 

Application Server Console. 

aspnet=Off 

The aspnet value sets the aspnet registry value. The setting ‘Off’ does not install the ASP .NET 

development platform. 





The AutoUpdate value sets the autoupdate registry value. The setting ‘Off’ does not install 

AutoUpdate. 


The BitsServerExtensionsISAPI sets the bitsserverextensionsisapi registry value. The setting 

‘Off’ does not install ISAPI for BITS server extensions. 


The BitsServerExtensionManager sets the bitsserverextensionmanager registry key. The setting 

‘Off’ does not install the MMC snap-in, administrative APIs and ADSI extensions for BITS. 

Calc=On 

The Calc value sets the registry value for calc. The setting ‘Off’ does not install the Calculator 

feature. 

certsrv=On 

The certsrv value sets the certsrv registry value. The setting ‘On’ installs the Certificate Services 

components. 


The certsrv_client value sets the certsrv_client registry value. The setting ‘Off’ does not install 

the Web client components of Certificate Services. This requires a Certification Authority to be 

defined with the CAName parameter. This also requires a computer system hosting the 

Certification Authority be defined with the CAMachine parameter. These entries support the use 

of a certificate in a web browser. 


The certsrv_server value sets the certsrv_server registry value. The setting ‘Off’ does not install 

the Certificate Server. 

charmap=On 

The charmap value sets the charmap registry value. The setting ‘On’ installs the Character Map 

feature. 



chat=Off 

The chat value sets the chat registry value. The setting ‘Off’ does not install the Chat program. 

Clipbook=Off 

The Clipbook value sets the clipbook registry value. The setting ‘Off’ does not install the 

Clipbook. 

cluster=Off 

The cluster value sets the cluster registry value. The setting ‘Off’ does not install the cluster 

software. 


The complusnetwork value sets the complusnetwork registry value. The setting ‘On’ enables 

network Com+ access. 

deskpaper=Off 

The deskpaper value sets the deskpaper registry value. The setting ‘Off’ does not install a 

desktop background. 

dialer=Off 

The dialer value sets the dialer registry value. The setting ‘Off’ does not install the Phone Dialer. 


The dtcnetwork value sets the dtcnetwork registry value. The setting ‘Off’ disables DTC network 

access. DTC is the Distributed Transaction Coordinator. 

fax=Off 

The fax value sets the fax registry value. The setting ‘Off’ does not install the Fax feature. 


The fp_extensions value sets the fp_extensions registry value. The setting ‘Off’ does not install 

the FrontPage server extensions. 





The fp_vdir_deploy value sets the fp_vdir_deploy registry value. The setting ‘Off’ does not 

install the Visual InterDev RAD Remote Deployment Support. 

freecell=Off 

The freecell value sets the frecell registry value. The setting ‘Off’ does not install the Freecell 

game. 

hearts=Off 

The hearts value sets the hearts registry value. The setting ‘Off’ does not install the Hearts game. 

hypertrm=Off 

The hyperterm value sets the hyperterm registry value. The setting ‘Off’ does not install the 

HyperTerminal feature. 

IEAccess=Off 

The IEAccess value determines if the Internet Explorer Access points are visible. The setting 

‘Off’ does not make the Internet Explorer Access points visible. 

iis_asp=Off 

The iis_asp value sets the iis_asp registry value. The setting ‘Off’ does not install the Active 

Server Pages feature. 


The iis_common value sets the iis_common registry value. The setting ‘Off’ does not install the 

common set of files needed by IIS. 

iis_ftp=Off 

The iis_ftp value sets the iis_ftp registry value. The setting ‘Off’ does not install the FTP 

Service. 


The iis_inetmgr value sets the iis_inetmgr registry value. The setting ‘Off’ does not install the 

MMC-based administration tools for IIS. 




The iis_internetdataconnector value sets the iis_internetdataconnector registry value. The setting 

‘Off’ does not install the Internet Data Connector. 

iis_nntp=Off 

The iis_nntp value sets the iis_nntp registry value. The setting ‘Off’ does not install the NNTP 

Service. 


The iis_serversideincludes value sets the iis_serversideincludes registry value. The setting ‘Off’ 

does not install the Server Side Includes. 

iis_smpt=Off 

The iis_smtp value sets the iis_smtp registry value. The setting ‘Off’ does not install the SMTP 

Service. 


The iis_webadmin value sets the iis_webadmin registry value. The setting ‘Off’ does not install 

the Web UI for Web server administration (Remote Administration Tools). 


The iis_webdav value sets the iis_dav registry value. The setting ‘Off’ does not install WebDAV 

Publishing. 

iis_www=Off 

The iis_www value sets the iis_www registry value. The setting ‘Off’ does not install the WWW 

Service. 


The iis_www_vdir_scripts value sets the iis_www_vdir_scripts registry value. The setting ‘Off’ 

does not does not create the optional scripts directory on the default web site. 





The indexsrv_system value sets the indexsrv_system registry value. The setting ‘Off’ does not 

install the Indexing Service. 

inetprint=Off 

The inetprint value sets the inetprint registry value. The setting ‘Off’ does not install Internet 

Printing. 


The licenseserver value sets the licenseserver registry value. The setting ‘Off’ does not enable 

Terminal Services licensing. 


The media_clips value sets the media_clips registry value. The setting ‘Off’ does not install 

sample sounds. 


The media_utopia value sets the media_utopia registry value. The setting ‘Off’ does not install 

the Utopia sound scheme. 


The minesweeper value sets the minesweeper registry value. The setting ‘Off’ does not install 

the Minesweeper game. 

mousepoint=On 

The mousepoint value sets the mousepoint registry value. The setting ‘On’ installs all available 

mouse pointers. 


The msmq_ADIntegrated value sets the msmq_ADIntegrated registry value. The setting ‘Off’ 

does not integrate MSMQ with Active Directory. 



msmq_Core=Off 

The msmq_core value sets the msmq_core registry value. The setting ‘Off’ does not install the 

Message Queuing components. 


The msmq_HTTPSupport value sets the msmq_HTTPSupport registry value. The setting ‘Off’ 

does not enable sending and receiving of messages using HTTP. 


The msmq_LocalStorage value sets the msmq_LocalStorage registry value. The setting ‘Off’ 

does not store messages locally. 


The msmq_MQDSSService value sets the msmq_MQDSSService registry value. The setting 

‘Off’ disables access to Active Directory and site recognition for downstream clients. 


The msmq_RoutingSupport value sets the msmq_RoutingSupport registry value. The setting 

‘Off’ does not provide efficient routing. The Message Queuing components are not installed so 

this parameter does not affect the system. 


The msmq_TriggerService value sets the msmq_TriggerService registry value. The setting ‘Off’ 

disassociates the arrival of incoming messages at a queue with functionality in a Component 

Object Module (COM) component. The same may be said for a standalone executable program. 

msnexplr=Off 

The msnexplr value sets the msnexplr registry value. The setting ‘Off’ does not install MSN 

Explorer. 

mswordpad=On 

The mswordpad value sets the mswordpad registry value. The setting ‘On’ installs the 

mswordpad feature. 




netcis=Off 

The netcis value sets the netcis registry value. The setting ‘Off’ does not install Microsoft COM 

Internet Services. 

netoc=Off 

The netoc value sets the netoc registry value. The setting ‘Off’ does not install optional 

networking components. 

objectpkg=Off 

The objectpkg value determines if the Object Packager is installed. The setting ‘Off’ does not 

install the Object Packager. 

OEAccess=Off 

The OEAccess value determines if the visible entry points to Outlook Express are installed. The 

setting ‘Off’ does not install the visible entry points for Outlook Express. 

paint=Off 

The paint value sets the paint registry value. The setting ‘Off’ does not install Microsoft Paint. 

pinball=Off 

The pinball value sets the pinball registry value. The setting ‘Off’ does not install the Pinball 

game. 

Pop3Admin=Off 

The Pop3Admin value determines if setup will install the optional Web UI for the Remote 

Administration Tools. The setting ‘Off’ does not install the optional Web UI. 


The Pop3Service value determines if setup will install the main POP3 service. The setting ‘Off’ 

does not install the main POP3 service. 

Pop3Srv=Off 

The Pop3Srv value determines if setup will install the root POP3 component. The setting ‘Off’ 

does not install the root POP3 component. 



rec=Off 

The rec value determines if setup will install the Sound Recorder. The setting ‘Off’ does not 

install the Sound recorder. 

reminst=Off 

The reminst value sets the reminst registry value. The setting ‘Off’ does not install the remote 

installation Service. 


The rootautoupdate value sets the rootautoupdate registry value. The setting ‘Off’ disables the 

OMC Update Root Certificates. If the user is presented with a certificate issued by a root 

authority that is not directly trusted, and the Update Root Certificates component is not installed 

on the user’s computer, the user will be prevented from completing the action that required 

authentication. 

rstorage=Off 

The rstorage value sets the rstorage registry value. The setting ‘Off’ does not install the Remote 

Storage feature. 

solitaire=Off 

The solitaire value sets the solitaire registry value. The setting ‘Off’ does not install the Solitaire 

game. 

spider=Off 

The spider value sets the spider registry value. The setting ‘Off’ does not install the Spider game. 

templates=Off 

The templates value sets the templates registry value. The setting ‘Off’ does not install 

Document Templates. 

TerminalServer=Off 

The TerminalServer value determines if setup will install Terminal Services. The setting of ‘Off’ 

does not install Terminal Services. 





The TSWebClient determines if the ActiveX control for hosting Terminal Services client 

connections over the Web are installed. The setting ‘Off’ does not install the ActiveX control. 

vol=Off 

The vol value sets the vol registry value. The setting ‘Off’ does not install the Volume Control. 

WBEMSNMP=Off 

The WBEMSNMP value sets the WBEMSNMP registry value. The setting ‘Off’ does not install 

the WMI SNMP Provider. 

WMAccess=Off 

The WMAccess value determines if setup will install visible entry points to Windows Manager. 

The setting ‘Off’ does not install visible entry points to Windows Manager. 

WMPOCM=Off 

The WMPOCM value determines setup will install visible entry points to Windows Media 

Player. The setting ‘Off’ does not install visible entry points to Windows Media Player. 

wms=Off 

The wms value determines sets the wms registry value. The setting ‘Off’ does not install the core 

Windows Media Server components. 


The wms_admin_asp value sets the wms_admin_asp registry value. The setting ‘Off’ does not 

install Windows Media Services Web-based administrative components. 


The wms_admin_mmc value sets the wms_admin_mmc registry value. The setting ‘Off’ does 

not install the Windows Media Services MMC-based administrative components. 

wms_isapi=Off 

The wms_isapi value sets the wms_isapi registry value. The setting ‘Off’ does not install the 

Windows Media Services Multicast and Advertisement Logging Agent components. 




The wms_server value sets the wms_server registry value. The setting ‘Off’ does not install the 

Windows Media Services server components. 

zonegames=Off 

The zonegames value sets the zonegames registry value. The setting ‘Off’ does not install the 

Microsoft Gaming Zone Internet Games component. 




4 Server Policy Files 

4.1 Policy File Application 

Apply policies dictated by the environment (Domain or Workgroup). 

4.1.1 Policy Application in a Domain 

The policy files are applied to Organizational Units within the Active Directory. The structure of 

the Directory will dictate the exact names and locations of the Organizational Units. The 

structure deployed in the CSE lab had an Organizational Unit for “Public Servers” to which the 

Baseline configuration was applied. The “Print Servers” and “File Servers” organizational units 

are placed in the “Public Server” organizational unit. The appropriate policies are applied to the 

specific organizational unit. 

This procedure is applicable to any organizational unit and any policy file. Simply substitute the 

‘OU’ and ‘policy file name’ as required. 

1. Invoke Active Directory interface. 

2. Expand Directory - click on the “+” signs to display the desired OU. 

3. Right click on the desired OU and select Properties from the menu. 

a. “Organizational Unit Properties” dialog opens. 

4. Select “Group Policy” tab. 

5. Click “New” button. 

6. “New Group Policy Object” is created. 

7. Rename “New Group Policy Object” to desired value. 

8. Click “Edit” button. 

b. “Group Policy Object Editor” dialog opens. 

9. Click “+” beside “Windows Settings”. 

10. Right Click “Security Settings”. 

11. Select “Import Policy” from menu. 

12. Browse to desired policy file and select it. 

13. Enable “Clear this database before importing”. 

14. Click “Open” (policy is imported). 

15. Click “File” and then “Exit”. 

16. Click “Apply”. 

17. Click “Exit”. 

Server Policy Files March 2004 43


Repeat this process until all OUs (Public Servers, Print Servers and Files Servers) have the 

required policy files applied to them. 

4.1.2 Policy Application in a Workgroup 

The policies for a workgroup server must be applied in the appropriate order to ensure a correct 

policy. Apply the Baseline configuration first, than apply additional policies to enable the 

designated role of the server. 

To enter a policy file with the local Group Policy Editor, perform the following: 

1. Open a command window. 

2. Enter “MMC” and press “Return”. 

a. “Console 1” dialog opens. 

3. Click “File”. 

4. Select “Add/Remove Snap-in”. 

5. “Add/Remove Snap-in” dialog displayed. 

6. Click “Add”. 

7. “Add Standalone Snap-in” dialog displayed. 

8. Browse to and select “Group Policy Editor”. 


10. “Select Group Policy Object” dialog displayed. 

11. Accept defaults and click “”Finish”. 

12. Click “Close”. 

13. Click “OK”. 

a. The “Root Console Window” appears. 

14. Click on “+” beside “Local Computer Policy” 

15. Click on “+” beside “Windows Settings”. 

16. Right click on “Security Settings”. 

17. Select “Import Policy”. 

18. Browse to desired policy file and select it. 

a. Import Baseline configuration policy first then Role based policies. 

19. Click “Open”. 


21. Click “Exit”. 

22. “Microsoft Management Console” dialog displayed. 

44 March 2004 Server Policy Files



23. Select “Yes” if you wish to save the settings. 

a. Otherwise, select “No”. 

4.2 Baseline Server Policy Files Details 

The following section provides additional services and settings that are managed by policy files. 

The Domain and Workgroup Baseline configuration files are largely identical. The following 

section provides details on the security settings. Items that are not the same will have both 

settings documented. 

4.3 Account Policies 

Account policies determine the rules for user’s with respect to passwords and Kerberos. 

4.3.1 Password Policy 

4.3.1.1 Enforce password history 

PasswordHistorySize = 24 

The ‘PasswordHistorySize’ defines the number of passwords retained by the system. This 

history is compared with user input during password changes. The setting ‘24’ requires the user 

to select twenty-four unique passwords before they can re-use their first one. With a 

‘MinimumPasswordAge’ of two, the user would have to cycle their password every two days to 

get back to their original password. 

4.3.1.2 Maximum password age 

MaximumPasswordAge = 42 

The ‘MaximumPasswordAge’ defines the maximum number of days a user can keep the same 

password. A setting of forty-two requires the user to change their password every forty-two days. 

Combined with the ‘PasswordComplexity’ and ’PasswordLength’ settings, these settings ensure 

the password is strong and resilient to attack. 

4.3.1.3 Minimum Password Age 

MinimumPasswordAge = 2 

The ‘MinimumPasswordAge’ defines how many days a user must wait between password 

changes. The setting ‘2’ requires the user to wait two before they can change it again. 

4.3.1.4 Minimum password length 

MinimumPasswordLength = 8 

The ‘MinimumPasswordLength’ defines the minimum number of characters acceptable for a 

password. The setting ‘8’ requires the user to enter a password of eight characters or more. 



Combined with the ‘PasswordComplexity’ and ‘MaximumPasswordAge’ settings, these settings 

ensure the password is strong and resilient to attack. 

4.3.1.5 Password must meet complexity requirements 

PasswordComplexity = 1 

The ‘PasswordComplexity’ switch defines password complexity requirements. The setting ‘1’ 

requires the user to enter a password that meets the criteria below. 

The password contains characters from three of the following four categories: 

• Upper Case Character (A-Z) 

• Lower Case Character (a-z) 

• Base 10 Digits (0-9) 

• Non-alphanumeric (! @ # $ % ^ &) 

This setting helps thwart brute-force attacks. 

4.3.1.6 Store password using reversible encryption 

ClearTextPassword = 0 

The ‘ClearTextPassword’ keyword determines if the system stores passwords using reversible 

encryption. The setting ‘zero’ disables reversible encryption. 

NOTE: 

Never enable this option unless operational considerations outweigh the need to 

protect password information. 

4.3.2 Account Lockout Policy 

4.3.2.1 Account Lockout Duration 

LockoutDuration = 15 

The ‘LockoutDuration’ defines the length of time (in minutes) that an account is disabled after 

lockout. The setting ‘15’ disables the user’s account for 15 minutes. This value needs to be 

synchronized with ‘ResetLockoutCounter’ so the user can logon when the ‘LockoutDuration’ 

has expired. 

4.3.2.2 Account lockout threshold 

LockoutBadCount = 10 

The ‘LockoutBadCount’ defines the number of failed logons allowed before the account is 

locked. The setting ‘10’ causes the user’s account to be locked after 10 consecutive logon 

attempts. The setting prevents extended password guessing attacks. 




4.3.2.3 Reset account lockout counter after 

ResetLockoutCount = 15 

The ‘ResetLockoutCount’ defines the length of time (in minutes) before a lockout reset occurs. 

The setting ‘15’ resets the lockout to zero after fifteen minutes. This value needs to be 

synchronized with ‘LockoutDuration’ so the user can logon when the ‘LockoutDuration’ has 

expired. 

4.3.3 Kerberos Policy 

There are no Kerberos settings in the Workgroup Baseline configuration. 

4.3.3.1 Enforce user logon restrictions 

TicketValidateClient = 1 

The ‘TicketValidateClient’ determines if Kerberos V5 Key Distribution Centre authentication is 

required. The setting ‘1’ requires the use of Kerberos Authentication. 

4.3.3.2 Maximum lifetime for the service ticket 

MaxServiceAge = 600 

The ‘MaxServiceAge’ defines the number of minutes a service ticket will be valid. The setting 

‘600’ allows the ticket to be used for ten hours. 

4.3.3.3 Maximum lifetime for user ticket 

MaxTicketAge = 10 

The ‘MaxTicketAge’ defines the maximum hours a user’s ticket granting ticket may be used. 

The setting ‘10’ indicates that the ticket granting ticket must be replaced or renewed after ten 

hours. 

4.3.3.4 Maximum lifetime for user ticket renewal 

MaxRenewAge = 7 

The ‘MaxRenewAge’ defines the number of days a ticket granting ticket may be renewed after 

issuance. The setting ‘7’ allows a ticket granting ticket to be renewed for seven days. 

4.3.3.5 Maximum tolerance for computer clock synchronization 

MaxClockSkew = 5 

The ‘MaxClockSkew’ defines the maximum amount of time a system clock can be different 

from the Domain Controller clock. The setting of ‘5’ indicates systems more than 5 minutes 

different than the Domain Controller clock will be refused. 



4.4 Local Policies 

4.4.1 Audit Policy 

4.4.1.1 Audit account logon events 

AuditAccountLogon = 3 

The ‘AuditAccountLogon’ defines types of logon events to audit. The setting ‘3’ audits ‘success’ 

and ‘fail’ events. ‘Success’ events can determine who accessed the system during an incident. 

‘Fail’ events provide insight to password guessing attacks. 

4.4.1.2 Audit account management 

AuditAccountManage = 3 

The ‘AuditAccountManage’ defines types of logon events to audit. The setting ‘3’ audits 

‘success’ and ‘fail’ events. ‘Success’ events can be used in investigations, monitoring accounts at 

the time of an incident. ‘Fail’ attempts can determine if users are probing the system for 

vulnerabilities. 

4.4.1.3 Audit directory service access 

AuditDSAccess = 3 

The ‘AuditDSAccess‘ defines types of logon events to audit. The setting ‘3’ audits ‘success’ and 

‘fail’ events. The Directory Service holds crucial information for the Domain. Knowledge of 

access during an incident can provide valuable information about Active Directory objects 

accessed during an attack. 

4.4.1.4 Audit logon events 

AuditLogonEvents = 3 

The ‘AuditLogonEvents’ defines types of logon events to audit. The setting ‘3’ audits ‘success’ 

and ‘fail’ events. ‘Success’ events can be used to determine who was accessing the system 

during an incident. ‘Fail’ logon attempts can determine if the system is under a password 

guessing attack. 

4.4.1.5 Audit object access 

AuditObjectAccess = 2 

The ‘AuditObjectAccess’ defines the type of logon events that will be audited. The setting ‘2’ 

audits failed events. Failed attempts can be monitored to determine if any users are probing the 

system for vulnerabilities. 




4.4.1.6 Audit policy change 

AuditPolicyChange = 3 

The ‘AuditPolicyChange’ defines the type of logon events that will be audited. The setting 3 

audits ‘success and ‘fail’ events. ‘Success’ events are used in investigations to determine access 

to the system and policy used at the time of the incident. ‘Fail’ attempts can determine if users 

are probing the system for vulnerabilities. 

4.4.1.7 Audit privilege use 

AuditPrivilegeUse = 3 

The ‘AuditPrivilegeUse’ defines logon events to be audited. The setting ‘3’ audits ‘success’ and 

‘fail’ events. ‘Success’ events are used to determine who was accessing the system at the time of 

the incident. ‘Fail’ attempts can determine if users are probing the system for vulnerabilities. 

4.4.1.8 Audit process tracking 

AuditProcessTracking = 0 

The ‘AuditProcessTracking’ defines logon events to be audited. The setting ‘0’ audits no events. 

The value of this information is weighed against the volume of data collected. Due to large 

volumes of data, the normal setting for this value is disabled. However, during an incident the 

information provided is invaluable. If an attack is suspected, we recommend the setting be 

enabled. 

4.4.1.9 Audit system events 

AuditSystemEvents = 3 

The’ AuditSystemEvents’ defines events to be audited. The setting ‘3’ audits ‘success’ and ‘fail’ 

events. These events reflect the system shutdown and restarts, system security events, and events 

that affect the security log. 

4.4.2 User Rights Assignments 

4.4.2.1 Access this computer from the network 

senetworklogonright = *S-1-5-11,*S-1-5-32-544 

The ‘senetworklogonright’ grants network protocol access to the system (SMB, NetBIOS, CIFS, 

HTTP and COM+). The policy grants privileges to the Administrators and authenticated users. 

The ability to access the system from the network provides greater exposure for an attack. 

Restricting access reduces the exposure. 



4.4.2.2 Act as part of the operating system 

setcbprivilege = 

The ‘setcbprivilege’ grants an account the ability to act as part of the operating system. 

According to Microsoft, there is no reason why an account would require this privilege. 

4.4.2.3 Add workstations to domain 

semachineaccountprivilege = 

The ‘semachineaccountprivilege’ grants the right to add workstations to a domain. This policy 

grants no privilege. Restricting this privilege helps maintain Domain integrity. 

4.4.2.4 Adjust memory quotas for a process 

seincreasequotaprivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20 

The ‘seincreasequotaprivilege’ grants the ability to adjust memory quotas for a process. This 

policy grants privileges to Administrators, LOCAL SERVICE and NETWORK SERVICE 

accounts. If misused, DoS attacks are possible. 

4.4.2.5 Allow log on locally 

seinteractivelogonright = *S-1-5-32-551,*S-1-5-32-544 

The ‘seinteractivelogonright’ grants logon privilege to the local console. These privileges are 

given to Administrators and Backup operators. Local access is restricted to accounts that have 

legitimate reason for access. By restricting this privilege, system exposure is reduced. 

4.4.2.6 Allow log on through Terminal Services 

seremoteinteractivelogonright = *S-1-5-32-544 

The ‘seremoteinteractivelogonright’ grants the right to logon remotely through Terminal 

Services. This policy grants rights to Administrators. There is no requirement to allow users this 

form of access. 

4.4.2.7 Backup files and directories 

sebackupprivilege = *S-1-5-32-551,*S-1-5-32-544 

The ‘sebackupprivilege’ grants the right to backup files and directories. Rights are given to 

Administrators and Backup Operators. If your policy does not allow administrators to backup 

then omit the Administrators group. The allocation of this privilege must be tightly controlled. 




4.4.2.8 Bypass traverse checking 

sechangenotifyprivilege = *S-1-5-32-545,*S-1-5-32-551,*S-1-5-11,*S-1-5-32-544 

The ‘sechangenotifyprivilege’ grants the right to bypass traverse checking in NTFS file systems 

and the Registry. This policy grants rights to Users, Backup Operators, Administrators, and 

authenticated users. 

4.4.2.9 Change the system time 

sesystemtimeprivilege = *S-1-5-32-544 

The ‘sesystemtimeprivilege’ grants the right to change the system time. This policy grants rights 

to Administrators. The system time is critical in incident investigation. Without a consistent time, 

it is difficult to co-relate events on multiple systems. 

4.4.2.10 Create a pagefile 

secreatepagefileprivilege = *S-1-5-32-544 

The ‘secreatepagefileprivilege’ grants the right to create a page file. This policy grants rights to 

Administrators. Too large a page file can cause poor system performance. Restricting this to 

Administrators reduces the exposure to trusted individuals. 

4.4.2.11 Create a token object 

secreatetokenprivilege = 

The ‘secreatetokenprivilege’ grants the right to create local security token objects. The privilege 

gives the ability to create or modify Access Tokens. This policy does not grant rights to anyone. 

This can prevent privilege escalation attacks and DoS conditions. 

4.4.2.12 Create global objects 

secreateglobalprivilege = *S-1-5-6,*S-1-5-32-544 

The ‘secreateglobalprivilege’ grants the right to create objects available to all sessions. This 

policy grants rights to Administrators and the SERVICE account. It can be used to affect other 

user’s processes. 

4.4.2.13 Create permanent shared objects 

secreatepermanentprivilege = 

The ‘secreatepermanentprivilege’ grants the right to create shared objects (folders, printers). 

Users with this privilege could expose sensitive data to the network by creating a shared object. 

Only members of the Administrators group can create permanent shared objects. 



4.4.2.14 Debug programs 

sedebugprivilege = 

The ‘sedebugprivilege’ grants the right to debug any kernal process. Program debugging should 

never be done in a production environment. In the event it is required, grant rights for a short 

time. 

4.4.2.15 Deny access to this computer from the network 

sedenynetworklogonright = *S-1-5-32-546, *S-1-5-7 

The ‘sedenynetworklogonright’ prevents access for a variety of network protocols. The policy 

applies the right to Guests and ANONYMOUS LOGON. The Administrators must add the local 

accounts ‘Guest’, ‘Support_388945a0’ and Built-in Administrator account. 

NOTE: 

Given no reason for network access to the system for a group or user, access should 

be denied. 

4.4.2.16 Deny log on as a batch job 

sedenybatchlogonright = *S-1-5-32-546, *S-1-5-7 

The ‘sedenybatchlogonright‘ prevents the ability to create batch jobs. This policy applies rights 

to Guests and ANONYMOUS LOGON. The Administrators must add the local accounts ‘Guest’ 

and ‘Support_388945a0’. The batch facility could be used to schedule jobs that result in a DoS. 

NOTE: 

Given no reason for batch logon access to the system for a group or user, access 

should be denied. 

4.4.2.17 Deny log on as a service 

sedenyservicelogonright = *S-1-5-32-546,*S-1-5-32-544, *S-1-5-7 

The ‘sedenyservicelogonright’ prevents access to a variety of network protocols. This policy 

applies the rights to Guests, ANONYMOUS LOGON, and Administrators. Administrators must 

add the local accounts ‘Guest’, ‘Support_388945a0’ and Built-in Administrator account. 

4.4.2.18 Deny log on locally 

sedenyinteractivelogonright = *S-1-5-32-546, *S-1-5-7 

The ‘sedenyinteractivelogonright’ prevents local access to the system. This policy applies the 

rights to Guests and ANONYMOUS LOGON. Administrators must add the local accounts 

‘Guest’ and ‘Support_388945a0’. 

NOTE: 

Given no reason for interactive access to the system for a group, access should be 

denied. 




4.4.2.19 Deny log on through Terminal Services 

sedenyremoteinteractivelogonright = *S-1-5-32-546, *S-1-5-7 

The ‘sedenyremoteinteractivelogonright’ prevents logon through terminal services. This policy 

applies rights to Guests and ANONYMOUS LOGON. Administrators must add the local 

accounts ‘Guest’, ‘Support_388945a0’ and Built-in Administrator. 

NOTE: 

Given no reason for terminal services access for a group, access should be denied. 

4.4.2.20 Enable computer and user accounts to be trusted for delegation 

seenabledelegationprivilege = 

The ‘seenabledelegationprivilege’ grants the right to change the ‘trusted for delegation’ setting 

on Active Diretory objects. This policy does not grant privileges to anyone. The misuse of this 

privilege could lead to impersonation of users in a Domain. 

4.4.2.21 Force shutdown from a remote system 

seremoteshutdownprivilege = 

The ‘seremoteshutdownprivilege’ grants the right to shut the system down from a remote 

location. This policy grants rights to noone. Servers in a High Security zone require physical 

access to be shut down. 

4.4.2.22 Generate security audits 

seauditprivilege = *S-1-5-19,*S-1-5-20 

The ‘seauditprivilege’ grants the right to generate records in the security logs. This policy grants 

rights to NETWORK SERVICE and LOCAL SERVICE. By limiting rights to non-interactive 

accounts, DoS conditions through full logs can be avoided. 

4.4.2.23 Impersonate a client after authentication 

seimpersonateprivilege = *S-1-5-19,*S-1-5-20 

The ‘seimpersonateprivilege’ grants the right for applications to impersonate that client. This 

policy grants rights to Local Service and Network Service. For better security, privileges are 

limited to non-interactive accounts. 

4.4.2.24 Increase scheduling priority 

seincreasebasepriorityprivilege = *S-1-5-32-544 

The ‘seincreasebasepriorityprivilege’ grants the right to increase process priority. This policy 

grants privileges to Administrators. If misused, a DoS condition could starve CPU resources. 



4.4.2.25 Load and unload device drivers 

seloaddriverprivilege = *S-1-5-32-544 

The ‘seloaddriverprivilege’ grants the right to load and unload device drivers. This policy grants 

privileges to Administrators. The driver code is run with elevated privileges. By restricting 

privileges to Administrators, the exposure is reduced. 

4.4.2.26 Lock pages in memory 

selockmemoryprivilege = 

The ‘selockmemoryprivilege’ grants the right to keep data in physical memory. This policy 

grants privileges to no one. The abuse of privileges can result in starved memory resources and a 

DoS situation. Restricting this privilege reduces exposure to this threat. 

4.4.2.27 Log on as a batch job 

sebatchlogonright = 

The ‘sebatchlogonright’ grants the right to submit batch jobs (log on as a batch job). This policy 

grants rights to noone. The Task Scheduler could cause a DoS; limiting this privilege reduces the 

threat. 

4.4.2.28 Log on as a service 

seservicelogonright = *S-1-5-20,*S-1-5-19 

The ‘seservicelogonright’ grants the right to logon as a service. This policy grants rights to Local 

Service and Network Service. Interactive accounts are purposely excluded. 

4.4.2.29 Manage auditing and security log 

sesecurityprivilege = *S-1-5-32-544 

The ‘sesecurityprivilege’ grants the right to specify object access auditing options. This policy 

grants rights to Administrators. Administrators alone can determine the appropriate auditing 

level. This ensures that users of the system cannot reduce auditing and eliminate traces of their 

activity. 

4.4.2.30 Modify firmware environment values 

sesystemenvironmentprivilege = *S-1-5-32-544 

The ‘sesystemenvironmentprivilege’ grants rights to modify firmware environment values. This 

policy grants these rights to Administrators only. The ability to change system configurations 

needs to be controlled. 




4.4.2.31 Perform volume maintenance tasks 

semanagevolumeprivilege = *S-1-5-32-544 

The ‘semanagevolumeprivilege’ grants rights to manage volumes or disks. This policy grants 

rights to Administrators only. The administrative function of volume and disk management can 

damage user data on a disk. Restricting this privilege reduces the threat. 

4.4.2.32 Profile single process 

seprofilesingleprocessprivilege = *S-1-5-32-544 

The ‘seprofilesingleprocessprivilege’ grants the right to monitor performance of a non-system 

process. This policy grants these rights to Administrators. The ability to profile a process can 

provide information to be used as a basis of an attack. Limiting privileges to Administrators 

reduces this threat. 

4.4.2.33 Profile system performance 

sesystemprofileprivilege = *S-1-5-32-544 

The ‘sesystemprofileprivilege’ grants the right to monitor performance of a system process. This 

policy grants these rights to Administrators only. Profiling a system gathers information useful 

for an attack. Limiting privileges to Administrators reduces this threat. 

4.4.2.34 Remove computer from docking station 

seundockprivilege = *S-1-5-32-544 

The ‘seundockprivilege’ grants the right to undock the server. This policy grants these privileges 

to Administrators only. As a preventive measure, these privileges are restricted. 

4.4.2.35 Replace a process level token 

seassignprimarytokenprivilege = *S-1-5-19,*S-1-5-20 

The ‘seassignprimarytokenprivilege’ grants the right to replace a process security token of a 

child process. These rights are ganted to Local Service and Network Service. This can be used to 

launch processes as another user, providing the ability to hide inappropriate activity on a system. 

4.4.2.36 Restore files and directories 

serestoreprivilege = *S-1-5-32-544 

The ‘serestoreprivilege’ grants the right to bypass permissions when restoring objects. This 

policy grants privileges to Administrators only. Due to the nature of the restore process, rights 

are restricted to accounts that are required to use it. 



4.4.2.37 Shut down the system 

seshutdownprivilege = *S-1-5-32-544 

The ‘seshutdownprivilege’ grants the right to shut down the system locally. This policy grants 

the right to Administrators only. By restricting this privilege, the threat of inadevertent or 

malicious shutdowns is reduced. 

4.4.2.38 Synchronize directory service data 

sesyncagentprivilege = 

The ‘sesyncagentprivilege’ grants the right to read all objects and properties in the Directory. 

This policy revokes all privilege. Information gained from the Active Directory can be used to 

form an attack against the system. 

4.4.2.39 Take ownership of files or other objects 

setakeownershipprivilege = *S-1-5-32-544 

The ‘setakeownershipprivilege’ grants the right to take ownership of any securable object in the 

system. The act of changing ownership will be recorded in the logs. This policy grants privileges 

to Administrators only. 

4.4.3 Security Options 

This section includes values for all entries in the Security Options section of the policy GUI. It 

incorporates entries in the Security Options section of the Domain Policy as well as the Member 

Server Baseline. Please note all values are explicitly defined. This ensures that security is not 

dependent on default values. 

4.4.3.1 Accounts: Administrator account status 

EnableAdminAccount = 0 

The ‘EnableAdminAccount’ determines if the local administrator account is enabled. The setting 

‘0’ disables the local administrator account. This prevents widespread use and removes it as a 

target for attack. 

4.4.3.2 Accounts: Guest account status 

EnableGuestAccount = 0 

The ‘EnableGuestAccount‘ determines if the local guest account is enabled. The setting ‘0’ 

disables the local guest account. This prevents widespread use and removes it as a target for 

attack. 




4.4.3.3 Accounts: Limit local account use of blank passwords to console logon only 

machine\system\currentcontrolset\control\lsa\limitblankpassworduse=4, 1 

The ‘limitblankpassworduse’ registry value determines if local accounts with blank passwords 

can be used to logon remotely. The setting ‘1’ disallows accounts with blank passwords to logon 

remotely. This ensures remote access requires an account name and password. 

4.4.3.4 Accounts: Rename administrator account 

NewAdministratorName = "johnsmith" 

The ‘NewAdministratorName’ keyword sets the local administrator account name. The setting 

‘johnsmith’ renames the local administrator account to johnsmith. Renaming the local 

administrator account makes it difficult for an attacker to misuse it. 

NOTE: 

This keyword should be omitted if a policy to rename the Administrator account on 

each system is enforced. If not, then at a minimum change it from ‘johnsmith’ to a 

local value. 

4.4.3.5 Accounts: Rename guest account 

NewGuestName = "janesmith" 

The ‘NewGuestName’ keyword sets the local guest account name. The setting ‘janesmith’ 

renames the local guest account to janesmith. Renaming the account makes it more difficult for 

an attacker to misuse it. 

NOTE: 

This keyword should be omitted if a policy to rename the Guest account on each 

system is enforced. If not, then at a minimum change it from ‘janesmith’ to a local 

value. 

4.4.3.6 Audit: Audit the access of global system objects 

machine\system\currentcontrolset\control\lsa\auditbaseobjects=4, 0 

The ‘auditbaseobjects’ registry setting determines if access to global system objects is audited. 

The setting ‘0’ disables audit access to global objects. 

4.4.3.7 Audit: Audit the use of Backup and Restore privilege 

machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3, 0 

The ‘fullprivilegeauditing’ determines if the system will audit the Backup and Restore privilege. 

The setting ‘0’ disables the audit of Backup and Restore privilege. 



4.4.3.8 Audit: Shut down system immediately if unable to log security audits 

machine\system\currentcontrolset\control\lsa\crashonauditfail=4, 1 

The ‘crashonauditfail’ registry value determines system behaviour when it fails to log security 

events. The setting ‘1’ shuts the system down when it cannot log. The government requires that 

comprehensive log data be carefully maintained. As a result, if the log files are full the system 

must not process further transactions. 

4.4.3.9 Devices: Allow undock without having to log on 

machine\software\microsoft\windows\currentversion\policies\system\undockwithoutlogon=4, 0 

The ‘undockwithoutlogon’ registry value determines if a portable computer can undock without 

logon. The setting ‘0’ disallows the computer to be undocked without logon. 

4.4.3.10 Devices: Allowed to format and eject removable media 

machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,"0" 

The ‘allocatedasd’ registry value determines who can format and eject removable media. The 

setting ‘0’ permits Administrators to format and eject removable media. The ability to store large 

quantities of data (e.g. entire databases) makes should be restricted to trusted individuals. 

4.4.3.11 Devices: Prevent users from installing printer drivers 

services\servers\addprinterdrivers=4, 1 

The ‘addprinterdrivers’ registry value determines if users can add printer drivers. The setting ‘1’ 

prevents users from adding print drivers. This helps prevent the threat of users running malicious 

code in a privileged state. 

4.4.3.12 Devices: Restrict CD-ROM access to locally logged-on user only 

machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms=1,"1" 

The ‘allocatecdroms’ registry value determines if the CD-ROM is equally accessible to local and 

remote users. The setting ‘1’ restricts remote access to the CD-ROM when in use by a local user. 

NOTE: 

The setting allows remote authorized users to access the CD-ROM if no one is logged 

on locally. 

4.4.3.13 Devices: Restrict floppy access to locally logged-on user only 

machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies=1,"1" 

The ‘allocatefloppies’ registry value determines if the floppy drive is simultaneously accessible 

to local and remote users. The setting ‘1’ restricts remote access to when in use by a local user. 

NOTE: 

This setting allows remote access to the floppy drive if no one is logged on as a local 

user. 




4.4.3.14 Devices: Unsigned driver installation behavior 

machine\software\microsoft\driver signing\policy=3, 1 

The ‘policy’ registry value defines the unsigned driver installation behavior. The setting ‘1’ 

warns the user before the driver is installed. If this option is enforced, only drivers approved by 

the Windows Hardware Quality Lab (WHQL) are eligible. The decision to install drivers not 

found within WHQL is left to the Administrator. 

4.4.3.15 Domain controller: Allow server operators to schedule tasks 

machine\system\currentcontrolset\control\lsa\submitcontrol=4, 0 

The ‘submitcontrol’ registry value determines if system operators can schedule tasks. The setting 

‘0’ prevents system operators from scheduling tasks. A sufficient number of tasks can lead to a 

DoS condition. 

4.4.3.16 Domain controller: LDAP server signing requirements 

machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity=4, 2 

The ‘ldapserverintegrity’ registry value determines if the LDAP server requires a signature to 

negotiate with LDAP clients. The setting ‘2’ requires a client signature. Unsigned data is 

susceptible to man-in-the-middle attacks. This setting helps prevent session hijack. 

4.4.3.17 Domain controller: Refuse machine account password changes 

machine\system\currentcontrolset\services\netlogon\parameters\refusepasswordchange=4, 0 

The ‘refusepasswordchange’ registry setting determines if domain controllers accept changes to 

computer account passwords. The setting ‘0’ allows changing of computer account passwords. 

Regularly changed passwords reduce the threat of effective brute-force attacks. 

4.4.3.18 Domain member: Digitally encrypt or sign secure channel data (always) 

machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4, 1 

The ‘requiresignorseal’ registry value determines if the domain member will encrypt or sign 

secure channel data always. The setting ‘1’ encrypts or signs secure channel data. This setting 

prevents legacy systems (pre-Windows 2000) from joining a Domain. 

4.4.3.19 Domain member: Digitally encrypt secure channel data (when possible) 

machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4, 1 

The ‘sealsecurechannel’ registry value determines if a domain member requests encryption of all 

secure channel data. The setting ‘1’ requests encryption of all secure channel data. By encrypting 

Secure Channel data, the system prevents sensitive information being sent in the clear. This 

limits an attacker’s ability to gather information for an attack. 



4.4.3.20 Domain member: Digitally sign secure channel data (when possible) 

machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4, 1 

The ‘signsecurechannel’ registry value determines if a system will sign secure channel data when 

possible. The setting ‘1’ enables the signing of secure channel data when possible. Unsigned data 

is susceptible to man-in-the-middle attack. By enabling this setting, the client is protected from 

session hijack. 

4.4.3.21 Domain member: Disable machine account password changes 

machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4, 0 

The ‘disablepasswordchange’ registry value determines if a domain controller will accept 

machine account password changes. The setting ‘0’ allows machine account password changes. 

If the password change were disallowed, the systems could not change their computer 

passwords. This would leave them susceptible to password-guessing attacks. 

4.4.3.22 Domain member: Maximum machine account password age 

machine\system\currentcontrolset\services\netlogon\parameters\maximumpasswordage=4, 42 

The ‘maximumpasswordage’ registry value determines the maximum number days between 

password changes. The setting ‘42’ requires the password to be changed at least every forty-two 

days. This ensures the password is changed often to thwart password-guessing attacks. 

4.4.3.23 Domain member: Require strong (Windows 2000 or later) session key 

machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4, 1 

The ‘requirestrongkey’ registry value determines if a domain member establishes secure channel 

communications requiring 128-bit encryption. The setting ‘1’ requires 128-bit encryption of the 

secure channel. If disabled, the client must negotiate key strength with the Domain Controller. 

This setting ensures the highest level of protection for secure channel data. 

4.4.3.24 Interactive logon: Do not display last user name 

machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername 

=4, 1 

The ‘dontdisplaylastusername’ registry value determines if the system provides a logon screen 

with the last username that logged on. The setting ‘1’ does not display the last username. This 

setting withholds vital information to prevent attacks. 

4.4.3.25 Interactive logon: Do not require CTRL+ALT+DEL 

machine\software\microsoft\windows\currentversion\policies\system\disablecad=4, 0 

The ‘disablecad’ registry value determines if CTRL+ALT+DEL is required before a user logon. 

The setting ‘0’ requires CTRL+ALT+DEL to initiate logon. The Windows architecture security 




is predicated on the CTL+ALT+DEL key sequence to initiate user authentication. It provides 

unassailable hardware initiation of the logon sequence; this helps thwart Trojan Horse routines. 

4.4.3.26 Interactive logon: Message text for users attempting to logon 

machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=7, 

DEPARTMENTAL TEXT FOR USER LOGON MUST BE SUPPLIED 

The ‘legalnoticetext’ registry value is presented to the user prior to entry of username and 

password. The value shown is the text presented. This may help an organization in the event of 

legal proceedings. 

4.4.3.27 Interactive logon: Message title for users attempting to logon 

machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1 

“DEPARTMENTAL TEXT FOR USER LOGON MUST BE SUPPLIED” 

The ‘legalnoticecaption’ registry value is presented to the user as the title of the window that 

contains the ‘legalnoticetext’ text. The value shown is the text presented. This may help an 

organization in the event of legal proceedings. 

4.4.3.28 Interactive logon: Number of previous logons to cache (in case domain controller 

is not available) 

machine\software\microsoft\windowsnt\currentversion\winlogon\cachedlogonscount=1,"0" 

The ‘cachedlogonscount’ registry value determines the number of unique user whom logon 

information is locally cached. The setting ‘0’ does not cache logon information locally. This 

ensures the user establishes a current security token with the Domain Controller. This prevents 

disabled users access via cached logon credentials. 

4.4.3.29 Interactive logon: Prompt user to change password before expiration 

machine\software\microsoft\windowsnt\currentversion\winlogon\passwordexpirywarning=4, 

14 

The ‘passwordexpirywarning’ registry value determines how many days in advance the user is 

notified of password expiration. This setting warns the user 14 days before password expiry. The 

user will continue to be reminded until the password expiry date. 

4.4.3.30 Interactive logon: Require Domain Controller authentication to unlock 

workstation 

machine\software\microsoft\windows nt\currentversion\winlogon\forceunlocklogon=4, 1 

The ‘forceunlocklogon’ registry value determines if a domain controller must be contacted to 

unlock a computer. The setting ‘1’ requires contact with a domain controller. This ensures the 

user establishes a current security token with the Domain Controller. This also disallows disabled 

users access via cached logon credentials. 



4.4.3.31 Interactive logon: Require smart card 

machine\software\microsoft\windows\currentversion\policies\system\scforceoption=4, 0 

The ‘scforceoption’ registry value determines if a smart card is required to logon. The setting ‘0’ 

does not require a smart card to logon. The majority of servers will not require two-factor 

authentication. If this capability were a requirement, it should be enabled during the application 

of a role specific policy. 

4.4.3.32 Interactive logon: Smart card removal behaviour 

machine\software\microsoft\windowsnt\currentversion\winlogon\scremoveoption=1,"1" 

The ‘scremoveoption’ determines system behaviour when a smart card is removed. The setting 

‘1’ locks the workstation when removed. This ensures accountability for transactions that require 

smart card authentication. 

4.4.3.33 Microsoft network client: Digitally sign communications (always) 

machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature 

=4, 1 

The ‘requiresecuritysignature’ registry value determines if the SMB client requires packet 

signing. The setting ‘1’ requires packet signing. This setting provides for mutual authentication. 

This may prevent man-in-the-middle attacks and eliminate session hijacking. Legacy systems 

cannot support this requirement. 

4.4.3.34 Microsoft network client: Digitally sign communications (if server agrees) 

machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysign 

ature=4, 1 

The ‘enablesecuritysignature’ registry value determines if an SMB client attempts to negotiate 

SMB packet signing (if the server agrees). The setting ‘1’ causes the client to negotiate SMB 

signing. This setting provides for mutual authentication. This may prevent man-in-the-middle 

attacks and eliminate session hijacking. Legacy systems (i.e. Pre-Windows 2000) cannot support 

this requirement. 

4.4.3.35 Microsoft network client: Send unencrypted password to third-party SMB 

servers 

machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpas 

sword=4, 0 

The ‘enableplaintextpassword’ registry value determines if an SMB client sends plain text 

passwords to non-Microsoft SMB servers. The setting ‘0’ disables the use of clear-text 

passwords. The use of non-Microsoft SMB servers that do not accept encrypted passwords is 

disallowed in a High Security environment. Password security must always be enforced. 




4.4.3.36 Microsoft network server: Amount of idle time required before suspending 

session 

machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4, 15 

The ‘autodisconnect’ registry setting defines the amount of idle time in minutes before an SMB 

session is suspended. The setting ‘15’ suspends the SMB session after fifteen minutes of idle 

time. An idle session consumes resources. Attackers could set up sessions consuming resources 

to initiate a DoS attack. Additionally, idle sessions can cause SMB services to become slow or 

unresponsive. 

4.4.3.37 Microsoft network server: Digitally sign communications (always) 

machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature 

=4, 1 

The ‘requiresecuritysignature’ registry value determines if the server will always sign SMB 

communications. The setting ‘1’ always digitally signs SMB communications. This setting 

provides mutual authentication for all communication. Mutual authentication may prevent manin-the-middle 

attacks and eliminate session hijacking. Legacy (i.e. Pre-Windows 2000) systems 

cannot support this requirement. 

4.4.3.38 Microsoft network server: Digitally sign communications (if client agrees) 

machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature= 

4, 1 

The ‘enablesecuritysignature’ registry value signs SMB communications, if the client agrees. 

The setting ‘1’ signs SMB communications. This setting provides mutual authentication for all 

communication. Mutual authenitcation may prevent man-in-the-middle attacks and eliminate the 

session hijacking. Legacy (i.e. Pre-Windows 2000) systems cannot support this requirement. 

4.4.3.39 Microsoft network server: Disconnect clients when logon hours expire 

machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4, 1 

The ‘enableforcedlogoff’ registry value determines if a network connected user is disconnected 

outside of their hours of operation. The setting ‘1’ disconnects the user when logged on outside 

of their hours of operation. 

4.4.3.40 Network access: Allow anonymous SID/Name translation 

LSAAnonymousNameLookup = 0 

The ‘LSAAnonymousNameLookup’ determines if the system allows anonymous SID/NAME 

translation. The setting ‘0’ disallows the system to perform anonymous SID/NAME translation. 

If enabled, a user could use a well-known account SID to obtain usernames of the account. This 

may then be used to initiate a password guessing attack. 



4.4.3.41 Network access: Do not allow anonymous enumeration of SAM accounts 

machine\system\currentcontrolset\control\lsa\restrictanonymoussam=4, 1 

The ‘restrictanonymoussam’ registry value determines if anonymous enumeration of SAM 

accounts is permitted. The setting ‘1’disallows anonymous enumeration of SAM accounts. The 

enumeration maps account names to a corresponding SID. When the SID is known, local Guest 

and Administrator accounts are exposed. Once identified, they are open to password guessing 

attacks. 

4.4.3.42 Network access: Do not allow anonymous enumeration of SAM accounts and 

shares 

machine\system\currentcontrolset\control\lsa\restrictanonymous=4, 1 

The ‘restrictanonymous’ registry value determines if anonymous enumeration of SAM accounts 

and shares is permitted. The setting ‘1’ disallows anonymous enumeration of SAM accounts and 

shares. The enumeration maps account names to a corresponding SID. When the SID is known, 

local Guest and Administrator accounts are exposed. Once identified, they are open to password 

guessing attacks. 

4.4.3.43 Network access: Do not allow storage of credentials or .NET Passports for 

network authentication 

machine\system\currentcontrolset\control\lsa\disabledomaincreds=4, 1 

The ‘disabledomaincreds’ registry value determines if passwords, credentials or Microsoft .NET 

passports are saved after initial domain authentication. The setting ‘1’ does not perform the save. 

4.4.3.44 Network access: Let Everyone permissions apply to anonymous users 

machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous=4, 0 

The ‘everyoneincludesanonymous’ value determines what additional permissions are granted for 

anonymous connections to a computer. The setting ‘0’ grants no additional permissions to 

anonymous users. This ensures unauthenticated users do not inherit the rights of the ‘everyone’ 

group. 

4.4.3.45 Network access: Named Pipes that can be accessed anonymously 

machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionpipes=7, 

The ‘nullsessionpipes’ value defines anonymous access to named pipes. The empty setting 

disallows anonymous access to named pipes. This ensures all system access is authorized. 




4.4.3.46 Network access: Remotely accessible registry paths 

machine\system\currentcontrolset\control\securepipeservers\winreg\allowedexactpaths\machi 

ne=7, 

The ‘allowedexactpaths\machine’ registry value defines which registry paths can be accessed 

over the network. This Baseline configuration has no requirement for remotely accessible 

registry information. 

4.4.3.47 Network access: Remotely accessible registry paths and Sub-paths 

machine\system\currentcontrolset\control\securepipeservers\winreg\allowedpaths\machine=7, 

The ‘allowedpaths\machine’ registry value defines registry paths and sub-paths that can be 

accessed over the network. This Baseline configuration has no requirement for remotely 

accessible registry information. 

4.4.3.48 Network access: Restrict anonymous access to Named Pipes and Shares 

machine\system\currentcontrolset\services\lanmanserver\parameters\restrictnullsessaccess=4, 

1 

The ‘restrictnullsessaccess’ registry value determines if anonymous access is allowed to named 

pipes and shares. The setting ‘1’ disallows anonymous access to named pipes and shares. Access 

to resources is predicated on authorization for that resource. If anonymous access is granted, 

there would be no ability to identify who is accessing the objects. 

4.4.3.49 Network access: Shares that can be accessed anonymously 

machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares=7, 

The ‘nullsessionshares’ registry value defines which shares can be accessed anonymously over 

the network. The empty setting disallows anonymous access to any share. All system access 

should be authorized. Anonymous access prevents accurate authorization of shares. 

4.4.3.50 Network access: Sharing and security model for local accounts 

machine\system\currentcontrolset\control\lsa\forceguest=4, 0 

The ‘forceguest’ registry value determines the sharing and security model for local accounts. The 

setting ‘0’ requires user authentication to access resources. This allows individual access to be 

audited. 



4.4.3.51 Network security: Do not store LAN Manager hash value on next password 

change 

machine\system\currentcontrolset\control\lsa\nolmhash=4, 1 

The ‘nolmhash’ registry value determines if the LAN Manager hash value is stored on the next 

password change. The setting ‘1’ does not save the LAN Manager hash value. This prevents 

local storage of the password, which would be vulnerable to attack. 

NOTE: 

Upon enabling in operation, all passwords must be changed. 

4.4.3.52 Network Security: Force logoff when logon hours expire 

ForceLogoffWhenHourExpire = 1 

The ‘ForceLogoffWhenHourExpire’ keyword determines if locally logged on users are 

disconnected when working outside of defined hours. The setting ‘1’ disconnects the user outside 

of defined hours. Hours are defined within the “Active Directory Users and Computers”, the 

‘Computer Management” and “Local Users and Groups” interface. Account should be created 

with restrictions on hours of access; we recommend enforcement through disconnection outside 

specified hours. 

4.4.3.53 Network security: LAN Manager authentication level 

machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4, 5 

The ‘lmcompatibilitylevel’ value determines the level of LAN manager authentication. The 

setting ‘5’ sends NTLMv2 responses only and refuses LM & NTLM. This setting ensures only 

the most secure authentication mechanism is permitted. 

4.4.3.54 Network security: LDAP client signing requirements 

machine\system\currentcontrolset\services\ldap\ldapclientintegrity=4, 1 

The ‘ldapclientintegrity’ value determines if the LDAP client negotiates signing to communicate 

with LDAP servers. The setting ‘2’ requires signing negotiation. This reduces the threat of a 

man-in-the-middle attacks. 

4.4.3.55 Network security: Minimum session security for NTLM SSP based (including 

secure RPC) clients 

machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminclientsec=4, 537395248 

The ‘ntlmminclientsec’ value defines the minimum session security for NTLM SSP based 

(including secure RPC) clients. The setting ‘537395248’ enables all options, as recommended. 

This requires message integrity, confidentiality, NTLMv2 session security and 128-bit 

encryption be used for logon. 




4.4.3.56 Network security: Minimum session security for NTLM SSP based (including 

secure RPC) servers 

machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminserversec=4, 537395248 

The ‘ntlmminserversec’ registry value defines the minimum session security for NTLM SSP 

based (including secure RPC) servers. The setting ‘537395248’ enables all options, as 

recommended. This requires message integrity, confidentiality, NTLMv2 session security and 

128-bit encryption be used for logon. 

4.4.3.57 Recovery console: Allow automatic administrative logon 

machine\software\microsoft\windowsnt\currentversion\setup\recoveryconsole\securitylevel=4, 

0 

The ‘securitylevel’ value determines if the recovery console requires an Administrator password 

to logon. The setting ‘0’ requires an Administrators password. Enabling this setting to allow 

anyone to shut down a server is not recommended. 

4.4.3.58 Recovery console: Allow floppy copy and access to all drives and all folders 

machine\software\microsoft\windowsnt\currentversion\setup\recoveryconsole\setcommand=4, 

0 

The ‘setcommand’ registry value determines if the Recovery Console ‘SET’ command is 

available. The setting ‘4’ disables the ‘SET’ command. (e.g. Copy to removable media is 

disabled). 

4.4.3.59 Shutdown: Allow system to be shut down without having to log on 

machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4 

, 0 

The ‘shutdownwithoutlogon’ registry value determines if the system can be shutdown without 

the user logged on. The setting ‘0’ requires the user to logon. This ensures only authorized users 

may shut down the system. 

4.4.3.60 Shutdown: Clear virtual memory page file 

machine\system\currentcontrolset\control\sessionmanager\memory\management\clearpagefile 

atshutdown=4, 1 

The ‘clearpagefileatshutdown’ value determines if page file contents are overwritten on a clean 

shutdown. The setting ‘1’ causes clears the page file on a normal shutdown. Sensitive system and 

user information may be contained in the page file. By ensuring it is cleared, the risk that 

information be available to an attacker is reduced. 



4.4.3.61 System cryptography: Force strong key protection for user keys stored on the 

computer 

machine\software\policies\microsoft\cryptography\forcekeyprotection=4, 2 

The ‘forcekeyprotection’ value determines if user keys (e.g. SMIME) require a password each 

time they are to be used. The setting ‘2’ requires entry of a password each time a private key is 

used. This ensures that a session that requires key material is used with the owner’s knowledge. 

4.4.3.62 System cryptography: Use FIPS compliant algorithms for encryption, hashing, 

and signing 

machine\system\currentcontrolset\control\lsa\fipsalgorithmpolicy=4, 1 

The ‘fipsalgorithmpolicy’ determines if Transport Layer Security / Secure Socket Layer 

(TLS/SSL) Security Provider supports only TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher 

suite. The setting ‘1’ requires the use of the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher 

suite. In the Federal Government, this setting is required for all servers to remain compliant to 

cryptographic policies. 

4.4.3.63 System objects: Default owner for objects created by members of the 

Administrators group 

machine\system\currentcontrolset\control\lsa\nodefaultadminowner=4, 1 

The ‘nodefaultadminowner’ value determines if objects created by members of the 

Administrators group are owned by the group or the object creator. The setting ‘1’ makes objects 

owned by the creator. This ensures actions of an individual administrator can be isolated and 

audited. 

4.4.3.64 System objects: Require case insensitivity for non-Windows subsystems 

machine\system\currentcontrolset\control\session manager\kernel\obcaseinsensitive=4, 1 

The ‘obcaseinsensitive’ value determines if case insensitivity is required for non-Windows 

subsystems. The setting ‘1’ requires case insensitivity for non-Windows subsystems. This 

disables the ability for non-Windows sub-systems to create files that are inaccessible to the 

Windows system. It also disables the ability to block access to other files with the same name in 

upper case. 

4.4.3.65 System objects: Strengthen default permissions of internal system objects (e.g. 

Symbolic Links) 

machine\system\currentcontrolset\control\session manager\protectionmode=4, 1 

The ‘protectionmode’ registry setting determines if permissions on internal system objects (e.g. 

symbolic links) is strengthened. The setting ‘1’ strengthens protection on internal system objects. 

It allows non-administrators to view shared objects they did not create, but not modify. 




4.4.3.66 System settings: Optional subsystems 

machine\system\currentcontrolset\control\session manager\subsystems\optional=7, 

The ‘optional’ value defines which subsystems are used to support applications. The empty 

setting disallows any optional subsystems. The use of sub-systems should be justified with 

operational requirements. Unless required, no subsystem should be enabled. 

4.4.3.67 Use Certificate Rules on Windows Executables for Software Restriction Policies 

machine\software\policies\microsoft\windows\safer\codeidentifiers\authenticodeenabled=4, 0 

The ‘authenticodeenabled’ value determines the use of certificate rules on Windows executables 

for software restriction policies. The setting ‘0’ does not use certificate rules on Windows 

executables for software restriction policies. 

4.5 Event Log 

Microsoft guidance indicates that the total size of all event logs should not exceed 300MB. If this 

value is exceeded, the system may not log or record the failure. 

While the interface may allow values up to 4GB, there is a risk of losing log entries for values 

beyond 300 MB. The following policy will utilize full available space for allocation between 

event logs. 

4.5.1 Log Size 

4.5.1.1 Maximum application log size 

MaximumLogSize = 76800 (in [Application Log] section) 

The ‘MaximumLogSize’ determines the size of the Application event log. The setting ‘76800’ 

creates a 76800 KB log file. With an average of 500 bytes per event, this log file will 

accommodate over 153,000 events. This will allow the system to run for an extended period-oftime 

without having to roll the log file. 

NOTE: 

Due to the wide variety of event loads, we recommend monitoring the log files during 

the initial operational period. 

4.5.1.2 Maximum security log size 

MaximumLogSize = 153600 (in [Security Log] section) 

The ‘MaximumLogSize’ determines the size of the Security event log. The setting ‘153600’ 

creates a 153600 KB log file. With an average of 500 bytes per event, this log file will 

accommodate over 307,200 events. This allows the system to run for an extended period-of-time 

without having to roll the log file. 

NOTE: 





4.5.1.3 Maximum system log size 

MaximumLogSize = 76800 (in [System Log] section 

The ‘MaximumLogSize’ determines the size of the System event log. The setting ‘76800’ creates 

a 76800 KB log file. With an average of 500 bytes per event, this log file will accommodate over 

153,000 events. This allows the system to run for an extended period-of-time without having to 

roll the log file. 

NOTE: 



4.5.2 Guest Access 

4.5.2.1 Prevent local Guests group from accessing Applications, Security, and System 

logs 

RestrictGuestAccess = 1(in [Application Log] or [Security Log] or [System Log] section) 

The ‘RestrictGuestAccess’ keyword determines if accounts with ‘guest’ access can access the 

log. The setting ‘1’ disallows guest access to the log. Access to log information provides an 

attacker with valuable information to mount attacks on the system or users. As a result, only 

users who are authenticated are given access to the log files. 

4.5.3 Retention Method 

4.5.3.1 Retention method for application log 

AuditLogRetentionPeriod = 2(in [Application Log] or [Security Log] or [System Log] section) 

The ‘AuditLogRetentionPeriod’ keyword determines the system behaviour when the log is full. 

The setting ‘2’ shuts the system down if the log cannot be written. Use of this setting should be 

consistent with departmental log retention policy. 

4.6 System Services 

A large number of services are disabled in this guide. With each disabled service, we provide 

justification for the recommendation. In some cases, a more flexible approach may be needed. 

It is important to note that a disabled service may only be required occasionally. For example, 

the Performance Logs and Alerts service is disabled. However, to help fulfill a specific 

temporary need, the Administrator could enable a service, resolve an issue, and return the service 

to the original configuration. 




4.6.1 Services Explicitly Covered by Microsoft Guidance 

4.6.1.1 Alerter 

"alerter", 4, 

"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOC 

RSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRS 

DRCWDWO;;;WD)" 

The Alerter service notifies selected users and computers of administrative alerts. This policy 

disables this service. 

4.6.1.2 Application Layer Gateway Service 

"alg", 4, 




The Application Layer Gateway Service is a subcomponent of the Internet Connection Sharing 

(ICS) / Internet Connection Firewall (ICF) Service. This supports independent software vendor 

plug-ins to allow proprietary protocols through the firewall and work behind ICS. This policy 

disables the service. 

4.6.1.3 Application Management 

"appmgmt", 4, 

"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPD 

TLOCRSDRCWDWO;;;WD)" 

Application Management provides software installation services. This policy disables the 

service. 

4.6.1.4 ASP .NET State Service 

"aspnet_state", 4, 



The ASP .NET State Service provides support for out-of-process session states for ASP .NET. 

This policy disables the service. 

4.6.1.5 Automatic Updates 

"wuauserv", 4, 


RSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)" 



The Automatic Updates Service enables the automated download and installation of software 

updates. This policy disables the service. 

4.6.1.6 Background Intelligent Transfer Service 

"bits", 4, 




The Background Intelligent Transfer Service is used to transfer files asynchronously between a 

client and an HTTP server. This policy disables the service. 

4.6.1.7 Certificate Services 

"certsvc", 4, 



The Certificate Services perform core functions for a Certification Authority. This policy 

disables the service. 

4.6.1.8 MS Software Shadow Copy Provider 

"swprv", 3, 



The MS Software Shadow Copy Provider supports the creation of file shadow copies used to 

perform system backups. This policy sets the startup to manual for the service. 

4.6.1.9 Client Service for Netware 

"nwcworkstation", 4, 



The Client Service for Netware provides access to files and printers on NetWare networks. This 

policy disables the service. 

4.6.1.10 ClipBook 

"clipsrv", 4, 




The Clipbook Service creates and shares ‘pages’ of data that may be viewed by remote users. 

This policy disables the service. 




4.6.1.11 Cluster Service 

"clussvc", 4, 



The Cluster Service supports membership in a High Availability environment (Cluster). The 

service is disabled. 

4.6.1.12 COM+ Event System 

"eventsystem", 3, 




The COM+ Event System Service extends the COM+ programming model. This policy sets the 

service startup to automatic. 

4.6.1.13 COM+ System Application 

"comsysapp", 4, 




The COM+ System Application Service manages the configuration and tracking of components 

based on COM+. The service is disabled. 

4.6.1.14 Computer Browser 

The Computer Browser Service maintains an up-to-date list of the computers on your network. 

4.6.1.14.1 Domain Member Baseline 

"browser", 2, 




This policy sets service startup to automatic. 

4.6.1.14.2 Workgroup Member Baseline 

"browser", 4, 




This policy disables service startup. 



4.6.1.15 Cryptographic Services 

"cryptsvc", 2, 




Cryptographic Services provide key management functionality for the computer. This policy sets 

the service to automatic startup. 

4.6.1.16 DHCP Client 

The DHCP Client service registers with DHCP and DNS servers in the domain. 

4.6.1.16.1 Domain Member Baseline 

"dhcp", 2, 




This policy sets the service to automatic startup. 

4.6.1.16.2 Workgroup Member Baseline 

"dhcp", 4, 





4.6.1.17 DHCP Server 

"dhcpserver", 4, 



The DHCP Server allocates IP addresses. The service is disabled. 

4.6.1.18 Distributed File System 

"dfs", 4, 


TLOCRSDRCWDWO;;;WD) 

The Distributed File System manages logical volumes across local or wide area networks. The 





4.6.1.19 Distributed Link Tracking Client 

"trkwks", 4, 



The Distributed Link Tracking Client Service ensures shortcuts (among others) work after the 

target has been moved. The service is disabled. 

4.6.1.20 Distributed Link Tracking Server 

"trksvr", 4, 



The Distributed Link Tracking Server stores information so files moved between volumes can be 

tracked. The service is disabled. 

4.6.1.21 Distributed Transaction Coordinator 

"msdtc", 4, 



The Distributed Transaction Coordinator Service manages transactions that involve multiple 

computer systems or resource managers. The service is disabled. 

4.6.1.22 DNS Client 

The DNS Client Service resolves and caches DNS names. 

4.6.1.22.1 Domain Member Server 

"dnscache", 2, 





4.6.1.22.2 Workgroup Member Server 








4.6.1.23 DNS Server 

"dns", 4, 



The DNS Server responds to queries for DNS names. The service is disabled. 

4.6.1.24 Error Reporting Service 

"ersvc", 4, 




The Error Reporting Service collects, stores, and reports unexpected application closures to 

Microsoft. The service is disabled. 

4.6.1.25 Event Log 

"eventlog", 2, 




The Event Log Service enables event log messages to be viewed. This policy sets the service to 

automatic startup. 

4.6.1.26 Fax Service 

"fax", 4, 



The Fax service provides Fax capabilities. The service is disabled. 

4.6.1.27 File Replication 

"ntfrs", 4, 



The File Replication Service automatically copies and maintains files on multiple Servers. The 


4.6.1.28 File Server for Macintosh 

"macfile", 4, 






The Macintosh File Service provides network file access to Macintosh computers. The service is 

disabled. 

4.6.1.29 FTP Publishing Service 

"msftpsvc", 4, 



The FTP Publishing Service provides connectivity and administration through the IIS snap-in. 

The service is disabled. 

4.6.1.30 Help and Support 

"helpsvc", 4, 




The Help and Support Service enables Help and Support Center to run. The service is disabled. 

4.6.1.31 HTTP SSL 

"httpfilter", 4, 




The HTTP SSL Service provides SSL functions to IIS. The service is disabled. 

4.6.1.32 Human Interface Device Access 

"hidserv", 4, 




The Human Interface Device Access service allows use of pre-defined hotbuttons. The service is 

disabled. 

4.6.1.33 IAS Jet Database Access 

"iasjet", 4, 




The IAS Jet Database Access service uses RADIUS to provide authentication, authorization and 

accounting services. The service is disabled. 



4.6.1.34 IIS Admin Service 

"iisadmin", 4, 




The IIS Admin Service allows administration of IIS components. The service is disabled. 

4.6.1.35 IMAPI CD-Burning COM Service 

"imapiservice", 4, 




The IMAPI CD-Burning Service manages CD burning. The service is disabled. 

4.6.1.36 Indexing Service 

"cisvc", 4, 




The Indexing Service indexes file contents and properties. The service is disabled. 

4.6.1.37 Infrared Monitor 

"irmon", 4, 



Infrared Monitor service enables file and image sharing through infrared devices. The service is 

disabled. 

4.6.1.38 Internet Authentication Service 

"ias", 4, 



Internet Authentication Service manages network authentication, authorization and accounting. 


4.6.1.39 Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) 

"sharedaccess", 4, 






The Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) service provides 

Internet services for small local networks. The service is disabled. 

4.6.1.40 Intersite Messaging 

"ismserv", 4, 



The Intersite Messaging Service is used for mail-based replication. The service is disabled. 

4.6.1.41 IP Version 6 Helper Service 

"6to4", 4, 



The IP Version 6 Helper Service offers IPV6 connectivity over existing IPV4 network. The 


4.6.1.42 IPSEC Policy Agent (IPSec Service) 

"policyagent", 2, 



The IPSEC Policy Agent (IPSec Service) provides encryption services to clients and servers on 

networks. This policy sets the service to automatic startup. 

4.6.1.43 Kerberos Key Distribution Centre 

"kdc", 4, 



The Kerberos Key Distribution Center Service allows user logon using Kerberos v5 

authentication protocol. The service is disabled. 

4.6.1.44 License Logging Service 

"licenseservice", 4, 



The License Logging service records client access licensing information. The service is disabled. 



4.6.1.45 Logical Disk Manager 

"dmserver", 3, 




The Logical Disk Manager service detects all new hard drives and sends disk volume 

information to the Logical Disk Manager Administration Service. This policy sets the service to 

manual startup. 

4.6.1.46 Logical Disk Manager Administrative Service 

"dmadmin", 3, 




The Logical Disk Manager Administration service performs requests for disk management. This 

policy sets the service to manual startup. 

4.6.1.47 Message Queuing 

"msmq", 4, 



The Message Queuing Service is the infrastructure and development tool for creating distributed 

messaging applications. The service is disabled. 

4.6.1.48 Message Queuing Down Level Clients 

"mqds", 4, 



The Message Queuing Down Level Clients service provides Active Directory access to Message 

Queuing Clients. The service is disabled. 

4.6.1.49 Message Queuing Triggers 

"mqtgsvc", 4, 



The Message Queuing Trigger Service provides rule-based analysis of messages arriving in the 

Message Queuing queue. The service is disabled. 




4.6.1.50 Messenger 

"messenger", 4, 



The Messenger Service sends Alerter Service messages between clients and servers. The service 

is disabled. 

4.6.1.51 Microsoft POP3 Service 

"pop3svc", 4, 



The Microsoft POP3 service provides e-mail transfer and retrieval services. The service is 

disabled. 

4.6.1.52 MSSQL$UDDI 

"mssql$uddi", 4, 



The MSSQL$UDDI service publishes and locates information about web services. The service is 

disabled. 

4.6.1.53 MSSQLServerADHelper 

"mssqlserver", 4, 



The SQL Server service provides SQL functionality for a server. The service is disabled. 

4.6.1.54 .NET Framework Support Service 

"corrtsvc", 4, 



The .NET Framework Support Service notifies a subscribing client when a specified process 

initializes the Client Runtime Service. The service is disabled. 

4.6.1.55 Netlogon 

The Netlogon Service authenticates users and services. 



4.6.1.56 Domain Member Server 

"netlogon", 2, 




4.6.1.57 Workgroup Member Server 





4.6.1.58 NetMeeting Remote Desktop Sharing 

"mnmsrvc", 4, 



The NetMeeting Remote Desktop Sharing Service enables access to a system with NetMeeting. 


4.6.1.59 Network Connections 

"netman", 3, 



The Network Communications Service manages objects in the Network Connections folder. This 

policy sets the service to manual startup. This will start the service automatically when the 

Network Connections interface is invoked. 

4.6.1.60 Network DDE 

"netdde", 4, 



The NetDDE Service provides network transport and security for DDE. The service is disabled. 

4.6.1.61 Network DDE DSDM 

"netddedsdm", 4, 



The NetDDEDSDM Service manages DDE network shares. The service is disabled. 




4.6.1.62 Network Location Awareness (NLA) 

"nla", 4, 



The Network Location Awareness service collects and stores network information. The service is 

disabled. 

4.6.1.63 Network News Transport Protocol (NNTP) 

"nntpsvc", 4, 



The Network News Transport Protocol (NNTP) service provides News Server capabilities. The 


4.6.1.64 NTLM Security Support Provider 

"ntlmssp", 4, 



The NTLM Security Support Provider service provides security to RPC programs. This enables 

users to log on using NTLM authentication in place of Kerberos. The service is disabled. 

4.6.1.65 Performance Logs and Alerts 

"sysmonlog", 4, 



The Performance Logs and Alerts Service collect performance data. The service is disabled. 

4.6.1.66 Plug and Play 

"plugplay", 4, 



The Plug and Play service allows a computer to adapt hardware configuration changes with little 

user input. The service is disabled. 



4.6.1.67 Portable Media Serial Number 

"wmdmpmsn", 4, 



The Portable Media Serial Number service retrieves serial numbers from any portable music 

player connected to the system. The service is disabled. 

4.6.1.68 Print Server for Macintosh 

"macprint", 4, 



The Macintosh Print service provides network printer access to Macintosh computers. The 


4.6.1.69 Print Spooler 

"spooler", 4, 



The Spooler service manages local and network print queues and controls all print jobs. The 


4.6.1.70 Protected Storage 

"protectedstorage", 2, 



The Protected Storage service protects storage of sensitive information from unauthorized 

services, processes or users. This policy sets the service to automatic startup. 

4.6.1.71 Remote Access Auto Connection Manager 

"rasauto", 4, 



The Remote Access Auto Connection Manager service detects unsuccessful attempts to a remote 

network or computer. It then provides an alternative method for connection. The service is 

disabled. 




4.6.1.72 Remote Access Connection Manager 

"rasman", 4, 



The Remote Access Connection Manager service manages dial-up and VPN connections to a 

server. The service is disabled. 

4.6.1.73 Remote Administration Service 

"srvcsurg", 4, 



The Remote Administration service provides an interface for Remote Server Administration 

Tools. The service is disabled. 

4.6.1.74 Remote Desktop Help Session Manager 

"rdsessmgr", 4, 



The Remote Desktop Help Session Manager service controls the Remote Assistance feature in 

the Help and Support Center application. The service is disabled. 

4.6.1.75 Remote Installation 

"binlsvc", 4, 



The Remote Installation Service is a Windows deployment feature. The service is disabled. 

4.6.1.76 Remote Procedure Call (RPC) 

"rpcss", 2, 



The Remote Procedure Call (RPC) service is a secure inter-process communication mechanism. 




4.6.1.77 Remote Procedure Call (RPC) Locator 

"rpclocator", 4, 



The RPC Locator Service enables RPC clients to locate RPC servers. The service is disabled. 

4.6.1.78 Remote Registry Service 

"remoteregistry", 4, 



The Remote Registry service enables remote users to modify registry settings on the system. The 


4.6.1.79 Remote Server Manager 

"appmgr", 4, 




The Remote Server Manager service acts as a Windows Management Instrumentation (WMI) 

instance provider for Remote Administration Alert Objects. It also acts as a WMI method 

provider for Remote Administration Tasks. The service is disabled. 

4.6.1.80 Remote Server Monitor 

"appmon", 4, 



The Remote Service Monitor service provides monitoring capability of resources on remotely 

managed systems. The service is disabled. 

4.6.1.81 Remote Storage Notification 

"remote_storage_user_link", 4, 



The Remote Storage Notification service notifies a user when accessing data on secondary 

storage units. The service is disabled. 




4.6.1.82 Remote Storage Server 

"remote_storage_server", 4, 



The Remote Storage Server stores infrequently used files in secondary storage. The service is 

disabled. 

4.6.1.83 Removable Storage 

"ntmssvc", 4, 



The Removable Storage service maintains a catalogue of information for removable media used 

by the system. The service is disabled. 

4.6.1.84 Resultant Set of Policy Provider 

"rsopprov", 4, 



The Resultant Set of Policy Provider service enables simulation of policy to determine the 

effects. The service is disabled. 

4.6.1.85 Routing and Remote Access 

"remoteaccess", 4, 



The Routing and Remote Access service provides multi-protocol LAN-to-LAN, LAN-to-WAN, 

and NAT routing services. The service is disabled. 

4.6.1.86 SAP Agent 

"nwsapagent", 4, 



The SAP Agent service advertises services on an IPX network. The service is disabled. 



4.6.1.87 Secondary Logon 

"seclogon", 4, 



The Secondary Logon service allows users to create processes in different security contexts. The 


4.6.1.88 Security Accounts Manager 

"samss", 2, 



The Security Accounts Manager service manages user and group account information. This 

policy sets the service to automatic startup. 

4.6.1.89 Server 

"lanmanserver", 4, 



The Server service provides RPC, file, print, and Named pipe support over the network. This 

policy disables service startup. 

4.6.1.90 Shell Hardware Detection 

"shellhwdetection", 4, 



The Shell Hardware Detection service monitors and provides notification for AutoPlay hardware 

events. The service is disabled. 

4.6.1.91 Simple Mail Transport Protocol (SMTP) 

"smtpsvc", 4, 



The Simple Mail transfer Protocol (SMTP) service transports electronic mail across the network. 





4.6.1.92 Simple TCP/IP Services 

"simptcp", 4, 



Simple TCP/IP Services provide a variety of protocols. The service is disabled. The services 

configured are as follows: 

Echo Port 7 

Discard Port 9 

Character Generator Port 19 

Daytime Port 13 

Quote of the day Port 17 

4.6.1.93 Single Instance Storage Groveler 

"groveler", 4, 




The Single Instance Storage Groveler service supports Remote Installation service. The service 

is disabled. 

4.6.1.94 Smart Card 

"scardsvr", 4, 



The Smart Card service manages access to smart card readers. The service is disabled. 

4.6.1.95 SNMP Service 

"snmp", 4, 



The Simple Network Management Protocol (SNMP) service allows incoming SNMP requests to 

be processed by the system. The service is disabled. 

4.6.1.96 SNMP Trap Service 

"snmptrap", 4, 



The SNMP Trap service receives trap messages generated by SNMP agents. The service is 

disabled. 



4.6.1.97 Special Administration Console Helper 

"sacsvr", 4, 



The Special Administration Console Helper service performs remote management tasks. The 


4.6.1.98 SQLAgent$* (*UDDI or WebDB) 

"sqlagent$webdb", 4, 



The SQLAgent$webdb service monitors, and schedules jobs. The service is disabled. 

4.6.1.99 System Event Notification 

"sens", 2, 



The System Event Notification service provides monitoring and tracking services for system 

events. This policy sets the service to automatic startup. 

4.6.1.100 Task Scheduler 

"schedule", 4, 



The Task Scheduler service enables configuration and schedules of automated tasks on the 

system. The service is disabled. 

4.6.1.101 TCP/IP NetBIOS Helper Service 

The TCP/IP NetBIOS Helper service provides support for NetBIOS over TCP/IP. This is 

required for Domain membership. 


"lmhosts", 2, 







4.6.1.101.2 Workgroup Member server 

"lmhosts", 4, 




4.6.1.102 TCP/IP Print Server 

"lpdsvc", 4, 



The TCP/IP Print Server service enables TCP/IP based printing. The service is disabled. 

4.6.1.103 Telephony 

"tapisrv", 4, 



The Telephony service provides support for programs that control telephony and IP-based voice 

devices. The service is disabled. 

4.6.1.104 Telnet 

"tlntsvr", 4, 



The Telnet service provides ASCII terminal sessions to telnet clients. The service is disabled. 

4.6.1.105 Terminal Services 

"termservice", 4, 



Terminal Services allows users to access a virtual Windows desktop session. The service is 

disabled. 

4.6.1.106 Terminal Services Licensing 

"termservlicensing", 4, 



The Terminal Services Licensing service provides registered client licenses when connecting to a 

Terminal Server. The service is disabled. 



4.6.1.107 Terminal Services Session Directory 

"tssdis", 4, 



The Terminal Services Session Directory service provides a multi-session environment that 

allows access a virtual Windows desktop. The service is disabled. 

4.6.1.108 Themes 

"themes", 4, 



The Themes service provides theme management services. The service is disabled. 

4.6.1.109 Trivial FTP Daemon 

"tftpd", 4, 



The Trivial FTP Daemon is a File Transfer Protocol that does not require authentication. The 


4.6.1.110 Uninterruptible Power Supply 

"ups", 4, 



The Uninterruptible Power Supply service manages an uninterruptible power supply. The 


4.6.1.111 Upload Manager 

"uploadmgr", 4, 



The Upload Manager service manages file transfers between clients and servers. Driver data is 

anonymously uploaded from a customer computer to Microsoft. The service is disabled. 




4.6.1.112 Virtual Disk Service 

"vds", 4, 



The Virtual Disk service provides a single interface for managing block storage visualization. 


4.6.1.113 Volume Shadow Copy 

"vss", 3, 



The Volume Shadow Copy service manages and implements volume shadow copies used for 

backups. This policy sets the service to manual startup. 

4.6.1.114 WebClient 

"webclient", 4, 



The Webclient service allows Win32 applications to access documents on the Internet. The 


4.6.1.115 Web Element Manager 

"elementmgr", 4, 




The Web Element Manager service provides Web user interface elements for the Administration 

Web site at port 8098. The service is disabled. 

4.6.1.116 Windows Audio 

"audiosrv", 4, 




The Windows Audio service provides support for sound. The service is disabled. 



4.6.1.117 Windows Image Acquisition (WIA) 

"stisvc", 4, 



The Windows Image Acquisition (WIA) service supports scanners and cameras. The service is 

disabled. 

4.6.1.118 Windows Installer 

The Windows Installer service manages the installation and removal of applications. 


"msiserver", 2, 









4.6.1.119 Windows Internet Name Service (WINS) 

"wins", 4, 



The Windows Internet Name Service (WINS) enables NetBIOS name resolution. The service is 

disabled. 

4.6.1.120 Windows Management Instrumentation 

"winmgmt", 2, 



The Windows Management Instrumentation service provides a common interface to access 

management information. This policy sets the service to automatic startup. 




4.6.1.121 Windows Management Instrumentation Driver Extensions 

"wmi", 4, 



The Windows Management Instrumentation Driver Extensions service monitors all drivers and 

event trace providers that publish WMI or event trace information. The service is disabled. 

4.6.1.122 Windows Media Services 

"wmserver", 4, 



Windows Media Services provide streaming media service over IP-based networks. The service 

is disabled. 

4.6.1.123 Windows System Resource Manager 

"windowssystemresourcemanager", 4, 



The Windows System Resource Manager service is a tool to help customers deploy applications. 


4.6.1.124 Windows Time 

"w32time", 2, 



The Windows Time service maintains date and time synchronization. This policy sets the service 

to automatic startup. 

4.6.1.125 WinHTTP Web Proxy Auto-Discovery Service 

"winhttpautoproxysvc", 4, 



The WinHTTP Web Proxy Auto – Discovery service implements Web Proxy Auto- discovery 

(WPAD) Protocol. The WPAD protocol is an HTTP client service that locates proxy servers. The 




4.6.1.126 Wireless Configuration 

"wzcsvc", 4, 



The Wireless Configuration service enables automatic configuration of IEEE 802.11 wireless 

adapters. The service is disabled. 

4.6.1.127 WMI Performance Adapter 

"wmiapsrv", 4, 



The WMI Performance Adapter service provides performance library information. The service is 

disabled. 

4.6.1.128 Workstation 

The Workstation service creates and maintains client network connections. 


"lanmanworkstation", 2, 









4.6.1.129 World Wide Web Publishing Service 

"w3svc", 4, 



The World Wide Web Publishing service provides Web connectivity and administration through 

the IIS snap-in. The service is disabled. 




4.6.2 Services Not Explicitly Covered by Microsoft Guidance 

The following service entries in the policy file are not represented in the GUI interface. 

"fastuserswitchingcompatibility", 4, 



The “fastuserswitchingcompatibility” is not a core requirement for a Windows 2003 server. The 


"mssql$webdb", 4, 



The MSSQL$webdb service is used to publish and locate information about web services. The 


"mssqlserveradhelper", 4, 



The MSSQLServerADHelper service enables SQL server and SQL Server Analysis Services to 

publish information in Active Directory. The service is disabled. 

"saldm", 4, 



The “saldm” is not a core requirement for a Windows 2003 server. The service is disabled. 

"sptimer", 4, 



The “sptimer” is not a core requirement for a Windows 2003 server. The service is disabled. 

"sqlserveragent", 4, 



The “sqlserveragent” is not a core requirement for a Windows 2003 server. The service is 

disabled. 

"winsip", 4, 



This is not a core requirement for a High Security server. The service is disabled. 



4.7 Additional Security Settings 

The following settings are in the policy file and organized similarily with the Windows Server 

2003 Security Guide. While the settings affect the Registry, they do not appear in the Registry 

section of the Policy GUI. 

4.7.1 Security Consideration for Network Attacks 

4.7.1.1 EnableICMPRedirect 

machine\system\currentcontrolset\services\tcpip\parameters\enableicmpredirect=4, 0 

The ‘enableicmpredirect’ registry value causes TCP to find host routes. This overrides OSPF 

generated routes. The setting ‘0’ disables this capability. If enabled, a ten-minute timeout makes 

the system unavailable to the network. Disabling causes the system to rely on OSPF routing. 

4.7.1.2 SynAttackProtect 

machine\system\currentcontrolset\services\tcpip\parameters\synattackprotect=4, 1 

The ‘synattackprotect’ registry value adjusts retransmissions of SYN-ACK. The setting ‘1’ 

causes connection timeouts faster when a SYN-ATTACK is detected. The setting reduces effort 

expended on unresponsive connections. 

4.7.1.3 EnableDeadGWDetect 

machine\system\currentcontrolset\services\tcpip\parameters\enabledeadgwdetect=4, 0 

The ‘enabledeadgwdetect’ value allows TCP re-direction to a backup gateway. The setting ‘0’ 

disables this capability. If a system detects difficulties on a network, it will automatically switch 

to a different gateway. This may cause undesireable packet traversal over un-trusted networks. 

4.7.1.4 EnablePMTUDiscovery 

machine\system\currentcontrolset\services\tcpip\parameters\enablepmtudiscovery=4, 0 

The ‘enablepmtudiscovery’ registry value determines if TCP automatically finds the maximum 

transmission unit (MTU) or the largest packet size to a remote host. The setting ‘0’ causes a 

fixed size packet be used for all connections to remote hosts. If enabled, an attacker could force a 

very small packet size. This results in a significant increase of network workload. This may also 

lead to a DoS condition. 

4.7.1.5 KeepAliveTime 

machine\system\currentcontrolset\services\tcpip\parameters\keepalivetime=4, 300000 

The ‘keepalivetime’ registry value determines how often TCP verifes an idle connection is intact. 

The setting ‘300,000’ (5 minutes) is short enough to provide some defense against DoS 

conditions. This setting provides the ability to recover resources from unresponsive connections. 




4.7.1.6 DisableIPSourceRouting 

machine\system\currentcontrolset\services\tcpip\parameters\disableipsourcerouting=4, 2 

The ‘disableipsourcerouting’ value determines if the sender of a TCP packet can dictate the 

route. The setting ‘2’ disables this ability. Dictating packet routes can obscure an attacker’s 

location on the network. 

4.7.1.7 TcpMaxConnectResponseRetransmissions 

machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxconnectresponseretransmi 

ssions=4, 2 

The ‘tcpmaxconnectresponseretransmissions’ value determines the number of attempts that TCP 

re-transmits a SYN packet before aborting. The setting ‘2’ limits the possibility of a DoS attack 

without affecting normal users. This setting reduces the effort expended on unresponsive 

connections. 

4.7.1.8 TcpMaxDataRetransmissions 

machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxdataretransmissions=4, 3 

The ‘tcpmaxdataretransmissions’ defines the number of times unacknowledged data is retransmitted 

before disconnection. The setting ‘3’ reduces the success of a DoS attack. This is 

achieved by reducing the effort expended on unresponsive connections. 

4.7.1.9 PerformRouterDiscovery 

machine\system\currentcontrolset\services\tcpip\parameters\performrouterdiscovery=4, 0 

The ‘performrouterdiscovery’ value controls the use of Internet Router Discovery Protocol. The 

setting ‘0’ disables discovery and forces the use of known routers. If the system were to discover 

routers, an attacker could redirect packets to another destination. 

4.7.1.10 TCPMaxPortsExhausted 

machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxportsexhausted=4, 5 

The ‘tcpmaxportsexhausted’ value controls the point which SYN-ATTACK protection begins. 

The setting ‘5’ causes protection to start after five failures. This is the Microsoft standard for 

TCP/IP. The setting is a balance between performance and security. 

4.7.1.11 TCPMaxHalfOpen 

machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxhalfopen=4, 100 

The ‘tcpmaxhalfopen’ value defines the number of connections in the SYN state table before 

SYN attack protection begins. The setting of ‘100’ initiates SYN attack protection when the state 

table reaches one hundred connections. 



4.7.1.12 TCPMaxHalfOpenRetired 

machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxhalfopenretired=4, 80 

The ‘tcpmaxhalfopenretired’ value determines how many connections the server can maintain in 

the half-open state. The setting ‘80’ initiates SYN attack protection when the state table reaches 

eighty connections. 

4.7.1.13 NoNameReleaseOnDemand (TCP/IP) 

machine\system\currentcontrolset\services\tcpip\parameters\nonamereleaseondemand=4, 1 

The ‘nonamereleaseondemand’ registry determines if a system will release its NetBIOS name to 

another computer on request. The setting ‘1’ prevents disclosure of NetBIOS information. 

4.7.2 AFD.SYS Settings 

4.7.2.1 DynamicBacklogGrowthDelta 

machine\system\currentcontrolset\services\afd\parameters\dynamicbackloggrowthdelta=4, 10 

The ‘dynamicbackloggrowthdelta’ value defines the number of free connections to create when 

deemed necessary. The setting ‘10’ creates ten additional free connections. This setting ensures 

additional resources are not applied too quickly, avoiding a potential DoS condition. 

4.7.2.2 EnableDynamicBacklog 

machine\system\currentcontrolset\services\afd\parameters\enabledynamicbacklog=4, 1 

The ‘enabledynamicbacklog’ value enables dynamic backlog. The setting ‘1’ enables the 

backlog. This ensures the system manages port resources in a manner that mitigates DoS attacks. 

4.7.2.3 MinimumDynamicBacklog 

machine\system\currentcontrolset\services\afd\parameters\minimumdynamicbacklog=4, 20 

The ‘minimumdynamicbacklog’ value controls the minimum number of free ports on a listening 

end point. The setting ‘20’ allows a system to create more if there is less than twenty available. 

The setting is intended to ensure resources are available and limit the threat of DoS conditions. 

4.7.2.4 MaximumDynamicBacklog 

machine\system\currentcontrolset\services\afd\parameters\maximumdynamicbacklog=4, 

20000 

The ‘maximumdynamicbacklog’ value controls the number of ‘quasi-free’ connections allowed 

on a listening end point. The setting ‘20,000’ is recommended to mitigate a DoS attack. The 

setting reduces the resources allocated to incomplete connections. If creating additional free 

ports exceeds the value, a system will not be able to maintain additional sessions. 




4.7.3 Other Security Related Settings 

4.7.3.1 NoNameReleaseOnDemand (NetBIOS) 

machine\system\currentcontrolset\services\netbt\parameters\nonamereleaseondemand=4, 1 

The ‘nonamereleaseondemand’ value determines if a system releases its NetBIOS name upon a 

name-release request. The setting ‘1’ prevents a system from releasing the NetBIOS name, other 

than to WINS servers. This reduces information it provides to an unauthorized user. 

4.7.3.2 Enable the computer to stop generating 8.3 style filenames 

machine\system\currentcontrolset\control\filesystem\ntfsdisable8dot3namecreation=4, 1 

The ‘ntfsdisable8dot3namecreation’ value determines if a system will generate 8.3 file names. 

The setting ‘1’ prevents the 8.3 filename format. Generation of 8.3 file makes the task of name 

guessing easier for an attacker. Disabling this ensures only the full name is used to reference 

files. 

4.7.3.3 NoDriveTypeAutoRun 

machine\software\microsoft\windows\currentversion\policies\explorer\nodrivetypeautorun=4,2 

55 

The ‘nodrivetypeautorun’ value determines if autorun is enabled on connected drives. The 

setting ‘255’ disables autorun for all drives on the system. This ensures privileged users do not 

run unapproved software. Without restrictions, unapproved software may run inadvertently. 

4.7.3.4 The time in seconds before the screen saver grace period expires (0 

recommended) 

machine\system\software\microsoft\windowsnt\currentversion\winlogon\screensavergraceperi 

od=4, 0 

The ‘screensavergraceperiod’ value determines the amount of time (in seconds) to enforce the 

screen saver password. The setting ‘0’ enforces password lock with no time delay. This provides 

an immediate lock when the idle threshold is reached. 

4.7.3.5 Warning Level 

machine\system\currentcontrolset\services\eventlog\security\warninglevel=4, 90 

The ‘warninglevel’ value determines the maximum amount of security logs before a warning 

event is triggered. The setting ‘90’ triggers a warning when the Security log reaches 90% 

capacity. This will afford sufficient time to reset the log and determine reasons for the warning. 



4.7.3.6 Enable Safe DLL search mode (recommended) 

machine\system\currentcontrolset\control\session manager\safedllsearchmode=4, 1 

The ‘safedllsearchmode’ value determines the order DLLs are searched. The setting ‘1’ 

commands the system to first look in the PATH, then the current folder. This order ensures files 

in the current foder do not run in place of files in the users PATH. 

4.7.3.7 Disable Autorun on CD-ROM 

machine\system\currentcontrolset\control\services\CDRom\AutoRun=4, 1 

The ‘Disable Autorun on CD-Rom’ prevents automatic execution of programs upon insertion of 

a CD. The setting ‘1’disables the Autorun feature. This helps reduce the threat of malicious code 

infection through CD-Rom. 

4.7.3.8 Disable Administrative Shares 

machine\system\currentcontrolset\control\services\LanmanServer\Parameters\AutoShareServ 

er=4, 0 

The ‘AutoShareServer’ value determines if disk drives have administrative shares. The setting 

‘0’ disables administrative shares. 

4.7.3.9 Disable DCOM 

machine\Software\Microsoft\OLE\EnableDCOM=4, 0 

The ‘EnableDCOM’ value determines if DCOM is active. The setting ‘0’disables DCOM. 

4.7.4 Manual Activities 

The following elements could not be automated. They must be manually configured. 

NOTE: 

For 4.7.4.1 through 4.7.4.3, use the following procedure to reach the “Computer 

Configuration” level in either MMC (for Workgroup server) or Active Directory (for 

domain server). 

For a Domain server do the following: 

1. Invoke “Active Directory”. 

2. Right click “Public Server” OU and select “Properties”. 

3. Select the “Group Policy” tab. 

4. Select “CSE High Security – Baseline Policy”. 

5. Click “Edit”. 

The Computer Configuration entry is now displayed on the screen. 




For a Workgroup system do the following: 

1. Open a command window. 

2. Enter “MMC” and press “Enter”. 

3. “Console 1” dialog opens. 


5. Select “Add/Remove Snap-in”. 

6. “Add/Remove Snap-in” dialog displayed. 


8. “Add Standalone Snap-in” dialog displayed. 

9. Browse to and select “IP Security Policy Management”. 


11. “Select Computer or Domain” dialog displayed. 

12. Accept defaults and click “”Finish”. 



15. In the “root Console Window” 

16. Select “Group Policy Object Editor” 

17. Click on “Add”. 

18. “Select Group Policy Object” window opens. 

19. Click “Finish” to accept defaults. 



22. Click “+” beside “Local Computer Policy”. 

The Computer Configuration entry is now displayed on the screen. 

4.7.4.1 Set client connection encryption level 

Computer configuration\Administrative Templates\Windows Components\Terminal 

Services\Encryption and Security\Set client connection encryption level=High 

The “Set client encryption level” setting uses 128-bit encryption to protect Terminal Service 

sessions. This policy sets the value to High. 



4.7.4.2 Always prompt client for password upon connection 

Computer configuration\Administrative Templates\Windows Components\Terminal 

Services\Encryption and Security \Always prompt client for password upon 

connection\=Enabled 

The “Always prompt client for password upon connection\=Enabled” setting forces the user to 

logon to the local service. This policy enables password challenge upon connection. 

4.7.4.3 Report Errors 

Computer configuration\Administrative Templates\System\Error Reporting\=Disabled 

The “Error Reporting\=Disabled” setting prevents the system from reporting error conditions to 

Microsoft. 

4.7.4.4 Remove POSIX Subsystem Registry Key 

machine\system\currentcontrolset\control\session manager\subsystems\posix 

The ‘posix’ value determines if the POSIX subsystem is supported. This policy deletes the key. 

This prevents inadvertent use of the subsystem. 

4.7.4.5 Set BIOS Password 

The system BIOS should be password protected. This follows vendor specific procedures that are 

not outlined in this document. 

4.7.4.6 Disable Memory Dump 

Control Panel/System Properties/Advanced/Startup and Recovery-SettingsWrite Debugging 

Information=None 

The ability to dump memory in case of a program failure should be disabled. The likelihood of 

requiring a memory dump is low, however, if needed you may temporarily enable it. 

4.7.4.7 Boot Immediately to Windows 

My Computer/Properties/Advanced/Startup and Recovery-Settings/Time to display list of 

operating systems=0 

The ‘Time to display list of operating systems’ value determines the number of seconds the 

system displays Operating System options at boot time. The setting ‘0’ prevents alternate boot 

during normal operations. 

4.7.4.8 Disassociate .reg Files from the Registry Editor 

1. Start/Settings/Control Panel/Folder Options 

2. Select ‘REG’extension 




3. Click ‘Delete’ and Yes’ in the confirmation window 

4. Click ‘Close’ 

Disassociating the .reg extension from the registry editor prevents inadvertent modification of 

the registry. 

4.7.4.9 Remove Unnecessary Programs 

Start->Control Panel=>Add Remove Programs=>Add/Remove Window Components 

Remove CHAT. 

4.7.5 Access Controls 

Important files and registry values on the system should be protected. A good way of doing this 

is by use of Access Controls. The following sections provide suggestions for access controls. 

NOTE: 

Each installation must ensure the settings that follow are appropriate for their own 

environment. 



4.7.5.1 General File Access Controls 

Table 1 – General File Access Controls 

File/Folder Name 

Audit 

Administrators 

& System 

Authenticated 

Users 

Found 

Value 

C:\ Full Control Read 

C:\*.* Full Control Full Control 

C:\boot.ini S&F Full Control N/a 

C:\ntdetect.com S&F Full Control N/a 

C:\ntldr S&F Full Control N/a 

C:\ntbootdd.sys S&F Full Control N/a 

C:\autoexec.bat S&F Full Control Read 

C:\config.sys S&F Full Control Read 

C:\Program Files F Full Control Read & Execute 

C:\IO.sys S&F Full Control Change 

C:\MSDOS.sys S&F Full Control Change 

C:\Documents and Settings\All Users F Full Control Change 

C:\Documents and Settings\All Users\Documents F Full Control Read 

C:\Documents and Settings\All Users\Application Data F Full Control Read & Create 

C:\temp\*.* and subdirectories Full Control Traverse, Add 

C:\Users and subdirectories F Admin:rwxd 

Full Control 

C:\Users\Default and subdirectories F System: Full 

Control 

List 

Read Write 

Execute 

C:\WIN32APP and subdirectories S&F Full Control Read 

%windir% and subdirectories F Full Control Change 

%windir%\*.* F Full Control Read 

%windir%\*.ini F Full Control Change 

%windir%\LocalMon.dll Full Control Read 

%windir%\PrintMan.hlp Full Control Read 

%windir%\config\*.* S&F Full Control List 

%windir%\Help\*.* Full Control Read & Execute 

%windir%\repair\*.* and subdir S&F Administrator N/a 

%windir%\security S&F Full Control Read & Execute 





Audit 


& System 

Authenticated 

Users 

Found 

Value 

%windir%\system\*.* S&F Full Control Read 

%windir%\system32 F Full Control Read 

%windir%\system32\ 

autoexec.nt 

cmos.ram 

config.nt 

midimap.cfg 

S&F Full Control change 

%windir%\system32\passport.mid S&F Full Control Full Control 

%windir%\system32\CatRoot S&F Full Control N/a 

%windir%\system32\config S&F Full Control List 

%windir%\system32\config\*.* S&F Full Control List 

%windir%\system32\config\userdef S&F Full Control 

System:change 

Read 

%windir%\system32\dhcp and subdir Full Control Read 

%windir%\system32\dllcache S&F Full Control N/a 

%windir%\system32\drivers S&F Full Control Read 

%windir%\system32\ias S&F Full Control Read & Execute 

%windir%\system32\inetserv\Metabase.bin S&F Full Control Read & Execute 

%windir%\system32\inetserv\metaback S&F Full Control N/a 

%windir%\system32\mui S&F Full Control N/a 

%windir%\system32\os2\dll\oso001.009 Full Control Read 

%windir%\system32\os2\DLL\Doscalls.dll Full Control Read 

%windir%\system32\os2\dll\netapi.dll Full control Full control 

%windir%\system32\RAS\ S&F Full Control Read 

%windir%\system32\RAS\*.* S&F Full Control Read 

%windir%\system32\repl\export Full Control Change 

%windir%\system32\repl\export\scripts Full Control Read 

%windir%\system32\repl\ export\scripts\*.* Full Control Read 

%windir%\system32\repl\import Full Control Change 

%windir%\system32\repl\import\*.* Full Control Change 

%windir%\system32\repl\import\scripts\ Full Control Read 

%windir%\system32\repl\import\scripts\*.* Full Control Read 




Audit 


& System 

Authenticated 

Users 

Found 

Value 

%windir%\system32\ShellExt S&F Full Control N/a 

%windir%\system32\spool\ and subdir F Full Control Read 

%windir%\system32\spool\drivers\w32x86\1 Full Control Full Control 

%windir%\system32\spool\drivers\w32x86\winprint.dll Full Control Read 

%windir%\system32\Viewers\*.* F Full Control N/a 

%windir%\system32\wbem F Full Control Read & Execute 

%windir%\system32\wbem\mof S&F Full Control Read & Execute 

%windir%\system32\wins and subdir F Full Control Full Control 

%windir%\twain_32 Full Control File, Add Subdir 

%windir%\web Full Control Read & Execute 

%userprofile% F Full Control N/a 




4.7.5.2 General Registry Access Controls 

Table 2 – General Registry Access Controls 

Hive/Key Name Audit Administrator & 

System 

Authenticated 

Users 

HKLM\Software S&F Full Control Read 

HKLM\Software\Classes\helpfile F Full Control Read 

HKLM\Software\Classes\.hlp F Full Control Read 

HKLM\Software\Microsoft\Command Processor S&F Full Control Read 

HKLM\Software\Microsoft\Cryptography S&F Full Control Read 

HKLM\Software\Microsoft\Driver Signing S&F Full Control Read 

HKLM\Software\Microsoft\EnterpriseCertificates S&F Full Control Read 

HKLM\Software\Microsoft\Non-DriverSigning S&F Full Control Read 

HKLM\Software\Microsoft\NetDDE S&F Full Control Read 

HKLM\Software\Microsoft\Ole F Full Control Read 

HKLM\Software\Microsoft\Rpc S&F Full Control Read 

HKLM\Software\Microsoft\Secure S&F Full Control Read 

HKLM\Software\Microsoft\SystemCertificates S&F Full Control Read 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run S&F Full Control Read 

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce S&F Full Control Read 

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Aedebug S&F Full Control Read 

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\AsrCommands S&F Full Control Read 

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Classes F Full Control Read 

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Console F Full Control Read 

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\DiskQuota F Full Control Read 

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Drivers32 S&F Full Control Read 

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Font Drivers F Full Control Read 

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\FontMapper F Full Control Read 

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Image File 

Execution Options 

S&F Full Control Read 

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\IniFileMapping S&F Full Control Read 

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\PerfLib S&F Full Control Read 

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ProfileList S&F Full Control Read 

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\SecEdit S&F Full Control Read 



Hive/Key Name Audit Administrator & 

System 

Authenticated 

Users 

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Svchost F Full Control Read 

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Time Zones S&F Full Control Read 

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Windows F Full Control Read 

HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon S&F Full Control Read 

HKLM\Software\Policies S&F Full Control Read 

HKLM\System S&F Full Control Read 

HKLM\System\CurrentControlSet\Services S&F Full Control Read 

HKLM\SYSTEM\CurrentControlSet\Services\Schedule S&F Full Control None 

HKLM\System\CurrentControlSet\Control\SecurePipeServiers\Winreg S&F N/A Everyone=none 

HKLM\System\CurrentControlSet\Control\Session Manager\Executive S&F Full Control Read 

HKLM\System\CurrentControlSet\Control\TimeZoneInformation S&F Full Control Read 

HKLM\System\CurrentControlSet\Control\WMI\Security S&F Full Control None 

HKLM\Hardware S&F Full Control Everyone:Read 

HKLM\SAM S&F Full Control Everyone:Read 

HKLM\Security S&F Full Control N/A 

Hkey_Users (HKU) S&F Full Control N/A 

HKU\.Default S&F Full Control Read 

HKU\.Default\Software\Microsoft\NetDDE S&F Full Control N/A 




4.7.6 Variance from Microsoft Guidance 

The following table provides a list of settings that differ between the CSE guidance and 

Microsoft guidance. The parameter is identified along with the CSE value and Microsoft value. 

Table 3 – Variance from Microsoft Member Server Baseline 

# Parameter CSE Value Microsoft Value 

1 Minimum Password Length 8 12 

2 Audit Policy Change Success/Fail Success 

3 Audit System Events Success/Fail Success 

4 Add Workstations to Domain None Administrators 

5 Backup Files and Directories Backup Operators and 


6 Bypass Traverse Checking Users, Backup 

Operators,Administrators and 

Authenticated Users 

Default 

Default 

7 Create a Pagefile Administrators Default 

8 Create a Token Object None Default 

9 Create Global Objects Service and Administrators Default 

10 Create Permanent Shared Objects None Default 

11 Deny Logon as a Service Guests, Anonymous Logon, 

Administrators, Built-in 

Administrator, 

Support_388945a0 and Guest 

12 Deny Logon Locally Guests, Anonymous Logon, 

Built-in Administrator, 


Default 

Default 

13 Force shutdown from remote 

system 

None 


14 Lock Pages in Memory None Administrators 

15 Logon as a Service Network Service and Local 

Service 

Default 

16 Administrator Account Status Disabled Enabled 

17 Interactive logon: Message text for 

users attempting to logon 

18 Interactive logon: Message title for 

users attempting to log on 

19 Interactive Logon: Require Smart 

Card 

Departmental entry 

required 


required 

Do not require smart card 

“This system is restricted….” 

“IT IS AN OFFENSE….” 

Default 




20 Network Access: Allow 

Anonymous SID/Name Translation 

21 Network Access: Remotely 

accessible Registry paths 


accessible registry paths and subpaths 

23 

Network Security: Force logoff 

when logon hours expire 

Disabled 

None 

None 

Enabled 

Default 

System\CurrentControlSet\Control\Pr 

oduct Options 

System\CurrentControlSet\Control\S 

erver Applications 

Software\Microsoft\Windows 

NT\Current Version 


int\Printers 

System\CurrentControlSet\Services\E 

ventlog 

Software\Microsoft\OLAP Server 


NT\CurrentVersion\Print 


NT\CurrentVersion\Windows 

System\CurrentControlSet\Control\C 

ontentIndex 

System\CurrentControlSet\Control\T 

erminal Server 


erminal Server\UserConfig 


erminal 

Server\DefaultUserCOnfiguration 


NT\CurrentVersion\Perflib 

System\CurrentControlSet\services\S 

ysmonLog 

Default 

24 System Cryptography: Use FIPS 

compliant algorithms for 

encryption, hashing and signing 

25 Use Certificate Rules on Windows 

Executables for Software 

Restriction Policies 

26 Retention method for Application 

log 

Enabled 

Disabled 

Do not overwrite 

Disabled 

Default 

As needed 





27 Retention method for Security log Do not overwrite As needed 

28 Retention method for System log Do not overwrite As needed 

29 Automatic Updates Service Disabled Automatic 

30 Background Intelligent Transfer 

Service 

Disabled 

Manual 

31 Network Location Awareness Disabled Manual 

32 NTLM Security Support Provider Disabled Automatic 

33 Performance Logs and Alerts Disabled Manual 

34 Plug and Play Service Disabled Automatic 

35 Remote Administration Service Disabled Manual 

36 RemoteRegistry Service Disabled Automatic 

37 Server Service Disabled Automatic 

38 Terminal Services Disabled Automatic 

39 Windows Management 

Instrumentation Driver Extensions 

Disabled 

Manual 

40 WMI Performance Adapter Disabled Manual 

41 TCPMaxHalfOpen 100 No recommendation 

42 TCPMaxHalfOpenRetired 80 No recommendation 

43 NoNameReleaseOnDemand 

(TCP/IP) 

i) Enabled No recommendation 

44 Remove POSIX Subsystem 

Registry Key 


No recommendation 

45 Set BIOS Password Recommended No recommendation 

46 Disable Memory Dump Recommended No recommendation 

47 Boot Immediately to Windows Recommended ii) No Recommendation 

48 Disassociate .reg files from registry 

editor 


No Recommendation 



Table 4 – Variance from Microsoft Bastion Host Local Policy 


1 Minimum Password Length 8 12 

2 Audit Policy Change Success/Fail Success 

3 Audit System Events Success/Fail Success 

4 Add Workstations to Domain None Administrators 

5 Allow log on locally Administrators and Backup 

Operators 

6 Backup Files and Directories Backup Operators and 


7 Bypass Traverse Checking Users, Backup Operators, 

Administrators and 

Authenticated Users 


Default 

Default 

8 Create a Pagefile Administrators Default 

9 Create a Token Object None Default 

10 Create Global Objects Service and Administrators Default 

11 Create Permanent Shared Objects None Default 

12 Deny Logon as a Service Guests, Anonymous Logon, 

Administrators, Built-in 

Administrator, 


13 Deny Logon Locally Guests, Anonymous Logon, 

Built-in Administrator, 


Default 

Default 

14 Force shutdown from remote 

system 

None 


15 Lock Pages in Memory None Administrators 

16 Logon as a Service Network Service and Local 

Service 

Default 

17 Administrator Account Status Disabled Enabled 

18 Interactive logon: Message text for 

users attempting to logon 

19 Interactive logon: Message title for 

users attempting to log on 

20 Interactive Logon: Require Smart 

Card 

21 Network Access: Allow 

Anonymous SID/Name Translation 


required 


required 

Do not require smart card 

Disabled 

“This system is restricted….” 

“IT IS AN OFFENSE….” 

Default 

Default 






accessible Registry paths 


accessible registry paths and subpaths 

24 

Network Security: Force logoff 

when logon hours expire 

None 

None 

Enabled 


oduct Options 

System\CurrentControlSet\Control\S 

erver Applications 


NT\Current Version 


int\Printers 

System\CurrentControlSet\Services\E 

ventlog 

Software\Microsoft\OLAP Server 


NT\CurrentVersion\Print 


NT\CurrentVersion\Windows 

System\CurrentControlSet\Control\C 

ontentIndex 


erminal Server 


erminal Server\UserConfig 


erminal 

Server\DefaultUserCOnfiguration 


NT\CurrentVersion\Perflib 

System\CurrentControlSet\services\S 

ysmonLog 

Default 

25 System Cryptography: Use FIPS 

compliant algorithms for 

encryption, hashing and signing 

Enabled 

Disabled 

26 

Use Certificate Rules on Windows 

Executables for Software 

Restriction Policies 

Disabled 

Default 




27 Retention method for Application 

log 

Do not overwrite 

As needed 

28 Retention method for Security log Do not overwrite As needed 

29 Retention method for System log Do not overwrite As needed 

30 DNS Client Disable Enable 

31 Plug and Play Service Disabled Automatic 

32 TCPMaxHalfOpen 100 No recommendation 

33 TCPMaxHalfOpenRetired 80 No recommendation 

34 NoNameReleaseOnDemand 

(TCP/IP) 

35 Remove POSIX Subsystem 

Registry Key 

Enabled 




36 Set BIOS Password Recommended No recommendation 

37 Disable Memory Dump Recommended No recommendation 

38 Boot Immediately to Windows Recommended No Recommendation 

39 Disassociate .reg files from registry 

editor 


No Recommendation 




5 Role Based Server Policies 

The following policy files apply settings specific to the role they serve. They do not contain 

every setting required for a server; therefore apply these settings after the Baseline configuration. 

5.1 Role Based IPSec Policies 

Role based IP Security Policy is applied in a two-step process. The first step is to load the policy 

into the policy editor. The second step is to activate the policy. This is achieved with the Group 

Policy Editor. 

5.1.1 Load IPSec policy 

• Activate “Windows Explorer”. 

• Browse to location of desired IPSec policy file (must have .CMD extension). 

• Right click on policy command files and select “Open”. 

o Command window will open, execute the policy command file, and close. 

5.1.2 Activate IPSec Policy 

• Open a command window. 

• Enter “MMC” and press “Enter”. 

o “Console 1” dialog opens. 

• Click “File”. 

• Select “Add/Remove Snap-in”. 

o “Add/Remove Snap-in” dialog displayed. 

• Click “Add”. 

o “Add Standalone Snap-in” dialog displayed. 

• Browse to and select “IP Security Policy Management”. 

• Click “Add”. 

o “Select Computer or Domain” dialog displayed. 

• Accept defaults and click “”Finish”. 

• Click “Close”. 

• Click “OK”. 

• In the “Root Console Window”, click on “IP Security Policies on Local Computer”. 

• In right frame right click the desired IP Security policy and select “Assign”. 

• Right click the active policy and select “Properties”. 

Role Based Server Policies March 2004 117


• Select the “General” tab. 

• Click on the “Settings” button. 

o “Key Exchange Settings” dialog displayed. 

• Click the “Methods” button. 

o The “Key Exchange Methods” dialog displayed. 

• Remove all settings except the following (ensure they are in the order below): 

IKE 3DES SHA1 High (1024) 

IKE 3DES SHA1 Med (2) 



• Click “File”. 

• Click “Exit”. 

o “Microsoft Management Console” dialog displayed 

• Select “Yes” if you wish to save the settings (otherwise select “No”). 

5.2 Domain File Server Security Policy 

The domain-based file server allows authenticated users to access shared files in the domain. 

These shared files can use file protection to control access. Access attempts from outside a 

domain can authenticate with domain-based credentials. Once authenticated, access is granted 

based on domain policy. 

To fulfill file services, the Baseline configuration settings do not require further changes. 

5.2.1 Variance from Microsoft “Hardening File Servers” Guidance 

In the Microsoft hardening policy for Domain file servers, Distributed Files system and File 

Replication services are disabled. In the CSE Baseline configuration these same services are 

disabled; therefore they need not be disabled in the File Server policy. 

The remaining differences are a result of CSE and Microsoft Baseline configuration variance. 

It is important to note that the role-based policies cannot be viewed in isolation from the Baseline 

configuration. 

118 March 2004 Role Based Server Policies



5.2.2 [Service General Setting] 




"browser", 2, 



5.2.3 Domain File Server IPSec Policy 

The following file is supplied as part of the Microsoft Windows Server 2003 Security Guideline. 

The file must be modified to reflect correct domain controller addresses. Once modified, the 

procedure outlined in 5.1 Role Based IPSec Policies is used to apply the policy. 

REM (c) Microsoft Corporation 1997-2003 

REM Packet Filters for Server Hardening 

REM 

REM Name: PacketFilter-File.CMD 

REM Version: 1.0 

REM This CMD file provides the proper NETSH syntax for creating an IPSec Policy 

REM that blocks all network traffic to a File Server except for what is 

REM explicitly allowed as described in the Windows 2003 Server Solution Guide. 

REM Please read the entire guide before using this CMD file. 

REM Revision History 

REM 0000 - Original February 05, 2003 

REM 0000 - Original April 03, 2003 

:IPSec Policy Definition 

netsh ipsec static add policy name="Packet Filters - File" description="Server 

Hardening Policy" assign=no 

:IPSec Filter List Definitions 

netsh ipsec static add filterlist name="CIFS/SMB Server" description="Server 

Hardening" 

netsh ipsec static add filterlist name="NetBIOS Server" description="Server Hardening" 

netsh ipsec static add filterlist name="Terminal Server" description="Server 

Hardening" 



netsh ipsec static add filterlist name="Domain Member" description="Server Hardening" 

netsh ipsec static add filterlist name="Monitoring" description="Server Hardening" 

netsh ipsec static add filterlist name="Block Domain Access" description="Server 

Hardening" 

netsh ipsec static add filterlist name="ALL Inbound Traffic" description="Server 

Hardening" 

:IPSec Filter Action Definitions 

netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to 

Pass" action=permit 

netsh ipsec static add filteraction name=Block description="Blocks Traffic" 

action=block 

:IPSec Filter Definitions 

netsh ipsec static add filter filterlist="CIFS/SMB Server" srcaddr=any dstaddr=me 

description="CIFS/SMB Server Traffic" protocol=TCP srcport=0 dstport=445 


description="CIFS/SMB Server Traffic" protocol=UDP srcport=0 dstport=445 

netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me 

description="NetBIOS Server Traffic" protocol=TCP srcport=0 dstport=137 


description="NetBIOS Server Traffic" protocol=UDP srcport=0 dstport=137 





netsh ipsec static add filter filterlist="Terminal Server" srcaddr=any dstaddr=me 

description="Terminal Server Traffic" protocol=TCP srcport=0 dstport=3389 

netsh ipsec static add filter filterlist="Block Domain Access" srcaddr=me dstaddr=any 

description="Block Domain Access" protocol=TCP srcport=any dstport=1097 

netsh ipsec static add filter filterlist="ALL Inbound Traffic" srcaddr=any dstaddr=me 

description="ALL Inbound Traffic" protocol=any srcport=0 dstport=0 

REM NOTE: IP Address or server names of Domain Controllers must be hardcode into the 

dstaddr of the Domain Member filters defined below 

netsh ipsec static add filter filterlist="Domain Member" srcaddr=me 

dstaddr=192.168.0.1 description="Traffic to Domain Controller" protocol=any srcport=0 

dstport=0 

REM netsh ipsec static add filter filterlist="Domain Member" srcaddr=me 

dstaddr= description="Traffic to Domain Controller" protocol=any 

srcport=0 dstport=0 

REM NOTE: IP Address or server name of Monitoring server must be hard coded into the 

dstaddr of Monitoring filter defined below 

REM netsh ipsec static add filter filterlist="Monitoring" srcaddr=me dstaddr= description="Monitoring Traffic" protocol=any srcport=0 dstport=0 




:IPSec Rule Definitions 

netsh ipsec static add rule name="CIFS/SMB Server" policy="Packet Filters - File" 

filterlist="CIFS/SMB Server" kerberos=yes filteraction=SecPermit 

netsh ipsec static add rule name="NetBIOS Server Rule" policy="Packet Filters - File" 

filterlist="NetBIOS Server" kerberos=yes filteraction=SecPermit 

netsh ipsec static add rule name="Terminal Server Rule" policy="Packet Filters - File" 

filterlist="Terminal Server" kerberos=yes filteraction=SecPermit 

netsh ipsec static add rule name="Domain Member Rule" policy="Packet Filters - File" 

filterlist="Domain Member" kerberos=yes filteraction=SecPermit 

netsh ipsec static add rule name="Block Domain Access Rule" policy="Packet Filters - 

File" filterlist="Block Domain Access" kerberos=yes filteraction=Block 

REM netsh ipsec static add rule name="Monitoring Rule" policy="Packet Filters - File" 

filterlist="Monitoring" kerberos=yes filteraction=SecPermit 

netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet Filters - 

File" filterlist="ALL Inbound Traffic" kerberos=yes filteraction=Block 

5.3 Domain Print Server Policy 

The domain print server allows authenticated users access to shared printers. These shared 

printers use access controls. Users outside a domain can authenticate with domain-based 

credentials. Once authenticated, access is granted based on domain policy. 

To fulfill print services, the Baseline configuration settings do not require further changes. 

5.3.1 Variance from Microsoft “Hardening Print Servers” Guidance 

The Microsoft role-based policy for print servers has two activities: 1) Start the print spooler and 

2) disable “Microsoft network server: Digitally sign communications (always)”. The CSE policy 

also starts the print spooler but differs in the handling of signatures. The Microsoft Security 

Options section recommends disabling “Microsoft network server: Digitally sign 

communications (always)”. Their reason is the user community would not be able to view the 

status of their print jobs. We did not observe this limitation in our lab. As a result, the option to 

digitally sign communications is enabled. 

The remaining differences are a result of the CSE and Microsoft Baseline configuration variance. 

It is important to note that the role-based policies cannot be viewed in isolation from the Baseline 

configuration. 

5.3.2 [Registry Values] 

machine\system\currentcontrolset\control\securepipeservers\winreg\allowedpaths\machine=7,Sof 

tware\Microsoft\Windows 

NT\CurrentVersion\Print,System\CurrentControlSet\Control\Print\Printers 





"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCR 

SDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)" 

"browser", 2, 



"spooler", 2, 



5.3.4 Domain Print Server IPSec Policy 

The following file is supplied as part of the Microsoft Windows Server 2003 Security Guideline. 

The file must be modified to reflect domain controller addresses. Once modified the procedure 

outlined in 5.1 Role Based IPSec Policies is used to apply the policy. 



REM 















Hardening" 






Hardening" 

netsh ipsec static add filterlist name="Domain Member" description="Server Hardening" 

netsh ipsec static add filterlist name="Monitoring" description="Server Hardening" 

netsh ipsec static add filterlist name="Block Domain Access" description="Server 

Hardening" 


Hardening" 





action=block 
















netsh ipsec static add filter filterlist="Block Domain Access" srcaddr=me dstaddr=any 

description="Block Domain Access" protocol=TCP srcport=any dstport=1097 



REM NOTE: IP Address or server names of Domain Controllers must be hard coded into the 

dstaddr of the Domain Member filters defined below 

netsh ipsec static add filter filterlist="Domain Member" srcaddr=me 

dstaddr=192.168.0.1 description="Traffic to Domain Controller" protocol=any srcport=0 

dstport=0 

REM netsh ipsec static add filter filterlist="Domain Member" srcaddr=me 

dstaddr= description="Traffic to Domain Controller" protocol=any 

srcport=0 dstport=0 

REM NOTE: IP Address or server name of Monitoring server must be hard coded into the 

dstaddr of Monitoring filter defined below 



REM netsh ipsec static add filter filterlist="Monitoring" srcaddr=me dstaddr= description="Monitoring Traffic" protocol=any srcport=0 dstport=0 








netsh ipsec static add rule name="Domain Member Rule" policy="Packet Filters - File" 

filterlist="Domain Member" kerberos=yes filteraction=SecPermit 

netsh ipsec static add rule name="Block Domain Access Rule" policy="Packet Filters - 

File" filterlist="Block Domain Access" kerberos=yes filteraction=Block 

REM netsh ipsec static add rule name="Monitoring Rule" policy="Packet Filters - File" 

filterlist="Monitoring" kerberos=yes filteraction=SecPermit 


File" filterlist 

5.4 Workgroup File Server Policy 

The workgroup file server allows authenticated users access to shared files on a system. These 

shared files can use file protection to control access. Users who access the file server can 

authenticate with user-based credentials. Once authenticated, access is granted based on user 

policy. 


Differences are a result of the CSE and Microsoft Baseline configuration variance. 


machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,4 








"browser", 2, 






5.4.4 Workgroup File Server IPSec Policy 

The following file has been modified from the one supplied as part of the Microsoft Windows 

Server 2003 Security Guideline. The procedure outlined in 5.1 Role Based IPSec Policies is used 

to apply the policy. 



REM 















Hardening" 



Hardening" 


Hardening" 







action=block 


























File" filterlist="ALL Inbound Traffic" kerberos=yes filteraction=Block 

5.5 Workgroup Print Server Policy 

The workgroup print server allows authenticated users to access shared printers on the system. 

Access to these shared printers can be controlled. Users who attempt to access print servers can 

authenticate with user-based credentials. Once authenticated, appropriate access is granted. 


Differences are a result of the CSE and Microsoft Baseline configuration variance. 






machine\system\currentcontrolset\control\print\providers\lanman print 

services\servers\addprinterdrivers=4,0 











"browser", 2, 



"spooler", 2, 



5.5.4 Workgroup Print Server IPSec Policy 

The following file has been modified from the Microsoft Windows Server 2003 Security 

Guideline. The CSE IPSec policy does not reference Domain Controllers. Run the file as a 

command to load the policy. The procedure outlined in 5.1 Role Based IPSec Policies is used to 

apply the policy. 



REM 

REM Name: PacketFilter-Print.CMD 



REM that blocks all network traffic to a Print Server except for what is 









netsh ipsec static add policy name="Packet Filters - Print" description="Server 




Hardening" 



Hardening" 


Hardening" 





action=block 






















netsh ipsec static add rule name="CIFS/SMB Server" policy="Packet Filters - Print" 


netsh ipsec static add rule name="NetBIOS Server Rule" policy="Packet Filters - Print" 


netsh ipsec static add rule name="Terminal Server Rule" policy="Packet Filters - 

Print" filterlist="Terminal Server" kerberos=yes filteraction=SecPermit 


Print" filterlist="ALL Inbound Traffic" kerberos=yes filteraction=Block 







6 Server Policy Compliance: Inspection and Enforcement 

The manual approach for policy compliance is a feature of the Microsoft Operating System. This 

approach uses Microsoft Management Console (MMC) with the ‘Security Configuration and 

Analysis’ snap-in. This process applies to both the Domain and Workgroup environments. 

Appropriate configurations for the target server are required. Policies are loaded in MMC, the 

system is analyzed, and the results are presented on screen. If permissions do not match policy 

settings, items are identified with a red ‘x’ or the term ‘Investigate’. 

6.1 Configuration of Microsoft Management Console (MMC) 

The following steps perform compliance inspection with MMC. 

a. Open a ‘Command Prompt’ window. 

b. At the command prompt, type ‘mmc’. 

i. The ‘Console1’ GUI opens. 

c. Select File =>Add/Remove Snap-in. 

i. ‘Add/Remove Snap-in’ window appears. 

d. Click on ‘Add’ button. 

i. ‘Add Stand-alone Snap-in’ window opens. 

e. Scroll down to, and select ‘Security Configuration and Analysis’. 

f. Click ‘Add’ button. 

g. Click ‘Close’ button. 

i. Control is returned to the ‘Add/Remove Snap-in’ window. 

h. Click ‘OK’ button. 

6.2 Load Policy File and Computer Configuration 

Effective policy files for a system under inspection must be available. They consist of a Baseline 

configuration file and a role specific policy file. For a domain-based print server, “CSE High 

Security – Member Server Baseline.inf” and “CSE High Security – Member File Server.inf “ are 

used. Based on your Active Directory and policy files within your structure, additional files may 

be required. 

To load a policy file: 

a. Ensure the ‘Console1’ window is active. 

b. Right click on ‘Security Configuration and Analysis’. 

c. Select ‘Open Database’. 

i. The ‘Open Database’ window opens. 

d. Enter a name for the database (e.g. systemname-date). 

Compliance Inspection and Enforcement March 2004 131


e. Click ‘Open’ button. 

i. ‘Import Template’ window opens. 

f. Browse to the location of the Baseline configuration file and select it. 

g. Select ‘Clean this database before importing’. 

h. Click ‘Open’ button. 

i. Right click on ‘Security Configuration and Analysis’. 

j. Click ‘Import Template’. 

i. ‘Import Template’ window opens. 

k. Browse to the location of the role based policy file and select it. 

l. Click ‘Open’ button. 

m. Right click ‘Security Configuration and Analysis’. 

n. Select ‘Analyze Computer Now’. 

i. ‘Perform Analysis’ window opens. 

o. Click ‘OK’ to accept the log file location and perform analysis. 

6.3 Compare Resultant Policy and Computer Settings 

a. Click on the ‘+’ to expand ‘Security Configuration and Analysis’. 

b. Click on the ‘+’ to expand ‘Account Policies’. 

c. Click on ‘Password Policies’ (right side frame shows settings). 

NOTE: If any item in the database does not match the computer setting, a small 

red ‘x’ in the ‘Policy’ column appears. 

d. Repeat the process for all sub-groups in ‘Account Policies’, ‘Local Policies’, and 

‘Event Logs’. 

e. Click on ‘System Services’ (right frame shows service settings). 

NOTE: If any item in the database does not match the computer setting, a small 

red ‘x’ in the ‘System Service’ column appears. Additionally, if the security 

setting does not match, the ‘Permission’ column will display ‘Investigate’. 

f. To reset the configuration, simply reapply the policy. A domain server can be 

rebooted to force application of the policy. 

g. Policy configuration for a workgroup server must be reapplied manually. Please 

follow the procedure outlined in 5.1 Role Based IPSec Policies. 

132 March 2004 Compliance Inspection and Enforcement



Bibliography 

Author: Ben Smith and Brian Komer (with the Microsoft Security Team) 

Title: Microsoft Windows Security Resource Kit 

Editor: Julie Miller 

Edition: 1 st 

Publication Data: 

Publisher: Microsoft Press 

Place: One Microsoft Way 

Redmond, Washington 98052-6399 

Author: Kurt Dillard, Jose Maldonado and Brad Warrender 

Title: Microsoft Solutions for Security: Windows Server 2003 Security Guide 

Editor: Ried Bannecker, Wendy Cleary, John Cobb, Kelly McMahon and Jon Tobey 

Edition: 1 st 


Publisher: Microsoft Corporation 



Author: Kurt Dillard 

Title: Microsoft Solutions for Security: Threats and Countermeasures: Security Settings 

in Windows Server 2003 and Windows XP 

Editor: Ried Bannecker, John Cobb and Jon Tobey 

Edition: 1 st 





Author: Microsoft Press 

Title: Microsoft Windows Server 2003 Automating and Customizing Installations 

Editor: Maureen Willams Zimmerman 

Edition: 1 st 





Compliance Inspection and Enforcement March 2004 133



134 March 2004 Compliance Inspection and Enforcement



Annex A 

The Annex contains ‘raw’ files previously referenced in this document. Modify the contents with 

a text editor to manually create installation or policy files. Feel free to cut and paste as needed. 

A.1 Automated Domain Installation File 

; 

; Installation configuration file for Member Server of Domain 

; 

; To be used with the CSE Member Server Baseline configuration to install 

; and configure a secure Domain Server 

; 

; 

[Data] 




[GuiUnattended] 

AdminPassword="A_Strong_Password" 

OemSkipWelcome=1 


TimeZone=035 

AutoLogon=No 

[Identification] 

DomainAdmin=administrator 

DomainAdminPassword="A_Strong_Password" 

JoinDomain="cse-lab.local" 

MachineObjectOU="OU=File Servers, OU=Public Servers, DC=cse-lab, DC=local" 

Bibliography January 2003 135


[LicenseFilePrintData] 


AutoUsers=5 

[Unattended] 









[UserData] 

ComputerName=DServer1 

FullName="SEBT" 

OrgName="CSE-CST" 


[params.MS_TCPIP.Adapter01] 


DisableDynamicUpdate=No 

EnabelAdapterDomainNameregistration=No 

DefaultGateway=192.163.0.1 

DHCP=Yes 

DNSDomain=cse-lab.local 


Subnetmask=255.255.255.0 

136 March 2004 Bibliography



[NetOptionalComponents] 


DNS=0 

IAS=0 

ILS=0 

LDPSVC=0 

MacPrint=0 

MacSrv=0 

Netcm=0 

NetMonTools=0 

SimpTcp=0 

SNMP=0 

WINS=0 

[Compoents] 

AccessOpt=On 


aspnet=Off 




Calc=On 

certsrv=On 



charmap=On 

chat=Off 

Clipbook=Off 

cluster=Off 


deskpaper=Off 



dialer=Off 

fax=Off 



freecell=Off 

hearts=Off 

hypertrm=Off 

IEAccess=Off 

iis_asp=Off 


iis_ftp=Off 



iis_nntp=Off 


iis_smpt=Off 



iis_www=Off 



inetprint=Off 





mousepoint=On 


msmq_Core=Off 









msnexplr=Off 

mswordpad=On 

netcis=Off 

netoc=Off 

objectpkg=Off 

OEAccess=Off 

paint=Off 

pinball=Off 

Pop3Admin=Off 


Pop3Srv=Off 

rec=Off 

reminst=Off 


rstorage=Off 

solitaire=Off 

spider=Off 

templates=Off 



vol=Off 

WBEMSNMP=Off 

WMAccess=Off 

WMPOCM=Off 

wms=Off 



wms_isapi=Off 




zonegames=Off 

A.2 Automated Workgroup Installation File 

; 

; Installation configuration file for Member Server of Domain 

; 

; To be used with the CSE Member Server Baseline configuration to install 

; and configure a secure Domain Server 

; 

; 

[Data] 




[GuiUnattended] 

AdminPassword="A_Strong_Password" 

OemSkipWelcome=1 


TimeZone=35 

AutoLogon=No 

[Identification] 

JoinWorkgroup=cse-lab 

[LicenseFilePrintData] 


AutoUsers=5 




[Unattended] 




TargetPath=WINDOWS 

UnattendMode=FullUnattended 




[UserData] 

ComputerName=BServer1 

FullName="sebt" 

OrgName="cse-cst" 

ProductKey=xxxx-xxxx-xxx-xxxx-xxxx 

[Networking] 

InstallDefaultComponents=No 

[NetAdapters] 

Adapter1=params.Adapter1 

[params.Adapter1] 

INFID=* 

[NetClients] 

MS_MSClient=params.MS_MSClient 



[NetServices] 

MS_SERVER=params.MS_SERVER 

[NetProtocols] 

MS_TCPIP=params.MS_TCPIP 

[params.MS_TCPIP] 

DNS=No 

UseDomainNameDevolution=No 

EnableLMHosts=Yes 

AdapterSections=params.MS_TCPIP.Adapter1 

[params.MS_TCPIP.Adapter1] 


DHCP=No 

IPAddress=192.168.0.5 

SubnetMask=255.255.255.0 

DefaultGateway=192.168.0.1 

WINS=No 


[NetOptionalComponents] 


DNS=0 

IAS=0 

ILS=No 

LPDSVC=0 

MacPrint=0 

MacSrv=0 

Netcm=0 

NetMonTools=0 




SimpTcp=0 

SNMP=0 

WINS=0 

[Compoents] 

AccessOpt=On 


aspnet=Off 




Calc=On 

certsrv=On 



charmap=On 

chat=Off 

Clipbook=Off 

cluster=Off 


deskpaper=Off 

dialer=Off 


fax=Off 



freecell=Off 

hearts=Off 

hypertrm=Off 

IEAccess=Off 

iis_asp=Off 




iis_ftp=Off 



iis_nntp=Off 


iis_smpt=Off 



iis_www=Off 



inetprint=Off 





mousepoint=On 


msmq_Core=Off 






msnexplr=Off 

mswordpad=On 

netcis=Off 

netoc=Off 

objectpkg=Off 

OEAccess=Off 




paint=Off 

pinball=Off 

Pop3Admin=Off 


Pop3Srv=Off 

rec=Off 

reminst=Off 


rstorage=Off 

solitaire=Off 

spider=Off 

templates=Off 



vol=Off 

WBEMSNMP=Off 

WMAccess=Off 

WMPOCM=Off 

wms=Off 



wms_isapi=Off 


zonegames=Off 

A.3 CSE High Security – Member Server Baseline.inf 

[Unicode] 

Unicode=yes 

[Version] 

signature="$CHICAGO$" 



Revision=1 

[Profile Description] 

Description=Baseline template for all Member Servers in an environment with high security 

requirements. 

[System Access] 
















[System Log] 

MaximumLogSize = 16384 

AuditLogRetentionPeriod = 2 

RestrictGuestAccess = 1 

[Security Log] 




[Application Log] 







[Event Audit] 










[Registry Values] 

machine\system\software\microsoft\windows 

nt\currentversion\winlogon\screensavergraceperiod=4,0 

machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxportsexhausted=4,5 

machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxdataretransmissions=4,3 

machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxconnectresponseretransmissi 

ons=4,2 




machine\system\currentcontrolset\services\tcpip\parameters\synattackprotect=4,1 

machine\system\currentcontrolset\services\tcpip\parameters\performrouterdiscovery=4,0 

machine\system\currentcontrolset\services\tcpip\parameters\keepalivetime=4,300000 

machine\system\currentcontrolset\services\tcpip\parameters\enablepmtudiscovery=4,0 

machine\system\currentcontrolset\services\tcpip\parameters\enableicmpredirect=4,0 

machine\system\currentcontrolset\services\tcpip\parameters\enabledeadgwdetect=4,0 

machine\system\currentcontrolset\services\tcpip\parameters\disableipsourcerouting=4,2 

machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity=4,2 

machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1 

machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1 

machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4,1 



machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,1 

machine\system\currentcontrolset\services\netlogon\parameters\refusepasswordchange=4,0 

machine\system\currentcontrolset\services\netlogon\parameters\maximumpasswordage=4,30 

machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0 

machine\system\currentcontrolset\services\netbt\parameters\nonamereleaseondemand=4,1 

machine\system\currentcontrolset\services\ldap\ldapclientintegrity=4,1 

machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignatu 

re=4,1 

machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignatur 

e=4,1 

machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpasswo 

rd=4,0 

machine\system\currentcontrolset\services\lanmanserver\parameters\restrictnullsessaccess=4,1 

machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4, 

1 



machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,1 

machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4,1 

machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15 

machine\system\currentcontrolset\services\eventlog\security\warninglevel=4,90 

machine\system\currentcontrolset\services\afd\parameters\minimumdynamicbacklog=4,20 

machine\system\currentcontrolset\services\afd\parameters\maximumdynamicbacklog=4,20000 

machine\system\currentcontrolset\services\afd\parameters\enabledynamicbacklog=4,1 

machine\system\currentcontrolset\services\afd\parameters\dynamicbackloggrowthdelta=4,10 


machine\system\currentcontrolset\control\session manager\safedllsearchmode=4,1 

machine\system\currentcontrolset\control\session manager\protectionmode=4,1 

machine\system\currentcontrolset\control\session manager\memory 

management\clearpagefileatshutdown=4,1 

machine\system\currentcontrolset\control\session manager\kernel\obcaseinsensitive=4,1 





machine\system\currentcontrolset\control\securepipeservers\winreg\allowedexactpaths\machine= 

7, 



machine\system\currentcontrolset\control\lsa\submitcontrol=4,0 

machine\system\currentcontrolset\control\lsa\restrictanonymoussam=4,1 

machine\system\currentcontrolset\control\lsa\restrictanonymous=4,1 

machine\system\currentcontrolset\control\lsa\nolmhash=4,1 

machine\system\currentcontrolset\control\lsa\nodefaultadminowner=4,1 

machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminserversec=4,537395248 

machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminclientsec=4,537395248 


machine\system\currentcontrolset\control\lsa\limitblankpassworduse=4,1 

machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0 

machine\system\currentcontrolset\control\lsa\forceguest=4,0 

machine\system\currentcontrolset\control\lsa\fipsalgorithmpolicy=4,1 

machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous=4,0 

machine\system\currentcontrolset\control\lsa\disabledomaincreds=4,1 

machine\system\currentcontrolset\control\lsa\crashonauditfail=4,1 

machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0 

machine\system\currentcontrolset\control\filesystem\ntfsdisable8dot3namecreation=4,1 

machine\software\policies\microsoft\windows\safer\codeidentifiers\authenticodeenabled=4,0 

machine\software\policies\microsoft\cryptography\forcekeyprotection=4,2 

machine\software\microsoft\windows\currentversion\policies\system\undockwithoutlogon=4,0 

machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,0 

machine\software\microsoft\windows\currentversion\policies\system\scforceoption=4,0 

machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=7,This 

system is restricted to authorized users. Individuals attempting unauthorized access will be 

prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of 

the information in the background. 

machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1,"IT 

IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION." 



machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4 

,1 

machine\software\microsoft\windows\currentversion\policies\system\disablecad=4,0 


5 


machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,"1" 

machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14 

machine\software\microsoft\windows nt\currentversion\winlogon\forceunlocklogon=4,1 

machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,"0" 




machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand=4,0 

machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0 

machine\software\microsoft\driver signing\policy=3,1 

machine\system\currentcontrolset\control\services\LanmanServer\Parameters\AutoShareServer= 

4, 0 


[Privilege Rights] 





sechangenotifyprivilege = *S-1-5-32-545,*S-1-5-32-551,*S-1-5-11,*S-1-5-32-544 

secreateglobalprivilege = *S-1-5-6,*S-1-5-32-544 





sedenybatchlogonright = *S-1-5-32-546,*S-1-5-7 

sedenyinteractivelogonright = *S-1-5-32-546,*S-1-5-7 




sedenynetworklogonright = ,*S-1-5-32-546,*S-1-5-7 

sedenyremoteinteractivelogonright = *S-1-5-32-546,*S-1-5-7 

sedenyservicelogonright = *S-1-5-32-546,*S-1-5-7,*S-1-5-32-544 







selockmemoryprivilege = *S-1-5-32-544 

semachineaccountprivilege = *S-1-5-32-544 


senetworklogonright = *S-1-5-9,*S-1-5-11,*S-1-5-32-544 















[Service General Setting] 

"6to4", 4, 

"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDT 

LOCRSDRCWDWO;;;WD)" 



"alerter", 4, 


SDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDR 

CWDWO;;;WD)" 

"alg", 4, 



CWDWO;;;WD)" 

"appmgmt", 4, 



"appmgr", 4, 



CWDWO;;;WD)" 

"appmon", 4, 









CWDWO;;;WD)" 

"binlsvc", 4, 



"bits", 4, 



CWDWO;;;WD)" 

"browser", 2, 



CWDWO;;;WD)" 

"certsvc", 4, 



"cisvc", 4, 






CWDWO;;;WD)" 

"clipsrv", 4, 



CWDWO;;;WD)" 

"clussvc", 4, 






CWDWO;;;WD)" 







CWDWO;;;WD)" 

"dfs", 4, 



"dhcp", 2, 



CWDWO;;;WD)" 




"dmadmin", 3, 



CWDWO;;;WD)" 




CWDWO;;;WD)" 

"dns", 4, 








CWDWO;;;WD)" 




CWDWO;;;WD)" 

"ersvc", 4, 



CWDWO;;;WD)" 




CWDWO;;;WD)" 




CWDWO;;;WD)" 




"fax", 4, 






CWDWO;;;WD)" 

"helpsvc", 4, 



CWDWO;;;WD)" 

"hidserv", 4, 



CWDWO;;;WD)" 







CWDWO;;;WD)" 

"ias", 4, 



"iasjet", 4, 



CWDWO;;;WD)" 




CWDWO;;;WD)" 




CWDWO;;;WD)" 

"irmon", 4, 



"ismserv", 4, 



"kdc", 4, 












"lmhosts", 2, 





"lpdsvc", 4, 



"macfile", 4, 









"mnmsrvc", 4, 



"mqds", 4, 



"mqtgsvc", 4, 



"msdtc", 4, 









"msmq", 4, 


















"netdde", 4, 









"netman", 3, 



"nla", 4, 



"nntpsvc", 4, 



"ntfrs", 4, 



"ntlmssp", 4, 



"ntmssvc", 4, 

















"pop3svc", 4, 






"rasauto", 4, 



"rasman", 4, 





















"rpcss", 2, 









"sacsvr", 4, 



"saldm", 4, 



"samss", 2, 












"sens", 2, 









"simptcp", 4, 



"smtpsvc", 4, 



"snmp", 4, 








"spooler", 4, 



"sptimer", 4, 












"stisvc", 4, 



"swprv", 3, 






"tapisrv", 4, 









"tftpd", 4, 






"themes", 4, 



"tlntsvr", 4, 



"trksvr", 4, 



"trkwks", 4, 



"tssdis", 4, 






"ups", 4, 



"vds", 4, 



"vss", 3, 



"w32time", 2, 



"w3svc", 4, 














"winmgmt", 2, 



"wins", 4, 



"winsip", 4, 






"wmi", 4, 












"wzcsvc", 4, 



A.4 CSE High Security – Workgroup Server Baseline.inf 

[Unicode] 

Unicode=yes 

[Version] 


Revision=1 





Description=Baseline template for all Workgroup Servers in an environment with high security 

requirements. 

[System Access] 
















[System Log] 




[Security Log] 




[Application Log] 






[Event Audit] 











machine\system\software\microsoft\windows 

nt\currentversion\winlogon\screensavergraceperiod=4,0 

machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxportsexhausted=4,5 

machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxdataretransmissions=4,3 

machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxconnectresponseretransmissi 

ons=4,2 




machine\system\currentcontrolset\services\tcpip\parameters\synattackprotect=4,1 

machine\system\currentcontrolset\services\tcpip\parameters\performrouterdiscovery=4,0 

machine\system\currentcontrolset\services\tcpip\parameters\keepalivetime=4,300000 

machine\system\currentcontrolset\services\tcpip\parameters\enablepmtudiscovery=4,0 

machine\system\currentcontrolset\services\tcpip\parameters\enableicmpredirect=4,0 

machine\system\currentcontrolset\services\tcpip\parameters\enabledeadgwdetect=4,0 

machine\system\currentcontrolset\services\tcpip\parameters\disableipsourcerouting=4,2 

machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity=4,2 

machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1 

machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1 

machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4,1 

machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,1 




machine\system\currentcontrolset\services\netlogon\parameters\refusepasswordchange=4,0 

machine\system\currentcontrolset\services\netlogon\parameters\maximumpasswordage=4,30 

machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0 

machine\system\currentcontrolset\services\netbt\parameters\nonamereleaseondemand=4,1 

machine\system\currentcontrolset\services\ldap\ldapclientintegrity=4,1 

machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignatu 

re=4,1 

machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignatur 

e=4,1 

machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpasswo 

rd=4,0 

machine\system\currentcontrolset\services\lanmanserver\parameters\restrictnullsessaccess=4,1 

machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4, 

1 



machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,1 

machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4,1 

machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15 

machine\system\currentcontrolset\services\eventlog\security\warninglevel=4,90 

machine\system\currentcontrolset\services\afd\parameters\minimumdynamicbacklog=4,20 

machine\system\currentcontrolset\services\afd\parameters\maximumdynamicbacklog=4,20000 

machine\system\currentcontrolset\services\afd\parameters\enabledynamicbacklog=4,1 

machine\system\currentcontrolset\services\afd\parameters\dynamicbackloggrowthdelta=4,10 


machine\system\currentcontrolset\control\session manager\safedllsearchmode=4,1 

machine\system\currentcontrolset\control\session manager\protectionmode=4,1 

machine\system\currentcontrolset\control\session manager\memory 

management\clearpagefileatshutdown=4,1 

machine\system\currentcontrolset\control\session manager\kernel\obcaseinsensitive=4,1 


machine\system\currentcontrolset\control\securepipeservers\winreg\allowedexactpaths\machine= 

7, 





machine\system\currentcontrolset\control\lsa\submitcontrol=4,0 

machine\system\currentcontrolset\control\lsa\restrictanonymoussam=4,1 

machine\system\currentcontrolset\control\lsa\restrictanonymous=4,1 

machine\system\currentcontrolset\control\lsa\nolmhash=4,1 

machine\system\currentcontrolset\control\lsa\nodefaultadminowner=4,1 

machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminserversec=4,537395248 

machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminclientsec=4,537395248 


machine\system\currentcontrolset\control\lsa\limitblankpassworduse=4,1 

machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0 

machine\system\currentcontrolset\control\lsa\forceguest=4,0 

machine\system\currentcontrolset\control\lsa\fipsalgorithmpolicy=4,1 

machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous=4,0 

machine\system\currentcontrolset\control\lsa\disabledomaincreds=4,1 

machine\system\currentcontrolset\control\lsa\crashonauditfail=4,1 

machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0 

machine\system\currentcontrolset\control\filesystem\ntfsdisable8dot3namecreation=4,1 

machine\software\policies\microsoft\windows\safer\codeidentifiers\authenticodeenabled=4,0 

machine\software\policies\microsoft\cryptography\forcekeyprotection=4,2 

machine\software\microsoft\windows\currentversion\policies\system\undockwithoutlogon=4,0 

machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,0 

machine\software\microsoft\windows\currentversion\policies\system\scforceoption=4,0 

machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=7,This 

system is restricted to authorized users. Individuals attempting unauthorized access will be 

prosecuted. If unauthorized. 

machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1,"IT 

IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION." 

machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4 

,1 

machine\software\microsoft\windows\currentversion\policies\system\disablecad=4,0 





5 


machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,"1" 

machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14 

machine\software\microsoft\windows nt\currentversion\winlogon\forceunlocklogon=4,1 

machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,"0" 




machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand=4,0 

machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0 

machine\software\microsoft\driver signing\policy=3,1 

machine\system\currentcontrolset\control\services\LanmanServer\Parameters\AutoShareServer= 

4, 0 


[Privilege Rights] 





sechangenotifyprivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551,*S-1-5-11 

secreateglobalprivilege = *S-1-5-32-544,*S-1-5-6 





sedenybatchlogonright = *S-1-5-32-546,*S-1-5-7 

sedenyinteractivelogonright = *S-1-5-32-546,*S-1-5-7 

sedenynetworklogonright = *S-1-5-7,*S-1-5-32-546 

sedenyremoteinteractivelogonright = *S-1-5-32-546,*S-1-5-7 

sedenyservicelogonright = *S-1-5-32-546,*S-1-5-7 









selockmemoryprivilege = *S-1-5-32-544 

semachineaccountprivilege = *S-1-5-32-544 


senetworklogonright = *S-1-5-32-544,*S-1-5-11 
















"6to4", 4, 



"alerter", 4, 






"alg", 4, 



"appmgmt", 4, 



"appmgr", 4, 



"appmon", 4, 









"binlsvc", 4, 



"bits", 4, 



"browser", 4, 



"certsvc", 4, 



"cisvc", 4, 



"clipsrv", 4, 



"clussvc", 4, 














"dfs", 4, 



"dhcp", 4, 






"dmadmin", 3, 






"dns", 4, 









"ersvc", 4, 















"fax", 4, 






"helpsvc", 4, 



"hidserv", 4, 






"ias", 4, 



"iasjet", 4, 









"irmon", 4, 



"ismserv", 4, 





"kdc", 4, 












"lmhosts", 4, 



"lpdsvc", 4, 



"macfile", 4, 









"mnmsrvc", 4, 



"mqds", 4, 



"mqtgsvc", 4, 



"msdtc", 4, 












"msmq", 4, 















"netdde", 4, 









"netman", 3, 



"nla", 4, 



"nntpsvc", 4, 





"ntfrs", 4, 



"ntlmssp", 4, 



"ntmssvc", 4, 















"pop3svc", 4, 






"rasauto", 4, 



"rasman", 4, 
























"rpcss", 2, 






"sacsvr", 4, 



"saldm", 4, 



"samss", 2, 












"sens", 2, 











"simptcp", 4, 



"smtpsvc", 4, 



"snmp", 4, 






"spooler", 4, 



"sptimer", 4, 












"stisvc", 4, 



"swprv", 3, 









"tapisrv", 4, 









"tftpd", 4, 



"themes", 4, 



"tlntsvr", 4, 



"trksvr", 4, 



"trkwks", 4, 



"tssdis", 4, 






"ups", 4, 



"vds", 4, 





"vss", 3, 



"w32time", 2, 



"w3svc", 4, 












"winmgmt", 2, 



"wins", 4, 



"winsip", 4, 






"wmi", 4, 















"wzcsvc", 4, 



A.5 CSE High Security – Member File Server.inf 

; (c) Microsoft Corporation 1997-2003 

; 

; Security Configuration Template for Security Configuration Editor 

; 

; Template Name: High Security - Bastion Host.inf 

; Template Version: 1.0 

; 

;This Security Configuration Template provides settings to support the 

;Windows Server 2003 Bastion Host settings for the Windows 

;Server 2003 Security Guide. Please read the entire guide before using 

;this template. 

; 

; Release History 

; 0001 - Original April 23, 2003 

[Unicode] 

Unicode=yes 

[Version] 


Revision=1 







"browser", 2, 



A.6 CSE High Security – Member Print Server.inf 


; 


; 

; Template Name: High Security - Print Server.inf 


; 


;Windows Server 2003 Print Server Role settings for the Windows 



; 




Incremental Settings for a Print Server in an environment with high security requirements. 

[Unicode] 

Unicode=yes 

[Version] 





Revision=1 









"browser", 2, 



"spooler", 2, 



A.7 CSE High Security – Workgroup File Server.inf 


; 


; 



; 





; 





[Unicode] 

Unicode=yes 

[Version] 


Revision=1 







"browser", 2, 



A.8 CSE High Security – Workgroup Print Server.inf 


; 


; 



; 








; 



[Unicode] 

Unicode=yes 

[Version] 


Revision=1 










"browser", 2, 



"spooler", 2,

Windows Server 2003 Recommended Baseline Security

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?