Windows Server 2003 Recommended Baseline Security
Windows Server 2003 Recommended Baseline Security (ITSG-20)
4.3.2.3 Reset account lockout counter after
ResetLockoutCount = 15
The ‘ResetLockoutCount’ setting defines the length of time (in minutes) before a lockout reset occurs.
The setting ‘15’ resets the lockout counter to zero after fifteen minutes. This value needs to be
synchronized with ‘LockoutDuration’ so the user can log on when the ‘LockoutDuration’ has
expired.
4.3.3 Kerberos Policy
There are no Kerberos settings in the Workgroup Baseline configuration.
4.3.3.1 Enforce user logon restrictions
TicketValidateClient = 1
The ‘TicketValidateClient’ setting determines whether Kerberos V5 Key Distribution Centre authentication is
required. The setting ‘1’ requires the use of Kerberos authentication.
4.3.3.2 Maximum lifetime for the service ticket
MaxServiceAge = 600
The ‘MaxServiceAge’ setting defines the number of minutes a service ticket will be valid. The setting
‘600’ allows the ticket to be used for ten hours.
4.3.3.3 Maximum lifetime for user ticket
MaxTicketAge = 10
The ‘MaxTicketAge’ setting defines the maximum number of hours a user’s ticket-granting ticket may be used.
The setting ‘10’ indicates that the ticket-granting ticket must be replaced or renewed after ten
hours.
4.3.3.4 Maximum lifetime for user ticket renewal
MaxRenewAge = 7
The ‘MaxRenewAge’ setting defines the number of days a ticket-granting ticket may be renewed after
issuance. The setting ‘7’ allows a ticket-granting ticket to be renewed for seven days.
4.3.3.5 Maximum tolerance for computer clock synchronization
MaxClockSkew = 5
The ‘MaxClockSkew’ setting defines the maximum amount of time a system clock can differ
from the Domain Controller clock. The setting ‘5’ means that systems whose clocks differ from the
Domain Controller clock by more than 5 minutes will be refused.
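The following Python script is an added example, not part of ITSG-20 or its policy files. It audits the text of a security template against the values in sections 4.3.2.3 and 4.3.3.1 to 4.3.3.5, and skips the Kerberos checks for a workgroup server as section 4.3.3 allows. The `[System Access]` and `[Kerberos Policy]` section names come from the Windows security template format; the `audit_template` function, its `domain_member` parameter and the sample template are constructed for illustration, and "synchronized" is assumed to mean that ‘ResetLockoutCount’ does not exceed ‘LockoutDuration’.

```python
import configparser

# Baseline values quoted from sections 4.3.2.3 and 4.3.3.1 to 4.3.3.5 above.
BASELINE = {
    "System Access": {"ResetLockoutCount": 15},
    "Kerberos Policy": {"TicketValidateClient": 1, "MaxServiceAge": 600,
                        "MaxTicketAge": 10, "MaxRenewAge": 7, "MaxClockSkew": 5},
}

# Constructed sample template text; MaxClockSkew is left out on purpose.
SAMPLE_INF = """\
[System Access]
LockoutDuration = 10
ResetLockoutCount = 15
[Kerberos Policy]
TicketValidateClient = 1
MaxServiceAge = 600
MaxTicketAge = 24
MaxRenewAge = 7
"""

def audit_template(text, domain_member=True):
    """Return (section, key, found, expected) tuples for baseline deviations."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   allow_no_value=True, strict=False)
    cp.read_string(text)
    def value(section, key):
        try:  # missing, empty or non-numeric values come back as None
            return int(cp.get(section, key, fallback=None))
        except (TypeError, ValueError):
            return None
    findings = []
    for section, settings in BASELINE.items():
        # Section 4.3.3: the Workgroup baseline carries no Kerberos settings.
        if section == "Kerberos Policy" and not domain_member:
            continue
        for key, want in settings.items():
            found = value(section, key)
            if found != want:
                findings.append((section, key, found, want))
    # Assumption: "synchronized" is checked as ResetLockoutCount <= LockoutDuration.
    reset = value("System Access", "ResetLockoutCount")
    duration = value("System Access", "LockoutDuration")
    if reset is not None and duration is not None and 0 < duration < reset:
        findings.append(("System Access", "LockoutDuration", duration, f">= {reset}"))
    return findings

if __name__ == "__main__":
    print(*audit_template(SAMPLE_INF), sep="\n")
```

A template exported with `secedit /export /cfg` is typically UTF-16 encoded, so decode the file accordingly before passing its text to `audit_template`.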
Server Policy Files March 2004 47