Windows Server 2003 Recommended Baseline Security
Windows Server 2003 Recommended Baseline Security (ITSG-20)

4.4.1.6 Audit policy change
AuditPolicyChange = 3
The ‘AuditPolicyChange’ defines the type of logon events that will be audited. The setting ‘3’
audits ‘success’ and ‘fail’ events. ‘Success’ events are used in investigations to determine access
to the system and the policy in use at the time of the incident. ‘Fail’ attempts can determine if users
are probing the system for vulnerabilities.

4.4.1.7 Audit privilege use
AuditPrivilegeUse = 3
The ‘AuditPrivilegeUse’ defines logon events to be audited. The setting ‘3’ audits ‘success’ and
‘fail’ events. ‘Success’ events are used to determine who was accessing the system at the time of
the incident. ‘Fail’ attempts can determine if users are probing the system for vulnerabilities.

4.4.1.8 Audit process tracking
AuditProcessTracking = 0
The ‘AuditProcessTracking’ defines logon events to be audited. The setting ‘0’ audits no events.
The value of this information is weighed against the volume of data collected. Due to large
volumes of data, the normal setting for this value is disabled. However, during an incident the
information provided is invaluable. If an attack is suspected, we recommend the setting be
enabled.

4.4.1.9 Audit system events
AuditSystemEvents = 3
The ‘AuditSystemEvents’ defines events to be audited. The setting ‘3’ audits ‘success’ and ‘fail’
events. These events reflect system shutdowns and restarts, system security events, and events
that affect the security log.

4.4.2 User Rights Assignments

4.4.2.1 Access this computer from the network
senetworklogonright = *S-1-5-11,*S-1-5-32-544
The ‘senetworklogonright’ grants network protocol access to the system (SMB, NetBIOS, CIFS,
HTTP and COM+). The policy grants this right to Administrators and Authenticated Users.
The ability to access the system from the network provides greater exposure for an attack.
Restricting access reduces the exposure.
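
The settings in sections 4.4.1.6 to 4.4.2.1 can be checked against an exported security template. The following is an added example, not part of the guide: it assumes the template text has already been decoded to a string, that the settings sit in the usual [Event Audit] and [Privilege Rights] sections, and that audit values 1 and 2 mean success-only and failure-only. The sample template and the function name check_baseline are constructed for illustration.

```python
import configparser

# Baseline from sections 4.4.1.6-4.4.1.9 and 4.4.2.1 above (names lowercased).
AUDIT_BASELINE = {"auditpolicychange": 3, "auditprivilegeuse": 3,
                  "auditprocesstracking": 0, "auditsystemevents": 3}
NETWORK_LOGON_SIDS = {"S-1-5-11", "S-1-5-32-544"}  # Authenticated Users, Administrators
MEANING = {0: "none", 1: "success", 2: "failure", 3: "success+failure"}

# Constructed sample template, not taken from the guide.
SAMPLE = """\
[Event Audit]
AuditPolicyChange = 3
AuditPrivilegeUse = 1
AuditProcessTracking = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
"""

def check_baseline(inf_text):
    """Return a list of deviations from the baseline (empty list = compliant)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)  # option names are lowercased by configparser
    findings = []
    audit = cp["Event Audit"] if cp.has_section("Event Audit") else {}
    for key, want in AUDIT_BASELINE.items():
        raw = (audit.get(key) or "").strip()
        if not raw.isdigit():
            findings.append(f"{key}: not defined, want {want} ({MEANING[want]})")
        elif int(raw) != want:
            got = int(raw)
            findings.append(f"{key}: {got} ({MEANING.get(got, 'unknown')}), "
                            f"want {want} ({MEANING[want]})")
    rights = cp["Privilege Rights"] if cp.has_section("Privilege Rights") else {}
    raw = rights.get("senetworklogonright")
    if raw is None:
        findings.append("senetworklogonright: not defined")
    else:
        # Template entries are SIDs prefixed with '*'; compare as sets.
        sids = {s.strip().lstrip("*") for s in raw.split(",") if s.strip()}
        for sid in sorted(sids - NETWORK_LOGON_SIDS):
            findings.append(f"senetworklogonright: extra principal {sid}")
        for sid in sorted(NETWORK_LOGON_SIDS - sids):
            findings.append(f"senetworklogonright: missing principal {sid}")
    return findings

if __name__ == "__main__":
    for line in check_baseline(SAMPLE):
        print(line)
```

Each extra principal reported for senetworklogonright is a widening of the network exposure that section 4.4.2.1 restricts.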

Server Policy Files, March 2004