Windows Server 2003 Recommended Baseline Security

More documents

Recommendations

Info

Unclassified ITSG for Windows Server 2003 4.4.3.8 Audit: Shut down system immediately if unable to log security audits machine\system\currentcontrolset\control\lsa\crashonauditfail=4, 1 The ‘crashonauditfail’ registry value determines system behaviour when it fails to log security events. The setting ‘1’ shuts the system down when it cannot log. The government requires that comprehensive log data be carefully maintained. As a result, if the log files are full the system must not process further transactions. 4.4.3.9 Devices: Allow undock without having to log on machine\software\microsoft\windows\currentversion\policies\system\undockwithoutlogon=4, 0 The ‘undockwithoutlogon’ registry value determines if a portable computer can undock without logon. The setting ‘0’ disallows the computer to be undocked without logon. 4.4.3.10 Devices: Allowed to format and eject removable media machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,"0" The ‘allocatedasd’ registry value determines who can format and eject removable media. The setting ‘0’ permits Administrators to format and eject removable media. The ability to store large quantities of data (e.g. entire databases) makes should be restricted to trusted individuals. 4.4.3.11 Devices: Prevent users from installing printer drivers services\servers\addprinterdrivers=4, 1 The ‘addprinterdrivers’ registry value determines if users can add printer drivers. The setting ‘1’ prevents users from adding print drivers. This helps prevent the threat of users running malicious code in a privileged state. 4.4.3.12 Devices: Restrict CD-ROM access to locally logged-on user only machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms=1,"1" The ‘allocatecdroms’ registry value determines if the CD-ROM is equally accessible to local and remote users. The setting ‘1’ restricts remote access to the CD-ROM when in use by a local user. NOTE: The setting allows remote authorized users to access the CD-ROM if no one is logged on locally. 4.4.3.13 Devices: Restrict floppy access to locally logged-on user only machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies=1,"1" The ‘allocatefloppies’ registry value determines if the floppy drive is simultaneously accessible to local and remote users. The setting ‘1’ restricts remote access to when in use by a local user. NOTE: This setting allows remote access to the floppy drive if no one is logged on as a local user. 58 March 2004 Server Policy Files
Windows Server 2003 Recommended Baseline Security (ITSG-20) 4.4.3.14 Devices: Unsigned driver installation behavior machine\software\microsoft\driver signing\policy=3, 1 The ‘policy’ registry value defines the unsigned driver installation behavior. The setting ‘1’ warns the user before the driver is installed. If this option is enforced, only drivers approved by the Windows Hardware Quality Lab (WHQL) are eligible. The decision to install drivers not found within WHQL is left to the Administrator. 4.4.3.15 Domain controller: Allow server operators to schedule tasks machine\system\currentcontrolset\control\lsa\submitcontrol=4, 0 The ‘submitcontrol’ registry value determines if system operators can schedule tasks. The setting ‘0’ prevents system operators from scheduling tasks. A sufficient number of tasks can lead to a DoS condition. 4.4.3.16 Domain controller: LDAP server signing requirements machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity=4, 2 The ‘ldapserverintegrity’ registry value determines if the LDAP server requires a signature to negotiate with LDAP clients. The setting ‘2’ requires a client signature. Unsigned data is susceptible to man-in-the-middle attacks. This setting helps prevent session hijack. 4.4.3.17 Domain controller: Refuse machine account password changes machine\system\currentcontrolset\services\netlogon\parameters\refusepasswordchange=4, 0 The ‘refusepasswordchange’ registry setting determines if domain controllers accept changes to computer account passwords. The setting ‘0’ allows changing of computer account passwords. Regularly changed passwords reduce the threat of effective brute-force attacks. 4.4.3.18 Domain member: Digitally encrypt or sign secure channel data (always) machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4, 1 The ‘requiresignorseal’ registry value determines if the domain member will encrypt or sign secure channel data always. The setting ‘1’ encrypts or signs secure channel data. This setting prevents legacy systems (pre-Windows 2000) from joining a Domain. 4.4.3.19 Domain member: Digitally encrypt secure channel data (when possible) machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4, 1 The ‘sealsecurechannel’ registry value determines if a domain member requests encryption of all secure channel data. The setting ‘1’ requests encryption of all secure channel data. By encrypting Secure Channel data, the system prevents sensitive information being sent in the clear. This limits an attacker’s ability to gather information for an attack. Server Policy Files March 2004 59
Page 1 and 2:
IT Security Guidance Windows Server
Page 3 and 4:
Windows Server 2003 Recommended Bas
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15:
Page 18 and 19:
Page 20 and 21:
Page 22 and 23:
Page 24 and 25:
Page 26 and 27:
Page 28 and 29: Unclassified ITSG for Windows Serve
Page 128 and 129:
Unclassified ITSG for Windows Serve
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138 and 139:
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
show all

Windows Server 2003 Recommended Baseline Security

Create successful ePaper yourself

Delete template?

Save as template?