Windows Server 2003 Recommended Baseline Security
Windows Server 2003 Recommended Baseline Security (ITSG-20)
4.4.3.14 Devices: Unsigned driver installation behavior
machine\software\microsoft\driver signing\policy=3, 1
The ‘policy’ registry value defines the unsigned driver installation behavior. The setting ‘1’ warns the user before an unsigned driver is installed. If this option is enforced, only drivers approved by the Windows Hardware Quality Lab (WHQL) are eligible for installation. The decision to install drivers not found within WHQL is left to the Administrator.
4.4.3.15 Domain controller: Allow server operators to schedule tasks
machine\system\currentcontrolset\control\lsa\submitcontrol=4, 0
The ‘submitcontrol’ registry value determines whether server operators can schedule tasks. The setting ‘0’ prevents server operators from scheduling tasks. A sufficiently large number of scheduled tasks can lead to a denial-of-service (DoS) condition.
4.4.3.16 Domain controller: LDAP server signing requirements
machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity=4, 2
The ‘ldapserverintegrity’ registry value determines whether the LDAP server requires a signature to negotiate with LDAP clients. The setting ‘2’ requires a client signature. Unsigned LDAP data is susceptible to man-in-the-middle attacks, so this setting helps prevent session hijacking.
4.4.3.17 Domain controller: Refuse machine account password changes
machine\system\currentcontrolset\services\netlogon\parameters\refusepasswordchange=4, 0
The ‘refusepasswordchange’ registry value determines whether domain controllers accept changes to computer account passwords. The setting ‘0’ allows computer account passwords to be changed. Regularly changed passwords reduce the threat of effective brute-force attacks.
4.4.3.18 Domain member: Digitally encrypt or sign secure channel data (always)
machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4, 1
The ‘requiresignorseal’ registry value determines whether the domain member always encrypts or signs secure channel data. The setting ‘1’ always encrypts or signs secure channel data. This setting prevents legacy systems (pre-Windows 2000) from joining a domain.
4.4.3.19 Domain member: Digitally encrypt secure channel data (when possible)
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4, 1
The ‘sealsecurechannel’ registry value determines whether a domain member requests encryption of all secure channel data. The setting ‘1’ requests encryption of all secure channel data. Encrypting secure channel data prevents sensitive information from being sent in the clear, which limits an attacker’s ability to gather information for an attack.
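As an added example (not part of ITSG-20 or of any Microsoft tool), the following Python parses entries written in the security-template form used above (path=type, data) and reports where a registry snapshot deviates from the baseline; SNAPSHOT is a constructed sample, and the REG_* type-code mapping is assumed from the secedit template format.

```python
# Audit registry values against security-template [Registry Values] lines of the
# form  machine\<key path>\<value name>=<type>, <data>  (type = REG_* code).
import re
# Type codes used in security-template [Registry Values] entries (assumed mapping).
REG_TYPES = {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
# Baseline lines copied from sections 4.4.3.14 to 4.4.3.19 of the page.
BASELINE = r"""
machine\software\microsoft\driver signing\policy=3, 1
machine\system\currentcontrolset\control\lsa\submitcontrol=4, 0
machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity=4, 2
machine\system\currentcontrolset\services\netlogon\parameters\refusepasswordchange=4, 0
machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4, 1
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4, 1
"""
LINE_RE = re.compile(r"^(?P<path>[^=]+)=(?P<type>\d+)\s*,\s*(?P<data>.*)$")

def parse_baseline(text):
    """Return {lower-cased 'hive\\key\\value': (type_code, data)}."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # blank line or INF comment
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed baseline line: {line!r}")
        out[m["path"].strip().lower()] = (int(m["type"]), m["data"].strip())
    return out

def audit(baseline, actual):
    """Return (path, expected, observed) per deviation; observed is None if absent."""
    actual = {k.lower(): str(v).strip() for k, v in actual.items()}
    findings = []
    for path, (type_code, expected) in baseline.items():
        observed = actual.get(path)
        if observed is None or observed.lower() != expected.lower():
            findings.append((path, f"{REG_TYPES.get(type_code, type_code)} {expected}", observed))
    return findings

# Constructed snapshot (not from the page): two values drift, one value is missing.
SNAPSHOT = {
    r"machine\software\microsoft\driver signing\policy": "0",  # silent install
    r"machine\system\currentcontrolset\control\lsa\submitcontrol": "0",
    r"machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity": "1",
    r"machine\system\currentcontrolset\services\netlogon\parameters\refusepasswordchange": "0",
    r"machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal": "1",
}
if __name__ == "__main__":
    for path, expected, observed in audit(parse_baseline(BASELINE), SNAPSHOT):
        print(f"DEVIATION {path}: expected {expected}, observed {observed}")
```

On a live host the snapshot would be filled from a registry export (for example the output of a `secedit /export` template), keyed by the same lower-cased path form.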
Server Policy Files March 2004 59