Windows Server 2003 Recommended Baseline Security


cse.cst.gc.ca

Unclassified ITSG for Windows Server 2003
Windows Server 2003 Recommended Baseline Security (ITSG-20), Server Policy Files, March 2004

4.4.3.20 Domain member: Digitally sign secure channel data (when possible)

machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4, 1

The ‘signsecurechannel’ registry value determines if a system will sign secure channel data when possible. The setting ‘1’ enables the signing of secure channel data when possible. Unsigned data is susceptible to man-in-the-middle attack. By enabling this setting, the client is protected from session hijack.

4.4.3.21 Domain member: Disable machine account password changes

machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4, 0

The ‘disablepasswordchange’ registry value determines if a domain controller will accept machine account password changes. The setting ‘0’ allows machine account password changes. If the password change were disallowed, the systems could not change their computer passwords. This would leave them susceptible to password-guessing attacks.

4.4.3.22 Domain member: Maximum machine account password age

machine\system\currentcontrolset\services\netlogon\parameters\maximumpasswordage=4, 42

The ‘maximumpasswordage’ registry value determines the maximum number of days between password changes. The setting ‘42’ requires the password to be changed at least every forty-two days. This ensures the password is changed often to thwart password-guessing attacks.

4.4.3.23 Domain member: Require strong (Windows 2000 or later) session key

machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4, 1

The ‘requirestrongkey’ registry value determines if a domain member establishes secure channel communications requiring 128-bit encryption. The setting ‘1’ requires 128-bit encryption of the secure channel. If disabled, the client must negotiate key strength with the Domain Controller. This setting ensures the highest level of protection for secure channel data.

4.4.3.24 Interactive logon: Do not display last user name

machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4, 1

The ‘dontdisplaylastusername’ registry value determines if the system provides a logon screen with the last username that logged on. The setting ‘1’ does not display the last username. This setting withholds vital information to prevent attacks.

4.4.3.25 Interactive logon: Do not require CTRL+ALT+DEL

machine\software\microsoft\windows\currentversion\policies\system\disablecad=4, 0

The ‘disablecad’ registry value determines if CTRL+ALT+DEL is required before a user logon. The setting ‘0’ requires CTRL+ALT+DEL to initiate logon. The Windows architecture security is predicated on the CTRL+ALT+DEL key sequence to initiate user authentication. It provides unassailable hardware initiation of the logon sequence; this helps thwart Trojan Horse routines.

4.4.3.26 Interactive logon: Message text for users attempting to logon

machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=7, DEPARTMENTAL TEXT FOR USER LOGON MUST BE SUPPLIED

The ‘legalnoticetext’ registry value is presented to the user prior to entry of username and password. The value shown is the text presented. This may help an organization in the event of legal proceedings.

4.4.3.27 Interactive logon: Message title for users attempting to logon

machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1,"DEPARTMENTAL TEXT FOR USER LOGON MUST BE SUPPLIED"

The ‘legalnoticecaption’ registry value is presented to the user as the title of the window that contains the ‘legalnoticetext’ text. The value shown is the text presented. This may help an organization in the event of legal proceedings.

4.4.3.28 Interactive logon: Number of previous logons to cache (in case domain controller is not available)

machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,"0"

The ‘cachedlogonscount’ registry value determines the number of unique users whose logon information is cached locally. The setting ‘0’ does not cache logon information locally. This ensures the user establishes a current security token with the Domain Controller. This prevents disabled users from gaining access via cached logon credentials.

4.4.3.29 Interactive logon: Prompt user to change password before expiration

machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4, 14

The ‘passwordexpirywarning’ registry value determines how many days in advance the user is notified of password expiration. This setting warns the user 14 days before password expiry. The user will continue to be reminded until the password expiry date.

4.4.3.30 Interactive logon: Require Domain Controller authentication to unlock workstation

machine\software\microsoft\windows nt\currentversion\winlogon\forceunlocklogon=4, 1

The ‘forceunlocklogon’ registry value determines if a domain controller must be contacted to unlock a computer. The setting ‘1’ requires contact with a domain controller. This ensures the user establishes a current security token with the Domain Controller. This also disallows disabled users access via cached logon credentials.
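The settings in sections 4.4.3.20 to 4.4.3.30 above map to eleven registry values under the Netlogon, Policies\System and Winlogon keys. The following audit script is an added example, not part of ITSG-20 or CSE's own tooling: it reads each value with Get-ItemProperty and reports whether the server matches the baseline value given on the page. It assumes an elevated PowerShell session (2.0 or later) on the server being checked; a value that is absent from the registry is reported as NOT SET rather than treated as compliant, and the two legal-notice values are only checked for the presence of text, since the page says the departmental text must be supplied by the organization.

```powershell
# Added audit example for the ITSG-20 registry values listed above.
# Not from the original document. Assumes an elevated PowerShell 2.0+ session.

$netlogon  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$polSystem = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$winlogon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Baseline taken from sections 4.4.3.20 - 4.4.3.30 of the page.
# Expected = $null means "any non-empty text" (departmental text must be supplied).
# CachedLogonsCount is a REG_SZ on the page (type 1), so its expected value is the string '0'.
$baseline = @(
    @{ Section='4.4.3.20'; Path=$netlogon;  Name='SignSecureChannel';       Expected=1 },
    @{ Section='4.4.3.21'; Path=$netlogon;  Name='DisablePasswordChange';   Expected=0 },
    @{ Section='4.4.3.22'; Path=$netlogon;  Name='MaximumPasswordAge';      Expected=42 },
    @{ Section='4.4.3.23'; Path=$netlogon;  Name='RequireStrongKey';        Expected=1 },
    @{ Section='4.4.3.24'; Path=$polSystem; Name='DontDisplayLastUserName'; Expected=1 },
    @{ Section='4.4.3.25'; Path=$polSystem; Name='DisableCAD';              Expected=0 },
    @{ Section='4.4.3.26'; Path=$polSystem; Name='LegalNoticeText';         Expected=$null },
    @{ Section='4.4.3.27'; Path=$polSystem; Name='LegalNoticeCaption';      Expected=$null },
    @{ Section='4.4.3.28'; Path=$winlogon;  Name='CachedLogonsCount';       Expected='0' },
    @{ Section='4.4.3.29'; Path=$winlogon;  Name='PasswordExpiryWarning';   Expected=14 },
    @{ Section='4.4.3.30'; Path=$winlogon;  Name='ForceUnlockLogon';        Expected=1 }
)

function Test-BaselineValue {
    param([hashtable]$Item)

    # Read the single value; a missing key or value yields $null instead of an error.
    $actual = $null
    $props = Get-ItemProperty -Path $Item.Path -Name $Item.Name -ErrorAction SilentlyContinue
    if ($props -ne $null) { $actual = $props.($Item.Name) }

    if ($actual -eq $null) {
        $status = 'NOT SET'          # absent value: the default applies, which is not the baseline
    } elseif ($Item.Expected -eq $null) {
        # Legal notice text/caption: the baseline only requires that text be present.
        if ([string]::IsNullOrEmpty(([string]$actual).Trim())) { $status = 'EMPTY' } else { $status = 'OK' }
    } elseif ([string]$actual -eq [string]$Item.Expected) {
        $status = 'OK'               # string compare covers both REG_DWORD and REG_SZ values
    } else {
        $status = 'DRIFT'
    }

    $expectedDisplay = $Item.Expected
    if ($Item.Expected -eq $null) { $expectedDisplay = '<text supplied>' }

    New-Object PSObject -Property @{
        Section  = $Item.Section
        Value    = $Item.Name
        Expected = $expectedDisplay
        Actual   = $actual
        Status   = $status
    }
}

$results = $baseline | ForEach-Object { Test-BaselineValue -Item $_ }
$results | Format-Table Section, Value, Expected, Actual, Status -AutoSize

# Exit with the number of non-compliant values so a scheduled task or monitoring
# job can alert on drift without parsing the table.
$bad = @($results | Where-Object { $_.Status -ne 'OK' })
exit $bad.Count
```

Because the machine account password age, secure channel signing and strong session key settings only take effect after Netlogon re-establishes the secure channel, a DRIFT on 4.4.3.20 to 4.4.3.23 is best followed by checking that the policy template was actually applied (secedit /analyze against the department's template) rather than by editing the registry values by hand.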

