Windows Server 2003 Recommended Baseline Security
Unclassified ITSG for Windows Server 2003

4.4.3.20 Domain member: Digitally sign secure channel data (when possible)
machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4, 1
The ‘signsecurechannel’ registry value determines whether the system signs secure channel (Netlogon) data when the domain controller supports it. The setting ‘1’ enables the signing of secure channel data when possible. Unsigned data is susceptible to man-in-the-middle attack; signing lets the client detect tampering and protects it from session hijack. Because this is a "when possible" setting, signing is negotiated per connection; the companion setting "Domain member: Digitally encrypt or sign secure channel data (always)" is what removes the unsigned fallback.

4.4.3.21 Domain member: Disable machine account password changes
machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4, 0
The ‘disablepasswordchange’ registry value determines whether the domain member periodically changes its own machine account password. The setting ‘0’ allows machine account password changes. If changes were disallowed, systems could not rotate their computer account passwords, leaving a static secret that is more exposed to password-guessing attacks.

4.4.3.22 Domain member: Maximum machine account password age
machine\system\currentcontrolset\services\netlogon\parameters\maximumpasswordage=4, 42
The ‘maximumpasswordage’ registry value determines the maximum number of days between machine account password changes. The setting ‘42’ requires the password to be changed at least every forty-two days. This ensures the password is changed often enough to thwart password-guessing attacks.

4.4.3.23 Domain member: Require strong (Windows 2000 or later) session key
machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4, 1
The ‘requirestrongkey’ registry value determines whether a domain member will only establish secure channel communications that use a strong (128-bit) session key. The setting ‘1’ requires a 128-bit key for the secure channel. If disabled, the client negotiates key strength with the domain controller and may accept a weaker key. As the setting name indicates, every domain controller the member communicates with must be Windows 2000 or later. This setting ensures the highest level of protection for secure channel data.

4.4.3.24 Interactive logon: Do not display last user name
machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4, 1
The ‘dontdisplaylastusername’ registry value determines whether the logon screen is pre-populated with the username of the last user who logged on. The setting ‘1’ does not display the last username. This withholds a valid account name from anyone with console access, which is half of what a password-guessing attack needs.

4.4.3.25 Interactive logon: Do not require CTRL+ALT+DEL
machine\software\microsoft\windows\currentversion\policies\system\disablecad=4, 0
The ‘disablecad’ registry value determines whether CTRL+ALT+DEL is required before a user logon. The setting ‘0’ requires CTRL+ALT+DEL to initiate logon. The Windows security architecture is predicated on the CTRL+ALT+DEL key sequence (the Secure Attention Sequence) to initiate user authentication. The sequence is intercepted by the operating system and delivered only to Winlogon, so an ordinary application cannot receive or fake it; this helps thwart Trojan Horse routines that present a counterfeit logon dialog to capture credentials.

4.4.3.26 Interactive logon: Message text for users attempting to logon
machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=7, DEPARTMENTAL TEXT FOR USER LOGON MUST BE SUPPLIED
The ‘legalnoticetext’ registry value (type 7, REG_MULTI_SZ) is presented to the user prior to entry of username and password. The value shown is the text presented; the placeholder must be replaced with the department's approved notice. This may help an organization in the event of legal proceedings.

4.4.3.27 Interactive logon: Message title for users attempting to logon
machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1, "DEPARTMENTAL TEXT FOR USER LOGON MUST BE SUPPLIED"
The ‘legalnoticecaption’ registry value (type 1, REG_SZ) is presented to the user as the title of the window that contains the ‘legalnoticetext’ text. The value shown is the text presented; the placeholder must be replaced with the department's approved title. This may help an organization in the event of legal proceedings.

4.4.3.28 Interactive logon: Number of previous logons to cache (in case domain controller is not available)
machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1, "0"
The ‘cachedlogonscount’ registry value determines the number of unique users whose logon information is cached locally. The setting ‘0’ does not cache logon information locally. This ensures the user establishes a current security token with the domain controller, and prevents disabled users from gaining access via cached logon credentials. With no cached logons, a domain user cannot log on interactively while no domain controller is reachable; for a server that is the intended behaviour.

4.4.3.29 Interactive logon: Prompt user to change password before expiration
machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4, 14
The ‘passwordexpirywarning’ registry value determines how many days in advance the user is notified of password expiration. This setting warns the user 14 days before password expiry. The user will continue to be reminded until the password expiry date.

4.4.3.30 Interactive logon: Require Domain Controller authentication to unlock workstation
machine\software\microsoft\windows nt\currentversion\winlogon\forceunlocklogon=4, 1
The ‘forceunlocklogon’ registry value determines whether a domain controller must be contacted to unlock a computer. The setting ‘1’ requires contact with a domain controller. This ensures the user establishes a current security token with the domain controller, and also denies disabled users access via cached logon credentials.

Windows Server 2003 Recommended Baseline Security (ITSG-20), Server Policy Files, March 2004
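The entries in 4.4.3.20 to 4.4.3.30 are written in security-template form (registry path, then type code and value, where type 4 is REG_DWORD, 1 is REG_SZ and 7 is REG_MULTI_SZ). The script below is an added example, not part of ITSG-20 and not Microsoft tooling: it audits a host against those values, flagging missing values, wrong value types and drift, and can emit the same entries as a secedit .inf template. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on the host being checked (a Windows Server 2003 host itself would be checked with secedit /analyze or reg query), that the template prefix 'machine\' maps to HKLM:\, and the function names Invoke-BaselineAudit, Test-BaselineEntry and Export-BaselineTemplate are this example's own.

```powershell
# Added example (not from ITSG-20). Audit HKLM against the 4.4.3.20 - 4.4.3.30
# baseline and optionally write the entries out as a secedit template.
# Assumes an elevated session; 'machine\' in the template maps to HKLM:\.

$NetlogonKey = 'system\currentcontrolset\services\netlogon\parameters'
$PoliciesKey = 'software\microsoft\windows\currentversion\policies\system'
$WinlogonKey = 'software\microsoft\windows nt\currentversion\winlogon'

# Template type codes mapped to the RegistryValueKind names returned by .NET.
$KindByType = @{ 1 = 'String'; 4 = 'DWord'; 7 = 'MultiString' }

# Value = $null means "departmental text must be supplied": present and non-empty.
$Baseline = @(
    @{ Id = '4.4.3.20'; Key = $NetlogonKey; Name = 'signsecurechannel';       Type = 4; Value = 1 }
    @{ Id = '4.4.3.21'; Key = $NetlogonKey; Name = 'disablepasswordchange';   Type = 4; Value = 0 }
    @{ Id = '4.4.3.22'; Key = $NetlogonKey; Name = 'maximumpasswordage';      Type = 4; Value = 42 }
    @{ Id = '4.4.3.23'; Key = $NetlogonKey; Name = 'requirestrongkey';        Type = 4; Value = 1 }
    @{ Id = '4.4.3.24'; Key = $PoliciesKey; Name = 'dontdisplaylastusername'; Type = 4; Value = 1 }
    @{ Id = '4.4.3.25'; Key = $PoliciesKey; Name = 'disablecad';              Type = 4; Value = 0 }
    @{ Id = '4.4.3.26'; Key = $PoliciesKey; Name = 'legalnoticetext';         Type = 7; Value = $null }
    @{ Id = '4.4.3.27'; Key = $PoliciesKey; Name = 'legalnoticecaption';      Type = 1; Value = $null }
    @{ Id = '4.4.3.28'; Key = $WinlogonKey; Name = 'cachedlogonscount';       Type = 1; Value = '0' }
    @{ Id = '4.4.3.29'; Key = $WinlogonKey; Name = 'passwordexpirywarning';   Type = 4; Value = 14 }
    @{ Id = '4.4.3.30'; Key = $WinlogonKey; Name = 'forceunlocklogon';        Type = 4; Value = 1 }
)

function Test-BaselineEntry {
    param([hashtable]$Entry)
    $path = "HKLM:\$($Entry.Key)"
    $key  = Get-Item -Path $path -ErrorAction SilentlyContinue
    $actual = $null; $kind = $null
    if ($key -and ($key.GetValueNames() -contains $Entry.Name)) {
        $actual = $key.GetValue($Entry.Name)
        $kind   = $key.GetValueKind($Entry.Name).ToString()
    }
    $status = if ($null -eq $actual) {
        'MISSING'        # template never applied here; the OS default is in force
    } elseif ($kind -ne $KindByType[$Entry.Type]) {
        'WRONG_TYPE'     # e.g. REG_SZ "1" where REG_DWORD 1 is expected; consumers may ignore it
    } elseif ($null -eq $Entry.Value) {
        if ((@($actual) -join '').Trim()) { 'OK' } else { 'EMPTY' }
    } elseif ("$actual" -eq "$($Entry.Value)") {
        'OK'
    } else {
        'DRIFT'
    }
    [pscustomobject]@{
        Id       = $Entry.Id
        Setting  = "$($Entry.Key)\$($Entry.Name)"
        Expected = if ($null -eq $Entry.Value) { '<non-empty text>' } else { $Entry.Value }
        Actual   = $actual
        Status   = $status
    }
}

function Invoke-BaselineAudit {
    $results = foreach ($e in $Baseline) { Test-BaselineEntry -Entry $e }
    $results | Format-Table Id, Setting, Expected, Actual, Status -AutoSize | Out-Host
    return @($results | Where-Object { $_.Status -ne 'OK' })   # findings only
}

function Export-BaselineTemplate {
    param([string]$Path, [string]$NoticeCaption, [string]$NoticeText)
    # secedit template: [Registry Values] lines use the same path=type,value form as ITSG-20.
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Registry Values]')
    foreach ($e in $Baseline) {
        $v = switch ($e.Id) {
            '4.4.3.26' { $NoticeText }                          # REG_MULTI_SZ: one line of text
            '4.4.3.27' { '"' + $NoticeCaption + '"' }           # REG_SZ values are quoted
            default    { if ($e.Type -eq 1) { '"' + $e.Value + '"' } else { $e.Value } }
        }
        $lines += "MACHINE\$($e.Key)\$($e.Name)=$($e.Type),$v"
    }
    Set-Content -Path $Path -Value $lines -Encoding Unicode     # secedit expects UTF-16
    return $lines.Count - 6                                      # number of registry entries written
}

# Usage (elevated):
#   $findings = Invoke-BaselineAudit
#   Export-BaselineTemplate -Path .\itsg20-logon.inf -NoticeCaption 'Authorized use only' -NoticeText 'Departmental notice text'
#   secedit /analyze   /db .\itsg20.sdb /cfg .\itsg20-logon.inf /log .\itsg20.log
#   secedit /configure /db .\itsg20.sdb /cfg .\itsg20-logon.inf /log .\itsg20.log
```

A missing value is reported as MISSING rather than compared against an assumed default, because an absent value means the template was never applied and the effective behaviour depends on the OS default for that build; the type check matters because a REG_SZ "1" written by hand where a REG_DWORD is expected is not honoured by the components that read these values.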