Windows Server 2003 Recommended Baseline Security

More documents

Recommendations

Info

Unclassified ITSG for Windows Server 2003 4.4.3.20 Domain member: Digitally sign secure channel data (when possible) machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4, 1 The ‘signsecurechannel’ registry value determines if a system will sign secure channel data when possible. The setting ‘1’ enables the signing of secure channel data when possible. Unsigned data is susceptible to man-in-the-middle attack. By enabling this setting, the client is protected from session hijack. 4.4.3.21 Domain member: Disable machine account password changes machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4, 0 The ‘disablepasswordchange’ registry value determines if a domain controller will accept machine account password changes. The setting ‘0’ allows machine account password changes. If the password change were disallowed, the systems could not change their computer passwords. This would leave them susceptible to password-guessing attacks. 4.4.3.22 Domain member: Maximum machine account password age machine\system\currentcontrolset\services\netlogon\parameters\maximumpasswordage=4, 42 The ‘maximumpasswordage’ registry value determines the maximum number days between password changes. The setting ‘42’ requires the password to be changed at least every forty-two days. This ensures the password is changed often to thwart password-guessing attacks. 4.4.3.23 Domain member: Require strong (Windows 2000 or later) session key machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4, 1 The ‘requirestrongkey’ registry value determines if a domain member establishes secure channel communications requiring 128-bit encryption. The setting ‘1’ requires 128-bit encryption of the secure channel. If disabled, the client must negotiate key strength with the Domain Controller. This setting ensures the highest level of protection for secure channel data. 4.4.3.24 Interactive logon: Do not display last user name machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername =4, 1 The ‘dontdisplaylastusername’ registry value determines if the system provides a logon screen with the last username that logged on. The setting ‘1’ does not display the last username. This setting withholds vital information to prevent attacks. 4.4.3.25 Interactive logon: Do not require CTRL+ALT+DEL machine\software\microsoft\windows\currentversion\policies\system\disablecad=4, 0 The ‘disablecad’ registry value determines if CTRL+ALT+DEL is required before a user logon. The setting ‘0’ requires CTRL+ALT+DEL to initiate logon. The Windows architecture security 60 March 2004 Server Policy Files
Windows Server 2003 Recommended Baseline Security (ITSG-20) is predicated on the CTL+ALT+DEL key sequence to initiate user authentication. It provides unassailable hardware initiation of the logon sequence; this helps thwart Trojan Horse routines. 4.4.3.26 Interactive logon: Message text for users attempting to logon machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=7, DEPARTMENTAL TEXT FOR USER LOGON MUST BE SUPPLIED The ‘legalnoticetext’ registry value is presented to the user prior to entry of username and password. The value shown is the text presented. This may help an organization in the event of legal proceedings. 4.4.3.27 Interactive logon: Message title for users attempting to logon machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1 “DEPARTMENTAL TEXT FOR USER LOGON MUST BE SUPPLIED” The ‘legalnoticecaption’ registry value is presented to the user as the title of the window that contains the ‘legalnoticetext’ text. The value shown is the text presented. This may help an organization in the event of legal proceedings. 4.4.3.28 Interactive logon: Number of previous logons to cache (in case domain controller is not available) machine\software\microsoft\windowsnt\currentversion\winlogon\cachedlogonscount=1,"0" The ‘cachedlogonscount’ registry value determines the number of unique user whom logon information is locally cached. The setting ‘0’ does not cache logon information locally. This ensures the user establishes a current security token with the Domain Controller. This prevents disabled users access via cached logon credentials. 4.4.3.29 Interactive logon: Prompt user to change password before expiration machine\software\microsoft\windowsnt\currentversion\winlogon\passwordexpirywarning=4, 14 The ‘passwordexpirywarning’ registry value determines how many days in advance the user is notified of password expiration. This setting warns the user 14 days before password expiry. The user will continue to be reminded until the password expiry date. 4.4.3.30 Interactive logon: Require Domain Controller authentication to unlock workstation machine\software\microsoft\windows nt\currentversion\winlogon\forceunlocklogon=4, 1 The ‘forceunlocklogon’ registry value determines if a domain controller must be contacted to unlock a computer. The setting ‘1’ requires contact with a domain controller. This ensures the user establishes a current security token with the Domain Controller. This also disallows disabled users access via cached logon credentials. Server Policy Files March 2004 61
Page 1 and 2:
IT Security Guidance Windows Server
Page 3 and 4:
Windows Server 2003 Recommended Bas
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15:
Page 18 and 19:
Page 20 and 21:
Page 22 and 23:
Page 24 and 25:
Page 26 and 27:
Page 28 and 29:
Unclassified ITSG for Windows Serve
Page 30 and 31: Unclassified ITSG for Windows Serve
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 136 and 137:
Page 138 and 139:
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
show all

Windows Server 2003 Recommended Baseline Security

Create successful ePaper yourself

Delete template?

Save as template?