Windows Server 2003 Recommended Baseline Security
Windows Server 2003 Recommended Baseline Security (ITSG-20)
is predicated on the CTRL+ALT+DEL key sequence to initiate user authentication. It provides unassailable hardware initiation of the logon sequence; this helps thwart Trojan Horse routines.
4.4.3.26 Interactive logon: Message text for users attempting to log on
machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=7, DEPARTMENTAL TEXT FOR USER LOGON MUST BE SUPPLIED
The ‘legalnoticetext’ registry value is presented to the user prior to entry of username and password. The value shown is the text presented. This may help an organization in the event of legal proceedings.
4.4.3.27 Interactive logon: Message title for users attempting to log on
machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1, "DEPARTMENTAL TEXT FOR USER LOGON MUST BE SUPPLIED"
The ‘legalnoticecaption’ registry value is presented to the user as the title of the window that contains the ‘legalnoticetext’ text. The value shown is the text presented. This may help an organization in the event of legal proceedings.
4.4.3.28 Interactive logon: Number of previous logons to cache (in case domain controller is not available)
machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,"0"
The ‘cachedlogonscount’ registry value determines the number of unique users whose logon information is cached locally. The setting ‘0’ does not cache logon information locally. This ensures the user establishes a current security token with the Domain Controller. This prevents disabled users from gaining access via cached logon credentials.
4.4.3.29 Interactive logon: Prompt user to change password before expiration
machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4, 14
The ‘passwordexpirywarning’ registry value determines how many days in advance the user is notified of password expiration. This setting warns the user 14 days before password expiry. The user will continue to be reminded until the password expiry date.
4.4.3.30 Interactive logon: Require Domain Controller authentication to unlock workstation
machine\software\microsoft\windows nt\currentversion\winlogon\forceunlocklogon=4, 1
The ‘forceunlocklogon’ registry value determines if a domain controller must be contacted to unlock a computer. The setting ‘1’ requires contact with a domain controller. This ensures the user establishes a current security token with the Domain Controller. This also denies disabled users access via cached logon credentials.
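An added example (not part of ITSG-20 or of any Microsoft tool): a short Python audit that parses the five entries from sections 4.4.3.26 to 4.4.3.30 in their `path=type,data` form and compares them with values collected from a host. The function names and the `OBSERVED` snapshot are constructed for illustration; type codes 1, 4 and 7 are read as REG_SZ, REG_DWORD and REG_MULTI_SZ, and wrapped entries are joined onto one line.

```python
# Type codes as used in the entries above (1, 4 and 7 appear on this page).
REG_TYPES = {1: "REG_SZ", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
PLACEHOLDER = "DEPARTMENTAL TEXT FOR USER LOGON MUST BE SUPPLIED"
# Baseline entries as given in sections 4.4.3.26 to 4.4.3.30.
BASELINE = r'''
machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=7,DEPARTMENTAL TEXT FOR USER LOGON MUST BE SUPPLIED
machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1,"DEPARTMENTAL TEXT FOR USER LOGON MUST BE SUPPLIED"
machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,"0"
machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14
machine\software\microsoft\windows nt\currentversion\winlogon\forceunlocklogon=4,1
'''

def parse_baseline(text):
    """Return {value_name: (reg_type, expected)} from 'path=type,data' lines."""
    entries = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        path, _, rhs = line.partition("=")
        code, _, data = rhs.partition(",")
        data = data.strip().strip('"')
        reg_type = REG_TYPES[int(code)]
        expected = int(data) if reg_type == "REG_DWORD" else data
        entries[path.rsplit("\\", 1)[1]] = (reg_type, expected)
    return entries

def audit(baseline, observed):
    """Compare observed {name: (type, value)} to the baseline; return findings."""
    findings = []
    for name, (reg_type, expected) in baseline.items():
        if name not in observed:
            findings.append((name, "missing"))
            continue
        got_type, got = observed[name]
        if expected == PLACEHOLDER:
            # The baseline only requires that departmental text has been supplied.
            if not str(got).strip() or got == PLACEHOLDER:
                findings.append((name, "banner text not supplied"))
        elif got_type != reg_type:
            findings.append((name, f"type {got_type}, expected {reg_type}"))
        elif got != expected:
            findings.append((name, f"value {got!r}, expected {expected!r}"))
    return findings

# Constructed snapshot of one host (illustrative, not real data).
OBSERVED = {
    "legalnoticetext": ("REG_MULTI_SZ", "Authorized use only."),
    "legalnoticecaption": ("REG_SZ", PLACEHOLDER),
    "cachedlogonscount": ("REG_SZ", "10"),
    "passwordexpirywarning": ("REG_DWORD", 14),
}
```

Calling `audit(parse_baseline(BASELINE), OBSERVED)` on this snapshot reports the unreplaced banner caption, the non-zero cached logon count, and the absent `forceunlocklogon` value.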
Server Policy Files March 2004