Windows Server 2003 Recommended Baseline Security

Unclassified ITSG for Windows Server 2003

4.4.3.31 Interactive logon: Require smart card

machine\software\microsoft\windows\currentversion\policies\system\scforceoption=4, 0

The ‘scforceoption’ registry value determines whether a smart card is required to log on. The setting ‘0’ does not require a smart card to log on. The majority of servers will not require two-factor authentication. If this capability is a requirement, it should be enabled during the application of a role-specific policy.

4.4.3.32 Interactive logon: Smart card removal behaviour

machine\software\microsoft\windowsnt\currentversion\winlogon\scremoveoption=1,"1"

The ‘scremoveoption’ registry value determines system behaviour when a smart card is removed. The setting ‘1’ locks the workstation when the card is removed. This ensures accountability for transactions that require smart card authentication.

4.4.3.33 Microsoft network client: Digitally sign communications (always)

machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4, 1

The ‘requiresecuritysignature’ registry value determines whether the SMB client requires packet signing. The setting ‘1’ requires packet signing. This setting provides for mutual authentication. This may prevent man-in-the-middle attacks and eliminate session hijacking. Legacy systems cannot support this requirement.

4.4.3.34 Microsoft network client: Digitally sign communications (if server agrees)

machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4, 1

The ‘enablesecuritysignature’ registry value determines whether an SMB client attempts to negotiate SMB packet signing (if the server agrees). The setting ‘1’ causes the client to negotiate SMB signing. This setting provides for mutual authentication. This may prevent man-in-the-middle attacks and eliminate session hijacking. Legacy systems (i.e. pre-Windows 2000) cannot support this requirement.

4.4.3.35 Microsoft network client: Send unencrypted password to third-party SMB servers

machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4, 0

The ‘enableplaintextpassword’ registry value determines whether an SMB client sends plain-text passwords to non-Microsoft SMB servers. The setting ‘0’ disables the use of clear-text passwords. The use of non-Microsoft SMB servers that do not accept encrypted passwords is disallowed in a High Security environment. Password security must always be enforced.
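The five settings in 4.4.3.31 to 4.4.3.35 are written in security-template form (registry path, then value type 4 = REG_DWORD or 1 = REG_SZ, then the expected data). The following PowerShell script is an added example, not part of the ITSG document: it reads the same values on the local host and reports any drift from the baseline. It assumes PowerShell 2.0 or later and local administrative rights; the expected values are those the guide lists, and the LanmanServer path for 4.4.3.33 is reproduced as the guide gives it (that key governs the SMB server side; the client-side key of the same name sits under LanmanWorkstation).

```powershell
# Added example: audit ITSG items 4.4.3.31-4.4.3.35 on the local host.
# Expected values are taken from the guide's security-template lines.
$Baseline = @(
    @{ Id = '4.4.3.31'; Setting = 'Interactive logon: Require smart card'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'scforceoption'; Expected = 0 },                    # REG_DWORD
    @{ Id = '4.4.3.32'; Setting = 'Interactive logon: Smart card removal behaviour'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'scremoveoption'; Expected = '1' },                 # REG_SZ (type 1)
    @{ Id = '4.4.3.33'; Setting = 'Digitally sign communications (always)'
       # Path as listed in the guide; this key governs the SMB server side.
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'requiresecuritysignature'; Expected = 1 },
    @{ Id = '4.4.3.34'; Setting = 'Digitally sign communications (if server agrees)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name = 'enablesecuritysignature'; Expected = 1 },
    @{ Id = '4.4.3.35'; Setting = 'Send unencrypted password to third-party SMB servers'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name = 'enableplaintextpassword'; Expected = 0 }
)

$Report = foreach ($b in $Baseline) {
    # Missing key or value yields $null rather than an error.
    $item   = Get-ItemProperty -Path $b.Path -Name $b.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($b.Name) } else { $null }

    # Compare as strings so a REG_DWORD 1 and a REG_SZ "1" are both handled.
    # MISSING means the value is not set and the OS default applies.
    $status = if ($null -eq $actual) { 'MISSING' }
              elseif ("$actual" -eq "$($b.Expected)") { 'OK' }
              else { 'DRIFT' }

    New-Object PSObject -Property @{
        Id = $b.Id; Setting = $b.Setting; Expected = $b.Expected
        Actual = $actual; Status = $status
    }
}

$Report | Select-Object Id, Setting, Expected, Actual, Status | Format-Table -AutoSize

# A non-zero exit code lets a scheduled job or configuration tool flag the host.
if ($Report | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

Only the compare is shown here; remediation should be applied through the role-specific policy the guide describes rather than by writing the registry directly.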

62 March 2004 Server Policy Files
