Windows Server 2003 Recommended Baseline Security
Unclassified ITSG for Windows Server 2003

4.4.3.31 Interactive logon: Require smart card
machine\software\microsoft\windows\currentversion\policies\system\scforceoption=4, 0
The ‘scforceoption’ registry value determines whether a smart card is required to log on. The setting ‘0’ does not require a smart card to log on. The majority of servers will not require two-factor authentication. If this capability were a requirement, it should be enabled during the application of a role-specific policy.
4.4.3.32 Interactive logon: Smart card removal behaviour
machine\software\microsoft\windowsnt\currentversion\winlogon\scremoveoption=1,"1"
The ‘scremoveoption’ registry value determines system behaviour when a smart card is removed. The setting ‘1’ locks the workstation when the card is removed. This ensures accountability for transactions that require smart card authentication.
4.4.3.33 Microsoft network client: Digitally sign communications (always)
machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4, 1
The ‘requiresecuritysignature’ registry value determines whether the SMB client requires packet signing. The setting ‘1’ requires packet signing. This setting provides for mutual authentication, which may prevent man-in-the-middle attacks and eliminate session hijacking. Legacy systems cannot support this requirement.
4.4.3.34 Microsoft network client: Digitally sign communications (if server agrees)
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4, 1
The ‘enablesecuritysignature’ registry value determines whether an SMB client attempts to negotiate SMB packet signing (if the server agrees). The setting ‘1’ causes the client to negotiate SMB signing. This setting provides for mutual authentication, which may prevent man-in-the-middle attacks and eliminate session hijacking. Legacy systems (i.e. pre-Windows 2000) cannot support this requirement.
4.4.3.35 Microsoft network client: Send unencrypted password to third-party SMB servers
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4, 0
The ‘enableplaintextpassword’ registry value determines whether an SMB client sends plain-text passwords to non-Microsoft SMB servers. The setting ‘0’ disables the use of clear-text passwords. The use of non-Microsoft SMB servers that do not accept encrypted passwords is disallowed in a High Security environment. Password security must always be enforced.
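The registry entries in 4.4.3.31 to 4.4.3.35 are written in security-template (.inf) notation, `path=type,value`, where type 4 is REG_DWORD and type 1 is REG_SZ (quoted). The Python below is an added illustration, not part of the ITSG document: it parses those five entries from a constructed template and reports where a constructed set of values read back from a host deviates from the baseline, treating an absent key as a deviation because an unset value falls back to the operating-system default rather than the baseline.

```python
import re
from typing import Dict, List, Optional, Tuple
# Type codes used in security-template [Registry Values] entries (REG_* constants).
REG_TYPES = {1: "REG_SZ", 4: "REG_DWORD"}

# Constructed sample template carrying the five baseline entries from the page.
BASELINE_INF = r"""
[Registry Values]
machine\software\microsoft\windows\currentversion\policies\system\scforceoption=4,0
machine\software\microsoft\windowsnt\currentversion\winlogon\scremoveoption=1,"1"
machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,1
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0
"""

# Constructed sample of values read back from a host: one has drifted, one key is absent.
CAPTURED_HOST = {
    r"machine\software\microsoft\windows\currentversion\policies\system\scforceoption": 0,
    r"machine\software\microsoft\windowsnt\currentversion\winlogon\scremoveoption": "1",
    r"machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature": 1,
    r"machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature": 0,
}

ENTRY_RE = re.compile(r"^(?P<path>[^=]+)=(?P<type>\d+),\s*(?P<value>.*)$")

def parse_registry_values(inf_text: str) -> Dict[str, Tuple[str, object]]:
    """Map each [Registry Values] path (lower-cased) to (type name, typed value)."""
    entries, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("["):                  # section header
            in_section = line.lower() == "[registry values]"
            continue
        if not in_section:
            continue
        m = ENTRY_RE.match(line)
        if not m or int(m.group("type")) not in REG_TYPES:
            raise ValueError(f"unsupported entry: {line!r}")
        code, value = int(m.group("type")), m.group("value").strip()
        typed = int(value) if code == 4 else value.strip('"')   # REG_SZ values are quoted
        entries[m.group("path").lower()] = (REG_TYPES[code], typed)
    return entries

def find_deviations(baseline, actual) -> List[Tuple[str, object, Optional[object]]]:
    """(path, expected, observed) for each entry the host fails; an absent key is
    observed=None, since an unset value falls back to the OS default, not the baseline."""
    return [(p, exp, actual.get(p)) for p, (_, exp) in baseline.items() if actual.get(p) != exp]
```

Running `find_deviations(parse_registry_values(BASELINE_INF), CAPTURED_HOST)` on the constructed data yields two findings: `enablesecuritysignature` has drifted to 0 and `enableplaintextpassword` is not set at all.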
62 March 2004 Server Policy Files