Windows Server 2003 Recommended Baseline Security

More documents

Recommendations

Info

Unclassified ITSG for Windows Server 2003 4.4.3.51 Network security: Do not store LAN Manager hash value on next password change machine\system\currentcontrolset\control\lsa\nolmhash=4, 1 The ‘nolmhash’ registry value determines if the LAN Manager hash value is stored on the next password change. The setting ‘1’ does not save the LAN Manager hash value. This prevents local storage of the password, which would be vulnerable to attack. NOTE: Upon enabling in operation, all passwords must be changed. 4.4.3.52 Network Security: Force logoff when logon hours expire ForceLogoffWhenHourExpire = 1 The ‘ForceLogoffWhenHourExpire’ keyword determines if locally logged on users are disconnected when working outside of defined hours. The setting ‘1’ disconnects the user outside of defined hours. Hours are defined within the “Active Directory Users and Computers”, the ‘Computer Management” and “Local Users and Groups” interface. Account should be created with restrictions on hours of access; we recommend enforcement through disconnection outside specified hours. 4.4.3.53 Network security: LAN Manager authentication level machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4, 5 The ‘lmcompatibilitylevel’ value determines the level of LAN manager authentication. The setting ‘5’ sends NTLMv2 responses only and refuses LM & NTLM. This setting ensures only the most secure authentication mechanism is permitted. 4.4.3.54 Network security: LDAP client signing requirements machine\system\currentcontrolset\services\ldap\ldapclientintegrity=4, 1 The ‘ldapclientintegrity’ value determines if the LDAP client negotiates signing to communicate with LDAP servers. The setting ‘2’ requires signing negotiation. This reduces the threat of a man-in-the-middle attacks. 4.4.3.55 Network security: Minimum session security for NTLM SSP based (including secure RPC) clients machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminclientsec=4, 537395248 The ‘ntlmminclientsec’ value defines the minimum session security for NTLM SSP based (including secure RPC) clients. The setting ‘537395248’ enables all options, as recommended. This requires message integrity, confidentiality, NTLMv2 session security and 128-bit encryption be used for logon. 66 March 2004 Server Policy Files
Windows Server 2003 Recommended Baseline Security (ITSG-20) 4.4.3.56 Network security: Minimum session security for NTLM SSP based (including secure RPC) servers machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminserversec=4, 537395248 The ‘ntlmminserversec’ registry value defines the minimum session security for NTLM SSP based (including secure RPC) servers. The setting ‘537395248’ enables all options, as recommended. This requires message integrity, confidentiality, NTLMv2 session security and 128-bit encryption be used for logon. 4.4.3.57 Recovery console: Allow automatic administrative logon machine\software\microsoft\windowsnt\currentversion\setup\recoveryconsole\securitylevel=4, 0 The ‘securitylevel’ value determines if the recovery console requires an Administrator password to logon. The setting ‘0’ requires an Administrators password. Enabling this setting to allow anyone to shut down a server is not recommended. 4.4.3.58 Recovery console: Allow floppy copy and access to all drives and all folders machine\software\microsoft\windowsnt\currentversion\setup\recoveryconsole\setcommand=4, 0 The ‘setcommand’ registry value determines if the Recovery Console ‘SET’ command is available. The setting ‘4’ disables the ‘SET’ command. (e.g. Copy to removable media is disabled). 4.4.3.59 Shutdown: Allow system to be shut down without having to log on machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4 , 0 The ‘shutdownwithoutlogon’ registry value determines if the system can be shutdown without the user logged on. The setting ‘0’ requires the user to logon. This ensures only authorized users may shut down the system. 4.4.3.60 Shutdown: Clear virtual memory page file machine\system\currentcontrolset\control\sessionmanager\memory\management\clearpagefile atshutdown=4, 1 The ‘clearpagefileatshutdown’ value determines if page file contents are overwritten on a clean shutdown. The setting ‘1’ causes clears the page file on a normal shutdown. Sensitive system and user information may be contained in the page file. By ensuring it is cleared, the risk that information be available to an attacker is reduced. Server Policy Files March 2004 67
Page 1 and 2:
IT Security Guidance Windows Server
Page 3 and 4:
Windows Server 2003 Recommended Bas
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14:
Page 15:
Page 18 and 19:
Page 20 and 21:
Page 22 and 23:
Page 24 and 25:
Page 26 and 27:
Page 28 and 29:
Unclassified ITSG for Windows Serve
Page 30 and 31:
Page 32 and 33:
Page 34 and 35:
Page 36 and 37: Unclassified ITSG for Windows Serve
Page 136 and 137:
Page 138 and 139:
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
show all

Windows Server 2003 Recommended Baseline Security

Create successful ePaper yourself

Delete template?

Save as template?