Windows Server 2003 Recommended Baseline Security
Unclassified ITSG for Windows Server 2003 (ITSG-20), Server Policy Files, March 2004

4.4.3.61 System cryptography: Force strong key protection for user keys stored on the computer

machine\software\policies\microsoft\cryptography\forcekeyprotection=4, 2

The ‘forcekeyprotection’ value determines whether user private keys (e.g. S/MIME keys) require a password each time they are used. The setting ‘2’ requires the user to enter a password every time a private key is used, so that key material cannot be used by a session without the owner’s knowledge. The policy applies to keys held in user profiles; machine keys, such as a server’s own TLS certificate, are not affected. (In the template syntax used throughout this section, the ‘4,’ prefix marks a REG_DWORD value and ‘7,’ a REG_MULTI_SZ value.)

4.4.3.62 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

machine\system\currentcontrolset\control\lsa\fipsalgorithmpolicy=4, 1

The ‘fipsalgorithmpolicy’ value determines whether the Transport Layer Security / Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. The setting ‘1’ restricts TLS/SSL to that cipher suite; on Windows Server 2003 it also restricts Encrypting File System (EFS) and Terminal Services encryption to 3DES. In the Federal Government, this setting is required on all servers to remain compliant with cryptographic policy. Clients that cannot negotiate TLS_RSA_WITH_3DES_EDE_CBC_SHA will fail to connect, so verify interoperability before enabling it.

4.4.3.63 System objects: Default owner for objects created by members of the Administrators group

machine\system\currentcontrolset\control\lsa\nodefaultadminowner=4, 1

The ‘nodefaultadminowner’ value determines whether objects created by members of the Administrators group are owned by the group or by the individual creator. The setting ‘1’ makes the creator the owner. This ensures that the actions of an individual administrator can be isolated and audited.

4.4.3.64 System objects: Require case insensitivity for non-Windows subsystems

machine\system\currentcontrolset\control\session manager\kernel\obcaseinsensitive=4, 1

The ‘obcaseinsensitive’ value determines whether case insensitivity is enforced for subsystems other than Win32, which is always case insensitive. The setting ‘1’ enforces case insensitivity for all subsystems. This prevents a non-Windows subsystem such as POSIX from creating files or objects whose names differ only in case from existing ones: such objects are indistinguishable to, and therefore effectively inaccessible from, Windows applications, and a name differing only in case could otherwise be used to block access to an existing file.

4.4.3.65 System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)

machine\system\currentcontrolset\control\session manager\protectionmode=4, 1

The ‘protectionmode’ value determines whether the default permissions on internal system objects (e.g. symbolic links) are strengthened. The setting ‘1’ strengthens protection on internal system objects: non-administrators can read shared objects they did not create, but cannot modify them.

4.4.3.66 System settings: Optional subsystems

machine\system\currentcontrolset\control\session manager\subsystems\optional=7,

The ‘optional’ value defines which optional subsystems are loaded to support applications. The empty setting (a REG_MULTI_SZ with no entries) disallows all optional subsystems; by default this value lists the POSIX subsystem. The use of an optional subsystem should be justified by an operational requirement. Unless required, no optional subsystem should be enabled.

4.4.3.67 Use Certificate Rules on Windows Executables for Software Restriction Policies

machine\software\policies\microsoft\windows\safer\codeidentifiers\authenticodeenabled=4, 0

The ‘authenticodeenabled’ value determines whether certificate rules are applied to Windows executables under software restriction policies. The setting ‘0’ does not apply certificate rules to Windows executables. Enable it only if the software restriction policy in use actually depends on certificate rules.

4.5 Event Log

Microsoft guidance indicates that the total size of all event logs should not exceed 300 MB. Above that total, events may be lost and the failure itself may not be recorded. Although the interface accepts values up to 4 GB, a combined allocation beyond 300 MB risks losing log entries. The following policy allocates the full 300 MB among the event logs.

4.5.1 Log Size

4.5.1.1 Maximum application log size

MaximumLogSize = 76800 (in [Application Log] section)

The ‘MaximumLogSize’ value determines the size of the Application event log. The setting ‘76800’ creates a 76,800 KB (75 MB) log file. At an average of 500 bytes per event, this log file accommodates over 153,000 events, allowing the system to run for an extended period of time without the log wrapping. NOTE: Due to the wide variety of event loads, we recommend monitoring the log files during the initial operational period.

4.5.1.2 Maximum security log size

MaximumLogSize = 153600 (in [Security Log] section)

The ‘MaximumLogSize’ value determines the size of the Security event log. The setting ‘153600’ creates a 153,600 KB (150 MB) log file. At an average of 500 bytes per event, this log file accommodates over 307,000 events, allowing the system to run for an extended period of time without the log wrapping. NOTE: Due to the wide variety of event loads, we recommend monitoring the log files during the initial operational period.
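As a practical check on 4.4.3.61 through 4.4.3.67 and 4.5.1, the following Python script (an added example, not part of ITSG-20 or of any Microsoft tool) parses the INF syntax these sections use, which is the format `secedit /export` writes and `secedit /configure` reads, compares the `[Registry Values]` and `MaximumLogSize` entries against the baseline values listed above, and flags a combined event log allocation above Microsoft’s 300 MB ceiling. The sample template is constructed for illustration; its `[System Log]` value is an assumption, since that section is not reproduced above.

```python
"""Audit a secedit security template (.inf) against the ITSG-20 values in
sections 4.4.3.61-4.4.3.67 and 4.5.1.  Added example, not part of ITSG-20."""
import re

# Registry value type codes used in security templates: code -> Windows type.
REG_TYPES = {"1": "REG_SZ", "3": "REG_BINARY", "4": "REG_DWORD", "7": "REG_MULTI_SZ"}

# [Registry Values] lines from 4.4.3.61-4.4.3.67: path -> (type code, data).
BASELINE_REGISTRY = {
    r"machine\software\policies\microsoft\cryptography\forcekeyprotection": ("4", "2"),
    r"machine\system\currentcontrolset\control\lsa\fipsalgorithmpolicy": ("4", "1"),
    r"machine\system\currentcontrolset\control\lsa\nodefaultadminowner": ("4", "1"),
    r"machine\system\currentcontrolset\control\session manager\kernel\obcaseinsensitive": ("4", "1"),
    r"machine\system\currentcontrolset\control\session manager\protectionmode": ("4", "1"),
    r"machine\system\currentcontrolset\control\session manager\subsystems\optional": ("7", ""),
    r"machine\software\policies\microsoft\windows\safer\codeidentifiers\authenticodeenabled": ("4", "0"),
}
# MaximumLogSize (KB) from 4.5.1.1 and 4.5.1.2, keyed by INF section name.
BASELINE_LOG_KB = {"Application Log": 76800, "Security Log": 153600}
TOTAL_LOG_LIMIT_KB = 300 * 1024  # Microsoft's 300 MB ceiling across all event logs


def parse_template(text):
    """Return {section: {key: value}} with section and key names lower-cased.
    A file written by `secedit /export` is UTF-16LE; decode it before calling."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def split_registry_value(raw):
    """'4, 2' -> ('4', '2'); '7,' -> ('7', '') (empty REG_MULTI_SZ)."""
    code, _, data = raw.partition(",")
    return code.strip(), data.strip()


def audit(sections):
    """Return a list of findings; an empty list means the template meets the baseline."""
    findings = []
    registry = sections.get("registry values", {})
    for path, (want_code, want_data) in BASELINE_REGISTRY.items():
        raw = registry.get(path.lower())
        if raw is None:
            findings.append(f"MISSING {path} (baseline {REG_TYPES[want_code]} {want_data!r})")
            continue
        have_code, have_data = split_registry_value(raw)
        if (have_code, have_data.lower()) != (want_code, want_data.lower()):
            findings.append(f"DEVIATES {path}: have {REG_TYPES.get(have_code, have_code)} "
                            f"{have_data!r}, baseline {REG_TYPES[want_code]} {want_data!r}")
    for section, want_kb in BASELINE_LOG_KB.items():
        raw = sections.get(section.lower(), {}).get("maximumlogsize")
        if raw is None:
            findings.append(f"MISSING [{section}] MaximumLogSize (baseline {want_kb} KB)")
        elif int(raw) < want_kb:
            findings.append(f"DEVIATES [{section}] MaximumLogSize: {raw} KB below baseline {want_kb} KB")
    # Sum every "* Log" section present, so the ceiling covers logs the baseline does not list.
    total_kb = sum(int(entries["maximumlogsize"]) for name, entries in sections.items()
                   if name.endswith(" log") and "maximumlogsize" in entries)
    if total_kb > TOTAL_LOG_LIMIT_KB:
        findings.append(f"TOTAL event log allocation {total_kb} KB exceeds {TOTAL_LOG_LIMIT_KB} KB; "
                        "events may be dropped silently")
    return findings


def render_baseline_template():
    """Emit an INF containing only the baseline lines, usable with `secedit /configure`."""
    lines = ["[Unicode]", "Unicode=yes", "[Version]", 'signature="$CHICAGO$"', "Revision=1",
             "[Registry Values]"]
    lines += [f"{path}={code},{data}" for path, (code, data) in BASELINE_REGISTRY.items()]
    for section, kb in BASELINE_LOG_KB.items():
        lines += [f"[{section}]", f"MaximumLogSize={kb}"]
    return "\n".join(lines) + "\n"


# Constructed sample of a drifted template (not from a real host): FIPS mode off,
# POSIX subsystem still listed, NoDefaultAdminOwner absent, and a Security log so
# large that the three logs total 450 MB.  The [System Log] value is an assumption.
SAMPLE_TEMPLATE = r"""[Unicode]
Unicode=yes
[Registry Values]
MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7,Posix
MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0
[Application Log]
MaximumLogSize=76800
[Security Log]
MaximumLogSize=307200
[System Log]
MaximumLogSize=76800
"""

if __name__ == "__main__":
    for finding in audit(parse_template(SAMPLE_TEMPLATE)):
        print(finding)
```

A real export is UTF-16LE, so read it with `open(path, encoding="utf-16").read()` before calling `parse_template`. `render_baseline_template()` emits only the lines covered in this section; apply it with `secedit /configure /db audit.sdb /cfg baseline.inf` on a test host before production. A TOTAL finding means the combined log sizes must be brought back under 300 MB, not that the Security log alone should be shrunk.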