Windows Server 2003 Recommended Baseline Security
Share Embed Flag
Download ePaper

Windows Server 2003 Recommended Baseline Security

Windows Server 2003 Recommended Baseline Security Windows Server 2003 Recommended Baseline Security

cse.cst.gc.ca
from cse.cst.gc.ca More from this publisher
19.06.2014 Views

Unclassified ITSG for Windows Server 2003 4.4.3.61 System cryptography: Force strong key protection for user keys stored on the computer machine\software\policies\microsoft\cryptography\forcekeyprotection=4, 2 The ‘forcekeyprotection’ value determines if user keys (e.g. SMIME) require a password each time they are to be used. The setting ‘2’ requires entry of a password each time a private key is used. This ensures that a session that requires key material is used with the owner’s knowledge. 4.4.3.62 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing machine\system\currentcontrolset\control\lsa\fipsalgorithmpolicy=4, 1 The ‘fipsalgorithmpolicy’ determines if Transport Layer Security / Secure Socket Layer (TLS/SSL) Security Provider supports only TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. The setting ‘1’ requires the use of the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. In the Federal Government, this setting is required for all servers to remain compliant to cryptographic policies. 4.4.3.63 System objects: Default owner for objects created by members of the Administrators group machine\system\currentcontrolset\control\lsa\nodefaultadminowner=4, 1 The ‘nodefaultadminowner’ value determines if objects created by members of the Administrators group are owned by the group or the object creator. The setting ‘1’ makes objects owned by the creator. This ensures actions of an individual administrator can be isolated and audited. 4.4.3.64 System objects: Require case insensitivity for non-Windows subsystems machine\system\currentcontrolset\control\session manager\kernel\obcaseinsensitive=4, 1 The ‘obcaseinsensitive’ value determines if case insensitivity is required for non-Windows subsystems. The setting ‘1’ requires case insensitivity for non-Windows subsystems. This disables the ability for non-Windows sub-systems to create files that are inaccessible to the Windows system. It also disables the ability to block access to other files with the same name in upper case. 4.4.3.65 System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) machine\system\currentcontrolset\control\session manager\protectionmode=4, 1 The ‘protectionmode’ registry setting determines if permissions on internal system objects (e.g. symbolic links) is strengthened. The setting ‘1’ strengthens protection on internal system objects. It allows non-administrators to view shared objects they did not create, but not modify. 68 March 2004 Server Policy Files

Windows Server 2003 Recommended Baseline Security (ITSG-20) 4.4.3.66 System settings: Optional subsystems machine\system\currentcontrolset\control\session manager\subsystems\optional=7, The ‘optional’ value defines which subsystems are used to support applications. The empty setting disallows any optional subsystems. The use of sub-systems should be justified with operational requirements. Unless required, no subsystem should be enabled. 4.4.3.67 Use Certificate Rules on Windows Executables for Software Restriction Policies machine\software\policies\microsoft\windows\safer\codeidentifiers\authenticodeenabled=4, 0 The ‘authenticodeenabled’ value determines the use of certificate rules on Windows executables for software restriction policies. The setting ‘0’ does not use certificate rules on Windows executables for software restriction policies. 4.5 Event Log Microsoft guidance indicates that the total size of all event logs should not exceed 300MB. If this value is exceeded, the system may not log or record the failure. While the interface may allow values up to 4GB, there is a risk of losing log entries for values beyond 300 MB. The following policy will utilize full available space for allocation between event logs. 4.5.1 Log Size 4.5.1.1 Maximum application log size MaximumLogSize = 76800 (in [Application Log] section) The ‘MaximumLogSize’ determines the size of the Application event log. The setting ‘76800’ creates a 76800 KB log file. With an average of 500 bytes per event, this log file will accommodate over 153,000 events. This will allow the system to run for an extended period-oftime without having to roll the log file. NOTE: Due to the wide variety of event loads, we recommend monitoring the log files during the initial operational period. 4.5.1.2 Maximum security log size MaximumLogSize = 153600 (in [Security Log] section) The ‘MaximumLogSize’ determines the size of the Security event log. The setting ‘153600’ creates a 153600 KB log file. With an average of 500 bytes per event, this log file will accommodate over 307,200 events. This allows the system to run for an extended period-of-time without having to roll the log file. NOTE: Due to the wide variety of event loads, we recommend monitoring the log files during the initial operational period. Server Policy Files March 2004 69

Unclassified ITSG for <strong>Windows</strong> <strong>Server</strong> <strong>2003</strong><br />

4.4.3.61 System cryptography: Force strong key protection for user keys stored on the<br />

computer<br />

machine\software\policies\microsoft\cryptography\forcekeyprotection=4, 2<br />

The ‘forcekeyprotection’ value determines if user keys (e.g. SMIME) require a password each<br />

time they are to be used. The setting ‘2’ requires entry of a password each time a private key is<br />

used. This ensures that a session that requires key material is used with the owner’s knowledge.<br />

4.4.3.62 System cryptography: Use FIPS compliant algorithms for encryption, hashing,<br />

and signing<br />

machine\system\currentcontrolset\control\lsa\fipsalgorithmpolicy=4, 1<br />

The ‘fipsalgorithmpolicy’ determines if Transport Layer <strong>Security</strong> / Secure Socket Layer<br />

(TLS/SSL) <strong>Security</strong> Provider supports only TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher<br />

suite. The setting ‘1’ requires the use of the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher<br />

suite. In the Federal Government, this setting is required for all servers to remain compliant to<br />

cryptographic policies.<br />

4.4.3.63 System objects: Default owner for objects created by members of the<br />

Administrators group<br />

machine\system\currentcontrolset\control\lsa\nodefaultadminowner=4, 1<br />

The ‘nodefaultadminowner’ value determines if objects created by members of the<br />

Administrators group are owned by the group or the object creator. The setting ‘1’ makes objects<br />

owned by the creator. This ensures actions of an individual administrator can be isolated and<br />

audited.<br />

4.4.3.64 System objects: Require case insensitivity for non-<strong>Windows</strong> subsystems<br />

machine\system\currentcontrolset\control\session manager\kernel\obcaseinsensitive=4, 1<br />

The ‘obcaseinsensitive’ value determines if case insensitivity is required for non-<strong>Windows</strong><br />

subsystems. The setting ‘1’ requires case insensitivity for non-<strong>Windows</strong> subsystems. This<br />

disables the ability for non-<strong>Windows</strong> sub-systems to create files that are inaccessible to the<br />

<strong>Windows</strong> system. It also disables the ability to block access to other files with the same name in<br />

upper case.<br />

4.4.3.65 System objects: Strengthen default permissions of internal system objects (e.g.<br />

Symbolic Links)<br />

machine\system\currentcontrolset\control\session manager\protectionmode=4, 1<br />

The ‘protectionmode’ registry setting determines if permissions on internal system objects (e.g.<br />

symbolic links) is strengthened. The setting ‘1’ strengthens protection on internal system objects.<br />

It allows non-administrators to view shared objects they did not create, but not modify.<br />

68 March 2004 <strong>Server</strong> Policy Files

logo

products

Resources

Company

Terms of service
Privacy policy
Cookie policy
Cookie settings
Imprint
Change language
Made with love in Switzerland
© 2024 Yumpu.com all rights reserved

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!