- 10.8.20.5 Technical Controls
- 10.8.20.6 Deviations
- Exhibit 10.8.20-1 Backup and Recovery Configuration Settings
- Exhibit 10.8.20-2 Account Policies
- Exhibit 10.8.20-3 User Password Settings
- Exhibit 10.8.20-4 Security Options
- Exhibit 10.8.20-5 User Rights
- Exhibit 10.8.20-6 Program Files Folder Permissions
- Exhibit 10.8.20-7 System Directory (C:\Windows(Winnt)\System32) File and Folder Permissions
- Exhibit 10.8.20-8 System Drive (C:) File and Folder Permissions
- Exhibit 10.8.20-9 System Root (C:\Windows(Winnt)) File and Folder Permissions
- Exhibit 10.8.20-10 Server User Home Directories File and Folder Permissions
- Exhibit 10.8.20-11 Other Drives, Files and Folders File and Folder Permissions
- Exhibit 10.8.20-12 Group Policy Setting
- Exhibit 10.8.20-13 Registry Permissions
- Exhibit 10.8.20-14 Registry Configurations
- Exhibit 10.8.20-15 DHCP Server Settings
- Exhibit 10.8.20-16 Allowable exceptions for an Active Directory Domain Controller
- Exhibit 10.8.20-17 Windows Explorer Settings
- Exhibit 10.8.20-18 Internet Explorer Configuration Table
- Exhibit 10.8.20-19 Internet Explorer Zones Configuration Tables
- Exhibit 10.8.20-20 RDP-TCP (Terminal Services) Configuration Table
- Exhibit 10.8.20-21 Audit Policy
- Exhibit 10.8.20-22 Event Log
- Exhibit 10.8.20-23 System Services
- Exhibit 10.8.20-24 Common Windows Ports and Descriptions
- Exhibit 10.8.20-25 Temporary IIS/SQL Settings
- Exhibit 10.8.20-26 WINS Server Security Settings
- Exhibit 10.8.20-27 Exchange Server Security Settings
- Exhibit 10.8.20-28 Virtual Machines System Services
- Exhibit 10.8.20-29 Enterprise Disk Encryption (EDE) Base Servers
- Exhibit 10.8.20-30 Server Proxy Configuration
- Exhibit 10.8.20-31 Internet Explorer Exception Settings for Symantec, Blackberry and Altiris
- Exhibit 10.8.20-32 Glossary
- Exhibit 10.8.20-33 References
- Exhibit 10.8.20-34 IRM 10.8.20 FDCC Deviations
-
For all TCP and UDP port numbers, use the standard (IANA-assigned) port numbers.
-
All ports not specifically required for normal business operations shall be disabled.
-
The IP Protocol ID (the protocol number carried in the IP header) shall use the following standard assignments:
-
Protocol 1 - ICMP
-
Protocol 2 - IGMP
-
Protocol 3 - GGP
-
Protocol 4 - IP in IP encapsulation
-
Protocol 5 - ST stream
-
Protocol 6 - TCP
-
Protocol 7 - CBT (Core Based Trees)
-
Protocol 8 - EGP
-
A list of common Windows ports and their descriptions is defined in Exhibit 10.8.20-24.
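As an added example for this page (not IRS code and not a tool the IRM references), the following Python script checks a host against the open-port requirement above: it parses the text output of `netstat -ano`, keeps listening TCP sockets and bound UDP sockets, and reports every port that is not on an approved list. The approved list and the netstat sample below are constructed placeholders; the authoritative list of required ports for a given server role is Exhibit 10.8.20-24.

```python
"""Listening-port audit against an approved-port list.

Added example for this page (not IRS code): parse the text output of
`netstat -ano` on Windows and report every listening TCP port and every bound
UDP port that is not on the approved list, which is how the "all ports not
specifically required for normal business operations shall be disabled"
requirement can be checked on a host.
"""
import re
import subprocess
from typing import Dict, List, Set, Tuple

# ASSUMED placeholder list keyed by (protocol, port). Replace it with the ports
# approved for the host's role from Exhibit 10.8.20-24.
APPROVED: Set[Tuple[str, int]] = {
    ("TCP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 3389),
    ("UDP", 137), ("UDP", 138), ("UDP", 500),
}

# Constructed sample of `netstat -ano` output; not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1640
  TCP    10.8.20.5:3389         0.0.0.0:0              LISTENING       1204
  TCP    10.8.20.5:445          10.8.20.9:1052         ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       924
  UDP    0.0.0.0:161            *:*                                    1012
  UDP    0.0.0.0:500            *:*                                    736
  UDP    127.0.0.1:1900         *:*                                    1088
"""

# One netstat row: protocol, local, foreign, optional state (UDP has none),
# optional PID (the PID column needs the -o switch, which Windows 2000 lacks).
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?(?:\s+(?P<pid>\d+))?\s*$"
)


def parse_listeners(netstat_output: str) -> Dict[Tuple[str, int], Set[int]]:
    """Return {(proto, port): {owning PIDs}} for listening TCP and bound UDP sockets."""
    listeners: Dict[Tuple[str, int], Set[int]] = {}
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank or unrelated line
        # Established or closing TCP sockets are not exposure; only LISTENING counts.
        if m.group("proto") == "TCP" and m.group("state") != "LISTENING":
            continue
        # Local address is host:port; IPv6 hosts are bracketed, so split on the last colon.
        port = int(m.group("local").rsplit(":", 1)[1])
        pids = listeners.setdefault((m.group("proto"), port), set())
        if m.group("pid"):
            pids.add(int(m.group("pid")))
    return listeners


def unapproved_ports(listeners, approved=APPROVED) -> List[Tuple[str, int, Set[int]]]:
    """Open (proto, port, pids) triples that are not on the approved list, sorted."""
    return sorted(
        ((proto, port, pids) for (proto, port), pids in listeners.items()
         if (proto, port) not in approved),
        key=lambda t: (t[0], t[1]),
    )


def audit(netstat_output: str, approved=APPROVED) -> List[str]:
    """One finding line per unapproved port."""
    return [
        f"{proto}/{port} is open (PID {sorted(pids) or 'unknown'}) and not on the approved list"
        for proto, port, pids in unapproved_ports(parse_listeners(netstat_output), approved)
    ]


def audit_local_host() -> List[str]:
    """Run netstat on this Windows host and audit the live socket table."""
    out = subprocess.run(["netstat", "-ano"], capture_output=True, text=True, check=True).stdout
    return audit(out)


if __name__ == "__main__":
    for finding in audit(SAMPLE_NETSTAT):
        print(finding)
```

`audit_local_host()` runs netstat on the machine being checked; the `-o` switch that adds the PID column exists on XP and Server 2003 but not on Windows 2000, so the parser treats the PID as optional. A port bound only to a loopback address (such as 127.0.0.1:1900 in the sample) is still reported, because any process on the host can reach it and it still has to be justified against the requirement.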
-
-
Network data within a site (the local network and its subnets) is authenticated by the domain authentication protocol (Kerberos in an Active Directory domain) but is not encrypted by default. For an additional level of security, administrators and users can encrypt network data within a site: using Internet Protocol Security (IPSec), all network communication can be encrypted for specific clients or for all clients in a domain. Network data passing in and out of a site (across intranets, extranets, or an Internet gateway) can be secured using the following services:
-
Internet Protocol Security (IPSec) - a suite of cryptography-based protection services and security protocols that authenticates and, where configured, encrypts IP traffic;
-
Routing and Remote Access - configures remote access protocols (dial-up and VPN) and routing; and
-
Internet Authentication Service (IAS) - Microsoft's RADIUS server, which provides authentication, authorization and accounting for dial-in and VPN users.
-
-
The Encrypting File System (EFS) provides a mechanism to secure data that is stored on local hard drives and/or servers. Because an encrypted file can be opened only with the user's (or a recovery agent's) private key, EFS protects files from unauthorized personnel who obtain access to the file system, whether over the network or at the console.
-
EFS protects files only while they are stored on an NTFS volume: a file is decrypted transparently when it is e-mailed, copied to a non-EFS location, or otherwise transferred, so the protection does not travel with the file. EFS is intended to protect the system when an unauthorized user gains access to the files and directories, either via the network or through a local logon.
-
Recovery agents shall be established and managed to ensure that data is not lost if the employee leaves or the system crashes. Where the system does not provide a default recovery agent (e.g., a standalone XP workstation), procedures shall be provided to users to ensure that data can be recovered.
-
EFS shall be used on all systems where any SBU data resides, including taxpayer data.
-
The SA shall create and encrypt an "SBU Data" folder for encrypted data.
-
SA shall encrypt any temp directories on systems that use EFS.
-
-
The IRS shall utilize Public Key Infrastructure (PKI) within its implementation of Windows Server 2003 and Active Directory. PKI is a system of digital certificates, certification authorities (CAs) and registration authorities (RAs) that verifies and authenticates the validity of each party involved in an electronic transaction through the use of public key cryptography.
-
At minimum, IRS owned laptops, portables, and workstations operated outside of IRS facilities shall use encryption software to protect SBU data.
-
In Large Case sites, where Windows domains are configured, these shall be exempt from the encryption requirement, as long as:
-
Physical security controls are in place.
-
The domain is not connected to the IRS network.
-
A deviation has been requested from Cybersecurity (formerly Mission Assurance and Security Services (MA&SS)), identifying the Large Case site and the need for systems that are off premises without encryption.
-
-
Encryption shall be performed using algorithms determined to be compliant with Federal Information Processing Standards Publication (FIPS) 140-2, Security Requirements for Cryptographic Modules.
-
Approved COTS product information is available from the End User Equipment and Services (EUES) intranet web site, accessed via the authorized IRS intranet home page, at http://irweb.irs.gov/.
-
All data encrypted by EFS on workstations attached to the Windows Server environment shall be recoverable. By default, the Administrator account on the domain controllers shall be designated as the Default Recovery Agent (DRA). Additional DRAs shall be designated; these are the accounts that actually perform the recovery of data.
-
The DAA shall ensure that the DRA architecture within the IRS enterprise is documented for the DAA's respective area(s) of responsibility. All actions taken by the DRAs shall be audited and reviewed by the DAA's Data Security organization to ensure that the recovery keys are used only as appropriate.
-
Windows installations shall include 128-bit browser encryption, which is allowed for only US and Canadian use.
-
For specific Internet Explorer security, including items relating to systems and communication protection, see IRM 10.8.20.5.2.12 - Internet Explorer Security.
-
-
The following are the Windows-specific Security Options dealing with network data protection (the Windows 2000 name of each option, where it differs, is given in parentheses):
-
Domain member: Digitally encrypt or sign secure channel data (always) (Windows 2000: Secure channel: Digitally encrypt or sign secure channel data (always))
-
Domain member: Digitally encrypt secure channel data (when possible) (Windows 2000: Secure channel: Digitally encrypt secure channel data (when possible))
-
Domain member: Digitally sign secure channel data (when possible) (Windows 2000: Secure channel: Digitally sign secure channel data (when possible))
-
Domain member: Require strong (Windows 2000 or later) session key (Windows 2000: Secure channel: Require strong (Windows 2000 or later) session key)
-
Network access: Do not allow storage of credentials or .NET Passports for network authentication
-
Microsoft network client: Digitally sign communications (always) (Windows 2000: Digitally sign client communication (always))
-
Microsoft network client: Digitally sign communications (if server agrees) (Windows 2000: Digitally sign client communications (when possible))
-
Microsoft network client: Send unencrypted password to connect to third-party SMB servers (Windows 2000: Send unencrypted password to connect to third-party SMB servers)
-
Microsoft network server: Digitally sign communications (always) (Windows 2000: Digitally sign server communications (always))
-
Microsoft network server: Digitally sign communications (if client agrees) (Windows 2000: Digitally sign server communications (when possible))
-
Network security: LAN Manager authentication level (Windows 2000: LAN Manager authentication level)
-
Network security: LDAP client signing requirements
-
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
-
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
-
System cryptography: Force strong key protection for user keys stored on the computer
-
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
-
The required values for the network data protection Security Options are contained in Exhibit 10.8.20-4, Security Options.
-
Definitions for the network data protection Security Options are contained in Exhibit 10.8.20-32, Glossary, under Network Data Protection.
-
-
The following are the Windows-specific Security Options dealing with the protection of information remnants that could leave a system exposed.
-
Network security: Do not store LAN Manager password hash value on next password change
The SAM database typically stores a LAN Manager (LM) hash of each account password alongside the NT hash. The SAM database should be secure on the workstation; however, if it is captured, the LM hash can be retrieved. The LM hash is weak by design (the password is upper-cased, padded and split into two 7-character halves, each used as a DES key), so brute force attacks against it usually succeed with ease. Removing the LM hash from the SAM database helps protect the local account passwords.
-
Shutdown: Clear virtual memory pagefile (Windows 2000: Clear virtual memory pagefile when system shuts down)
Virtual memory extends the physical memory available to the CPU. As data and applications fill the available physical memory, the operating system writes less frequently used pages of memory out to disk, into the virtual memory pagefile. This greatly extends the amount of "virtual" memory available to the computer. Because those pages can contain passwords, keys and SBU data in clear text, the pagefile is an information remnant that survives on disk after shutdown unless it is cleared.
-
Values for the Security Options for protection of information remnants are contained in Exhibit 10.8.20-4, Security Options.
-
-
Hummingbird shall not be installed on Servers.
-
For workstations that require Hummingbird, the following minimal installation and post-installation modifications shall be implemented. This minimal installation allows only the X Window (Exceed) component of Hummingbird to be used.
-
Perform Minimal Installation
-
Install the following components:
i) Exceed:
(1) Exceed Fonts
-
The following components, and any sub-components, shall not be installed:
i) Accessories (All)
ii) Administrative Tools (All)
iii) The following Exceed components:
(1) Exceed Connection Tools
(2) Exceed Tools (All)
(3) Xweb
iv) Hummingbird FTP
v) Hummingbird Inetd (All)
vi) HostExplorer (All)
-
Modify the basic Minimal Install
i) The following shortcuts shall be removed from C:\Documents and Settings\All Users\Start Menu\Programs\Hummingbird Connectivity 10:
(1) Shortcut for User Files
(2) Shortcut for Exceed => Exceed XDMCP Broadcast
(3) Shortcut for Exceed => Exceed
-
-
Configure Xconfig
(Browse to the following file and open it by double-clicking: %SystemDrive%\Program Files\Hummingbird\Connectivity\10.00\Default User\Exceed\Exceed.xcfg)
-
Set Password for Xconfig
The SA shall set a password by selecting Quick Links => Change My Password. The password shall meet the minimum password requirements defined in IRM 10.8.1.
-
Security, Access Control and System Administration Settings
Select the "Security, Access Control and System Administration" category. The following settings shall be updated from this menu:
i) Set the default user xhost.txt as the Host Access Control List
Under the "Security" tab, set "Host Access Control List" to "File => %SystemDrive%\Program Files\Hummingbird\Connectivity\10.00\Default User\Exceed\xhost.txt". To do this, select Browse and browse to the defined location. Note: by default the browse dialog opens in the %SystemDrive%\Documents and Settings\<username>\... directory.
ii) Update xhost.txt to contain only authorized hosts
Under the "Security" tab, select "Edit" next to "File => xhost.txt". The SA shall ensure this file contains only authorized hosts; an X client on any host not listed is refused a connection to the X server.
iii) Do not allow clients to modify the Host Access List
Under the "Security" tab, ensure "Allow Clients to Modify Host Access List" is not selected; otherwise a connected X client could add hosts to the list (for example with xhost) and bypass the control above.
-
-
Set Hummingbird Directory File Permissions
See Exhibit 10.8.20-6, Program Files Folder Permissions, for Hummingbird directory file permissions.
-
The mandatory requirements for Windows Server 2003 operating Microsoft Exchange Server are detailed in Exhibit 10.8.20-27.
-
The mandatory requirements for operating Virtual Machines are detailed in Exhibit 10.8.20-28.
-
Deviations from this policy shall be processed according to IRM 10.8.1.
Exhibit 10.8.20-1 Backup and Recovery Configuration Settings
See IRM 10.8.20.4.1.1.2 for explanations.
Backup and Recovery Configuration Setting | XP Workstation | 2000 Server | 2003 Server
---|---|---|---
Baseline system backup or imaging (tools such as Microsoft's Ntbackup.exe, Iomega's Back-IT UP, or Symantec's Ghost) | Yes | |
Emergency Repair Disks (ERD), created with the Ntbackup.exe GUI program; now backs up only autoexec.nt, config.nt and setup.log and no longer contains security information | No | Yes | Yes
Regular system backups, including System State data (tools such as Microsoft's Ntbackup.exe, Iomega's Back-IT UP, or Symantec's Ghost) | Yes | |
Data and application backups (tools such as Microsoft's Ntbackup.exe, Iomega's Back-IT UP, or Symantec's Ghost) | Yes | |
Safe Mode usage (F8 during startup), available by default on all systems | Yes | Yes | Yes
Safe Mode with Networking, available by default on all systems | Yes | Yes | Yes
Safe Mode with Command Prompt, available by default on all systems | Yes | Yes | Yes
Recovery Console (the Recovery Console shall be installed from the installation CD-ROM using the /CMDCONS flag) | No | |
Exhibit 10.8.20-2 Account Policies
See IRM 10.8.20.5.1.7 for explanations.
Account Policy | XP Workstation | 2000 Server | 2003 Server
---|---|---|---
Password Policy | | |
Enforce password history | See IRM 10.8.1 | See IRM 10.8.1 | See IRM 10.8.1
Maximum password age | 60 days or less (cannot be 0) | 60 days or less (cannot be 0) | 60 days or less (cannot be 0)
Minimum password age | 1 day or greater | 1 day or greater | 1 day or greater
Minimum password length | 12 characters or greater | 12 characters or greater | 12 characters or greater
Password complexity | Enabled; see IRM 10.8.1 for more information | Enabled; see IRM 10.8.1 for more information | Enabled; see IRM 10.8.1 for more information
Store passwords using reversible encryption | Disabled | Disabled | Disabled
Account Lockout Policy | | |
Account lockout duration | 15 minutes or greater | 15 minutes or greater | 15 minutes or greater
Account lockout threshold | 5 invalid logon attempts or less (cannot be 0) | 5 invalid logon attempts or less (cannot be 0) | 5 invalid logon attempts or less (cannot be 0)
Reset account lockout counter after | 15 minutes or greater | 15 minutes or greater | 15 minutes or greater
Kerberos Policy | | |
Enforce user logon restrictions | Enabled | Enabled | Enabled
Maximum lifetime for service ticket | 600 minutes | 600 minutes | 600 minutes
Maximum lifetime for user ticket | 10 hours | 10 hours | 10 hours
Maximum lifetime for user ticket renewal | 7 days | 7 days | 7 days
Maximum tolerance for computer clock synchronization | 5 minutes | 5 minutes | 5 minutes
Exhibit 10.8.20-3 User Password Settings
See IRM 10.8.20.5.1.8 for explanations.
User Password Setting | XP Workstation | 2000 Server | 2003 Server
---|---|---|---
User must change password at next logon | Enabled / checked (when the account is created or the password is reset) | Enabled / checked (when the account is created or the password is reset) | Enabled / checked (when the account is created or the password is reset)
Password never expires (the only possible exceptions are service accounts) | Never enabled / checked (may be enabled for service accounts) | Never enabled / checked (may be enabled for service accounts) | Never enabled / checked (may be enabled for service accounts)
Enable automatic logon (the only possible exception is during unattended installations of the operating system) | Disabled (may be enabled only during unattended installations of the operating system; shall not be used on production systems) | Disabled (may be enabled only during unattended installations of the operating system; shall not be used on production systems) | Disabled (may be enabled only during unattended installations of the operating system; shall not be used on production systems)
Exhibit 10.8.20-4 Security Options
Security Option (Windows 2000 name in parentheses where it differs) | XP Workstation | 2000 Server | 2003 Server | Reference
---|---|---|---|---
Accounts: Administrator account status | Enabled | N/A (not a security option in 2000, but the account shall be Enabled) | Enabled | See IRM 10.8.20.5.1.9
Accounts: Guest account status | Disabled | N/A (not a security option in 2000, but the account shall be Disabled) | Disabled | See IRM 10.8.20.5.1.9
Accounts: Limit local account use of blank passwords to console logon only | Enabled | N/A | Enabled | See IRM 10.8.20.5.1.9
Accounts: Rename administrator account (2000: same) | Shall be renamed | Shall be renamed | Shall be renamed | See IRM 10.8.20.5.1.9
Accounts: Rename guest account (2000: same) | Shall be renamed | Shall be renamed | Shall be renamed | See IRM 10.8.20.5.1.9
Audit: Audit the access of global system objects (2000: same) | Disabled | Disabled | Disabled | See IRM 10.8.20.5.3.3
Audit: Audit the use of backup and restore privilege (2000: same) | Disabled | Not Defined | Not Defined | See IRM 10.8.20.5.3.3
Audit: Shut down system immediately if unable to log security audits (2000: same) | Disabled | Disabled | Disabled | See IRM 10.8.20.5.3.3
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax (available in 2003 SP1 and XP SP2 or later only) | Not Defined | N/A | Not Defined | See IRM 10.8.20.5.2.6
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax (available in 2003 SP1 and XP SP2 or later only) | Not Defined | N/A | Not Defined | See IRM 10.8.20.5.2.6
Devices: Allow undock without having to log on | Disabled | N/A | Disabled | See IRM 10.8.20.5.2.5
Devices: Allowed to format and eject removable media (2000: Allowed to eject removable NTFS media) | Administrators | Administrators | Administrators | See IRM 10.8.20.5.2.5
Devices: Prevent users from installing printer drivers (2000: same) | Disabled | Enabled | Enabled | See IRM 10.8.20.5.2.5
Devices: Restrict CD-ROM access to locally logged-on user only (2000: same) | Disabled | Enabled | Enabled | See IRM 10.8.20.5.2.5
Devices: Restrict floppy access to locally logged-on user only (2000: same) | Disabled | Enabled | Enabled | See IRM 10.8.20.5.2.5
Devices: Unsigned driver installation behavior (2000: same) | Do not allow installation (see Exhibit 10.8.20-34 for deviated setting) | Warn, but allow installation | Warn, but allow installation | See IRM 10.8.20.5.2.5
Domain controller: Allow server operators to schedule tasks (2000: Allow server operators to schedule tasks (domain controllers only)) | Not Defined | Not Defined | Not Defined | See IRM 10.8.20.5.2.4
Domain controller: LDAP server signing requirements | Not Defined | N/A | Not Defined | See IRM 10.8.20.5.2.4
Domain controller: Refuse machine account password changes | Not Defined | N/A | N/A | See IRM 10.8.20.5.2.4
Domain member: Digitally encrypt or sign secure channel data (always) (2000: Secure channel: Digitally encrypt or sign secure channel data (always)) | Enabled | Enabled | Enabled | See IRM 10.8.20.5.4.3.6
Domain member: Digitally encrypt secure channel data (when possible) (2000: Secure channel: Digitally encrypt secure channel data (when possible)) | Enabled | Enabled | Enabled | See IRM 10.8.20.5.4.3.6
Domain member: Digitally sign secure channel data (when possible) (2000: Secure channel: Digitally sign secure channel data (when possible)) | Enabled | Enabled | Enabled | See IRM 10.8.20.5.4.3.6
Domain member: Disable machine account password changes (2000: Prevent system maintenance of computer account password) | Disabled | Disabled | Disabled | See IRM 10.8.20.5.1.10
Domain member: Maximum machine account password age | 30 days or less | N/A | 30 days or less | See IRM 10.8.20.5.1.10
Domain member: Require strong (Windows 2000 or later) session key (2000: Secure channel: Require strong (Windows 2000 or later) session key) | Enabled | Enabled | Enabled | See IRM 10.8.20.5.4.3.6
Interactive logon: Display user information when the session is locked | N/A | N/A | Do not display user information | See IRM 10.8.20.5.1.10
Interactive logon: Do not display last user name (2000: Do not display last user name in logon screen) | Enabled | Enabled | Enabled | See IRM 10.8.20.5.1.10
Interactive logon: Do not require CTRL+ALT+DEL (2000: Disable CTRL+ALT+DEL requirement for logon) | Disabled | Disabled | Disabled | See IRM 10.8.20.5.1.10
Interactive logon: Message text for users attempting to log on (2000: same) | "This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personnel may provide the evidence of such monitoring to law enforcement officials." (see Exhibit 10.8.20-34 for deviated setting) | See IRM 10.8.1 | See IRM 10.8.1 | See IRM 10.8.20.5.1.10
Interactive logon: Message title for users attempting to log on (2000: same) | Warning (see Exhibit 10.8.20-34 for deviated setting) | See IRM 10.8.1 | See IRM 10.8.1 | See IRM 10.8.20.5.1.10
Interactive logon: Number of previous logons to cache (2000: Number of previous logons to cache (in case domain controller is not available)) | 2 | 2 | 2 | See IRM 10.8.20.5.1.10
Interactive logon: Prompt user to change password before expiration (2000: same) | 14 days or greater | 14 days or greater | 14 days or greater | See IRM 10.8.20.5.1.10
Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled | N/A | Enabled | See IRM 10.8.20.5.1.10
Interactive logon: Require smart card | Not Defined | N/A | Disabled | See IRM 10.8.20.5.1.10
Interactive logon: Smart card removal behavior (2000: same) | Lock Workstation | Lock Workstation | Lock Workstation | See IRM 10.8.20.5.1.10
Microsoft network client: Digitally sign communications (always) (2000: Digitally sign client communication (always)) | Enabled | Enabled | Enabled | See IRM 10.8.20.5.4.3.6
Microsoft network client: Digitally sign communications (if server agrees) (2000: Digitally sign client communications (when possible)) | Enabled | Enabled | Enabled | See IRM 10.8.20.5.4.3.6
Microsoft network client: Send unencrypted password to connect to third-party SMB servers (2000: same) | Disabled | Disabled | Disabled | See IRM 10.8.20.5.4.3.6
Microsoft network server: Amount of idle time required before suspending session (2000: Amount of idle time required before disconnecting session) | 15 minutes or less | 15 minutes or less | 15 minutes or less | See IRM 10.8.20.5.1.10
Microsoft network server: Digitally sign communications (always) (2000: Digitally sign server communications (always)) | Enabled | Enabled | Enabled | See IRM 10.8.20.5.4.3.6
Microsoft network server: Digitally sign communications (if client agrees) (2000: Digitally sign server communications (when possible)) | Enabled | Enabled | Enabled | See IRM 10.8.20.5.4.3.6
Microsoft network server: Disconnect clients when logon hours expire (2000: Automatically log off users when logon time expires) | Enabled | Enabled | Enabled | See IRM 10.8.20.5.1.10
Network access: Allow anonymous SID/Name translation | Disabled | N/A | Disabled | See IRM 10.8.20.5.2.6
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | N/A | Enabled | See IRM 10.8.20.5.2.6
Network access: Do not allow anonymous enumeration of SAM accounts and shares (2000: Additional restrictions for anonymous connections) | Enabled | No Access Without Explicit Anonymous Permissions | Enabled | See IRM 10.8.20.5.2.6
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled | N/A | Enabled | See IRM 10.8.20.5.4.3.6
Network access: Let Everyone permissions apply to anonymous users | Disabled | N/A | Disabled | See IRM 10.8.20.5.2.6
Network access: Named pipes that can be accessed anonymously | COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, browser | NULL (can only be set in the registry; see Exhibit 10.8.20-14, NullSessionPipes registry setting) | NULL | See IRM 10.8.20.5.2.6
Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Control\Server Applications, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration | NULL (or key does not exist) (can only be set in the registry; see Exhibit 10.8.20-14, AllowedPaths\Machine registry setting) | NULL (or key does not exist) | See IRM 10.8.20.5.2.6
Network access: Remotely accessible registry paths and subpaths | N/A | N/A | NULL (or key does not exist) | See IRM 10.8.20.5.2.6
Network access: Restrict anonymous access to Named Pipes and Shares | N/A | N/A | Enabled | See IRM 10.8.20.5.2.6
Network access: Shares that can be accessed anonymously | COMCFG, DFS$ | NULL (can only be set in the registry; see Exhibit 10.8.20-14, NullSessionShares registry setting) | NULL | See IRM 10.8.20.5.2.6
Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves | N/A | Classic - local users authenticate as themselves | See IRM 10.8.20.5.2.6
Network security: Do not store LAN Manager hash value on next password change | Enabled | N/A | Enabled | See IRM 10.8.20.5.4.3.7
Network security: Force logoff when logon hours expire | Enabled | N/A | Enabled | See IRM 10.8.20.5.1.10
Network security: LAN Manager authentication level (2000: same) | Send NTLMv2 response only / Refuse LM and NTLM | Send NTLMv2 response only / Refuse LM and NTLM | Send NTLMv2 response only / Refuse LM and NTLM | See IRM 10.8.20.5.4.3.6
Network security: LDAP client signing requirements | Negotiate Signing (Require Signing is also acceptable) | N/A | Negotiate Signing (Require Signing is also acceptable) | Negotiate Signing (value = 1); Require Signing (value = 2). See IRM 10.8.20.5.4.3.6
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption | N/A | Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption | See IRM 10.8.20.5.4.3.6
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption | N/A | Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption | See IRM 10.8.20.5.4.3.6
Recovery console: Allow automatic administrative logon (2000: same) | Disabled | Disabled | Disabled | See IRM 10.8.20.4.1.2
Recovery console: Allow floppy copy and access to all drives and all folders (2000: same) | Disabled | Disabled | Disabled | See IRM 10.8.20.4.1.2
Shutdown: Allow system to be shut down without having to log on (2000: same) | Enabled | Not Defined | Not Defined | See IRM 10.8.20.5.1.10
Shutdown: Clear virtual memory pagefile (2000: Clear virtual memory pagefile when system shuts down) | Disabled | Disabled | Disabled | See IRM 10.8.20.5.4.3.7
System cryptography: Force strong key protection for user keys stored on the computer | N/A | N/A | User must enter a password each time they use a key | See IRM 10.8.20.5.4.3.6
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Enabled (see Exhibit 10.8.20-34 for deviated setting) | N/A | Disabled | See IRM 10.8.20.5.4.3.6
System objects: Default owner for objects created by members of the Administrators group | Object Creator | N/A | Object Creator | See IRM 10.8.20.5.2.7
System objects: Require case insensitivity for non-Windows subsystems | Enabled | N/A | Enabled | See IRM 10.8.20.5.2.7
System objects: Strengthen default permissions of internal system objects (2000: Strengthen default permissions of global system objects) | Enabled | Enabled | Enabled | See IRM 10.8.20.5.2.7
System settings: Optional subsystems | POSIX (can only be set in the registry; see Exhibit 10.8.20-14, OS2/POSIX: remove the OS2 value from the Optional registry value) | POSIX (can only be set in the registry; see Exhibit 10.8.20-14, OS2/POSIX: remove the OS2 value from the Optional registry value) | POSIX | See IRM 10.8.20.5.2.7
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | N/A | N/A | Not Defined | See IRM 10.8.20.5.2.7
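The Security Options explained in IRM 10.8.20.5.4.3.6 and 10.8.20.5.4.3.7 and the values in Exhibits 10.8.20-2 and 10.8.20-4 can be audited on a host by exporting the effective local policy with `secedit /export /cfg` and comparing the resulting template against the baseline. The following script is an added example written for this page, not IRS code or a tool the IRM references. The registry paths it uses are the well-known values behind the named options (for example `Lsa\LmCompatibilityLevel` for "LAN Manager authentication level" and `Lsa\MSV1_0\NTLMMinClientSec` for the NTLM SSP minimum session security); the sample template is constructed, and the rule set covers the subset of options whose required value is the same for XP and 2003 (the FIPS option, whose required value differs between the two, is deliberately omitted).

```python
r"""Check a `secedit /export` security template against Exhibits 10.8.20-2 and -4.

Added example for this page, not IRS code. `secedit /export /cfg export.inf`
writes the effective local policy as an INI-style template: [System Access]
holds the account policies (Exhibit 10.8.20-2) and [Registry Values] holds the
Security Options (Exhibit 10.8.20-4) as `MACHINE\<path>=<type>,<value>` lines,
where type 4 is REG_DWORD. The paths below are the well-known registry values
behind the named options; the sample template is constructed for illustration.
"""
from typing import Callable, Dict, List, Optional, Tuple

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
NETLOGON = r"MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters"
WKS = r"MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters"
SRV = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"
LDAP = r"MACHINE\System\CurrentControlSet\Services\LDAP"
# Message integrity (0x10) + confidentiality (0x20) + NTLMv2 session security (0x80000) + 128-bit (0x20000000).
NTLM_MIN_SEC = 0x10 | 0x20 | 0x80000 | 0x20000000  # 0x20080030

# (section, key, requirement from the exhibit, predicate on the DWORD value)
RULES: List[Tuple[str, str, str, Callable[[int], bool]]] = [
    ("System Access", "MaximumPasswordAge", "60 days or less, not 0 (secedit writes -1 for never)", lambda v: 1 <= v <= 60),
    ("System Access", "MinimumPasswordLength", "12 characters or greater", lambda v: v >= 12),
    ("System Access", "PasswordComplexity", "Enabled", lambda v: v == 1),
    ("System Access", "ClearTextPassword", "Disabled (no reversible encryption)", lambda v: v == 0),
    ("System Access", "LockoutBadCount", "5 invalid attempts or less, not 0", lambda v: 1 <= v <= 5),
    # -1 means "locked until an administrator unlocks", which is stricter than 15 minutes.
    ("System Access", "LockoutDuration", "15 minutes or greater", lambda v: v == -1 or v >= 15),
    ("Registry Values", LSA + r"\LmCompatibilityLevel", "5 = Send NTLMv2 only / refuse LM and NTLM", lambda v: v == 5),
    ("Registry Values", LSA + r"\NoLMHash", "1 = do not store LM hash", lambda v: v == 1),
    ("Registry Values", LSA + r"\MSV1_0\NTLMMinClientSec", "0x20080030", lambda v: v == NTLM_MIN_SEC),
    ("Registry Values", LSA + r"\DisableDomainCreds", "1 = no stored credentials or .NET Passports", lambda v: v == 1),
    ("Registry Values", NETLOGON + r"\RequireSignOrSeal", "1 = encrypt or sign secure channel (always)", lambda v: v == 1),
    ("Registry Values", NETLOGON + r"\RequireStrongKey", "1 = require strong session key", lambda v: v == 1),
    ("Registry Values", WKS + r"\RequireSecuritySignature", "1 = client signs SMB (always)", lambda v: v == 1),
    ("Registry Values", WKS + r"\EnablePlainTextPassword", "0 = no unencrypted password to third-party SMB servers", lambda v: v == 0),
    ("Registry Values", SRV + r"\RequireSecuritySignature", "1 = server signs SMB (always)", lambda v: v == 1),
    ("Registry Values", LDAP + r"\LDAPClientIntegrity", "1 = Negotiate Signing or 2 = Require Signing", lambda v: v in (1, 2)),
]

# Constructed sample export with four deliberate deviations (not from a real host).
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MaximumPasswordAge = 90
MinimumPasswordLength = 12
PasswordComplexity = 1
ClearTextPassword = 0
LockoutBadCount = 5
LockoutDuration = 15
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395248
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
[Version]
signature="$CHICAGO$"
"""


def parse_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: {section: {key.lower(): raw value}} (secedit varies key case)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = sections.setdefault("", {})
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return sections


def reg_dword(raw: str) -> Optional[int]:
    """'4,5' -> 5 for a REG_DWORD entry; None for REG_SZ (1) or REG_MULTI_SZ (7)."""
    reg_type, _, value = raw.partition(",")
    return int(value) if reg_type.strip() == "4" else None


def check_template(text: str) -> List[str]:
    """One finding per rule that is missing from the template or fails its predicate."""
    sections = parse_inf(text)
    findings = []
    for section, key, requirement, ok in RULES:
        raw = sections.get(section, {}).get(key.lower())
        if raw is None:
            findings.append(f"{key}: not set in template (requirement: {requirement})")
            continue
        value = int(raw) if section == "System Access" else reg_dword(raw)
        if value is None or not ok(value):
            findings.append(f"{key}: found {raw!r}, requirement: {requirement}")
    return findings
```

On the host being checked, run `secedit /export /cfg C:\export.inf` as an administrator, then call `check_template(open(r"C:\export.inf", encoding="utf-16").read())`; secedit writes the template as UTF-16, so the decoding matters. A missing registry line is reported as a finding rather than ignored, because an absent value means the option is at its OS default (for example no NoLMHash entry means LM hashes are still being stored on XP and 2003).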
See IRM 10.8.20.5.2.2 for explanations.
Note:
It is acceptable to configure user right settings to be more restrictive than those defined below for all operating systems.

| User Right | XP Workstation | 2000 Server | 2003 Server |
|---|---|---|---|
| Access this computer from the network | Administrators | Administrators, Authenticated Users | Administrators, Authenticated Users |
| Act as part of the operating system | No one (see Exhibit 10.8.20-34 for deviated setting) | Tivoli_Admin_Privileges | Tivoli_Admin_Privileges |
| Add workstations to domain | Not Defined | No one | No one |
| Adjust memory quotas for a process (2000: Increase quotas) | NETWORK SERVICE, LOCAL SERVICE, Administrators (see Exhibit 10.8.20-34 for deviated setting) | Tivoli_Admin_Privileges | Tivoli_Admin_Privileges |
| Allow logon through Terminal Services | Administrators, Remote Desktop Users | N/A | Administrators, Remote Desktop Users |
| Back up files and directories | Administrators | Administrators, Backup Operators | Administrators, Backup Operators |
| Bypass traverse checking | Administrators, Users (see Exhibit 10.8.20-34 for deviated setting) | Authenticated Users, tmersrvd (when the Tivoli account is installed) | Authenticated Users, tmersrvd (when the Tivoli account is installed) |
| Change the system time | Administrators | Administrators | Administrators, Local Service |
| Create a pagefile | Administrators | Administrators | Administrators |
| Create a token object | No one | No one | No one |
| Create Global Objects | Administrators, Interactive, SERVICE | Administrators, SERVICE | Administrators, SERVICE |
| Create permanent shared objects | No one | No one | No one |
| Debug programs | Administrators | No one | No one |
| Deny access to this computer from the network (only applicable if account exists) | Guests, Support_388945a0 | ANONYMOUS LOGON, Guests, Renamed Guest Account (if enabled), All Non-Operating System Service Accounts | ANONYMOUS LOGON, Guests, Support_388945a0, Renamed Guest Account (if enabled), All Non-Operating System Service Accounts |
| Deny logon as a batch job (only applicable if account exists) | Guests, Support_388945a0 | Guests, Renamed Guest Account (if enabled) | Guests, SUPPORT_388945a0, Renamed Guest Account (if enabled) |
| Deny logon as a service | No one | No one | No one |
| Deny logon locally | Guests, Support_388945a0 | Guests | Guests, Support_388945a0 |
| Deny logon through Terminal Services (only applicable if account exists) | Guests | N/A | Guests, SUPPORT_388945a0, Renamed Guest Account (if enabled) |
| Enable computer and user accounts to be trusted for delegation | Not Defined | No one | No one |
| Force shutdown from a remote system | Administrators | Administrators | Administrators |
| Generate security audits | NETWORK SERVICE, LOCAL SERVICE | No one | No one |
| Increase scheduling priority | Administrators | Administrators | Administrators |
| Impersonate a client after authentication | Administrators, SERVICE | Administrators, SERVICE | Administrators, SERVICE |
| Load and unload device drivers | Administrators | Administrators | Administrators |
| Lock pages in memory | No one | No one | No one |
| Log on as a batch job | No one | LocalLogonBatch | LocalLogonBatch |
| Log on as a service | NETWORK SERVICE, LOCAL SERVICE | LocalLogonService | LocalLogonService |
| Log on locally (2003: Allow Log on Locally) | Administrators, Users (see Exhibit 10.8.20-34 for deviated settings) | Administrators, Backup Operators, tmersrvd (when the Tivoli account is installed), LocalLogonAllowed | Administrators, Backup Operators, tmersrvd (when the Tivoli account is installed), LocalLogonAllowed |
| Manage auditing and security log | Administrators | Administrators | Administrators |
| Modify firmware environment values | Administrators | Administrators | Administrators |
| Perform volume maintenance tasks | Administrators | N/A | Administrators |
| Profile single process | Administrators | Administrators | Administrators |
| Profile system performance | Administrators | Administrators | Administrators |
| Remove computer from docking station | Administrators, Users | Administrators | Administrators |
| Replace a process level token | NETWORK SERVICE, LOCAL SERVICE (see Exhibit 10.8.20-34 for deviated setting) | Tivoli_Admin_Privileges | NETWORK SERVICE, LOCAL SERVICE, Tivoli_Admin_Privileges |
| Restore files and directories | Administrators | Administrators, Backup Operators | Administrators, Backup Operators |
| Shut down the system | Administrators, Users | Administrators | Administrators |
| Synchronize directory service data | No one | No one | No one |
| Take ownership of files or other objects | Administrators | Administrators | Administrators |

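As an added example (not part of IRM 10.8.20), the following Python script checks a security template exported with `secedit /export /cfg <file>` against a subset of the 2003 Server column above, flagging rights granted beyond the baseline and deny rights missing a required principal. The baseline subset, the constructed export text and the group names it recognises (Tivoli_Admin_Privileges, LocalLogonService) are assumptions for illustration.

```python
"""Compare a secedit export against the 2003 Server column of the user rights exhibit.

Added example, not part of IRM 10.8.20. Produce the input on the server with
    secedit /export /cfg rights.inf
and read it with open(path, encoding="utf-16"), since secedit writes UTF-16.
"""

# Well-known SIDs as they appear in an export (prefixed with '*').
# Custom local groups such as Tivoli_Admin_Privileges appear by name, not SID.
SID_NAMES = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-546": "Guests",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
    "S-1-5-6": "SERVICE",
    "S-1-5-7": "ANONYMOUS LOGON",
}

# Subset of the 2003 Server column (assumption: which rights to cover).
# "No one" is the empty set; granting fewer principals than listed is allowed,
# so the check is "granted is a subset of allowed".
ALLOW_BASELINE = {
    "SeNetworkLogonRight": {"Administrators", "Authenticated Users"},
    "SeTcbPrivilege": {"Tivoli_Admin_Privileges"},
    "SeBackupPrivilege": {"Administrators", "Backup Operators"},
    "SeCreateTokenPrivilege": set(),
    "SeDebugPrivilege": set(),
    "SeLockMemoryPrivilege": set(),
    "SeServiceLogonRight": {"LocalLogonService"},
    "SeTakeOwnershipPrivilege": {"Administrators"},
}

# Deny rights work the other way round: the listed principals must be present.
# Only principals that always exist are required here; the exhibit's
# "only applicable if account exists" entries cannot be judged from the export.
DENY_BASELINE = {
    "SeDenyNetworkLogonRight": {"ANONYMOUS LOGON", "Guests"},
    "SeDenyBatchLogonRight": {"Guests"},
}


def parse_privilege_rights(text):
    """Return {right constant: set of principal names} from [Privilege Rights]."""
    rights = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = set()
        for item in value.split(","):
            item = item.strip()
            if not item:
                continue
            if item.startswith("*"):           # '*S-1-5-...' is a SID
                sid = item[1:]
                principals.add(SID_NAMES.get(sid, sid))
            else:                              # plain account or group name
                principals.add(item)
        rights[name.strip()] = principals
    return rights


def audit(rights):
    """Return (right, problem, principals) for every deviation from the baseline."""
    findings = []
    for right, allowed in ALLOW_BASELINE.items():
        # A right absent from the export is assigned to no one.
        extra = rights.get(right, set()) - allowed
        if extra:
            findings.append((right, "granted beyond baseline", sorted(extra)))
    for right, required in DENY_BASELINE.items():
        missing = required - rights.get(right, set())
        if missing:
            findings.append((right, "deny right missing required principal", sorted(missing)))
    return findings


# Constructed sample export; rights assigned to no one are omitted by secedit.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeTcbPrivilege = Tivoli_Admin_Privileges
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544
SeServiceLogonRight = LocalLogonService,*S-1-5-20
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-32-546
SeDenyBatchLogonRight = *S-1-5-32-546,SUPPORT_388945a0
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for right, problem, who in audit(parse_privilege_rights(SAMPLE_EXPORT)):
        print(f"{right}: {problem}: {', '.join(who)}")
```

Run against the sample it reports Administrators holding Debug programs, NETWORK SERVICE holding Log on as a service, and ANONYMOUS LOGON missing from the network deny right.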
See IRM 10.8.20.5.2.8.3 for explanations.
Windows 2000 Server

| Program Files Folder | User | 2000 Server |
|---|---|---|
| %ProgramFiles% | Administrators | Full Control |
| | Authenticated Users | None |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %ProgramFiles%\tivoli (all other permissions are inherited) | TMERSRVD | Full Control |
| %ProgramFiles%\Common Files\SpeechEngines\Microsoft\TTS (SpeechEngines\TTS on 2000) | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %ProgramFiles%\Resource Kit** | Administrators | Full Control |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |

Windows XP and 2003 Server

| System Directory File/Folder | User | XP Workstation | 2003 Server |
|---|---|---|---|
| %SystemDirectory%\config | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| | CREATOR OWNER | Full Control | Full Control |
| | Security Admins | RX | RX |
| %SystemDirectory%\config\systemprofile | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\dllcache | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| | CREATOR OWNER | Full Control | Full Control |
| %SystemDirectory%\arp.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\at.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\attrib.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\cacls.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\debug.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\edlin.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\eventcreate.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\eventtriggers.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\ftp.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\mshta.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\nbtstat.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\net.exe | Administrators | Full Control (see Exhibit 10.8.20-34 for deviated setting) | Full Control |
| | SYSTEM | Full Control (see Exhibit 10.8.20-34 for deviated setting) | Full Control |
| %SystemDirectory%\net1.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\netsh.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\netstat.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\nslookup.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\ntbackup.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\rcp.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\reg.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\regedt32.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\regini.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\regsvr32.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\rexec.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\route.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\rsh.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\sc.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\secedit.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\subst.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\Systeminfo.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\telnet.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\tftp.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDirectory%\tlntsvr.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |

Windows 2000 Server

| System Directory File/Folder | User | 2000 Server |
|---|---|---|
| %SystemDirectory% (contains many operating system DLLs, drivers, and executable programs) | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| | TMERSRVD | RX |
| %SystemDirectory%\CatRoot | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\config (contains registry hive files) | Administrators | Full Control |
| | Security Admins | RX |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| %SystemDirectory%\config\systemprofile (do not allow permissions on this folder to be replaced) | Administrators | N/A |
| | SYSTEM | N/A |
| %SystemDirectory%\dhcp | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\dllcache | Administrators | Full Control |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\drivers | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\net.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\rexec.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\rsh.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\secedit.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\ShellExt | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\wbem | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\DTCLog | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\GroupPolicy (does not exist on an Active Directory Domain Controller) | Administrators | Full Control |
| | Authenticated Users | Read |
| | SYSTEM | Full Control |
| %SystemDirectory%\ias | Administrators | Full Control |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\Export | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\LogFiles | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\ipconfig.exe | Administrators | Full Control |
| | Authenticated Users | RWX |
| | SYSTEM | Full Control |
| | INTERACTIVE | N/A |
| | SERVICE | N/A |
| | BATCH | N/A |
| %SystemDirectory%\mui | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\Ntbackup.exe (file only; file system backup program) | Administrators | Full Control |
| | SYSTEM | Full Control |
| | Backup Operators | Full Control |
| %SystemDirectory%\NTMSData | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\rcp.exe (file only; program used to execute remote procedure calls) | Administrators | Full Control |
| | SYSTEM | Full Control |
| | INTERACTIVE | N/A |
| | SERVICE | N/A |
| | BATCH | N/A |
| %SystemDirectory%\regedt32.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\ReinstallBackups | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | Replicator | RX |
| | SYSTEM | Full Control |
| %SystemDirectory%\LogFiles\ShutDown | Administrators | N/A |
| | SYSTEM | N/A |
| %SystemDirectory%\setup | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| %SystemDirectory%\wbem\mof | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| %SystemDirectory%\wbem\repository | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| %SystemDirectory%\wbem\logs | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| | NETWORK SERVICE | N/A |
| | LOCAL SERVICE | N/A |
| %SystemDirectory%\arp.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\at.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\attrib.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\cacls.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\debug.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\edlin.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\eventcreate.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\eventtriggers.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\ftp.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\mshta.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\nbtstat.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\net1.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\netsh.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\netstat.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\nslookup.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\ntbackup.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\rcp.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\reg.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\regedt32.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\regini.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\regsvr32.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\rexec.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\route.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\rsh.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\sc.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\secedit.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\subst.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\Systeminfo.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\telnet.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\tftp.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDirectory%\tlntsvr.exe | Administrators | Full Control |
| | SYSTEM | Full Control |

Windows XP and 2003 Server

| System Drive File/Folder | User | XP Workstation | 2003 Server |
|---|---|---|---|
| %SystemDrive%\Documents and Settings\<User Profile Directory> | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| | CREATOR OWNER | Full Control | Full Control |
| | <Profile Account> | Full Control | Full Control |
| %SystemDrive%\Documents and Settings\Administrator | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemDrive%\i386 (Note: This directory may exist on a drive other than the system drive.) | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |

Windows 2000 Server

| System Drive File/Folder | User | 2000 Server |
|---|---|---|
| %SystemDrive% | Administrators | Full Control |
| | Authenticated Users | RWX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemDrive%\autoexec.bat** | Administrators | Full Control |
| | Authenticated Users | RX |
| | SYSTEM | Full Control |
| %SystemDrive%\boot.ini | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDrive%\config.sys** | Administrators | Full Control |
| | Authenticated Users | RX |
| | SYSTEM | Full Control |
| %SystemDrive%\IO.SYS | Administrators | Full Control |
| | Authenticated Users | RX |
| | SYSTEM | Full Control |
| %SystemDrive%\i386 (Note: This directory may exist on a drive other than the system drive.) | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDrive%\MSDOS.SYS | Administrators | Full Control |
| | Authenticated Users | RX |
| | SYSTEM | Full Control |
| %SystemDrive%\ntbootdd.sys (Alpha systems only) | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDrive%\ntdetect.com | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDrive%\ntldr | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDrive%\Documents and Settings | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemDrive%\Documents and Settings\<User Profile Directory> | Administrators | Full Control |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| | <Profile Account> | Full Control |
| %SystemDrive%\Documents and Settings\Administrator | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDrive%\Documents and Settings\All Users | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemDrive%\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate | Administrators | Full Control |
| | Authenticated Users | Modify |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemDrive%\Documents and Settings\Default User | Administrators | Full Control |
| | Authenticated Users | Read |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemDrive%\Pagefile.sys | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemDrive%\perflogs (if it exists) | Administrators | Full Control |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| | Performance Monitor Users | RX |
| | NETWORK SERVICE | Modify |
| | Performance Log Users | Modify |
| %SystemDrive%\System Volume Information | SYSTEM | Full Control |
| | Administrators | Full Control |
| | CREATOR OWNER | Full Control |
| %SystemDrive%\Temp | Administrators | Full Control |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| | Authenticated Users | None |
| %SystemDrive%\Tivoli (all other permissions are inherited) | TMERSRVD | Full Control |

Windows XP and 2003 Server

| System Root File/Folder | User | XP Workstation | 2003 Server |
|---|---|---|---|
| %SystemRoot%\repair | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |
| %SystemRoot%\regedit.exe | Administrators | Full Control | Full Control |
| | SYSTEM | Full Control | Full Control |

Windows 2000 Server

| System Root File/Folder | User | 2000 Server |
|---|---|---|
| %SystemRoot% | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\tivoli (to be added to default permissions) | TMERSRVD | RX |
| %SystemRoot%\addins | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\AppPatch | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\Connection Wizard | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\debug | Administrators | Full Control |
| | Authenticated Users | Read |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\Debug\UserMode | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\Driver Cache | Administrators | Full Control |
| | Authenticated Users | Read |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\explorer.exe | Administrator | Full Control |
| | SYSTEM | Full Control |
| | Authenticated Users | RX |
| %SystemRoot%\Help | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\java | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\mui | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\msagent | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\regedit.exe | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\Registration | Administrators | Full Control |
| | Authenticated Users | Read Only (R) |
| | SYSTEM | Full Control |
| %SystemRoot%\repair | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| %SystemRoot%\security | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\speech** | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\Tasks | Administrators | Full Control |
| | Authenticated Users | RWX |
| | SYSTEM | Full Control |
| %SystemRoot%\Temp | Administrators | Full Control |
| | Authenticated Users | RWX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| | TMERSRVD | RWX |
| %SystemRoot%\security\templates | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\twain_32 | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\Web | Administrators | Full Control |
| | Authenticated Users | RX |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\system.ini, *.exe, *.dll, msdfmap.ini, mib.bin, _default.pif, explorer.scf, clock.avi | Authenticated Users | RX |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\System\stdole.tlb, setup.inf | Authenticated Users | RX |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\Inf\*.inf, *.adm, unregmp2.exe | Authenticated Users | RX |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\Fonts\*.* (all files within the directory) | Authenticated Users | RX |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\Media\*.* (all files within the directory) | Authenticated Users | RX |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| %SystemRoot%\$*Uninstall* | Administrators | Full Control |
| | SYSTEM | Full Control |

Server User Home Directories

| User | XP Workstation | 2000 Server | 2003 Server |
|---|---|---|---|
| Administrators | N/A | Full Control | Full Control |
| %Username% | N/A | Modify | Modify |
| SYSTEM | N/A | Full Control | Full Control |

Subsequent System Drives and Partitions

| User | XP Workstation | 2000 Server | 2003 Server |
|---|---|---|---|
| Everyone | N/A | The Everyone group shall not be present on any non-operating system drive or partition. | N/A |

See IRM 10.8.20.5.2.10.13 for explanations.
Group Policy Setting

| User | XP Workstation | 2000 Server | 2003 Server |
|---|---|---|---|
| Default GPO | | | |
| Enterprise Admins | Edit Settings, Delete, Modify Security | Edit Settings, Delete, Modify Security | Edit Settings, Delete, Modify Security |
| Domain Admins | Read | Read | Read |
| SYSTEM | Edit Settings, Delete, Modify Security | Edit Settings, Delete, Modify Security | Edit Settings, Delete, Modify Security |
| ENTERPRISE DOMAIN CONTROLLERS | Read | Read | Read |
| IRS GPO Admins | Edit Settings, Delete, Modify Security | Edit Settings, Delete, Modify Security | Edit Settings, Delete, Modify Security |
| Authenticated Users | Default permissions via GPO Security Filtering (Read, Apply) | Default permissions via GPO Security Filtering (Read, Apply) | Default permissions via GPO Security Filtering (Read, Apply) |
| Single-Purpose GPO | | | |
| Enterprise Admins | Edit Settings, Delete, Modify Security | Edit Settings, Delete, Modify Security | Edit Settings, Delete, Modify Security |
| Domain Admins | Read | Read | Read |
| SYSTEM | Edit Settings, Delete, Modify Security | Edit Settings, Delete, Modify Security | Edit Settings, Delete, Modify Security |
| ENTERPRISE DOMAIN CONTROLLERS | Read | Read | Read |
| IRS GPO Admins | Edit Settings, Delete, Modify Security | Edit Settings, Delete, Modify Security | Edit Settings, Delete, Modify Security |
| DS\GPO Read-Only Users | Read | Read | Read |
| Authenticated Users (Note: This group is removed from GPO Security Filtering and Delegation.) | None | None | None |
| <Security Filtering Group> (Note: Added to GPO Security Filtering.) | Read, Apply | Read, Apply | Read, Apply |

The Domain Level GPO shall be set to "No Override" to prevent other GPOs from overriding policy set by this GPO.
See IRM 10.8.20.5.2.9 for explanations.
All values are applicable for keys and subkeys, except CREATOR OWNER, which applies to subkeys only.
Registry Permissions for Windows XP and 2003 Server

| Registry Key or Value | User | XP Workstation | 2003 Server |
|---|---|---|---|
| HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg | Administrators | Full Control | Full Control |
| | Backup Operators | Read (QENR) | Read (QENR) |
| | LOCAL SERVICE | Read (QENR) | Read (QENR) |

HKEY Classes Root for Windows 2000 Server

| Registry Key or Value | User | 2000 Server |
|---|---|---|
| CLASSES_ROOT | Administrators | Full Control |
| | Authenticated Users | QSCENR |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| CLASSES_ROOT\.hlp | Administrators | Full Control |
| | Authenticated Users | Read |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| CLASSES_ROOT\helpfile | Administrators | Full Control |
| | Authenticated Users | Read |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |

HKEY Local Machine Software Keys and Values for Windows 2000 Server

| Registry Key or Value | User | 2000 Server |
|---|---|---|
| MACHINE\Software (Note: Permissions shall propagate to subdirectories.) | Administrators | Full Control |
| | Authenticated Users | Read |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| MACHINE\SOFTWARE\Classes | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Classes\.hlp | Administrators | Full Control |
| | SYSTEM | Full Control |
| | Authenticated Users | Read |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Classes\HelpFile | Administrators | Full Control |
| | SYSTEM | Full Control |
| | Authenticated Users | Read |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\ADs\Providers\LDAP\Extensions | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\ADs\Providers\NDS | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\ADs\Providers\NWCOMPAT | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\ADs\Providers\WinNT | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\Command Processor | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\Cryptography | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\Cryptography\Calais | Administrators | Full Control |
| | CREATOR OWNER | Full Control |
| | Local Service | N/A |
| | SYSTEM | Full Control |
| MACHINE\SOFTWARE\Microsoft\Driver Signing | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\DeviceManager | Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\EventSystem | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\MSDTC | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\Non-Driver Signing | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\NetDDE | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\Ole | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT | Administrators | Full Control |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| MACHINE\SOFTWARE\Microsoft\Rpc | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\Secure | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\Speech | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\SystemCertificates | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\Tracing | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\Windows | Administrators | Full Control |
| | Authenticated Users | Special (QSCENR) |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| MACHINE\Software\Microsoft\Windows\CurrentVersion | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\Windows\Help | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | Administrators | Full Control |
| | Authenticated Users | Read |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx | Administrators | Full Control |
| | Authenticated Users | Read |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy (Do not allow permissions on this key to be replaced.) | Administrators | Full Control |
| | Authenticated Users | Read |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer (Do not allow permissions on this key to be replaced.) | Administrators | Full Control |
| | Authenticated Users | Read |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies (Do not allow permissions on this key to be replaced.) | Administrators | Full Control |
| | Authenticated Users | Read |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony (All permissions are applied to 'This Object and Child Objects'.) | Administrator | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| | Network Service | N/A |
| | Local Service | N/A |
| | Authenticated Users | Read |
| MACHINE\Software\Microsoft\Windows NT\CurrentVersion | Authenticated Users | Read |
| | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
| MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility | Administrators | Full Control |
| | Authenticated Users | Read |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
MACHINE\/ SOFTWARE\/ Microsoft\/Windows NT\/ CurrentVersion\/ AEDebug | Administrators | Full Control |
Authenticated Users | Read | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
MACHINE\/SOFTWARE\/Microsoft\/Windows
NT\/CurrentVersion\/Asr\/Commands (Windows 2000: MACHINE\/SOFTWARE\/Microsoft\/Windows NT\/CurrentVersion\/AsrCommands) |
Administrators | Full Control |
Authenticated Users | Read | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
Backup Operators | Read | |
MACHINE\/SOFTWARE\/Microsoft\/Windows NT\/CurrentVersion\/Classes | Administrators | Full Control |
Authenticated Users | Read | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
MACHINE\/ SOFTWARE\/ Microsoft\/Windows NT\/ CurrentVersion\/ Compatibility | Administrators | Full Control |
Authenticated Users | Read | |
CREATOR OWNER | Full Control | |
SYSTEM | Full Control | |
MACHINE\/ SOFTWARE\/ Microsoft\/Windows NT\/ CurrentVersion\/ Drivers32 | Administrators | Full Control |
Authenticated Users | Read | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
MACHINE\/ SOFTWARE\/ Microsoft\/Windows NT\/ CurrentVersion\/EFS | Administrators | Full Control |
Authenticated Users | Read | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
MACHINE\/ SOFTWARE\/ Microsoft\/Windows NT\/ CurrentVersion\/ Font Drivers | Administrators | Full Control |
Authenticated Users | Read | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
MACHINE\/ SOFTWARE\/ Microsoft\/Windows NT\/ CurrentVersion\/ FontMapper | Administrators | Full Control |
Authenticated Users | (QSCENR) | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
MACHINE\/SOFTWARE\/Microsoft\/Windows NT\/CurrentVersion\/Image File Execution Options | Administrators | Full Control |
Authenticated Users | Read | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
MACHINE\/ SOFTWARE\/ Microsoft\/Windows NT\/ CurrentVersion\/ IniFileMapping | Administrators | Full Control |
Authenticated Users | Read | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
MACHINE\/ SOFTWARE\/ Microsoft\/Windows NT\/ CurrentVersion\/Perflib | Administrators | Full Control |
SYSTEM | Full Control | |
CREATOR OWNER | N/A | |
Performance Log Users | N/A | |
Performance Monitor Users | N/A | |
Network Service | N/A | |
Local Service | N/A | |
MACHINE\/SOFTWARE\/Microsoft\/Windows NT\/CurrentVersion\/Ports | Administrators | Full Control |
Authenticated Users | Read | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
MACHINE\/SOFTWARE\/Microsoft\/Windows NT\/CurrentVersion\/ProfileList | Administrators | Full Control |
Authenticated Users | Read | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
MACHINE\/SOFTWARE\/Microsoft\/Windows NT\/CurrentVersion\/SecEdit | Administrators | Full Control |
Authenticated Users | Read | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
MACHINE\/ SOFTWARE\/ Microsoft\/Windows NT\/ CurrentVersion\/Setup\/ RecoveryConsole | Administrators | Full Control |
Authenticated Users | Read | |
CREATOR OWNER | Full Control | |
SYSTEM | Full Control | |
MACHINE\/ SOFTWARE\/ Microsoft\/Windows NT\/ CurrentVersion\/ Svchost | Administrators | Full Control |
Authenticated Users | Read | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
MACHINE\/SOFTWARE\/Microsoft\/Windows NT\/CurrentVersion\/Time Zones | Administrators | Full Control |
Authenticated Users | Read | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
MACHINE\/ SOFTWARE\/ Microsoft\/Windows NT\/ CurrentVersion\/ Windows | Administrators | Full Control |
Authenticated Users | Read | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
MACHINE\/SOFTWARE\/Policies | Administrators | Full Control |
Authenticated Users | Read | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
MACHINE\/ SOFTWARE\/ Microsoft\/Windows NT\/ CurrentVersion\/ Winlogon | Administrators | Full Control |
Authenticated Users | Read | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
MACHINE\/SOFTWARE\/Microsoft\/wbem | Administrators | Full Control |
Authenticated Users | Read | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
Network Service | N/A | |
MACHINE\/ SOFTWARE\/ Microsoft\/Windows\/ CurrentVersion\/ Shell Extensions | Administrators | Full Control |
Authenticated Users | Read | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
MACHINE\/ SOFTWARE\/ Program Groups | Administrators | Full Control |
Authenticated Users | Read | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
Terminal Server User | Read | |
MACHINE\/ SOFTWARE\/ Secure | Administrators | Full Control |
Authenticated Users | Read | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control | |
Terminal Server User | Read | |
MACHINE\/ SOFTWARE\/ Windows 3.1 Migration Status | Administrators | Full Control |
Authenticated Users | Read | |
SYSTEM | Full Control | |
CREATOR OWNER | Full Control |
HKEY Local Machine System Keys and Values for Windows 2000 Server
Registry Key or Value | User | 2000 Server |
---|---|---|
HKEY Local Machine System Keys and Values | | |
MACHINE\System | Administrators | Full Control |
| | Authenticated Users | Read |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
MACHINE\SYSTEM\CurrentControlSet\Control\Computername | Administrators | Full Control |
| | Authenticated Users | Read |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
MACHINE\SYSTEM\CurrentControlSet\Control | Administrators | Full Control |
| | Authenticated Users | Read |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
MACHINE\SYSTEM\CurrentControlSet\Control\Class (Propagate inheritable permissions to all SubKeys) (Allow inheritable permissions from the parent to propagate) | | |
MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex | Administrators | Full Control |
| | Authenticated Users | Read |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout | Administrators | Full Control |
| | Authenticated Users | Read |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
MACHINE\SYSTEM\CurrentControlSet\Control\LSA\JD | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Skew1 | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
MACHINE\SYSTEM\CurrentControlSet\Control\LSA\GBG | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Data | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
MACHINE\SYSTEM\CurrentControlSet\Control\Network (All other permissions are inherited) | Network Configuration Operators | Group does not exist in 2000 |
MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers | Administrators | Full Control |
| | Authenticated Users | Read |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions | Administrators | Full Control |
| | Authenticated Users | Read |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers | Administrators | Full Control |
| | SYSTEM | Full Control |
MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg | Administrators | Full Control |
| | SYSTEM | Full Control |
| | Local Service | N/A |
| | Backup Operators | Read (This Key Only) |
MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent | SYSTEM | Full Control |
| | Everyone | QENR |
MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager | Administrators | Full Control |
| | SYSTEM | Full Control |
MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security | Administrators | Full Control |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
MACHINE\SYSTEM\CurrentControlSet\Services (Propagate inheritable permissions to all SubKeys) | Administrators | Full Control |
| | Authenticated Users | Read |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp | Administrators | Full Control |
| | Authenticated Users | Read |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| | Network Service | N/A |
MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security | Administrators | Full Control |
| | SYSTEM | Full Control (This Key Only) |
MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security | Administrators | Full Control |
| | SYSTEM | Full Control (This Key Only) |
MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security | Administrators | Full Control |
| | SYSTEM | Full Control (This Key Only) |
MACHINE\SYSTEM\CurrentControlSet\Services\kdc\Security | Administrators | Full Control |
| | SYSTEM | Full Control (This Key Only) |
MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Security | Administrators | Full Control |
| | SYSTEM | Full Control (This Key Only) |
MACHINE\SYSTEM\CurrentControlSet\Services\NetDDEdsdm\Security | Administrators | Full Control |
| | SYSTEM | Full Control (This Key Only) |
MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Security | Administrators | Full Control |
| | SYSTEM | Full Control (This Key Only) |
MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security | Administrators | Full Control |
| | SYSTEM | Full Control (This Key Only) |
MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Security | Administrators | Full Control |
| | SYSTEM | Full Control (This Key Only) |
MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv\Security | Administrators | Full Control |
| | SYSTEM | Full Control (This Key Only) |
MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Security | Administrators | Full Control |
| | SYSTEM | Full Control (This Key Only) |
MACHINE\SYSTEM\CurrentControlSet\Services\WMI\Security | Administrators | Full Control |
| | SYSTEM | Full Control (This Key Only) |
MACHINE\SYSTEM\CurrentControlSet\Services\EventLog (Propagate inheritable permissions to all SubKeys) | Administrators | Full Control |
| | Authenticated Users | Read |
| | SYSTEM | Full Control |
MACHINE\SYSTEM\CurrentControlSet\Enum (Do not allow permissions on this Key to be replaced.) | Administrators | Full Control |
| | SYSTEM | Full Control |
| | Authenticated Users | Read |
MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles | Administrators | Full Control |
| | Authenticated Users | Read |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares | Administrators | Full Control |
| | Authenticated Users | Read |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
MACHINE\SYSTEM\CurrentControlSet\Services\Schedule | Administrators | Full Control |
| | Authenticated Users | Read |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip | Administrators | Full Control |
| | Authenticated Users | Read |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
| | Network Service | N/A |
| | Network Configuration Operators | N/A |
MACHINE\SYSTEM\CurrentControlSet\Services\UPS | Administrators | Full Control |
| | Authenticated Users | Read |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
HKEY USERS for Windows 2000 Server
Registry Key or Value | User | 2000 Server |
---|---|---|
HKEY USERS | | |
USERS\.DEFAULT | Administrators | Full Control |
| | Authenticated Users | (QSCENR) |
| | SYSTEM | Full Control |
| | CREATOR OWNER | Full Control |
USERS\.DEFAULT\Software\Microsoft\NetDDE | Administrators | Full Control |
| | SYSTEM | Full Control |
| | Creator Owner | Full Control |
USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies | Administrators | Full Control |
| | Authenticated Users | Read |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
USERS\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\ProtectedRoots (Do not allow permissions on this key to be replaced.) | Administrators | Full Control |
| | Authenticated Users | Read |
| | CREATOR OWNER | Full Control |
| | SYSTEM | Full Control |
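The permission rows above can be verified on a host with Get-Acl. The script below is an added example, not part of IRM 10.8.20 or any IRS tooling; it checks one key's ACL against its exhibit row, folding the generic-rights bits that inherit-only entries (CREATOR OWNER in particular) carry into the specific rights they grant, and reports missing, insufficient, excess and unlisted identities. The function name, the HKLM: drive path form, the account-to-authority mapping and the reading of QSCENR as Query/Set/Create subkey/Enumerate/Notify/Read control are assumptions of this example.

```powershell
# Added example (not from IRM 10.8.20): compare a registry key's ACL with its
# Exhibit 10.8.20-13 row. Assumes an elevated PowerShell session on the host.

# Exhibit account names -> identities as Get-Acl reports them (assumed mapping).
$IdentityMap = @{
    'Administrators'      = 'BUILTIN\Administrators'
    'SYSTEM'              = 'NT AUTHORITY\SYSTEM'
    'CREATOR OWNER'       = 'CREATOR OWNER'
    'Authenticated Users' = 'NT AUTHORITY\Authenticated Users'
    'Backup Operators'    = 'BUILTIN\Backup Operators'
}

# Exhibit permission labels -> RegistryRights. "Read" is the ReadKey composite;
# QSCENR is read here as QueryValues, SetValue, CreateSubKey, EnumerateSubKeys,
# Notify and ReadPermissions (read control).
$RightsMap = @{
    'Full Control' = [int64][System.Security.AccessControl.RegistryRights]::FullControl
    'Read'         = [int64][System.Security.AccessControl.RegistryRights]::ReadKey
    'QSCENR'       = [int64][System.Security.AccessControl.RegistryRights]'QueryValues, SetValue, CreateSubKey, EnumerateSubKeys, Notify, ReadPermissions'
}

function ConvertTo-KeyRights {
    param([int64]$Raw)
    # Inherit-only ACEs are stored with generic rights bits; fold them into the
    # specific registry rights they grant so the comparison with the exhibit holds.
    $r = $Raw -band 4294967295                 # treat the mask as unsigned 32-bit
    $fold = @(
        @(268435456,  983103),   # GENERIC_ALL     -> FullControl (0xF003F)
        @(2147483648, 131097),   # GENERIC_READ    -> ReadKey     (0x20019)
        @(1073741824, 131078),   # GENERIC_WRITE   -> WriteKey    (0x20006)
        @(536870912,  131097)    # GENERIC_EXECUTE -> ReadKey
    )
    foreach ($pair in $fold) {
        if ($r -band $pair[0]) { $r = ($r -bor $pair[1]) -band (-bnot $pair[0]) }
    }
    $r
}

function Test-RegistryKeyPermissions {
    param(
        [Parameter(Mandatory)][string]$Path,        # e.g. HKLM:\SOFTWARE\...\Run
        [Parameter(Mandatory)][hashtable]$Expected  # exhibit name -> exhibit label
    )
    $allow = (Get-Acl -Path $Path).Access | Where-Object { $_.AccessControlType -eq 'Allow' }
    $listed = @($Expected.Keys | ForEach-Object { $IdentityMap[$_] })

    foreach ($name in $Expected.Keys) {
        $identity = $IdentityMap[$name]
        $want     = $RightsMap[$Expected[$name]]
        # Explicit and inherited Allow entries for one identity add up.
        $have = [int64]0
        foreach ($ace in ($allow | Where-Object { $_.IdentityReference.Value -eq $identity })) {
            $have = $have -bor (ConvertTo-KeyRights -Raw ([int64]$ace.RegistryRights))
        }
        $result = if ($have -eq 0)                          { 'MISSING' }
                  elseif (($have -band $want) -ne $want)     { 'TOO LITTLE' }
                  elseif (($have -band (-bnot $want)) -ne 0) { 'EXCESS RIGHTS' }
                  else                                       { 'OK' }
        [pscustomobject]@{ Identity = $identity; Expected = $Expected[$name]; Actual = $have; Result = $result }
    }
    # Any Allow entry for an identity the exhibit row does not list is a deviation too.
    foreach ($ace in ($allow | Where-Object { $listed -notcontains $_.IdentityReference.Value })) {
        [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Expected = '(not listed)'
                           Actual = [int64]$ace.RegistryRights; Result = 'UNEXPECTED IDENTITY' }
    }
}

# The exhibit row for MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
$runKeyExpected = @{
    'Authenticated Users' = 'Read'
    'Administrators'      = 'Full Control'
    'SYSTEM'              = 'Full Control'
    'CREATOR OWNER'       = 'Full Control'
}
Test-RegistryKeyPermissions -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Expected $runKeyExpected |
    Format-Table -AutoSize
```

On systems newer than the 2000/2003 baseline the unlisted-identity check will flag entries the exhibit predates, which is the intended signal for a deviation review rather than an error in the script.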
Subject | Information | XP Workstation | 2000 Server | 2003 Server | Comments |
---|---|---|---|---|---|
General Security Settings: | | | | | |
Delete Roaming Cache | Key: Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DeleteRoamingCache Type: REG_DWORD Value: 1 = Enable | Value = 1 | Value = 1 | Value = 1 | |
Disable Media Autorun Feature | Key: Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun Type: REG_DWORD Value: 0 = Permit AutoRun; Value: 255 = Disable for All Media | Value = 255 | Value = 255 | Value = 255 | |
Disable CD-ROM Autorun | Key: Hkey_Local_Machine\System\CurrentControlSet\Services\CDROM\Autorun Type: DWORD Value: 0 to disable | Value = 0 | Value = 0 | Value = 0 | |
Disable saving of dial-up password | Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\DisableSavePassword Type: REG_DWORD | Value = 1 | N/A | N/A | |
Do Not Allow Automatic Administrator Logon | Key: Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon Type: String (REG_SZ) Value: 0 = Disable (Not Allowed) | Value = 0 | Value = 0 | Value = 0 | Note: This registry setting, when set to 1, allows a user to automatically log on at any Windows networked computer without giving a password. |
Enable DCOM | Key: Hkey_Local_Machine\Software\Microsoft\OLE\EnableDCOM Type: String (REG_SZ) Value: Y (to enable); N (to disable) | Value = Y | Value = Y | Value = Y | Systems that are to be deployed in networks that provide any type of service to the Internet or non-controlled systems should have the DCOM service disabled, in addition to other prudent hardening configuration settings. |
Enable 3DES Encryption for EFS | Key: Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\EFS\AlgorithmID Name: EFS Using 3DES Type: REG_DWORD Value: 3DES - Decimal 26115 (Hex 6603) Note: AES_256 - Decimal 26128 (Hex 6610) is acceptable if the operating system supports this setting. | N/A | Value = Decimal 26115 (Hex 6603) | N/A | 3DES: Key Value = 26115 (Hex: 6603) (Compatible with Windows XP and later.) Note: Windows 2000 with SP 2 or later (i.e. High Encryption Pack installed) will support 3DES. |
Enable NoDefaultExempt for IPSec Filtering | Key: Hkey_Local_Machine\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt Type: REG_DWORD Value: 0, 1, 2 or 3. 0 = Multicast, broadcast, RSVP, Kerberos, and ISAKMP traffic are exempt from IPSec filtering. This is the default filtering behavior for Windows 2000 and XP. Use this setting only if you have to for compatibility with an existing IPsec policy or Windows 2000 and XP behavior. 1 = Kerberos and RSVP traffic are not exempt from IPSec filtering, but multicast, broadcast and ISAKMP traffic are exempt. 2 = Multicast and broadcast traffic are not exempt from IPSec filtering, but RSVP, Kerberos, and ISAKMP traffic are exempt. 3 = Only ISAKMP traffic is exempt from IPSec filtering. This is the default filtering behavior for Windows Server 2003. | Not Defined | Not Defined | Not Defined | |
Enable Secure Boot | Key: Hkey_Local_Machine\System\CurrentControlSet\Control\LSA\SecureBoot Type: REG_DWORD Value: 1 = Store Key locally; Value: 2 = Password at Startup; Value: 3 = Store Key on floppy | Value = 1 | Value = 1 | Value = 1 | This is the default setting. |
Hide computer from the browse list | Key: Hkey_Local_Machine\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden Type: REG_DWORD Value: 1 (Enabled), 0 (Disabled) | Not Defined | Not Defined | Not Defined | |
Prevent Generation of 8.3 Filenames | Key: Hkey_Local_Machine\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation Type: REG_DWORD Value: 0 = Enable (Allow Creation) | Value = 0 | Value = 0 | Value = 0 | |
Restrict Access to Null Session Pipes | Key: Hkey_Local_Machine\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes Type: REG_MULTI_SZ | Set in Security Options - See Exhibit 10.8.20-4 - Network access: Named pipes that can be accessed anonymously | Null | Set in Security Options - See Exhibit 10.8.20-4 - Network access: Named pipes that can be accessed anonymously | |
Restrict Access to Null Session Shares | Key: Hkey_Local_Machine\System\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares Type: REG_MULTI_SZ | Set in Security Options - See Exhibit 10.8.20-4 - Network Access: Shares That Can Be Accessed Anonymously | Null | Set in Security Options - See Exhibit 10.8.20-4 - Network Access: Shares That Can Be Accessed Anonymously | |
Safe DLL Search Mode | Key: Hkey_Local_Machine\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode Type: REG_DWORD Value: 1 (Search System and Windows directories first.) (Enabled); Value: 0 (Search current directory first) (Disabled) | Value = 1 | Value = 1 | Value = 1 | |
Security Event Log Warning Level | Key: Hkey_Local_Machine\System\CurrentControlSet\Services\EventLog\Security\WarningLevel Type: REG_DWORD Value: (Percentage of the Security Event Log.) | Value = 90 or less | Value = 90 or less | Value = 90 or less | Percentage threshold for the security event log at which the system will generate a warning entry. Note: SP3 or greater is required for Windows 2000. |
The time in seconds before the screen saver grace period expires | Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod Type: REG_DWORD (0 - Recommended) | Value = 0 | Value = 0 | Value = 0 | |
Winreg Allowed Paths | Key: Hkey_Local_Machine\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine Type: REG_MULTI_SZ Value: NULL | Set in Security Options - See Exhibit 10.8.20-4 - Network Access: Remotely Accessible Registry Paths | Value = NULL (or key does not exist) | Value = NULL (or key does not exist) (Set in Security Options - See Exhibit 10.8.20-4 - Network Access: Remotely Accessible Registry Paths and Sub-Paths) | |
TCP/IP Security Settings | | | | | |
Allow Automatic Detection of MTU Size | Key: Hkey_Local_Machine\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery Type: REG_DWORD Value: 1 (Recommended) (Enabled); Value: 0 (Default) (Disabled) | Value = 1 | Value = 1 | Value = 1 | EnablePMTUDiscovery: When this parameter is set to 1 (True), TCP attempts to discover the Maximum Transmission Unit (MTU, or largest packet size) over the path to a remote host. By discovering the Path MTU and limiting TCP segments to this size, TCP can eliminate fragmentation at routers along the path that connect networks with different MTUs. Fragmentation adversely affects TCP throughput and network congestion. Setting this parameter to 0 causes an MTU of 576 bytes to be used for all connections that are not to hosts on the local subnet. |
Allow ICMP Redirects to Override OSPF Routes | Key: Hkey_Local_Machine\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect Type: REG_DWORD Value: 0 (Recommended) (Disabled - Not Allowed); Value: 1 (Default) | Value = 0 | Value = 0 | Value = 0 | EnableICMPRedirect: This parameter controls whether Windows 2000 will alter its route table in response to ICMP redirect messages that are sent to it by network devices such as routers. |
Allow IRDP to Detect and Configure Default Gateway Addresses | Key: Hkey_Local_Machine\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery Type: REG_DWORD Value: 0 (Recommended) (Disabled); Value: 1 (Enabled); Value: 2 (Enable only if DHCP sends the router discovery option) | Value = 0 | Value = 0 | Value = 0 | PerformRouterDiscovery: This parameter controls whether Windows 2000 attempts to perform router discovery per RFC 1256 on a per-interface basis. |
Allow the computer to ignore NetBIOS name release requests except from WINS servers | Key: Hkey_Local_Machine\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NoNameReleaseOnDemand Type: REG_DWORD Value: 1 (Recommended) (Enabled); Value: 0 (Default) (Disabled) | Value = 1 | Value = 1 | Value = 1 | NoNameReleaseOnDemand: This parameter determines whether the computer releases its NetBIOS name when it receives a name-release request from the network. It was added to allow the administrator to protect the machine against malicious name-release attacks. Note: This key does not get installed as part of the default Windows 2000 installation. |
Enable Dead Gateway Detection | Key: Hkey_Local_Machine\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect Type: REG_DWORD Value: 0 (Disabled); Value: 1 (Default) | Value = 0 | Value = 0 | Value = 0 | EnableDeadGWDetect: When this parameter is 1, TCP is allowed to perform dead-gateway detection. With this feature enabled, TCP may ask IP to change to a backup gateway if a number of connections are experiencing difficulty. Backup gateways may be defined in the Advanced section of the TCP/IP configuration dialog in the Network Control Panel. |
How Many Dropped Requests to Initiate SYN Protection | Key: Hkey_Local_Machine\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxPortsExhausted Type: REG_DWORD | Value = 5 or less | Value = 5 or less | Value = 5 or less | This parameter controls the point at which SYN-ATTACK protection starts to operate. SYN-ATTACK protection begins to operate when TcpMaxPortsExhausted connect requests have been refused by the system because the available backlog for connections is set at 0. |
How Many Times Unacknowledged Data is Retransmitted | Key: Hkey_Local_Machine\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions Type: REG_DWORD | Value = 3 or less | Value = 3 or less | Value = 3 or less | Value: how many times TCP retransmits an unacknowledged data segment on an existing connection. |
How Often Keep-Alive Packets are Sent | Key: Hkey_Local_Machine\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime Type: REG_DWORD Value: 300,000 (5 Minutes) (Recommended); Value: 7,200,000 (Two Hours) (Default) | Value = 300,000 or less | Value = 300,000 or less | Value = 300,000 or less | KeepAliveTime: This parameter controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote system is still reachable and functioning, it acknowledges the keep-alive transmission. Keep-alive packets are not sent by default. This feature may be enabled on a connection by an application. |
IP Source Routing Protection Level | Key: Hkey_Local_Machine\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting Type: REG_DWORD Value: 0 = No additional protection, source routed packets are allowed. Value: 1 = Medium, source routed packets ignored when IP forwarding is enabled. Value: 2 = Highest protection, source routing is completely disabled. | Value = 2 | Value = 2 | Value = 2 | |
SYN Attack Protection Level | Key: Hkey_Local_Machine\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect Type: REG_DWORD Value: 0 (Disabled) (No SYN attack protection); Value: 1 (Enabled) (Reduced retransmission retries and delayed RCE (route cache entry) creation if the TcpMaxHalfOpen and TcpMaxHalfOpenRetried settings are satisfied) - 2000 and XP; SYN attack protection enabled - 2003; Value: 2 (Enabled for Windows 2000) (Adds delayed indication to Winsock to the setting of 1) (For Windows 2000 only) | Value = 1 | Value = 2 | Value = 1 | SYN attack protection involves reducing the number of retransmissions for the SYN-ACKs, which reduces the time for which resources have to remain allocated. The allocation of route cache entry resources is delayed until a connection is made. If SynAttackProtect = 2, then the connection indication to AFD is delayed until the three-way handshake is completed. Also, note that actions taken by the protection mechanism can only occur if the TcpMaxHalfOpen and TcpMaxHalfOpenRetried settings are exceeded. Cautionary note: Setting SynAttackProtect=2 in combination with TcpMaxHalfOpen=100 and TcpMaxHalfOpenRetried=80 could cause IIS servers to Blue Screen under real loads even when testing reveals no problem. |
SYN-ACK Retransmissions for Unacknowledged Connection Requests | Key: Hkey_Local_Machine\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions Type: REG_DWORD Value: 0 - No retransmission, half-open connections dropped after 3 seconds; Value: 1 - 3 seconds, half-open connections dropped after 9 seconds; Value: 2 - 3 and 6 seconds, half-open connections dropped after 21 seconds; Value: 3 - 3, 6, and 9 seconds, half-open connections dropped after 45 seconds | Value = 2 | Value = 2 | Value = 2 | Default Value = 2. This parameter determines the number of times that TCP retransmits a SYN before aborting the attempt. The retransmission time-out is doubled with each successive retransmission in a given connect attempt. The initial time-out value is three seconds. |
TCP Maximum Half Open Connections | Key: Hkey_Local_Machine\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen Type: REG_DWORD | Value = 100 or less | Value = 100 (Server) or less; Value = 500 (Advanced Server) or less | Value = 500 or less | The TcpMaxHalfOpen parameter controls the number of connections in the SYN-RCVD state allowed before SYN-ATTACK protection begins to operate. If SynAttackProtect is set to 1, ensure that this value is lower than the AFD listen backlog on the port you want to protect. |
TCP Maximum Half Open Retried Connections | Key: Hkey_Local_Machine\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried Type: REG_DWORD | Value = 80 or less | Value = 80 (Server) or less; Value = 400 (Advanced Server) or less | Value = 400 or less | The TcpMaxHalfOpenRetried parameter controls the number of connections in the SYN-RCVD state for which there has been at least one retransmission of the SYN sent, before SYN-ATTACK protection begins to operate. |
Additional Registry Settings: | | | | | |
Remove the Debugger Key Value | Key: Hkey_Local_Machine\Software\Microsoft\Windows NT\CurrentVersion\AEDebug\Debugger | Remove the Debugger Value from this key. | Remove the Debugger Value from this key. | Remove the Debugger Value from this key. | |
Winreg Subkey Must Exist | Key: Hkey_Local_Machine\System\CurrentControlSet\Control\SecurePipeServers\winreg | Verify that key exists. | Verify that key exists. | Verify that key exists. | Winreg subkey must exist. |
Remove OS2 value from Optional Registry Value | Key: Hkey_Local_Machine\System\CurrentControlSet\Control\Session Manager\Subsystems\Optional | Value = POSIX | Value = POSIX | Value = POSIX (Set in Security Options - See Exhibit 10.8.20-4 - System Settings: Optional subsystems) | Edit out the OS/2 strings from the Optional value. Note: Tivoli needs POSIX to operate. |
OS2/POSIX: Remove the POSIX Subsystem from the Registry | Key: Hkey_Local_Machine\System\CurrentControlSet\Control\Session Manager\Subsystems\POSIX | Value = %SystemRoot%\system32\psxss.exe | Value = %SystemRoot%\system32\psxss.exe | Value = %SystemRoot%\system32\psxss.exe | Remove all key values except POSIX (%SystemRoot%\system32\psxss.exe). Do NOT delete the entire value. Note: Tivoli needs POSIX to operate. |
OS2/POSIX: Remove the OS/2 Subsystem from the Registry | Key: Hkey_Local_Machine\System\CurrentControlSet\Control\Session Manager\Subsystems\os2 | If existing, delete entire key value. | If existing, delete entire key value. | If existing, delete entire key value. | |
Remove OS2 related key: os2LibPath | Key: Hkey_Local_Machine\System\CurrentControlSet\Control\Session Manager\Environment\os2LibPath | If existing, delete entire key value. | If existing, delete entire key value. | If existing, delete entire key value. | To fully prevent any OS/2 based attacks, all registry keys dealing with this subsystem shall be removed. If the subsystem executables have been removed from the %SystemRoot%\system32 folder, the subsystem can still be reactivated if the registry keys still exist. |
Event Log Backup - Security Log | Key: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\AutoBackupLogFiles | Not Defined | Value = 1 | Value = 1 | |
Event Log Backup - Application Log | Key: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\AutoBackupLogFiles | Not Defined | Value = 1 | Value = 1 | |
Event Log Backup - System Log | Key: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\System\AutoBackupLogFiles | Not Defined | Value = 1 | Value = 1 | |
- See IRM 10.8.20.5.4.1.1 for explanations.
- For all services with a required start-up state of Disabled, the service shall have a permission of Administrator: Full, System: Full, and Interactive: Read. (Note: This also applies to services that are required not to be present on the baseline system, if those services do exist on a system.)
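The TCP/IP rows of the table above are the ones most often found drifted back to the OS default on a host. The script below is an added example, not part of IRM 10.8.20 or any IRS tooling; it reads the Tcpip\Parameters key, compares each value against the column for the chosen platform (the 2000 column has a Server and an Advanced Server ceiling, selected with a switch), treats an absent value as a deviation because the weaker OS default then applies, and separately flags the SynAttackProtect/TcpMaxHalfOpen/TcpMaxHalfOpenRetried combination the exhibit's cautionary note describes. The function name, the HKLM: drive path form and the -Platform/-AdvancedServer parameters are assumptions of this example.

```powershell
# Added example (not from IRM 10.8.20): audit the TCP/IP values of
# Exhibit 10.8.20-14. Assumes an elevated PowerShell session on the host.

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Rows whose required value is the same in all three columns of the exhibit.
# Exact = must equal the value; Max = "N or less".
$CommonRules = @(
    @{ Name = 'EnablePMTUDiscovery';                  Exact = 1 }
    @{ Name = 'EnableICMPRedirect';                   Exact = 0 }
    @{ Name = 'PerformRouterDiscovery';               Exact = 0 }
    @{ Name = 'NoNameReleaseOnDemand';                Exact = 1 }
    @{ Name = 'EnableDeadGWDetect';                   Exact = 0 }
    @{ Name = 'TcpMaxPortsExhausted';                 Max   = 5 }
    @{ Name = 'TcpMaxDataRetransmissions';            Max   = 3 }
    @{ Name = 'KeepAliveTime';                        Max   = 300000 }   # milliseconds
    @{ Name = 'DisableIPSourceRouting';               Exact = 2 }
    @{ Name = 'TcpMaxConnectResponseRetransmissions'; Exact = 2 }
)

# Rows that differ by column. The 2000 entry holds the Server ceilings;
# -AdvancedServer raises them to the Advanced Server ceilings (500/400).
$PlatformRules = @{
    'XP'   = @{ SynAttackProtect = 1; TcpMaxHalfOpen = 100; TcpMaxHalfOpenRetried = 80  }
    '2000' = @{ SynAttackProtect = 2; TcpMaxHalfOpen = 100; TcpMaxHalfOpenRetried = 80  }
    '2003' = @{ SynAttackProtect = 1; TcpMaxHalfOpen = 500; TcpMaxHalfOpenRetried = 400 }
}

function Test-TcpipBaseline {
    param(
        [ValidateSet('XP', '2000', '2003')][string]$Platform = '2003',
        [switch]$AdvancedServer,
        [string]$KeyPath = $TcpipParams
    )
    $props  = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    $limits = $PlatformRules[$Platform].Clone()
    if ($Platform -eq '2000' -and $AdvancedServer) {
        $limits.TcpMaxHalfOpen        = 500
        $limits.TcpMaxHalfOpenRetried = 400
    }
    $rules = $CommonRules + @(
        @{ Name = 'SynAttackProtect';      Exact = $limits.SynAttackProtect }
        @{ Name = 'TcpMaxHalfOpen';        Max   = $limits.TcpMaxHalfOpen }
        @{ Name = 'TcpMaxHalfOpenRetried'; Max   = $limits.TcpMaxHalfOpenRetried }
    )

    foreach ($rule in $rules) {
        $actual = $props.($rule.Name)          # $null when the value is absent
        $result = 'OK'
        if ($null -eq $actual) {
            # An absent value means the OS default is in effect, which for these
            # rows is the setting the exhibit moves away from.
            $result = 'MISSING (OS default in effect)'
        } elseif ($rule.ContainsKey('Exact') -and $actual -ne $rule.Exact) {
            $result = "DEVIATION (expected $($rule.Exact))"
        } elseif ($rule.ContainsKey('Max') -and $actual -gt $rule.Max) {
            $result = "DEVIATION (expected $($rule.Max) or less)"
        }
        [pscustomobject]@{ Setting = $rule.Name; Actual = $actual; Result = $result }
    }

    # The exhibit's cautionary note: SynAttackProtect=2 together with
    # TcpMaxHalfOpen=100 and TcpMaxHalfOpenRetried=80 has crashed IIS servers under load.
    if ($props.SynAttackProtect -eq 2 -and $props.TcpMaxHalfOpen -eq 100 -and $props.TcpMaxHalfOpenRetried -eq 80) {
        [pscustomobject]@{ Setting = '(combination)'; Actual = '2 / 100 / 80'
                           Result  = 'WARNING: combination the exhibit cautions about for IIS servers' }
    }
}

Test-TcpipBaseline -Platform '2003' | Format-Table -AutoSize
```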
DHCP Server Security Settings | | |
---|---|---|
System Services | | |
Display Name | Service Name | Start Up State |
DHCP Server | DHCPServer | Automatic |
- Note: These settings apply to both Windows 2000 and 2003.
- For all services with a required start-up state of Disabled, the service shall have a permission of Administrator: Full, System: Full, and Interactive: Read. (Note: This also applies to services that are required not to be present on the baseline system, if those services do exist on a system.)
User Rights
Policy | Security Setting |
---|---|
Access this computer from the network | Administrators, Authenticated Users, Enterprise Domain Controllers |
Add Workstations to domain | Administrators |
Allow Logon Locally | Administrators, tmersrvd |
Enable Computer and user accounts to be trusted for delegation | Administrators |
Shut Down the System | Administrators, Server Operators |
Security Options
Policy | Security Setting |
---|---|
Domain controller: Refuse machine account password changes | Disabled |
Network Access: Named Pipes that can be accessed anonymously | COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, BROWSER, NETLOGON, Lsarpc, samr |
Event Log Settings
Policy | Security Setting |
---|---|
Retain DNS log | Not Defined |
Retain directory service log | Not Defined |
Retain file replication log | Not Defined |
Audit Policy
Policy | Security Setting |
---|---|
Audit directory services access (AuditDSAccess) | Failure |
System Services
Display Name | Service Name | Start Up State |
---|---|---|
Distributed File System | Dfs | Automatic |
DNS Server | DNS | Automatic |
File Replication | NtFrs | Automatic |
Intersite Messaging | IsmServ | Automatic |
Kerberos Key Distribution Center | kdc | Automatic |
Remote Procedure Call (RPC) Locator | RpcLocator | Manual |
See IRM 10.8.20.5.2.11 for explanations.
All defined settings are in the User Configuration tab. Note: if a setting also exists in the Computer Configuration tab, it may be applied there as well.
Setting | Windows XP | Windows 2000 | Windows 2003 |
---|---|---|---|
Windows Explorer General Settings | | | |
Turn On Classic Shell (2000: Enable Classic Shell) | Enabled | Enabled | Enabled |
Allow only per user or approved shell extensions (2000: Only allow approved Shell extensions) | Enabled | Enabled | Enabled |
Do not track Shell shortcuts during roaming | Enabled | Enabled | Enabled |
Request credential for network installations | Enabled | Enabled | Enabled |
Remove CD Burning features | Not Defined | N/A | Enabled |
Turn off caching of thumbnail pictures | Enabled | N/A | Enabled |
Turn off shell protocol protected mode | Disabled | N/A | Disabled |
Active Desktop General Settings | | | |
Disable Active Desktop | Enabled | Enabled | Enabled |
Enable Active Desktop | Disabled | Disabled | Disabled |
Note: It is acceptable to configure Internet Explorer settings to be more restrictive than those defined in Exhibit 10.8.20-18 for all operating systems.
All defined settings are in the User Configuration tab. Note: if a setting also exists in the Computer Configuration tab, it may be applied there as well.
Setting | Windows XP | Windows 2000 | Windows 2003 |
---|---|---|---|
Internet Explorer General Settings | | | |
Disable changing proxy settings | Enabled | Enabled | Enabled |
Turn off Crash Detection | Enabled | N/A | Enabled |
Do not allow users to enable or disable add-ons | Enabled | N/A | Enabled |
Internet Explorer - Internet Control Panel | | | |
Disable the Security page | Enabled | Enabled | Enabled |
Internet Explorer - Internet Control Panel - Advanced Page | | | |
Automatically check for Internet Explorer updates | Disabled | N/A | Disabled |
Allow Install on Demand (Internet Explorer) | Disabled | N/A | Disabled |
Allow Install on Demand (except Internet Explorer) | Disabled | N/A | Disabled |
Allow software to run or install even if the signature is invalid | Disabled | N/A | Disabled |
Empty Temporary Internet Files Folder | Enabled | N/A | Enabled |
Internet Explorer - Security Features | | | |
MK Protocol Security Restriction: Internet Explorer Processes | Enabled | N/A | Enabled |
Consistent Mime Handling: Internet Explorer Processes | Enabled | N/A | Enabled |
Mime Sniffing Safety Feature: Internet Explorer Processes | Enabled | N/A | Enabled |
Scripted Window Security Restrictions: Internet Explorer Processes | Enabled | N/A | Enabled |
Protection From Zone Elevation: Internet Explorer Processes | Enabled | N/A | Enabled |
Restrict ActiveX Install: Internet Explorer Processes | Enabled | N/A | Enabled |
Restrict File Download: Internet Explorer Processes | Enabled | N/A | Enabled |
Note: It is acceptable to configure Internet Explorer settings to be more restrictive than those defined in Exhibit 10.8.20-19 for all operating systems.
Internet Explorer - Internet Control Panel - Security Page - Internet Zone
All defined settings are in the User Configuration tab. Note: if a setting also exists in the Computer Configuration tab, it may be applied there as well.
Setting | Windows XP | Windows 2000 | Windows 2003 |
---|---|---|---|
Run .NET Framework-reliant components signed with Authenticode | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Run .NET Framework-reliant components not signed with Authenticode | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Download signed ActiveX controls | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Download unsigned ActiveX controls | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Initialize and Script ActiveX controls not marked safe | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Run ActiveX controls and plug-ins | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Script ActiveX controls marked safe for scripting | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow File download | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow Font download | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Java permissions | Setting Enabled and set to High Safety | N/A | Setting Enabled and set to High Safety |
Access data sources across domains | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow active content over restricted protocols to access my computer | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Automatic prompting for file downloads | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Automatic prompting for ActiveX controls | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow META REFRESH | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow script-initiated windows without size or position constraints | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow binary and script behaviors | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Display Mixed Content | Setting Enabled and set to Prompt | N/A | Setting Enabled and set to Prompt |
Do not prompt for client certificate selection when no certificates or only one certificate exists | Not Configured | N/A | Not Configured |
Allow Drag and drop or copy and paste files | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow Installation of desktop items | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Launching applications and files in an IFRAME | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Navigate sub-frames across different domains | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Open files based on content, not file extension | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Software channel permissions | Setting Enabled and set to High Safety | N/A | Setting Enabled and set to High Safety |
Submit non-encrypted form data | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Use Pop-up Blocker | Not Configured | N/A | Not Configured |
Userdata persistence | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Web sites in less privileged Web content zones can navigate into this zone | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow Active Scripting | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow paste operations via script | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Scripting of Java Applets | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Logon options | Setting Enabled and set to Prompt for username and password | N/A | Setting Enabled and set to Prompt for username and password |
Internet Explorer - Internet Control Panel - Security Page - Intranet Zone
All defined settings are in the User Configuration tab. Note: if a setting also exists in the Computer Configuration tab, it may be applied there as well.
Setting | Windows XP | Windows 2000 | Windows 2003 |
---|---|---|---|
Run .NET Framework-reliant components signed with Authenticode | Setting Enabled and set to Prompt | N/A | Setting Enabled and set to Prompt |
Run .NET Framework-reliant components not signed with Authenticode | Setting Enabled and set to Prompt | N/A | Setting Enabled and set to Prompt |
Download signed ActiveX controls | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Download unsigned ActiveX controls | Setting Enabled and set to Prompt | N/A | Setting Enabled and set to Prompt |
Initialize and Script ActiveX controls not marked safe | Setting Enabled and set to Prompt | N/A | Setting Enabled and set to Prompt |
Run ActiveX controls and plug-ins | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Script ActiveX controls marked safe for scripting | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Allow File download | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Allow Font download | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Java permissions | Setting Enabled and set to Medium Safety | N/A | Setting Enabled and set to Medium Safety |
Access data sources across domains | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Allow active content over restricted protocols to access my computer | Setting Enabled and set to Prompt | N/A | Setting Enabled and set to Prompt |
Automatic prompting for file downloads | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Automatic prompting for ActiveX controls | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow META REFRESH | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Allow script-initiated windows without size or position constraints | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow binary and script behaviors | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Display Mixed Content | Setting Enabled and set to Prompt | N/A | Setting Enabled and set to Prompt |
Do not prompt for client certificate selection when no certificates or only one certificate exists | Not Configured | N/A | Not Configured |
Allow Drag and drop or copy and paste files | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Allow Installation of desktop items | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Launching applications and files in an IFRAME | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Navigate sub-frames across different domains | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Open files based on content, not file extension | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Software channel permissions | Setting Enabled and set to Medium Safety | N/A | Setting Enabled and set to Medium Safety |
Submit non-encrypted form data | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Use Pop-up Blocker | Not Configured | N/A | Not Configured |
Userdata persistence | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Web sites in less privileged Web content zones can navigate into this zone | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow Active Scripting | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Allow paste operations via script | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Scripting of Java Applets | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Logon options | Setting Enabled and set to Automatic Logon Only in Intranet Zone | N/A | Setting Enabled and set to Automatic Logon Only in Intranet Zone |
Internet Explorer - Internet Control Panel - Security Page - Trusted Site Zone
All defined settings are in the User Configuration tab. Note: if a setting also exists in the Computer Configuration tab, it may be applied there as well.
Setting | Windows XP | Windows 2000 | Windows 2003 |
---|---|---|---|
Run .NET Framework-reliant components signed with Authenticode | Setting Enabled and set to Prompt | N/A | Setting Enabled and set to Prompt |
Run .NET Framework-reliant components not signed with Authenticode | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Download signed ActiveX controls | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Download unsigned ActiveX controls | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Initialize and Script ActiveX controls not marked safe | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Run ActiveX controls and plug-ins | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Script ActiveX controls marked safe for scripting | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Allow File download | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Allow Font download | Setting Enabled and set to Prompt | N/A | Setting Enabled and set to Prompt |
Java permissions | Setting Enabled and set to High Safety | N/A | Setting Enabled and set to High Safety |
Access data sources across domains | Setting Enabled and set to Prompt | N/A | Setting Enabled and set to Prompt |
Allow active content over restricted protocols to access my computer | Setting Enabled and set to Prompt | N/A | Setting Enabled and set to Prompt |
Automatic prompting for file downloads | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Automatic prompting for ActiveX controls | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow META REFRESH | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Allow script-initiated windows without size or position constraints | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow binary and script behaviors | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Display Mixed Content | Setting Enabled and set to Prompt | N/A | Setting Enabled and set to Prompt |
Do not prompt for client certificate selection when no certificates or only one certificate exists | Not Configured | N/A | Not Configured |
Allow Drag and drop or copy and paste files | Setting Enabled and set to Prompt | N/A | Setting Enabled and set to Prompt |
Allow Installation of desktop items | Setting Enabled and set to Prompt | N/A | Setting Enabled and set to Prompt |
Launching applications and files in an IFRAME | Setting Enabled and set to Prompt | N/A | Setting Enabled and set to Prompt |
Navigate sub-frames across different domains | Setting Enabled and set to Prompt | N/A | Setting Enabled and set to Prompt |
Open files based on content, not file extension | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Software channel permissions | Setting Enabled and set to High Safety | N/A | Setting Enabled and set to High Safety |
Submit non-encrypted form data | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Use Pop-up Blocker | Not Configured | N/A | Not Configured |
Userdata persistence | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Web sites in less privileged Web content zones can navigate into this zone | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow Active Scripting | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Allow paste operations via script | Setting Enabled and set to Prompt | N/A | Setting Enabled and set to Prompt |
Scripting of Java Applets | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Logon options | Setting Enabled and set to Prompt for username and password | N/A | Setting Enabled and set to Prompt for username and password |
Internet Explorer - Internet Control Panel - Security Page - Restricted Site Zone
All defined settings are in the User Configuration tab. Note: if a setting also exists in the Computer Configuration tab, it may be applied there as well.
Setting | Windows XP | Windows 2000 | Windows 2003 |
---|---|---|---|
Run .NET Framework-reliant components signed with Authenticode | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Run .NET Framework-reliant components not signed with Authenticode | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Download signed ActiveX controls | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Download unsigned ActiveX controls | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Initialize and Script ActiveX controls not marked safe | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Run ActiveX controls and plug-ins | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Script ActiveX controls marked safe for scripting | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow File download | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow Font download | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Java permissions | Setting Enabled and set to Disable Java | N/A | Setting Enabled and set to Disable Java |
Access data sources across domains | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow active content over restricted protocols to access my computer | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Automatic prompting for file downloads | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Automatic prompting for ActiveX controls | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow META REFRESH | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow script-initiated windows without size or position constraints | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow binary and script behaviors | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Display Mixed Content | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Do not prompt for client certificate selection when no certificates or only one certificate exists | Not Configured | N/A | Not Configured |
Allow Drag and drop or copy and paste files | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow Installation of desktop items | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Launching applications and files in an IFRAME | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Navigate sub-frames across different domains | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Open files based on content, not file extension | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Software channel permissions | Setting Enabled and set to High Safety | N/A | Setting Enabled and set to High Safety |
Submit non-encrypted form data | Setting Enabled and set to Enable | N/A | Setting Enabled and set to Enable |
Use Pop-up Blocker | Not Configured | Not Configured | Not Configured |
Userdata persistence | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Web sites in less privileged Web content zones can navigate into this zone | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow Active Scripting | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Allow paste operations via script | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Scripting of Java Applets | Setting Enabled and set to Disable | N/A | Setting Enabled and set to Disable |
Logon options | Setting Enabled and set to Prompt for user name and password | N/A | Setting Enabled and set to Prompt for user name and password |
See IRM 10.8.20.5.2.14 for explanations.
Terminal Services General Settings
All defined settings are in Group Policy - Computer Configuration Tab.
Setting | Windows XP | Windows 2000 | Windows 2003 | Comments |
---|---|---|---|---|
Allow users to connect remotely using terminal services | Enabled (if Remote Desktop is required for operation) *See Comments | N/A | Enabled (if Remote Desktop is required for operation) *See Comments | If this setting is set to Disabled, other systems will not be able to connect to this system through terminal services; therefore all other terminal service settings defined in this table are not required, since terminal services (and consequently Remote Desktop) is disabled. To set this on XP or 2003 without using Group Policy, right-click "My Computer", select Properties and go to the "Remote" tab. To enable Remote Desktop, select "Allow users to connect remotely to this computer" in the Remote Desktop section. |
Restrict Terminal Services users to a single remote session | Enabled | N/A | Enabled | In standalone 2003 systems, using the Terminal Services Configuration Tool, this can be set in the Server Settings Tab. "Restrict each user to one session" shall be set to Yes. |
Do not allow local administrators to customize permissions | Enabled | N/A | Enabled | Permissions are defined at the end of this table. |
Set rules for remote control of Terminal Services user sessions | Enabled - No remote control allowed | "Do Not Allow Remote Control" shall be selected. *See Comments | Enabled - No remote control allowed | In Windows 2000 or standalone 2003 systems, using the Terminal Services Configuration Tool, this can be set in the Remote Control Tab. "Do Not Allow Remote Control" shall be selected. |
Client/Server Data Redirection
All defined settings are in Group Policy - Computer Configuration Tab.
Setting | Windows XP | Windows 2000 | Windows 2003 | Comments |
---|---|---|---|---|
Do not allow clipboard redirection | Enabled | Clipboard mapping disabled *See Comments | Enabled | In Windows 2000 or standalone 2003 systems, using the Terminal Services Configuration Tool, this can be set in the Client Settings Tab. "Clipboard mapping" shall be selected under "Disable the following:". |
Allow audio redirection | Disabled | Audio mapping disabled *See Comments | Disabled | In Windows 2000 or standalone 2003 systems, using the Terminal Services Configuration Tool, this can be set in the Client Settings Tab. "Audio mapping" shall be selected under "Disable the following:". |
Do not allow COM port redirection | Enabled | COM port mapping disabled *See Comments | Enabled | In Windows 2000 or standalone 2003 systems, using the Terminal Services Configuration Tool, this can be set in the Client Settings Tab. "COM port mapping" shall be selected under "Disable the following:". |
Do not allow client printer redirection | Enabled | Windows printer mapping disabled *See Comments | Enabled | In Windows 2000 or standalone 2003 systems, using the Terminal Services Configuration Tool, this can be set in the Client Settings Tab. "Windows printer mapping" shall be selected under "Disable the following:". |
Do not allow LPT port redirection | Enabled | LPT port mapping disabled *See Comments | Enabled | In Windows 2000 or standalone 2003 systems, using the Terminal Services Configuration Tool, this can be set in the Client Settings Tab. "LPT port mapping" shall be selected under "Disable the following:". |
Do not allow drive redirection | Enabled | Drive mapping disabled *See Comments | Enabled | In Windows 2000 or standalone 2003 systems, using the Terminal Services Configuration Tool, this can be set in the Client Settings Tab. "Drive mapping" shall be selected under "Disable the following:". |
Do not set default client printer to be default printer in a session | Enabled | "Default to main client printer" shall not be selected *See Comments | Enabled | In Windows 2000 or standalone 2003 systems, using the Terminal Services Configuration Tool, this can be set in the Client Settings Tab. "Default to main client printer" shall not be selected. |
Terminal Services - Encryption and Security
All defined settings are in Group Policy - Computer Configuration Tab.
Setting | Windows XP | Windows 2000 | Windows 2003 | Comments |
---|---|---|---|---|
Always prompt client for password upon connection | Enabled | "Always prompt for password" shall be selected *See Comments | Enabled | In Windows 2000 or standalone 2003 systems, using the Terminal Services Configuration Tool, this can be set in the Logon Settings Tab. "Always prompt for password" shall be selected. |
Set client connection encryption level | Enabled - Encryption Level = High Level | "Encryption Level" shall be set to High. FIPS Compliant on Windows 2003 is also acceptable. *See Comments | Enabled - Encryption Level = High Level | In Windows 2000 or standalone 2003 systems, using the Terminal Services Configuration Tool, this can be set in the General Tab. "Encryption Level" shall be set to High. FIPS Compliant on Windows 2003 is also acceptable. |
Terminal Services - Encryption and Security - RPC Security Policy Tab
All defined settings are in Group Policy - Computer Configuration Tab.
Setting | Windows XP | Windows 2000 | Windows 2003 | Comments |
---|---|---|---|---|
Secure Server (Require Security) | Enabled | N/A | Enabled | |
Terminal Services - Temporary Folders
All defined settings are in Group Policy - Computer Configuration Tab.
Setting | Windows XP | Windows 2000 | Windows 2003 | Comments |
---|---|---|---|---|
Do not use temp folders per session | Disabled | "Use temporary folders per session" shall be set to Yes *See Comments | Disabled | In Windows 2000 or standalone 2003 systems, using the Terminal Services Configuration Tool, this can be set in the Server Settings Tab. "Use temporary folders per session" shall be set to Yes. |
Do not delete temp folder upon exit | Disabled | "Delete temporary folders on exit" shall be set to Yes *See Comments | Disabled | In Windows 2000 or standalone 2003 systems, using the Terminal Services Configuration Tool, this can be set in the Server Settings Tab. "Delete temporary folders on exit" shall be set to Yes. |
Terminal Services - Client
All defined settings are in Group Policy - Computer Configuration Tab.
Setting | Windows XP | Windows 2000 | Windows 2003 | Comments |
---|---|---|---|---|
Do not allow passwords to be saved | Enabled | Enabled | Enabled | |
Terminal Services - Sessions
All defined settings are in Group Policy - Computer Configuration Tab.
Setting | Windows XP | Windows 2000 | Windows 2003 | Comments |
---|---|---|---|---|
Set time limit for disconnected sessions | Enabled - End of a disconnected Session = 1 minute or less (cannot be equal to 0). | "End a disconnected session" = 1 minute or less (cannot be equal to 0). *See Comments | Enabled - End of a disconnected Session = 1 minute or less (cannot be equal to 0). | In Windows 2000 or standalone 2003 systems, using the Terminal Services Configuration Tool, this can be set in the Sessions Tab. |
Sets a time limit for active but idle Terminal Services sessions | Not Defined | Not Defined | Not Defined | |
Allow reconnection from original client only | Not Defined | Not Defined | Not Defined | |
Terminate session when time limits are reached | Enabled | "When session limit is reached or connection is broken" shall be set to "End Session." *See Comments | Enabled | In Windows 2000 or standalone 2003 systems, using the Terminal Services Configuration Tool, this can be set in the Sessions Tab. "When session limit is reached or connection is broken" shall be set to "End Session." |
Terminal Service Permissions
All defined settings are in Group Policy - Computer Configuration Tab.
Terminal Service Permissions (cannot be set with Group Policy) *See Comments
Principal | Windows XP | Windows 2000 | Windows 2003 | Comments |
---|---|---|---|---|
Administrator | FULL | FULL | FULL | In Windows 2000 or standalone 2003 systems, using the Terminal Services Configuration Tool, this can be set in the Permissions Tab. |
SYSTEM | FULL | FULL | FULL | |
Remote Desktop Users | User Access (Allow: User Access, Guest Access, Query Information, Logon, Connect) | User Access (Allow: User Access, Guest Access, Query Information, Logon, Connect) | User Access (Allow: User Access, Guest Access, Query Information, Logon, Connect) | On 2003, once "Do not allow local administrators to customize permissions" is set to Enabled via GPO (as required by this policy), the permissions on the system cannot be modified. Therefore any change to the permissions shall be made before that setting is enforced. |
LOCAL SERVICE | N/A | N/A | Special (Allow: Query Information, Message) | |
NETWORK SERVICE | N/A | N/A | Special (Allow: Query Information, Message) | |
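As an added example that is not part of IRM 10.8.20, the following read-only PowerShell script checks a host's effective RDP-Tcp listener configuration against the Windows 2003 column of the Terminal Services tables above (General Settings, Data Redirection, Encryption and Security, RPC Security, Temporary Folders, Client and Sessions). It assumes it is run as an administrator on Windows Server 2003 or later and that a value set under the Terminal Services Group Policy key takes precedence over the same value under the local Terminal Server or WinStation key; the list layout and message wording are this example's own.

```powershell
# Added example, not part of IRM 10.8.20: read-only check of the effective
# Terminal Services configuration against Exhibit 10.8.20-20 (Windows 2003 column).
# Assumptions: run as an administrator on Windows Server 2003 or later; a value set
# under the Group Policy key wins over the local key, which is how Terminal
# Services resolves these settings. Nothing is modified.

$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$serverKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$listenerKey = "$serverKey\WinStations\RDP-Tcp"

function Get-TsValue {
    # Effective value: Group Policy key first, then the local key, else $null.
    param([string]$Name, [string]$LocalKey)
    foreach ($key in @($policyKey, $LocalKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($item -ne $null) { return $item.$Name }
    }
    return $null
}

# One entry per exhibit row: registry value, the key it lives under when it is not
# set by Group Policy, the required value, and the exhibit setting it implements.
$checks = @(
    @{ Name='fDenyTSConnections';    Key=$serverKey;   Want=0; Row='Allow users to connect remotely (Enabled)' },
    @{ Name='fSingleSessionPerUser'; Key=$serverKey;   Want=1; Row='Restrict users to a single remote session' },
    @{ Name='fWritableTSCCPermTab';  Key=$policyKey;   Want=0; Row='Do not allow local administrators to customize permissions' },
    @{ Name='Shadow';                Key=$listenerKey; Want=0; Row='Remote control: no remote control allowed' },
    @{ Name='fDisableClip';          Key=$listenerKey; Want=1; Row='Do not allow clipboard redirection' },
    @{ Name='fDisableCam';           Key=$listenerKey; Want=1; Row='Allow audio redirection (Disabled)' },
    @{ Name='fDisableCcm';           Key=$listenerKey; Want=1; Row='Do not allow COM port redirection' },
    @{ Name='fDisableCpm';           Key=$listenerKey; Want=1; Row='Do not allow client printer redirection' },
    @{ Name='fDisableLPT';           Key=$listenerKey; Want=1; Row='Do not allow LPT port redirection' },
    @{ Name='fDisableCdm';           Key=$listenerKey; Want=1; Row='Do not allow drive redirection' },
    @{ Name='fForceClientLptDef';    Key=$listenerKey; Want=0; Row='Do not set default client printer as session default' },
    @{ Name='fPromptForPassword';    Key=$listenerKey; Want=1; Row='Always prompt client for password' },
    @{ Name='fEncryptRPCTraffic';    Key=$policyKey;   Want=1; Row='RPC Security Policy: Secure Server (Require Security)' },
    @{ Name='PerSessionTempDir';     Key=$serverKey;   Want=1; Row='Use temporary folders per session' },
    @{ Name='DeleteTempDirsOnExit';  Key=$serverKey;   Want=1; Row='Delete temporary folders on exit' },
    @{ Name='DisablePasswordSaving'; Key=$policyKey;   Want=1; Row='Do not allow passwords to be saved' },
    @{ Name='fResetBroken';          Key=$listenerKey; Want=1; Row='Terminate session when time limits are reached' }
)

$findings = @()
foreach ($c in $checks) {
    $have = Get-TsValue -Name $c.Name -LocalKey $c.Key
    if ($have -ne $c.Want) {
        $shown = 'not set'
        if ($have -ne $null) { $shown = $have }
        $findings += ('{0}: {1} expected {2}, found {3}' -f $c.Row, $c.Name, $c.Want, $shown)
    }
}

# Encryption level: 3 = High; 4 = FIPS Compliant, which the exhibit also accepts on 2003.
$enc = Get-TsValue -Name 'MinEncryptionLevel' -LocalKey $listenerKey
if ($enc -ne 3 -and $enc -ne 4) {
    $findings += "Set client connection encryption level: MinEncryptionLevel expected 3 (High) or 4 (FIPS), found '$enc'"
}

# Disconnected-session limit is stored in milliseconds: 1 minute or less, never 0.
$disc = Get-TsValue -Name 'MaxDisconnectionTime' -LocalKey $listenerKey
if ($disc -eq $null -or $disc -eq 0 -or $disc -gt 60000) {
    $findings += "Set time limit for disconnected sessions: MaxDisconnectionTime expected 1..60000 ms, found '$disc'"
}

if ($findings.Count -eq 0) { 'Terminal Services configuration matches Exhibit 10.8.20-20.' } else { $findings }
```

The listener permissions at the end of the exhibit are an ACL on the RDP-Tcp connection, not a registry value, so they are verified in the Terminal Services Configuration Tool rather than by this script.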
See IRM 10.8.20.5.3.2 for explanations.
Policy | XP Workstation | 2000 Server | 2003 Server |
---|---|---|---|
Audit account logon events (AuditAccountLogon) | Success, Failure | Success, Failure | Success, Failure |
Audit account management (AuditAccountManage) | Success, Failure | Success, Failure | Success, Failure |
Audit directory services access (AuditDSAccess) | Failure | No Auditing | No Auditing (see Exhibit 10.8.20-16 for the Active Directory Domain Controller setting) |
Audit logon events (AuditLogonEvents) | Success, Failure | Success, Failure | Success, Failure |
Audit object access (AuditObjectAccess) | Failure | Failure | Failure |
Audit policy change (AuditPolicyChange) | Success | Success, Failure | Success, Failure |
Audit privilege use (AuditPrivilegeUse) | Failure | Failure | Failure |
Audit process tracking (AuditProcessTracking) | No Auditing | No Auditing | No Auditing |
Audit system events (AuditSystemEvents) | Success | Success, Failure | Success, Failure |
See IRM 10.8.20.5.3.6.1 for explanations.
Event Log Setting | XP Workstation | 2000 Server | 2003 Server
---|---|---|---
Maximum Application Log Size | 16384KB or greater | 16384KB or greater | 16384KB or greater
Maximum Security Log Size | 81920KB or greater | 81920KB or greater | 81920KB or greater
Maximum System Log Size | 16384KB or greater | 16384KB or greater | 16384KB or greater
Prevent local guests group from accessing application log (2000: Restrict Guest Access to Application Log) | Enabled | Enabled | Enabled
Prevent local guests group from accessing security log (2000: Restrict Guest Access to Security Log) | Enabled | Enabled | Enabled
Prevent local guests group from accessing system log (2000: Restrict Guest Access to System Log) | Enabled | Enabled | Enabled
Retention Method for Application Log | Not Defined | Do not overwrite events (clear log manually) | Do not overwrite events (clear log manually)
Retention Method for Security Log | Not Defined | Do not overwrite events (clear log manually) | Do not overwrite events (clear log manually)
Retention Method for System Log | Not Defined | Do not overwrite events (clear log manually) | Do not overwrite events (clear log manually)
Retain Application Log | Enabled | Not Defined | Not Defined
Retain Security Log | Enabled | Not Defined | Not Defined
Retain System Log | Enabled | Not Defined | Not Defined
Shut down the system when audit log is full | N/A | Disabled | N/A
Retain DNS log | N/A | Not Defined | N/A
Retain directory service log | N/A | Not Defined | N/A
Retain file replication log | N/A | Not Defined | N/A
-
See IRM 10.8.20.5.4.1 for explanations.
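The audit flags and event log settings in the two exhibits above are exactly what `secedit /export /cfg <file>` writes to its [Event Audit], [Application Log], [Security Log] and [System Log] sections, so a host can be checked against the baseline offline from that export. The following script is an added example and is not part of IRM 10.8.20: it encodes the 2003 Server column of both exhibits as the baseline, parses a constructed export (SAMPLE_INF, which carries deliberate deviations), and reports each deviation. The numeric encodings are secedit's own (audit flags 0 = No Auditing, 1 = Success, 2 = Failure, 3 = Success, Failure; AuditLogRetentionPeriod 2 = Do not overwrite events; MaximumLogSize in KB; RestrictGuestAccess 1 = enabled); the function and variable names are the example's own.

```python
"""Check a secedit export against the Audit Policy and Event Log exhibits.

Added example, not part of IRM 10.8.20.  On the host run
    secedit /export /cfg C:\\audit.inf
and pass the file's text (the file is UTF-16) to check_inf().  The baseline
below is the 2003 Server column of both exhibits; SAMPLE_INF is a constructed
export with deliberate deviations.
"""
import configparser
from typing import List

# secedit encodes audit flags as 0 = No Auditing, 1 = Success, 2 = Failure, 3 = Success, Failure.
AUDIT_BASELINE_2003 = {
    "AuditAccountLogon": 3, "AuditAccountManage": 3, "AuditDSAccess": 0,
    "AuditLogonEvents": 3, "AuditObjectAccess": 2, "AuditPolicyChange": 3,
    "AuditPrivilegeUse": 2, "AuditProcessTracking": 0, "AuditSystemEvents": 3,
}
AUDIT_NAMES = {0: "No Auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

# Per log: minimum MaximumLogSize (KB), AuditLogRetentionPeriod (2 = do not
# overwrite events, clear log manually), RestrictGuestAccess (1 = enabled).
LOG_BASELINE_2003 = {
    "Application Log": (16384, 2, 1),
    "Security Log": (81920, 2, 1),
    "System Log": (16384, 2, 1),
}


def parse_inf(text: str) -> configparser.ConfigParser:
    """Parse the INI-style export.  Key case is kept so names match the exhibit,
    and allow_no_value tolerates sections such as [Service General Setting]
    whose lines ("Alerter",4,"D:(...)") carry no '=' at all."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_inf(text: str) -> List[str]:
    """Return one finding per deviation; an empty list means the export matches the baseline."""
    cp = parse_inf(text)
    findings = []
    audit = cp["Event Audit"] if cp.has_section("Event Audit") else {}
    for key, want in AUDIT_BASELINE_2003.items():
        got = int(audit.get(key) or 0)  # an absent key means nothing is audited
        if got != want:
            findings.append(f"{key}: is '{AUDIT_NAMES.get(got, got)}', "
                            f"baseline requires '{AUDIT_NAMES[want]}'")
    for section, (min_kb, retention, guest) in LOG_BASELINE_2003.items():
        sec = cp[section] if cp.has_section(section) else {}
        size = int(sec.get("MaximumLogSize") or 0)
        if size < min_kb:
            findings.append(f"{section}: MaximumLogSize {size}KB is below the required {min_kb}KB")
        if int(sec.get("AuditLogRetentionPeriod") or 0) != retention:
            findings.append(f"{section}: events may be overwritten; "
                            "baseline requires 'Do not overwrite events'")
        if int(sec.get("RestrictGuestAccess") or 0) != guest:
            findings.append(f"{section}: guest access to the log is not restricted")
    return findings


# Constructed sample export: policy change audits Success only, process tracking
# is on, the Security log is too small and overwrites, the System log admits guests.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 2
AuditPolicyChange = 1
AuditAccountManage = 3
AuditProcessTracking = 3
AuditDSAccess = 0
AuditAccountLogon = 3
[Application Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 2
RestrictGuestAccess = 1
[Security Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
[System Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 2
RestrictGuestAccess = 0
"""

# The same export with every deviation corrected, for comparison.
COMPLIANT_INF = (SAMPLE_INF
                 .replace("AuditPolicyChange = 1", "AuditPolicyChange = 3")
                 .replace("AuditProcessTracking = 3", "AuditProcessTracking = 0")
                 .replace("MaximumLogSize = 16384\nAuditLogRetentionPeriod = 0",
                          "MaximumLogSize = 81920\nAuditLogRetentionPeriod = 2")
                 .replace("RestrictGuestAccess = 0", "RestrictGuestAccess = 1"))

if __name__ == "__main__":
    for finding in check_inf(SAMPLE_INF):
        print("DEVIATION:", finding)
    print("compliant sample findings:", check_inf(COMPLIANT_INF))
```

To check an XP workstation, swap in the XP column (for example AuditPolicyChange = 1, AuditSystemEvents = 1, and no retention requirement since the retention method is Not Defined there); the parser itself is unchanged.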
-
For all services with a required start-up state of disabled, they shall have a permission of Administrator: Full, System: Full, and Interactive: Read. (Note: This is also applicable for services that are required to not be present on baseline system, if these services do exist on a system).
Display Name (Service Name) | XP Workstation | 2000 Server | 2003 Server
---|---|---|---
Alerter (Alerter) | Disabled | Disabled | Disabled
Application Experience Lookup Service (AeLookupSvc) | N/A | N/A | Automatic
Application Layer Gateway Service (ALG) | Disabled | N/A | Disabled
Application Management (AppMgmt) | Disabled | Disabled | Disabled
ATI hotkey poller (ati2evxx) | Disabled | Disabled | Disabled
Automatic Updates (wuauserv) | Not Defined | Not Defined | Not Defined
Background Intelligent Transfer Service (BITS) | Manual | Not Defined | Not Defined
BlackICE (BlackICE) | Automatic | N/A | N/A
Cisco Systems, Inc. VPN Service (CVPND) | Automatic | N/A | N/A
ClipBook (ClipSrv) | Disabled | Disabled | Disabled
COM+ Event System (EventSystem) | Manual | Manual | Manual
COM+ System Application (COMSysApp) | Manual | N/A | Manual
Computer Browser (Browser) | Disabled | Automatic | Automatic
Cryptographic Services (CryptSvc) | Automatic | N/A | Automatic
Symantec AntiVirus Definition Watcher (DefWatch); for Symantec 8.x.x.x: DefWatch (DefWatch) | Automatic | Automatic | Automatic
DCOM Server Process Launcher (DcomLaunch) | Automatic | N/A | Automatic
DHCP Client (Dhcp) | Automatic | Automatic | Automatic
Distributed File System (Dfs) | N/A | Disabled | Disabled
Distributed Link Tracking Client (TrkWks) | Disabled | Disabled | Disabled
Distributed Link Tracking Server (TrkSvr) | N/A | Disabled | Disabled
Distributed Transaction Coordinator (MSDTC) | Disabled | Disabled | Disabled
DNS Client (Dnscache) | Automatic | Automatic | Automatic
EAFRCliManager (EAFRCliManager) | Automatic | Disabled | Disabled
Error Reporting Service (ERSvc) | Disabled | N/A | Disabled
Event Log (Eventlog) | Automatic | Automatic | Automatic
Fast User Switching Compatibility (FastUserSwitchingCompatibility) | Disabled | N/A | Disabled
Fax (Fax) | Disabled | Disabled | Disabled
File Replication (NtFrs) | N/A | Disabled | Disabled
FTP Publishing Service (MSFtpsvc) | Disabled | Disabled | Disabled
Help and Support (helpsvc) | Automatic | N/A | Disabled
HTTP SSL (HTTPFilter) | Disabled | N/A | Disabled
Human Interface Device Access (HidServ) | Automatic | N/A | Disabled
IMAPI CD-Burning COM Service (ImapiService) | Automatic | N/A | Disabled
Indexing Service (CiSvc) | Disabled | Disabled | Disabled
Interix Subsystem Startup (zzInterix) | Disabled | Disabled | Disabled
Intersite Messaging (IsmServ) | N/A | Disabled | Disabled
IPSEC Services (2000: IPSEC Policy Agent) (PolicyAgent) | Automatic | Automatic | Automatic
issDaemon (issDaemon) | N/A | Automatic | Automatic
Kerberos Key Distribution Center (Kdc) | N/A | Disabled | Disabled
License Logging Service (LicenseService) | N/A | Disabled | Disabled
Logical Disk Manager (dmserver) | Manual | Manual | Manual
Logical Disk Manager Administrative Service (dmadmin) | Manual | Manual | Manual
Messenger (Messenger) | Disabled | Disabled | Disabled
MS Software Shadow Copy Provider (SwPrv) | Manual | N/A | Manual
Net Logon (Netlogon) | Automatic | Automatic | Automatic
NetMeeting Remote Desktop Sharing (mnmsrvc) | Disabled | Disabled | Disabled
Network Connections (Netman) | Manual | Manual | Manual
Network DDE (NetDDE) | Disabled | Disabled | Disabled
Network DDE DSDM (NetDDEdsdm) | Disabled | Disabled | Disabled
Network Location Awareness (Nla) | Manual | N/A | Manual
NT LM Security Support Provider (NtLmSsp) | Manual | Automatic | Automatic
Performance Logs and Alerts (SysmonLog) | Manual | Manual | Manual
Plug and Play (PlugPlay) | Automatic | Automatic | Automatic
Portable Media Serial Number (WmdmPmSN) | Disabled | N/A | Disabled
Print Spooler (Spooler) | Automatic | Automatic | Automatic
Protected Storage (ProtectedStorage) | Automatic | Automatic | Automatic
QoS RSVP (RSVP) | Disabled | Disabled | Disabled
Quest InTrust Agent (adcscm) | Automatic | Automatic | Automatic
Quest InTrust Agent Installer (adcscm_install) | Manual | Manual | Manual
Quest InTrust for Active Directory (QcmSrvc) | Automatic | Automatic | Automatic
Remote Access Auto Connection Manager (RasAuto) | Disabled | Disabled | Disabled
Remote Access Connection Manager (RasMan) | Disabled (see Exhibit 10.8.20-34 for the deviated setting) | Disabled | Disabled
Remote Desktop Help Session Manager (RDSessMgr) | Disabled | N/A | Disabled
Remote Procedure Call (RPC) (RpcSs) | Automatic | Automatic | Automatic
Remote Procedure Call (RPC) Locator (RpcLocator) | Disabled | Disabled | Disabled
Remote Registry Service (RemoteRegistry) | Automatic | Automatic | Automatic
Removable Storage (NtmsSvc) | Disabled | Disabled | Disabled
Routing and Remote Access (RemoteAccess) | Disabled | Disabled | Disabled
Secondary Logon (2000: RunAs Service) (seclogon) | Automatic | Automatic | Automatic
Security Accounts Manager (SamSs) | Automatic | Automatic | Automatic
Security Center (wscsvc) | Automatic | N/A | N/A
Server (lanmanserver) | Automatic | Automatic | Automatic
Shell Hardware Detection (ShellHWDetection) | Manual | N/A | Disabled
Smart Card (SCardSvr) | Disabled | Disabled | Disabled
Special Administration Console Helper (sacsvr) | N/A | N/A | Disabled
Symantec AntiVirus (Symantec AntiVirus); for Symantec 8.x.x.x: Symantec AntiVirus Client (Norton AntiVirus Server) | Automatic | Automatic | Automatic
SavRoam (SavRoam) | Automatic | Automatic | Automatic
SSDP Discovery Service (SSDPSRV) | Disabled | Disabled | Disabled
Symantec Event Manager (ccEvtMgr) | Automatic | Automatic | Automatic
Symantec Network Drivers Service (SNDSrvc) | Manual | Manual | Manual
Symantec Settings Manager (ccSetMgr) | Automatic | Automatic | Automatic
Symantec SPBBCSvc (SPBBCSvc) | Automatic | Automatic | Automatic
Symantec LiveUpdate (LiveUpdate) | Manual | Manual | Manual
System Event Notification (SENS) | Automatic | Automatic | Automatic
System Restore Service (srservice) | Automatic | N/A | N/A
Task Scheduler (Schedule) | Disabled | Automatic | Automatic
TCP/IP NetBIOS Helper (LmHosts) | Automatic | Automatic | Automatic
Telnet (TlntSvr) | Disabled | Disabled | Disabled
Telephony (TapiSrv) | Not Defined | Disabled | Disabled
Terminal Services (TermService) | Manual | Automatic | Automatic
Terminal Services Session Directory (Tssdis) | N/A | N/A | Disabled
Themes (Themes) | Disabled | N/A | Disabled
Tivoli Endpoint (lcfd) | Automatic | Automatic | Automatic
Uninterruptible Power Supply (UPS) | Manual | Manual | Manual
Universal Plug and Play Device Host (upnphost) | Disabled | N/A | N/A
Upload Manager (uploadmgr) | N/A | N/A | Disabled
Utility Manager (UtilMan) | N/A | Manual | N/A
Virtual Disk Service (vds) | N/A | N/A | Disabled
Volume Shadow Copy (VSS) | Manual | N/A | Manual
WebClient (WebClient) | Disabled | N/A | Disabled
Windows Audio (AudioSrv) | Automatic | N/A | Disabled
Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) (2000: Internet Connection Sharing) | Not Defined | Disabled | Not Defined
Windows Image Acquisition (WIA) (stisvc) | Manual | N/A | Disabled
Windows Installer (MSIServer) | Automatic | Automatic | Automatic
Windows Management Instrumentation (winmgmt) | Automatic | Automatic | Automatic
Windows Management Instrumentation Driver Extensions (Wmi) | Manual | Manual | Manual
Windows Time (W32Time) | Automatic | Automatic | Automatic
WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc) | Disabled | Disabled | Disabled
Wireless Zero Configuration (2000: Wireless Configuration) (WZCSVC) | Disabled | Disabled | Disabled
WMI Performance Adapter (WmiApSrv) | Manual | N/A | Manual
Workstation (lanmanworkstation) | Automatic | Automatic | Automatic
World Wide Web Publishing Service (W3SVC) | Disabled | Disabled | Disabled
Unknown Service (all platforms) | Any other service shall be identified as "unknown" and assumed to pose a security risk until the appropriate management stakeholders (at minimum: System Owner, Program/Project Office, System Support Management, DAA) create and sign coordinated written documentation covering the business case justification, the additional controls that compensate for its vulnerabilities, and acceptance of the associated risks. | |
Services That Shall Not Be Present On a Baseline Server or Workstation
Display Name | Service Name | |
---|---|---|
.NET Framework Support Service | CORRTSvc | |
ADAM_EDE<Domain Name> | ADAM_EDE<Domain Name> | |
ASP.NET State Service | aspnet_state | |
Bluetooth Support Service | BthServ | |
Certificate Services | CertSvc | |
Client Service for Netware | NWCWorkstation | |
Client Service for NFS | Client for NFS | |
Cluster Service | ClusSvc | |
DHCP Server | DHCPServer | |
DNS Server | DNS | |
Fax | Fax | |
File Server for Macintosh | MacFile | |
FTP Publishing Service | MSFtpsvc | |
Hummingbird InetD Service | HCLInetd | |
Hummingbird Jconfig Daemon | Jconfigd | |
IAS Jet Database Access | IASJet | |
IAS Service | IAS | |
IIS Admin Service | IISADMIN | |
Infrared Monitor | Irmon | |
Intel File Transfer | Intel File Transfer | |
Intel PDS | Intel PDS | |
IP Version 6 Helper Service | 6to4 | |
Message Queuing | msmq | |
Message Queuing Down Level Clients | mqds | |
Message Queuing Triggers | Mqtgsvc | |
Microsoft POP3 Service | POP3SVC | |
Microsoft Exchange Information Store | MSExchangeIS | |
Microsoft Exchange Management | MSExchangeMGMT | |
Microsoft Exchange MTA Stacks | MSExchangeMTA | |
Microsoft Exchange System Attendant | MSExchangeSA | |
Microsoft Exchange Routing Engine | RESvc | |
MSSQLSERVER and/or MSSQL$<InstanceName> | MSSQLSERVER and/or MSSQL$<InstanceName> | |
MSSQLServerADHelper | MSSQLServerADHelper | |
NetMeeting Remote Desktop Sharing | mnmsrvc | |
Network News Transport Protocol (NNTP) | NntpSvc | |
Perl Socket | PerlSock | |
Print Server for Macintosh | MacPrint | |
Remote Administration Service | SrvcSurg | |
Remote Installation Services | BINLSVC | |
Remote Server Manager | appmgr | |
Remote Server Monitor | Appmon | |
Remote Shell | RshSvc | |
Remote Storage Notification | Remote_Storage_User_Link | |
Remote Storage Server | Remote_Storage_Server | |
Resultant Set of Policy Provider | RSoPProv | |
SAP Agent | nwsapagent | |
Server for NFS | NfsSvc | |
Server for PCNFS | Pcnfsd | |
Simple Mail Transport Protocol (SMTP) | SMTPSVC | |
Simple TCP/IP Services | SimpTcp | |
Single Instance Storage Groveler | Groveler | |
Smart Card Helper | SCardDrv | |
SNMP Service | SNMP | |
SNMP Trap Service | SNMPTRAP | |
SQLSERVERAGENT and/or SQLAgent$<InstanceName> | SQLSERVERAGENT and/or SQLAgent$<InstanceName> | |
SSDP Discovery Service | SSDPSRV | |
Symantec Mail Security for Microsoft Exchange | SMSMSE | |
Symantec Mail Security Spam Statistics | SAVFMSESpamStatsManager | |
TCP/IP Print Server | LPDSVC | |
Telnet | TlntSvr | |
Terminal Services Licensing | TermServLicensing | |
Trivial FTP Daemon (TFTP) | tftpd | |
User Name Mapping | Mapsvc | |
VMware Tools Service | VMTools | |
Web Element Manager | elementmgr | |
Windows Cron Service | CronService | |
Windows Media Services | WMServer | |
Windows System Resource Manager (WSRM) | WindowsSystemResourceManager | |
WINS | WINS | |
World Wide Web Publishing Service | W3SVC |
See IRM 10.8.20.5.4.2 for explanations.
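The System Services exhibit, the "shall not be present" list and the preamble rule that a disabled service carries the ACL Administrators: Full, SYSTEM: Full, INTERACTIVE: Read can all be checked from two commands a reviewer already runs on the host: `wmic service get Name,StartMode /format:csv` and `sc sdshow <service>`. The script below is an added example and is not part of IRM 10.8.20. It carries only a subset of the exhibit rows (2003 Server column) and of the forbidden list, applies the ACL rule literally to the service-specific SDDL rights that `sc sdshow` prints (CC DC LC SW RP WP DT LO CR SD RC WD WO for Full, CC LC SW LO CR RC for the security template's "Read"), and treats any other trustee or any wider grant as a finding. The CSV and SDDL inputs are constructed samples; note that the Windows 2003 default service SDDL (SYSTEM short of Full, service logon users "SU" granted Read) fails the rule as written, which is what a reviewer should expect to see on an unhardened box.

```python
"""Compare a host's services with the System Services exhibit and the
"shall not be present" list, and check the ACL the IRM requires on
disabled services (Administrators: Full, SYSTEM: Full, INTERACTIVE: Read).

Added example, not part of IRM 10.8.20.  Inputs are the outputs of
    wmic service get Name,StartMode /format:csv
    sc sdshow <service>
The samples below are constructed; the baseline dictionaries carry only a
subset of the exhibit rows (2003 Server column) for brevity.
"""
import csv
import io
import re
from typing import Dict, List, Set, Tuple

# 2003 Server column of the System Services exhibit (subset).
BASELINE_2003: Dict[str, str] = {
    "Alerter": "Disabled", "Browser": "Automatic", "Dhcp": "Automatic",
    "Eventlog": "Automatic", "Messenger": "Disabled", "RemoteRegistry": "Automatic",
    "Schedule": "Automatic", "TlntSvr": "Disabled", "W3SVC": "Disabled",
    "wuauserv": "Not Defined", "wscsvc": "N/A",
}
# "Services That Shall Not Be Present" exhibit (subset).
FORBIDDEN: Set[str] = {"SNMP", "SNMPTRAP", "TlntSvr", "W3SVC", "MSFtpsvc", "tftpd", "SimpTcp"}

# Service-specific SDDL rights as printed by `sc sdshow`.
FULL = set("CC DC LC SW RP WP DT LO CR SD RC WD WO".split())
READ = set("CC LC SW LO CR RC".split())          # "Read" in the security template UI
REQUIRED_ACL = {"BA": FULL, "SY": FULL}          # trustees that must hold at least this
MAX_ACL = {"BA": FULL, "SY": FULL, "IU": READ}   # the only trustees allowed, and their ceiling
WMIC_MODES = {"Auto": "Automatic", "Boot": "Automatic", "System": "Automatic",
              "Manual": "Manual", "Disabled": "Disabled"}


def parse_wmic_csv(text: str) -> Dict[str, str]:
    """Map service name -> start mode in the exhibit's vocabulary (wmic says 'Auto')."""
    rows = csv.DictReader(io.StringIO(text.strip()))   # strip drops wmic's leading blank line
    return {r["Name"]: WMIC_MODES.get(r["StartMode"], r["StartMode"]) for r in rows}


def parse_dacl(sddl: str) -> List[Tuple[str, Set[str], str]]:
    """Return (ace_type, rights, trustee) for each ACE of the DACL ('D:' up to any 'S:')."""
    m = re.search(r"D:[^(]*((?:\([^)]*\))*)", sddl)
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, _flags, rights, _obj, _iobj, trustee = ace.split(";")
        # GA is generic all; otherwise rights are two-letter tokens.  A hex mask
        # would split into junk tokens and be flagged as exceeding the baseline.
        rset = set(FULL) if rights == "GA" else {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append((ace_type, rset, trustee))
    return aces


def check_acl(name: str, sddl: str) -> List[str]:
    """Apply the disabled-service ACL rule literally to one service's SDDL."""
    findings = []
    granted: Dict[str, Set[str]] = {}
    for ace_type, rights, trustee in parse_dacl(sddl):
        if ace_type != "A":                      # deny and audit ACEs never widen access
            continue
        granted.setdefault(trustee, set()).update(rights)
    for trustee, rights in granted.items():
        if trustee not in MAX_ACL:
            findings.append(f"{name}: ACL grants {''.join(sorted(rights))} to {trustee}, "
                            "which is not in the baseline")
        elif not rights <= MAX_ACL[trustee]:
            findings.append(f"{name}: {trustee} holds {''.join(sorted(rights - MAX_ACL[trustee]))} "
                            "beyond what the baseline allows")
    for trustee, needed in REQUIRED_ACL.items():
        if not needed <= granted.get(trustee, set()):
            findings.append(f"{name}: {trustee} lacks Full control")
    return findings


def check_services(wmic_csv: str, sddls: Dict[str, str]) -> List[str]:
    """One finding per deviation: wrong start mode, forbidden service present,
    unknown service, or a bad ACL on a service that must be disabled."""
    findings = []
    for name, mode in parse_wmic_csv(wmic_csv).items():
        if name in FORBIDDEN:
            findings.append(f"{name}: present but listed as 'shall not be present' (start mode {mode})")
        elif name not in BASELINE_2003:
            findings.append(f"{name}: unknown service, assume it poses a risk until documented and approved")
            continue
        else:
            want = BASELINE_2003[name]
            if want == "N/A":
                findings.append(f"{name}: present but not applicable to this platform")
            elif want != "Not Defined" and mode != want:
                findings.append(f"{name}: start mode is {mode}, baseline requires {want}")
        if name in FORBIDDEN or BASELINE_2003.get(name) == "Disabled":
            if name in sddls:
                findings.extend(check_acl(name, sddls[name]))
            else:
                findings.append(f"{name}: no `sc sdshow` output captured, ACL not checked")
    return findings


# Constructed wmic output: Messenger left on, SNMP installed, an unknown agent.
SAMPLE_WMIC = """
Node,Name,StartMode
SRV01,Alerter,Disabled
SRV01,Browser,Auto
SRV01,Dhcp,Auto
SRV01,Eventlog,Auto
SRV01,Messenger,Auto
SRV01,RemoteRegistry,Auto
SRV01,Schedule,Auto
SRV01,SNMP,Auto
SRV01,TlntSvr,Disabled
SRV01,AcmeAgent,Auto
"""
HARDENED = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)")
# Windows 2003 default service DACL: SY is short of Full and SU also gets Read.
DEFAULT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
           "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SAMPLE_SDDL = {"Alerter": HARDENED, "Messenger": DEFAULT, "TlntSvr": DEFAULT}

if __name__ == "__main__":
    for finding in check_services(SAMPLE_WMIC, SAMPLE_SDDL):
        print("DEVIATION:", finding)
```

Fill BASELINE_2003 and FORBIDDEN from the full exhibits before using this on a real host; a service that is in neither is reported as unknown, which is the disposition the exhibit's last row requires.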
Common Windows Ports and Descriptions
Protocol | Name | Application | Description
---|---|---|---
42/tcp | nameserver | name | WINS replication
88/tcp | kerberos | krb5, kerberos-sec | Kerberos secure authentication
88/udp | kerberos | krb5, kerberos-sec | Kerberos secure authentication
135/tcp | epmap | loc-srv | Remote procedure call (RPC) endpoint mapper
137/udp | netbios-ns | nbname | NetBIOS name service (name query requests and responses)
138/udp | netbios-dgm | nbdatagram | NetBIOS datagram service
139/tcp | netbios-ssn | nbsession | NetBIOS session service (SMB over NetBIOS)
389/tcp | ldap | | Lightweight Directory Access Protocol (LDAP)
389/udp | ldap | | Lightweight Directory Access Protocol (LDAP)
445/tcp | microsoft-ds | | SMB protocol without NetBIOS (CIFS)
464/tcp | kpasswd | | Kerberos password change
464/udp | kpasswd | | Kerberos password change
544/tcp | kshell | krcmd | Kerberos remote shell (kshell)
636/tcp | ldaps | sldap | LDAP over TLS/SSL
3268/tcp | msft-gc | | Global Catalog with LDAP
3269/tcp | msft-gc-ssl | | Global Catalog with LDAP and SSL encryption
3389/tcp | ms-wbt-server | | Terminal Server (RDP)
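The exhibit lists the ports a baseline Windows host is expected to expose; the rule at the top of this IRM is that every port not specifically required for business operations shall be disabled, so a listener outside this table (plus whatever a server's documented role adds, such as 80/443 on a web server) is a finding. The script below is an added example and is not part of IRM 10.8.20: it parses the output of `netstat -ano`, keeps TCP sockets in the LISTENING state and every bound UDP socket, and reports those not in the exhibit or in a caller-supplied role allow-list, with the owning PID so the service can be traced. The netstat text is a constructed sample.

```python
"""Flag listening TCP/UDP ports that are neither in the Common Windows Ports
exhibit nor in a per-role allow-list, from `netstat -ano` output.

Added example, not part of IRM 10.8.20.  SAMPLE_NETSTAT is constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# (port, protocol) pairs from the exhibit.
EXHIBIT_PORTS: Set[Tuple[int, str]] = {
    (42, "tcp"), (88, "tcp"), (88, "udp"), (135, "tcp"), (137, "udp"), (138, "udp"),
    (139, "tcp"), (389, "tcp"), (389, "udp"), (445, "tcp"), (464, "tcp"), (464, "udp"),
    (544, "tcp"), (636, "tcp"), (3268, "tcp"), (3269, "tcp"), (3389, "tcp"),
}

# netstat -ano rows: proto, local addr:port, foreign addr, optional TCP state, PID.
# IPv6 locals look like [::]:135; the greedy \S+ backtracks to the last colon.
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def listening_ports(netstat: str) -> Dict[Tuple[int, str], Set[int]]:
    """Return {(port, proto): {pids}} for TCP listeners and bound UDP sockets."""
    found: Dict[Tuple[int, str], Set[int]] = {}
    for line in netstat.splitlines():
        m = LINE.match(line)
        if not m:
            continue                                  # header lines, blank lines
        proto, _local, port, _remote, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                                  # established/closing sockets are not exposed services
        found.setdefault((int(port), proto.lower()), set()).add(int(pid))
    return found


def audit_ports(netstat: str, role_allow: Set[Tuple[int, str]] = frozenset()) -> List[str]:
    """One finding per listener outside the exhibit and the role allow-list."""
    allowed = EXHIBIT_PORTS | set(role_allow)
    findings = []
    for (port, proto), pids in sorted(listening_ports(netstat).items()):
        if (port, proto) not in allowed:
            pid_list = ", ".join(str(p) for p in sorted(pids))
            findings.append(f"{port}/{proto} is listening (PID {pid_list}) but is not an approved port")
    return findings


# Constructed sample: Telnet (23/tcp) and SNMP (161/udp) are exposed.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING       1544
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:3389          10.0.0.9:51234         ESTABLISHED     1120
  UDP    0.0.0.0:161            *:*                                    1600
  UDP    10.0.0.5:137           *:*                                    4
"""

if __name__ == "__main__":
    for finding in audit_ports(SAMPLE_NETSTAT):
        print("DEVIATION:", finding)
```

Pair the PID with `tasklist /svc /fi "PID eq <pid>"` to identify the hosting service, then dispose of it under the System Services exhibit (disable, or document as a role exception).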
-
The following are settings related to IIS and SQL. These settings will be migrated to the individual IIS and SQL IRMs and removed from this IRM; they are here as placeholders while those IRMs are being created.
-
For information on Defining Functional Roles, see IRM 10.8.20.4.2.5.
-
For all services with a required start-up state of disabled, they shall have a permission of Administrator: Full, System: Full, and Interactive: Read. (Note: This is also applicable for services that are required to not be present on baseline system, if these services do exist on a system).
IIS Settings: (Web Server)
Changes to the User Rights Table (Exhibit 10.8.20-5).
User Right | 2000 Server | 2003 Server
---|---|---
Access this computer from the network | Administrators; Authenticated Users; IWAM or IWAM_<ComputerName>; ASPNET | Administrators; Authenticated Users; IWAM or IWAM_<ComputerName>; ASPNET
Adjust memory quotas for a process | Tivoli_Admin_Privileges; IWAM or IWAM_<ComputerName> | Tivoli_Admin_Privileges; IWAM or IWAM_<ComputerName>
Bypass traverse checking | Authenticated Users; tmersrvd; IIS_WPG | Authenticated Users; tmersrvd; IIS_WPG
Deny access to this computer from the network | ANONYMOUS LOGON; Built-in Administrator; Renamed Guest Account (if enabled); All NON-Operating System Service Accounts | ANONYMOUS LOGON; Built-in Administrator; Support_388945a0; Renamed Guest Account (if enabled); All NON-Operating System Service Accounts
Impersonate a client after authentication | Administrators; Service; ASPNET; IIS_WPG | Administrators; Service; ASPNET; IIS_WPG
Log on as a batch job | LOCAL SERVICE; IWAM or IWAM_<ComputerName>; IIS_WPG; ASPNET; LocalLogonBatch | LOCAL SERVICE; IWAM or IWAM_<ComputerName>; IIS_WPG; ASPNET; LocalLogonBatch
Log on as a service | NETWORK SERVICE; ASPNET; LocalLogonService | NETWORK SERVICE; ASPNET; LocalLogonService
Additions to the System Services Table (Exhibit 10.8.20-23) (Web Server)
Display Name (Service Name) | 2000 Server | 2003 Server
---|---|---
Distributed Transaction Coordinator (MSDTC) | Automatic | Automatic
HTTP SSL (HTTPFilter) | N/A | Automatic
IIS Admin (IISADMIN) | Automatic | Automatic
World Wide Web Publishing Service (W3SVC) | Automatic | Automatic
SQL Settings: (Relational Database)
Additions to the User Rights Table (Exhibit 10.8.20-5).
User Right | 2000 Server | 2003 Server
---|---|---
Act as part of the operating system | Tivoli_Admin_Privileges; LocalSQLService | Tivoli_Admin_Privileges; LocalSQLService
Bypass traverse checking | Authenticated Users; tmersrvd; LocalSQLService | Authenticated Users; tmersrvd; LocalSQLService
Lock pages in memory | LocalSQLService | LocalSQLService
Log on as a batch job | LocalLogonBatch; LocalSQLService | LocalLogonBatch; LocalSQLService
Log on as a service | LocalLogonService; LocalSQLService | LocalLogonService; LocalSQLService
Replace a process level token | Tivoli_Admin_Privileges; LocalSQLService | NETWORK SERVICE; LOCAL SERVICE; Tivoli_Admin_Privileges; LocalSQLService
SQL Settings: (Relational Database)
Additions to the System Services Table (Exhibit 10.8.20-23).
Display Name (Service Name) | 2000 Server | 2003 Server
---|---|---
Distributed Transaction Coordinator (MSDTC) | Automatic | Automatic
MSSQLServer or MSSQL$<InstanceName> (for a named instance) | Automatic | Automatic
-
For information on Defining Functional Roles, see IRM 10.8.20.4.2.5.
-
For all services with a required start-up state of disabled, they shall have a permission of Administrator: Full, System: Full, and Interactive: Read. (Note: This is also applicable for services that are required to not be present on baseline system, if these services do exist on a system).
WINS Server Security Settings | ||
---|---|---|
System Services | ||
Display Name | Service Name | Start Up State |
Windows Internet Name Service (WINS) | WINS | Automatic |
-
These settings apply only to Windows 2003 Servers running Microsoft Exchange Server.
-
For information on Defining Functional Roles, see IRM 10.8.20.4.2.5.
-
For all services with a required start-up state of disabled, they shall have a permission of Administrator: Full, System: Full, and Interactive: Read. (Note: This is also applicable for services that are required to not be present on baseline system, if these services do exist on a system).
Exchange Server Security Settings | |||
---|---|---|---|
System Services (Windows 2003) | |||
Display Name | Service Name | Start Up State | |
Microsoft Exchange Information Store | MSExchangeIS | Automatic | |
Microsoft Exchange Management | MSExchangeMGMT | Automatic | |
Microsoft Exchange MTA Stacks | MSExchangeMTA | Automatic | |
Microsoft Exchange System Attendant | MSExchangeSA | Automatic | |
Microsoft Exchange Routing Engine | RESvc | Automatic | |
Symantec Mail Security for Microsoft Exchange | smsmse | Automatic | |
Symantec Mail Security Spam Statistics | SAVFMSESpamStatsManager | Manual | |
IIS Admin Service | IISADMIN | Automatic | |
Simple Mail Transport Protocol (SMTP) | SMTPSVC | Automatic | |
World Wide Web Publishing Service | W3SVC | Automatic | |
HTTP SSL | HTTPFilter | Manual | |
Remote Procedure Call (RPC) Locator | RpcLocator | Manual |
Exchange Server Security Settings | ||
---|---|---|
User Rights | ||
User Right | Windows 2003 | |
Log On As A Service | <DomainName>\MIISsvc | |
Deny Access to this Computer from the Network | Anonymous Logon |
Exchange Server Security Settings | ||
---|---|---|
File/Folder Permissions (Windows 2003) | ||
File Share Name | Share Permission | NTFS Permission |
Resource$ | Everyone - Read | Everyone - RX |
Address | Everyone - Read | Everyone - RX |
-
For information on Defining Functional Roles, see IRM 10.8.20.4.2.5.
-
For all services with a required start-up state of disabled, they shall have a permission of Administrator: Full, System: Full, and Interactive: Read. (Note: This is also applicable for services that are required to not be present on baseline system, if these services do exist on a system).
Display Name | XP Workstation | 2000 Server | 2003 Server | |
---|---|---|---|---|
Windows Time (W32Time) | Not Defined | Not Defined | Not Defined | |
VMware Tools Service (VMTools) | Automatic | Automatic | Automatic | |
-
This exhibit is for the system services for base servers with EDE.
-
For information on Defining Functional Roles, see IRM 10.8.20.4.2.5.
-
For all services with a required start-up state of disabled, they shall have a permission of Administrator: Full, System: Full, and Interactive: Read. (Note: This is also applicable for services that are required to not be present on baseline system, if these services do exist on a system).
Display Name | XP Workstation | 2000 Server | 2003 Server |
---|---|---|---|
ADAM_EDE<Domain Name> | Do not install | Do not install | Automatic |
Setting | Windows XP | Windows 2000 | Windows 2003
---|---|---|---
Note: If all of the following controls are in place, then the requirements defined in Exhibits 10.8.20-18 and 10.8.20-19 (with the exception of the Intranet Zone settings) are not applicable to the server. If any of the following requirements is not correctly set, then all settings defined in Exhibits 10.8.20-18 and 10.8.20-19 apply. | | |
User Configuration - Administrative Templates - Windows Components - Internet Explorer | | |
Disable Changing Proxy Settings | See Exhibit 10.8.20-18 | Enabled | Enabled
Computer Configuration - Administrative Templates - Windows Components - Internet Explorer | | |
Make Proxy Settings Per Machine (rather than per user) | Not Defined | Enabled (recommended) | Enabled (recommended)
User Configuration - Windows Settings - Internet Explorer Maintenance - Connection - Proxy Settings | | |
Enable Proxy Settings | Not Defined | Enabled | Enabled
Use the Same Proxy Server for All Addresses | Not Defined | Enabled | Enabled
Proxy Servers | Not Defined | localhost or 127.0.0.1 | localhost or 127.0.0.1
Note: For information on Defining Functional Roles, see IRM 10.8.20.4.2.5.
Setting | Windows XP | Windows 2000 | Windows 2003
---|---|---|---
Note: These configuration settings apply only to Symantec, Blackberry and Altiris servers. | | |
User Configuration - Windows Settings - Internet Explorer Maintenance - Connection - Proxy Settings | | |
Enable Proxy Settings | N/A | Not Defined | Not Defined
Use the Same Proxy Server for All Addresses | N/A | Not Defined | Not Defined
Proxy Servers | N/A | Not Defined | Not Defined
Definitions for words used within the text of this IRM:
-A-
ACCOUNT POLICIES
Account Policies: Enforce Password History (PasswordHistorySize)
Prevents users from cycling among favorite passwords and reduces the chance that a password cracker will discover passwords.
Account Policies: Maximum Password Age
Period of time a user is allowed to keep a password before being required to change it.
Account Policies: Minimum Password Age
Period of time a user must wait after changing a password before changing it again.
Account Policies: Minimum Password Length
The minimum length for a password.
Account Policies: Password Complexity Requirements
Passwords must contain characters from 3 of 4 classes: upper case letters, lower case letters, numbers, special characters. Also, passwords cannot be the same as the user's logon name. Complexity requirements take effect the next time a user changes his or her password; existing passwords are not affected.
Account Policies: Store Passwords Using Reversible Encryption
Windows normally stores passwords using one-way encryption: the password is transformed into a fixed value, called a "hash," which cannot be reversed to directly recover the original password. To support some applications and their authentication methods, Microsoft permits passwords to be stored using reversible encryption instead.
Account Policies: Account Lockout Duration
Determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. Only has meaning when an account lockout threshold is specified.
Account Policies: Account Lockout Threshold
Determines the number of failed logon attempts that will cause a user account to be locked out.
Account Policies: Reset Account Lockout Counter After
Determines the number of minutes that must elapse after a failed logon attempt before the bad logon attempt counter is reset to 0 bad logons.
Account Policies: Enforce User Logon Restrictions
When this option is enabled, the KDC validates every request for a session ticket by examining the user rights policy on the target computer to verify that the user has the right either to log on locally or to access the computer from the network. It is also a check to ensure the requesting account is still valid. Verification is optional because the extra step takes time and may slow network access to services. The default is Enabled.
Account Policies: Maximum Lifetime For Service Ticket
A "service ticket" is a session ticket. Settings are in minutes. The setting must be more than ten minutes and less than the setting for "Maximum user ticket lifetime." Default value: 10 hours.
Account Policies: Maximum Lifetime For User Ticket
A "user ticket" is a TGT and must be renewed after this time. Default value: 10 hours.
Account Policies: Maximum Lifetime For User Ticket Renewal
This is the maximum lifetime of a ticket [either a Ticket Granting Ticket (TGT) or a session ticket, although the policy specifies this is for a "user ticket"]. No ticket can be renewed after this time. Default value: 7 days.
Account Policies: Maximum Tolerance For Computer Clock Synchronization
When the KDC clock is this many minutes different from the Kerberos client's clock, tickets are not issued for the client. This is a deterrent against replay attacks. Settings are in minutes. Default value: 5 minutes.
ADAM_EDE<domain name> Service
This is the control service for the GuardianEdge based ADAM datastore instance. The production instance name is EDE for the DS domain.
AUDIT
Audit: Audit the Access of Global System Objects
(Windows 2000 - Audit the access of global system objects)
Global system objects typically provide audit information of interest only to developers. Examples of these kernel objects include mutexes, semaphores and DOS devices.
Audit: Audit the Use of Backup and Restore Privilege
(Windows 2000 - Audit the use of backup and restore privilege)
When enabled, this setting generates a log entry for every file that is backed up or restored using the "Backup or Restore" privilege.
Audit: Shut Down System Immediately if Unable to Log Security Audits
(Windows 2000 - Shut down system immediately if unable to log security audits)
An SA may choose not to overwrite events when the event log is full. Assuming that logs are sized appropriately and routinely backed up and cleared, a full log could indicate a security incident. In the specialized security environment, the inability to log events may be just cause to halt the server.
AUDIT POLICIES
Audit Policies: Audit Account Logon Events
Auditing account logon events tracks successful and failed logon attempts from the local console, the network, or batch or service accounts using domain logon credentials.
Audit Policies: Audit Account Management
To track successful and failed attempts to create new users or groups, rename users or groups, enable or disable users, or change account passwords, enable auditing for Account Management events.
Audit Policies: Audit Directory Service Access
No auditing of Directory Service Access is required on Windows 2000 Servers that are member or stand-alone servers, because Directory Service Access can only be audited on Windows 2000 (or later) domain controllers.
Audit Policies: Audit Logon Events
Auditing logon events tracks successful and failed logon attempts from the local console, the network, or batch or service accounts using local machine logon credentials.
Audit Policies: Audit Object Access
This policy enables object access auditing; to actually track users' access to a file or folder, also edit the security properties of that object and enable auditing entries for it.
Audit Policies: Audit Policy Change
If policy changes are audited, changes to User Rights, Audit Policies, or Trust Policies will produce events in the Security Event Log.
Audit Policies: Audit Privilege Use
Auditing privilege use enables auditing for any operation that requires a user account to make use of extra privileges that it has already been assigned.
Audit Policies: Audit Process Tracking
Each time an application or a user starts, stops, or otherwise changes a process, an event is written to the event log. This creates a very large event log very quickly, and the information is not normally exceptionally useful.
Audit Policies: Audit System Events
Auditing System events is very important. System events include starting or shutting down the computer, full event logs, or other security related events that have impact across the entire system.
-D-
DEVICES
Devices: Allow Undock Without Having to Log On
Some laptop docking stations have a hardware eject button that can be locked by software on the laptop. Setting this option to Disabled provides greater security; however, without proper training a user may physically damage the hardware. This setting has no effect unless the server is running on a laptop.
Devices: Allowed to Format and Eject Removable Media
(Windows 2000 - Allowed to eject removable NTFS media)
This setting governs which users have authority to remove NTFS-formatted media from the computer.
Devices: Prevent users from installing printer drivers
(Windows 2000 - Prevent users from installing printer drivers)
When printer drivers are installed onto an operating system, their code is installed directly into the privileged space of the operating system kernel. This allows printer drivers to accomplish tasks that are beyond the actual user’s capability. Unfortunately, it also opens the operating system up to executing malicious code in the form of a "Trojan Horse" printer driver.
Devices: Restrict CD-ROM Access to Locally Logged-On User Only
(Windows 2000 - Restrict CD-ROM access to locally logged-on user only)
With sufficient privileges, users can create network shares from any folder on a Windows computer. This extends to sharing a CD-ROM drive externally. This setting restricts use of the shared CD-ROM drive to the local interactive logon.
Devices: Restrict Floppy Access to Locally Logged-On User Only
(Windows 2000 - Restrict floppy access to locally logged-on user only)
With sufficient privileges, users can create network shares from any folder on a Windows computer. This extends to sharing a floppy drive externally. This setting restricts use of the shared floppy drive to the local interactive logon.
Devices: Unsigned Driver Installation Behavior
(Windows 2000 - Unsigned driver installation behavior)
Microsoft has generally shipped drivers with a digital signature, certifying that Microsoft itself has tested the drivers and found them valid and free of malicious behavior. Unfortunately, not all drivers (even from Microsoft) are distributed with digital signatures.
DIRECTORY REPLICATION
Directory Replication: Domain data
The domain data contains information about objects within a domain. This is the information typically thought of as directory information, such as e-mail contacts, user and computer account attributes, and published resources that are of interest to administrators and users. For example, when a user account is added to a network, a user account object and attribute data are stored in the domain data. When changes to your organization’s directory objects occur, such as object creation, deletion, or attribute modification, this data is stored in the domain data.
Directory Replication: Configuration data
The configuration data describes the topology of the directory. This configuration data includes a list of all domains, trees, and forests, and the locations of the domain controllers and global catalogs.
Directory Replication: Schema data
The schema is the formal definition of all object and attribute data that can be stored in the directory. Windows Server 2003 includes a default schema that defines many object types, such as user and computer accounts, groups, domains, organizational units, and security policies. Administrators and programmers can extend the schema by defining new object types and attributes, or by adding new attributes for existing objects. Schema objects are protected by ACLs, ensuring that only authorized users can alter the schema.
DOMAIN CONTROLLER
Domain Controller: Allow Server Operators to Schedule Tasks
(Windows 2000 - Allow server operators to schedule tasks - domain controllers only)
When enabled, server operators can add tasks using the AT command. By default, AT runs under the local system account, which has administrative rights on the machine. When this setting is disabled, server operators can still schedule tasks with the Task Scheduler; however, these tasks will run under their domain credentials and not under the local system account.
Domain Controller: LDAP Server Signing Requirements
This option can be set to Require Signature or None (signing is not required unless the client requests it). Data signing helps protect against man-in-the-middle attacks, but does not protect the confidentiality of data in transit. Require signing to provide the assurance of mutual authentication for this communications channel.
Domain Controller: Refuse Machine Account Password Changes
This setting allows the domain to prevent computers from changing their computer account passwords. This setting has no effect on computers other than Domain Controllers.
-E-
EAFRCliManager Service
This is the GuardianEdge framework service that manages the GE product on the client to provide the filter for reads and writes to/from removable media. This service also communicates with the ADAM servers to report back the current configurations on the client workstation.
Enterprise Disk Encryption
Enterprise Disk Encryption is a software protection tool, using SecureDoc software from WinMagic, to secure information stored on personal computers when they are turned off. Without EDE, users are vulnerable to unauthorized disclosure of sensitive but unclassified (SBU) data - including taxpayer data - if systems are lost or stolen. The EDE solution includes an installation of a service on several servers and a client that will be installed on all IRS workstations.
-F-
Federal Desktop Core Configuration (FDCC)
Under the direction of OMB and in collaboration with DHS, DISA, NSA, USAF, and Microsoft, NIST has provided resources to help agencies test, implement, and deploy the Microsoft Windows XP and Vista Federal Desktop Core Configuration (FDCC) baseline. For further information, check the NIST Website at: http://fdcc.nist.gov/.
-N-
NETWORK ACCESS
Network Access: Allow Anonymous SID/Name Translation
Each object within Active Directory obtains a unique binary SID. The operating system controls access to resources by their SID. SID formatting is well known, and some SIDs (e.g., local administrator and local guest) have properties which divulge the actual purpose of the account. Disable this option to prevent the null user from translating the binary SID into the actual account name.
Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts
Enabled means only truly authenticated logins may enumerate other accounts. Disabled means all accounts can be gathered through the null session.
Network Access: Do Not Allow Anonymous Enumeration of SAM Accounts and Shares
In addition to protecting the list of user accounts, this setting also controls the list of network file shares established on the workstation.
Network Access: Let Everyone Permissions Apply to Anonymous Users
Many resources across the network are accessible to the "Everyone" group. This special group contains all accounts; however, it does not contain the anonymous user. Enabling this option adds the "null user" to the "Everyone" group, escalating the privileges of this account. The "Everyone" group is assigned to many network resources by default.
Network Access: Named Pipes that can be Accessed Anonymously
Named pipes are communications channels between two processes. The processes may or may not be located on the same computer, and communications are peer-to-peer rather than client-to-server. Each pipe is assigned an ACL.
Network Access: Remotely Accessible Registry Paths
(For XP, this setting includes subpaths)
This setting defines the registry paths which can be accessed from another computer.
Network Access: Remotely accessible registry paths and subpaths
This setting defines the registry paths and corresponding child paths which can be accessed from another computer. Remote registry access depends on the Remote Registry service and requires authentication.
Network Access: Restrict anonymous access to Named Pipes and Shares
When enabled, the anonymous restrictions on shares and named pipes take effect to prevent null sessions from accessing these resources.
Network Access: Shares that can be Accessed Anonymously
ACLs restrict access to published network shares hosted by a workstation. Shares can be published to the "Everyone" group, but this does not include the unauthenticated null user. Adding specific shares to this list grants access to the unauthenticated user. Note that NTFS permissions on the share still apply.
Network Access: Sharing and Security Model for Local Accounts
Remote users often must present logon credentials to the workstation to gain access. Occasionally, they may present credentials for a local account on the workstation. In the "Classic" security model, even though a remote user is using local credentials, they still gain access based on restrictions for the local account. However, the "Guest Only" model remaps the remote user to the guest account, so they will only be able to access resources available to guests.
Network Access: DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) Syntax
(Available in 2003 SP1 and XP SP2 or greater only)
This setting is used to grant access to all the computers to particular users for DCOM applications in the enterprise through Group Policy.
Network Access: DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) Syntax
(Available in 2003 SP1 and XP SP2 or greater only)
This setting is used to grant launch or activation permissions to all the computers to particular users for DCOM applications in the enterprise through Group Policy.
NETWORK DATA PROTECTION
Network Data Protection: Domain member: Digitally encrypt or sign secure channel data (always)
(Windows 2000 - Secure channel: Digitally encrypt or sign secure channel data - always)
Secure channels are normally established between workstations or servers and Domain Controllers. This data can include password authentication hashes. Signing the data encapsulates it in a digital signature that authenticates the recipient. Encrypting the data signs it and masks it, making the data indecipherable if it is intercepted over the network.
Network Data Protection: Domain member: Digitally Encrypt Secure Channel Data (when possible)
(Windows 2000 - Secure channel: Digitally encrypt secure channel data - when possible)
Encrypting the secure channel authenticates the computers at both ends of the conversation (signs) and encrypts the data to prevent interception of that data. It has no effect outside of a domain environment.
Network Data Protection: Domain member: Digitally Sign Secure Channel Data (when possible)
Digitally signing the secure channel data provides authentication of all members of a "conversation" and prevents a "man in the middle" type of attack. This option has no effect outside of a domain environment.
Network Data Protection: Domain member: Require Strong (Windows 2000 or later) Session Key
(Windows 2000 - Secure channel: Require strong (Windows 2000 or later) session key)
This setting applies specifically to the NetLogon secure channel established between workstations and domain controllers. This setting only impacts workstations which have joined a domain.
Network Data Protection: Network Access: Do Not Allow Storage of Credentials or .NET Passports for Network Authentication
This setting controls the behavior of the "Stored User Names and Passwords" feature of Windows XP. This feature stores NTLM, Kerberos, Passport and SSL authentication; it should not be confused with the Internet Explorer authentication cache, since it is managed separately. Some documents refer to this setting as "Network Access: Do not allow Stored User Names and Passwords to save passwords or credentials for domain authentication."
Network Data Protection: Microsoft Network Client: Digitally sign communications (always)
(Windows 2000 - Digitally sign client communication - always)
This setting applies specifically to communications using the Server Message Block (SMB) protocol. When enabled, the client will negotiate signed communications with any SMB server. If the server cannot support SMB signing (typically servers prior to Windows 2000), communications will fail.
Network Data Protection: Microsoft Network Client: Digitally sign communications (if server agrees)
(Windows 2000: Digitally sign client communications - when possible)
This setting applies specifically to communications using the Server Message Block (SMB) protocol. When enabled, the client will negotiate signed communications with any SMB server supporting SMB signing (typically Windows 2000 and later). Unsigned communications will still succeed with servers that do not support message signing.
Network Data Protection: Microsoft Network Client: Send Unencrypted Password to Connect to Third-Party SMB Servers
(Windows 2000 - Send unencrypted password to connect to third-party SMB servers)
Governs whether the password used to connect to third-party SMB servers is encrypted or not.
Network Data Protection: Microsoft Network Server: Digitally Sign Communications (always)
(Windows 2000: Digitally sign communications - always)
The workstation may require all SMB traffic to be digitally signed. Workstations act as servers when remote devices connect to published shares; many workstation management systems also use SMB protocols.
Network Data Protection: Microsoft Network Server: Digitally Sign Communications (if client agrees)
(Windows 2000: Digitally sign communications - when possible)
The workstation should request signed communications wherever possible.
Network Data Protection: Network Security: LAN manager authentication level
(Windows 2000 - LAN Manager authentication level)
The default, and weakest, option is the first: send LM and NTLM responses. As a result, using NTLM is ineffective because both protocols are sent together. To take a much more effective stand to protect network authentication, set LAN Manager Authentication Level to "Send NTLMv2 response only/refuse LM and NTLM." Enabling this setting may have adverse effects on the ability to communicate with other Windows machines unless the change is made network-wide. If unable to require a certain level of LM authentication, back down to "Send LM and NTLM – Use NTLMv2 session security if negotiated" and try network authentication again.
Network Data Protection: Network Security: LDAP Client Signing Requirements
Similar to the SMB protocol, the LDAP protocol supports signing. LDAP, "Lightweight Directory Access Protocol," provides one means for the client to talk to Active Directory. The LDAP protocol is text-based, but supports authentication to gain access to sensitive sections of the directory. Require signing to provide the assurance of mutual authentication for this communications channel.
Network Data Protection: Network Security: Minimum Session Security for NTLM SSP Based (including secure RPC) Clients
NTLM authentication can provide a security service to manage connections between various clients and servers, including through the Remote Procedure Call (RPC) service. Windows improved the security model for secure, authenticated client-server communications; this setting manages the new features for communications established by this workstation.
Network Data Protection: Network Security: Minimum Session Security for NTLM SSP Based (including secure RPC) Servers
Similar to "Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients," this setting manages features for communication services provided by this workstation to other computers.
Network Data Protection: System Cryptography: Force Strong Key Protection for User Keys Stored on the Computer
Strong key protection helps keep private keys safe when they are stored on the local computer by locking the key with a password. This option requires users to enter the password when the key is first used, or every time the key is used. The password is not synchronized with the domain account password. This option applies to user keys which are managed through the Data Protection Application Programming Interface (API).
Network Data Protection: System Cryptography: Use FIPS Compliant Algorithms for Encryption, Hashing, and Signing
Enabling the requirement for FIPS compliant system cryptography will limit the workstation’s ability to interact with SSL encrypted web sites that do not support these encryption mechanisms. This will likely have an effect on most non-IIS served web sites.
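The anonymous-access settings under NETWORK ACCESS and the signing, session-key and LAN Manager settings under NETWORK DATA PROTECTION are all backed by registry values that a `secedit /export` security template writes to its [Registry Values] section. The following Python script is an added example, not part of this IRM and not a Microsoft tool: it parses such an export and reports each of those settings as compliant or not against the values the glossary calls for, treating a setting that is absent from the export (Not Defined) as a failure. The registry paths are the standard Windows locations behind these Security Options, the sample export is constructed for the example, and the DWORD encodings (LmCompatibilityLevel 5 = "Send NTLMv2 response only/refuse LM and NTLM", LDAPClientIntegrity and LDAPServerIntegrity 2 = Require signing) are assumed from Microsoft's documented values rather than taken from this page.

```python
"""Audit a secedit-style security template export against the anonymous-access
and channel-protection settings described in the glossary.

Added example: the registry value names below are the standard Windows
locations behind these Security Options, not values listed in this IRM section.
"""
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"
SVC = "MACHINE\\System\\CurrentControlSet\\Services\\"

# (glossary setting, registry value, required data).  REG_DWORD data is
# compared as an int; NullSessionShares is a REG_MULTI_SZ that must be empty.
EXPECTED = [
    ("LAN Manager authentication level: Send NTLMv2 response only/refuse LM and NTLM",
     LSA + "LmCompatibilityLevel", 5),
    ("Do not allow anonymous enumeration of SAM accounts", LSA + "RestrictAnonymousSAM", 1),
    ("Do not allow anonymous enumeration of SAM accounts and shares", LSA + "RestrictAnonymous", 1),
    ("Let Everyone permissions apply to anonymous users: Disabled", LSA + "EveryoneIncludesAnonymous", 0),
    ("Domain member: Digitally encrypt or sign secure channel data (always)",
     SVC + "Netlogon\\Parameters\\RequireSignOrSeal", 1),
    ("Domain member: Require strong (Windows 2000 or later) session key",
     SVC + "Netlogon\\Parameters\\RequireStrongKey", 1),
    ("Microsoft network client: Digitally sign communications (always)",
     SVC + "LanmanWorkstation\\Parameters\\RequireSecuritySignature", 1),
    ("Microsoft network server: Digitally sign communications (always)",
     SVC + "LanmanServer\\Parameters\\RequireSecuritySignature", 1),
    ("Microsoft network client: Send unencrypted password to third-party SMB servers: Disabled",
     SVC + "LanmanWorkstation\\Parameters\\EnablePlainTextPassword", 0),
    ("Network security: LDAP client signing requirements: Require signing",
     SVC + "LDAP\\LDAPClientIntegrity", 2),
    ("Domain controller: LDAP server signing requirements: Require signing",
     SVC + "NTDS\\Parameters\\LDAPServerIntegrity", 2),
    ("Shares that can be accessed anonymously: none", SVC + "LanmanServer\\Parameters\\NullSessionShares", []),
]

# Constructed sample of a ``secedit /export`` INF; the values were chosen for
# this example and were not taken from any real host.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,1
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymousSAM=4,1
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,1
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\EveryoneIncludesAnonymous=4,0
MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\RequireSignOrSeal=4,1
MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\RequireStrongKey=4,1
MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\RequireSecuritySignature=4,1
MACHINE\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\RequireSecuritySignature=4,0
MACHINE\\System\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters\\EnablePlainTextPassword=4,0
MACHINE\\System\\CurrentControlSet\\Services\\LDAP\\LDAPClientIntegrity=4,1
MACHINE\\System\\CurrentControlSet\\Services\\LanmanServer\\Parameters\\NullSessionShares=7,
[Version]
signature="$CHICAGO$"
Revision=1
"""


@dataclass
class Finding:
    setting: str
    path: str
    expected: object
    actual: object      # None when the export carries no value (Not Defined)
    compliant: bool


def parse_registry_values(inf_text: str) -> Dict[str, object]:
    """Return {registry path: decoded data} from the [Registry Values] section.

    secedit writes each line as PATH=TYPE,DATA where TYPE 4 is REG_DWORD,
    1 is REG_SZ (quoted) and 7 is REG_MULTI_SZ (comma separated strings).
    """
    values: Dict[str, object] = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Registry Values" or "=" not in line:
            continue
        path, _, rhs = line.partition("=")
        reg_type, _, data = rhs.partition(",")
        if reg_type == "4":
            values[path] = int(data)
        elif reg_type == "1":
            values[path] = data.strip('"')
        elif reg_type == "7":
            values[path] = [s for s in data.split(",") if s]
        else:
            values[path] = data
    return values


def audit(values: Dict[str, object]) -> List[Finding]:
    """A setting absent from the export is Not Defined and counts as a failure."""
    return [Finding(s, p, e, values.get(p), values.get(p) == e) for s, p, e in EXPECTED]


def summarize(findings: List[Finding]) -> Tuple[int, List[str]]:
    """Return (number compliant, registry paths of the failing settings)."""
    ok = sum(1 for f in findings if f.compliant)
    return ok, [f.path for f in findings if not f.compliant]


def audit_inf(inf_text: str) -> List[Finding]:
    return audit(parse_registry_values(inf_text))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # secedit /export writes UTF-16; pass the exported .inf as the argument
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_INF
    for f in audit_inf(text):
        print("PASS" if f.compliant else "FAIL", f.setting, "| expected", f.expected, "got", f.actual)
```

Run it without arguments to see the constructed sample fail on the LAN Manager level, the server-side SMB signing requirement, LDAP client signing and the absent LDAP server signing value; run it with the path of a real `secedit /export /cfg <file>` output to audit a host. A REG_SZ or REG_MULTI_SZ setting that appears in the export is decoded as well, so the table of expectations can be extended to the named-pipe and share lists in the same way.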
-S-
SYSTEM SERVICES
System Services: Alerter
The Alerter service is normally used to send messages between processes on one computer, "alerting" the user’s console to the status of certain functions, including the execution of print jobs. It also works in conjunction with the Messenger service to send these same messages between computers on a network.
System Services: Application Layer Gateway Service
This subcomponent of the Internet Connection Sharing (ICS) / Internet Connection Firewall (ICF) service provides support for independent software vendors (ISVs) to write protocol plug-ins that allow their proprietary network protocols to pass through the firewall and work behind ICS.
System Services: Application Management
Provides software installation services, such as Assign, Publish, and Remove. This service processes requests to enumerate, install, and remove applications deployed via a corporate network.
System Services: ATI Hotkey Poller
Provides the ability to change display settings with hot keys (ATI video cards).
System Services: Automatic Updates
Enables the download of updates from Microsoft’s Windows Update Web site. This service keeps the workstation / server up to date automatically with the latest updates, drivers and enhancements from Microsoft.
System Services: Background Intelligent Transfer Service (BITS)
BITS transfers files asynchronously between a client and an HTTP server. BITS is a background file transfer mechanism and queue manager.
System Services: Certificate Services
Services related to being a certificate server.
System Services: ClipBook
Enables the ClipBook Viewer to create and share "pages" of data to be viewed by remote computers.
System Services: COM+ Events System
Provides automatic distribution of events to subscribing COM (Component Object Model) components. COM+ Events extend the COM+ programming model to support late-bound events or method calls between the publisher or subscriber and the event system.
System Services: COM+ System Application
The COM+ System Application hosts COM+ services and manages COM+ application configuration and tracking.
System Services: Computer Browser
Maintains an up-to-date list of computers on a network, and supplies the list to programs that request it.
System Services: Cryptographic Services
Provides key management services for a computer. The Cryptographic Service is comprised of three management services: Catalog Database Service, Protected Root Service, and Key Service.
System Services: DCOM Server Process Launcher
Provides launch functionality for DCOM services.
System Services: DefWatch
Used in detecting out-of-date virus definitions for Symantec AntiVirus and updating them.
System Services: DHCP Client
The Dynamic Host Configuration Protocol (DHCP) Client manages network configuration by registering and updating IP addresses and Domain Name System (DNS) names for the workstation / server.
System Services: DHCP Server
The Dynamic Host Configuration Protocol (DHCP) Server centrally manages TCP/IP information by automatically assigning an IP address as a workstation accesses the network.
System Services: Distributed File System
The Distributed File System (DFS) service manages logical volumes distributed across a local or wide area network. DFS is a single hierarchical file system, the contents of which are distributed across the network.
System Services: Distributed Link Tracking Client
Maintains links between NTFS file system files within a computer or across computers in a network domain.
System Services: Distributed Link Tracking Server
Installed on domain controllers. The Tracking Server uses one of the Active Directory containers as its storage.
System Services: Distributed Transaction Coordinator
Coordinates transactions that are distributed across multiple computer systems and/or resource managers, such as databases, message queues, file systems, or other transaction-protected resource managers.
System Services: DNS Client
The Domain Name System (DNS) Client service resolves and caches DNS names.
System Services: Error Reporting Service
The Error Reporting Service provides an infrastructure for collecting, storing and reporting kernel mode, operating system and application faults to Microsoft.
System Services: Event Log
This service logs event messages issued by programs and the Windows operating system. Event Log reports contain information that can be useful in diagnosing problems.
System Services: Fast User Switching
Provides management services for applications that require assistance in a multiple user environment.
System Services: Fax
The Fax service, a TAPI-compliant service, provides fax capabilities from a computer.
System Services: File Replication
Enables files to be automatically copied and maintained simultaneously on multiple servers.
System Services: FTP Publishing Service
Provides File Transfer Protocol (FTP) connectivity and administration through the Internet Information Services (IIS) snap-in.
System Services: Help and Support
Provides Help and Support application and framework functionality.
System Services: HTTP SSL
This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Sockets Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.
System Services: Human Interface Device Access
This service provides generic access to specific functions contained within control collections on HID (Human Interface Devices).
System Services: IIS Admin Service
The IIS Admin service manages the IIS metabase and updates the Microsoft Windows operating system registry for the WWW service, FTP service, SMTP service, and NNTP service.
System Services: IMAPI CD-Burning COM Service
This service manages burning CDs through the IMAPI (Image Mastering Applications Programming Interface) COM interface and performs CD-R writes when requested by the user through Windows Explorer, WMP (Windows Media Player) or third-party applications which use this API.
System Services: Indexing Service
Indexes contents and properties of files on local and remote computers and provides rapid access to files through a flexible querying language.
System Services: Infrared Monitor
Supports infrared devices installed on the computer and detects other devices that are in range.
System Services: Intel File Transfer
Part of Intel's LANDesk Management Suite 6 and the Common Base Agent (CBA) - used for communicating between the core server and managed clients.
System Services: Intel PDS
A Windows computer running Symantec AV runs the Intel PDS service. Intel PDS listens for ping packets from servers. It responds with a pong packet containing information on how to communicate with RTVScan.
System Services: Interix Subsystem Startup
Service used by Interix utilities. If set to manual, it will start when an Interix utility starts.
System Services: Internet Connection Sharing
Provides NAT (network address translation), addressing and name resolution services for all computers on a home or small-office network through a dial-up or broadband connection.
System Services: Intersite Messaging
Intersite Messaging enables messages to be exchanged between computers running Windows Server sites. (Component of IIS.)
System Services: IPSec Services
Provides end-to-end security between clients and servers on TCP/IP networks. Manages IP security (IPSEC) policy, starts the Internet Key Exchange (IKE) and coordinates IPSEC policy settings with the IP security driver.
System Services: Kerberos Key Distribution Center
Enables users to log on to the network using the Kerberos v5 authentication protocol.
System Services: License Logging Service
Tracks Client Access License usage for server products, such as Internet Information Server (IIS), Terminal Services, File and Print services, as well as other products such as SQL Server and Microsoft Exchange Server.
System Services: Logical Disk Manager
Detects and monitors new hard disk drives and sends disk volume information to the Logical Disk Manager Administrative Service for configuration.
System Services: Logical Disk Manager Administrative Service
Performs administrative services for disk management requests. This service is started only when configuring a drive or partition or when a new drive is detected.
System Services: Messenger
Transmits net send and Alerter service messages between clients and servers.
System Services: Microsoft POP3 Service
Allows the machine to act as a POP3 server.
System Services: MS Software Shadow Copy Provider
Manages software-based shadow copies taken by the Volume Shadow Copy service.
System Services: Net Logon
Maintains a secure channel between a computer and the domain controller for authenticating users and services.
System Services: NetMeeting Remote Desktop Sharing
Allows authorized users to remotely access a Windows desktop from another PC over a corporate intranet by using Microsoft NetMeeting conferencing software.
System Services: Network Connections
Manages objects in the Network Connections folder, in which both network and remote connections can be viewed.
System Services: Network DDE
Provides network transport and security for DDE (dynamic data exchange) by applications running on the same computer or on different computers.
System Services: Network DDE DSDM
Manages shared DDE and is used by Network DDE. This service is used only by Network DDE to manage shared DDE conversations.
System Services: Network Location Awareness (NLA)
Collects and stores network configuration information such as IP address and domain name changes as well as location change information, and notifies applications when this information changes.
System Services: Network News Transport Protocol (NNTP)
NNTP is a member of the TCP/IP suite of protocols used to distribute network news messages to NNTP servers and clients (newsreaders) on the Internet.
System Services: NT LM Security Support Provider
LSA for the system.
System Services: Performance Logs and Alerts
Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert.
System Services: Plug and Play
Enables a computer to recognize and adapt to hardware changes with little or no user input.
System Services: Portable Media Serial Number
Retrieves the serial number of a portable music player connected to the computer.
System Services: Print Spooler
Manages all local and network print queues and controls print jobs.
System Services: Protected Storage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes or users.
System Services: QoS RSVP
This service is started when an application uses the GQoS (Generic Quality of Service) API requesting a specific quality of service on the end-to-end connection it uses.
System Services: Remote Access Auto Connection Manager
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
System Services: Remote Access Connection Manager
Manages dial-up and virtual private network (VPN) connections from a computer to the Internet or other remote networks.
System Services: Remote Desktop Help Session Manager
Manages and controls the Remote Assistance feature within the Help and Support Center application (helpctr.exe).
System Services: Remote Procedure Call (RPC)
Microsoft RPC is a powerful, robust, efficient, and secure interprocess communication (IPC) mechanism that enables data exchange and invocation of functionality residing in a different process.
System Services: Remote Procedure Call (RPC) Locator
Enables RPC clients using the RpcNs* family of APIs to locate RPC servers and manages the RPC name service database.
System Services: Remote Registry Service
Enables remote users to modify registry settings on a computer, provided the remote users have the required permissions.
System Services: Removable Storage
Manages removable media drives and libraries. This service maintains a catalog of identifying information for removable media used by a system, including tapes, CDs, and so on.
System Services: Routing and Remote Access
The Routing and Remote Access (RRAS) service provides multi-protocol LAN-to-LAN, LAN-to-WAN, virtual private network (VPN), and network address translation (NAT) routing services.
System Services: Secondary Logon
(Windows 2000: Run As)
The Secondary Logon (Run As) service allows the user to create processes in the context of different security principals. A common use of this service is by administrators, who may log on as a restricted user and use secondary logon (run as) to temporarily run an application as Administrator.
System Services: Security Accounts Manager (SAM)
The SAM is a protected subsystem that manages user and group account information.
System Services: Security Center
Provides a central location for changing security settings, learning more about security, and ensuring that users’ computers are up to date with the essential security settings that are recommended by Microsoft.
System Services: Server
Provides RPC support for file, print and named pipe sharing over the network.
System Services: Simple Mail Transport Protocol (SMTP)
The SMTP service is used as an e-mail submission and relay agent. It can accept and queue e-mail for remote destinations and retry at specified intervals.
System Services: Shell Hardware Detection
This service provides notifications for AutoPlay hardware events.
System Services: Smart Card
Manages and controls access to a smart card inserted into a smart card reader attached to the computer.
System Services: Smart Card Helper
Enables support for legacy non-plug-and-play smart card readers used by a computer.
System Services: Simple Network Management Protocol (SNMP) Service
Allows monitoring and management of a network from a single workstation or several workstations.
System Services: SNMP Trap
Service that receives and logs SNMP TRAP and INFORM messages.
System Services: Special Administration Console Helper
Allows administrators to remotely access a command prompt using Emergency Management Services (2003 only).
System Services: SSDP Discovery Service
Enables discovery of UPnP (Universal Plug and Play) devices on a home network.
System Services: Symantec Anti-Virus Client
Client for the Symantec anti-virus software.
System Services: System Event Notification
Tracks system events such as Windows logon, network and power events. Notifies COM+ Event System subscribers of these events.
System Services: System Restore Service
System Restore is a component of Windows XP Professional that can be used to restore a computer to a previous state, if a problem occurs, without losing your personal data files (such as Microsoft Word documents, browsing history, drawings, favorites, or e-mail).
System Services: Task Scheduler
The Task Scheduler service allows automated tasks to be performed on a computer.
System Services: TCP/IP NetBIOS Helper Service
Provides support for NetBIOS over TCP/IP (NetBT) and NetBIOS name resolution for clients on a network, thus enabling users to share files, print, and log on to the network.
System Services: Telephony
Provides TAPI (Telephony API) support for programs that control telephony devices and IP-based voice connections on the local computer and, through the LAN, on servers that are also running the service.
System Services: Telnet
Telnet Server for Windows provides ASCII terminal sessions to Telnet clients.
System Services: Terminal Services
Provides a multisession environment that allows client devices to access a virtual Windows desktop session and Windows-based programs running on the server.
System Services: Terminal Services Licensing
The client license management service for Microsoft Windows Terminal Services.
System Services: Terminal Services Session Directory
Database that keeps track of which users are running which sessions on which servers.
System Services: Themes
Provides user experience theme management services.
System Services: Tivoli Endpoint
Service used by Tivoli Endpoint software.
System Services: Uninterruptible Power Supply
Manages communications with an Uninterruptible Power Supply (UPS) connected to the computer by a serial port.
System Services: Universal Plug and Play Device Host
Provides support to host Universal Plug and Play devices.
System Services: Upload Manager
The Upload Manager service manages the synchronous and asynchronous file transfers between clients and servers on the network.
System Services: Utility Manager
Starts and configures accessibility tools from one window. Utility Manager allows faster access to some accessibility tools and also displays the status of the tools or devices that it controls.
System Services: Volume Shadow Copy
Manages volume snapshots used by backup applications.
System Services: WebClient
The WebClient service allows Win32 applications to access documents on the Internet.
System Services: Windows Audio
Provides support for sound and related Windows Audio event functions.
System Services: Windows Image Acquisition (WIA)
Provides image acquisition services for scanners and cameras.
System Services: Windows Installer
Windows Installer manages the installation and removal of applications by applying a set of centrally defined setup rules during the installation process.
System Services: Windows Management Instrumentation
Provides system management information.
System Services: Windows Management Instrumentation Driver Extensions
This service monitors all drivers and event trace providers that are configured to publish WMI or event trace information.
System Services: Windows Time
The Windows Time service maintains date and time synchronization on all computers running on a Microsoft Windows network.
System Services: WinHTTP Web Proxy Auto-Discovery (WPAD)
WPAD is a protocol that enables an HTTP client to automatically discover a proxy configuration. If this service is stopped or disabled, the WPAD protocol will be executed within the HTTP client's process instead of an external service process; there would be no loss of functionality as a result.
System Services: WINS
Service that allows a machine to function as a Windows Internet Naming Service server.
System Services: Wireless Zero Configuration
(Windows 2000: Wireless Configuration)
Enables automatic configuration of IEEE 802.11 wireless adapters for wireless communications.
System Services: WMI Performance Adapter
Provides performance library information from WMI HiPerf providers.
System Services: Workstation
Provides network connections and communications. The Workstation service is a user-mode wrapper for the Microsoft Networks redirector.
System Services: World Wide Web Publishing Service
This service provides HTTP services for applications on the Windows platform.
USER PASSWORD
User Password: User Must Change Password at Next Logon
When enabled, this forces the user to change their password upon their next logon.
User Password: Password Never Expires
When enabled, this allows a user account to have a password that never expires.
User Password: Enable Automatic Logon
Windows has the ability to automatically log a particular user account on to the system at startup, without requiring password authentication.
-U-
USER RIGHTS
User Rights: Access This Computer from the Network
The ability to access a computer from the network is a user right that can be granted or revoked on any machine as appropriate. If this list is left empty, no user accounts can be used to gain access to the resources of this computer from the network.
User Rights: Act as Part of the Operating System
The operating system works in a special security context called "LocalSystem." This security context has the ability to do things that normal users and administrative users cannot. Granting this user right to users or groups will give them the ability to exceed normal privilege, regardless of their group membership.
User Rights: Add Workstations to Domain
By granting this right to a user account, the account will be allowed to add ten computers to the domain. The user receives an error when adding the eleventh computer, and the action fails. In order to add an unlimited number of machines to the domain, grant users the "Create Computer Accounts" right for an Organizational Unit in Active Directory.
User Rights: Adjust Memory Quotas for a Process
This policy setting defines the accounts which can adjust the maximum amount of memory assigned to a process.
User Rights: Allow Logon through Terminal Services
If terminal services are enabled, the use of this setting can explicitly control which users are allowed to remotely access the workstation.
User Rights: Back Up Files and Directories
This user right grants a user or group the ability to circumvent normal Windows file security for the purposes of backing up files and folders.
User Rights: Bypass Traverse Checking
The Bypass Traverse Checking user right allows access to files or folders regardless of the user's permissions to the parent folder. In other words, it prevents the inheritance of permissions. Unfortunately, it is necessary to grant this right to users to allow normal operation of applications on a workstation. This right also allows the account to receive notification of file and directory changes.
User Rights: Change the System Time
Changing the system time on Windows XP computers is especially important to restrict in a domain environment because of the role that time synchronization plays in Kerberos authentication.
User Rights: Create a Pagefile
Protects the potentially sensitive information that can be stored in a pagefile.
User Rights: Create a Token Object
Allows the creation of a security access token.
User Rights: Create Global Objects
The user right required for a user account to create global objects in a Terminal Services session.
User Rights: Create Permanent Shared Objects
The right to create permanent shared objects shall only be used by applications in the Windows kernel.
User Rights: Debug Programs
Any user can debug his or her programs, but this right allows a user to debug other processes on a machine.
User Rights: Deny Access to this Computer from the Network
The "Deny Access" user rights always supersede the "Allow Access" user rights, so that if a user is listed under both user rights, that user will be denied access. If there are no users who should be allowed access to a computer from the network, the Everyone group should be listed in the "Deny Access to this computer from the network" user right.
User Rights: Deny Logon as a Batch Job
Just like the other "Deny…" user rights, a user listed here will be denied access to logon as a batch job, even if he has been explicitly granted that right.
User Rights: Deny Logon as a Service
Just like the other "Deny…" user rights, a user listed here will be denied access to logon as a service, even if he has been explicitly granted that right.
User Rights: Deny Logon Locally
Just like the other "Deny…" user rights, a user listed here will be denied access to logon locally, even if he has been explicitly granted that right.
User Rights: Deny logon through Terminal Services
Similar to the other "Deny…" rights, groups and accounts in this list will not be able to connect to the workstation using terminal services.
User Rights: Enable Computer and User Accounts to be Trusted for Delegation
When a user is granted this right, they are able to change the "trusted for delegation" setting on other domain accounts. Misuse of this right could lead to impersonation attacks through the Kerberos authentication protocol.
User Rights: Force Shutdown from a Remote System
This grants a user the right to shut down a computer from the network.
User Rights: Generate Security Audits
This user right allows a user or process to generate events to be added to the Windows Security Event Log.
User Rights: Increase Scheduling Priority
The scheduling priority is one of the settings that can be altered as needed for performance tuning, but normal users should not have the ability to change the priority of other processes.
User Rights: Load and Unload Device Drivers
Device drivers execute as highly privileged applications on a Windows computer because they directly interface the hardware with the operating system. These drivers can be the source of "Trojan Horse" applications, and shall be restricted where possible. This setting actually applies to the installation of Plug and Play device drivers.
User Rights: Lock Pages in Memory
The right to lock pages in memory is the ability to force data in physical memory to remain in physical memory, and not be paged to disk, which can seriously degrade system performance.
User Rights: Log On as a Batch Job
The right to log on as a batch job means that the listed user has the ability to log on using the batch queue facility.
User Rights: Log On as a Service
Most applications that do not directly interact with the logged-on user (and many that do) actually operate as a service. These services almost always execute under the LocalSystem security credentials. If a service needs to be executed in a user context, that user would have to be listed here.
User Rights: Log On Locally
Any user who logs on locally to a computer must be listed here, either by individual user names, or by the "Users" group.
User Rights: Manage Auditing and Security Log
The ability to manage the security event log is equivalent to the ability for an intruder to cover his tracks and destroy evidence of what has been done to a computer system. This user right should be highly restricted, possibly even to only a subset of SAs.
User Rights: Modify Firmware Environment Values
Individual users have the ability to change their own environment variables, but only Administrators and accounts that hold this right can change the environment variables of other users on a system.
User Rights: Perform Volume Maintenance Tasks
The most common volume maintenance tasks are "defrag" and "chkdsk." In addition to the potential performance impact, this right could also allow low-level access to files bypassing standard permission constraints.
User Rights: Profile Single Process
This user right grants the ability for one user to monitor the performance of another user or non-system process.
User Rights: Profile System Performance
The Profile System Performance user right allows a user or group of users to monitor system performance, including system processes.
User Rights: Remove Computer from Docking Station
Allows removal of a computer from a docking station.
User Rights: Replace a Process Level Token
The ability to replace a process level token essentially means that a process can change the authentication authority of its own child processes.
User Rights: Restore Files and Directories
In conjunction with the "Back Up Files and Directories" user right, this can be very dangerous if a user backs up certain security-related information, alters it, and restores it back to the same place.
User Rights: Shut Down the System
Users granted this right have the ability to shut down the computer. This only takes effect if users are required to log on to shut down a system.
User Rights: Synchronize Directory Service Data
This right allows the account to read all the data in Active Directory in order to perform synchronization.
User Rights: Take Ownership of Files or Other Objects
A user who "owns" a file has greater authority over that file than even the permissions would suggest. The right to take ownership of a file is equivalent to the ability to compromise an entire file system.
This policy was developed based on best practices and guidance consistent with publications of the National Institute of Standards and Technology (NIST), the Department of Defense (DoD) Defense Information Systems Agency (DISA), and the Center for Internet Security (CIS).
The following deviations are in effect for Windows XP:
Policy Path | XP Workstation Policy Setting Name | Deviated Setting |
---|---|---|
Computer Configuration\Windows Settings\Security Settings\File System | %SystemRoot%\system32\net.exe | Administrators and System (Full Control), Authenticated Users (RX) |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | Devices: Unsigned driver installation behavior | Warn but allow installation |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | Act as part of the operating system | Tivoli_Admin_Privileges |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | Log on locally | Administrators, Users, tmersrvd* (*when the Tivoli account is installed) |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | Replace a process level token | NETWORK SERVICE, LOCAL SERVICE, Tivoli_Admin_Privileges |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | Adjust memory quotas for a process | NETWORK SERVICE, LOCAL SERVICE, Administrators, Tivoli_Admin_Privileges |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | Bypass traverse checking | Administrators, Users, tmersrvd* (*when the Tivoli account is installed) |
Computer Configuration\Windows Settings\Security Settings\System Services | Remote Access Connection Manager | Manual |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | Interactive logon: Message text for users attempting to logon | See IRM 10.8.1. |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | Interactive logon: Message title for users attempting to logon | See IRM 10.8.1. |
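As an added example (not from IRM 10.8.20 or any IRS tooling), the following PowerShell compares a secedit user-rights export against the User Rights Assignment rows of the table above and applies the rule stated under "Deny Access to this Computer from the Network" that a Deny right supersedes the matching Allow right. The INF text is constructed sample data, and the function names are hypothetical; the Se* privilege constants are the standard Windows names for the rights listed in the table.

```powershell
# Added example (not from IRM 10.8.20): audit a secedit user-rights export against
# the User Rights Assignment rows of the deviations table, and report accounts whose
# "Deny" entry supersedes a logon right they were also granted. $SampleInf is
# constructed data; on a real host parse:  secedit /export /cfg C:\temp\secpol.inf /areas USER_RIGHTS
$SampleInf = @'
[Privilege Rights]
SeTcbPrivilege = Tivoli_Admin_Privileges
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,tmersrvd
SeDenyInteractiveLogonRight = tmersrvd
SeAssignPrimaryTokenPrivilege = *S-1-5-20,*S-1-5-19,Tivoli_Admin_Privileges
SeIncreaseQuotaPrivilege = *S-1-5-20,*S-1-5-19,*S-1-5-32-544,Tivoli_Admin_Privileges,Guests
SeChangeNotifyPrivilege = *S-1-5-32-544,*S-1-5-32-545
'@
# Well-known SIDs as secedit writes them, mapped to the names used in the table.
$SidNames = @{ 'S-1-5-32-544'='Administrators'; 'S-1-5-32-545'='Users'; 'S-1-5-19'='LOCAL SERVICE'; 'S-1-5-20'='NETWORK SERVICE' }
# Expected assignees per privilege constant, transcribed from the table (tmersrvd rows apply only when Tivoli is installed).
$Expected = @{
  SeTcbPrivilege                = @('Tivoli_Admin_Privileges')                                        # Act as part of the operating system
  SeInteractiveLogonRight       = @('Administrators','Users','tmersrvd')                              # Log on locally
  SeAssignPrimaryTokenPrivilege = @('NETWORK SERVICE','LOCAL SERVICE','Tivoli_Admin_Privileges')      # Replace a process level token
  SeIncreaseQuotaPrivilege      = @('NETWORK SERVICE','LOCAL SERVICE','Administrators','Tivoli_Admin_Privileges')  # Adjust memory quotas
  SeChangeNotifyPrivilege       = @('Administrators','Users','tmersrvd')                              # Bypass traverse checking
}
function ConvertFrom-PrivilegeRights([string]$InfText) {
  # Returns a hashtable: privilege constant -> array of account names (well-known SIDs resolved).
  $rights = @{}; $inSection = $false
  foreach ($line in ($InfText -split "`r?`n")) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
      $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object {
        $e = $_.Trim().TrimStart('*')                      # secedit prefixes SIDs with '*'
        if ($SidNames.ContainsKey($e)) { $SidNames[$e] } else { $e }
      })
    }
  }
  return $rights
}
function Test-UserRightsDeviations([string]$InfText) {
  $actual = ConvertFrom-PrivilegeRights $InfText
  foreach ($priv in $Expected.Keys) {
    $have = if ($actual.ContainsKey($priv)) { $actual[$priv] } else { @() }
    foreach ($a in $have) { if ($Expected[$priv] -notcontains $a) { "$($priv): unexpected assignee '$a'" } }
    foreach ($x in $Expected[$priv]) { if ($have -notcontains $x) { "$($priv): expected assignee '$x' not present" } }
  }
  # Deny rights supersede Allow rights: an account in both lists has effectively lost the right.
  foreach ($a in $actual['SeInteractiveLogonRight']) {
    if ($actual['SeDenyInteractiveLogonRight'] -contains $a) { "Deny logon locally overrides Log on locally for '$a'" }
  }
}
Test-UserRightsDeviations $SampleInf
```

With the constructed sample this reports the extra Guests entry on SeIncreaseQuotaPrivilege, the missing tmersrvd on SeChangeNotifyPrivilege, and tmersrvd being listed in both the local logon right and its Deny counterpart.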