
Better-than-Nothing Security Practices™

for Securing Windows 7 Professional

v 1.0

Hal Berghel

Alexies Fabian

Jacob Uecker

 

This web page is a checklist for securing a Windows 7 Professional workstation. The best way to secure such a workstation is through a domain controller using Active Directory and Group Policy. When no administrator for such a domain is available, there must still be a way to implement some form of security, even if it is not the best methodology. We have tried to provide such an implementation in the form of a checklist. Keep in mind that these steps are only recommendations to help harden a system; they are not absolute. We have written them from the standpoint of a secure environment, so you may find that our settings do not match your environment. If you decide that a setting is too strict, you can relax it, but be aware of the attack vectors that relaxing it opens up (which is just as important).

Many of these settings are written for a default install of Windows 7 Professional. If Service Pack 1 is installed as well, some of the settings will already have been changed for you; those are noted in red italics. All settings should nevertheless be checked on the box to make sure nothing has changed.

We take no responsibility whatsoever for the implications that these settings will have on your computer. It is always important to try these changes on a test machine before changing your infrastructure. We have tried to provide the consequences of each setting, but there is no doubt many more exist.

If you have any suggestions or comments please let us know.

The checklist steps are followed by a detailed description of why the steps are necessary.  

Copyright © 2016 by Hal Berghel and Alexies Fabian. All Rights Reserved.

 

Note: These instructions assume that the Windows Start menu is set to Basic View, which is the default theme for Windows 7. The necessary steps will be different if your Start menu is not set to Basic View. To change this, right-click an empty space on the Desktop, select Personalize, scroll down to "Basic and High Contrast Themes" and select Windows 7 Basic.

 

1. Account Policies
  1. Disable Guest Account
    1. Create Guest Password
      1. Open a Command Prompt
      2. Type in "command" and hit Enter
      3. Type in "net user guest *" and hit Enter
      4. At the password prompt (where <password> would go), hit random keys (the more the better; the upper bound is 128 characters). Make sure to include characters from all of the character sets: upper and lowercase letters, numbers, and symbols. Don't forget to use the space too!
      5. Press Enter
    2. Disable Guest and Support accounts
      1. Start>Control Panel>System and Security>Administrative Tools>Computer Management>Local Users and Groups>Users
      2. Double-click on "Guest"
      3. Inspect the values "Account is disabled" and "User cannot change password". The most secure setting is when both boxes are checked.
      4. Inspect the value "Password never expires". The most secure setting is when this box is unchecked.
      5. Click OK
      6. Repeat for HomeGroup and all other accounts that are not valid user accounts. This includes HelpAssistant, Support accounts, ASPNET, SQLDebugger, etc.
  2. Disable Remote Access to computer
    1. Right Click on "Computer" from the Start menu or right-click on the "Computer" icon in Windows Explorer
    2. Click on "Properties"
    3. Click on the "Remote settings" tab
    4. Under Remote Assistance, inspect the checkbox: "Allow Remote Assistance connections to this computer". The most secure setting is to uncheck this checkbox.
    5. Under Remote Desktop, click "Don't allow connections to this computer" for additional security.
    6. Hit "OK"
  3. Disable HomeGroup File Sharing
    1. Open Windows Explorer
    2. Go to Tools>Folder options...
    3. If the menu bar is not showing, press Alt
    4. Under the View tab, turn off "Use Sharing Wizard (Recommended)"
    5. Click OK
    6. Through Windows Explorer, right-click "Homegroup"
    7. Choose "Change HomeGroup settings"
    8. Click "Leave HomeGroup"
    9. Choose "Change advanced sharing settings"
    10. Ensure that the following are selected: "Turn off network discovery", "Turn off file and printer sharing", "Turn off Public folder sharing (people logged on to this computer can still access these folders)", "Use 128-bit encryption to help protect file sharing connections (recommended)", "Turn on password protected sharing" and "Use user accounts and passwords to connect to other computers".
    11. Under Media Streaming, click on "Choose media streaming options"
    12. Make sure devices are shown for 'All networks' and click 'Block all'
    13. Click OK
    14. Click 'Save changes'
      1. If a pop-up appears, you may choose to log off later or log off now.
    15. Click on 'Choose what you want to share, and view the homegroup password'
    16. Uncheck all boxes
    17. Click Next
    18. Click Finish
    19. Select 'Leave the HomeGroup' > Leave the HomeGroup
    20. Click Finish
  4. Change Access Privileges to Hard Drives
    1. Make sure HomeGroup is off (above step)
    2. Open "Computer"
    3. For each hard drive:
      1. Right Click on the drive
      2. Select Properties
      3. Click on the "Sharing" tab
      4. Click on the "Advanced Sharing" button
      5. Make sure that the box for "Share this folder" is unchecked
      6. Click OK to exit the Advanced Sharing window
      7. Click on the "Security" tab
      8. Click on "Users"
      9. Make sure that the checkboxes for 'Full control', 'Modify' and 'Write' are unchecked
      10. Click OK
      11. Click close to exit the drive properties window
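As an added example that is not part of the original checklist, the PowerShell script below audits the four items of Section 1 on a Windows 7 workstation and reports each deviation on its own line, so the same check can be repeated on every box instead of clicking through the dialogs again. It reads local accounts through WMI (Win32_UserAccount), the two Remote settings from the registry values behind the "Remote settings" tab, shares through Win32_Share, and the root ACL of each fixed drive. The HomeGroupUser$ name is the account Windows 7 creates when a HomeGroup is joined; the other account names are those the checklist lists. The script only reads; it changes nothing.

```powershell
# Added example (not part of the original checklist): read-only audit of the
# Section 1 items. Run from an elevated PowerShell prompt on the workstation.

function Get-Section1Findings {
    $findings = @()

    # Item 1: Guest, HomeGroup, support and other non-user accounts should be
    # disabled, unable to change their password, and not set to "never expires".
    $watch = 'Guest', 'HomeGroupUser$', 'HelpAssistant', 'ASPNET', 'SQLDebugger'
    foreach ($acct in Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = TRUE") {
        $isWatched = ($watch -contains $acct.Name) -or ($acct.Name -like 'SUPPORT_*')
        if (-not $isWatched) { continue }
        if (-not $acct.Disabled) {
            $findings += "Item 1: account '$($acct.Name)' is enabled"
        }
        if ($acct.PasswordChangeable) {
            $findings += "Item 1: account '$($acct.Name)' may change its own password"
        }
        if (-not $acct.PasswordExpires) {
            $findings += "Item 1: account '$($acct.Name)' has 'Password never expires' set"
        }
    }

    # Item 2: Remote Assistance and Remote Desktop. These registry values are
    # what the two settings on the "Remote settings" tab write.
    $ra = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' -ErrorAction SilentlyContinue
    if ($ra -and $ra.fAllowToGetHelp -eq 1) {
        $findings += "Item 2: Remote Assistance connections are allowed"
    }
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    if (-not $ts -or $ts.fDenyTSConnections -ne 1) {
        $findings += "Item 2: Remote Desktop connections are allowed"
    }

    # Items 3 and 4: no user-created disk shares. Type 0 is an ordinary disk
    # share; the hidden administrative shares (C$, ADMIN$) carry the high bit
    # and are not covered by the checklist, so they are left alone here.
    foreach ($share in Get-WmiObject -Class Win32_Share) {
        if ($share.Type -eq 0) {
            $findings += "Item 4: share '$($share.Name)' exposes $($share.Path)"
        }
    }

    # Item 4: on each fixed drive, Users must not hold Full control, Modify or
    # Write. A checkbox on the Security tab is "checked" only when every bit of
    # that composite right is granted, so test for the full mask, not any bit.
    $rights = [System.Security.AccessControl.FileSystemRights]
    $masks = @{ 'Full control' = $rights::FullControl; 'Modify' = $rights::Modify; 'Write' = $rights::Write }
    foreach ($disk in Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType = 3") {
        $root = $disk.DeviceID + '\'
        $acl = Get-Acl -Path $root
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -ne 'BUILTIN\Users' -or $ace.AccessControlType -ne 'Allow') { continue }
            foreach ($name in $masks.Keys) {
                if (($ace.FileSystemRights -band $masks[$name]) -eq $masks[$name]) {
                    $findings += "Item 4: Users hold '$name' on $root"
                }
            }
        }
    }
    return $findings
}

$result = @(Get-Section1Findings)
if ($result.Count -eq 0) { 'No deviations from Section 1 found.' } else { $result }
```

The ACL test deliberately matches the dialog's semantics: the default Windows 7 root ACL grants Users a partial write right (create files and folders in subfolders) that the Security tab shows under "Special permissions", and that does not trip the check, while a fully checked Write, Modify or Full control box does.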

2. Local Security Policies

    Begin each of the changes in this section as follows:

    1. Start>Settings>Control Panel
    2. Double Click on "Administrative Tools"
    3. Double Click on "Local Security Policy "

    Account Policies

    Password Policies

    For each of the following, expand "Account Policies" and click on "Password Policy"

    1. Enforce Password History
      1. Double click "Enforce password history"
      2. Check the value. We consider 24 (or some reasonably large number) reasonable
      3. Click OK
    2. Maximum Password Age
      1. Double click "Maximum password age"
      2. Check the value. We consider 30 (or a reasonable password cycling period) reasonable
      3. Click OK
    3. Minimum Password Age
      1. Double click "Minimum password age"
      2. Check the value. We consider 1 reasonable.
      3. Click OK
    4. Minimum Password Length
      1. Double click "Minimum password length"
      2. Check the value. The most secure setting is 14 (the largest value allowed)
      3. Click OK
    5. Password Complexity
      1. Double click "Password must meet complexity requirements"
      2. Check the value. The most secure setting is "Enabled"
      3. Click OK
    6. Reversible Encryption (already set by default, but wise to check)
      1. Double click "Store password using reversible encryption for all users in the domain"
      2. Check the value. The most secure setting is "Disabled"
      3. Click OK

    Account Lockout Policy

    For each of the following, expand "Account Policies" and click on "Account Lockout Policy"

    1. Account Lockout Duration
      1. Double click "Account lockout duration"
      2. Check the value. We consider 30 to be reasonable.
      3. Click OK
    2. Account Lockout Threshold
      1. Double click "Account lockout threshold"
      2. Check the value. We consider 5 to be reasonable.
      3. Click OK
    3. Reset Account Lockout Counter After
      1. Double click "Reset account lockout counter after"
      2. Check the value. We consider 30 to be reasonable.
      3. Click OK

    Local Policies

    Audit Policies

    For each of the following, expand "Local Policies" and click on "Audit Policy"

    1. Audit Account Logon Events
      1. Double Click "Audit account logon events"
      2. Inspect the values. The most secure setting is "Success" and "Failure"
      3. Click "Apply"
      4. Click "OK"
    2. Audit Account Management
      1. Double Click "Audit account management"
      2. Inspect the values. The most secure setting is "Success" and "Failure"
      3. Click "Apply"
      4. Click "OK"
    3. Audit Directory Service Access (already set by default, but wise to check)
      1. Double Click "Audit Directory Service Access"
      2. Inspect the values. The best setting is "No Auditing" (uncheck both "success" and "failure")
      3. Click "Apply"
      4. Click "OK"
    4. Audit Logon Events
      1. Double Click "Audit logon events"
      2. Inspect the values. The most secure setting is "Success" and "Failure"
      3. Click "Apply"
      4. Click "OK"
    5. Audit Object Access
      1. Double Click "Audit object access"
      2. Inspect the values. The best setting is "Failure"
      3. Click "Apply"
      4. Click "OK"
    6. Audit Policy Changes
      1. Double Click "Audit policy changes"
      2. Inspect the values. The most secure setting is "Success" and "Failure"
      3. Click "Apply"
      4. Click "OK"
    7. Audit Privilege Use
      1. Double Click "Audit privilege use"
      2. Inspect the values. The best setting is "Failure"
      3. Click "Apply"
      4. Click "OK"
    8. Audit Process Tracking (already set by default, but wise to check)
      1. Double Click "Audit Process Tracking"
      2. Inspect the values. The best setting is "No Auditing" (uncheck both "success" and "failure")
      3. Click "OK"
    9. Audit System Events
      1. Double Click "Audit system events"
      2. Inspect the values. The most secure setting is "Success" and "Failure"
      3. Click "Apply"
      4. Click "OK"

    User Rights Assignment

    For each of the following, expand "Local Policies" and click on "User Rights Assignment"

    1. Who can access Credential Manager as a trusted caller
      1. Double Click on "Access Credential Manager as a trusted caller"
      2. The most secure option is to remove all the groups from the list
      3. Click OK
    2. Who can access the computer from the network
      1. Double Click on "Access this computer from the network"
      2. The most secure option is to remove all the groups except "Administrators"
      3. Click OK
    3. Who can act as part of the operating system (should be set correctly by default)
      1. Double Click on "Act as part of the operating system"
      2. The most secure option is to remove all the groups from the list
      3. Click OK
    4. Who can add workstations to domain (should be set correctly by default)
      1. Double Click on "Add workstations to domain"
      2. The most secure option is to remove all the groups from the list
      3. Click OK
    5. Who can adjust memory quotas for a process (should be set correctly by default)
      1. Double Click on "Adjust memory quotas for a process"
      2. The most secure setting is to remove all groups except "Administrators", "LOCAL SERVICE", and "NETWORK SERVICE"
      3. Click OK
    6. Who can log on locally
      1. Double Click on "Allow log on locally"
      2. The most secure setting is to remove all groups except "Administrators" and authorized "Users"
      3. Click OK
    7. Who can logon through Remote Desktop Services
      1. Double Click on "Allow logon through Remote Desktop Services"
      2. The most secure setting is to remove all groups from the list
      3. Click OK
    8. Who can backup files and directories
      1. Double Click on "Back up files and directories"
      2. The most secure setting is to remove all groups except "Administrators"
      3. Click OK
    9. Who can bypass traverse checking
      1. Double Click on "Bypass traverse checking"
      2. The most secure setting is to remove all groups except "Administrators"
      3. Click OK
    10. Who can change the system time
      1. Double Click on "Change the system time"
      2. The most secure setting is to remove all groups except "Administrators"
      3. Click OK
    11. Who can change the time zone
      1. Double Click on "Change the time zone"
      2. The most secure setting is to remove all groups except "Administrators"
      3. Click OK
    12. Who can create a pagefile (should be set correctly by default)
      1. Double Click on "Create a pagefile"
      2. The most secure setting is to remove all groups except "Administrators"
      3. Click OK
    13. Who can create a token object (should be set correctly by default)
      1. Double Click on "Create a token object"
      2. The most secure setting is to remove all groups from the list
      3. Click OK
    14. Who can create global objects (should be set correctly by default -- Service Pack 2 option only)
      1. Double Click on "Create global objects"
      2. The most secure setting is to remove all groups except "Administrators", "INTERACTIVE", and "SERVICE".
      3. Click OK
    15. Who can create permanent share objects (should be set correctly by default)
      1. Double Click on "Create permanent shared objects"
      2. The most secure setting is to remove all groups from the list
      3. Click OK
    16. Who can create symbolic links (should be set correctly by default)
      1. Double Click on "Create permanent symbolic links"
      2. The most secure setting is to remove all groups from the list
      3. Click OK
    17. Who can debug programs (should be set correctly by default)
      1. Double Click on "Debug programs"
      2. The most secure setting is to remove all groups from the list except "Administrators"
      3. Click OK
    18. Deny access to computer from the network
      1. Double Click on "Deny access to this computer from the network"
      2. The most secure setting is to remove all groups from the list except "Guest", "SUPPORT_388945a0" (or substitutes), and "HelpAssistant"
      3. If they are not listed, click on "Add User or Group..."
      4. Type in "Guest"
      5. Click "Check Names"
      6. The name of the computer with Guest should appear, click OK
      7. Repeat for "SUPPORT_388945a0" and "HelpAssistant" (use Check Names to determine whether these accounts are on the computer. If not, ignore them).
    19. Who is denied ability to log on as a batch job (should be set correctly by default)
      1. Double Click on "Deny logon as a batch job"
      2. The most secure setting is to remove all groups from the list
      3. Click OK
    20. Who is denied log on as a service (should be set correctly by default)
      1. Double Click on "Deny logon as a service"
      2. The most secure setting is to remove all groups from the list
      3. Click OK
    21. Who is denied from logging on locally
      1. Double Click on "Deny logon locally"
      2. The most secure setting is to remove all groups from the list except "Guest", "SUPPORT_388945a0" and "HelpAssistant"
      3. If they are not listed, click on "Add User or Group..."
      4. Type in "Guest" and click "Check Names"
      5. The name of the computer with Guest should appear, click OK
      6. Repeat for "SUPPORT_388945a0" and "HelpAssistant"
    22. Who is denied from logging on through Remote Desktop Services
      1. Double Click on "Deny logon through Remote Desktop Services"
      2. The most secure setting is to remove all groups except "Everyone"
      3. If "Everyone" is not listed click on "Add User or Group..."
      4. Type in Everyone, and click "Check Names"
      5. Click OK
      6. Click OK
    23. Enable computer and user accounts to be trusted for delegation (should be set correctly by default)
      1. Double Click on "Enable computer and user accounts to be trusted for delegation"
      2. The most secure setting is to remove all users from the list
      3. Click OK
    24. Who can force a shutdown from a remote system (should be set correctly by default)
      1. Double Click on "Force shutdown from a remote system"
      2. The most secure setting is to remove all users and groups from the list except "Administrators"
      3. Click OK
    25. Who can generate security audits (should be set correctly by default)
      1. Double Click on "Generate security audits"
      2. The most secure setting is to remove all groups except "LOCAL SERVICE" and "NETWORK SERVICE"
      3. Click OK
    26. Who can impersonate clients after authentication
      1. Double click on "Impersonate a client after authentication"
      2. The most secure setting is to remove all groups from the list.
      3. Click OK
    27. Who can increase process working set (should be set correctly by default)
      1. Double click on "Increase a process working set"
      2. The most secure setting is to remove all groups except "Administrators"
      3. Click OK
    28. Who can increase scheduling priority (should be set correctly by default)
      1. Double click on "Increase scheduling priority"
      2. The most secure setting is to remove all groups except "Administrators"
      3. Click OK
    29. Who can load and unload drivers (should be set correctly by default)
      1. Double Click on "Load and unload device drivers "
      2. The most secure setting is to remove all groups except "Administrators"
      3. Click OK
    30. Who can lock pages in memory (should be set correctly by default)
      1. Double Click on "Lock pages in memory"
      2. The most secure setting is to remove all groups from the list
      3. Click OK
    31. Who can log on as a batch job
      1. Double Click on "Log on as a batch job"
      2. The most secure setting is to remove all groups from the list except "Administrator"
      3. Click OK
    32. Who can log on as a service (should be set correctly by default on Service Pack 1 and 2 machines)
      1. Double Click on "Log on as a service"
      2. The most secure setting is to remove all groups from the list except "NETWORK SERVICE" and "SYSTEM" (Note: Some SP2 machines only have "NETWORK SERVICE" listed. This is normal and doesn't need to be changed)
      3. Click OK
    33. Who can manage auditing and security logs (should be set correctly by default)
      1. Double Click on "Manage auditing and security log"
      2. The most secure setting is to remove all groups except "Administrators"
      3. Click OK
    34. Who can modify an object label (should be set correctly by default)
      1. Double Click on "Modify an object label"
      2. The most secure setting is to remove all groups from the list
      3. Click OK
    35. Who can modify firmware environment values (should be set correctly by default)
      1. Double Click on "Modify firmware environment values"
      2. The most secure setting is to remove all groups except "Administrators"
      3. Click OK
    36. Who can perform volume maintenance tasks (should be set correctly by default)
      1. Double Click on "Perform volume maintenance tasks"
      2. The most secure setting is to remove all groups except "Administrators"
      3. Click OK
    37. Who can profile a single process
      1. Double Click on "Profile single process"
      2. The most secure setting is to remove all groups except "Administrators"
      3. Click OK
    38. Who can profile system performance (should be set correctly by default)
      1. Double Click on "Profile system performance"
      2. The most secure setting is to remove all groups except "Administrators"
      3. Click OK
    39. Who can remove computer from docking station (should be set correctly by default)
      1. Double Click on "Remove computer from docking station"
      2. The most secure setting is to remove all groups except "Administrators", "Power Users" and "Users"
      3. Click OK
    40. Who can replace a process level token (should be set correctly by default)
      1. Double Click on "Replace a process level token"
      2. The most secure setting is to remove all groups except "LOCAL SERVICE" and "NETWORK SERVICE"
      3. Click OK
    41. Who can restore files and directories
      1. Double Click "Restore files and directories"
      2. The most secure setting is to remove all groups except "Administrators"
      3. Click OK
    42. Who can shut down the system
      1. Double Click "Shut down the system"
      2. The most secure setting is to remove all groups except "Administrators", "Power Users", and "Users"
      3. Click OK
    43. Who can synchronize directory service data (should be set correctly by default)
      1. Double Click "Synchronize directory service data"
      2. The most secure setting is to remove all groups from the list
      3. Click OK
    44. Who can take ownership of files and other objects (should be set correctly by default)
      1. Double Click on "Take ownership of files and other objects"
      2. The most secure setting is to remove all groups except "Administrators"
      3. Click OK
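Clicking through the Password Policy, Account Lockout Policy, Audit Policy and User Rights Assignment items above is easy to get wrong on the second or third workstation. As an added example that is not part of the original checklist, the PowerShell script below exports the local security database with secedit (the same store the Local Security Policy snap-in edits) and compares the exported sections against the values recommended above. The INF section and key names are the ones secedit writes; the expected values are transcribed from the checklist; the user rights shown are a representative subset and the table extends in the same way for the remaining items. It must run from an elevated prompt and only reads.

```powershell
# Added example (not part of the original checklist): compare the secedit
# export of the local policy with the Section 2 recommendations. Run elevated.

$inf = Join-Path $env:TEMP 'local-policy-export.inf'
& secedit.exe /export /cfg $inf /quiet | Out-Null

# Parse "[Section]" and "Key = Value" lines into a flat table keyed "Section/Key".
$cfg = @{}
$section = ''
foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $matches[1]; continue }
    if ($line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $cfg["$section/$($matches[1])"] = $matches[2] }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

function Test-Value($key, $want, $label) {
    $have = $cfg[$key]
    if ($have -eq $null) { $have = '<absent>' }
    if ("$have" -ne "$want") { "$label : have $have, checklist says $want" }
}

# Password Policy and Account Lockout Policy live in [System Access].
Test-Value 'System Access/PasswordHistorySize'   24 'Enforce password history'
Test-Value 'System Access/MaximumPasswordAge'    30 'Maximum password age'
Test-Value 'System Access/MinimumPasswordAge'    1  'Minimum password age'
Test-Value 'System Access/MinimumPasswordLength' 14 'Minimum password length'
Test-Value 'System Access/PasswordComplexity'    1  'Password complexity'
Test-Value 'System Access/ClearTextPassword'     0  'Reversible encryption'
# secedit omits the duration and reset keys entirely while the threshold is 0.
Test-Value 'System Access/LockoutBadCount'       5  'Account lockout threshold'
Test-Value 'System Access/LockoutDuration'       30 'Account lockout duration'
Test-Value 'System Access/ResetLockoutCount'     30 'Reset lockout counter after'

# Audit Policy is [Event Audit]: 0 = none, 1 = success, 2 = failure, 3 = both.
# These are the nine legacy categories the snap-in shows; once "Force audit
# policy subcategory settings" is enabled, the subcategories (auditpol.exe) win.
Test-Value 'Event Audit/AuditAccountLogon'    3 'Audit account logon events'
Test-Value 'Event Audit/AuditAccountManage'   3 'Audit account management'
Test-Value 'Event Audit/AuditDSAccess'        0 'Audit directory service access'
Test-Value 'Event Audit/AuditLogonEvents'     3 'Audit logon events'
Test-Value 'Event Audit/AuditObjectAccess'    2 'Audit object access'
Test-Value 'Event Audit/AuditPolicyChange'    3 'Audit policy change'
Test-Value 'Event Audit/AuditPrivilegeUse'    2 'Audit privilege use'
Test-Value 'Event Audit/AuditProcessTracking' 0 'Audit process tracking'
Test-Value 'Event Audit/AuditSystemEvents'    3 'Audit system events'

# User Rights Assignment is [Privilege Rights]: each value is a comma-separated
# list of *SID entries (or bare names). Resolve the SIDs and compare as sets.
function Get-RightHolders($privilege) {
    $raw = $cfg["Privilege Rights/$privilege"]
    if (-not $raw) { return @() }          # an absent key means nobody holds it
    $names = foreach ($entry in $raw -split ',') {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $entry = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry = $entry.Substring(1) }   # unresolvable SID: keep it as-is
        }
        $entry.Split('\')[-1]                # BUILTIN\Administrators -> Administrators
    }
    return @($names)
}

function Test-Right($privilege, [string[]]$want, $label) {
    $have = Get-RightHolders $privilege
    $extra   = @($have | Where-Object { $want -notcontains $_ })
    $missing = @($want | Where-Object { $have -notcontains $_ })
    if ($extra.Count -or $missing.Count) {
        "$label : have [$($have -join ', ')], checklist says [$($want -join ', ')]"
    }
}

Test-Right 'SeTrustedCredManAccessPrivilege'   @()                 'Access Credential Manager as a trusted caller'
Test-Right 'SeNetworkLogonRight'               @('Administrators') 'Access this computer from the network'
Test-Right 'SeTcbPrivilege'                    @()                 'Act as part of the operating system'
Test-Right 'SeRemoteInteractiveLogonRight'     @()                 'Allow log on through Remote Desktop Services'
Test-Right 'SeDenyRemoteInteractiveLogonRight' @('Everyone')       'Deny log on through Remote Desktop Services'
Test-Right 'SeBackupPrivilege'                 @('Administrators') 'Back up files and directories'
Test-Right 'SeRestorePrivilege'                @('Administrators') 'Restore files and directories'
Test-Right 'SeDebugPrivilege'                  @('Administrators') 'Debug programs'
Test-Right 'SeCreateTokenPrivilege'            @()                 'Create a token object'
Test-Right 'SeLockMemoryPrivilege'             @()                 'Lock pages in memory'
Test-Right 'SeTakeOwnershipPrivilege'          @('Administrators') 'Take ownership of files and other objects'
Test-Right 'SeSecurityPrivilege'               @('Administrators') 'Manage auditing and security log'
Test-Right 'SeLoadDriverPrivilege'             @('Administrators') 'Load and unload device drivers'
```

A silent run means every checked item matches; each printed line names the policy, what the box currently has, and what the checklist asks for, which is also a convenient record to keep with the machine before and after hardening.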

    Security Options

    For each of the following, expand "Local Policies" and click on "Security Options"

    1. Administrator account status (should be set correctly by default)
      1. Double Click on "Accounts: Administrator account status"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    2. Guest account access (should be set correctly by default)
      1. Double Click on "Accounts: Guest account status"
      2. Inspect the value. The most secure setting is "Disabled"
      3. Click OK
    3. Blank passwords at console only
      1. Double Click on "Accounts: Limit local account use of blank passwords to console logon only"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    4. Rename the Administrator account
      1. Double Click on "Accounts: Rename administrator account"
      2. It's most secure to type in a name to serve as the "Administrator" account
      3. Click OK
    5. Rename the Guest account
      1. Double Click on "Accounts: Rename guest account"
      2. It's most secure to type in a name to serve as the guest account (for example, sdllfhasklgfh890237)
      3. Click OK
    6. Audit access of global system objects (should be set correctly by default)
      1. Double Click on "Audit: Audit the access of global system objects"
      2. Inspect the value. The most secure setting is "Disabled"
      3. Click OK
    7. Audit the use of Backup and Restore privilege (should be set correctly by default)
      1. Double Click on "Audit: Audit use of Backup and Restore privilege"
      2. Inspect the value. The most secure setting is "Disabled"
      3. Click OK
    8. Force Audit Policy Subcategory Settings
      1. Double Click on "Audit: Force audit policy subcategory settings (Windows Vista or later)"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    9. Shutdown computer if error in audit logs (should be set correctly by default)
      1. Double Click on "Audit: Shut down system immediately if unable to log security audits"
      2. Inspect the value. The most secure setting is "Disabled"
      3. Click OK
    10. DCOM Access Restrictions (should be set correctly by default)
      1. Double Click on "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) Syntax"
      2. Leave the Security Descriptor blank
      3. Click OK
    11. DCOM Launch Restrictions (should be set correctly by default)
      1. Double Click on "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) Syntax"
      2. Leave the Security Descriptor blank
      3. Click OK
    12. Allow undock without logging in
      1. Double Click on "Devices: Allow undock without having to log on"
      2. Click on "Disabled" or "Enabled", as you prefer
      3. Click OK
    13. Who is allowed to format and eject removable media (should be set correctly by default)
      1. Double Click on "Devices: Allowed to format and eject removable media"
      2. Inspect the value. The most secure setting is to set the pulldown menu on "Administrator"
      3. Click OK
    14. Prevention of users installing printer drivers
      1. Double Click on "Devices: Prevent users from installing printer drivers"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    15. Restrict the CD-ROM to locally logged in users (should be set correctly by default)
      1. Double Click on "Devices: Restrict CD-ROM access to locally logged-on user only"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    16. Restrict the floppy to locally logged in users (should be set correctly by default)
      1. Double Click on "Devices: Restrict floppy access to locally logged-on users only"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    17. Allow Server Operators to Schedule Tasks
      1. Double Click on "Domain controller: Allow server operators to schedule task"
      2. Inspect the value. The most secure setting is "Disabled"
      3. Click OK
    18. LDAP Server Signing Requirements
      1. Double Click on "Domain controller: LDAP server signing requirements"
      2. Inspect the value. The most secure setting is to set the pulldown menu on "Require signing"
      3. Click OK
    19. Refuse Machine Account Password Changes
      1. Double Click on "Domain controller: Refuse Machine Account Password Changes"
      2. Inspect the value. The most secure setting is "Disabled"
      3. Click OK
    20. Encrypt or sign secure channel data (always) (should be set correctly by default)
      1. Double Click on "Domain member: Digitally encrypt or sign secure channel data (always)"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    21. Encrypt secure channel data (when possible) (should be set correctly by default)
      1. Double Click on "Domain member: Digitally encrypt secure channel data (when possible)"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    22. Sign secure channel data (when possible) (should be set correctly by default)
      1. Double Click on "Domain member: Digitally sign secure channel data (when possible)"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    23. Disable Machine Account Password Changes (should be set correctly by default)
      1. Double Click on "Domain member: Disable machine account password changes"
      2. Inspect the value. The most secure setting is "Disabled"
      3. Click OK
    24. Maximum Machine Account Password Age (should be set correctly by default)
      1. Double Click on "Domain member: Maximum account password age"
      2. Inspect the value. We consider 30 (or a reasonable password cycling period) reasonable
      3. Click OK
    25. Require Strong Session Key (should be set correctly by default)
      1. Double Click on "Domain member: Require strong (Windows 2000 or later) session key"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    26. Display user information when the session is locked
      1. Double Click on "Interactive logon: Display user information when the session is locked"
      2. Inspect the value. The most secure setting is to select "Do not display user information" from the pulldown menu
      3. Click OK
    27. Display last username logged in
      1. Double Click on "Interactive logon: Do not display last user name"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    28. Don't require Ctrl+Alt+Del to log on
      1. Double Click "Interactive logon: Do not require CTRL+ALT+DEL"
      2. Inspect the value. The most secure setting is "Disabled"
      3. Click OK
    29. Message text for users logging on
      1. Double Click "Interactive logon: Message text for users attempting to log on"
      2. You may leave this entry blank or enter a message regarding the consequences of unauthorized access (e.g. "Any unauthorized user will be prosecuted. If you are unauthorized, terminate access now.")
      3. Click OK
    30. Message title for users logging on
      1. Double Click "Interactive logon: Message title for users attempting to log on"
      2. You may leave this entry blank or enter a title for the warning message (e.g. "WARNING: This system is for authorized users only")
      3. Click OK
    31. Number of logons to cache locally
      1. Double Click "Interactive logon: Number of previous logons to cache (in case domain controller is not available)"
      2. Inspect the value. The most secure setting is to set the value to 0
      3. Click OK
    32. Number of days before password expiration to prompt user
      1. Double Click "Interactive logon: Prompt user to change password before expiration"
      2. Inspect the value. We consider a setting of 14 days reasonable
      3. Click OK
    33. Domain Controller required to unlock workstation (should be set correctly by default)
      1. Double Click "Interactive logon: Require Domain Controller authentication to unlock workstation"
      2. Inspect the value. The value should be "Disabled"
      3. Click OK
    34. Smart card required to login (should be set correctly by default)
      1. Double Click "Interactive logon: Require Smart Card"
      2. Inspect the value. The value should be "Disabled"
      3. Click OK
    35. Smart card removal behavior
      1. Double Click "Interactive logon: Smart card removal behavior"
      2. Inspect the value. The most secure setting is to select "Lock Workstation" or "Force Logoff" from the pulldown menu
      3. Click OK
    36. Client - Digitally sign communications (always)
      1. Double Click on "Microsoft network client: Digitally sign communications (always)"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    37. Client - Digitally sign communications (if server agrees) (should be set correctly by default)
      1. Double Click on "Microsoft network client: Digitally sign communications (if server agrees)"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    38. Send unencrypted passwords to 3rd party SMB servers (should be set correctly by default)
      1. Double Click on "Microsoft network client: Send unencrypted password to third-party SMB servers"
      2. Inspect the value. The most secure setting is "Disabled"
      3. Click OK
    39. Amount of time before session is suspended (should be set correctly by default)
      1. Double Click on "Microsoft network server: Amount of idle time required before suspending session"
      2. Inspect the value. We consider 15 minutes reasonable
      3. Click on OK
    40. Server - Digitally sign communications (always)
      1. Double Click on "Microsoft network server: Digitally sign communications (always)"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    41. Server - Digitally sign communications (if client agrees)
      1. Double Click on "Microsoft network server: Digitally sign communications (if client agrees)"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    42. Disconnect clients when logon hours expire (should be set correctly by default)
      1. Double Click on "Microsoft network server: Disconnect clients when logon hours expire"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    43. Allow anonymous SID/Name translation (should be set correctly by default)
      1. Double Click on "Network access: Allow anonymous SID/Name translation"
      2. Inspect the value. If available, the most secure setting is "Disabled"
      3. Click OK
    44. Do not allow anonymous enumeration of SAM accounts (should be set correctly by default)
      1. Double Click on "Network access: Do not allow anonymous enumeration of SAM accounts"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    45. Disable anonymous enumeration of SAM accounts and shares
      1. Double Click on "Network access: Do not allow anonymous enumeration of SAM accounts and shares"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    46. Do not allow storage of passwords and credentials for network authentication
      1. Double Click on "Network access: Do not allow storage of passwords and credentials for network authentication"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    47. Let Everyone permission apply to anonymous users (should be set correctly by default)
      1. Double Click on "Network access: Let Everyone permissions apply to anonymous users"
      2. Inspect the value. The most secure setting is "Disabled"
      3. Click OK
    48. Named pipes that can be accessed anonymously
      1. Double Click on "Network access: Named Pipes that can be accessed anonymously"
      2. See detailed description
      3. Click OK
    49. Remotely accessible registry paths
      1. Double Click on "Network access: Remotely accessible registry paths"
      2. The most secure setting is to delete all the entries
      3. Click OK
    50. Remotely accessible registry paths and sub-paths
      1. Double Click on "Network access: Remotely accessible registry paths and sub-paths"
      2. The most secure setting is to delete all the entries
      3. Click OK
    51. Restrict anonymous access to Named Pipes and Shares
      1. Double Click on "Network access: Restrict anonymous access to Named Pipes and Shares"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    52. Shares accessible anonymously
      1. Double Click on "Network access: Shares that can be accessed anonymously"
      2. The most secure setting is to delete all the entries
      3. Click OK
    53. Sharing and security model for local accounts (should be set correctly by default)
      1. Double Click on "Network access: Sharing and security model for local accounts"
      2. Inspect the value. The most secure setting is to choose "Classic: local users authenticate as themselves"
      3. Click OK
    54. Allow Local System to use computer identity for NTLM
      1. Double Click on "Network security: Allow Local System to use computer identity for NTLM"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    55. Allow LocalSystem NULL session fallback
      1. Double Click on "Network security: Allow LocalSystem NULL session fallback"
      2. Inspect the value. The most secure setting is "Disabled"
      3. Click OK
    56. Allow PKU2U authentication requests to this computer to use online identities
      1. Double Click on "Network security: Allow PKU2U authentication requests to this computer to use online identities"
      2. Inspect the value. The most secure setting is "Disabled"
      3. Click OK
    57. Configure encryption types allowed for Kerberos
      1. Double Click on "Network security: Configure encryption types allowed for Kerberos"
      2. Inspect the value. The most secure setting is to select only "AES128_HMAC_SHA1", "AES256_HMAC_SHA1" and "Future encryption types". Leave "RC4_HMAC_MD5" checked only while a domain controller or service you must authenticate to cannot do AES; the DES types should never be checked. On a workgroup machine this policy has no effect until the computer joins a domain
      3. Click OK
    58. Do not store LAN Manager password (should be set correctly by default)
      1. Double Click on "Network security: Do not store LAN Manager hash value on next password change"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    59. Force logoff
      1. Double Click on "Network security: Force logoff when logon hours expire"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    60. Password authentication level
      1. Double Click on "Network security: LAN Manager authentication level"
      2. Inspect the value. The most secure setting is "Send NTLMv2 response only. Refuse LM & NTLM" (level 5), which both stops this computer from offering the weak LM and NTLMv1 responses and refuses them from clients
      3. Click OK
    61. LDAP client signing requirements (should be set correctly by default)
      1. Double Click on "Network security: LDAP client signing requirements"
      2. Inspect the value. The most secure setting is "Require signing"; the default, "Negotiate signing", signs LDAP traffic only when the server offers it. Only "Require signing" if the LDAP servers you bind to support signing (Active Directory does); on a workgroup machine the setting rarely matters
      3. Click OK
    62. Minimum session security for NTLM SSP based clients
      1. Double Click on "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients"
      2. Inspect the values. We find checking boxes next to "Require NTLMv2 session security" and "Require 128-bit encryption" to be reasonable
      3. Click OK
    63. Minimum session security for NTLM SSP based servers
      1. Double Click on "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers"
      2. Inspect the values. We find checking boxes next to "Require NTLMv2 session security" and "Require 128-bit encryption" to be reasonable.
      3. Click OK
    64. Add remote server exceptions for NTLM authentication
      1. Double Click on "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication"
      2. See detailed description
      3. Click OK
    65. Add server exceptions in the domain
      1. Double Click on "Network security: Restrict NTLM: Add server exceptions in this domain"
      2. See detailed description
      3. Click OK
    66. Audit Incoming NTLM Traffic
      1. Double Click on "Network security: Restrict NTLM: Audit Incoming NTLM Traffic"
      2. Inspect the value. The most secure setting is to choose "Enable auditing for all accounts" from the pulldown menu. Auditing blocks nothing; it records every NTLM logon to this computer in Applications and Services Logs > Microsoft > Windows > NTLM > Operational, which tells you what would break before you set item 68 to deny
      3. Click OK
    67. Audit NTLM authentication in the domain
      1. Double Click on "Network security: Restrict NTLM: Audit NTLM authentication in this domain"
      2. Inspect the value. This policy only takes effect on a domain controller, so on a workstation it can stay "Not Defined". If you do set it, "Enable all" records the most
      3. Click OK
    68. Incoming NTLM traffic
      1. Double Click on "Network security: Restrict NTLM: Incoming NTLM traffic"
      2. Inspect the value. The most secure setting is to choose "Deny all accounts" from the pulldown menu ("Deny all domain accounts" if local accounts must still be able to connect). Be aware that on a workgroup machine every remote connection to this computer (file shares, remote administration, Remote Desktop with a local account) authenticates with NTLM, so "Deny all accounts" refuses all of them. That is acceptable when file sharing and remote access are disabled as recommended earlier; otherwise run with item 66 auditing for a while first
      3. Click OK
    69. NTLM Authentication in the domain
      1. Double Click on "Network security: Restrict NTLM: NTLM authentication in this domain"
      2. See detailed description. Like item 67, this policy only takes effect on a domain controller
      3. Click OK
    70. Outgoing NTLM traffic to remote servers
      1. Double Click on "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
      2. Inspect the value. The most secure setting is to choose "Deny all" from the pulldown menu. This stops the computer from authenticating with NTLM to any other machine, which on a workgroup network means every other computer; "Audit all" logs what would be refused, and item 64 can list the servers that must keep working with NTLM
      3. Click OK
    71. Allow automatic administrative logon under recovery console (should be set correctly by default)
      1. Double Click on "Recovery Console: Allow automatic administrative logon"
      2. Inspect the values. The most secure setting is "Disabled"
      3. Click OK
    72. Allow floppy copy and access to all drives and folders under recovery console (should be set correctly by default)
      1. Double Click on "Recovery Console: Allow floppy copy and access to all drives and folders"
      2. Inspect the values. The most secure setting is "Disabled"
      3. Click OK
    73. Allow system shutdown without logging in
      1. Double Click on "Shutdown: Allow system to be shut down without having to log on"
      2. Inspect the value. The most secure setting is "Disabled"
      3. Click OK
    74. Clear pagefile on shutdown
      1. Double Click on "Shutdown: Clear virtual memory pagefile"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    75. Force strong key protection
      1. Double Click on "System Cryptography: Force strong key protection for user keys stored on the computer"
      2. Inspect the value. The most secure setting is to choose "User must enter a password each time they use a key" from the pulldown menu
      3. Click OK
    76. Use FIPS compliant algorithms for encryption, hashing and signing (should be set correctly by default)
      1. Double Click on "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"
      2. Inspect the value. We find "Disabled" to be a reasonable setting. Enabling it does not add stronger ciphers; it makes Windows (and .NET programs, which check the flag) refuse any algorithm implementation that is not FIPS 140 validated, and software that uses other implementations then fails. Turn it on only if your organization's policy requires it
      3. Click OK
    77. Require case insensitivity for non-Windows subsystems (should be set correctly by default)
      1. Double Click on "System objects: Require case insensitivity for non-Windows subsystems"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    78. Strengthen default permissions of internal system objects (should be set correctly by default)
      1. Double Click on "System Objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    79. Optional subsystems
      1. Double Click on "System settings: Optional subsystems"
      2. The most secure setting is to remove all subsystems from the list
      3. Click OK
    80. Certificate Rules on Windows Executables
      1. Double Click on "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    81. Admin Approval Mode for Administrator account (should be set correctly by default)
      1. Double Click on "User Account Control: Admin Approval Mode for the Built-in Administrator Account"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    82. UIAccess applications prompting for elevation (should be set correctly by default)
      1. Double Click on "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop"
      2. Inspect the value. The most secure setting is "Disabled"
      3. Click OK
    83. Behavior of the elevation prompt
      1. Double Click on "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode"
      2. Inspect the value. The most secure setting is "Prompt for credentials on the secure desktop", which asks for the password at every elevation. "Prompt for consent on the secure desktop" is the usual choice; it still shows the prompt on the secure desktop, where other programs cannot click it for you. Plain "Prompt for consent" or "Prompt for credentials" leaves the prompt on the normal desktop and should be avoided
      3. Click OK
    84. Behavior of the elevation prompt (should be set correctly by default)
      1. Double Click on "User Account Control: Behavior of the elevation prompt for standard users"
      2. Inspect the value. The most secure setting is to choose "Automatically deny elevation requests" from the pulldown menu. However, if the user has both a standard and an administrative account, then "Prompt for credentials on the secure desktop" can be used as well.
      3. Click OK
    85. Prompt for application installations (should be set correctly by default)
      1. Double Click on "User Account Control: Detect application installations and prompt for elevation"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    86. Only elevate signed and validated executables
      1. Double Click on "User Account Control: Only elevate executables that are signed and validated"
      2. Inspect the value. The most secure setting is "Enabled". Note that unsigned installers and tools then cannot be elevated at all, so test this one on a spare machine first
      3. Click OK
    87. Only elevate safely stored UIAccess applications (should be set correctly by default)
      1. Double Click on "User Account Control: Only elevate UIAccess applications that are installed in secure locations"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    88. Run all administrators in Admin Approval Mode (should be set correctly by default)
      1. Double Click on "User Account Control: Run all administrators in Admin Approval Mode"
      2. Inspect the value. The most secure setting is "Enabled". This is the switch that turns UAC on at all; with it disabled the other UAC items have no effect
      3. Click OK
    89. Switch to the secure desktop when prompting for elevation (should be set correctly by default)
      1. Double Click on "User Account Control: Switch to the secure desktop when prompting for elevation"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
    90. Virtualizing file and registry write failures (should be set correctly by default)
      1. Double Click on "User Account Control: Virtualize file and registry write failures to per-user locations"
      2. Inspect the value. The most secure setting is "Enabled"
      3. Click OK
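Every policy item in the list above is stored as a registry value, so the settings can be verified from a script instead of by opening each dialog, and re-verified after a service pack or a well-meaning user changes them. The PowerShell script below is an added example and is not part of the original checklist. It reads the documented registry value behind each checklist item named in its comments and reports any that differ from the setting recommended above (for item 83 it expects 2, "Prompt for consent on the secure desktop"; change the table if you chose credentials or relaxed another setting). It is read-only, is written for the PowerShell 2.0 that ships with Windows 7 SP1, and should be run from an elevated prompt. Items 48, 49, 50 and 52 are multi-string values and are not covered.

```powershell
# Added example, not from the original checklist: audit the registry values that
# back the Local Security Policy items above. Read-only. Run elevated, PowerShell 2.0+.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"
$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$krb = "$uac\Kerberos\Parameters"
$mem = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Each row: checklist item number, registry key, value name, expected value
$checks = @(
    @(37, $wks, 'EnableSecuritySignature', 1),        # client: sign if server agrees
    @(38, $wks, 'EnablePlainTextPassword', 0),        # no clear-text passwords to SMB servers
    @(39, $srv, 'AutoDisconnect', 15),                # idle minutes before suspending a session
    @(40, $srv, 'RequireSecuritySignature', 1),       # server: sign always
    @(41, $srv, 'EnableSecuritySignature', 1),        # server: sign if client agrees
    @(42, $srv, 'EnableForcedLogoff', 1),
    @(44, $lsa, 'RestrictAnonymousSAM', 1),
    @(45, $lsa, 'RestrictAnonymous', 1),
    @(46, $lsa, 'DisableDomainCreds', 1),
    @(47, $lsa, 'EveryoneIncludesAnonymous', 0),
    @(51, $srv, 'RestrictNullSessAccess', 1),
    @(53, $lsa, 'ForceGuest', 0),                     # Classic model
    @(54, $lsa, 'UseMachineId', 1),
    @(55, $msv, 'allownullsessionfallback', 0),
    @(56, "$lsa\pku2u", 'AllowOnlineID', 0),
    @(57, $krb, 'SupportedEncryptionTypes', 0x7FFFFFF8), # AES128 + AES256 + future, no RC4/DES
    @(58, $lsa, 'NoLMHash', 1),
    @(60, $lsa, 'LmCompatibilityLevel', 5),           # NTLMv2 only, refuse LM and NTLM
    @(62, $msv, 'NTLMMinClientSec', 0x20080000),      # NTLMv2 session security + 128-bit
    @(63, $msv, 'NTLMMinServerSec', 0x20080000),
    @(66, $msv, 'AuditReceivingNTLMTraffic', 2),      # audit all incoming NTLM
    @(73, $uac, 'ShutdownWithoutLogon', 0),
    @(74, $mem, 'ClearPageFileAtShutdown', 1),
    @(81, $uac, 'FilterAdministratorToken', 1),
    @(82, $uac, 'EnableUIADesktopToggle', 0),
    @(83, $uac, 'ConsentPromptBehaviorAdmin', 2),     # consent on the secure desktop (1 = credentials)
    @(84, $uac, 'ConsentPromptBehaviorUser', 0),      # auto-deny standard-user elevation
    @(85, $uac, 'EnableInstallerDetection', 1),
    @(86, $uac, 'ValidateAdminCodeSignatures', 1),
    @(87, $uac, 'EnableSecureUIAPaths', 1),
    @(88, $uac, 'EnableLUA', 1),
    @(89, $uac, 'PromptOnSecureDesktop', 1),
    @(90, $uac, 'EnableVirtualization', 1)
)

$failures = 0
foreach ($c in $checks) {
    $item, $path, $name, $expected = $c
    $actual = $null
    if (Test-Path $path) {
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($props -ne $null -and $props.PSObject.Properties[$name] -ne $null) {
            $actual = $props.$name
        }
    }
    if ($actual -eq $null) {
        # A missing value means the OS default applies, which is not always the secure choice
        Write-Output ("item {0,2}: {1}\{2} NOT SET (expected {3})" -f $item, $path, $name, $expected)
        $failures++
    } elseif ([int64]$actual -ne [int64]$expected) {
        Write-Output ("item {0,2}: {1}\{2} = {3} (expected {4})" -f $item, $path, $name, $actual, $expected)
        $failures++
    }
}
Write-Output ("{0} of {1} checks need attention" -f $failures, $checks.Count)
```

Values reported as NOT SET are policies still at "Not Defined" in secpol.msc; Windows then uses its built-in default, which for several of these (item 57, 66 and the NTLM session-security masks for instance) is weaker than the checklist setting, so treat NOT SET as a finding rather than a pass.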

3. Other Security Issues

Miscellaneous Registry Modifications

  1. Disable Memory Dump Files
    1. Stop Debugging Information Storage
      1. Right Click on "Computer" and choose "Properties"
      2. Click on "Advanced system settings" located on the left hand side
      3. Under Startup and Recovery, click "Settings"
      4. The most secure setting is to change the pulldown menu under "Write debugging information" to "(none)"
      5. Click OK
      6. Click OK
      7. Note - This setting can also be achieved through the registry (0 = no dump; 1, 2 and 3 are complete, kernel and small memory dump):
        HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>CrashControl>CrashDumpEnabled = 0

      8. Click the Start Button
      9. Go to your hard drive (in most cases, this is known as 'Local Disk (C:)') and double-click on 'Windows'
      10. If a file named MEMORY.dmp is found, deleting it would be safer for the system.
      11. If a folder named "Minidump" can be located in the same directory, it would be best to delete its contents as well.
    2. Stop Application Crash Dump files
      1. Click on Start menu
      2. In the search box, type "regedit" and press Enter
      3. Click "Yes" when a pop-up box shows
      4. Navigate to HKEY_CURRENT_USER> SOFTWARE> Microsoft> Windows>Windows Error Reporting
      5. Double Click on the DWORD value "Disabled" (if it is not there, create it with Edit>New>DWORD (32-bit) Value)
      6. Inspect the value. The most secure setting is 1, which turns Windows Error Reporting off for this user. A value of 0, or no value at all, leaves reporting on
      7. Click OK
      8. Click on the Start Button
      9. Choose "Computer"
      10. Double-click on your hard drive (in most cases, this is known as 'Local Disk (C:)')
      11. Go to "Users" and double-click on your username.
      12. Double-click "AppData"
      13. Note: If the folder "AppData" is not showing, you must configure the settings to show hidden folders by
        1. Control Panel>Appearance and Personalization
        2. Under Folder Options, click "Show hidden files and folders"
        3. On the View tab, choose "Show hidden files, folders, and drives"
      14. Next, go to "Local">CrashDumps
      15. If files with .dmp extensions are found, it is more secure to delete all of them. (This folder only exists when local dump collection has been turned on, so not finding it is normal. A dump is a copy of a program's memory and can contain whatever the program had open, passwords included)
    3. Stop Hibernation File (should be set correctly by default on some systems -- double check)
      1. Click on Start Button
      2. On the search bar, type in 'cmd.exe'
      3. Right-click on the command prompt and select 'Run as administrator'
      4. In the console, type in "powercfg -h off" to turn hibernation off and delete the hibernation file. That file, hiberfil.sys in the root of the system drive, is a copy of everything that was in memory when the machine hibernated, including any encryption keys that were in use, and it can be read from the disk by anyone who removes it or boots from other media
      5. Confirm the file is gone with "dir /a %SystemDrive%\hiberfil.sys" (it should report "File Not Found"), then close the console
  2. Automatically login administrator
    1. Open the registry editor by typing regedit in the Start menu search box and pressing Enter
    2. Navigate to HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft>Windows NT> CurrentVersion>Winlogon
    3. Double Click on the string (REG_SZ) value "AutoAdminLogon"
    4. If the value does not exist, automatic logon is off and there is nothing to change. (Should you ever need to create it, use Edit>New>String Value, not DWORD, and name it "AutoAdminLogon")
    5. Check the data. The most secure setting is 0
    6. Click OK
    7. While in this key, delete the value "DefaultPassword" if it is present. Automatic logon keeps the account's password there in clear text, where any administrator, or anyone who reads the registry hive from the disk offline, can see it
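The two registry items above and the dump-file clean-up before them are easy to re-check from a script. The PowerShell below is an added example (not from the original checklist): it reports the controlling registry values, lists every memory-image file still on the disk (MEMORY.DMP, minidumps, per-user WER crash dumps and hiberfil.sys), and warns when the Winlogon key holds a DefaultPassword value. It deletes nothing; run it elevated so the files under the Windows folder are listable. PowerShell 2.0 compatible.

```powershell
# Added example, not from the original checklist: find memory-image files and
# clear-text logon credentials left behind. Read-only. Run elevated, PowerShell 2.0+.

function Get-RegValue($path, $name) {
    # Returns $null when the key or the value is absent (the OS default then applies)
    if (-not (Test-Path $path)) { return $null }
    $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($p -eq $null -or $p.PSObject.Properties[$name] -eq $null) { return $null }
    return $p.$name
}

$dumps = @()

# 1. Kernel crash dumps. CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small
$mode = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' 'CrashDumpEnabled'
Write-Output ("CrashDumpEnabled = {0} (checklist setting is 0)" -f $mode)
$dumps += @(Get-ChildItem "$env:SystemRoot\MEMORY.DMP" -ErrorAction SilentlyContinue)
$dumps += @(Get-ChildItem "$env:SystemRoot\Minidump\*.dmp" -ErrorAction SilentlyContinue)

# 2. Application crash dumps written by Windows Error Reporting for this user
$wer = 'HKCU:\Software\Microsoft\Windows\Windows Error Reporting'
Write-Output ("WER Disabled = {0} (1 turns reporting off)" -f (Get-RegValue $wer 'Disabled'))
$dumps += @(Get-ChildItem "$env:LOCALAPPDATA\CrashDumps\*.dmp" -ErrorAction SilentlyContinue)

# 3. Hibernation file: an image of all of RAM, including keys that were in use
$hib = Get-Item "$env:SystemDrive\hiberfil.sys" -Force -ErrorAction SilentlyContinue
if ($hib -ne $null) { $dumps += @($hib) }

foreach ($f in $dumps) {
    Write-Output ("  {0,14:N0} bytes  {1}" -f $f.Length, $f.FullName)
}
Write-Output ("{0} memory-image file(s) present" -f $dumps.Count)

# 4. Automatic logon. AutoAdminLogon=1 together with a DefaultPassword value means the
#    account's password is stored in the registry in clear text.
$wl   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$auto = Get-RegValue $wl 'AutoAdminLogon'
Write-Output ("AutoAdminLogon = {0} (0 or absent is the checklist setting)" -f $auto)
if ((Get-RegValue $wl 'DefaultPassword') -ne $null) {
    Write-Output "WARNING: DefaultPassword is set. Remove it: Remove-ItemProperty -Path '$wl' -Name DefaultPassword"
}
```

Deleting a listed .dmp file with Explorer or del only unlinks it; the blocks stay on disk until overwritten, which is what the cipher /W step later in this section is for.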

Misc Modifications

  1. Stop Dangerous Services controlled through Local Services Administrator
    1. Start>Control Panel>System and Security>Administrative Tools>Services
    2. Double Click on "Computer Browser"
    3. Changing the Startup type to "Disabled" is the most secure setting
    4. The service may need to be stopped if it is currently running (click on the "Stop" button in the Service status section)
    5. Repeat for these services:
  2. SYSKEY
    1. Open command prompt
    2. Type in "syskey" and press Enter
    3. Inspect the value. Make sure that "Encryption Enabled" is selected
    4. Click 'Update'
    5. To select the appropriate security setting for your system, see detailed description
  3. EFS
    1. Encrypt the Files
      1. If your file system is currently FAT32, converting it to NTFS is much more secure
        1. Open a command prompt
        2. Type "convert drive: /fs:ntfs" where drive is the letter of the drive that needs to be converted
        3. Repeat for all drives
      2. Once converted to NTFS, open Computer
      3. Navigate to your user profile folder (not the My Documents folder but its parent inside the Users folder. Ex: C:\Users\user name )
      4. Right Click on the folder
      5. Choose Properties
      6. Under the General tab, click on "Advanced"
      7. Checking the box: "Encrypt contents to secure data" is much more secure
      8. Click OK
      9. Click OK again and when the dialog box asking to confirm the change, make sure radio button "Apply changes to this folder, subfolders and files" is set
      10. Click OK
      11. If you get a warning asking to Encrypt the file and the parent folder or just the file, select the file and the parent, and click OK
      12. Note: Some files are being used by the OS and can't be encrypted. Should this be the case, Windows will ask you if you want to ignore, retry or cancel. Click the "Ignore All" button.
    2. Create a recovery key
      1. Open Notepad
      2. Type in a random string of 100 or more characters, mixing special characters, upper-case and lower-case letters, and numbers. This becomes the password that protects the recovery agent's private key
      3. Highlight and copy
      4. Open a command prompt and type "cipher /R:filename" where filename is the name of file you would like to save the recovery certificate and private key
      5. When prompted for the password, right-click on the titlebar
      6. Select Edit>Paste
      7. Repeat for the confirmation
      8. Save the .cer, .pfx, and notepad file to a secure medium and store
      9. Delete the notepad file, the .cer and the .pfx from the hard drive and run "cipher /W:folder" (where folder is any folder on the same drive) to overwrite the free space they occupied. The .pfx is the only copy of the recovery key; without it (and its password) files encrypted by a user whose profile is lost cannot be recovered
  4. cipher.exe
    1. Empty your recycle bin
    2. From the command prompt, type "cipher /W:drive\..." where 'drive\...' is the drive letter and path (if desired) of the disk area to be scrubbed. cipher /W overwrites only the unallocated space of the volume that holds the given folder (three passes); it does not touch existing files, so it must be run after deleting the sensitive ones
    3. Repeat for all drives and directories as needed
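After encrypting the profile with "Ignore All", it is worth knowing exactly which files were skipped and are still stored in clear. The PowerShell script below is an added example, not from the original checklist: it walks a folder (the current user's profile by default), lists every file without the NTFS Encrypted attribute, and, only when run with -Wipe, runs the same cipher /W free-space overwrite described in item 4 for that folder's drive. Save it as a .ps1 and run it as the user who owns the profile; PowerShell 2.0 compatible.

```powershell
# Added example, not from the original checklist: report files that EFS did not
# encrypt, and optionally overwrite free space with cipher /W. PowerShell 2.0+.
param([string]$Root = $env:USERPROFILE, [switch]$Wipe)

function Get-UnencryptedFiles($path) {
    # EFS sets the Encrypted file attribute on every file it protects
    $enc = [int][IO.FileAttributes]::Encrypted
    Get-ChildItem -Path $path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { (-not $_.PSIsContainer) -and (([int]$_.Attributes -band $enc) -eq 0) }
}

$clear = @(Get-UnencryptedFiles $Root)
$clear | Select-Object -First 20 | ForEach-Object { Write-Output ("  {0}" -f $_.FullName) }
if ($clear.Count -gt 20) { Write-Output "  ..." }
Write-Output ("{0} unencrypted file(s) under {1}" -f $clear.Count, $Root)

# Files the OS holds open (NTUSER.DAT and its logs, for example) cannot be encrypted
# in place. Anything else in the list can be encrypted from the command line with:
#   cipher /E /S:"<folder>"      (whole folder)      or      cipher /E "<file>"
# The recovery agent certificate (cipher /R:) must still be created interactively,
# as in item 3.2 above, because cipher prompts for the password.

if ($Wipe) {
    # Overwrite unallocated space on the drive that holds $Root so that deleted
    # plaintext copies of the files (temp files, pre-encryption copies) are gone.
    $drive = (Get-Item $Root).PSDrive.Root      # e.g. C:\
    & cipher.exe "/W:$drive"
}
```

Run it once more after fixing the reported files; the count should drop to the handful of locked profile files.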
  5. Remove Script Extension Associations
    1. Windows 7 no longer has a "File Types" tab in Folder Options; file associations are changed through Default Programs instead
    2. Start>Control Panel>Programs>Default Programs>Associate a file type or protocol with a program
    3. Select each of .js, .jse, .vbe, .vbs, .wsf and .wsh in turn and click "Change program..."
    4. Changing the association to Notepad or WordPad is much more secure: a double-clicked script then opens as text instead of running under Windows Script Host. Treat .reg the same way so that a downloaded .reg file is not merged into the registry by a double-click
    5. Click Close
  6. Disable Windows Script Host
    1. Symantec once distributed a small noscript.exe tool for this; it is not needed. The same effect comes from the registry: under HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows Script Host>Settings, set (or create) the DWORD value "Enabled" to 0
    2. With the value at 0, wscript.exe and cscript.exe refuse every script with the message "Windows Script Host access is disabled on this machine", whatever the file association says. The same value under HKEY_CURRENT_USER turns it off for that user only. Note that some administrative scripts and installers use WSH, so test before rolling this out
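Items 5 and 6 above map to a few registry values, so they can be inspected and applied from a script. The PowerShell below is an added example, not from the original checklist. Without arguments it prints the current handler for each script type and the Windows Script Host state; with -Apply it re-points the handlers to Notepad and sets the WSH "Enabled" value to 0. It edits the machine-wide class registrations under HKLM\SOFTWARE\Classes, so save it as a .ps1 and run it elevated. PowerShell 2.0 compatible.

```powershell
# Added example, not from the original checklist: show and optionally change the
# script file handlers and the Windows Script Host switch. Run elevated, PowerShell 2.0+.
param([switch]$Apply)

# ProgIDs that Windows registers for the script extensions in item 5, plus .reg
$progIds = @{
    '.js'  = 'JSFile';  '.jse' = 'JSEFile'
    '.vbs' = 'VBSFile'; '.vbe' = 'VBEFile'
    '.wsf' = 'WSFFile'; '.wsh' = 'WSHFile'
    '.reg' = 'regfile'
}
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

foreach ($ext in $progIds.Keys) {
    $cmdKey  = "HKLM:\SOFTWARE\Classes\$($progIds[$ext])\Shell\Open\Command"
    $current = '(not registered)'
    if (Test-Path $cmdKey) {
        # The handler command line is the key's default value
        $current = (Get-ItemProperty -Path $cmdKey).'(default)'
    }
    Write-Output ("{0,-5} {1,-8} {2}" -f $ext, $progIds[$ext], $current)
    if ($Apply -and (Test-Path $cmdKey)) {
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value 'notepad.exe "%1"'
    }
}

$enabled = $null
if (Test-Path $wshKey) {
    $enabled = (Get-ItemProperty -Path $wshKey -ErrorAction SilentlyContinue).Enabled
}
Write-Output ("Windows Script Host Enabled = {0} (absent means enabled; 0 disables)" -f $enabled)
if ($Apply) {
    if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
    Set-ItemProperty -Path $wshKey -Name 'Enabled' -Value 0 -Type DWord
    Write-Output 'Applied: handlers point to notepad.exe, WSH disabled for all users'
}
```

A per-user choice made in Default Programs is stored under HKEY_CURRENT_USER (Explorer\FileExts\<ext>\UserChoice) and overrides the machine-wide handler for that user, so check the Default Programs dialog as well after applying; the WSH switch, on the other hand, stops the script engines themselves and holds regardless of which handler runs.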
  7. Encypt Offline Files
    1. Open Control Panel
    2. On the search bar, type in "Sync Center" and press Enter
    3. Go to Sync Center>Manage offline files
    4. Under the General tab, check whether Offline Files is enabled (it is by default on Windows 7 Professional). If you do not use offline copies of network files at all, disabling it is the more secure choice, since the cache is one more copy of network data on the local disk and there is then nothing to encrypt. If you do use it, leave it enabled and continue
    5. Under the Encryption tab, clicking "Encrypt" is more secure
    6. Click OK
  8. Stop Internet Explorer History
    1. Open Internet Explorer
    2. If the menu bar is not visible, press Alt
    3. Choose menu Tools>Internet Options...
    4. In the Browsing history section under the General tab, click "Delete" and check "Delete browsing history on exit"
    5. Under the same section, click Settings
    6. In the "Temporary Internet Files" section, click the radio button entitled "Every time Internet Explorer is started" so your system is more secure
    7. In the "History" section, set the number of days to keep in history to a small value. We find 0 to be reasonable.
    8. Click OK
    9. Click OK
  9. Set Internet Explorer Zone and Cookies
    1. Open Internet Explorer
    2. Choose menu Tools>Internet Options...
    3. Click tab "Security"
    4. For each of the zones, clicking the "Default Level" button will keep your computer at a more secure level
    5. Click on the "Privacy" tab
    6. Click the "Advanced" button
    7. Clicking the "Override automatic cookie handling" checkbox will add security
    8. For both radio buttons, clicking on the Prompt option will alert you to any security problems.
    9. Click OK
  10. Stop Internet Explorer from saving passwords
    1. Open Internet Explorer
    2. Choose menu Tools>Internet Options...
    3. Click tab "Content"
    4. In the "AutoComplete" section, click on Settings
    5. Uncheck every box for added security
    6. Click on "Delete AutoComplete history..."
    7. When a pop-up appears, check every box except for "Preserve Favorites website data"
    8. Click "Delete"
    9. Click OK
  11. Internet Explorer Security Options
    1. Open Internet Explorer
    2. Choose menu Tools>Internet Options...
    3. Click tab "Advanced"
    4. Scroll down to the Security section
    5. Checking the boxes: "Check for server certificate revocation", "Check for signatures on downloaded programs", "Do not save encrypted pages to disk", "Empty temporary Internet files when browser is closed", "Use TLS 1.1", "Use TLS 1.2", "Warn about certificate address mismatch*" and "Warn if changing between secure and not secure mode" will increase the security within IE
    6. Unchecking "Use SSL 2.0", "Use SSL 3.0" (the protocol broken by the POODLE attack) and "Enable third-party browser extensions*" will also increase security. Leave "Use TLS 1.0" checked only while a site you need still requires it
    7. Click OK
  12. Screen Saver Password
    1. Start>Control Panel>Appearance and Personalization>Personalization, then click "Screen Saver" at the bottom right of the window
    2. In the Screen Saver Settings dialog, pick a screen saver other than "(None)"
    3. Change the "Wait" option to 15 minutes or less (the same idle period item 39 of the policy list uses); the longer the wait, the longer an unattended logged-on session stays open to anyone who walks up
    4. Checking the "On resume, display logon screen" checkbox will add security to your machine: without it the screen saver hides the desktop but does not lock it
    5. Click OK

 

Detailed Descriptions  

Create Guest Password

Why do this?

Guest accounts are problematic from a number of perspectives. For one, if Guest is enabled without a password, all remote access will default to "guest" on logon if the username is not listed in the accounts database or if simple file sharing is enabled. For another, anonymous logins are handled as requests to the Guest account. In general, users of a system should be forced to provide some sort of credentials as authentication. This includes usage of the console, remote resource access, and any other method of system access. One of the common classifications of exploits is privilege escalation. In this type of exploit, the attacker does something, like executing code, that gives them privileges they would not otherwise have. This type of exploit is well suited to Guest account access: someone could gain access to the computer using the Guest account and exploit a vulnerability which gives them privileges to completely control the system.

According to Microsoft Knowledge Base article 300489, the following applies to the Guest account:

Although all these restrictions do apply to a new Guest account, there is no substitute for blocking every user from ever using the account. An account that cannot be used cannot be exploited.

If you shut the guest account off, why assign it a complex password? Simply put, so a hacker can't turn the guest account back on and use it. If guest is reactivated, it still has a password that needs to be cracked before it can be used. This is just another instance of defense-in-depth.

Remember that the password typed after "net user guest" (the command that sets the Guest account's password) should be random and very long (over 100 characters). You should utilize all types of characters (upper- and lower-case, numbers, and special characters). One of the most underused characters in creating a strong password is the space; it is a perfectly valid character and adds another level of complexity, but a password containing spaces must be quoted on the command line.

What consequences will there be on my system?

It completely stops people from accessing your computer through the guest account, anonymous logins through the console or terminal services, null sessions and anonymous LDAP queries.

When a long, complex password is chosen for the Guest account, it becomes virtually unusable: unless someone can guess the password (which would take a few thousand years), the account is effectively disabled. This means that anyone who wants to access the computer will now have to get a real user account to access the information. It also means that hackers who used the Guest account to anonymously access data won't be able to do this anymore. Once the Guest account has been disabled, Simple File Sharing (discussed in another section) must be disabled as well. When Simple File Sharing is enabled (which is the default when 7 Pro uses a workgroup rather than a domain), all file sharing happens using the Guest account. Obviously, with the Guest account inaccessible, the mode of file sharing has to be changed for any file sharing to operate.

Return

Disable Guest Account and Support accounts

Why do this?

For the same reasons outlined above. An active Guest account is an extremely bad idea because it allows anyone access to data that possibly should not be seen. If there are people who need access to a file or program, they should have an account with a password. The Support accounts serve a number of purposes. The SUPPORT_####### account (where ####### is a hexadecimal number) was created on Windows XP systems for Microsoft customer support; it allowed remote sessions to be initiated in the form of an invitation to Microsoft customer care (or a malicious attacker). HelpAssistant is a similar XP-era account, used to invite people outside of the Microsoft Corporation to help with computer problems. Neither is created by a clean Windows 7 installation, but check for them on machines that were upgraded or imaged from older builds. The ASP.NET account is created by older versions of the Microsoft .NET Framework when it is installed alongside Internet Information Services. It is necessary for Windows to run the ASP.NET worker process within IIS, and it exists so that the process is not run with Administrator privileges. The SQLDebugger account is created by the install of Microsoft Visual Studio or SQL Server, and serves much the same purpose as the ASP.NET account. These accounts are necessary for specific functions of specific programs. There are a number of ways that securing these accounts can be approached. If there is no need for the accounts, because their functionality is not required, they can be safely disabled. It is also possible to stop the use of these accounts from remote computers, on the console, as batch jobs, etc.

What consequences will there be on my system?

It completely stops people from accessing your computer through the Guest account. Since the Guest account shouldn't be used for normal purposes anyway, it should not be available for hackers to access your box without your permission. By disabling the other accounts, functionality that is needed from programs that require the accounts will also be disabled. While it's unlikely that the SUPPORT_ and HelpAssistant accounts will be needed, the ASP.NET and SQLDebugger accounts may be, depending on each individual situation.
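Whether any of the accounts discussed above exist and are still enabled is quickly answered with a query of the local account database. The PowerShell function below is an added example, not part of the original checklist: it lists every local account with its well-known RID, whether it is enabled, whether a password is required, and flags the legacy support account names. It uses WMI, which is present on Windows 7 without extra tools, and is read-only; PowerShell 2.0 compatible.

```powershell
# Added example, not from the original checklist: report the state of every local
# account so that Guest and leftover support accounts are easy to spot. Read-only.

function Get-LocalAccountReport {
    # LocalAccount = TRUE excludes domain accounts on a domain-joined machine
    $accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = TRUE"
    foreach ($a in $accounts) {
        $flags = @()
        if ($a.Disabled) { $flags += 'disabled' } else { $flags += 'ENABLED' }
        if (-not $a.PasswordRequired) { $flags += 'NO-PASSWORD-REQUIRED' }
        if ($a.Lockout) { $flags += 'locked-out' }
        # The XP-era support accounts should not exist on a clean Windows 7 install
        if ($a.Name -like 'SUPPORT_*' -or $a.Name -eq 'HelpAssistant') {
            $flags += 'LEGACY-SUPPORT-ACCOUNT'
        }
        # Well-known relative IDs: 500 = built-in Administrator, 501 = Guest,
        # whatever the accounts have been renamed to
        $rid = $a.SID.Substring($a.SID.LastIndexOf('-') + 1)
        New-Object PSObject -Property @{
            Name  = $a.Name
            RID   = $rid
            State = ($flags -join ', ')
        }
    }
}

Get-LocalAccountReport | Sort-Object RID | Format-Table Name, RID, State -AutoSize

# To fix what the report shows, the checklist's own commands are:
#   net user guest "<long random password>"     (set the password first)
#   net user guest /active:no                   (then disable the account)
#   net user <name> /active:no                  (same for any support account found)
```

An ENABLED line for RID 501, or any line carrying NO-PASSWORD-REQUIRED, is exactly the condition the section above warns about; the PasswordRequired flag reflects the account's "password not required" attribute, not whether a password is actually set, so treat it as a hint and verify with the steps in the checklist.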

Return

Disable Remote Access to Computer

Why do this?

Remote Assistance and Remote Desktop are services provided in Windows 7 that allow someone to connect to your computer over the network and use it as if they were sitting in front of it. This can be used in helping someone troubleshoot a problem. Rather than having to try to communicate over the phone and explain the problem, a support person can simply take control of the computer and fix whatever problem exists. This can be an extremely useful tool. When a Windows server is deployed remotely in the field, access can still be made through Remote Desktop, which can save a trip to the remote location. It could be made more secure by tunneling the communication through a more secure channel like SSH or a VPN. Unfortunately, there is a dark side to Remote Desktop. Since it is so powerful, it could be used by an attacker to gain control of the system. Should a flaw be found that grants access to anyone, the system could be completely compromised. Additionally, programs exist that continually try to guess the passwords of accounts on the system, and some can do this without being noticed in the system logs. Keep in mind that other programs exist that can provide remote connectivity and are a little more secure.

What consequences will there be on my system?

By disabling Remote Access, you will no longer be able to access your computer through Remote Desktop. A common example of Remote Desktop use is accessing the computer while on vacation. Remote Desktop can be very helpful since you can access your computer just as if you were sitting in front of it, from thousands of miles away. By disabling the "remote invitations" feature, such invitations will not be able to be used. An account will have to be set up on the machine which allows access.

Note that when using Remote Desktop, all of the same functionality is available to you from your hotel in Sri Lanka as is available at the keyboard. The problem is that other people (hackers) could also have that same functionality if Remote Desktop is enabled.

Return

Disable File Sharing

Why do this?

HomeGroup is the mechanism by which Windows 7 shares files, folders and printers in a networked workgroup environment, which is the configuration most standalone computers use; in this mode the computer is not part of an Active Directory structure. Under this policy, resources placed in the HomeGroup are shared with every member without further access restrictions unless stated otherwise, and the Public folders are visible to everyone who can join, so anyone can see everything that is shared. This means that if one of the computers in your network is compromised, all of them should be considered compromised, because sharing is open. This can be replaced with a more secure policy by leaving (shutting off) the HomeGroup. Each shared disk or folder then has an Access Control List (ACL) which describes who can use the shared resource. File sharing in general is something that should not be done in a secure environment because of the risk of exploitation. There is a small possibility that the file sharing service itself could be exploited to gain access to other files. If this were to happen, an attacker could add malicious files or delete critical ones.

What consequences will there be on my system?

By shutting off the Sharing Wizard and leaving the HomeGroup, users who count on there being no access restriction for a resource will no longer have access. If your network can operate under a system of complete trust, then the Sharing Wizard might work fine, but it is much safer to shut it off and follow the policy of least privilege, which dictates that each user should have the minimum amount of privilege needed to do their necessary tasks. While the HomeGroup model of sharing is much more usable, the additional effort involved in Advanced File Sharing buys much more security. In short, some network resources will be unavailable until their sharing is redesigned.

Return

Change Access Privileges to Hard Drives

Why do this?

Windows 7 Professional has the default setting of giving the Everyone group read access to the drives. This means that all the users from any group (Administrators, Power Users, Guest) will have the ability to read files on the computer unless there is a Deny entry for a particular file or folder that stops access. Since Deny entries take precedence over Allow entries, access can be stopped on a per file/folder basis, but this is not an efficient method of limiting access. If a user should be able to view a file, they should be given explicit privilege to do so. A more secure policy is to remove the Everyone group, so that a user must be part of the Administrators, Power Users, or Users group to access the resources. By default, when a new user is added, they will be added to either the Administrators group or the Users group. The Guest account and anonymous logins will then not be allowed read access to any resources in the system. By doing this, a user has to be explicitly granted access to the system rather than having it by default.

What consequences will there be on my system?

By removing the Everyone group privileges, it effectively only removes the Guest account's access. This is due to the fact that all other accounts on the system should belong to the Users group as well as the Everyone group. When the Everyone group is removed from the file permissions access control list (ACL), the accounts that only belong to the Everyone group (and not to any others) will not have access. Since all persons accessing the computer should be given an individual account, there really should be no effect on the system. If some problem does result from this, the users and their access to the system should be carefully audited.

Return

 

Enforce Password History

Why do this?

People have a habit of using the same passwords over and over. When asked to change their password, they will often choose the same password as before, or they will rotate among a small set of passwords. This gives attackers a vulnerability to exploit. If an attacker finds one user's password, they will have access to the system much longer than if the password had been changed more often. By enforcing a password history, users will have to change their password to something new because the system will not allow the user to use a password that was used previously.

What consequences will there be on my system?

One of the consequences of making users choose a new password frequently and enforcing history is that users will have a more difficult time remembering all the new passwords. As a result, a user might resort to writing down the password and sticking it in an accessible place, like underneath the keyboard, which could be a greater security risk.

Return

Maximum Password Age

Why do this?

Allowing a user to use the same password for a long period of time leaves an attacker that amount of time to undermine the system, should the password become compromised. By making users change their password after a period of time, the attacker must work to maintain a presence on the system. If the amount of effort to obtain the password in the first place was sizeable, there is a good chance the attacker will need to do all that work over again to regain access to the computer (unless a backdoor was created). With today's password cracking software and faster hardware, attackers can crack passwords using brute force faster than ever before. Making users change their password more often greatly increases security because the attacker may spend days cracking the user's password, only to find the user has changed it again.

What consequences will there be on my system?

There is a fine line between making users change their password for security purposes and making them change it so often that it becomes a security risk. As stated above, if the user has to change the password often, he or she will simply start writing the current password down where it could easily be seen by anyone with physical access to the paper.

Return

Minimum Password Age

Why do this?

This setting controls the amount of time the user must wait before being able to change their password again. The main goal in setting this time is to make sure users can't change their password as required by the Maximum Password Age setting, and then cycle through a series of passwords to simply change their password back to what it was before, thereby undermining the Maximum Password Age and the Password History setting.

What consequences will there be on my system?

Users on the system will simply not be able to change their passwords immediately after changing them.

Return

Minimum Password Length

Why do this?

This setting is extremely important because it can stop the use of LAN Manager passwords as well as add complexity to the password, making it significantly harder to crack. LAN Manager passwords are limited to at most 14 characters. Creating a password longer than that ensures that the insecure LAN Manager password hash is not stored. Secondly, password complexity is a function of the number of possible characters raised to the power of the length. For example, if a password can only be composed of 26 characters, a password of five characters could be any one of 26^5 = 11,881,376 possibilities. If the length is increased to 15 characters the possibilities increase to 26^15 = 1.677 x 10^21. So the easiest way to increase the difficulty of cracking a password by brute force is to use a long password. The maximum length of the LAN Manager field is 14; thus using a password 15 characters long will prevent storing LAN Manager passwords. However, since the minimum cannot be set to more than 14, management must enforce a separate policy requiring a password length of 15 or more.

What consequences will there be on my system?

Versions of Windows prior to Windows NT 4.0, which include Windows 9x/ME and Windows for Workgroups, do not allow long passwords, so they will be incompatible. It is recommended that these older systems not be allowed on any network attached to the Internet anyway, because of their numerous security vulnerabilities.

Return

Password Complexity

Why do this?

Enabling this feature enforces a strong password policy: passwords have to be at least six characters and must be made up of characters from three of four different categories (uppercase letters, lowercase letters, numbers, and special characters).
An attacker must guess the character set used to generate the password. A larger character set means longer times required to crack the password using brute-force methods. Given that this setting enforces strong passwords, the attacker must run the attack with a large set of characters, increasing the amount of time needed to test all the combinations of passwords. Enabling this setting also stops a user from using any part of their username as the password, which is a common practice and extremely vulnerable to attack. Often this is the first guess an attacker will try, and it leads to easy access to the system.
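As an added example (not the checklist's code and not Windows' own implementation), the following Python models the three password rules discussed in the Enforce Password History, Minimum Password Length and Password Complexity sections: a minimum length, three of the four character categories, no part of the account name in the password, and rejection of any password still in the history. The history stores salted PBKDF2 hashes as a stand-in for the hashes Windows keeps; the "part of the username" rule is interpreted here as the whole account name or any separator-delimited piece of at least three characters, which is an assumption. `search_space` is the page's 26^n computation so the two figures above can be checked.

```python
"""Password policy model: length, complexity categories, username parts,
and password history. Added example; rule details are assumptions noted inline."""
import hashlib
import os
import re
import string

CATEGORIES = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    string.punctuation,
)


def search_space(charset_size: int, length: int) -> int:
    """Number of candidates a brute-force attacker must try (charset ** length)."""
    return charset_size ** length


def complexity_violations(password: str, username: str, min_length: int = 6) -> list:
    """Return the rules the password breaks (empty list means it passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    categories_hit = sum(1 for cat in CATEGORIES if any(ch in cat for ch in password))
    if categories_hit < 3:
        problems.append("uses fewer than three character categories")
    lowered = password.lower()
    # Assumption: "part of the username" = whole name or any separator-delimited
    # piece of 3+ characters, compared case-insensitively.
    parts = [username.lower()]
    parts += [p for p in re.split(r"[.\-_ ]", username.lower()) if len(p) >= 3]
    if any(part and part in lowered for part in parts):
        problems.append("contains part of the account name")
    return problems


class PasswordHistory:
    """Keeps salted PBKDF2 hashes of the last `depth` passwords so a user cannot
    rotate back to one of them."""

    def __init__(self, depth: int):
        self.depth = depth
        self._entries = []  # list of (salt, digest), oldest first

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def was_used(self, password: str) -> bool:
        return any(self._digest(password, salt) == d for salt, d in self._entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))
        self._entries = self._entries[-self.depth:]


def change_password(history: PasswordHistory, username: str, new_password: str):
    """Apply complexity and history rules; returns (accepted, reasons)."""
    reasons = complexity_violations(new_password, username)
    if history.was_used(new_password):
        reasons.append("matches a previously used password")
    if not reasons:
        history.record(new_password)
    return (not reasons, reasons)


if __name__ == "__main__":
    print(search_space(26, 5), search_space(26, 15))
    hist = PasswordHistory(depth=3)
    for pw in ["Winter2021!", "Winter2021!", "alice123"]:
        print(pw, change_password(hist, "alice", pw))
```

With a history depth of 3, a password is accepted again only after three other distinct passwords have been set, which is exactly the rotation the Minimum Password Age setting is meant to make slow.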

What consequences will there be on my system?

This makes the users have to choose passwords that are possibly more complex than they had been before. It could lead to users writing down their passwords.

Return

Reversible Encryption

Why do this?

This option controls whether or not the users' passwords are stored using reversible encryption, that is, a two-way transformation rather than a one-way hash. Some applications request access to the passwords, and this is facilitated through the use of reversible encryption. This is an extremely bad idea! It is essentially the same as not encrypting the passwords in the first place.

What consequences will there be on the system?

Having this option disabled may cause some programs to prompt for the password instead of pulling it from the reversibly encrypted store. This added effort is, however, preferable to the security risk of storing passwords in a recoverable form.

Return

Account Lockout Duration

Why do this?

One of the techniques of attacking a system to gain access is to guess user passwords. This can be as straightforward as trying different passwords at the login screen until the correct one is found and the attacker is logged in. This can be prevented by enabling policies which render the account non-operational for a period of time after a number of failed attempts. This increases the time and effort the attacker must expend to gain access to the system.

What consequences will there be on my system?

When passwords are more difficult to type, a user can end up locking themselves out of their computer by typing their password wrong a number of times consecutively. As a result, they are unable to log in to their computer for a period of time. Consideration needs to be given to how many guesses can be tried before account lockout. This depends on the policies set for password length and complexity. The right setting can then be chosen to minimize attacks while keeping users from locking themselves out.

Return

Account Lockout Duration

What consequences will there be on my system?

See Account Lockout Duration

Return

Reset Account Lockout Counter

Why do this?

Whenever a user fails to enter the correct password, the number of failed logons is tallied in order to activate an account lockout when needed. If this counter is never reset back to 0, users will eventually be locked out of their account indefinitely.

What consequences will there be on my system?

Assigning a value that is greater than the duration of account lockout will result in the user having to wait twice as long for their account to be unlocked. This is because the counter still exceeds the lockout threshold even though the account is no longer locked.

Return

Audit Account Logon

Why do this?

Auditing is the task of keeping a record of different actions that take place in the system for further analysis. These events can be benign, but they can also provide information to aid in tracking down an attacker or a security hole in the system. It is necessary to maintain a balance between too much auditing and not enough: too much auditing produces so much information that parsing through it is difficult, but too little offers no assistance when needed. By auditing account logon events, a record will be made whenever the local machine is used to authenticate logins. This type of event is usually triggered by Kerberos authentication. For example, if a domain account is used to log in to a workstation, the domain controller that authenticated the login will contain the logged event. This probably won't generate any events on a stand-alone workstation, but it should be turned on in case the system is reused.

What consequences will there be on my system?

A record will be stored on disk detailing the authentication made.

Return

Audit Account Management

Why do this?

This auditing option will save information about the changes made to user accounts. For example, if an account is created or changed, it will be recorded. This can be an important tool if users complain that their password has been changed or you notice a new account. A record of the changes can be referenced to have a starting point for tracing any illegitimate activities. Without this kind of log, a starting point would not be available.

What consequences will there be on my system?

Records will be created when any account related activity takes place.

Return

Audit Directory Service Access

Why do this?

This option will log attempted and successful accesses to Active Directory objects within a domain controller. Thus, it is not applicable to workstations and should not be enabled.

What consequences will there be on my system?

There will be no effect on your system.

Return

Audit Logon Events

Why do this?

Auditing logon events will record information about the users who login and logout. This can be useful in building a fingerprint for the system. For example, one can notice that most users login at a certain time of day, or there are usually three users logged in at night. Once this fingerprint is established, it becomes much easier to see problems before and while they are occurring. Auditing logon events also helps to track down attacks on the system. You will be able to see a large number of unsuccessful attempts, for example.

What consequences will there be on my system?

Every user login or failed login attempt will be recorded, whether the user is logging in remotely or interactively.

Return

Audit Object Access

Why do this?

Almost everything in Windows is an object. Files, folders, registry keys, printers, etc. are all objects, and every object has an Access Control List (ACL) which describes who can access it and how access is audited. When a user tries to access something they don't have access to, it will be recorded. It is not wise to record successes for this event because successful object accesses are extremely numerous. However, failures should be recorded because they give some insight into users trying to access things they shouldn't, and provide a way to look up the possible reasons why something can't be used.

What consequences will there be on my system?

Records will be created each time someone tries to access something that they don't have access privileges for. It could also act as a deterrent for users if they know they will be recorded trying to do something that they shouldn't.

Return

Audit Policy Change

Why do this?

Most of what has been recommended thus far has dealt with policy changes. When a policy change is made, it will be recorded. This can be used to see when something was changed, and whether it was changed by someone else. If an attacker were to get into the system and allow LAN Manager hashing through the local security policy, there would be a record of it. It is important to make sure that the Security Option "Audit: Shut down system immediately if unable to log security audits" (registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail = 0) is disabled. If enabled, it is possible that the system might crash when rebooted and, when rebooted again, only the administrator will be able to log in. The value will have to be changed before other users will be able to log in. This problem has been fixed by a Microsoft patch. Details can be found here.

What consequences will there be on my system?

Records will continue to be created every time a policy change is made or fails to be made. As stated above, if the CrashOnAuditFail value is enabled, only the administrator will be able to log in after two restarts (the first restart being a system crash).

Return

Audit Privilege Use

Why do this?

Each time a user does something that is considered their user right, the event is logged. This doesn't include backing up and restoring files, creating a token object or debugging programs. It is important to make sure that the Security Option in the Local Security Policy, "Audit: Audit the use of Backup and Restore privilege" is disabled. When this is turned on, the audit files will quickly become filled.

What consequences will there be on my system?

Records will be created that detail attempts to use rights the user has not been assigned, as outlined under User Rights Assignment.

Return

Audit Process Tracking

Why do this?

This option is used only when your computer is believed to be under attack. It records events like program and process entrance and exit. Obviously this would generate large amounts of information and should only be used when necessary.

What consequences will there be on my system?

Every time a process starts or stops a record will be created.

Return

Audit System Events

Why do this?

Anything that the user does that affects system security or the audit logs will be recorded. It is an obvious advantage to know when and who tried to modify something that would affect system security. This information can be used to reprimand users who are abusing policy and making the system more vulnerable. All events such as restarting and shutdown of the computer, or failure to do so, will be recorded.

What consequences will there be on my system?

Events affecting system security will be recorded.

Return

Access Credential Manager as a Trusted Caller

Why do this?

Credential Manager is used for backup/restore and for storing log-in credentials such as usernames and passwords. It is important that no users are given the privilege to access Credential Manager as a trusted caller. Otherwise, they may be able to retrieve the credentials of other users.

What consequences will there be on my system?

When all users are removed from the list, there will be no adverse effect on the system.

Return

Who can access the computer from the network

Why do this?

This option allows the groups of users listed to access the computer remotely through SMB sessions. It is a good idea to limit the users who are authorized to log in remotely. The rule of least privilege implies that if there is no need for a user to access the computer over the network, they should not be allowed to do so. This helps to limit the number of accounts exploitable by an attacker. There is no reason why the Guest account should be allowed to log in remotely; it should be eliminated. Also, the Support account(s) are not needed and should be disabled as well. This setting won't affect services other than SMB.

What consequences will there be on my system?

All accounts that are not part of one of the groups listed will be denied access to the computer from the network. The user accounts need to be looked over to make sure that any user with a legitimate purpose is able to log in remotely. Removing the support account from the list means it will not be able to log in to the computer. It should, however, also be disabled to keep attackers from exploiting the account.

Return

Who can act as part of the Operating System

Why do this?

Letting a user act as part of the operating system gives that user more privileges than an administrator. It is a low-level right that allows the user to bypass all access privileges, security permissions, and user rights. If such an account came under the control of an attacker, it would give that person complete control of the system. All other security measures would become worthless because they could simply be bypassed. Under normal operating procedures, such an account is unnecessary and should not be allowed.

What consequences will there be on my system?

If the principle of least privilege is followed, this will have no effect on the system because all necessary functions can be done without acting as part of the operating system. Administrator should be the most powerful account on the system, and it should be guarded as the key to the system. No other account should be created with that power, as it only adds to the security risk.

Return

Who can add workstations to the domain

Why do this?

This user right only has relevance in a domain environment. Since we are considering how individual workstations should be locked down, there is no reason to add any group to this list. If the computer were in a domain, the users who should have this privilege have it as part of that account, they do not need to be given the privilege explicitly. This will keep attackers from adding an untrusted workstation to the domain.

What consequences will there be on my system?

When all users are removed from this list on an individual workstation, there will be no effect on the system, as it is not on a domain.

Return

Who can adjust memory quotas for a process

Why do this?

This gives a user the ability to change the maximum amount of memory that a process can consume. Since there is a limited amount of computer memory, this can be used to fine-tune a system. By allowing a process a little more memory, it can function faster. But this ability can also be misused to create a denial of service. If an attacker gives all the available memory to a single process, no other processes will function until that process releases its memory. Obviously an attacker can use this as a tool to cripple a system.

What consequences will there be on my system?

This will have very little, if any, effect on your system. Even though the ability to change the memory quota exists, there will be no effect until it is actually used by the proper accounts.

Return

Who can logon locally

Why do this?

The users that can log on locally are those who need physical, console access to the computer. This tends to be most computer users. There are, however, a number of accounts that should not be allowed to log in, including guests and support accounts. The main advantage of creating a list of users who are able to log in is that they must be specified in the list before they can log in; these rights need to be explicitly set before the person can use the console. This adds a little protection against arbitrary user additions.

What consequences will there be on my system?

If a user is added, that user needs to be added to the list of users who are able to login locally. This can be through group membership or by simply adding that user individually. If that user is not added to the list, he or she will not be able to login.

Return

Who can logon through Terminal Services

Why do this?

This determines who can log on to the computer remotely through Terminal Services. The use of Remote Desktop requires this privilege. Because Remote Desktop shouldn't be allowed on secure workstations (or notebooks), there is no group that should be given this privilege. Removing all users and groups from this list will help to secure the workstation from unwanted remote attackers. Obviously, this doesn't apply to workstations that also double as servers.

What consequences will there be on my system?

This will stop Remote Desktop logins and other terminal services through the network as there will be no users or groups that have privileges to terminal services.

Return

Who can backup files and directories

Why do this?

The ability to backup files and directories is extremely important to the long-term health of any computer system. The only problem is that combined with the ability to restore files, a user can make a backup of a file and restore it with access privileges. The ability to backup files supersedes the access privileges assigned to files. So a user with backup privileges can make a backup of a file to which they don't have regular access privileges. This is an obvious vulnerability because with a few more steps, a user can access a file they normally wouldn't have access to.

What consequences will there be on my system?

Part of an administrator's job could be to backup the system and restore files, should the need arise. Since the administrator already has privileges to access most files and directories on the system, it would not be a violation of privilege for the administrator to make backups. The only effect on the system would be that backups must be performed by the administrator, if this is not already the policy.

Return

Who can bypass traverse checking

Why do this?

Bypassing traverse checking means that a user can pass through a part of the directory structure they don't have access to in order to reach a part they do have access to. For example, if there is a folder C:\windows\system32\config and the user has been denied access to the folder system32 but granted access to config, the user will be able to go through system32 to get to config. This option isn't particularly dangerous because the user will not be able to access anything in the denied folder, just pass through it. It could, however, be a sign of improper access control administration, so if there is a problem it can serve as an alert to that fact.

What consequences will there be on my system?

This will have no effect on the system other than not allowing users to travel through directory trees to get to another directory. If this somehow affects their work, then they should be granted access to that directory tree, not the entire system.

Return

Who can change the system time

Why do this?

The ability to change system time by any user can affect Kerberos and other time critical functions. By allowing anyone to change this time, it is possible to thwart these functions. The administrator, who is in charge of the system, should be responsible for changing the time, should it need changing. Not only could changing the system time affect critical authentication systems, for example, it could be used to annoy other users. It would be aggravating if the clock were fifteen minutes behind which resulted in arriving late to an appointment.

What consequences will there be on my system?

This will simply allow the administrator to be the only one who can change the system time.

Return

Who can change the time zone

Why do this?

The time zone is essentially the System time added to the time zone offset so that the users can view their local time. Changing the time zone does not affect System time so it does not pose security risk. However, only Administrators should have the access to change it. This is so users can view the correct time in their local area.

What consequences will there be on my system?

This will simply allow the administrator to be the only one who can change the time zone.

Return

Who can create a pagefile

Why do this?

The ability to create a pagefile introduces a number of vulnerabilities to the system. Users with pagefiles can modify or remove them, which can lead to system instability. A more severe problem introduced by pagefiles is that nothing stored in them is encrypted. This allows an attacker to retrieve some valuable information about the system without having to decrypt it.

What consequences will there be on my system?

Only administrators will be allowed to create pagefiles and change their size.

Return

Who can create a token object

Why do this?

A created token object can be used to access all resources. It's obvious that the ability to give access privileges to anyone could be used to give an attacker privileges to compromise the entire system. Only the Local Security Authority should be allowed to create token objects that give users privileges.

What consequences will there be on my system?

Removing everyone from the list has no effect on the system. The Local Security Authority will create the objects as necessary, and the system will function normally.

Return

Who can create global objects

Why do this?

These global objects are used within Terminal Service sessions. Although some applications may require the use of global objects, they are also a security risk. This right should only be given to trusted users.

What consequences will there be on my system?

Non-administrator accounts may experience problems with some applications, but this is unlikely. There will likely be no adverse effects on the system.

Return

Who can create permanent share objects

Why do this?

Permanent shared objects are used internally by kernel-mode operations. All components that need to create these objects have the rights already assigned to them, so adding anything to the list is unnecessary.

What consequences will there be on my system?

There will be no effect on the system because the rights have already been assigned to the components that need them.

Return

Who can create symbolic links

Why do this?

Symbolic links work much like shortcuts in that they are a pointer to a file-system object and appear as a normal file or directory. This means that symbolic links work at the file-system level and could be used by attackers to change permissions on a file and modify, corrupt or destroy data. Thus, this right should only be given to trusted users.

What consequences will there be on my system?

Only administrators will be allowed to create symbolic links.

Return

Who can debug programs

Why do this?

The ability to debug programs that are being run as other users presents a tremendous vulnerability. Attackers can use a technique called DLL injection to insert malicious code into the program being debugged which allows the attacker access to system components. The ability to debug programs that are running as other users should not be permitted in a secure environment, but if it is, the rights should be assigned to a particular group only. The ability to debug also opens up another problem. Sometimes the system state is saved if a program crashes to help programmers debug the problem. This information can be used to gather information about the system which can be used later in an attack.

What consequences will there be on my system?

When your computer runs into a stop error, information about the state of the machine will no longer be recorded.

Return

Explicitly deny access to computer from the network

Why do this?

The groups and users on this list will not be able to access the computer from the network. Placing people on this list provides further security against an attacker exploiting accounts from the network. Accounts that have been disabled should be found on this list, which ensures greater security should they be turned back on again. This list supersedes the list allowing access to the computer from the network, so even if a group or user is found on both lists, they will be denied access. If no network access is required, it would be a good idea to place everyone on the list. The remote access this list is concerned with is SMB (Server Message Block), which is available in many Microsoft operating systems.

What consequences will there be on my system?

All accounts that are found on this list will not be allowed to access the computer from the network.

Return

Who is denied logging on as a batch job

Why do this?

This allows a user to log in as a batch job. For example, a user can submit a job to the task scheduler and instead of that person being logged in interactively, they will be logged in as a batch job. This does allow a user to schedule programs to be executed by the task scheduler. A determination must be made as to which user(s) should be able to do this.

What consequences will there be on my system?

All accounts that are found on this list will not be allowed to be logged in as a batch job. These users won't be able to submit jobs to the task scheduler.

Return

Who is denied logging on as a service

Why do this?

This prevents a user from registering a process as a service. Service account passwords are saved on the hard drive in near plain-text. This means that the password could easily be recovered by an attacker trying to break into the computer.

What consequences will there be on my system?

Any user or group listed will not be able to register a process as a service. Some processes need to be registered as a service. If this occurs, a change may be necessary.

Return

Who is denied from logging on locally

Why do this?

This option can be used to specifically deny users the ability to login to the computer at the console. The main security feature with this user right is that unauthorized users will not be able to login to the computer. They must be removed from this list before they are able to login from the console. This doesn't, however, affect the use of the account with telnet, SMB, or anything else. Accounts that are known to the system at the time of configuration should be added to the list, such as Guest and the support accounts. This adds more assurance that the accounts will not be used without the consent of the administrator.

What consequences will there be on my system?

All accounts that are listed will not be able to login locally. This does not affect logins through SMB, telnet or any other service.

Return

Who is denied logging on through Remote Desktop Services

Why do this?

This works much in the same way as the user right above which lets specific users use Remote Desktop Services. This, however, denies the right to any user on the list. Any user found on this list will not be able to login through Terminal Services. This supersedes the right to access above. This should be denied to everyone because Remote Desktop Services should not be active on a secure workstation. Should your workstation function as a server, the correct strategy would be to deny access to “Guest,” support accounts, and “HelpAssistant.”

What consequences will there be on my system?

This will have no effect on your system other than a little added insurance that no one will use your computer remotely. Even if Remote Desktop is turned on somehow, all users are still denied access to the machine.

Return

Enable computer and user accounts to be trusted for delegation

Why do this?

This allows a user to change the setting entitled "Trusted for Delegation" for users and objects within Active Directory. Misuse of this could leave the domain vulnerable to trojan horse attacks. Since we are dealing with workstations that are not connected to a domain, this right is of little concern. However, should the computer become connected to a domain, the right has already been set to a secure state. Also, it is more secure to let no one change the "Trusted for Delegation" field than to let someone.

What consequences will there be on my system?

This will have no effect on your system unless your computer is connected to a domain. If it is connected to a domain, the setting allows no one to set this setting, so the domain is not compromised.

Return

Who can force a shutdown from a remote system

Why do this?

This allows a user the ability to shut down the computer from a remote location on the network. This is a dangerous setting because it allows someone to perform a denial of service on the users accessing the machine at the time of shutdown. Care must be taken to ensure only the proper users have access to this kind of control. Since administrators have near complete access to the machine, they should be trusted with this control. It is usually better to allow someone the ability to shut down the computer in the event it really does need to be shut down.

What consequences will there be on my system?

Allows a group of people the ability to shut down the computer remotely. Shutdown occurs even if there are open processes and connections.

Return

Who can generate security audits

Why do this?

This allows a process to write to the security event log. If there is a problem with a service, or there is an event that should be audited according to the rules set up in the Local Security Policy, some process must log it. If there is no access, it can't be done. Care must be taken to make sure that too much access isn't given to users that should not be able to change the logs.

What consequences will there be on my system?

Those processes that are not allowed to audit to the security event log will not be able to do so. This means that valuable information about what is happening to the system could be lost.

Return

Who can impersonate clients after authentication

Why do this?

This option determines who may allow a program to execute on behalf of a user. This could be a situation like executing commands on another computer. The security issue involved is malicious code being run under the user's privileges. Most programs do not need such privileges, so all groups can safely be removed.

What consequences will there be on my system?

While most programs do not require this privilege, there are some that do. In this case, it may be necessary to add that user to a special group with this ability in order to perform these types of operations.

Return

Who can increase scheduling priority

Why do this?

This offers the users or groups under this list the ability to change the priority of a running process. A process with a high priority will be run more than a process with a lower scheduling priority. This can sometimes be used for maximum system utilization, but it could also be used in a denial of service attack. Giving a process a large priority will use up processor time. Care must be taken to ensure only responsible users have the ability to change the scheduling priority.

What consequences will there be on my system?

A change in scheduling priority will change the operation of the computer. Since processes with higher priority will take more of the CPU, a change in which process has the highest priority will change the way the system is running.

Return

Who can load and unload drivers

Why do this?

Drivers are highly trusted programs that "drive" how a device interacts with the operating system. A compromise of a driver is a compromise of the entire system. Consequently, the ability to load and unload drivers should be granted only to the most trusted users. If any user were able to load a driver, that user could load a piece of malicious code into the operating system which could, for example, open a backdoor to the system.

What consequences will there be on my system?

The users that are entrusted with the ability to load and unload drivers must, of course, do the loading and unloading of the drivers. So, if something changes and a new driver is needed, those users must be responsible.

Return

Who can lock pages in memory

Why do this?

Locking pages in memory forces pages of memory to remain in RAM instead of being paged out to disk. If this right is granted, it is possible to launch a denial of service attack on the machine in which all of the available RAM is consumed, rendering the computer useless until it is restarted. Therefore, no one should have this right.

What consequences will there be on my system?

The default setting is set to not allow anyone this right and that is the way it should stay. There will be no effect on the system, whatsoever.

Return

Who can log on as a batch job

Why do this?

Users who can log on as a batch job are able to schedule tasks to be run at a later date. At the time of batch job execution, that person will be logged on as a batch job (as opposed to interactively). No users should be added to the list because the Task Scheduler automatically grants the correct rights without intervention.

What consequences will there be on my system?

Since the task scheduler will grant the necessary rights, there will be no effect to the system.

Return

Who can log on as a service

Why do this?

There is little need for a user to have the ability to log on as a service. Some applications do require this right, so a determination needs to be made whether or not that feature should be allowed and whether it is worth the risk. It follows from the principle of least privilege that users should only be given the access that is needed. Logging on as a service is not a necessary function for most computing, especially on a workstation, so it should be allowed only to NETWORK SERVICE.

What consequences will there be on my system?

Should there be a situation where a user or application needs the ability to log on as a service, that ability will be cut off. Generally, there will be no effect on the system.

Return

Who can modify object labels

Why do this?

Objects have integrity labels that work as a hierarchy: processes with a higher integrity level may modify objects with a lower integrity level. If an attacker gains the ability to modify object labels, they may elevate the privileges of malware and infiltrate the system.

What consequences will there be on my system?

If no users are included in this list, there will be no adverse effects on the system.

Return

Who can manage audit and security logs

Why do this?

Any user who can manage the logs also has the ability to clear the logs and specify how the logs should function. It can be extremely hard to discover the avenue of intrusion if the logs have been cleared by the intruder. Logs provide a way for administrators to track activity on the system. If any user can change the way that this is done, or remove all the logs, they serve no purpose. Only trusted users should have this ability.

What consequences will there be on my system?

Any changes in the way that the audits are performed or deletions of the logs must be done with administrator privileges. In some cases this simply means logging in as administrator. In other cases it means contacting another person.

Return

Who can modify firmware environment values

Why do this?

This feature controls the ability of a user to change system-wide environment variables that are used by programs to gather information about the system. These values can be changed by users or programs through different methods if they are listed here. In applications where the system environment variables are used to create a fingerprint of the system, this fingerprint will not give an accurate representation of the system, because things have been changed to give the illusion of another system. Under normal operations, the user should rarely, if ever, have to change environment variables.

What consequences will there be on my system?

If some user needs the ability to change the environment variables, this user will have to be granted specific privileges. As noted above, most users have no need for changing these values. Should the need arise, however, it is possible that the access will not be granted.

Return

Who can perform volume maintenance tasks

Why do this?

Windows comes with a number of utilities that perform maintenance on the drives, including Disk Defragmenter and Disk Cleanup. Obviously these utilities are essential to the health of the operating system but they also deal with very low-level operations on the drive. Because of this it is recommended that only trusted users have the ability to run them.

What consequences will there be on my system?

The user(s) entrusted with the ability to perform volume maintenance tasks need to be aware that they are responsible for the health of the system. This might mean the upkeep of many systems, which can be a large responsibility. So, as the security of the system has gone up, the usability has dropped, which illustrates one of the fundamental tradeoffs in computer security.

Return

Who can profile a single process

Why do this?

When a process isn't running quite normally, one of the things a user can do is profile the process to diagnose the problem. These profiles contain information about the performance of the process. Unfortunately, they can also contain sensitive information that could be used against the system. For this reason, only trusted users should be allowed to access this information. The goal is to make an attacker's job harder by keeping as much information from them as possible.

What consequences will there be on my system?

If your system runs software that needs to be profiled quite often, it is possible that more users will need to be added to this list. Specifically, software developers need a way to use software metrics in their programs to test the performance and security of their programs. However, in a secure environment, only the administrators should have this privilege. No other effects, other than denial of service to these profiles, will occur to normal users.

Return

Who can profile system performance

Why do this?

This is much the same as above, except that it deals with the running of system processes. This can be even more sensitive than user processes, because it is system processes that deal with much of the security matters. As stated above, the goal is to keep as much information as possible from attackers.

What consequences will there be on my system?

The effects are the same as above: only those people who need to view software metrics and diagnostics will be affected by their access being cut off. If, however, they are legitimate administrators, they will be unaffected.

Return

Who can remove computer from docking station

Why do this?

Only notebooks that have docking stations will be affected by this setting. It is simply a restriction on the software aspect of undocking a notebook computer. Some users may undock the computer inappropriately, which may cause some system instability. However, not giving users the right to properly undock the computer will probably result in the user physically undocking the computer without having disassociated the docking station from the operating system software.

What consequences will there be on my system?

There will not be any change, because desktop computers do not have docking stations and notebook computers will allow all users access.

Return

Who can replace a process level token

Why do this?

This could allow a user to change the token associated with a process to allow different permissions to be assigned. Obviously this is a huge circumvention of privilege. This should only be accessible through the system, not through users. There is no need for users to have this privilege.

What consequences will there be on my system?

There will be no effect on the system because it is a privilege that only the system should have. Users will remain unaffected.

Return

Who can restore files and directories

Why do this?

The ability to restore files and directories can be used with the ability to back up files and directories to compromise the file system. If an attacker gains these rights, they can back up the file and restore that file with the permissions that they require. The ability to restore must be entrusted with a responsible user. This user is usually the system administrator.

What consequences will there be on my system?

The restore functions must now be performed by the system administrator, as no other user will have privileges.

Return

Who can shut down the system

Why do this?

The ability to shut down the computer is usually granted to all users of the system. This is because little can happen to the system when it is shut down. It is difficult to compromise when there is no power running to it. This does change if the computer happens to be a server of some kind. In that case, shutting down the system will become a denial of service to users trying to connect. For workstations, this is not the case.

What consequences will there be on my system?

Since the ability to shut down the system is usually given to all users, there will be no changes.

Return

Who can synchronize directory service data

Why do this?

This setting is only relevant to domain controllers but it allows a user or group to perform "Active Directory Synchronization". This will allow a user to cause directory corruption on the domain controller. Since we are dealing with workstations, however, there should be no one listed.

What consequences will there be on my system?

There will be no effect on workstations.

Return

Who can take ownership of files and other objects

Why do this?

This allows a user to take ownership of files, printers, network connections, etc. on the computer. Since owners are granted a large amount of permissions, the user can then modify the object or file. This is dangerous in that users are granted a large amount of privilege: they can bypass all security permissions on that object.

What consequences will there be on my system?

There will be no change to the system because all files and objects will remain owned by the proper authorities. The only effect will be enhanced security.
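As an added example that is not part of the original checklist, the following PowerShell script reports who currently holds each of the user rights discussed in the sections above, so the settings can be verified after they have been applied. It exports the local policy with secedit (which must be run from an elevated prompt) and reads the [Privilege Rights] section of the resulting INF file. The Se* constant names are the standard Windows names for these rights; the mapping from the checklist's wording to those constants is ours.

```powershell
# Added example, not from the original checklist: list the holders of each
# user right covered above by exporting the local security policy with secedit.
# Must be run from an elevated PowerShell prompt.
$rightsOfInterest = @{
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
    'SeEnableDelegationPrivilege'       = 'Trusted for delegation'
    'SeRemoteShutdownPrivilege'         = 'Force shutdown from a remote system'
    'SeAuditPrivilege'                  = 'Generate security audits'
    'SeImpersonatePrivilege'            = 'Impersonate a client after authentication'
    'SeIncreaseBasePriorityPrivilege'   = 'Increase scheduling priority'
    'SeLoadDriverPrivilege'             = 'Load and unload device drivers'
    'SeLockMemoryPrivilege'             = 'Lock pages in memory'
    'SeBatchLogonRight'                 = 'Log on as a batch job'
    'SeServiceLogonRight'               = 'Log on as a service'
    'SeRelabelPrivilege'                = 'Modify an object label'
    'SeSecurityPrivilege'               = 'Manage auditing and security log'
    'SeSystemEnvironmentPrivilege'      = 'Modify firmware environment values'
    'SeManageVolumePrivilege'           = 'Perform volume maintenance tasks'
    'SeProfileSingleProcessPrivilege'   = 'Profile single process'
    'SeSystemProfilePrivilege'          = 'Profile system performance'
    'SeUndockPrivilege'                 = 'Remove computer from docking station'
    'SeAssignPrimaryTokenPrivilege'     = 'Replace a process level token'
    'SeRestorePrivilege'                = 'Restore files and directories'
    'SeShutdownPrivilege'               = 'Shut down the system'
    'SeSyncAgentPrivilege'              = 'Synchronize directory service data'
    'SeTakeOwnershipPrivilege'          = 'Take ownership of files or other objects'
}

# secedit writes the policy as a Unicode INF file; the [Privilege Rights] section
# lists each right as "SeName = *S-1-5-32-544,*S-1-5-..." (SIDs prefixed with '*').
$inf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

$assigned = @{}
$inSection = $false
foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
    $assigned[$Matches[1]] = $Matches[2]
}

function Resolve-Principal([string]$token) {
    # Tokens are either "*SID" or a plain account name; translate SIDs to names.
    if ($token -notmatch '^\*(S-1-.*)$') { return $token }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $Matches[1]
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Matches[1] }   # unresolvable SID (e.g. deleted account): show it raw
}

foreach ($right in ($rightsOfInterest.Keys | Sort-Object)) {
    # A right missing from the export, or with an empty value, is held by no one.
    $holders = if ($assigned.ContainsKey($right) -and $assigned[$right].Trim()) {
        ($assigned[$right] -split ',' | ForEach-Object { Resolve-Principal $_.Trim() }) -join ', '
    } else { '(no one)' }
    '{0,-45} {1}' -f $rightsOfInterest[$right], $holders
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue
```

Rights that the checklist says should be held by no one (lock pages in memory, replace a process level token, synchronize directory service data, and so on) should show "(no one)"; the deny rights should list the accounts you added. Because the export is read back rather than the GUI, the script can be re-run periodically to catch drift.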

Return

Administrator Account Status

Why do this?

This setting controls the administrator's account. If enabled, the administrator account is active, otherwise, it is not. One security technique is to give another account administrative privileges and disable the account status of the administrator. This will fool some script-kiddies into trying to break into the administrator account, when it has been effectively disabled. The administrator will always be enabled in Safe Mode regardless of the setting here. Since administrators often need to perform maintenance on the system, it should probably be enabled.

What consequences will there be on my system?

The administrator will be able to login to the system.

Return

Guest Account Access

Why do this?

The guest account gives anonymous users a chance to use the computer's resources. It is a much more secure policy to have all users of the system log in through an account. This way they can be tracked more effectively. The guest account should be disabled on every machine. Not only will this keep anonymous users from the console, but guests will not be able to log in from the network either. Make sure to give the Guest account a long password before disabling it.

What consequences will there be on my system?

The guest account will be disabled, and all users will have to be given accounts to login.

Return

Blank Passwords at Console Only

Why do this?

This setting determines whether a user who has a blank password will be able to log in through the network. Blank passwords should not be allowed on either the console or the network. Since this is still an option, even with blank passwords turned off, it is smarter to enable it than to leave it disabled. This provides a little added insurance that if someone should be able to create a blank password, it won't be exploited from the network.

What consequences will there be on my system?

If any accounts were logging in using a blank password, they will no longer be able to. This is valid for all accounts, even for terminal services, etc.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SYSTEM>CurrentControlSet> Control>Lsa>limitblankpassworduse = 1

Return

Rename the Administrator Account

Why do this?

The biggest advantage of renaming the administrator account is confusing the script-kiddies. Script-kiddies, by definition, are not very intelligent and don't have a good understanding of how computers work. What they will try to do is attack the administrator account. Since this will not be found, they won't know how to proceed. It makes the job of breaking into the account much more difficult, since now they have to determine which account is the administrator.

What consequences will there be on my system?

As far as the system is concerned, there is no longer an account named Administrator. This means that all attempts to log in as Administrator will fail. This is true of console as well as network logins. The administrator will have to log in under the new name.

Return

Rename the Guest account

Why do this?

For the same reason described above. Many attackers will target the guest account because it is often given privileges that it shouldn't have. The attacker won't be able to find an account named Guest, so he or she must now locate the account. Once the account is found, they will find that it is disabled. It is an added defense-in-depth strategy.

What consequences will there be on my system?

It will have no effect on your system because the guest account is disabled.
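As an added example that is not part of the original checklist, this PowerShell snippet verifies that the Administrator and Guest settings from the last four sections have been applied. Renaming changes only the account name, not its SID, so the script locates the two built-in accounts by their well-known relative identifiers (500 for Administrator, 501 for Guest) and reports whether each has been renamed and whether Guest is disabled. The function name is ours.

```powershell
# Added example, not from the original checklist: confirm that the built-in
# Administrator and Guest accounts have been renamed and that Guest is disabled.
function Get-BuiltInAccountStatus {
    # LocalAccount=TRUE keeps the query from enumerating a domain if the box is joined.
    $accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=TRUE"
    foreach ($acct in $accounts) {
        # The last component of the SID is the RID; 500 and 501 are the built-ins.
        $rid  = [int]($acct.SID -split '-')[-1]
        $role = switch ($rid) { 500 { 'Administrator' } 501 { 'Guest' } default { $null } }
        if (-not $role) { continue }
        New-Object PSObject -Property @{
            Role     = $role
            Name     = $acct.Name
            Renamed  = ($acct.Name -ne $role)
            Disabled = [bool]$acct.Disabled
            SID      = $acct.SID
        }
    }
}

$status = Get-BuiltInAccountStatus
$status | Format-Table Role, Name, Renamed, Disabled, SID -AutoSize

# Flag deviations from the checklist: both accounts renamed, Guest disabled.
foreach ($a in $status) {
    if ($a.Role -eq 'Guest' -and -not $a.Disabled) {
        Write-Warning "Guest account '$($a.Name)' is still enabled."
    }
    if (-not $a.Renamed) {
        Write-Warning "$($a.Role) account still uses its default name."
    }
}
```

The Administrator row will normally show Disabled = False, which matches the "Administrator Account Status" recommendation above; a warning for the Guest row means the "Guest Account Access" step was not applied.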

Return

Audit access of global system objects

Why do this?

When this option is enabled, there will be a large number of log entries because every access to a global system object will be logged. This includes things like semaphores, mutexes, events, etc. Can you imagine how many entries there would be if every event was logged? Save yourself the trouble and only use this option when absolutely necessary.

What consequences will there be on my system?

Having this option disabled will have no effect on your system because things will not be logged.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SYSTEM>CurrentControlSet> Control>Lsa>auditbaseobjects = 0

Return

Audit the use of backup and restore privilege

Why do this?

This option is similar to the audit policy "Audit Privilege Use". The Audit Privilege Use option by itself does not audit every privilege, for example the backup and restore privileges. For this option to take effect, Audit Privilege Use must be enabled. The result is the same as the above option; however, the audit logs will fill very quickly with all of the events that are generated. Only use this option when absolutely necessary.

What consequences will there be on my system?

Having this option disabled will not affect your system. Having it enabled will result in a large increase in the number of events that are logged.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SYSTEM>CurrentControlSet> Control>Lsa>fullprivilegeauditing = 0

Return

Shutdown computer if error in audit logs

Why do this?

This option will shut down the computer when the audit log receives an error. This could be due to an error logging an event for some reason, or it could be because the logs are full. When the computer receives such an error, the computer will be shut down. The administrator must then fix the error before normal operations can continue. This could be enabled on one-person systems, but on systems with multiple users it is probably not a good idea.

What consequences will there be on my system?

If there is some problem with the audit logs, the problem will persist until fixed. The shutting down of the computer is a security mechanism in which the computer will stop all normal operation until the problem is fixed. In this situation, normal operations will continue until the problem is fixed which can be a minor security problem.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SYSTEM>CurrentControlSet> Control>Lsa>crashonauditfail = 0

Return

DCOM Access Restrictions

Why do this?

According to Microsoft: "This policy setting determines which users or groups might access DCOM application[s] remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications". When no descriptor is defined, the users and groups are given explicit Allow or Deny privileges on both local and remote access. This will help improve the security of the system.

What consequences will there be on my system?

There will be no adverse consequences on the system.

Return

DCOM Launch Restrictions

Why do this?

According to Microsoft: "This policy setting determines which users or groups might launch or activate DCOM application[s] remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications". When no descriptor is defined, the users and groups are given explicit Allow or Deny privileges on both local and remote launch and activation. This will help improve the security of the system.

What consequences will there be on my system?

There will be no adverse consequences on the system.

Return

Allow undock without logging in

Why do this?

This option prevents the system from being undocked gracefully (through software) without logging in. Users must log in to the computer and undock the station before removing it. To do this, they must also be granted the right under User Rights Assignment. Obviously this key only has significance for notebook computers that have a docking station. There will be no change on desktop machines and notebooks that do not dock. This option has no control over whether or not the computer can be physically removed from the docking station: anyone can always remove the computer from the station without shutting down the running services.

What consequences will there be on my system?

There will be no effect on desktop machines and notebooks that do not dock. Docking notebooks, however, will no longer be able to be undocked without logging in: users will need to log in to the computer before starting the software undock process. Again, the computer can always be yanked from the docking station.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows> CurrentVersion> Policies> System> undockwithoutlogon = 0

Return

Who is allowed to format and eject removable media

Why do this?

This is a listing of who is allowed to format and eject removable NTFS disks. Since formatting will remove all data from the disk, and ejecting media will result in a denial of service for those who need it, it is best to allow only administrators this privilege, which is the default.

What consequences will there be on my system?

Only administrators will have the privilege necessary to format and eject removable NTFS media.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows NT> CurrentVersion>WinLogon> AllocateDASD = 0

Return

Prevention of users installing printer drivers

Why do this?

The installation of printer drivers is something that needs to be trusted because drivers act on a very low level. If any user could install printer drivers, they could install very low-level programs that could corrupt the computer. Since the installation of printers does not happen very often, it is a much better, and more secure idea to have the administrator install the necessary drivers. This setting only deals with installing network printer drivers, not local printers.

What consequences will there be on my system?

An administrator will have to install the printer drivers.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SYSTEM>CurrentControlSet> Control> Print> Providers>LanMan Print Services> Servers>AddPrinterDrivers = 1

Return

Restrict the CD-ROM to locally logged in users

Why do this?

In Windows, any process can access the CD-ROM. If there are two users, one logged in at the console (locally) and the other logged in over the network, the network user will not be able to access the CD-ROM. This helps prevent a race condition in which two people try to access the same media at the same time. If only the network user is logged in and no one is logged in locally, the network user can then use the CD-ROM.

What consequences will there be on my system?

By enabling this option, you protect your CD-ROM drive from being accessed by two people at the same time. This does, however, create a denial of service for the user on the network: if the locally logged-in user is not using the CD-ROM and the network user wants to, he or she will not be able to, simply because there is a user logged in at the console.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows NT> CurrentVersion>WinLogon> AllocateCDROMs = 1

Return

Restrict the floppy to locally logged in users

Why do this?

The situation is the same as above: this setting determines whether or not a local user and a remote user can access the floppy disk at the same time. It is generally a good idea to allow only one user at a time to access a particular resource like a floppy drive. Unfortunately, the only way to do this is to restrict access to the local user when two people are logged on at the same time.

What consequences will there be on my system?

The floppy drive will no longer be accessible from the network if there is a user logged on at the console. If there is not, then the network user does have access.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows NT> CurrentVersion>WinLogon> allocatefloppies = 1

Return

Unsigned driver behavior

Why do this?

When a new hardware device is going to be used with the computer, there needs to be a way to communicate with that device. The way that this is done is through a driver. A driver is the interface between the device and the operating system. As a result, the driver must exist at a very low level. When a program has such low-level access, it is entrusted with a lot of privilege. This is where a security exploit can be created: if an attacker could manage to insert a bad driver, he or she could accomplish quite a bit. Consequently, Microsoft checks to see whether a driver is digitally signed with a certificate before it is installed. Unfortunately, to be signed, the driver must be trusted by Microsoft, and inspections sometimes drag on long after the driver is released. This means that not all legitimate drivers are signed. If only signed drivers are allowed, there will be a great reduction in the usability of just about every hardware device. This means that in the tradeoff between usability and security, security has to suffer a bit. Remember that if the setting "Do not allow installation" is selected, someone could still install the driver manually.

What consequences will there be on my system?

When a driver that is not digitally signed is installed on the system, the system will alert you to the problem. You will have the option of continuing or stopping the operation. Care should be taken to make sure that all drivers come from a legitimate source (out of the original hardware box). Otherwise it could result in a security hole in your system.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Driver Signing> Policy = 1

Return

Allow server operators to schedule tasks

Why do this?

This policy setting determines whether or not to allow server operators to submit jobs using the at command. By default, these jobs are run under the Local System account, which elevates the privileges of the jobs. Disabling this setting prevents malicious programs from raising their privileges and hogging resources.

What consequences will there be on my system?

Other than preventing server operators from submitting jobs, there are no other effects on the computer.

Return

LDAP Server Signing Requirements

Why do this?

LDAP stands for Lightweight Directory Access Protocol and is an Internet protocol used by email and other programs to look up information such as contact information, encryption certificates, etc. from a server. Because these servers may carry sensitive data, it is wise to enable this setting so that servers are able to send data to clients without it being modified by man-in-the-middle attacks.

What consequences will there be on my system?

If a server computer enables this policy setting, client computers must do so as well or else they will be unable to communicate with the server. Clients will also be unable to run LDAP queries against a domain controller if their system does not support LDAP signing.

Return

Refuse machine account password changes

Why do this?

If the password of a domain member has been compromised, it should be changed immediately to prevent any further damage to the computer. Enabling this setting would restrict member computers from doing so. Thus, it is more secure to set this setting to "Disable".

What consequences will there be on my system?

This allows a domain controller to accept changes to a machine account's password.

Return

Encrypt or sign secure channel data (always)

Why do this?

If the computer is at some time connected to a domain, this setting makes certain that all communication that is done between the two is secure. It does this by forcing encryption or signing the data that is sent through the channel. Because some of the communication that is done through the channel has to do with the security settings of the domain, it is a wise idea to make sure that the data is secure.

What consequences will there be on my system?

The communication that is done between your system and the domain controller is made more secure through this setting. It does require that the domain controller be running at least Windows 2000, or Windows NT 4.0 with Service Pack 4 installed. Otherwise the channel will not be established.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SYSTEM>CurrentControlSet> Services>Netlogon> Parameters> requiresignorseal = 1

Return

Encrypt secure channel data (when possible)

Why do this?

If the domain controller that the computer is connected to supports encrypted traffic, encryption is used. Obviously this adds to security, because an attacker would have to intercept the traffic and then decrypt it. This should be used whenever possible.

What consequences will there be on my system?

There will be no effect on your system. Traffic will be more secure to and from the domain controller, if one is ever connected.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SYSTEM>CurrentControlSet> Services>Netlogon> Parameters> sealsecurechannel = 1

Return

Sign secure channel data (when possible)

Why do this?

If the domain controller that the computer is connected to supports signed traffic, signing will be used. This helps the domain controller verify that a message has not been tampered with in transit. This should be used whenever possible.

What consequences will there be on my system?

There will be no effect on the system. This setting only matters if the computer is connected to a domain controller.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SYSTEM>CurrentControlSet> Services>Netlogon> Parameters> signsecurechannel = 1
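As an added example that is not part of the original checklist, the following PowerShell script reads back every registry value the checklist gives in its "can also be achieved through the registry settings" notes (from "Blank Passwords at Console Only" through the three secure channel settings above) and compares each with the recommended value. The paths and value names are the checklist's own, written in their canonical registry spelling (registry names are case-insensitive); the printer-driver value is AddPrinterDrivers. The function names are ours.

```powershell
# Added example, not from the original checklist: compare the registry values the
# checklist lists against their recommended settings and report OK / MISMATCH / NOT SET.
$checks = @(
    @{ Setting='Limit blank passwords to console logon only'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='LimitBlankPasswordUse'; Expected='1' },
    @{ Setting='Audit access of global system objects';       Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='AuditBaseObjects';      Expected='0' },
    @{ Setting='Audit use of backup and restore privilege';   Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='FullPrivilegeAuditing'; Expected='0' },
    @{ Setting='Shut down on audit log error';                Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name='CrashOnAuditFail';      Expected='0' },
    @{ Setting='Allow undock without logon';                  Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='UndockWithoutLogon'; Expected='0' },
    @{ Setting='Allowed to format and eject removable media'; Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='AllocateDASD';     Expected='0' },
    @{ Setting='Restrict CD-ROM to locally logged-on user';   Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='AllocateCDROMs';   Expected='1' },
    @{ Setting='Restrict floppy to locally logged-on user';   Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='AllocateFloppies'; Expected='1' },
    @{ Setting='Prevent users from installing printer drivers'; Path='HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'; Name='AddPrinterDrivers'; Expected='1' },
    @{ Setting='Unsigned driver behavior';                    Path='HKLM:\SOFTWARE\Microsoft\Driver Signing'; Name='Policy'; Expected='1' },
    @{ Setting='Encrypt or sign secure channel data (always)'; Path='HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name='RequireSignOrSeal'; Expected='1' },
    @{ Setting='Encrypt secure channel data (when possible)';  Path='HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name='SealSecureChannel'; Expected='1' },
    @{ Setting='Sign secure channel data (when possible)';     Path='HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'; Name='SignSecureChannel'; Expected='1' }
)

function Get-RegistryValueAsString([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist (the policy was never set).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $value = $item.$Name
    # REG_BINARY (used by the old Driver Signing policy) comes back as byte[]; join the bytes.
    if ($value -is [byte[]]) { return ($value | ForEach-Object { [string]$_ }) -join ',' }
    return [string]$value   # REG_DWORD and REG_SZ values both compare as strings
}

function Test-ChecklistRegistry {
    foreach ($c in $checks) {
        $actual = Get-RegistryValueAsString $c.Path $c.Name
        $status = if ($null -eq $actual) { 'NOT SET' }
                  elseif ($actual -eq $c.Expected) { 'OK' }
                  else { 'MISMATCH' }
        New-Object PSObject -Property @{
            Status = $status; Setting = $c.Setting; Value = $c.Name
            Expected = $c.Expected; Actual = $actual
        }
    }
}

Test-ChecklistRegistry | Sort-Object Status | Format-Table Status, Setting, Value, Expected, Actual -AutoSize
```

A NOT SET result means the value has never been written, so the Windows default applies; for the AllocateDASD and AllocateCDROMs/AllocateFloppies values that default is not the checklist's recommended setting, so they should be set explicitly through Local Security Policy rather than left absent.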

Return

Disable machine account password changes

Why do this?

Passwords are used to establish secure connections between domain controllers and domain members before transmitting sensitive information. Thus, allowing computer accounts to change their passwords when needed is the most secure option.

What consequences will there be on my system?

There will be no effect on the system. This setting only matters once the computer is joined to a domain.

Return

Maximum machine account password age

Why do this?

This sets how many days a domain member can keep their password before needing to change it. It is good practice to modify passwords every few weeks to protect accounts from brute-force attacks.

What consequences will there be on my system?

Domain members will need to enter a new password occasionally.

Return

Require strong (Windows 2000 or later) session key

Why do this?

These session keys are used to encrypt and decrypt messages that are transmitted between the domain member and the domain controller. Enabling this setting protects the channel from eavesdropping and session-hijacking network attacks. Note: Only enable this setting if all trusted domains support strong keys.

What consequences will there be on my system?

The system will be unable to join Windows NT 4.0 domains. There may also be difficulties with trusts between a Windows NT domain and an Active Directory domain.

Return

Display user information when session is locked

Why do this?

If the username is displayed while the session is locked, an attacker only has to figure out the password to breach the system. By disabling this feature, attackers have to guess both the username and the password, which requires more effort and time.

What consequences will there be on my system?

The system will not show the current user's information when the session is locked.

Return

Display last username logged in

Why do this?

When an attacker is trying to break into a system, he or she first must find a way in. One of the most common ways to do this is to find a username and password. If the last username is displayed, half of the attacker's work is done; all that is left is to find the password for that username. Since all users should know their username and password, it is trivial to have them enter both at login instead of just the password.

What consequences will there be on my system?

Users will be required to type in both their username and password at login. This is not the case when the computer is locked: when the computer is locked, the username will still appear in the correct box.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName = 1

Return

Don't require ctrl + alt + delete to logon

Why do this?

When this setting is disabled, the user has to press the key sequence ctrl + alt + delete to log on to the system; if it is enabled, they do not. The key combination establishes a trusted path to the operating system, which provides some security, so enabling the setting is a security risk. Since pressing the keys is extremely easy, the setting should be disabled.

What consequences will there be on my system?

When users want to logon to the system, they will be required to press the key combination, ctrl + alt + delete to get to the login screen.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD = 0

Return

Message text for users logging on

Why do this?

Generally used by organizations for legal purposes, this policy setting may be used to deter users from abusing the system or to warn attackers of the ramifications of their actions. If this policy is enabled, make sure that the message is approved by the company's legal and human resources representatives.

What consequences will there be on my system?

The message text will appear on the login screen.

Return

Message title for users logging on

Why do this?

This policy setting works much like a shorter and more brief version of the message text and is used to deter users from abusing the system.

What consequences will there be on my system?

A message title will appear on the login screen.

Return

Number of logons to cache locally

Why do this?

This setting sets the number of logons that are cached on the local machine for use when the domain controller becomes unavailable for some reason. Because we are dealing with an environment where the domain controller is nonexistent, this setting really should be zero: there should be no record of users' logon credentials kept on the system.

What consequences will there be on my system?

If the computer becomes a member of a domain, the domain controller will have to be available to the domain or users will not be able to login.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount = 0

Return

Number of days before password expiration to prompt user

Why do this?

This is the number of days before a user's password expires that they are given a warning. Usually it is smarter to give the user a little time to come up with a new password before making them change it; it is often harder to think of a password on the spur of the moment. This doesn't change the password requirements, only the notification that it is going to expire.

What consequences will there be on my system?

Two weeks prior to password expiration, the user will be notified that their password is going to expire.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning = 14

Return

Domain Controller required to unlock workstation

Why do this?

This setting requires authentication with the domain controller before a workstation is unlocked; otherwise a cached authentication can be used instead. However, since BTNSP assumes a domain environment is not being used, this option should not be enabled. In fact, enabling the option could result in a computer that cannot be unlocked.

What consequences will there be on my system?

There will be no consequences if this option is left disabled.

Return

Smart Card required for login

Why do this?

A smart card provides a different kind of authentication from passwords: a special card must be present to authenticate the user. If such a device is available, it should be used, but without it this option could lock out all users.

What consequences will there be on my system?

There will be no consequences if this option is left disabled.

Return

Smart card removal behavior

Why do this?

When a user logs in to the computer with a smart card and then removes the card, an action is performed. The least secure option is to do nothing, but that means the smart card can be removed from one computer, used in another, and replaced without any consequence. This is very insecure and defeats the purpose of smart cards. The appropriate action is to log the user off: no smart card, no access.

What consequences will there be on my system?

If smart cards are used, they must be available to the system at all times of computer access or the user will be logged off.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption = 1

Return

Client - Digitally sign communication (always)

Why do this?

This option forces clients to sign their communication when using the SMB protocol. Signatures stop man-in-the-middle attacks between the client and the server. Even if SMB communication is not used (and it shouldn't be), this option should be enabled.

What consequences will there be on my system?

Because the system will be authenticating every packet that is transferred, there will be a performance hit.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature = 1

Return

Client - Digitally sign communication (If server agrees)

Why do this?

This is much like the setting above except that signing isn't forced. The client will sign SMB communications only if the server is configured to allow or require signing. This is a weaker version, but it should be enabled.

What consequences will there be on my system?

There will be no effect on your system except added security.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature = 1

Return

Send unencrypted passwords to 3rd party SMB servers

Why do this?

If this is enabled, your computer will send unencrypted passwords over SMB to other computers. The idea was to be able to authenticate with computers that did not support password encryption. However, if the computer does not support this, you should not be connecting to it. Never send passwords in plaintext form over any network, ever.

What consequences will there be on my system?

Your computer will not be able to log in to SMB servers that do not support encrypted password authentication.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword = 0

Return

Amount of time before session is suspended

Why do this?

This controls the amount of time of inactivity that must pass before an SMB connection is disconnected. There is an interesting balance here because leaving an unattended SMB connection for a long period of time can lead to an exploit on both machines. However, reducing the time before the session expires will require credentials to be sent more often to reestablish the connection. In a secure environment, the legitimacy of the use of SMB should be considered. There may be a more secure method, such as SSH. Another consideration is how SMB is being used. This can often affect the idle time in transactions.

What consequences will there be on my system?

Any SMB session that is created between computers will be disconnected if left idle for this amount of time. The session must then be reestablished.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoDisconnect = 15

Return

Server - Digitally Sign Communications (always)

Why do this?

If the workstation being configured is going to be used as a server later on, this setting will help to ensure security. It determines whether communications must be digitally signed, and it only applies when the computer is acting as the server. It is generally a good idea to have communication signed so it can be determined whether the information has been tampered with in transit.

What consequences will there be on my system?

If the workstation becomes a server later on in its life, it will digitally sign all SMB packets. The consequence is that if the client receiving the signed packets can't read them, communication cannot take place.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature = 1

Return

Server - Digitally Sign Communication (if client agrees)

Why do this?

This will digitally sign SMB packets to the client only if the client agrees. While this might ensure more functionality with older clients, it does sacrifice security; it is more secure to always sign SMB packets. This option should be enabled anyway, because it makes sense to sign communication whenever the client agrees. It also makes security sense to sign the packets even if the client doesn't agree; such a client will need to be upgraded.

What consequences will there be on my system?

This will have no effect on your system because the issue addressed above will apply to clients that can't handle the signatures. In this setting, the client tells the server that it can handle the signatures, so use them.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\EnableSecuritySignature = 1

Return

Disconnect client when logon hours expire

Why do this?

This is another setting that is only valid when the computer is acting as a server and has clients logged on. Users can be assigned hours in which they are allowed to be logged on; if a user goes outside this time, the server will disconnect the session. This is consistent with policies that only allow certain users to be logged on to the computer at certain times. Because you can never be sure of the client's policies (even different departments can have different policies), it is best to enable this option.

What consequences will there be on my system?

This should not have an effect on your system because the policy for the user to log off is set by the client. When a user has remained logged in past the time that they are allowed, they will be kicked off the server.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\EnableForcedLogOff = 1

Return

Allow Anonymous SID/Name translation

Why do this?

This allows users to find out the SID for another user given their username. It also permits the opposite: looking up a username given a SID. The reason for not allowing this is simple: there is very little reason that a user would need to look up another user's SID, and vice versa. Attackers could use this information to find usernames.

What consequences will there be on my system?

If there is a legitimate purpose for looking up this information about a different user, it will not be allowed. The user would have to request this information through the administrator, which is more secure.

Return

Do not allow anonymous enumeration of SAM accounts

Why do this?

This stops users who log in anonymously from enumerating the SAM to see the accounts therein. If it is disabled, an attacker can see all the usernames and other user information that should not be given out. Make sure that this is enabled or there is a tremendous security risk. This is one of the most common ways attackers have exploited Windows systems, so it is very well known.

What consequences will there be on my system?

Your system will be much more secure but there will be no consequences to performance and functionality.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM = 1

Return

Disable anonymous enumeration of SAM accounts and shares

Why do this?

This follows the above setting. It allows or disables the ability of an anonymous user to view information about what shares are available on a computer as well as information about the accounts in the SAM file. When this setting is disabled, the anonymous user will be able to enumerate information on the shares that are on the computer. When enabled, the anonymous user will not be able to. The anonymous user should not be able to get any information about the system so it should be enabled.

What consequences will there be on my system?

If there is any user or service that counts on being able to enumerate SAM accounts or shares, they will no longer have access to this information. This should not be an issue in a secure environment.

Return

Do not allow storage of credentials and .NET passports

Why do this?

When credential storage is allowed, the computer stores credentials and passwords for different users on the local machine. These passwords or credentials could then be used to attack other systems, because it is very likely that the stored passwords are used somewhere else as well. It is not a good idea to store more authentication information than is absolutely necessary.

What consequences will there be on my system?

Users will have to give their authentication details every time they log in instead of having them stored on the local machine.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DisableDomainCreds = 1

Return

Let Everyone permission apply to anonymous users

Why do this?

This decouples the anonymous user from the Everyone group. With this disabled, anonymous users will only have access to those resources that have been explicitly granted to them (which should be nothing). Some documents state that this is equivalent to setting RestrictAnonymous (the setting above) to 2. Since setting RestrictAnonymous to 2 and disabling this can both be done with no adverse effects, both should be done.

What consequences will there be on my system?

If anonymous users currently use your computer under permissions granted to them by the Everyone group, they will no longer have this access. It is never a good idea for this to be a policy. Anonymous users should not be allowed.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous = 0

Return

Named pipes that can be accessed automatically

Why do this?

Pipes facilitate communication between processes and are themselves processes. Some of these pipes are given names that are consistent from system to system. This setting lists the named pipes that are accessible anonymously, and it should follow the needs of that particular box: some pipes are necessary and some probably are not. Setting this requires some trial and error, I'm afraid.

What consequences will there be on my system?

This may shut down some obscure service on your machine, so care must be taken to find which pipes are necessary. If they are necessary, discover why, and what effect this will have on security.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes

Return

Remotely accessible registry paths

Why do this?

The registry is the heart and soul of the Windows operating system. Virtually everything that needs some sort of setting (which is just about everything) gets it from the registry. Almost everything that we have done to secure a Windows workstation has been dealing with the registry either directly or indirectly. Allowing people to read and modify the registry remotely is not a very good idea. Anytime that something is available from the Internet, it is vulnerable to attack. The registry should only be modifiable from the console.

What consequences will there be on my system?

This may make the administrator's job very difficult if she counts on the ability to change registry settings remotely. Depending on the situation this may need to be changed, but it is not a very good idea to open up that vulnerability.

Return

Remotely accessible registry paths

Why do this?

See Remotely accessible registry paths

What consequences will there be on my system?

This may make the administrator's job very difficult if she counts on the ability to change registry settings remotely. Depending on the situation this may need to be changed, but it is not a very good idea to open up that vulnerability.

Return

Restrict anonymous access to Named Pipes and Shares

Why do this?

Named pipes provide the communication between processes from the same computer or multiple computers of the same network while shares are the shared files between computers in a network. It is generally a bad idea to allow anonymous users to gain access to the system because these users cannot always be trusted.

What consequences will there be on my system?

Only authenticated users may have access to server pipes and shared folders.

Return

Shares accessible anonymously

Why do this?

Windows shares are essentially folders that are shared across the network. Most of the time, the users set up a share to be accessible by only a certain group of people (people with accounts). But it is possible to make a share accessible anonymously. Don't do it. There is very little reason to allow some of the data on your machine to be seen and modified by people you don't know. Remember: anonymous = bad. You always want to know the username of the person who is messing with your stuff.

What consequences will there be on my system?

If there is some service or user out there that is accessing these shares anonymously, they will no longer have access. This may not be such a bad thing. But depending on your environment, it might be. (Of course, then it's not really a secure environment, is it?)

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares

Return

Sharing and security model for local accounts

Why do this?

There are two options here. The first is to do it the old-fashioned way: all users who log on remotely must use their username and password. The other option is just to let anyone in as a guest. A guest account is the bane of security minds everywhere. By default, in a domain environment, users who wish to log in over the network must do it the old-fashioned way; if the computer is standalone, the guest account path is chosen by default. It is generally not a very good idea to allow anyone access to your shared resources. It should be noted that some services like telnet (don't use it anyway, right?) and Remote Desktop Services are not affected by this setting.

What consequences will there be on my system?

If a user wishes to access any kind of shared resource on the computer, it must be done through logging in with a username and password. Otherwise they will not be let in.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest = 0

Return

Allow Local System to use computer identity for NTLM

Why do this?

NTLM is the protocol used for network authentication. When a service uses the computer's identity for a connection, that identity is used in the signing and encryption process, providing additional protection to the data transmitted. If a service connects without the computer's identity, the connection falls back to anonymous.

What consequences will there be on my system?

User authentication is required when connecting to a computer that is running Windows Server 2008 or Windows Vista.

Return

Allow Local System NULL session fallback

Why do this?

A NULL session allows anonymous users to connect to an IPC (inter-process communication) network service and list system information such as usernames, passwords, etc. If an attacker is able to retrieve the credentials of an administrator, the whole system will be compromised.

What consequences will there be on my system?

Since this setting prevents services from using NULL sessions, it may cause some application incompatibility.

Return

Allow Local System NULL session fallback

Why do this?

Enabling this policy setting will allow the use of online identities (such as an email account) as a substitute for logon credentials, which permits a user to log on to a peer computer without having to use a domain or local account. This is highly insecure since an attacker may impersonate the real owner of the online identity and control the system remotely from there.

What consequences will there be on my system?

Online identities cannot be used for authentication.

Return

Configure encryption types allowed for Kerberos

Why do this?

Although encrypting data is always good practice, there are some encryption algorithms that have been broken. This means that decrypting the data takes less effort and time, leaving sensitive information vulnerable to attackers. Therefore, choosing the more robust algorithms provides more protection.

What consequences will there be on my system?

The Kerberos protocol will only use the selected encryption types. This may cause interoperability trouble with computers that run older versions of Windows.

Return

Do not store LAN Manager Password
Password Authentication Level

Why do this?

In older versions of Windows, the user password was stored in a format called the LAN Manager hash. The protocol for this method is extremely weak. Not only is the protocol weak, but the maximum length for a password is 14 characters; anything longer is truncated. In addition, no "salt" is used to make the hash, so two identical passwords are stored as the same hash value. In a stronger algorithm, identical passwords would be saved as completely different values, which makes them much more difficult to crack. Password cracking programs take advantage of this algorithm to find users' passwords; most LAN Manager passwords can be cracked in a matter of days, depending on their complexity. By removing the LAN Manager password, you will force the computer to store the password as the much stronger NTLM hash. This algorithm allows longer passwords and does use "salt". As a result, they are much harder to crack. In addition, by setting the value in LAN Manager authentication level to "Send NTLMv2 response only\refuse LM & NTLM" you will ensure that no easy-to-crack passwords are stored on your system.

What consequences will there be on my system?

By removing the LAN Manager password, you remove compatibility with Windows 9x/ME, OS/2, Windows for Workgroups, and Windows NT (prior to service pack 4) machines. These machines only store the LAN Manager password, so by not allowing it these systems will not be able to authenticate with your machine. Since these machines followed a very weak security model, they should not be allowed in a secure network anyway.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel = 5

Return

Force Logoff

Why do this?

This setting controls whether or not a user on a client machine is disconnected from an SMB session when they remain logged on past their valid logon hours. The logic here is: why should a user be allowed an SMB session longer than he or she is allowed to be logged in?

What consequences will there be on my system?

If a user is in the middle of an SMB session when their valid login time expires, they will be disconnected.

Return

LDAP client signing requirements

Why do this?

This requirement limits how the client and server negotiate signing of LDAP communications. The client and the server should negotiate signing requirements before data exchange takes place; this helps prevent someone from performing a man-in-the-middle attack between the client and the server. If TLS/SSL is being used, this setting is ignored.

What consequences will there be on my system?

There will be no effect on your system. There might be a small (one to two millisecond) delay in data communication because of the negotiation. In reality the negotiation is done in the literal blink of an eye.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAP\LDAPClientIntegrity = 1

Return

Minimum session security for NTLM SSP based clients

Why do this?

This setting controls the minimum security for an application-to-application session between clients. When setting the requirements for passwords, NTLMv2 must be used. There should be no change for NTLM SSP based clients.

What consequences will there be on my system?

As is the case with NTLMv2 passwords, there are some systems that do not support such strong password encryption. These applications will not be permitted to communicate with applications on NTLMv2 enabled clients.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec = 537395200

Return

Minimum session security for NTLM SSP based servers

Why do this?

For the same reasons as above, application-to-application communication between two servers should have the maximum amount of protection from attackers. This means using NTLMv2 and 128-bit encryption.

What consequences will there be on my system?

As is the case with NTLMv2 passwords, there are some systems that do not support such strong password encryption. These applications will not be permitted to communicate with applications on NTLMv2-enabled servers.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec = 537395200

Return
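
The number 537395200 in the two NTLM session security settings above is a bitmask, not a level. As an added example (not part of the BTNSP checklist), the PowerShell below decodes it into the two policy checkboxes it represents and reads both values back from the MSV1_0 key, so a mismatch such as only one bit set is visible. The function names are my own; the flag values are the documented ones behind the two checkboxes ("Require NTLMv2 session security" and "Require 128-bit encryption"). It is read-only and written for the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example, not part of the BTNSP checklist: decode the bitmask behind
# "Minimum session security for NTLM SSP based clients/servers" and read the
# two values back from the registry. 537395200 decimal is 0x20080000, which is
# both policy checkboxes set. Read-only; it changes nothing.
$NtlmSecFlags = @{
    0x00080000 = 'Require NTLMv2 session security'
    0x20000000 = 'Require 128-bit encryption'
}
$NtlmSecRecommended = 0x20080000   # the value the checklist recommends (537395200)

function ConvertFrom-NtlmMinSec {
    param([Parameter(Mandatory=$true)][uint32]$Value)
    $required = @(foreach ($flag in ($NtlmSecFlags.Keys | Sort-Object)) {
        if (($Value -band $flag) -eq $flag) { $NtlmSecFlags[$flag] }
    })
    New-Object PSObject -Property @{
        Hex      = ('0x{0:X8}' -f $Value)
        Decimal  = $Value
        Required = ($required -join ', ')
        # Complete only when both bits are set; 0x20000000 alone would still
        # accept sessions without NTLMv2 session security.
        Complete = (($Value -band $NtlmSecRecommended) -eq $NtlmSecRecommended)
    } | Select-Object Hex, Decimal, Required, Complete
}

function Test-NtlmMinSec {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    foreach ($name in 'NTLMMinClientSec', 'NTLMMinServerSec') {
        $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            # Value absent: the OS default applies, not the hardened setting.
            New-Object PSObject -Property @{ Name = $name; Hex = '(not set)'; Decimal = $null; Required = ''; Complete = $false } |
                Select-Object Name, Hex, Decimal, Required, Complete
            continue
        }
        # REG_DWORD comes back as a signed Int32; mask the low 32 bits before the
        # unsigned cast so a value with the top bit set does not throw.
        $decoded = ConvertFrom-NtlmMinSec -Value ([uint32](([int64]$prop.$name) -band 4294967295))
        $decoded | Add-Member -MemberType NoteProperty -Name Name -Value $name -PassThru |
            Select-Object Name, Hex, Decimal, Required, Complete
    }
}

# Offline: what does the recommended number mean?
ConvertFrom-NtlmMinSec -Value 537395200 | Format-List
# On the workstation: do both values carry both bits?
Test-NtlmMinSec | Format-Table -AutoSize
```

Decoding 537395200 reports both flags and Complete = True. A value of 524288 (0x80000) would report only "Require NTLMv2 session security" with Complete = False, which is the case to look for after an upgrade or a policy rollback.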

Allow automatic administrative logon under recovery console

Why do this?

The recovery console is a tool that is used to solve system problems. When it is invoked at startup, this setting determines whether or not the administrator is logged in automatically. Since this command-line tool is usually only used by administrators to solve problems, there is a tendency to allow the automatic login. This is not a very good idea, because it gives an attacker administrator access simply by invoking the recovery console; from there the attacker could add new users, or do anything else he or she wanted.

What consequences will there be on my system?

When the administrator wishes to log in to the recovery console, she must do so by providing her password. There will be no automatic logins.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel = 0

Return

Allow floppy copy and access to all drives and folders under recovery console

Why do this?

With this setting enabled, a user who logs into the recovery console has full access to all drives and folders, and also to the recovery console's SET command, which allows setting some environment variables. Giving users this access when they normally wouldn't have it is a violation of access privileges.

What consequences will there be on my system?

Users who log into the recovery console will not have full access to the drives and directories.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand = 0

Return

Allow system shutdown without logging in

Why do this?

When this setting is enabled, anyone can shut down the system even if they don't have the authority. By disabling it, at least the system can only be shut down by users who have basic login access. The only problem with this is that a user who does not have access to the machine might just unplug it, which can damage the computer. If this is a concern in your environment, it may be safer to allow anyone to shut down the machine; at least that way there is a better chance of minimizing damage.

What consequences will there be on my system?

System shutdown must be done by logging in and choosing shutdown from the pulldown menu, instead of being able to click on the "Shut Down..." button in the login screen.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows> CurrentVersion> Policies> System> ShutdownWithoutLogon = 0

Return

Clear pagefile at shutdown

Why do this?

During normal operation Windows pages memory out to the pagefile (pagefile.sys). This improves performance, but the pagefile can hold plaintext copies of anything that was in memory, including passwords and keys, and it persists across reboots. This setting overwrites the pagefile with zeros when the computer is shut down, so that an attacker who boots the disk under another operating system cannot read what was paged out. It does nothing for the hibernation file, which holds a complete memory image (see Disable Memory Dump Files below), and nothing if the machine loses power without a clean shutdown.

What consequences will there be on my system?

This process increases the shutdown time of the computer substantially. The amount of time varies from computer to computer and scales with the size of the pagefile, since the whole file is overwritten; as an example it added nearly 45 seconds to the shutdown time on my (slow) notebook.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Control> Session Manager> Memory Management> ClearPageFileAtShutdown = 1

Return

Force Strong Key Protection

Why do this?

A public/private key pair is asymmetric: data encrypted with the public key can only be decrypted with the private key, and a signature made with the private key can be verified by anyone holding the public key. A valid signature therefore shows that a document was signed by whoever holds the private key, which is only as strong as the secrecy of that key. The public key may be distributed freely; the private key must never leave its owner's control. Private keys held in the user's certificate store on the computer are normally protected only by the user's logon credentials, so malware running as that user, or an attacker who has compromised the system, can use or export them. Selecting "User must enter a password each time they use a key" adds a separate password to the key, so an attacker also has to obtain that password (or capture it as it is typed) before the key can be used. The protection level is set when a key is created or imported, so keys that already exist keep the level they were imported with.

Note: When creating a password for your keys, make sure that is distinct from your domain password.

What consequences will there be on my system?

The user must enter a password each time they use a key, for example to digitally sign a document or to authenticate with a client certificate. This can be an inconvenience, especially for users who sign documents frequently.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SOFTWARE> Policies> Microsoft> Cryptography> ForceKeyProtection = 2 (1 would only prompt the user when the key is first used; 2 requires the password each time)

Return

Use FIPS compliant algorithms for encrypting, hashing and signing

Why do this?

The US government publishes standards (FIPS 140) for cryptographic modules and the algorithms they may use; implementations that meet them are called FIPS compliant. With this setting enabled, Windows restricts itself to the FIPS-approved algorithms: Schannel (TLS/SSL) only offers cipher suites using 3DES or AES for encryption, RSA for authentication and key exchange and SHA-1 for hashing, and will not negotiate RC4, MD5 or the SSL 2.0 and 3.0 protocols; EFS uses 3DES or AES rather than the older DESX. These are not the strongest algorithms in the world, but it is a good idea to enforce a minimum standard for the algorithms used to encrypt, hash and sign sensitive data.

What consequences will there be on my system?

When enabled, Windows requires the stronger algorithms above. This affects Internet Explorer's ability to reach secure (HTTPS) sites: because SSL 3.0 is no longer allowed, Internet Explorer can only reach sites that support TLS. Check that "Use TLS 1.0" is enabled under Internet Options > Advanced > Security (on Windows 7 it is on by default); sites that still require SSL 3.0 or RC4-only cipher suites will not load at all. Browsers that bring their own TLS implementation, such as Firefox, are not affected by this policy. Also be aware that .NET Framework applications that use non-validated cryptographic classes (for example MD5CryptoServiceProvider or RijndaelManaged) throw an exception while FIPS mode is on, so test your line-of-business applications before enabling it.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Control> Lsa> FipsAlgorithmPolicy> Enabled = 1

(On Windows Vista and later the value is named Enabled inside the FipsAlgorithmPolicy subkey; the single FIPSAlgorithmPolicy value directly under Lsa is the Windows XP location and is not read by Windows 7.)

Return

Default owner for objects created by members of the Administrators group

Why do this?

This setting determines who becomes the owner of an object created by a member of the Administrators group: the Administrators group itself or the individual creator. The suggested setting is the Administrators group, because the other choice has a security weakness. If the object creator becomes the owner, a user who creates objects while a member of Administrators keeps ownership, and therefore full control, of those objects after being removed from the group. Making the Administrators group the owner removes that risk.

What consequences will there be on my system?

The Administrators group will own, and therefore control, every object created by any member of that group.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Control> Lsa> NoDefaultAdminOwner = 0

Return

Require case insensitivity for non-Windows subsystems

Why do this?

When this is enabled, case insensitivity is enforced for all directory objects, symbolic links and I/O objects in the object manager namespace, which is how the Win32 subsystem expects names to behave; only the POSIX subsystem uses case-sensitive names. There is no real security advantage to enabling or disabling this setting on a workstation that runs no POSIX applications, and it is enabled by default.

What consequences will there be on my system?

There will be no effect on your system from enabling this setting. Disabling it might have some effect, because object names would then have to be referred to with exactly the right uppercase and lowercase characters.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Control> Session Manager> Kernel> ObCaseInsensitive = 1

Return

Strengthen default permissions of internal system objects

Why do this?

This strengthens the default access control lists on objects that are shared throughout the system, such as named mutexes, semaphores and DOS device names. When enabled, non-administrative users can read these objects but cannot modify ones they did not create, which prevents a standard user from hijacking or squatting on a name that a privileged process expects to use.

What consequences will there be on my system?

There should be very little, but some fine tuning of permissions might be necessary due to the heightened restrictions.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Control> Session Manager> ProtectionMode = 1

Return
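The Security Options above are all plain registry values, so the checklist can be audited and applied from a script rather than clicked through. The following script is an added example and not part of the original checklist; it covers the clear-pagefile, shutdown-without-logon, FIPS, default-owner, case-insensitivity and internal-object settings from the sections above (the Recovery Console values are omitted, since Windows 7 has no Recovery Console). The file name and the -Apply switch are this example's own choices. It needs PowerShell 2.0 (as shipped with Windows 7) and an elevated prompt; without -Apply it only reports.

```powershell
# Harden-SecurityOptions.ps1 (added example, not from the checklist)
# Usage from an elevated prompt:  .\Harden-SecurityOptions.ps1          (report only)
#                                 .\Harden-SecurityOptions.ps1 -Apply   (write the values)
param([switch]$Apply)

# Desired state, taken from the sections above. FipsAlgorithmPolicy lives in a
# subkey on Vista and later; the XP-era DWORD directly under Lsa is not read.
$desired = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'; Name = 'ClearPageFileAtShutdown'; Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';         Name = 'ShutdownWithoutLogon';     Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy';          Name = 'Enabled';                 Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                              Name = 'NoDefaultAdminOwner';     Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel';           Name = 'ObCaseInsensitive';       Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';                  Name = 'ProtectionMode';          Value = 1 }
)

function Get-CurrentValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

foreach ($setting in $desired) {
    $current = Get-CurrentValue $setting.Path $setting.Name
    $state = if ($current -eq $setting.Value) { 'OK' } elseif ($current -eq $null) { 'MISSING' } else { 'DIFFERS' }
    "{0,-8} {1}\{2} = {3} (want {4})" -f $state, $setting.Path, $setting.Name, $current, $setting.Value

    if ($Apply -and $state -ne 'OK') {
        # Create the key if it is absent (FipsAlgorithmPolicy may not exist yet), then write a DWORD.
        if (-not (Test-Path $setting.Path)) { New-Item -Path $setting.Path -Force | Out-Null }
        Set-ItemProperty -Path $setting.Path -Name $setting.Name -Value $setting.Value -Type DWord
    }
}
if ($Apply) { 'Reboot for FIPS, ProtectionMode and ObCaseInsensitive to take effect; the pagefile is cleared at the next shutdown.' }
```

Run it once without -Apply and keep the output: it documents the machine's state before the change, which is what you want when an application breaks afterwards (FIPS mode is the usual culprit) and you need to know which value to roll back.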

Optional Subsystems

Why do this?

If this setting is not left blank, optional subsystems such as POSIX are started to support applications that need them. The problem arises when a user starts a process in such a subsystem and then logs off: the subsystem keeps the process alive, and the next user who logs on can potentially inherit the first user's privileges (by accessing the same process) and use them to maliciously control the system.

What consequences will there be on my system?

Applications that depend on the POSIX subsystem will no longer run, so some settings must be reconfigured to accommodate the application, or the application replaced.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Control> Session Manager> SubSystems> Optional = (empty multi-string value)

Return

Certificate Rules on Windows Executables

Why do this?

Code-signing certificates are used to prove who published a program and that it has not been altered since it was signed. If a signing certificate is compromised, its issuer revokes it and lists it on a certificate revocation list (CRL) that is published for anyone to download. With this setting enabled, Software Restriction Policies that use certificate rules check the CRL and validate the program's certificate before the program is allowed to run; without it, a program signed with a revoked certificate would still pass a certificate rule. The setting only has an effect if you define certificate rules under Software Restriction Policies.

What consequences will there be on my system?

Program start-up may become slower, because the CRL must be fetched (over the network) and the program's certificate and signature validated before it runs; when the CRL cannot be reached, start-up waits for the download to time out.

Return

Admin Approval Mode for the built-in Administrator account

Why do this?

When this policy is disabled and someone logs on with the built-in Administrator account, every program runs with full administrative privileges and there is never an elevation prompt. That is a serious risk if a malicious program gets to run, because it gains full control without any consent. It is much safer to leave the setting enabled so that the built-in Administrator also runs with a filtered token: the user sees which programs ask for elevated status and can deny a request from a suspicious program. (The built-in Administrator account is disabled by default on Windows 7; this setting matters if it has been enabled.)

What consequences will there be on my system?

When logged on as the built-in Administrator, a prompt appears every time a program requests privilege elevation, as it already does for other administrators.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows> CurrentVersion> Policies> System> FilterAdministratorToken = 1

Return

UIAccess applications prompting for elevation

Why do this?

In Windows, a desktop is the surface on which a process draws its windows and through which it receives input. The logon screen, the ordinary user desktop and the UAC prompt are examples of the several desktops Windows uses. The secure desktop is different in that it is created by winlogon.exe and only processes running as SYSTEM can draw on it or read input from it; ordinary applications cannot click a button or read or write a text box there on your behalf, which is what makes the elevation prompt trustworthy. If this policy is enabled, a program with the UIAccess privilege (a remote assistance tool, for example) is allowed to turn the secure desktop off so that elevation prompts appear on the interactive user's desktop instead. That raises your risk, because any other process on that desktop can then interact with the prompt window: it could read your password as it is typed or approve the elevation of a malicious application without your consent. Leave the policy Disabled.

What consequences will there be on my system?

With the policy disabled, the secure desktop is used whenever a program requires elevation, and UIAccess programs cannot change that.

This setting can also be changed through:

HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows> CurrentVersion> Policies> System> EnableUIADesktopToggle = 0

Return

Behavior of the elevation prompt for administrators - Admin Approval Mode

Why do this?

To prevent malicious applications from running with high privilege without the user's consent, never select "Elevate without prompting." The default on Windows 7 is "Prompt for consent for non-Windows binaries," which silently elevates programs signed by Microsoft. "Prompt for consent on the secure desktop" is safer, because you then see every elevation, including those by Windows components; "Prompt for credentials on the secure desktop" is stronger still, since a single click no longer grants elevation.

What consequences will there be on my system?

Whenever a program asks for elevation, a prompt appears on which the user can allow or deny the request (or must enter the administrator password, if prompting for credentials was chosen).

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows> CurrentVersion> Policies> System> ConsentPromptBehaviorAdmin = 2 (consent on the secure desktop) or 1 (credentials on the secure desktop)

Return

Behavior of the elevation prompt for standard users - Standard Users

Why do this?

Since standard users should not hold administrator credentials anyway, the safest option is "Automatically deny elevation requests." If the same person has both a standard and an administrator account, the appropriate setting is "Prompt for credentials on the secure desktop," so that the administrator password is only ever typed on the secure desktop.

What consequences will there be on my system?

If "Automatically deny elevation requests" is selected, a program that needs elevation simply fails with an access-denied message for a standard user; an administrator must log in to run it (which can be an inconvenience).

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows> CurrentVersion> Policies> System> ConsentPromptBehaviorUser = 0 (deny) or 1 (credentials on the secure desktop)

Return

Prompt for application installations

Why do this?

Installers typically need to write to Program Files and to HKEY_LOCAL_MACHINE, so a malicious program that has been allowed to run may try to install further software that damages the system. With this setting enabled, Windows recognises installer executables heuristically (by file name keywords such as setup or install, by version resource fields and by manifest) and forces an elevation prompt before they run, so the user can refuse an installation they did not ask for.

What consequences will there be on my system?

Whenever an application is recognised as an installer and requires elevation to install, the installation is detected and the user is prompted for elevation. The policy only matters while UAC is on, and it is enabled by default on Windows 7 workstations.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows> CurrentVersion> Policies> System> EnableInstallerDetection = 1

Return

Only elevate signed and validated executables

Why do this?

This setting ensures that an application requesting elevation is trusted before it is elevated: its Authenticode signature is checked and the certificate chain is validated from the signing certificate up through each issuing certificate authority to a certificate in the local computer's Trusted Publishers store. Unsigned executables, and signed ones whose chain does not end in a trusted publisher, are not elevated.

What consequences will there be on my system?

Older, unsigned programs (and many unsigned installers) cannot be elevated while this setting is Enabled; they can still be started with standard user rights, but anything that needs administrative access will fail. Expect this to break a good deal of older software.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows> CurrentVersion> Policies> System> ValidateAdminCodeSignatures = 1

Return

Only elevate safely stored UIAccess applications

Why do this?

In Windows, each process runs at an "integrity level," which governs which processes may send window messages to each other: a process can send messages to processes of the same or a lower integrity level, but not to a process with a higher level. This restriction, called User Interface Privilege Isolation (UIPI), keeps a low-integrity program from driving the user interface of a more privileged one. Some legitimate programs (screen readers, remote assistance, input method software) must bypass UIPI; to do so, their manifest sets the uiAccess flag to true. It would be dangerous if any program could claim that flag, so with this policy enabled Windows only honours UIAccess for programs that are signed and installed under the protected directories, which are %ProgramFiles%, %ProgramFiles(x86)% and %SystemRoot%\System32 (including their subdirectories), where only administrators can write.

What consequences will there be on my system?

An application that does not meet the requirements for UIAccess still starts, but without the UIAccess privilege, so it can only interact with processes at the same or a lower integrity level.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows> CurrentVersion> Policies> System> EnableSecureUIAPaths = 1

Return

Run all administrators in Admin Approval Mode

Why do this?

With UAC on, every program an administrator starts runs, by default, with a standard user token rather than full administrative privileges, so it cannot install software or change the operating system, system files or machine-wide registry keys (beyond what belongs to the current user). Whenever an application asks to be elevated to administrator privileges, a User Account Control (UAC) prompt appears and waits for the user's approval or refusal. Turning this setting off disables UAC entirely, which lets illegitimate programs run with full privileges and make malicious changes without the user's consent or knowledge.

What consequences will there be on my system?

Once this setting is changed, the PC must be restarted. If the user disables it, all the other UAC-related policies stop having any effect.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows> CurrentVersion> Policies> System> EnableLUA = 1

Return

Switch to secure desktop when prompting for elevation

Why do this?

Since other processes cannot interact with (or meddle with) the secure desktop, it is much more secure to choose "Enabled" for this policy setting: a prompt on the ordinary desktop could be clicked, read or spoofed by malware running as the user.

What consequences will there be on my system?

When enabled, this setting overrides the desktop choice made in "Behavior of the elevation prompt for standard users" and "... for administrators": all UAC prompts appear on the secure desktop (except where standard users' requests are set to be denied outright, in which case no prompt is shown at all).

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows> CurrentVersion> Policies> System> PromptOnSecureDesktop = 1

Return

Virtualizing file and registry write failures

Why do this?

File and registry virtualization is a compatibility feature of UAC. Many older applications written for Windows XP assume they run as an administrator and store their settings in protected locations such as %ProgramFiles%, %SystemRoot% and the machine-wide keys under HKEY_LOCAL_MACHINE\Software. With UAC those writes fail for a standard user and the application would break. With this setting enabled, Windows intercepts the failed write and redirects it to a per-user location (%LocalAppData%\VirtualStore for files and HKEY_CURRENT_USER\Software\Classes\VirtualStore for the registry); later reads are redirected there too, so the application keeps working without being given administrative rights. The redirection applies only to 32-bit interactive applications that carry no UAC manifest; programs that declare a requestedExecutionLevel in their manifest, and all 64-bit programs, are expected to write to the right places and get no virtualization. On a system that only runs UAC-aware software the feature is never exercised, but it costs nothing to leave it enabled in case an old application that writes to insecure locations is run.

What consequences will there be on my system?

If enabled, there are no negative consequences for the system. If disabled, legacy applications that write to protected locations fail outright, which is usually more disruptive than the redirection.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows> CurrentVersion> Policies> System> EnableVirtualization = 1

Return
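Every User Account Control policy in the sections above is stored as a value under the same registry key, so the whole group can be checked at once. The script below is an added example, not part of the original checklist: it reads the values behind each UAC policy discussed above and reports whether the current value is one the checklist would accept. The policy descriptions and the "acceptable" value sets are this example's own summary of the sections above. It is read-only and runs under PowerShell 2.0 on Windows 7 (elevation is not required to read the key).

```powershell
# Audit-UAC.ps1 (added example, not from the checklist): report the UAC policy values.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Policy, registry value name, and the values the sections above treat as acceptable.
$policies = @(
    @{ Policy = 'Run all administrators in Admin Approval Mode';                       Name = 'EnableLUA';                   Ok = @(1) },
    @{ Policy = 'Admin Approval Mode for the built-in Administrator account';          Name = 'FilterAdministratorToken';    Ok = @(1) },
    @{ Policy = 'Elevation prompt for admins (1=credentials, 2=consent; secure desktop)'; Name = 'ConsentPromptBehaviorAdmin'; Ok = @(1, 2) },
    @{ Policy = 'Elevation prompt for standard users (0=deny, 1=credentials on secure desktop)'; Name = 'ConsentPromptBehaviorUser'; Ok = @(0, 1) },
    @{ Policy = 'Switch to the secure desktop when prompting';                         Name = 'PromptOnSecureDesktop';       Ok = @(1) },
    @{ Policy = 'Allow UIAccess apps to prompt without the secure desktop';            Name = 'EnableUIADesktopToggle';      Ok = @(0) },
    @{ Policy = 'Detect application installations and prompt';                        Name = 'EnableInstallerDetection';    Ok = @(1) },
    @{ Policy = 'Only elevate signed and validated executables';                       Name = 'ValidateAdminCodeSignatures'; Ok = @(1) },
    @{ Policy = 'Only elevate UIAccess apps installed in secure locations';            Name = 'EnableSecureUIAPaths';        Ok = @(1) },
    @{ Policy = 'Virtualize file and registry write failures';                         Name = 'EnableVirtualization';        Ok = @(1) }
)

$values = Get-ItemProperty -Path $uacKey
$findings = @()
foreach ($p in $policies) {
    $current = $values.($p.Name)
    if ($current -eq $null) {
        $status = 'NOT SET'           # Windows default applies
    } elseif ($p.Ok -contains $current) {
        $status = 'OK'
    } else {
        $status = 'WEAK'
    }
    $findings += New-Object PSObject -Property @{ Status = $status; Value = $p.Name; Current = $current; Policy = $p.Policy }
}
$findings | Format-Table Status, Value, Current, Policy -AutoSize

# Without EnableLUA=1 none of the prompts exist, so say so explicitly.
if ($values.EnableLUA -ne 1) { Write-Warning 'UAC is off (EnableLUA <> 1): every other UAC policy above is ignored.' }
```

A freshly installed Windows 7 Professional machine reports WEAK for ConsentPromptBehaviorAdmin (5, consent for non-Windows binaries only), ValidateAdminCodeSignatures (0) and FilterAdministratorToken (0), which is exactly the gap between the defaults and this checklist.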

Disable Memory Dump Files

Why do this?

Although it is becoming less common, system crashes still occur, and when they do Windows writes a memory dump to disk (MEMORY.DMP, or minidumps under %SystemRoot%\Minidump) for later investigation. When was the last time you looked at one of these files to diagnose a problem? They contain a large part of the system's state, including whatever was in memory at the time, and are stored unencrypted. Windows Error Reporting does the same for application crashes and, by default, offers to send the reports to Microsoft. In both cases information that should be protected is left on disk for an attacker to read. The hibernation file (hiberfil.sys) is the same problem on a larger scale: when the system hibernates, the entire contents of memory are written to disk so that the state can be restored later, and anything that was in memory, including passwords and keys, can be recovered from it by booting the disk under another operating system.

What consequences will there be on my system?

If you are one of the few people who do use these files, they will no longer be available. If a problem keeps recurring, turn crash dumps back on only for the duration of the investigation, make sure they are off again when the work is complete, and wipe the old dumps securely (delete them, then run cipher.exe /w on the volume to overwrite the free space). Turn hibernation off as well, which removes hiberfil.sys.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Control> CrashControl> CrashDumpEnabled = 0
HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows> Windows Error Reporting> Disabled = 1

Return

Strengthen Permissions on Registry Keys

Why do this?

Each registry key has its own permissions, which control who can read or modify the data inside it. With the default installation of Windows 7 Professional, some keys have permissions that could make them a target. The Run keys (under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion) are the classic example: every program listed there is started at logon, in the context of the user who logs on, and malware has used them for persistence for years. On older Windows versions the Power Users group could modify the HKEY_LOCAL_MACHINE Run key; on Windows 7 Power Users is a legacy group with no special rights, but the permissions on these keys should still be verified. If anyone other than Administrators and SYSTEM can write to the machine-wide Run key, malware running as that user can register itself there, and the next time an administrator logs on the malware runs in that administrator's session.

What consequences will there be on my system?

Power Users will be reduced to the rights of ordinary Users on these keys: they can read the entries but can no longer add or modify them. Software that registers its own Run entry at install time still does so, because installation already requires an administrator.

Return
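The check the section above asks for, as an added example that is not part of the original checklist: list what is registered under the Run and RunOnce keys and show who holds write access to the machine-wide ones. The key list (including the Wow6432Node view on 64-bit Windows) and the set of principals treated as legitimate writers are this example's assumptions. It is read-only and runs under PowerShell 2.0.

```powershell
# Audit-RunKeys.ps1 (added example, not from the checklist): autostart entries and who can add them.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',    # 32-bit view, x64 only
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Registry rights that allow adding or changing an autostart entry.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, FullControl'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    "`n== $key"

    # Autostart entries: every value under the key except the provider's own PS* metadata.
    $props = Get-ItemProperty -Path $key
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { "  {0,-30} {1}" -f $_.Name, $_.Value }

    # Only the machine-wide keys matter for the ACL check: HKCU is the user's own hive.
    if ($key -notlike 'HKLM:*') { continue }
    $acl = Get-Acl -Path $key
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.RegistryRights -band $writeRights) -eq 0) { continue }
        $who  = $ace.IdentityReference.Value
        # Anyone outside this set with write access is a persistence opportunity.
        $flag = if ($who -match 'SYSTEM|Administrators|TrustedInstaller|CREATOR OWNER') { '' } else { '   <-- review' }
        "  write: {0} ({1}){2}" -f $who, $ace.RegistryRights, $flag
    }
}
```

Compare the entries it prints with the installed software you recognise; an entry whose command points into a user profile or temporary directory deserves a second look regardless of what the ACL says.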

Stop POSIX Compliance

Why do this?

Some people who attack Windows machines come out of the Unix world. Windows has long offered a POSIX subsystem (on Windows 7 the Subsystem for UNIX-based Applications, an optional feature available only in the Ultimate and Enterprise editions) with a set of UNIX command-line programs, kept for legacy compatibility. An attacker at home with those tools could use them to work on your system, and the subsystem is one more code path that must be kept patched. Since POSIX support exists only for legacy compatibility, it can safely be removed to reduce the attack surface.

What consequences will there be on my system?

Your system is only affected if users on it require POSIX compliance for legacy applications. Since those are legacy applications anyway, it may be worth finding a newer replacement for the older application and improving security at the same time.

Return

Safe DLL Searching

Why do this?

In older versions of Windows, the default search order for a DLL was the application's directory, then the current directory, then the system directories and finally the directories on the PATH. That gave an attacker the opportunity to plant a DLL with the right name in a directory the victim would open, such as a network share or a download folder: the application would load the trojaned DLL from the current directory before it ever looked in the system directories. Since Windows XP SP2, and on Windows 7, the default (SafeDllSearchMode) search order is:

  1. directory from which the application loaded
  2. System directory
  3. 16-bit system directory
  4. Windows directory
  5. current working directory
  6. directories that are listed in the PATH environment variable
This removes the risk of a planted DLL in the current directory taking precedence over the system copy. Although the default already uses the safe order, it is better to err on the side of caution and set it explicitly in the registry:

HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Control> Session Manager> SafeDllSearchMode = 1

Be clear about what this does not fix. A DLL that the application asks for but that does not exist in its own directory or in the system directories is still looked for in the current directory and then on the PATH, so a planted copy there is still loaded; this is the "DLL preloading" problem described in Microsoft Security Advisory 2269637. The CWDIllegalInDllSearch value in the same key (KB 2264107) can remove the current directory from the search altogether (0xFFFFFFFF) or only for remote paths (2); test it first, because some applications rely on loading helper DLLs from the working directory.

What consequences will there be on my system?

When an application requests a DLL, the current directory is one of the last places searched, so if a DLL in the System, 16-bit system or Windows directory has the same name as one in the current directory, the system copy is loaded. This only matters for applications that deliberately keep DLLs in the working directory rather than in their own directory.

Return
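An added example, not part of the original checklist, covering the DLL search order section above: it reads the two Session Manager values that govern the search, then lists PATH directories that Users, Everyone or Authenticated Users can write to, since with the safe order the PATH is still searched and a writable entry on it is where a missing DLL gets planted. The SID list and the set of rights counted as "write" are this example's assumptions. Read-only; PowerShell 2.0.

```powershell
# Check-DllSearch.ps1 (added example, not from the checklist)
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$p  = Get-ItemProperty -Path $sm

# SafeDllSearchMode: absent or 1 = safe order (current directory after the system directories).
$safe = $p.SafeDllSearchMode
if ($safe -eq $null) { 'SafeDllSearchMode not set: Windows 7 defaults to the safe order (1); set it explicitly anyway.' }
elseif ($safe -eq 1) { 'SafeDllSearchMode = 1 (safe order).' }
else                 { "SafeDllSearchMode = $safe (UNSAFE: current directory is searched before the system directories)." }

# CWDIllegalInDllSearch (KB 2264107): 0xFFFFFFFF removes the current directory from the
# search entirely; 2 blocks it for remote (UNC/WebDAV) paths only; 1 for WebDAV only.
$cwd = $p.CWDIllegalInDllSearch
if ($cwd -eq $null) { 'CWDIllegalInDllSearch not set: the current directory is still searched after the system directories.' }
else                { 'CWDIllegalInDllSearch = 0x{0:X}' -f $cwd }

# PATH entries writable by broad groups: a DLL planted there is loaded when no other copy exists.
$weakSids  = @('S-1-5-32-545', 'S-1-1-0', 'S-1-5-11')   # Users, Everyone, Authenticated Users
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, WriteAttributes, Write, Modify, FullControl'
"`nPATH directories writable by non-administrators:"
foreach ($dir in ($env:PATH -split ';' | Where-Object { $_ -and (Test-Path $_) })) {
    $acl = Get-Acl -Path $dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }    # orphaned or untranslatable SID
        if (($weakSids -contains $sid) -and (($ace.FileSystemRights -band $writeMask) -ne 0)) {
            "  {0}  ({1}: {2})" -f $dir, $ace.IdentityReference.Value, $ace.FileSystemRights
        }
    }
}
```

A clean Windows 7 install prints nothing under the last heading; a directory appearing there is usually a third-party tool that added itself to the system PATH with a permissive ACL.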

Stop Default Shares

Why do this?

Windows creates a number of hidden shares called administrative shares (C$ and the other drive roots, ADMIN$ for the Windows directory, and IPC$) for remote administration over a domain. Since this workstation is assumed not to be joined to a domain, they only give an attacker who obtains valid credentials a ready-made entry point to every file on the machine. They can be deleted for as long as the computer stays up, but they are recreated every time the Server service starts, so the registry must be used to disable them permanently:

HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Services> LanmanServer> Parameters> AutoShareWks = 0

This does not disable IPC$, which the Server service needs and which attackers use (through a null session) to enumerate the user accounts and shares on the machine. That is why the Guest account and anonymous (null session) access must be disabled as well.

What consequences will there be on my system?

The hidden administrative shares that are otherwise always present on Windows machines will be disabled. If the computer is ever joined to a domain, the value may have to be removed to restore remote administrative access. While the computer is a standalone workstation or simply connected to a LAN, they should not need to be active.

Return
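The administrative-share section above, as an added example that is not part of the original checklist: list the shares the Server service currently exposes, check the AutoShareWks value, and with -Apply set it to 0 and delete the existing administrative disk shares. It uses WMI because Get-SmbShare does not exist on Windows 7; the file name and switch are this example's own. Run from an elevated PowerShell 2.0 prompt.

```powershell
# Disable-AdminShares.ps1 (added example, not from the checklist)
param([switch]$Apply)
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

'Current shares:'
Get-WmiObject -Class Win32_Share |
    Select-Object Name, Path, Type, @{ n = 'Hidden'; e = { $_.Name.EndsWith('$') } } |
    Format-Table -AutoSize

$current = (Get-ItemProperty -Path $lanman -ErrorAction SilentlyContinue).AutoShareWks
if ($current -eq 0) { 'AutoShareWks = 0: administrative drive shares are not recreated at boot.' }
else                { 'AutoShareWks not set or 1: C$, ADMIN$ and the other drive shares come back every time the Server service starts.' }

if ($Apply) {
    Set-ItemProperty -Path $lanman -Name AutoShareWks -Value 0 -Type DWord
    # Win32_Share.Type 2147483648 = administrative disk share (C$, ADMIN$, ...).
    # Deleting them now only lasts until the next restart of the Server service;
    # the registry value above is what keeps them gone.
    foreach ($share in Get-WmiObject -Class Win32_Share -Filter 'Type = 2147483648') {
        $rc = $share.Delete()
        'Deleted {0}: return code {1}' -f $share.Name, $rc.ReturnValue
    }
    'IPC$ is left in place: the Server service requires it. Limit what it gives away by restricting anonymous access.'
}
```

After applying, confirm from another machine that \\host\C$ is refused while any share you created deliberately still answers; then re-run the script after a reboot to make sure the drive shares did not return.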

Disable Autoruns and CD Autoplay

Why do this?

For a long time Windows has automatically started a program when a CD, USB drive or other removable medium is first inserted (AutoRun, driven by an autorun.inf file on the medium). This is dangerous when the program that starts automatically is malware: the Conficker worm spread on USB sticks this way, and a backdoor loaded like this opens your computer up to attacks from the Internet. The possibilities are endless. The best solution is to keep the computer from running anything from a newly inserted drive before you have had a chance to check it for viruses.

What consequences will there be on my computer?

You will have to open CDs and other removable drives yourself by double-clicking the icon in Computer. It may be a nuisance, but it is much safer.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows> CurrentVersion> Policies> Explorer> NoDriveTypeAutoRun = 0xFF (hexadecimal; disables AutoRun on every drive type)

Windows 7 already ignores autorun.inf on USB and other non-optical drives; only CDs and DVDs still honour it by default, and the value above covers those too.

Return

Hardcoding entries in the DNS cache

Why do this?

A Domain Name System (DNS) server is a machine that translates a domain name, such as www.google.com, into an IP address (and, for reverse lookups, back again). When you visit a web page, your computer sends a query to the name server configured for its network connection, usually your ISP's; the server responds with the IP address for the name, and your browser then contacts that address and the web server delivers the requested page. The answer is kept in the local DNS client cache until its time-to-live expires, so that Windows does not send the same query to the name server repeatedly. Attackers sometimes corrupt the answers a name server gives, either by poisoning its cache or by compromising the server itself, so that it returns a wrong address and the user ends up at a fake or malicious site. On Windows, permanent entries are added through the hosts file (%SystemRoot%\System32\drivers\etc\hosts); its entries are loaded into the DNS client cache and consulted before any name server is asked. By adding permanent entries into your DNS cache,

What consequences will there be on my computer?

With a permanent entry in place, your system uses the stored address for that name instead of asking a name server. Lookups for those names are slightly faster, since no query is sent. The drawback appears when a site changes its IP address: the stale entry sends you to the old address until you update the file. Keep the hosts file writable only by administrators, because it is itself a favourite target of malware, which edits it to redirect security vendors' sites or to block updates.

Return

Disable RAS Password Storing

Why do this?

When a user connects to a RAS-based network, which includes dial-up and VPN connections, they are offered the option to save the password for later use. If they do, the password is stored on the machine, where it can be recovered with readily available tools by anyone who gains access to the user's profile. When RAS password storing is disabled, the option is not offered and the password must be entered every time.

What consequences will there be on my system?

Every time a user connects to a RAS-based network, they must provide the password; saving it is no longer offered.

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Services> RasMan> Parameters> DisableSavePassword = 1

Return

Protect against Path MTU Attacks

Why do this?

The MTU (maximum transmission unit) is the largest packet a network link will carry. Different networks have different MTUs, so a packet may have to be fragmented on its way from point A to point B, and fragmenting and reassembling packets costs resources at both ends in proportion to the packet size and the number of fragments. Windows therefore uses Path MTU Discovery to find the largest packet size that reaches a given destination without fragmentation, relying on ICMP "fragmentation needed" messages sent back by routers along the path. That is the weakness: an attacker can forge such ICMP messages and drive the machine's MTU for a path down to 68 bytes, the absolute minimum, so that every packet has to be split into many tiny fragments. Large transfers then consume far more CPU and bandwidth than they should, a denial of service against the host. This setting disables Path MTU Discovery so that forged messages have nothing to influence.

What consequences will there be on my system?

This setting (EnablePMTUDiscovery = 0) disables dynamic MTU adjustment and makes Windows use 576 bytes for every destination that is not on the local subnet. It is possible that this will cause problems on your network (throughput suffers, and it does not help against paths whose MTU is below 576), so test it thoroughly before implementing it on all machines.

Return

Protecting against SYN Floods

Why do this?

A TCP connection is started with a three-way handshake. The initiating computer sends a packet with the SYN flag set; the responding computer replies with a packet with both SYN and ACK set; and the initiator responds with an ACK of its own. When the initial SYN arrives, the server allocates resources to remember the half-open connection. Attackers take advantage of this by sending many SYNs, usually from forged source addresses, and never answering the SYN/ACK. If enough are sent, the services the victim provides are denied to everyone else trying to reach them. This is a denial of service (DoS) attack. This setting helps protect your computer from being a victim of a SYN flood: it shortens the time half-open connections are kept and reduces the retransmissions spent on them, so resources are freed sooner.

What consequences will there be on my system?

This setting can cause problems on high-latency networks where the extra retransmissions are needed for connections to complete; there a value of 1 should be used rather than the most aggressive setting. Every computer reachable from the Internet should have some protection. Note that on Windows Vista and later the TCP/IP stack has SYN attack protection permanently on and no longer reads the SynAttackProtect value; setting it on Windows 7 is harmless but has no effect.

Return

Preventing modification to Type of Service bits

Why do this?

In Windows, programs can change the Type of Service bits in the IP header of the packets they send. The field is largely unused in ordinary IP communication, but its bits signal priority (precedence) to routers and traffic shapers. If applications are allowed to set it, they can defeat bandwidth and QoS policies that have been put in place, and a malicious program can mark its own traffic as high priority.

What consequences will there be on my system?

If, for some reason, an application relies on setting these bits to communicate, it will no longer be able to, because that ability has been taken from it. This setting, like all the others, should be tested before it is deployed.

Return

Half-open TCP Connection Reset Time

Why do this?

When Windows answers a SYN with a SYN/ACK, it waits a certain time for the ACK before retransmitting, and gives up after a fixed number of retransmissions. Lowering that number shortens the time a half-open connection occupies resources before it is cleaned up. If resources are freed sooner, the computer can handle more connections and is less likely to be overwhelmed by a SYN flood.

What consequences will there be on my system?

If a user a long distance away (on a slow or lossy path) tries to connect to your computer, your computer might give up on the connection before the ACK arrives. How likely that is depends on the network you run, and the value can be adjusted accordingly: the higher the number, the longer it waits before abandoning the half-open connection. For a machine under attack it could be set to 0 or 1.

Return

Amount of time kept in TIMED_WAIT

Why do this?

Run netstat -n -p tcp to see the list of TCP connections on the computer. In the State column you will probably see some connections in TIME_WAIT. A connection enters this state after it has been closed and stays there, still holding its address and port pair, until a timer expires and the resources are released. RFC 793 defines the time as twice the maximum segment lifetime for the network. On Windows it is configurable as TcpTimedWaitDelay (in seconds, under HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Services> Tcpip> Parameters) and should be lowered to 96 so that resources are released quickly and a busy or attacked machine does not run out of ports.

What consequences will there be on my system?

TIME_WAIT only applies to connections that have already been closed, so no live connection is dropped by a shorter timer. The risk of setting it too low is that a delayed segment from an old connection could be accepted by a new connection that reuses the same address and port pair; 96 seconds is still well above the delays seen on real networks. If an application does misbehave, raise the limit again.

Return

Interval for keeping a connection alive

Why do this?

When a TCP connection goes idle, with no data being transferred, a keep-alive probe needs to be sent every so often to detect whether the other end is still there, so that a dead connection does not hold resources indefinitely. This setting makes the probe happen every five minutes instead of the default two hours. Windows only sends keep-alives on sockets whose application has asked for them (SO_KEEPALIVE).

These settings can also be achieved through the registry settings:

HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Services> Tcpip> Parameters> KeepAliveTime = 300000 (milliseconds)

What consequences will there by on my system?

There should be no consequence for your system. If the connection is still active, the remote computer responds to the probe; if not, the connection is closed and its resources freed.

Return

Maximum number of refused SYNs before protection

Why do this?

This setting (TcpMaxHalfOpen) controls how many connections may sit in the SYN_RECEIVED state before the computer switches on SYN flood protection. Because a large number of half-open connections is the signature of a SYN flood, exceeding the limit makes the computer assume it is under attack and act accordingly (shorter timeouts and fewer retransmissions for new connection attempts). On Windows Vista and later this value is no longer read, because the protection is always on; it is kept here for older systems.

What consequences will there be on my system?

If for some reason you are on a network that legitimately creates a large number of connections in the SYN_RECEIVED state, services could become slow to accept new clients because SYN flood protection has kicked in. This rarely happens, so there should be no effect on your machine.

Return

Maximum number of retried SYN_RCVD

Why do this?

This setting (TcpMaxHalfOpenRetried) controls how many connections may sit in the SYN_RECEIVED state after at least one retransmission of the SYN/ACK before SYN flood protection is switched on. It is a tighter trigger than the previous value, since a half-open connection that has already needed a retransmission is more likely to be bogus; when the number is exceeded, the computer assumes it is under attack and acts accordingly. As with TcpMaxHalfOpen, Windows Vista and later no longer read this value.

What consequences will there be on my system?

If for some reason you are on a network where many connections legitimately need a retransmitted SYN/ACK, services could become slow to accept new clients because SYN flood protection has kicked in. This rarely happens, so there should be no effect on your machine.

Return
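The netstat output mentioned in the TIME_WAIT section above is also the quickest way to see the half-open backlog the two SYN_RECEIVED sections talk about. The script below is an added example, not part of the original checklist: Parse-NetstatTcp turns the text of netstat -n -p tcp into objects and Get-TcpStateSummary counts the states, flagging a half-open backlog above a threshold and the number of distinct sources behind it (a real flood usually shows many forged addresses). The sample lines at the bottom are constructed for illustration and use documentation IP ranges; the threshold is this example's own choice. PowerShell 2.0.

```powershell
# TcpStates.ps1 (added example, not from the checklist)
function Parse-NetstatTcp([string[]]$Lines) {
    # Each data line: "  TCP    local:port    remote:port    STATE"; header lines do not match.
    foreach ($line in $Lines) {
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$') {
            New-Object PSObject -Property @{
                LocalAddress = $Matches[1]; LocalPort  = [int]$Matches[2]
                RemoteAddress = $Matches[3]; RemotePort = [int]$Matches[4]
                State = $Matches[5]
            }
        }
    }
}

function Get-TcpStateSummary($Connections, [int]$HalfOpenThreshold = 100) {
    $halfOpen = @($Connections | Where-Object { $_.State -eq 'SYN_RECEIVED' })
    New-Object PSObject -Property @{
        ByState         = ($Connections | Group-Object State | Sort-Object Count -Descending)
        HalfOpen        = $halfOpen.Count
        # Distinct remote addresses in SYN_RECEIVED: floods spread across many (forged) sources.
        HalfOpenSources = @($halfOpen | Select-Object -ExpandProperty RemoteAddress -Unique).Count
        TimeWait        = @($Connections | Where-Object { $_.State -eq 'TIME_WAIT' }).Count
        SuspectFlood    = ($halfOpen.Count -ge $HalfOpenThreshold)
    }
}

# Live use on the machine itself:   $conns = Parse-NetstatTcp (netstat -n -p tcp)
# Constructed sample (not captured from a real host) so the script runs anywhere:
$sample = @(
    '  Proto  Local Address          Foreign Address        State',
    '  TCP    192.0.2.10:443         198.51.100.7:51234     ESTABLISHED',
    '  TCP    192.0.2.10:443         203.0.113.5:40001      SYN_RECEIVED',
    '  TCP    192.0.2.10:443         203.0.113.6:40002      SYN_RECEIVED',
    '  TCP    192.0.2.10:443         203.0.113.7:40003      SYN_RECEIVED',
    '  TCP    192.0.2.10:80          198.51.100.9:60000     TIME_WAIT',
    '  TCP    192.0.2.10:80          198.51.100.9:60001     TIME_WAIT'
)
$conns = Parse-NetstatTcp $sample
$s = Get-TcpStateSummary $conns -HalfOpenThreshold 3
$s.ByState | Format-Table Name, Count -AutoSize
'Half-open: {0} from {1} sources; TIME_WAIT: {2}; suspect flood: {3}' -f $s.HalfOpen, $s.HalfOpenSources, $s.TimeWait, $s.SuspectFlood
```

On the sample this reports three half-open connections from three sources and two in TIME_WAIT, and flags a suspect flood because the threshold was set to 3; on a real host keep the threshold in the hundreds and look at the trend over a few runs rather than a single snapshot.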

Stop Dangerous Services controlled through Local Services Administrator

Why do this?

Older versions of Windows were notorious for shipping with nearly every service switched on, including Telnet and FTP servers. Those should not run on any system: they send credentials in clear text and have long histories of vulnerabilities, and secure alternatives (SSH, SFTP) exist for everything they do. On Windows 7 the Telnet Server and FTP Server are optional features that are off by default, but check that nobody has enabled them. A number of other services should be turned off because of the access they expose. Remote Registry is the clearest case: the registry should be modified locally or through Group Policy from a domain controller, so there is no reason to let anyone edit it over the network. All of the services listed provide access to the system from the network or locally on the machine.

What consequences will there be on my system?

Shutting down services has the obvious effect of a denial of service for anyone who uses them. Should that happen, find out which service is needed and decide whether its use is worth the risk to the system.

Return
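The stop-and-disable step for the services named above, as an added example that is not part of the original checklist. The service list is this example's assumption for illustration (Telnet Server and the IIS FTP service only exist if those optional features were installed); extend it with the other services your copy of the checklist names. Without -Apply it only reports each service's state and start mode. Run from an elevated PowerShell 2.0 prompt.

```powershell
# Disable-RiskyServices.ps1 (added example, not from the checklist)
param([switch]$Apply)

# Service names (not display names) as they appear in services.msc properties.
$unwanted = @(
    'TlntSvr',         # Telnet Server (optional feature)
    'ftpsvc',          # Microsoft FTP Service (IIS optional feature)
    'RemoteRegistry'   # Remote Registry
)

foreach ($name in $unwanted) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -eq $null) { '{0,-15} not installed' -f $name; continue }

    # Get-Service does not expose the start mode on PowerShell 2.0; ask WMI for it.
    $startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='$name'").StartMode
    '{0,-15} status={1,-8} startmode={2}' -f $name, $svc.Status, $startMode

    if ($Apply) {
        if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force }
        # Disabled (not Manual): a Manual service can still be started by anything that asks for it.
        Set-Service -Name $name -StartupType Disabled
        '{0,-15} stopped and disabled' -f $name
    }
}
```

Re-run the report after the next reboot: a service that is back to Running was either re-enabled by an installer or depended upon by something you still need, and either way deserves a look before you disable it again.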

Dangerous Executables

Why do this?

A number of programs included with Windows are double-edged swords: necessary for certain tasks but dangerous from a security standpoint. The arp command, for example, lets an administrator view and edit the ARP table, which is a legitimate need; the same command can also be used to plant a false entry so that packets are sent to the wrong device (ARP poisoning). The permissions on these programs should be checked so that only users with a legitimate purpose can run them. Be aware that by default every interactive user can execute everything in System32, and that tightening those ACLs can break Windows itself, so do it selectively and test. The executables in red are particularly dangerous, in that they are the ones most likely to be used against your system by an attacker. Many names in the list below date from Windows NT 4.0 and are not present on Windows 7, or are present only on 32-bit installations (debug.exe, edit.exe, edlin.exe, sysedit.exe); concern yourself only with the ones that exist on your system. Some of these programs cannot be deleted or disabled; for those we recommend watching what they do with the Sysinternals tools (www.sysinternals.com): TCPView for their network connections and Process Monitor for their file and registry activity.

What consequences will there be on my system?

If the only change is tightening who may execute these files, users will notice nothing until they need one of them. Be careful with cmd.exe, cscript.exe, wscript.exe, msiexec.exe and runas.exe: installers, logon scripts and some applications call them on the user's behalf, so restricting them for standard users can break software installation and maintenance. Note also that on Windows 7 these files are owned by TrustedInstaller, so changing their permissions means taking ownership first, and an update that replaces a file restores its default permissions; re-check after patching. Software Restriction Policies (secpol.msc, available in Windows 7 Professional) are a cleaner way to control who may run a given executable than editing file ACLs one by one.

Executables:

Arp.exe
at.exe
attrib.exe
atsvc.exe
Cacls.exe
Clipsrv.exe
cmd.exe
cscript.exe
command.com
Debug.exe
edit.exe
edlin.exe
finger.exe
ftp.exe
hypertrm.exe
htimage.exe
imagemap.exe
ipconfig.exe
issync.exe
msiexec.exe
nbtstat.exe
net.exe
net1.exe
Netsh.exe
netstat.exe
nslookup.exe
ping.exe
poledit.exe
posix.exe
qbasic.exe
qfecheck.exe
rcp.exe
rdisk.exe
regedit.exe
regedt32.exe
regini.exe
regsvr32.exe
rexec.exe
Route.exe
rsh.exe
runas.exe
RunOnce.exe
secfixup.exe
sysedit.exe
SysKey.exe
Tftp.exe
telnet.exe
tracert.exe
tskill.exe
uninst.exe
wscript.exe
xcopy.exe
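An added example, not part of the original checklist, that turns the list above into a read-only audit: it reports which of the executables exist on this Windows 7 system and whether the groups every logged-on user belongs to hold an execute grant on them. It changes no permissions. The names are taken from the list above (entries that no longer ship with Windows are reported as absent); the directories searched and the set of "broad" principals are assumptions.

```powershell
# Added example, not part of the original checklist: audit who can execute
# the executables named in the checklist. Read-only; run as Administrator
# so every ACL can be read. The directory list and the set of broad
# principals are assumptions.

$Executables = @(
    'arp.exe','at.exe','attrib.exe','atsvc.exe','cacls.exe','clipsrv.exe','cmd.exe',
    'cscript.exe','command.com','debug.exe','edit.exe','edlin.exe','finger.exe',
    'ftp.exe','hypertrm.exe','htimage.exe','imagemap.exe','ipconfig.exe','issync.exe',
    'msiexec.exe','nbtstat.exe','net.exe','net1.exe','netsh.exe','netstat.exe',
    'nslookup.exe','ping.exe','poledit.exe','posix.exe','qbasic.exe','qfecheck.exe',
    'rcp.exe','rdisk.exe','regedit.exe','regedt32.exe','regini.exe','regsvr32.exe',
    'rexec.exe','route.exe','rsh.exe','runas.exe','runonce.exe','secfixup.exe',
    'sysedit.exe','syskey.exe','tftp.exe','telnet.exe','tracert.exe','tskill.exe',
    'uninst.exe','wscript.exe','xcopy.exe'
)

# An Allow ACE for any of these means an unprivileged user, or malware
# running as that user, can execute the file.
$BroadPrincipals = @('BUILTIN\Users', 'Everyone',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-BroadExecuteGrants {
    param([string]$Path)
    $hits = @()
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # ExecuteFile is included in ReadAndExecute, Modify and FullControl.
        $canExecute = $ace.FileSystemRights.ToString() -match 'ExecuteFile|ReadAndExecute|Modify|FullControl'
        if ($canExecute -and ($BroadPrincipals -contains $ace.IdentityReference.Value)) {
            $hits += $ace.IdentityReference.Value
        }
    }
    return $hits
}

function Get-ExecutableReport {
    $dirs = @("$env:SystemRoot", "$env:SystemRoot\System32")
    if (Test-Path "$env:SystemRoot\SysWOW64") { $dirs += "$env:SystemRoot\SysWOW64" }   # 64-bit install
    foreach ($exe in $Executables) {
        $found = $false
        foreach ($dir in $dirs) {
            $path = Join-Path $dir $exe
            if (-not (Test-Path $path)) { continue }
            $found = $true
            $who = @(Get-BroadExecuteGrants -Path $path)   # @() keeps .Count valid on PS 2.0
            New-Object PSObject -Property @{
                Executable = $exe; Path = $path
                UsersCanRun = ($who.Count -gt 0); GrantedTo = ($who -join ', ')
            }
        }
        if (-not $found) {
            New-Object PSObject -Property @{ Executable = $exe; Path = '(not present)'; UsersCanRun = $false; GrantedTo = '' }
        }
    }
}

Get-ExecutableReport | Format-Table Executable, Path, UsersCanRun, GrantedTo -AutoSize
```

On a default Windows 7 install expect UsersCanRun to be True for nearly every file that is present (BUILTIN\Users holds Read and execute on System32), which is exactly the state this step asks you to review. Re-run the report after tightening permissions and again after each round of Windows updates.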

Return

Disable NetBIOS over TCP/IP

Why do this?

Windows uses NetBIOS as the transport for legacy file and printer sharing and for network name resolution. It is a favourite point of access for attackers because of its long history of vulnerabilities and the information it gives away (machine name, logged-on user, share names). Even if file sharing stays enabled, NetBIOS over TCP/IP (UDP 137 and 138, TCP 139) should be disabled, because left exposed on a public network it can let people on the Internet reach your shares. More dangerous still is a worm spreading over the Internet that uses an open share to copy itself onto your computer. Note that Windows 2000 and later, including Windows 7, also carry SMB file sharing directly over TCP port 445 without NetBIOS, so this step removes the NetBIOS listeners and name-based browsing but does not by itself close file sharing; port 445 still has to be blocked at the firewall for untrusted networks.

What consequences will there be on my system?

Disabling NetBIOS over TCP/IP does exactly that: NetBIOS name resolution and browsing (the Network list) stop working, and a host that only speaks NetBIOS-style SMB (Windows 9x, NT 4) can no longer reach this machine. File sharing between Windows 2000 and later machines continues over port 445. Since NetBIOS is not a safe way to conduct sharing, it is wise to shut it off. Most good firewalls drop this traffic anyway, as it is a common avenue for attack, but why not be a step ahead and ensure more safety?
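An added example, not part of the original checklist, that makes this change from an elevated PowerShell prompt through WMI rather than the adapter's GUI, and then verifies it by looking at the listening ports. The WMI method and its option values are standard; nothing else is assumed.

```powershell
# Added example, not part of the original checklist: disable NetBIOS over
# TCP/IP on every IP-enabled adapter through WMI, then verify. Run elevated.
# TcpipNetbiosOptions values: 0 = use the DHCP server's setting, 1 = enabled,
# 2 = disabled. SetTcpipNetbios returns 0 on success and 1 when a reboot is
# needed for the change to take effect.

function Get-NetbiosState {
    foreach ($nic in (Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')) {
        $label = switch ($nic.TcpipNetbiosOptions) { 0 { 'DHCP default' } 1 { 'Enabled' } 2 { 'Disabled' } }
        New-Object PSObject -Property @{ Index = $nic.Index; Adapter = $nic.Description; Netbios = $label }
    }
}

function Disable-NetbiosOverTcpip {
    foreach ($nic in (Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')) {
        if ($nic.TcpipNetbiosOptions -eq 2) {
            "$($nic.Description): already disabled"
            continue
        }
        $rc = $nic.SetTcpipNetbios(2).ReturnValue
        "$($nic.Description): SetTcpipNetbios returned $rc"
    }
}

Get-NetbiosState | Format-Table Index, Adapter, Netbios -AutoSize
Disable-NetbiosOverTcpip
Get-NetbiosState | Format-Table Index, Adapter, Netbios -AutoSize

# The NetBIOS name service listens on UDP 137 and the session service on
# TCP 139; both should be gone from the listener list. TCP 445 (SMB without
# NetBIOS) will still be there while File and Printer Sharing is enabled.
netstat -a -n | Select-String ':13[79] '
```

The setting applies per adapter, so a new adapter (a USB network card, a VPN client) arrives with the DHCP default and needs the same treatment; re-running the script is harmless.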

Return

Secure Windows Media Player

Why do this?

  1. Files downloaded over a peer-to-peer (P2P) file sharing network are not always safe. Some of these movies and music files require Digital Rights Management (DRM) to be played, and a prompt to download the DRM component, which can be laced with malware or spyware, will pop up. By turning off automatic DRM download you reduce the chance of installing malware bundled with a movie or song.
  2. When Windows assigns your Media Player a unique ID, it places that ID in the registry. A website that obtains this ID can recognise your computer on every visit and build a profile of your Internet usage.
  3. The less information sent to Microsoft, the smaller your exposure. Disabling the sending of Player usage data keeps that information on your machine.
  4. Unless you know which scripts are running in the background and what they do, leave script commands disabled in case a malicious program is being run from them. Some web pages also carry drive-by malware, so being prompted before Media Player opens a page lets you decline to visit it.
  5. Windows Media Player also keeps a history on your hard disk of the DVDs you watch. When you insert a DVD and open Windows Media Player, it contacts Microsoft for information about that movie. To stop this, do not allow Media Player to contact Microsoft: use Work Offline.

What consequences will there be on my system?

By disabling these settings, Media Player will no longer contact Microsoft servers to gather information about the movies you are watching. The title, chapter and artwork information it would normally return about a movie or album, and the usage-based features that depend on it, will no longer be available.

Return

SYSKEY

Why do this?

SYSKEY adds a layer of protection to the Windows SAM database. The SAM is the goldmine for an attacker because it holds every local account name together with the hash of its password (the password itself is not stored). SYSKEY encrypts those hashes with a 128-bit system key, so that someone who copies the SAM off the disk cannot read the hashes without also recovering that key; it does not stop the file from being copied. The key can be held in one of three ways:

    1. By requiring a password at startup - This option requires that a password be user defined and presented at every startup, even before the user logon screen.
    2. By requiring a floppy disk at startup - This option will create a password and place it on a floppy disk that must be present at every startup.
    3. By handling everything locally - This option will create a password and place it on the local hard drive. No user intervention is required.

Each has advantages and disadvantages. The biggest consideration is that once SYSKEY is in use it cannot be turned off, only switched between the three modes; on Windows 2000 and later, including Windows 7, it is on from installation, in the third mode. If the password is forgotten, or the floppy is lost, the machine will not boot past the SYSKEY prompt, and recovery means restoring the registry (the SYSTEM hive) from a backup taken before the change. This is a choice that must be made for each situation. Notice that the third option needs no user input, which means the key is stored on the local disk, scrambled in the SYSTEM hive. Freely available tools recover the key from a copy of that hive and decrypt the SAM with it, so this mode protects only against an attacker who gets the SAM without the SYSTEM hive; it is the least secure option. The floppy must be kept where only authorised users can reach it (and few Windows 7 machines have a floppy drive at all): if an attacker has the disk, the protection is gone. The same applies to the password: if it is compromised, so is the system. Be aware, too, that the startup-password mode has been used by intruders and "tech support" scammers to lock owners out of their own machines, one of the reasons Microsoft later removed syskey.exe from Windows; a machine that unexpectedly asks for a startup password has usually been tampered with.

If strong encryption is enabled, a copy of the registry should be made before any encryption takes place. This will allow you to restore the changes made if anything should go wrong.
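An added example, not part of the original checklist, of the registry backup recommended above, done from an elevated PowerShell prompt with reg.exe, together with a check of the current SYSKEY mode. The backup folder is an assumption. The SecureBoot value under the Lsa key and the meaning of its values are from my recollection of NT internals, not from the checklist: confirm them on a test machine before relying on them.

```powershell
# Added example, not part of the original checklist: take the registry backup
# the text calls for before changing the SYSKEY mode, and show the current
# mode. Run elevated. The backup folder is an assumption. The SecureBoot
# value under the Lsa key and its meaning (1 = key stored locally, 2 = startup
# password, 3 = floppy) are from my recollection of NT internals: confirm on
# a test machine before relying on them.

$BackupRoot = 'C:\HiveBackup'

function Get-SyskeyMode {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    switch ($lsa.SecureBoot) {
        1 { 'key stored locally in the registry (option 3 above)' }
        2 { 'startup password required (option 1 above)' }
        3 { 'key stored on a floppy disk (option 2 above)' }
        default { "unrecognised SecureBoot value: $($lsa.SecureBoot)" }
    }
}

function Backup-SecurityHives {
    param([string]$Destination)
    $dir = Join-Path $Destination (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $saved = @()
    # SYSKEY re-encrypts material in all three hives, so all three are saved.
    # reg.exe save copies a live hive consistently; regedit cannot export SAM
    # or SECURITY even when run as Administrator.
    foreach ($hive in 'SYSTEM', 'SAM', 'SECURITY') {
        $file = Join-Path $dir "$hive.hiv"
        & reg.exe save "HKLM\$hive" $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg save HKLM\$hive failed with exit code $LASTEXITCODE" }
        $saved += $file
    }
    # These copies contain the password hashes and the boot key: restrict them
    # to Administrators and SYSTEM, then move them off the machine.
    & icacls.exe $dir /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null
    return $saved
}

"Current SYSKEY mode: $(Get-SyskeyMode)"
Backup-SecurityHives -Destination $BackupRoot
```

The saved hives are exactly what an offline attacker wants, so treat the backup folder as you would the password list itself: copy it to removable media kept under lock, and delete the on-disk copy (and wipe the free space afterwards; see the cipher.exe step).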

What consequences will there be on my system?

Depending on the mode chosen, a floppy or a password is needed at every boot, and if either is lost the SYSTEM hive must be restored from backup. Using SYSKEY is serious business and the choice should be thought through carefully before committing to a mode: the mode can be changed later with syskey.exe, but SYSKEY itself cannot be removed.

Return

EFS

Why do this?

EFS, the Encrypting File System, encrypts files natively on NTFS volumes and is included in Windows 7 Professional. It matters when the disk itself is compromised: if the drive is removed, or the machine is booted from other media, an attacker can read the encrypted files only by obtaining the user's EFS private key, which is in turn protected by the user's logon password. A good rule of thumb is to have each user encrypt their own profile folder. Encrypt the parent of the Documents folder (the user's profile) rather than Documents alone, because the profile also contains the temporary directory (AppData\Local\Temp) that applications use for scratch copies of the files being edited. Since most users keep their work in Documents, it is covered as well. Unlike SYSKEY, this encryption can be reversed through the same process. The first time a user encrypts a file, Windows creates an EFS certificate and private key for that user; they are the only way to read the files if the profile is damaged or the password is reset, so export them (cipher /x, or certmgr.msc) and store the backup in a secure location off the machine.

What consequences will there be on my system?

EFS encrypts and decrypts transparently, so a user whose key is loaded sees no difference. Two things do change: a file copied to a FAT-formatted drive (a typical USB stick) or attached to an e-mail leaves EFS and is stored in the clear, and if an administrator resets the user's logon password (as opposed to the user changing it), the EFS key becomes unreadable and the files are lost unless the certificate backup exists.

Other information

For added convenience, you can add "Encrypt" and "Decrypt" to the Explorer context menu. This allows easy encryption and decryption of files.
The registry key is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Add the DWORD value "EncryptionContextMenu" with a value of 1.
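An added example, not part of the original checklist, that performs the EFS steps described above from PowerShell: encrypt a folder with cipher.exe, list anything EFS could not encrypt, back up the user's EFS certificate and private key, and add the context-menu value. Run the first three steps as the user whose files are involved (the EFS key belongs to that account); the registry step needs an elevated prompt. Both paths are assumptions.

```powershell
# Added example, not part of the original checklist: encrypt a user's folder
# with EFS, report files EFS skipped, back up the EFS certificate and key,
# and add the Encrypt/Decrypt context-menu entry. Both paths are assumptions.

$Target    = Join-Path $env:USERPROFILE 'Documents'
$KeyBackup = Join-Path $env:USERPROFILE 'Desktop\efs-key-backup'   # cipher appends .pfx; move it off the machine

function Protect-FolderWithEfs {
    param([string]$Path)
    # /e encrypts, /a includes existing files (not only the folder marker),
    # /s:<dir> recurses into subfolders.
    & cipher.exe /e /a "/s:$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher /e failed with exit code $LASTEXITCODE" }
}

function Get-UnencryptedFiles {
    param([string]$Path)
    # Anything without the Encrypted attribute after cipher /e is a file EFS
    # skipped, typically one locked by a running program.
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { (-not $_.PSIsContainer) -and (($_.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0) }
}

function Backup-EfsCertificate {
    param([string]$FileBase)
    # cipher /x writes <FileBase>.pfx and asks for a password to protect the
    # private key. Without this backup, an administrator resetting the user's
    # password makes every EFS file unreadable.
    & cipher.exe /x $FileBase
}

function Enable-EfsContextMenu {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    New-ItemProperty -Path $key -Name 'EncryptionContextMenu' -PropertyType DWord -Value 1 -Force | Out-Null
}

Protect-FolderWithEfs -Path $Target
$left = @(Get-UnencryptedFiles -Path $Target)
"$($left.Count) file(s) under $Target are still unencrypted:"
$left | ForEach-Object { $_.FullName }
Backup-EfsCertificate -FileBase $KeyBackup
Enable-EfsContextMenu
```

Close the applications that have files open under the target folder before running it, then re-run Get-UnencryptedFiles until it reports nothing. The .pfx produced by cipher /x is the recovery material the text warns about: it must not stay on the encrypted disk.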

Return

cipher.exe

Why do this?

When a file is deleted, its contents are not actually erased. The file system removes the directory entry and marks the clusters as free; none of the data is touched, it is simply made available for reuse. This is cheaper in time and disk wear. It also means that if a sensitive file is deleted from your computer, someone can still read it: tools exist to read what the disk physically contains, not just what the file system says it contains. To combat this, cipher /w:<directory> overwrites all the free space on the volume that holds the directory in three passes: first 0x00 (all zeros), then 0xFF (all ones), and finally random data. This ensures that deleted data in the free space cannot be recovered. It does not overwrite the slack space at the end of files that still exist, small files stored inside the master file table, or files in use, and on a solid-state drive the controller's wear levelling means an overwrite may never reach the cells that held the data; for an SSD rely on full-disk encryption or the drive's own secure-erase command instead.

What consequences will there be on my system?

Run this while nothing else is using the machine (in the middle of the night, for example): cipher fills the volume with a temporary file while it works, so other programs may see "disk full" errors until it finishes. Depending on how much free space there is, it can take a long time. The best practice is to pick a time when it will not affect your work, and let it run. Make sure to lock the computer and disconnect it from the network while you do!
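An added example, not part of the original checklist, that runs the wipe described above over every fixed NTFS volume from an elevated prompt and records the exit code and elapsed time in a log, so an overnight run can be checked the next morning. The log path is an assumption.

```powershell
# Added example, not part of the original checklist: overwrite the free space
# on every fixed NTFS volume with cipher /w and log the outcome. Run elevated
# when no one needs the machine. The log path is an assumption.

$LogFile = 'C:\Windows\Temp\cipher-wipe.log'

function Get-FixedNtfsVolumes {
    # DriveType 3 = local fixed disk. cipher /w works on NTFS only.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3' |
        Where-Object { $_.FileSystem -eq 'NTFS' } |
        ForEach-Object { $_.DeviceID }            # "C:", "D:", ...
}

function Clear-FreeSpace {
    param([string]$Volume)
    $sw = [Diagnostics.Stopwatch]::StartNew()
    # cipher /w:<dir> wipes the free space of the volume holding <dir>:
    # pass 1 writes 0x00, pass 2 writes 0xFF, pass 3 writes random bytes.
    & cipher.exe "/w:$Volume\" | Out-Null
    $sw.Stop()
    New-Object PSObject -Property @{
        Volume   = $Volume
        ExitCode = $LASTEXITCODE                  # 0 = all three passes completed
        Minutes  = [math]::Round($sw.Elapsed.TotalMinutes, 1)
    }
}

"Free-space wipe started $(Get-Date)" | Out-File -FilePath $LogFile -Append
foreach ($vol in Get-FixedNtfsVolumes) {
    Clear-FreeSpace -Volume $vol | Format-List Volume, ExitCode, Minutes | Out-String |
        Out-File -FilePath $LogFile -Append
}
"Free-space wipe finished $(Get-Date)" | Out-File -FilePath $LogFile -Append
```

A non-zero exit code usually means the run was interrupted or the volume filled up with something else before the passes finished; in that case the free space is only partly overwritten and the run should be repeated.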

Return

Remove Scripting Extensions

Why do this?

Several of the Internet worms that caused the most damage were plain scripts; the ILOVEYOU worm of 2000, for instance, was a Visual Basic script named LOVE-LETTER-FOR-YOU.TXT.vbs that ran as soon as the recipient double-clicked it. Your computer is infected the moment such a script executes. Changing the extension mapping makes every file with a script extension (the usual set is .vbs, .vbe, .js, .jse, .wsf and .wsh) open in WordPad as text instead of running, so a double-click shows the attacker's code rather than executing it. This blocks the double-click route only: a script can still be run by handing it to cscript.exe or wscript.exe directly, which is why the next step disables Windows Script Host as well.

What consequences will there be on my system?

Sometimes software vendors, and even OEM manufacturers, ship Visual Basic scripts that help with maintenance or similar tasks. These will no longer run on your computer. If your system or network relies on the ability to execute scripts, consider this setting very carefully.

Return

Disable Windows Scripting Host

Why do this?

For the same reasons outlined above. Many worms, and much other malicious code, rely on Windows executing scripts automatically through Windows Script Host (cscript.exe and wscript.exe). If WSH is disabled, that route is closed. It does not stop other kinds of active content, such as Office macros, so this is one layer of defence rather than a cure.

What consequences will there be on my system?

Any legitimate script will also fail to run, with the message "Windows Script Host access is disabled on this machine". This could be a problem depending on your configuration: vendor maintenance scripts and some installers rely on WSH.
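An added example, not part of the original checklist, that carries out both of the preceding steps ("Remove Scripting Extensions" and "Disable Windows Scripting Host") from an elevated PowerShell prompt and then checks that a probe script no longer runs. The extension list and the choice of WordPad as the viewer follow the text; treat the list as an assumption and add any other extensions your environment uses.

```powershell
# Added example, not part of the original checklist, serving both "Remove
# Scripting Extensions" and "Disable Windows Scripting Host": point the script
# extensions at WordPad so a double-clicked script opens as text, disable
# Windows Script Host for the whole machine, and verify with a probe script.
# Run elevated. The extension list is an assumption.

$ScriptExtensions = @('.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh')
$Viewer = Join-Path $env:ProgramFiles 'Windows NT\Accessories\wordpad.exe'

function Set-ScriptExtensionsToViewer {
    param([string[]]$Extensions, [string]$ViewerPath)
    # One shared ProgID whose "open" action is the viewer; each extension is
    # then pointed at it. The previous ProgID is printed so it can be restored.
    $progId  = 'ScriptAsText'
    $progKey = "HKLM:\SOFTWARE\Classes\$progId"
    $cmdKey  = "$progKey\shell\open\command"
    if (-not (Test-Path $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }
    Set-ItemProperty -Path $progKey -Name '(default)' -Value 'Script file (opens as text)'
    Set-ItemProperty -Path $cmdKey  -Name '(default)' -Value "`"$ViewerPath`" `"%1`""
    foreach ($ext in $Extensions) {
        $extKey = "HKLM:\SOFTWARE\Classes\$ext"
        if (-not (Test-Path $extKey)) { New-Item -Path $extKey | Out-Null }
        $old = (Get-ItemProperty -Path $extKey).'(default)'
        Set-ItemProperty -Path $extKey -Name '(default)' -Value $progId
        "$ext : '$old' -> '$progId'"
    }
}

function Disable-WindowsScriptHost {
    # Enabled = 0 under this key makes cscript.exe and wscript.exe refuse
    # every script for every user on the machine.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Test-WshDisabled {
    # Write a harmless probe script and try to run it with cscript; if WSH is
    # disabled the engine prints an error instead of the marker text.
    $probe = Join-Path $env:TEMP 'wsh-probe.vbs'
    Set-Content -Path $probe -Value 'WScript.Echo "WSH-RAN"'
    $out = & cscript.exe //nologo $probe 2>&1 | Out-String
    Remove-Item -Path $probe -Force
    return ($out -notmatch 'WSH-RAN')
}

Set-ScriptExtensionsToViewer -Extensions $ScriptExtensions -ViewerPath $Viewer
Disable-WindowsScriptHost
"Windows Script Host disabled: $(Test-WshDisabled)"
```

A per-user association stored under HKCU\Software\Classes, or an Explorer "open with" choice, overrides the machine-wide mapping, so confirm the first step by double-clicking a harmless test script as each user and checking that WordPad opens it. The WSH setting has no such override for standard users, and Test-WshDisabled checks it directly.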

Return

Encrypt Offline Files

Why do this?

If your computer is in a workgroup and uses Offline Files to keep local copies of documents from shared folders, enable this setting; a standalone machine with no file sharing can ignore it. Offline Files caches copies of network files on the local disk so that they remain available when the share is unreachable. This setting encrypts that cache with EFS, so an attacker who gets hold of the disk cannot read the cached copies without the user's EFS key. It is simply another layer of defence in depth.

What consequences will there be on my system?

The cached files are encrypted in much the same way as files encrypted with EFS directly, and the consequences are the same as for EFS, including the need to keep a backup of the EFS certificate.

Return

Stop Internet Explorer History

Why do this?

As you browse the Internet, every address you visit is recorded in the history files. Depending on the sites visited, this log can contain sensitive information: URLs often carry search terms, account names and session identifiers. Spyware, software that sends information back to a vendor or a third party, can harvest this log and relay it on, for profiling or targeted spam for example. It is best to disable this feature of IE.

What consequences will there be on my system?

If there is a URL for a website that has been forgotten, the history will no longer provide a list of previously viewed pages. The browser will also no longer be able to autocomplete the URLs for you.

Return

Set Internet Explorer Zones and Cookies

Why do this?

Internet Explorer lets you sort sites into zones: groups of addresses (hosts, domains or IP ranges) categorised by how much you trust them. Some may be trusted while others are untrusted, and each zone carries its own rules for how active content, downloads, cookies and the like are handled. The highest security level gives the most protection, but it will occasionally block a site you trust. Rather than lowering the whole zone's level when that happens, add that one site to the Trusted sites zone and leave the Internet zone where it is; if you do lower a setting temporarily, make sure you reset it to its previous value afterwards. Making Internet Explorer prompt you before accepting a cookie adds another level of defence, since cookies can be used to gather information about you for purposes you might not approve of.

What consequences will there be on my system?

The most obvious consequence will be the dramatic increase in messages displayed by Internet Explorer. It is better to click away the pop-ups than to sacrifice security. Functionality can also suffer: with untrusted content not being displayed, there is a possibility that certain websites will not work properly.
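An added example, not part of the original checklist, showing the "add one site to Trusted sites instead of lowering the zone" approach from PowerShell for the current user: it lists the sites already assigned to zones and adds one site for HTTPS only. The registry layout and zone numbers are standard for Internet Explorer; the example domain is an assumption.

```powershell
# Added example, not part of the original checklist: list the current user's
# Internet Explorer zone assignments and add one site to Trusted sites for
# HTTPS only. Zone numbers: 1 = Local intranet, 2 = Trusted sites,
# 3 = Internet, 4 = Restricted sites. The example domain is an assumption.

$ZoneMap   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-IeZoneMap {
    # Layout: Domains\example.com\www with a value named after the scheme
    # ("http", "https" or "*") whose data is the zone number.
    if (-not (Test-Path $ZoneMap)) { return }
    foreach ($key in (Get-ChildItem -Path $ZoneMap -Recurse)) {
        $relative = $key.PSPath -replace '.*\\Domains\\', ''        # e.g. example.com\www
        $parts = $relative.Split('\')
        [array]::Reverse($parts)                                   # www.example.com
        foreach ($scheme in $key.GetValueNames()) {
            New-Object PSObject -Property @{
                Site   = ($parts -join '.')
                Scheme = $scheme
                Zone   = $ZoneNames[[int]$key.GetValue($scheme)]
            }
        }
    }
}

function Add-IeTrustedSite {
    param([string]$Site, [string]$Scheme = 'https')
    # "intranet.example.com" becomes Domains\example.com\intranet; a bare
    # "example.com" covers the domain and all of its subdomains.
    $labels = $Site.Split('.')
    $key = Join-Path $ZoneMap ($labels[-2..-1] -join '.')
    if ($labels.Count -gt 2) {
        $key = Join-Path $key ($labels[0..($labels.Count - 3)] -join '.')
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value 2 -Force | Out-Null
}

Add-IeTrustedSite -Site 'intranet.example.com'
Get-IeZoneMap | Sort-Object Site | Format-Table Site, Scheme, Zone -AutoSize
```

Adding a site for https only means a plain-http page on the same host stays in the Internet zone; use "*" as the scheme only when you have a reason to trust the site over unencrypted connections as well. Review the listing periodically: malware and "helpful" installers sometimes add their own entries to Trusted sites.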

Return

Stop Internet Explorer from saving passwords

Why do this?

When using the Internet, users are often prompted to log in to sites, which usually means typing a username and password. People reuse passwords, so the one typed into a website probably resembles, or is identical to, the one for the local computer. The browser offers to save this information so it need not be typed again, and stores it on disk in the user's profile, where any program running as that user can read it back. This is an obvious security risk: if the stored credentials are recovered from the disk, the attacker either has the user's local password outright or can narrow down the possibilities considerably. Web browsers should not be allowed to save sensitive information for the user.

What consequences will there be on my system?

The user will have to type in their username and password for sites that require such information instead of having the browser fill in the information for them.

Return

Internet Explorer Security Options

Why do this?

These options help to create another barrier between the attacker and your computer. These settings help to upgrade the security that IE employs so it is harder for an attacker to exploit your system.

What consequences will there be on my system?

These options will add to the number of pop-up warnings that IE gives. It is also possible that older, very insecure sites will now be inaccessible.

Return

Screen Saver Password

Why do this?

When users go on break, to lunch, or just step away from their computer for a short time, they often forget to lock it (Ctrl + Alt + Delete then Enter, or Windows + L). That leaves the computer open to anyone who walks past, and an attacker can use the time to learn a great deal about the network and the systems. This can be avoided through the use of passwords in screen savers: when the screen saver activates, it locks the computer, and the user must enter their password to get back in.

What consequences will there be on my system?

The user's or an administrator's password must be entered to gain access to the computer after the screen saver has been activated. You don't want to do this any more often than is necessary and consistent with the security guidelines of your organization. "Office bunnies" who move about continuously might consider such hassle-free hardware alternatives as proximity detecting smart cards that automatically unlock computers when within a certain distance of the detector, and lock them when you walk away.
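An added example, not part of the original checklist, that sets a locking screen saver for the current user from PowerShell and checks the result. The 10-minute timeout and the blank screen saver (scrnsave.scr) are assumptions; use your organisation's values. These are per-user values under HKCU, which the user can change back unless they are enforced through Local Group Policy (gpedit.msc, available in Windows 7 Professional) or a domain.

```powershell
# Added example, not part of the original checklist: configure a screen saver
# that locks the session for the current user, and verify it. Timeout and
# screen saver choice are assumptions.

$DesktopKey = 'HKCU:\Control Panel\Desktop'

function Set-LockingScreenSaver {
    param([int]$TimeoutSeconds = 600,
          [string]$SaverPath = "$env:SystemRoot\System32\scrnsave.scr")
    Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaveActive'    -Value '1'
    Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaverIsSecure' -Value '1'    # "On resume, display logon screen"
    Set-ItemProperty -Path $DesktopKey -Name 'ScreenSaveTimeOut'   -Value "$TimeoutSeconds"
    Set-ItemProperty -Path $DesktopKey -Name 'SCRNSAVE.EXE'        -Value $SaverPath
}

function Test-LockingScreenSaver {
    param([int]$MaxTimeoutSeconds = 600)
    $d = Get-ItemProperty -Path $DesktopKey
    # All four must hold: saver on, lock on resume, timeout within policy,
    # and the saver executable actually present (a missing .scr never fires).
    return (($d.ScreenSaveActive -eq '1') -and
            ($d.ScreenSaverIsSecure -eq '1') -and
            ([int]$d.ScreenSaveTimeOut -le $MaxTimeoutSeconds) -and
            (Test-Path $d.'SCRNSAVE.EXE'))
}

Set-LockingScreenSaver
"Locking screen saver in place: $(Test-LockingScreenSaver)"
# The values are normally read at logon; this pushes them to the running session.
rundll32.exe user32.dll,UpdatePerUserSystemParameters
```

Test-LockingScreenSaver is the piece worth keeping: run it for each account on the machine, since a user who turned the saver off to avoid the hassle will not tell you.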

Return

Top