| Setting: | CIS Recommended | Further Explanation |
| 1 Service Packs and Hotfixes | ||
| 1.1 Major Service Pack and Hotfix Requirements | ||
| 1.1.1 Current Service Pack Installed | SP1a for XP, SP4 for 2000 | |
| 1.2 Minor Service Pack and Hotfix Requirements | ||
| 1.2.1 Hotfixes recognized by Ecora | All Critical and Important Hotfixes | |
| 2 Auditing and Account Policies | ||
| 2.1 Major Auditing and Account Policies Requirements | ||
| 2.1.1 Minimum Password Length | 8 Characters | In
general, password length and password complexity requirements are used to
protect against password guessing attacks. Password length significantly increases resistance to brute force attacks. A single extra character makes a large difference: even if passwords are case insensitive and alphanumeric, one extra password means the typical brute force attack will take 36 times as long (10 digits plus 26 letters) to complete. In addition to password guessing attacks, some legacy Microsoft protocols suffer from a limitation which makes an eight character password particularly important. These protocols effectively break down passwords into seven character “chunks”. This creates two significant vulnerabilities: • First, passwords with seven or fewer characters are quickly identified. • Second, since a fourteen character password effectively becomes two seven character passwords, it is actually only twice as secure as a seven character password. In order to protect against the first vulnerability, the general consensus requires passwords to be eight characters or more. Protection against the second vulnerability, however, can only be provided through the use of stronger authentication protocols. In particular, LAN Manager (LANMan) and NTLM authentication contains this limitation; however, NTLMv2 and Kerberos are not affected by this. See 3.2.1.47, which discuss how to require NTLMv2 or Kerberos authentication, and how to disable storage of LANMan password hashes. |
| 2.1.2 Maximum Password Age | 90 days | All
passwords must be changed regularly to ensure they are known only by
individuals authorized to use the account. |
| 2.2 Minor Auditing and Account Policies Requirements | ||
| 2.2.1 Audit Policy (minimums) | Audit
Policy defines the significant events which a computer should log. The log
entries, or events, perform two important roles: they provide a means for near-real-time monitoring of the system, and they allow investigation of actions which occurred in the past. |
|
| 2.2.1.1 Audit Account Logon Events | Success and Failure | Audit
logon events track all attempts to access the workstation. These may come
from a local interactive logon, a network logon, a batch process, or even a service. Failed account logon may show a trend for password attacks; successful logon events are important to identify which user was logged on to the workstation at a given time. |
| 2.2.1.2 Audit Account Management | Success and Failure | In
order to track successful and failed attempts to create new users or groups,
rename users or groups, enable or disable users, or change accounts’ passwords, enable auditing for Account Management events. Successful account management events are also generated when an account is locked out, so these events become important in determining the cause of an account lockout. |
| 2.2.1.3 Audit Directory Service Access | <Not Defined> | No
auditing of Directory Service Access is required on Windows XP
Professional because Directory Service Access can only be audited on Windows 2000 (or later) domain controllers. |
| 2.2.1.4 Audit Logon Events | Success and Failure | Logon
Events will identify which accounts are accessing resources on the workstation. These events are generated only when local machine credentials are used. Even if a workstation is domain member, it is still possible to log on to the workstation using a local account. |
| 2.2.1.5 Audit Object Access | Failure (minimum) | It
is possible to track when specific users access specific files. This option
only produces events when one or more objects are actively being audited. In order to track user access to specific files or directories, navigate to the file or folder, edit the security properties for that object, and enable auditing the object. |
| 2.2.1.6 Audit Policy Change | Success (minimum) | When
the “Audit Policy Change” option is set, changes to User Rights, Audit
Policies, or Trust Policies will produce events in the Security Event Log. |
| 2.2.1.7 Audit Privilege Use | Failure (minimum) | Auditing
privilege use enables auditing for any operation that would require a
user account to make use of extra privileges that it has already been assigned. If this is enabled, Events will be generated in the Security Event Log if a user or process attempts to bypass traverse checking, debug programs, create a token object, replace a process level token, or generate security audits. |
| 2.2.1.8 Audit Process Tracking | <Not Defined> | When
this option is enabled, an event is generated each time an application or a
user starts, stops, or otherwise changes a process. This creates a very large event log very quickly, and the information is not normally exceptionally useful, unless you are tracking a very specific behavior. As such, auditing process tracking is not required, and is only recommended when absolutely necessary. |
| 2.2.1.9 Audit System Events | Success (minimum) | Auditing
System events is very important. System events include starting or
shutting down the computer, full event logs, or other security related events that have impact across the entire system. Auditing of Success and Failure events should be enabled. |
| 2.2.2 Account Policy | ||
| 2.2.2.1 Minimum Password Age | 1 day | The
recommended password policy requires users to change passwords regularly,
and requires the password to be different from those cached in history. When the minimum password age is set to 0, a user can change passwords repeatedly. It is possible for the user to continue changing passwords until yesterday’s password is flushed from the cache, and then re-use the old password. This activity is prevented by limiting password changes to once a day. |
| 2.2.2.2 Maximum Password Age | 90 days | See section 2.1.2 |
| 2.2.2.3 Minimum Password Length | 8 characters | See section 2.1.1 |
| 2.2.2.4 Password Complexity | Enabled | Complex passwords further mitigate the risk of a brute force password attack by significantly increasing the set of all possible passwords. This is done by requiring passwords to include a combination of upper and lowercase letters, numbers and symbols (special characters) in the password. |
| 2.2.2.5 Password History | 24 passwords remembered | Passwords
should be changed on a regular basis. By that same rule, users should not
be permitted to use the same few passwords over and over again. The Enforce Password History setting determines how many previous passwords are stored to ensure that users do NOT cycle through regular passwords. The NSA requirement of 24 passwords remembered should be viable for public use as well. |
| 2.2.2.6 Store Passwords using Reversible Encryption | Disabled | The
Windows authentication model allows storage of a password hash rather than
the actual password. A password hash can not be decoded to regain the original password. Rather, to authenticate, the password must be hashed exactly the same way and compared with the original stored hash. If the values match, the correct password was presented, and access is granted. In order to support some applications and their authentication, Microsoft permits the ability to store passwords using reversible encryption. If at all possible, this should be avoided. This option is disabled by default, and should remain so. Any application that requires reversible encryption for passwords is purposely putting systems at risk. |
| 2.2.3 Account Lockout Policy | In order to protect against online password attacks, enforce an account lockout policy. | |
| 2.2.3.1 Account Lockout Duration | 15 minutes | Once
the criteria for a lockout are met, the account becomes locked. However,
the account will automatically become re-enabled once again after the duration specified in the “Account Lockout Duration.” Specify 0 minutes to have the account lockout until an administrator manually resets the account. |
| 2.2.3.2 Account Lockout Threshold | 50 attempts | The
user is given a number of attempts to enter the wrong password before their
account becomes locked. The “Account Lockout Threshold” defines this limit. |
| 2.2.3.3 Reset Account Lockout After | 15 minutes | Following
a bad logon, the system increments the count of invalid attempts for
this account. This counter continues to increment until the lockout threshold is reached, or the counter is reset. The “Reset Account Lockout After” setting defines how often the counter is reset. This setting must be less than or equal to the “Account Lockout Duration”, 2.2.3.1. |
| 2.2.4 Event Log Settings – Application, Security, and System Logs | All
system events are collected into event logs. Two additional settings control system behavior when the event log is full. Essentially there are two possibilities: • Continue logging events as they come but risk overwriting important events • Stop logging events Obviously, it is preferable to continue logging events so that useful information is not lost. However, consider the attacker that kicks off a fake event generator as the last step of the attack (for example, it might try to log in with the guest account hundreds of times a second knowing the guest account is disabled). If all events continue to be logged, the events from the actual attack will soon be overwritten. In this case, it would be preferable to stop logging events when the log fills. The Audit policy setting for “Log Retention Method” provides control over how the system reacts to a full log: • Overwrite Events as Needed continues logging all events, overwriting older event whenever necessary. • Overwrite by Days allows overwriting some events, but not all. Events older that a specific number of days can be cleared out. Once all the older events are overwritten, no new events are logged. • Do not overwrite (Clear logs manually) prevents overwriting events, and new events are lost when the event log fills. The event log must be cleared manually by the system administrator or an automated log management application. Setting the “Log Retention Method” to “Overwrite by Days” enables the “Log Retention” option. This specifies the number of days of event logs the system will preserve. It may seem advisable to make the event logs as large as possible. However, due to constraints in how the operating system handles the logs, all three log files must be mapped to memory during normal system operation. An excessively large setting may cause unexpected results as the logs grow beyond the ability for the operating system to load the file in memory. Therefore, this guide recommended combined size of all three log files is limited to 120Mb, although a combined size of up to 300Mb seems to work well. |
|
| 2.2.4.1 Application Log | ||
| 2.2.4.1.1 Maximum Event Log Size | 16 MB | |
| 2.2.4.1.2 Restrict Guest Access | Enabled | |
| 2.2.4.1.3 Log Retention Method | <Not Defined> | |
| 2.2.4.1.4 Log Retention | <Not Defined> | |
| 2.2.4.2 Security Log | ||
| 2.2.4.2.1 Maximum Event Log Size | 80 MB | |
| 2.2.4.2.2 Restrict Guest Access | Enabled | |
| 2.2.4.2.3 Log Retention Method | <Not Defined> | |
| 2.2.4.2.4 Log Retention | <Not Defined> | |
| 2.2.4.3 System Log | ||
| 2.2.4.3.1 Maximum Event Log Size | 16 MB | |
| 2.2.4.3.2 Restrict Guest Access | Enabled | |
| 2.2.4.3.3 Log Retention Method | <Not Defined> | |
| 2.2.4.3.4 Log Retention | <Not Defined> | |
| 3 Security Settings | ||
| 3.1 Major Security Settings | ||
| 3.1.1 Additional restrictions for anonymous connections | When
Microsoft made the transition from Windows 3.0 and 3.1 to Window 95 and Windows NT, many of the early networking programs used a “Null User” account to transfer data from one machine to another. A Null User is a zero length username with a zero length password. By default, it is still enabled on Windows NT and Windows 2000 machines today. This user does not have elevated rights on these computers, but it is considered a user, and still has the ability to gain information that would be valuable in the hands of an attacker. The first setting under “Security Options” is “Additional Restrictions for Anonymous Connections”. It can be set to “None. Rely on default permissions”, “Do not allow enumeration of SAM accounts or shares”, or “No access without explicit anonymous permissions”. In order to provide minimum protection against Null User exploitation, change this to “Additional Restrictions for Anonymous Connections”. Change this setting to the last choice, and protect your computer(s) from access by the Null User account. |
|
| 3.2 Minor Security Settings | ||
| 3.2.1 Security Options | ||
| 3.2.1.1 Allow Server Operators to Schedule Tasks | <Not Defined> | This
setting applies only to Windows 2000 Server Domain Controllers. It has no
effect on Windows XP workstations. |
| 3.2.1.2 Allow System to be Shut Down Without Having to Log On | Disabled | Some
systems run critical processes and should only be shut down by authorized
users. Occasionally, special processes could be evoked during system startup, sometimes even trojaned processes. In environments where abnormal system reboots could cause problems, require a logon prior to reboot. |
| 3.2.1.3 Allowed to eject removable NTFS media | Administrators | |
| 3.2.1.4 Amount of Idle Time Required Before Disconnecting Session | 15 Minutes | This
setting applies specifically to communications using the SMB protocol. When
a client establishes a connection with an SMB server, they exchange credentials, perform authentication, and set aside resources to manage the connection. After a period of inactivity, the client or server may close the connection to conserve resources. When the client again attempts to use the SMB server, it reestablishes the connection without interaction with the user. The reconnection typically happens fast enough to hide the activity from the user. |
| 3.2.1.5 Audit the access of global system objects | <Not Defined> | Global
system objects typically only provide interesting audit information to
developers. Some examples of these kernel objects include mutexes, semaphores and DOS devices. Normal system operation does not require auditing to this level of detail. |
| 3.2.1.6 Audit the use of backup and restore privilege | <Not Defined> | When
enabled, this setting will generate a log entry for every file which is
backed up or restored using the “Backup or Restore” privilege. During normal operations, this will generate a large amount of event entries, and is typically not required. |
| 3.2.1.7Automatically log off users when logon hours expire | Enabled | This
setting only applies to workstations joined to a domain, as logon hours can not be set for local accounts. The setting deals exclusively with connections using the SMB protocol, and not with the interactive logon session. Enabling this feature will disconnect all client connections when logon time limits are reached. By default, the workstation only enforces logon hours during session setup, and not afterwards. |
| 3.2.1.8 Clear Virtual Memory Pagefile | Enabled | Enabling
this options provides greater security by erasing the data during
normal operations; however, this may also significantly increase the time required to shut down the computer. When enabled, the hibernation file (hiberfil.sys) is also cleaned on shutdown. |
| 3.2.1.9 Digitally sign communications (always) | Enabled | This
setting applies specifically to communications using the Server Message
Block (SMB) protocol. When enabled, the client will negotiate signed communications with any SMB server. If the server can not support SMB signing (typically servers prior to Windows 2000), communications will fail. When possible, digitally sign client communication to protect against man-in-the-middle attacks, as it supports mutual authentication and protection against packet tampering. SMB signing does not impact network bandwidth; however, CPU resources will be used in generating and verifying SMB signatures. |
| 3.2.1.10 Digitally sign communications (if server agrees) | Enabled | This
setting applies specifically to communications using the Server Message
Block (SMB) protocol. When enabled, the client will negotiate signed communications with any server supporting SMB signing (typically Windows 2000 and later). Unsigned communications will still succeed with servers that do not support message signing. |
| 3.2.1.11 Digitally sign communications (always) | Enabled | Similar
to 3.2.1.9, the workstation may require all SMB traffic to be digitally
signed. Workstations act as servers when remote devices connect to published shares; many workstation management systems also use SMB protocols. |
| 3.2.1.12 Digitally sign communications (if client agrees) | Enabled | Similar
to 3.2.1.10, the workstation should request signed communications
wherever possible. This option is enabled by default, and should remain enabled. |
| 3.2.1.13 Do Not Display Last User Name | Enabled | Anyone
attempting to log into a computer may see the name of the last valid user
who logged on to that system. This does not prevent displaying the currently logged on user when unlocking a workstation. This information may seem trivial, but it helps an attacker tie a workstation to a particular individual, or may help an attacker gain access to a stolen mobile device. |
| 3.2.1.14 Disable CTRL+ALT+DEL requirement for logon | Disabled (Disabled means you will have to press CTRL+ALT+DEL to login) |
The
Windows operating system treats the CTRL+ALT+Delete key different from
any other. Operating system design prevents any application from intercepting and responding when these keys are pressed. When you type CTRL+ALT+Delete, you are guaranteed that the operating system authentication process will handle the request. With the CTRL+ALT+Delete requirement lifted, the user could actually be typing their password into a trojaned application, rather than the operating system authentication process. Remember, the trojaned application would not be able to respond had the user pressed CTRL+ALT+Delete. When a workstation does not require CTRL+ALT+Delete to log on, users will not see the dialog “Press CTRL+ALT+Delete To Log On.” Rather, the workstation simply presents the standard logon dialog. |
| 3.2.1.15 LAN Manager Authentication Level | Send NTLMv2, refuse LM | The
default, and weakest option, is the first: send LM & NTLM responses. As a
result, using NTLM is ineffective because both protocols are sent together. In order to take a much more effective stand to protect network authentication, set LAN Manager Authentication Level to “Send NTLMv2 response only\refuse LM & NTLM”. Enabling this setting may have adverse effects on your ability to communicate with other Windows machines unless the change is made network-wide. If you find that you are unable to require a certain level of LM Authentication, back down to “Send LM & NTLM – Use NTLMv2 session security if negotiated” and try your network authentication again. Communication with Windows 9x/Me machines requires the DSCLIENT.EXE utility from the Windows 2000 installation CD. |
| 3.2.1.16 Message Text for Users Attempting to Log On | <Custom, or DoJ Approved> | In
general, legal requirements dictate that users must be notified of security
practices when logging on to a system. The users should agree to acceptable usage policies, and be notified that the system may be monitored. The message is commonly referred to as a “logon banner”. |
| 3.2.1.17 Message Title for Users Attempting to Log On | <Custom, or DoJ Approved> | The
message title acts as part of the logon banner discussed above. The
workstation places this text as the title for the logon banner window. The text should be either neutral or a warning. Avoid inviting titles such as “Welcome”. |
| 3.2.1.18 Number of Previous Logons to Cache | 1 | When
a workstation belongs to a domain, users can log on to it using domain
credentials. The domain credentials can be cached in the local workstation’s Security Accounts Manager (SAM) database. On next logon, should no domain controller be available, the user can still log on locally by authenticating against the cached account information. When logging on using cached credentials, some account properties will not be enforced, since the domain controller maintains responsibility for enforcing account policy. The local SAM database does not “own” the account, so cached account passwords do not expire, and domain accounts can not be locked out when the domain is unavailable. |
| 3.2.1.19 Prevent system maintenance of computer account password | Disabled | |
| 3.2.1.20 Prevent users from installing printer drivers | <Not Defined> | Users
typically need the ability to install and configure their own printers.
However, printer driver installation loads code directly into the privileged space of the operating system kernel. The malicious user could choose to install an invalid or trojaned print driver to gain control on the system. |
| 3.2.1.21 Prompt User to Change Password Before Expiration | 14 days | Should
a user’s password be near its expiration date, the logon process warns the
user and asks if they would like to change the password. Once the password has expired, the user will be required to change the password to complete the logon. This setting governs the window of convenience between the time when the system offers the user to change the password, and the time when they are required to change the password. |
| 3.2.1.22 Recovery Console: Allow Automatic Administrative Logon | Disabled | If
configured, a boot to the recovery console could result in automatic logon,
and bypass the need for the password of the administrator account. Since this gives administrator access to anyone who can reboot the computer, the setting is generally disabled. |
| 3.2.1.23 Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders | <Not Defined> | By
default, the Recovery Console only allows access to the root folder of each
drive, and the operating system folder (typically C:\Windows). The console also prevents copying files from the hard drive onto removable media. Although this protection can be bypassed by enabling floppy copy and drive access, the setting is disabled by default and should remain disabled. |
| 3.2.1.24 Rename Administrator Account | <Not Defined> | Often
disabling the Administrator account is not practical. However, simply knowing the name of an account on a machine can be valuable information to an attacker. In an attempt to hide the account, best practices recommend renaming the account to something unique for your implementation. |
| 3.2.1.25 Rename Guest Account | <Not Defined> | See
3.2.1.24. Similar to the Administrator account, the Guest account should be
renamed even if it is disabled. The operating system places additional safeguards on the Guest account, and it is less of a target than the Administrator account, but it still deserves significant attention warrant changing the account name. |
| 3.2.1.26 Restrict CD-ROM Access to Locally Logged-On User Only | <Not Defined> | With
sufficient privileges, users can create network shares from any folder on a
Windows XP workstation. This extends to sharing a CD-ROM drive externally. This setting would restrict use of the shared CD-ROM drive to the local interactive logon. Since different CDs can be inserted, the user may forget or be unaware that the information on the CD becomes remotely accessible. Also, unlike typical file shares, access control lists can not be placed on files and directories to control access and auditing. |
| 3.2.1.27 Restrict Floppy Access to Locally Logged-On User Only | <Not Defined> | Similar
to a CD-ROM drive (3.2.1.22 above), the floppy drive can be shared to
network users. Again, the user may not remember that the information on all inserted floppies becomes exposed. |
| 3.2.1.28 Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always) | Enabled | With
this setting enabled, all packets sent from the client will be signed. The
client will also encrypt the packets if the server supports it. A signed packet can not be spoofed or tampered; however, the payload remains untouched and could possibly be deciphered should it be intercepted. Encrypted packets can only be decrypted by the server. |
| 3.2.1.29 Secure Channel: Digitally Encrypt Secure Channel Data (When Possible) | Enabled | See
3.2.1.28 above. This setting provides greater compatibility than requiring
encryption or signing. |
| 3.2.1.30 Secure Channel: Digitally Sign Secure Channel Data (When Possible) | Enabled | See
3.2.1.28 above. This setting also provides compatibility with legacy
equipment. It prevents replay and man-in-the middle attacks when domain controllers support signing. However, by itself, this setting will not protect against packet sniffing to gather potentially sensitive information. |
| 3.2.1.31 Secure Channel: Require Strong (Windows 2000 or later) Session Key | Enabled | This
setting applies specifically to the NetLogon secure channel established
between workstations and domain controllers (see 3.2.1.18). This setting only impacts workstations which have joined a domain. |
| 3.2.1.32 Send Unencrypted Password to Connect to Third-Part SMB Server | Disabled | Would
you like your Windows XP computer to send your password in clear text
to another computer that requests authentication? The setting is disabled by default, and should remain so. |
| 3.2.1.33 Shut Down system immediately if unable to log | <Not Defined> | See
2.2.4. A system administrator may choose not to overwrite events when the
event log is full. Assuming that logs are sized appropriately, routinely backed up and cleared, this could indicate a security incident. In the high security environment, the inability to log events may be just cause to halt the server. |
| 3.2.1.34 Smart Card Removal Behavior | Lock Workstation | When
users authenticate with smart cards, the system can be set to lock or log out
the user when the smart card is removed. Any setting other than “No Action” is acceptable. In an environment that does not use Smart Cards, this setting has no effect. |
| 3.2.1.35 Strengthen default permissions of internal system objects | Enabled | This
setting actually digs deep into the operating system behavior and should be
left at the default setting (Enabled) unless explicitly required. “Internal system objects” are shared physical and logical resources such as semaphores and DOS device name; the objects all are created with access control lists (ACLs). When enabled, the ACL allows other non-administrative system processes to query internal system objects, but will not allow them to modify them. |
| 3.2.1.36 Unsigned Driver Installation Behavior | Warn, but allow | Drivers
interact with the kernel and hardware at a low level; improper drivers can
open the system to low level hardware and kernel problems. Additionally, trojaned drivers can open the system to compromise. Microsoft generally ships drivers with a digital signature, expressing that Microsoft itself has certified the drivers through their Windows Hardware Quality Lab. Unfortunately, not all drivers (even from Microsoft) have digital signatures. |
| 3.2.1.37 Unsigned non-driver installation behavior | <Not Defined> | According
to Microsoft, there are no “Non-Driver” devices to install. This
setting has no effect. |
| 3.2.2 Additional Registry Settings | ||
| 3.2.2.1 Suppress Dr. Watson Crash Dumps: HKLM\Software\Microsoft\DrWatson\CreateCrashDump | (REG_DWORD) 0 | Dr.
Watson is one of Microsoft’s utilities that handles errors in applications.
If an application produces an error that Dr. Watson can manage, it will dump the contents of memory for that application to a file for future analysis. In the process of writing the contents of memory to disk, it is entirely possible that password information could be written to disk as well, and later exploited. Set this value to zero to prevent Dr. Watson from writing crash dumps to disk. |
| 3.2.2.2 Disable Automatic Execution of the System Debugger: HKLM\Software\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto | (REG_DWORD) 0 | If
an application is executed in non-privileged memory, and the system debugger
is started, it is possible for that application to execute code in privileged memory space. Set this value to zero to prevent the system debugger from executing automatically. |
| 3.2.2.3 Disable autoplay from any disk type, regardless of application: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun | (REG_DWORD) 255 | Although
it is convenient for applications to automatically run when Windows
Explorer opens up, it can also cause applications to be executed against the wishes of an administrative user, and exploiting that privilege. Set this value to 255 to prevent any type of drive from automatically launching an application from Windows Explorer. |
| 3.2.2.4 Disable autoplay for current user: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ NoDriveTypeAutoRun | (REG_DWORD) 255 | Note:
Due to the inability to manage registry entries for each local user via
Security Templates, this setting is recommended, but not required or measured. |
| 3.2.2.5 Disable autoplay for the default profile: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun | (REG_DWORD) 255 | Similar
to the autoplay settings above, this enforces the policy for any new
profiles created on the workstation. |
| 3.2.2.6 Disable Automatic Logon: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon | (REG_DWORD) 0 | Windows
also has the ability to automatically log a user on every time that machine
starts up. Some users may prefer this as a feature. Some server based applications may require that a user log in before they can execute, so they require this activity as well. The problem with this “feature” is that in order for it to work, it stores the username and password for that user in plaintext in the registry. Set this value to zero to prevent any user from automatically logging in when the computer starts up. |
| 3.2.2.7 Disable automatic reboots after a Blue Screen of Death: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot | (REG_DWORD) 0 | If
someone manages to get enough control of your computer that they can plant
an application there, the next step is to force your computer to restart to register that app. One easy way to accomplish this task is to programmatically force an error that causes the computer to crash, or “Blue Screen” which will reboot the machine by default. Set this Value to zero to prevent this behavior from happening, and at least alert the user that something is wrong. |
| 3.2.2.8 Disable CD Autorun: HKLM\System\CurrentControlSet\ Services\CDrom\Autorun (REG_DWORD) | (REG_DWORD) 0 | If
malicious software is written to a CD, it can be executed by Windows Explorer
just by putting the CD in the drive. Set this value to zero to prevent any applications from automatically launching from the CD-ROM drive. |
| 3.2.2.9 Remove administrative shares on workstation (Professional): HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks | (REG_DWORD) 0 | Every
Windows NT/2000 computer automatically has “Administrative Shares”
installed by default. These are restricted to use by Administrators, but they expose each volume root, and the %systemroot% folder to the network as Admin$, C$, etc. These make remote administration convenient, but they also present a risk if someone manages to guess the password to an administrative account. WARNING: If you use administrative shares on your network for remote backups, antivirus support, or general remote administration, this will break your applications. Please ask your software vendors to design around this requirement in future versions of their applications. |
| 3.2.2.10 Protect against Computer Browser Spoofing Attacks: HKLM\System\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset | (REG_DWORD) 1 | Although
this standard advises end-users to shut down their Computer Browser service,
it is also likely that not everyone will be able or willing to do so. This registry setting provides protection against a vulnerability that allows the Computer Browse to be shut down. Set this value, to protect against this specific vulnerability. If you are not running the Computer Browser service, this setting will have no effect. More information is available at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262694. |
| 3.2.2.11 Protect against source-routing spoofing: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting | (REG_DWORD) 2 | If
a Windows computer has two valid networking devices installed, it can be
configured to act as a router or a firewall, and pass network traffic from one interface to another. Whether this is the intended purpose or not, it can be done on any Windows computer. “Source Routing” traffic that passes through such a router can bypass certain routing rules by “spoofing” the device to think malicious network activity came from the protected side. Set this value to 2 in order to drop all source routed packets. |
| 3.2.2.12 Protect the Default Gateway network setting: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect | (REG_DWORD) 0 | When
one TCP/IP Default Gateway fails, it is possible to force one computer to use
a second default gateway to complete the route path. In most cases, computers are not set up with multiple default gateways, relying on redundant routers instead. If an attacker can manipulate your default gateway, and this setting is not set to zero, he could route your network traffic to an alternate address. Set this value to zero to protect against this kind of attack. |
| 3.2.2.13 Ensure ICMP Routing via shortest path first: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect | (REG_DWORD) 0 | In
order to prevent network ICMP traffic from being redirected from one computer
to another, set the EnableICMPRedirect value to zero. There is some confusion as to whether or not the value name is pluralized. For more information, please refer to the Microsoft article at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q293626. |
| 3.2.2.14 Help protect against packet fragmentation: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery | (REG_DWORD) 0 | When
data is transferred across a network, the data is broken down into packets.
These packets are not always a uniform size. When these packets are broken down into smaller sizes, they are supposed to be reassembled at the other end of a network route in the same order. This does not always go as planned, and can used in some network attacks. Set this value to 0 to force Windows to use a consistent 576 byte packet. More details are available at http://support.microsoft.com/?kbid=315669. |
| 3.2.2.15 Manage Keep-alive times: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime | (REG_DWORD) 300000 | The
KeepAliveTime determines how often the network subsystem attempts to verify
that a TCP session is still active. The setting of 300,000 works out to one request every five minutes. |
| 3.2.2.16 Protect Against Malicious Name-Release Attacks: HKLM\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand | (REG_DWORD) 1 | By
default, a computer running NetBIOS will release its name upon request. In
order to protect against malicious name-release attacks, set this value to 1. Microsoft also references in at least one place that this is for Windows 2000 Service Pack 2 or greater. |
| 3.2.2.17 Ensure Router Discovery is Disabled: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery (REG_DWORD) | (REG_DWORD) 0 | This
setting prohibits the workstation from caching router advertisements. Since
router advertisements propogate through UDP, they can easily be spoofed. |
| 3.2.2.18 Protect against SYN Flood attacks: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect | (REG_DWORD) 2 | One
of the first methods of launching Denial of Service attacks was to send a
flood of incomplete 3-way handshake requests. Each time the incomplete request was received by the target, a small portion of the target’s resources were set aside, waiting for the request to finish. When all of the resources were set aside, the target machine was no longer able to serve any more requests, and further service was denied. In order to prevent the success of this attack, set the SynAttackProtect value to 2, which allows the operating system to limit the amount of resources that are set aside until the 3-way handshake is completed. Setting SynAttackProtect to 1 provides minimal security, but for maximum protection, set it to 2. The next few settings also provide a measure of protection against Denial of Service or Distributed Denial of Service attacks. |
| 3.2.2.19 SYN Attack protection – Manage TCP Maximum half-open sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen | (REG_DWORD) 100 | This
value determines how many incomplete handshake requests the network will
allow at one time. This provides protection if SynAttackProtect is set to 1. 100 is the default value on Windows XP Professional. |
| 3.2.2.20 SYN Attack protection – Manage TCP Maximum half-open retired sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetired (REG_DWORD) | (REG_DWORD) 80 | This
value indicates how many retransmitted SYN sessions are permitted. The
Default value is 80 for Windows XP Professional. |
| 3.2.2.21 Enable IPSec to protect Kerberos RSVP Traffic: HKLM\System\CurrentControlSet\Services\IPSEC\ NoDefaultExempt | (REG_DWORD) 1 | When
Kerberos authentication information is transferred between domain
controllers, or between domain controllers and member servers or workstations, it is not secured by default. Even when IPSec is used to encrypt that traffic, the Kerberos information is considered “exempt”. Set this value to 1 to ensure that all traffic, including Kerberos information is protected by IPSec. |
| 3.2.2.22 Hide workstation from Network Browser listing: HKLM\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden | (REG_DWORD) 1 | If
the Computer Browser service is disabled, or if this computer is not part of
a domain, this setting has no effect. Otherwise, it will prevent the computer from announcing itself to the browser services of other computers, and only act as a “listener” on domain browse lists. |
| 3.2.2.23 Enable Safe DLL Search Mode: HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode | (REG_DWORD) 1 | This
setting modifies the way in which Windows locates driver files (.dlls). A
value of 0 forces the operating system to search the current directory first; when set to 1, the system searches the windows system directory first |
| 4 Additional Security Protection | ||
| 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) | ||
| 4.1.1 Alerter | Disabled | The
alerter service is normally used to send messages between processes on
one computer “alerting” the status of certain functions to the user’s console, including the execution of print jobs. It also works in conjunction with the Messenger service to send these same messages between computers on a network. |
| 4.1.2 Automatic Updates | <Not Defined> | The
Automatic Updates service was first published with Windows XP. It
regularly checks the Microsoft web site in the background, and initiates the download of any new Critical Updates as they become available. It is designed to NOT use excessive network bandwidth. This service does not install anything itself, it makes updates ready to install. |
| 4.1.3 Background Intelligent Transfer Service | <Not Defined> | The
BITS service works in conjunction with the Automatic Updates service to
download Critical Updates from Microsoft’s Internet site, and make them available for installation. The service runs in the background, and makes use of unused and available bandwidth. |
| 4.1.4 Clipbook | Disabled | The
Clipbook service is used to share clipboard information between computers on
a network. In most cases, users don’t want to share that information with other computers. |
| 4.1.5 Computer Browser | <Not Defined> | The
Computer Browser (not to be confused with Internet browsers, such as
Internet Explorer or Netscape) keeps track of the computers on a network within a domain. It allows users to “browse” through Network Neighborhood to find the shared resources they need without knowing the exact name of that resource. Unfortunately, it allows anyone to browse to those resources before checking any sort of authentication or authorization. Disabling this service will require users to know the resources they are looking for, by name, and may result in an increased number of help desk calls. |
| 4.1.6 Fax Service | <Not Defined> | The
fax service is used for the unattended reception of incoming faxes. It is not
required for the sending, or manual reception of faxes. It does require that a computer be left running all the time, and have the modem set to auto-answer. Generally speaking, with the low cost of dedicated fax machines, the secure answer to most faxing needs would be to have a dedicated fax machine to receive faxes, while still using the computer to manually send faxes when appropriate. |
| 4.1.7 FTP Publishing Service | Disabled | The
FTP Publishing Service is part of the Internet Information Server suite of
Internet applications. It is not installed by default. It is used for making files on your local machine available to other users on your network or the Internet. Generally speaking, workstations do not share files with other computers. This service should be disabled, or removed. If it is going to be installed, it should be properly maintained, which is a subject beyond the scope of this benchmark. |
| 4.1.8 IIS Admin Service | Disabled | Also
part of the IIS suite of services, the IIS Admin Service manages the other
IIS services. If this service is not running, the other services that are part of the IIS suite will not function either. Disable this service. If possible, this should be removed from workstations. |
| 4.1.9 Indexing Service | <Not Defined> | This
service indexes files on the system in an attempt to improve search
performance. However, the service may occasionally consume excessive resources when compared to its usefulness. |
| 4.1.10 Messenger | Disabled | The
Messenger service works in tandem with the Alerter service. It allows
Alerter services of multiple computers to send alerts to each other over a network. Most users can live without the messenger and alerter services and still accomplish the tasks they need to do in the course of a normal day. On October 15, 2003, Microsoft released Security Bulletin 03-043. This bulletin is an advisory of a vulnerability in the Messenger service that allows an attacker to execute application code of his or her choice. Disable this service to prevent this, or as-yet unknown similar vulnerabilities from affecting a system. |
| 4.1.11 Net Logon | <Not Defined> | The
Net Logon service establishes the NetLogon secure channel with a domain controller. See 3.2.1.18 above. |
| 4.1.12 NetMeeting Remote Desktop Sharing | Disabled | Microsoft
has made one of the better collaboration tools that is available on the
market today, but at the same time they took that tool – NetMeeting – and tried to make it into a remote control utility for help desk personnel to take control of your computer in time of need. In a world of hacker attacks and buffer overflows, it seems like only a matter of time before an exploit is discovered, or it is just abused. If you don’t have a dedicated help desk, or your help desk doesn’t use NetMeeting Remote Desktop Sharing, disable this service. If your organization requires this service, it should understand that there may be a risk involved. |
| 4.1.13 Remote Desktop Help Session Manager | <Not Defined> | This
service supports the Remote Assistance functionality. Disable the service
to prohibit the use of Remote Assistance. |
| 4.1.14 Remote Registry Service | <Not Defined> | The
Windows Registry is essentially a database of settings and configuration
options that affect almost every function of a Windows XP computer. It determines how everything behaves at startup, shutdown, and everything in between. The purpose of the Remote Registry Services is to expose that database to the rest of the network through a NetBIOS connection. |
| 4.1.15 Routing and Remote Access | Disabled | The
Routing and Remote Access service is normally used either to facilitate
servers are Remote Access Servers, or to allow computers from one network to interact with computers on another. RRAS is not fully implemented on Windows XP Professional like it is in the server operating systems. Users generally don’t need RRAS on workstations. If this service can not be disabled, it should be locked down as much as possible. More information is available at http://www.microsoft.com/TechNet/columns/cableguy/cg0601.asp. |
| 4.1.16 Simple Mail Transfer Protocol (SMTP) | Disabled | Workstations
are not normally used as SMTP mail servers. This service is installed
as part of the IIS suite of applications. It should be disabled or removed entirely. |
| 4.1.17 Simple Network Management Protocol (SNMP) Service | Disabled | The
Simple Network Management Protocol (SNMP) has long been the accepted
standard for remote management through all network devices – routers, hubs, Unix, and Windows alike. It was recently discovered that SNMP has been proliferating a dangerously exploitable flaw for the past ten years or so. If you do not have a system actively using SNMP for remote management, disable it or remove it from the system |
| 4.1.18 Simple Network Management Protocol (SNMP) Trap | Disabled | Another
part of the SNMP protocol is the SNMP Trap service. Just like its
counterpart, it should be disabled and/or removed. |
| 4.1.19 Task Scheduler | <Not Defined> | The
Task Scheduler service supports queuing batch programs for future execution.
This could include virus scans, backups, or other system maintenance functions. With Windows XP, the task can run under alternate credentials, and does not necessarily have to run under the local system account. |
| 4.1.20 Telnet | Disabled | The
Telnet service is not often installed on workstations. It is used for
remote management of network devices, and offers a command-shell based form of network access to a computer. This is all well and good, but the traffic transferred by Telnet is not protected or encrypted in any way. If this is a requirement, take the time to look into a Secure Shell (SSH) remote management solution to fulfill your needs in a more secure manner. It is well worth the time and expense. |
| 4.1.21 Terminal Services | <Not Defined> | Terminal
services allow a remote graphical interface to the workstation. Similar
to pcAnywhere or Virtual Network Client (VNC) software packages, Terminal Services share using the Remote Desktop Protocol (RDP). Normal use of the terminal service on a workstation terminates the existing interactive logon session; however, if remote assistance is enabled, any existing session can be shared between two computers. |
| 4.1.22 Universal Plug and Play Device Host | Disabled | Universal
Plug and Play (UPnP) devices can be added to the network, and broadcast
their availability for management. UPnP should not be confused with the more common Plug and Play (PnP) features useful for hardware management. UPnP finds devices on the network; PnP finds devices physically installed into the computer. Few devices on the market currently require UPnP, and this service should be disabled unless explicitly required. |
| 4.1.23 World Wide Web Publishing Services | Disabled | The
grand-daddy of all exploitable services is Microsoft’s World Wide Web
service. It is the most often attacked web-server platform on the Internet today. As a result, it has had the most bugs found, and the most flaws exploited. This server is not installed by default, but should not exist on your average workstation. If it is not going to be properly maintained by personnel with an education in IIS security, it should be disabled or removed. |
| 4.2 User Rights | ||
| 4.2.1 Access this computer from the network | Users, Administrators | The
ability to access a computer from the network is a user right that can be
granted or revoked on any machine as appropriate. If this list is left empty, no user accounts can be used to gain access to the resources of this computer from the network. |
| 4.2.2 Act as part of the operating system | <None> | The
operating system works in a special security context called “LocalSystem”.
This security context has the ability to do things that normal users and administrative users can not. Granting this user right to users or groups will give them the ability to exceed normal privilege, regardless of their group membership. |
| 4.2.3 Add workstations to domain | <Not Applicable> | This
user right only applies to domain controllers, and has no effect on Windows
XP Professional. |
| 4.2.6 Back up files and directories | Administrators | This
user right grants a user or group the ability to circumvent normal Windows
file security for the purposes of backing up files and folders. It should be restricted when possible. |
| 4.2.7 Bypass traverse checking | Users | The
Bypassing Traverse Checking user right allows access to files or folders
regardless of the user’s permissions to the parent folder. In other words, prevents the inheritance of permissions. Unfortunately, it is necessary to grant this right to users to allow normal operation of applications on a workstation. |
| 4.2.8 Change the system time | Administrators | Changing
the system time on Windows XP computers is especially important to
restrict in a domain environment because of the role that time synchronization plays in Kerberos authentication. This should not be configurable to anyone except Administrators. |
| 4.2.9 Create a pagefile | Administrators | In
order to protect the potentially sensitive information that can be stored in
a pagefile, the creation of pagefiles should be restricted to Administrators. |
| 4.2.10 Create a token object | <None> | Allows
the creation of a security access token. This right should never be given to
any user. |
| 4.2.11 Create global objects | <None> | This user right is required for a user account to create global objects during Terminal Services sessions. Users can still create session-specific objects without being assigned this user right. |
| 4.2.12 Create permanent shared objects | <None> | The
right to create permanent shared objects should only be used by applications
in the Windows kernel. The kernel already has the right to create such objects, so no users should ever be granted this right. |
| 4.2.13 Debug Programs | Administrators | Any
user can debug his or her programs, but this right allows a user to debug
other processes on a machine. Users should not be granted this right except in an isolated development environment where possible. Microsoft is soon to release new Hotfix application technology that will require this right to apply patches. It promises fewer reboots for patches that need to be applied. In this light, Administrators still need this right to do their jobs. Hopefully, this will not be a permanent requirement, and can be eliminated in the future. |
| 4.2.14 Deny access to this computer from the network | Guests | The
“Deny Access” user rights always supercede the “Allow Access” user rights, so
that if a user is listed under both user rights, that user will be denied access. If there are no users who should be allowed access to a computer from the network, the Everyone group should be listed in the “Deny Access to this computer from the network” user right. |
| 4.2.15 Deny logon as a batch job | <Not Defined> | Just
like the other “Deny…” user rights, a user listed here will be denied access
to logon as a batch job, even if he has been explicitly granted that right. |
| 4.2.16 Deny logon as a service | <Not Defined> | Just
like the other “Deny…” user rights, a user listed here will be denied access
to logon as a service, even if he has been explicitly granted that right. |
| 4.2.17 Deny logon locally | <Not Defined> | Just
like the other “Deny…” user rights, a user listed here will be denied access
to logon to the console, even if he has been explicitly granted that right. |
| 4.2.18 Enable computer and user accounts to be trusted for delegation | <Not Applicable> | This
user right only applies to Domain Controllers. It has no effect on Windows
XP Professional. |
| 4.2.19 Force shutdown from a remote system | Administrators | This
grants a user the right to shut down a computer from the network. It should
only be granted to Administrators, and may be restricted to no users or groups at all. |
| 4.2.20 Generate security audits | Local Service, Network Service | This
user right allows a user or process to generate events to be added to the
Windows Security Event Log. |
| 4.2.21 Impersonate a client after authentication | <Not Defined> | Assigning
this privilege to a user allows programs running on behalf of that user to
impersonate impersonate A circumstance that occurs when Windows allows one process to take on the security attributes of another. a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) remote procedure call (RPC) A message-passing facility that allows a distributed application to call services that are available on various computers on a network. Used during remote administration of computers. or named pipes named pipes A portion of memory that can be used by one process to pass information to another process, so that the output of one is the input of the other. The second process can be local (on the same computer as the first) or remote (on a networked computer). ) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. |
| 4.2.22 Increase quotas | Administrators | |
| 4.2.23 Increase scheduling priority | Administrators | The
scheduling priority is one of the settings that can be altered as needed
for performance tuning, but normal users should not have the ability to change the priority of other processes. |
| 4.2.24 Load and unload device drivers | Administrators | Device
drivers execute as highly privileged applications on a Windows computer
because they directly interface the hardware with the operating system. These drivers can be the source of “Trojan Horse” applications, and should be restricted where possible. This setting actually applies to the installation of Plug and Play device drivers. |
| 4.2.25 Lock pages in memory | <None> | The
right to lock pages in memory is the ability to force data in physical memory
to remain in physical memory, and not be paged to disk, which can seriously degrade system performance. This user right is obsolete, and should remain empty. |
| 4.2.26 Log on as a batch job | <Not Defined> | The
right to log on as a batch job means that the listed user has the ability to
log on using the batch queue facility. By default, Administrators have this right, but very rarely use it. Remove all users and groups from this right. |
| 4.2.27 Log on as a service | <Not Defined> | Most
applications that do not directly interact with the logged on user (and many
that do) actually operate as a service. These services almost always execute under the LocalSystem security credentials. If a service needs to be executed in a user context, that user would have to be listed here. |
| 4.2.28 Log on locally | Users, Administrators | Anyone
who logs on locally to a computer must be listed here, either by individual
user names, or by the “users” group. |
| 4.2.29 Manage auditing and security log | Administrators | The
ability to manage the security event log is the equivalent to the ability for
an intruder to cover his tracks and destroy evidence of what has been done to a computer system. This user right should be highly restricted, possibly even to only a subset of system administrators. |
| 4.2.30 Modify firmware environment values | Administrators | Individual
users have the ability to change their own environment variables, but
only Administrators and accounts that hold this right can change the environment variables of other users on a system. |
| 4.2.31 Profile single process | Administrators | This
user right grants the ability for one user to monitor the performance of
another user or non-system process. |
| 4.2.32 Profile system performance | Administrators | The
Profile system performance user right allows a user or group of users to
monitor system performance, including system processes. |
| 4.2.33 Remove computer from docking station | Users, Administrators | This user right is just what you’d expect. |
| 4.2.34 Replace a process level token | Local Service, Network Service | The
ability to replace a process level token essentially means that a process can
change the authentication authority of its own child-processes. |
| 4.2.35 Restore files and directories | Administrators | In
conjunction with the “Backup files and directories” user right, this can be
very dangerous if a user backs up certain security related information, alters it, and restores it back to the same place. It should be restricted to Administrators. |
| 4.2.36 Shut down the system | Users, Administrators | Users
granted this right have the ability to shut down the computer. This only
takes effect if users are required to log on to shut down a system. |
| 4.2.37 Synchronize directory service data | <Not Applicable> | This user right has no effect on Windows XP Professional. |
| 4.2.38 Take ownership of file or other objects | Administrators | A
user who “owns” a file has greater authority over that file than even the
permissions would suggest. The right to take ownership of a file is equivalent to the ability to compromise an entire file system. |
| 4.3 Other System Requirements | ||
| 4.3.1 Ensure volumes are using the NTFS file system | All volumes | NTFS
interoperability has come a long way since its initial introduction. It can
be bypassed if the system can be rebooted, but it is the ONLY way that any file-level security can be enforced while system is operating. |
| 4.3.2 Disable NetBIOS | All Network Devices | By
default, the XP workstation will use both NetBIOS and DNS transports in
attempting to locate shared resources such as files and printers. However, Windows 2000 introduced the ability to eliminate NetBIOS and WINS for locating resources, in favor of a direct TCP connection through DNS. Disabling NetBIOS reduces the services running on the workstation. The NetBIOS name service runs on TCP and UDP port 137, the datagram service listens on UDP port 138 and the session service listens on TCP port 139. All SMB resource sharing applications will use TCP and UDP port 445, and ports 137, 138 and 139 can be firewalled. NetBIOS can only effectively be disabled if all shared resources on the client network run on Windows 2000 or later. See Microsoft Knowledge Base article 299977 for additional items to consider when disabling NetBIOS. Also see Knowledge Base article 315267 for information on how to disable NetBIOS on Windows XP. |
| 4.3.3 Enable the Internet Connection Firewall | <Not Defined> but Strongly Recommended | In
general, the Internet Connection Firewall (ICF) is available only when you
are connected directly to the Internet, but not for Local Area Network (LAN) connections. The firewall is also enabled on dial-up internet connections and shared internet connections. When enabled, the ICF blocks inbound traffic to your workstation unless a port is explicitly opened. The ICF typically is not necessary on internal networks where a firewall already exists between the client and the untrusted network. The ICF also supports activity logging. For more information about the Internet Connection Firewall on Windows XP, see Microsoft Knowledge Base Article 320855. |
| 4.3.4 Restricted Groups | Remote Desktop Users: <None> | With
Restricted Groups enabled, the operating system will evaluate local
group membership on boot and when group policy refreshes. Members in the “Restricted Groups” policy are compared against the actual, current group membership. If the accounts listed in the policy are not in the group, they are added. Conversely, if an account is in the group but not in the policy, it is removed. |
| 4.3.4.1 Remote Desktop Users | Use
this policy to explicitly control which users are allowed to use the remote
desktop service (Terminal Services). |
|
| 4.4 File and Registry Permissions | ||
| 4.4.1 File Permissions | * Unless stated otherwise, Administrators or System Full Control is full control for the designated folder and all contents. | |
| 4.4.1.1 %SystemDrive% | Administrators: Full; System: Full; Creator Owner: Full; Interactive: Read, Execute | |
| 4.4.1.2 %SystemRoot%\system32\at.exe | Administrators: Full; System: Full | |
| 4.4.1.3 %SystemRoot%\system32\attrib.exe | Administrators: Full; System: Full | |
| 4.4.1.4 %SystemRoot%\system32\cacls.exe | Administrators: Full; System: Full | |