and NTLMv2 authentication server2003

server2003  Date: 2021-03-29

NNT CIS Server 2003 Benchmark_v3.1.0 Level 1 Member Server: NNT-2003-32-BIT
NNT CIS Server 2003 Benchmark_v3.1.0 Level 1 Member Server
Total score: 98.26%
113 out of 115 rules passed
0 out of 115 rules did not pass completely
2 out of 115 rules failed
On NNT-2003-32-BIT - By admin for time period 28/07/2014 13:43:41 to 28/07/2014 13:43:41

Computer Configuration
Windows Settings
Security Settings - Account Policies - Account Lockout Policy Rules

1.1.1.1.2.1 Set 'Reset account lockout counter after' to '15' or more
Description: This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setting. If you leave this policy setting at its default value or configure the value to an interval that is too long, your environment could be vulnerable to a DoS attack. An attacker could maliciously perform a number of failed logon attempts on all users in the organization, which will lock out their accounts. If no policy were determined to reset the account lockout, it would be a manual task for administrators. Conversely, if a reasonable time value is configured for this policy setting, users would be locked out for a set period until all of the accounts are unlocked automatically.
Rationale: Users can accidentally lock themselves out of their accounts if they mistype their password multiple times. To reduce the chance of such accidental lockouts, the Reset account lockout counter after setting determines the number of minutes that must elapse before the counter that tracks failed logon attempts and triggers lockouts is reset to 0.
Pass: The Local Security Policy setting for 'Reset account lockout timer after' is set to: local security policy (30).
NNT CIS Server 2003 Benchmark_v3.1.0 Level 1 Member Server.xml 28/07/2014 13:45:33 1

1.1.1.1.2.2 Set 'Account lockout duration' to '15' or greater
Description: This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, locked out accounts will remain locked out until an administrator manually unlocks them. Although it might seem like a good idea to configure the value for this policy setting to a high value, such a configuration will likely increase the number of calls that the help desk receives to unlock accounts locked by mistake. Users should be aware of the length of time a lock remains in place, so that they realize they only need to call the help desk if they have an extremely urgent need to regain access to their computer.
Rationale: A denial of service (DoS) condition can be created if an attacker abuses the Account lockout threshold and repeatedly attempts to log on with a specific account. Once you configure the Account lockout threshold setting, the account will be locked out after the specified number of failed attempts. If you configure the Account lockout duration setting to 0, then the account will remain locked out until an administrator unlocks it manually.
Pass: The Local Security Policy setting for 'Account lockout duration' is set to: local security policy (30).
1.1.1.1.2.3 Set 'Account lockout threshold' to '6' or fewer
Description: This policy setting determines the number of failed logon attempts before a lock occurs. Authorized users can lock themselves out of an account by mistyping their password or by remembering it incorrectly, or by changing their password on one computer while logged on to another computer. The computer with the incorrect password will continuously try to authenticate the user, and because the password it uses to authenticate is incorrect, a lock occurs. To avoid accidental lockout of authorized users, set the account lockout threshold to a high number. The default value for this policy setting is 0 invalid logon attempts, which disables the account lockout feature. Because it is possible for an attacker to use this lockout state as a denial of service (DoS) by triggering a lockout on a large number of accounts, your organization should determine whether to use this policy setting based on identified threats and the risks you want to mitigate. There are two options to consider for this policy setting.
Configure the value for Account lockout threshold to 0 to ensure that accounts will not be locked out. This setting value will prevent a DoS attack that attempts to lock out accounts in your organization. It will also reduce help desk calls, because users will not be able to lock themselves out of their accounts accidentally. However, this setting value will not prevent a brute force attack. The following defenses should also be considered: A password policy that forces all users to have complex passwords made up of 8 or more characters. A robust auditing mechanism, which will alert administrators when a series of account lockouts occurs in the environment. For example, the auditing solution should monitor for security event 539, which is a logon failure. This event identifies that there was a lock on the account at the time of the logon attempt.
The second option is: Configure the value for Account lockout threshold to a value that provides users with the ability to mistype their password several times, but locks out the account if a brute force password attack occurs. This configuration will prevent accidental account lockouts and reduce help desk calls, but will not prevent a DoS attack.
Rationale: Password attacks can use automated methods to try millions of password combinations for any user account. The effectiveness of such attacks can be almost eliminated if you limit the number of failed logons that can be performed. However, a denial of service (DoS) attack could be performed on a domain that has an account lockout threshold configured. An attacker could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the account lockout threshold, the attacker might be able to lock out every account.
Pass: The Local Security Policy setting is: local security policy (4).
Security Settings - Account Policies - Password Policy Rules

1.1.1.1.3.1 Set 'Maximum password age' to '60' or less
Description: This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for this policy setting is 42 days. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current.
Rationale: The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access.
Pass: The Local Security Policy setting is: local security policy (60).
1.1.1.1.3.2 Set 'Enforce password history' to '24' or more
Description: This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password.
Rationale: The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. If you specify a low number for this policy setting, users will be able to use the same small number of passwords repeatedly. If you do not also configure the Minimum password age setting, users might repeatedly change their passwords until they can reuse their original password.
Pass: The Local Security Policy setting is: local security policy (24).
1.1.1.1.3.3 Set 'Store passwords using reversible encryption' to 'Disabled'
Description: This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user's password for authentication purposes. Passwords that are stored with reversible encryption are essentially the same as plaintext versions of the passwords.
Rationale: Enabling this policy setting allows the operating system to store passwords in a weaker format that is much more susceptible to compromise and weakens your system security.
Pass: The Local Security Policy setting is: local security policy (0).
1.1.1.1.3.4 Set 'Minimum password age' to '1' or more
Description: This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days.
Rationale: Users may have favorite passwords that they like to use because they are easy to remember and they believe that their password choice is secure from compromise. Unfortunately, passwords are compromised and if an attacker is targeting a specific individual user account, with foreknowledge of data about that user, reuse of old passwords can cause a security breach. To address password reuse a combination of security settings is required. Using this policy setting with the Enforce password history setting prevents the easy reuse of old passwords. For example, if you configure the Enforce password history setting to ensure that users cannot reuse any of their last 12 passwords, they could change their password 13 times in a few minutes and reuse the password they started with, unless you also configure the Minimum password age setting to a number that is greater than 0. You must configure this policy setting to a number that is greater than 0 for the Enforce password history setting to be effective.
Pass: The Local Security Policy setting is: local security policy (1).
1.1.1.1.3.5 Set 'Password must meet complexity requirements' to 'Enabled'
Description: This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements:
- Not contain the user's Account name or parts of the user's full name that exceed two consecutive characters
- Be at least six characters in length
- Contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example,
A catch-all category of any Unicode character that does not fall under the previous four categories. This fifth category can be regionally specific.
Each additional character in a password increases its complexity exponentially. For instance, a seven-character, all lower-case alphabetic password would have 26^7 (approximately 8 x 10^9 or 8 billion) possible combinations. At 1,000,000 attempts per second (a capability of many password-cracking utilities), it would only take 133 minutes to crack. A seven-character alphabetic password with case sensitivity has 52^7 combinations. A seven-character case-sensitive alphanumeric password without punctuation has 62^7 combinations. An eight-character password has 26^8 (or 2 x 10^11) possible combinations. Although this might seem to be a large number, at 1,000,000 attempts per second it would take only 59 hours to try all possible passwords. Remember, these times will significantly increase for passwords that use ALT characters and other special keyboard characters such as "!" or "@". Proper use of the password settings can help make it difficult to mount a brute force attack.
Rationale: Passwords that contain only alphanumeric characters are extremely easy to discover with several publicly available tools.
Pass: The Local Security Policy setting is: local security policy (1).
1.1.1.1.3.6 Set 'Minimum password length' to '14' or more
Description: This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps "passphrase" is a better term than "password." In Microsoft Windows 2000 or later, passphrases can be quite long and can include spaces. Therefore, a phrase such as "I want to drink a $5 milkshake" is a valid passphrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember. Users must be educated about the proper selection and maintenance of passwords, especially with regard to password length. In enterprise environments, ensure that the value for the Minimum password length setting is configured to 8 characters. This policy setting is long enough to provide adequate security. In high security environments, configure the value to 12 characters.
Rationale: Types of password attacks include dictionary attacks (which attempt to use common words and phrases) and brute force attacks (which try every possible combination of characters). Also, attackers sometimes try to obtain the account database so they can use tools to discover the accounts and passwords.
Pass: The Local Security Policy setting is: local security policy (14).
Security Settings - Local Policies - Security Options Rules

1.1.1.2.1.2 Set 'Accounts: Guest account status' to 'Disabled'
Description: This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system. Note that this setting will have no impact when applied to the domain controller organizational unit via group policy because domain controllers have no local account database. It can be configured at the domain level via group policy, similar to account lockout and password policy settings.
Rationale: The default Guest account allows unauthenticated network users to log on as Guest with no password. These unauthorized users could access any resources that are accessible to the Guest account over the network. This capability means that any network shares with permissions that allow access to the Guest account, the Guests group, or the Everyone group will be accessible over the network, which could lead to the exposure or corruption of data.
Pass: The Local Security Policy setting is: local security policy (0).
1.1.1.2.1.3 Set 'Accounts: Limit local account use of blank passwords to console logon only' to 'Enabled'
Description: This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer.
Rationale: Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Windows Server 2003 Active Directory directory service domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\control\lsa\limitblankpassworduse (1).
1.1.1.2.1.6 Set 'System objects: Default owner for objects created by members of the Administrators group' to 'Object creator'
Description: This policy setting determines whether the Administrators group or an object creator is the default owner of any system objects that are created. When system objects are created, the ownership will reflect which account created the object rather than the more generic Administrators group.
Rationale: If you configure this policy setting to Administrators group, it will be impossible to hold individuals accountable for the creation of new system objects.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\control\lsa\nodefaultadminowner (1).
1.1.1.2.1.7 Set 'Network access: Shares that can be accessed anonymously' to 'None'
Description: This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. Note: It can be very dangerous to add other shares to this Group Policy setting. Any network user can access any shares that are listed, which could expose or corrupt sensitive data. Note: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value.
Rationale: It is very dangerous to enable this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data.
Pass: local security policy ().
1.1.1.2.1.8 Set 'Interactive logon: Smart card removal behavior' to 'Lock Workstation'
Description: This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
Rationale: Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials.
Pass: The Local Security Policy setting is: 1.
1.1.1.2.1.9 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' to 'Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption'
Description: This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead requires certain behaviors in applications that use the SSPI. The possible values for the Network security: Minimum session security for NTLM SSP based (including secure RPC) clients setting are:
- Require message confidentiality. This option is only available in Windows XP and Windows Server 2003; the connection will fail if encryption is not negotiated. Encryption converts data into a form that is not readable until decrypted.
- Require message integrity. This option is only available in Windows XP and Windows Server 2003; the connection will fail if message integrity is not negotiated. The integrity of a message can be assessed through message signing. Message signing proves that the message has not been tampered with; it attaches a cryptographic signature that identifies the sender and is a numeric representation of the contents of the message.
- Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated.
- Require NTLMv2 session security. The connection will fail if the NTLMv2 protocol is not negotiated.
- Not Defined.
Rationale: You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLMSSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminclientsec (537395248).
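
The DWORD in that Pass line is a bitmask of the four options listed above. The Python below is an added example, not part of the NNT report or the CIS benchmark text: it decodes an NtlmMinClientSec value using the documented NTLMSSP flag bits behind this setting, checks a report line against the benchmark's required combination, and reports which options a weaker value leaves out; the regex and the sample lines are the example's own constructions.

```python
import re

# Documented flag bits for the "Minimum session security for NTLM SSP" settings
# (same bits for NtlmMinClientSec and NtlmMinServerSec), mapped to the option
# names used in rule 1.1.1.2.1.9 above.
NTLM_MIN_SEC_FLAGS = {
    0x00000010: "Require message integrity",
    0x00000020: "Require message confidentiality",
    0x00080000: "Require NTLMv2 session security",
    0x20000000: "Require 128-bit encryption",
}

# All four options set: 0x20080030 == 537395248, the value the report shows.
CIS_REQUIRED = sum(NTLM_MIN_SEC_FLAGS)


def decode_ntlm_min_sec(value: int) -> list[str]:
    """Return the option names whose flag bits are set in value, lowest bit first."""
    return [name for bit, name in sorted(NTLM_MIN_SEC_FLAGS.items()) if value & bit]


def missing_options(value: int, required: int = CIS_REQUIRED) -> list[str]:
    """Return the required options that value does not enforce."""
    return [name for bit, name in sorted(NTLM_MIN_SEC_FLAGS.items())
            if (required & bit) and not (value & bit)]


def check_report_line(line: str) -> tuple[bool, list[str]]:
    """Parse the '... ntlmminclientsec (N).' form used in the report's Pass lines
    and return (compliant, list of missing options). Raises on unparseable input."""
    m = re.search(r"ntlmminclientsec\s*\((\d+)\)", line, re.IGNORECASE)
    if not m:
        raise ValueError("no ntlmminclientsec value found in line")
    missing = missing_options(int(m.group(1)))
    return (not missing, missing)


# Constructed sample lines: the first mirrors the report's passing value, the
# second is a hypothetical host that only insists on 128-bit encryption.
SAMPLE_PASS_LINE = ("Pass: The Local Security Policy setting is: hkey_local_machine\\system"
                    "\\currentcontrolset\\control\\lsa\\msv1_0\\ntlmminclientsec (537395248).")
SAMPLE_WEAK_LINE = "Fail: ... \\lsa\\msv1_0\\ntlmminclientsec (536870912)."

if __name__ == "__main__":
    for line in (SAMPLE_PASS_LINE, SAMPLE_WEAK_LINE):
        ok, missing = check_report_line(line)
        print("compliant" if ok else "missing: " + "; ".join(missing))
```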

1.1.1.2.1.10 Set 'Devices: Prevent users from installing printer drivers' to 'Enabled'
Description: It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network. To reduce the possibility of such an event, only administrators should be allowed to install printer drivers. However, because laptops are mobile devices, laptop users may occasionally need to install a printer driver from a remote source to continue their work. Therefore, this policy setting should be disabled for laptop users, but always enabled for desktop users.
Rationale: It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\control\print\providers\lanmanprintservices\servers\addprinterdrivers (1).
1.1.1.2.1.11 Set 'Devices: Unsigned driver installation behavior' to 'Warn but allow installation'
Description: This policy setting determines what happens when an attempt is made to install a device driver (by means of Setup API) that has not been approved and signed by the Windows Hardware Quality Lab (WHQL). Depending on how you configure it, this policy setting will prevent the installation of unsigned drivers or warn the administrator that an unsigned driver is about to be installed. The Devices: Unsigned driver installation behavior setting can be used to prevent the installation of drivers that have not been certified to run on Windows Server 2003 with SP1. One potential problem with this configuration is that unattended installation scripts will fail when they attempt to install unsigned drivers.
Rationale: This policy setting will not prevent a method that is used by some attack tools in which malicious .sys files are copied and registered to start as system services.
Pass: The Local Security Policy setting is: local security policy (1).
1.1.1.2.1.12 Set 'Recovery console: Allow floppy copy and access to all drives and all folders' to 'Disabled'
Description: This policy setting makes the Recovery Console SET command available, which allows you to set the following recovery console environment variables:
- AllowWildCards. Enables wildcard support for some commands (such as the DEL command).
- AllowAllPaths. Allows access to all files and folders on the computer.
- AllowRemovableMedia. Allows files to be copied to removable media, such as a floppy disk.
- NoCopyPrompt. Does not prompt when overwriting an existing file.
Rationale: An attacker who can cause the system to restart into the Recovery Console could steal sensitive data and leave no audit or access trail.
Pass: The Local Security Policy setting is: hkey_local_machine\software\microsoft\windowsnt\currentversion\setup\recoveryconsole\setcommand (0).
1.1.1.2.1.13 Set 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)' to 'Enabled'
Description: This entry appears as MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended) in the SCE. By default, Windows will offer the option to save passwords for dial-up and VPN connections, which is not desirable on a server. You can add this registry value to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\ subkey.
Rationale: An attacker who steals a mobile user's computer could automatically connect to the organization's network if the Save This Password check box is enabled for the dial-up entry.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\rasman\parameters\disablesavepassword (1).
1.1.1.2.1.14 Set 'Network access: Restrict anonymous access to Named Pipes and Shares' to 'Enabled'
Description: When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKLM\System\CurrentControlSet\Services\LanManServer\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment.
Rationale: Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters\restrictnullsessaccess (1).
1.1.1.2.1.15 Set 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' to '90'
Description: The registry value entry WarningLevel was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ registry key. The entry appears as MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning in the SCE. This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated.
Rationale: If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\eventlog\security\warninglevel (90).

1.1.1.2.1.16 Set 'MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)' to 'Connections time out sooner if a SYN attack is detected'
Description: This entry appears as MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) in the SCE. This entry causes TCP to adjust retransmission of SYN-ACKs. When you configure this entry, the overhead of incomplete transmissions in a connect request (SYN) attack is reduced. You can use this entry to configure Windows to send router discovery messages as broadcasts instead of multicasts, as described in RFC 1256. By default, if router discovery is enabled, router discovery solicitations are sent to the all-routers multicast group (224.0.0.2). Not applicable to Windows Vista or Windows Server 2008.
Rationale: In a SYN flood attack, the attacker sends a continuous stream of SYN packets to a server. The server leaves the half-open connections open until it is overwhelmed and is no longer able to respond to legitimate requests.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\tcpip\parameters\synattackprotect (1).

1.1.1.2.1.17 Set 'System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies' to 'Enabled'
Description: This policy setting determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. It enables or disables certificate rules (a type of software restriction policies rule). With software restriction policies, you can create a certificate rule that will allow or disallow the execution of Authenticode-signed software, based on the digital certificate that is associated with the software. For certificate rules to take effect in software restriction policies, you must enable this policy setting.
Rationale: Software restriction policies help to protect users and computers because they can prevent the execution of unauthorized code, such as viruses and Trojan horses.
Pass: The Local Security Policy setting is: hkey_local_machine\software\policies\microsoft\windows\safer\codeidentifiers\authenticodeenabled (1).
1.1.1.2.1.18 Set 'MSS: (AutoShareServer) Enable Administrative Shares (recommended except for highly secure environments)' to 'Enabled'
Description: This entry appears as MSS: (AutoShareServer) Enable Administrative Shares (not recommended except for highly secure environments) in the SCE. For additional information, see the Microsoft Knowledge Base article How to remove administrative shares in Windows Server 2008 at http://support.microsoft.com/kb/954422/en-us.
Rationale: Because these built-in administrative shares are well-known and present on most Windows computers, malicious users often target them for brute-force attacks to guess passwords as well as other types of attacks.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters\autoshareserver (1).
1.1.1.2.1.19 Set 'Shutdown: Clear virtual memory pagefile' to 'Disabled'
Description: This policy setting determines whether the virtual memory pagefile is cleared when the system is shut down. When this policy setting is enabled, the system pagefile is cleared each time that the system shuts down properly. If you enable this security setting, the hibernation file (Hiberfil.sys) is zeroed out when hibernation is disabled on a portable computer system. It will take longer to shut down and restart the computer, and will be especially noticeable on computers with large paging files.
Rationale: Important information that is kept in real memory may be written periodically to the pagefile to help Windows handle multitasking functions. An attacker who has physical access to a server that has been shut down could view the contents of the paging file. The attacker could move the system volume into a different computer and then analyze the contents of the paging file. Although this process is time consuming, it could expose data that is cached from random access memory (RAM) to the paging file. Caution: An attacker who has physical access to the server could bypass this countermeasure by simply unplugging the server from its power source.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\control\sessionmanager\memorymanagement\clearpagefileatshutdown (0).
1.1.1.2.1.20 Set 'Domain member: Disable machine account password changes' to 'Disabled'
Description: This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its computer account password. If you disable this policy setting, the domain member can change its computer account password as specified by the Domain Member: Maximum machine account password age setting, which by default is every 30 days. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account.
Rationale: The default configuration for computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange (0).
1.1.1.2.1.21 Set 'Microsoft network server: Amount of idle time required before suspending session' to '15'
Description: This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 will disconnect an idle session as quickly as possible. The maximum value is 99999, which is 208 days; in effect, this value disables the setting.
Rationale: Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect (15).
1.1.1.2.1.22 Set 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' to 'Enabled'
Description: The registry value entry NoNameReleaseOnDemand was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\ registry key. The entry appears as MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers in the SCE. NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request.
Rationale: The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution. For more information, see the Microsoft Knowledge Base article "MS00-047: NetBIOS Vulnerability May Cause Duplicate Name on the Network Conflicts" at http://support.microsoft.com/default.aspx?kbid=269239.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\netbt\parameters\nonamereleaseondemand (1).

1.1.1.2.1.24 Set 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' to '300000 or 5 minutes (recommended)'
Description: The registry value entry KeepAliveTime was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds (300,000 is recommended) in the SCE. This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet.
Rationale: An attacker who is able to connect to network applications could establish numerous connections to cause a denial of service (DoS) condition.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\tcpip\parameters\keepalivetime (300000).

1.1.1.2.1.25 Set 'Shutdown: Allow system to be shut down without having to log on' to 'Disabled'
Description: This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system.
Rationale: Users who can access the console locally could shut down the computer. Attackers could also walk to the local console and restart the server, which would cause a temporary denial of service (DoS) condition. Attackers could also shut down the server and leave all of its applications and services unavailable.
Pass: The Local Security Policy setting is: hkey_local_machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon (0).

1.1.1.2.1.26 Set 'Interactive logon: Do not display last user name' to 'Enabled'
Description: This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization.
Rationale: An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Terminal Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on.
Pass: The Local Security Policy setting is: hkey_local_machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername (1).

1.1.1.2.1.27 Set 'Network security: LAN Manager authentication level' to 'Send NTLMv2 response only. Refuse LM & NTLM'
Description: LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations:
- Join a domain
- Authenticate between Active Directory forests
- Authenticate to down-level domains
- Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP
- Authenticate to computers that are not in the domain
The possible values for the Network security: LAN Manager authentication level setting are:
- Send LM & NTLM responses
- Send LM & NTLM — use NTLMv2 session security if negotiated
- Send NTLM responses only
- Send NTLMv2 responses only
- Send NTLMv2 responses only\refuse LM
- Send NTLMv2 responses only\refuse LM & NTLM
- Not Defined
The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the authentication level that servers accept as follows:
- Send LM & NTLM responses. Clients use LM and NTLM authentication and never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Send LM & NTLM — use NTLMv2 session security if negotiated. Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Send NTLM response only. Clients use NTLM authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Send NTLMv2 response only. Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Send NTLMv2 response only\refuse LM. Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).
- Send NTLMv2 response only\refuse LM & NTLM. Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).
These settings correspond to the levels discussed in other Microsoft documents as follows:
- Level 0: Send LM and NTLM response; never use NTLMv2 session security. Clients use LM and NTLM authentication, and never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Level 1: Use NTLMv2 session security if negotiated. Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Level 2: Send NTLM response only. Clients use only NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Level 3: Send NTLMv2 response only. Clients use NTLMv2 authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- Level 4: Domain controllers refuse LM responses. Clients use NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers refuse LM authentication, that is, they accept NTLM and NTLMv2.
- Level 5: Domain controllers refuse LM and NTLM responses (accept only NTLMv2). Clients use NTLMv2 authentication, and use NTLMv2 session security if the server supports it. Domain controllers refuse NTLM and LM authentication (they accept only NTLMv2).
Rationale: In Windows Vista, this setting is undefined. However, in Windows 2000, Windows Server 2003, and Windows XP, clients are configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default setting on servers allows all clients to authenticate with servers and use their resources. However, this means that LM responses—the weakest form of authentication response—are sent over the network, and it is potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for earlier clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 domain controllers.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel (5).

1.1.1.2.1.30 Set 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' to 'Disabled'
Description: The registry value entry AutoAdminLogon was added to the template file in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ registry key. The entry appears as MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) in the Security Configuration Editor. This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. For additional information, see the Knowledge Base article 315231, How to turn on automatic logon in Windows XP.
Rationale: If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry.
Pass: The Local Security Policy setting is: 0.

1.1.1.2.1.31 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' to 'Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption'
Description: This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead requires certain behaviors in applications that use the SSPI. The possible values for the Network security: Minimum session security for NTLM SSP based (including secure RPC) servers setting are:
- Require message confidentiality. This option is only available in Windows XP and Windows Server 2003; the connection will fail if encryption is not negotiated. Encryption converts data into a form that is not readable until decrypted.
- Require message integrity. This option is only available in Windows XP and Windows Server 2003; the connection will fail if message integrity is not negotiated. The integrity of a message can be assessed through message signing. Message signing proves that the message has not been tampered with; it attaches a cryptographic signature that identifies the sender and is a numeric representation of the contents of the message.
- Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated.
- Require NTLMv2 session security. The connection will fail if the NTLMv2 protocol is not negotiated.
- Not Defined.
Rationale: You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminserversec (537395248).

1.1.1.2.1.32 Set 'System objects: Require case insensitivity for non-Windows subsystems' to 'Enabled'
Description: This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available.
Rationale: Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\control\session manager\kernel\obcaseinsensitive (1).

1.1.1.2.1.34 Set 'System settings: Optional subsystems' to ''
Description: This policy setting determines which subsystems are used to support applications in your environment. Note: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value.
Rationale: The POSIX subsystem is an Institute of Electrical and Electronics Engineers (IEEE) standard that defines a set of operating system services. The POSIX subsystem is required if the server supports applications that use that subsystem. The POSIX subsystem introduces a security risk that relates to processes that can potentially persist across logons. If a user starts a process and then logs out, there is a potential that the next user who logs on to the computer could access the previous user's process. This potential is dangerous, because anything the second user does with that process will be performed with the privileges of the first user.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\control\session manager\subsystems\optional (,).

1.1.1.2.1.35 Set 'Devices: Allowed to format and eject removable media' to 'Administrators'
Description: This policy setting determines who is allowed to format and eject removable media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges.
Rationale: Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting.
Pass: The Local Security Policy setting is: hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd (0).

1.1.1.2.1.36 Set 'Microsoft network client: Digitally sign communications (always)' to 'Enabled'
Description: This policy setting determines whether packet signing is required by the SMB client component. If you enable this policy setting, the Microsoft network client computer cannot communicate with a Microsoft network server unless that server agrees to sign SMB packets. In mixed environments with legacy client computers, set this option to Disabled because these computers will not be able to authenticate or gain access to domain controllers. However, you can use this policy setting in Windows 2000 or later environments. Note: When Windows Vista based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the Microsoft network client and server: Digitally sign communications (four related settings) section in Chapter 5 of the Threats and Countermeasures guide.
Rationale: Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then forward them so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by the Windows operating systems. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature (1).

1.1.1.2.1.37 Set 'Interactive logon: Prompt user to change password before expiration' to '14'
Description: This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to 14 days to sufficiently warn users when their passwords will expire.
Rationale: It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections.
Pass: The Local Security Policy setting is: hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning (14).

1.1.1.2.1.38 Set 'Domain member: Maximum machine account password age' to '30'
Description: This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly or set it to 0 so that the computers no longer change their passwords, an attacker would have more time to undertake a brute force attack against one of the computer accounts.
Rationale: In Active Directory based domains, each computer has an account and password just like every user. By default, the domain-joined computers automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their passwords, an attacker will have more time to undertake a brute force attack to guess the password of one or more computer accounts.
Pass: The Local Security Policy setting is: 30.

1.1.1.2.1.39 Set 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' to 'Enabled'
Description: The registry value entry SafeDllSearchMode was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ registry key. The entry appears as MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) in the SCE. The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways:
- Search folders specified in the system path first, and then search the current working folder.
- Search current working folder first, and then search the folders specified in the system path.
When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path.
Rationale: If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\control\session manager\safedllsearchmode (1).

1.1.1.2.1.41 Set 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' to '3'
Description: The registry value entry TCPMaxDataRetransmissions was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) in the SCE. This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection.
Rationale: A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxdataretransmissions (3).

1.1.1.2.1.42 Set 'Domain member: Digitally sign secure channel data (when possible)' to 'Enabled'
Description: This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. Microsoft recommends configuring the Domain member: Digitally sign secure channel data (when possible) setting to Enabled.
Rationale: When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the domain controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated and sensitive information such as passwords are encrypted, but the channel is not integrity-checked, and not all information is encrypted. If a computer is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel (1).

1.1.1.2.1.43 Set 'Domain member: Digitally encrypt secure channel data (when possible)' to 'Enabled'
Description: This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member will request encryption of all secure channel traffic. If you disable this policy setting, the domain member will be prevented from negotiating secure channel encryption. Microsoft recommends configuring the Domain member: Digitally encrypt secure channel data (when possible) setting to Enabled.
Rationale: When a computer running Windows NT, Windows 2000, or later versions of Windows joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the domain controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a computer is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel (1).

1.1.1.2.1.45 Set 'Microsoft network client: Send unencrypted password to third-party SMB servers' to 'Disabled'
Description: Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network.
Rationale: If you enable this policy setting, the computer can transmit passwords in plaintext across the network to other computers that offer SMB services. These other computers may not use any of the SMB security mechanisms that are included with recent versions of Windows.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword (0).

1.1.1.2.1.46 Set 'Interactive logon: Do not require CTRL+ALT+DEL' to 'Disabled'
Description: This policy setting determines whether users must press CTRL+ALT+DEL before they log on. If you enable this policy setting, users can log on without this key combination. If you disable this policy setting, users must press CTRL+ALT+DEL before they log on to Windows unless they use a smart card for Windows logon. A smart card is a tamper-proof device that stores security information.
Rationale: Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has.
Pass: The Local Security Policy setting is: hkey_local_machine\software\microsoft\windows\currentversion\policies\system\disablecad (0).

1.1.1.2.1.49 Set 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' to '0'
Description: The registry value entry ScreenSaverGracePeriod was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ registry key. The entry appears as MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) in the SCE. Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. This setting is configured to 0 seconds for both of the environments that are discussed in this guide.
Rationale: The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period.
Pass: The Local Security Policy setting is: hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\screensavergraceperiod (0).

1.1.1.2.1.50 Set 'Microsoft network client: Digitally sign communications (if server agrees)' to 'Enabled'
Description: This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. The implementation of digital signing in Windows based networks helps to prevent sessions from being hijacked. If you enable this policy setting, the Microsoft network client will use signing only if the server with which it communicates accepts digitally signed communication. Microsoft recommends enabling the Microsoft network client: Digitally sign communications (if server agrees) setting. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment.
Rationale: Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then forward them so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature (1).

1.1.1.2.1.51 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled'
Description: This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. If a system is set to always encrypt or sign secure channel data, it cannot establish a secure channel with a domain controller that is not capable of signing or encrypting all secure channel traffic, because all secure channel data must be signed and encrypted. Microsoft recommends configuring the Domain member: Digitally encrypt or sign secure channel data (always) setting to Enabled.
Rationale: When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the domain controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated and sensitive information such as passwords are encrypted, but the channel is not integrity-checked, and not all information is encrypted. If a computer is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal (1).

1.1.1.2.1.52 Set 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' to 'Enabled'
Description: This policy setting determines the strength of the default discretionary access control list (DACL) for objects. The setting helps secure objects that can be located and shared among processes and its default configuration strengthens the DACL, because it allows users who are not administrators to read shared objects but does not allow them to modify any that they did not create.
Rationale: This setting determines the strength of the default DACL for objects. Windows Server 2003 maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions. If you enable this setting, the default DACL is strengthened because non-administrator users are allowed to read shared objects but not modify shared objects that they did not create.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\control\session manager\protectionmode (1).

1.1.1.2.1.53 Set 'Network security: Do not store LAN Manager hash value on next password change' to 'Enabled'
Description: This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also you will need to change the password on all accounts after you enable this setting.
Rationale: The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\control\lsa\nolmhash (1).
1.1.1.2.1.54 Set 'Network access: Remotely accessible registry paths and sub-paths' to 'System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Sof'
Description: This policy setting determines which registry paths and sub-paths will be accessible when an application or process references the WinReg key to determine access permissions.
Note: In Windows XP this setting is called Network access: Remotely accessible registry paths; the setting with that same name in Windows Vista, Windows Server 2008, and Windows Server 2003 does not exist in Windows XP.
Note: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a REG_MULTI_SZ value (one entry per string; registry editors display the entries one per line).
Rationale: The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack.
Pass: Configured Setting is local security policy (11 items: SYSTEM\CURRENTCONTROLSET\CONTROL\PRINT\PRINTERS, SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG, SOFTWARE\MICROSOFT\OLAP SERVER, SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\PRINT, SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS, SYSTEM\CURRENTCONTROLSET\CONTROL\CONTENTINDEX, SYSTEM\CURRENTCONTROLSET\CONTROL\TERMINAL SERVER, SYSTEM\CURRENTCONTROLSET\CONTROL\TERMINAL SERVER\USERCONFIG, SYSTEM\CURRENTCONTROLSET\CONTROL\TERMINAL SERVER\DEFAULT... (truncated).
1.1.1.2.1.56 Set 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' to 'Highest protection, source routing is completely disabled'
Description: The registry value entry DisableIPSourceRouting was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) in the SCE. IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing.
Rationale: An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes.
Pass: The Local Security Policy setting is: 2.
1.1.1.2.1.57 Set 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' to 'Disabled'
Description: The registry value entry PerformRouterDiscovery was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) in the SCE. This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis.
Rationale: An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\tcpip\parameters\performrouterdiscovery (0).
1.1.1.2.1.58 Set 'MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged' to '3 & 6 seconds, half-open connections dropped after 21 seconds'
Description: This entry appears as MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged in the SCE. This entry determines the number of times that TCP retransmits a SYN-ACK in response to a connection request (SYN) before it abandons the half-open connection. The retransmission time-out is doubled with each successive retransmission in a given connect attempt. The initial time-out value is three seconds. Not applicable to Windows Vista or Windows Server 2008.
Rationale: In a SYN flood attack, the attacker sends a continuous stream of SYN packets to a server. The server leaves the half-open connections open until it is overwhelmed and no longer is able to respond to legitimate requests.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxconnectresponseretransmissions (2).
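The schedule in the rule title ('3 & 6 seconds, half-open connections dropped after 21 seconds') follows from the description: a 3-second time-out that doubles after each SYN-ACK retransmission. The Python below is an added example, not part of the NNT report or the CIS benchmark. It models that schedule for any TcpMaxConnectResponseRetransmissions value, and the number of half-open connections a SYN flood of a given rate keeps alive at once, on the stated assumption that the connection is dropped when the time-out following the last retransmission expires.

```python
"""SYN-ACK retransmission schedule for TcpMaxConnectResponseRetransmissions.

Models the behaviour the rule describes: an initial 3-second time-out that
doubles after every retransmission, the half-open connection being dropped when
the time-out following the last retransmission expires (an assumption about
how the stack gives up; it reproduces the 21-second figure in the rule title).
"""

INITIAL_TIMEOUT = 3  # seconds, from the rule description


def synack_schedule(retransmissions, initial_timeout=INITIAL_TIMEOUT):
    """Return (delays, drop_time) for a given registry value.

    delays: seconds waited before each SYN-ACK retransmission.
    drop_time: total seconds the half-open connection is held.
    """
    delays = []
    timeout = initial_timeout
    elapsed = 0
    for _ in range(retransmissions):
        delays.append(timeout)
        elapsed += timeout
        timeout *= 2
    # One more (doubled) time-out runs after the last retransmission before
    # the stack abandons the half-open connection.
    return delays, elapsed + timeout


def steady_state_half_open(syn_per_second, retransmissions):
    """Half-open connections a sustained SYN flood keeps alive at once."""
    _delays, drop_time = synack_schedule(retransmissions)
    return syn_per_second * drop_time


if __name__ == "__main__":
    for value in range(4):
        delays, drop = synack_schedule(value)
        when = " & ".join(str(d) for d in delays) or "no retransmission"
        print(f"value {value}: retransmit after {when} s, dropped after {drop} s, "
              f"1000 SYN/s holds {steady_state_half_open(1000, value)} half-open")
```

Run it with python3 to print the schedule for values 0 to 3. Each additional retransmission roughly doubles the time a forged SYN ties up a half-open slot (3, 9, 21, 45 seconds), which is why the benchmark keeps the value at 2 rather than higher.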
1.1.1.2.1.59 Set 'Microsoft network server: Disconnect clients when logon hours expire' to 'Enabled'
Description: This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. It affects the SMB component. If you enable this policy setting, client sessions with the SMB service will be forcibly disconnected when the client's logon hours expire. If you disable this policy setting, established client sessions will be maintained after the client's logon hours expire. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire. If your organization configures logon hours for users, it makes sense to enable this policy setting.
Rationale: If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff (1).
1.1.1.2.1.60 Set 'Network access: Let Everyone permissions apply to anonymous users' to 'Disabled'
Description: This policy setting determines what additional permissions are assigned for anonymous connections to the computer. If you enable this policy setting, anonymous Windows users are allowed to perform certain activities, such as enumerate the names of domain accounts and network shares. An unauthorized user could anonymously list account names and shared resources and use the information to guess passwords or perform social engineering attacks.
Rationale: An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch denial of service (DoS) attacks.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous (0).
1.1.1.2.1.61 Set 'Microsoft network server: Digitally sign communications (always)' to 'Enabled'
Description: This policy setting determines if the server side SMB service is required to perform SMB packet signing. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server.
Rationale: Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature (1).
1.1.1.2.1.62 Set 'Network security: LDAP client signing requirements' to 'Negotiate signing' or better
Description: This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests, as follows:
- None (least secure). The LDAP BIND request is issued with the caller-specified options.
- Negotiate signing. If Transport Layer Security/Secure Sockets Layer (TLS/SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the caller-specified options. If TLS/SSL has been started, the LDAP BIND request is initiated with the caller-specified options.
- Require signature (most secure). This level is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is told that the LDAP BIND command request failed.
Note: This policy setting does not have any impact on ldap_simple_bind or ldap_simple_bind_s. No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a domain controller.
The possible values for the Network security: LDAP client signing requirements setting are: None, Negotiate signing, Require signature, Not Defined.
Rationale: Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\ldap\ldapclientintegrity (1).
1.1.1.2.1.63 Set 'Devices: Allow undock without having to log on' to 'Disabled'
Description: This policy setting determines whether a portable computer can be undocked if the user does not log on to the system. Enable this policy setting to eliminate a logon requirement and allow use of an external hardware eject button to undock the computer. If you disable this policy setting, a user must log on and have been assigned the Remove computer from docking station user right to undock the computer.
Rationale: If this policy setting is enabled, anyone with physical access to portable computers in docking stations could remove them and possibly tamper with them. However, the value of implementing this countermeasure is reduced by the following factors:
- If attackers can restart the computer, they could remove it from the docking station after the BIOS starts but before the operating system starts.
- This setting does not affect servers, because they typically are not installed in docking stations.
- An attacker could steal the computer and the docking station together.
Pass: The Local Security Policy setting is: 0.
1.1.1.2.1.64 Set 'Audit: Audit the access of global system objects' to 'Disabled'
Description: This policy setting creates a default system access control list (SACL) for system objects such as mutexes (mutual exclusive), events, semaphores, and MS-DOS devices, and causes access to these system objects to be audited. If the Audit: Audit the access of global system objects setting is enabled, a very large number of security events could quickly fill the Security event log.
Rationale: A globally visible named object, if incorrectly secured, could be acted upon by malicious software that knows the name of the object. For instance, if a synchronization object such as a mutex had a poorly chosen discretionary access control list (DACL), then malicious software could access that mutex by name and cause the program that created it to malfunction. However, the risk of such an occurrence is very low.
Pass: The Local Security Policy setting is: 0.
1.1.1.2.1.65 Set 'MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments)' to 'Enabled'
Description: This entry appears as MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) in the SCE. This entry, when enabled, permits a server to automatically reboot after a fatal crash. It is enabled by default, which is undesirable on highly secure servers. You can add this registry value to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\ subkey.
Rationale: There is some concern that a computer could get stuck in an endless loop of failures and reboots. However, the alternative to this entry may not be much more appealing: the computer will simply stop running.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\control\crashcontrol\autoreboot (1).
1.1.1.2.1.66 Set 'Interactive logon: Require smart card' to 'Disabled'
Description: Microsoft recommends that you use this setting, if appropriate to your environment and your organization's business requirements, to help protect end user computers. This policy setting requires users to log on to a computer with a smart card.
Note: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
Rationale: It can be difficult to make users choose strong passwords, and even strong passwords are vulnerable to brute-force attacks if an attacker has sufficient time and computing resources.
Pass: The Local Security Policy setting is: hkey_local_machine\software\microsoft\windows\currentversion\policies\system\scforceoption (0).

1.1.1.2.1.68 Set 'Network access: Allow anonymous SID/Name translation' to 'Disabled'
Description: This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name. Disable this policy setting to prevent unauthenticated users from obtaining user names that are associated with their respective SIDs.
Rationale: If this policy setting is enabled, a user with local access could use the well-known Administrator's SID to learn the real name of the built-in Administrator account, even if it has been renamed. That person could then use the account name to initiate a password guessing attack.
Pass: The Local Security Policy setting is: local security policy (0).
1.1.1.2.1.69 Set 'Domain member: Require strong (Windows 2000 or later) session key' to 'Enabled'
Description: When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all domain controllers in the domain must be able to encrypt secure channel data with a strong key, which means all domain controllers must be running Microsoft Windows 2000 or later. If communication to non-Windows 2000 based domains is required, it is recommended that you disable this policy setting.
Rationale: Session keys that are used to establish secure channel communications between domain controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey (1).

1.1.1.2.1.70 Set 'Network access: Remotely accessible registry paths' to 'System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion'
Description: This policy setting determines which registry paths will be accessible after referencing the WinReg key to determine access permissions to the paths.
Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called Network access: Remotely accessible registry paths and subpaths in Windows Server 2003, Windows Vista, and Windows Server 2008.
Note: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a REG_MULTI_SZ value (one entry per string; registry editors display the entries one per line).
Rationale: The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users.
Pass: Configured Setting is SYSTEM\CURRENTCONTROLSET\CONTROL\PRODUCTOPTIONS, SYSTEM\CURRENTCONTROLSET\CONTROL\SERVER APPLICATIONS, SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION.
1.1.1.2.1.71 Set 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' to '0'
Description: This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a domain controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords.
Rationale: The number that is assigned to this policy setting indicates the number of users whose logon information the servers will cache locally. If the number is set to 10, then the server caches logon information for 10 users. When an eleventh user logs on to the computer, the server overwrites the oldest cached logon session. Users who access the server console will have their logon credentials cached on that server. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to attempt to determine user passwords. To mitigate this type of attack, Windows encrypts the information and obscures its physical location.
Pass: The Local Security Policy setting is: hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount (0).
1.1.1.2.1.73 Set 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' to 'Enabled'
Description: This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the workstations in your environment. The Network access: Do not allow anonymous enumeration of SAM accounts and shares setting is configured to Enabled for the two environments that are discussed in this guide.
Rationale: An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\control\lsa\restrictanonymous (1).
1.1.1.2.1.74 Set 'Recovery console: Allow automatic administrative logon' to 'Disabled'
Description: The recovery console is a command-line environment that is used to recover from system problems. If you enable this policy setting, the administrator account is automatically logged on to the recovery console when it is invoked during startup.
Rationale: The Recovery Console can be very useful when you need to troubleshoot and repair computers that do not start. However, it is dangerous to allow automatic logon to the console. Anyone could walk up to the server, disconnect the power to shut it down, restart it, select Recovery Console from the boot menu, and then assume full control of the server.
Pass: The Local Security Policy setting is: hkey_local_machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel (0).
1.1.1.2.1.75 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled'
Description: This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. Therefore, this policy setting is configured to Not Defined for both of the environments that are discussed in this chapter.
Rationale: If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown.
Pass: The Local Security Policy setting is: 0.
1.1.1.2.1.76 Set 'Microsoft network server: Digitally sign communications (if client agrees)' to 'Enabled'
Description: This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled.
Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment.
Rationale: Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then forward them so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature (1).
1.1.1.2.1.77 Set 'Network access: Sharing and security model for local accounts' to 'Classic - local users authenticate as themselves'
Description: This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource.
Rationale: With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\control\lsa\forceguest (0).
1.1.1.2.1.78 Set 'Network access: Do not allow anonymous enumeration of SAM accounts' to 'Enabled'
Description: This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections cannot enumerate domain account user names on the workstations in your environment. This policy setting also allows additional restrictions on anonymous connections.
Rationale: An unauthorized user could anonymously list account names and use the information to perform social engineering attacks or attempt to guess passwords. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\control\lsa\restrictanonymoussam (1).
1.1.1.2.1.79 Set 'Interactive logon: Require Domain Controller authentication to unlock workstation' to 'Enabled'
Description: Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting determines whether it is necessary to contact a domain controller to unlock a computer. If you enable this setting, a domain controller must authenticate the domain account that is being used to unlock the computer. If you disable this setting, logon information confirmation with a domain controller is not required for a user to unlock the computer. However, if you configure the Interactive logon: Number of previous logons to cache (in case domain controller is not available) setting to a value that is greater than zero, then the user's cached credentials will be used to unlock the computer.
Note: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
Rationale: By default, the computer caches in memory the credentials of any users who are authenticated locally. The computer uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account, such as user rights assignments, account lockout, or the account being disabled, are not considered or applied after the account is authenticated. User privileges are not updated, and (more importantly) disabled accounts are still able to unlock the console of the computer.
Pass: The Local Security Policy setting is: hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\forceunlocklogon (1).
1.1.1.2.1.80 Set 'Network access: Do not allow storage of credentials or .NET Passports for network authentication' to 'Enabled'
Description: This policy setting determines whether the Stored User Names and Passwords feature may save passwords or credentials for later use when it gains domain authentication. If you enable this policy setting, the Stored User Names and Passwords feature of Windows does not store passwords and credentials.
Rationale: Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\control\lsa\disabledomaincreds (1).
1.1.1.2.1.81 Set 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' to 'Disabled'
Description: This entry appears as MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) in the SCE. When dead gateway detection is enabled, IP may switch to a backup gateway if a number of connections experience difficulty. Not applicable to Windows Vista or Windows Server 2008.
Rationale: An attacker could force the server to switch gateways, potentially to an unintended one. This would be very difficult to do, so the value of this entry is small.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\tcpip\parameters\enabledeadgwdetect (0).

1.1.1.2.1.82 Set 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' to 'Disabled'
Description: This policy setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. Although this policy setting increases security, most public Web sites that are secured with TLS or SSL do not support these algorithms. Client computers that have this policy setting enabled will also be unable to connect to Terminal Services on servers that are not configured to use the FIPS compliant algorithms.
Note: If you enable this policy setting, computer performance will be slower because 3DES runs the DES cipher three times over each block of data. This policy setting should only be enabled if your organization is required to be FIPS compliant.
Important: This setting is recorded in different registry locations depending upon the version of Windows being used. For Windows XP and Windows Server 2003 it is stored at HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy; with Windows Vista and later versions of Windows it is stored at HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled. This means that you must use Windows XP or Windows Server 2003 to edit group policies and security templates which will be applied to computers running Windows XP or Windows Server 2003. However, when editing group policies or security templates which will be applied to computers running Windows Vista or Windows Server 2008 you must use Windows Vista or Windows Server 2008.
Rationale: You can enable this policy setting to ensure that the computer will use the most powerful algorithms that are available for digital encryption, hashing and signing. Use of these algorithms will minimize the risk of compromise of digitally encrypted or signed data by an unauthorized user.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\control\lsa\fipsalgorithmpolicy (0).
1.1.1.2.1.83 Set 'Audit: Audit the use of Backup and Restore privilege' to 'Disabled'
Description: This policy setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use setting is in effect. If you enable both policies, an audit event will be generated for every file that is backed up or restored. If the Audit: Audit the use of Backup and Restore privilege setting is enabled, a very large number of security events could quickly fill the Security event log.
Rationale: When backup and restore is used it creates a copy of the file system that is identical to the target of the backup. Making regular backups and restore volumes is an important part of your incident response plan, but a malicious user could use a legitimate backup copy to get access to information or spoof a legitimate network resource to compromise your enterprise.
Pass: The Local Security Policy setting is: local security policy (0).
1.1.1.2.1.84 Set 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' to 'Disabled'
Description: The registry value entry EnableICMPRedirect was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes in the SCE. Internet Control Message Protocol (ICMP) redirects cause the stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. It is recommended to configure this setting to Not Defined for enterprise environments and to Disabled for high security environments.
Rationale: This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\tcpip\parameters\enableicmpredirect (0).

1.1.1.2.1.85 Set 'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.' to 'Only ISAKMP is exempt (recommended for Windows Server 2003)'
Description: The registry value entry NoDefaultExempt was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\ registry key. The entry appears as MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic in the SCE. The default exemptions to IPsec policy filters are documented in the online help for the specific operating system. These filters make it possible for Internet Key Exchange (IKE) and the Kerberos authentication protocol to function. The filters also make it possible for the network Quality of Service (QoS) to be signaled (RSVP) when the data traffic is secured by IPsec, and for traffic that IPsec might not secure such as multicast and broadcast traffic. IPsec is increasingly used for basic host-firewall packet filtering, particularly in Internet-exposed scenarios, and the effect of these default exemptions has not been fully understood. Therefore, some IPsec administrators may create IPsec policies that they think are secure, but are not actually secure against inbound attacks that use the default exemptions. For additional information, see the Knowledge Base article 811832, IPSec Default Exemptions Can Be Used to Bypass IPsec Protection in Some Scenarios.
Rationale: As IPsec is increasingly used for basic host-firewall packet filtering, particularly in Internet-exposed scenarios, the effect of these default exemptions has not been fully understood. Some IPsec administrators may create IPsec policies that they think are secure, but are not actually secure against inbound attacks that use the default exemptions. Attackers could forge network traffic that appears to consist of legitimate IKE, RSVP, or Kerberos protocol packets but direct them to other network services on the host.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\ipsec\nodefaultexempt (3).

Security Settings - Local Policies - Audit Policy Rules

1.1.1.2.2.1 Set 'Audit directory service access' to 'Failure'
Description: This policy setting determines whether to audit user access to an Active Directory object that has its own specified system access control list (SACL). If you define the Audit directory service access setting, you can specify whether to audit successes, failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an Active Directory object that has a specified SACL. Failure audits generate an audit entry when a user unsuccessfully attempts to access an Active Directory object that has a specified SACL. If you enable the Audit directory service access setting in the DCBP and configure SACLs on directory objects, a large volume of entries can be generated in the Security logs on domain controllers. You should only enable this setting if you actually intend to use the information that is created. The following includes important security events that the Audit directory service access setting records in the Security log:
Event ID  Event description
566       A generic object operation took place.
Rationale: If audit settings are not configured, it can be difficult or impossible to determine what occurred during a security incident. However, if audit settings are configured so that events are generated for all activities the Security log will be filled with data and hard to use. Also, you can use a large amount of data storage as well as adversely affect overall computer performance if you configure audit settings for a large number of objects. If failure auditing is used and the Audit: Shut down system immediately if unable to log security audits setting in the Security Options section of Group Policy is enabled, an attacker could generate millions of failure events such as logon failures in order to fill the Security log and force the computer to shut down, creating a Denial of Service. If security logs are allowed to be overwritten, an attacker can overwrite part or all of their activity by generating large numbers of events so that the evidence of their intrusion is overwritten.
Pass: The Local Security Policy setting is: local security policy (2).

1.1.1.2.2.2 Set 'Audit account logon events' to 'Success, Failure'
Description: This policy setting determines whether to audit each instance of a user who logs on to or off from another computer that validates the account. Authentication of a domain user account on a domain controller generates an account logon event that is logged in the domain controller's Security log. Authentication of a local user on a local computer generates a logon event that is logged in the local Security log. No account logoff events are logged. The following table includes the important security events that this policy setting logs in the Security log. These event IDs can be useful when you want to create custom alerts to monitor any software suite, such as Microsoft Operations Manager (MOM).
Table 4.3 Account Logon Events
Event ID  Event description
672       An authentication service (AS) ticket was successfully issued and validated. In Windows Server 2003 with SP1, the type of this event will be Success Audit for successful requests or Failure Audit for failed requests.
673       A ticket granting service (TGS) ticket was granted. A TGS is a ticket that is issued by the Kerberos version 5 TGS that allows a user to authenticate to a specific service in the domain. Windows Server 2003 with SP1 will log successes and failures for this event type.
674       A security principal renewed an AS ticket or a TGS ticket.
675       Pre-authentication failed. This event is generated on a Key Distribution Center (KDC) when a user enters an incorrect password.
676       Authentication ticket request failed. This event is not generated by Windows Server 2003 with SP1. Other Windows versions use this event to indicate an authentication failure that was not due to incorrect credentials.
677       A TGS ticket was not granted. This event is not generated by Windows Server 2003 with SP1, which uses a failure audit event with ID 672 for this case.
678       An account was successfully mapped to a domain account.
681       Logon failure. A domain account logon was attempted. This event is only generated by domain controllers.
682       A user has reconnected to a disconnected Terminal Server session.
683       A user disconnected a Terminal Server session but did not log off.
Rationale: If audit settings are not configured, it can be difficult or impossible to determine what occurred during a security incident. However, if audit settings are configured so that events are generated for all activities the Security log will be filled with data and hard to use. Also, you can use a large amount of data storage as well as adversely affect overall computer performance if you configure audit settings for a large number of objects. If failure auditing is used and the Audit: Shut down system immediately if unable to log security audits setting in the Security Options section of Group Policy is enabled, an attacker could generate millions of failure events such as logon failures in order to fill the Security log and force the computer to shut down, creating a Denial of Service. If security logs are allowed to be overwritten, an attacker can overwrite part or all of their activity by generating large numbers of events so that the evidence of their intrusion is overwritten.
Pass: The Local Security Policy setting is: local security policy (3).

1.1.1.2.2.3 Set 'Audit logon events' to 'Success, Failure'
Description: The prescribed GPOs from Microsoft include settings that configure the audit categories present in previous versions of Windows. If you use the script and the GPOs included with this security guidance, these settings will not apply to computers running Windows Vista. The GPOs intended for use in enterprise environments have been designed to work with Windows XP based computers. Settings for audit categories are included in these GPOs so that computers running Windows XP in your environment receive the recommended audit policy settings for Windows XP based computers. You can configure the Audit policy settings in Windows Vista at the following location in the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Rationale: If audit settings are not configured, it can be difficult or impossible to determine what occurred during a security incident. However, if audit settings are configured so that events are generated for all activities the Security log will be filled with data and hard to use. Also, you can use a large amount of data storage as well as adversely affect overall computer performance if you configure audit settings for a large number of objects. If failure auditing is used and the Audit: Shut down system immediately if unable to log security audits setting in the Security Options section of Group Policy is enabled, an attacker could generate millions of failure events such as logon failures in order to fill the Security log and force the computer to shut down, creating a Denial of Service. If security logs are allowed to be overwritten, an attacker can overwrite part or all of their activity by generating large numbers of events so that the evidence of their intrusion is overwritten.
Pass: The Local Security Policy setting is: local security policy (3).

1.1.1.2.2.4 Set 'Audit process tracking' to 'No Auditing'
Description: This policy setting determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Enabling Audit process tracking will generate a large number of events, so typically it is set to No Auditing. However, this setting can provide a great benefit during an incident response from the detailed log of the processes started and the time when they were launched.
Rationale: If audit settings are not configured, it can be difficult or impossible to determine what occurred during a security incident. However, if audit settings are configured so that events are generated for all activities the Security log will be filled with data and hard to use. Also, you can use a large amount of data storage as well as adversely affect overall computer performance if you configure audit settings for a large number of objects. If failure auditing is used and the Audit: Shut down system immediately if unable to log security audits setting in the Security Options section of Group Policy is enabled, an attacker could generate millions of failure events such as logon failures in order to fill the Security log and force the computer to shut down, creating a Denial of Service. If security logs are allowed to be overwritten, an attacker can overwrite part or all of their activity by generating large numbers of events so that the evidence of their intrusion is overwritten.
Pass: The Local Security Policy setting is: local security policy (0).

1.1.1.2.2.5 Set 'Audit account management' to 'Success, Failure'
Description: This policy setting determines whether to audit each account management event on a computer. Examples of account management events include:
- A user account or group is created, changed, or deleted.
- A user account is renamed, disabled, or enabled.
- A password is set or changed.
Organizations need to be able to determine who creates, modifies, or deletes both domain and local accounts. Unauthorized changes could indicate mistaken changes made by an administrator who does not understand how to follow organizational policies, but could also indicate a deliberate attack. The following table includes the important security events that this policy setting records in the Security log. These event IDs can be useful when you want to create custom alerts to monitor any software suite, such as MOM. Most operational management software can be customized with scripts to capture or flag events that are based on these event IDs.
Table 4.4 Account Management Events
Event ID  Event description
624       A user account was created.
627       A user password was changed.
628       A user password was set.
630       A user account was deleted.
631       A global group was created.
632       A member was added to a global group.
633       A member was removed from a global group.
634       A global group was deleted.
635       A new local group was created.
636       A member was added to a local group.
637       A member was removed from a local group.
638       A local group was deleted.
639       A local group account was changed.
641       A global group account was changed.
642       A user account was changed.
643       A domain policy was modified.
644       A user account was automatically locked.
645       A computer account was created.
646       A computer account was changed.
647       A computer account was deleted.
648       A local security group with security disabled was created. Note: SECURITY_DISABLED in the formal name means that this group cannot be used to grant permissions in access checks.
649       A local security group with security disabled was changed.
650       A member was added to a security-disabled local security group.
651       A member was removed from a security-disabled local security group.
652       A security-disabled local group was deleted.
653       A security-disabled global group was created.
654       A security-disabled global group was changed.
655       A member was added to a security-disabled global group.
656       A member was removed from a security-disabled global group.
657       A security-disabled global group was deleted.
658       A security-enabled universal group was created.
659       A security-enabled universal group was changed.
660       A member was added to a security-enabled universal group.
661       A member was removed from a security-enabled universal group.
662       A security-enabled universal group was deleted.
663       A security-disabled universal group was created.
664       A security-disabled universal group was changed.
665       A member was added to a security-disabled universal group.
666       A member was removed from a security-disabled universal group.
667       A security-disabled universal group was deleted.
668       A group type was changed.
684       The security descriptor of administrative group members was set. Note: Every 60 minutes on a domain controller, a background thread searches all members of administrative groups (such as domain, enterprise, and schema administrators) and applies a fixed security descriptor on them. This event is logged.
685       Name of an account was changed.
Rationale: If audit settings are not configured, it can be difficult or impossible to determine what occurred during a security incident. However, if audit settings are configured so that events are generated for all activities the Security log will be filled with data and hard to use. Also, you can use a large amount of data storage as well as adversely affect overall computer performance if you configure audit settings for a large number of objects. If failure auditing is used and the Audit: Shut down system immediately if unable to log security audits setting in the Security Options section of Group Policy is enabled, an attacker could generate millions of failure events such as logon failures in order to fill the Security log and force the computer to shut down, creating a Denial of Service. If security logs are allowed to be overwritten, an attacker can overwrite part or all of their activity by generating large numbers of events so that the evidence of their intrusion is overwritten.
Pass: The Local Security Policy setting is: local security policy (3).

1.1.1.2.2.6 Set 'Audit policy change' to 'Success' (minimum) or 'Success and Failure'
Description: This policy setting determines whether to audit every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself. The recommended settings would let you see any account privileges that an attacker attempts to elevate; for example, by adding the Debug programs privilege or the Backup files and directories privilege.
Rationale: If audit settings are not configured, it can be difficult or impossible to determine what occurred during a security incident. However, if audit settings are configured so that events are generated for all activities the Security log will be filled with data and hard to use. Also, you can use a large amount of data storage as well as adversely affect overall computer performance if you configure audit settings for a large number of objects. If failure auditing is used and the Audit: Shut down system immediately if unable to log security audits setting in the Security Options section of Group Policy is enabled, an attacker could generate millions of failure events such as logon failures in order to fill the Security log and force the computer to shut down, creating a Denial of Service. If security logs are allowed to be overwritten, an attacker can overwrite part or all of their activity by generating large numbers of events so that the evidence of their intrusion is overwritten.
Pass: The Local Security Policy setting is: local security policy (3).

1.1.1.2.2.7 Set 'Audit system events' to 'Success' (minimum) or 'Success and Failure'
Description: This policy setting is very important because it allows you to monitor system events that succeed and fail, and provides a record of these events that may help determine instances of unauthorized system access. System events include starting or shutting down computers in your environment, full event logs, or other security-related events that affect the entire system.
Rationale: If audit settings are not configured, it can be difficult or impossible to determine what occurred during a security incident. However, if audit settings are configured so that events are generated for all activities the Security log will be filled with data and hard to use. Also, you can use a large amount of data storage as well as adversely affect overall computer performance if you configure audit settings for a large number of objects. If failure auditing is used and the Audit: Shut down system immediately if unable to log security audits setting in the Security Options section of Group Policy is enabled, an attacker could generate millions of failure events such as logon failures in order to fill the Security log and force the computer to shut down, creating a Denial of Service. If security logs are allowed to be overwritten, an attacker can overwrite part or all of their activity by generating large numbers of events so that the evidence of their intrusion is overwritten.
Pass: The Local Security Policy setting is: local security policy (1).

1.1.1.2.2.8 Set 'Audit privilege use' to 'Failure' (minimum) or 'Success and Failure'
Description: This policy setting determines whether to audit each instance of a user exercising a user right. If you configure this value to Success, an audit entry is generated each time that a user right is exercised successfully. If you configure this value to Failure, an audit entry is generated each time that a user right is exercised unsuccessfully. This policy setting can generate a very large number of event records.
Rationale: If audit settings are not configured, it can be difficult or impossible to determine what occurred during a security incident. However, if audit settings are configured so that events are generated for all activities the Security log will be filled with data and hard to use. Also, you can use a large amount of data storage as well as adversely affect overall computer performance if you configure audit settings for a large number of objects. If failure auditing is used and the Audit: Shut down system immediately if unable to log security audits setting in the Security Options section of Group Policy is enabled, an attacker could generate millions of failure events such as logon failures in order to fill the Security log and force the computer to shut down, creating a Denial of Service. If security logs are allowed to be overwritten, an attacker can overwrite part or all of their activity by generating large numbers of events so that the evidence of their intrusion is overwritten.
Pass: The Local Security Policy setting is: local security policy (2).

Security Settings - Local Policies - User Rights Assignment Rules

1.1.1.2.3.2 Set 'Allow log on through Terminal Services' to 'Administrators, Remote desktop Users' [Level 1 Member Server Only]
Description: This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. If your organization uses Remote Assistance as part of its help desk strategy, create a group and assign it this user right through Group Policy. If the help desk in your organization does not use Remote Assistance, assign this user right only to the Administrators group or use the restricted groups feature to ensure that no user accounts are part of the Remote Desktop Users group. Restrict this user right to the Administrators group, and possibly the Remote Desktop Users group, to prevent unwanted users from gaining access to computers on your network by means of the Remote Assistance feature. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Rationale: Any account with the Allow log on through Terminal Services user right can log on to the remote console of the computer. If you do not restrict this user right to legitimate users who need to log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges.
Pass: Configured Setting is local security policy (2 items: BUILTIN\ADMINISTRATORS, BUILTIN\REMOTE DESKTOP USERS).

1.1.1.2.3.3 Set 'Take ownership of files or other objects' to 'Administrators'
Description: This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Rationale: Any users with the Take ownership of files or other objects user right can take control of any object, regardless of the permissions on that object, and then make any changes they wish to that object. Such changes could result in exposure of data, corruption of data, or a denial of service (DoS) condition.
Pass: Configured Setting is local security policy (BUILTIN\ADMINISTRATORS).

1.1.1.2.3.4 Set 'Enable computer and user accounts to be trusted for delegation' to 'Administrators'
Description: This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. Abuse of this privilege could allow unauthorized users to impersonate other users on the network. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Rationale: Misuse of the Enable computer and user accounts to be trusted for delegation user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened after a security incident.
Pass: local security policy (BUILTIN\ADMINISTRATORS).

1.1.1.2.3.6 Set 'Remove computer from docking station' to 'Administrators'
Description: This policy setting allows the user of a portable computer to click Eject PC on the Start menu to undock the computer. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Rationale: Anyone who has the Remove computer from docking station user right can log on and then remove a portable computer from its docking station. If this setting is not defined, it has the same effect as if everyone was granted this right. However, the value of implementing this countermeasure is reduced by the following factors:
- If attackers can restart the computer, they could remove it from the docking station after the BIOS starts but before the operating system starts.
- This setting does not affect servers, because they typically are not installed in docking stations.
- An attacker could steal the computer and the docking station together.
Pass: Configured Setting is local security policy (BUILTIN\ADMINISTRATORS).

1.1.1.2.3.8 Set 'Debug programs' to 'Administrators'
Description: This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. Developers who are debugging their own applications do not need to be assigned this user right; however, developers who are debugging new system components will need it. Note: Microsoft released several security updates in October 2003 that used a version of Update.exe that required the administrator to have the Debug programs user right. Administrators who did not have this user right were unable to install these security updates until they reconfigured their user rights. This is not typical behavior for operating system updates. For more information, see Knowledge Base article 830846: Windows Product Updates may stop responding or may use most or all the CPU resources. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Rationale: The Debug programs user right can be exploited to capture sensitive computer information from system memory, or to access and modify kernel or application structures. Some attack tools exploit this user right to extract hashed passwords and other private security information, or to insert rootkit code. By default, the Debug programs user right is assigned only to administrators, which helps to mitigate the risk from this vulnerability. The value of removing this user right from members of the Administrators group is diminished by the fact that a malicious user who has administrative privileges can bypass the countermeasure by launching processes under the Local System account.
Pass: Configured Setting is local security policy (BUILTIN\ADMINISTRATORS).

1.1.1.2.3.10 Set 'Adjust memory quotas for a process' to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'
Description: This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial of service (DoS) attack. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Rationale: A user with the Adjust memory quotas for a process privilege can reduce the amount of memory that is available to any process, which could cause business-critical network applications to become slow or to fail. In the wrong hands, this privilege could be used to start a denial of service (DoS) attack.
Pass: Configured Setting is local security policy (3 items: NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, BUILTIN\ADMINISTRATORS).

1.1.1.2.3.12 Set 'Shut down the system' to 'Administrators'
Description: This policy setting determines which users who are logged on locally to the computers in your environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Rationale: The ability to shut down domain controllers should be limited to a very small number of trusted administrators. Although the Shut down the system user right requires the ability to log on to the server, you should be very careful about which accounts and groups you allow to shut down a domain controller. When a domain controller is shut down, it is no longer available to process logons, serve Group Policy, and answer Lightweight Directory Access Protocol (LDAP) queries. If you shut down domain controllers that possess Flexible Single Master Operations (FSMO) roles, you can disable key domain functionality, such as processing logons for new passwords (the Primary Domain Controller (PDC) Emulator role).
Pass: Configured Setting is local security policy (BUILTIN\ADMINISTRATORS).

1.1.1.2.3.14 Set 'Replace a process level token' to 'LOCAL SERVICE, NETWORK SERVICE'
Description: This policy setting allows one process or service to start another service or process with a different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Rationale: Users with the Replace a process level token privilege are able to start processes as other users whose credentials they know. They could use this method to hide their unauthorized actions on the computer. (On Windows 2000-based computers, use of the Replace a process level token user right also requires the user to have the Adjust memory quotas for a process user right that is discussed earlier in this section.)
Pass: Configured Setting is local security policy (2 items: NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE).

1.1.1.2.3.20 Set 'Profile system performance' to 'Administrators'
Description: This policy setting allows users to use tools to view the performance of different system processes, which could be abused to allow attackers to determine a system's active processes and provide insight into the potential attack surface of the computer. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Rationale: The Profile system performance user right poses a moderate vulnerability. Attackers with this user right could monitor a computer's performance to help identify critical processes that they might wish to attack directly. Attackers may also be able to determine what processes are active on the computer so that they could identify countermeasures that they may need to avoid, such as antivirus software or an intrusion detection system.
Pass: The Local Security Policy setting is: local security policy (BUILTIN\ADMINISTRATORS).

1.1.1.2.3.22 Set 'Profile single process' to 'Administrators'
Description: This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if System Monitor is configured to collect data using Windows Management Instrumentation (WMI). Restricting the Profile single process user right prevents intruders from gaining additional information that could be used to mount an attack on the system. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Rationale: The Profile single process user right presents a moderate vulnerability. An attacker with this user right could monitor a computer's performance to help identify critical processes that they might wish to attack directly. The attacker may also be able to determine what processes run on the computer so that they could identify countermeasures that they may need to avoid, such as antivirus software, an intrusion-detection system, or which other users are logged on to a computer.
Pass: The Local Security Policy setting is: local security policy (BUILTIN\ADMINISTRATORS).

1.1.1.2.3.24 Set 'Create a pagefile' to 'Administrators'
Description: This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Rationale: Users who can change the page file size could make it extremely small or move the file to a highly fragmented storage volume, which could cause reduced computer performance.
Pass: Configured Setting is local security policy (BUILTIN\ADMINISTRATORS).

1.1.1.2.3.25 Set 'Deny log on as a batch job' to 'Guests'
Description: This policy setting determines which accounts will not be able to log on to the computer as a batch job. A batch job is not a batch (.bat) file, but rather a batch-queue facility. Accounts that use the Task Scheduler to schedule jobs need this user right. The Deny log on as a batch job user right overrides the Log on as a batch job user right, which could be used to allow accounts to schedule jobs that consume excessive system resources. Such an occurrence could cause a DoS condition. Failure to assign this user right to the recommended accounts can be a security risk. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Rationale: Accounts that have the Deny log on as a batch job user right could be used to schedule jobs that could consume excessive computer resources and cause a DoS condition.
Pass: Configured Setting is local security policy (BUILTIN\GUESTS).

1.1.1.2.3.26 Set 'Deny log on through Terminal Services' to 'Guests'
Description: This policy setting determines whether users can log on as Terminal Services clients. After the baseline member server is joined to a domain environment, there is no need to use local accounts to access the server from the network. Domain accounts can access the server for administration and end-user processing. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Rationale: Any account with the right to log on through Terminal Services could be used to log on to the remote console of the computer. If this user right is not restricted to legitimate users who need to log on to the console of the computer, unauthorized users might download and run malicious software that elevates their privileges.
Fail: Local Security Policy set to: local security policy (ASPNET)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Guests. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Terminal Services
Impact: If you assign the Deny log on through Terminal Services user right to other groups, you could limit the abilities of users who are assigned to specific administrative roles in your en... (truncated)

1.1.1.2.3.29 Set 'Log on as a service' to 'NETWORK SERVICE'
Description: This policy setting allows accounts to launch network services or to register a process as a service running on the system. This user right should be restricted on any computer in a high security environment, but because many applications may require this privilege, it should be carefully evaluated and tested before configuring it in an enterprise environment. On Windows Vista based computers, no users or groups have this privilege by default. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Rationale: Log on as a service is a powerful user right because it allows accounts to launch network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced by the fact that only users with administrative privileges can install and configure services. An attacker who has already attained that level of access could configure the service to run with the Local System account.
Fail: Local Security Policy set to: local security policy (ASPNET)
Remediation: To implement the recommended configuration state, set the following Group Policy setting to NETWORK SERVICE. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service
Impact: On most computers, this is the default configuration and there will be no negative Impact. However, if you have installed optional components such as ASP.NET or IIS, you may need to assign th... (truncated)

1.1.1.2.3.30 Set 'Deny access to this computer from the network' to 'ANONYMOUS LOGON, Guests'
Description: This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In high security environments, there should be no need for remote users to access data on a computer. Instead, file sharing should be accomplished through the use of network servers. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Rationale: Users who can log on to the computer over the network can enumerate lists of account names, group names, and shared resources. Users with permission to access shared folders and files can connect over the network and possibly view or modify data.
Pass: The Local Security Policy setting is: local security policy (2 items: BUILTIN\GUESTS, NT AUTHORITY\ANONYMOUS LOGON).
1.1.1.2.3.33 Set 'Allow log on locally' to 'Administrators'
Description: This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the client computer keyboard require this user right. Users who attempt to log on through Terminal Services or IIS also require this user right. The Guest account is assigned this user right by default. Although this account is disabled by default, it is recommended that you enable this setting through Group Policy. However, this user right should generally be restricted to the Administrators and Users groups. Assign this user right to the Backup Operators group if your organization requires that they have this capability. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Rationale: Any account with the Allow log on locally user right can log on at the console of the computer. If you do not restrict this user right to legitimate users who need to be able to log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges.
Pass: The Local Security Policy setting is: localsecuritypolicy(BUILTIN\ADMINISTRATORS).
1.1.1.2.3.37 Set 'Manage auditing and security log' to 'Administrators'
Description: This policy setting determines which users can change the auditing options for files and directories and clear the Security log. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Rationale: The ability to manage the Security event log is a powerful user right and it should be closely guarded. Anyone with this user right can clear the Security log to erase important evidence of unauthorized activity.
Pass: The Local Security Policy setting is: localsecuritypolicy(BUILTIN\ADMINISTRATORS).
1.1.1.2.3.40 Set 'Modify firmware environment values' to 'Administrators'
Description: This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration. Modification of these values could lead to a hardware failure that would result in a denial of service condition. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Rationale: Anyone who is assigned the Modify firmware environment values user right could configure the settings of a hardware component to cause it to fail, which could lead to data corruption or a denial of service (DoS) condition.
Pass: The Local Security Policy setting is: localsecuritypolicy(BUILTIN\ADMINISTRATORS).
Security Settings - Event Log Rules
1.1.1.3.1 Set 'Retention method for system log' to 'Overwrite events as needed'
Description: This policy setting determines the wrapping method for the System log. It is imperative that the System log is archived regularly if historical events are desirable for either forensics or troubleshooting purposes. Overwriting events as needed ensures that the log always stores the most recent events, although this configuration could result in a loss of historical data.
Rationale: If you significantly increase the number of objects to audit in your organization, there is a risk that the Security log will reach its capacity and force the computer to shut down. If such a shutdown occurs, the computer will be unusable until an administrator clears the Security log. To prevent such a shutdown, you can disable the Audit: Shut down system immediately if unable to log security audits setting that is described in Security Options and then increase the Security log size. If you set the Event log retention method to Manual or Overwrite events by days, it is possible for important recent events to not be recorded or for a DoS attack to occur.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\eventlog\system\retention(0).
1.1.1.3.2 Set 'Maximum application log size' to '16384'
Description: This policy setting specifies the maximum size of the Application event log. In Windows Vista and Windows Server 2008 this setting has been replaced by another called System, located at Computer Configuration\Administrative Templates\Windows Components\Event Log Service. If both this setting and the new one are configured the setting at Computer Configuration\Administrative Templates\Windows Components\Event Log Service will take precedence.
Rationale: If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Pass: The Local Security Policy setting is: application(16384).
1.1.1.3.3 Set 'Retention method for security log' to 'Overwrite events as needed'
Description: This policy setting determines the wrapping method for the Security log. It is imperative that the Security log is archived regularly if historical events are desirable for either forensics or troubleshooting purposes. Overwriting events as needed ensures that the log always stores the most recent events, although this configuration could result in a loss of historical data.
Rationale: If you significantly increase the number of objects to audit in your organization, there is a risk that the Security log will reach its capacity and force the computer to shut down. If such a shutdown occurs, the computer will be unusable until an administrator clears the Security log. To prevent such a shutdown, you can disable the Audit: Shut down system immediately if unable to log security audits setting that is described in Security Options and then increase the Security log size. If you set the Event log retention method to Manual or Overwrite events by days, it is possible for important recent events to not be recorded or for a DoS attack to occur.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\eventlog\security\retention(0).
1.1.1.3.4 Set 'Maximum system log size' to '16384'
Description: This policy setting specifies the maximum size of the System event log. In Windows Vista and Windows Server 2008 this setting has been replaced by another called System, located at Computer Configuration\Administrative Templates\Windows Components\Event Log Service. If both this setting and the new one are configured the setting at Computer Configuration\Administrative Templates\Windows Components\Event Log Service will take precedence.
Rationale: If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Pass: The Local Security Policy setting is: system(16384).
1.1.1.3.5 Set 'Maximum security log size' to '81920'
Description: This policy setting specifies the maximum size of the System event log. In Windows Vista and Windows Server 2008 this setting has been replaced by another called System, located at Computer Configuration\Administrative Templates\Windows Components\Event Log Service. If both this setting and the new one are configured the setting at Computer Configuration\Administrative Templates\Windows Components\Event Log Service will take precedence.
Rationale: If you significantly increase the number of objects to audit in your organization, there is a risk that the Security log will reach its capacity and force the computer to shut down if you enabled the Audit: Shut down system immediately if unable to log security audits setting. If such a shutdown occurs, the computer will be unusable until an administrator clears the Security log. To prevent such a shutdown, you can disable the Audit: Shut down system immediately if unable to log security audits setting that is described in Chapter 5, "Security Options," and increase the Security log size. Alternatively, you can configure automatic log rotation as described in the Microsoft Knowledge Base article "The event log stops logging events before reaching the maximum log size" at http://support.microsoft.com/default.aspx?kbid=312571.
Pass: The Local Security Policy setting is: security(81920).
1.1.1.3.6 Set 'Retention method for application log' to 'Overwrite events as needed'
Description: This policy setting determines the wrapping method for the Application log. It is imperative that the Application log is archived regularly if historical events are desirable for either forensics or troubleshooting purposes. Overwriting events as needed ensures that the log always stores the most recent events, although this configuration could result in a loss of historical data.
Rationale: If you significantly increase the number of objects to audit in your organization, there is a risk that the Security log will reach its capacity and force the computer to shut down. If such a shutdown occurs, the computer will be unusable until an administrator clears the Security log. To prevent such a shutdown, you can disable the Audit: Shut down system immediately if unable to log security audits setting that is described in Security Options and then increase the Security log size. If you set the Event log retention method to Manual or Overwrite events by days, it is possible for important recent events to not be recorded or for a DoS attack to occur.
Pass: The Local Security Policy setting is: hkey_local_machine\system\currentcontrolset\services\eventlog\application\retention(0).

Administrative Templates System - Remote Procedure Call Rules

1.2.2.4.2 Set 'Restrictions for Unauthenticated RPC clients' to 'Enabled: Authenticated'
Description: This policy setting configures the RPC Runtime on an RPC server to restrict unauthenticated RPC clients from connecting to the RPC server. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC interfaces that have specifically asked to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy.
Rationale: Unauthenticated RPC communication can create a security vulnerability.
Pass: The Local Security Policy setting is: hkey_local_machine\software\policies\microsoft\windowsnt\rpc\restrictremoteclients(1).

Windows Components - AutoPlay Policies Rules

1.2.3.1.1 Set 'Turn off Autoplay' to 'Enabled: All drives'
Description: Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. You can enable the Turn off Autoplay setting to disable the Autoplay feature. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note: You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives.
Rationale: An attacker could use this feature to launch a program to damage a client computer or data on the computer.
Pass: The Local Security Policy setting is: hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\nodrivetypeautorun(255).
Windows Components - Windows Installer Rules

1.2.3.7.1 Set 'Always install with elevated privileges' to 'Disabled'
Description: Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers. If you disable this setting or do not configure it, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: Skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure.
Rationale: Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities.
Pass: The Local Security Policy setting is: hkey_local_machine\software\policies\microsoft\windows\installer\alwaysinstallelevated(0).
