Improvements to XP Security restrictions

Discussion in 'Windows Desktop Systems' started by Steely, Mar 25, 2002.

  1. Steely

    Steely OSNN Addict

    I wonder if you could help me? We’re planning to set up over a dozen networked XP workstations, using W2k as the server platform. To start with we’re imaging XP Toshiba Satellite Pro laptops and will eventually move onto PC workstations (using Compaq EVO PCs).

    We have made up a list of security restrictions and tie downs:

    Boot Up/Login Restrictions
    ===================
    The Boot-up sequence should be C: D: A:
    A setup configuration password should be used where possible to prevent changing the boot-up sequence.
    There should be no other operating systems present – only XP
    The latest Service Pack / IE security updates should be installed
    The Administrator username should be renamed.
    Require ‘Ctrl + Alt + Delete’ to ensure secure logons - uncheck ‘Use the welcome screen’ in ‘Select logon and logoff options’.

    Account Policies
    ===========

    Password Policy
    ===========

    Enforce Password History – 4 Passwords remembered
    Maximum Password Age – 60 Days
    Minimum Password Age – 5 Days
    Minimum Password Length – 6 Characters
    Password must meet complexity requirements – Enabled:
    (Passwords using a combination of uppercase and lowercase text, numbers and symbols)
    Store Password using reversible encryption for all users in the domain – Disabled

    Account Lockout Policy
    ================

    Account lockout duration – 5 minutes
    Account lockout threshold – 3 invalid logon attempts
    Reset account lockout counter after – 1 minute

    Local Policies:
    ==========

    Audit Policy
    ========

    Audit account logon events – Success and Failure
    Audit account management – Success and Failure
    Audit directory service access – No auditing
    Audit logon events – No auditing
    Audit object access – Failure
    Audit policy change – Success and Failure
    Audit process tracking – No auditing
    Audit system events – Failure

    User Rights Assignment
    =================

    Access this computer from the network – Everyone, administrators, users, and backup operators
    Act as part of the operating system – No setting
    Add workstations to domain – No setting
    Adjust memory quotas for a process – Local service, network service, administrators
    Allow logon through terminal services – administrators, remote desktop users
    Back up files and directories – administrators, back up operators
    Bypass traverse checking – Everyone, administrators, users, backup operators
    Change the system time – administrators, power users
    Create a page file – administrators
    Create a token object – no setting
    Create permanent shared objects – no setting
    Debug programs – administrators
    Deny access to this computer from the network – security team logons and guest
    Deny logon as a batch job – no setting
    Deny logon as a service – no setting
    Deny logon locally – security team logons and guest
    Deny logon through terminal services – no setting
    Enable computer and user accounts to be trusted for delegation – no setting
    Force shutdown from a remote system – administrators
    Generate security audits – local service, network service
    Increase scheduling priority – administrators
    Load and unload device drivers – administrators
    Lock pages in memory – no setting
    Log on as a batch job – appropriate security team logons
    Log on as a service – system, network service
    Log on locally – guest, administrators, users, power users, back up operators
    Manage auditing and security log – administrators
    Modify firmware environment values – administrators
    Perform volume maintenance tasks – administrators
    Profile single process – administrators, power users
    Profile system performance – administrators
    Remove computer from docking station – administrators, users, and power users
    Replace a process level token – local service, network service
    Restore files and directories – administrators, backup operators
    Shut down the system – administrators, users, power users, backup operators
    Synchronize directory service data – no setting
    Take ownership of files or other objects – administrators

    Security Options
    ============

    Accounts: admin account status – enabled
    Accounts: guest account status – disabled
    Accounts: limit local account use of blank passwords to console logon only – enabled
    Accounts: rename admin account – to appropriate reference no of machine
    Accounts: rename guest account – Guest
    Audit: Audit the access of global system objects – disabled
    Audit: Audit the use of back up and restore privilege – disabled
    Audit: shut down the system immediately if unable to log security audits – disabled
    Devices: Allow undock without having to log on – enabled
    Devices: allowed to format and eject removable media – administrator
    Devices: prevent users from installing printer drivers – disabled
    Devices: restrict cd-rom access to locally logged-on users only – disabled
    Devices: restrict floppy drive access to locally logged-on users only – disabled
    Devices: unsigned driver installation behaviour – warn but allow installation
    Domain controller: allow server operators to schedule tasks – not defined
    Domain Controller: LDAP server signing requirements – not defined
    Domain Controller: refuse machine account password changes – not defined
    Domain Member: digitally encrypt or sign secure channel data (always) – enabled
    Domain Member: digitally encrypt secure channel data (when possible) – enabled
    Domain Member: digitally sign secure channel data (when possible) – enabled
    Domain Member: disable machine account password changes – disabled
    Domain Member: maximum machine account password age – 30 days
    Domain Member: require strong (windows 2000 or later) session key – disabled
    Interactive Logon: do not display last user name – disabled
    Interactive Logon: do not require CTRL+ALT+DEL – disabled
    Interactive Logon: message text for users attempting to logon – authorised users only etc.
    Interactive Logon: number of previous logons to cache (in case domain controller not available) – 10 logons
    Interactive Logon: prompt user before password expiration – 14 days
    Interactive Logon: require domain controller authentication to unlock workstation – disabled
    Interactive Logon: smart card removal behaviour: no action
    Microsoft Network Client: digitally sign communications (always) – disabled
    Microsoft Network Client: digitally sign communications (if server agrees) – enabled
    Microsoft Network Client: send unencrypted passwords to third party SMB servers – disabled
    Microsoft Network Server: amount of idle time required before suspending session – 15 minutes
    Microsoft Network Server: digitally sign communications (always) – disabled
    Microsoft Network Server: digitally sign communications (if client agrees) – disabled
    Microsoft Network Server: disconnect clients when logon hours expire – enabled
    Network access: allow anonymous SID/Name translation – disabled
    Network Access: do not allow anonymous enumeration of SAM accounts – enabled
    Network Access: do not allow anonymous enumeration of SAM accounts and shares – disabled
    Network Access: do not allow storage of credentials or .NET passports for network authentications – disabled
    Network Access: let everyone permissions apply to anonymous users – disabled
    Network Access: shares that can be accessed anonymously – COMCFG, DFS$
    Network Access: sharing and security model for local accounts – Guest only – local users authenticate as guest
    Network security: do not store LAN Manager hash value on next password change – disabled
    Network Security: force logoff when logon hours expire – disabled
    Network Security: LAN Manager authentication level – Send LM & NTLM responses
    Network Security: LDAP client signing requirements – Negotiate signing
    Network Security: minimum session security for NTLM SSP based (including secure RPC) clients – No minimum
    Network Security: minimum session security for NTLM SSP based (including secure RPC) servers – No Minimum
    Recovery Console: Allow automatic administrative logon – disabled
    Recovery Console: allow floppy copy and access to all drives and all folders – disabled
    Shutdown: Allow system to be shut down without having to log on – enabled
    Shutdown: Clear virtual memory page file – disabled
    System Cryptography: use FIPS compliant algorithms for encryption, hashing, and signing – disabled
    System Objects: Default owner for objects created by members of the administrators group – object creator
    System Objects: require case insensitivity for non-Windows subsystems – enabled
    System Objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) – enabled

    Public Key Policies
    =============

    Encrypting File System - there is no policy defined.
    Software Restrictions Policy - there are no policies defined
    IP Security Policies on Local Computer - there are no policies assigned

    I would be extremely grateful if you could let me know if you can think of any other alteration that I could make to tighten desktop security. I thought about it long and hard but cannot think of anything else.

    Many thanks,

    Dan
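A way to check whether an imaged workstation actually ended up with the Account Policies and Audit Policy listed in the post above: export the effective local policy with `secedit /export /cfg out.inf` and diff the `[System Access]` and `[Event Audit]` sections against the intended values. The script below is an added example, not something from the thread or from Microsoft; the key names are the ones secedit writes (audit values 0 = none, 1 = success, 2 = failure, 3 = both), the baseline numbers are copied from the post, and the export it parses is a constructed sample with a few deliberate deviations so the checker has something to report. It also applies the two consistency rules Windows enforces when a template is applied (reset counter not longer than lockout duration, minimum password age below maximum), which is the usual reason a template silently fails to import.

```python
"""Compare a `secedit /export /cfg` INF against the policy values from the
post (added example; key names are secedit's, baseline values are the post's)."""
import re

# Intended settings, transcribed from the post: Account Policies live under
# [System Access], the Audit Policy under [Event Audit].
BASELINE = {
    "System Access": {
        "PasswordHistorySize": 4,     # Enforce password history
        "MaximumPasswordAge": 60,     # days
        "MinimumPasswordAge": 5,      # days
        "MinimumPasswordLength": 6,
        "PasswordComplexity": 1,      # complexity requirements enabled
        "ClearTextPassword": 0,       # reversible encryption disabled
        "LockoutDuration": 5,         # minutes
        "LockoutBadCount": 3,         # invalid logon attempts
        "ResetLockoutCount": 1,       # minutes
        "EnableGuestAccount": 0,
    },
    "Event Audit": {
        "AuditAccountLogon": 3, "AuditAccountManage": 3, "AuditDSAccess": 0,
        "AuditLogonEvents": 0, "AuditObjectAccess": 2, "AuditPolicyChange": 3,
        "AuditProcessTracking": 0, "AuditSystemEvents": 2,
    },
}

# Constructed sample of what `secedit /export` produces on a machine where the
# image was applied incompletely (lockout and length/complexity not set).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 5
MaximumPasswordAge = 60
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 4
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
EnableGuestAccount = 0
NewAdministratorName = "Administrator"
[Event Audit]
AuditSystemEvents = 2
AuditLogonEvents = 0
AuditObjectAccess = 2
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_inf(text):
    """Parse the INI-style export into {section: {key: raw value string}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        sections[current][key] = value
    return sections


def _int(sections, section, key):
    """Integer value of a key, or None when absent or not numeric."""
    try:
        return int(sections.get(section, {}).get(key, "").strip('"'))
    except ValueError:
        return None


def check(sections, baseline=BASELINE):
    """Return (section, key, expected, actual) for every baseline key that is
    missing from the export (actual=None) or differs from the intended value."""
    findings = []
    for section, keys in baseline.items():
        for key, expected in keys.items():
            actual = _int(sections, section, key)
            if actual != expected:
                findings.append((section, key, expected, actual))
    return findings


def consistency_warnings(sections):
    """Rules Windows applies when the template is imported: the lockout
    counter reset must not exceed the lockout duration (a non-positive
    duration means locked until an administrator unlocks, so is skipped),
    and the minimum password age must be below the maximum (-1 = never)."""
    warnings = []
    dur = _int(sections, "System Access", "LockoutDuration")
    reset = _int(sections, "System Access", "ResetLockoutCount")
    if dur is not None and reset is not None and dur > 0 and reset > dur:
        warnings.append(f"ResetLockoutCount {reset} > LockoutDuration {dur}")
    lo = _int(sections, "System Access", "MinimumPasswordAge")
    hi = _int(sections, "System Access", "MaximumPasswordAge")
    if lo is not None and hi is not None and hi != -1 and lo >= hi:
        warnings.append(f"MinimumPasswordAge {lo} >= MaximumPasswordAge {hi}")
    return warnings


if __name__ == "__main__":
    parsed = parse_inf(SAMPLE_EXPORT)
    for sec, key, exp, act in check(parsed):
        print(f"[{sec}] {key}: expected {exp}, found {act}")
    for w in consistency_warnings(parsed):
        print("warning:", w)
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the contents of the INF; the `[Registry Values]` section (LM authentication level, anonymous access and the other Security Options in the post) can be checked the same way by adding its `MACHINE\...` paths to the baseline, with secedit's `type,value` encoding split on the comma.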
     
  2. DrX

    DrX Guest

    Looks fine to me, great work :)


    One thing

    Account lockout duration – 5 minutes – seems very short to me; we set ours to at least 48 hrs.

    If they need to get in, call us.