
Improvements to XP Security restrictions

#1
I wonder if you could help me? We’re planning to set up over a dozen networked XP workstations, using W2k as the server platform. To start with we’re imaging XP Toshiba Satellite Pro laptops and will eventually move on to PC workstations (using Compaq EVO PCs).

We have made up a list of security restrictions and tie downs:

Boot Up/Login Restrictions
===================
The Boot-up sequence should be C: D: A:
A Set-up configuration password should be used where possible to prevent changing the boot-up sequence.
There should be no other operating systems present – only XP
The latest Service Pack / IE security updates should be installed
The Administrator username should be renamed.
Invoke ‘Ctrl + Alt + Delete’ to ensure secure logons - uncheck the ‘Use the welcome screen’ in ‘Select logon and logoff options’.

Account Policies
===========

Password Policy
===========

Enforce Password History – 4 Passwords remembered
Maximum Password Age – 60 Days
Minimum Password Age – 5 Days
Minimum Password Length – 6 Characters
Password must meet complexity requirements – Enabled:
(Passwords using combination of uppercase & lowercase text, numbers and symbols)
Store Password using reversible encryption for all users in the domain – Disabled

Account Lockout Policy
================

Account lockout duration – 5 minutes
Account lockout threshold – 3 invalid logon attempts
Reset account lockout counter after – 1 minute

Local Policies:
==========

Audit Policy
========

Audit account logon events – Success and Failure
Audit account management – Success and Failure
Audit directory service access – No auditing
Audit logon events – No auditing
Audit object access – Failure
Audit policy change – Success and Failure
Audit process tracking – No auditing
Audit system events – Failure

User Rights Assignment
=================

Access this computer from the network – Everyone, administrators, users, and backup operators
Act as part of the operating system – No setting
Add workstations to domain – No setting
Adjust memory quotas for a process – Local service, network service, administrators
Allow logon through terminal services – administrators, remote desktop users
Back up files and directories – administrators, back up operators
Bypass traverse checking – everyone, administrators, Users, Backup Operators
Change the system time – admin, power users
Create a page file – administrators
Create a token object – no setting
Create permanent shared objects – no setting
Debug programs – administrators
Deny access to this computer from the network – security team logons and guest
Deny logon as a batch job – no setting
Deny logon as a service – no setting
Deny logon locally – security team logons and guest
Deny logon through terminal services – no setting
Enable computer and user accounts to be trusted for delegation – no setting
Force shutdown from a remote system – administrators
Generate security audits – local service, network service
Increase scheduling priority – administrators
Load and unload device drivers – administrators
Lock pages in memory – no setting
Log on as a batch job – appropriate security team logons
Log on as a service – system, network service
Log on locally – guest, administrators, users, power users, back up operators
Manage auditing and security log – administrators
Modify firmware environment values – administrators
Perform volume maintenance tasks – administrators
Profile single process – administrators, power users
Profile system performance – administrators
Remove computer from docking station – administrators, users, and power users
Replace a process level token – local service, network service
Restore files and directories – administrators, back up operators
Shut down the system – administrators, users, power users, back up operators
Synchronize directory service data – no setting
Take ownership of files or other objects – administrators

Security Options
============

Accounts: admin account status – enabled
Accounts: guest account status – disabled
Accounts: limit local account use of blank passwords to console logon only – enabled
Accounts: rename admin account – to appropriate reference no of machine
Accounts: rename guest account – Guest
Audit: Audit the access of global system objects – disabled
Audit: Audit the use of back up and restore privilege – disabled
Audit: shut down the system immediately if unable to log security audits – disabled
Devices: Allow undock without having to log on – enabled
Devices: allowed to format and eject removable media – administrator
Devices: prevent users from installing printer drivers – disabled
Devices: restrict cd-rom access to locally logged-on users only – disabled
Devices: restrict floppy drive access to locally logged-on users only – disabled
Devices: unassigned driver installation behaviour – warn but allow installation
Domain controller: allow server operators to schedule tasks – not defined
Domain Controller: LDAP server signing requirements – not defined
Domain Controller: refuse machine account password changes – not defined
Domain Member: digitally encrypt or sign secure channel data (always) – enabled
Domain Member: digitally encrypt secure channel data (when possible) – enabled
Domain Member: digitally sign secure channel data (when possible) – enabled
Domain Member: disable machine account password changes – disabled
Domain Member: maximum machine account password age – 30 days
Domain Member: require strong (windows 2000 or later) session key – disabled
Interactive Logon: do not display last user name – disabled
Interactive Logon: do not require CTRL+ALT+DEL – disabled
Interactive Logon: message text for users attempting to logon – authorised users only etc.
Interactive Logon: number of previous logons to cache (in case domain controller not available) – 10 logons
Interactive Logon: prompt user before password expiration – 14 days
Interactive Logon: require domain controller authentication to unlock workstation – disabled
Interactive Logon: smart card removal behaviour – no action
Microsoft Network Client: digitally sign communications (always) – disabled
Microsoft Network Client: digitally sign communications (if server agrees) – enabled
Microsoft Network Client: send unencrypted passwords to third party SMB servers – disabled
Microsoft Network Server: amount of idle time required before suspending session – 15 minutes
Microsoft Network Server: digitally sign communications (always) – disabled
Microsoft Network Server: digitally sign communications (if client agrees) – disabled
Microsoft Network Server: disconnect clients when logon hours expire – enabled
Network access: allow anonymous SID/Name translation – disabled
Network Access: do not allow anonymous enumeration of SAM accounts – enabled
Network Access: do not allow anonymous enumeration of SAM accounts and shares – disabled
Network Access: do not allow storage of credentials or .NET passports for network authentications – disabled
Network Access: let everyone permissions apply to anonymous users – disabled
Network Access: shares that can be accessed anonymously – COMCFG, DFS$
Network Access: sharing and security model for local accounts – Guest only – local users authenticate as guest
Network security: do not store LAN Manager hash value on next password change – disabled
Network Security: force logoff when logon hours expire – disabled
Network Security: LAN Manager authentication level – Send LM & NTLM responses
Network Security: LDAP client signing requirements – Negotiate signing
Network Security: minimum session security for NTLM SSP based (including secure RPC) clients – No minimum
Network Security: minimum session security for NTLM SSP based (including secure RPC) servers – No Minimum
Recovery Console: Allow automatic administrative logon – disabled
Recovery Console: allow floppy copy and access to all drives and all folders – disabled
Shutdown: Allow system to be shut down without having to log on – enabled
Shutdown: Clear virtual memory page file – disabled
System Cryptography: use FIPS compliant algorithms for encryption, hashing, and signing – disabled
System Objects: Default owner for objects created by members of the administrators group – object creator
System Objects: require case insensitivity for non-Windows subsystem – enabled
System Objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) – enabled

Public Key Policies
=============

Encrypting File System - there is no policy defined.
Software Restrictions Policy - there are no policies defined
IP Security Policies on Local Computer - there are no policies assigned

I would be extremely grateful if you could let me know if you can think of any other alteration that I could make to tighten desktop security. I thought about it long and hard but cannot think of anything else.

Many thanks,

Dan
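
Added example, not part of the original post: with over a dozen imaged machines, one way to confirm each still carries the password and lockout values listed above is to compare a policy export against that list. It assumes the export was made with `secedit /export /cfg` and already decoded to text; the key names are the ones secedit writes under `[System Access]`, and the sample export is constructed.

```python
import configparser

# Password and lockout values listed in the post, keyed by the names that
# secedit writes under [System Access]. Ages are in days, lockout timers in
# minutes; 1/0 mean Enabled/Disabled.
BASELINE = {
    "PasswordHistorySize": 4,
    "MaximumPasswordAge": 60,
    "MinimumPasswordAge": 5,
    "MinimumPasswordLength": 6,
    "PasswordComplexity": 1,
    "ClearTextPassword": 0,   # "Store password using reversible encryption"
    "LockoutDuration": 5,
    "LockoutBadCount": 3,
    "ResetLockoutCount": 1,
}

# Constructed sample export from a workstation that has drifted.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 5
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 1
PasswordHistorySize = 4
LockoutBadCount = 0
ClearTextPassword = 0
"""

def find_drift(inf_text, baseline=BASELINE):
    """Return {setting: (expected, actual)}; actual is None if the key is absent."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str          # keep key case as written in the export
    parser.read_string(inf_text)
    section = parser["System Access"] if parser.has_section("System Access") else {}
    drift = {}
    for key, expected in baseline.items():
        raw = section.get(key)
        # Values are integers; -1 is possible (e.g. a password that never expires).
        actual = int(raw) if raw is not None and raw.strip().lstrip("-").isdigit() else None
        if actual != expected:
            drift[key] = (expected, actual)
    return drift

if __name__ == "__main__":
    for name, (want, got) in find_drift(SAMPLE_EXPORT).items():
        print(f"{name}: expected {want}, found {got}")
```

An empty result means the exported account policy matches the list; the audit, user-rights and security-option entries live in other sections of the export and are not checked here.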
 
DrX

Guest
#2
Looks fine to me, great work :)


One thing

Account lockout duration – 5 minutes - seems very short to me; we set ours to at least 48 hrs.

If they need to get in, call us.
 
