v 1.1.1
Hal Berghel
Jacob Uecker
This web page is a checklist for securing a Windows XP Professional workstation. The best way to implement security for such a workstation is through a domain controller using Active Directory and Group Policy. Given that an administrator for such a domain is unavailable there must be a way to implement some form of security, even if it's not the best methodology. We have tried to provide such an implementation, in the form of a checklist. Keep in mind that these steps are only recommendations to help harden a system; they are not concrete. We have tried to make this from the standpoint of a secure environment. With this in mind, you might find that our ideas don't match your environment. If you decide that such a setting is too strict, you can relax it a bit, but be aware of the possible attack vectors (which is just as important).
Many of these settings were meant for the default install of Windows XP Professional. If you have Service Pack 1 or 2 installed as well, some of the configuration changes will already have been made for you; these are noted in red italics. However, all configurations should be checked on the box to make sure nothing has changed.
We take no responsibility whatsoever for the implications that these settings will have on your computer. It is always important to try these changes on a test machine before changing your infrastructure. We have tried to provide the consequences of each setting, but there is no doubt many more exist.
If you have any suggestions or comments please let us know.
The checklist steps are followed by a detailed description of why the steps are necessary.
Copyright © 2003 by Hal Berghel and Jacob Uecker. All Rights Reserved.
Note: These instructions assume that Windows Start menu is set to Classic View. The necessary steps will be different if your Start menu is not set to Classic View. To change this, simply right-click on the Start button and select properties. Click on the "Start Menu" (top) radio button.
2. Local Security Policies
Initiate each of the following changes with the following:
Account Policies
Password Policies
For each of the following, expand "Account Policies" and click on "Password Policy"
Account Lockout Policy
For each of the following, expand "Account Policies" and click on "Account Lockout Policy"
Local Policies
Audit Policies
For each of the following, expand "Local Policies" and click on "Audit Policy"
User's Rights
For each of the following, expand "Local Policies" and click on "User Rights Assignment"
Security Options
For each of the following, expand "Local Policies" and click on "Security Options"
3. Other Security Issues
Miscellaneous Registry Modifications
Misc Modifications
Why do this?
Guest accounts are problematic from a number of perspectives. For one, if Guest is enabled without a password, all remote access will default to "guest" on logon if the username is not listed in the accounts database or if Simple File Sharing is enabled. For another, anonymous logins are handled as requests to the Guest account. In general, users of the system should be forced to provide some sort of credentials as authentication. This includes use of the console, remote resource access, and any other method of system access. One of the common classifications of exploits is privilege escalation. In this type of exploit, the attacker does something, such as executing code, that gives them privileges to do things they would not otherwise be able to do. This type of exploit is well suited to Guest account access: someone could gain access to the computer using the Guest account and then exploit a vulnerability that gives them complete control of the system.
According to Microsoft Knowledge Base article 300489, the following applies to the Guest account:
Although all these restrictions do apply to a new Guest account, there is no substitute for blocking any user from ever using the account. Then there is never any possibility of the account being exploited.
If you shut the guest account off, why assign it a complex password? Simply put, so a hacker can't turn the guest account back on and use it. If guest is reactivated, it still has a password that needs to be cracked before it can be used. This is just another instance of defense-in-depth.
Remember that the password that is typed after "net use guest password:" should be random and very long (over 100 characters). You should use all types of characters (upper- and lower-case letters, numbers, and special characters). One of the most underused characters in creating a strong password is the space. It is a perfectly valid character and adds another level of complexity to password creation.
What consequences will there be on my system?
It completely stops people from accessing your computer through the guest account, anonymous logins through the console or terminal services, null sessions and anonymous LDAP queries.
When a long, complex password is chosen for the Guest account, it becomes virtually unusable. Unless someone can guess the password (which would take a few thousand years), the account is effectively disabled. This means that anyone who wants to access the computer will now have to get a real user account to access the information. It also means that hackers who used the Guest account to access data anonymously won't be able to do so anymore. Once the Guest account has been disabled, Simple File Sharing (discussed in another section) must be disabled as well. When Simple File Sharing is enabled (which is the default when XP Pro uses a workgroup rather than a domain), all file sharing happens using the Guest account. Obviously, with the Guest account inaccessible, the mode of file sharing has to be changed for any file sharing to operate.
Disable Guest Account and Support accounts
Why do this?
For the same reasons outlined above. An active Guest account is an extremely bad idea because it allows anyone access to data that possibly should not be seen. If there are people who need access to a file or program, they should have an account with a password. The Support accounts serve a number of purposes. The SUPPORT_####### account (where ####### is a hexadecimal number) that is installed on every Windows XP machine is used for Microsoft customer support. It allows Remote Desktop sessions to be initiated in the form of an invitation to Microsoft customer care (or a malicious attacker). HelpAssistant is a similar account, but it is used to invite people outside of the Microsoft Corporation to help with computer problems. The ASP.NET account is installed when the Microsoft .NET Framework is installed. It is necessary for Windows to run the ASP.NET worker process within Internet Information Services. It is created so that the necessary process is not run with Administrator privileges. The SQLDebugger account is created by the installation of Microsoft Visual Studio or SQL Server. It serves much the same purpose as the ASP.NET account. These accounts are necessary for specific functions of specific programs. There are a number of ways that securing these accounts can be approached. If there is no need for the accounts, because their functionality is not required, they can be safely disabled. It is also possible to stop the use of these accounts from remote computers, on the console, as batch jobs, etc.
What consequences will there be on my system?
It completely stops people from accessing your computer through the Guest account. Since the Guest account shouldn't be used for normal purposes anyway, it should not be available for hackers to access your box without your permission. By disabling the other accounts, functionality that is needed by programs that require the accounts will also be disabled. While it's unlikely that the SUPPORT_ and HelpAssistant accounts will be needed, the ASP.NET and SQLDebugger accounts may be, depending on each individual situation.
Disable Remote Access to Computer
Why do this?
Remote Assistance and Remote Desktop are services provided in Windows XP that allow someone to connect to your computer over the network and use it as if they were sitting in front of it. This can be used to help someone troubleshoot a problem. Rather than having to communicate over the phone and explain the problem, a support person can simply take control of the computer and fix whatever problem exists. This can be an extremely useful tool. When a Windows server is deployed remotely in the field, access can still be had through Remote Desktop, which could save a trip to the remote location. It can be made more secure by tunneling the communication through a more secure channel such as SSH or a VPN. Unfortunately, there is a dark side to Remote Desktop. Since it is so powerful, it could be used by an attacker to gain control of the system. Should an attack be found that could grant access to anyone, the system could be completely compromised. Additionally, programs exist that continually try to guess the passwords of accounts on the system. Some can even do this without being detected in the system logs. Keep in mind that other programs exist that can provide remote connectivity and are a little more secure.
What consequences will there be on my system?
By disabling Remote Access, you will no longer be able to access your computer through Remote Desktop. A common example of Remote Desktop use is accessing the computer while on vacation. Remote Desktop can be very helpful since you can access your computer just as if you were sitting in front of it, from thousands of miles away. By disabling the "remote invitations" feature, such invitations will no longer be usable. An account will have to be set up on the machine which allows access.
Note that when using Remote Desktop, all of the same functionality is available to you from your hotel in Sri Lanka as is available at the keyboard. The problem is that other people (hackers) could also have that same functionality if Remote Desktop is enabled.
Disable Simple File Sharing
Why do this?
Simple File Sharing is the mechanism by which Windows XP shares files and folders in the networked workgroup environment. The workgroup environment is the configuration used with most computers; in this mode the computer is not part of an Active Directory structure. Under this policy, resources are shared without access restrictions. There are no passwords, so anyone can see everything that is shared. As a result, if one of the computers in your network is compromised, all computers should be considered compromised because there is open sharing. This can be replaced with a more secure policy by shutting off Simple File Sharing. Each shared disk or folder then has an Access Control List (ACL) which describes who can use the shared resource. This setting is also accessible through the registry key: HKLM> System> CurrentControlSet> Control> Lsa> forceguest. The value should be 0. File sharing in general is something that should not be done in a secure environment because of the risk of exploitation. There is a small possibility that the file sharing itself could be exploited to gain access to other files. If this were to happen, an attacker could possibly add malicious files or delete critical files.
What consequences will there be on my system?
By shutting off Simple File Sharing, users who count on the fact that there is no access restriction for a resource will no longer have access. If your network can operate under a system of complete trust, then Simple File Sharing might work fine, but it is much safer to shut it off and follow the policy of least privilege. This dictates that each user should have the minimum amount of privilege needed to do their necessary tasks. While Simple File Sharing is much more usable, the additional effort involved in Advanced File Sharing buys much better security. In short, some network resources will be unavailable until they are redesigned.
Change Access Privileges to Hard Drives
Why do this?
Windows XP Professional has the default setting of giving the Everyone group read access to the drives. This means that all users from any group (Administrators, Power Users, Guest) will have the ability to read files on the computer unless there is a Deny statement for a particular file or folder that stops access. Since Deny statements take precedence over Allow statements, access can be stopped on a per-file or per-folder basis. This is not an efficient method of limiting access. If a user would like to view a file, they should be given explicit privilege to do so. A more secure policy is to remove the Everyone group, so that a user must be part of the Administrators, Power Users, or Users group to access the resources. By default, when a new user is added, they will be added to either the Administrators group or the Users group. The Guest account and anonymous logins will not be allowed read access to any resources in the system. By doing this, a user has to be explicitly granted access to the system rather than receiving it by default.
What consequences will there be on my system?
By removing the Everyone group privileges, it effectively only removes the Guest account's login abilities. This is due to the fact that all other accounts on the system should belong to the Users group as well as the Everyone group. When the Everyone group is removed from the file permissions access control list (ACL), the accounts that only belong to the Everyone group (and not to any others) will not have access. Since all persons accessing the computer should be given an individual account, there really should be no effect on the system. If some problem results from this, a careful audit of the users and their access to the system should be performed.
Stop “Everyone” from Sharing
Why do this?
When a share is created in Windows XP Professional, it is created with a default set of permissions. They allow anyone to read what is being shared. Of course, different permissions govern connecting to the computer, so the permissions for the share don't necessarily allow anyone to connect to the computer. See "Disable Simple File Sharing" and the Local Security Policy settings involving network connections for more information. While giving read access to the share doesn't give people the ability to plant a malicious virus, for example, it could allow someone access to files that are private and/or proprietary. The best thing to do is not to share any files over the network. When this is absolutely unacceptable, it is best to allow only specific individuals or groups access to the shared resources. While this significantly increases authentication and accounting on the system, this is not really a bad thing. Because authentication and accounting are being used, there is a record of who accessed what and when.
What consequences does this have on my system?
This will most likely have no effect on your system. The only way that connectivity would change is if Simple File Sharing were turned on, the group Everyone were allowed to access the computer in the User Rights section, and no other access restriction stopped the anonymous user. While this is probably the case in a default install of Windows XP, any tightening of security would stop the connections.
Enforce Password History
Why do this?
People have a habit of using the same passwords over and over. When asked to change their password, they will often choose the same password as before, or they will rotate among a small set of passwords. This gives attackers a vulnerability to exploit. If an attacker finds one user's password, they will have access to the system much longer than if the password had been changed more often. By enforcing a password history, users will have to change their password to something new because the system will not allow the user to use a password that was used previously.
What consequences will there be on my system?
One of the consequences of making users choose a new password frequently and enforcing history is that users will have a more difficult time remembering all the new passwords. As a result, the user might resort to writing down the password and sticking it in an accessible place, like underneath the keyboard, which could be a greater security risk.
Maximum Password Age
Why do this?
Allowing a user to use the same password for a long period of time leaves an attacker that amount of time to undermine the system, should the password become compromised. By making users change their password after a period of time, the attacker must work to maintain a presence on the system. If the amount of effort to obtain the password in the first place was sizeable, there is a good chance the attacker will need to do all that work over again to regain access to the computer (unless a backdoor was created). With today's password cracking software and faster hardware, attackers can crack passwords using brute force faster than ever before. Making users change their password more often greatly increases security because the attacker may spend days cracking the user's password, only to find the user has changed it again.
What consequences will there be on my system?
There is a fine line between making users change their password for security purposes and making them change it so often that it becomes a security risk. As stated above, if the user has to change the password often, he or she will simply start writing the current password down where it could easily be seen by anyone having physical access to the paper.
Minimum Password Age
Why do this?
This setting controls the amount of time the user must wait before being able to change their password again. The main goal in setting this time is to make sure users can't change their password as required by the Maximum Password Age setting, and then cycle through a series of passwords to simply change their password back to what it was before, thereby undermining the Maximum Password Age and the Password History setting.
What consequences will there be on my system?
Users on the system will simply not be able to change their passwords immediately after changing them.
Minimum Password Length
Why do this?
This setting is extremely important because it can stop the use of LAN Manager passwords as well as add complexity to the password, making it significantly harder to crack. LAN Manager passwords are limited to at most 14 characters. Creating a password longer than that ensures that the insecure LAN Manager password hash is not stored. Secondly, password complexity is a function of the number of possible characters raised to the power of the length. For example, if a password can only be composed of 26 characters, a password of five characters could be any one of 26^5 = 11,881,376 possibilities. If the length is increased to 15 characters, the possibilities increase to 26^15 = 1.677 x 10^21. So the easiest way to increase the difficulty of cracking a password by brute force is to use a long password. The maximum value for the LAN Manager field is 14; thus using a password 15 characters long will prevent storing LAN Manager passwords. However, since the minimum cannot be set to more than 14, management must enforce a separate policy requiring a password length of 15 or more.
What consequences will there be on my system?
Versions of Windows prior to Windows NT 4.0, which include Windows 9x/ME and Windows for Workgroups, do not allow long passwords, so they will be incompatible. It is recommended that these older systems not be allowed on any network attached to the Internet anyway because of their numerous security vulnerabilities.
Password Must Meet Complexity Requirements
Why do this?
Enabling this feature enforces a strong password policy: passwords have to be at least six characters and must be made up of characters from three of four different categories (uppercase letters, lowercase letters, numbers, and special characters).
An attacker must know the character set used to generate the password. A larger character set means longer times required to crack the password using brute-force methods. Given that this setting enforces strong passwords, the attacker must run the attack with a large set of characters, increasing the amount of time needed to test all the combinations of passwords. Enabling this setting also stops a user from using any part of their username as the password, which is a common practice and extremely vulnerable to attack. Often this is the first guess that an attacker will try and leads to easy access of the system.
What consequences will there be on my system?
This makes the users have to choose passwords that are possibly more complex than they had been before. It could lead to users writing down their passwords.
Store Passwords Using Reversible Encryption
Why do this?
This option controls whether or not the user's passwords should be stored as a two-way hash. Some applications request access to the passwords and this is facilitated through the use of reversible encryption. This is an extremely bad idea! It is essentially the same as not encrypting the passwords in the first place.
What consequences will there be on the system?
Having this option disabled may cause some programs to request the password instead of pulling it from the reversible encryption file. This added effort is, however, preferable to the security risk of having a two-way hash function to encrypt the passwords.
Account Lockout
Why do this?
One of the techniques for attacking a system to gain access is to guess user passwords. This can be as straightforward as trying different passwords at the login screen until the correct one is found and the attacker is logged in. This can be prevented by enabling policies which lock the account out for a period of time. This means that the attacker will have the chance to guess a limited number of times before the account becomes non-operational for a period of time. This increases the time and effort that the attacker must expend to gain access to the system.
What consequences will there be on my system?
When passwords are more difficult to type, a user can end up locking themselves out of their computer because they type their password wrong a number of times consecutively. As a result, they are unable to log in to their computer for a period of time. Care must be taken to ensure that an appropriate number of guesses can be tried before account lockout. This depends on the policies set for password length and complexity. The right setting can then be chosen to minimize attacks but keep users from locking themselves out.
Audit Account Logon Events
Why do this?
Auditing is the task of keeping a record of different actions that take place in the system for further analysis. These events can be benign but they can also provide information to aid in tracking down an attacker or security hole in the system. It is necessary to maintain a balance between too much auditing and not enough because too much auditing can lead to such a large amount of information that parsing through it is difficult, but not enough offers little assistance when needed. By Auditing Account Logon Events, a record will be made if the local machine is used in authenticating logins. This type of event is usually triggered by Kerberos authentication. For example, if a domain account is used to login to a workstation, the domain controller that authenticated the login will contain the logged event. This probably won't generate any events on a stand-alone workstation, but it should be turned on in case the system is reused.
What consequences will there be on my system?
A record will be stored on disk detailing the authentication made.
Audit Account Management
Why do this?
This auditing option will save information about the changes made to user accounts. For example, if an account is created or changed, it will be recorded. This can be an important tool if users complain that their password has been changed or you notice a new account. A record of the changes can be referenced to have a starting point for tracing any illegitimate activities. Without this kind of log, a starting point would not be available.
What consequences will there be on my system?
Records will be created when any account related activity takes place.
Audit Directory Service Access
Why do this?
This option will log attempted and successful accesses to Active Directory objects within a domain controller. Thus, it is not applicable to workstations and should not be enabled.
What consequences will there be on my system?
There will be no effect on your system.
Audit Logon Events
Why do this?
Auditing logon events will record information about the users who login and logout. This can be useful in building a fingerprint for the system. For example, one can notice that most users login at a certain time of day, or there are usually three users logged in at night. Once this fingerprint is established, it becomes much easier to see problems before and while they are occurring. Auditing logon events also helps to track down attacks on the system. You will be able to see a large number of unsuccessful attempts, for example.
What consequences will there be on my system?
Every user login or failed login attempt will be recorded, whether the user is logging in remotely or interactively.
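The "large number of unsuccessful attempts" mentioned above is easy to pick out of the logon audit trail once it is being collected. The following is an added example, not part of the original checklist: it runs over a constructed sample of Security log entries (reduced to time, event ID, account and workstation name) and reports guessing runs, whether a success followed them, and successful logons outside the hours the workstation's usual pattern would predict. The event IDs 528 (successful logon) and 529 (logon failure, bad user name or password) are the XP-era values and are assumed here.

```python
"""Added example: look for password guessing in audited logon events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event IDs as the Windows XP Security log records them (assumed here):
# 528 = successful logon, 529 = logon failure (unknown user name or bad password).
SUCCESS_LOGON, FAILED_LOGON = 528, 529

# Constructed sample, reduced to (time, event id, account, workstation name).
SAMPLE_EVENTS = [
    ("2003-05-12 08:58:10", 528, "jsmith", "WS-ACCT01"),
    ("2003-05-12 09:01:33", 529, "jsmith", "WS-ACCT01"),        # one typo, then success
    ("2003-05-12 09:01:52", 528, "jsmith", "WS-ACCT01"),
    ("2003-05-12 02:14:05", 529, "Administrator", "WS-UNKNOWN"),
    ("2003-05-12 02:14:09", 529, "Administrator", "WS-UNKNOWN"),
    ("2003-05-12 02:14:14", 529, "Administrator", "WS-UNKNOWN"),
    ("2003-05-12 02:14:18", 529, "Administrator", "WS-UNKNOWN"),
    ("2003-05-12 02:14:23", 529, "Administrator", "WS-UNKNOWN"),
    ("2003-05-12 02:14:27", 529, "Administrator", "WS-UNKNOWN"),
    ("2003-05-12 02:14:31", 528, "Administrator", "WS-UNKNOWN"),  # and then it worked
    ("2003-05-12 17:45:00", 528, "hberghel", "WS-LAB07"),
]


def parse_events(rows):
    """Turn the raw tuples into (datetime, id, account, workstation), sorted by time."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, user.lower(), ws)
                  for ts, eid, user, ws in rows)


def guessing_runs(events, threshold=5, window=timedelta(minutes=10)):
    """Map (workstation, account) -> (failures in the largest burst, success afterwards)
    for every pair with at least `threshold` failed logons inside any `window`."""
    recent, runs = defaultdict(deque), {}
    for when, eid, user, ws in events:
        key = (ws, user)
        if eid == SUCCESS_LOGON:
            if key in runs:                      # a success after a burst: the worst case
                runs[key] = (runs[key][0], True)
            continue
        if eid != FAILED_LOGON:
            continue
        q = recent[key]
        q.append(when)
        while when - q[0] > window:              # forget failures older than the window
            q.popleft()
        if len(q) >= threshold:
            count, succeeded = runs.get(key, (0, False))
            runs[key] = (max(count, len(q)), succeeded)
    return runs


def after_hours_logons(events, start_hour=7, end_hour=19):
    """Successful logons outside the hours the machine's usual pattern would predict."""
    return [(when.strftime("%Y-%m-%d %H:%M:%S"), user, ws)
            for when, eid, user, ws in events
            if eid == SUCCESS_LOGON and not start_hour <= when.hour < end_hour]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for (ws, user), (n, ok) in guessing_runs(evts).items():
        print(f"{n} failed logons for {user} from {ws}; succeeded afterwards: {ok}")
    for row in after_hours_logons(evts):
        print("after-hours logon:", row)
```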
Audit Object Access
Why do this?
Almost everything in Windows is an object. Files, folders, registry keys, printers, etc. are all objects, and all objects have an Access Control List (ACL) which describes who can access the object and how it is audited. When a user tries to access something that they don't have access to, it will be recorded. It is not wise to record successes for this event because successful object accesses are extremely numerous. However, failures should be recorded because they give some insight into users trying to access things that they shouldn't, as well as providing a way to find the possible reasons why something can't be used.
What consequences will there be on my system?
Records will be created each time someone tries to access something that they don't have access privileges for. It could also act as a deterrent for users if they know they will be recorded trying to do something that they shouldn't.
Audit Policy Change
Why do this?
Most of what has been recommended thus far has dealt with policy changes. When a policy change is made, it will be recorded. This can be used to see when something was changed, and whether it was changed by someone else. If an attacker were to get into the system and allow LAN Manager hashing through the local security policy, there would be a record of it. It is important to make sure that the Security Option "Audit: Shut down system immediately if unable to log security audits" (registry key: HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Control> Lsa> crashonauditfail = 0) is disabled. If enabled, it is possible that the system might crash when rebooted, and when rebooted again only the Administrator will be able to log in. The value will have to be changed before other users will be able to log in. This problem has been fixed by a Microsoft patch. Details can be found here.
What consequences will there be on my system?
Records will continue to be created every time a policy change is made or fails to be made. As stated above, if the crashonauditfail value is enabled, only the Administrator will be able to log in after two restarts (the first restart being a system crash).
Audit Privilege Use
Why do this?
Each time a user does something that is considered their user right, the event is logged. This doesn't include backing up and restoring files, creating a token object or debugging programs. It is important to make sure that the Security Option in the Local Security Policy, "Audit: Audit the use of Backup and Restore privilege" is disabled. When this is turned on, the audit files will quickly become filled.
What consequences will there be on my system?
Records will be created that detail the attempt to access things that the user has no privilege for, as outlined by the User's Rights Assignments.
Audit Process Tracking
Why do this?
This option is used only when your computer is believed to be under attack. It records events like program and process entrance and exit. Obviously this would generate large amounts of information and should only be used when necessary.
What consequences will there be on my system?
Every time a process starts or stops a record will be created.
Audit System Events
Why do this?
Anything that the user does that affects system security or the audit logs will be recorded. It is an obvious advantage to know when and who tried to modify something that would affect system security. This information can be used to reprimand users who are abusing policy and making the system more vulnerable. All events such as restarting and shutdown of the computer, or failure to do so, will be recorded.
What consequences will there be on my system?
Events affecting system security will be recorded.
Who can access the computer from the network
Why do this?
This option allows the groups of users listed to access the computer remotely through SMB sessions. It is a good idea to limit the users who are authorized to log in remotely. The rule of least privilege implies that if there is no need for a user to access the computer over the network, they should not be allowed to do so. This helps to limit the number of accounts an attacker could exploit. There is no reason why the Guest account should be allowed to log in remotely; it should be eliminated. Also, the Support account(s) are not needed and should be disabled as well. This setting won't affect services other than SMB.
What consequences will there be on my system?
All accounts that are not part of one of the groups listed will be denied access to the computer from the network. The user accounts need to be looked over to make sure that every user with a legitimate purpose is able to log in remotely. By removing it from the list, the Support account will not be able to log in to the computer. It should, however, also be disabled to keep attackers from exploiting the account.
Who can act as part of the Operating System
Why do this?
Letting a user act as part of the operating system gives that user more privileges than Administrator. It is a low-level right that allows the user to bypass all access privileges, security permissions, and user rights. If such an account were to come under the control of an attacker, it would give that person complete control of the system. All other security measures would become worthless because they could simply be bypassed. Under normal operating procedures, such an account is unnecessary and should not be allowed.
What consequences will there be on my system?
If the principle of least privilege is followed, this will have no effect on the system because all necessary functions can be done without acting as part of the operating system. Administrator should be the most powerful account on the system, and it should be guarded as the key to the system. No other account should be created with that power, as it only adds security risk.
Who can add workstations to the domain
Why do this?
This user right only has relevance in a domain environment. Since we are considering how individual workstations should be locked down, there is no reason to add any group to this list. If the computer were in a domain, the users who should have this privilege have it as part of that account, they do not need to be given the privilege explicitly. This will keep attackers from adding an untrusted workstation to the domain.
What consequences will there be on my system?
When all users are removed from this list on an individual workstation, there will be no effect on the system, as it is not on a domain.
Who can adjust memory quotas for a process
Why do this?
This gives a user the ability to change the maximum amount of memory that a process can consume. Since there is a limited amount of computer memory, this can be used to fine-tune a system. By allowing a process a little more memory, it can function faster. But this ability can also be misused to create a denial of service. If an attacker gives all the available memory to a single process, no other processes will function until that process releases its memory. Obviously an attacker can use this as a tool to cripple a system.
What consequences will there be on my system?
This will have very little, if any, effect on your system. Even though the ability to change the memory quota exists, there will be no effect until it is actually used by the proper accounts.
Who can logon through Terminal Services
Why do this?
This determines who can log on to the computer remotely through Terminal Services. The use of Remote Desktop requires this privilege. Because Remote Desktop shouldn't be allowed on secure workstations (or notebooks), no group should be granted this privilege. Removing all users and groups from this list will help secure the workstation from unwanted remote attackers. Obviously, this doesn't apply to workstations that also double as servers.
What consequences will there be on my system?
This will stop Remote Desktop logins and other terminal services through the network as there will be no users or groups that have privileges to terminal services.
Who can backup files and directories
Why do this?
The ability to back up files and directories is extremely important to the long-term health of any computer system. The only problem is that, combined with the ability to restore files, a user can make a backup of a file and restore it with different access privileges. The ability to back up files supersedes the access privileges assigned to files, so a user with backup privileges can make a backup of a file to which they don't have regular access. This is an obvious vulnerability because, with a few more steps, a user can access a file they normally wouldn't have access to.
What consequences will there be on my system?
Part of an administrator's job could be to back up the system and restore files, should the need arise. Since the administrator already has privileges to access most files and directories on the system, it would not be a violation of privilege for the administrator to make backups. The only effect on the system is that backups must be performed by the administrator, if this is not already the policy.
Who can bypass traverse checking
Why do this?
Bypassing traverse checking means that a user can pass through a part of the directory structure that they don't have access to in order to reach a part that they do have access to. For example, if there is a folder C:\windows\system32\config and the user has been denied access to the folder system32 but granted access to config, the user will be able to go through system32 to get to config. This option isn't particularly dangerous, because the user will not be able to access anything in the denied folder, just pass through it. Needing it could, however, be a sign of improper access control administration, so if there is a problem it can serve as an alert to that fact.
What consequences will there be on my system?
This will have no effect on the system other than not allowing users to travel through directory trees they have no access to in order to reach another directory. If this somehow affects their work, they should be granted access to that directory tree, not to the entire system.
Who can change the system time
Why do this?
The ability of any user to change the system time can affect Kerberos and other time-critical functions. By allowing anyone to change the time, it is possible to thwart these functions. The administrator, who is in charge of the system, should be responsible for changing the time, should it need changing. Not only could changing the system time affect critical authentication systems; it could also be used to annoy other users. It would be aggravating if a clock set fifteen minutes behind resulted in arriving late to an appointment.
What consequences will there be on my system?
This simply makes the administrator the only one who can change the system time.
Why do this?
The ability to create a pagefile introduces a number of vulnerabilities to the system. Users who can create pagefiles can modify or remove them, which can lead to system instability. A more severe problem introduced with pagefiles is that nothing stored in the files is encrypted. This allows an attacker to retrieve some valuable information about the system without having to decrypt it.
What consequences will there be on my system?
Only administrators will be allowed to create pagefiles and change their size.
Why do this?
A created token object can be used to access all resources. It's obvious that the ability to give access privileges to anyone could be used to give an attacker the privileges to compromise the entire system. Only the Local Security Authority should be allowed to create token objects that give users privileges.
What consequences will there be on my system?
Removing everyone from the list has no effect on the system. The Local Security Authority will create the objects as necessary, and the system will function normally.
Why do this?
These global objects are used within Terminal Services sessions. Although some applications may require the use of global objects, they are also a security risk. This right should only be given to trusted users.
What consequences will there be on my system?
Non-administrator accounts may experience problems with some applications, but this is unlikely. There will likely be no adverse effects on the system.
Who can create permanent share objects
Why do this?
Permanent shared objects are used internally by kernel-mode operations. All components that need to create these objects have the rights already assigned to them, so adding anything to the list is unnecessary.
What consequences will there be on my system?
There will be no effect on the system because all rights have already been assigned to those components that need them.
Why do this?
The ability to debug programs that are being run as other users presents a tremendous vulnerability. Attackers can use a technique called DLL injection to insert malicious code into the program being debugged, which gives the attacker access to system components. The ability to debug programs that are running as other users should not be permitted in a secure environment, but if it is, the right should be assigned to a particular group only. The ability to debug also opens up another problem: sometimes the system state is saved when a program crashes, to help programmers debug the problem. This information can be used to gather details about the system which can be used later in an attack.
What consequences will there be on my system?
When your computer runs into a stop error, information about the state of the machine will no longer be recorded.
Explicitly deny access to computer from the network
Why do this?
The groups and users that are on this list will not be able to access the computer from the network. Placing people on this list provides further security against an attacker exploiting accounts from the network. Accounts that have been disabled should be placed on this list, which will ensure greater security should they be turned back on again. This list supersedes the list allowing access to the computer from the network, so even if a group or user is found on both lists, they will be denied access. If no network access is required, it would be a good idea to place everyone on the list. The remote access that this list is concerned with is SMB (Server Message Block), which is available in many Microsoft operating systems.
What consequences will there be on my system?
All accounts that are found on this list will not be allowed to access the computer from the network.
Who is denied logging on as a batch job
Why do this?
The right being denied here allows a user to log on as a batch job. For example, a user can submit a job to the Task Scheduler, and instead of being logged on interactively, they will be logged on as a batch job. This does allow a user to schedule programs to be executed by the Task Scheduler. A determination must be made as to which user(s) should be able to do this.
What consequences will there be on my system?
All accounts found on this list will not be allowed to log on as a batch job. These users won't be able to submit jobs to the Task Scheduler.
Who is denied logging on as a service
Why do this?
This prevents a user from registering a process as a service. Service account passwords are saved on the hard drive in near plain-text. This means that the password could easily be recovered by an attacker trying to break into the computer.
What consequences will there be on my system?
Any user or group listed will not be able to register a process as a service. Some processes need to be registered as a service. If this occurs, a change may be necessary.
Who is denied from logging on locally
Why do this?
This option can be used to specifically deny users the ability to log in to the computer at the console. The main security feature of this user right is that unauthorized users will not be able to log in to the computer; they must be removed from this list before they are able to log in from the console. This doesn't, however, affect the use of the account with telnet, SMB, or anything else. Accounts that are known to the system at the time of configuration should be added to the list, such as Guest and the support accounts. This adds more assurance that the accounts will not be used without the consent of the administrator.
What consequences will there be on my system?
All accounts that are listed will not be able to log in locally. This does not affect logins through SMB, telnet, or any other service.
Who is denied logging on through Terminal Services
Why do this?
This works much the same way as the user right above which lets specific users use Terminal Services. This one, however, denies the right to any user on the list: any user found on this list will not be able to log in through Terminal Services, and this supersedes the allow right above. This should be denied to everyone because Remote Desktop, which uses Terminal Services, should not be active on a secure workstation. Should your workstation function as a server, the correct strategy would be to deny access to “Guest,” support accounts, and “HelpAssistant.”
What consequences will there be on my system?
This will have no effect on your system other than a little added insurance that no one will use your computer remotely. Even if Remote Desktop is turned on somehow, all users are still denied access to the machine.
Enable computer and user accounts to be trusted for delegation
Why do this?
This allows a user to change the setting entitled "Trusted for Delegation" for users and objects within Active Directory. Misuse of this could leave the domain vulnerable to trojan horse attacks. Since we are dealing with workstations that are not connected to a domain, this right is of little concern. However, should the computer become connected to a domain, the right has already been set to a secure state. Also, it is more secure to let no one change the "Trusted for Delegation" field than to let someone change it.
What consequences will there be on my system?
This will have no effect on your system unless your computer is connected to a domain. If it is connected to a domain, no one is allowed to change this setting, so the domain is not compromised.
Who can force a shutdown from a remote system
Why do this?
This gives a user the ability to shut down the computer from a remote location on the network. This is a dangerous setting because it allows someone to perform a denial of service on those users accessing the machine at the time of shutdown. Care must be taken to ensure only the proper users have access to this kind of control. Since administrators have near complete access to the machine, they should be trusted with this control. It is usually better to allow someone the ability to shut down the computer in the event it really does need to be shut down.
What consequences will there be on my system?
This allows a group of people the ability to shut down the computer remotely. Shutdown occurs even if there are open processes and connections.
Who can generate security audits
Why do this?
This allows a process to write to the security event log. If there is a problem with a service, or there is an event that should be audited according to the rules set up in the Local Security Policy, some process must log it; if it has no access, it can't be done. Care must be taken to make sure that too much access isn't given to users who should not be able to change the logs.
What consequences will there be on my system?
Processes that are not allowed to write to the security event log will not be able to do so. This means that valuable information about what is happening to the system could be lost.
Who can impersonate clients after authentication
Why do this?
This option determines which users can allow a program to execute on their behalf. This could be a situation like executing commands on another computer. The security issue involved is malicious code being run under the user's privileges. Most programs do not need such privileges, so all groups can safely be removed.
What consequences will there be on my system?
While most programs do not require this privilege, there are some that do. In this case, it may be necessary to add that user to a special group with this ability in order to perform these types of operations.
Who can increase scheduling priority
Why do this?
This offers the users or groups on this list the ability to change the priority of a running process. A process with a high priority will be run more often than a process with a lower scheduling priority. This can sometimes be used for maximum system utilization, but it could also be used in a denial of service attack: giving a process a very high priority will use up processor time. Care must be taken to ensure only responsible users have the ability to change the scheduling priority.
What consequences will there be on my system?
A change in scheduling priority will change the operation of the computer. Since processes with higher priority will take more of the CPU, a change in which process has the highest priority will change the way the system is running.
Who can load and unload drivers
Why do this?
A driver is a highly trusted program or set of programs that "drives" how a device interacts with the operating system. A compromised driver is a compromise of the entire system. Consequently, the ability to load and unload drivers should be allowed only to the most trusted users. If any user were able to load a driver, that user could load a piece of malicious code into the operating system which could, for example, open a backdoor to the system.
What consequences will there be on my system?
The users who are entrusted with the ability to load and unload drivers must, of course, do the loading and unloading of the drivers. So, if something changes and a new driver is needed, those users are responsible.
Why do this?
Locking pages in memory forces pages of memory to remain in RAM instead of being paged out to disk. If this right is granted, it is possible to launch a denial of service attack on the machine in which all of the available RAM is consumed, thereby rendering the computer useless until it is restarted. Therefore, no one should have this right.
What consequences will there be on my system?
The default setting does not allow anyone this right, and that is the way it should stay. There will be no effect on the system whatsoever.
Why do this?
Users who can log on as a batch job are able to schedule tasks to be run at a later date. At the time of batch job execution, that person will be logged on as a batch job (as opposed to interactively). No users should be added to the list because the Task Scheduler automatically grants the correct rights without intervention.
What consequences will there be on my system?
Since the Task Scheduler will grant the necessary rights, there will be no effect on the system.
Why do this?
There is little need for a user to have the ability to log on as a service. Some applications do require this right, so a determination needs to be made whether or not that feature should be allowed and whether it's worth the risk. It follows from the principle of least privilege that users should only be given the access that is needed. Logging on as a service is not a necessary function for most computing, especially on a workstation, so it should be allowed only to NETWORK SERVICE.
What consequences will there be on my system?
Should there be a situation where a user or application needs the ability to log on as a service, that ability will be cut off. Generally, there will be no effect on the system.
Why do this?
The users who can log in locally are those who need physical, console access to the computer. This tends to be most computer users. There are, however, a number of users who should not be allowed to log in, including guests and support accounts. The main advantage of creating a list of users who are able to log in is that they need to be specified in the list before they can be allowed to log in; these rights need to be explicitly set before the person can log in. This adds a little protection against arbitrary user additions.
What consequences will there be on my system?
If a user is added, that user needs to be added to the list of users who are able to log in locally. This can be done through group membership or by simply adding that user individually. If that user is not added to the list, he or she will not be able to log in.
Who can manage audit and security logs
Why do this?
Any user who can manage the logs also has the ability to clear the logs and specify how the logs should function. It can be extremely hard to discover the avenue of intrusion if the logs have been cleared by the intruder. Logs provide a way for administrators to track activity on the system; if any user can change the way that this is done, or remove all the logs, they serve no purpose. Only trusted users should have this ability.
What consequences will there be on my system?
Any changes in the way that the audits are performed, or deletions of the logs, must be done with administrator privileges. In some cases this simply means logging in as administrator; in other cases it means contacting another person.
Who can modify firmware environment values
Why do this?
This feature controls the ability of a user to change system-wide environment variables that are used by programs to gather information about the system. If users or programs are listed here, they can change these values through various methods. In applications where the system environment variables are used to create a fingerprint of the system, that fingerprint will not give an accurate representation of the system, because things have been changed to give the illusion of another system. Under normal operations, the user should rarely, if ever, need to change environment variables.
What consequences will there be on my system?
If some user needs the ability to change the environment variables, this user will have to be granted specific privileges. As noted above, most users have no need to change these values. Should the need arise, however, it is possible that the access will not have been granted.
Who can perform volume maintenance tasks
Why do this?
Windows comes with a number of utilities that perform maintenance on the drives, including Disk Defragmenter and Disk Cleanup. Obviously these utilities are essential to the health of the operating system, but they also deal with very low-level operations on the drive. Because of this, it is recommended that only trusted users have the ability to run them.
What consequences will there be on my system?
The user(s) entrusted with the ability to perform volume maintenance tasks need to be aware that they are responsible for the health of the system. This might mean the upkeep of many systems, which can be a large responsibility. So, as the security of the system has gone up, the usability has dropped: one of the fundamental trade-offs in computer security.
Who can profile a single process
Why do this?
When a process isn't running quite normally, one of the things a user can do is profile the process to diagnose the problem. These profiles contain information about the performance of the process. Unfortunately, they can also contain sensitive information that could be used against the system. For this reason, only trusted users should be allowed to access this information. The goal is to make an attacker's job harder by keeping as much information from them as possible.
What consequences will there be on my system?
If your system runs software that needs to be profiled quite often, it is possible that more users will need to be added to this list. Specifically, software developers need a way to use software metrics in their programs to test the performance and security of their programs. However, in a secure environment, only the administrators should have this privilege. Normal users will see no effect other than losing access to these profiles.
Who can profile system performance
Why do this?
This is much the same as above, except that it deals with the running of system processes. This can be even more vulnerable than user processes, because it is the system processes that deal with much of the security. As stated above, the goal is to keep as much information as possible from attackers.
What consequences will there be on my system?
The effects are the same as above: only those people who need to view software metrics and diagnostics will be affected by their access being cut off. If, however, they are legitimate administrators, they will be unaffected.
Who can remove computer from docking station
Why do this?
Only notebooks that have docking stations will be affected by this setting. It is simply a restriction on the software aspect of undocking a notebook computer. Some users may undock the computer improperly, which may cause some system instability. However, not giving users the right to properly undock the computer will probably result in the user physically undocking the computer without having dissociated the docking station from their operating system software.
What consequences will there be on my system?
There will not be any change, because desktop computers do not have docking stations and notebook computers will allow all users this right.
Who can replace a process level token
Why do this?
This could allow a user to change the token associated with a process so that different permissions are assigned. Obviously this is a huge circumvention of privilege. This should only be accessible to the system, not to users; there is no need for users to have this privilege.
What consequences will there be on my system?
There will be no effect on the system because it is a privilege that only the system should have. Users will remain unaffected.
Who can restore files and directories
Why do this?
The ability to restore files and directories can be used together with the ability to back up files and directories to compromise the file system. If an attacker gains these rights, they can back up a file and restore it with the permissions that they require. The ability to restore must be entrusted to a responsible user, usually the system administrator.
What consequences will there be on my system?
The restore functions must now be performed by the system administrator, as no other user will have privileges.
Why do this?
The ability to shut down the computer is usually granted to all users of the system, because little can happen to the system when it is shut down; it is difficult to compromise when there is no power running to it. This changes if the computer happens to be a server of some kind: in that case, shutting down the system becomes a denial of service to users trying to connect. For workstations, this is not the case.
What consequences will there be on my system?
Since the ability to shut down the system is usually given to all users, there will be no changes.
Who can synchronize directory service data
Why do this?
This setting is only relevant to domain controllers; it allows a user or group to perform "Active Directory Synchronization", which would allow that user to cause directory corruption on the domain controller. Since we are dealing with workstations, however, no one should be listed.
What consequences will there be on my system?
There will be no effect on workstations.
Who can take ownership of files and other objects
Why do this?
This allows a user to take ownership of files, printers, network connections, etc. on the computer. Since owners are granted a large amount of permissions, the user can then modify the object or file. This is dangerous in that users are granted a large amount of privilege: they can bypass all security permissions on that object.
What consequences will there be on my system?
There will be no change to the system because all files and objects will remain owned by the proper authorities. The only effect will be enhanced security.
Why do this?
This setting controls the administrator's account. If enabled, the Administrator account is active; otherwise, it is not. One security technique is to give another account administrative privileges and disable the Administrator account. This will fool some script kiddies into trying to break into the Administrator account when it has effectively been disabled. The Administrator account will always be enabled in Safe Mode regardless of the setting here. Since administrators often need to perform maintenance on the system, it should probably be enabled.
What consequences will there be on my system?
The administrator will be able to log in to the system.
Why do this?
The Guest account gives anonymous users a chance to use the computer's resources. It is a much more secure policy to have all users of the system log in through an account; this way they can be tracked more effectively. The Guest account should be disabled on every machine. Not only will this keep anonymous users from the console, but guests will not be able to log in from the network either. Make sure to give the Guest account a long password before disabling it.
What consequences will there be on my system?
The Guest account will be disabled, and all users will have to be given accounts to log in.
Blank Passwords at Console Only
Why do this?
This setting determines whether a user who has a blank password will be able to log in through the network. Blank passwords should not be allowed on either the console or the network. Since this is still an option, even with blank passwords turned off, it is smarter to enable it than to leave it disabled. This provides a little added insurance that if someone should manage to create a blank password, it won't be exploited from the network.
What consequences will there be on my system?
If any accounts were logging in using a blank password, they will no longer be able to. This is valid for all accounts, even for terminal services, etc.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\limitblankpassworduse = 1
Rename the Administrator Account
Why do this?
The biggest advantage to renaming the Administrator account is confusing the script kiddies. Script kiddies, by definition, are not very intelligent and don't have a good understanding of how computers work. What they will try to do is attack the Administrator account. Since it will not be found, they won't know how to proceed. It makes the job of breaking into the account much more difficult, since now they have to determine which account is the administrator.
What consequences will there be on my system?
As far as the system is concerned, there is no longer an account named Administrator. This means that all attempts to log in as Administrator will fail. This is true of console as well as network logins. The administrator will have to log in under the new name.
Why do this?
For the same reason described above. Many attackers will target the Guest account because it is often given privileges that it shouldn't have. The attacker won't be able to find an account named Guest, so he or she must now locate the account. Once the account is found, they will find that it is disabled. It is an added defense-in-depth strategy.
What consequences will there be on my system?
It will have no effect on your system because the Guest account is disabled.
Audit access of global system objects
Why do this?
When this option is enabled, there will be a large number of log entries, because every access to a global system object will be logged. This includes things like semaphores, mutexes, events, etc. Can you imagine how many entries there would be if every such access were logged? Save yourself the trouble and only use this option when absolutely necessary.
What consequences will there be on my system?
Having this option disabled will have no effect on your system because these accesses will not be logged.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\auditbaseobjects = 0
Audit the use of backup and restore privilege
Why do this?
This option is similar to the audit policy "Audit Privilege Use". The Audit Privilege Use option doesn't do full privilege auditing; for example, it does not cover the backup and restore privileges. To use this option, Audit Privilege Use must be enabled. The result is the same as with the option above: the audit logs will fill very quickly with all of the events that are generated. Only use this option when absolutely necessary.
What consequences will there be on my system?
Having this option disabled will not affect your system. Having it enabled will result in a large increase in the number of events that are logged.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\fullprivilegeauditing = 0
Shutdown computer if error in audit logs
Why do this?
This option will shut down the computer when the audit logs receive an error. This could be due to an error logging an event for some reason, or it could be because the logs are full. When the computer receives such an error, the computer will be shut down. The administrator must then fix the error before normal operations can continue. This could be enabled on one-person systems, but on systems with multiple users it is probably not a good idea.
What consequences will there be on my system?
With this option disabled, if there is some problem with the audit logs, the problem will persist until fixed. Shutting down the computer is a security mechanism in which the computer stops all normal operation until the problem is fixed. With the option disabled, normal operations continue until the problem is fixed, which can be a minor security problem.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\crashonauditfail = 0
Why do this?
According to Microsoft: "This policy setting determines which users or groups might access DCOM application[s] remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications". When no descriptor is defined, the users and groups are given explicit Allow or Deny privileges on both local and remote access. This will help improve the security of the system.
What consequences will there be on my system?
There will be no adverse consequences on the system.
Why do this?
According to Microsoft: "This policy setting determines which users or groups might launch or activate DCOM application[s] remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications". When no descriptor is defined, the users and groups are given explicit Allow or Deny privileges on both local and remote launch and activation. This will help improve the security of the system.
What consequences will there be on my system?
There will be no adverse consequences on the system.
Allow undock without logging in
Why do this?
This option prevents the system from being undocked gracefully without logging in. Users must log in to the computer and undock the station before removing it; to do this, they must also be granted that right under User Rights Assignment. Obviously this key only matters for notebook computers that have a docking station; there will be no change on desktop machines and on notebooks that never dock. This option has no control over whether or not the computer can be physically removed from the docking station. Anyone can always remove the computer from the station without shutting down the running services.
What consequences will there be on my system?
There will be no effect on desktop machines and notebooks that do not dock. Docking notebooks, however, will no longer be able to be undocked without logging in: users will need to log in to the computer before starting the software undock process. Again, the computer can always be yanked from the docking station.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows> CurrentVersion> Policies> System> undockwithoutlogon = 0
Who is allowed to format and eject removable media
Why do this?
This is a listing of who is allowed to format and eject NTFS disks. Since formatting will remove all data from the disk and ejecting media will result in a denial of service for those who need it, it is best to give only administrators this privilege, which is the default.
What consequences will there be on my system?
Only administrators will have the privilege necessary to format and eject removable NTFS media.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows NT> CurrentVersion> WinLogon> AllocateDASD = 0
Prevention of users installing printer drivers
Why do this?
The installation of printer drivers is something that needs to be trusted because drivers act at a very low level. If any user could install printer drivers, they could install very low-level programs that could corrupt the computer. Since the installation of printers does not happen very often, it is a much better and more secure idea to have the administrator install the necessary drivers. This setting only deals with installing network printer drivers, not local printers.
What consequences will there be on my system?
An administrator will have to install the printer drivers.
HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Control> Print> Providers> LanMan Print Services> Servers> addprinterdetails = 1
Restrict the CD-ROM to locally logged in users
Why do this?
In Windows, any process can access the CD-ROM. If there are two users, one logged in at the console (locally) and the other logged in over the network, the network user will not be able to access the CD-ROM. This helps prevent a race condition when two people try to access the same media at the same time. If only the network user is logged in and no one is logged in locally, the network user can then use the CD-ROM.
What consequences will there be on my system?
By enabling this option, you protect your CD-ROM drive from being accessed by two people at the same time. This does, however, create a denial of service for the user on the network. If the locally logged-in user is not using the CD-ROM and the network user wants to, he or she will not be able to, simply because there is a user logged in at the console.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows NT> CurrentVersion> WinLogon> AllocateCDROMs = 1
Restrict the floppy to locally logged in users
Why do this?
The situation is the same as above: this setting determines whether or not a local user and a remote user can access the floppy disk at the same time. It is generally a good idea to allow only one user at a time to access a resource like a floppy drive. Unfortunately, the only way to do this is to restrict access to the local user whenever two people are logged on at the same time.
What consequences will there be on my system?
The floppy drive will no longer be accessible from the network if there is a user logged on at the console. If there is not, then the network user does have access.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows NT> CurrentVersion> WinLogon> allocatefloppies = 1
Why do this?
When a new hardware device is going to be used with the computer, there needs to be a way to communicate with that device. This is done through a driver, which is the interface between the device and the operating system. As a result, the driver must exist at a very low level, and a program with such low-level access is entrusted with a lot of privilege. This is where a security exploit can be created: if an attacker could manage to insert a bad driver, he or she could accomplish quite a bit. Consequently, Windows checks whether a driver is digitally signed with a certificate before it is installed. Unfortunately, to be signed, Microsoft must trust the driver, and inspections sometimes drag on long after the driver is released. This means that not all legitimate drivers are signed. If only signed drivers are allowed, there will be a great reduction in usability of just about every hardware device, so in the tradeoff between usability and security, security has to suffer a bit. Remember that even with the setting "Do not allow installation" selected, someone could install the driver manually.
What consequences will there be on my system?
When a driver that is not digitally signed is installed on the system, the system will alert you to the problem. You will have the option of continuing or stopping the operation. Care should be taken to make sure that all drivers are from the legitimate source (out of the original hardware box). Otherwise it could result in a security hole in your system.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Driver Signing> Policy = 1
Encrypt or sign secure channel data (always)
Why do this?
If the computer is at some time connected to a domain, this setting makes certain that all communication that is done between the two is secure. It does this by forcing encryption or signing the data that is sent through the channel. Because some of the communication that is done through the channel has to do with the security settings of the domain, it is a wise idea to make sure that the data is secure.
What consequences will there be on my system?
The communication between your system and the domain controller is made more secure by this setting. It does require that the domain controller be running at least Windows 2000 or Windows NT 4.0 with Service Pack 4 installed; otherwise the channel will not be established.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Services> Netlogon> Parameters> requiresignorseal = 1
Encrypt secure channel data (when possible)
Why do this?
If the domain controller that the computer is connected to will support encrypted traffic, it is used. Obviously this adds to security because an attacker would have to intercept the traffic and then would have to decrypt it. This should be used whenever possible.
What consequences will there be on my system?
There will be no effect on your system. Traffic will be more secure to and from the domain controller, if one is ever connected.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Services> Netlogon> Parameters> sealsecurechannel = 1
Sign secure channel data (when possible)
Why do this?
If the domain controller that the computer is connected to supports signed traffic, signing will be used. This helps the domain controller verify that the message has not been tampered with in transit. This should be used whenever possible.
What consequences will there be on my system?
There will be no effect on the system. This setting only matters if the computer is connected to a domain controller.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Services> Netlogon> Parameters> signsecurechannel = 1
Display last username logged in
Why do this?
When an attacker is trying to break into a system, he or she first must find a way in. One of the most common ways to do this is to find a username and password. If the last username is displayed, half of the attacker's work is done; all that is left is to find the password for that username. Since all users should know their username and password, it is trivial to have them enter both at login instead of just the password.
What consequences will there be on my system?
Users will be required to type in both their username and password at login. This is not the case when the computer is locked: when the computer is locked, the username will still appear in the appropriate box.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows> CurrentVersion> Policies> System> dontdisplaylastusername = 1
Don't require ctrl + alt + delete to logon
Why do this?
When this key is disabled, the user will have to press the key sequence ctrl + alt + delete to log on to the system; if enabled, they will not have to. This key combination establishes a trusted path to the operating system, which provides some security, so leaving it enabled is a security risk. Since it is extremely easy to do, it should be disabled.
What consequences will there be on my system?
When users want to log on to the system, they will be required to press the key combination ctrl + alt + delete to get to the login screen.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows> CurrentVersion> Policies> System> disablecad = 0
Number of logons to cache locally
Why do this?
This setting sets the number of logons that are cached on the local machine for use when the domain controller becomes unavailable for some reason. Because we are dealing with an environment where the domain controller is nonexistent, this setting really should be zero: there should not be any record of the users' logon credentials kept on the system.
What consequences will there be on my system?
If the computer becomes a member of a domain, the domain controller will have to be available to the domain or users will not be able to login.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows NT> CurrentVersion> Winlogon> cachedlogonscount = 0
Number of days before password expiration to prompt user
Why do this?
This is the number of days before a user's password expires that they are given a warning. Usually it is smarter to give the user a little time to come up with a new password before making them change it; it is often harder to think of a password on the spur of the moment. This doesn't change the password requirements, only the notification that it is going to expire.
What consequences will there be on my system?
Two weeks prior to password expiration, the user will be notified that their password is going to expire.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows NT> CurrentVersion> Winlogon> passwordexpirewarning = 14
Domain Controller required to unlock workstation
Why do this?
This setting requires authentication with the domain controller before a workstation is unlocked; otherwise a cached authentication can be used instead. However, since BTNSP assumes a domain environment is not being used, this option should not be enabled. In fact, enabling the option could result in a computer that cannot be unlocked.
What consequences will there be on my system?
There will be no consequences if this option is left disabled.
Why do this?
A smart card provides a different kind of authentication over passwords. It means that a special card must be used to authenticate the user. If such a device is available, it should be used but without it this option could lock out all users.
What consequences will there be on my system?
There will be no consequences if this option is left disabled.
Why do this?
When a user who logged in with a smart card removes the card, an action is performed. The least secure choice is to do nothing, but that means the smart card can be removed from one computer, used in another, and replaced without any action being taken. This is very insecure and defeats the purpose of smart cards. The appropriate action is to log the user off: no smart card, no access.
What consequences will there be on my system?
If smart cards are used, they must be available to the system at all times of computer access or the user will be logged off.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows NT> CurrentVersion> Winlogon> scremoveoption = 1
Client - Digitally sign communication (always)
Why do this?
This option forces clients to sign their communication when using the SMB protocol. Using signatures stops man-in-the-middle attacks between the client and the server. Even if SMB communication is not used (and it shouldn't be), this option should be enabled.
What consequences will there be on my system?
Because the system will be authenticating every packet that is transferred, there will be a performance hit.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM > CurrentControlSet> Services> LanmanWorkstation> Parameters> requiresecuritysignature = 1
Client - Digitally sign communication (If server agrees)
Why do this?
This is much like the setting above except it isn't forced. The client will sign SMB communications only if the server is enabled or forced to do so. This is a weaker version, but should be enabled.
What consequences will there be on my system?
There will be no effect on your system except added security.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM > CurrentControlSet> Services> LanmanWorkstation> Parameters> enablesecuritysignature = 1
Send unencrypted passwords to 3rd party SMB servers
Why do this?
If this is enabled, your computer will send unencrypted passwords over SMB to other computers. The idea was to be able to authenticate with computers that did not support password encryption. However, if the computer does not support this, you should not be connecting to it. Never send passwords in plaintext form over any network, ever.
What consequences will there be on my system?
Your computer will not be able to login to SMB servers that do not support password encryption authentication.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM > CurrentControlSet> Services> LanmanWorkstation> Parameters> enableplaintextpassword = 0
Amount of time before session is suspended
Why do this?
This controls the amount of time of inactivity that must pass before an SMB connection is disconnected. There is an interesting balance here because leaving an unattended SMB connection for a long period of time can lead to an exploit on both machines. However, reducing the time before the session expires will require credentials to be sent more often to reestablish the connection. In a secure environment, the legitimacy of the use of SMB should be considered. There may be a more secure method, such as SSH. Another consideration is how SMB is being used. This can often affect the idle time in transactions.
What consequences will there be on my system?
Any SMB session that is created between computers will be disconnected if left idle for this amount of time. The session must then be reestablished.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM > CurrentControlSet> Services> lanmanserver> parameters> autodisconnect = 15
Server - Digitally Sign Communications (always)
Why do this?
If the workstation that is being configured is going to be used as a server later on, this setting will help to ensure security. It determines whether or not communications that take place should be digitally signed. This setting is only valid when the computer is acting as the server. It is generally a good idea to have communication signed so it can be determined if the information had been tampered with through transit.
What consequences will there be on my system?
If the workstation becomes a server later on in its life, it will digitally sign all SMB packets. The consequence is that if the client receiving the signed packets can't read them, communication cannot take place.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM > CurrentControlSet> Services> lanmanserver> parameters> requiresecuritysignature = 1
Server - Digitally Sign Communication (if client agrees)
Why do this?
This will only digitally sign SMB packets to the client if the client agrees. While this might ensure more functionality with older clients, it does sacrifice security; it is more secure to always sign SMB packets. This option should be enabled, however, because it makes sense to sign communication if the client agrees. It just makes security sense to sign the packets even if the client doesn't agree, too! The client will need to be upgraded.
What consequences will there be on my system?
This will have no effect on your system because the issue addressed above will apply to clients that can't handle the signatures. In this setting, the client tells the server that it can handle the signatures, so use them.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM > CurrentControlSet> Services> lanmanserver> parameters> enablesecuritysignature = 1
Disconnect client when logon hours expire
Why do this?
This is another setting that is only valid when the computer is acting as a server and has clients logged on. Users can be assigned hours in which they are allowed to be logged on. If the user goes outside this time, the server will disconnect the session. This is consistent with policies that only allow certain users to be logged on to the computer at certain times. Because you can never be sure of the client's policies (even different departments can have different policies), it is best to enable this option.
What consequences will there be on my system?
This should not have an effect on your system because the policy for the user to log off is set by the client. When a user has remained logged in past the time that they are allowed, they will be kicked off the server.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM > CurrentControlSet> Services> lanmanserver> parameters> enableforcedlogoff = 1
Allow Anonymous SID/Name translation
Why do this?
This allows users to find out the SID for another user given their username. It also permits the opposite, looking up a username given a SID. The reason for not allowing this is simple: there is very little reason that a user would need to look up another user's SID and vice versa, and attackers could use this information to find usernames.
What consequences will there be on my system?
If there is a legitimate purpose for looking up this information about a different user, it will not be allowed. The user would have to request this information through the administrator, which is more secure.
Do not allow anonymous enumeration of SAM accounts
Why do this?
This stops users who log in anonymously from enumerating the SAM file to see the accounts therein. If it is disabled, an attacker can see all the usernames and other user information that should not be given out. Make sure that this is enabled or there is a tremendous security risk. This is one of the most common ways that attackers have exploited Windows systems, so it is very well known.
What consequences will there be on my system?
Your system will be much more secure but there will be no consequences to performance and functionality.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM > CurrentControlSet> Control> Lsa> RestrictAnonymousSAM = 1
Disable anonymous enumeration of SAM accounts and shares
Why do this?
This follows the above setting. It allows or disables the ability of an anonymous user to view information about what shares are available on a computer as well as information about the accounts in the SAM file. When this setting is disabled, the anonymous user will be able to enumerate information on the shares that are on the computer. When enabled, the anonymous user will not be able to. The anonymous user should not be able to get any information about the system so it should be enabled.
What consequences will there be on my system?
If there is any user or service that counts on being able to enumerate SAM accounts or shares, they will no longer have access to this information. This should not be an issue in a secure environment.
Do not allow storage of credentials and .NET passports
Why do this?
If storage is allowed, the computer keeps credentials and passwords for different users on the local machine. These passwords or credentials could then be used to attack other systems, because it is very likely that the stored passwords are used somewhere else as well. It is not a good idea to store more authentication information than is absolutely necessary.
What consequences will there be on my system?
The users will have to give their authentication details every time they login instead of having them stored on the local machine.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM > CurrentControlSet> Control> Lsa> disabledomaincreds = 1
Let Everyone permission apply to anonymous users
Why do this?
This decouples the anonymous user from the Everyone group. With this disabled, anonymous users will only have access to those resources that have been explicitly given to them (which should be nothing). There are some documents that state that this is equivalent to setting the above setting RestrictAnonymous to 2. Since changing RestrictAnonymous to 2 and disabling this can both be done with no adverse effects, they both should be done.
What consequences will there be on my system?
If anonymous users currently use your computer under permissions granted to them by the Everyone group, they will no longer have this access. It is never a good idea for this to be a policy. Anonymous users should not be allowed.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM > CurrentControlSet> Control> Lsa> everyoneincludesanonymous = 0
Named pipes that can be accessed automatically
Why do this?
Pipes facilitate communication between processes and are themselves processes. Some of these pipes are given names that are consistent from system to system. It is here that a list of pipes are accessible anonymously. This setting should follow the needs for that particular box. There are some pipes that are necessary and some that probably are not. Setting this requires some trial and error, I'm afraid.
What consequences will there be on my system?
This may shut down some obscure service on your machine, so care must be taken to find which pipes are necessary. If they are necessary, discover why and what effect this will have on security.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM > CurrentControlSet> Services> lanmanserver> parameters> nullsessionpipes
Remotely accessible registry paths
Why do this?
The registry is the heart and soul of the Windows operating system. Virtually everything that needs some sort of setting (which is just about everything) gets it from the registry. Almost everything that we have done to secure a Windows workstation has been dealing with the registry either directly or indirectly. Allowing people to read and modify the registry remotely is not a very good idea. Anytime that something is available from the Internet, it is vulnerable to attack. The registry should only be modifiable from the console.
What consequences will there be on my system?
This may make the administrator's job very difficult if she counts on the ability to change registry settings remotely. Depending on the situation this may need to be changed, but it is not a very good idea to open up that vulnerability.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Control> SecurityPipeServers> Winreg> AllowedPaths> Machine
Why do this?
Windows shares are essentially folders that are shared across the network. Most of the time, the users set up a share to be accessible by only a certain group of people (people with accounts). But it is possible to make a share accessible anonymously. Don't do it. There is very little reason to allow some of the data on your machine to be seen and modified by people you don't know. Remember: anonymous = bad. You always want to know the username of the person who is messing with your stuff.
What consequences will there be on my system?
If there is some service or user out there that is accessing these shares anonymously, they will no longer have access. This may not be such a bad thing. But depending on your environment, it might be. (Of course, then it's not really a secure environment, is it?)
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM > CurrentControlSet> Services> lanmanserver> parameters> nullsessionshares
Sharing and security model for local accounts
Why do this?
There are two options here. The first is to do it the old-fashioned way. This means that all users who logon remotely must use their username and password. The other option is just to let anyone in as a guest. A guest account is the bane of security minds everywhere. By default, in a domain environment, users who wish to use the network to login must do it the old-fashioned way. If the computer is standalone, the guest account path is chosen by default. It is generally not a very good idea to allow anyone access to your shared resources. It should be noted that some services like telnet (don't use it anyway, right?) and Terminal Services are not affected by this setting.
What consequences will there be on my system?
If a user wishes to access any kind of shared resource on the computer, it must be done through logging in with a username and password. Otherwise they will not be let in.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM > CurrentControlSet> Control> Lsa> forceguest = 0
Do not store LAN Manager Password
Password Authentication Level
Why do this?
In older versions of Windows, the user password was stored in a format called the LAN Manager hash. The protocol for this method is extremely weak. Not only is the protocol weak, but the maximum length for a password is 14 characters, so anything longer is truncated. In addition, no "salt" is used to make the hash, which means that two identical passwords are stored as the same hash value. In a stronger algorithm, identical passwords would be saved as completely different values, which makes them much more difficult to crack. Password cracking programs take advantage of this algorithm to find users' passwords; most LAN Manager passwords can be cracked in a matter of days, depending on their complexity. By removing the LAN Manager password, you force the computer to store the password as the much stronger NTLM hash. This algorithm allows longer passwords and does use "salt", so the hashes are much harder to crack. In addition, by setting the LAN Manager authentication level to "Send NTLMv2 response only\refuse LM & NTLM" you ensure that no easy-to-crack passwords are stored on your system.
What consequences will there be on my system?
By removing the LAN Manager password, you remove compatibility with Windows 9x/ME, OS/2, Windows for Workgroups, and Windows NT (prior to service pack 4) machines. These machines only store the LAN Manager password, so by not allowing it these systems will not be able to authenticate with your machine. Since these machines followed a very weak security model, they should not be allowed in a secure network anyway.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Control> Lsa> nolmhash = 1
HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Control> Lsa> lmcompatibilitylevel = 5
Why do this?
This setting controls whether or not a user on a client machine is disconnected from an SMB session when they remain logged on past their valid logon hours. The logic here is simple: why should a user be allowed an SMB session longer than he or she is allowed to be logged in?
What consequences will there be on my system?
If a user is in the middle of an SMB session when their valid login time expires, they will be disconnected.
LDAP client signing requirements
Why do this?
This requirement puts limitations on how the client and server negotiate signing of LDAP communications. The client and the server should negotiate some sort of signing requirement before data exchange takes place. This helps prevent someone from performing a man-in-the-middle attack between the client and the server. If TLS/SSL is being used, this setting is ignored.
What consequences will there be on my system?
There will be no effect on your system. There might be a small (one to two milliseconds) delay in data communication because of the negotiation; in reality the negotiation is done in the literal blink of an eye.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM > CurrentControlSet> Services> LDAP> LDAPclientintegrity=1
Minimum session security for NTLM SSP based clients
Why do this?
This setting controls the minimum security for an application-to-application session between clients. Since the password requirements above already call for NTLMv2, NTLMv2 must be used here as well. There should be no change for NTLM SSP-based clients.
What consequences will there be on my system?
As is the case with NTLMv2 passwords, there are some systems that do not support such strong password encryption. These applications will not be permitted to communicate with applications on NTLMv2 enabled clients.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Control> Lsa> MSV1_0> NTLMMinClientSec=537395200
Minimum session security for NTLM SSP based servers
Why do this?
For the same reasons as above, application-to-application communication between two servers should have the maximum amount of protection from attackers. This means using NTLMv2 and 128-bit encryption.
What consequences will there be on my system?
As is the case with NTLMv2 passwords, there are some systems that do not support such strong password encryption. These applications will not be permitted to communicate with applications on NTLMv2-enabled clients.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Control> Lsa> MSV1_0> NTLMMinServerSec=537395200
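To check a box against the values this checklist gives, and to decode the NTLMMinClientSec/NTLMMinServerSec masks above, here is an added Python example (not code from the original checklist): it parses a regedit export (`regedit /e file.reg HKEY_LOCAL_MACHINE\SYSTEM`, which regedit 5.00 writes as UTF-16), compares a selection of the recommended values, and names the flag bits that make up 537395200. The flag-bit table is assumed from Microsoft's documentation of the "Minimum session security" policy rather than taken from this page, and the export text below is constructed.

```python
"""Audit a regedit .reg export against this checklist's recommended values."""
import re
from typing import Dict, List, Optional, Tuple

# A selection of the registry values recommended in this checklist.
# Windows treats key paths and value names case-insensitively, so the
# audit lower-cases both sides before comparing.
BASELINE: Dict[Tuple[str, str], int] = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "crashonauditfail"): 0,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymousSAM"): 1,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "everyoneincludesanonymous"): 0,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "forceguest"): 0,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "nolmhash"): 1,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "lmcompatibilitylevel"): 5,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0", "NTLMMinClientSec"): 0x20080000,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0", "NTLMMinServerSec"): 0x20080000,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters", "enableplaintextpassword"): 0,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "dontdisplaylastusername"): 1,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "disablecad"): 0,
}

# Requirement bits of NTLMMinClientSec / NTLMMinServerSec (assumed from
# Microsoft's policy documentation; 537395200 == 0x20080000).
NTLM_SEC_FLAGS: Dict[int, str] = {
    0x00000010: "message integrity",
    0x00000020: "message confidentiality",
    0x00080000: "NTLMv2 session security",
    0x20000000: "128-bit encryption",
    0x80000000: "56-bit encryption",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
_STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> Dict[Tuple[str, str], object]:
    """Parse the subset of regedit's export format needed here: [key] headers,
    dword values and plain string values. Other value types are skipped."""
    values: Dict[Tuple[str, str], object] = {}
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1).lower()
            continue
        if current_key is None:
            continue
        dword_match = _DWORD_RE.match(line)
        if dword_match:
            values[(current_key, dword_match.group(1).lower())] = int(dword_match.group(2), 16)
            continue
        string_match = _STRING_RE.match(line)
        if string_match:
            values[(current_key, string_match.group(1).lower())] = string_match.group(2)
    return values


def audit(values: Dict[Tuple[str, str], object],
          baseline: Dict[Tuple[str, str], int] = BASELINE) -> List[Tuple[str, str, int, object]]:
    """Return (key, name, expected, actual) for each baseline entry that is
    missing (actual is None) or differs from the recommended value."""
    findings = []
    for (key, name), expected in baseline.items():
        actual = values.get((key.lower(), name.lower()))
        if actual != expected:
            findings.append((key, name, expected, actual))
    return findings


def decode_ntlm_min_sec(value: int) -> List[str]:
    """Name the requirement bits set in an NTLMMin{Client,Server}Sec value."""
    return [label for bit, label in NTLM_SEC_FLAGS.items() if value & bit]


# Constructed sample export: two values deviate from the checklist and the
# LanmanWorkstation key is absent altogether.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"crashonauditfail"=dword:00000000
"RestrictAnonymousSAM"=dword:00000001
"everyoneincludesanonymous"=dword:00000000
"forceguest"=dword:00000000
"nolmhash"=dword:00000001
"lmcompatibilitylevel"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"NTLMMinClientSec"=dword:20080000
"NTLMMinServerSec"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000001
"disablecad"=dword:00000000
"""


def main() -> None:
    for key, name, expected, actual in audit(parse_reg_export(SAMPLE_EXPORT)):
        state = "missing" if actual is None else f"is {actual!r}"
        print(f"{key}\\{name}: expected {expected!r}, {state}")
    print("NTLMMinClientSec requires:", ", ".join(decode_ntlm_min_sec(537395200)))


if __name__ == "__main__":
    main()
```

To audit a real machine, read the export with `open(path, encoding="utf-16")` and pass its contents to `parse_reg_export`.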
Allow automatic administrative logon under recovery console
Why do this?
The recovery console is a tool that is used to solve system problems. When it is invoked at startup, this setting determines whether or not the administrator is logged in automatically. Since this command-line tool is usually only used by administrators to solve problems, there is a tendency to allow the automatic login. This is not a very good idea, in that it gives an attacker administrative access simply by invoking the recovery console. From there the attacker could add new users, or do anything else he or she wanted.
What consequences will there be on my system?
When the administrator wishes to log on to the Recovery Console, she must do so by providing the Administrator password. There will be no automatic logons.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows NT> CurrentVersion> Setup> RecoveryConsole> SecurityLevel = 0
Allow floppy copy and access to all drives and folders under recovery console
Why do this?
With this setting enabled, a user who logs on to the Recovery Console can use its SET command to turn on environment variables that permit wildcards, access to all drives and folders (not just the system directory) and copying files to removable media. Someone with physical access and the Administrator password would then have unrestricted file access outside the normal security checks, which is more than routine repairs require. Leave it disabled.
What consequences will there be on my system?
Users who log on to the Recovery Console will be confined to its default scope: the root of each drive, the Windows system folder and removable media such as the CD-ROM, with no copying of files to a floppy disk.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows NT> CurrentVersion> Setup> RecoveryConsole> SetCommand = 0
Allow system shutdown without logging in
Why do this?
When this setting is enabled, anyone at the console can shut the system down without logging on. Disabling it means the system can only be shut down by users who can at least log on locally. The trade-off is that someone without an account may simply pull the plug, which risks data loss and file-system corruption that an orderly shutdown would avoid. If that is a greater concern in your environment than an unauthenticated shutdown, it may be safer to leave the shutdown button available.
What consequences will there be on my system?
The system must be shut down by logging on and choosing Shut Down from the Start menu; the "Shut Down..." button on the logon screen will no longer be available.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows> CurrentVersion> Policies> System> shutdownwithoutlogon=0
Clear virtual memory pagefile at shutdown
Why do this?
During normal operation, Windows pages memory out to the pagefile. This improves performance but has a security cost: fragments of system state, application data and potentially even cleartext passwords end up in the pagefile, and they remain on disk after the machine is powered off, where anyone who boots the disk under another operating system can read them. This setting overwrites the pagefile with zeros when the computer is shut down.
What consequences will there be on my system?
This increases shutdown time substantially, roughly in proportion to the size of the pagefile. As an example, it added nearly 45 seconds to the shutdown time on my (slow) notebook.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> System> CurrentControlSet> Control> Session Manager> Memory Management> clearpagefileatshutdown=1
Use FIPS compliant algorithms for encrypting, hashing and signing
Why do this?
The US Government's FIPS 140 standards specify which cryptographic algorithms are approved for protecting sensitive data, and implementations that meet them are called FIPS compliant. With this setting enabled, the TLS/SSL provider (Schannel) will negotiate only TLS with the cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA, that is, RSA for key exchange and authentication, 3DES for encryption and SHA-1 for integrity, and the Encrypting File System will encrypt files with 3DES instead of the default DESX. These are probably not the strongest algorithms in the world, but it is a good idea to enforce a minimum standard for the algorithms used to encrypt, hash and sign sensitive data.
What consequences will there be on my system?
When enabled, Windows refuses the weaker algorithms. Unfortunately this affects Internet Explorer's ability to reach secure (HTTPS) sites: SSL 2.0 and SSL 3.0 are no longer accepted, so only servers that support TLS 1.0 with the 3DES cipher suite will work. In the "Internet Options" control panel, on the Advanced tab, scroll down to the Security section and make sure "Use TLS 1.0" is checked; this fixes most sites, but I have not been able to reach all of them with this setting. Netscape, which uses its own cryptographic library rather than Schannel, has no problem viewing HTTPS sites.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Control> Lsa> FIPSAlgorithmPolicy = 1
Default owner for objects created by members of the Administrators group
Why do this?
This setting determines who is recorded as the owner of objects created by members of the Administrators group: the Administrators group itself or the individual creator. The suggested setting is the Administrators group, because the other choice has a weakness: a member of Administrators who creates an object and is later removed from the group keeps ownership of it, and with ownership the right to change its permissions. Assigning ownership to the group removes that risk. The trade-off is accountability: the owner field will no longer tell you which administrator created an object.
What consequences will there be on my system?
Objects created by any member of the Administrators group will be owned by the group rather than by the individual user.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> System> CurrentControlSet> Control> Lsa> NoDefaultAdminOwner = 0
Require case insensitivity for non-Windows subsystems
Why do this?
When this is enabled, case insensitivity is enforced for all directory objects, symbolic links and I/O objects, including requests from non-Windows subsystems such as POSIX, which are case-sensitive by nature. Without it, a user of such a subsystem can create an object whose name differs from an existing Win32 object's only in case, which can be used to shadow the original or block access to it from ordinary Windows tools. The benefit on a workstation is modest, but enabling it costs nothing.
What consequences will there be on my system?
Enabling it has no effect on ordinary Windows applications, which are already case-insensitive. Disabling it affects only applications that rely on case-sensitive object names through the POSIX subsystem, which would then have to refer to objects with exactly the right upper- and lower-case characters.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> System> CurrentControlSet> Control> Session Manager> Kernel> ObCaseInsensitive = 1
Strengthen default permissions of internal system objects
Why do this?
This strengthens the default access control list on objects that are shared system-wide, such as the DOS device names, mutexes and semaphores in the global object namespace. When enabled, non-administrative users can still read shared objects they did not create but can no longer modify them.
What consequences will there be on my system?
There should be very little effect, but some applications that expect to modify shared system objects created by another user may need their permissions adjusted.
These settings can also be achieved through the registry settings:
HKEY_LOCAL_MACHINE> SYSTEM> CurrentControlSet> Control> Session Manager> protectionmode = 1
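The registry values listed for the items above can be checked in bulk rather than one dialog at a time. The Python script below is an added example, not part of the original checklist: it parses a text export produced by regedit (File > Export) or reg export and reports every value that is absent or differs from the expected setting. The baseline is built from the registry paths given above (537395200 is written as its hex equivalent 0x20080000, the NTLMv2-session-security and 128-bit flags); the export embedded at the bottom is constructed sample data with two deliberate deviations and one value never set.

```python
"""Audit a regedit / reg export text dump against the checklist's registry baseline."""
import re

# Expected DWORD values for the items above (paths as given in the checklist).
# 0x20080000 == 537395200: "Require NTLMv2 session security" + "Require 128-bit".
BASELINE = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0",
     "NTLMMinClientSec"): 0x20080000,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0",
     "NTLMMinServerSec"): 0x20080000,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole",
     "SecurityLevel"): 0,          # no automatic Administrator logon
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole",
     "SetCommand"): 0,             # no SET command / all-drive access
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "shutdownwithoutlogon"): 0,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management",
     "ClearPageFileAtShutdown"): 1,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "FIPSAlgorithmPolicy"): 1,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "NoDefaultAdminOwner"): 0,    # 0 = Administrators group owns new objects
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",
     "ObCaseInsensitive"): 1,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager",
     "ProtectionMode"): 1,
}

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg_export(text):
    """Return {(key, value_name): (type, value)} with key and name lower-cased.

    Registry names are case-insensitive, so comparisons are done in lower case.
    DWORDs are decoded to int; any other type keeps its raw right-hand side so
    a wrong type is reported as a mismatch rather than silently passing.
    """
    values = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            # "[-HKEY_...]" is a deletion marker: nothing under it is a value.
            current_key = None if m.group(1) else m.group(2).lower()
            continue
        m = _VALUE_RE.match(line)
        if m and current_key is not None:
            name, rhs = m.group(1).lower(), m.group(2).strip()
            if rhs.lower().startswith("dword:"):
                values[(current_key, name)] = ("dword", int(rhs[6:], 16))
            else:
                values[(current_key, name)] = ("other", rhs)
    return values


def audit(reg_text, baseline=BASELINE):
    """Return [(key, name, expected, actual)] for every baseline entry that is
    missing or wrong. actual is None when the value is absent, which for these
    settings means the (weaker) Windows default is in force."""
    found = parse_reg_export(reg_text)
    findings = []
    for (key, name), expected in baseline.items():
        entry = found.get((key.lower(), name.lower()))
        if entry is None:
            findings.append((key, name, expected, None))
        elif entry != ("dword", expected):
            findings.append((key, name, expected, entry[1]))
    return findings


# Constructed sample export: client NTLM floor left at default, Recovery
# Console auto-logon still on, FIPS policy never set; everything else compliant.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoDefaultAdminOwner"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"NtlmMinClientSec"=dword:00000000
"NtlmMinServerSec"=dword:20080000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole]
"SecurityLevel"=dword:00000001
"SetCommand"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"shutdownwithoutlogon"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"ProtectionMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel]
"ObCaseInsensitive"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001
"""

if __name__ == "__main__":
    for key, name, expected, actual in audit(SAMPLE_EXPORT):
        state = "missing" if actual is None else "is %s" % actual
        print("%s\\%s: expected %s, %s" % (key, name, expected, state))
```

On a real machine, export the keys with reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg (and likewise for the other paths), concatenate the files and pass their text to audit(). A missing value is reported separately from a wrong one because for every setting above "absent" means the less secure Windows default applies.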
Disable memory dump files, Dr. Watson and hibernation
Why do this?
Although it is becoming less common, system crashes still occur, and when they do Windows writes a copy of memory to disk (a memory dump) for later investigation. When was the last time you looked at one of these files to diagnose a problem? They contain large amounts of information about the system state, all of it unencrypted. Dr. Watson does the same for application crashes: its log and user-mode dump record the contents of the crashing process. The effect is the same in both cases: data that should be kept protected is left on disk for an attacker to read. Hibernation is worse still, because hiberfil.sys holds the entire contents of memory so that the system can be restored later, and anyone who can read the disk can recover whatever was in memory at the time, passwords and keys included.
What consequences will there be on my system?
If you are one of the few people who do look at these files, they will no longer be available. If a problem persists, turn dump files on only for as long as it takes to diagnose it, turn them off again when you are done, and dispose of the dumps securely: delete them, then run cipher.exe /w on the volume to overwrite the free space they occupied.
Strengthen Permissions on Registry Keys
Why do this?
Each registry key carries its own permissions controlling who can read or modify the information it holds. In a default installation of Windows XP Professional some keys have permissions that expose them to attack. The "Run" key (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) is one: by default Power Users may modify it. Programs listed under this key are launched at every logon, in the context of whichever user logs on, which is why viruses have long used it to persist. An attacker with Power User rights, or malware running as a Power User, adds an entry pointing at his program, and the next time an administrator logs on it runs with administrative privilege.
What consequences will there be on my system?
The Power Users' permissions on the key are reduced to those of ordinary Users: they will be able to read the entries but no longer add or modify keys and values.
Remove the POSIX subsystem
Why do this?
Some attackers of Windows machines come from the Unix world, and Windows ships a POSIX subsystem, a set of Unix-style command-line programs and libraries kept only for legacy compatibility, that gives such an attacker familiar tools to work with on your system. Since POSIX exists only for legacy compatibility, the subsystem can be removed safely to reduce the attack surface.
What consequences will there be on my system?
Only if users on your system need POSIX compliance for legacy applications will removal affect them. Since these are legacy applications anyway, it may be worth finding a current replacement and upgrading the security along with it.
Safe DLL search order
Why do this?
In versions of Windows XP before Service Pack 1, the default DLL search order is the application's directory, the current directory, the system directories and finally the directories on the PATH. This gives an attacker the opportunity to plant a DLL carrying the name of a system DLL in a directory the user is going to work in: the application loads the trojaned copy from the current directory before it ever looks in the system directories. SP1 changed the default order (the SafeDllSearchMode setting) so that the system directories are searched before the current directory, which removes the risk from DLLs planted in the current directory, though not from DLLs planted in the application's own directory.
What consequences will there be on my system?
When an application requests a DLL by name alone, Windows will look in the system directories before the current directory. If a DLL in the current directory shares a name with one in a system directory, the system copy is the one loaded; an application that relied on a same-named DLL in the current directory (rather than in its own directory) will get the system copy instead.
Disable administrative shares
Why do this?
Windows creates a number of hidden administrative shares (C$, D$, ADMIN$ and so on) for remote administration across a domain. Since we are assuming this workstation is not joined to a domain, these shares only give an attacker with network access and a valid account another way in. They can be removed with net share for as long as the computer stays up, but they are recreated at every restart; disabling them permanently requires the registry change in the checklist step. Note that this does not disable the IPC$ share, which attackers use to enumerate the user accounts and shares on the machine. That is why the Guest account and anonymous (null-session) access must be disabled as well.
What consequences will there be on my system?
The hidden administrative shares that are otherwise always present on Windows machines will be gone. If the computer is ever joined to a domain, the registry value may need to be removed so that domain administrators regain remote administrative access. While the machine is a standalone or workgroup workstation there is no need for them.
Disable AutoRun on CD-ROM drives
Why do this?
For a long time Windows has, when a CD is first inserted, automatically started the program named in the disc's autorun.inf. This is dangerous if that program plants a virus of some kind on your computer. The virus could be a backdoor that opens your computer to attacks from the Internet; the possibilities are literally endless. The best solution is to stop the computer from running anything off a CD before you have had a chance to check it for viruses.
What consequences will there be on my computer?
You will have to start the CD's program yourself, by double-clicking the drive icon in My Computer. It may become a nuisance, but it is much safer.
Disable saving of RAS and VPN passwords
Why do this?
When a user connects to a RAS-related network, which includes dial-up and VPN connections, they are offered the option to save the password for later use. If they accept, the password is stored on the machine in a recoverable form and can be extracted with readily available tools. When RAS password storing is disabled, the option is not offered and the password must be entered every time.
What consequences will there be on my system?
Every time a user connects to a RAS-related network, they must provide the password; there will be no option to store it.
Protect against Path MTU Attacks
Why do this?
The MTU is the maximum transmission unit, the largest packet a network link will carry. Different links have different MTUs, so packets may have to be fragmented on the way from point A to point B. Fragmenting and reassembling packets costs CPU and memory at both ends, in proportion to how many fragments are produced. Windows uses Path MTU Discovery to find the largest size that will cross a given path without fragmentation, relying on ICMP "fragmentation needed" messages from the routers along the way. This "feature" has an unfortunate weakness: those ICMP messages are not authenticated, so an attacker can forge them and drive the MTU the machine uses for a destination down to 68 bytes, the absolute minimum. Every packet the host then sends to that destination is chopped into a stream of tiny fragments, throughput collapses and the host and the network burn resources handling them: a denial of service. This setting prevents the attack by turning Path MTU Discovery off.
What consequences will there be on my system?
With this setting in place, the host no longer adjusts the MTU dynamically and uses 576 bytes for all non-local destinations. This can cause problems on some networks (at the very least it wastes bandwidth on paths that could carry larger packets), so test it thoroughly before deploying it to every machine on the network.
Enable SYN attack protection
Why do this?
A TCP connection begins with a three-way handshake: the initiating computer sends a packet with the SYN flag set, the responder replies with a packet with the SYN and ACK flags set, and the initiator completes the handshake with an ACK of its own. When the server receives the initial SYN it allocates resources to hold the state of the half-open connection. Attackers take advantage of this by sending many SYNs, usually from forged source addresses, and never answering the SYN/ACK. If enough of them arrive, the table of half-open connections fills up and the victim's services become unavailable to legitimate clients. This is a Denial of Service (DoS), in this case a SYN flood. This setting enables Windows' SYN flood protection, which, once the half-open thresholds described below are crossed, cuts the number of SYN/ACK retransmissions and postpones allocating resources until the handshake completes.
What consequences will there be on my system?
This setting can cause problems on high-latency networks where the full number of SYN/ACK retries is needed for connections to succeed; in that case use the less aggressive setting of 1. Any computer reachable from the Internet should have some protection enabled.
Preventing modification to Type of Service bits
Why do this?
In Windows, programs can change the Type of Service bits in the IP header of the packets they send. The Type of Service field is largely unused in normal IP traffic, but it carries precedence bits that routers may honour to give a packet priority. If applications are allowed to set them, they can defeat the bandwidth and quality-of-service policy controls the network has put in place.
What consequences will there be on my system?
If, for some reason, an application relies on setting these bits to communicate over IP, it will no longer be able to, because that ability has been taken away. Like every other setting here, test it before implementing it.
Half-open TCP Connection Reset Time
Why do this?
When Windows answers a SYN with a SYN/ACK and no ACK comes back, it retransmits the SYN/ACK a set number of times before giving up and releasing the half-open connection. Lowering that number shortens the time before the allocated resources are cleaned up. The sooner resources are released, the more connection attempts the computer can absorb, and the lower its chances of becoming a victim of a SYN flood.
What consequences will there be on my system?
If a user far away on a slow or lossy network tries to connect, your computer may give up on the half-open connection before the ACK arrives. This depends, of course, on the network in use, and the value can be adjusted accordingly: the higher the number, the longer it keeps retrying before resetting. For a machine under attack it can be set to 0 or 1.
Amount of time kept in TIME_WAIT
Why do this?
Run netstat -n -p tcp to list the computer's TCP connections. Under the State column you will probably see some connections in the TIME_WAIT state. This is the state a connection enters after it has been closed and before its resources are released, so that stray packets from the old connection are not mistaken for part of a new one using the same address and port pair. RFC 793 defines its length as twice the maximum segment lifetime; Windows XP's default is 240 seconds. It is configurable, and the checklist sets it to 96 seconds so that resources are freed sooner and are harder to exhaust in a DoS.
What consequences will there be on my system?
The only likely adverse effect is on peers that reuse the same address and port pair very rapidly: a connection re-opened from the same pair within the 96-second window can be refused, and a peer whose old segments are still in flight after 96 seconds could, in theory, confuse a new connection. If that happens, raise the limit.
Interval for keeping a connection alive
Why do this?
When a TCP connection sits idle with no data flowing, a keep-alive probe can be sent periodically to check that the peer is still there and to stop intermediate devices from dropping the connection. Windows only sends keep-alives on connections whose application has asked for them (the SO_KEEPALIVE socket option) and by default waits two hours before the first probe; this setting makes it send one every five minutes instead.
What consequences will there be on my system?
There should be no consequence. If the connection is still alive, the remote computer answers the probe; if it does not answer after the retries, the connection is closed and its resources are released, which is exactly what you want for peers that have vanished.
Maximum number of refused SYNs before protection
Why do this?
This setting controls how many connections the computer will hold in the SYN_RCVD (half-open) state before it considers itself under attack. Once the number is exceeded, SYN flood protection engages. A large number of half-open connections is the signature of a SYN flood, so the computer treats it as one and acts accordingly.
What consequences will there be on my system?
If for some reason your network legitimately produces a large number of connections in the SYN_RCVD state, SYN flood protection will engage and clients on slow or lossy links may find their connection attempts failing because fewer SYN/ACKs are retransmitted. This rarely happens, so there should be no effect on your machine.
Maximum number of retried SYN_RCVD
Why do this?
This setting controls how many half-open connections for which a SYN/ACK has already been retransmitted at least once the computer will tolerate before SYN flood protection engages. Because a SYN flood leaves many connections stuck in SYN_RCVD waiting on retransmissions, exceeding this count is treated as evidence of an attack.
What consequences will there be on my system?
The consequences are the same as for the previous setting: if your network legitimately produces many retransmitted half-open connections, SYN flood protection will engage and clients on slow or lossy links may see connection attempts fail. This rarely happens, so there should be no effect on your machine.
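The netstat -n -p tcp listing mentioned under the TIME_WAIT item is also the quickest way to see whether the half-open thresholds of the last two items are being approached. The Python below is an added example, not part of the original checklist: it parses that output (Windows prints the states as SYN_RECEIVED and TIME_WAIT), counts half-open connections and the distinct source addresses behind them, and compares the count with a threshold that defaults to 100, the XP Professional default for the half-open limit. The netstat output embedded in it is constructed sample data. netstat cannot show whether a SYN/ACK has been retransmitted, so the retried limit is not evaluated.

```python
"""Parse Windows `netstat -n -p tcp` output and summarise half-open connections."""
import re
from collections import Counter

# One connection row: "  TCP    192.168.1.10:80    10.0.0.5:3412    SYN_RECEIVED".
# Header lines ("Active Connections", column titles) never start with a protocol.
_ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S+)?\s*$")


def parse_netstat(text):
    """Return [(proto, local, foreign, state)]; UDP rows have an empty state."""
    rows = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            rows.append((proto, local, foreign, state or ""))
    return rows


def state_counts(rows):
    """Count connections per TCP state (what netstat shows in its State column)."""
    return Counter(state for _, _, _, state in rows)


def syn_flood_indicators(rows, max_half_open=100):
    """Summarise half-open connections the way SYN flood protection counts them.

    max_half_open defaults to 100, the XP Professional default for the half-open
    limit that the "Maximum number of refused SYNs" item adjusts. Many half-open
    connections from many distinct sources aimed at one local port is the
    classic SYN flood signature (spoofed sources, one target service).
    """
    half_open = [r for r in rows if r[3] == "SYN_RECEIVED"]
    # Addresses print as host:port; the last colon separates the port.
    sources = Counter(foreign.rsplit(":", 1)[0] for _, _, foreign, _ in half_open)
    targets = Counter(local.rsplit(":", 1)[1] for _, local, _, _ in half_open)
    return {
        "half_open": len(half_open),
        "distinct_sources": len(sources),
        "busiest_local_port": targets.most_common(1)[0][0] if targets else None,
        "time_wait": sum(1 for r in rows if r[3] == "TIME_WAIT"),
        "over_threshold": len(half_open) >= max_half_open,
    }


# Constructed sample: six half-open connections to port 80 from six different
# hosts, two live sessions, three recently closed connections to a file server.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:80        10.0.0.5:3412          SYN_RECEIVED
  TCP    192.168.1.10:80        10.0.0.6:1044          SYN_RECEIVED
  TCP    192.168.1.10:80        10.0.0.7:1045          SYN_RECEIVED
  TCP    192.168.1.10:80        10.0.0.8:1046          SYN_RECEIVED
  TCP    192.168.1.10:80        10.0.0.9:1047          SYN_RECEIVED
  TCP    192.168.1.10:80        10.0.0.10:1048         SYN_RECEIVED
  TCP    192.168.1.10:80        192.168.1.20:2201      ESTABLISHED
  TCP    192.168.1.10:3389      192.168.1.21:1122      ESTABLISHED
  TCP    192.168.1.10:1035      192.168.1.20:445       TIME_WAIT
  TCP    192.168.1.10:1036      192.168.1.20:445       TIME_WAIT
  TCP    192.168.1.10:1037      192.168.1.20:445       TIME_WAIT
"""

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(dict(state_counts(rows)))
    # A low threshold here only so the flag trips on the small sample.
    print(syn_flood_indicators(rows, max_half_open=5))
```

Run netstat -n -p tcp > conns.txt on the workstation and feed the file's contents to parse_netstat(). If half_open is climbing towards the threshold while distinct_sources is almost as large, the machine is seeing the flood pattern these two settings are meant to react to; a large time_wait count with a default 240-second delay is what the TIME_WAIT item above reduces.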
Remove the Shared Documents folder
Why do this?
The Shared Documents folder can become a security risk. It is a folder every local user can read and write, intended for passing files between users, and it cannot be protected by a password or restricted to particular users without defeating its purpose. On its own it is harmless, but anything placed there is exposed to every account on the machine, including the Guest account or a compromised one, so this step removes it.
What consequences will there be on my system?
There will no longer be a Shared Documents folder giving all users access to the same files and folders.
Stop Dangerous Services controlled through Local Services Administrator
Why do this?
Windows has a reputation for shipping with a great many services enabled or ready to start on demand, including network servers such as Telnet and, where IIS is installed, FTP. Those two in particular should not run on a workstation: they carry credentials in cleartext and have a long history of vulnerabilities, and secure alternatives (SSH, SFTP or SCP) exist for every legitimate use. The checklist lists several other services that should be turned off for similar reasons. There is no good reason to leave Remote Registry running: the registry should be modified locally or through Group Policy distributed by a domain controller. Every service on the list provides a way into the system, either over the network or locally.
What consequences will there be on my system?
Shutting down a service has the obvious effect of denying it to users who rely on it. If that happens, find out which service is needed and decide whether its use is worth the risk to the rest of the system.
Restrict access to dangerous executables
Why do this?
A number of programs shipped with Windows are double-edged swords: necessary for certain tasks yet dangerous from a security standpoint. For example, the arp command lets a network administrator view and change the ARP table, but an attacker could use it to "poison" the table so that packets are sent to the wrong device. The NTFS permissions on these executables should be checked so that only users with a legitimate purpose can run them. Some of them (marked in red in the original web page) are particularly dangerous, because they are the ones an attacker is most likely to turn against your system. Since some of these programs cannot be deleted or disabled, we recommend using a program like TCPView (www.sysinternals.com) to monitor their network activity.
What consequences will there be on my system?
If the permissions on these executables are tightened so that only the proper users can run them, there will be no effect on the rest of the system.
Executables:
Arp.exe
at.exe
attrib.exe
atsvc.exe
Cacls.exe
Clipsrv.exe
cmd.exe
cscript.exe
command.com
Debug.exe
edit.exe
edlin.exe
finger.exe
ftp.exe
hypertrm.exe
htimage.exe
imagemap.exe
ipconfig.exe
issync.exe
msiexec.exe
nbtstat.exe
net.exe
net1.exe
Netsh.exe
netstat.exe
nslookup.exe
ping.exe
poledit.exe
posix.exe
qbasic.exe
qfecheck.exe
rcp.exe
rdisk.exe
regedit.exe
regedt32.exe
regini.exe
regsvr32.exe
rexec.exe
Route.exe
rsh.exe
runas.exe
RunOnce.exe
secfixup.exe
sysedit.exe
SysKey.exe
Tftp.exe
telnet.exe
tracert.exe
tskill.exe
uninst.exe
wscript.exe
xcopy.exe
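One way to check the permissions on the executables above is to run cacls.exe (itself on the list) against them and look for access control entries that still grant broad built-in groups anything. The Python below is an added example, not the authors' code: it parses the plain cacls listing format (the file path followed by one principal:permission pair, with further pairs on indented continuation lines) and reports every file where Everyone, Users, Power Users, Authenticated Users or INTERACTIVE hold any permission other than N (no access). The cacls output embedded in it is constructed sample data.

```python
"""Find Windows command-line tools whose NTFS ACLs still grant broad groups access."""
import re

# Built-in principals that should not keep access to the tools listed above on a
# hardened workstation. Compared in lower case; extend to taste.
BROAD_PRINCIPALS = {
    "everyone",
    r"builtin\users",
    r"builtin\power users",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
}

# First line of each file's listing: "<path> <principal>:<perm>". Paths may
# contain spaces, so the path is taken to end at the executable's extension.
_FIRST_LINE_RE = re.compile(
    r"^(?P<path>\S.*?\.(?:exe|com|dll))\s+(?P<ace>\S.*)$", re.IGNORECASE)


def parse_cacls(text):
    """Parse `cacls <files>` output into {path: [(principal, perm), ...]}.

    Assumes the plain letter format cacls prints for files (N, R, W, C, F);
    continuation ACEs are indented, and the indented permission names that
    follow "(special access:)" carry no colon and are skipped.
    """
    acls = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = _FIRST_LINE_RE.match(raw)
        if m:
            current = m.group("path")
            acls[current] = []
            ace = m.group("ace")
        elif current is not None and raw[0].isspace() and ":" in raw:
            ace = raw.strip()
        else:
            continue
        # Principals never contain a colon, so split on the first one.
        principal, _, perm = ace.partition(":")
        acls[current].append((principal, perm))
    return acls


def find_broad_access(acls, broad=BROAD_PRINCIPALS):
    """Return {path: [(principal, perm)]} for every ACE that gives one of the
    broad principals anything other than N (no access)."""
    findings = {}
    for path, aces in acls.items():
        hits = [(p, perm) for p, perm in aces
                if p.lower() in broad and perm != "N"]
        if hits:
            findings[path] = hits
    return findings


# Constructed sample cacls output: arp.exe with the permissions typical of a
# default install, tftp.exe restricted to administrators, cmd.exe with an
# explicit "no access" entry for Users.
SAMPLE_CACLS = r"""C:\WINDOWS\system32\arp.exe BUILTIN\Users:R
                            BUILTIN\Power Users:R
                            BUILTIN\Administrators:F
                            NT AUTHORITY\SYSTEM:F
C:\WINDOWS\system32\tftp.exe BUILTIN\Administrators:F
                             NT AUTHORITY\SYSTEM:F
C:\WINDOWS\system32\cmd.exe BUILTIN\Users:N
                            BUILTIN\Administrators:F
                            NT AUTHORITY\SYSTEM:F
"""

if __name__ == "__main__":
    for path, hits in find_broad_access(parse_cacls(SAMPLE_CACLS)).items():
        print(path)
        for principal, perm in hits:
            # Fix on the machine: cacls <path> /E /R "<principal>"
            print("   %s has %s" % (principal, perm))
```

On the workstation, run cacls against the files (for example cacls C:\WINDOWS\system32\arp.exe C:\WINDOWS\system32\tftp.exe > acls.txt) and pass the captured text to parse_cacls(). For each reported principal, cacls <path> /E /R "<principal>" removes that group's entry; remember that an "R" entry already includes the right to execute.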
Disable NetBIOS over TCP/IP
Why do this?
Windows uses NetBIOS for name resolution and for file and printer sharing. It is a favourite point of entry for attackers because of its long history of vulnerabilities and because it readily gives away machine names, shares and accounts. Even if file sharing is needed locally, NetBIOS should not be carried over TCP/IP on an interface that faces the Internet, where it exposes your shares to anyone. More dangerous still, worms spreading across the Internet use open network shares to infect machines.
What consequences will there be on my system?
Disabling NetBIOS over TCP/IP does exactly that: you will no longer be able to browse or share files over NetBIOS on that interface. Since this is not a safe way to share files across an untrusted network, it is wise to shut it off. Most good firewalls block this traffic (TCP and UDP ports 137 to 139) anyway because it is such a common avenue of attack; why not be a step ahead and make sure? Note that on Windows 2000 and XP file sharing can also run directly over TCP port 445 without NetBIOS, so disabling NetBIOS alone does not close off SMB: block port 445 at the firewall or unbind File and Printer Sharing from the interface as well.
Turn off Windows Media Player "supercookie"
Why do this?
Windows assigns your Media Player a unique ID and stores it in the registry. Web sites that embed Media Player content can read that ID, which lets any such site identify your computer and build a profile of your usage. Media Player will also keep track of the DVDs you watch: when you insert a DVD and open Windows Media Player, it contacts Microsoft for information about that title. To stop this, Media Player must not be allowed to contact Microsoft, hence Work Offline.
What consequences will there be on my system?
Media Player will no longer contact Microsoft's servers to look up the DVDs you watch, so the title and chapter information it would otherwise display for a disc will no longer be available.
Enable SYSKEY
Why do this?
SYSKEY provides additional protection for the Windows SAM database. The SAM is the gold mine on a Windows system because it holds the list of accounts together with their password hashes. SYSKEY encrypts those hashes with a 128-bit system key, so that a copy of the file is useless to an attacker who cannot obtain the key. There are three ways the system key can be held:
1. Derived from a startup password that must be typed at every boot.
2. Generated by the system and stored on a floppy disk that must be inserted at every boot.
3. Generated by the system and stored, scrambled, on the local machine, so the computer boots without any user input.
As you can tell, each has advantages and disadvantages. The biggest consideration is that once SYSKEY is enabled it cannot be turned off again. If the password is forgotten or the floppy is lost, the registry must be restored from a backup taken before the encryption was enabled (using the repair process), so the choice has to be made on the basis of your individual situation. Notice that the third option needs no user input, which means the key is stored on the local machine; an attacker who recovers it from the disk defeats the encryption, so this is probably the least secure option. With the floppy option the disk must be kept secure and out of reach of anyone but authorised users, because an attacker who obtains it has the key. The same goes for the password option: if the password is compromised, so is the system.
If strong encryption is enabled, a copy of the registry should be made before any encryption takes place. This will allow you to restore the changes made if anything should go wrong.
What consequences will there be on my system?
Depending on the strategy chosen, a floppy or a password may be needed at every boot. If either is lost, the registry must be restored from a pre-SYSKEY backup. Using SYSKEY is serious business, and all the considerations should be thought through carefully before committing to a method, because the choice cannot be reversed.
Encrypt user folders with EFS
Why do this?
EFS, the Encrypting File System, encrypts files natively on NTFS. It is extremely useful if the drive itself is taken: without the user's key it is much more difficult (though not impossible) for an attacker to read the data. A good rule of thumb is to have each user encrypt their own folders. Encrypt the parent of the "My Documents" folder, that is, the user's profile folder, because it also holds the temporary directory that applications use for scratch copies of documents; "My Documents", where most users keep their files, is encrypted along with it. Files that are open when you encrypt the folder (NTUSER.DAT, for example) cannot be encrypted and will be reported as errors. Unlike SYSKEY, this encryption can be undone by the same process. The certificate and private key files exported during this step are what allow the data to be recovered if something happens and the files can no longer be decrypted, so they must be stored securely, off the machine.
What consequences will there be on my system?
EFS encrypts and decrypts transparently as files are opened and saved, so there is no noticeable difference in day-to-day use.
Other information
For added convenience, you can add "Encrypt" and "Decrypt" to the Explorer context menu. This allows easy encryption and decryption of files.
The registry key is: HKEY_LOCAL_MACHINE> SOFTWARE> Microsoft> Windows> CurrentVersion> Explorer> Advanced
Add the DWORD value "EncryptionContextMenu" with the value of 1
Wipe free disk space with cipher /w
Why do this?
When a file is deleted, its contents are not actually removed. The space it occupied is simply marked as free; none of the data is touched, which is cheaper in time and in wear on the drive. It also means that a sensitive file you have deleted can still be read by anyone with a tool that examines the raw contents of the disk rather than the file system's view of it. To counter this, cipher /w overwrites all the free space on the volume in three passes: first with 0x00 (all zeros), then with 0xFF (all ones), and finally with random data. Afterwards the free space cannot be read. It only wipes space that is already free, so delete the sensitive files first; it does not touch the contents of files that still exist.
What consequences will there be on my system?
It is recommended that this is done while nothing else is running (e.g., in the middle of the night). Depending on the amount of free space on the drive it can take quite a while. The best practice is to pick a time when it will not affect your work, and let it run. Make sure to lock the computer and disconnect the network cable while it does!
Lock out the Administrator account for network logons
Why do this?
One of the properties of the built-in Administrator account is that it cannot be locked out. This means passwords can be tried against it over and over without the account lockout policy ever stopping the guesses, and when the right password is found the entire system is compromised. The tool used here, passprop.exe from the Windows Resource Kit, makes the Administrator account subject to lockout for network logons and enforces a strong password policy on it, which is essential on any system.
What consequences will there be on my system?
These options will indeed lock the Administrator account out, but only for network logons: after a number of wrong guesses the account can no longer be used over the network until the lockout expires, while the Administrator can still log on at the console. Passwords set in future must contain a mixture of upper- and lower-case letters, numbers or special symbols.
Remap script file extensions to WordPad
Why do this?
Several of the Internet worms that have caused widespread problems in the past have been scripts (Visual Basic Script and JScript files). Your computer becomes infected the moment such a script is executed. Changing the extension mapping makes Windows open files with the script extensions (.vbs, .vbe, .js, .jse, .wsf and .wsh) in WordPad instead of running them, so a malicious script that is double-clicked or launched from an e-mail attachment is merely displayed as text.
What consequences will there be on my system?
Sometimes software vendors and even OEM manufacturers supply Visual Basic scripts that help with maintenance or similar tasks. These will no longer run on your computer. If your system or network relies on the ability to execute scripts, consider this setting very carefully.
Disable Windows Scripting Host
Why do this?
For the same reasons outlined above: many worms and other malicious code rely on Windows executing scripts automatically through the Windows Scripting Host. Removing that ability eliminates the threat from script-based malware (though not from compiled executables).
What consequences will there be on my system?
Any legitimate script will also fail to run, which could be a problem depending on your system configuration.
Encrypt the Offline Files cache
Why do this?
If your computer is part of a workgroup and uses shared folders, this setting should be enabled; on a standalone machine with no file sharing it can be ignored. The idea is that when files from a shared folder are cached locally for offline use, the local copies should be protected as well as the originals. This setting encrypts the Offline Files cache, so an attacker who gains access to the disk cannot read the cached files without breaking the encryption. It is simply another layer of defence in depth.
What consequences will there be on my system?
The files that are saved will be encrypted in much the same manner as files that have been encrypted using the normal EFS system. The consequences are the same as are found using EFS.
Stop Internet Explorer History
Why do this?
As you browse the Internet, every address you visit is saved in the history files. Depending on the sites visited, this log can contain sensitive information. Spyware, software that reports back to a vendor or other third party, could collect it and relay it to someone, for example to build a profile for spamming. It is best to disable this feature of IE.
What consequences will there be on my system?
If you forget the URL of a site, the history will no longer provide a list of previously viewed pages, and the browser will no longer autocomplete URLs for you.
Set Internet Explorer Zones and Cookies
Why do this?
Internet Explorer lets you sort sites into zones, groups of addresses categorised by how much they are trusted: some sites may be trusted while others are not. Each zone has its own rules for how security is handled, including how active content and cookies are treated. The highest security level gives the most protection, but it may occasionally have to be relaxed when a trusted site is blocked by it; just make sure you restore the setting to its previous value afterwards. Making Internet Explorer prompt you before accepting a cookie adds another level of defence, because cookies can be used to gather information about you for purposes you might not approve of.
What consequences will there be on my system?
The most obvious consequence will be the dramatic increase in messages that are displayed by Internet Explorer. It is important to understand that it is better to click away the pop-ups than to sacrifice security. Another problem that might arise is that of functionality. There is a possibility that, with untrusted content not being displayed, certain websites will not function properly.
Stop Internet Explorer from saving passwords
Why do this?
When using the Internet, users are often prompted to log in to some sites. This usually means typing in a username and password. Due to the nature of humans, this password probably bears some resemblance to their username and password on the local computer. The web browser will often ask if the user would like to save this information on file to avoid the hassle of having to type it in again. This information is then saved on disk so it can be used later. This is an obvious security risk because if this information is recovered from the disk, the attacker can narrow down the possibilities for the user's password. Web browsers should not be allowed to save sensitive information for the user.
What consequences will there be on my system?
The user will have to type in their username and password for sites that require such information instead of having the browser fill in the information for them.
Internet Explorer Security Options
Why do this?
These options help to create another barrier between the attacker and your computer. These settings help to upgrade the security that IE employs so it is harder for an attacker to exploit your system.
What consequences will there be on my system?
These options will add to the number of pop-up warnings that IE gives. It is also possible that older, very insecure sites will now be inaccessible.
Why do this?
When users go on break, to lunch, or just step away from their computer for a short period of time, they often forget to lock down their computer (Ctrl + Alt + Delete; Enter or Windows + L). This allows physical access to the computer for this period of time. An attacker can use this time to learn much about the network and the systems. This can be avoided through the use of passwords in screen savers. If the screen saver becomes active, it automatically locks the computer, and the user must type in their password to gain access.
What consequences will there be on my system?
The user's or an administrator's password must be entered to gain access to the computer after the screen saver has been activated. You don't want to do this any more often than is necessary and consistent with the security guidelines of your organization. "Office bunnies" who move about continuously might consider such hassle-free hardware alternatives as proximity detecting smart cards that automatically unlock computers when within a certain distance of the detector, and lock them when you walk away.
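The page notes that every setting should be checked on the box afterwards. The following PowerShell audit is an added example (not part of the original checklist) that reads the per-user registry values behind the IE history, IE password-saving, Internet zone and screen-saver-lock settings described above and reports PASS/FAIL for each. The registry paths and value names are the standard locations for these settings; the 900-second timeout threshold is an assumption, not a value from the page.

```powershell
# Added audit example: reports whether the current user's settings match the
# hardened state described in the checklist. Requires PowerShell on Windows.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # a missing key or value is reported as $null, not an error
}

function Test-WorkstationSettings {
    $desktop = 'HKCU:\Control Panel\Desktop'
    $ieMain  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $inet    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

    # Each check: description, observed value, and the condition it must meet
    $checks = @(
        @{ Name = 'Screen saver enabled';           Value = Get-RegValue $desktop 'ScreenSaveActive';      Ok = { $args[0] -eq '1' } },
        @{ Name = 'Screen saver requires password'; Value = Get-RegValue $desktop 'ScreenSaverIsSecure';   Ok = { $args[0] -eq '1' } },
        # 900 s (15 min) is an assumed organisational maximum, not a value from the page
        @{ Name = 'Screen saver timeout <= 900 s';  Value = Get-RegValue $desktop 'ScreenSaveTimeOut';     Ok = { [int]$args[0] -gt 0 -and [int]$args[0] -le 900 } },
        @{ Name = 'IE does not save passwords';     Value = Get-RegValue $ieMain 'FormSuggest Passwords';  Ok = { $args[0] -eq 'no' } },
        @{ Name = 'IE does not offer to save them'; Value = Get-RegValue $ieMain 'FormSuggest PW Ask';     Ok = { $args[0] -eq 'no' } },
        @{ Name = 'IE history kept for 0 days';     Value = Get-RegValue "$inet\Url History" 'DaysToKeep'; Ok = { $args[0] -eq 0 } },
        # Zone 3 is the Internet zone; CurrentLevel 0x12000 is the "High" template
        @{ Name = 'IE Internet zone set to High';   Value = Get-RegValue "$inet\Zones\3" 'CurrentLevel';   Ok = { $args[0] -eq 0x12000 } }
    )

    foreach ($c in $checks) {
        # An unset value never passes: the default is the insecure state
        $pass = ($null -ne $c.Value) -and (& $c.Ok $c.Value)
        [pscustomobject]@{
            Check    = $c.Name
            Observed = if ($null -eq $c.Value) { '<not set>' } else { $c.Value }
            Result   = if ($pass) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-WorkstationSettings | Format-Table -AutoSize
```

Run it in the context of the user being audited, since all of these settings live under HKEY_CURRENT_USER and a different account will show that account's values instead.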