Secure configuration document

Transcription

1 Secure configuration document Windows 7 Draft 0.1. DEPARTMENT OF ELECTRONICS AND INFORMATION TECHNOLOGY Ministry of Communication and Information Technology, Government of India

2 Document Control S. No. Type of Information Document Data 1. Document Title Secure Configuration Document Windows 7 2. Document Code PR_SCD_Windows_7 3. Date of Release 4. Next Review Date 5. Document Owner DietY 6. Document Author(s) 7. Document Reviewer 8. Document Reference PR_Harden Document Approval S. No. Document Approver Approver Designation Approver ID Document Change History Version No. Revision Date Nature of Change Date of Approval Document Classification: Internal Page 5 of 53

3 Purpose This document is intended to guide Windows System administrators to secure Windows 7 Operating System. This document should be used to harden all Windows 7 desktops and laptops being used in e-gov service delivery environment. Security compliance on Windows 7 systems can be measured and reported considering the below mentioned control points as benchmark or criteria. How to use this Document The document covers the mandatory security configurations for Windows 7 OS. Please test the prescribed settings in the staging setup before deploying it to production environment. The Solution sections in control point/s below provide solutions and configurations as per industry best practices. The configurations also provide recommended values in a production environment, determined with practical experience in a production environment. The recommended values and parameters can be redefined specific to the environment if found not suitable or as desired. The SCD document may also provide suggestive steps to harden the target systems hosting other supporting technologies/tools and utilities prevalent in the industry. In case the target environment is not hosting such tools and technologies the control point can be marked Not Applicable while determining the compliance. The document also mentions the How to check section, the output of these can be utilized to capture in hardening reports. These reports can serve audit artifacts in meeting hardening compliance on a specific device. Document Classification: Internal Page 6 of 53

4 Table of Contents 1. ENFORCE PASSWORD AND ACCOUNT LOCKOUT POLICY ENABLE AUDIT AND LOGGING DETAILED AUDIT POLICY EVENT LOG WINDOWS FIREWALL WINDOWS UPDATE USER ACCESS CONTROL USER RIGHTS SECURITY OPTIONS REMOTE DESKTOP SERVICES INTERNET COMMUNICATION ADDITIONAL SECURITY SETTINGS USER POLICIES Document Classification: Internal Page 7 of 53

5 1. Enforce Password and Account Lockout policy Description Configure following password and account lockout policy 1. Enforce password history 2. Maximum password age 3. Minimum password age 4. Minimum password length 5. Password must meet complexity requirements 6. Store passwords using reversible encryption 7. Account lockout duration Impact Solution 8. Account lockout threshold In absence of password and account lockout policy implementation, can lead to unauthorized access. To establish the recommended configuration via GPO, set the following to the value prescribed in e-gov policy or Password management guidelines: 1. Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history 2. Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age 3. Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age 4. Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length 5. Computer Configuration\Windows Settings\Security Document Classification: Internal Page 8 of 53

6 Settings\Account Policies\Password Policy\Password must meet complexity requirements 6. Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption 7. Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration 8. Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold How to check Navigate to the GPO articulated in the Remediation section and confirm it is set as prescribed. Document Classification: Internal Page 9 of 53

7 2. Enable Audit and Logging Description Windows 7 has detailed audit facilities that allow administrators to tune their audit policy with greater specificity. 1. Audit account logon events 2. Audit account management 3. Audit directory service access 4. Audit logon events 5. Audit object access 6. Audit policy change 7. Audit privilege use 8. Audit process tracking Impact Solution Audit and logging if disabled can lead to inefficient incident and event tracking. To establish the recommended configuration via GPO, set the following to the value prescribed e-gov policy or Audit logging guidelines: 1. Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account logon events 2. Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management 3. Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit directory service access 4. Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events 5. Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access 6. Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit policy change 7. Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit privilege use Document Classification: Internal Page 10 of 53

8 8. Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit process tracking How to check Navigate to the GPO articulated in the Remediation section and confirm it is set as prescribed. 3. Detailed Audit Policy Description This section articulates the detailed audit policies introduced in Windows Vista and later. The values prescribed in this section represent the minimum recommended level of auditing. 1. Audit Policy: System: IPsec Driver 2. Audit Policy: System: Security State Change 3. Audit Policy: System: Security System Extension 4. Audit Policy: System: System Integrity 5. Audit Policy: Logon-Logoff: Logoff 6. Audit Policy: Logon-Logoff: Logon 7. Audit Policy: Logon-Logoff: Special Logon 8. Audit Policy: Object Access: File System Impact Solution In absence of audit policy settings security incident tracking will be inefficient. To establish the recommended configuration via GPO, set the following to the value prescribed e-gov policy or Audit logging guidelines: 1. Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\System\Audit IPSec Driver\Audit Policy: System: IPsec Driver Document Classification: Internal Page 11 of 53

9 2. Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\System\Audit Security State Change\Audit Policy: System: Security State Change 3. Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\System\Audit Security System Extension\Audit Policy: System: Security System Extension 4. Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\System\Audit System Integrity\Audit Policy: System: System Integrity 5. Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Logon/Logoff\Audit Logoff\Audit Policy: Logon-Logoff: Logoff 6. Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Logon/Logoff\Audit Logon\Audit Policy: Logon-Logoff: Logon 7. Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Logon/Logoff\Audit Special Logon\Audit Policy: Logon-Logoff: Special Logon 8. Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies - Local Group Policy Object\Object Access\Audit File System\Audit Policy: Object Access: File System How to check Navigate to the GPO articulated in the Remediation section and confirm Document Classification: Internal Page 12 of 53

10 it is set as prescribed. Document Classification: Internal Page 13 of 53

11 4. Event Log Description This control suggests the minimum and maximum size of event logs Application: 1. Maximum Log Size (KB) 2. Application: Retain old events 3. Security: Maximum Log Size (KB) 4. Security: Retain old events 5. System: Maximum Log Size (KB) 6. System: Retain old events Impact Solution In absence of any control of event log size can lead to compliance issues as well as inappropriate usage of resources. To establish the recommended configuration via GPO, set the following to the value prescribed e-gov policy or Audit Log procedure and guidelines: 1. Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Application\Application: Maximum Log Size (KB) 2. Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Application\Application: Retain old events 3. Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security\Security: Maximum Log Size (KB) 4. Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security\Security: Retain old events Document Classification: Internal Page 14 of 53

12 5. Computer Configuration\Administrative Templates\Windows Components\Event Log Service\System\System: Maximum Log Size (KB) 6. Computer Configuration\Administrative Templates\Windows Components\Event Log Service\System\System: Retain old events How to check Navigate to the GPO articulated in the Remediation section and confirm it is set as prescribed. Document Classification: Internal Page 15 of 53

13 5. Windows Firewall Description This control defines if the Windows Firewall will use the settings for this profile to filter network traffic. 1. Windows Firewall: Domain: Firewall state 2. Windows Firewall: Domain: Inbound connections 3. Windows Firewall: Domain: Display a notification 4. Windows Firewall: Domain: Allow unicast response 5. Windows Firewall: Domain: Apply local firewall rules 6. Windows Firewall: Domain: Apply local connection security rules 7. Windows Firewall: Private: Firewall state 8. Windows Firewall: Private: Inbound connections 9. Windows Firewall: Private: Display a notification Impact Solution Absence of appropriate Firewall configurations can lead to remote attack surface of the system. To establish the recommended configuration via GPO, set the following to the value prescribed e-gov policy or Network Security procedure and guidelines 1. Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Firewall state 2. Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Inbound connections Document Classification: Internal Page 16 of 53

14 3. Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Display a notification 4. Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Allow unicast response 5. Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Apply local firewall rules 6. Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Apply local connection security rules 7. Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Firewall state 8. Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Inbound connections 9. Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Document Classification: Internal Page 17 of 53

15 Properties\Private Profile\Windows Firewall: Private: Display a notification How to check Navigate to the GPO articulated in the Remediation section and confirm it is set as prescribed. Document Classification: Internal Page 18 of 53

16 6. Windows Update Description This control defines how Windows will receive security updates 1. Configure Automatic Updates 2. Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box 3. No auto-restart with logged on users for scheduled automatic updates installations 4. Reschedule Automatic Updates scheduled installations Impact Solution In case; windows systems are not upto date, can leave the system open to known and fixed vulnerabilities. To establish the recommended configuration via GPO, set the following to the value prescribed e-gov policy or Patch Management procedure and guidelines 1. Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates 2. Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box 3. Computer Configuration\Administrative Templates\Windows Components\Windows Update\No auto-restart with logged on users for scheduled automatic updates installations 4. Computer Configuration\Administrative Templates\Windows Components\Windows Update\Reschedule Automatic Updates scheduled installations Document Classification: Internal Page 19 of 53

17 How to check Navigate to the GPO articulated in the Remediation section and confirm it is set as prescribed. Document Classification: Internal Page 20 of 53

18 7. User Access Control Description This control defines how to manage user access. Impact Solution 1. User Account Control: Admin Approval Mode for the Built-in Administrator account 2. User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode 3. User Account Control: Behavior of the elevation prompt for standard users 4. User Account Control: Detect application installations and prompt for elevation 5. User Account Control: Only elevate UIAccess applications that are installed in secure locations 6. User Account Control: Run all administrators in Admin Approval Mode 7. User Account Control: Switch to the secure desktop when prompting for elevation 8. User Account Control: Virtualize file and registry write failures to per-user locations 9. User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop These recommended user account controls the access of builtin and other administrator accounts, the absence of such control can lead to security incidents due to ineffective user privileges and account management. To establish the recommended configuration via GPO, set the following to the value prescribed e-gov policy or User Access Management procedure and guidelines 1. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Admin Approval Mode for the Built-in Administrator account 2. Computer Configuration\Windows Settings\Security Document Classification: Internal Page 21 of 53

19 Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode 3. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for standard users 4. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation 5. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate UIAccess applications that are installed in secure locations 6. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Run all administrators in Admin Approval Mode 7. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Switch to the secure desktop when prompting for elevation 8. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Virtualize file and registry write failures to per-user locations How to check 9. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop Navigate to the GPO articulated in the Remediation section and confirm it is set as prescribed. Document Classification: Internal Page 22 of 53

20 8. User Rights Description Configure the following attributes of user rights for the user profiles on the system; as per the recommendations in solution section. 1. Access this computer from the network 2. Act as part of the operating 3. Adjust memory quotas for a process 4. Back up files and directories 5. Bypass traverse checking 6. Change the system time 7. Create a pagefile 8. Create a token object 9. Create global objects 10. Create permanent shared objects 11. Debug programs 12. Deny access to this computer from 13. Enable computer and user accounts to 14. Force shutdown from a remote system 15. Impersonate a client after authentication 16. Increase scheduling priority 17. Load and unload device drivers 18. Lock pages in memory 19. Manage auditing and security log 20. Modify firmware environment values Document Classification: Internal Page 23 of 53

21 21. Modify an object label 22. Perform volume maintenance tasks 23. Profile single process 24. Profile system performance 25. Remove computer from docking station 26. Replace a process level token 27. Shut down the system 28. Allow log on locally 29. Allow log on through Remote Desktop 30. Create symbolic links 31. Deny log on locally 32. Deny log on through Remote Desktop 33. Generate security audits 34. Increase a process working set 35. Log on as a batch job 36. Log on as a service 37. Restore files and directories 38. Take ownership of files or other 39. Access Credential Manager as a trusted Impact Solution In the absence of appropriate user rights configured in different types of user roles, incorrect ownership can be assigned to users leading to security breaches and inefficient incident tracking. To establish the recommended configuration via GPO, set the following to the value prescribed above: Document Classification: Internal Page 24 of 53

22 1. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network 2. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system 3. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process 4. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Back up files and directories 5. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Bypass traverse checking 6. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time 7. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a pagefile 8. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a token object 9. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create global objects Document Classification: Internal Page 25 of 53

23 10. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create permanent shared objects 11. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs 12. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network 13. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted 14. Computer Configuration\Windows Settings\Local Policies\User Rights 15. Assignment\Force shutdown from a remote system 16. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication 17. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority 18. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers 19. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lock pages in memory Document Classification: Internal Page 26 of 53

24 20. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log 21. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify firmware environment values 22. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify an object label 23. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks 24. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile single process 25. Administrators, NT SERVICE\WdiServiceHost 26. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance 27. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Remove computer from docking station 28. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token 29. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the Document Classification: Internal Page 27 of 53

25 system 30. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally 31. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Remote Desktop Services Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create symbolic links 32. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally 33. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Remote Desktop Services 34. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits 35. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase a process working set 36. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job 37. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service Document Classification: Internal Page 28 of 53

26 38. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Restore files and directories 39. Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Take ownership of files or other objects How to check Navigate to the GPO articulated in the Remediation section and confirm it is set as prescribed in Solution section. Document Classification: Internal Page 29 of 53

27 9. Security Options Description Configure the following attributes of user rights for the user profiles on the system; as per the recommendations in solution section. 1. Network security: Minimum session security for NTLM SSP based (including secure RPC) servers 2. Network access: Remotely accessible registry paths and subpaths 3. Accounts: Rename administrator account 4. Accounts: Rename guest account 5. Accounts: Administrator account status 6. Accounts: Guest account status 7. Network access: Allow anonymous SID/Name translation 8. Accounts: Limit local account use of blank passwords to console logon only 9. Devices: Allowed to format and eject removable media 10. Devices: Prevent users from installing printer drivers 11. Devices: Restrict CD-ROM access to locally logged-on user only 12. Devices: Restrict floppy access to locally logged-on user only 13. Domain member: Digitally encrypt or sign secure channel data (always) 14. Domain member: Digitally encrypt secure channel data (when possible) 15. Domain member: Digitally sign secure channel data (when possible) Document Classification: Internal Page 30 of 53

28 16. Domain member: Disable machine account password changes 17. Domain member: Maximum machine account password age 18. Domain member: Require strong (Windows 2000 or later) session key 19. Interactive logon: Do not display last user name 20. Interactive logon: Number of previous logons to cache (in case domain controller is not available) 21. Interactive logon: Prompt user to change password before expiration 22. Interactive logon: Require Domain Controller authentication to unlock workstation 23. Interactive logon: Smart card removal behavior 24. Interactive logon: Message text for users attempting to log on 25. Interactive logon: Message title for users attempting to log on 26. Interactive logon: Require smart card 27. Microsoft network client: Digitally sign communications (always) 28. Microsoft network client: Digitally sign communications (if server agrees) 29. Microsoft network client: Send unencrypted password to thirdparty SMB servers 30. Microsoft network server: Amount of idle time required before suspending session 31. Microsoft network server: Digitally sign communications (always) 32. Microsoft network server: Digitally sign communications (if client agrees) Document Classification: Internal Page 31 of 53

29 33. Microsoft network server: Disconnect clients when logon hours expire 34. Microsoft network server: Server SPN target name validation level 35. MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) 36. MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) 37. MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes 38. MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) 39. MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds 40. MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic 41. MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers 42. MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) 44. MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Document Classification: Internal Page 32 of 53

30 46. MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) 47. MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning 48. Network access: Do not allow anonymous enumeration of SAM accounts 49. Network access: Do not allow anonymous enumeration of SAM accounts and shares 50. Network access: Let Everyone permissions apply to anonymous users 51. Network access: Named Pipes that can be accessed anonymously 52. Network access: Remotely accessible registry paths 53. Network access: Restrict anonymous access to Named Pipes and Shares 54. Network access: Shares that can be accessed anonymously 55. Network access: Sharing and security model for local accounts 56. Network security: Do not store LAN Manager hash value on next password change 57. Network security: LAN Manager authentication level 58. Network security: LDAP client signing requirements 59. Network security: Minimum session security for NTLM SSP based (including secure RPC) clients 60. Recovery console: Allow automatic administrative logon 61. Recovery console: Allow floppy copy and access to all drives and Document Classification: Internal Page 33 of 53

31 all folders 62. Shutdown: Allow system to be shut down without having to log on 63. System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing 64. System objects: Require case insensitivity for non-windows subsystems 65. System objects: Strengthen default permissions of internal system objects (e 66. System cryptography: Force strong key protection for user keys stored on the computer 67. System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies 68. MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) 69. MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) 70. Network security: Allow LocalSystem NULL session fallback 71. Network security: Allow Local System to use computer identity for NTLM Network Security: Allow PKU2U authentication requests to this computer to use online identities Impact 73. Interactive logon: Do not require CTRL+ALT+DEL In absence of absolute security policies configured in local system, domain, network variety of impacts can happen viz resource loss, data loss and other kinds of thefts. Document Classification: Internal Page 34 of 53

32 Solution To establish the recommended configuration via GPO, set the following to the value prescribed above: 1. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers 2. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and sub-paths 3. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename administrator account 4. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename guest account 5. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status 6. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status Document Classification: Internal Page 35 of 53

33 7. Computer Configuration\Windows Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation 8. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only 9. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allowed to format and eject removable media 10. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers 11. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Restrict CD- ROM access to locally logged-on user only 12. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Restrict floppy access to locally logged- on user only 13. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always) 14. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Document Classification: Internal Page 36 of 53

34 Digitally encrypt secure channel data (when possible) 15. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally sign secure channel data (when possible) 16. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes 17. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age 18. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Require strong (Windows 2000 or later) session key 19. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name 20. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available) 21. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration 22. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require Domain Controller authentication to unlock workstation 23. Computer Configuration\Windows Settings\Security Document Classification: Internal Page 37 of 53

35 Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior 24. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on 25. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message title for users attempting to log on 26. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require smart card Note: Ensure that smart cards and smart card readers are provisioned before implementing this policy. 27. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always) 28. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees) 29. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network Document Classification: Internal Page 38 of 53

36 client: Send unencrypted password to third-party SMB servers 30. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending session 31. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always) 32. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees) 33. Computer Configuration\Windows Settings\Security Settings\Local olicies\security Options\Microsoft network server: Disconnect clients when logon hours expire 34. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Server SPN target name validation level 35. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) 36. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableIPSourceRouting) IP source routing protection level Document Classification: Internal Page 39 of 53

37 (protects against packet spoofing) 37. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes 38. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) 39. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds 40. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic 41. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers 42. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop Document Classification: Internal Page 40 of 53

38 generating 8.3 style filenames (recommended) 43. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) 44. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) 45. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) 46. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) 47. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning 48. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not Document Classification: Internal Page 41 of 53

39 allow anonymous enumeration of SAM accounts 49. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares 50. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users 51. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously 52. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths 53. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares 54. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed Anonymously 55. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts 56. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change Document Classification: Internal Page 42 of 53

40 57. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level 58. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements 59. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients 60. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow automatic administrative logon 61. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow floppy copy and access to all drives and all folders 62. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on 63. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and Document Classification: Internal Page 43 of 53

41 signing 64. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Require case insensitivity for non-windows subsystems 65. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) 66. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer 67. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System settings: Use Certificate Rules on WindowsExecutables for Software Restriction Policies 68. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) 69. Computer Configuration\Windows Settings\Security Document Classification: Internal Page 44 of 53

42 Settings\Local Policies\Security Options\MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) 70. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow LocalSystem NULL session fallback 71. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow Local System to use computer identity for NTLM 72. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Allow PKU2U authentication requests to this computer to use online identities 73. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL How to check Navigate to the GPO articulated in the Remediation section and confirm it is set as prescribed. Document Classification: Internal Page 45 of 53

43 10. Remote Desktop Services Description Following configuration settings are recommended for Remote desktop services. 1. Always prompt for password upon connection 2. Set client connection encryption level 3. Do not allow drive redirection 4. Allow users to connect remotely using Remote Desktop Services 5. Do not allow passwords to be saved Impact Solution In absence of appropriate configurations remote desktop service exposes the system to hacking and data theft during a remote session. To establish the recommended configuration via GPO, set the following to the value prescribed above: 1. Computer Configuration\Administrative Templates\Windows Components\RemoteDesktop Services\Remote Desktop Session Host\Security\Always prompt for password upon connection 2. Computer Configuration\Administrative Templates\Windows Components\RemoteDesktop Services\Remote Desktop Session Host\Security\Set client connection encryption level. 3. Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow drive redirection 4. Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow users to connect remotely using Remote Desktop Services 5. Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Do not allow passwords to be saved Document Classification: Internal Page 46 of 53

44 How to check Navigate to the GPO articulated in the Remediation section and confirm it is set as prescribed. Alternatively, execute the following to determine if the system is configured as recommended: 1. reg query HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services /v fpromptforpassword 2. reg query HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services /v MinEncryptionLevel 3. reg query HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services /v fdisablecdm 4. reg query HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services /v fdenytsconnections 5. reg query HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services /v DisablePasswordSaving Document Classification: Internal Page 47 of 53

45 11. Internet Communication. Description Impact 1. Turn off downloading of print drivers over HTTP 2. Turn off the "Publish to Web" task for files and folders. 3. Turn off Internet download for Web publishing and online ordering wizards 4. Turn off printing over HTTP 5. Turn off Search Companion content file updates 6. Turn off the Windows Messenger Customer Experience Improvement Program 7. Turn off Windows Update device driver searching In absence of stringent security configurations for a system exposed to internet or intranet can lead to security incidents viz virus and other Information Security policy breaches. Solution 1. Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\turn off downloading of print drivers over HTTP 2. Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\turn off the "Publish to Web" task for files and folders 3. Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\turn off Internet download for Web publishing and online ordering wizards 4. Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\turn off printing over HTTP 5. Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\turn off Search Document Classification: Internal Page 48 of 53

46 Companion content file updates 6. Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\turn off the Windows Messenger Customer Experience Improvement Program 7. Turn off Windows Update device driver searching. Enabling this setting prevents users from downloading and installing device drivers that reduces system stability and security. How to check Navigate to the GPO articulated in the Remediation section and confirm it is set as prescribed. Alternatively, execute the following to determine if the system is configured as recommended: 1. reg query HKLM\Software\Policies\Microsoft\Windows NT\Printers /v DisableWebPnPDownload 2. reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Expl orer /v NoPublishingWizard 3. reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Expl orer /v NoWebServices 4. reg query HKLM\Software\Policies\Microsoft\Windows NT\Printers /v DisableHTTPPrinting 5. reg query HKLM\Software\Policies\Microsoft\SearchCompanion /v DisableContentFileUpdates 6. reg query HKLM\Software\Policies\Microsoft\Messenger\Client /v CEIP Document Classification: Internal Page 49 of 53

47 7. reg query HKLM\Software\Policies\Microsoft\Windows\DriverSearching /vdontsearchwindowsupdate Document Classification: Internal Page 50 of 53

48 12. Additional Security Settings Description 1. Require a Password When a Computer Wakes (On Battery) 2. Require a Password When a Computer Wakes (Plugged In) 3. Allow Remote Shell Access For the SSLF desktop and SSLF laptop profile(s), the recommended value is Disabled. For the Enterprise desktop and Enterprise laptop profile(s), the recommended value is Not Defined. 4. Turn off Data Execution Prevention for Explorer 5. Do not process the legacy run list. The run list is the list of programs that Windows runs automatically when it starts. It is recommended that this setting be configured as described below: For the Enterprise desktop and Enterprise laptop profile(s), the recommended value is Not Configured. For the SSLF desktop and SSLF laptop profile(s), the recommended value is Enabled. 6. Registry policy processing should be enabled for all profiles. 7. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Impact Solution These are few desktop level security settings that if not configured can lead to data loss through end user using the system due to malicious intend to inappropriate handling of assets. To establish the recommended configuration via GPO, set the following to the value prescribed above: 1. Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Require a Password When a Computer Wakes (On Battery) Document Classification: Internal Page 51 of 53