Threats and Countermeasures Guide: Security Settings in Windows 7 and Windows Server 2008 R2


Microsoft Corporation
Published: May 2011
Authors: Starr Andersen, Greg Marshall, Eric Mitchell, Roland Winkler

Abstract

The purpose of this guide is to provide you with a reference to security settings that provide countermeasures for specific threats against current versions of the Windows operating systems.

This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. © 2011 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, ActiveX, Aero, AppLocker, BitLocker, BranchCache, Internet Explorer, MS-DOS, Outlook, ReadyBoost, SQL Server, Win32, Windows, Windows Live, Windows Media, Windows NT, Windows, Windows Server, and Windows Vista are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Contents

  • Threats and Countermeasures Guide: Security Settings in Windows Server 2008 R2 and Windows 7
  • Threats and Countermeasures Guide: Account Policies
  • Threats and Countermeasures Guide: Advanced Security Audit Policy
  • Threats and Countermeasures Guide: User Rights
  • Threats and Countermeasures Guide: Security Options
  • Threats and Countermeasures Guide: Event Log
  • Threats and Countermeasures Guide: System Services
  • Threats and Countermeasures Guide: Software Restriction Policies
  • Threats and Countermeasures Guide: Application Control Policies
  • Threats and Countermeasures Guide: External Storage Devices
  • Threats and Countermeasures Guide: Additional Resources

Threats and Countermeasures Guide: Security Settings in Windows Server 2008 R2 and Windows 7

This guide is a reference to the security settings in Windows Server® 2008 R2 and Windows® 7 that provide countermeasures for specific threats against the current versions of the operating systems.

Note: For a web version of this document, see Threats and Countermeasures Guide in the Windows Server Technical Library.

Many of the countermeasures that are described in this guide are not intended for specific computer roles in the companion guides, or in some cases, for any roles at all. These countermeasures help ensure compatibility, usability, manageability, availability, or performance. Generally, as security increases, functionality decreases, and vice versa. However, there are exceptions, and some security countermeasures actually help improve functionality.

Each section begins with a brief explanation of what is in the section, followed by a list of subsection headings, each of which corresponds to a setting or group of settings. Each subsection includes a brief explanation of what the countermeasure does and the following subsections:

  • Vulnerability: Explains how an attacker might exploit a feature or its configuration.
  • Countermeasure: Explains how to implement the countermeasure.
  • Potential impact: Explains the possible negative consequences of countermeasure implementation.

For example, the section Domain Level Account Policies begins with the following subsections:

  • Account Policies
      • Enforce password history
          • Vulnerability
          • Countermeasure
          • Potential impact
      • Maximum password age
          • Vulnerability
          • Countermeasure
          • Potential impact

This pattern is repeated throughout this guide. Settings that are closely related are presented in a single subsection. For example, in the Security Options section, four related settings are placed into the same subsection as follows:

  • Microsoft network client and server: Digitally sign communications
      • Microsoft network client: Digitally sign communications (always)
      • Microsoft network server: Digitally sign communications (always)
      • Microsoft network client: Digitally sign communications (if server agrees)
      • Microsoft network server: Digitally sign communications (if client agrees)

This guide focuses on Group Policy settings that are considered security settings, and those that are intended to help organizations manage their environments are not documented. This guide examines only the settings and features in Windows Server 2008 R2 and Windows 7 that can help organizations secure their enterprises against specific threats. Settings and features that were added in service packs after the release of Windows 7 and Windows Server 2008 R2, or functionalities that may have been added by software released after those service packs, may not be discussed in this guide. Also, management features and those security features that are not configurable by administrators are not described in this guide. The information that is provided within this guide should help you and members of your organization understand the countermeasures that are available in the current versions of the operating systems.

Section overviews

This guide consists of the following sections, which provide a reference to the settings that you should consider when planning the security policy for your organization.

Threats and Countermeasures Guide: Account Policies
    This section discusses the Group Policy settings that are applied at the domain level: password policies, account lockout policies, and Kerberos 5 protocol authentication policies.

Threats and Countermeasures Guide: Advanced Security Audit Policy
    This section discusses the use of advanced audit policy settings, which are now integrated with Group Policy to monitor and enforce your security measures. It describes the various settings, and it provides examples of how audit information is modified when the settings are changed.

Threats and Countermeasures Guide: User Rights
    This section discusses the various logon rights and privileges that are provided by the Windows 7 and Windows Server 2008 R2 operating systems, and it provides guidance about which accounts should be assigned these rights.

Threats and Countermeasures Guide: Security Options
    This section provides guidance about security settings for digital data signatures, Administrator and Guest account names, drive access, driver installation behavior, and logon prompts.

Threats and Countermeasures Guide: Event Log
    This section provides guidance about how to configure the settings that relate to the various event logs on computers running Windows Server 2008 R2 or Windows 7.

Threats and Countermeasures Guide: System Services
    Windows Server 2008 R2 and Windows 7 include a variety of system services. Many of these services are configured to run by default, but others are not present unless you install specific components. This section describes the various services included with the operating systems so that you can best decide which ones to leave enabled and which ones can be safely disabled.

Threats and Countermeasures Guide: Software Restriction Policies
    This section provides a brief overview of the Software Restriction Policy feature that is available in Windows Server 2008 R2 and Windows 7. It provides links to additional resources about how to design and use policy settings to control which applications can be used in your organization.

Threats and Countermeasures Guide: Application Control Policies
    This section provides a brief overview of the AppLocker™ feature that is available in Windows Server 2008 R2 and Windows 7. It provides links to additional resources about how to design and use policy settings to control which applications can be used in your organization.

Threats and Countermeasures Guide: External Storage Devices
    This section describes Group Policy settings that can be used to limit, prevent, or allow the use of external storage devices in networked computers.

Threats and Countermeasures Guide: Additional Resources
    This section provides links to additional information sources about Windows security topics from Microsoft that you may find useful.

Threats and Countermeasures Guide: Account Policies

This section of the Threats and Countermeasures Guide discusses Group Policy settings that are applied at the domain level. The default setting values for these policies, which are collectively referred to as Account Policies settings, are included in the built-in Default Domain Controllers Policy Group Policy Object (GPO).

Account Policies overview

There are three folders in the Account Policies folder:

  • Password Policy
  • Account Lockout Policy
  • Kerberos Policy

A single Windows Server® 2008 R2 domain can have one of each of these policies. If these policies are set at any level below the domain level in Active Directory® Domain Services, they affect only local accounts on member servers.

The Account Policies settings in Group Policy are applied at the domain level.

Default values