Windows Security Hardening
• Unified CCE Security Hardening for Windows Server , on page 1 Unified CCE Security Hardening for Windows Server This topic contains the security baseline for hardening Windows Servers running Unified CCE. This baseline is essentially a collection of Microsoft group policy settings which are determined by using the Microsoft Security Compliance Manager 4.0 tool. In addition to the GPO settings provided in the table, disable the following settings: • NetBIOS • SMBv1
Note For more details about these configurations, see the Microsoft Windows Server documentation.
The baseline includes only those settings whose severity qualifies as Critical and Important. The settings with Optional and None severity qualification are not included in the baseline.
Setting Name Default Value Compliance
Network security: LAN Send NTLMv2 response only Send NTLMv2 response only. Manager authentication level Refuse LM & NTLM
Network Security: Restrict Not defined Not Defined NTLM: Audit NTLM authentication in this domain
Network Security: Restrict Not defined Not Defined NTLM: Incoming NTLM traffic
Interactive logon: Require Disabled Not Defined smart card
Windows Security Hardening 1 Windows Security Hardening Windows Security Hardening
Setting Name Default Value Compliance
Network Security: Restrict Not defined Not Defined NTLM: Add remote server exceptions for NTLM authentication
Network security: Allow Not defined Disabled LocalSystem NULL session fallback
Microsoft network client: Disabled Disabled Send unencrypted password to third-party SMB servers
Network security: Allow Not defined Enabled Local System to use computer identity for NTLM
Network security: Do not Enabled Enabled store LAN Manager hash value on next password change
Network Security: Allow Not defined Not Defined PKU2U authentication requests to this computer to use online identities
Network security: Minimum No minimum Require NTLMv2 session session security for NTLM security,Require 128-bit encryption SSP based (including secure RPC) servers
Microsoft network server: Off Not Defined Server SPN target name validation level
Interactive logon: Smart card No Action Lock Workstation removal behavior
Network security: Minimum No minimum Require NTLMv2 session session security for NTLM security,Require 128-bit encryption SSP based (including secure RPC) clients
Interactive logon: Number of 10 logons 4 logon(s) previous logons to cache (in case domain controller is not available)
Windows Security Hardening 2 Windows Security Hardening Windows Security Hardening
Setting Name Default Value Compliance
Network Security: Restrict Not defined Not Defined NTLM: NTLM authentication in this domain
Network Security: Restrict Not defined Not Defined NTLM: Outgoing NTLM traffic to remote servers
Network access: Let Disabled Disabled Everyone permissions apply to anonymous users
Network Security: Restrict Not defined Not Defined NTLM: Add server exceptions in this domain
Network Security: Restrict Not defined Not Defined NTLM: Audit Incoming NTLM Traffic
Network access: Do not allow Disabled Enabled anonymous enumeration of SAM accounts and shares
Network access: Do not allow Enabled Enabled anonymous enumeration of SAM accounts
Shutdown: Clear virtual Disabled Disabled memory pagefile
Network access: Remotely System\CurrentControlSet\Control\ System\CurrentControlSet\Control\ accessible registry paths ProductOptionsSystem\ ProductOptionsSystem\ CurrentControlSet\Control\ CurrentControlSet\Control\ Server Applications Software\Microsoft\ Server Applications WindowsNT\CurrentVersion Software\Microsoft\ WindowsNT\CurrentVersion
Network access: Shares that Not defined Not Defined can be accessed anonymously
Turn off the "Publish to Web" Not configured Not Configured task for files and folders
Shutdown: Allow system to Enabled Disabled be shut down without having to log on
System objects: Require case Enabled Enabled insensitivity for non-Windows subsystems
Windows Security Hardening 3 Windows Security Hardening Windows Security Hardening
Setting Name Default Value Compliance
Network access: Sharing and Classic - local users authenticate as Classic - local users authenticate as security model for local themselves themselves accounts
Interactive logon: Do not Disabled Disabled require CTRL+ALT+DEL
Devices: Allowed to format Administrators Administrators and eject removable media
Turn off the Windows Not configured Not Configured Messenger Customer Experience Improvement Program
System settings: Use Disabled Enabled Certificate Rules on Windows Executables for Software Restriction Policies
Turn off Search Companion Not configured Not Configured content file updates
Network access: Allow Disabled Disabled anonymous SID/Name translation
Network access: Remotely System\CurrentControlSet\Control\Print\ System\CurrentControlSet\Control\Print\ accessible registry paths and PrintersSystem\CurrentControlSet\Services\ PrintersSystem\CurrentControlSet\Services\ sub-paths Eventlog, Software\Microsoft\OLAP Eventlog, ServerSoftware\ Software\Microsoft\OLAP Microsoft\Windows ServerSoftware\ NT\CurrentVersion\Print Software\ Microsoft\Windows Microsoft\WindowsNT\CurrentVersion\ NT\CurrentVersion\Print Software\ Windows Microsoft\WindowsNT\CurrentVersion\ System\CurrentControlSet\Control\ Windows ContentIndexSystem\CurrentControlSet\ System\CurrentControlSet\Control\ Control\Terminal ServerSystem\ ContentIndexSystem\CurrentControlSet\ CurrentControlSet\Control\Terminal Control\Terminal ServerSystem\ Server\ CurrentControlSet\Control\Terminal UserConfigSystem\CurrentControlSet\ Server\ Control\Terminal Server\ UserConfigSystem\CurrentControlSet\ DefaultUserConfigurationSoftware\ Control\Terminal Server\ Microsoft\Windows DefaultUserConfigurationSoftware\ NT\CurrentVersion\PerflibSystem\ Microsoft\Windows CurrentControlSet\Services\SysmonLog NT\CurrentVersion\PerflibSystem\ CurrentControlSet\Services\SysmonLog
Recovery console: Allow Disabled Disabled automatic administrative logon
Windows Security Hardening 4 Windows Security Hardening Windows Security Hardening
Setting Name Default Value Compliance
Turn off Autoplay Not configured Enabled
Turn off Windows Update Disabled Not Configured device driver searching
Network access: Restrict Enabled Enabled anonymous access to Named Pipes and Shares
Recovery console: Allow Disabled Disabled floppy copy and access to all drives and all folders
Network access: Named Pipes None Not Defined that can be accessed anonymously
Audit Policy: System: IPsec No auditing Success and Failure Driver
Audit Policy: System: No auditing Success and Failure Security System Extension
Audit Policy: Account Success Success and Failure Management: Security Group Management
Audit: Force audit policy Not defined Enabled subcategory settings (Windows Vista or later) to override audit policy category settings
Audit Policy: Account No auditing Success and Failure Management: Other Account Management Events
Audit Policy: System: Success Success and Failure Security State Change
Audit Policy: Detailed No auditing Success Tracking: Process Creation
Audit Policy: System: Other Success and Failure Success and Failure System Events
Audit Policy: Logon-Logoff: Success Success Account Lockout
Audit Policy: Policy Change: Success Success and Failure Audit Policy Change
Windows Security Hardening 5 Windows Security Hardening Windows Security Hardening
Setting Name Default Value Compliance
Audit: Audit the access of Disabled Not Defined global system objects
Audit Policy: Logon-Logoff: Success Success Special Logon
Audit Policy: Account Success Success and Failure Management: User Account Management
Audit Policy: Account Logon: No auditing Success and Failure Credential Validation
Audit Policy: Logon-Logoff: Success Success and Failure Logon
Audit Policy: Account No auditing Success Management: Computer Account Management
Audit Policy: Privilege Use: No auditing Success and Failure Sensitive Privilege Use
Audit Policy: Logon-Logoff: Success Success Logoff
Audit Policy: Policy Change: Success Success Authentication Policy Change
Audit: Audit the use of Disabled Not Defined Backup and Restore privilege
Audit Policy: System: System Success and Failure Success and Failure Integrity
Turn off toast notifications on None Enabled the lock screen
Microsoft network server: 15 minutes 15 minute(s) Amount of idle time required before suspending session
Interactive logon: Message Not defined Not Defined text for users attempting to log on
Interactive logon: Machine Not defined 900 seconds inactivity limit
Microsoft network server: Enabled Enabled Disconnect clients when logon hours expire
Windows Security Hardening 6 Windows Security Hardening Windows Security Hardening
Setting Name Default Value Compliance
Interactive logon: Message Not defined Not Defined title for users attempting to log on
Network security: Force Disabled Enabled logoff when logon hours expire
Sign-in last interactive user None Disabled automatically after a system-initiated restart
Interactive logon: Display Not defined Not Defined user information when the session is locked
Interactive logon: Do not Disabled Enabled display last user name
Interactive logon: Machine Not defined 10 invalid logon attempts account lockout threshold
Allow Remote Shell Access Not configured Not Configured
Devices: Prevent users from Disabled Enabled installing printer drivers
Create global objects Administrators, Service, Local Service, Administrators, Service, Local Network Service Service, Network Service
Access this computer from Everyone, Administrators, Users, Administrators, Authenticated Users the network Backup Operators
Domain controller: Allow Not defined Not Defined server operators to schedule tasks
Modify an object label None No One
Generate security audits Local Service, Network Service Local Service, Network Service
Increase scheduling priority Administrators Administrators
Force shutdown from a Administrators Administrators remote system
Allow log on through Remote Administrators, Remote Desktop Users Administrators Desktop Services
Change the system time Local Service, Administrators Local Service, Administrators
Add workstations to domain Not defined (Authenticated Users for Not Defined domain controllers)
Windows Security Hardening 7 Windows Security Hardening Windows Security Hardening
Setting Name Default Value Compliance
Create a pagefile Administrators Administrators
Profile single process Administrators Administrators
Deny log on as a batch job No one Guests
Act as part of the operating No one No One system
Change the time zone Local Service, Administrators Local Service, Administrators
Synchronize directory service Not defined Not Defined data
Lock pages in memory No one No One
Access Credential Manager No one No One as a trusted caller
Create a token object No one No One
Debug programs Administrators Administrators
Deny log on as a service No one Guests
Deny access to this computer Guests Guests, NT AUTHORITY\Local from the network account and member of Administrators group
Back up files and directories Administrators, Backup Operators Administrators
Shut down the system Administrators, Backup Operators, Administrators Users
Deny log on locally Guests Guests
Replace a process level token Local Service, Network Service Local Service, Network Service
Modify firmware Administrators Administrators environment values
Allow log on locally Guest, Administrators, Users, Backup Administrators Operators
Restore files and directories Administrators, Backup Operators Administrators
Profile system performance Administrators,NT Administrators,NT Service\WdiServiceHost Service\WdiServiceHost
Log on as a batch job Administrators, Backup Operators Not Defined
Perform volume maintenance Administrators Administrators tasks
Windows Security Hardening 8 Windows Security Hardening Windows Security Hardening
Setting Name Default Value Compliance
Manage auditing and security Administrators Administrators log
Enable computer and user No one No One accounts to be trusted for delegation
Impersonate a client after Administrators, Service, Local Service, Administrators, Service, Local authentication Network Service Service, Network Service
Load and unload device Administrators Administrators drivers
Take ownership of files or Administrators Administrators other objects
Adjust memory quotas for a Local Service, Network Service, Administrators, Local Service, process Administrators Network Service
Log on as a service No one Not Defined
Create symbolic links Administrators Administrators
Create permanent shared No one No One objects
System cryptography: Force Disabled Not Defined strong key protection for user keys stored on the computer
Domain member: Require Disabled Enabled strong (Windows 2000 or later) session key
Windows Firewall: Domain: Yes No Allow unicast response
Windows Firewall: Domain: Yes Yes (default) Apply local firewall rules
Windows Firewall: Domain: Block Enabled Inbound connections
Windows Firewall: Private: On On Firewall state
Windows Firewall: Private: Yes Yes (default) Apply local connection security rules
Windows Firewall: Private: Yes No Allow unicast response
Windows Security Hardening 9 Windows Security Hardening Windows Security Hardening
Setting Name Default Value Compliance
Windows Firewall: Public: Yes Yes (default) Apply local firewall rules
Windows Firewall: Public: Yes Yes Apply local connection security rules
Windows Firewall: Public: On On Firewall state
Windows Firewall: Private: Allow Allow (default) Outbound connections
Windows Firewall: Domain: Allow Allow (default) Outbound connections
Windows Firewall: Domain: On On Firewall state
Windows Firewall: Public: Yes No Allow unicast response
Windows Firewall: Public: Block Enabled Inbound connections
Windows Firewall: Domain: Yes Yes (default) Apply local connection security rules
Windows Firewall: Private: Yes Yes (default) Display a notification
Windows Firewall: Domain: Yes Yes (default) Display a notification
Windows Firewall: Public: Yes Yes Display a notification
Windows Firewall: Public: Allow Allow (default) Outbound connections
Windows Firewall: Private: Block Enabled Inbound connections
Windows Firewall: Private: Yes Yes (default) Apply local firewall rules
Default Protections for None Enabled Internet Explorer
Password protect the screen Not Configured Enabled saver
Windows Security Hardening 10 Windows Security Hardening Windows Security Hardening
Setting Name Default Value Compliance
Local Poilcy Disabled Enabled User Account Control: Admin Approval Mode for the Built-in Administrator account Default Protections for None Enabled Software
User Account Control: Only Enabled Enabled elevate UIAccess applications that are installed in secure locations
Default Protections for None Enabled Popular Software
Apply UAC restrictions to None Enabled local accounts on network logons
User Account Control: Prompt for consent for non-Windows Prompt for consent on the secure Behavior of the elevation binaries desktop prompt for administrators in Admin Approval Mode
User Account Control: Allow Disabled Disabled UIAccess applications to prompt for elevation without using the secure desktop
Local Policy Enabled Enabled User Account Control: Virtualize file and registry write failures to per-user locations User Account Control: Switch Enabled Enabled to the secure desktop when prompting for elevation
User Account Control: Run Enabled Enabled all administrators in Admin Approval Mode
WDigest Authentication None Disabled
Windows Security Hardening 11 Windows Security Hardening Windows Security Hardening
Setting Name Default Value Compliance
User Account Control: Prompt for credentials Automatically deny elevation Behavior of the elevation requests prompt for standard users
System ASLR None Enabled
System DEP Enabled: Application Opt-Out Enabled
System objects: Strengthen Enabled Enabled default permissions of internal system objects (e.g. Symbolic Links)
Enable screen saver Not Configured Enabled
Force specific screen saver Not Configured Enabled
Increase a process working Users Not Defined set
User Account Control: Detect Enabled Enabled application installations and prompt for elevation
System SEHOP Enabled: Application Opt-Out Enabled
Network Security: Configure Not defined Not Defined encryption types allowed for Kerberos
Set client connection Not configured Not Configured encryption level
Microsoft network client: Enabled Enabled Digitally sign communications (if server agrees)
Domain controller: LDAP Not defined Not Defined server signing requirements
Network security: LDAP Negotiate signing Negotiate signing client signing requirements
Microsoft network client: Disabled Enabled Digitally sign communications (always)
Microsoft network server: Disabled Enabled Digitally sign communications (always)
Windows Security Hardening 12 Windows Security Hardening Windows Security Hardening
Setting Name Default Value Compliance
Domain member: Digitally Enabled Enabled sign secure channel data (when possible)
Domain member: Digitally Enabled Enabled encrypt or sign secure channel data (always)
Microsoft network server: Disabled Enabled Digitally sign communications (if client agrees)
Domain member: Digitally Enabled Enabled encrypt secure channel data (when possible)
Specify the maximum log file 20480 KB Enabled size (KB)
Specify the maximum log file 20480 KB Enabled size (KB)
Specify the maximum log file 20480 KB Enabled size (KB)
Audit: Shut down system Disabled Disabled immediately if unable to log security audits
Accounts: Limit local account Enabled Enabled use of blank passwords to console logon only
Domain controller: Refuse Not defined Not Defined machine account password changes
Domain member: Disable Disabled Disabled machine account password changes
Domain member: Maximum 30 days 30 day(s) machine account password age
Network access: Do not allow Disabled Not Defined storage of passwords and credentials for network authentication
Windows Security Hardening 13 Windows Security Hardening Windows Security Hardening
Setting Name Default Value Compliance
Interactive logon: Prompt user 14 days 14 day(s) to change password before expiration
Allow indexing of encrypted None Disabled files
Accounts: Rename Administrator Not Defined administrator account
Do not display network None Enabled selection UI
Allow Microsoft accounts to None Enabled be optional
Accounts: Administrator Enabled Not Defined account status
Accounts: Guest account Disabled Disabled status
Accounts: Rename guest Guest Not Defined account
Prevent enabling lock screen None Enabled slide show
Prevent enabling lock screen None Enabled camera
IRC Ports Not Defined Disabled
Outgoing Email Port 25 Not Defined Disabled
Advanced Audit Policy Success Success and Failure Configuration Audit Directory Service Access
Other Windows Hardening Considerations The following table lists the IIS settings with their corresponding default and possible values.
Windows Security Hardening 14 Windows Security Hardening Windows Security Hardening
Setting Name Default Value Supported Values
ASP.NET RemoteOnly • On: The system displays custom errors to both Application Custom remote systems and the local host. Error • Off: The system displays ASP.NET errors to both remote systems and the local host. • RemoteOnly: The system displays custom errors to the remote systems and ASP.NET errors to the local host.
Note You can use any of these options available without impacting the system functionality.
HTTPOnlyCookie Off Off
AllowUnlisted true true
requestFiltering .asax, .ascx, .master, .skin, .asax, .ascx, .master, .skin, .browser, .sitemap, .browser, .sitemap, .config, .cs, .config, .cs, .csproj, .vb, .vbproj, .webinfo, .licx, File extensions .csproj, .vb, .vbproj, .webinfo, .resx, .resources, .mdb, .vjsproj, .java, .jsl, .ldb, blocked using false as .licx, .resx, .resources, .mdb, .dsdgm, .ssdgm, .lsad, .ssmap, .cd, .dsprototype, the value for the .vjsproj, .java, .jsl, .ldb, .dsdgm, .lsaprototype, .sdm, .sdmDocument, .mdf, .ldf, .ad, allowed attribute. .ssdgm, .lsad, .ssmap, .cd, .dd, .ldd, .sd, .adprototype, .lddprototype, .exclude, .dsprototype, .lsaprototype, .refresh, .compiled, .msgx, .vsdisco, .rules .sdm, .sdmDocument, .mdf, .ldf, .com, .doc, .docx, .docm, .jar, .hta, .vbs, .pdf, .sfx, .ad, .dd, .ldd, .sd, .adprototype, .bat, .dll, .tmp, .py, .msi, .msp, .gadget, .cmd, .vbe, .lddprototype, .exclude, .refresh, .jse, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .lnk, .compiled, .msgx, .vsdisco, .inf, .scf, .ws, .wsf, .scr, .pif .rules
Note Certain extensions, such as .exe, .htm and .dll, cannot be filtered in IIS.
Windows Security Hardening 15 Windows Security Hardening Windows Security Hardening
Windows Security Hardening 16