Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP


Solutions for Security and Compliance

Version 2.0

Published: December 2005

For the latest information, please see www.microsoft.com/technet/security

© 2005 Microsoft Corporation. This work is licensed under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

Contents

1 Introduction to Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
  • Chapter Summaries
  • Tools and Templates

2 Domain Level Policies
  • Account Policies
  • More Information

3 Audit Policy
  • Audit Settings
  • More Information

4 User Rights
  • User Rights Assignment Settings
  • More Information

5 Security Options
  • Security Options Settings
  • More Information

6 Event Log
  • Event Log Settings
  • More Information

7 System Services
  • Services Overview
  • Do Not Set Permissions on Service Objects
  • Descriptions of System Services
  • More Information

8 Software Restriction Policies
  • The Threat of Malicious Software
  • More Information

9 Windows XP and Windows Server 2003 Administrative Templates
  • Computer Configuration Settings
  • User Configuration Settings
  • More Information

10 Additional Registry Entries
  • Customized Security Configuration Editor
  • TCP/IP-Related Registry Entries
  • Miscellaneous Registry Entries
  • Registry Entries Available in Windows XP with SP2 and Windows Server 2003 with SP1
  • Registry Entries Available in Windows XP with SP2
  • Registry Entries Available in Windows Server 2003 with SP1
  • More Information

11 Additional Countermeasures
  • Configuring Windows Firewall
  • More Information

12 Conclusion
  • More Information

Acknowledgments

Feedback

The Microsoft Solutions for Security and Compliance team would appreciate your thoughts about this and other security solutions. Have an opinion? Let us know on the Security Solutions Blog for the IT Professional at http://blogs.technet.com/secguide. Or e-mail your feedback to the following address: [email protected]. We look forward to hearing from you.

1 Introduction to Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP

The purpose of this guide is to provide you with a reference to security settings that provide countermeasures for specific threats against current versions of the Microsoft® Windows® operating systems. This guide is a companion for two other publications that are available from Microsoft:

• Windows Server 2003 Security Guide, available online at http://go.microsoft.com/fwlink/?LinkId=14845
• Windows XP Security Guide, available online at http://go.microsoft.com/fwlink/?LinkId=14839

Many of the countermeasures that are described in this guide are not intended for specific computer roles in the companion guides, or in some cases for any roles at all. These countermeasures help assure compatibility, usability, manageability, availability, or performance. Although often stated, it is nonetheless worth repeating that security and functionality are the opposite extremes of a continuum; the greater the level of security, the lower the level of functionality, and vice versa. There are exceptions, and some security countermeasures actually help to improve functionality, but for the most part this adage holds true.

The chapter structure of this guide is similar to the way the major setting sections display in the user interface of the Group Policy Object Editor. Each chapter begins with a brief explanation of what is in the chapter, followed by a list of subsection headers, each of which corresponds to a setting or group of settings. (These settings are listed in the Microsoft Excel® workbook that is described later in this chapter.) Each subsection includes a brief explanation of what the countermeasure does, and includes the following three additional subsections:

• Vulnerability. Explains how an attacker might exploit a feature or its configuration.
• Countermeasure. Explains how to implement the countermeasure.
• Potential Impact. Explains the possible negative consequences of countermeasure implementation.

For example, Chapter 2, "Domain Level Policies," begins with the following sections:

Account Policies
• Enforce password history
    • Vulnerability
    • Countermeasure
    • Potential Impact
• Maximum Password Age
    • Vulnerability
    • Countermeasure
    • Potential Impact

This pattern is repeated throughout this guide. Settings that are closely related are presented in a single section. For example, in Chapter 5, "Security Options," four settings are all placed into the “Microsoft network client and server: Digitally sign communications (four related settings)” section. These settings include the following:

• Microsoft Network Client: Digitally Sign Communications (Always)
• Microsoft Network Server: Digitally Sign Communications (Always)
• Microsoft Network Client: Digitally Sign Communications (If Server Agrees)
• Microsoft Network Server: Digitally Sign Communications (If Client Agrees)

Although many Group Policy settings are documented in this guide, those that are intended to help organizations manage their environments are not documented. This guide only examines the settings and features in Microsoft Windows Server™ 2003 with SP1 and Windows XP with SP2 that can help organizations secure their enterprises against specific threats. Settings and features that were added subsequent to those Service Packs, or functionalities that may be added by software released after those Service Packs, are not discussed in this guide. Also, management features and those security features that are not configurable by administrators are not described in this guide.

The information that is provided within this guide should help you and your organization understand the countermeasures that are available in current versions of the Windows operating system, but for prescriptive guidance about what settings to use for specific scenarios please refer to the two companion guides:

• Windows Server 2003 Security Guide, available online at http://go.microsoft.com/fwlink/?LinkId=14845
• Windows XP Security Guide, available online at http://go.microsoft.com/fwlink/?LinkId=14839

The Microsoft Excel workbook "Windows Default Security and Services Configuration" (included with this guide) documents the default settings. The first worksheet ("Windows Server 2003 Defaults") details all of the default Group Policy settings that are available in Windows Server 2003. This worksheet includes the following columns:

• The H column, Policy Setting Name in User Interface, is the name of the setting as it appears in the Windows Server 2003 Group Policy Editor