Working Aide - Windows Security Template Settings Final - 06 March 2008 Ted Mac Daibhidh, CD

WORKING AIDE - WINDOWS SECURITY TEMPLATE SETTINGS

TED MAC DAIBHIDH, CD


Table of Contents

1 INTRODUCTION
2 WINDOWS SECURITY TEMPLATES
3 SECURITY SETTINGS
3.1 PASSWORD
3.2 ACCOUNT LOCKOUT
3.3 KERBEROS POLICY
3.4 AUDIT POLICY
3.5 USER RIGHTS ASSIGNMENTS
3.6 SECURITY OPTIONS
3.7 EVENT LOG SIZE
3.8 GUEST ACCESS
3.9 RETENTION METHOD
3.10 SYSTEM SERVICES
3.11 TCP/IP STACK HARDENING
3.12 AFD.SYS
3.13 OTHER SETTINGS
4 ANNEXES
4.1 GENERAL SECURITY SETTING VALUES
4.2 WINDOWS SECURITY IDENTIFIERS (SIDS)
4.3 COMMON ACCESS CONTROL LIST (ACL) SETTINGS
4.4 SECURITY POLICY COMPARISON AND ANALYSIS
5 REFERENCES


1 INTRODUCTION

The purpose of this document is to aggregate several disparate documents and sources regarding Microsoft Windows security template settings, so as to assist those with limited exposure to the subject who find themselves tasked with a project requiring interpretation of these settings.


2 WINDOWS SECURITY TEMPLATES [1]

Security templates are setup information (.inf) files that define system security settings (e.g. user rights, permissions, password policies) on a Windows host. Security templates can be deployed either centrally, by importing them into Group Policy objects (GPOs), or locally, using tools such as secedit.exe or the Security Templates and Security Configuration and Analysis MMC snap-ins.

Windows installations have several standard security templates which can be found in the C:\Windows\Security\Templates folder. The standard security templates are:

a. Compatws.inf – relaxes Registry and file system permissions so that older applications, which expect weaker security, can run under ordinary user accounts;

b. DC security.inf – configures the Registry and file system security of a domain controller, including one that was upgraded from Windows NT to Windows 2000/2003;

c. Hisecdc.inf – applies the high-security settings for domain controllers, including stricter requirements on network communications;

d. Hisecws.inf – applies the high-security settings for client computers and member servers;

e. Notssid.inf – removes the Terminal Server SID from file system and Registry ACLs so that older applications can run on Windows Terminal Services;

f. Ocfiless.inf – applies default security to optional components that are installed after the operating system, such as Terminal Services and Certificate Services;

g. Securedc.inf – applies the secure settings for domain controllers, including stricter requirements on network communications, but not to the level of the High Security DC template;

h. Securews.inf – applies the secure settings for client computers and member servers; and

i. Setup security.inf – reapplies the default security settings of a freshly installed computer.

[1] Melber, Derek. "Understanding Windows Security Templates". 06 October 2004. Accessed on 25 March 2008. http://www.windowsecurity.com/articles/Understanding-Windows-Security-Templates.html.


3 SECURITY SETTINGS

The sections below define some of the individual security settings found in security templates. Where available, the CSEC recommended setting values [2] are provided and explained.

3.1 Password

Enforce password history PasswordHistorySize = 24

'PasswordHistorySize' defines the number of previous passwords retained by the system; a new password is rejected if it matches one of them.

The setting '24' requires the user to select twenty-four unique passwords before the first one can be re-used. With a 'MinimumPasswordAge' of two days, the user would need at least twenty-four changes two days apart, i.e. 48 days, to return to the original password.

Maximum password age MaximumPasswordAge = 42

'MaximumPasswordAge' defines the maximum number of days a user can keep the same password.

A setting of forty-two requires the user to change their password every forty-two days; combined with the 'PasswordComplexity' and 'MinimumPasswordLength' settings, this limits how long a guessed or stolen password remains usable.

Minimum password age MinimumPasswordAge = 2

'MinimumPasswordAge' defines how many days a user must wait between password changes.

The setting '2' requires the user to wait two days before changing the password again; without a minimum age, a user could cycle through the entire password history in minutes and return to the old password immediately.

Minimum password length MinimumPasswordLength = 8

'MinimumPasswordLength' defines the minimum number of characters acceptable for a password.

The setting '8' requires the user to enter a password of eight characters or more; combined with the 'PasswordComplexity' and 'MaximumPasswordAge' settings, this raises the cost of password guessing.

[2] Communications Security Establishment Canada. "Windows Server 2003 Recommended Baseline Security (ITSG-20)". http://www.cse-cst.gc.ca/documents/publications/gov-pubs/itsg/itsg20.pdf.


Password must meet complexity requirements PasswordComplexity = 1

'PasswordComplexity' determines whether password complexity requirements are enforced; this setting helps thwart dictionary and brute-force attacks.

The setting '1' requires a password that does not contain the user's account name and that includes characters from at least three of the four categories below:

• Upper Case Character (A-Z)

• Lower Case Character (a-z)

• Base 10 Digits (0-9)

• Non-alphanumeric characters (e.g. ! @ # $ % ^ &)

Store password using reversible encryption ClearTextPassword = 0

The 'ClearTextPassword' keyword determines whether the system stores passwords using reversible encryption, which is equivalent to storing them in clear text. The setting '0' disables reversible encryption.

NOTE: Never enable this option unless operational considerations outweigh the need to protect password information.

3.2 Account Lockout

Account lockout duration LockoutDuration = 15

'LockoutDuration' defines the length of time (in minutes) that an account remains locked after lockout; 'ResetLockoutCount' must be less than or equal to this value. A value of '0' leaves the account locked until an administrator unlocks it.

The setting '15' locks the user's account for 15 minutes.

Account lockout threshold LockoutBadCount = 10

'LockoutBadCount' defines the number of failed logon attempts allowed before the account is locked; a value of '0' disables lockout altogether.

The setting '10' causes the user's account to be locked after 10 failed logon attempts within the 'ResetLockoutCount' window. The setting prevents extended online password guessing attacks, at the cost of letting an attacker who knows account names lock users out deliberately.


Reset account lockout counter after ResetLockoutCount = 15

'ResetLockoutCount' defines the length of time (in minutes) after the last failed logon before the failed-logon counter is reset to zero; this value must be less than or equal to 'LockoutDuration'.

The setting '15' resets the counter to zero after fifteen minutes.

3.3 Kerberos Policy

Enforce user logon restrictions TicketValidateClient = 1

'TicketValidateClient' determines whether the Key Distribution Centre (KDC) validates every request for a service ticket against the user rights policy of the target computer (e.g. 'Allow log on locally', 'Access this computer from the network').

The setting '1' enables the check, so that a user who lacks the logon right on the target computer is refused a service ticket at the KDC.

Maximum lifetime for the service ticket MaxServiceAge = 600

'MaxServiceAge' defines the number of minutes a service ticket will be valid.

The setting '600' allows a service ticket to be used for ten hours; the value cannot exceed the user ticket lifetime set by 'MaxTicketAge'.

Maximum lifetime for user ticket MaxTicketAge = 10

'MaxTicketAge' defines the maximum number of hours a user's ticket granting ticket may be used.

The setting '10' indicates that the ticket granting ticket must be replaced or renewed after ten hours.

Maximum lifetime for user ticket renewal MaxRenewAge = 7

'MaxRenewAge' defines the number of days a ticket granting ticket may be renewed after issuance.

The setting '7' allows a ticket granting ticket to be renewed for seven days.

Maximum tolerance for computer clock synchronization MaxClockSkew = 5

'MaxClockSkew' defines the maximum number of minutes by which a client's clock may differ from the domain controller's clock.

The setting '5' means that a system whose clock is off by more than five minutes cannot authenticate with Kerberos; the small tolerance also limits the window in which a captured ticket can be replayed.


3.4 Audit Policy

Additional information regarding audit policy can be found in section 4.1.4 of the Annex. Each audit value is a bitmask: '1' audits success events, '2' audits failure events, '3' audits both and '0' audits nothing.

Audit account logon events AuditAccountLogon = 3

'AuditAccountLogon' determines whether credential validation is audited; for domain accounts this is recorded on the domain controller that validates the credentials, not on the computer being accessed. 'Success' events can determine who authenticated during an incident; 'fail' events provide insight into password guessing attacks.

The setting '3' audits 'success' and 'fail' events.

Audit account management AuditAccountManage = 3

'AuditAccountManage' determines whether account management events (creation, deletion and renaming of accounts, password changes and group membership changes) are audited; 'success' events can be used in investigations to reconstruct account changes at the time of an incident. 'Fail' attempts can reveal users trying to make changes they are not permitted to make.

The setting '3' audits 'success' and 'fail' events.

Audit directory service access AuditDSAccess = 3

'AuditDSAccess' determines whether access to Active Directory objects that carry a system access control list (SACL) is audited; the Directory Service holds crucial information for the Domain, and knowledge of which objects were accessed during an incident provides valuable information about the attack.

The setting '3' audits 'success' and 'fail' events.

Audit logon events AuditLogonEvents = 3

'AuditLogonEvents' determines whether logon and logoff events on the local system are audited; 'success' events can be used to determine who was accessing the system during an incident. 'Fail' logon attempts can determine if the system is under a password guessing attack.

The setting '3' audits 'success' and 'fail' events.

Audit object access AuditObjectAccess = 2

'AuditObjectAccess' determines whether access to objects (files, folders, Registry keys, printers) that carry a SACL is audited; failed attempts can be monitored to determine if any users are probing the system for vulnerabilities.

The setting '2' audits failed events only.


Audit policy change AuditPolicyChange = 3

'AuditPolicyChange' determines whether changes to user rights assignments, audit policy and trust relationships are audited; 'success' events establish the policy in force at the time of an incident. 'Fail' attempts can determine if users are probing the system for vulnerabilities.

The setting '3' audits 'success' and 'fail' events.

Audit privilege use AuditPrivilegeUse = 3

'AuditPrivilegeUse' determines whether each exercise of a user right is audited; 'success' events are used to determine who was using privileges on the system at the time of an incident. 'Fail' attempts can determine if users are probing the system for vulnerabilities.

The setting '3' audits 'success' and 'fail' events.

Audit process tracking AuditProcessTracking = 0

'AuditProcessTracking' determines whether process creation and termination, handle duplication and indirect object access are audited. Due to the large volume of data generated when this setting is enabled, the normal setting is disabled. However, during an incident the information provided is invaluable; if an attack is suspected, it is recommended that the setting be changed to '1' (audit success events, which is how process creation is recorded).

The setting '0' audits no events. The value of this information is weighed against the volume of data collected.

Audit system events AuditSystemEvents = 3

'AuditSystemEvents' defines events to be audited; these events reflect system shutdowns and restarts, system security events, and events that affect the security log.

The setting '3' audits 'success' and 'fail' events.
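The password, account lockout, Kerberos and audit settings above are all plain key = value entries in the [System Access], [Kerberos Policy] and [Event Audit] sections of the template, and several of them only make sense in relation to each other (the lockout reset window against the lockout duration, the service ticket lifetime against the TGT lifetime, the history size against the minimum age). The script below is an added example, not code from this aide or from CSEC: it parses a template in that format and reports where the values depart from the baseline given in sections 3.1 to 3.4. The sample template is constructed for illustration and contains two deliberate deviations; on a real host the current settings are exported with `secedit /export /cfg current.inf` (a UTF-16 file that must be decoded before parsing). The "ge"/"le" comparison directions are my reading of which way each value may safely deviate.

```python
"""Audit a secedit-style security template against the values in sections
3.1 to 3.4.  Added example for this aide, not code from it or from CSEC.
A real template is exported with `secedit /export /cfg current.inf`; the
sample below is constructed for illustration."""
import configparser
from io import StringIO

# Constructed sample: the CSEC values from the text, with two deliberate
# deviations (ResetLockoutCount longer than LockoutDuration, and object access
# auditing switched off) so that the checks have something to report.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 42
MinimumPasswordAge = 2
MinimumPasswordLength = 8
PasswordComplexity = 1
ClearTextPassword = 0
LockoutDuration = 15
LockoutBadCount = 10
ResetLockoutCount = 30
[Kerberos Policy]
TicketValidateClient = 1
MaxServiceAge = 600
MaxTicketAge = 10
MaxRenewAge = 7
MaxClockSkew = 5
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 3
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPolicyChange = 3
AuditPrivilegeUse = 3
AuditProcessTracking = 0
AuditSystemEvents = 3
"""

# (key, baseline value, how the actual value must compare to the baseline):
# "eq" must equal, "ge" at least, "le" at most.  Directions are an assumption.
SYSTEM_ACCESS_BASELINE = [
    ("PasswordHistorySize", 24, "ge"), ("MaximumPasswordAge", 42, "le"),
    ("MinimumPasswordAge", 2, "ge"),   ("MinimumPasswordLength", 8, "ge"),
    ("PasswordComplexity", 1, "eq"),   ("ClearTextPassword", 0, "eq"),
    ("LockoutDuration", 15, "ge"),     ("LockoutBadCount", 10, "le"),
    ("ResetLockoutCount", 15, "ge"),
]
# Categories the text sets to 2 or 3, i.e. failure auditing is expected.
AUDIT_NEEDS_FAILURE = [
    "AuditAccountLogon", "AuditAccountManage", "AuditDSAccess", "AuditLogonEvents",
    "AuditObjectAccess", "AuditPolicyChange", "AuditPrivilegeUse", "AuditSystemEvents",
]

def load_template(text):
    """Parse .inf text into {section: {key: value}}.  Template keys are
    case-insensitive on Windows, so configparser's lower-casing is harmless."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(StringIO(text))
    return {s: dict(cp.items(s)) for s in cp.sections()}

def audit_flags(value):
    """[Event Audit] values are a bitmask: bit 0 = success, bit 1 = failure."""
    v = int(value)
    return {"success": bool(v & 1), "failure": bool(v & 2)}

def days_to_reuse_password(tpl):
    """Earliest day on which a user can cycle back to the original password:
    PasswordHistorySize changes, each separated by MinimumPasswordAge days."""
    sa = tpl["System Access"]
    return int(sa["passwordhistorysize"]) * int(sa["minimumpasswordage"])

def check_template(tpl):
    """Return a list of findings (empty when the template meets the baseline)."""
    findings = []
    sa = tpl.get("System Access", {})
    for key, baseline, cmp in SYSTEM_ACCESS_BASELINE:
        raw = sa.get(key.lower())
        if raw is None:
            findings.append(f"{key}: not set (baseline {baseline})")
            continue
        actual = int(raw)
        ok = {"eq": actual == baseline, "ge": actual >= baseline, "le": actual <= baseline}[cmp]
        if not ok:
            findings.append(f"{key}: {actual} (baseline {cmp} {baseline})")
    # Relationships between values that the per-key comparison cannot see.
    duration = int(sa.get("lockoutduration", 0))   # 0 = locked until an admin unlocks
    reset = int(sa.get("resetlockoutcount", 0))
    if duration and reset > duration:
        findings.append(f"ResetLockoutCount ({reset}) exceeds LockoutDuration ({duration})")
    kp = tpl.get("Kerberos Policy", {})
    tgt_minutes = int(kp.get("maxticketage", 10)) * 60
    if int(kp.get("maxserviceage", 600)) > tgt_minutes:
        findings.append("MaxServiceAge exceeds the TGT lifetime (MaxTicketAge)")
    if int(kp.get("maxrenewage", 7)) * 24 * 60 < tgt_minutes:
        findings.append("MaxRenewAge is shorter than the TGT lifetime")
    if int(kp.get("maxclockskew", 5)) > 5:
        findings.append("MaxClockSkew above 5 minutes widens the ticket replay window")
    ea = tpl.get("Event Audit", {})
    for key in AUDIT_NEEDS_FAILURE:
        if not audit_flags(ea.get(key.lower(), 0))["failure"]:
            findings.append(f"{key}: failure auditing not enabled")
    return findings

if __name__ == "__main__":
    template = load_template(SAMPLE_INF)
    print(f"original password reusable after {days_to_reuse_password(template)} days")
    for finding in check_template(template):
        print("FINDING:", finding)
```

Run against the constructed sample, the script reports the lockout reset window that exceeds the lockout duration (a combination the policy editor itself refuses) and the missing failure auditing on object access; everything else matches the baseline.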

3.5 User Rights Assignments

User rights assignments are designated using Windows Security Identifiers (SIDs), each prefixed with '*' in the template; refer to Annex 4.2. An empty value grants the right to no one.

Access this computer from the network senetworklogonright = *S-1-5-11,*S-1-5-32-544

'senetworklogonright' grants the right to connect to the system over the network (SMB, NetBIOS, CIFS, HTTP and COM+). The policy grants the right to Administrators and Authenticated Users. The ability to access the system from the network increases exposure to attack; restricting the right reduces that exposure.


Act as part of the operating system setcbprivilege =

'setcbprivilege' allows a process to act as part of the operating system and, in particular, to obtain an access token for any user. Microsoft recommends that no account be granted this privilege; this policy grants it to no one.

Add workstations to domain semachineaccountprivilege =

'semachineaccountprivilege' grants the right to add workstations to a domain. This policy grants the right to no one (the default domain controller policy grants it to Authenticated Users); restricting this privilege helps maintain domain integrity.

Adjust memory quotas for a process seincreasequotaprivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20

'seincreasequotaprivilege' grants the ability to adjust the memory quota of a process. This policy grants the right to Administrators, LOCAL SERVICE and NETWORK SERVICE; if misused, denial of service (DoS) is possible.

Allow log on locally seinteractivelogonright = *S-1-5-32-551,*S-1-5-32-544

'seinteractivelogonright' grants the right to log on at the local console. This policy grants the right to Administrators and Backup Operators. Local access is restricted to accounts that have a legitimate reason for it; by restricting this right, system exposure is reduced.

Allow log on through Terminal Services seremoteinteractivelogonright = *S-1-5-32-544

'seremoteinteractivelogonright' grants the right to log on remotely through Terminal Services. This policy grants the right to Administrators; there is no requirement to allow ordinary users this form of access.

Backup files and directories sebackupprivilege = *S-1-5-32-551,*S-1-5-32-544

'sebackupprivilege' grants the right to back up files and directories, bypassing NTFS read permissions in the process, so a holder can read any file on the system. This policy grants the right to Administrators and Backup Operators; if local policy does not allow administrators to perform backups, omit the Administrators group. The allocation of this privilege must be tightly controlled.

Bypass traverse checking sechangenotifyprivilege = *S-1-5-32-545,*S-1-5-32-551,*S-1-5-11,*S-1-5-32-544

'sechangenotifyprivilege' grants the right to traverse NTFS directories and Registry keys without having permission on the intermediate containers. This policy grants the right to Users, Backup Operators, Authenticated Users and Administrators.


Change the system time sesystemtimeprivilege = *S-1-5-32-544

'sesystemtimeprivilege' grants the right to change the system time; this policy grants the right to Administrators. The system time is critical in incident investigation; without consistent time, it is difficult to correlate events across multiple systems, and Kerberos authentication fails once the clock drifts beyond 'MaxClockSkew'.

Create a pagefile secreatepagefileprivilege = *S-1-5-32-544

'secreatepagefileprivilege' grants the right to create a page file. This policy grants the right to Administrators only, limiting it to trusted individuals; too large a page file can cause poor system performance.

Create a token object secreatetokenprivilege =

'secreatetokenprivilege' grants the right to create access token objects, which a process can use to assume arbitrary identities. This policy grants the right to no one, which prevents privilege escalation attacks and DoS conditions.

Create global objects secreateglobalprivilege = *S-1-5-6,*S-1-5-32-544

'secreateglobalprivilege' grants the right to create objects in the global namespace, visible to all sessions; it can be used to affect other users' processes. This policy grants the right to Administrators and the SERVICE account.

Create permanent shared objects secreatepermanentprivilege =

'secreatepermanentprivilege' grants the right to create permanent objects in the Windows object manager namespace; it is unrelated to file or printer shares and is normally needed only by kernel-mode components. This policy grants the right to no one.

Debug programs sedebugprivilege =

'sedebugprivilege' grants the right to attach a debugger to any process, including system processes, and to read or modify its memory; a holder can effectively take complete control of the system. Program debugging should never be done in a production environment; if it is required, grant the right only for the time needed to perform the debugging. This policy grants the right to no one.


Deny access to this computer from the network sedenynetworklogonright = *S-1-5-32-546,*S-1-5-7

'sedenynetworklogonright' prevents the listed accounts from connecting to the system over the network and overrides 'senetworklogonright'. This policy applies it to Guests and Anonymous Logon; administrators must additionally add the local accounts 'Guest', 'Support_388945a0' and the built-in Administrator account.

NOTE: If a group or user has no reason to access the system over the network, deny it.

Deny log on as a batch job sedenybatchlogonright = *S-1-5-32-546,*S-1-5-7

'sedenybatchlogonright' prevents the listed accounts from logging on as a batch job (e.g. via a Task Scheduler job); the batch facility could be used to schedule jobs that result in a DoS. This policy applies it to Guests and Anonymous Logon; administrators must add the local accounts 'Guest' and 'Support_388945a0'.

NOTE: If a group or user has no reason to log on to the system as a batch job, deny it.

Deny log on as a service sedenyservicelogonright = *S-1-5-32-546,*S-1-5-32-544,*S-1-5-7

'sedenyservicelogonright' prevents the listed accounts from logging on as a service and overrides 'seservicelogonright'. This policy applies it to Guests, Anonymous Logon and Administrators; administrators must add the local accounts 'Guest', 'Support_388945a0' and the built-in Administrator account.

NOTE: Any service configured to run under an account in one of these groups will fail to start.

Deny log on locally sedenyinteractivelogonright = *S-1-5-32-546,*S-1-5-7

'sedenyinteractivelogonright' prevents the listed accounts from logging on at the local console. This policy applies it to Guests and Anonymous Logon; administrators must add the local accounts 'Guest' and 'Support_388945a0'.

NOTE: If a group has no reason for interactive access to the system, deny it.

Deny log on through Terminal Services sedenyremoteinteractivelogonright = *S-1-5-32-546,*S-1-5-7

'sedenyremoteinteractivelogonright' prevents the listed accounts from logging on through Terminal Services. This policy applies it to Guests and Anonymous Logon; administrators must add the local accounts 'Guest', 'Support_388945a0' and the built-in Administrator account.

NOTE: If a group has no reason for Terminal Services access, deny it.


Enable computer and user accounts to be trusted for delegation seenabledelegationprivilege =

'seenabledelegationprivilege' grants the right to set the 'trusted for delegation' flag on Active Directory user and computer objects; misuse of this privilege allows a service to impersonate users throughout the Domain. This policy grants the right to no one.

Force shutdown from a remote system seremoteshutdownprivilege =

'seremoteshutdownprivilege' grants the right to shut the system down from a remote location; servers in a High Security zone require physical access to be shut down. This policy grants the right to no one.

Generate security audits seauditprivilege = *S-1-5-19,*S-1-5-20

'seauditprivilege' grants the right to generate records in the security log; limiting the right to non-interactive accounts prevents DoS conditions caused by deliberately filled logs (see 'crashonauditfail' in section 3.6). This policy grants the right to LOCAL SERVICE and NETWORK SERVICE.

Impersonate a client after authentication seimpersonateprivilege = *S-1-5-19,*S-1-5-20

'seimpersonateprivilege' grants the right to impersonate a client after authentication. Impersonation is required by server applications, but it is also what allows a compromised service to act with another client's token, so the right should be limited to non-interactive accounts. This policy grants the right to LOCAL SERVICE and NETWORK SERVICE.

Increase scheduling priority seincreasebasepriorityprivilege = *S-1-5-32-544

'seincreasebasepriorityprivilege' grants the right to increase process priority; this policy grants the right to Administrators.

Load and unload device drivers seloaddriverprivilege = *S-1-5-32-544

'seloaddriverprivilege' grants the right to load and unload device drivers. Driver code runs in kernel mode; restricting the right to Administrators reduces system exposure. This policy grants the right to Administrators.

Lock pages in memory selockmemoryprivilege =

'selockmemoryprivilege' grants the right to keep data in physical memory, preventing it from being paged to disk. Abuse of the privilege can starve the system of memory and cause a DoS; restricting it reduces exposure to this threat. This policy grants the right to no one.


Log on as a batch job sebatchlogonright =

'sebatchlogonright' grants the right to log on as a batch job, i.e. to run Task Scheduler jobs under the account; the Task Scheduler could be used to invoke a DoS condition, so limiting this right reduces the threat. This policy grants the right to no one.

Log on as a service seservicelogonright = *S-1-5-20,*S-1-5-19

'seservicelogonright' grants the right to log on as a service. This policy grants the right to LOCAL SERVICE and NETWORK SERVICE; interactive accounts are purposely excluded.

Manage auditing and security log sesecurityprivilege = *S-1-5-32-544

'sesecurityprivilege' grants the right to configure object access auditing and to view and clear the security log; this policy grants the right to Administrators. Administrators alone can determine the appropriate auditing level, ensuring that ordinary users cannot reduce auditing or eliminate traces of their activity.

Modify firmware environment values sesystemenvironmentprivilege = *S-1-5-32-544

'sesystemenvironmentprivilege' grants the right to modify firmware environment values. The ability to change system configuration must be strictly controlled; this policy grants the right to Administrators only.

Perform volume maintenance tasks semanagevolumeprivilege = *S-1-5-32-544

'semanagevolumeprivilege' grants the right to manage volumes or disks. The administrative function of volume and disk management can damage data on a disk; restricting this privilege reduces the threat. This policy grants the right to Administrators only.

Profile single process seprofilesingleprocessprivilege = *S-1-5-32-544

'seprofilesingleprocessprivilege' grants the right to monitor the performance of a non-system process. The ability to profile a process can provide information to be used as the basis of an attack; limiting the right to Administrators reduces this threat. This policy grants the right to Administrators.

Profile system performance sesystemprofileprivilege = *S-1-5-32-544

'sesystemprofileprivilege' grants the right to monitor the performance of system processes. Profiling the system gathers information useful for an attack; limiting the right to Administrators reduces this threat. This policy grants the right to Administrators only.


Remove computer from docking station seundockprivilege = *S-1-5-32-544

'seundockprivilege' grants the right to undock the server. As a preventive measure, this privilege should be restricted; this policy grants it to Administrators only.

Replace a process level token seassignprimarytokenprivilege = *S-1-5-19,*S-1-5-20

'seassignprimarytokenprivilege' grants the right to replace the primary security token of a child process; this can be used to launch processes as another user, providing a way to hide inappropriate activity on a system. This policy grants the right to LOCAL SERVICE and NETWORK SERVICE.

Restore files and directories serestoreprivilege = *S-1-5-32-544

'serestoreprivilege' grants the right to bypass file, directory and Registry permissions when restoring objects, which also lets a holder write any file and set the owner of an object to any account. Due to the nature of the restore process, the right should be restricted to accounts that are required to use it. This policy grants the right to Administrators only.

Shut down the system seshutdownprivilege = *S-1-5-32-544

'seshutdownprivilege' grants the right to shut down the system locally. Restricting this privilege reduces the threat of inadvertent or malicious shutdowns; this policy grants the right to Administrators only.

Synchronize directory service data sesyncagentprivilege =

'sesyncagentprivilege' grants the right to read all objects and properties in the Directory, regardless of their ACLs; information gained from Active Directory can be used to form an attack against the system. This policy grants the right to no one.

Take ownership of files or other objects setakeownershipprivilege = *S-1-5-32-544

'setakeownershipprivilege' grants the right to take ownership of any securable object in the system, after which the new owner can change its permissions. This policy grants the right to Administrators only; changes of ownership are recorded in the security log when object access auditing is configured for the object.
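Every right in this section is a [Privilege Rights] entry of the form right = *SID,*SID, and the text's recommendations reduce to three patterns: rights that must be empty, rights that must not go beyond Administrators, and deny rights that must include Guests and Anonymous Logon. The script below is an added example, not code from this aide: it parses such a section, resolves the well-known SIDs used above (the names follow Annex 4.2; S-1-1-0 'Everyone' is added because it is the most common over-grant), and reports departures from those three patterns. The sample section is constructed and contains deliberate deviations; the grouping of rights into the three sets is my reading of sections 3.5 above.

```python
"""Review the [Privilege Rights] section of a security template against the
recommendations in section 3.5.  Added example, not code from this aide;
the sample section is constructed and contains deliberate deviations."""
import configparser
from io import StringIO

# Well-known SIDs used in section 3.5 (see Annex 4.2), plus Everyone.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone", "S-1-5-6": "SERVICE", "S-1-5-7": "ANONYMOUS LOGON",
    "S-1-5-11": "Authenticated Users", "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE", "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users", "S-1-5-32-546": "Guests",
    "S-1-5-32-551": "Backup Operators",
}
ADMINS, GUESTS, ANON = "S-1-5-32-544", "S-1-5-32-546", "S-1-5-7"

# Rights the text says should be granted to no one (empty value).
MUST_BE_EMPTY = {
    "setcbprivilege", "semachineaccountprivilege", "secreatetokenprivilege",
    "secreatepermanentprivilege", "sedebugprivilege", "seenabledelegationprivilege",
    "seremoteshutdownprivilege", "selockmemoryprivilege", "sebatchlogonright",
    "sesyncagentprivilege",
}
# Rights the text limits to Administrators only.
ADMIN_ONLY = {
    "sesystemtimeprivilege", "seloaddriverprivilege", "sesecurityprivilege",
    "serestoreprivilege", "setakeownershipprivilege", "seremoteinteractivelogonright",
}
# Deny rights that must list Guests and ANONYMOUS LOGON.
DENY_RIGHTS = {
    "sedenynetworklogonright", "sedenybatchlogonright", "sedenyservicelogonright",
    "sedenyinteractivelogonright", "sedenyremoteinteractivelogonright",
}

# Constructed sample: debug granted to Administrators, driver loading extended
# to Users, and the network deny list missing ANONYMOUS LOGON.
SAMPLE_PRIVILEGES = """\
[Privilege Rights]
senetworklogonright = *S-1-5-11,*S-1-5-32-544
setcbprivilege =
sedebugprivilege = *S-1-5-32-544
seloaddriverprivilege = *S-1-5-32-544,*S-1-5-32-545
seinteractivelogonright = *S-1-5-32-551,*S-1-5-32-544
sedenynetworklogonright = *S-1-5-32-546
sedenyremoteinteractivelogonright = *S-1-5-32-546,*S-1-5-7
"""

def parse_privilege_rights(text):
    """Return {right: [SID, ...]}; an empty list means the right is granted to no one."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(StringIO(text))
    rights = {}
    for right, value in cp.items("Privilege Rights"):
        # Each grantee is written as *SID; a bare name would be an account name.
        rights[right] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def describe(sid):
    """Human-readable name for a well-known SID, or the SID itself."""
    return WELL_KNOWN_SIDS.get(sid, sid)

def review_privileges(rights):
    """Return a list of findings; empty when every right matches section 3.5."""
    findings = []
    for right, sids in rights.items():
        names = ", ".join(describe(s) for s in sids) or "no one"
        if right in MUST_BE_EMPTY and sids:
            findings.append(f"{right} granted to {names}; baseline grants it to no one")
        if right in ADMIN_ONLY and set(sids) - {ADMINS}:
            findings.append(f"{right} granted beyond Administrators: {names}")
        if right == "senetworklogonright" and set(sids) & {"S-1-1-0", GUESTS}:
            findings.append(f"{right} exposes the host to Everyone or Guests: {names}")
        if right in DENY_RIGHTS:
            for sid in (GUESTS, ANON):
                if sid not in sids:
                    findings.append(f"{right} does not deny {describe(sid)}")
    return findings

if __name__ == "__main__":
    for finding in review_privileges(parse_privilege_rights(SAMPLE_PRIVILEGES)):
        print("FINDING:", finding)
```

Rights that are absent from the section are not reported, because an absent entry leaves the host's existing assignment untouched rather than clearing it; a review that wants every right pinned should first confirm that all the keys listed in this section are present.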

3.6 Security Options

Security options include values for all entries in the Security Options section of the policy GUI, incorporating the Security Options entries of the Domain Policy as well as the Member Server Baseline. In the template these appear in the [Registry Values] section as path=type,value, where the type is the registry data type: 1 = REG_SZ, 3 = REG_BINARY, 4 = REG_DWORD and 7 = REG_MULTI_SZ. Please note that all values are explicitly defined; this ensures that security does not depend on default values.


Accounts: Administrator account status EnableAdminAccount = 0

'EnableAdminAccount' determines whether the local Administrator account is enabled. The setting '0' disables the local Administrator account; this prevents widespread use and removes it as a target for attack.

NOTE: Even when disabled, the built-in Administrator account can still log on in Safe Mode, so it must still carry a strong password.

Accounts: Guest account status EnableGuestAccount = 0

'EnableGuestAccount' determines whether the local Guest account is enabled. The setting '0' disables the local Guest account; this prevents widespread use and removes it as a target for attack.

Accounts: Limit local account use of blank passwords to console logon only machine\system\currentcontrolset\control\lsa\limitblankpassworduse=4,1

The 'limitblankpassworduse' registry value determines whether local accounts with blank passwords can be used to log on over the network. The setting '1' restricts such accounts to console logon; this ensures remote access requires an account name and a password.

Accounts: Rename administrator account NewAdministratorName = "johnsmith"

The 'NewAdministratorName' keyword sets the local Administrator account name; renaming the account makes it more difficult for an attacker to target it by name, although the account keeps its well-known relative identifier (500) and can still be identified by SID. The setting 'johnsmith' renames the local Administrator account to johnsmith.

NOTE: This keyword should be omitted if a policy to rename the Administrator account on each system is enforced. If not, then at a minimum change it from 'johnsmith' to a local value.

Accounts: Rename guest account NewGuestName = "janesmith"

The 'NewGuestName' keyword sets the local Guest account name; renaming the account makes it more difficult for an attacker to misuse it. The setting 'janesmith' renames the local Guest account to janesmith.

NOTE: This keyword should be omitted if a policy to rename the Guest account on each system is enforced. If not, then at a minimum change it from 'janesmith' to a local value.

Audit: Audit the access of global system objects machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0

The 'auditbaseobjects' registry value determines whether access to global system objects is audited; the setting '0' disables auditing of access to global objects.


Audit: Audit the use of Backup and Restore privilege machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0

The 'fullprivilegeauditing' registry value determines whether the system audits each use of the Backup and Restore privileges; because a backup generates one event per file, the setting '0' disables this auditing.

Audit: Shut down system immediately if unable to log security audits machine\system\currentcontrolset\control\lsa\crashonauditfail=4,1

The 'crashonauditfail' registry value determines system behaviour when it fails to log security events; the setting '1' halts the system when it cannot log. The Canadian Federal government requires that comprehensive log data be carefully maintained; therefore, if the log files are full, the system must not process further transactions.

NOTE: With this setting, a full security log causes a STOP error and the value is changed to '2', after which only administrators can log on until the log is cleared and the value reset; anyone able to generate audit records quickly (see 'seauditprivilege' in section 3.5) can therefore take the system down. Size the security log and its retention method (sections 3.7 and 3.9) accordingly.

Devices: Allow undock without having to log on machine\software\microsoft\windows\currentversion\policies\system\undockwithoutlogon=4,0

The 'undockwithoutlogon' registry value determines whether a portable computer can be undocked without logging on; the setting '0' disallows undocking without logon.

Devices: Allowed to format and eject removable media machine\software\microsoft\windowsnt\currentversion\winlogon\allocatedasd=1,"0"

The 'allocatedasd' registry value determines who can format and eject removable media; because removable media can carry large quantities of data (e.g. entire databases) off the system, the ability should be restricted to trusted individuals. The setting '0' permits only Administrators to format and eject removable media.

Devices: Prevent users from installing printer drivers services\servers\addprinterdrivers=4, 1

The 'addprinterdrivers' registry value determines whether users can add printer drivers. The setting '1' prevents users from adding printer drivers; this helps prevent users from running malicious code in a privileged state.

Devices: Restrict CD-ROM access to locally logged-on user only machine\software\microsoft\windowsnt\currentversion\winlogon\allocatecdroms=1,"1"

The 'allocatecdroms' registry value determines whether the CD-ROM is simultaneously accessible to local and remote users. The setting '1' restricts remote access to the CD-ROM while a user is logged on locally.

NOTE: The setting allows remote authorized users to access the CD-ROM if no one is logged on locally.


Devices: Restrict floppy access to locally logged-on user only machine\software\microsoft\windowsnt\currentversion\winlogon\allocatefloppies=1,"1"

The 'allocatefloppies' registry value determines whether the floppy drive is simultaneously accessible to local and remote users; the setting '1' restricts remote access while a user is logged on locally.

NOTE: This setting allows remote access to the floppy drive if no one is logged on as a local user.

Devices: Unsigned driver installation behavior machine\software\microsoft\driversigning\policy=3,1

The 'policy' registry value defines the behaviour when a driver that has not been signed by the Windows Hardware Quality Lab (WHQL) is installed: '0' installs it silently, '1' warns the user and '2' blocks the installation. The setting '1' warns the user before the driver is installed, leaving the decision to install a non-WHQL driver to the Administrator.

Domain controller: Allow server operators to schedule tasks machine\system\currentcontrolset\control\lsa\submitcontrol=4,0

The 'submitcontrol' registry value determines whether members of Server Operators can schedule tasks on the domain controller; a DoS condition may be invoked if too many simultaneous tasks are executed, and a scheduled task runs as SYSTEM. The setting '0' prevents Server Operators from scheduling tasks.

Domain controller: LDAP server signing requirements machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity=4,2

The 'ldapserverintegrity' registry value determines whether the LDAP server requires clients to negotiate data signing; unsigned LDAP traffic is susceptible to man-in-the-middle attacks and session hijacking. The setting '2' requires signing (unless the session is already protected by SSL/TLS).

Domain controller: Refuse machine account password changes machine\system\currentcontrolset\services\netlogon\parameters\refusepasswordchange=4,0

The 'refusepasswordchange' registry value determines whether domain controllers accept changes to computer account passwords; regularly changed passwords reduce the threat of effective brute-force attacks. The setting '0' allows computer account passwords to be changed.
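Unlike the sections above, every entry in this section carries a registry data type between the path and the value (4,1 for a REG_DWORD, 1,"0" for a REG_SZ, 3,0 for REG_BINARY), and a review has to compare both, since a value written with the wrong type is applied as a different registry value altogether. The script below is an added example, not code from this aide: it parses a [Registry Values] section into typed values and compares a handful of the entries discussed above with the values the text gives. The sample is constructed, with two deliberate deviations (the halt-on-audit-failure value left at 0 and LDAP signing only negotiated rather than required), and the set of entries checked is my selection from section 3.6.

```python
"""Decode the [Registry Values] section of a security template and compare
selected entries with the values in section 3.6.  Added example, not code
from this aide; the sample section is constructed."""
import configparser
from io import StringIO

# Registry data types used by the template format.
REG_TYPES = {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

# Expected (type, value) for some section 3.6 entries, keyed by the tail of
# the registry path so the check is independent of the hive prefix.
EXPECTED = {
    r"lsa\limitblankpassworduse": (4, "1"),
    r"lsa\crashonauditfail": (4, "1"),
    r"winlogon\allocatedasd": (1, "0"),
    r"ntds\parameters\ldapserverintegrity": (4, "2"),
    r"netlogon\parameters\requiresignorseal": (4, "1"),
    r"netlogon\parameters\refusepasswordchange": (4, "0"),
}

# Constructed sample (raw string: the paths contain backslashes).
SAMPLE_REGISTRY = r"""[Registry Values]
machine\system\currentcontrolset\control\lsa\limitblankpassworduse=4,1
machine\system\currentcontrolset\control\lsa\crashonauditfail=4,0
machine\software\microsoft\windowsnt\currentversion\winlogon\allocatedasd=1,"0"
machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity=4,1
machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,1
machine\system\currentcontrolset\services\netlogon\parameters\refusepasswordchange=4,0
"""

def parse_registry_values(text):
    """Return {path: (type_code, value)}; REG_SZ values lose their quotes."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(StringIO(text))
    entries = {}
    for path, raw in cp.items("Registry Values"):
        type_str, _, value = raw.partition(",")
        type_code = int(type_str)
        value = value.strip()
        if type_code == 1:          # REG_SZ values are written in double quotes
            value = value.strip('"')
        entries[path] = (type_code, value)
    return entries

def type_name(type_code):
    return REG_TYPES.get(type_code, f"unknown type {type_code}")

def check_registry_values(entries):
    """Return findings for entries whose type or value differs from EXPECTED."""
    findings = []
    for path, (type_code, value) in entries.items():
        for tail, (exp_type, exp_value) in EXPECTED.items():
            if not path.endswith(tail):
                continue
            if type_code != exp_type:
                findings.append(f"{tail}: type {type_name(type_code)} but baseline uses {type_name(exp_type)}")
            elif value != exp_value:
                findings.append(f"{tail}: {value} (baseline {exp_value})")
    return findings

if __name__ == "__main__":
    for finding in check_registry_values(parse_registry_values(SAMPLE_REGISTRY)):
        print("FINDING:", finding)
```

Matching on the tail of the path keeps the check usable for entries whose path is abbreviated in documentation (as 'addprinterdrivers' is above), but a production check should compare the full path, since the same value name can exist under more than one key.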

Domain member: Digitally encrypt or sign secure channel data (always) machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4, 1

The 'requiresignorseal' registry value determines whether the domain member insists that all secure channel (Netlogon) traffic be signed or encrypted. The setting '1' refuses an unsigned, unencrypted secure channel; every domain controller the member contacts must therefore support signing or sealing, which legacy (pre-Windows 2000) domain controllers do not.

Domain member: Digitally encrypt secure channel data (when possible) machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4, 1

The 'sealsecurechannel' registry value determines whether a domain member requests encryption of all secure channel data; encrypting secure channel data prevents sensitive information (such as credentials passed through for authentication) being sent in the clear, thereby limiting an attacker's ability to gather information for an attack. The setting '1' requests encryption of all secure channel data.

Domain member: Digitally sign secure channel data (when possible) machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4, 1

The 'signsecurechannel' registry value determines whether a domain member signs secure channel data when the domain controller supports it; unsigned data is susceptible to man-in-the-middle tampering and session hijack. The setting '1' enables signing of secure channel data when possible.

Domain member: Disable machine account password changes machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4, 0

The 'disablepasswordchange' registry value determines whether the domain member periodically changes its own computer account password; if changes were disabled, the machine password would never rotate, leaving it exposed to password-guessing attacks and to indefinite reuse if captured. The setting '0' allows machine account password changes.

Domain member: Maximum machine account password age machine\system\currentcontrolset\services\netlogon\parameters\maximumpasswordage=4, 42

The 'maximumpasswordage' registry value determines the maximum number of days between machine account password changes. The setting '42' requires the password to be changed at least every forty-two days, so a guessed or captured machine password has a bounded lifetime.

Domain member: Require strong (Windows 2000 or later) session key machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4, 1

The 'requirestrongkey' registry value determines whether the domain member will only establish a secure channel with domain controllers that can produce a strong (128-bit) session key; if disabled, key strength is negotiated with the domain controller. The setting '1' requires a 128-bit key for the secure channel; this provides the highest level of protection for secure channel data but prevents a secure channel with pre-Windows 2000 domain controllers.

Interactive logon: Do not display last user name machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4, 1

The 'dontdisplaylastusername' registry value determines whether the logon screen is pre-filled with the name of the last user who logged on. The setting '1' does not display the last user name; this withholds a valid account name from anyone with access to the console and so removes half of what a password-guessing attacker needs.

Interactive logon: Do not require CTRL+ALT+DEL machine\software\microsoft\windows\currentversion\policies\system\disablecad=4, 0

The 'disablecad' registry value determines whether CTRL+ALT+DEL is required before a user can log on. The setting '0' requires CTRL+ALT+DEL to initiate logon; this secure attention sequence is intercepted by the kernel and cannot be captured by a user-mode program, so a Trojan Horse presenting a fake logon screen cannot harvest the credentials.

Interactive logon: Message text for users attempting to logon machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=7, TEXT FOR USER LOGON MUST BE SUPPLIED

The 'legalnoticetext' registry value is presented to the user before the user name and password are requested; a notice of authorized use may help an organization in the event of legal proceedings. The value shown is the text presented and must be replaced with the organization's own wording.

Interactive logon: Message title for users attempting to logon machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1,"TEXT FOR USER LOGON MUST BE SUPPLIED"

The 'legalnoticecaption' registry value is presented to the user as the title of the window that contains the 'legalnoticetext' text; this may help an organization in the event of legal proceedings. The value shown is the text presented and must be replaced with the organization's own wording.

Interactive logon: Number of previous logons to cache (in case domain controller is not available) machine\software\microsoft\windowsnt\currentversion\winlogon\cachedlogonscount=1,"0"

The 'cachedlogonscount' registry value determines the number of unique users whose logon information is cached locally. The setting '0' caches no logon information; every logon must then be validated by a domain controller, so a user whose account has been disabled cannot log on with cached credentials. The trade-off is that no domain user can log on while no domain controller is reachable, which makes this setting unsuitable for portable computers.

Interactive logon: Prompt user to change password before expiration machine\software\microsoft\windowsnt\currentversion\winlogon\passwordexpirywarning=4,14

The 'passwordexpirywarning' registry value determines how many days in advance the user is notified of password expiration. The setting '14' warns the user 14 days before the password expires; the user continues to be reminded at each logon until the password is changed.

Interactive logon: Require Domain Controller authentication to unlock workstation machine\software\microsoft\windowsnt\currentversion\winlogon\forceunlocklogon=4, 1

The 'forceunlocklogon' registry value determines whether a domain controller must be contacted to unlock a locked computer. The setting '1' requires contact with a domain controller; the unlocking user is re-authenticated against the current state of the account, so a user whose account has been disabled since the computer was locked cannot unlock it with cached credentials.

Interactive logon: Require smart card machine\software\microsoft\windows\currentversion\policies\system\scforceoption=4, 0

The 'scforceoption' registry value determines whether a smart card is required to log on. The setting '0' does not require a smart card. The majority of servers will not require two-factor authentication; where it is a requirement, it should be enabled in a role-specific policy applied after this baseline.

Interactive logon: Smart card removal behaviour machine\software\microsoft\windowsnt\currentversion\winlogon\scremoveoption=1,"1"

The 'scremoveoption' registry value determines system behaviour when a smart card is removed from the reader: '0' takes no action, '1' locks the workstation and '2' forces a logoff. The setting '1' locks the workstation on removal; this ensures the session cannot be used by someone else once the card holder walks away, preserving accountability for transactions authenticated with the card.

Microsoft network client: Digitally sign communications (always) machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4, 1

The 'requiresecuritysignature' registry value under lanmanworkstation determines whether the SMB client requires packet signing for every session. The setting '1' requires packet signing; signing binds each SMB packet to the authenticated session and may prevent man-in-the-middle tampering and session hijacking. Servers that cannot sign (legacy systems) cannot be accessed from this client.

Microsoft network client: Digitally sign communications (if server agrees) machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4, 1

The 'enablesecuritysignature' registry value determines whether the SMB client attempts to negotiate SMB packet signing when the server supports it. The setting '1' causes the client to negotiate SMB signing; signing may prevent man-in-the-middle tampering and session hijacking. Legacy (pre-Windows 2000) systems cannot support this requirement.

Microsoft network client: Send unencrypted password to third-party SMB servers machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4, 0

The 'enableplaintextpassword' registry value determines whether the SMB client will send plain-text passwords to non-Microsoft SMB servers that do not support password encryption. The setting '0' disables the use of clear-text passwords. Non-Microsoft SMB servers that do not accept encrypted passwords are disallowed in a High Security environment; password security must always be enforced.

Microsoft network server: Amount of idle time required before suspending session machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4, 15

The 'autodisconnect' registry value defines the idle time in minutes before an SMB session is suspended; the setting '15' suspends an SMB session after fifteen minutes of inactivity. An idle session consumes server resources; an attacker could open many sessions and leave them idle to invoke a DoS condition. Beyond the security ramifications, accumulated idle sessions can cause SMB services to become slow or unresponsive.

Microsoft network server: Digitally sign communications (always) machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4, 1

The 'requiresecuritysignature' registry value under lanmanserver determines whether the SMB server requires packet signing for every session. The setting '1' always requires signed SMB communications; signing binds each packet to the authenticated session and may prevent man-in-the-middle tampering and session hijacking. Clients that cannot sign (legacy systems) cannot connect to this server.

Microsoft network server: Digitally sign communications (if client agrees) machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4, 1

The 'enablesecuritysignature' registry value determines whether the SMB server signs communications when the client agrees. The setting '1' signs SMB communications with clients that negotiate signing; signing may prevent man-in-the-middle tampering and session hijacking. Legacy (pre-Windows 2000) systems cannot support this requirement.

Microsoft network server: Disconnect clients when logon hours expire machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4, 1

The 'enableforcedlogoff' registry value determines whether a user connected over the network is disconnected once outside their permitted logon hours. The setting '1' disconnects the user when the logon hours expire.

Network access: Allow anonymous SID/Name translation LSAAnonymousNameLookup = 0

The 'LSAAnonymousNameLookup' keyword determines whether the system allows anonymous SID/name translation; if enabled, an anonymous user could present a well-known SID (for example that of the built-in Administrator account, RID 500) and learn the real name of the account even if it has been renamed, which facilitates a password-guessing attack. The setting '0' prevents anonymous SID/name translation.

Network access: Do not allow anonymous enumeration of SAM accounts machine\system\currentcontrolset\control\lsa\restrictanonymoussam=4, 1

The 'restrictanonymoussam' registry value determines whether anonymous connections may enumerate SAM accounts. Successful enumeration maps account names to their SIDs; with the names known, the local Guest and Administrator accounts (even when renamed) are exposed and vulnerable to password-guessing attacks. The setting '1' disallows anonymous enumeration of SAM accounts.

Network access: Do not allow anonymous enumeration of SAM accounts and shares machine\system\currentcontrolset\control\lsa\restrictanonymous=4, 1

The 'restrictanonymous' registry value determines whether anonymous connections may enumerate SAM accounts and shares. Successful enumeration maps account names to their SIDs and reveals the shares offered; with the names known, the local Guest and Administrator accounts are exposed and vulnerable to password-guessing attacks. The setting '1' disallows anonymous enumeration of both SAM accounts and shares.

Network access: Do not allow storage of credentials or .NET Passports for network authentication machine\system\currentcontrolset\control\lsa\disabledomaincreds=4, 1

The 'disabledomaincreds' registry value determines whether Stored User Names and Passwords may save passwords, credentials or Microsoft .NET Passports for later use after initial domain authentication. The setting '1' disallows saving them.

Network access: Let Everyone permissions apply to anonymous users machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous=4, 0

The 'everyoneincludesanonymous' registry value determines whether the Everyone SID is added to the access token of an anonymous connection. The setting '0' grants no additional permissions to anonymous users; this ensures unauthenticated connections do not inherit the rights of the Everyone group.

Network access: Named Pipes that can be accessed anonymously machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionpipes=7,

The 'nullsessionpipes' registry value lists the named pipes that may be accessed anonymously (over a null session). The empty setting permits anonymous access to no named pipe; this ensures all system access is authenticated and authorized.

Network access: Remotely accessible registry paths machine\system\currentcontrolset\control\securepipeservers\winreg\allowedexactpaths\machine=7,

The 'allowedexactpaths\machine' registry value lists the registry keys that may be read over the network regardless of the permissions set on the key. As there is normally no requirement for remotely accessible registry information, the setting is left empty.

Network access: Remotely accessible registry paths and Sub-paths machine\system\currentcontrolset\control\securepipeservers\winreg\allowedpaths\machine=7,

The 'allowedpaths\machine' registry value lists the registry keys, together with their sub-keys, that may be read over the network. This Baseline configuration has no requirement for remotely accessible registry information, so the setting is left empty.

Network access: Restrict anonymous access to Named Pipes and Shares machine\system\currentcontrolset\services\lanmanserver\parameters\restrictnullsessaccess=4,1

The 'restrictnullsessaccess' registry value determines whether anonymous access to named pipes and shares is limited to those listed in 'nullsessionpipes' and 'nullsessionshares'. The setting '1' disallows anonymous access to any pipe or share not explicitly listed. Access to resources is predicated on authorization for that resource; if anonymous access were granted, there would be no way to identify who is accessing the objects.

Network access: Shares that can be accessed anonymously machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares=7,

The 'nullsessionshares' registry value lists the shares that may be accessed anonymously over the network. The empty setting permits anonymous access to no share; all system access should be authenticated, since anonymous access prevents accurate authorization and auditing of share use.

Network access: Sharing and security model for local accounts machine\system\currentcontrolset\control\lsa\forceguest=4, 0

The 'forceguest' registry value determines the sharing and security model for network logons that use local accounts. The setting '0' (Classic) authenticates such logons as the actual user, so resource access is authorized and audited per account; the alternative '1' (Guest only) maps every such logon to the Guest account.

Network security: Do not store LAN Manager hash value on next password change machine\system\currentcontrolset\control\lsa\nolmhash=4, 1

The 'nolmhash' registry value determines whether the LAN Manager hash of a password is stored when the password is next changed. The setting '1' does not store the LM hash; the LM hash is a weak representation of the password that is readily recovered by brute force once an attacker obtains the account database.

NOTE: Existing LM hashes remain in the SAM or Active Directory until each password is next changed, so all passwords must be changed after this setting is enabled.

Network Security: Force logoff when logon hours expire ForceLogoffWhenHourExpire = 1

The 'ForceLogoffWhenHourExpire' keyword determines whether users connected to this computer over SMB are disconnected when their permitted logon hours expire; the setting '1' disconnects them. Logon hours are defined per account within the "Active Directory Users and Computers", "Computer Management" and "Local Users and Groups" interfaces.

Network security: LAN Manager authentication level machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4, 5

The 'lmcompatibilitylevel' registry value determines which challenge/response authentication protocols are used for network logons, from '0' (send LM and NTLM responses) to '5'. The setting '5' sends NTLMv2 responses only and, on a server or domain controller, refuses LM and NTLM authentication; this ensures only the strongest of the three mechanisms is permitted.

Network security: LDAP client signing requirements machine\system\currentcontrolset\services\ldap\ldapclientintegrity=4, 1

The 'ldapclientintegrity' registry value determines whether the LDAP client negotiates data signing with LDAP servers: '0' (None), '1' (Negotiate signing) or '2' (Require signing). The setting '1' negotiates signing, so traffic to any server that supports it is signed; this reduces the threat of man-in-the-middle attacks, while '2' would additionally refuse to talk to servers that cannot sign.

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminclientsec=4, 537395248

The 'ntlmminclientsec' registry value defines the minimum session security that NTLM SSP based (including secure RPC) clients will accept. The setting '537395248' (0x20080030) enables all four options, as recommended by Microsoft: message integrity (0x10), message confidentiality (0x20), NTLMv2 session security (0x80000) and 128-bit encryption (0x20000000).

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminserversec=4, 537395248

The 'ntlmminserversec' registry value defines the minimum session security that NTLM SSP based (including secure RPC) servers will accept. The setting '537395248' (0x20080030) enables the same four options, as recommended: message integrity, message confidentiality, NTLMv2 session security and 128-bit encryption.
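
The two NTLM minimum-session-security values are bitmasks and the LAN Manager authentication level is an enumeration, so a value read from a host is not self-explanatory. As an added example that is not part of the original working aide, the following Python decodes both into the options they select and reports what a host's values lack relative to this baseline. The flag bits are the documented NTLMMinClientSec/NTLMMinServerSec bits; the host values passed to review() at the bottom are constructed for illustration.

```python
# Added example (not from the working aide): decode ntlmminclientsec /
# ntlmminserversec bitmasks and lmcompatibilitylevel, then compare a host's
# values with the baseline (level 5, all four NTLM options required).

NTLM_MIN_SEC_FLAGS = {
    0x00000010: "Require message integrity",
    0x00000020: "Require message confidentiality",
    0x00080000: "Require NTLMv2 session security",
    0x20000000: "Require 128-bit encryption",
}

LM_COMPATIBILITY_LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only, refuse LM",
    5: "Send NTLMv2 response only, refuse LM & NTLM",
}


def baseline_ntlm_min_sec() -> int:
    """The mask with every option set: the working aide's 537395248 (0x20080030)."""
    mask = 0
    for bit in NTLM_MIN_SEC_FLAGS:
        mask |= bit
    return mask


def decode_ntlm_min_sec(value: int) -> dict:
    """Name the options set in value, those missing against the full set, and
    any bits outside the known table (a sign of a mistyped value)."""
    enabled = [name for bit, name in NTLM_MIN_SEC_FLAGS.items() if value & bit]
    missing = [name for bit, name in NTLM_MIN_SEC_FLAGS.items() if not value & bit]
    unknown = (value & ~baseline_ntlm_min_sec()) & 0xFFFFFFFF
    return {"enabled": enabled, "missing": missing, "unknown_bits": unknown}


def meets_ntlm_baseline(value: int) -> bool:
    """True when the value requires everything the baseline requires."""
    full = baseline_ntlm_min_sec()
    return (value & full) == full


def describe_lm_compatibility(level: int) -> str:
    if level not in LM_COMPATIBILITY_LEVELS:
        raise ValueError("lmcompatibilitylevel must be 0..5, got %r" % level)
    return LM_COMPATIBILITY_LEVELS[level]


def review(lm_level: int, client_sec: int, server_sec: int) -> list:
    """Findings for a host's three NTLM-related values against the baseline."""
    findings = []
    if lm_level < 5:
        findings.append("lmcompatibilitylevel %d: %s (baseline is 5)"
                        % (lm_level, describe_lm_compatibility(lm_level)))
    for name, value in (("ntlmminclientsec", client_sec),
                        ("ntlmminserversec", server_sec)):
        decoded = decode_ntlm_min_sec(value)
        if decoded["unknown_bits"]:
            findings.append("%s 0x%08x: unexpected bits 0x%x"
                            % (name, value, decoded["unknown_bits"]))
        for option in decoded["missing"]:
            findings.append("%s 0x%08x: %s not required" % (name, value, option))
    return findings


if __name__ == "__main__":
    # Constructed host values: level 2 and a client mask requiring only
    # 128-bit encryption, against a server mask that matches the baseline.
    for finding in review(2, 0x20000000, 537395248):
        print(finding)
```

Feeding review() the three values exported from a host (secedit /export, or the registry keys named above) gives one line per option the host falls short on; an 'unexpected bits' finding means the DWORD was typed or transcribed wrongly rather than merely weakened.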

Recovery console: Allow automatic administrative logon machine\software\microsoft\windowsnt\currentversion\setup\recoveryconsole\securitylevel=4,0

The 'securitylevel' registry value determines whether the Recovery Console requires the Administrator password before it presents a command prompt. The setting '0' requires the password; enabling automatic logon would hand anyone with physical access to the server a privileged console without authentication, and is not recommended.

Recovery console: Allow floppy copy and access to all drives and all folders machine\software\microsoft\windowsnt\currentversion\setup\recoveryconsole\setcommand=4,0

The 'setcommand' registry value determines whether the Recovery Console 'SET' command is available; 'SET' can lift the console's restrictions on copying files to removable media and on access to drives and folders outside the system directory. The setting '0' disables the 'SET' command, so copying to removable media remains disabled.

Shutdown: Allow system to be shut down without having to log on machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4, 0

The 'shutdownwithoutlogon' registry value determines whether the system can be shut down from the logon screen without logging on. The setting '0' requires the user to log on first; this ensures only authorized users (those holding the shut-down right) may shut down the system.

Shutdown: Clear virtual memory page file machine\system\currentcontrolset\control\sessionmanager\memorymanagement\clearpagefileatshutdown=4, 1

The 'clearpagefileatshutdown' registry value determines whether the contents of the page file are overwritten on a clean shutdown; the page file may hold sensitive system and user data that could otherwise be read from the disk offline. The setting '1' clears the page file on a normal shutdown, reducing the risk that such information is available to an attacker; shutdown takes noticeably longer on systems with a large page file.

System cryptography: Force strong key protection for user keys stored on the computer machine\software\policies\microsoft\cryptography\forcekeyprotection=4, 2

The 'forcekeyprotection' registry value determines whether users' private keys (e.g. S/MIME signing keys) require a password each time they are used. The setting '2' requires entry of a password every time a private key is used; this ensures that key material is only used with the owner's knowledge.

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing machine\system\currentcontrolset\control\lsa\fipsalgorithmpolicy=4, 1

The 'fipsalgorithmpolicy' registry value determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the FIPS-approved TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite (the same flag also restricts other Windows components, such as EFS, to FIPS-approved algorithms). The setting '1' requires the use of the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. The Canadian Federal Government requires this setting on all servers to remain compliant with its cryptographic policies.

System objects: Default owner for objects created by members of the Administrators group machine\system\currentcontrolset\control\lsa\nodefaultadminowner=4, 1

The 'nodefaultadminowner' registry value determines whether objects created by members of the Administrators group are owned by the Administrators group or by the individual creator. The setting '1' makes the creator the owner; this ensures the actions of an individual administrator can be isolated and audited.

System objects: Require case insensitivity for non-Windows subsystems machine\system\currentcontrolset\control\sessionmanager\kernel\obcaseinsensitive=4, 1

The 'obcaseinsensitive' registry value determines whether case insensitivity is enforced for all subsystems, including non-Windows (POSIX) subsystems. The setting '1' enforces case insensitivity; this prevents a non-Windows subsystem from creating a file whose name differs from an existing one only in case, which would be inaccessible to Windows programs and could be used to shadow or block access to the original.

System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) machine\system\currentcontrolset\control\sessionmanager\protectionmode=4, 1

The 'protectionmode' registry value determines whether the default permissions on shared system objects (e.g. symbolic links in the object manager namespace) are strengthened. The setting '1' strengthens those permissions; non-administrators can read shared objects they did not create, but cannot modify them.

System settings: Optional subsystems machine\system\currentcontrolset\control\sessionmanager\subsystems\optional=7,

The 'optional' registry value lists the optional subsystems (e.g. POSIX) started to support applications. The empty setting starts no optional subsystem. The use of a subsystem should be justified by an operational requirement; unless required, no optional subsystem should be enabled.

Use Certificate Rules on Windows Executables for Software Restriction Policies machine\software\policies\microsoft\windows\safer\codeidentifiers\authenticodeenabled=4, 0

The 'authenticodeenabled' registry value determines whether software restriction policies evaluate certificate rules against the Authenticode signature of Windows executables. The setting '0' does not use certificate rules; they impose a signature check on every execution and are only of value where a software restriction policy actually defines certificate rules.
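
Every registry-value entry above uses the template's own "path=type,value" syntax, where the type code is 1 (REG_SZ), 3 (REG_BINARY), 4 (REG_DWORD) or 7 (REG_MULTI_SZ). As an added example that is not part of the original working aide, the following Python reads lines in that form and checks them against a snapshot of a host's current values, reporting each value as matching, drifted or absent. The host snapshot is constructed for illustration; on a real system it would be populated from the registry (reg.exe query, Get-ItemProperty) or from a secedit /export of the local policy.

```python
# Added example (not from the working aide): parse "path=type,value" lines
# from a security template and audit them against a host snapshot.
import re

REG_TYPES = {"1": "REG_SZ", "3": "REG_BINARY", "4": "REG_DWORD", "7": "REG_MULTI_SZ"}

# path = typecode , value    (value may be quoted, and may be empty for type 7)
VALUE_LINE_RE = re.compile(
    r"^\s*(machine\\[^=]+?)\s*=\s*(\d)\s*(?:,\s*(.*?))?\s*$", re.IGNORECASE)


def parse_registry_value_line(line: str) -> dict:
    """Turn one template line into {path, type, value}.
    DWORDs become int, multi-strings a list, everything else a str."""
    m = VALUE_LINE_RE.match(line)
    if not m:
        raise ValueError("not a registry value line: %r" % line)
    path, code, raw = m.group(1).lower(), m.group(2), m.group(3) or ""
    kind = REG_TYPES.get(code, "REG_TYPE_" + code)
    if kind == "REG_DWORD":
        value = int(raw)
    elif kind == "REG_MULTI_SZ":
        # Multi-string entries are comma separated in the template.
        value = [part.strip().strip('"') for part in raw.split(",") if part.strip()]
    else:
        value = raw.strip().strip('"')
    return {"path": path, "type": kind, "value": value}


def audit_against_host(template_lines, host_values) -> list:
    """Compare each template line with the value present on the host.
    host_values maps a lower-cased path to the host's value, and omits the
    path when the value does not exist on the machine."""
    findings = []
    for line in template_lines:
        want = parse_registry_value_line(line)
        if want["path"] not in host_values:
            status, have = "missing", None
        else:
            have = host_values[want["path"]]
            status = "ok" if have == want["value"] else "drift"
        findings.append({"path": want["path"], "type": want["type"],
                         "expected": want["value"], "actual": have, "status": status})
    return findings


def summarize(findings) -> dict:
    counts = {"ok": 0, "drift": 0, "missing": 0}
    for finding in findings:
        counts[finding["status"]] += 1
    return counts


# Template lines taken from this section.
TEMPLATE_LINES = [
    r"machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4, 5",
    r"machine\system\currentcontrolset\control\lsa\restrictanonymous=4, 1",
    r"machine\system\currentcontrolset\control\lsa\nolmhash=4, 1",
    r'machine\software\microsoft\windowsnt\currentversion\winlogon\cachedlogonscount=1,"0"',
    r"machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionpipes=7,",
]

# Constructed host snapshot: what a not-yet-hardened member server might hold.
HOST_SNAPSHOT = {
    r"machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel": 2,
    r"machine\system\currentcontrolset\control\lsa\restrictanonymous": 1,
    r"machine\software\microsoft\windowsnt\currentversion\winlogon\cachedlogonscount": "10",
    r"machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionpipes":
        ["COMNAP", "COMNODE", "SQL\\QUERY"],
}

if __name__ == "__main__":
    results = audit_against_host(TEMPLATE_LINES, HOST_SNAPSHOT)
    for r in results:
        if r["status"] != "ok":
            print("%-8s %s: expected %r, found %r" % (r["status"], r["path"], r["expected"], r["actual"]))
    print(summarize(results))
```

Run against the constructed snapshot, the audit flags the authentication level, the cached-logon count and the anonymous pipe list as drifted and 'nolmhash' as absent. A 'missing' result deserves the same attention as drift: for most of these values the absence of the key means Windows applies its own default, which is rarely the hardened one.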

3.7 Event Log Size Microsoft guidance indicates that the total size of all event logs should not exceed 300 MB. If this value is exceeded, the system may stop logging, and the failure itself may not be recorded. While the interface allows values up to 4 GB, there is a risk of losing log entries beyond 300 MB. The following settings allocate the full 300 MB (76,800 + 153,600 + 76,800 KB = 307,200 KB) between the three event logs.

Maximum application log size MaximumLogSize = 76800 (in [Application Log] section)

The 'MaximumLogSize' keyword determines the size of the Application event log; the setting '76800' creates a 76800 KB (75 MB) log file. At an average of 500 bytes per event, this log holds roughly 157,000 events (76800 x 1024 / 500), allowing the system to run for an extended period without having to roll the log file.

NOTE: Due to the wide variety of event loads, monitoring the log files during the initial operational period is recommended.

Maximum security log size MaximumLogSize = 153600 (in [Security Log] section)

The 'MaximumLogSize' keyword determines the size of the Security event log; the setting '153600' creates a 153600 KB (150 MB) log file. At an average of 500 bytes per event, this log holds roughly 314,000 events (153600 x 1024 / 500), allowing the system to run for an extended period without having to roll the log file.

NOTE: Due to the wide variety of event loads, monitoring the log files during the initial operational period is recommended.

Maximum system log size MaximumLogSize = 76800 (in [System Log] section)

The 'MaximumLogSize' keyword determines the size of the System event log; the setting '76800' creates a 76800 KB (75 MB) log file. At an average of 500 bytes per event, this log holds roughly 157,000 events (76800 x 1024 / 500), allowing the system to run for an extended period without having to roll the log file.

3.8 Guest Access Prevent local Guests group from accessing Application, Security, and System logs RestrictGuestAccess = 1 (in [Application Log], [Security Log] or [System Log] section)

The 'RestrictGuestAccess' keyword determines whether accounts with 'guest' access can read the log. Access to log information provides an attacker with valuable information for mounting attacks on the system or its users; as a result, only authenticated users should be given access to the log files. The setting '1' disallows guest access to the log.

3.9 Retention Method Retention method for application, security and system logs AuditLogRetentionPeriod = 2 (in [Application Log], [Security Log] or [System Log] section)

The 'AuditLogRetentionPeriod' keyword determines what happens when the log is full: '0' overwrites events as needed, '1' overwrites events older than the number of days given by 'RetentionDays', and '2' never overwrites. The setting '2' means that once the log is full no further events are recorded until the log is cleared manually; whether a full Security log halts the system is governed separately by the 'Audit: Shut down system immediately if unable to log security audits' option (crashonauditfail).

NOTE: Use of this setting should be consistent with the organization's log retention policy, and with a log collection process that archives and clears the logs before they fill.

3.10 System Services Each entry below has the form "service name",startup type,"security descriptor", where the startup type is 2 (automatic), 3 (manual) or 4 (disabled) and the security descriptor is given in SDDL. Amplifying information regarding the service startup and ACL settings can be found in Annexes 4.1 and 4.3, respectively.

3.10.1 Services Explicitly Covered by Microsoft Alerter "alerter",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Alerter service notifies selected users and computers of administrative alerts. This policy disables the service.
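
The security descriptors in these entries are compact but not readable at a glance: each ACE is (type;flags;rights;;;trustee), the two-letter rights carry service-specific meanings (CC = query configuration, DC = change configuration, RP = start, WP = stop, and so on) and the trustee is a well-known SID alias (BA, SY, IU, WD). As an added example that is not part of the original working aide, the following Python reads a service entry in the form used here, decodes the startup type and the SDDL, and flags any trustee other than Administrators and Local System that could reconfigure, stop, delete or re-ACL the service. The first sample line is the Alerter entry above; the second is a deliberately weakened variant constructed for comparison.

```python
# Added example (not from the working aide): decode service entries of the
# form "service",startup,"SDDL" and check the DACL for over-privileged trustees.
import re

STARTUP_TYPES = {"2": "Automatic", "3": "Manual", "4": "Disabled"}

# Generic SDDL right tokens as they map onto the service access mask.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER", "GA": "GENERIC_ALL",
}
TRUSTEES = {"BA": "Administrators", "SY": "Local System",
            "IU": "Interactive users", "WD": "Everyone", "AU": "Authenticated Users"}

# Rights whose holder can reconfigure, stop, delete or take over the service.
MODIFY_RIGHTS = {"DC", "WP", "SD", "WD", "WO", "GA"}

SERVICE_LINE_RE = re.compile(r'^"([^"]+)",(\d),"(.*)"$')
SECTION_RE = re.compile(r"([DS]):([A-Z]*)((?:\([^)]*\))*)")        # D:flags(ace)(ace) S:(ace)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def split_rights(token: str) -> list:
    """'CCLCSWLOCRRC' -> ['CC', 'LC', 'SW', 'LO', 'CR', 'RC']; a hex mask is kept whole."""
    if token.lower().startswith("0x"):
        return [token]
    if len(token) % 2:
        raise ValueError("odd-length rights token: %r" % token)
    return [token[i:i + 2] for i in range(0, len(token), 2)]


def parse_sddl(sddl: str) -> dict:
    """Split a service SDDL string into DACL and SACL ACE lists."""
    out = {"dacl_flags": "", "dacl": [], "sacl_flags": "", "sacl": []}
    for section, flags, aces in SECTION_RE.findall(sddl):
        entries = []
        for ace_type, ace_flags, rights, _obj, _inherit, sid in ACE_RE.findall(aces):
            entries.append({"type": ace_type, "flags": ace_flags,
                            "rights": split_rights(rights), "trustee": sid})
        key = "dacl" if section == "D" else "sacl"
        out[key + "_flags"] = flags
        out[key] = entries
    return out


def parse_service_line(line: str) -> dict:
    m = SERVICE_LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a service entry: %r" % line)
    name, start, sddl = m.groups()
    return {"service": name,
            "startup": STARTUP_TYPES.get(start, "Unknown(%s)" % start),
            "descriptor": parse_sddl(sddl)}


def find_overprivileged(entry: dict, trusted=("BA", "SY")) -> list:
    """Allow ACEs that grant modify rights to anyone outside the trusted set."""
    findings = []
    for ace in entry["descriptor"]["dacl"]:
        if ace["type"] != "A" or ace["trustee"] in trusted:
            continue
        held = sorted(MODIFY_RIGHTS.intersection(ace["rights"]))
        if held:
            findings.append((ace["trustee"], held))
    return findings


def describe(entry: dict) -> list:
    """Readable lines: the startup type, then one line per DACL ACE."""
    lines = ["%s: startup %s" % (entry["service"], entry["startup"])]
    for ace in entry["descriptor"]["dacl"]:
        who = TRUSTEES.get(ace["trustee"], ace["trustee"])
        names = ", ".join(SERVICE_RIGHTS.get(r, r) for r in ace["rights"])
        verb = "allow" if ace["type"] == "A" else ace["type"]
        lines.append("  %s %s: %s" % (verb, who, names))
    return lines


# The page's Alerter entry, and a constructed weak variant that starts
# automatically and lets interactive users reconfigure and stop it.
BASELINE_LINE = ('"alerter",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
                 '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)'
                 'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"')
WEAK_LINE = ('"alerter",2,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;GA;;;SY)'
             '(A;;CCDCLCSWRPWPLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"')

if __name__ == "__main__":
    for line in (BASELINE_LINE, WEAK_LINE):
        entry = parse_service_line(line)
        print("\n".join(describe(entry)))
        print("  over-privileged:", find_overprivileged(entry) or "none")
```

On the baseline entry the interactive-user ACE decodes to query configuration, query status, enumerate dependents, interrogate, user-defined control and read control, none of which can alter the service, so nothing is flagged; the weakened variant is reported because IU holds change-configuration and stop. The same reader works on any of the service lines in this section, and on the output of sc sdshow for a live service.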

Application Layer Gateway Service "alg",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Application Layer Gateway Service is a subcomponent of the Internet Connection Sharing (ICS) / Internet Connection Firewall (ICF) Service. This supports independent software vendor plug-ins to allow proprietary protocols through the firewall and work behind ICS. This policy disables the service.

Application Management "appmgmt",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Application Management provides software installation services. This policy disables the service.

ASP .NET State Service "aspnet_state",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The ASP .NET State Service provides support for out-of-process session states for ASP .NET. This policy disables the service.

Automatic Updates "wuauserv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Automatic Updates Service enables the automated download and installation of software updates. This policy disables the service.

Background Intelligent Transfer Service "bits",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Background Intelligent Transfer Service is used to transfer files asynchronously between a client and an HTTP server. This policy disables the service.

Certificate Services "certsvc",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Certificate Services perform core functions for a Certification Authority. This policy disables the service.

MS Software Shadow Copy Provider "swprv",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The MS Software Shadow Copy Provider supports the creation of file shadow copies used to perform system backups. This policy sets the startup to manual for the service.

Client Service for Netware "nwcworkstation",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Client Service for Netware provides access to files and printers on NetWare networks. This policy disables the service.

ClipBook "clipsrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The ClipBook Service creates and shares 'pages' of data that may be viewed by remote users. This policy disables the service.

Cluster Service "clussvc",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Cluster Service supports membership in a High Availability environment (Cluster). The service is disabled.

COM+ Event System "eventsystem",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The COM+ Event System Service extends the COM+ programming model with event distribution. This policy sets the service startup to manual (startup value 3), so it starts only when a dependent component requests it.

COM+ System Application "comsysapp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The COM+ System Application Service manages the configuration and tracking of components based on COM+. The service is disabled.

Computer Browser (Domain Member Baseline) "browser",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Computer Browser service maintains the list of computers on the network. This policy sets the service startup to automatic on domain members.

Computer Browser (Workgroup Member Baseline) "browser",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy disables the service on workgroup members.

Cryptographic Services "cryptsvc",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Cryptographic Services provide key management functionality for the computer. This policy sets the service to automatic startup.

DHCP Client (Domain Member Baseline) "dhcp",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The DHCP Client service obtains IP configuration from a DHCP server. This policy sets the service to automatic startup on domain members.

DHCP Client (Workgroup Member Baseline) "dhcp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy disables the service on workgroup members.

DHCP Server "dhcpserver",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The DHCP Server allocates IP addresses. The service is disabled.

Distributed File System "dfs",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Distributed File System manages logical volumes across local or wide area networks. The service is disabled.

Distributed Link Tracking Client "trkwks",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLC SWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRC WDWO;;;WD)"

The Distributed Link Tracking Client Service ensures shortcuts (among others) work after the target has been moved. The service is disabled.

Distributed Link Tracking Server "trksvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCS WRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCW DWO;;;WD)"

The Distributed Link Tracking Server stores information so files moved between volumes can be tracked. The service is disabled.

Distributed Transaction Coordinator "msdtc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCS WRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCW DWO;;;WD)"

The Distributed Transaction Coordinator Service manages transactions that involve multiple computer systems or resource managers. The service is disabled.

Domain Member Server "dnscache",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDC LCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CC DCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy sets the service to automatic startup.

Workgroup Member Server "dnscache",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDC LCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CC DCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy disables service startup. DNS Server "dns",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDC LCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The DNS Server responds to queries for DNS names. The service is disabled.

Error Reporting Service "ersvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Error Reporting Service collects, stores, and reports unexpected application closures to Microsoft. The service is disabled.

Event Log "eventlog",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Event Log Service enables event log messages to be viewed. This policy sets the service to automatic startup.

Fax Service "fax",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Fax service provides Fax capabilities. The service is disabled.

File Replication "ntfrs",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The File Replication Service automatically copies and maintains files on multiple Servers. The service is disabled.

File Server for Macintosh "macfile",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Macintosh File Service provides network file access to Macintosh computers. The service is disabled.

FTP Publishing Service "msftpsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The FTP Publishing Service provides connectivity and administration through the IIS snap-in. The service is disabled.

Help and Support "helpsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Help and Support Service enables Help and Support Center to run. The service is disabled.

HTTP SSL "httpfilter",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The HTTP SSL Service provides SSL functions to IIS. The service is disabled.

Human Interface Device Access "hidserv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Human Interface Device Access service allows use of pre-defined hotbuttons. The service is disabled.

IAS Jet Database Access "iasjet",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The IAS Jet Database Access service uses RADIUS to provide authentication, authorization and accounting services. The service is disabled.

IIS Admin Service "iisadmin",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The IIS Admin Service allows administration of IIS components. The service is disabled.

IMAPI CD-Burning COM Service "imapiservice",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The IMAPI CD-Burning Service manages CD burning. The service is disabled.

Indexing Service "cisvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Indexing Service indexes file contents and properties. The service is disabled.

Infrared Monitor "irmon",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Infrared Monitor service enables file and image sharing through infrared devices. The service is disabled.

Internet Authentication Service "ias",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Internet Authentication Service manages network authentication, authorization and accounting. The service is disabled.

Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) "sharedaccess",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) service provides Internet services for small local networks. The service is disabled.

Intersite Messaging "ismserv",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Intersite Messaging Service is used for mail-based replication. The service is disabled.

IP Version 6 Helper Service "6to4",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The IP Version 6 Helper Service offers IPv6 connectivity over an existing IPv4 network. The service is disabled.

IPSEC Policy Agent (IPSec Service) "policyagent",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The IPSEC Policy Agent (IPSec Service) provides encryption services to clients and servers on networks. This policy sets the service to automatic startup.

Kerberos Key Distribution Centre "kdc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Kerberos Key Distribution Center Service allows user logon using the Kerberos v5 authentication protocol. The service is disabled.

License Logging Service "licenseservice",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The License Logging service records client access licensing information. The service is disabled.

Logical Disk Manager "dmserver",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Logical Disk Manager service detects all new hard drives and sends disk volume information to the Logical Disk Manager Administration Service. This policy sets the service to manual startup.

Logical Disk Manager Administrative Service "dmadmin",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Logical Disk Manager Administration service performs requests for disk management. This policy sets the service to manual startup.

Message Queuing "msmq",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Message Queuing Service is the infrastructure and development tool for creating distributed messaging applications. The service is disabled.

Message Queuing Down Level Clients "mqds",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Message Queuing Down Level Clients service provides Active Directory access to Message Queuing Clients. The service is disabled.

Message Queuing Triggers "mqtgsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Message Queuing Trigger Service provides rule-based analysis of messages arriving in the Message Queuing queue. The service is disabled.

Messenger "messenger",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Messenger Service sends Alerter Service messages between clients and servers. The service is disabled.

Microsoft POP3 Service "pop3svc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Microsoft POP3 service provides e-mail transfer and retrieval services. The service is disabled.

MSSQL$UDDI "mssql$uddi",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The MSSQL$UDDI service publishes and locates information about web services. The service is disabled.

MSSQLServerADHelper "mssqlserver",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The SQL Server service provides SQL functionality for a server. The service is disabled.

.NET Framework Support Service "corrtsvc",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The .NET Framework Support Service notifies a subscribing client when a specified process initializes the Client Runtime Service. The service is disabled.

Domain Member Server "netlogon",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy sets the service to automatic startup.

Workgroup Member Server "netlogon",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy disables service startup.

NetMeeting Remote Desktop Sharing "mnmsrvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The NetMeeting Remote Desktop Sharing Service enables access to a system with NetMeeting. The service is disabled.

Network Connections "netman",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Network Connections Service manages objects in the Network Connections folder. This policy sets the service to manual startup. This will start the service automatically when the Network Connections interface is invoked.

Network DDE "netdde",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The NetDDE Service provides network transport and security for DDE. The service is disabled.

Network DDE DSDM "netddedsdm",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The NetDDE DSDM Service manages DDE network shares. The service is disabled.

Network Location Awareness (NLA) "nla",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Network Location Awareness service collects and stores network information. The service is disabled.

Network News Transport Protocol (NNTP) "nntpsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Network News Transport Protocol (NNTP) service provides News Server capabilities. The service is disabled.

NTLM Security Support Provider "ntlmssp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The NTLM Security Support Provider service provides security to RPC programs. This enables users to log on using NTLM authentication in place of Kerberos. The service is disabled.

Performance Logs and Alerts "sysmonlog",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Performance Logs and Alerts Service collects performance data. The service is disabled.

Plug and Play "plugplay",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Plug and Play service allows a computer to adapt to hardware configuration changes with little user input. The service is disabled.

Portable Media Serial Number "wmdmpmsn",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Portable Media Serial Number service retrieves serial numbers from any portable music player connected to the system. The service is disabled.

Print Server for Macintosh "macprint",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Macintosh Print service provides network printer access to Macintosh computers. The service is disabled.

Print Spooler "spooler",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Spooler service manages local and network print queues and controls all print jobs. The service is disabled.

Protected Storage "protectedstorage",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Protected Storage service protects storage of sensitive information from unauthorized services, processes or users. This policy sets the service to automatic startup.

Remote Access Auto Connection Manager "rasauto",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Access Auto Connection Manager service detects unsuccessful attempts to connect to a remote network or computer. It then provides an alternative method for connection. The service is disabled.

Remote Access Connection Manager "rasman",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Access Connection Manager service manages dial-up and VPN connections to a server. The service is disabled.

Remote Administration Service "srvcsurg",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Administration service provides an interface for Remote Server Administration Tools. The service is disabled.

Remote Desktop Help Session Manager "rdsessmgr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Desktop Help Session Manager service controls the Remote Assistance feature in the Help and Support Center application. The service is disabled.

Remote Installation "binlsvc",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Installation Service is a Windows deployment feature. The service is disabled.

Remote Procedure Call (RPC) "rpcss",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Procedure Call (RPC) service is a secure inter-process communication mechanism. This policy sets the service to automatic startup.

Remote Procedure Call (RPC) Locator "rpclocator",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The RPC Locator Service enables RPC clients to locate RPC servers. The service is disabled.

Remote Registry Service "remoteregistry",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Registry service enables remote users to modify registry settings on the system. The service is disabled.

Remote Server Manager "appmgr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Server Manager service acts as a Windows Management Instrumentation (WMI) instance provider for Remote Administration Alert Objects. It also acts as a WMI method provider for Remote Administration Tasks. The service is disabled.

Remote Server Monitor "appmon",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Server Monitor service provides monitoring capability of resources on remotely managed systems. The service is disabled.

Remote Storage Notification "remote_storage_user_link",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Storage Notification service notifies a user when accessing data on secondary storage units. The service is disabled.

Remote Storage Server "remote_storage_server",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Storage Server stores infrequently used files in secondary storage. The service is disabled.

Removable Storage "ntmssvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Removable Storage service maintains a catalogue of information for removable media used by the system. The service is disabled.

Resultant Set of Policy Provider "rsopprov",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Resultant Set of Policy Provider service enables simulation of policy to determine the effects. The service is disabled.

Routing and Remote Access "remoteaccess",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Routing and Remote Access service provides multi-protocol LAN-to-LAN, LAN-to-WAN, and NAT routing services. The service is disabled.

SAP Agent "nwsapagent",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The SAP Agent service advertises services on an IPX network. The service is disabled.

Secondary Logon Service "seclogon",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Secondary Logon service allows users to create processes in different security contexts. The service is disabled.

Security Accounts Manager "samss",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Security Accounts Manager service manages user and group account information. This policy sets the service to automatic startup.

Server "lanmanserver",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Server service provides RPC, file, print, and named pipe support over the network. This policy disables service startup.

Shell Hardware Detection "shellhwdetection",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Shell Hardware Detection service monitors and provides notification for AutoPlay hardware events. The service is disabled.

Simple Mail Transport Protocol (SMTP) "smtpsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Simple Mail Transfer Protocol (SMTP) service transports electronic mail across the network. The service is disabled.

Simple TCP/IP Services "simptcp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Simple TCP/IP Services provide a variety of protocols. The service is disabled. The services configured are as follows:

Echo: port 7
Discard: port 9
Character Generator: port 19
Daytime: port 13
Quote of the Day: port 17

Single Instance Storage Groveler "groveler",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Single Instance Storage Groveler service supports the Remote Installation service. The service is disabled.

Smart Card "scardsvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Smart Card service manages access to smart card readers. The service is disabled.

SNMP Service "snmp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Simple Network Management Protocol (SNMP) service allows incoming SNMP requests to be processed by the system. The service is disabled.

SNMP Trap Service "snmptrap",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The SNMP Trap service receives trap messages generated by SNMP agents. The service is disabled.

Special Administration Console Helper "sacsvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Special Administration Console Helper service performs remote management tasks. The service is disabled.

SQLAgent$* (*UDDI or WebDB) "sqlagent$webdb",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The SQLAgent$webdb service monitors and schedules jobs. The service is disabled.

System Event Notification "sens",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The System Event Notification service provides monitoring and tracking services for system events. This policy sets the service to automatic startup.

Task Scheduler "schedule",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Task Scheduler service enables configuration and scheduling of automated tasks on the system. The service is disabled.

Domain Member Server "lmhosts",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy sets the service to automatic startup.

Workgroup Member Server "lmhosts",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy disables service startup.

TCP/IP Print Server "lpdsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The TCP/IP Print Server service enables TCP/IP-based printing. The service is disabled.

Telephony "tapisrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Telephony service provides support for programs that control telephony and IP-based voice devices. The service is disabled.

Telnet "tlntsvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Telnet service provides ASCII terminal sessions to telnet clients. The service is disabled.

Terminal Services "termservice",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Terminal Services allows users to access a virtual Windows desktop session. The service is disabled.

Terminal Services Licensing "termservlicensing",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Terminal Services Licensing service provides registered client licenses when connecting to a Terminal Server. The service is disabled.

Terminal Services Session Directory "tssdis",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Terminal Services Session Directory service provides a multi-session environment that allows access to a virtual Windows desktop. The service is disabled.

Themes "themes",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Themes service provides theme management services. The service is disabled.

Trivial FTP Daemon "tftpd",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Trivial FTP Daemon implements a file transfer protocol that does not require authentication. The service is disabled.

Uninterruptible Power Supply "ups",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Uninterruptible Power Supply service manages an uninterruptible power supply. The service is disabled.

Upload Manager "uploadmgr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Upload Manager service manages file transfers between clients and servers. Driver data is anonymously uploaded from a customer computer to Microsoft. The service is disabled.

Virtual Disk Service "vds",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Virtual Disk service provides a single interface for managing block storage virtualization. The service is disabled.

Volume Shadow Copy "vss",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Volume Shadow Copy service manages and implements volume shadow copies used for backups. This policy sets the service to manual startup.

WebClient "webclient",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The WebClient service allows Win32 applications to access documents on the Internet. The service is disabled.

Web Element Manager "elementmgr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Web Element Manager service provides Web user interface elements for the Administration Web site at port 8098. The service is disabled.

Windows Audio "audiosrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Windows Audio service provides support for sound. The service is disabled.

Windows Image Acquisition (WIA) "stisvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Windows Image Acquisition (WIA) service supports scanners and cameras. The service is disabled.

Domain Member Server "msiserver",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy sets the service to automatic startup.

Workgroup Member Server "msiserver",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy disables service startup.

Windows Internet Name Service (WINS) "wins",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Windows Internet Name Service (WINS) enables NetBIOS name resolution. The service is disabled.

Windows Management Instrumentation "winmgmt",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Windows Management Instrumentation service provides a common interface to access management information. This policy sets the service to automatic startup.

Windows Management Instrumentation Driver Extensions "wmi",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Windows Management Instrumentation Driver Extensions service monitors all drivers and event trace providers that publish WMI or event trace information. The service is disabled.

Windows Media Services "wmserver",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Windows Media Services provide streaming media service over IP-based networks. The service is disabled.

Windows System Resource Manager "windowssystemresourcemanager",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Windows System Resource Manager service is a tool to help customers deploy applications. The service is disabled.

Windows Time "w32time",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCL CSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDR CWDWO;;;WD)"

The Windows Time service maintains date and time synchronization. This policy sets the service to automatic startup.

WinHTTP Web Proxy Auto-Discovery Service
"winhttpautoproxysvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The WinHTTP Web Proxy Auto-Discovery service implements the Web Proxy Auto-Discovery (WPAD) protocol on behalf of HTTP clients, locating a proxy server automatically through DHCP or DNS. A host that trusts WPAD answers from its network can be handed a proxy of an attacker's choosing. The service is disabled.

Wireless Configuration
"wzcsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Wireless Configuration service enables automatic configuration of IEEE 802.11 wireless adapters. The service is disabled.

WMI Performance Adapter
"wmiapsrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The WMI Performance Adapter service provides performance library information. The service is disabled.

Workstation (lanmanworkstation), domain member server
"lanmanworkstation",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Workstation service (lanmanworkstation) is the SMB client, or network redirector; Netlogon depends on it, so a domain member cannot maintain its secure channel to the domain without it. For a domain member server this policy sets the service to automatic startup.

Workstation (lanmanworkstation), workgroup member server
"lanmanworkstation",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

A stand-alone (workgroup) server that never connects to remote shares does not need the SMB client, so for that role this policy disables service startup. Note that with the service disabled the host can no longer map drives or use net use itself.


World Wide Web Publishing Service
"w3svc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The World Wide Web Publishing service provides Web connectivity and administration through the IIS snap-in. The service is disabled.

3.10.2 Services Not Explicitly Covered by Microsoft

Fast User Switching Compatibility
"fastuserswitchingcompatibility",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Fast User Switching Compatibility service is not a core requirement for a Windows 2003 server. The service is disabled.

"mssql$webdb",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

MSSQL$webdb is the service of a named SQL Server instance called "webdb" (named instances register as MSSQL$<instance name>); it is not a core requirement for a Windows 2003 server. The service is disabled.

"mssqlserveradhelper",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The MSSQLServerADHelper service enables SQL server and SQL Server Analysis Services to publish information in Active Directory. The service is disabled.

"saldm",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The saldm service is not a core requirement for a Windows 2003 server. The service is disabled.

"sptimer",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The sptimer service (Windows SharePoint Services Timer) is not a core requirement for a Windows 2003 server. The service is disabled.

"sqlserveragent",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The sqlserveragent service (SQL Server Agent, which runs scheduled SQL Server jobs) is not a core requirement for a Windows 2003 server. The service is disabled.


"winsip",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The winsip service is not a core requirement for a High Security server. The service is disabled.

3.11 TCP/IP Stack Hardening

EnableICMPRedirect
machine\system\currentcontrolset\services\tcpip\parameters\enableicmpredirect=4,0

The 'enableicmpredirect' registry value determines whether the host alters its route table in response to ICMP redirect messages. When enabled, a redirect causes the stack to install a host route that overrides the OSPF-generated routes, and that host route persists until it times out after ten minutes; an attacker who can deliver forged redirects can use this to steer the host's traffic through a system of their choosing. The setting '0' causes ICMP redirects to be ignored.

SynAttackProtect
machine\system\currentcontrolset\services\tcpip\parameters\synattackprotect=4,1

The 'synattackprotect' registry value enables protection against SYN floods. The setting '1' causes the stack, once a SYN attack is detected (see TcpMaxPortsExhausted, TcpMaxHalfOpen and TcpMaxHalfOpenRetried below), to reduce the number of SYN-ACK retransmissions and to time out half-open connection requests sooner; this limits the resources spent on connections that will never complete.

EnableDeadGWDetect
machine\system\currentcontrolset\services\tcpip\parameters\enabledeadgwdetect=4,0

The 'enabledeadgwdetect' value allows TCP to switch to a backup gateway when it decides that the current default gateway has stopped responding. An attacker who can make the current gateway appear dead can cause the host to switch to a gateway of the attacker's choosing, and traffic may then traverse an untrusted path. The setting '0' disables dead gateway detection.

EnablePMTUDiscovery
machine\system\currentcontrolset\services\tcpip\parameters\enablepmtudiscovery=4,0

The 'enablepmtudiscovery' registry value determines whether TCP discovers the path maximum transmission unit (MTU), the largest packet that can reach a remote host without fragmentation. If enabled, an attacker can advertise a very small MTU and force the host to fragment its traffic into many tiny packets, degrading performance to the point of a DoS condition. The setting '0' causes a fixed MTU of 576 bytes to be used for all connections to hosts outside the local subnet; the trade-off is lower throughput on paths that would support larger packets.

KeepAliveTime
machine\system\currentcontrolset\services\tcpip\parameters\keepalivetime=4,300000

The 'keepalivetime' registry value determines how often (in milliseconds) TCP sends a keep-alive probe to verify that an idle connection is still intact, on sockets that have keep-alives enabled. The setting '300,000' (five minutes, against a default of two hours) is short enough to reclaim resources from peers that have vanished mid-connection, which limits how long an attacker can hold connections open without sending traffic.


DisableIPSourceRouting
machine\system\currentcontrolset\services\tcpip\parameters\disableipsourcerouting=4,2

The 'disableipsourcerouting' value determines whether the host honours source-routed IP packets, in which the sender dictates the route the packet takes. Source routing lets an attacker reach hosts that are not normally routable from their position and disguise the true origin of traffic. The setting '2' drops all incoming source-routed packets; '1' only stops the host from forwarding them, and '0' honours them.

TcpMaxConnectResponseRetransmissions
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxconnectresponseretransmissions=4,2

The 'tcpmaxconnectresponseretransmissions' value determines how many times TCP retransmits the SYN-ACK it sends in response to a connection request before it abandons the half-open connection. The setting '2' frees the resources held by unanswered connection requests quickly, which limits the effect of a SYN flood without affecting normal users.

TcpMaxDataRetransmissions
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxdataretransmissions=4,3

The 'tcpmaxdataretransmissions' value defines the number of times TCP retransmits an unacknowledged data segment before it aborts the connection (the default is 5). The setting '3' reduces the time and resources an unresponsive peer can consume, and with them the success of a DoS attack that relies on leaving connections hanging.

PerformRouterDiscovery
machine\system\currentcontrolset\services\tcpip\parameters\performrouterdiscovery=4,0

The 'performrouterdiscovery' value controls the use of the ICMP Router Discovery Protocol (IRDP) to learn default gateways. A host that accepts router advertisements can be given a rogue default gateway by any attacker on the local segment, who can then intercept or redirect its traffic. The setting '0' disables discovery and forces the use of the configured routers.

TcpMaxPortsExhausted
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxportsexhausted=4,5

The 'tcpmaxportsexhausted' value determines how many connection requests the system must refuse (because a listening socket's backlog is full) before SYN attack protection begins. The setting '5' starts protection after five refusals; this is the Windows default for TCP/IP and is a balance between performance and security.

TcpMaxHalfOpen
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxhalfopen=4,100

The 'tcpmaxhalfopen' value defines the number of connections allowed in the SYN_RCVD (half-open) state before SYN attack protection begins. The setting '100' initiates SYN attack protection when one hundred half-open connections exist. This value and TcpMaxHalfOpenRetried are only consulted when SynAttackProtect is enabled.


TcpMaxHalfOpenRetried
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxhalfopenretried=4,80

The 'tcpmaxhalfopenretried' value defines the number of half-open connections for which at least one retransmission of the SYN-ACK has already been sent that may exist before SYN attack protection begins; the setting '80' initiates protection when eighty such connections exist. Note the spelling: the value is Retried, not "Retired". The TCP/IP driver silently ignores a registry value whose name it does not recognise, so a misspelled value leaves the protection threshold at its default.

NoNameReleaseOnDemand (TCP/IP)
machine\system\currentcontrolset\services\tcpip\parameters\nonamereleaseondemand=4,1

The 'nonamereleaseondemand' registry value determines whether a system releases its NetBIOS name when another computer requests it; the setting '1' prevents the release. Note that the value NetBIOS over TCP/IP actually reads lives under the netbt\parameters key (see 3.13); this copy under tcpip\parameters has no effect on its own, so the netbt entry is the one that must be present.

3.12 AFD.SYS

DynamicBacklogGrowthDelta
machine\system\currentcontrolset\services\afd\parameters\dynamicbackloggrowthdelta=4,10

The 'dynamicbackloggrowthdelta' value defines how many free connections AFD creates at a time when a listening endpoint runs short of them. The setting '10' creates ten additional free connections per step; keeping the step small means a flood of connection attempts cannot make the system commit large amounts of memory at once, which would itself be a DoS condition.

EnableDynamicBacklog
machine\system\currentcontrolset\services\afd\parameters\enabledynamicbacklog=4,1

The 'enabledynamicbacklog' value enables the dynamic backlog feature of AFD.SYS. The setting '1' enables it, so that a listening endpoint's pool of free connections grows on demand, within the minimum and maximum below, instead of being exhausted by a SYN flood. The other three AFD values only take effect when this one is enabled.

MinimumDynamicBacklog
machine\system\currentcontrolset\services\afd\parameters\minimumdynamicbacklog=4,20

The 'minimumdynamicbacklog' value controls the minimum number of free connections on a listening endpoint. With the setting '20', AFD creates additional free connections whenever fewer than twenty are available, so that legitimate clients can still connect while an attack is consuming the backlog.

MaximumDynamicBacklog
machine\system\currentcontrolset\services\afd\parameters\maximumdynamicbacklog=4,20000

The 'maximumdynamicbacklog' value caps the total number of 'quasi-free' connections (free plus half-open) allowed on a listening endpoint. The setting '20,000' is the recommended ceiling for resisting SYN floods: it bounds the memory that incomplete connections can consume, and once the cap is reached the system refuses further connection attempts on that endpoint until existing ones complete or time out.


3.13 Other Settings

NoNameReleaseOnDemand (NetBIOS)
machine\system\currentcontrolset\services\netbt\parameters\nonamereleaseondemand=4,1

The 'nonamereleaseondemand' value determines whether a system releases its NetBIOS name when it receives a name-release request. The setting '1' prevents the system from releasing its name to anyone other than a WINS server; this defeats name-release attacks, in which forged release datagrams knock a host off the NetBIOS network or allow an attacker to take over its name.

Enable the computer to stop generating 8.3 style filenames
machine\system\currentcontrolset\control\filesystem\ntfsdisable8dot3namecreation=4,1

The 'ntfsdisable8dot3namecreation' value determines whether NTFS generates an MS-DOS compatible 8.3 short name for each new file. The setting '1' stops short name generation. Short names are predictable (PROGRA~1 for "Program Files") and make it easier for an attacker to guess and reference file and directory names; with them disabled, only the full name can be used to reference a file. Note that the setting only affects files created after it is applied, existing short names are not removed, and some legacy 16-bit applications depend on them.

NoDriveTypeAutoRun
machine\software\microsoft\windows\currentversion\policies\explorer\nodrivetypeautorun=4,255

The 'nodrivetypeautorun' value is a bitmask that determines which drive types are excluded from autorun. The setting '255' (0xFF) sets every bit and therefore disables autorun for all drive types on the system; without it, software on inserted media or a mapped network drive could run inadvertently with the privileges of the logged-on user, which is a particular concern when that user is an administrator.

The time in seconds before the screen saver grace period expires (0 recommended)
machine\software\microsoft\windows nt\currentversion\winlogon\screensavergraceperiod=4,0

The 'screensavergraceperiod' value determines how long (in seconds) after the screen saver starts a user can still dismiss it without entering a password. The setting '0' removes the grace period, so the console is locked the moment the idle threshold is reached.

Warning Level
machine\system\currentcontrolset\services\eventlog\security\warninglevel=4,90

The 'warninglevel' value determines the percentage of Security log capacity at which the event log service writes a warning event. The setting '90' triggers the warning when the Security log is 90% full; this leaves time to archive and clear the log, and to determine what filled it, before events are lost.


Enable Safe DLL search mode (recommended)
machine\system\currentcontrolset\control\sessionmanager\safedllsearchmode=4,1

The 'safedllsearchmode' value determines the order in which the loader searches for a DLL that is requested without a full path. The setting '1' moves the current working directory down the search order, below the Windows system directories: the order becomes the application's own directory, the system directories, the current directory, and then the directories in PATH. This ensures that a DLL planted in the current folder (for example a directory a user has been lured into opening) does not load in place of the system copy.

Disable Autorun on CD-ROM
machine\system\currentcontrolset\services\cdrom\autorun=4,0

The 'Autorun' value of the CD-ROM driver determines whether media change notification, and with it the automatic execution of a program named in autorun.inf, is enabled for CD-ROM drives. The setting '0' disables the feature ('1', the default, enables it); this helps reduce the threat of malicious code introduced on CD-ROM. The NoDriveTypeAutoRun policy above is the broader control, since it covers every drive type.

Disable Administrative Shares
machine\system\currentcontrolset\services\lanmanserver\parameters\autoshareserver=4,0

The 'AutoShareServer' value determines whether the Server service creates the hidden administrative shares (C$, D$, ADMIN$) at startup on a server operating system; the equivalent value for a workstation operating system is AutoShareWks. The setting '0' disables them. IPC$ is still created, and remote management tooling that depends on ADMIN$ or the drive shares (remote software installation, some backup and patch agents) stops working, so test before deploying.

Disable DCOM
machine\software\microsoft\ole\enabledcom=1,N

The 'EnableDCOM' value determines whether DCOM is active. The value is a REG_SZ (template type 1) holding 'Y' or 'N', not a DWORD; the setting 'N' disables DCOM. Note that disabling DCOM also disables remote WMI, remote MMC snap-ins and every other management interface that runs over DCOM, so it is appropriate only for servers that are managed locally or by other means.
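Checking a host against these registry values, as an added example (not code from the original working aide): the parser below reads lines in the path=type,value form used throughout 3.11 to 3.13, decodes the type code with the table of 4.1.5, and reports where a registry snapshot deviates from the template, including values that are missing altogether (a missing hardening value leaves the Windows default in force, which is as weak as a wrong value). The template lines are copied from this section; OBSERVED is a constructed stand-in for what a reg export or a secedit /analyze run would return from a real host.

```python
"""Audit a registry snapshot against the [Registry Values] lines of a template.
Added example, not from the original document.  TEMPLATE lines are copied from
3.11-3.13 and 4.1.5; OBSERVED is a constructed host snapshot."""
import re

# Type code (first number after '=') -> registry value type, per 4.1.5.
REG_TYPE = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
            4: "REG_DWORD", 7: "REG_MULTI_SZ"}
LINE_RE = re.compile(r"^\s*(machine\\[^=]+?)\s*=\s*(\d)\s*,\s*(.*?)\s*$",
                     re.IGNORECASE)


def decode_value(code, raw):
    """Turn the textual value into the Python type the registry type implies."""
    if code == 4:                                  # REG_DWORD: "255" or "0xff"
        return int(raw, 16) if raw.lower().startswith("0x") else int(raw)
    if code == 3:                                  # REG_BINARY: hex digits
        return bytes.fromhex(raw.zfill(len(raw) + len(raw) % 2))
    if code == 7:                                  # REG_MULTI_SZ: comma list
        return [s for s in raw.split(",") if s]
    return raw                                     # REG_SZ / REG_EXPAND_SZ


def parse_template_line(line):
    """'machine\\key\\value=type,data' -> (lower-cased path, REG_* name, data)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a registry value line: " + line)
    path, code, raw = m.group(1).lower(), int(m.group(2)), m.group(3)
    if code not in REG_TYPE:
        raise ValueError("unknown registry type code %d in: %s" % (code, line))
    return path, REG_TYPE[code], decode_value(code, raw)


def audit(template_lines, observed):
    """Return (value name, expected, actual) for each deviation from the template.

    `observed` maps the lower-cased template path to the value read from the
    host; a value absent on the host is reported with actual=None.
    """
    findings = []
    for line in template_lines:
        if not line.strip() or line.lstrip().startswith(";"):   # blank/comment
            continue
        path, _rtype, expected = parse_template_line(line)
        actual = observed.get(path)
        if actual != expected:
            findings.append((path.rsplit("\\", 1)[1], expected, actual))
    return findings


TCPIP = "machine\\system\\currentcontrolset\\services\\tcpip\\parameters\\"
EXPLORER = "machine\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\"
TEMPLATE = [
    TCPIP + "synattackprotect=4, 1",
    TCPIP + "disableipsourcerouting=4, 2",
    TCPIP + "enableicmpredirect=4, 0",
    EXPLORER + "nodrivetypeautorun=4,255",
    "machine\\system\\currentcontrolset\\control\\sessionmanager\\safedllsearchmode=4, 1",
    "MACHINE\\Software\\Microsoft\\Driver Signing\\Policy=3,1",
]
# Constructed snapshot: two values weaker than the template, autorun still at
# the usual 0x91 default, SafeDllSearchMode never set, two values compliant.
OBSERVED = {
    TCPIP + "synattackprotect": 1,
    TCPIP + "disableipsourcerouting": 1,   # forwarding off, packets still accepted
    TCPIP + "enableicmpredirect": 1,
    EXPLORER + "nodrivetypeautorun": 0x91,
    "machine\\software\\microsoft\\driver signing\\policy": b"\x01",
}

if __name__ == "__main__":
    for name, expected, actual in audit(TEMPLATE, OBSERVED):
        print("%-24s expected %r, found %r" % (name, expected, actual))
```

The comparison is deliberately exact: a value that is "close" (DisableIPSourceRouting at 1 instead of 2) is still a finding, because the page's rationale for each value depends on the specific number, and a value the template expects but the host lacks is reported as None rather than silently treated as compliant.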


4 ANNEXES

4.1 General Security Setting Values

Windows security templates utilize various general setting values; all of these will be expounded upon below.

4.1.1 Binary Setting Values

Binary settings are used to indicate whether an object is enabled/installed or disabled/not installed.

Binary Settings

BINARY VALUE   DEFINITION
0              disabled/not installed
1              enabled/installed

EnableAdminAccount = 1
1 = The administrator account is enabled.

4.1.2 Windows Services Boot Values

Windows services boot values determine whether a service starts automatically, can only be started manually, or is disabled.

Windows Services Boot Settings

NUMERICAL VALUE   DEFINITION
2                 automatic startup
3                 manual startup
4                 disabled

netlogon,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
2 = The netlogon service starts automatically at system boot.


4.1.3 Common User Rights Settings

Security Identifiers (SIDs) are unique values of variable length that identify a security principal or security group in Windows operating systems. The well-known SIDs listed below have the same value on every Windows installation; the SIDs of domain and local accounts, by contrast, are relative to the domain or computer that issued them (see 4.2). In a template a leading asterisk marks the entry as a SID rather than an account name.

User Rights Security Identifier Settings

SETTING         DEFINITION
*S-1-5-32-544   Administrators (built-in group)
*S-1-5-6        Service
*S-1-5-32-551   Backup Operators
*S-1-5-32-545   Users
*S-1-5-20       Network Service
*S-1-5-11       Authenticated Users

sesystemtimeprivilege = *S-1-5-32-544
*S-1-5-32-544 = Only members of the local Administrators group can change the system time.

4.1.4 Audit Log Retention Period Settings The audit log retention period settings determine the period of time that audit log records will be retained before they are overwritten.

Retention Period Settings

NUMERICAL VALUE   DEFINITION
0                 overwrite events as needed
1                 overwrite events as specified by the retention days entry
2                 never overwrite events (clear log manually)

AuditLogRetentionPeriod = 2
2 = The log's events are never overwritten and must be cleared manually.


4.1.5 Registry Value Settings

Registry settings in Windows security templates typically consist of two values. The first value is numerical and represents a standard registry value type; the second value contains the security setting value.

Registry Value Settings

VALUE   SETTING         DEFINITION
1       reg_sz          sequence of characters representing human readable text
2       reg_expand_sz   expandable text string containing a variable (such as %SystemRoot%) that is replaced when an application reads the value
3       reg_binary      binary value as described in 4.1.1
4       reg_dword       a number four bytes long; can be displayed as a binary, hexadecimal or decimal value
7       reg_multi_sz    multiple values of human readable text

MACHINE\Software\Microsoft\Driver Signing\Policy=3,1
3 = reg_binary; 1 = warn before installing an unsigned driver (0 = install silently, 2 = block the installation)


4.2 Windows Security Identifiers (SIDs)

SID: S-1-0 Name: Null Authority Description: An identifier authority.

SID: S-1-0-0 Name: Nobody Description: No security principal.

SID: S-1-1 Name: World Authority Description: An identifier authority.

SID: S-1-1-0 Name: Everyone Description: A group that includes all users, even anonymous users and guests. Membership is controlled by the operating system.

SID: S-1-2 Name: Local Authority Description: An identifier authority.

SID: S-1-3 Name: Creator Authority Description: An identifier authority.

SID: S-1-3-0 Name: Creator Owner Description: A placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the object's creator.

SID: S-1-3-1 Name: Creator Group Description: A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object's creator. The primary group is used only by the POSIX subsystem.

SID: S-1-3-2 Name: Creator Owner Server Description: This SID is not used in Windows 2000.

SID: S-1-3-3 Name: Creator Group Server Description: This SID is not used in Windows 2000.

SID: S-1-4 Name: Non-unique Authority Description: An identifier authority.


SID: S-1-5 Name: NT Authority Description: An identifier authority.

SID: S-1-5-1 Name: Dialup Description: A group that includes all users who have logged on through a dial-up connection. Membership is controlled by the operating system.

SID: S-1-5-2 Name: Network Description: A group that includes all users that have logged on through a network connection. Membership is controlled by the operating system.

SID: S-1-5-3 Name: Batch Description: A group that includes all users that have logged on through a batch queue facility. Membership is controlled by the operating system.

SID: S-1-5-4 Name: Interactive Description: A group that includes all users that have logged on interactively. Membership is controlled by the operating system.

SID: S-1-5-5-X-Y Name: Logon Session Description: A logon session. The X and Y values for these SIDs are different for each session.

SID: S-1-5-6 Name: Service Description: A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system.

SID: S-1-5-7 Name: Anonymous Description: A group that includes all users that have logged on anonymously. Membership is controlled by the operating system.

SID: S-1-5-8 Name: Proxy Description: This SID is not used in Windows 2000.

SID: S-1-5-9 Name: Enterprise Domain Controllers Description: A group that includes all domain controllers in a forest that uses an Active Directory directory service. Membership is controlled by the operating system.


SID: S-1-5-10 Name: Principal Self Description: A placeholder in an inheritable ACE on an account object or group object in Active Directory. When the ACE is inherited, the system replaces this SID with the SID for the security principal who holds the account.

SID: S-1-5-11 Name: Authenticated Users Description: A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.

SID: S-1-5-12 Name: Restricted Code Description: A SID that is added to a restricted token (one created with CreateRestrictedToken). When a process holding such a token requests access, the DACL must grant the access both to the token's normal SIDs and to its restricting SIDs.

SID: S-1-5-13 Name: Terminal Server Users Description: A group that includes all users that have logged on to a Terminal Services server. Membership is controlled by the operating system.

SID: S-1-5-18 Name: Local System Description: A service account that is used by the operating system.

SID: S-1-5-19 Name: Local Service Description: A built-in service account with minimal privileges on the local computer; it presents anonymous credentials on the network.

SID: S-1-5-20 Name: Network Service Description: A built-in service account with minimal privileges on the local computer; it presents the computer account's credentials on the network.

SID: S-1-5-domain-500 Name: Administrator Description: A user account for the system administrator. By default, it is the only user account that is given full control over the system.

SID: S-1-5-domain-501 Name: Guest Description: A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.

SID: S-1-5-domain-502 Name: KRBTGT Description: A service account that is used by the Key Distribution Center (KDC) service.


SID: S-1-5-domain-512 Name: Domain Admins Description: A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.

SID: S-1-5-domain-513 Name: Domain Users Description: A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group by default.

SID: S-1-5-domain-514 Name: Domain Guests Description: A global group that, by default, has only one member, the domain's built-in Guest account.

SID: S-1-5-domain-515 Name: Domain Computers Description: A global group that includes all clients and servers that have joined the domain.

SID: S-1-5-domain-516 Name: Domain Controllers Description: A global group that includes all domain controllers in the domain. New domain controllers are added to this group by default.

SID: S-1-5-domain-517 Name: Cert Publishers Description: A global group that includes all computers that are running an enterprise certification authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory.

SID: S-1-5-root domain-518 Name: Schema Admins Description: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.

SID: S-1-5-root domain-519 Name: Enterprise Admins Description: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain.


SID: S-1-5-domain-520 Name: Group Policy Creator Owners Description: A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator.

SID: S-1-5-domain-533 Name: RAS and IAS Servers Description: A domain local group. By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in the Active Directory domain.

SID: S-1-5-32-544 Name: Administrators Description: A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.

SID: S-1-5-32-545 Name: Users Description: A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.

SID: S-1-5-32-546 Name: Guests Description: A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.

SID: S-1-5-32-547 Name: Power Users Description: A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares.


SID: S-1-5-32-548 Name: Account Operators Description: A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.

SID: S-1-5-32-549 Name: Server Operators Description: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.

SID: S-1-5-32-550 Name: Print Operators Description: A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.

SID: S-1-5-32-551 Name: Backup Operators Description: A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.

SID: S-1-5-32-552 Name: Replicators Description: A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group.

The following groups will show as SIDs until a Windows Server 2003 domain controller is made the primary domain controller (PDC) operations master role holder. (The "operations master" is also known as flexible single master operations or FSMO.) Additional new built-in groups that are created when a Windows Server 2003 domain controller is added to the domain are:

SID: S-1-5-32-554 Name: BUILTIN\Pre-Windows 2000 Compatible Access Description: An alias added by Windows 2000. A backward compatibility group which allows read access on all users and groups in the domain.


SID: S-1-5-32-555 Name: BUILTIN\Remote Desktop Users Description: An alias. Members in this group are granted the right to logon remotely.

SID: S-1-5-32-556 Name: BUILTIN\Network Configuration Operators Description: An alias. Members in this group can have some administrative privileges to manage configuration of networking features.

SID: S-1-5-32-557 Name: BUILTIN\Incoming Forest Trust Builders Description: An alias. Members of this group can create incoming, one-way trusts to this forest.


SID: S-1-5-32-558 Name: BUILTIN\Performance Monitor Users Description: An alias. Members of this group have remote access to monitor this computer.

SID: S-1-5-32-559 Name: BUILTIN\Performance Log Users Description: An alias. Members of this group have remote access to schedule logging of performance counters on this computer.

SID: S-1-5-32-560 Name: BUILTIN\Windows Authorization Access Group Description: An alias. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.

SID: S-1-5-32-561 Name: BUILTIN\Terminal Server License Servers Description: An alias. A group for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local group is created.

SID: S-1-5-32-562 Name: BUILTIN\Distributed COM Users Description: An alias. A group for COM to provide computerwide access controls that govern access to all call, activation, or launch requests on the computer.


4.3 Common Access Control List (ACL) Settings

4.3.1 Security Descriptor Definition Language (SDDL)3

SDDL defines the string format that describes a security descriptor4 as text; in the context of security template settings, SDDL is used in nTSecurityDescriptor5 attributes, registry keys, NTFS files and service entries (see 3.10) to define the ACL.

4.3.2 Discretionary Access Control List (DACL)

The DACL identifies the trustees that are allowed or denied access to a securable object; when a process tries to access a securable object, the system checks the ACEs in the object's DACL to determine whether to grant access.

If the object has no DACL at all (a NULL DACL), the system grants full access to everyone; if the object's DACL exists but contains no ACEs (an empty DACL), the system denies all attempts to access the object, because the DACL does not allow any access rights. The two cases are easy to confuse in an SDDL string and have opposite effects.

The system checks the ACEs in sequence until it finds one or more ACEs that together allow all the requested access rights, or until any of the requested access rights is denied; this is why canonical ACE ordering places explicit deny ACEs before allow ACEs.

4.3.3 System Access Control List (SACL) The SACL enables administrators to log attempts to access a secured object; each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log.

An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both. In future releases, a SACL will also be able to raise an alarm when an unauthorized user attempts to gain access to an object.

4.3.4 Access Control Entry (ACE) An access control entry is an element in an access control list (ACL) . An ACL can have zero or more ACEs. Each ACE controls or monitors access to an object by a specified trustee.

3 University of Washington. “SDDL Syntax”. April 24, 2007. Accessed on 25 March 2008. https://www.washington.edu/computing/support/windows/UWdomains/SDDL.html.

4 Security Descriptor - A structure and associated data that contains the security information for a securable object. A security descriptor identifies the object's owner and primary group. It can also contain a DACL that controls access to the object, and a SACL that controls the logging of attempts to access the object.

5 nTSecurityDescriptor - Every object in Active Directory contains this attribute which is a security descriptor object containing the discretionary access control list (DACL), the system access control list (SACL), group, and owner information that controls the object's access control behavior.


All types of ACEs contain the following access control information:

A security identifier (SID) that identifies the trustee to which the ACE applies. An access mask that specifies the access rights controlled by the ACE. A flag that indicates the type of ACE. A set of bit flags that determine whether child containers or objects can inherit the ACE from the primary object to which the ACL is attached.

The following table lists the three ACE types supported by all securable objects:

Type                Description
Access-denied ACE   Used in a discretionary access control list (DACL) to deny access rights to a trustee.
Access-allowed ACE  Used in a DACL to allow access rights to a trustee.
System-audit ACE    Used in a system access control list (SACL) to generate an audit record when the trustee attempts to exercise the specified access rights.

4.3.5 Format of nTSecurityDescriptor string:

Each nTSecurityDescriptor SDDL string is composed of five primary components, which correspond to the header, DACL (D:), SACL (S:), primary group (G:) and owner (O:):

O:owner_sidG:group_sidD:dacl_flags(ace string 1)(ace string 2)S:sacl_flags(ace string 1)(ace string 2)

The header contains record-keeping information along with two flags that designate whether the object is blocking inheritance for the SACL and DACL. The contents of both the primary group and owner parts are simply a single SID, while the contents of both the SACL and DACL parts are a string with no fixed length.

ACEs6 make up the contents of these strings; each ACE is enclosed within parentheses and contains six fields separated by a semicolon delimiter. The fields are:

a. ACE type (allow/deny/audit);

b. ACE flags (inheritance and audit settings);

c. Permissions (list of incremental permissions);

d. ObjectType (GUID);

e. Inherited Object Type (GUID); and

f. Trustee (SID).

6 ACE - An access control entry is an element in an access control list (ACL). An ACL can have zero or more ACEs. Each ACE controls or monitors access to an object by a specified trustee.

4.3.6 ACE Type

The ACE type designates whether the trustee is allowed, denied or audited.

Value   Description
"A"     ACCESS ALLOWED
"D"     ACCESS DENIED
"OA"    OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD"    OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU"    SYSTEM AUDIT
"AL"    SYSTEM ALARM
"OU"    OBJECT SYSTEM AUDIT
"OL"    OBJECT SYSTEM ALARM

4.3.7 ACE Flags

The ACE flags denote the inheritance options for the ACE, and if it is a SACL, the audit settings.

Value   Description
"CI"    CONTAINER INHERIT: child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
"OI"    OBJECT INHERIT: child objects that are not containers inherit the ACE as an explicit ACE.
"NP"    NO PROPAGATE: only immediate children inherit this ACE.
"IO"    INHERITANCE ONLY: the ACE does not apply to this object, but may affect children via inheritance.
"ID"    ACE IS INHERITED
"SA"    SUCCESSFUL ACCESS AUDIT
"FA"    FAILED ACCESS AUDIT


4.3.8 Permissions

The Permissions are a list of the incremental permissions given (or denied/audited) to the trustee. These correspond to the permissions discussed earlier and are simply appended together, two characters per permission. However, the incremental permissions are not the only permissions available. The table below lists all the permissions.

Value   Description

Generic access rights
"GA"    GENERIC ALL
"GR"    GENERIC READ
"GW"    GENERIC WRITE
"GX"    GENERIC EXECUTE

Directory service access rights
"RC"    Read Permissions
"SD"    Delete
"WD"    Modify Permissions
"WO"    Modify Owner
"RP"    Read All Properties
"WP"    Write All Properties
"CC"    Create All Child Objects
"DC"    Delete All Child Objects
"LC"    List Contents
"SW"    All Validated Writes
"LO"    List Object
"DT"    Delete Subtree
"CR"    All Extended Rights

File access rights
"FA"    FILE ALL ACCESS
"FR"    FILE GENERIC READ
"FW"    FILE GENERIC WRITE
"FX"    FILE GENERIC EXECUTE

Registry key access rights
"KA"    KEY ALL ACCESS
"KR"    KEY READ
"KW"    KEY WRITE
"KX"    KEY EXECUTE

4.3.9 Object Type and Inherited Object Type

The ObjectType is a GUID representing an object class, attribute, attribute set, or extended right. If present it limits the ACE to the object the GUID represents. The Inherited Object Type is a GUID representing an object class. If present it limits inheritance of the ACE to the child entries of only that object class.


4.3.10 Trustee

The Trustee is the SID of the user or group being given access (or denied or audited). Instead of a SID, one of several commonly used two-letter acronyms for well-known SIDs may appear. These are listed in the table below:

Value   Description
"AO"    Account operators
"RU"    Alias to allow previous Windows 2000
"AN"    Anonymous logon
"AU"    Authenticated users
"BA"    Built-in administrators
"BG"    Built-in guests
"BO"    Backup operators
"BU"    Built-in users
"CA"    Certificate server administrators
"CG"    Creator group
"CO"    Creator owner
"DA"    Domain administrators
"DC"    Domain computers
"DD"    Domain controllers
"DG"    Domain guests
"DU"    Domain users
"EA"    Enterprise administrators
"ED"    Enterprise domain controllers
"WD"    Everyone
"PA"    Group Policy administrators
"IU"    Interactively logged-on user
"LA"    Local administrator
"LG"    Local guest
"LS"    Local service account
"SY"    Local system
"NU"    Network logon user
"NO"    Network configuration operators
"NS"    Network service account
"PO"    Printer operators
"PS"    Personal self
"PU"    Power users
"RS"    RAS servers group
"RD"    Terminal server users
"RE"    Replicator
"RC"    Restricted code
"SA"    Schema administrators
"SO"    Server operators
"SU"    Service logon user


4.3.11 ACL Example

Given an ACL assigned to a service as demonstrated below:

w32time,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The DACL D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) would break out as follows:

AR SDDL_AUTO_INHERIT_REQ - the SE_DACL_AUTO_INHERIT_REQ flag is set.

ACE String 1

A   ACCESS ALLOWED
CC  CREATE ALL CHILD OBJECTS
DC  DELETE ALL CHILD OBJECTS
LC  LIST CONTENTS
SW  ALL VALIDATED WRITES
RP  READ ALL PROPERTIES
WP  WRITE ALL PROPERTIES
DT  DELETE SUBTREE
LO  LIST OBJECT
CR  ALL EXTENDED RIGHTS
SD  DELETE
RC  READ PERMISSIONS
WD  MODIFY PERMISSIONS
WO  MODIFY OWNER
BA  BUILT-IN ADMINISTRATORS

ACE String 2

A   ACCESS ALLOWED
CC  CREATE ALL CHILD OBJECTS
DC  DELETE ALL CHILD OBJECTS
LC  LIST CONTENTS
SW  ALL VALIDATED WRITES
RP  READ ALL PROPERTIES
WP  WRITE ALL PROPERTIES
DT  DELETE SUBTREE
LO  LIST OBJECT
CR  ALL EXTENDED RIGHTS
SD  DELETE
RC  READ PERMISSIONS
WD  MODIFY PERMISSIONS
WO  MODIFY OWNER
SY  LOCAL SYSTEM

The SACL S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) would break out as follows:


AU  SYSTEM AUDIT
FA  FAILED ACCESS AUDIT (the second field is the ACE flags field, so "FA" is the audit flag from 4.3.7, not the file access right)
CC  CREATE ALL CHILD OBJECTS
DC  DELETE ALL CHILD OBJECTS
LC  LIST CONTENTS
SW  ALL VALIDATED WRITES
RP  READ ALL PROPERTIES
WP  WRITE ALL PROPERTIES
DT  DELETE SUBTREE
LO  LIST OBJECT
CR  ALL EXTENDED RIGHTS
SD  DELETE
RC  READ PERMISSIONS
WD  MODIFY PERMISSIONS
WO  MODIFY OWNER
WD  EVERYONE (trustee)
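The decoding walked through in 4.3.5 to 4.3.11, together with the DACL evaluation rule from 4.3.2, as an added Python example that is not part of the original working aide: it splits an nTSecurityDescriptor SDDL string into its O:, G:, D: and S: parts and ACE fields, expands the codes using the tables above, and checks a requested set of rights against the DACL in ACE order. The trustee table is abbreviated to a subset, the function names are the example's own, and the w32time descriptor from the example above is the embedded sample input.

```python
import re

# Code tables from 4.3.6 to 4.3.10 (trustee table abbreviated; unknown codes pass through verbatim).
ACE_TYPES = {"A": "ACCESS ALLOWED", "D": "ACCESS DENIED", "OA": "OBJECT ACCESS ALLOWED", "OD": "OBJECT ACCESS DENIED",
             "AU": "SYSTEM AUDIT", "AL": "SYSTEM ALARM", "OU": "OBJECT SYSTEM AUDIT", "OL": "OBJECT SYSTEM ALARM"}
ACE_FLAGS = {"CI": "CONTAINER INHERIT", "OI": "OBJECT INHERIT", "NP": "NO PROPAGATE", "IO": "INHERIT ONLY",
             "ID": "INHERITED", "SA": "SUCCESSFUL ACCESS AUDIT", "FA": "FAILED ACCESS AUDIT"}
RIGHTS = {"GA": "GENERIC ALL", "GR": "GENERIC READ", "GW": "GENERIC WRITE", "GX": "GENERIC EXECUTE",
          "RC": "READ PERMISSIONS", "SD": "DELETE", "WD": "MODIFY PERMISSIONS", "WO": "MODIFY OWNER",
          "RP": "READ ALL PROPERTIES", "WP": "WRITE ALL PROPERTIES", "CC": "CREATE ALL CHILD OBJECTS",
          "DC": "DELETE ALL CHILD OBJECTS", "LC": "LIST CONTENTS", "SW": "ALL VALIDATED WRITES", "LO": "LIST OBJECT",
          "DT": "DELETE SUBTREE", "CR": "ALL EXTENDED RIGHTS", "FA": "FILE ALL ACCESS", "FR": "FILE GENERIC READ",
          "FW": "FILE GENERIC WRITE", "FX": "FILE GENERIC EXECUTE", "KA": "KEY ALL ACCESS", "KR": "KEY READ",
          "KW": "KEY WRITE", "KX": "KEY EXECUTE"}
TRUSTEES = {"BA": "Built-in administrators", "SY": "Local system", "WD": "Everyone", "AU": "Authenticated users", "BU": "Built-in users"}

def split_codes(run):  # "CCDCLC" -> ["CC", "DC", "LC"]
    return [run[i:i + 2] for i in range(0, len(run), 2)]
def parse_ace(text):
    """Parse one 'type;flags;rights;object_type;inherited_object_type;trustee' ACE body (4.3.5)."""
    fields = text.split(";")
    if len(fields) != 6 or len(fields[1]) % 2 or len(fields[2]) % 2:
        raise ValueError(f"malformed ACE (6 fields, two-letter flag/right codes expected): {text!r}")
    ace_type, flags, rights, obj, inh_obj, trustee = fields
    return {"type": ace_type, "flags": split_codes(flags), "rights": split_codes(rights),
            "object_type": obj or None, "inherited_object_type": inh_obj or None, "trustee": trustee}
def parse_sddl(sddl):
    """Split the descriptor into its O:, G:, D: and S: parts; D: and S: carry flags plus a list of ACEs."""
    desc = {}
    for part, body in re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl):
        if part in "OG":
            desc[part] = body                                    # owner / group: one SID or alias
        else:                                                    # DACL / SACL: flags such as "AR", then ACEs
            desc[part] = {"flags": body.split("(", 1)[0],
                          "aces": [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]}
    return desc
def describe(ace):
    """Expand an ACE's codes into the readable form used in the worked example above."""
    return (ACE_TYPES.get(ace["type"], ace["type"]), [ACE_FLAGS.get(f, f) for f in ace["flags"]],
            [RIGHTS.get(r, r) for r in ace["rights"]], TRUSTEES.get(ace["trustee"], ace["trustee"]))
def check_access(dacl, identities, requested):
    """DACL walk from 4.3.2: first denial of a requested right loses; allows win once they cover the request."""
    granted, wanted = set(), set(requested)
    for ace in dacl["aces"]:
        if ace["trustee"] not in identities or "IO" in ace["flags"]:   # inherit-only ACEs skip the object itself
            continue
        if ace["type"] in ("D", "OD") and wanted & set(ace["rights"]):
            return False
        if ace["type"] in ("A", "OA"):
            granted |= set(ace["rights"])
            if wanted <= granted:
                return True
    return False                                                 # nothing granted the full request

# Sample input: the w32time descriptor from the example above (page line-wrap spaces removed).
W32TIME = "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
```

Because the walk stops at the first decisive ACE, swapping a deny ACE and an allow ACE for the same trustee changes the outcome, which is why ordering within a DACL matters when templates are merged.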


4.4 Security Policy Comparison and Analysis

While developing and deploying a custom security policy, the IT Security specialist in the field may have to compare and/or analyze security policies. This annex will outline the use of the MMC Security Configuration and Analysis plugin and the command line tool secedit to compare and analyze the local security configuration of a Windows 2003 Server installation.

4.4.1 MMC – Microsoft Management Console

MMC is a framework for system administration tools in modern Microsoft Windows operating systems. Most of Microsoft's administration tools included with both Windows itself and Windows Server System products are implemented as MMC modules (known as “snap-ins”).

One of these snap-ins (Security Configuration and Analysis) allows the system administrator to analyze local security policies by generating a security database from the security policy installed on a host and comparing it to another security policy template.

4.4.2 Comparing and Analyzing Security Policies Using MMC

Running MMC and Adding the Snap-in

1. Log in as the local administrator (username: cscsrvadmin).
2. From the Start menu, select Run…
3. In the Open: field, type mmc and click OK.
4. In the Console window, click File and select Add/Remove Snap-in.
5. In the Add/Remove Snap-in window, click on Add…
6. In the Add Standalone Snap-in window, select Security Configuration and Analysis and click Add.
7. Click Close.
8. In the Add/Remove Snap-in window, click on OK.


Figure 1 – The MMC Console window after loading the Security Configuration and Analysis snap-in module.

To Open an Existing Security Policy Database

1. Right-click the Security Configuration and Analysis snap-in item.
2. Click Open Database.
3. Select a database, and then click Open.

To Create a New Security Policy Database

1. Right-click the Security Configuration and Analysis snap-in item.
2. Click Open Database.
3. Type a new database name, and then click Open.
4. Select a security template to import, and then click Open.


Figure 2 – The MMC Console window after selecting the security database and security policy.

To Compare and Analyze the Security Policy

1. Right-click the Security Configuration and Analysis snap-in item.
2. Select Analyze Computer Now…
3. In the Perform Analysis window, click OK.
4. Allow the Analyzing System Security window's routine to complete.


Figure 3 – The MMC Console’s security policy analysis progress window.

To Navigate the Results

1. Under the Security Configuration and Analysis snap-in item, select the item you wish to view from the tree.
2. The analysis results for the selected item will be displayed on the right hand side.

Figure 4 – The MMC Console window after the comparison and analysis is complete.


Analyzing Security and Viewing Results

The Security Configuration and Analysis snap-in performs security analysis by comparing the current state of system security against an analysis database. During creation, the analysis database uses at least one security template.

Should the administrator choose to import more than one security template, the database will merge the various templates and create one composite template. The snap-in resolves conflicts in order of import; the last template that is imported takes precedence.

The snap-in displays the analysis results by security area, using visual flags to indicate problems. It displays the current system and base configuration settings for each security attribute in the security areas.

ANALYSIS VISUAL FLAG HIGHLIGHTS AND THEIR MEANINGS

Visual Flag Highlight   Meaning
Red X                   The entry is defined in the analysis database and on the system, but the security setting values do not match.
Green Check             The entry is defined in the analysis database and on the system, and the setting values match.
Question Mark           The entry is not defined in the analysis database and, therefore, was not analyzed. If an entry is not analyzed, it may be that it was not defined in the analysis database or that the user who is running the analysis may not have sufficient permission to perform analysis on a specific object or area.
Exclamation Point       This item is defined in the analysis database, but does not exist on the actual system. For example, there may be a restricted group that is defined in the analysis database but does not actually exist on the analyzed system.
No Highlight            The item is not defined in the analysis database or on the system.


4.4.3 Secedit – Command Line Security Policy Analysis Tool

Secedit is a command line tool that allows a system administrator to perform various security policy related tasks. Although a command line tool, secedit is extremely versatile as it can be scripted to perform tasks remotely across multiple hosts; MMC can only be used to perform tasks on a single machine (the local host).

The Secedit tool has six primary functions: configure, analyze, import, export, validate, and generate rollback. The scope of this document is limited to those used for security policy analysis.

Comparing and Analyzing Security Policies Using Secedit

Running Secedit

1. From the Start menu, select Run…
2. In the Open: field, type cmd and click OK.
3. In the command shell window, enter the commands as described below.

Secedit Switches Explained

DB - The DB switch allows the administrator to specify the name of the database file to either create or use.

CFG - The CFG switch allows the administrator to specify the name of the template to use.

Overwrite – When used in conjunction with the import function, the overwrite switch purges the database prior to the import; this provides the same basic functionality as creating a brand new database.

Log - Allows the administrator to specify a log file to be used in lieu of the default log file.

Quiet – Allows the administrator to run Secedit without prompting for task verifications.

Areas - Allows the administrator to specify which types of data from the template should be applied; all other types of data within the template are ignored. Valid data types are:

SECURITYPOLICY - includes account policies, audit policies, event log settings, and security options.
GROUP_MGMT - includes restricted groups settings.
USER_RIGHTS - includes user rights assignments.
REGKEYS - includes registry permissions.
FILESTORE - includes file system permissions.
SERVICES - includes system service settings.


Creating a Security Policy Database

The secedit import function is used to create or import a security policy database; the syntax for the Import function is as follows:

SECEDIT /IMPORT /DB database.sdb /CFG template.inf /OVERWRITE

In the example above, replace database.sdb with the name of the database being created and template.inf with the name of the template being used to generate the database.

Analyzing Security Policies

The secedit analyze function is used to compare an existing security policy database to a security policy. The syntax is as follows:

SECEDIT /ANALYZE /DB database.sdb /CFG template.inf /OVERWRITE /LOG output.txt

In the example above, replace database.sdb with the name of an existing database and template.inf with the name of the template being compared to the database. This will create a log file in the current directory named OUTPUT.TXT listing every security setting that differs from the template.

Opening the Analysis Results File

To open and view the results file (e.g. OUTPUT.TXT), simply open the file with Notepad or another text editor.


5 REFERENCES

Communications Security Establishment Canada. “Windows Server 2003 Recommended Baseline Security (ITSG-20)”. March 2004. Accessed on 25 March 2008. http://www.cse-cst.gc.ca/documents/publications/gov-pubs/itsg/itsg20.pdf.

Melber, Derek. “Understanding Windows Security Templates”. 06 October 2004. Accessed on 25 March 2008. http://www.windowsecurity.com/articles/Understanding-Windows-Security-Templates.html.

Microsoft Download Center. “Windows Server 2003 Security Guide”. 05 August 2006. Accessed on 25 March 2008. http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en.

Microsoft Help and Support. “Definition of Registry Value Data Types”. 14 March 2008. Accessed on 25 March 2008. http://support.microsoft.com/kb/101230.

Microsoft Help and Support. “Well-known Security Identifiers in Windows Operating Systems”. 14 March 2008. Accessed on 25 March 2008. http://support.microsoft.com/kb/243330.

Microsoft TechNet. “Security Templates”. Date unknown. Accessed on 25 March 2008. http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/deploy/dgbe_sec_vopo.mspx?mfr=true.

University of Washington. “SDDL Syntax”. April 24, 2007. Accessed on 25 March 2008. https://www.washington.edu/computing/support/windows/UWdomains/SDDL.html.
