Working Aide - Windows Security Template Settings Final - 06 March 2008 Ted Mac Daibhidh, CD WORKING AIDE - WINDOWS SECURITY TEMPLATE SETTINGS TED MAC DAIBHIDH, CD Page 0 Working Aide - Windows Security Template Settings Final - 06 March 2008 Ted Mac Daibhidh, CD Table of Contents 1 INTRODUCTION ...................................................................................................................3 2 WINDOWS SECURITY TEMPLATES ...............................................................................4 3 SECURITY SETTINGS .........................................................................................................5 3.1 PASSWORD .........................................................................................................................4 3.2 ACCOUNT LOCKOUT...........................................................................................................5 3.3 KERBEROS POLICY .............................................................................................................6 3.4 AUDIT POLICY ....................................................................................................................7 3.5 USER RIGHTS ASSIGNMENTS ..............................................................................................8 3.6 SECURITY OPTIONS ..........................................................................................................14 3.7 EVENT LOG SIZE ..............................................................................................................27 3.8 GUEST ACCESS .................................................................................................................28 3.9 RETENTION METHOD .......................................................................................................28 3.10 SYSTEM SERVICES ............................................................................................................29 3.11 TCP/IP STACK HARDENING .............................................................................................51 3.12 AFD.SYS ........................................................................................................................53 3.13 OTHER SETTINGS .............................................................................................................54 4 ANNEXES ..............................................................................................................................56 4.1 GENERAL SECURITY SETTING VALUES ............................................................................56 4.2 WINDOWS SECURITY IDENTIFIERS (SIDS) ........................................................................59 4.3 COMMON ACCESS CONTROL LIST (ACL) SETTINGS ........................................................66 4.4 SECURITY POLICY COMPARISON AND ANALYSIS .............................................................74 5 REFERENCES ......................................................................................................................80 Page 1 Working Aide - Windows Security Template Settings Final - 06 March 2008 Ted Mac Daibhidh, CD 1 INTRODUCTION This purpose of this document is to aggregate several disparate documents and sources regarding Microsoft Windows security template settings; its purpose is to assist those with limited exposure in this regard should they find themselves tasked with a project requiring interpretation of these settings. Page 2 Working Aide - Windows Security Template Settings Final - 06 March 2008 Ted Mac Daibhidh, CD 2 WINDOWS SECURITY TEMPLATES1 Security templates are setup information (.inf) files that define system security settings (e.g. user rights, permissions, password policies, etc.) on a Windows host. Security templates can be either be deployed centrally using Group Policy objects (GPOs) or locally using tools such as secedit or MMC security plugins. Windows installations have several standard security templates which can be found in the C:\Windows\Security\Templates folder. The standard security templates are: a. Compatws.inf – required by older applications that need to have weaker security to access the Registry and the file system; b. DC security.inf – used to configure security of the Registry and File system of a computer that was upgraded from Windows NT to Windows 2000/2003; c. Hisecdc.inf – used to increase the security and communications with the domain controllers; d. Hisecws.inf – used to increase security and communications for the client computers and member servers; e. Notssid.inf – used to weaken security to allow older applications to run on Windows Terminal Services; f. Ocfiless.inf – used for optional components that are installed after the main operating system is installed - this will support services such as Terminal Services and Certificate Services; g. Securedc.inf – used to increase the security and communications with the domain controllers, but not to the level of the High Security DC security template; h. Securews.inf – used to increase security and communications for the client computers and member servers; and i. Setup security.inf – used to reapply the default security settings of a freshly installed computer. 1 Melber, Derek. “Understanding Windows Security Templates”. 06 October 2004. Accessed on 25 March 2008. http://www.windowsecurity.com/articles/Understanding-Windows-Security- Templates.html. Page 3 Working Aide - Windows Security Template Settings Final - 06 March 2008 Ted Mac Daibhidh, CD 3 SECURITY SETTINGS The sections below will define some of the individual security settings found in security templates. Where available, the CSEC recommended setting values2 will be provided and defined. 3.1 Password Enforce password history PasswordHistorySize = 24 „PasswordHistorySize‟ defines the number of passwords retained by the system. This history is compared with user input during password changes. The setting „24‟ requires the user to select twenty-four unique passwords before they can re-use their first one. With a „MinimumPasswordAge‟ of two, the user would have to cycle their password every two days to get back to their original password. Maximum password age MaximumPasswordAge = 42 „MaximumPasswordAge‟ defines the maximum number of days a user can keep the same password. A setting of forty-two requires the user to change their password every forty-two days; combined with the „PasswordComplexity‟ and ‟PasswordLength‟ settings, these settings ensure the password is strong and resilient to attack. Minimum password age MinimumPasswordAge = 2 „MinimumPasswordAge‟ defines how many days a user must wait between passwordchanges. The setting „2‟ requires the user to wait two before they can change it again. Minimum password length MinimumPasswordLength = 8 „MinimumPasswordLength‟ defines the minimum number of characters acceptable for a password. The setting „8‟ requires the user to enter a password of eight characters or more; combined with the „PasswordComplexity‟ and „MaximumPasswordAge‟ settings, these settings ensure the password is strong and resilient to attack. 2 Communications Security Establishment Canada. “Windows Server 2003 Recommended Baseline Security (ITSG-20)”. http://www.cse-cst.gc.ca/documents/publications/gov-pubs/itsg/itsg20.pdf. Page 4 Working Aide - Windows Security Template Settings Final - 06 March 2008 Ted Mac Daibhidh, CD Password must meet complexity requirements PasswordComplexity = 1 „PasswordComplexity‟ defines password complexity requirements; this setting helps thwart brute-force attacks. The setting „1‟ requires the user to enter a strong password that meets the criteria demonstrated below: • Upper Case Character (A-Z) • Lower Case Character (a-z) • Base 10 Digits (0-9) • Non-alphanumeric (! @ # $ % ^ &) Store password using reversible encryption ClearTextPassword = 0 The „ClearTextPassword‟ keyword determines if the system stores passwords using reversible encryption. The setting „zero‟ disables reversible encryption. NOTE: Never enable this option unless operational considerations outweigh the need to protect password information. 3.2 Account Lockout Account Lockout Duration LockoutDuration = 15 „LockoutDuration‟ defines the length of time (in minutes) that an account is disabled afterlockout; this value needs to be synchronized with „ResetLockoutCounter‟ so the user can logon when the „LockoutDuration‟ has expired. The setting „15‟ disables the user‟s account for 15 minutes. Account lockout threshold LockoutBadCount = 10 „LockoutBadCount‟ defines the number of failed logons allowed before the account is locked. The setting „10‟ causes the user‟s account to be locked after 10 consecutive logon attempts. The setting prevents extended password guessing attacks. Page 5 Working Aide - Windows Security Template Settings Final - 06 March 2008 Ted Mac Daibhidh, CD Reset account lockout counter after ResetLockoutCount = 15 „ResetLockoutCount‟ defines the length of time (in minutes) before a lockout reset occurs; this value needs to be synchronized with „LockoutDuration‟ so the user can logon when the „LockoutDuration‟ has expired. The setting „15‟ resets the lockout to zero after fifteen minutes. 3.3 Kerberos Policy Enforce user logon restrictions TicketValidateClient = 1 „TicketValidateClient‟ determines if Kerberos V5 Key Distribution Centre authentication is required. The setting „1‟ requires the use of Kerberos Authentication. Maximum lifetime for the service ticket MaxServiceAge = 600 „MaxServiceAge‟ defines the number of minutes a service ticket
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages81 Page
-
File Size-