Working Aide - Windows Security Template Settings Final - 06 March 2008

Ted Mac Daibhidh, CD


Table of Contents

1 INTRODUCTION (p. 3)
2 WINDOWS SECURITY TEMPLATES (p. 4)
3 SECURITY SETTINGS (p. 5)
3.1 PASSWORD (p. 4)
3.2 ACCOUNT LOCKOUT (p. 5)
3.3 KERBEROS POLICY (p. 6)
3.4 AUDIT POLICY (p. 7)
3.5 USER RIGHTS ASSIGNMENTS (p. 8)
3.6 SECURITY OPTIONS (p. 14)
3.7 EVENT LOG SIZE (p. 27)
3.8 GUEST ACCESS (p. 28)
3.9 RETENTION METHOD (p. 28)
3.10 SYSTEM SERVICES (p. 29)
3.11 TCP/IP STACK HARDENING (p. 51)
3.12 AFD.SYS (p. 53)
3.13 OTHER SETTINGS (p. 54)
4 ANNEXES (p. 56)
4.1 GENERAL SECURITY SETTING VALUES (p. 56)
4.2 WINDOWS SECURITY IDENTIFIERS (SIDS) (p. 59)
4.3 COMMON ACCESS CONTROL LIST (ACL) SETTINGS (p. 66)
4.4 SECURITY POLICY COMPARISON AND ANALYSIS (p. 74)
5 REFERENCES (p. 80)


1 INTRODUCTION

The purpose of this document is to aggregate several disparate documents and sources regarding Microsoft Windows security template settings, in order to assist those with limited exposure to the subject should they find themselves tasked with a project requiring interpretation of these settings.


2 WINDOWS SECURITY TEMPLATES [1]

Security templates are setup information (.inf) files that define system security settings (e.g. user rights, permissions, password policies, etc.) on a Windows host. Security templates can be deployed either centrally using Group Policy Objects (GPOs) or locally using tools such as secedit or the MMC security snap-ins.

Windows installations ship with several standard security templates, found in the C:\Windows\Security\Templates folder. The standard security templates are:

a. Compatws.inf – required by older applications that need weaker security to access the Registry and the file system;

b. DC security.inf – used to configure security of the Registry and file system of a computer that was upgraded from Windows NT to Windows 2000/2003;

c. Hisecdc.inf – used to increase the security of, and communications with, the domain controllers;

d. Hisecws.inf – used to increase security and communications for client computers and member servers;

e. Notssid.inf – used to weaken security to allow older applications to run on Windows Terminal Services;

f. Ocfiless.inf – used for optional components that are installed after the main operating system is installed; this supports services such as Terminal Services and Certificate Services;

g. Securedc.inf – used to increase the security of, and communications with, the domain controllers, but not to the level of the High Security DC template;

h. Securews.inf – used to increase security and communications for client computers and member servers; and

i. Setup security.inf – used to reapply the default security settings of a freshly installed computer.

[1] Melber, Derek. "Understanding Windows Security Templates". 06 October 2004. Accessed on 25 March 2008. http://www.windowsecurity.com/articles/Understanding-Windows-Security-Templates.html.


3 SECURITY SETTINGS

The sections below define some of the individual security settings found in security templates. Where available, the CSEC recommended setting values [2] are provided and explained.

3.1 Password

Enforce password history

PasswordHistorySize = 24

'PasswordHistorySize' defines the number of previous passwords retained by the system. This history is compared with the user's input during password changes.

The setting '24' requires the user to select twenty-four unique passwords before they can re-use their first one. With a 'MinimumPasswordAge' of two, the user would have to cycle their password every two days to get back to their original password.

Maximum password age

MaximumPasswordAge = 42

'MaximumPasswordAge' defines the maximum number of days a user can keep the same password.

A setting of forty-two requires the user to change their password every forty-two days; combined with the 'PasswordComplexity' and 'MinimumPasswordLength' settings, this ensures the password is strong and resilient to attack.

Minimum password age

MinimumPasswordAge = 2

'MinimumPasswordAge' defines how many days a user must wait between password changes.

The setting '2' requires the user to wait two days before they can change their password again.

Minimum password length

MinimumPasswordLength = 8

'MinimumPasswordLength' defines the minimum number of characters acceptable for a password.

The setting '8' requires the user to enter a password of eight characters or more; combined with the 'PasswordComplexity' and 'MaximumPasswordAge' settings, this ensures the password is strong and resilient to attack.

[2] Communications Security Establishment Canada. "Windows Server 2003 Recommended Baseline Security (ITSG-20)". http://www.cse-cst.gc.ca/documents/publications/gov-pubs/itsg/itsg20.pdf.


Password must meet complexity requirements

PasswordComplexity = 1

'PasswordComplexity' defines the password complexity requirement; this setting helps thwart brute-force attacks.

The setting '1' requires the user to enter a strong password that meets the criteria listed below:

• Upper case characters (A-Z)

• Lower case characters (a-z)

• Base 10 digits (0-9)

• Non-alphanumeric characters (! @ # $ % ^ &)

Store password using reversible encryption

ClearTextPassword = 0

The 'ClearTextPassword' keyword determines whether the system stores passwords using reversible encryption. The setting '0' disables reversible encryption.

NOTE: Never enable this option unless operational considerations outweigh the need to protect password information.

3.2 Account Lockout

Account lockout duration

LockoutDuration = 15

'LockoutDuration' defines the length of time (in minutes) that an account is disabled after lockout; this value needs to be synchronized with 'ResetLockoutCount' so the user can log on when the 'LockoutDuration' has expired.

The setting '15' disables the user's account for 15 minutes.

Account lockout threshold

LockoutBadCount = 10

'LockoutBadCount' defines the number of failed logons allowed before the account is locked.

The setting '10' causes the user's account to be locked after 10 consecutive failed logon attempts. This setting prevents extended password-guessing attacks.


Reset account lockout counter after

ResetLockoutCount = 15

'ResetLockoutCount' defines the length of time (in minutes) before the lockout counter is reset; this value needs to be synchronized with 'LockoutDuration' so the user can log on when the 'LockoutDuration' has expired.

The setting '15' resets the lockout counter to zero after fifteen minutes.
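As an added example (not part of the working aide, and not CSEC's or Microsoft's code), the following Python script parses a security template's [System Access] section, the section in which secedit stores the password and lockout keywords described in sections 3.1 and 3.2, and reports settings that are weaker than the values above. The template text is constructed for the example; the [Unicode] and [Version] headers match what secedit writes, and the table of which direction counts as "stricter" for each keyword is the script's own assumption.

```python
"""Check a security template's [System Access] section against the CSEC
values listed in sections 3.1 and 3.2 of the working aide (added example)."""
import configparser

# Constructed sample template in secedit .inf layout. Two values deviate
# from the baseline on purpose: a 90-day maximum age and lockout disabled.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 90
MinimumPasswordAge = 2
MinimumPasswordLength = 8
PasswordComplexity = 1
ClearTextPassword = 0
LockoutDuration = 15
LockoutBadCount = 0
ResetLockoutCount = 15
"""

# Baseline values exactly as the working aide lists them.
BASELINE = {
    "PasswordHistorySize": 24,
    "MaximumPasswordAge": 42,
    "MinimumPasswordAge": 2,
    "MinimumPasswordLength": 8,
    "PasswordComplexity": 1,
    "ClearTextPassword": 0,
    "LockoutDuration": 15,
    "LockoutBadCount": 10,
    "ResetLockoutCount": 15,
}

# Assumption of this example: for these keys a larger value is at least as
# strict as the baseline; for MaximumPasswordAge a smaller value is; every
# other key must match exactly. LockoutBadCount is special-cased below.
LARGER_IS_STRICTER = {"PasswordHistorySize", "MinimumPasswordAge",
                      "MinimumPasswordLength", "LockoutDuration",
                      "ResetLockoutCount"}
SMALLER_IS_STRICTER = {"MaximumPasswordAge"}


def parse_template(text):
    """Parse secedit .inf text and return the [System Access] mapping
    (empty if the section is absent). Key case is preserved."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # configparser lower-cases keys by default
    cp.read_string(text)
    if not cp.has_section("System Access"):
        return {}
    return dict(cp["System Access"])


def find_deviations(system_access, baseline=BASELINE):
    """Return a list of (key, actual, expected, reason) tuples for settings
    that are missing from the template or weaker than the baseline."""
    findings = []
    for key, expected in baseline.items():
        if key not in system_access:
            findings.append((key, None, expected, "not set; default applies"))
            continue
        actual = int(system_access[key])
        if key == "LockoutBadCount":
            # 0 means accounts never lock out, which is the weakest setting.
            if actual == 0 or actual > expected:
                findings.append((key, actual, expected, "lockout too permissive"))
        elif key in LARGER_IS_STRICTER:
            if actual < expected:
                findings.append((key, actual, expected, "below baseline"))
        elif key in SMALLER_IS_STRICTER:
            if actual > expected:
                findings.append((key, actual, expected, "above baseline"))
        elif actual != expected:
            findings.append((key, actual, expected, "does not match baseline"))
    return findings


if __name__ == "__main__":
    for finding in find_deviations(parse_template(SAMPLE_TEMPLATE)):
        print("%-22s actual=%s expected=%s (%s)" % finding)
```

The same parser works on a template exported from a host with `secedit /export /cfg <file>`, which is the practical way to compare what a machine actually has against the recommended values rather than trusting the template that was supposedly applied.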

3.3 Kerberos Policy

Enforce user logon restrictions

TicketValidateClient = 1

'TicketValidateClient' determines whether Kerberos V5 Key Distribution Centre authentication is required.

The setting '1' requires the use of Kerberos authentication.

Maximum lifetime for service ticket

MaxServiceAge = 600

'MaxServiceAge' defines the number of minutes a service ticket is valid.

The setting '600' allows the ticket to be used for ten hours.

Maximum lifetime for user ticket

MaxTicketAge = 10

'MaxTicketAge' defines the maximum number of hours a user's ticket-granting ticket may be used.

The setting '10' indicates that the ticket-granting ticket must be replaced or renewed after ten hours.

Maximum lifetime for user ticket renewal

MaxRenewAge = 7

'MaxRenewAge' defines the number of days a ticket-granting ticket may be renewed after issuance.

The setting '7' allows a ticket-granting ticket to be renewed for seven days.

Maximum tolerance for computer clock synchronization

MaxClockSkew = 5

'MaxClockSkew' defines the maximum amount of time (in minutes) a system clock may differ from the Domain Controller clock.

The setting '5' permits a difference of no more than 5 minutes.
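The five keywords above use three different units (minutes, hours and days), so a template can be internally inconsistent while each value looks plausible on its own. This added Python check (not from the working aide) normalises a [Kerberos Policy] section to minutes and tests the ordering the section 3.3 values imply: a service ticket should not outlive the ticket-granting ticket it was obtained with, and the renewal window should be longer than the ticket-granting ticket lifetime. Those two rules, the 5-minute skew ceiling and the sample template are the example's own assumptions.

```python
"""Normalise [Kerberos Policy] lifetimes to minutes and check them for
mutual consistency (added example, not from the working aide)."""
import configparser

# Constructed sample: the section 3.3 values, except that the service
# ticket lifetime (720 min) has been set longer than the TGT lifetime (10 h).
SAMPLE = """\
[Kerberos Policy]
TicketValidateClient = 1
MaxServiceAge = 720
MaxTicketAge = 10
MaxRenewAge = 7
MaxClockSkew = 5
"""

# Unit of each keyword as section 3.3 defines it, expressed in minutes.
MINUTES_PER_UNIT = {
    "MaxServiceAge": 1,        # minutes
    "MaxTicketAge": 60,        # hours
    "MaxRenewAge": 60 * 24,    # days
    "MaxClockSkew": 1,         # minutes
}


def parse_kerberos_policy(text):
    """Return the [Kerberos Policy] section as {keyword: int}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {k: int(v) for k, v in cp["Kerberos Policy"].items()}


def to_minutes(policy):
    """Return the lifetime keywords present in the policy, all in minutes."""
    return {k: policy[k] * MINUTES_PER_UNIT[k]
            for k in MINUTES_PER_UNIT if k in policy}


def check_kerberos_policy(policy):
    """Return a list of problem descriptions (empty when consistent)."""
    missing = [k for k in MINUTES_PER_UNIT if k not in policy]
    if missing:
        return ["keywords not set: " + ", ".join(missing)]
    m = to_minutes(policy)
    problems = []
    if policy.get("TicketValidateClient") != 1:
        problems.append("TicketValidateClient should be 1 (enforce logon restrictions)")
    # Rule assumed by this example: a service ticket may not outlive the TGT.
    if m["MaxServiceAge"] > m["MaxTicketAge"]:
        problems.append("MaxServiceAge (%d min) exceeds MaxTicketAge (%d min)"
                        % (m["MaxServiceAge"], m["MaxTicketAge"]))
    # Rule assumed by this example: renewal only makes sense if the renewal
    # window is longer than a single TGT lifetime.
    if m["MaxRenewAge"] <= m["MaxTicketAge"]:
        problems.append("MaxRenewAge (%d min) does not exceed MaxTicketAge (%d min)"
                        % (m["MaxRenewAge"], m["MaxTicketAge"]))
    if m["MaxClockSkew"] > 5:
        problems.append("MaxClockSkew (%d min) is above the 5 minute baseline"
                        % m["MaxClockSkew"])
    return problems


if __name__ == "__main__":
    for problem in check_kerberos_policy(parse_kerberos_policy(SAMPLE)):
        print(problem)
```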


3.4 Audit Policy

Additional information regarding audit policy can be found in section 4.1.4 of the Annex.

Audit account logon events

AuditAccountLogon = 3

'AuditAccountLogon' defines the types of account logon events to audit; 'success' events can determine who accessed the system during an incident, and 'fail' events provide insight into password-guessing attacks.

The setting '3' audits 'success' and 'fail' events.

Audit account management

AuditAccountManage = 3

'AuditAccountManage' defines the types of account management events to audit; 'success' events can be used in investigations to monitor account changes at the time of an incident, and 'fail' attempts can determine whether users are probing the system for vulnerabilities.

The setting '3' audits 'success' and 'fail' events.

Audit directory service access

AuditDSAccess = 3

'AuditDSAccess' defines the types of directory service access events to audit; the Directory Service holds crucial information for the Domain, and knowledge of access during an incident can provide valuable information about the Active Directory objects accessed during an attack.

The setting '3' audits 'success' and 'fail' events.

Audit logon events

AuditLogonEvents = 3

'AuditLogonEvents' defines the types of logon events to audit; 'success' events can be used to determine who was accessing the system during an incident, and 'fail' logon attempts can determine whether the system is under a password-guessing attack.

The setting '3' audits 'success' and 'fail' events.

Audit object access

AuditObjectAccess = 2

'AuditObjectAccess' defines the types of object access events to audit; failed attempts can be monitored to determine whether any users are probing the system for vulnerabilities.

The setting '2' audits failed events.


Audit policy change

AuditPolicyChange = 3

'AuditPolicyChange' defines the types of policy change events to audit; 'success' events are used in investigations to determine access to the system and the policy in force at the time of the incident, and 'fail' attempts can determine whether users are probing the system for vulnerabilities.

The setting '3' audits 'success' and 'fail' events.

Audit privilege use

AuditPrivilegeUse = 3

'AuditPrivilegeUse' defines the types of privilege use events to audit; 'success' events are used to determine who was accessing the system at the time of the incident, and 'fail' attempts can determine whether users are probing the system for vulnerabilities.

The setting '3' audits 'success' and 'fail' events.

Audit process tracking

AuditProcessTracking = 0

'AuditProcessTracking' defines the process tracking events to audit. Due to the large volume of data generated when this setting is enabled, the normal setting for this value is disabled. However, during an incident the information provided is invaluable; if an attack is suspected, it is recommended that the setting be changed to '1' (enabled).

The setting '0' audits no events. The value of this information is weighed against the volume of data collected.

Audit system events

AuditSystemEvents = 3

'AuditSystemEvents' defines the system events to audit; these events reflect system shutdowns and restarts, system security events, and events that affect the security log.

The setting '3' audits 'success' and 'fail' events.
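The audit keywords above all use the same encoding (1 = success, 2 = failure, 3 = both, 0 = none). The following added Python example (not from the working aide) decodes an [Event Audit] section as a bit field and compares it with the section 3.4 baseline, reporting separately what a template audits less than recommended and what it audits more; the sample section is constructed, with logon auditing reduced to success only and process tracking switched on as the text suggests for an incident.

```python
"""Decode [Event Audit] values and compare them with the section 3.4
baseline (added example, not from the working aide)."""
import configparser

# Bit meanings as section 3.4 uses them: 1 = success, 2 = failure, 3 = both.
AUDIT_SUCCESS = 1
AUDIT_FAILURE = 2

# Baseline values from section 3.4.
BASELINE = {
    "AuditAccountLogon": 3,
    "AuditAccountManage": 3,
    "AuditDSAccess": 3,
    "AuditLogonEvents": 3,
    "AuditObjectAccess": 2,
    "AuditPolicyChange": 3,
    "AuditPrivilegeUse": 3,
    "AuditProcessTracking": 0,
    "AuditSystemEvents": 3,
}

# Constructed sample section with two deliberate differences.
SAMPLE = """\
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 3
AuditLogonEvents = 1
AuditObjectAccess = 2
AuditPolicyChange = 3
AuditPrivilegeUse = 3
AuditProcessTracking = 3
AuditSystemEvents = 3
"""


def describe(value):
    """Human-readable form of an audit value, e.g. 3 -> 'success and failure'."""
    names = []
    if value & AUDIT_SUCCESS:
        names.append("success")
    if value & AUDIT_FAILURE:
        names.append("failure")
    return " and ".join(names) if names else "no auditing"


def parse_event_audit(text):
    """Return the [Event Audit] section as {keyword: value string}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp["Event Audit"])


def compare(event_audit, baseline=BASELINE):
    """Return {keyword: (actual, missing_bits, extra_bits)} for each setting
    whose coverage differs from the baseline. Missing bits are categories
    the baseline audits but the template does not; extra bits are the
    reverse, acceptable but relevant to log volume. A keyword absent from
    the template counts as 0 (no auditing)."""
    result = {}
    for key, expected in baseline.items():
        actual = int(event_audit.get(key, 0))
        missing = expected & ~actual
        extra = actual & ~expected
        if missing or extra:
            result[key] = (actual, missing, extra)
    return result


if __name__ == "__main__":
    for key, (actual, missing, extra) in compare(parse_event_audit(SAMPLE)).items():
        print("%-22s audits %s; missing: %s; extra: %s"
              % (key, describe(actual), describe(missing), describe(extra)))
```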

3.5 User Rights Assignments

User rights assignments are designated using Windows Security Identifiers (SIDs); refer to Annex 4.2.

Access this computer from the network

senetworklogonright = *S-1-5-11,*S-1-5-32-544

'senetworklogonright' grants network protocol access to the system (SMB, NetBIOS, CIFS, HTTP and COM+). The policy grants this right to Administrators and Authenticated Users. The ability to access the system from the network provides greater exposure to attack; restricting access reduces the exposure.


Act as part of the operating system

setcbprivilege =

'setcbprivilege' grants an account the ability to act as part of the operating system. According to Microsoft, there is no reason why an account would require this privilege.

Add workstations to domain

semachineaccountprivilege =

'semachineaccountprivilege' grants the right to add workstations to a domain. This policy grants the privilege to no one; restricting this privilege helps maintain domain integrity.

Adjust memory quotas for a process

seincreasequotaprivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20

'seincreasequotaprivilege' grants the ability to adjust memory quotas for a process. This policy grants the privilege to the Administrators, LOCAL SERVICE and NETWORK SERVICE accounts; if misused, DoS attacks are possible.

Allow log on locally

seinteractivelogonright = *S-1-5-32-551,*S-1-5-32-544

'seinteractivelogonright' grants the right to log on at the local console. This right is given to Administrators and Backup Operators. Local access is restricted to accounts that have a legitimate reason for it; restricting this right reduces system exposure.

Allow log on through Terminal Services

seremoteinteractivelogonright = *S-1-5-32-544

'seremoteinteractivelogonright' grants the right to log on remotely through Terminal Services. This policy grants the right to Administrators; there is no requirement to allow users this form of access.

Backup files and directories

sebackupprivilege = *S-1-5-32-551,*S-1-5-32-544

'sebackupprivilege' grants the right to back up files and directories. The right is given to Administrators and Backup Operators; if your policy does not allow administrators to perform backups, omit the Administrators group. The allocation of this privilege must be tightly controlled.

Bypass traverse checking

sechangenotifyprivilege = *S-1-5-32-545,*S-1-5-32-551,*S-1-5-11,*S-1-5-32-544

'sechangenotifyprivilege' grants the right to bypass traverse checking in NTFS file systems and the Registry. This policy grants the right to Users, Backup Operators, Administrators and Authenticated Users.


Change the system time

sesystemtimeprivilege = *S-1-5-32-544

'sesystemtimeprivilege' grants the right to change the system time; this policy grants the right to Administrators. The system time is critical in incident investigation; without a consistent time, it is difficult to correlate events on multiple systems.

Create a pagefile

secreatepagefileprivilege = *S-1-5-32-544

'secreatepagefileprivilege' grants the right to create a page file. This policy grants the right to Administrators; restricting it to Administrators limits the exposure to trusted individuals. Too large a page file can cause poor system performance.

Create a token object

secreatetokenprivilege =

'secreatetokenprivilege' grants the right to create local security token objects; the privilege gives the ability to create or modify access tokens. This policy grants the right to no one; doing so helps prevent privilege escalation attacks and DoS conditions.

Create global objects

secreateglobalprivilege = *S-1-5-6,*S-1-5-32-544

'secreateglobalprivilege' grants the right to create objects available to all sessions; it can be used to affect other users' processes. This policy grants the right to Administrators and the SERVICE account.

Create permanent shared objects

secreatepermanentprivilege =

'secreatepermanentprivilege' grants the right to create shared objects (folders, printers); users with this privilege could expose sensitive data to the network by creating a shared object. Only members of the Administrators group can create permanent shared objects.

Debug programs

sedebugprivilege =

'sedebugprivilege' grants the right to debug any kernel process. Program debugging should never be done in a production environment; in the event that it is required, grant the right only for the time needed to perform the debugging.


Deny access to this computer from the network

sedenynetworklogonright = *S-1-5-32-546, *S-1-5-7

'sedenynetworklogonright' prevents access over a variety of network protocols; the policy applies the right to Guests and Anonymous Logon. Administrators must add the local accounts 'Guest' and 'Support_388945a0' and the built-in Administrator account.

NOTE: Where a group or user has no reason for network access to the system, access should be denied.

Deny log on as a batch job

sedenybatchlogonright = *S-1-5-32-546, *S-1-5-7

'sedenybatchlogonright' prevents logging on as a batch job; the batch facility could be used to schedule jobs that result in a DoS. This policy applies the right to Guests and Anonymous Logon; Administrators must add the local accounts 'Guest' and 'Support_388945a0'.

NOTE: Where a group or user has no reason for batch logon access to the system, access should be denied.

Deny log on as a service

sedenyservicelogonright = *S-1-5-32-546,*S-1-5-32-544, *S-1-5-7

'sedenyservicelogonright' prevents logging on as a service. This policy applies the right to Guests, Anonymous Logon and Administrators. Administrators must add the local accounts 'Guest' and 'Support_388945a0' and the built-in Administrator account.

Deny log on locally

sedenyinteractivelogonright = *S-1-5-32-546, *S-1-5-7

'sedenyinteractivelogonright' prevents local access to the system. This policy applies the right to Guests and Anonymous Logon; Administrators must add the local accounts 'Guest' and 'Support_388945a0'.

NOTE: Where a group has no reason for interactive access to the system, access should be denied.

Deny log on through Terminal Services

sedenyremoteinteractivelogonright = *S-1-5-32-546, *S-1-5-7

'sedenyremoteinteractivelogonright' prevents logon through Terminal Services. This policy applies the right to Guests and Anonymous Logon. Administrators must add the local accounts 'Guest' and 'Support_388945a0' and the built-in Administrator account.

NOTE: Where a group has no reason for Terminal Services access, access should be denied.


Enable computer and user accounts to be trusted for delegation

seenabledelegationprivilege =

'seenabledelegationprivilege' grants the right to change the 'trusted for delegation' setting on Active Directory objects; misuse of this privilege could lead to impersonation of users in a Domain. This policy grants the privilege to no one.

Force shutdown from a remote system

seremoteshutdownprivilege =

'seremoteshutdownprivilege' grants the right to shut the system down from a remote location; servers in a High Security zone require physical access to be shut down. This policy grants the right to no one.

Generate security audits

seauditprivilege = *S-1-5-19,*S-1-5-20

'seauditprivilege' grants the right to generate records in the security log; limiting the right to non-interactive accounts prevents DoS conditions caused by full logs. This policy grants the right to Network Service and Local Service.

Impersonate a client after authentication

seimpersonateprivilege = *S-1-5-19,*S-1-5-20

'seimpersonateprivilege' grants applications the right to impersonate a client after authentication; for superior security, the privilege should be limited to non-interactive accounts. This policy grants the right to Local Service and Network Service.

Increase scheduling priority

seincreasebasepriorityprivilege = *S-1-5-32-544

'seincreasebasepriorityprivilege' grants the right to increase process priority; this policy grants the privilege to Administrators.

Load and unload device drivers

seloaddriverprivilege = *S-1-5-32-544

'seloaddriverprivilege' grants the right to load and unload device drivers. Driver code runs with elevated privileges; restricting the privilege to Administrators reduces system exposure. This policy grants the privilege to Administrators.

Lock pages in memory

selockmemoryprivilege =

'selockmemoryprivilege' grants the right to keep data in physical memory. Abuse of this privilege can result in starved memory resources and a DoS situation; restricting it reduces exposure to this threat. This policy grants the privilege to no one.


Log on as a batch job

sebatchlogonright =

'sebatchlogonright' grants the right to submit batch jobs (log on as a batch job). The Task Scheduler could be used to invoke a DoS condition; limiting this right reduces the threat. This policy grants the right to no one.

Log on as a service

seservicelogonright = *S-1-5-20,*S-1-5-19

'seservicelogonright' grants the right to log on as a service. This policy grants the right to Local Service and Network Service; interactive accounts are purposely excluded.

Manage auditing and security log

sesecurityprivilege = *S-1-5-32-544

'sesecurityprivilege' grants the right to specify object access auditing options; this policy grants the right to Administrators. Administrators alone can determine the appropriate auditing level, thereby ensuring that users of the system cannot reduce auditing and eliminate traces of their activity.

Modify firmware environment values

sesystemenvironmentprivilege = *S-1-5-32-544

'sesystemenvironmentprivilege' grants the right to modify firmware environment values. The ability to change system configuration must be strictly controlled; this policy grants the right to Administrators only.

Perform volume maintenance tasks

semanagevolumeprivilege = *S-1-5-32-544

'semanagevolumeprivilege' grants the right to manage volumes or disks. The administrative function of volume and disk management can damage data on a disk; restricting this privilege reduces the threat. This policy grants the right to Administrators only.

Profile single process

seprofilesingleprocessprivilege = *S-1-5-32-544

'seprofilesingleprocessprivilege' grants the right to monitor the performance of a non-system process. The ability to profile a process can provide information to be used as the basis of an attack; limiting the privilege to Administrators reduces this threat. This policy grants the right to Administrators.

Profile system performance

sesystemprofileprivilege = *S-1-5-32-544

'sesystemprofileprivilege' grants the right to monitor the performance of a system process. Profiling a system gathers information useful for an attack; limiting the privilege to Administrators reduces this threat. This policy grants the right to Administrators only.


Remove computer from docking station

seundockprivilege = *S-1-5-32-544

'seundockprivilege' grants the right to undock the server. As a preventive measure, this privilege should be restricted; this policy grants it to Administrators only.

Replace a process level token

seassignprimarytokenprivilege = *S-1-5-19,*S-1-5-20

'seassignprimarytokenprivilege' grants the right to replace the process security token of a child process; this can be used to launch processes as another user, providing the ability to hide inappropriate activity on a system. This right is granted to Local Service and Network Service.

Restore files and directories

serestoreprivilege = *S-1-5-32-544

'serestoreprivilege' grants the right to bypass permissions when restoring objects. Due to the nature of the restore process, the right should be restricted to accounts that are required to use it. This policy grants the privilege to Administrators only.

Shut down the system

seshutdownprivilege = *S-1-5-32-544

'seshutdownprivilege' grants the right to shut down the system locally. Restricting this privilege reduces the threat of inadvertent or malicious shutdowns; this policy grants the right to Administrators only.

Synchronize directory service data

sesyncagentprivilege =

'sesyncagentprivilege' grants the right to read all objects and properties in the Directory; information gained from Active Directory can be used to form an attack against the system. This policy grants the right to no one.

Take ownership of files or other objects

setakeownershipprivilege = *S-1-5-32-544

'setakeownershipprivilege' grants the right to take ownership of any securable object in the system. Changes of ownership are recorded in the logs; in addition, this policy grants the privilege to Administrators only.
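In a template's [Privilege Rights] section each right is a comma-separated list of principals, with a leading '*' marking a SID literal. This added Python example (not from the working aide) resolves the well-known SIDs used in section 3.5 to names, reports rights granted beyond what the section grants, and flags principals that appear in both an allow right and its sedeny* counterpart, where the deny takes precedence. The baseline table covers only a subset of the rights above, and the sample template is constructed with three deliberate deviations (debug granted to Administrators, Terminal Services logon granted to Users, service logon granted to Administrators while they are also denied it).

```python
"""Translate and audit a [Privilege Rights] section against the section 3.5
grants (added example, not from the working aide)."""
import configparser

# Well-known SIDs that appear in section 3.5 (Annex 4.2 of the aide lists more).
WELL_KNOWN_SIDS = {
    "S-1-5-6": "SERVICE",
    "S-1-5-7": "ANONYMOUS LOGON",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
    "S-1-5-32-551": "Backup Operators",
}

# Subset of the section 3.5 grants, exactly as the aide lists them.
BASELINE = {
    "senetworklogonright": {"S-1-5-11", "S-1-5-32-544"},
    "setcbprivilege": set(),
    "sedebugprivilege": set(),
    "seinteractivelogonright": {"S-1-5-32-551", "S-1-5-32-544"},
    "seremoteinteractivelogonright": {"S-1-5-32-544"},
    "sebackupprivilege": {"S-1-5-32-551", "S-1-5-32-544"},
    "seservicelogonright": {"S-1-5-20", "S-1-5-19"},
}

# Constructed sample section with three deliberate deviations.
SAMPLE = """\
[Privilege Rights]
senetworklogonright = *S-1-5-11,*S-1-5-32-544
setcbprivilege =
sedebugprivilege = *S-1-5-32-544
seinteractivelogonright = *S-1-5-32-551,*S-1-5-32-544
seremoteinteractivelogonright = *S-1-5-32-544,*S-1-5-32-545
sebackupprivilege = *S-1-5-32-551,*S-1-5-32-544
seservicelogonright = *S-1-5-20,*S-1-5-19,*S-1-5-32-544
sedenyservicelogonright = *S-1-5-32-546,*S-1-5-32-544, *S-1-5-7
"""


def parse_privilege_rights(text):
    """Return {right: set of principals}. A leading '*' marks a SID literal
    and is stripped; anything else is kept as an account name."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    rights = {}
    for right, value in cp["Privilege Rights"].items():
        entries = [e.strip() for e in (value or "").split(",") if e.strip()]
        rights[right] = {e[1:] if e.startswith("*") else e for e in entries}
    return rights


def sid_name(sid):
    """Well-known SID to name; unknown SIDs are returned unchanged."""
    return WELL_KNOWN_SIDS.get(sid, sid)


def excess_grants(rights, baseline=BASELINE):
    """Return {right: sorted names} for principals holding a right that the
    baseline does not grant them."""
    excess = {}
    for right, allowed in baseline.items():
        extra = rights.get(right, set()) - allowed
        if extra:
            excess[right] = sorted(sid_name(s) for s in extra)
    return excess


def deny_overrides(rights):
    """Return {allow_right: sorted names} for principals that hold a right
    and are also listed in the matching sedeny* right. The deny wins, so the
    allow entry is dead configuration that misleads a reviewer."""
    clashes = {}
    for right, principals in rights.items():
        if right.startswith("sedeny"):
            continue
        denied = rights.get("sedeny" + right[2:], set())
        both = principals & denied
        if both:
            clashes[right] = sorted(sid_name(s) for s in both)
    return clashes


if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE)
    print("granted beyond baseline:", excess_grants(rights))
    print("allow overridden by deny:", deny_overrides(rights))
```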

3.6 Security Options

Security Options includes values for all entries in the Security Options section of the policy GUI, incorporating entries in the Security Options section of the Domain Policy as well as the Member Server Baseline. Note that all values are explicitly defined; this ensures that security is not dependent on default values.


Accounts: Administrator account status

EnableAdminAccount = 0

'EnableAdminAccount' determines whether the local Administrator account is enabled. The setting '0' disables the local Administrator account; this prevents widespread use and removes it as a target for attack.

Accounts: Guest account status

EnableGuestAccount = 0

'EnableGuestAccount' determines whether the local Guest account is enabled. The setting '0' disables the local Guest account; this prevents widespread use and removes it as a target for attack.

Accounts: Limit local account use of blank passwords to console logon

machine\system\currentcontrolset\control\lsa\limitblankpassworduse=4, 1

The 'limitblankpassworduse' registry value determines whether local accounts with blank passwords can be used to log on remotely. The setting '1' prevents accounts with blank passwords from logging on remotely; this ensures remote access requires an account name and password.

Accounts: Rename administrator account

NewAdministratorName = "johnsmith"

The 'NewAdministratorName' keyword sets the local Administrator account name; renaming the local Administrator account makes it more difficult for an attacker to misuse it. The setting 'johnsmith' renames the local Administrator account to johnsmith.

NOTE: This keyword should be omitted if a policy to rename the Administrator account on each system is enforced. If not, then at a minimum change it from 'johnsmith' to a local value.

Accounts: Rename guest account

NewGuestName = "janesmith"

The 'NewGuestName' keyword sets the local Guest account name; renaming the account makes it more difficult for an attacker to misuse it. The setting 'janesmith' renames the local Guest account to janesmith.

NOTE: This keyword should be omitted if a policy to rename the Guest account on each system is enforced. If not, then at a minimum change it from 'janesmith' to a local value.

Audit: Audit the access of global system objects

machine\system\currentcontrolset\control\lsa\auditbaseobjects=4, 0

The 'auditbaseobjects' registry value determines whether access to global system objects is audited; the setting '0' disables auditing of access to global objects.


Audit: Audit the use of Backup and Restore privilege

machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3, 0

The 'fullprivilegeauditing' registry value determines whether the system audits the use of the Backup and Restore privilege; the setting '0' disables auditing of the Backup and Restore privilege.

Audit: Shut down system immediately if unable to log security audits

machine\system\currentcontrolset\control\lsa\crashonauditfail=4, 1

The 'crashonauditfail' registry value determines system behaviour when it fails to log security events; the setting '1' shuts the system down when it cannot log. The Canadian Federal government requires that comprehensive log data be carefully maintained; therefore, if the log files are full, the system must not process further transactions.

Devices: Allow undock without having to log on

machine\software\microsoft\windows\currentversion\policies\system\undockwithoutlogon=4, 0

The 'undockwithoutlogon' registry value determines whether a portable computer can be undocked without logging on; the setting '0' disallows undocking the computer without logging on.

Devices: Allowed to format and eject removable media

machine\software\microsoft\windowsnt\currentversion\winlogon\allocatedasd=1,"0"

The 'allocatedasd' registry value determines who can format and eject removable media; because removable media can carry large quantities of data (e.g. entire databases), this ability should be restricted to trusted individuals. The setting '0' permits Administrators to format and eject removable media.

Devices: Prevent users from installing printer drivers

services\servers\addprinterdrivers=4, 1

The 'addprinterdrivers' registry value determines whether users can add printer drivers. The setting '1' prevents users from adding printer drivers; this helps prevent users from running malicious code in a privileged state.

Devices: Restrict CD-ROM access to locally logged-on user only

machine\software\microsoft\windowsnt\currentversion\winlogon\allocatecdroms=1,"1"

The 'allocatecdroms' registry value determines whether the CD-ROM is equally accessible to local and remote users. The setting '1' restricts remote access to the CD-ROM while it is in use by a local user.

NOTE: The setting allows remote authorized users to access the CD-ROM if no one is logged on locally.

Devices: Restrict floppy access to locally logged-on user only

machine\software\microsoft\windowsnt\currentversion\winlogon\allocatefloppies=1,"1"

The 'allocatefloppies' registry value determines if the floppy drive is simultaneously accessible to local and remote users; the setting '1' restricts remote access while the drive is in use by a local user.

NOTE: This setting allows remote access to the floppy drive if no one is logged on as a local user.

Devices: Unsigned driver installation behavior

machine\software\microsoft\driversigning\policy=3, 1

The 'policy' registry value defines the unsigned driver installation behaviour; if this option is enforced, only drivers approved by the Windows Hardware Quality Lab (WHQL) are eligible. The decision to install drivers not found within WHQL is left to the Administrator. The setting '1' warns the user before the driver is installed.

Domain controller: Allow server operators to schedule tasks

machine\system\currentcontrolset\control\lsa\submitcontrol=4, 0

The 'submitcontrol' registry value determines if server operators can schedule tasks; a DoS condition may be invoked if too many simultaneous tasks are executed. The setting '0' prevents server operators from scheduling tasks.

Domain controller: LDAP server signing requirements

machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity=4, 2

The 'ldapserverintegrity' registry value determines if the LDAP server requires a signature to negotiate with LDAP clients; unsigned data is susceptible to man-in-the-middle attacks, and this setting helps prevent session hijack. The setting '2' requires a client signature.

Domain controller: Refuse machine account password changes

machine\system\currentcontrolset\services\netlogon\parameters\refusepasswordchange=4, 0

The 'refusepasswordchange' registry setting determines if domain controllers accept changes to computer account passwords; regularly changed passwords reduce the threat of effective brute-force attacks. The setting '0' allows changing of computer account passwords.

Domain member: Digitally encrypt or sign secure channel data (always)

machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4, 1

The 'requiresignorseal' registry value determines if the domain member always encrypts or signs secure channel data. The setting '1' always encrypts or signs secure channel data; this value prevents legacy systems (pre-Windows 2000) from joining a Domain.

Domain member: Digitally encrypt secure channel data (when possible)

machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4, 1

The 'sealsecurechannel' registry value determines if a domain member requests encryption of all secure channel data; encrypting secure channel data prevents sensitive information being sent in the clear, thereby limiting an attacker's ability to gather information for an attack. The setting '1' requests encryption of all secure channel data.

Domain member: Digitally sign secure channel data (when possible)

machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4, 1

The 'signsecurechannel' registry value determines if a system will sign secure channel data when possible; unsigned data is susceptible to man-in-the-middle attack. By enabling this setting, the client is protected from session hijack. The setting '1' enables the signing of secure channel data when possible.

Domain member: Disable machine account password changes

machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4, 0

The 'disablepasswordchange' registry value determines if a domain controller will accept machine account password changes; if the password change were disallowed, the systems could not change their computer passwords, leaving them susceptible to password-guessing attacks. The setting '0' allows machine account password changes.

Domain member: Maximum machine account password age

machine\system\currentcontrolset\services\netlogon\parameters\maximumpasswordage=4, 42

The 'maximumpasswordage' registry value determines the maximum number of days between password changes. The setting '42' requires the password to be changed at least every forty-two days; this ensures the password is changed often enough to thwart password-guessing attacks.

Domain member: Require strong (Windows 2000 or later) session key

machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4, 1

The 'requirestrongkey' registry value determines if a domain member establishes secure channel communications requiring 128-bit encryption; if disabled, the client must negotiate key strength with the Domain Controller. The setting '1' requires 128-bit encryption of the secure channel; this setting ensures the highest level of protection for secure channel data.

Interactive logon: Do not display last user name

machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4, 1

The 'dontdisplaylastusername' registry value determines if the logon screen displays the name of the last user who logged on. The setting '1' does not display the last username; this withholds information that would otherwise assist an attacker.

Interactive logon: Do not require CTRL+ALT+DEL

machine\software\microsoft\windows\currentversion\policies\system\disablecad=4, 0

The 'disablecad' registry value determines if CTRL+ALT+DEL is required before a user logon. The setting '0' requires CTRL+ALT+DEL to initiate logon; this provides a trusted, hardware-initiated logon sequence, which assists in thwarting Trojan Horse routines.

Interactive logon: Message text for users attempting to logon

machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=7, TEXT FOR USER LOGON MUST BE SUPPLIED

The 'legalnoticetext' registry value is presented to the user prior to entry of username and password; this may help an organization in the event of legal proceedings. The value shown is the text presented.

Interactive logon: Message title for users attempting to logon

machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1,"TEXT FOR USER LOGON MUST BE SUPPLIED"

The 'legalnoticecaption' registry value is presented to the user as the title of the window that contains the 'legalnoticetext' text; this may help an organization in the event of legal proceedings. The value shown is the text presented.

Interactive logon: Number of previous logons to cache (in case domain controller is not available)

machine\software\microsoft\windowsnt\currentversion\winlogon\cachedlogonscount=1,"0"

The 'cachedlogonscount' registry value determines the number of unique users whose logon information is cached locally. The setting '0' does not cache logon information locally; this ensures the user establishes a current security token with the Domain Controller, thereby preventing disabled users from gaining access via cached logon credentials.

Interactive logon: Prompt user to change password before expiration

machine\software\microsoft\windowsnt\currentversion\winlogon\passwordexpirywarning=4,14

The 'passwordexpirywarning' registry value determines how many days in advance the user is notified of password expiration. This setting warns the user 14 days before password expiry; the user will continue to be reminded until the password expiry date.

Interactive logon: Require Domain Controller authentication to unlock workstation

machine\software\microsoft\windowsnt\currentversion\winlogon\forceunlocklogon=4, 1

The 'forceunlocklogon' registry value determines if a domain controller must be contacted to unlock a computer. The setting '1' requires contact with a domain controller; this ensures the user establishes a current security token with the Domain Controller and also denies disabled users access via cached logon credentials.

Interactive logon: Require smart card

machine\software\microsoft\windows\currentversion\policies\system\scforceoption=4, 0

The 'scforceoption' registry value determines if a smart card is required to log on. The setting '0' does not require a smart card to log on. The majority of servers will not require two-factor authentication; if this capability is a requirement, it should be enabled during the application of a role-specific policy.

Interactive logon: Smart card removal behaviour

machine\software\microsoft\windowsnt\currentversion\winlogon\scremoveoption=1,"1"

The 'scremoveoption' registry value determines system behaviour when a smart card is removed. The setting '1' locks the workstation when the card is removed; this ensures accountability for transactions that require smart card authentication.

Microsoft network client: Digitally sign communications (always)

machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4, 1

The 'requiresecuritysignature' registry value determines if the SMB client requires packet signing. The setting '1' requires packet signing; this setting provides for mutual authentication and may prevent man-in-the-middle attacks, thereby eliminating session hijacking. Legacy systems cannot support this requirement.

Microsoft network client: Digitally sign communications (if server agrees)

machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4, 1

The 'enablesecuritysignature' registry value determines if an SMB client attempts to negotiate SMB packet signing (if the server agrees). The setting '1' causes the client to negotiate SMB signing; this setting provides for mutual authentication and may prevent man-in-the-middle attacks, thereby eliminating session hijacking. Legacy systems (i.e. pre-Windows 2000) cannot support this requirement.

Microsoft network client: Send unencrypted password to third-party SMB servers

machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4, 0

The 'enableplaintextpassword' registry value determines if an SMB client sends plain text passwords to non-Microsoft SMB servers. The setting '0' disables the use of clear-text passwords. The use of non-Microsoft SMB servers that do not accept encrypted passwords is disallowed in a High Security environment; password security must always be enforced.

Microsoft network server: Amount of idle time required before suspending session

machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4, 15

The 'autodisconnect' registry setting defines the amount of idle time in minutes before an SMB session is suspended; the setting '15' suspends the SMB session after fifteen minutes of idle time. An idle session consumes system resources; attackers could set up sessions that consume resources to invoke a DoS condition. Beyond the security ramifications, idle sessions can cause SMB services to become slow or unresponsive.

Microsoft network server: Digitally sign communications (always)

machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4, 1

The 'requiresecuritysignature' registry value determines if the server will always sign SMB communications. The setting '1' always digitally signs SMB communications; this setting provides mutual authentication for all communication. Mutual authentication may prevent man-in-the-middle attacks, thereby eliminating session hijacking. Legacy systems cannot support this requirement.

Microsoft network server: Digitally sign communications (if client agrees)

machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4, 1

The 'enablesecuritysignature' registry value determines if the server signs SMB communications when the client agrees. The setting '1' signs SMB communications; this setting provides mutual authentication for all communication. Mutual authentication may prevent man-in-the-middle attacks and eliminate the possibility of session hijacking. Legacy (i.e. pre-Windows 2000) systems cannot support this requirement.

Microsoft network server: Disconnect clients when logon hours expire

machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4, 1

The 'enableforcedlogoff' registry value determines if a network-connected user is disconnected outside of their hours of operation. The setting '1' disconnects the user when logged on outside of their hours of operation.

Network access: Allow anonymous SID/Name translation

LSAAnonymousNameLookup = 0

The 'LSAAnonymousNameLookup' keyword determines if the system allows anonymous SID/name translation; if enabled, a user could use a well-known account SID to obtain the username of the account, which could facilitate a password-guessing attack. The setting '0' disallows anonymous SID/name translation.

Network access: Do not allow anonymous enumeration of SAM accounts

machine\system\currentcontrolset\control\lsa\restrictanonymoussam=4, 1

The 'restrictanonymoussam' registry value determines if anonymous enumeration of SAM accounts is permitted. Successful enumeration maps account names to a corresponding SID; when the SID is known, local Guest and Administrator accounts are exposed and rendered vulnerable to password-guessing attacks. The setting '1' disallows anonymous enumeration of SAM accounts.

Network access: Do not allow anonymous enumeration of SAM accounts and shares

machine\system\currentcontrolset\control\lsa\restrictanonymous=4, 1

The 'restrictanonymous' registry value determines if anonymous enumeration of SAM accounts and shares is permitted. Successful enumeration maps account names to a corresponding SID; when the SID is known, local Guest and Administrator accounts are exposed and rendered vulnerable to password-guessing attacks. The setting '1' disallows anonymous enumeration of SAM accounts and shares.

Network access: Do not allow storage of credentials or .NET Passports for network authentication

machine\system\currentcontrolset\control\lsa\disabledomaincreds=4, 1

The 'disabledomaincreds' registry value determines if passwords, credentials or Microsoft .NET Passports are saved after initial domain authentication. The setting '1' disallows saving them.

Network access: Let Everyone permissions apply to anonymous users

machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous=4, 0

The 'everyoneincludesanonymous' value determines what additional permissions are granted to anonymous connections to a computer. The setting '0' grants no additional permissions to anonymous users; this ensures unauthenticated users do not inherit the rights of the 'Everyone' group.

Network access: Named Pipes that can be accessed anonymously

machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionpipes=7,

The 'nullsessionpipes' value defines which named pipes may be accessed anonymously. The empty setting disallows anonymous access to named pipes; this ensures all system access is authorized.

Network access: Remotely accessible registry paths

machine\system\currentcontrolset\control\securepipeservers\winreg\allowedexactpaths\machine=7,

The 'allowedexactpaths\machine' registry value defines which registry paths can be accessed over the network. As there is normally no requirement for remotely accessible registry information, the setting is left empty.

Network access: Remotely accessible registry paths and sub-paths

machine\system\currentcontrolset\control\securepipeservers\winreg\allowedpaths\machine=7,

The 'allowedpaths\machine' registry value defines registry paths and sub-paths that can be accessed over the network. This Baseline configuration has no requirement for remotely accessible registry information.

Network access: Restrict anonymous access to Named Pipes and Shares

machine\system\currentcontrolset\services\lanmanserver\parameters\restrictnullsessaccess=4,1

The 'restrictnullsessaccess' registry value determines if anonymous access is allowed to named pipes and shares. The setting '1' disallows anonymous access to named pipes and shares. Access to resources is predicated on authorization for that resource; if anonymous access were granted, there would be no ability to identify who is accessing the objects.

Network access: Shares that can be accessed anonymously

machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares=7,

The 'nullsessionshares' registry value defines which shares can be accessed anonymously over the network. The empty setting disallows anonymous access to any share; all system access should be authorized, and anonymous access prevents accurate authorization of shares.

Network access: Sharing and security model for local accounts

machine\system\currentcontrolset\control\lsa\forceguest=4, 0

The 'forceguest' registry value determines the sharing and security model for local accounts. The setting '0' requires user authentication to access resources; this allows individual access to be audited.

Network security: Do not store LAN Manager hash value on next password change

machine\system\currentcontrolset\control\lsa\nolmhash=4, 1

The 'nolmhash' registry value determines if the LAN Manager hash value is stored on the next password change. The setting '1' does not save the LAN Manager hash value; this prevents local storage of the password in a form that would be vulnerable to attack.

NOTE: Once enabled on an operational system, all passwords must be changed for the setting to take effect.

Network Security: Force logoff when logon hours expire

ForceLogoffWhenHourExpire = 1

The 'ForceLogoffWhenHourExpire' keyword determines if locally logged-on users are disconnected when working outside of defined hours; the setting '1' disconnects the user outside of defined hours. Hours are defined within the "Active Directory Users and Computers", "Computer Management" and "Local Users and Groups" interfaces.

Network security: LAN Manager authentication level

machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4, 5

The 'lmcompatibilitylevel' value determines the level of LAN Manager authentication. The setting '5' sends NTLMv2 responses only and refuses LM and NTLM; this setting ensures only the most secure authentication mechanism is permitted.

Network security: LDAP client signing requirements

machine\system\currentcontrolset\services\ldap\ldapclientintegrity=4, 1

The 'ldapclientintegrity' value determines if the LDAP client negotiates signing to communicate with LDAP servers. The setting '2' requires signing negotiation; this reduces the threat of man-in-the-middle attacks.

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminclientsec=4, 537395248

The 'ntlmminclientsec' value defines the minimum session security for NTLM SSP based (including secure RPC) clients. The setting '537395248' enables all options as recommended by Microsoft; this requires that message integrity, confidentiality, NTLMv2 session security and 128-bit encryption be used for logon.

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminserversec=4, 537395248

The 'ntlmminserversec' registry value defines the minimum session security for NTLM SSP based (including secure RPC) servers. The setting '537395248' enables all options, as recommended; this requires that message integrity, confidentiality, NTLMv2 session security and 128-bit encryption be used for logon.
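The value 537395248 in the two entries above is a bitmask, not a single option. The following Python is an added example, not part of the working aide: it decodes a ntlmminclientsec or ntlmminserversec DWORD into the four requirements the text names and reports which of them a weaker value on a host is missing. The bit assignments it uses (0x10 integrity, 0x20 confidentiality, 0x80000 NTLMv2 session security, 0x20000000 128-bit encryption) are the standard NTLMSSP negotiate flags and are an assumption of the example; the page only states the decimal total.

```python
# Added example (not from the working aide): decode the ntlmminclientsec /
# ntlmminserversec REG_DWORD into the individual NTLMSSP requirements it
# encodes, and report which requirements a weaker value lacks.
# Assumption: the bit values below are the standard NTLMSSP negotiate flags;
# the page itself gives only the decimal total 537395248 (0x20080030).

NTLM_MIN_SEC_FLAGS = (
    # (bit, short name, meaning)
    (0x00000010, "integrity", "require message integrity (NTLMSSP_NEGOTIATE_SIGN)"),
    (0x00000020, "confidentiality", "require message confidentiality (NTLMSSP_NEGOTIATE_SEAL)"),
    (0x00080000, "ntlmv2", "require NTLMv2 session security"),
    (0x20000000, "128bit", "require 128-bit encryption"),
)

BASELINE_NTLM_MIN_SEC = 537395248  # value used by the working aide


def decode_ntlm_min_sec(value: int) -> dict:
    """Split a ntlmmin*sec DWORD into the named requirements it sets.

    Returns {"set": [short names], "unknown_bits": int}; unknown_bits is
    non-zero when the value carries bits outside the documented set.
    """
    known = 0
    names = []
    for bit, short, _ in NTLM_MIN_SEC_FLAGS:
        known |= bit
        if value & bit:
            names.append(short)
    return {"set": names, "unknown_bits": value & ~known}


def missing_requirements(value: int, baseline: int = BASELINE_NTLM_MIN_SEC) -> list:
    """Requirements present in the baseline but absent from `value`."""
    return [short for bit, short, _ in NTLM_MIN_SEC_FLAGS
            if (baseline & bit) and not (value & bit)]


def describe(value: int) -> str:
    """Human-readable checklist of the value, e.g. for an audit report."""
    decoded = decode_ntlm_min_sec(value)
    lines = [f"0x{value:08x} ({value}):"]
    for bit, short, meaning in NTLM_MIN_SEC_FLAGS:
        mark = "x" if short in decoded["set"] else " "
        lines.append(f"  [{mark}] 0x{bit:08x} {meaning}")
    if decoded["unknown_bits"]:
        lines.append(f"  [?] 0x{decoded['unknown_bits']:08x} undocumented bits")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(BASELINE_NTLM_MIN_SEC))
    # Constructed weaker value: NTLMv2 and 128-bit only, no integrity/confidentiality.
    weaker = 0x20080000
    print("missing vs baseline:", missing_requirements(weaker))
```

Running the block prints the checklist for the baseline value with all four boxes ticked, and shows that the constructed value 0x20080000 lacks the integrity and confidentiality requirements; a value with bits outside the four documented ones is reported rather than silently accepted.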

Recovery console: Allow automatic administrative logon

machine\software\microsoft\windowsnt\currentversion\setup\recoveryconsole\securitylevel=4,0

The 'securitylevel' value determines if the recovery console requires an Administrator password to log on. The setting '0' requires an Administrator's password; enabling automatic logon, which would allow anyone to shut down a server, is not recommended.

Recovery console: Allow floppy copy and access to all drives and all folders

machine\software\microsoft\windowsnt\currentversion\setup\recoveryconsole\setcommand=4,0

The 'setcommand' registry value determines if the Recovery Console 'SET' command is available; the setting '4' disables the 'SET' command (e.g. copying to removable media is disabled).

Shutdown: Allow system to be shut down without having to log on

machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4, 0

The 'shutdownwithoutlogon' registry value determines if the system can be shut down without a user being logged on. The setting '0' requires the user to log on; this ensures only authorized users may shut down the system.

Shutdown: Clear virtual memory page file

machine\system\currentcontrolset\control\sessionmanager\memory\management\clearpagefileatshutdown=4, 1

The 'clearpagefileatshutdown' value determines if page file contents are overwritten on a clean shutdown; sensitive system and user information may be contained in the page file, and by ensuring it is cleared the risk of that information becoming available to an attacker is reduced. The setting '1' clears the page file on a normal shutdown.

System cryptography: Force strong key protection for user keys stored on the computer

machine\software\policies\microsoft\cryptography\forcekeyprotection=4, 2

The 'forcekeyprotection' value determines if user keys (e.g. S/MIME) require a password each time they are used. The setting '2' requires entry of a password each time a private key is used; this ensures that a session requiring key material is used with the owner's knowledge.

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

machine\system\currentcontrolset\control\lsa\fipsalgorithmpolicy=4, 1

The 'fipsalgorithmpolicy' value determines if the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. The setting '1' requires the use of the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. The Canadian Federal Government requires this setting for all servers to remain compliant with cryptographic policies.

System objects: Default owner for objects created by members of the Administrators group

machine\system\currentcontrolset\control\lsa\nodefaultadminowner=4, 1

The 'nodefaultadminowner' value determines if objects created by members of the Administrators group are owned by the group or by the object creator. The setting '1' makes objects owned by the creator; this ensures the actions of an individual administrator can be isolated and audited.

System objects: Require case insensitivity for non-Windows subsystems

machine\system\currentcontrolset\control\sessionmanager\kernel\obcaseinsensitive=4, 1

The 'obcaseinsensitive' value determines if case insensitivity is required for non-Windows subsystems. The setting '1' requires case insensitivity for non-Windows subsystems; this removes the ability of non-Windows subsystems to create files that are inaccessible to the Windows system, and also removes the ability to block access to other files with the same name in upper case.

System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)

machine\system\currentcontrolset\control\sessionmanager\protectionmode=4, 1

The 'protectionmode' registry setting determines if permissions on internal system objects (e.g. symbolic links) are strengthened. The setting '1' strengthens protection on internal system objects; it allows non-administrators to view shared objects they did not create, but not to modify them.

System settings: Optional subsystems

machine\system\currentcontrolset\control\sessionmanager\subsystems\optional=7,

The 'optional' value defines which subsystems are used to support applications. The empty setting disallows any optional subsystems. The use of subsystems should be justified by operational requirements; unless required, no subsystem should be enabled.

Use Certificate Rules on Windows Executables for Software Restriction Policies

machine\software\policies\microsoft\windows\safer\codeidentifiers\authenticodeenabled=4, 0

The 'authenticodeenabled' value determines whether certificate rules are used on Windows executables for software restriction policies. The setting '0' does not use certificate rules on Windows executables for software restriction policies.
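Every entry in this section uses the [Registry Values] notation of a security template (.inf): the number after '=' is the registry data type (1 REG_SZ, 3 REG_BINARY, 4 REG_DWORD, 7 REG_MULTI_SZ) and what follows the comma is the value, quoted for REG_SZ and comma-separated (or empty, as in the bare '7,' entries) for REG_MULTI_SZ. The following Python is an added example, not part of the working aide: it parses such lines, builds a baseline from entries taken from this section, and reports where a second set of lines, standing in for what a host actually has, deviates from it. The 'observed' lines are constructed for the example and follow the page's own path spelling (e.g. 'windowsnt'); the type-code names are standard Windows registry types and are not stated on the page.

```python
# Added example (not from the working aide): parse [Registry Values] lines in
# the "path=type,value" notation used throughout this section and report
# where an observed template deviates from the baseline.
# The OBSERVED_LINES below are constructed for the example.
from typing import Any

# Registry type codes as written in .inf templates (standard Windows values,
# not listed on the page).
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}


def parse_registry_value(line: str) -> tuple:
    """Parse one 'path=type,value' line into (path, type_code, typed value).

    REG_DWORD/REG_BINARY become int, REG_SZ loses its quotes, and REG_MULTI_SZ
    becomes a list (an empty list for the bare '7,' used to clear a value).
    """
    path, sep, rest = line.strip().partition("=")
    if not sep:
        raise ValueError(f"no '=' in template line: {line!r}")
    type_str, _, raw = rest.partition(",")
    reg_type = int(type_str.strip())
    raw = raw.strip()
    if reg_type in (3, 4):
        value: Any = int(raw) if raw else 0
    elif reg_type in (1, 2):
        value = raw.strip('"')
    elif reg_type == 7:
        value = [item.strip().strip('"') for item in raw.split(",") if item.strip()]
    else:
        raise ValueError(f"unknown registry type code {reg_type} in {line!r}")
    # Registry paths are case-insensitive; normalise so comparisons match.
    return path.strip().lower(), reg_type, value


def load_template(lines) -> dict:
    """Map lowercase path -> (type_code, value), skipping blanks and ';' comments."""
    result = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        path, reg_type, value = parse_registry_value(line)
        result[path] = (reg_type, value)
    return result


def audit(baseline: dict, observed: dict) -> list:
    """Return (path, expected, actual) for every baseline entry the observed
    template does not satisfy; a path missing from observed reports None."""
    findings = []
    for path, (_, expected) in sorted(baseline.items()):
        actual = observed.get(path, (None, None))[1]
        if actual != expected:
            findings.append((path, expected, actual))
    return findings


# Baseline lines taken from this section of the working aide.
BASELINE_LINES = [
    r"machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4, 5",
    r"machine\system\currentcontrolset\control\lsa\nolmhash=4, 1",
    r"machine\system\currentcontrolset\control\lsa\restrictanonymous=4, 1",
    r'machine\software\microsoft\windowsnt\currentversion\winlogon\cachedlogonscount=1,"0"',
    r"machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionpipes=7,",
]

# Constructed "as found" lines for a host that has drifted from the baseline:
# weaker LM level, ten cached logons, two anonymous pipes, restrictanonymous absent.
OBSERVED_LINES = [
    r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3",
    r"MACHINE\System\CurrentControlSet\Control\Lsa\NoLmHash=4,1",
    r'MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"',
    r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,COMNAP,COMNODE",
]


def audit_example() -> list:
    """Run the audit of OBSERVED_LINES against BASELINE_LINES."""
    return audit(load_template(BASELINE_LINES), load_template(OBSERVED_LINES))


if __name__ == "__main__":
    for path, expected, actual in audit_example():
        print(f"{path}: expected {expected!r}, found {actual!r}")
```

Paths are compared case-insensitively, as the registry itself treats them, and an entry the baseline sets but the observed template lacks is reported with None rather than passing silently; for this constructed input four of the five baseline entries are flagged and only nolmhash matches.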

3.7 Event Log Size

Microsoft guidance indicates that the total size of all event logs should not exceed 300 MB. If this value is exceeded, the system may not log, or may not record the failure. While the interface may allow values up to 4 GB, there is a risk of losing log entries for values beyond 300 MB. The following policy utilizes the full available space, allocated between the event logs.

Maximum application log size

MaximumLogSize = 76800 (in [Application Log] section)

The 'MaximumLogSize' keyword determines the size of the Application event log; the setting '76800' creates a 76800 KB log file. With an average of 500 bytes per event, this log file will accommodate over 153,000 events and will allow the system to run for an extended period of time without having to roll the log file.

NOTE: Due to the wide variety of event loads, monitoring the log files during the initial operational period is recommended.

Maximum security log size

MaximumLogSize = 153600 (in [Security Log] section)

The 'MaximumLogSize' keyword determines the size of the Security event log; the setting '153600' creates a 153600 KB log file. With an average of 500 bytes per event, this log file will accommodate over 307,200 events and allows the system to run for an extended period of time without having to roll the log file.

NOTE: Due to the wide variety of event loads, monitoring the log files during the initial operational period is recommended.

Maximum system log size

MaximumLogSize = 76800 (in [System Log] section)

The 'MaximumLogSize' keyword determines the size of the System event log; the setting '76800' creates a 76800 KB log file. With an average of 500 bytes per event, this log file will accommodate over 153,000 events, allowing the system to run for an extended period of time without having to roll the log file.

3.8 Guest Access

Prevent local Guests group from accessing Application, Security, and System logs

RestrictGuestAccess = 1 (in [Application Log], [Security Log] or [System Log] section)

The 'RestrictGuestAccess' keyword determines if accounts with 'guest' access can access the log. Access to log information provides an attacker with valuable information to mount attacks on the system or its users; as a result, only authenticated users should be given access to the log files. The setting '1' disallows guest access to the log.

3.9 Retention Method

Retention method for application log

AuditLogRetentionPeriod = 2 (in [Application Log], [Security Log] or [System Log] section)

The 'AuditLogRetentionPeriod' keyword determines the system behaviour when the log is full. The setting '2' shuts the system down if the log cannot be written.

NOTE: Use of this setting should be consistent with the organization's log retention policy.

3.10 System Services

Amplifying information regarding the service startup and ACL settings can be found

in Annexes 4.1 and 4.3, respectfully.

3.10.1 Services Explicitly Covered by Microsoft

Alerter

"alerter",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLC

SWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDC

LCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Alerter service notifies selected users and computers of administrative alerts.

This policy disables this service.

Application Layer Gateway Service

"alg",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSW

RPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCS

WRPWPDTLOCRSDRCWDWO;;;WD)"

The Application Layer Gateway Service is a subcomponent of the Internet Connection

Sharing (ICS) / Internet Connection Firewall (ICF) Service. This supports

independent software vendor plug-ins to allow proprietary protocols through the

firewall and work behind ICS. This policy disables the service.

Application Management

"appmgmt",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA

;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Application Management provides software installation services. This policy disables

the service.

ASP .NET State Service

"aspnet_state",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The ASP .NET State Service provides support for out-of-process session states for

ASP .NET. This policy disables the service.

Automatic Updates

"wuauserv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Automatic Updates Service enables the automated download and installation of software updates. This policy disables the service.

NOTE: With this service disabled, systems built from the template must receive security updates through another managed mechanism; the template does not itself provide one.

Background Intelligent Transfer Service

"bits",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"


The Background Intelligent Transfer Service is used to transfer files asynchronously

between a client and an HTTP server. This policy disables the service.

Certificate Services

"certsvc",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Certificate Services perform core functions for a Certification Authority. This

policy disables the service.

MS Software Shadow Copy Provider

"swprv",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The MS Software Shadow Copy Provider supports the creation of file shadow copies

used to perform system backups. This policy sets the startup to manual for the

service.

Client Service for Netware

"nwcworkstation",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Client Service for Netware provides access to files and printers on NetWare

networks. This policy disables the service.

ClipBook

"clipsrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The ClipBook service creates and shares 'pages' of data that may be viewed by remote users. This policy disables the service.

Cluster Service

"clussvc",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Cluster Service supports membership in a High Availability environment

(Cluster). The service is disabled.

COM+ Event System

"eventsystem",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The COM+ Event System Service extends the COM+ programming model with a publish/subscribe event service. The startup code '3' in this entry sets the service to manual startup, so it is started on demand by the components that use it.


COM+ System Application

"comsysapp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The COM+ System Application Service manages the configuration and tracking of

components based on COM+. The service is disabled.

Computer Browser

Domain Member Baseline

"browser",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Computer Browser service maintains the list of computers on the network and supplies it to programs that request it. This policy sets service startup to automatic.

Workgroup Member Baseline

"browser",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy disables service startup.

Cryptographic Services

"cryptsvc",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Cryptographic Services provide key management functionality for the computer. This

policy sets the service to automatic startup.

DHCP Client

Domain Member Baseline

"dhcp",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The DHCP Client service obtains the computer's IP address from a DHCP server and registers and updates its DNS records. This policy sets the service to automatic startup.

Workgroup Member Baseline

"dhcp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy disables service startup.

DHCP Server

"dhcpserver",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The DHCP Server allocates IP addresses. The service is disabled.


Distributed File System

"dfs",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Distributed File System manages logical volumes across local or wide area

networks. The service is disabled.

Distributed Link Tracking Client

"trkwks",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Distributed Link Tracking Client Service ensures shortcuts (among others) work

after the target has been moved. The service is disabled.

Distributed Link Tracking Server

"trksvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Distributed Link Tracking Server stores information so files moved between

volumes can be tracked. The service is disabled.

Distributed Transaction Coordinator

"msdtc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Distributed Transaction Coordinator Service manages transactions that involve

multiple computer systems or resource managers. The service is disabled.

DNS Client

Domain Member Server

"dnscache",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The DNS Client service resolves and caches DNS names for the computer; domain members rely on it to locate domain controllers. This policy sets the service to automatic startup.

Workgroup Member Server

"dnscache",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy disables service startup.

DNS Server

"dns",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The DNS Server responds to queries for DNS names. The service is disabled.


Error Reporting Service

"ersvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Error Reporting Service collects, stores, and reports unexpected application

closures to Microsoft. The service is disabled.

Event Log

"eventlog",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Event Log Service records application, security and system events and makes the logs available for viewing; the audit policy in section 3.4 depends on it. This policy sets the service to automatic startup.

Fax Service

"fax",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Fax service provides Fax capabilities. The service is disabled.

File Replication

"ntfrs",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The File Replication Service automatically copies and maintains files on multiple servers. The service is disabled.

File Server for Macintosh

"macfile",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Macintosh File Service provides network file access to Macintosh computers. The

service is disabled.

FTP Publishing Service

"msftpsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The FTP Publishing Service provides FTP connectivity and is administered through the IIS snap-in. The service is disabled.

Help and Support

"helpsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Help and Support Service enables Help and Support Center to run. The service is

disabled.


HTTP SSL

"httpfilter",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The HTTP SSL Service provides SSL functions to IIS. The service is disabled.

Human Interface Device Access

"hidserv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Human Interface Device Access service enables the pre-defined hot buttons on keyboards, remote controls and other multimedia devices. The service is disabled.

IAS Jet Database Access

"iasjet",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The IAS Jet Database Access service uses RADIUS to provide authentication,

authorization and accounting services. The service is disabled.

IIS Admin Service

"iisadmin",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The IIS Admin Service allows administration of IIS components. The service is

disabled.

IMAPI CD-Burning COM Service

"imapiservice",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The IMAPI CD-Burning Service manages CD burning. The service is disabled.

Indexing Service

"cisvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Indexing Service indexes file contents and properties. The service is disabled.

Infrared Monitor

"irmon",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Infrared Monitor service enables file and image sharing through infrared devices. The

service is disabled.


Internet Authentication Service

"ias",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Internet Authentication Service manages network authentication, authorization and

accounting. The service is disabled.

Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS)

"sharedaccess",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) service

provides Internet services for small local networks. The service is disabled.

Intersite Messaging

"ismserv",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Intersite Messaging Service is used for mail-based replication. The service is

disabled.

IP Version 6 Helper Service

"6to4",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The IP Version 6 Helper Service offers IPv6 connectivity over an existing IPv4 network. The service is disabled.

IPSEC Policy Agent (IPSec Service)

"policyagent",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The IPSEC Policy Agent (IPSec Service) retrieves the IPsec policy assigned to the computer and drives the IKE negotiations that set up authenticated and encrypted connections with other hosts; no IPsec policy is enforced while it is stopped. This policy sets the service to automatic startup.

Kerberos Key Distribution Centre

"kdc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Kerberos Key Distribution Center Service allows users to log on using the Kerberos v5 authentication protocol; it runs only on domain controllers. The service is disabled.

License Logging Service

"licenseservice",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The License Logging service records client access licensing information. The service

is disabled.


Logical Disk Manager

"dmserver",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Logical Disk Manager service detects all new hard drives and sends disk volume

information to the Logical Disk Manager Administration Service. This policy sets the

service to manual startup.

Logical Disk Manager Administrative Service

"dmadmin",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Logical Disk Manager Administrative Service performs requests for disk management. This policy sets the service to manual startup.

Message Queuing

"msmq",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Message Queuing Service is the infrastructure and development tool for creating

distributed messaging applications. The service is disabled.

Message Queuing Down Level Clients

"mqds",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Message Queuing Down Level Clients service provides Active Directory access to

Message Queuing Clients. The service is disabled.

Message Queuing Triggers

"mqtgsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Message Queuing Trigger Service provides rule-based analysis of messages

arriving in the Message Queuing queue. The service is disabled.

Messenger

"messenger",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Messenger Service sends Alerter Service messages between clients and servers.

The service is disabled.


Microsoft POP3 Service

"pop3svc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Microsoft POP3 service provides e-mail transfer and retrieval services. The

service is disabled.

MSSQL$UDDI

"mssql$uddi",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The MSSQL$UDDI service publishes and locates information about web services. The

service is disabled.

MSSQLServerADHelper

"mssqlserver",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The SQL Server service provides SQL database functionality for a server. The service is disabled. Note that the service name given in this entry ('mssqlserver') is that of the SQL Server default instance, which differs from the heading.

.NET Framework Support Service

"corrtsvc",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The .NET Framework Support Service notifies a subscribing client when a specified

process initializes the Client Runtime Service. The service is disabled.

Net Logon

Domain Member Server

"netlogon",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Net Logon service maintains the secure channel between the computer and a domain controller, which is used to authenticate users and services against the domain. This policy sets the service to automatic startup.

Workgroup Member Server

"netlogon",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy disables service startup.

NetMeeting Remote Desktop Sharing

"mnmsrvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The NetMeeting Remote Desktop Sharing Service enables access to a system with

NetMeeting. The service is disabled.


Network Connections

"netman",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Network Connections service manages the objects in the Network Connections folder. This policy sets the service to manual startup, so it is started automatically when the Network Connections interface is invoked.

Network DDE

"netdde",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The NetDDE Service provides network transport and security for DDE. The service is

disabled.

Network DDE DSDM

"netddedsdm",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The NetDDEDSDM Service manages DDE network shares. The service is disabled.

Network Location Awareness (NLA)

"nla",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Network Location Awareness service collects and stores network information.

The service is disabled.

Network News Transport Protocol (NNTP)

"nntpsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Network News Transport Protocol (NNTP) service provides News Server

capabilities. The service is disabled.

NTLM Security Support Provider

"ntlmssp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The NTLM Security Support Provider service provides security to RPC programs that use transports other than named pipes, and enables users to log on using NTLM authentication in place of Kerberos. The service is disabled.

NOTE: Disabling this service does not by itself turn off NTLM for network logons; which NTLM variants are accepted is governed by the 'LAN Manager authentication level' security option.


Performance Logs and Alerts

"sysmonlog",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Performance Logs and Alerts Service collects performance data on a schedule and raises alerts on thresholds. The service is disabled.

Plug and Play

"plugplay",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Plug and Play service allows a computer to adapt to hardware configuration changes with little user input. The service is disabled.

NOTE: With Plug and Play disabled, newly attached hardware is not detected or installed. Confirm that this matches the hardware baseline of the target systems before applying the template.

Portable Media Serial Number

"wmdmpmsn",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Portable Media Serial Number service retrieves serial numbers from any portable

music player connected to the system. The service is disabled.

Print Server for Macintosh

"macprint",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Macintosh Print service provides network printer access to Macintosh computers.

The service is disabled.

Print Spooler

"spooler",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Spooler service manages local and network print queues and controls all print

jobs. The service is disabled.

Protected Storage

"protectedstorage",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Protected Storage service protects storage of sensitive information from

unauthorized services, processes or users. This policy sets the service to automatic

startup.


Remote Access Auto Connection Manager

"rasauto",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Access Auto Connection Manager service detects unsuccessful attempts to connect to a remote network or computer and offers to establish a dial-up or VPN connection instead. The service is disabled.

Remote Access Connection Manager

"rasman",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Access Connection Manager service manages dial-up and VPN

connections to a server. The service is disabled.

Remote Administration Service

"srvcsurg",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Administration service provides an interface for Remote Server

Administration Tools. The service is disabled.

Remote Desktop Help Session Manager

"rdsessmgr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Desktop Help Session Manager service controls the Remote Assistance

feature in the Help and Support Center application. The service is disabled.

Remote Installation

"binlsvc",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Installation Service is a Windows deployment feature. The service is

disabled.

Remote Procedure Call (RPC)

"rpcss",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Procedure Call (RPC) service provides the RPC endpoint mapper and the COM service control manager; most other Windows services depend on it, so it must remain running. This policy sets the service to automatic startup.


Remote Procedure Call (RPC) Locator

"rpclocator",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The RPC Locator Service enables RPC clients to locate RPC servers. The service is

disabled.

Remote Registry Service

"remoteregistry",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Registry service enables remote users holding the appropriate registry permissions to read and modify the registry over the network. The service is disabled.

NOTE: Remote administration and compliance-audit tools that read the registry over the network will not work against systems on which this service is disabled.

Remote Server Manager

"appmgr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Server Manager service acts as a Windows Management

Instrumentation (WMI) instance provider for Remote Administration Alert Objects. It

also acts as a WMI method provider for Remote Administration Tasks. The service is

disabled.

Remote Server Monitor

"appmon",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Server Monitor service provides monitoring of resources on remotely managed systems. The service is disabled.

Remote Storage Notification

"remote_storage_user_link",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Storage Notification service notifies a user when accessing data on

secondary storage units. The service is disabled.

Remote Storage Server

"remote_storage_server",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Storage Server stores infrequently used files in secondary storage. The

service is disabled.


Removable Storage

"ntmssvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Removable Storage service maintains a catalogue of information for removable

media used by the system. The service is disabled.

Resultant Set of Policy Provider

"rsopprov",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Resultant Set of Policy Provider service enables simulation of policy to determine

the effects. The service is disabled.

Routing and Remote Access

"remoteaccess",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Routing and Remote Access service provides multi-protocol LAN-to-LAN, LAN-to-

WAN, and NAT routing services. The service is disabled.

SAP Agent

"nwsapagent",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The SAP Agent service advertises services on an IPX network. The service is

disabled.

Secondary Logon Service

"seclogon",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Secondary Logon service allows users to create processes under a different security context (the 'runas' command and the 'Run as...' shell option). The service is disabled.

NOTE: Disabling this service also removes 'runas', so an administrator logged on with a standard user account cannot start a privileged process from that session on these systems.

Security Accounts Manager

"samss",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Security Accounts Manager service manages user and group account

information. This policy sets the service to automatic startup.


Server

"lanmanserver",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Server service provides file, print and named-pipe sharing over the network (the SMB server side), including the administrative shares and the named pipes that RPC-over-SMB management tools use. This policy disables service startup.

Shell Hardware Detection

"shellhwdetection",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Shell Hardware Detection service monitors and provides notification for AutoPlay

hardware events. The service is disabled.

Simple Mail Transfer Protocol (SMTP)

"smtpsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Simple Mail Transfer Protocol (SMTP) service transports electronic mail across the network. The service is disabled.

Simple TCP/IP Services

"simptcp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Simple TCP/IP Services provides the following legacy diagnostic protocols, each of which answers unauthenticated requests (the echo and character generator ports in particular are used in reflection attacks):

Echo: port 7
Discard: port 9
Daytime: port 13
Quote of the Day: port 17
Character Generator: port 19

The service is disabled.

Single Instance Storage Groveler

"groveler",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Single Instance Storage Groveler service supports Remote Installation service.

The service is disabled.

Smart Card

"scardsvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Smart Card service manages access to smart card readers. The service is

disabled.


SNMP Service

"snmp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Simple Network Management Protocol (SNMP) service allows incoming SNMP

requests to be processed by the system. The service is disabled.

SNMP Trap Service

"snmptrap",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The SNMP Trap service receives trap messages generated by SNMP agents. The

service is disabled.

Special Administration Console Helper

"sacsvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Special Administration Console Helper service performs remote management

tasks. The service is disabled.

SQLAgent$* (*UDDI or WebDB)

"sqlagent$webdb",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The SQLAgent$webdb service monitors and schedules jobs for the corresponding SQL Server instance. The service is disabled.

System Event Notification

"sens",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The System Event Notification service provides monitoring and tracking services for

system events. This policy sets the service to automatic startup.

Task Scheduler

"schedule",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Task Scheduler service enables configuration and schedules of automated tasks

on the system. The service is disabled.


TCP/IP NetBIOS Helper

Domain Member Server

"lmhosts",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The TCP/IP NetBIOS Helper service provides NetBIOS over TCP/IP (NetBT) support and NetBIOS name resolution for the computer. This policy sets the service to automatic startup.

Workgroup Member Server

"lmhosts",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy disables service startup.

TCP/IP Print Server

"lpdsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The TCP/IP Print Server service enables TCP/IP based printing. The service is

disabled.

Telephony

"tapisrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Telephony service provides support for programs that control telephony and IP-

based voice devices. The service is disabled.

Telnet

"tlntsvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Telnet service provides ASCII terminal sessions to telnet clients; credentials and session data cross the network unencrypted. The service is disabled.

Terminal Services

"termservice",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Terminal Services allows users to access a virtual Windows desktop session. The

service is disabled.


Terminal Services Licensing

"termservlicensing",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Terminal Services Licensing service provides registered client licenses when

connecting to a Terminal Server. The service is disabled.

Terminal Services Session Directory

"tssdis",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCS

WRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCW

DWO;;;WD)"

The Terminal Services Session Directory service provides a multi-session

environment that allows access a virtual Windows desktop. The service is disabled.

Themes

"themes",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLC

SWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRC

WDWO;;;WD)"

The Themes service provides theme management services. The service is disabled.

Trivial FTP Daemon

"tftpd",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCS

WRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCW

DWO;;;WD)"

The Trivial FTP Daemon is a File Transfer Protocol that does not require

authentication. The service is disabled.

Uninterruptible Power Supply

"ups",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSW

RPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWD

WO;;;WD)"

The Uninterruptible Power Supply service manages an uninterruptible power supply.

The service is disabled.

Upload Manager

"uploadmgr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCD

CLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSD

RCWDWO;;;WD)"

The Upload Manager service manages file transfers between clients and servers.

Driver data is anonymously uploaded from a customer computer to Microsoft. The

service is disabled.


Virtual Disk Service

"vds",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Virtual Disk service provides a single interface for managing block storage virtualization. The service is disabled.

Volume Shadow Copy

"vss",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Volume Shadow Copy service manages and implements the volume shadow copies used for backups. This policy sets the service to manual startup.

WebClient

"webclient",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The WebClient service allows Win32 applications to access documents on the Internet. The service is disabled.

Web Element Manager

"elementmgr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Web Element Manager service provides Web user interface elements for the Administration Web site at port 8098. The service is disabled.

Windows Audio

"audiosrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Windows Audio service provides support for sound. The service is disabled.

Windows Image Acquisition (WIA)

"stisvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Windows Image Acquisition (WIA) service supports scanners and cameras. The service is disabled.

Domain Member Server

"msiserver",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy sets the service to automatic startup.


Workgroup Member Server

"msiserver",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy disables service startup.

Windows Internet Name Service (WINS)

"wins",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Windows Internet Name Service (WINS) enables NetBIOS name resolution. The service is disabled.

Windows Management Instrumentation

"winmgmt",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Windows Management Instrumentation service provides a common interface for accessing management information. This policy sets the service to automatic startup.

Windows Management Instrumentation Driver Extensions

"wmi",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Windows Management Instrumentation Driver Extensions service monitors all drivers and event trace providers that publish WMI or event trace information. The service is disabled.

Windows Media Services

"wmserver",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Windows Media Services provides streaming media over IP-based networks. The service is disabled.

Windows System Resource Manager

"windowssystemresourcemanager",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Windows System Resource Manager service is a tool to help customers deploy applications. The service is disabled.


Windows Time

"w32time",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Windows Time service maintains date and time synchronization. This policy sets the service to automatic startup.

WinHTTP Web Proxy Auto-Discovery Service

"winhttpautoproxysvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The WinHTTP Web Proxy Auto-Discovery service implements the Web Proxy Auto-Discovery (WPAD) protocol. WPAD is an HTTP client service that locates proxy servers. The service is disabled.

Wireless Configuration

"wzcsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Wireless Configuration service enables automatic configuration of IEEE 802.11 wireless adapters. The service is disabled.

WMI Performance Adapter

"wmiapsrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The WMI Performance Adapter service provides performance library information. The service is disabled.

Domain Member Server

"lanmanworkstation",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy sets the service to automatic startup.

Workgroup Member Server

"lanmanworkstation",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy disables service startup.


World Wide Web Publishing Service

"w3svc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The World Wide Web Publishing service provides Web connectivity and administration through the IIS snap-in. The service is disabled.

3.10.2 Services Not Explicitly Covered by Microsoft

"fastuserswitchingcompatibility",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The "fastuserswitchingcompatibility" service is not a core requirement for a Windows 2003 server. The service is disabled.

"mssql$webdb",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The MSSQL$webdb service is used to publish and locate information about web services. The service is disabled.

"mssqlserveradhelper",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The MSSQLServerADHelper service enables SQL Server and SQL Server Analysis Services to publish information in Active Directory. The service is disabled.

"saldm",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The "saldm" service is not a core requirement for a Windows 2003 server. The service is disabled.

"sptimer",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The "sptimer" service is not a core requirement for a Windows 2003 server. The service is disabled.

"sqlserveragent",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The "sqlserveragent" service is not a core requirement for a Windows 2003 server. The service is disabled.


"winsip",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLC

SWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRC

WDWO;;;WD)"

This is not a core requirement for a High Security server. The service is disabled.
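
Every service line in this section has the same shape: a quoted service name, a start value (2, 3 or 4, see Annex 4.1.2) and an SDDL security descriptor. The Python below is an added example, not part of the working aide: it parses such lines, decodes each ACE's two-letter rights into the service access rights they stand for and its trustee alias into the well-known SID from Annex 4.2, and flags any trustee other than Administrators (BA) or Local System (SY) that holds start, stop or configuration rights, as well as a SACL without failure auditing. The 'lmhosts' and 'audiosrv' lines are copied from above; 'weaksvc' is a constructed over-permissive entry.

```python
"""Parse the "name",start,"SDDL" service lines of a Windows security
template and review each service ACL for least privilege.  Added example,
not part of the working aide; two sample lines are copied from the template
above and "weaksvc" is a constructed entry with an over-permissive ACL."""
import re
from dataclasses import dataclass

START_TYPE = {2: "automatic", 3: "manual", 4: "disabled"}   # Annex 4.1.2

# SDDL two-letter right codes as they apply to service objects.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights that let a principal alter or control the service, not just query it.
CONTROL_RIGHTS = {"DC", "RP", "WP", "DT", "SD", "WD", "WO"}
# SDDL trustee aliases -> well-known SIDs (Annex 4.1.3 and 4.2).
TRUSTEES = {"BA": "S-1-5-32-544", "SY": "S-1-5-18", "WD": "S-1-1-0",
            "IU": "S-1-5-4", "AU": "S-1-5-11"}


@dataclass
class Ace:
    ace_type: str        # "A" allow, "D" deny, "AU" system audit
    flags: str           # e.g. "FA" = audit failed access
    rights: frozenset    # two-letter right codes
    trustee: str         # alias such as BA, or a literal SID


@dataclass
class ServiceEntry:
    name: str
    start: str
    dacl: list
    sacl: list


def parse_ace(text):
    """Decode one 'type;flags;rights;object;inherit;trustee' ACE body."""
    parts = text.split(";")
    if len(parts) != 6:
        raise ValueError(f"malformed ACE: {text!r}")
    ace_type, flags, rights, _object, _inherit, trustee = parts
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string in ACE: {text!r}")
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    unknown = codes - RIGHTS.keys()
    if unknown:
        raise ValueError(f"unknown right(s) {sorted(unknown)} in {text!r}")
    return Ace(ace_type, flags, frozenset(codes), trustee)


def parse_sddl(sddl):
    """Split 'D:flags(ace)...S:flags(ace)...' into DACL and SACL ACE lists."""
    m = re.fullmatch(r"D:([A-Z]*)((?:\([^)]*\))*)(?:S:([A-Z]*)((?:\([^)]*\))*))?", sddl)
    if not m:
        raise ValueError(f"unsupported SDDL: {sddl!r}")

    def aces(text):
        return [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", text or "")]
    return aces(m.group(2)), aces(m.group(4))


def parse_service_line(line):
    m = re.fullmatch(r'"([^"]+)",([234]),"(.*)"', line.strip())
    if not m:
        raise ValueError(f"not a service template line: {line!r}")
    name, start, sddl = m.groups()
    dacl, sacl = parse_sddl(sddl)
    return ServiceEntry(name, START_TYPE[int(start)], dacl, sacl)


def review(entry):
    """Findings: control rights held by anyone but Administrators (BA) or
    Local System (SY), and a SACL that does not audit failed access."""
    findings = []
    for ace in entry.dacl:
        if ace.ace_type != "A" or ace.trustee in ("BA", "SY"):
            continue
        held = sorted(ace.rights & CONTROL_RIGHTS)
        if held:
            sid = TRUSTEES.get(ace.trustee, ace.trustee)
            findings.append(f"{entry.name}: {ace.trustee} ({sid}) holds "
                            + ", ".join(RIGHTS[r] for r in held))
    if not any(a.ace_type == "AU" and "FA" in a.flags for a in entry.sacl):
        findings.append(f"{entry.name}: SACL does not audit failed access")
    return findings


def audit(lines):
    return {e.name: review(e) for e in map(parse_service_line, lines)}


FULL = "CCDCLCSWRPWPDTLOCRSDRCWDWO"      # full control, as used throughout
SAMPLE = [
    f'"lmhosts",2,"D:AR(A;;{FULL};;;BA)(A;;{FULL};;;SY)S:(AU;FA;{FULL};;;WD)"',
    f'"audiosrv",4,"D:AR(A;;{FULL};;;BA)(A;;{FULL};;;SY)(A;;CCLCSWLOCRRC;;;IU)'
    f'S:(AU;FA;{FULL};;;WD)"',
    # constructed: Interactive users may start and stop, and nothing is audited
    f'"weaksvc",2,"D:(A;;{FULL};;;BA)(A;;CCLCSWRPWPLOCRRC;;;IU)"',
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```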

3.11 TCP/IP Stack Hardening

EnableICMPRedirect

machine\system\currentcontrolset\services\tcpip\parameters\enableicmpredirect=4, 0

The 'enableicmpredirect' registry value causes TCP to find host routes that override OSPF-generated routes; if enabled, a ten-minute timeout can make the system unavailable to the network. Disabling it causes the system to rely on OSPF routing; the setting '0' disables this capability.

SynAttackProtect

machine\system\currentcontrolset\services\tcpip\parameters\synattackprotect=4, 1

The 'synattackprotect' registry value adjusts the retransmission of SYN-ACKs. The setting '1' causes connections to time out faster when a SYN attack is detected; this reduces the effort expended on unresponsive connections.

EnableDeadGWDetect

machine\system\currentcontrolset\services\tcpip\parameters\enabledeadgwdetect=4, 0

The 'enabledeadgwdetect' value allows TCP to redirect traffic to a backup gateway; if a system detects difficulties on a network, it will automatically switch to a different gateway, which in turn may cause undesirable packet traversal over untrusted networks. The setting '0' disables this capability.

EnablePMTUDiscovery

machine\system\currentcontrolset\services\tcpip\parameters\enablepmtudiscovery=4, 0

The 'enablepmtudiscovery' registry value determines whether TCP automatically finds the maximum transmission unit (MTU), the largest packet size that can be sent to a remote host; if enabled, an attacker could force a very small packet size and invoke a DoS condition. The setting '0' causes a fixed packet size to be used for all connections to remote hosts.

KeepAliveTime

machine\system\currentcontrolset\services\tcpip\parameters\keepalivetime=4, 300000

The 'keepalivetime' registry value determines how often TCP verifies that an idle connection is intact. The setting '300,000' (5 minutes) is short enough to provide some defense against DoS conditions and allows resources to be recovered from unresponsive connections.


DisableIPSourceRouting

machine\system\currentcontrolset\services\tcpip\parameters\disableipsourcerouting=4, 2

The 'disableipsourcerouting' value determines whether the sender of a TCP packet can dictate the route; dictating packet routes can obscure an attacker's location on the network. The setting '2' disables this ability.

TcpMaxConnectResponseRetransmissions

machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxconnectresponseretransmissions=4, 2

The 'tcpmaxconnectresponseretransmissions' value determines the number of times TCP retransmits a SYN packet before aborting. The setting '2' limits the possibility of a DoS attack without affecting normal users and reduces the effort expended on unresponsive connections.

TcpMaxDataRetransmissions

machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxdataretransmissions=4, 3

The 'tcpmaxdataretransmissions' value defines the number of times unacknowledged data is retransmitted before the connection is dropped. The setting '3' reduces the success of a DoS attack and reduces the effort expended on unresponsive connections.

PerformRouterDiscovery

machine\system\currentcontrolset\services\tcpip\parameters\performrouterdiscovery=4, 0

The 'performrouterdiscovery' value controls the use of the Internet Router Discovery Protocol; if the system were to discover routers, an attacker could redirect packets to another destination. The setting '0' disables discovery and forces the use of known routers.

TCPMaxPortsExhausted

machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxportsexhausted=4, 5

The 'tcpmaxportsexhausted' value controls the point at which SYN attack protection begins. The setting '5' causes protection to start after five failures; this is the Microsoft standard for TCP/IP and is a balance between performance and security.

TCPMaxHalfOpen

machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxhalfopen=4, 100

The 'tcpmaxhalfopen' value defines the number of connections in the SYN state table before SYN attack protection begins. The setting '100' initiates SYN attack protection when the state table reaches one hundred connections.


TCPMaxHalfOpenRetired

machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxhalfopenretired=4, 80

The 'tcpmaxhalfopenretired' value determines how many connections the server can maintain in the half-open state; the setting '80' initiates SYN attack protection when the state table reaches eighty connections.

NoNameReleaseOnDemand (TCP/IP)

machine\system\currentcontrolset\services\tcpip\parameters\nonamereleaseondemand=4, 1

The 'nonamereleaseondemand' registry value determines whether a system will release its NetBIOS name to another computer on request; the setting '1' prevents disclosure of NetBIOS information.

3.12 AFD.SYS

DynamicBacklogGrowthDelta

machine\system\currentcontrolset\services\afd\parameters\dynamicbackloggrowthdelta=4, 10

The 'dynamicbackloggrowthdelta' value defines the number of free connections to create when more are needed. The setting '10' creates ten additional free connections at a time. Growing the backlog in small steps ensures resources are not over-committed, thereby preventing the invocation of a DoS condition.

EnableDynamicBacklog

machine\system\currentcontrolset\services\afd\parameters\enabledynamicbacklog=4, 1

The 'enabledynamicbacklog' value enables the dynamic backlog. The setting '1' enables the backlog; this ensures the system manages port resources in a manner that mitigates DoS attacks.

MinimumDynamicBacklog

machine\system\currentcontrolset\services\afd\parameters\minimumdynamicbacklog=4, 20

The 'minimumdynamicbacklog' value controls the minimum number of free ports on a listening end point. The setting '20' allows a system to create more if fewer than twenty are available; it is intended to ensure resources are available and to limit the threat of DoS conditions.

MaximumDynamicBacklog

machine\system\currentcontrolset\services\afd\parameters\maximumdynamicbacklog=4,20000

The 'maximumdynamicbacklog' value controls the number of 'quasi-free' connections allowed on a listening end point. The setting '20,000' is recommended to stymie DoS attacks. This setting limits the resources allocated to incomplete connections; once creating additional free ports would exceed the value, the system will not maintain additional sessions.


3.13 Other Settings

NoNameReleaseOnDemand (NetBIOS)

machine\system\currentcontrolset\services\netbt\parameters\nonamereleaseondemand=4, 1

The 'nonamereleaseondemand' value determines whether a system releases its NetBIOS name upon a name-release request. The setting '1' prevents a system from releasing its NetBIOS name, other than to WINS servers; this reduces the information it provides to an unauthorized user.

Enable the computer to stop generating 8.3 style filenames

machine\system\currentcontrolset\control\filesystem\ntfsdisable8dot3namecreation=4, 1

The 'ntfsdisable8dot3namecreation' value determines whether a system generates 8.3 file names. The setting '1' prevents the 8.3 filename format. Generating 8.3 file names makes name guessing easier for an attacker; disabling it ensures only the full name can be used to reference files.

NoDriveTypeAutoRun

machine\software\microsoft\windows\currentversion\policies\explorer\nodrivetypeautorun=4,255

The 'nodrivetypeautorun' value determines whether autorun is enabled on connected drives. The setting '255' disables autorun for all drives on the system; this ensures privileged users do not run unapproved software inadvertently, since without this restriction unapproved software may run automatically.

The time in seconds before the screen saver grace period expires (0 recommended)

machine\software\microsoft\windows nt\currentversion\winlogon\screensavergraceperiod=4, 0

The 'screensavergraceperiod' value determines the amount of time (in seconds) before the screen saver password is enforced; the setting '0' enforces the password lock with no delay, which locks the system immediately when the idle threshold is reached.

Warning Level

machine\system\currentcontrolset\services\eventlog\security\warninglevel=4, 90

The 'warninglevel' value determines how full the Security log may become before a warning event is triggered. The setting '90' triggers a warning when the Security log reaches 90% capacity; this affords sufficient time to reset the log and determine the reasons for the warning.


Enable Safe DLL search mode (recommended)

machine\system\currentcontrolset\control\sessionmanager\safedllsearchmode=4, 1

The 'safedllsearchmode' value determines the order in which DLLs are searched. The setting '1' commands the system to look first in the PATH and then in the current folder; this order ensures files in the current folder do not run in place of files in the user's PATH.

Disable Autorun on CD-ROM

machine\system\currentcontrolset\services\CDRom\AutoRun=4, 1

The 'Disable Autorun on CD-ROM' setting prevents automatic execution of programs upon insertion of a CD. The setting '1' disables the Autorun feature; this helps reduce the threat of malicious code infection through CD-ROM.

Disable Administrative Shares

machine\system\currentcontrolset\services\LanmanServer\Parameters\AutoShareServer=4, 0

The 'AutoShareServer' value determines whether disk drives have administrative shares. The setting '0' disables administrative shares.

Disable DCOM

machine\Software\Microsoft\OLE\EnableDCOM=4, 0

The 'EnableDCOM' value determines whether DCOM is active. The setting '0' disables DCOM.
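
All of the registry settings in sections 3.11 to 3.13 share the form machine\path\valuename=type,data, where the type code is one of those listed in Annex 4.1.5. The Python below is an added example, not the working aide's own tooling: it parses such lines and compares the expected data with a snapshot of the values a system currently holds, reporting each value as ok, mismatched or missing. The baseline lines are copied from the sections above; the snapshot is constructed (its keepalivetime of 7200000 ms is the Windows default of two hours).

```python
"""Check a system's registry values against the hardening settings of
sections 3.11 to 3.13.  Added example, not the working aide's own tooling.
The baseline lines are copied from the template above; the 'current'
snapshot is constructed (keepalivetime 7200000 is the Windows default)."""
import re

# Registry value type codes from Annex 4.1.5.
REG_TYPES = {1: "reg_sz", 2: "reg_expand_sz", 3: "reg_binary",
             4: "reg_dword", 7: "reg_multi_sz"}

# machine\<key path>\<value name>=<type>,<data>, with optional spaces.
LINE_RE = re.compile(r"^\s*(machine\\[^=]+?)\s*=\s*(\d+)\s*,\s*(.*?)\s*$", re.I)


def parse_template_line(line):
    """Return (normalized path, type name, decoded data) for one line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a registry template line: {line!r}")
    path, type_code, raw = m.group(1).lower(), int(m.group(2)), m.group(3)
    if type_code not in REG_TYPES:
        raise ValueError(f"unknown registry type code {type_code}: {line!r}")
    type_name = REG_TYPES[type_code]
    if type_name in ("reg_dword", "reg_binary"):
        data = int(raw, 0)            # decimal as written, or 0x... if used
    elif type_name == "reg_multi_sz":
        data = [s for s in raw.split(",") if s]
    else:
        data = raw
    return path, type_name, data


def check(baseline_lines, snapshot):
    """Compare template lines with a {path: data} snapshot of the registry.
    Returns {value name: (status, expected, actual)} with status one of
    'ok', 'mismatch' or 'missing' (value absent, so the OS default applies)."""
    current = {k.lower(): v for k, v in snapshot.items()}
    report = {}
    for line in baseline_lines:
        path, _type_name, expected = parse_template_line(line)
        name = path.rsplit("\\", 1)[1]
        if path not in current:
            report[name] = ("missing", expected, None)
        elif current[path] != expected:
            report[name] = ("mismatch", expected, current[path])
        else:
            report[name] = ("ok", expected, current[path])
    return report


def deviations(report):
    """Names of values that need remediation, sorted for stable output."""
    return sorted(n for n, (status, _e, _a) in report.items() if status != "ok")


# Baseline lines copied from sections 3.11 to 3.13 above.
BASELINE = [
    r"machine\system\currentcontrolset\services\tcpip\parameters\synattackprotect=4, 1",
    r"machine\system\currentcontrolset\services\tcpip\parameters\enableicmpredirect=4, 0",
    r"machine\system\currentcontrolset\services\tcpip\parameters\keepalivetime=4, 300000",
    r"machine\system\currentcontrolset\services\tcpip\parameters\disableipsourcerouting=4, 2",
    r"machine\system\currentcontrolset\services\tcpip\parameters\enablepmtudiscovery=4, 0",
    r"machine\system\currentcontrolset\services\afd\parameters\maximumdynamicbacklog=4,20000",
    r"machine\system\currentcontrolset\control\sessionmanager\safedllsearchmode=4, 1",
]

# Constructed snapshot, as a registry export tool might return it (mixed case);
# enablepmtudiscovery is deliberately absent and two values are at OS defaults.
SNAPSHOT = {
    r"MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect": 0,
    r"machine\system\currentcontrolset\services\tcpip\parameters\enableicmpredirect": 0,
    r"machine\system\currentcontrolset\services\tcpip\parameters\keepalivetime": 7200000,
    r"machine\system\currentcontrolset\services\tcpip\parameters\disableipsourcerouting": 2,
    r"machine\system\currentcontrolset\services\afd\parameters\maximumdynamicbacklog": 20000,
    r"machine\system\currentcontrolset\control\sessionmanager\safedllsearchmode": 1,
}

if __name__ == "__main__":
    for name, (status, expected, actual) in check(BASELINE, SNAPSHOT).items():
        print(f"{status:8} {name}: expected {expected!r}, found {actual!r}")
```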


4 ANNEXES

4.1 General Security Setting Values

Windows security templates use various general setting values; all of these are expounded upon below.

4.1.1 Binary Setting Values

Binary settings indicate whether an object is enabled/installed or disabled/not installed.

EnableAdminAccount = 1

1 = The administrator account is enabled.

4.1.2 Windows Services Boot Values

Windows service boot values determine whether a service is started automatically, disabled, or able to be started manually at system start-up.

Windows Services Boot Settings

NUMERICAL VALUE   DEFINITION
2                 automatic startup
3                 manual startup
4                 disabled

"netlogon",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

2 = The netlogon service starts automatically at system bootup.

Binary Settings

BINARY VALUE   DEFINITION
0              disabled/not installed
1              enabled/installed


4.1.3 Common User Rights Security Identifier Settings

Security Identifiers (SIDs) are unique values of variable length used to identify a security principal or security group in Windows operating systems; the well-known values remain constant across all Windows operating systems.

User Rights Security Identifier Settings

SETTING         DEFINITION
*S-1-5-32-544   administrators
*S-1-5-6        service
*S-1-5-32-551   backup operators
*S-1-5-32-545   users
*S-1-5-20       network service
*S-1-5-11       authenticated users

sesystemtimeprivilege = *S-1-5-32-544

*S-1-5-32-544 = Only the system administrator can change the system time.

4.1.4 Audit Log Retention Period Settings

The audit log retention period settings determine how long audit log records are retained before they are overwritten.

Retention Period Settings

NUMERICAL VALUE   DEFINITION
0                 overwrite events as needed
1                 overwrite events as specified by the retention days entry
2                 never overwrite events (clear log manually)

AuditLogRetentionPeriod = 2

2 = The log's events are never overwritten and must be cleared manually.


4.1.5 Registry Value Settings

Registry settings in Windows security templates consist of two values: the first is numerical and represents a standard registry value type; the second contains the security setting value.

MACHINE\Software\Microsoft\Driver Signing\Policy=3,1

3 = reg_binary
1 = driver signing enabled

Registry Value Settings

SETTING   DEFINITION      VALUE
1         reg_sz          sequence of characters representing human-readable text
2         reg_expand_sz   expandable text string containing a variable that is replaced when read by an application
3         reg_binary      binary value as described in 4.1.1
4         reg_dword       a number four bytes long; can be displayed as a binary, hexadecimal or decimal value
7         reg_multi_sz    multiple values of human-readable text


4.2 Windows Security Identifiers (SIDs)

SID: S-1-0
Name: Null Authority
Description: An identifier authority.

SID: S-1-0-0
Name: Nobody
Description: No security principal.

SID: S-1-1
Name: World Authority
Description: An identifier authority.

SID: S-1-1-0
Name: Everyone
Description: A group that includes all users, even anonymous users and guests. Membership is controlled by the operating system.

SID: S-1-2
Name: Local Authority
Description: An identifier authority.

SID: S-1-3
Name: Creator Authority
Description: An identifier authority.

SID: S-1-3-0
Name: Creator Owner
Description: A placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the object's creator.

SID: S-1-3-1
Name: Creator Group
Description: A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object's creator. The primary group is used only by the POSIX subsystem.

SID: S-1-3-2
Name: Creator Owner Server
Description: This SID is not used in Windows 2000.

SID: S-1-3-3
Name: Creator Group Server
Description: This SID is not used in Windows 2000.

SID: S-1-4
Name: Non-unique Authority
Description: An identifier authority.


SID: S-1-5
Name: NT Authority
Description: An identifier authority.

SID: S-1-5-1
Name: Dialup
Description: A group that includes all users who have logged on through a dial-up connection. Membership is controlled by the operating system.

SID: S-1-5-2
Name: Network
Description: A group that includes all users that have logged on through a network connection. Membership is controlled by the operating system.

SID: S-1-5-3
Name: Batch
Description: A group that includes all users that have logged on through a batch queue facility. Membership is controlled by the operating system.

SID: S-1-5-4
Name: Interactive
Description: A group that includes all users that have logged on interactively. Membership is controlled by the operating system.

SID: S-1-5-5-X-Y
Name: Logon Session
Description: A logon session. The X and Y values for these SIDs are different for each session.

SID: S-1-5-6
Name: Service
Description: A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system.

SID: S-1-5-7
Name: Anonymous
Description: A group that includes all users that have logged on anonymously. Membership is controlled by the operating system.

SID: S-1-5-8
Name: Proxy
Description: This SID is not used in Windows 2000.

SID: S-1-5-9
Name: Enterprise Domain Controllers
Description: A group that includes all domain controllers in a forest that uses an Active Directory directory service. Membership is controlled by the operating system.


SID: S-1-5-10
Name: Principal Self
Description: A placeholder in an inheritable ACE on an account object or group object in Active Directory. When the ACE is inherited, the system replaces this SID with the SID for the security principal who holds the account.

SID: S-1-5-11
Name: Authenticated Users
Description: A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.

SID: S-1-5-12
Name: Restricted Code
Description: This SID is reserved for future use.

SID: S-1-5-13
Name: Terminal Server Users
Description: A group that includes all users that have logged on to a Terminal Services server. Membership is controlled by the operating system.

SID: S-1-5-18
Name: Local System
Description: A service account that is used by the operating system.

SID: S-1-5-19
Name: NT Authority
Description: Local Service

SID: S-1-5-20
Name: NT Authority
Description: Network Service

SID: S-1-5-domain-500
Name: Administrator
Description: A user account for the system administrator. By default, it is the only user account that is given full control over the system.

SID: S-1-5-domain-501
Name: Guest
Description: A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.

SID: S-1-5-domain-502
Name: KRBTGT
Description: A service account that is used by the Key Distribution Center (KDC) service.


SID: S-1-5-domain-512
Name: Domain Admins
Description: A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.

SID: S-1-5-domain-513
Name: Domain Users
Description: A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group by default.

SID: S-1-5-domain-514
Name: Domain Guests
Description: A global group that, by default, has only one member, the domain's built-in Guest account.

SID: S-1-5-domain-515
Name: Domain Computers
Description: A global group that includes all clients and servers that have joined the domain.

SID: S-1-5-domain-516
Name: Domain Controllers
Description: A global group that includes all domain controllers in the domain. New domain controllers are added to this group by default.

SID: S-1-5-domain-517
Name: Cert Publishers
Description: A global group that includes all computers that are running an enterprise certification authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory.

SID: S-1-5-root domain-518
Name: Schema Admins
Description: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.

SID: S-1-5-root domain-519
Name: Enterprise Admins
Description: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain.


SID: S-1-5-domain-520
Name: Group Policy Creator Owners
Description: A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator.

SID: S-1-5-domain-533
Name: RAS and IAS Servers
Description: A domain local group. By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in Active Directory.

SID: S-1-5-32-544
Name: Administrators
Description: A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.

SID: S-1-5-32-545
Name: Users
Description: A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.

SID: S-1-5-32-546
Name: Guests
Description: A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.

SID: S-1-5-32-547
Name: Power Users
Description: A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares.


SID: S-1-5-32-548

Name: Account Operators

Description: A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.

SID: S-1-5-32-549

Name: Server Operators

Description: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.

SID: S-1-5-32-550

Name: Print Operators

Description: A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.

SID: S-1-5-32-551

Name: Backup Operators

Description: A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.

SID: S-1-5-32-552

Name: Replicators

Description: A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group.

The following groups will show as SIDs until a Windows Server 2003 domain controller is made the primary domain controller (PDC) operations master role holder. (The "operations master" is also known as flexible single master operations or FSMO.) Additional new built-in groups that are created when a Windows Server 2003 domain controller is added to the domain are:

SID: S-1-5-32-554

Name: BUILTIN\Pre-Windows 2000 Compatible Access

Description: An alias added by Windows 2000. A backward compatibility group which allows read access on all users and groups in the domain.


SID: S-1-5-32-555

Name: BUILTIN\Remote Desktop Users

Description: An alias. Members in this group are granted the right to log on remotely.

SID: S-1-5-32-556

Name: BUILTIN\Network Configuration Operators

Description: An alias. Members in this group can have some administrative privileges to manage configuration of networking features.

SID: S-1-5-32-557

Name: BUILTIN\Incoming Forest Trust Builders

Description: An alias. Members of this group can create incoming, one-way trusts to this forest.


SID: S-1-5-32-558

Name: BUILTIN\Performance Monitor Users

Description: An alias. Members of this group have remote access to monitor this computer.

SID: S-1-5-32-559

Name: BUILTIN\Performance Log Users

Description: An alias. Members of this group have remote access to schedule logging of performance counters on this computer.

SID: S-1-5-32-560

Name: BUILTIN\Windows Authorization Access Group

Description: An alias. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.

SID: S-1-5-32-561

Name: BUILTIN\Terminal Server License Servers

Description: An alias. A group for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local group is created.

SID: S-1-5-32-562

Name: BUILTIN\Distributed COM Users

Description: An alias. A group for COM to provide computerwide access controls that govern access to all call, activation, or launch requests on the computer.


4.3 Common Access Control List (ACL) Settings

4.3.1 Security Descriptor Definition Language (SDDL)[3]

SDDL defines the string format that describes a security descriptor[4] as a text string; in the context of security template settings, SDDL is utilized in nTSecurityDescriptor[5] attributes, registry keys and NTFS files to define the ACL.

4.3.2 Discretionary Access Control List (DACL)

The DACL identifies the trustees that are allowed or denied access to a securable object; when a process tries to access a securable object, the system checks the ACEs in the object's DACL to determine whether to grant access to it.

Should the object not have a DACL, the system grants full access to everyone; if the object's DACL has no ACEs, the system denies all attempts to access the object because the DACL does not allow any access rights.

The system checks the ACEs in sequence until it finds one or more ACEs that allow all the requested access rights, or until any of the requested access rights are denied.

4.3.3 System Access Control List (SACL)

The SACL enables administrators to log attempts to access a secured object; each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log.

An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both. In future releases, a SACL will also be able to raise an alarm when an unauthorized user attempts to gain access to an object.

4.3.4 Access Control Entry (ACE)

An access control entry is an element in an access control list (ACL). An ACL can have zero or more ACEs. Each ACE controls or monitors access to an object by a specified trustee.

[3] University of Washington. “SDDL Syntax”. April 24, 2007. Accessed on 25 March 2008. https://www.washington.edu/computing/support/windows/UWdomains/SDDL.html.

[4] Security Descriptor - A structure and associated data that contains the security information for a securable object. A security descriptor identifies the object's owner and primary group. It can also contain a DACL that controls access to the object, and a SACL that controls the logging of attempts to access the object.

[5] nTSecurityDescriptor - Every object in Active Directory contains this attribute, which is a security descriptor object containing the discretionary access control list (DACL), the system access control list (SACL), group, and owner information that controls the object's access control behavior.


All types of ACEs contain the following access control information:

A security identifier (SID) that identifies the trustee to which the ACE applies.

An access mask that specifies the access rights controlled by the ACE.

A flag that indicates the type of ACE.

A set of bit flags that determine whether child containers or objects can inherit the ACE from the primary object to which the ACL is attached.

The following table lists the three ACE types supported by all securable objects:

Type                Description
Access-denied ACE   Used in a discretionary access control list (DACL) to deny access rights to a trustee.
Access-allowed ACE  Used in a DACL to allow access rights to a trustee.
System-audit ACE    Used in a system access control list (SACL) to generate an audit record when the trustee attempts to exercise the specified access rights.

4.3.5 Format of nTSecurityDescriptor string:

Each nTSecurityDescriptor SDDL string is composed of 5 primary components, which correspond to the header, DACL (D:), SACL (S:), primary group (G:) and owner (O:):

O:owner_sidG:group_sidD:dacl_flags(ace string 1)(ace string 2)S:sacl_flags(ace string 1)(ace string 2)

The header contains record keeping information along with 2 flags that designate whether the object is blocking inheritance for the SACL and DACL. The contents of both the primary group and owner parts are simply a single SID, while the contents of both the SACL and DACL parts are a string with no fixed length.

ACEs[6] make up the contents of these strings, are enclosed within parentheses, and contain 6 fields separated by a semicolon delimiter. The fields are:

a. ACE type (allow/deny/audit);

b. ACE flags (inheritance and audit settings);

c. Permissions (list of incremental permissions);

d. ObjectType (GUID);

e. Inherited Object Type (GUID); and

f. Trustee (SID)

[6] ACE - An access control entry is an element in an access control list (ACL). An ACL can have zero or more ACEs. Each ACE controls or monitors access to an object by a specified trustee.

4.3.6 ACE Type

The ACE type designates whether the trustee is allowed, denied or audited.

Value  Description
"A"    ACCESS ALLOWED
"D"    ACCESS DENIED
"OA"   OBJECT ACCESS ALLOWED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S).
"OD"   OBJECT ACCESS DENIED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S).
"AU"   SYSTEM AUDIT
"AL"   SYSTEM ALARM
"OU"   OBJECT SYSTEM AUDIT
"OL"   OBJECT SYSTEM ALARM

4.3.7 ACE Flags

The ACE flags denote the inheritance options for the ACE and, if the ACE is in a SACL, the audit settings.

Value  Description
"CI"   CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
"OI"   OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP"   NO PROPAGATE: ONLY IMMEDIATE CHILDREN INHERIT THIS ACE.
"IO"   INHERITANCE ONLY: ACE DOESN'T APPLY TO THIS OBJECT, BUT MAY AFFECT CHILDREN VIA INHERITANCE.
"ID"   ACE IS INHERITED
"SA"   SUCCESSFUL ACCESS AUDIT
"FA"   FAILED ACCESS AUDIT


4.3.8 Permissions

The Permissions are a list of the incremental permissions given (or denied/audited) to the trustee; these correspond to the permissions discussed earlier and are simply appended together. However, the incremental permissions are not the only permissions available. The table below lists all the permissions.

Value  Description

Generic access rights
"GA"   GENERIC ALL
"GR"   GENERIC READ
"GW"   GENERIC WRITE
"GX"   GENERIC EXECUTE

Directory service access rights
"RC"   Read Permissions
"SD"   Delete
"WD"   Modify Permissions
"WO"   Modify Owner
"RP"   Read All Properties
"WP"   Write All Properties
"CC"   Create All Child Objects
"DC"   Delete All Child Objects
"LC"   List Contents
"SW"   All Validated Writes
"LO"   List Object
"DT"   Delete Subtree
"CR"   All Extended Rights

File access rights
"FA"   FILE ALL ACCESS
"FR"   FILE GENERIC READ
"FW"   FILE GENERIC WRITE
"FX"   FILE GENERIC EXECUTE

Registry key access rights
"KA"   KEY ALL ACCESS
"KR"   KEY READ
"KW"   KEY WRITE
"KX"   KEY EXECUTE

4.3.9 Object Type and Inherited Object Type

The ObjectType is a GUID representing an object class, attribute, attribute set, or extended right. If present, it limits the ACE to the object the GUID represents. The Inherited Object Type is a GUID representing an object class. If present, it limits inheritance of the ACE to the child entries of only that object class.


4.3.10 Trustee

The Trustee is the SID of the user or group being given access (or denied or audited). Instead of a SID, there are several commonly used acronyms for well-known SIDs. These are listed in the table below:

Value  Description
"AO"   Account operators
"RU"   Alias to allow previous Windows 2000
"AN"   Anonymous logon
"AU"   Authenticated users
"BA"   Built-in administrators
"BG"   Built-in guests
"BO"   Backup operators
"BU"   Built-in users
"CA"   Certificate server administrators
"CG"   Creator group
"CO"   Creator owner
"DA"   Domain administrators
"DC"   Domain computers
"DD"   Domain controllers
"DG"   Domain guests
"DU"   Domain users
"EA"   Enterprise administrators
"ED"   Enterprise domain controllers
"WD"   Everyone
"PA"   Group Policy administrators
"IU"   Interactively logged-on user
"LA"   Local administrator
"LG"   Local guest
"LS"   Local service account
"SY"   Local system
"NU"   Network logon user
"NO"   Network configuration operators
"NS"   Network service account
"PO"   Printer operators
"PS"   Personal self
"PU"   Power users
"RS"   RAS servers group
"RD"   Terminal server users
"RE"   Replicator
"RC"   Restricted code
"SA"   Schema administrators
"SO"   Server operators
"SU"   Service logon user


4.3.11 ACL Example

Given an ACL assigned to a service as demonstrated below:

w32time,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The DACL D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) would break out as follows:

AR  SDDL_AUTO_INHERIT_REQ - the SE_DACL_AUTO_INHERIT_REQ flag is set.

ACE String 1: (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)

A   ACCESS ALLOWED
CC  CREATE ALL CHILD OBJECTS
DC  DELETE ALL CHILD OBJECTS
LC  LIST CONTENTS
SW  ALL VALIDATED WRITES
RP  READ ALL PROPERTIES
WP  WRITE ALL PROPERTIES
DT  DELETE SUBTREE
LO  LIST OBJECT
CR  ALL EXTENDED RIGHTS
SD  DELETE
RC  READ PERMISSIONS
WD  MODIFY PERMISSIONS
WO  MODIFY OWNER
BA  BUILT-IN ADMINISTRATOR

ACE String 2: (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)

A   ACCESS ALLOWED
CC  CREATE ALL CHILD OBJECTS
DC  DELETE ALL CHILD OBJECTS
LC  LIST CONTENTS
SW  ALL VALIDATED WRITES
RP  READ ALL PROPERTIES
WP  WRITE ALL PROPERTIES
DT  DELETE SUBTREE
LO  LIST OBJECT
CR  ALL EXTENDED RIGHTS
SD  DELETE
RC  READ PERMISSIONS
WD  MODIFY PERMISSIONS
WO  MODIFY OWNER
SY  LOCAL SYSTEM

The SACL S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) would break out as follows:


AU  SYSTEM AUDIT
FA  FAILED ACCESS AUDIT (the second field of an ACE holds the ACE flags of 4.3.7, which for a SACL entry are its audit settings; it is not the file permission "FA" of 4.3.8)
CC  CREATE ALL CHILD OBJECTS
DC  DELETE ALL CHILD OBJECTS
LC  LIST CONTENTS
SW  ALL VALIDATED WRITES
RP  READ ALL PROPERTIES
WP  WRITE ALL PROPERTIES
DT  DELETE SUBTREE
LO  LIST OBJECT
CR  ALL EXTENDED RIGHTS
SD  DELETE
RC  READ PERMISSIONS
WD  MODIFY PERMISSIONS
WO  MODIFY OWNER
WD  EVERYONE (trustee)
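The string layout of 4.3.5, the field tables of 4.3.6 to 4.3.10 and the DACL evaluation rule of 4.3.2, worked in code as an added example (not code from the working aide); it assumes the w32time string above joined onto one line, limits its lookup tables to the codes the working aide lists, and treats any other trustee as a literal SID.

```python
"""Added example, not code from the working aide: parse an SDDL string into its
O:/G:/D:/S: parts and six-field ACEs (4.3.5), decode each ACE with the working
aide's own tables (4.3.6 to 4.3.10), and evaluate a DACL as 4.3.2 describes."""
import re

ACE_TYPES = {"A": "ACCESS ALLOWED", "D": "ACCESS DENIED", "OA": "OBJECT ACCESS ALLOWED",
             "OD": "OBJECT ACCESS DENIED", "AU": "SYSTEM AUDIT", "AL": "SYSTEM ALARM",
             "OU": "OBJECT SYSTEM AUDIT", "OL": "OBJECT SYSTEM ALARM"}
ACE_FLAGS = {"CI": "CONTAINER INHERIT", "OI": "OBJECT INHERIT", "NP": "NO PROPAGATE",
             "IO": "INHERITANCE ONLY", "ID": "ACE IS INHERITED",
             "SA": "SUCCESSFUL ACCESS AUDIT", "FA": "FAILED ACCESS AUDIT"}
RIGHTS = {"GA": "GENERIC ALL", "GR": "GENERIC READ", "GW": "GENERIC WRITE", "GX": "GENERIC EXECUTE",
          "RC": "READ PERMISSIONS", "SD": "DELETE", "WD": "MODIFY PERMISSIONS", "WO": "MODIFY OWNER",
          "RP": "READ ALL PROPERTIES", "WP": "WRITE ALL PROPERTIES", "CC": "CREATE ALL CHILD OBJECTS",
          "DC": "DELETE ALL CHILD OBJECTS", "LC": "LIST CONTENTS", "SW": "ALL VALIDATED WRITES",
          "LO": "LIST OBJECT", "DT": "DELETE SUBTREE", "CR": "ALL EXTENDED RIGHTS", "FA": "FILE ALL ACCESS",
          "FR": "FILE GENERIC READ", "FW": "FILE GENERIC WRITE", "FX": "FILE GENERIC EXECUTE",
          "KA": "KEY ALL ACCESS", "KR": "KEY READ", "KW": "KEY WRITE", "KX": "KEY EXECUTE"}
# Subset of the 4.3.10 trustee table; any other trustee is kept as a literal SID.
TRUSTEES = {"BA": "Built-in administrators", "SY": "Local system", "WD": "Everyone",
            "AU": "Authenticated users", "BU": "Built-in users", "BG": "Built-in guests"}

def split_codes(field):
    """Type, flag and permission codes are all exactly two characters long."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def parse_ace(text):
    """One parenthesised ACE string -> dict of its six semicolon-separated fields."""
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError(f"ACE needs 6 fields, got {len(fields)}: ({text})")
    return {"type": fields[0], "flags": split_codes(fields[1]),
            "rights": split_codes(fields[2]), "object_type": fields[3],
            "inherited_object_type": fields[4], "trustee": fields[5]}

def parse_sddl(sddl):
    """Return {'O': sid, 'G': sid, 'D': (acl_flags, [ace]), 'S': (acl_flags, [ace])} for
    the components present; a D: absent from the string is absent here, not empty."""
    result = {}
    # The four component markers are the only places a colon occurs in SDDL.
    for m in re.finditer(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):
        key, body = m.group(1), m.group(2)
        if key in ("O", "G"):
            result[key] = body
        else:
            acl_flags = body.split("(", 1)[0]      # e.g. "AR" in "D:AR(...)"
            result[key] = (acl_flags, [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)])
    return result

def describe_ace(ace):
    """Break an ACE out field by field, as 4.3.11 does. The second field is always
    read with the ACE-flags table, so "FA" there is FAILED ACCESS AUDIT."""
    return {"type": ACE_TYPES.get(ace["type"], ace["type"]),
            "flags": [ACE_FLAGS.get(f, f) for f in ace["flags"]],
            "rights": [RIGHTS.get(r, r) for r in ace["rights"]],
            "trustee": TRUSTEES.get(ace["trustee"], ace["trustee"])}

def access_check(sd, token_trustees, requested):
    """DACL evaluation as 4.3.2 states it: no DACL grants everything, an empty DACL
    denies everything, otherwise walk the ACEs in order (deny wins, allows accumulate)."""
    if "D" not in sd:
        return True
    remaining = set(requested)
    for ace in sd["D"][1]:
        if ace["trustee"] not in token_trustees:
            continue
        if ace["type"] == "D" and remaining & set(ace["rights"]):
            return False
        if ace["type"] == "A":
            remaining -= set(ace["rights"])
        if not remaining:
            return True
    return False      # no ACEs, or a right that no ACE allowed: implicit deny

# The w32time service ACL from 4.3.11, with its two line breaks removed.
W32TIME_SDDL = ("D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for ace in parse_sddl(W32TIME_SDDL)["S"][1]:
        print(describe_ace(ace))
```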


4.4 Security Policy Comparison and Analysis

While developing and deploying a custom security policy, the IT Security specialist in the field may have to compare and/or analyze security policies. This annex will outline the use of the MMC Security Configuration and Analysis plugin and the command line tool secedit to compare and analyze the local security configuration of a Windows 2003 Server installation.

4.4.1 MMC – Microsoft Management Console

MMC is a framework for system administration tools in modern Microsoft Windows operating systems. Most of Microsoft's administration tools, included with both Windows itself and Windows Server System products, are implemented as MMC modules (known as “snap-ins”).

One of these snap-ins (Security Configuration and Analysis) allows the system administrator to analyze local security policies by generating a security database from the security policy installed on a host and comparing it to another security policy template.

4.4.2 Comparing and Analyzing Security Policies Using MMC

Running MMC and Adding the Snap-in

1. Log in as the local administrator (username: cscsrvadmin).

2. From the Start menu, select Run…

3. In the Open: field, type mmc and click OK.

4. In the Console window, click File and select Add/Remove Snap-in.

5. In the Add/Remove Snap-in window, click on Add…

6. In the Add Standalone Snap-in window, select Security Configuration and Analysis and click Add.

7. Click Close.

8. In the Add/Remove Snap-in window, click on OK.


Figure 1 – The MMC Console window after loading the Security Configuration and Analysis snap-in module.

To Open an Existing Security Policy Database

1. Right-click the Security Configuration and Analysis snap-in item.

2. Click Open Database.

3. Select a database, and then click Open.

To Create a New Security Policy Database

1. Right-click the Security Configuration and Analysis snap-in item.

2. Click Open Database.

3. Type a new database name, and then click Open.

4. Select a security template to import, and then click Open.


Figure 2 – The MMC Console window after selecting the security database and security policy.

To Compare and Analyze the Security Policy

1. Right-click the Security Configuration and Analysis snap-in item.

2. Select Analyze Computer Now…

3. In the Perform Analysis window, click OK.

4. Allow the Analyzing System Security window's routine to complete.


Figure 3 – The MMC Console’s security policy analysis progress window.

To Navigate the Results

1. Under the Security Configuration and Analysis snap-in item, select the item you wish to view from the tree.

2. The analysis results for the selected item will be displayed on the right hand side.

Figure 4 – The MMC Console window after the comparison and analysis is complete.


Analyzing Security and Viewing Results

The Security Configuration and Analysis snap-in performs security analysis by comparing the current state of system security against an analysis database. During creation, the analysis database uses at least one security template.

Should the administrator choose to import more than one security template, the database will merge the various templates and create one composite template. The snap-in resolves conflicts in order of import; the last template that is imported takes precedence.

The snap-in displays the analysis results by security area, using visual flags to indicate problems. It displays the current system and base configuration settings for each security attribute in the security areas.

ANALYSIS VISUAL FLAG HIGHLIGHTS AND THEIR MEANINGS.

Visual Flag Highlight  Meaning
Red X                  The entry is defined in the analysis database and on the system, but the security setting values do not match.
Green Check            The entry is defined in the analysis database and on the system and the setting values match.
Question Mark          The entry is not defined in the analysis database and, therefore, was not analyzed. If an entry is not analyzed, it may be that it was not defined in the analysis database or that the user who is running the analysis may not have sufficient permission to perform analysis on a specific object or area.
Exclamation Point      This item is defined in the analysis database, but does not exist on the actual system. For example, there may be a restricted group that is defined in the analysis database but does not actually exist on the analyzed system.
No Highlight           The item is not defined in the analysis database or on the system.


4.4.3 Secedit – Command Line Security Policy Analysis Tool

Secedit is a command line tool that allows a system administrator to perform various security policy related tasks. Although a command line tool, secedit is extremely versatile as it can be scripted to perform tasks remotely across multiple hosts; MMC can only be used to perform tasks on a single machine (the local host).

The Secedit tool has six primary functions: configure, analyze, import, export, validate, and generate rollback; the scope of this document will be limited to those used for security policy analysis.

Comparing and Analyzing Security Policies Using Secedit

Running Secedit

1. From the Start menu, select Run…

2. In the Open: field, type cmd and click OK.

3. In the command shell window, enter the commands as described below.

Secedit Switches Explained

DB - The DB switch allows the administrator to specify the name of the database file to either create or use.

CFG - The CFG switch allows the administrator to specify the name of the template to use.

Overwrite – When used in conjunction with the import function, the overwrite switch purges the database prior to the import; this provides the same basic functionality as creating a brand new database.

Log - Allows the administrator to specify a log file to be used in lieu of the default log file.

Quiet – Allows the administrator to run Secedit without prompting for task verifications.

Areas - Allows the administrator to specify which types of data from the template should be applied; all other types of data within the template are ignored. Valid data types are:

SECURITYPOLICY - includes account policies, audit policies, event log settings, and security options.

GROUP_MGMT - includes restricted groups settings.

USER_RIGHTS - includes user rights assignments.

REGKEYS - includes registry permissions.

FILESTORE - includes file system permissions.

SERVICES - includes system service settings.


Creating a Security Policy Database

The secedit import function is used to create or import a security policy database; the syntax for the Import function is as follows:

SECEDIT /IMPORT /DB database.sdb /CFG template.inf /OVERWRITE

In the example above, replace database.sdb with the name of the database being created and template.inf with the name of the template being used to generate the database.

Analyzing Security Policies

The secedit analyze function is used to compare an existing security policy database to a security policy. The syntax is as follows:

SECEDIT /ANALYZE /DB database.sdb /CFG template.inf /OVERWRITE /LOG output.txt

In the example above, replace database.sdb with the name of an existing database and template.inf with the name of the template being compared to the database. This will create a log file in the current directory named OUTPUT.TXT listing every security setting that differs from the template.

Opening the Analysis Results File

To open and view the results file (e.g. OUTPUT.TXT), simply open the file with Notepad or another text editor.


5 REFERENCES

Communications Security Establishment Canada. “Windows Server 2003 Recommended Baseline Security (ITSG-20)”. March 2004. Accessed on 25 March 2008. http://www.cse-cst.gc.ca/documents/publications/gov-pubs/itsg/itsg20.pdf.

Melber, Derek. “Understanding Windows Security Templates”. 06 October 2004. Accessed on 25 March 2008. http://www.windowsecurity.com/articles/Understanding-Windows-Security-Templates.html.

Microsoft Download Center. “Windows Server 2003 Security Guide”. 05 August 2006. Accessed on 25 March 2008. http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en.

Microsoft Help and Support. “Definition of Registry Value Data Types”. 14 March 2008. Accessed on 25 March 2008. http://support.microsoft.com/kb/101230.

Microsoft Help and Support. “Well-known Security Identifiers in Windows Operating Systems”. 14 March 2008. Accessed on 25 March 2008. http://support.microsoft.com/kb/243330.

Microsoft TechNet. “Security Templates”. Date unknown. Accessed on 25 March 2008. http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/deploy/dgbe_sec_vopo.mspx?mfr=true.

University of Washington. “SDDL Syntax”. April 24, 2007. Accessed on 25 March 2008. https://www.washington.edu/computing/support/windows/UWdomains/SDDL.html.