ITSG-20
March 2004
Windows Server 2003 Recommended Baseline Security
The Windows Server 2003 Recommended Baseline Security is an unclassified publication, issued under the authority of the Chief, Communications Security Establishment (CSEC).
CSE wishes to acknowledge Microsoft for the “Windows Server 2003 Security Guide” and “Threats and Counter Measures: Security Settings in Windows Server 2003 and Windows XP” documents which are both used as reference.
For further information, please contact CSE’s:
Client Contact Centre
cryptosvc@cse-cst.gc.ca (e-mail)
613-991-8495 (tel)
_____________________________
Diane Keller
A/Director, Architecture and Engineering
©2004 Government of Canada, Communications Security Establishment
It is permissible to make extracts from this publication, provided the extracts are for Government of Canada departmental use. For commercial purposes, written permission from CSEC is required.
This product review was prepared by CSEC for the use of the federal government. The review is informal and limited in scope. It is not an assessment or evaluation, and does not represent an endorsement of the product by CSE. The material in it reflects CSE’s best judgement, in light of the information available to it at the time of preparation. Any use which a third party makes of this report, or any reliance on or decisions made based on it, are the responsibility of such third parties. CSEC accepts no responsibility for damages, if any, suffered by any third party as a result of decisions or actions based on this report.
© 2004 Government of Canada, Communications Security Establishment (CSEC) P.O. Box 9703, Terminal, Ottawa, Ontario, Canada, K1G 3Z4
This publication may be reproduced verbatim, in its entirety, without charge, for educational and personal purposes only. However, written permission from CSEC is required for use of the material in edited or excepted form, or for any commercial purpose.
Executive Summary
This guide provides detailed guidance for hardening a Windows 2003 Server. Deploying hardened servers is critical when protecting information technology (IT) from attack. By using the information in this guide, System Administrators can install packages that will deploy hardened servers in their environment.
The intent of this guide is to provide a very secure Baseline configuration. System Administrators may then add functionality as needed.
To help System Administrators add functionality, two configurations are provided: a print server and a file server.
This guide has been developed using the “Microsoft Windows Server 2003 Security Guide” [Reference 1] as reference. The Microsoft guide was analyzed and tested at CSE. The result is detailed instructions on:
Table of Contents
Foreword
Disclaimer of Responsibility
Record of Amendments
Executive Summary
Table of Contents
List of Tables
List of Figures
List of Abbreviations and Acronyms
1 Introduction
1.1 Background
1.2 Aim
1.3 Scope
1.4 Approach
1.5 Functional and Security Testing
1.6 Assumptions
1.7 Related documents
1.8 Document Structure
1.9 Typographic Conventions
1.10 Reference Documents
2 Overview: Information Technology Security Guidance for Windows Server 2003
2.1 How to Use This Document
2.1.1 Installation
2.1.2 Configuration
2.1.3 Monitoring and Enforcement
2.2 Assumptions / Restrictions
2.2.1 Installation
2.2.2 Policy
2.2.3 Policy Monitoring and Enforcement
3 Automated Installation
3.1 Initiating Automated Installation
3.2 Domain Server Installation Configuration file
3.2.1 Winnt.sif (Domain)
3.3 Workgroup Server Installation Configuration file
3.3.1 Winnt.sif (Workgroup)
4 Server Policy Files
4.1 Policy File Application
4.1.1 Policy Application in a Domain
4.1.2 Policy Application in a Workgroup
4.2 Baseline Server Policy Files Details
4.3 Account Policies
4.3.1 Password Policy
4.3.2 Account Lockout Policy
4.3.3 Kerberos Policy
4.4 Local Policies
4.4.1 Audit Policy
4.4.2 User Rights Assignments
4.4.3 Security Options
4.5 Event Log
4.5.1 Log Size
4.5.2 Guest Access
4.5.3 Retention Method
4.6 System Services
4.6.1 Services Explicitly Covered by Microsoft Guidance
4.6.2 Services Not Explicitly Covered by Microsoft Guidance
4.7 Additional Security Settings
4.7.1 Security Consideration for Network Attacks
4.7.2 AFD.SYS Settings
4.7.3 Other Security Related Settings
4.7.4 Manual Activities
4.7.5 Access Controls
4.7.6 Variance from Microsoft Guidance
5 Role Based Server Policies
5.1 Role Based IPSec Policies
5.1.1 Load IPSec policy
5.1.2 Activate IPSec Policy
5.2 Domain File Server Security Policy
5.2.1 Variance from Microsoft “Hardening File Servers” Guidance
5.2.2 [Service General Setting]
5.2.3 Domain File Server IPSec Policy
5.3 Domain Print Server Policy
5.3.1 Variance from Microsoft “Hardening Print Servers” Guidance
5.3.2 [Registry Values]
5.3.3 [Service General Setting]
5.3.4 Domain Print Server IPSec Policy
5.4 Workgroup File Server Policy
5.4.1 Variance from Microsoft Guidance
5.4.2 [Registry Values]
5.4.3 [Service General Setting]
5.4.4 Workgroup File Server IPSec Policy
5.5 Workgroup Print Server Policy
5.5.1 Variance from Microsoft Guidance
5.5.2 [Registry Values]
5.5.3 [Service General Setting]
5.5.4 Workgroup Print Server IPSec Policy
6 Server Policy Compliance: Inspection and Enforcement
6.1 Configuration of Microsoft Management Console (MMC)
6.2 Load Policy File and Computer Configuration
6.3 Compare Resultant Policy and Computer Settings
Bibliography
Annex A
List of Tables
Table 1 – General File Access Controls
Table 2 – General Registry Access Controls
Table 3 – Variance from Microsoft Member Server Baseline
Table 4 – Variance from Microsoft Bastion Host Local Policy
List of Figures
Figure 1 – Example Active Directory Structure
List of Abbreviations and Acronyms
| .NET | Microsoft Tools for development environment |
| AD | Active Directory |
| ADSI | Active Directory Service Interface |
| API | Application Program Interface |
| ASCII | American Standard Code for Information Interchange |
| ASP | Active Server Pages |
| COM | Component Object Module |
| DDE | Dynamic Data Exchange |
| FTP | File Transfer Protocol |
| GB | Gigabyte |
| GUI | Graphical User Interface |
| HTTP | HyperText Transfer Protocol |
| HTTPS | Secure HyperText Transfer Protocol |
| IAS | Internet Authentication Service |
| ICF | Internet Connection Firewall |
| ICMP | Internet Control Message Protocol |
| ICS | Internet Connection Sharing |
| IIS | Internet Information Server |
| IMAPI | Image Mastering Application Programming Interface |
| IP | Internet Protocol |
| IPSec | Internet Protocol Security |
| IPX | Internetwork Packet Exchange |
| ISAPI | Internet Server API |
| KB | Kilobyte |
| LAN | Local Area Network |
| LM | LAN Manager |
| MB | Megabyte |
| MMC | Microsoft Management Console |
| MQDSS | Message Queue Directory Service Support |
| MSMQ | Microsoft Message Queue |
| MSN | Microsoft Network |
| NNTP | Network News Transfer Protocol |
| NTLM | Security Service Provider |
| OSPF | Open Shortest Path First |
| POP3 | Post Office Protocol 3 |
| RAD | Rapid Application Development |
| RADIUS | Remote Authentication Dial-In Service |
| RPC | Remote Procedure Call |
| SAM | Security Accounts Manager |
| SID | Security Identifier |
| SMB | Server Message Block |
| SMTP | Simple Mail Transfer Protocol |
| SNMP | Simple Network Management Protocol |
| SYN-ACK | Synchronization Acknowledgement |
| SYN-ATTACK | Attacker sends SYN requests to a target (victim). The target sends a SYN ACK in response and waits for an ACK to come back to complete the session set up. |
| TCP | Transmission Control Protocol |
| UI | User Interface |
| VPN | Virtual Private Network |
| WHQL | Windows Hardware Quality Lab |
| WMI | Windows Management Interface |
| WMPOCM | Windows Media Player |
| WPAD | Web Proxy Autodiscovery |
| WWW | World Wide Web |
1 Introduction
1.1 Background
Threat agents exploit vulnerabilities to either gain control or disable a computer. Experts differ on what may be the primary cause of computer vulnerabilities. Some will agree that two causes are exploitation of defects in software, and lack of secure configurations.
To address software defects, vendors issue patches in many forms. These are designed to address software defects particular to an operating system or application. Although they fix one problem, patches create other issues. In addition to patches, checklists are used to provide computer users with secure and tested configuration guides.
In the past, Government agencies1 have produced and disseminated checklists for securing computer systems. However, the way checklists are produced has changed. Vendors realize benefits producing configuration checklists for their own products. In turn, public and private organizations save time and money by leveraging this complex work.
1.2 Aim
ITSG-20 provides a practical set of security settings for Microsoft Windows Server 2003. The aim is to establish and maintain a High Security Windows Server 2003 environment.
There are two platform variants: Domain Server and Workgroup Server. We cover two applications as well: Print Server and File Server. In other words, we provide four configurations, one for each application running on each platform, as follows:
1) Domain File Server
2) Domain Print Server
3) Workgroup File Server
4) Workgroup Print Server
The guideline provides a Baseline configuration that applies to all servers of a given type, Domain Server or Workgroup Server. Given that the Baseline configuration provides security before functionality, it should be used as a starting point. File and Print Server application policies are layered on top of the Baseline configuration. In this way, we provide a template for creating additional server roles based on the CSEC Baseline. Application policies layered above the Baseline enable the server to function as intended.
1.3 Scope
ITSG-20 provides guidance to build High Security Domain and High Security Workgroup servers. Additional policies can be applied to support a variety of roles within your organization.
We provide two such additional policies: File Server Role Guidance and Print Server Role Guidance.
______________________
1 Agencies such as: National Institute of Standards and Technology (NIST), National Security Agency (NSA), Center for Internet Security (CIS), and SANS (SysAdmin, Audit, Network, Security).
1.4 Approach
Two documents were of significant reference: Windows Server 2003 Security Guide and Threats and Counter Measures: Security Settings in Windows Server 2003 and Windows XP. These documents were tested and augmented in a CSEC lab environment to produce ITSG-20.
Wherever possible, an automated approach is used throughout this document.
1.5 Functional and Security Testing
Connectivity was verified by accessing services offered by the hardened systems (Printer or File Shares). Once usability was established, Vulnerability and Penetration tests were executed against the systems. Results from vulnerability and penetration tests influenced this document.
1.6 Assumptions
It is assumed the reader has a thorough understanding of security features within Windows Server 2003. ITSG-20 is a detailed guide intended for use by system administrators.
It is recommended that the reference documents listed in section 1.10 be reviewed. This will enhance the reader’s understanding of ITSG-20.
1.7 Related documents
See section 1.10, in addition to the Bibliography at the end of this document.
1.8 Document Structure
This document has the following structure:
1. Introduction
This section provides an explanation of the document and contents.
2. Overview: Information Technology Security Guidance for Windows Server 2003
This section provides an outline for the approach used by the document. It explains the method used to “Start secure and stay secure”, as follows:
a) Installation;
b) Configuration and Monitoring; and
c) Enforcement.
This section also provides details on assumptions and restrictions used for the above. Included is a list of reference documents and description of tests performed against the environment.
3. Automated Installation
This section provides values to perform an unattended installation of a Domain or Workgroup based server. This automated installation ensures that systems are consistent, with minimum software packages.
4. Server Policy Files
This section provides policy file values for the creation of a secure server in Domain or Workgroup environments.
5. Role Based Server Policies
This section provides policy file entries used to modify the baseline. These policy entries allow a server to perform designated file or print server activities, including IPSec.
6. Server Policy Compliance: Inspection and Enforcement
This section details a method for monitoring and enforcing policies outlined in this guide. The approach uses capabilities inherent in the Windows Server 2003 operating system.
7. Annex A: Server Policy File Details
This section has policy files with comments and explanations. This section explains settings in more detail. It also identifies differences from the Microsoft recommendation.
1.9 Typographic Conventions
The following typographic conventions are used in this document:
1. Bold Italics are used to denote parameters and their values. EXAMPLE: JoinDomain="cse.local"
2. [Square Brackets Denote File Section Headings]. EXAMPLE: [Identification]
3. "Items in quotation marks are to be entered in the file with the quotation marks." EXAMPLE: JoinDomain="cse.local"
1.10 Reference Documents
[Reference 1] Windows Server 2003 Security Guide
[Reference 2] Threats and Counter Measures: Security Settings in Windows Server 2003 and Windows XP
2.1 How to Use This Document
Deploying a secure server can be organized in three steps: install the Operating System (OS), apply security policy, then apply additional changes, as needed.
To begin, the guide presents Baseline configurations for workgroup and domain servers. For easy reference, information is organized consistent with “Windows Security Guide for 2003 Server”. Additional items beyond Microsoft recommendations are listed in a separate section.
Policies for print and file servers are also presented in separate sections. These policies are applied to the Baseline of the installed OS. Any additional changes are contained in the print and file server policy sections.
System administrators can replace variables with values of their own. These settings produce a custom install package used to create a file or print server.
To apply the Baseline and role specific policies in a Domain, Active Directory organizational units must be created.
In a Workgroup environment, policies must be applied immediately upon system startup. By policy, the built-in administrator account is disabled. Make sure you create a site-specific administrator account prior to applying the policy.
In addition to guidance on the deployment of secure servers, a maintenance section using Microsoft MMC is provided.
2.1.1 Installation
The installation process is automated via the use of an answer file (see Appendix A). This answer file directs the installation process. While many approaches can achieve this result, we make use of the Winnt.sif file.
The Windows installation process reads the answer file from a floppy disk. Local information (System name, TCP/IP parameters, Domain/Workgroup) is supplied to reflect requirements. The result is an unattended installation that has no operator interaction.
2.1.2 Configuration
ITSG-20 takes a layered approach to policy application. The first layer is the Baseline configuration for the OS. This layer is intended to provide a security profile with minimal exposure. Additional policy requirements are determined by role. Each policy file enables specific elements that allow the server to perform a single function (file sharing, print sharing, etc.). Additional analysis and testing is required to build multi-function servers.
The Domain environment supports a layered approach. This is accomplished by applying policy at the Domain level as well as the Organizational Unit (OU) level. Further granularity is achieved within a level; this allows you to create a matrix of policies for servers and environments.
In a Workgroup environment, policy is applied in a prescribed order via policy files. This provides a consistent security profile for servers in a Workgroup environment.
Since ‘policy files’ are simply text files, you can edit them with your favorite text editor. You may also copy and paste the policy text found at the end of this document.
2.1.3 Monitoring and Enforcement
We have outlined a manual method that provides basic compliance verification. This manual approach limits scalability of the solution. In a large environment, we recommend an automated method.
2.2 Assumptions / Restrictions
2.2.1 Installation
For the installation of the OS, please ensure the following:
a. The CD-ROM is before the floppy drive in the boot device order;
b. There is no previous version of Windows on the system (if there is, the installation will pause); and
c. The first available disk partition is for the operating system.
The following assumptions are made:
a. The Server to be installed is not a Cluster Member;
b. The Domain has an Organizational Unit for Servers;
c. The Domain has an Organizational Unit for Print Servers under Servers;
d. The Domain has an Organizational Unit for Files servers under Servers; and
e. The installation is limited to contents of the Microsoft Server 2003 distribution.
2.2.2 Policy
Application of the policy results in the following:
a. Local Guest account is renamed and disabled;
b. Local Administrator account is renamed and disabled;
c. All systems are Windows 2000 or later;
d. System will shutdown if unable to log security events;
e. No shares or named pipes can be accessed anonymously;
f. No registry data can be accessed remotely;
g. No accounts have the right to submit batch jobs;
h. Administrator accounts cannot start services (Use an appropriate SERVICE account);
i. Plug and Play is enabled when required as it is disabled by default; and
j. SNMP is disabled.
2.2.3 Policy Monitoring and Enforcement
No additional assumptions are required for Policy Monitoring and Enforcement.
3 Automated Installation
This section provides details for the Winnt.sif files. These files are used to install Windows Server 2003 in a Domain or Workgroup environment. In both cases, use local operational values. The raw files (ones without comments) are in Appendix A.
NOTE: You must maintain your system with the latest service packs and hot fixes. This ensures the system’s security is current.
3.1 Initiating Automated Installation
The automated installation uses a combination of the CD-ROM and a floppy disk holding a Winnt.sif file. During the boot process, Setup determines whether the floppy has a Winnt.sif file. If present, it uses the settings in the file to configure the system.
3.2 Domain Server Installation Configuration file
In the Active Directory tree, the Domain version requires that a ‘Print Servers’ and a ‘File Servers’ organizational unit (OU) be part of a ‘Public Servers’ OU (see below). All three of these OUs are placeholders for policy that applies at the OU level in the directory information tree.
Figure 1 – Example Active Directory Structure
3.2.1 Winnt.sif (Domain)
3.2.1.1 [Data]
AutoPartition=1
The AutoPartition value provides a location for the Windows operating system. The setting ‘1’ installs the operating system in the first available partition with sufficient space. If there is an existing operating system, the install will halt and require further instruction.
MsDosInitiated=0
The MsDosInitiated value must be present and must be set to ‘zero’ or the automated installation fails.
UnattendedInstall=Yes
When set to ‘YES’, the UnattendedInstall value allows the pre-installation of Windows by using the CD Boot method.
3.2.1.2 [GuiUnattended]
AdminPassword="A_Str0ng_p@SSw0rd"
The AdminPassword value defines the Local Administrator password on the system being installed.
NOTE: Select a value consistent with the local policy on Administrator passwords.
EncryptedAdminPassword=No
The EncryptedAdminPassword value determines if the setup encrypts the Administrator password. The setting ‘No’ does not encrypt the password. You may enable this feature via the setupmgr.exe tool provided on the Windows distribution media.
OEMSkipWelcome=1
The OEMSkipWelcome value determines if the startup displays the Welcome page. The setting ‘1’ does not display the Welcome page.
OEMSkipRegional=1
The OEMSkipRegional value determines if the installation will display the Regional Settings page. The setting ‘1’ does not display the Regional Settings page.
TimeZone=035
The TimeZone value sets the system clock to the local time zone.
004 – Pacific Standard Time
010 – Mountain Standard Time
020 – Central Standard Time
025 – Canada Central Standard Time (Saskatchewan)
035 – Eastern Standard Time
050 – Atlantic Standard Time
060 – Newfoundland and Labrador Standard Time
AutoLogon=No
The AutoLogon value determines if the Administrator account will be automatically logged on until the system is rebooted. The setting ‘No’ disables the AutoLogon feature. The AutoLogonCount value can increase the number of reboots required before the autologon feature is disabled.
3.2.1.3 [Identification]
DomainAdmin=administrator
The DomainAdmin value provides the install with a privileged Domain account. The DomainAdmin can add the system to the domain.
DomainAdminPassword="A_Str0ng_p@SSW0RD"
The DomainAdminPassword provides the required password for the DomainAdmin account. NOTE: Provide a local value.
JoinDomain="Department_Name.local"
The JoinDomain value is the name of the Domain the system will join. NOTE: The local Domain name is required.
MachineObjectOU="OU=File Servers, OU=Public Servers, DC=Department_Name, DC=local"
The MachineObjectOU value defines the Organizational Unit of the system in the Domain.
NOTE: Local Domain values are required.
3.2.1.4 [LicenseFilePrintData]
AutoMode=PerServer
The AutoMode value defines the license mode. Enter either PerSeat or PerServer. NOTE: If PerServer is specified then the AutoUsers value must be supplied as well.
AutoUsers=5
The AutoUsers value determines the number of concurrent users the PerServer license supports. NOTE: A local value is required that reflects the license purchased for the system.
3.2.1.5 [Unattended]
OemPreinstall=No
The OEMPreinstall value determines if there are OEM files to be installed. The setting ‘No’ indicates all files are on the Windows distribution.
UnattendedSwitch=Yes
The UnattendedSwitch value specifies whether Setup skips Windows Welcome. The setting ‘Yes’ skips the Windows Welcome.
Repartition=No
The Repartition value determines what action to take on first drive partitions. The setting ‘No’ maintains all partitions on the first drive.
TargetPath=Windows
The TargetPath value defines the location of the operating system. The setting ‘Windows’ places the operating system files in a windows folder.
UnattendedMode=FullUnattended
The UnattendedMode value determines the level of human interaction with the installation process. The setting ‘FullUnattended’ requires no human interaction.
WaitForReboot=No
The WaitForReboot value determines if the system will reboot immediately or provide an opportunity for human interaction. The setting ‘No’ reboots the system immediately.
OemSkipEula=Yes
The OemSkipEula value determines if the end user license agreement is presented during the installation. The setting ‘Yes’ does not display the end user license agreement.
FileSystem=ConvertNTFS
The FileSystem value determines the file system type for the installation. The value ConvertNTFS installs the system on an NTFS file system.
3.2.1.6 [UserData]
ComputerName=FileServer01
The ComputerName value sets the ComputerName registry value. NOTE: Provide a local value.
FullName="System_Admin"
The FullName value sets the RegisteredOwner in the registry. NOTE: Provide a local value.
OrgName="Department_Name"
The OrgName value sets the RegisteredOrganisation in the registry. NOTE: Provide a local value.
ProductKey="xxxx-xxxx-xxxx-xxxx-xxxx"
The ProductKey value supplies the required license string for the version of Windows Server 2003 being installed.
NOTE: Provide a local value.
3.2.1.7 [params.MS_TCPIP.Adapter01]
SpecificTo=Adapter01
The SpecificTo value identifies the network adapter to be configured. The setting ‘Adapter01’ applies to the first network adapter identified.
DisableDynamicUpdate=No
The DisableDynamicUpdate value determines if the system will dynamically register ‘A’ and ‘PTR’ records. The setting ‘No’ dynamically registers the ‘A’ and ‘PTR’ records with the DNS.
EnableAdapterDomainNameregistration=No
The EnableAdapterDomainNameregistration value determines if the connection specific DNS records are going to be registered. The setting ‘No’ does not register connection specific DNS records.
DefaultGateway=xxx.xxx.xxx.xxx
The DefaultGateway sets the TCP/IP default gateway value for the adapter. NOTE: Provide a local value.
DHCP=Yes
The DHCP value determines if the adapter will request a TCP/IP address using DHCP. The setting ‘Yes’ requests a TCP/IP address.
DNSDomain=Department_Name.local
The DNSDomain provides the name of the domain to which the system is entered. NOTE: Provide a local value.
NetBIOSOptions=1
The NetBIOSOptions value determines the NetBIOS over TCP/IP setting. The setting ‘1’ enables NetBIOS over TCP/IP.
Subnetmask=xxx.xxx.xxx.xxx
The Subnetmask provides the subnet mask address. NOTE: Provide a local value.
3.2.1.8 [NetOptionalComponents]
DHCPServer=0
The DHCPServer value determines if the system will install the DHCP Server. The setting ‘0’ does not install the DHCP Server.
DNS=0
The DNS value determines if the system will install the DNS Server. The setting ‘0’ does not install the DNS Server.
IAS=0
The IAS value determines if the system will install the Internet Authentication Service. The setting ‘0’ does not install the Internet Authentication Service.
ILS=0
The ILS value determines if setup will install services that support telephony features (caller ID, conference calls, video conferencing, faxing, etc.). The setting ‘0’ does not install the Internet Locator Service.
LPDSVC=0
The LPDSVC value determines if the system will install UNIX Print services. The setting ‘0’ does not install UNIX Print services.
MacPrint=0
The MacPrint value determines if the system will install Macintosh print services. The setting ‘0’ does not install Macintosh Print services.
MacSrv=0
The MacSrv value determines if the system will install Macintosh file services. The setting ‘0’ does not install Macintosh file services.
Netcm=0
The Netcm value determines if the system will install Microsoft Connection Manager Administration Kit and Phone Book Service. The setting ‘0’ does not install this service.
NetMonTools=0
The NetMonTools value determines if the system will install the network monitoring tools. The setting ‘0’ does not install the network monitoring tools.
SimpTcp=0
The ‘SimpTcp’ value determines if the system will install simple TCP/IP protocol suites. The setting ‘0’ does not install the simple TCP/IP protocol suites.
SNMP=0
The ‘SNMP’ value determines if the system will install Simple Network Management Protocol. The setting ‘0’ does not install the SNMP protocol.
WINS=0
The ‘WINS’ value determines if the system will install Windows Internet Name Service. The setting ‘0’ does not install WINS.
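The answer-file sections above ([Data] through [NetOptionalComponents]) are plain INI text, so the fixed baseline values, the “Provide a local value” NOTEs and the OU placement from section 3.2 can be checked mechanically before the floppy is cut. The following Python check is an added example and is not part of ITSG-20 or of the Microsoft guidance: its expected-value table is transcribed from this section, the placeholder markers and the Public Servers OU rule are this example’s own reading of the NOTEs, and both sample answer files are constructed for the demonstration.

```python
"""Check a Windows Server 2003 Winnt.sif answer file against the ITSG-20 Domain
Baseline values of section 3.2.1. Added example, not part of ITSG-20 or of the
Microsoft guidance: the expected values are transcribed from this section, the
placeholder markers and the OU rule are this example's reading of its NOTEs,
and both sample answer files are constructed here for the demonstration."""
import configparser

# Values the guide fixes for every Domain server. Setup treats section and key
# names case-insensitively, so everything is compared lower-cased.
BASELINE = {
    "guiunattended": {"autologon": "no"},
    "unattended": {"oempreinstall": "no", "unattendedmode": "fullunattended",
                   "filesystem": "convertntfs"},
    # No optional network component is part of the baseline install.
    "netoptionalcomponents": {
        name: "0" for name in (
            "dhcpserver", "dns", "ias", "ils", "lpdsvc", "macprint", "macsrv",
            "netcm", "netmontools", "simptcp", "snmp", "wins")},
}
# Sample values the guide marks "NOTE: Provide a local value"; none may survive.
PLACEHOLDERS = ("xxx", "department_name", "a_str0ng_p@ss")
# Section 3.2: the machine object must sit in an OU under "Public Servers".
REQUIRED_OU = "ou=public servers"


def parse_sif(text):
    """Parse Winnt.sif into {section: {key: value}}, names lower-cased."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str.lower
    cp.read_string(text)
    return {s.lower(): {k: v.strip().strip('"').strip() for k, v in cp.items(s)}
            for s in cp.sections()}


def check_answer_file(text):
    """Return a list of findings; an empty list means the file meets the baseline."""
    sif = parse_sif(text)
    findings = []
    # 1. Fixed baseline values are present and equal to what section 3.2.1 prescribes.
    for section, expected in BASELINE.items():
        if section not in sif:
            findings.append(f"[{section}] section missing")
            continue
        for key, want in expected.items():
            got = sif[section].get(key)
            if got is None:
                findings.append(f"[{section}] {key} missing (baseline: {want})")
            elif got.lower() != want:
                findings.append(f"[{section}] {key}={got} (baseline: {want})")
    # 2. No template placeholder survived localisation.
    for section, entries in sif.items():
        for key, value in entries.items():
            if any(marker in value.lower() for marker in PLACEHOLDERS):
                findings.append(f"[{section}] {key} still holds a placeholder value")
    # 3. The machine object lands under the Public Servers OU, where role policy applies.
    ou = sif.get("identification", {}).get("machineobjectou", "")
    if REQUIRED_OU not in [part.strip().lower() for part in ou.split(",")]:
        findings.append("[identification] machineobjectou is not under the Public Servers OU")
    return findings


# Constructed sample: the guide's template with its placeholders still in place.
TEMPLATE_SIF = """\
[GuiUnattended]
AdminPassword="A_Str0ng_p@SSw0rd"
AutoLogon=No
[Identification]
DomainAdminPassword="A_Str0ng_p@SSW0RD"
JoinDomain="Department_Name.local"
MachineObjectOU="OU=File Servers, OU=Public Servers, DC=Department_Name, DC=local"
[Unattended]
OemPreinstall=No
UnattendedMode=FullUnattended
FileSystem=ConvertNTFS
[UserData]
OrgName="Department_Name"
ProductKey="xxxx-xxxx-xxxx-xxxx-xxxx"
[NetOptionalComponents]
DHCPServer=0
DNS=0
IAS=0
ILS=0
LPDSVC=0
MacPrint=0
MacSrv=0
Netcm=0
NetMonTools=0
SimpTcp=0
SNMP=0
WINS=0
"""

# Constructed sample: localised, but with three departures from the baseline.
DRIFTED_SIF = (
    TEMPLATE_SIF.replace("Department_Name", "corp")
    .replace("A_Str0ng_p@SSw0rd", "Example-Local-Pw-1")
    .replace("A_Str0ng_p@SSW0RD", "Example-Local-Pw-2")
    .replace("xxxx-xxxx-xxxx-xxxx-xxxx", "ABCDE-FGHIJ-KLMNO-PQRST-UVWXY")
    .replace("AutoLogon=No", "AutoLogon=Yes")
    .replace("SNMP=0", "SNMP=1")
    .replace("OU=File Servers, OU=Public Servers,", "OU=Servers,")
)
```

Running `check_answer_file` over the template reports only the six placeholder values, while the drifted copy is flagged for AutoLogon, SNMP and the machine object sitting outside the Public Servers OU.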
3.2.1.9 [Components]
AccessOpt=On
The AccessOpt value sets the registry value accessopt. The setting ‘On’ installs the Accessibility wizard.
appsrv_console=Off
The appsrv_console sets the registry value appsrv_console. The setting ‘Off’ does not install the Application Server Console.
aspnet=Off
The aspnet value sets the aspnet registry value. The setting ‘Off’ does not install the ASP .NET development platform.
AutoUpdate=Off
The AutoUpdate value sets the autoupdate registry value. The setting ‘Off’ does not install AutoUpdate.
BitsServerExtensionsISAPI=Off
The BitsServerExtensionsISAPI sets the bitsserverextensionsisapi registry value. The setting ‘Off’ does not install ISAPI for BITS server extensions.
BitsServerExtensionManager=Off
The BitsServerExtensionManager sets the bitsserverextensionmanager registry key. The setting ‘Off’ does not install the MMC snap-in, administrative APIs and ADSI extensions for BITS.
Calc=On
The Calc value sets the registry value calc. The setting ‘Off’ does not install the Calculator feature.
certsrv=On
The certsrv value sets the certsrv registry value. The setting ‘On’ installs the Certificate Services components.
certsrv_client=Off
The certsrv_client value sets the certsrv_client registry value. The setting ‘Off’ does not install the Web client components of Certificate Services. This requires a Certification Authority to be defined with the CAName parameter. This also requires a computer system hosting the Certification Authority be defined with the CAMachine parameter. These entries support the use of a certificate in a web browser.
certsrv_server=Off
The certsrv_server value sets the certsrv_server registry value. The setting ‘Off’ does not install the Certificate Server Services. Only systems that are intended to offer a Certification Authority service require this to be enabled.
charmap=On
The charmap value sets the charmap registry value. The setting ‘On’ installs the Character Map feature.
chat=Off
The chat value sets the chat registry value. The setting ‘Off’ does not install the Chat program.
Clipbook=Off
The Clipbook value sets the clipbook registry value. The setting ‘Off’ does not install the Clipbook.
cluster=Off
The cluster value sets the cluster registry value. The setting ‘Off’ does not install the cluster software.
complusnetwork=On
The complusnetwork value sets the complusnetwork registry value. The setting ‘On’ enables network Com+ access.
deskpaper=Off
The deskpaper value sets the deskpaper registry value. The setting ‘Off’ does not install a desktop background.
dialer=Off
The dialer value sets the dialer registry value. The setting ‘Off’ does not install the Phone Dialer.
dtcnetwork=Off
The dtcnetwork value sets the dtcnetwork registry value. The setting ‘Off’ does not enable DTC network access. DTC is the Distributed Transaction Coordinator.
fax=Off
The fax value sets the fax registry value. The setting ‘Off’ does not install the Fax feature.
fp_extensions=Off
The fp_extensions value sets the fp_extensions registry value. The setting ‘Off’ does not install the FrontPage server extensions.
fp_vdir_deploy=Off
The fp_vdir_deploy value sets the fp_vdir_deploy registry value. The setting ‘Off’ does not install the Visual InterDev RAD Remote Deployment Support.
freecell=Off
The freecell value sets the freecell registry value. The setting ‘Off’ does not install the Freecell game.
hearts=Off
The hearts value sets the hearts registry value. The setting ‘Off’ does not install the Hearts game.
hypertrm=Off
The hypertrm value sets the hypertrm registry value. The setting ‘Off’ does not install the HyperTerminal feature.
IEAccess=Off
The IEAccess value determines if the Internet Explorer Access points are visible. The setting ‘Off’ does not make the Internet Explorer Access points visible.
iis_asp=Off
The iis_asp value sets the iis_asp registry value. The setting ‘Off’ does not install the Active Server Pages feature.
iis_common=Off
The iis_common value sets the iis_common registry value. The setting ‘Off’ does not install the common set of files needed by IIS.
iis_ftp=Off
The iis_ftp value sets the iis_ftp registry value. The setting ‘Off’ does not install the FTP Service.
iis_inetmgr=Off
The iis_inetmgr value sets the iis_inetmgr registry value. The setting ‘Off’ does not install the MMC-based administration tools for IIS.
iis_internetdataconnector=Off
The iis_internetdataconnector value sets the iis_internetdataconnector registry value. The setting ‘Off’ does not install the Internet Data Connector.
iis_nntp=Off
The iis_nntp value sets the iis_nntp registry value. The setting ‘Off’ does not install the NNTP Service.
iis_serversideincludes=Off
The iis_serversideincludes value sets the iis_serversideincludes registry value. The setting ‘Off’ does not install Server Side Includes.
iis_smtp=Off
The iis_smtp value sets the iis_smtp registry value. The setting ‘Off’ does not install the SMTP Service. NOTE: Setup silently ignores a key it does not recognize, so a misspelled key (for example ‘iis_smpt’) leaves the component at its default instead of turning it off.
iis_webadmin=Off
The iis_webadmin value sets the iis_webadmin registry value. The setting ‘Off’ does not install the Web UI for Web server administration (Remote Administration Tools).
iis_webdav=Off
The iis_webdav value sets the iis_webdav registry value. The setting ‘Off’ does not install WebDAV Publishing.
iis_www=Off
The iis_www value sets the iis_www registry value. The setting ‘Off’ does not install the WWW Service.
iis_www_vdir_scripts=Off
The iis_www_vdir_scripts value sets the iis_www_vdir_scripts registry value. The setting ‘Off’ does not create the optional scripts directory on the default web site.
indexsrv_system=Off
The indexsrv_system value sets the indexsrv_system registry value. The setting ‘Off’ does not install the Indexing Service.
inetprint=Off
The inetprint value sets the inetprint registry value. The setting ‘Off’ does not install Internet Printing.
licenseserver=Off
The licenseserver value sets the licenseserver registry value. The setting ‘Off’ does not enable Terminal Services licensing.
media_clips=Off
The media_clips value sets the media_clips registry value. The setting ‘Off’ does not install sample sounds.
media_utopia=Off
The media_utopia value sets the media_utopia registry value. The setting ‘Off’ does not install the Utopia sound scheme.
minesweeper=Off
The minesweeper value sets the minesweeper registry value. The setting ‘Off’ does not install the Minesweeper game.
mousepoint=On
The mousepoint value sets the mousepoint registry value. The setting ‘On’ installs all available mouse pointers.
msmq_ADIntegrated=Off
The msmq_ADIntegrated value sets the msmq_ADIntegrated registry value. The setting ‘Off’ does not integrate MSMQ with Active Directory.
msmq_Core=Off
The msmq_core value sets the msmq_core registry value. The setting ‘Off’ does not install the Message Queuing components.
msmq_HTTPSupport=Off
The msmq_HTTPSupport value sets the msmq_HTTPSupport registry value. The setting ‘Off’ disables the sending and receiving of messages using the HTTP protocol.
msmq_LocalStorage=Off
The msmq_LocalStorage value sets the msmq_LocalStorage registry value. The setting ‘Off’ does not store messages locally.
msmq_MQDSSService=Off
The msmq_MQDSSService value sets the msmq_MQDSSService registry value. The setting ‘Off’ does not provide Active Directory access and site recognition for downlevel Message Queuing clients.
msmq_RoutingSupport=Off
The msmq_RoutingSupport value sets the msmq_RoutingSupport registry value. The setting ‘Off’ does not install Message Queuing routing support (efficient routing of messages between sites).
msmq_TriggerService=Off
The msmq_TriggerService value sets the msmq_TriggerService registry value. The setting ‘Off’ does not install Message Queuing Triggers, which associate the arrival of a message at a queue with functionality in a Component Object Model (COM) component or in a standalone executable program.
msnexplr=Off
The msnexplr value sets the msnexplr registry value. The setting ‘Off’ does not install MSN Explorer.
mswordpad=On
The mswordpad value sets the mswordpad registry value. The setting ‘On’ installs the mswordpad feature.
netcis=Off
The netcis value sets the netcis registry value. The setting ‘Off’ does not install Microsoft COM Internet Services.
netoc=Off
The netoc value sets the netoc registry value. The setting ‘Off’ does not install optional networking components.
objectpkg=Off
The objectpkg value determines if the Object Packager is installed. The setting ‘Off’ does not install the Object Packager.
OEAccess=Off
The OEAccess value determines if the visible entry points to Outlook Express are installed. The setting ‘Off’ does not install the visible entry points for Outlook Express.
paint=Off
The paint value sets the paint registry value. The setting ‘Off’ does not install Microsoft Paint.
pinball=Off
The pinball value sets the pinball registry value. The setting ‘Off’ does not install the Pinball game.
Pop3Admin=Off
The Pop3Admin value determines if the optional Web UI for the Remote Administration Tools is installed. The setting ‘Off’ does not install the optional Web UI for the Remote Administration Tools.
Pop3Service=Off
The Pop3Service value determines if the main POP3 service is installed. The setting ‘Off’ does not install the main POP3 service.
Pop3Srv=Off
The Pop3Srv value determines if the root POP3 component is installed. The setting ‘Off’ does not install the root POP3 component.
rec=Off
The rec value determines if the Sound Recorder is installed. The setting ‘Off’ does not install the Sound recorder.
reminst=Off
The reminst value sets the reminst registry value. The setting ‘Off’ does not install the Remote installation Service.
rootautoupdate=Off
The rootautoupdate value sets the rootautoupdate registry value. The setting ‘Off’ does not install the Update Root Certificates optional component, so the server will not download additional root certificates from Windows Update on demand. If the server is presented with a certificate that chains to a root not in its local store, the action that required the certificate fails; any root the server must trust has to be distributed by policy or installed by hand.
rstorage=Off
The rstorage value sets the rstorage registry value. The setting ‘Off’ does not install the Remote Storage feature.
solitaire=Off
The solitaire value sets the solitaire registry value. The setting ‘Off’ does not install the Solitaire game.
spider=Off
The spider value sets the spider registry value. The setting ‘Off’ does not install the Spider game.
templates=Off
The templates value sets the templates registry value. The setting ‘Off’ does not install Document Templates.
TerminalServer=On
The TerminalServer value determines if the Terminal Server is installed. The setting ‘On’ installs the service.
TSWebClient=Off
The TSWebClient value determines if the ActiveX control for hosting Terminal Services client connections over the Web is installed. The setting ‘Off’ does not install the ActiveX control.
vol=Off
The vol value sets the vol registry value. The setting ‘Off’ does not install The Volume Control.
WBEMSNMP=Off
The WBEMSNMP value sets the WBEMSNMP registry value. The setting ‘Off’ does not install the WMI SNMP Provider.
WMAccess=Off
The WMAccess value determines if the visible entry points to Windows Messenger are installed. The setting ‘Off’ does not install the visible entry points to Windows Messenger.
WMPOCM=Off
The WMPOCM value determines if the visible entry points to the Windows Media Player are installed. The setting ‘Off’ does not install the visible entry points to Windows Media Player.
wms=Off
The wms value sets the wms registry value. The setting ‘Off’ does not install the core Windows Media Server components.
wms_admin_asp=Off
The wms_admin_asp value sets the wms_admin_asp registry value. The setting ‘Off’ does not install Windows Media Services Web-based administrative components.
wms_admin_mmc=Off
The wms_admin_mmc value sets the wms_admin_mmc registry value. The setting ‘Off’ does not install the Windows Media Services MMC-based administrative components.
wms_isapi=Off
The wms_isapi value sets the wms_isapi registry value. The setting ‘Off’ does not install the Windows Media Services Multicast and Advertisement Logging Agent components.
wms_server=Off
The wms_server value sets the wms_server registry value. The setting ‘Off’ does not install the Windows Media Services server components.
zonegames=Off
The zonegames value sets the zonegames registry value. The setting ‘Off’ does not install the Microsoft Gaming Zone Internet Games.
3.3 Workgroup Server Installation Configuration file
The Workgroup Server installation can create a new workgroup or join an existing one. The installation assumes no use of DHCP or DNS. As a result, the Administrator must enter TCP/IP values into the Winnt.sif to enable networking.
3.3.1 Winnt.sif (Workgroup)
3.3.1.1 [Data]
AutoPartition=1
The AutoPartition value provides a location to place the Windows operating system. The setting ‘1’ installs the operating system in the first available partition with sufficient space. If an operating system is already present, Setup halts and requires further instruction.
MsDosInitiated=0
The MsDosInitiated value must be present and must be set to ‘zero’. If not, the automated installation fails.
UnattendedInstall=Yes
When set to ‘Yes’, the UnattendedInstall value enables the unattended installation of Windows when booting from the CD.
3.3.1.2 [GuiUnattended]
AdminPassword="A_Str0ng_p@SSw0rd"
The AdminPassword value defines the Local Administrator password on the system being installed.
NOTE: Select a value in keeping with the local policy on Administrator passwords. The value is stored in clear text in Winnt.sif, so protect the installation media and the answer file, and change the password after the first logon. Setup records the answer file's contents in %SystemRoot%\System32\$winnt$.inf; verify that no clear-text password remains there after installation.
EncryptedAdminPassword=No
The EncryptedAdminPassword value determines whether the AdminPassword value is stored encrypted. The setting ‘No’ stores it in clear text. Setting it to ‘Yes’ requires a password that has been encrypted with the setupmgr.exe tool provided on the Windows distribution media.
OEMSkipWelcome=1
The OEMSkipWelcome value determines if the startup displays the Welcome page. The setting ‘1’ does not display the Welcome page.
OEMSkipRegional=1
The OEMSkipRegional value determines if the installation will display the Regional Settings page. The setting ‘1’ does not display the Regional Settings page.
TimeZone=035
The TimeZone value sets the system clock to the local time zone. Canadian values are:
004 – Pacific Standard Time
010 – Mountain Standard Time
020 – Central Standard Time
025 – Canada Central Standard Time (Saskatchewan)
035 – Eastern Standard Time
050 – Atlantic Standard Time
060 – Newfoundland and Labrador Standard Time
AutoLogon=No
The AutoLogon value determines whether the Administrator account logs on automatically after Setup completes. The setting ‘No’ disables automatic logon. When AutoLogon is ‘Yes’, the AutoLogonCount value sets the number of automatic logons (one per reboot) before the feature turns itself off.
3.3.1.3 [Identification]
JoinWorkgroup=Department_Name
The JoinWorkgroup value determines which workgroup the server will join. NOTE: This value must be replaced with a local value.
3.3.1.4 [LicenseFilePrintData]
AutoMode=PerServer
The AutoMode value defines the license mode. Enter either PerSeat or PerServer. NOTE: If PerServer is specified then the AutoUsers value must be supplied as well.
AutoUsers=5
The AutoUsers value determines the number of concurrent users the PerServer license supports. NOTE: Provide a local value.
3.3.1.5 [Unattended]
OemPreinstall=No
The OemPreinstall value determines if there are OEM files to be installed. The setting ‘No’ indicates all required files are on the Windows distribution.
UnattendSwitch=Yes
The UnattendSwitch value specifies whether Setup skips Windows Welcome. The setting ‘Yes’ skips Windows Welcome. NOTE: the key is spelled UnattendSwitch; Setup ignores a misspelled key.
Repartition=No
The Repartition value determines what action to take on first drive partitions. The setting ‘No’ maintains all partitions on the first drive.
TargetPath=Windows
The TargetPath value defines a location for the operating system. The setting ‘Windows’ places the operating system in the Windows folder.
UnattendMode=FullUnattended
The UnattendMode value determines the level of human interaction with the installation. The setting ‘FullUnattended’ requires no human interaction during the process; if a required value is missing from the answer file, Setup generates an error rather than prompting for it.
WaitForReboot=No
The WaitForReboot value determines if the system will reboot immediately or provide an opportunity for human interaction. The setting ‘No’ reboots the system immediately.
OemSkipEula=Yes
The OemSkipEula value determines if the end user license agreement is presented during the installation. The setting ‘Yes’ does not display the end user license agreement.
FileSystem=ConvertNTFS
The FileSystem value determines the file system for the installation partition. The setting ‘ConvertNTFS’ converts the installation partition to NTFS, which is required for file and folder permissions and auditing.
3.3.1.6 [UserData]
ComputerName=File_Server_1
The ComputerName value sets the ComputerName registry value. NOTE: Provide a local value.
FullName="System_Admin"
The FullName value sets the RegisteredOwner value in the registry. NOTE: Provide a local value.
OrgName="Department_Name"
The OrgName value sets the RegisteredOrganization value in the registry. NOTE: Provide a local value.
ProductKey="xxxx-xxxx-xxxx-xxxx-xxxx"
The ProductKey value supplies the required license string for the version of Windows Server 2003 being installed.
NOTE: Provide a local value.
3.3.1.7 [Networking]
This section defines the network configuration for the system. In a Workgroup environment networking is configured statically: static IP addresses, and a Hosts file for name resolution. As a result, automatic network configuration is disabled and all values are supplied by parameters in this installation file.
InstallDefaultComponents=No
The InstallDefaultComponents value indicates whether Setup installs its default networking components, which configure TCP/IP for DHCP and DNS. The setting ‘No’ installs only the components and values listed in the following sections.
3.3.1.8 [NetAdapters]
Adapter1=params.Adapter1
The Adapter1 value defines network interfaces to install with associated logical names. This ensures commands bound for adapters are properly directed.
3.3.1.9 [params.Adapter1]
InfID=*
The InfID value identifies the network adapter by its Plug and Play ID. The setting ‘*’ matches any adapter, which is sufficient when there is only one. With more than one adapter, supply the Plug and Play ID of the intended adapter.
3.3.1.10 [NetClients]
MS_MSClient=params.MS_MSClient
The MS_MSClient value specifies the section where the Client for Microsoft Networks is defined. The value ‘params.MS_MSClient’ is the title of the section that contains the definition of the network client.
3.3.1.11 [NetServices]
MS_SERVER=params.MS_SERVER
The MS_SERVER value names the section that holds parameters for File and Printer Sharing for Microsoft Networks. Listing it here installs the service; it needs no parameters in this installation file, so there is no ‘params.MS_SERVER’ section.
3.3.1.12 [NetProtocols]
MS_TCPIP=params.MS_TCPIP
The MS_TCPIP value defines the section that holds the entries for this protocol.
3.3.1.13 [params.MS_TCPIP]
DNS=No
The DNS value defines if the server will use a DNS Server. The setting ‘No’ indicates the server will not use DNS for name resolution.
UseDomainNameDevolution=No
The UseDomainNameDevolution value determines whether the resolver retries an unqualified DNS name by removing labels from the primary DNS suffix. The setting ‘No’ prevents these retries. Because this server does not use DNS, the value has no effect.
EnableLMHosts=Yes
The EnableLMHosts value determines whether the server consults the LMHOSTS file for NetBIOS name resolution. The setting ‘Yes’ enables LMHOSTS lookup. This is distinct from the Hosts file, which TCP/IP always consults for host name resolution.
AdapterSections=params.MS_TCPIP.Adapter1
The AdapterSections value defines the location in this file that contains the definition of the adapter.
3.3.1.14 [params.MS_TCPIP.Adapter1]
SpecificTo=Adapter1
The SpecificTo value identifies the network adapter to which the block of commands applies. The setting ‘Adapter1’ applies to the first network adapter identified.
DHCP=No
The DHCP value identifies if the system uses DHCP. The setting ‘No’ indicates that the system will not obtain a TCP/IP address from a DHCP server.
IPAddress=xxx.xxx.xxx.xxx
The IPAddress value defines the IP address for the adapter.
SubnetMask=xxx.xxx.xxx.xxx
The SubnetMask value provides the subnet mask for the adapter.
DefaultGateway=xxx.xxx.xxx.xxx
The DefaultGateway value defines the address to which packets destined outside the local subnet are sent. The gateway is the first hop on the route to the target system.
WINS=No
The WINS value determines if the system will use Windows Internet Name Service. The setting ‘No’ disables WINS on the specified adapter.
NetBIOSOptions=2
The NetBIOSOptions value determines whether NetBIOS over TCP/IP is enabled on the adapter. The setting ‘2’ disables NetBIOS over TCP/IP. NOTE: the setting ‘0’ does not disable it; ‘0’ means use the setting supplied by the DHCP server, and with DHCP=No there is no such setting, so the adapter keeps the default of NetBIOS over TCP/IP enabled. The setting ‘1’ enables it explicitly.
3.3.1.15 [NetOptionalComponents]
DHCPServer=0
The DHCPServer value determines if the system will install the DHCP Server. The setting ‘0’ does not install the DHCP Server.
DNS=0
The DNS value determines if the system will install the DNS Server. The setting ‘0’ does not install the DNS Server software.
IAS=0
The IAS value determines if the system will install the Internet Authentication Service. The setting ‘0’ does not install the Internet Authentication Service.
ILS=0
The ILS value determines if setup will install services that support telephony features (caller ID, conference calls, video conferencing, faxing, etc.). The setting ‘0’ does not install the Internet Locator Service.
LPDSVC=0
The LPDSVC value determines if setup will install Print Services for UNIX (the LPD service). The setting ‘0’ does not install them.
MacPrint=0
The MacPrint value determines if setup will install Macintosh print services. The setting ‘0’ does not install Macintosh Print services.
MacSrv=0
The MacSrv value determines if setup will install Macintosh file services. The setting ‘0’ does not install Macintosh file services.
Netcm=0The Netcm value determines if setup will install the Microsoft Connection Manager Administration Kit and Phone Book Service. The setting ‘0’ does not install these services.
NetMonTools=0
The NetMonTools value determines if setup will install the network monitoring tools. The setting ‘0’ does not install the network monitoring tools.
SimpTcp=0
The ‘SimpTcp’ value determines if setup will install simple TCP/IP protocol suites. The setting ‘0’ does not install simple TCP/IP protocol suites.
SNMP=0
The ‘SNMP’ value determines if setup will install Simple Network Management Protocol. The setting ‘0’ does not install the SNMP protocol.
WINS=0
The ‘WINS’ value determines if setup will install Windows Internet Name Service. The setting ‘0’ does not install WINS.
3.3.1.16 [Components]
AccessOpt=On
The AccessOpt value sets the registry value accessopt. The setting ‘On’ installs the Accessibility wizard.
appsrv_console=Off
The appsrv_console sets the registry value appsrv_console. The setting ‘Off’ does not install the Application Server Console.
aspnet=Off
The aspnet value sets the aspnet registry value. The setting ‘Off’ does not install the ASP .NET development platform.
AutoUpdate=Off
The AutoUpdate value sets the autoupdate registry value. The setting ‘Off’ does not install AutoUpdate.
BitsServerExtensionsISAPI=Off
The BitsServerExtensionsISAPI value sets the bitsserverextensionsisapi registry value. The setting ‘Off’ does not install the ISAPI extension for BITS server extensions.
BitsServerExtensionManager=Off
The BitsServerExtensionManager value sets the bitsserverextensionmanager registry value. The setting ‘Off’ does not install the MMC snap-in, administrative APIs and ADSI extensions for BITS.
Calc=On
The Calc value sets the calc registry value. The setting ‘On’ installs the Calculator feature.
certsrv=On
The certsrv value sets the certsrv registry value. The setting ‘On’ installs the Certificate Services components.
certsrv_client=Off
The certsrv_client value sets the certsrv_client registry value. The setting ‘Off’ does not install the Web client components of Certificate Services, which let a web browser enrol for and use certificates. If these components are installed, the Certification Authority must be named with the CAName parameter and the computer hosting it with the CAMachine parameter.
certsrv_server=Off
The certsrv_server value sets the certsrv_server registry value. The setting ‘Off’ does not install the Certificate Server.
charmap=On
The charmap value sets the charmap registry value. The setting ‘On’ installs the Character Map feature.
chat=Off
The chat value sets the chat registry value. The setting ‘Off’ does not install the Chat program.
Clipbook=Off
The Clipbook value sets the clipbook registry value. The setting ‘Off’ does not install the Clipbook.
cluster=Off
The cluster value sets the cluster registry value. The setting ‘Off’ does not install the cluster software.
complusnetwork=On
The complusnetwork value sets the complusnetwork registry value. The setting ‘On’ enables network COM+ access, which is required only if remote clients must activate COM+ applications on this server.
deskpaper=Off
The deskpaper value sets the deskpaper registry value. The setting ‘Off’ does not install a desktop background.
dialer=Off
The dialer value sets the dialer registry value. The setting ‘Off’ does not install the Phone Dialer.
dtcnetwork=Off
The dtcnetwork value sets the dtcnetwork registry value. The setting ‘Off’ disables DTC network access. DTC is the Distributed Transaction Coordinator.
fax=Off
The fax value sets the fax registry value. The setting ‘Off’ does not install the Fax feature.
fp_extensions=Off
The fp_extensions value sets the fp_extensions registry value. The setting ‘Off’ does not install the FrontPage server extensions.
fp_vdir_deploy=Off
The fp_vdir_deploy value sets the fp_vdir_deploy registry value. The setting ‘Off’ does not install the Visual InterDev RAD Remote Deployment Support.
freecell=Off
The freecell value sets the freecell registry value. The setting ‘Off’ does not install the Freecell game.
hearts=Off
The hearts value sets the hearts registry value. The setting ‘Off’ does not install the Hearts game.
hypertrm=Off
The hypertrm value sets the hypertrm registry value. The setting ‘Off’ does not install the HyperTerminal feature.
IEAccess=Off
The IEAccess value determines if the Internet Explorer Access points are visible. The setting ‘Off’ does not make the Internet Explorer Access points visible.
iis_asp=Off
The iis_asp value sets the iis_asp registry value. The setting ‘Off’ does not install the Active Server Pages feature.
iis_common=Off
The iis_common value sets the iis_common registry value. The setting ‘Off’ does not install the common set of files needed by IIS.
iis_ftp=Off
The iis_ftp value sets the iis_ftp registry value. The setting ‘Off’ does not install the FTP Service.
iis_inetmgr=Off
The iis_inetmgr value sets the iis_inetmgr registry value. The setting ‘Off’ does not install the MMC-based administration tools for IIS.
iis_internetdataconnector=Off
The iis_internetdataconnector value sets the iis_internetdataconnector registry value. The setting ‘Off’ does not install the Internet Data Connector.
iis_nntp=Off
The iis_nntp value sets the iis_nntp registry value. The setting ‘Off’ does not install the NNTP Service.
iis_serversideincludes=Off
The iis_serversideincludes value sets the iis_serversideincludes registry value. The setting ‘Off’ does not install Server Side Includes.
iis_smtp=Off
The iis_smtp value sets the iis_smtp registry value. The setting ‘Off’ does not install the SMTP Service. NOTE: Setup silently ignores a key it does not recognize, so a misspelled key (for example ‘iis_smpt’) leaves the component at its default instead of turning it off.
iis_webadmin=Off
The iis_webadmin value sets the iis_webadmin registry value. The setting ‘Off’ does not install the Web UI for Web server administration (Remote Administration Tools).
iis_webdav=Off
The iis_webdav value sets the iis_webdav registry value. The setting ‘Off’ does not install WebDAV Publishing.
iis_www=Off
The iis_www value sets the iis_www registry value. The setting ‘Off’ does not install the WWW Service.
iis_www_vdir_scripts=Off
The iis_www_vdir_scripts value sets the iis_www_vdir_scripts registry value. The setting ‘Off’ does not create the optional scripts directory on the default web site.
indexsrv_system=Off
The indexsrv_system value sets the indexsrv_system registry value. The setting ‘Off’ does not install the Indexing Service.
inetprint=Off
The inetprint value sets the inetprint registry value. The setting ‘Off’ does not install Internet Printing.
licenseserver=Off
The licenseserver value sets the licenseserver registry value. The setting ‘Off’ does not enable Terminal Services licensing.
media_clips=Off
The media_clips value sets the media_clips registry value. The setting ‘Off’ does not install sample sounds.
media_utopia=Off
The media_utopia value sets the media_utopia registry value. The setting ‘Off’ does not install the Utopia sound scheme.
minesweeper=Off
The minesweeper value sets the minesweeper registry value. The setting ‘Off’ does not install the Minesweeper game.
mousepoint=On
The mousepoint value sets the mousepoint registry value. The setting ‘On’ installs all available mouse pointers.
msmq_ADIntegrated=Off
The msmq_ADIntegrated value sets the msmq_ADIntegrated registry value. The setting ‘Off’ does not integrate MSMQ with Active Directory.
msmq_Core=Off
The msmq_core value sets the msmq_core registry value. The setting ‘Off’ does not install the Message Queuing components.
msmq_HTTPSupport=Off
The msmq_HTTPSupport value sets the msmq_HTTPSupport registry value. The setting ‘Off’ does not enable sending and receiving of messages using HTTP.
msmq_LocalStorage=Off
The msmq_LocalStorage value sets the msmq_LocalStorage registry value. The setting ‘Off’ does not store messages locally.
msmq_MQDSSService=Off
The msmq_MQDSSService value sets the msmq_MQDSSService registry value. The setting ‘Off’ does not provide Active Directory access and site recognition for downlevel Message Queuing clients.
msmq_RoutingSupport=Off
The msmq_RoutingSupport value sets the msmq_RoutingSupport registry value. The setting ‘Off’ does not install Message Queuing routing support (efficient routing of messages between sites). The Message Queuing components are not installed, so this parameter does not affect the system.
msmq_TriggerService=Off
The msmq_TriggerService value sets the msmq_TriggerService registry value. The setting ‘Off’ does not install Message Queuing Triggers, which associate the arrival of a message at a queue with functionality in a Component Object Model (COM) component or in a standalone executable program.
msnexplr=Off
The msnexplr value sets the msnexplr registry value. The setting ‘Off’ does not install MSN Explorer.
mswordpad=On
The mswordpad value sets the mswordpad registry value. The setting ‘On’ installs the mswordpad feature.
netcis=Off
The netcis value sets the netcis registry value. The setting ‘Off’ does not install Microsoft COM Internet Services.
netoc=Off
The netoc value sets the netoc registry value. The setting ‘Off’ does not install optional networking components.
objectpkg=Off
The objectpkg value determines if the Object Packager is installed. The setting ‘Off’ does not install the Object Packager.
OEAccess=Off
The OEAccess value determines if the visible entry points to Outlook Express are installed. The setting ‘Off’ does not install the visible entry points for Outlook Express.
paint=Off
The paint value sets the paint registry value. The setting ‘Off’ does not install Microsoft Paint.
pinball=Off
The pinball value sets the pinball registry value. The setting ‘Off’ does not install the Pinball game.
Pop3Admin=Off
The Pop3Admin value determines if setup will install the optional Web UI for the Remote Administration Tools. The setting ‘Off’ does not install the optional Web UI.
Pop3Service=Off
The Pop3Service value determines if setup will install the main POP3 service. The setting ‘Off’ does not install the main POP3 service.
Pop3Srv=Off
The Pop3Srv value determines if setup will install the root POP3 component. The setting ‘Off’ does not install the root POP3 component.
rec=Off
The rec value determines if setup will install the Sound Recorder. The setting ‘Off’ does not install the Sound Recorder.
reminst=Off
The reminst value sets the reminst registry value. The setting ‘Off’ does not install the remote installation Service.
rootautoupdate=Off
The rootautoupdate value sets the rootautoupdate registry value. The setting ‘Off’ does not install the Update Root Certificates optional component, so the server will not download additional root certificates from Windows Update on demand. If the server is presented with a certificate that chains to a root not in its local store, the action that required the certificate fails; any root the server must trust has to be distributed by policy or installed by hand.
rstorage=Off
The rstorage value sets the rstorage registry value. The setting ‘Off’ does not install the Remote Storage feature.
solitaire=Off
The solitaire value sets the solitaire registry value. The setting ‘Off’ does not install the Solitaire game.
spider=Off
The spider value sets the spider registry value. The setting ‘Off’ does not install the Spider game.
templates=Off
The templates value sets the templates registry value. The setting ‘Off’ does not install Document Templates.
TerminalServer=Off
The TerminalServer value determines if setup will install Terminal Services. The setting of ‘Off’ does not install Terminal Services.
TSWebClient=Off
The TSWebClient value determines if the ActiveX control for hosting Terminal Services client connections over the Web is installed. The setting ‘Off’ does not install the ActiveX control.
vol=Off
The vol value sets the vol registry value. The setting ‘Off’ does not install the Volume Control.
WBEMSNMP=Off
The WBEMSNMP value sets the WBEMSNMP registry value. The setting ‘Off’ does not install the WMI SNMP Provider.
WMAccess=Off
The WMAccess value determines if setup will install visible entry points to Windows Messenger. The setting ‘Off’ does not install visible entry points to Windows Messenger.
WMPOCM=Off
The WMPOCM value determines if setup will install visible entry points to Windows Media Player. The setting ‘Off’ does not install visible entry points to Windows Media Player.
wms=Off
The wms value sets the wms registry value. The setting ‘Off’ does not install the core Windows Media Server components.
wms_admin_asp=Off
The wms_admin_asp value sets the wms_admin_asp registry value. The setting ‘Off’ does not install Windows Media Services Web-based administrative components.
wms_admin_mmc=Off
The wms_admin_mmc value sets the wms_admin_mmc registry value. The setting ‘Off’ does not install the Windows Media Services MMC-based administrative components.
wms_isapi=Off
The wms_isapi value sets the wms_isapi registry value. The setting ‘Off’ does not install the Windows Media Services Multicast and Advertisement Logging Agent components.
wms_server=Off
The wms_server value sets the wms_server registry value. The setting ‘Off’ does not install the Windows Media Services server components.
zonegames=Off
The zonegames value sets the zonegames registry value. The setting ‘Off’ does not install the Microsoft Gaming Zone Internet Games component.
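Both [Components] listings above (the one ending the previous section and this one) turn off a long list of network-facing features one line at a time, and a line that is misspelled, missing or set to ‘On’ by mistake is easy to overlook. The following Python script is an added example, not part of ITSG-20 or of Microsoft's setup tooling: it parses a Winnt.sif and reports every network-facing component that is not turned off, every expected key that is absent (Setup then keeps its default), and any key that looks like a misspelling of an expected key (Setup ignores unknown keys silently). The list of network-facing component names is an assumption drawn from the descriptions in this section; the sample answer file at the bottom is constructed, and the 0/1/2 meaning of NetBIOSOptions is as described in the script's comments.

```python
"""Audit a Winnt.sif answer file for network-facing components left enabled.

Added example; not part of ITSG-20 or of Microsoft's setup tooling.  Reads
[Components], [NetOptionalComponents] and [params.MS_TCPIP.Adapter1] and
reports components that are not Off/0, expected keys that are absent (Setup
then keeps its default) and keys that look like misspellings of an expected
key (Setup ignores unknown keys silently, so a typo disables nothing).
"""
import configparser
import difflib

# [Components] entries from this guide that install a listening service or a
# remotely reachable interface (assumed list; keys are compared in lower case).
NETWORK_COMPONENTS = sorted({
    "certsrv_client", "certsrv_server", "complusnetwork", "dtcnetwork",
    "fp_extensions", "fp_vdir_deploy", "iis_asp", "iis_common", "iis_ftp",
    "iis_internetdataconnector", "iis_nntp", "iis_serversideincludes",
    "iis_smtp", "iis_webadmin", "iis_webdav", "iis_www",
    "iis_www_vdir_scripts", "indexsrv_system", "inetprint", "licenseserver",
    "msmq_core", "msmq_httpsupport", "msmq_mqdssservice",
    "msmq_routingsupport", "netcis", "pop3admin", "pop3service", "pop3srv",
    "reminst", "terminalserver", "tswebclient", "wbemsnmp", "wms",
    "wms_admin_asp", "wms_isapi", "wms_server",
})
# [NetOptionalComponents] entries, which use 1/0 instead of On/Off.
NET_OPTIONAL_COMPONENTS = sorted({
    "dhcpserver", "dns", "ias", "ils", "lpdsvc", "macprint", "macsrv",
    "netcm", "netmontools", "simptcp", "snmp", "wins",
})


def load_sif(text):
    """Parse answer-file text into {section name (lower case): {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=(";",))
    cp.read_string(text)  # ConfigParser lower-cases keys by default
    return {name.lower(): dict(cp[name]) for name in cp.sections()}


def _check_section(sections, name, expected, off_value):
    """Yield (section, key, problem) for one On/Off or 1/0 style section."""
    present = sections.get(name.lower(), {})
    for key in expected:
        value = present.get(key)
        if value is None:
            yield (name, key, "missing: Setup keeps the default")
        elif value.strip().strip('"').lower() != off_value:
            yield (name, key, f"enabled ({value.strip()})")
    for key in present:
        if key in expected:
            continue
        # Unknown key: Setup ignores it, so a typo on an Off line disables nothing.
        guess = difflib.get_close_matches(key, expected, n=1, cutoff=0.85)
        if guess:
            yield (name, key, f"unknown key, did you mean {guess[0]}?")


def audit(text):
    """Return a sorted list of (section, key, problem) findings."""
    sections = load_sif(text)
    findings = list(_check_section(sections, "Components",
                                   NETWORK_COMPONENTS, "off"))
    findings += _check_section(sections, "NetOptionalComponents",
                               NET_OPTIONAL_COMPONENTS, "0")
    # NetBIOSOptions: 0 = take the setting from DHCP, 1 = enable, 2 = disable
    # NetBIOS over TCP/IP.  With DHCP=No there is no DHCP setting to take, so
    # 0 leaves NetBT at its default (enabled); only 2 disables it.
    adapter = sections.get("params.ms_tcpip.adapter1", {})
    if adapter.get("netbiosoptions", "").strip() != "2":
        findings.append(("params.MS_TCPIP.Adapter1", "netbiosoptions",
                         "NetBIOS over TCP/IP not disabled (needs 2)"))
    if adapter.get("wins", "").strip().lower() != "no":
        findings.append(("params.MS_TCPIP.Adapter1", "wins",
                         "WINS not disabled"))
    return sorted(findings)


# Constructed fragment for demonstration, not a file from the guide: iis_smpt
# is a typo for iis_smtp, Terminal Server is left on, the Simple TCP/IP
# services are enabled, and NetBIOSOptions=0 does not disable NetBT.
SAMPLE_SIF = """\
[Components]
iis_common=Off
iis_www=Off
iis_smpt=Off
TerminalServer=On
TSWebClient=Off

[NetOptionalComponents]
SNMP=0
SimpTcp=1

[params.MS_TCPIP.Adapter1]
SpecificTo=Adapter1
DHCP=No
NetBIOSOptions=0
WINS=No
"""

if __name__ == "__main__":
    for section, key, problem in audit(SAMPLE_SIF):
        print(f"[{section}] {key}: {problem}")
```

Run it against the real Winnt.sif before building the installation package (replace SAMPLE_SIF with the file's contents); an empty result means every listed component is explicitly off and the adapter settings match the intent of this section. The "missing" findings are deliberate: a component the file does not mention is not disabled, it is whatever Setup's default makes it.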
4.1 Policy File Application
Apply policies dictated by the environment (Domain or Workgroup).
4.1.1 Policy Application in a Domain
The policy files are applied to Organizational Units within the Active Directory. The structure of the Directory will dictate the exact names and locations of the Organizational Units. The structure deployed in the CSEC lab had an Organizational Unit for “Public Servers” to which the Baseline configuration was applied. The “Print Servers” and “File Servers” organizational units are placed in the “Public Servers” organizational unit, and the role-specific policies are applied to those organizational units.
This procedure is applicable to any organizational unit and any policy file. Simply substitute the ‘OU’ and ‘policy file name’ as required.
1. Invoke Active Directory interface.
2. Expand Directory - click on the “+” signs to display the desired OU.
3. Right click on the desired OU and select Properties from the menu.
a. “Organizational Unit Properties” dialog opens.
4. Select “Group Policy” tab.
5. Click “New” button.
6. “New Group Policy Object” is created.
7. Rename “New Group Policy Object” to desired value.
8. Click “Edit” button.
b. “Group Policy Object Editor” dialog opens.
9. Click “+” beside “Windows Settings”.
10. Right Click “Security Settings”.
11. Select “Import Policy” from menu.
12. Browse to desired policy file and select it.
13. Enable “Clear this database before importing”.
14. Click “Open” (policy is imported).
15. Click “File” and then “Exit”.
16. Click “Apply”.
17. Click “Exit”.
Repeat this process until all OUs (Public Servers, Print Servers and File Servers) have the required policy files applied to them.
4.1.2 Policy Application in a Workgroup
The policies for a workgroup server must be applied in the appropriate order to ensure a correct policy. Apply the Baseline configuration first, then apply the additional policies that enable the designated role of the server.
To enter a policy file with the local Group Policy Editor, perform the following:
1. Open a command window.
2. Enter “MMC” and press “Return”.
a. “Console 1” dialog opens.
3. Click “File”.
4. Select “Add/Remove Snap-in”.
5. “Add/Remove Snap-in” dialog displayed.
6. Click “Add”.
7. “Add Standalone Snap-in” dialog displayed.
8. Browse to and select “Group Policy Editor”.
9. Click “Add”.
10. “Select Group Policy Object” dialog displayed.
11. Accept defaults and click “Finish”.
12. Click “Close”.
13. Click “OK”.
a. The “Root Console Window” appears.
14. Click on “+” beside “Local Computer Policy”
15. Click on “+” beside “Windows Settings”.
16. Right click on “Security Settings”.
17. Select “Import Policy”.
18. Browse to desired policy file and select it.
a. Import Baseline configuration policy first then Role based policies.
19. Click “Open”.
20. Click “File”.
21. Click “Exit”.
22. “Microsoft Management Console” dialog displayed.
23. Select “Yes” if you wish to save the settings.
a. Otherwise, select “No”.
4.2 Baseline Server Policy Files Details
The following section provides additional services and settings that are managed by policy files.
The Domain and Workgroup Baseline configuration files are largely identical. The following section provides details on the security settings. Items that are not the same will have both settings documented.
4.3 Account Policies
Account policies determine the rules for users with respect to passwords and Kerberos.
4.3.1 Password Policy
4.3.1.1 Enforce password history
PasswordHistorySize = 24
The ‘PasswordHistorySize’ defines the number of passwords retained by the system. This history is compared with user input during password changes. The setting ‘24’ requires the user to select twenty-four unique passwords before they can re-use their first one. With a ‘MinimumPasswordAge’ of two, the user would have to cycle their password every two days to get back to their original password.
4.3.1.2 Maximum password age
MaximumPasswordAge = 42
The ‘MaximumPasswordAge’ defines the maximum number of days a user can keep the same password. A setting of forty-two requires the user to change their password every forty-two days. Combined with the ‘PasswordComplexity’ and ’PasswordLength’ settings, these settings ensure the password is strong and resilient to attack.
4.3.1.3 Minimum Password Age
MinimumPasswordAge = 2
The ‘MinimumPasswordAge’ defines how many days a user must wait between password changes. The setting ‘2’ requires the user to wait two days before they can change their password again.
4.3.1.4 Minimum password length
MinimumPasswordLength = 8
The ‘MinimumPasswordLength’ defines the minimum number of characters acceptable for a password. The setting ‘8’ requires the user to enter a password of eight characters or more.
Combined with the ‘PasswordComplexity’ and ‘MaximumPasswordAge’ settings, these settings ensure the password is strong and resilient to attack.
4.3.1.5 Password must meet complexity requirements
PasswordComplexity = 1
The ‘PasswordComplexity’ switch defines password complexity requirements. The setting ‘1’ requires the user to enter a password that meets the criteria below.
The password contains characters from three of the following four categories:
- Upper Case Character (A-Z)
- Lower Case Character (a-z)
- Base 10 Digits (0-9)
- Non-alphanumeric (! @ # $ % ^ &)
This setting helps thwart brute-force attacks.
4.3.1.6 Store password using reversible encryption
ClearTextPassword = 0
The ‘ClearTextPassword’ keyword determines if the system stores passwords using reversible encryption. The setting ‘zero’ disables reversible encryption.
NOTE: Never enable this option unless operational considerations outweigh the need to protect password information.
4.3.2 Account Lockout Policy
4.3.2.1 Account Lockout Duration
LockoutDuration = 15
The ‘LockoutDuration’ defines the length of time (in minutes) that an account is disabled after lockout. The setting ‘15’ disables the user’s account for 15 minutes. This value needs to be synchronized with ‘ResetLockoutCounter’ so the user can logon when the ‘LockoutDuration’ has expired.
4.3.2.2 Account lockout threshold
LockoutBadCount = 10
The ‘LockoutBadCount’ defines the number of failed logons allowed before the account is locked. The setting ‘10’ causes the user’s account to be locked after 10 consecutive failed logon attempts. The setting prevents extended password guessing attacks.
4.3.2.3 Reset account lockout counter after
ResetLockoutCount = 15
The ‘ResetLockoutCount’ defines the length of time (in minutes) before a lockout reset occurs. The setting ‘15’ resets the lockout to zero after fifteen minutes. This value needs to be synchronized with ‘LockoutDuration’ so the user can logon when the ‘LockoutDuration’ has expired.
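The complexity rule of 4.3.1.5 and the lockout counters of 4.3.2.1 to 4.3.2.3, as an added Python model that is not code from the guide or from Windows: it shows how ‘LockoutBadCount’, ‘ResetLockoutCount’ and ‘LockoutDuration’ interact on a simulated clock measured in minutes. The function and class names are the example’s own; the account-name test that Windows also applies under PasswordComplexity is outside the guide’s text and is not modelled.

```python
"""Executable model of the ITSG-20 password-complexity and lockout values."""
from dataclasses import dataclass
from typing import Dict

# Values documented in sections 4.3.1 and 4.3.2 of the baseline.
MINIMUM_PASSWORD_LENGTH = 8   # MinimumPasswordLength (4.3.1.4)
LOCKOUT_BAD_COUNT = 10        # LockoutBadCount (4.3.2.2)
RESET_LOCKOUT_COUNT = 15      # ResetLockoutCount, in minutes (4.3.2.3)
LOCKOUT_DURATION = 15         # LockoutDuration, in minutes (4.3.2.1)


def meets_complexity(password: str) -> bool:
    """PasswordComplexity=1 as described in 4.3.1.5: at least eight characters,
    drawn from three of the four categories upper, lower, digit, other."""
    if len(password) < MINIMUM_PASSWORD_LENGTH:
        return False
    categories = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(categories) >= 3


@dataclass
class _AccountState:
    bad_count: int = 0            # failed logons in the current window
    last_bad_minute: float = 0.0  # time of the most recent failure
    locked_until: float = 0.0     # minute at which the lockout expires


class LockoutTracker:
    """Models the three lockout counters with a caller-supplied clock (minutes),
    so the interaction the guide describes can be exercised offline."""

    def __init__(self) -> None:
        self._accounts: Dict[str, _AccountState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        state = self._accounts.get(user)
        return state is not None and now < state.locked_until

    def record_failure(self, user: str, now: float) -> bool:
        """Register one failed logon; return True if the account is now locked."""
        if self.is_locked(user, now):
            return True
        state = self._accounts.setdefault(user, _AccountState())
        # ResetLockoutCount: failures older than the window are forgotten.
        if state.bad_count and now - state.last_bad_minute >= RESET_LOCKOUT_COUNT:
            state.bad_count = 0
        state.bad_count += 1
        state.last_bad_minute = now
        if state.bad_count >= LOCKOUT_BAD_COUNT:
            # LockoutDuration: the account is refused until the lockout expires,
            # after which the counter starts again from zero.
            state.locked_until = now + LOCKOUT_DURATION
            state.bad_count = 0
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """A correct password clears the counter; returns False while locked."""
        if self.is_locked(user, now):
            return False
        self._accounts[user] = _AccountState()
        return True


if __name__ == "__main__":
    tracker = LockoutTracker()
    for minute in range(LOCKOUT_BAD_COUNT):
        locked = tracker.record_failure("alice", minute)
    print("locked after 10 failures:", locked)
    print("still locked at minute 20:", tracker.is_locked("alice", 20))
    print("unlocked at minute 25:", not tracker.is_locked("alice", 25))
```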
4.3.3 Kerberos Policy
There are no Kerberos settings in the Workgroup Baseline configuration.
4.3.3.1 Enforce user logon restrictions
TicketValidateClient = 1
The ‘TicketValidateClient’ determines if Kerberos V5 Key Distribution Centre authentication is required. The setting ‘1’ requires the use of Kerberos Authentication.
4.3.3.2 Maximum lifetime for the service ticket
MaxServiceAge = 600
The ‘MaxServiceAge’ defines the number of minutes a service ticket will be valid. The setting ‘600’ allows the ticket to be used for ten hours.
4.3.3.3 Maximum lifetime for user ticket
MaxTicketAge = 10
The ‘MaxTicketAge’ defines the maximum hours a user’s ticket granting ticket may be used. The setting ‘10’ indicates that the ticket granting ticket must be replaced or renewed after ten hours.
4.3.3.4 Maximum lifetime for user ticket renewal
MaxRenewAge = 7
The ‘MaxRenewAge’ defines the number of days a ticket granting ticket may be renewed after issuance. The setting ‘7’ allows a ticket granting ticket to be renewed for seven days.
4.3.3.5 Maximum tolerance for computer clock synchronization
MaxClockSkew = 5
The ‘MaxClockSkew’ defines the maximum amount of time a system clock can be different from the Domain Controller clock. The setting of ‘5’ indicates systems more than 5 minutes different than the Domain Controller clock will be refused.
4.4 Local Policies
4.4.1 Audit Policy
4.4.1.1 Audit account logon events
AuditAccountLogon = 3
The ‘AuditAccountLogon’ defines types of logon events to audit. The setting ‘3’ audits ‘success’ and ‘fail’ events. ‘Success’ events can determine who accessed the system during an incident. ‘Fail’ events provide insight to password guessing attacks.
4.4.1.2 Audit account management
AuditAccountManage = 3
The ‘AuditAccountManage’ defines the account management events to audit. The setting ‘3’ audits ‘success’ and ‘fail’ events. ‘Success’ events can be used in investigations, monitoring accounts at the time of an incident. ‘Fail’ attempts can determine if users are probing the system for vulnerabilities.
4.4.1.3 Audit directory service access
AuditDSAccess = 3
The ‘AuditDSAccess’ defines the directory service access events to audit. The setting ‘3’ audits ‘success’ and ‘fail’ events. The Directory Service holds crucial information for the Domain. Knowledge of access during an incident can provide valuable information about Active Directory objects accessed during an attack.
4.4.1.4 Audit logon events
AuditLogonEvents = 3
The ‘AuditLogonEvents’ defines types of logon events to audit. The setting ‘3’ audits ‘success’ and ‘fail’ events. ‘Success’ events can be used to determine who was accessing the system during an incident. ‘Fail’ logon attempts can determine if the system is under a password guessing attack.
4.4.1.5 Audit object access
AuditObjectAccess = 2
The ‘AuditObjectAccess’ defines the object access events that will be audited. The setting ‘2’ audits failed events. Failed attempts can be monitored to determine if any users are probing the system for vulnerabilities.
4.4.1.6 Audit policy change
AuditPolicyChange = 3
The ‘AuditPolicyChange’ defines the policy change events that will be audited. The setting ‘3’ audits ‘success’ and ‘fail’ events. ‘Success’ events are used in investigations to determine access to the system and the policy in effect at the time of the incident. ‘Fail’ attempts can determine if users are probing the system for vulnerabilities.
4.4.1.7 Audit privilege use
AuditPrivilegeUse = 3
The ‘AuditPrivilegeUse’ defines the privilege use events to be audited. The setting ‘3’ audits ‘success’ and ‘fail’ events. ‘Success’ events are used to determine who was accessing the system at the time of the incident. ‘Fail’ attempts can determine if users are probing the system for vulnerabilities.
4.4.1.8 Audit process tracking
AuditProcessTracking = 0
The ‘AuditProcessTracking’ defines the process tracking events to be audited. The setting ‘0’ audits no events. The value of this information is weighed against the volume of data collected. Due to the large volume of data, the normal setting for this value is disabled. However, during an incident the information provided is invaluable. If an attack is suspected, we recommend the setting be enabled.
4.4.1.9 Audit system events
AuditSystemEvents = 3
The ‘AuditSystemEvents’ defines events to be audited. The setting ‘3’ audits ‘success’ and ‘fail’ events. These events reflect the system shutdown and restarts, system security events, and events that affect the security log.
4.4.2 User Rights Assignments
4.4.2.1 Access this computer from the network
senetworklogonright = *S-1-5-11,*S-1-5-32-544
The ‘senetworklogonright’ grants network protocol access to the system (SMB, NetBIOS, CIFS, HTTP and COM+). The policy grants privileges to the Administrators and authenticated users. The ability to access the system from the network provides greater exposure for an attack. Restricting access reduces the exposure.
4.4.2.2 Act as part of the operating system
setcbprivilege =
The ‘setcbprivilege’ grants an account the ability to act as part of the operating system. According to Microsoft, there is no reason why an account would require this privilege.
4.4.2.3 Add workstations to domain
semachineaccountprivilege =
The ‘semachineaccountprivilege’ grants the right to add workstations to a domain. This policy grants no privilege. Restricting this privilege helps maintain Domain integrity.
4.4.2.4 Adjust memory quotas for a process
seincreasequotaprivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20
The ‘seincreasequotaprivilege’ grants the ability to adjust memory quotas for a process. This policy grants privileges to Administrators, LOCAL SERVICE and NETWORK SERVICE accounts. If misused, DoS attacks are possible.
4.4.2.5 Allow log on locally
seinteractivelogonright = *S-1-5-32-551,*S-1-5-32-544
The ‘seinteractivelogonright’ grants logon privilege to the local console. These privileges are given to Administrators and Backup operators. Local access is restricted to accounts that have legitimate reason for access. By restricting this privilege, system exposure is reduced.
4.4.2.6 Allow log on through Terminal Services
seremoteinteractivelogonright = *S-1-5-32-544
The ‘seremoteinteractivelogonright’ grants the right to logon remotely through Terminal Services. This policy grants rights to Administrators. There is no requirement to allow users this form of access.
4.4.2.7 Backup files and directories
sebackupprivilege = *S-1-5-32-551,*S-1-5-32-544
The ‘sebackupprivilege’ grants the right to backup files and directories. Rights are given to Administrators and Backup Operators. If your policy does not allow administrators to backup then omit the Administrators group. The allocation of this privilege must be tightly controlled.
4.4.2.8 Bypass traverse checking
sechangenotifyprivilege = *S-1-5-32-545,*S-1-5-32-551,*S-1-5-11,*S-1-5-32-544
The ‘sechangenotifyprivilege’ grants the right to bypass traverse checking in NTFS file systems and the Registry. This policy grants rights to Users, Backup Operators, Administrators, and authenticated users.
4.4.2.9 Change the system time
sesystemtimeprivilege = *S-1-5-32-544
The ‘sesystemtimeprivilege’ grants the right to change the system time. This policy grants rights to Administrators. The system time is critical in incident investigation. Without a consistent time, it is difficult to co-relate events on multiple systems.
4.4.2.10 Create a pagefile
secreatepagefileprivilege = *S-1-5-32-544
The ‘secreatepagefileprivilege’ grants the right to create a page file. This policy grants rights to Administrators. Too large a page file can cause poor system performance. Restricting this to Administrators reduces the exposure to trusted individuals.
4.4.2.11 Create a token object
secreatetokenprivilege =
The ‘secreatetokenprivilege’ grants the right to create local security token objects. The privilege gives the ability to create or modify Access Tokens. This policy does not grant rights to anyone. This can prevent privilege escalation attacks and DoS conditions.
4.4.2.12 Create global objects
secreateglobalprivilege = *S-1-5-6,*S-1-5-32-544
The ‘secreateglobalprivilege’ grants the right to create objects available to all sessions. This policy grants rights to Administrators and the SERVICE account. It can be used to affect other user’s processes.
4.4.2.13 Create permanent shared objects
secreatepermanentprivilege =
The ‘secreatepermanentprivilege’ grants the right to create shared objects (folders, printers). Users with this privilege could expose sensitive data to the network by creating a shared object. Only members of the Administrators group can create permanent shared objects.
4.4.2.14 Debug programs
sedebugprivilege =
The ‘sedebugprivilege’ grants the right to debug any kernel process. Program debugging should never be done in a production environment. In the event it is required, grant rights for a short time.
4.4.2.15 Deny access to this computer from the network
sedenynetworklogonright = *S-1-5-32-546, *S-1-5-7
The ‘sedenynetworklogonright’ prevents access for a variety of network protocols. The policy applies the right to Guests and ANONYMOUS LOGON. The Administrators must add the local accounts ‘Guest’, ‘Support_388945a0’ and Built-in Administrator account.
NOTE: Given no reason for network access to the system for a group or user, access should be denied.
4.4.2.16 Deny log on as a batch job
sedenybatchlogonright = *S-1-5-32-546, *S-1-5-7
The ‘sedenybatchlogonright’ prevents the ability to create batch jobs. This policy applies rights to Guests and ANONYMOUS LOGON. The Administrators must add the local accounts ‘Guest’ and ‘Support_388945a0’. The batch facility could be used to schedule jobs that result in a DoS.
NOTE: Given no reason for batch logon access to the system for a group or user, access should be denied.
4.4.2.17 Deny log on as a service
sedenyservicelogonright = *S-1-5-32-546,*S-1-5-32-544, *S-1-5-7
The ‘sedenyservicelogonright’ prevents access to a variety of network protocols. This policy applies the rights to Guests, ANONYMOUS LOGON, and Administrators. Administrators must add the local accounts ‘Guest’, ‘Support_388945a0’ and Built-in Administrator account.
4.4.2.18 Deny log on locally
sedenyinteractivelogonright = *S-1-5-32-546, *S-1-5-7
The ‘sedenyinteractivelogonright’ prevents local access to the system. This policy applies the rights to Guests and ANONYMOUS LOGON. Administrators must add the local accounts ‘Guest’ and ‘Support_388945a0’.
NOTE: Given no reason for interactive access to the system for a group, access should be denied.
4.4.2.19 Deny log on through Terminal Services
sedenyremoteinteractivelogonright = *S-1-5-32-546, *S-1-5-7
The ‘sedenyremoteinteractivelogonright’ prevents logon through terminal services. This policy applies rights to Guests and ANONYMOUS LOGON. Administrators must add the local accounts ‘Guest’, ‘Support_388945a0’ and Built-in Administrator.
NOTE: Given no reason for terminal services access for a group, access should be denied.
4.4.2.20 Enable computer and user accounts to be trusted for delegation
seenabledelegationprivilege =
The ‘seenabledelegationprivilege’ grants the right to change the ‘trusted for delegation’ setting on Active Directory objects. This policy does not grant privileges to anyone. The misuse of this privilege could lead to impersonation of users in a Domain.
4.4.2.21 Force shutdown from a remote system
seremoteshutdownprivilege =
The ‘seremoteshutdownprivilege’ grants the right to shut the system down from a remote location. This policy grants rights to no one. Servers in a High Security zone require physical access to be shut down.
4.4.2.22 Generate security audits
seauditprivilege = *S-1-5-19,*S-1-5-20
The ‘seauditprivilege’ grants the right to generate records in the security logs. This policy grants rights to NETWORK SERVICE and LOCAL SERVICE. By limiting rights to non-interactive accounts, DoS conditions through full logs can be avoided.
4.4.2.23 Impersonate a client after authentication
seimpersonateprivilege = *S-1-5-19,*S-1-5-20
The ‘seimpersonateprivilege’ grants an application the right to impersonate a client after that client has authenticated. This policy grants rights to Local Service and Network Service. For better security, privileges are limited to non-interactive accounts.
4.4.2.24 Increase scheduling priority
seincreasebasepriorityprivilege = *S-1-5-32-544
The ‘seincreasebasepriorityprivilege’ grants the right to increase process priority. This policy grants privileges to Administrators. If misused, a DoS condition could starve CPU resources.
4.4.2.25 Load and unload device drivers
seloaddriverprivilege = *S-1-5-32-544
The ‘seloaddriverprivilege’ grants the right to load and unload device drivers. This policy grants privileges to Administrators. The driver code is run with elevated privileges. By restricting privileges to Administrators, the exposure is reduced.
4.4.2.26 Lock pages in memory
selockmemoryprivilege =
The ‘selockmemoryprivilege’ grants the right to keep data in physical memory. This policy grants privileges to no one. The abuse of privileges can result in starved memory resources and a DoS situation. Restricting this privilege reduces exposure to this threat.
4.4.2.27 Log on as a batch job
sebatchlogonright =
The ‘sebatchlogonright’ grants the right to submit batch jobs (log on as a batch job). This policy grants rights to no one. The Task Scheduler could cause a DoS; limiting this privilege reduces the threat.
4.4.2.28 Log on as a service
seservicelogonright = *S-1-5-20,*S-1-5-19
The ‘seservicelogonright’ grants the right to logon as a service. This policy grants rights to Local Service and Network Service. Interactive accounts are purposely excluded.
4.4.2.29 Manage auditing and security log
sesecurityprivilege = *S-1-5-32-544
The ‘sesecurityprivilege’ grants the right to specify object access auditing options. This policy grants rights to Administrators. Administrators alone can determine the appropriate auditing level. This ensures that users of the system cannot reduce auditing and eliminate traces of their activity.
4.4.2.30 Modify firmware environment values
sesystemenvironmentprivilege = *S-1-5-32-544
The ‘sesystemenvironmentprivilege’ grants rights to modify firmware environment values. This policy grants these rights to Administrators only. The ability to change system configurations needs to be controlled.
4.4.2.31 Perform volume maintenance tasks
semanagevolumeprivilege = *S-1-5-32-544
The ‘semanagevolumeprivilege’ grants rights to manage volumes or disks. This policy grants rights to Administrators only. The administrative function of volume and disk management can damage user data on a disk. Restricting this privilege reduces the threat.
4.4.2.32 Profile single process
seprofilesingleprocessprivilege = *S-1-5-32-544
The ‘seprofilesingleprocessprivilege’ grants the right to monitor performance of a non-system process. This policy grants these rights to Administrators. The ability to profile a process can provide information to be used as a basis of an attack. Limiting privileges to Administrators reduces this threat.
4.4.2.33 Profile system performance
sesystemprofileprivilege = *S-1-5-32-544
The ‘sesystemprofileprivilege’ grants the right to monitor performance of a system process. This policy grants these rights to Administrators only. Profiling a system gathers information useful for an attack. Limiting privileges to Administrators reduces this threat.
4.4.2.34 Remove computer from docking station
seundockprivilege = *S-1-5-32-544
The ‘seundockprivilege’ grants the right to undock the server. This policy grants these privileges to Administrators only. As a preventive measure, these privileges are restricted.
4.4.2.35 Replace a process level token
seassignprimarytokenprivilege = *S-1-5-19,*S-1-5-20
The ‘seassignprimarytokenprivilege’ grants the right to replace the process security token of a child process. These rights are granted to Local Service and Network Service. This can be used to launch processes as another user, providing the ability to hide inappropriate activity on a system.
4.4.2.36 Restore files and directories
serestoreprivilege = *S-1-5-32-544
The ‘serestoreprivilege’ grants the right to bypass permissions when restoring objects. This policy grants privileges to Administrators only. Due to the nature of the restore process, rights are restricted to accounts that are required to use it.
4.4.2.37 Shut down the system
seshutdownprivilege = *S-1-5-32-544
The ‘seshutdownprivilege’ grants the right to shut down the system locally. This policy grants the right to Administrators only. By restricting this privilege, the threat of inadvertent or malicious shutdowns is reduced.
4.4.2.38 Synchronize directory service data
sesyncagentprivilege =
The ‘sesyncagentprivilege’ grants the right to read all objects and properties in the Directory. This policy revokes all privilege. Information gained from the Active Directory can be used to form an attack against the system.
4.4.2.39 Take ownership of files or other objects
setakeownershipprivilege = *S-1-5-32-544
The ‘setakeownershipprivilege’ grants the right to take ownership of any securable object in the system. The act of changing ownership will be recorded in the logs. This policy grants privileges to Administrators only.
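An added Python audit, not code from the guide or from Microsoft, that parses a security template in the .inf layout imported in section 4.1 and compares its [System Access] and [Privilege Rights] entries with the values documented in 4.3 and 4.4.2. The sample template is constructed and deliberately deviates in two places; the section names are the standard template section names, while the function names are the example’s own.

```python
"""Audit a Windows security template (.inf) against the ITSG-20 baseline."""
from typing import Dict, List, Tuple

# Constructed sample in the layout the "Import Policy" step consumes. Real
# templates are UTF-16LE on disk; decode them before passing the text in.
# MaximumPasswordAge and SeDebugPrivilege deliberately deviate from the guide.
SAMPLE_TEMPLATE = """
[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ResetLockoutCount = 15
LockoutDuration = 15
ClearTextPassword = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeTcbPrivilege =
SeDebugPrivilege = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-551,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Expected values transcribed from sections 4.3 and 4.4.2 of the guide.
BASELINE: Dict[str, Dict[str, str]] = {
    "System Access": {
        "PasswordHistorySize": "24",
        "MaximumPasswordAge": "42",
        "MinimumPasswordAge": "2",
        "MinimumPasswordLength": "8",
        "PasswordComplexity": "1",
        "ClearTextPassword": "0",
        "LockoutDuration": "15",
        "LockoutBadCount": "10",
        "ResetLockoutCount": "15",
    },
    "Privilege Rights": {
        "SeNetworkLogonRight": "*S-1-5-11,*S-1-5-32-544",
        "SeTcbPrivilege": "",
        "SeDebugPrivilege": "",
        "SeInteractiveLogonRight": "*S-1-5-32-551,*S-1-5-32-544",
    },
}

Finding = Tuple[str, str, str, str]  # (section, key, expected, actual)


def parse_template(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like template into {section: {key: value}}. Names are
    lower-cased because Windows matches them case-insensitively. An empty value
    ("SeTcbPrivilege =") grants the right to no one; a missing key is different."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def _normalise(section: str, value: str) -> str:
    """Privilege rights are SID lists: compare them as sorted sets."""
    if section == "privilege rights":
        return ",".join(sorted(s.strip() for s in value.split(",") if s.strip()))
    return value.strip().strip('"')


def audit(text: str) -> List[Finding]:
    """Return one finding per baseline key that is missing or differs."""
    parsed = parse_template(text)
    findings: List[Finding] = []
    for section, expected_keys in BASELINE.items():
        sec = section.lower()
        actual_section = parsed.get(sec, {})
        for key, expected in expected_keys.items():
            actual = actual_section.get(key.lower())
            if actual is None:
                findings.append((section, key, expected, "<missing>"))
            elif _normalise(sec, actual) != _normalise(sec, expected):
                findings.append((section, key, expected, actual))
    return findings


if __name__ == "__main__":
    for section, key, expected, actual in audit(SAMPLE_TEMPLATE):
        print(f"[{section}] {key}: expected '{expected}', found '{actual}'")
```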
4.4.3 Security Options
This section includes values for all entries in the Security Options section of the policy GUI. It incorporates entries in the Security Options section of the Domain Policy as well as the Member Server Baseline. Please note all values are explicitly defined. This ensures that security is not dependent on default values.
4.4.3.1 Accounts: Administrator account status
EnableAdminAccount = 0
The ‘EnableAdminAccount’ determines if the local administrator account is enabled. The setting ‘0’ disables the local administrator account. This prevents widespread use and removes it as a target for attack.
4.4.3.2 Accounts: Guest account status
EnableGuestAccount = 0
The ‘EnableGuestAccount’ determines if the local guest account is enabled. The setting ‘0’ disables the local guest account. This prevents widespread use and removes it as a target for attack.
4.4.3.3 Accounts: Limit local account use of blank passwords to console logon only
machine \system \currentcontrolset \control \lsa \limitblankpassworduse=4, 1
The ‘limitblankpassworduse’ registry value determines if local accounts with blank passwords can be used to logon remotely. The setting ‘1’ disallows accounts with blank passwords to logon remotely. This ensures remote access requires an account name and password.
4.4.3.4 Accounts: Rename administrator account
NewAdministratorName = "johnsmith"
The ‘NewAdministratorName’ keyword sets the local administrator account name. The setting ‘johnsmith’ renames the local administrator account to johnsmith. Renaming the local administrator account makes it difficult for an attacker to misuse it.
NOTE: This keyword should be omitted if a policy to rename the Administrator account on each system is enforced. If not, then at a minimum change it from ‘johnsmith’ to a local value.
4.4.3.5 Accounts: Rename guest account
NewGuestName = "janesmith"
The ‘NewGuestName’ keyword sets the local guest account name. The setting ‘janesmith’ renames the local guest account to janesmith. Renaming the account makes it more difficult for an attacker to misuse it.
NOTE: This keyword should be omitted if a policy to rename the Guest account on each system is enforced. If not, then at a minimum change it from ‘janesmith’ to a local value.
4.4.3.6 Audit: Audit the access of global system objects
machine \system \currentcontrolset \control \lsa \auditbaseobjects=4, 0
The ‘auditbaseobjects’ registry setting determines if access to global system objects is audited. The setting ‘0’ disables audit access to global objects.
4.4.3.7 Audit: Audit the use of Backup and Restore privilege
machine \system \currentcontrolset \control \lsa \fullprivilegeauditing=3, 0
The ‘fullprivilegeauditing’ determines if the system will audit the Backup and Restore privilege. The setting ‘0’ disables the audit of Backup and Restore privilege.
4.4.3.8 Audit: Shut down system immediately if unable to log security audits
machine \system \currentcontrolset \control \lsa \crashonauditfail=4, 1
The ‘crashonauditfail’ registry value determines system behaviour when it fails to log security events. The setting ‘1’ shuts the system down when it cannot log. The government requires that comprehensive log data be carefully maintained. As a result, if the log files are full the system must not process further transactions.
4.4.3.9 Devices: Allow undock without having to log on
machine \software \microsoft \windows \currentversion \policies \system \undockwithoutlogon=4, 0
The ‘undockwithoutlogon’ registry value determines if a portable computer can undock without logon. The setting ‘0’ disallows the computer to be undocked without logon.
4.4.3.10 Devices: Allowed to format and eject removable media
machine \software \microsoft \windows nt \currentversion \winlogon \allocatedasd=1,"0"
The ‘allocatedasd’ registry value determines who can format and eject removable media. The setting ‘0’ permits Administrators to format and eject removable media. Because removable media can carry large quantities of data (e.g. entire databases) off the system, this ability should be restricted to trusted individuals.
4.4.3.11 Devices: Prevent users from installing printer drivers
services \servers \addprinterdrivers=4, 1
The ‘addprinterdrivers’ registry value determines if users can add printer drivers. The setting ‘1’ prevents users from adding print drivers. This helps prevent the threat of users running malicious code in a privileged state.
4.4.3.12 Devices: Restrict CD-ROM access to locally logged-on user only
machine \software \microsoft \windows nt \currentversion \winlogon \allocatecdroms=1,"1"
The ‘allocatecdroms’ registry value determines if the CD-ROM is equally accessible to local and remote users. The setting ‘1’ restricts remote access to the CD-ROM when in use by a local user.
NOTE: The setting allows remote authorized users to access the CD-ROM if no one is logged on locally.
4.4.3.13 Devices: Restrict floppy access to locally logged-on user only
machine \software \microsoft \windows nt \currentversion \winlogon \allocatefloppies=1,"1"
The ‘allocatefloppies’ registry value determines if the floppy drive is simultaneously accessible to local and remote users. The setting ‘1’ restricts remote access to when in use by a local user.
NOTE: This setting allows remote access to the floppy drive if no one is logged on as a local user.
4.4.3.14 Devices: Unsigned driver installation behavior
machine \software \microsoft \driver signing \policy=3, 1
The ‘policy’ registry value defines the unsigned driver installation behavior. The setting ‘1’ warns the user before the driver is installed. If this option is enforced, only drivers approved by the Windows Hardware Quality Lab (WHQL) are eligible. The decision to install drivers not found within WHQL is left to the Administrator.
4.4.3.15 Domain controller: Allow server operators to schedule tasks
machine \system \currentcontrolset \control \lsa \submitcontrol=4, 0
The ‘submitcontrol’ registry value determines if system operators can schedule tasks. The setting ‘0’ prevents system operators from scheduling tasks. A sufficient number of tasks can lead to a DoS condition.
4.4.3.16 Domain controller: LDAP server signing requirements
machine \system \currentcontrolset \services \ntds \parameters \ldapserverintegrity=4, 2
The ‘ldapserverintegrity’ registry value determines if the LDAP server requires a signature to negotiate with LDAP clients. The setting ‘2’ requires a client signature. Unsigned data is susceptible to man-in-the-middle attacks. This setting helps prevent session hijack.
4.4.3.17 Domain controller: Refuse machine account password changes
machine \system \currentcontrolset \services \netlogon \parameters \refusepasswordchange=4, 0
The ‘refusepasswordchange’ registry setting determines if domain controllers accept changes to computer account passwords. The setting ‘0’ allows changing of computer account passwords. Regularly changed passwords reduce the threat of effective brute-force attacks.
4.4.3.18 Domain member: Digitally encrypt or sign secure channel data (always)
machine \system \currentcontrolset \services \netlogon \parameters \requiresignorseal=4, 1
The ‘requiresignorseal’ registry value determines if the domain member will encrypt or sign secure channel data always. The setting ‘1’ encrypts or signs secure channel data. This setting prevents legacy systems (pre-Windows 2000) from joining a Domain.
4.4.3.19 Domain member: Digitally encrypt secure channel data (when possible)
machine \system \currentcontrolset \services \netlogon \parameters \sealsecurechannel=4, 1
The ‘sealsecurechannel’ registry value determines if a domain member requests encryption of all secure channel data. The setting ‘1’ requests encryption of all secure channel data. By encrypting Secure Channel data, the system prevents sensitive information being sent in the clear. This limits an attacker’s ability to gather information for an attack.
4.4.3.20 Domain member: Digitally sign secure channel data (when possible)
machine \system \currentcontrolset \services \netlogon \parameters \signsecurechannel=4, 1
The ‘signsecurechannel’ registry value determines if a system will sign secure channel data when possible. The setting ‘1’ enables the signing of secure channel data when possible. Unsigned data is susceptible to man-in-the-middle attack. By enabling this setting, the client is protected from session hijack.
4.4.3.21 Domain member: Disable machine account password changes
machine \system \currentcontrolset \services \netlogon \parameters \disablepasswordchange=4, 0
The ‘disablepasswordchange’ registry value determines if a domain controller will accept machine account password changes. The setting ‘0’ allows machine account password changes. If the password change were disallowed, the systems could not change their computer passwords. This would leave them susceptible to password-guessing attacks.
4.4.3.22 Domain member: Maximum machine account password age
machine \system \currentcontrolset \services \netlogon \parameters \maximumpasswordage=4, 42
The ‘maximumpasswordage’ registry value determines the maximum number days between password changes. The setting ‘42’ requires the password to be changed at least every forty-two days. This ensures the password is changed often to thwart password-guessing attacks.
4.4.3.23 Domain member: Require strong (Windows 2000 or later) session key
machine \system \currentcontrolset \services \netlogon \parameters \requirestrongkey=4, 1
The ‘requirestrongkey’ registry value determines if a domain member establishes secure channel communications requiring 128-bit encryption. The setting ‘1’ requires 128-bit encryption of the secure channel. If disabled, the client must negotiate key strength with the Domain Controller. This setting ensures the highest level of protection for secure channel data.
4.4.3.24 Interactive logon: Do not display last user name
machine \software \microsoft \windows \currentversion \policies \system \dontdisplaylastusername =4, 1
The ‘dontdisplaylastusername’ registry value determines if the system provides a logon screen with the last username that logged on. The setting ‘1’ does not display the last username. This setting withholds vital information to prevent attacks.
4.4.3.25 Interactive logon: Do not require CTRL+ALT+DEL
machine \software \microsoft \windows \currentversion \policies \system \disablecad=4, 0
The ‘disablecad’ registry value determines if CTRL+ALT+DEL is required before a user logs on. The setting ‘0’ requires CTRL+ALT+DEL to initiate logon. Windows logon security is predicated on the CTRL+ALT+DEL secure attention sequence: it is trapped by the operating system and cannot be intercepted by a user-mode program, so it helps thwart Trojan Horse programs that mimic the logon screen to capture passwords.
4.4.3.26 Interactive logon: Message text for users attempting to logon
machine \software \microsoft \windows \currentversion \policies \system \legalnoticetext=7, DEPARTMENTAL TEXT FOR USER LOGON MUST BE SUPPLIED
The ‘legalnoticetext’ registry value is presented to the user prior to entry of username and password. The value shown is the text presented. This may help an organization in the event of legal proceedings.
4.4.3.27 Interactive logon: Message title for users attempting to logon
machine \software \microsoft \windows \currentversion \policies \system \legalnoticecaption=1,"DEPARTMENTAL TEXT FOR USER LOGON MUST BE SUPPLIED"
The ‘legalnoticecaption’ registry value is presented to the user as the title of the window that contains the ‘legalnoticetext’ text. The value shown is the text presented. This may help an organization in the event of legal proceedings.
4.4.3.28 Interactive logon: Number of previous logons to cache (in case domain controller is not available)
machine \software \microsoft \windowsnt \currentversion \winlogon \cachedlogonscount=1,"0"
The ‘cachedlogonscount’ registry value determines the number of unique users whose logon information is cached locally. The setting ‘0’ caches no logon information, so every interactive logon must be validated by a domain controller. This ensures the user establishes a current security token with the domain controller and prevents an account that has since been disabled from logging on with cached credentials.
4.4.3.29 Interactive logon: Prompt user to change password before expiration
machine \software \microsoft \windowsnt \currentversion \winlogon \passwordexpirywarning=4, 14
The ‘passwordexpirywarning’ registry value determines how many days in advance the user is notified of password expiration. This setting warns the user 14 days before password expiry. The user will continue to be reminded until the password expiry date.
4.4.3.30 Interactive logon: Require Domain Controller authentication to unlock workstation
machine \software \microsoft \windows nt \currentversion \winlogon \forceunlocklogon=4, 1
The ‘forceunlocklogon’ registry value determines if a domain controller must be contacted to unlock a locked computer. The setting ‘1’ requires contact with a domain controller, so the unlock is validated against the current state of the account rather than cached credentials. This prevents an account that has since been disabled, or whose password has since been changed, from unlocking the workstation.
4.4.3.31 Interactive logon: Require smart card
machine \software \microsoft \windows \currentversion \policies \system \scforceoption=4, 0
The ‘scforceoption’ registry value determines if a smart card is required to logon. The setting ‘0’ does not require a smart card to logon. The majority of servers will not require two-factor authentication. If this capability were a requirement, it should be enabled during the application of a role specific policy.
4.4.3.32 Interactive logon: Smart card removal behaviour
machine \software \microsoft \windowsnt \currentversion \winlogon \scremoveoption=1,"1"
The ‘scremoveoption’ registry value determines system behaviour when a smart card is removed. The setting ‘1’ locks the workstation when the card is removed. This ensures a session authenticated with a smart card cannot be used once the card holder has left, preserving accountability for transactions performed in that session.
4.4.3.33 Microsoft network client: Digitally sign communications (always)
machine \system \currentcontrolset \services \lanmanworkstation \parameters \requiresecuritysignature=4, 1
The ‘requiresecuritysignature’ registry value under the lanmanworkstation key determines if the SMB client requires packet signing. The setting ‘1’ requires packet signing for every SMB session the client establishes; the client will not connect to a server that cannot sign. Signing authenticates each packet to both ends of the session, which may prevent man-in-the-middle attacks and eliminate session hijacking. Legacy (i.e. pre-Windows 2000) systems cannot support this requirement.
4.4.3.34 Microsoft network client: Digitally sign communications (if server agrees)
machine \system \currentcontrolset \services \lanmanworkstation \parameters \enablesecuritysignature=4, 1
The ‘enablesecuritysignature’ registry value determines if an SMB client attempts to negotiate SMB packet signing (if the server agrees). The setting ‘1’ causes the client to negotiate SMB signing. This setting provides for mutual authentication. This may prevent man-in-the-middle attacks and eliminate session hijacking. Legacy systems (i.e. Pre-Windows 2000) cannot support this requirement.
4.4.3.35 Microsoft network client: Send unencrypted password to third-party SMB servers
machine \system \currentcontrolset \services \lanmanworkstation \parameters \enableplaintextpassword=4, 0
The ‘enableplaintextpassword’ registry value determines if an SMB client sends plain text passwords to non-Microsoft SMB servers. The setting ‘0’ disables the use of clear-text passwords. The use of non-Microsoft SMB servers that do not accept encrypted passwords is disallowed in a High Security environment. Password security must always be enforced.
4.4.3.36 Microsoft network server: Amount of idle time required before suspending session
machine \system \currentcontrolset \services \lanmanserver \parameters \autodisconnect=4, 15
The ‘autodisconnect’ registry setting defines the amount of idle time in minutes before an SMB session is suspended. The setting ‘15’ suspends the SMB session after fifteen minutes of idle time. An idle session consumes resources. Attackers could set up sessions consuming resources to initiate a DoS attack. Additionally, idle sessions can cause SMB services to become slow or unresponsive.
4.4.3.37 Microsoft network server: Digitally sign communications (always)
machine \system \currentcontrolset \services \lanmanserver \parameters \requiresecuritysignature =4, 1
The ‘requiresecuritysignature’ registry value determines if the server will always sign SMB communications. The setting ‘1’ always digitally signs SMB communications. This setting provides mutual authentication for all communication. Mutual authentication may prevent man-in-the-middle attacks and eliminate session hijacking. Legacy (i.e. Pre-Windows 2000) systems cannot support this requirement.
4.4.3.38 Microsoft network server: Digitally sign communications (if client agrees)
machine \system \currentcontrolset \services \lanmanserver \parameters \enablesecuritysignature= 4, 1
The ‘enablesecuritysignature’ registry value determines if the server signs SMB communications when the client agrees. The setting ‘1’ negotiates signing with each client. This setting provides mutual authentication for all communication. Mutual authentication may prevent man-in-the-middle attacks and eliminate session hijacking. Legacy (i.e. pre-Windows 2000) systems cannot support this requirement.
4.4.3.39 Microsoft network server: Disconnect clients when logon hours expire
machine \system \currentcontrolset \services \lanmanserver \parameters \enableforcedlogoff=4, 1
The ‘enableforcedlogoff’ registry value determines if a network connected user is disconnected outside of their hours of operation. The setting ‘1’ disconnects the user when logged on outside of their hours of operation.
4.4.3.40 Network access: Allow anonymous SID/Name translation
LSAAnonymousNameLookup = 0
The ‘LSAAnonymousNameLookup’ keyword determines if the system allows anonymous SID/name translation. The setting ‘0’ prevents anonymous users from performing the translation. If enabled, an anonymous user could translate a well-known SID (for example that of the built-in Administrator account, whose relative identifier is always 500) to its current account name, even if the account has been renamed, and then use that name to initiate a password-guessing attack.
4.4.3.41 Network access: Do not allow anonymous enumeration of SAM accounts
machine \system \currentcontrolset \control \lsa \restrictanonymoussam=4, 1
The ‘restrictanonymoussam’ registry value determines if anonymous enumeration of SAM accounts is permitted. The setting ‘1’ disallows anonymous enumeration of SAM accounts. The enumeration maps account names to a corresponding SID. When the SID is known, local Guest and Administrator accounts are exposed. Once identified, they are open to password guessing attacks.
4.4.3.42 Network access: Do not allow anonymous enumeration of SAM accounts and shares
machine \system \currentcontrolset \control \lsa \restrictanonymous=4, 1
The ‘restrictanonymous’ registry value determines if anonymous enumeration of SAM accounts and shares is permitted. The setting ‘1’ disallows anonymous enumeration of SAM accounts and shares. The enumeration maps account names to a corresponding SID. When the SID is known, local Guest and Administrator accounts are exposed. Once identified, they are open to password guessing attacks.
4.4.3.43 Network access: Do not allow storage of credentials or .NET Passports for network authentication
machine \system \currentcontrolset \control \lsa \disabledomaincreds=4, 1
The ‘disabledomaincreds’ registry value determines if passwords, credentials or Microsoft .NET passports are saved after initial domain authentication. The setting ‘1’ does not perform the save.
4.4.3.44 Network access: Let Everyone permissions apply to anonymous users
machine \system \currentcontrolset \control \lsa \everyoneincludesanonymous=4, 0
The ‘everyoneincludesanonymous’ value determines what additional permissions are granted for anonymous connections to a computer. The setting ‘0’ grants no additional permissions to anonymous users. This ensures unauthenticated users do not inherit the rights of the ‘everyone’ group.
4.4.3.45 Network access: Named Pipes that can be accessed anonymously
machine \system \currentcontrolset \services \lanmanserver \parameters \nullsessionpipes=7,
The ‘nullsessionpipes’ value defines anonymous access to named pipes. The empty setting disallows anonymous access to named pipes. This ensures all system access is authorized.
4.4.3.46 Network access: Remotely accessible registry paths
machine \system \currentcontrolset \control \securepipeservers \winreg \allowedexactpaths \machine=7,
The ‘allowedexactpaths \machine’ registry value defines which registry paths can be accessed over the network. This Baseline configuration has no requirement for remotely accessible registry information.
4.4.3.47 Network access: Remotely accessible registry paths and Sub-paths
machine \system \currentcontrolset \control \securepipeservers \winreg \allowedpaths \machine=7,
The ‘allowedpaths \machine’ registry value defines registry paths and sub-paths that can be accessed over the network. This Baseline configuration has no requirement for remotely accessible registry information.
4.4.3.48 Network access: Restrict anonymous access to Named Pipes and Shares
machine \system \currentcontrolset \services \lanmanserver \parameters \restrictnullsessaccess=4, 1
The ‘restrictnullsessaccess’ registry value determines if anonymous access is allowed to named pipes and shares. The setting ‘1’ disallows anonymous access to named pipes and shares. Access to resources is predicated on authorization for that resource. If anonymous access is granted, there would be no ability to identify who is accessing the objects.
4.4.3.49 Network access: Shares that can be accessed anonymously
machine \system \currentcontrolset \services \lanmanserver \parameters \nullsessionshares=7,
The ‘nullsessionshares’ registry value defines which shares can be accessed anonymously over the network. The empty setting disallows anonymous access to any share. All system access should be authorized. Anonymous access prevents accurate authorization of shares.
4.4.3.50 Network access: Sharing and security model for local accounts
machine \system \currentcontrolset \control \lsa \forceguest=4, 0
The ‘forceguest’ registry value determines the sharing and security model for local accounts. The setting ‘0’ requires user authentication to access resources. This allows individual access to be audited.
4.4.3.51 Network security: Do not store LAN Manager hash value on next password change
machine \system \currentcontrolset \control \lsa \nolmhash=4, 1
The ‘nolmhash’ registry value determines if the LAN Manager (LM) hash of a password is stored at the next password change. The setting ‘1’ does not store the LM hash. The LM hash is computed from the upper-cased password split into two 7-character halves, so it is trivially cracked by anyone who obtains the SAM or Active Directory database; withholding it removes that exposure.
NOTE: The LM hash is only removed when a password is changed, so after enabling this setting all passwords must be changed for it to take effect.
4.4.3.52 Network Security: Force logoff when logon hours expire
ForceLogoffWhenHourExpire = 1
The ‘ForceLogoffWhenHourExpire’ keyword determines if locally logged-on users are disconnected when working outside of their defined hours. The setting ‘1’ disconnects the user outside of those hours. Hours are defined in the “Active Directory Users and Computers” interface for domain accounts and in the “Computer Management” / “Local Users and Groups” interface for local accounts. Accounts should be created with restrictions on hours of access; we recommend enforcement through disconnection outside the specified hours.
4.4.3.53 Network security: LAN Manager authentication level
machine \system \currentcontrolset \control \lsa \lmcompatibilitylevel=4, 5
The ‘lmcompatibilitylevel’ value determines the level of LAN manager authentication. The setting ‘5’ sends NTLMv2 responses only and refuses LM & NTLM. This setting ensures only the most secure authentication mechanism is permitted.
4.4.3.54 Network security: LDAP client signing requirements
machine \system \currentcontrolset \services \ldap \ldapclientintegrity=4, 1
The ‘ldapclientintegrity’ value determines the signing the LDAP client requires when communicating with LDAP servers. The setting ‘1’ negotiates signing: the client requests it and uses it whenever the server supports it (the setting ‘2’ would refuse connections to servers that do not sign). Negotiated signing reduces the threat of man-in-the-middle attacks on LDAP traffic, although it does not eliminate it against a server that declines to sign.
4.4.3.55 Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
machine \system \currentcontrolset \control \lsa \msv1_0 \ntlmminclientsec=4, 537395248
The ‘ntlmminclientsec’ value defines the minimum session security for NTLM SSP based (including secure RPC) clients. The setting ‘537395248’ enables all options, as recommended. This requires message integrity, confidentiality, NTLMv2 session security and 128-bit encryption be used for logon.
4.4.3.56 Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
machine \system \currentcontrolset \control \lsa \msv1_0 \ntlmminserversec=4, 537395248
The ‘ntlmminserversec’ registry value defines the minimum session security for NTLM SSP based (including secure RPC) servers. The setting ‘537395248’ enables all options, as recommended. This requires message integrity, confidentiality, NTLMv2 session security and 128-bit encryption be used for logon.
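The two values above are bitmasks rather than simple switches, and a system that sets only some of the bits will still report a non-zero value. The following PowerShell is an added example, not part of the CSE guide: it decodes a NtlmMinClientSec or NtlmMinServerSec value into the four requirements listed in sections 4.4.3.55 and 4.4.3.56 and reports which required flags a live system is missing. The flag constants are the NTLMSSP negotiate flags these registry values are built from; the function and variable names are this example's own.

```powershell
# Added example (not part of the CSE guide): decode and verify the
# NtlmMinClientSec / NtlmMinServerSec bitmask from sections 4.4.3.55 and 4.4.3.56.
# Flag values are the NTLMSSP negotiate flags; names below are this example's own.

$NtlmSessionFlags = @{
    0x00000010 = 'Require message integrity'
    0x00000020 = 'Require message confidentiality'
    0x00080000 = 'Require NTLMv2 session security'
    0x20000000 = 'Require 128-bit encryption'
}
# 0x20080030 = 537395248, the value the guide recommends for both client and server.
$RecommendedNtlmMinSec = 0x20080030

function ConvertFrom-NtlmMinSec {
    param([Parameter(Mandatory=$true)][int64]$Value)
    # Names of every recognised flag set in $Value, lowest bit first.
    foreach ($bit in ($NtlmSessionFlags.Keys | Sort-Object)) {
        if (($Value -band $bit) -ne 0) { $NtlmSessionFlags[$bit] }
    }
}

function Get-MissingNtlmFlags {
    param([int64]$Actual, [int64]$Expected = $RecommendedNtlmMinSec)
    # Flags required by $Expected that $Actual does not set.
    foreach ($bit in ($NtlmSessionFlags.Keys | Sort-Object)) {
        if ((($Expected -band $bit) -ne 0) -and (($Actual -band $bit) -eq 0)) { $NtlmSessionFlags[$bit] }
    }
}

function Test-NtlmMinSec {
    param([ValidateSet('NtlmMinClientSec','NtlmMinServerSec')][string]$Name)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    # An absent value behaves as 0: no minimum session security is enforced.
    $actual = 0
    if ($item) { $actual = ([int64]$item.$Name) -band 0xFFFFFFFF }
    New-Object PSObject -Property @{
        Name      = $Name
        Actual    = ('0x{0:X8}' -f $actual)
        Enforced  = ((ConvertFrom-NtlmMinSec $actual) -join '; ')
        Missing   = ((Get-MissingNtlmFlags -Actual $actual) -join '; ')
        Compliant = (($actual -band $RecommendedNtlmMinSec) -eq $RecommendedNtlmMinSec)
    }
}

ConvertFrom-NtlmMinSec 537395248      # lists the four requirements the guide describes
'NtlmMinClientSec', 'NtlmMinServerSec' | ForEach-Object { Test-NtlmMinSec $_ } | Format-List
```

Because the check is bitwise, a value such as 0x20000000 (128-bit encryption only) is correctly reported as non-compliant with the three other requirements listed as missing, which a plain numeric comparison would also catch but without saying what is absent.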
4.4.3.57 Recovery console: Allow automatic administrative logon
machine \software \microsoft \windowsnt \currentversion \setup \recoveryconsole \securitylevel=4, 0
The ‘securitylevel’ value determines if the Recovery Console logs on automatically without the Administrator password. The setting ‘0’ requires the Administrator password. Allowing automatic logon would give anyone with physical access and boot media a privileged console on the server; this is not recommended.
4.4.3.58 Recovery console: Allow floppy copy and access to all drives and all folders
machine \software \microsoft \windowsnt \currentversion \setup \recoveryconsole \setcommand=4, 0
The ‘setcommand’ registry value determines if the Recovery Console ‘SET’ command is available. The setting ‘0’ disables the ‘SET’ command, so the console options that permit copying files to removable media and accessing all drives and folders cannot be turned on.
4.4.3.59 Shutdown: Allow system to be shut down without having to log on
machine \software \microsoft \windows \currentversion \policies \system \shutdownwithoutlogon=4, 0
The ‘shutdownwithoutlogon’ registry value determines if the system can be shutdown without the user logged on. The setting ‘0’ requires the user to logon. This ensures only authorized users may shut down the system.
4.4.3.60 Shutdown: Clear virtual memory page file
machine \system \currentcontrolset \control \session manager \memory management \clearpagefileatshutdown=4, 1
The ‘clearpagefileatshutdown’ value determines if page file contents are overwritten on a clean shutdown. The setting ‘1’ causes the page file to be cleared on a normal shutdown. Sensitive system and user information (including passwords and key material that were paged out of memory) may be contained in the page file. By ensuring it is cleared, the risk that this information is available to an attacker with offline access to the disk is reduced.
4.4.3.61 System cryptography: Force strong key protection for user keys stored on the computer
machine \software \policies \microsoft \cryptography \forcekeyprotection=4, 2
The ‘forcekeyprotection’ value determines if user private keys (e.g. S/MIME signing keys) require a password each time they are used. The setting ‘2’ requires entry of a password each time a private key is used. This ensures key material is used only with the owner’s knowledge, even if an attacker gains control of the user’s session.
4.4.3.62 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
machine \system \currentcontrolset \control \lsa \fipsalgorithmpolicy=4, 1
The ‘fipsalgorithmpolicy’ registry value determines if the Transport Layer Security / Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. The setting ‘1’ restricts the provider to that cipher suite. In the Federal Government, this setting is required for all servers to remain compliant with cryptographic policies.
4.4.3.63 System objects: Default owner for objects created by members of the Administrators group
machine \system \currentcontrolset \control \lsa \nodefaultadminowner=4, 1
The ‘nodefaultadminowner’ value determines if objects created by members of the Administrators group are owned by the group or the object creator. The setting ‘1’ makes objects owned by the creator. This ensures actions of an individual administrator can be isolated and audited.
4.4.3.64 System objects: Require case insensitivity for non-Windows subsystems
machine \system \currentcontrolset \control \session manager \kernel \obcaseinsensitive=4, 1
The ‘obcaseinsensitive’ value determines if case insensitivity is required for non-Windows subsystems. The setting ‘1’ requires case insensitivity for non-Windows subsystems. This disables the ability for non-Windows sub-systems to create files that are inaccessible to the Windows system. It also disables the ability to block access to other files with the same name in upper case.
4.4.3.65 System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
machine \system \currentcontrolset \control \session manager \protectionmode=4, 1
The ‘protectionmode’ registry setting determines if permissions on internal system objects (e.g. symbolic links) are strengthened. The setting ‘1’ strengthens protection on internal system objects: non-administrators can read shared objects they did not create, but cannot modify them.
4.4.3.66 System settings: Optional subsystems
machine \system \currentcontrolset \control \session manager \subsystems \optional=7,
The ‘optional’ value defines which subsystems are used to support applications. The empty setting disallows any optional subsystems. The use of sub-systems should be justified with operational requirements. Unless required, no subsystem should be enabled.
4.4.3.67 Use Certificate Rules on Windows Executables for Software Restriction Policies
machine \software \policies \microsoft \windows \safer \codeidentifiers \authenticodeenabled=4, 0
The ‘authenticodeenabled’ value determines the use of certificate rules on Windows executables for software restriction policies. The setting ‘0’ does not use certificate rules on Windows executables for software restriction policies.
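The settings in section 4.4.3 are written in the notation of a security template: the path under the machine hive, the value name, the registry data type and the expected data. The following PowerShell is an added example, not part of the CSE guide: it reads lines in that notation and compares each entry with the live registry of the host it runs on, so the guide's own text can be used as the audit input. The type codes are the ones used throughout section 4.4.3 (1 = REG_SZ, 4 = REG_DWORD, 7 = REG_MULTI_SZ); the sample lines are copied from the guide, and the function names and the table of key names whose spaces were lost in extraction are this example's own.

```powershell
# Added example (not part of the CSE guide): parse the guide's
# "machine \key \value=type, data" lines and compare them with the live registry.
# Type codes: 1 = REG_SZ, 4 = REG_DWORD, 7 = REG_MULTI_SZ. Names are this example's own.

$BaselineText = @'
machine \system \currentcontrolset \control \lsa \lmcompatibilitylevel=4, 5
machine \system \currentcontrolset \control \lsa \nolmhash=4, 1
machine \system \currentcontrolset \control \lsa \restrictanonymous=4, 1
machine \system \currentcontrolset \services \lanmanworkstation \parameters \requiresecuritysignature=4, 1
machine \system \currentcontrolset \services \lanmanserver \parameters \nullsessionpipes=7,
machine \software \microsoft \windowsnt \currentversion \winlogon \cachedlogonscount=1,"0"
'@

# Key names whose internal spaces were lost when the guide was extracted from PDF.
$KeyNameFixups = @{ 'windowsnt' = 'Windows NT'; 'sessionmanager' = 'Session Manager'; 'memorymanagement' = 'Memory Management' }

function ConvertFrom-BaselineLine {
    param([Parameter(Mandatory=$true)][string]$Line)
    $eq = $Line.IndexOf('=')
    if ($eq -lt 0) { return $null }
    $parts = ($Line.Substring(0, $eq) -replace '\s', '').Split('\')
    if ($parts[0] -ne 'machine' -or $parts.Length -lt 3) { return $null }
    $rhs = $Line.Substring($eq + 1).Trim()
    $comma = $rhs.IndexOf(',')
    if ($comma -lt 0) { return $null }
    $keyParts = foreach ($p in $parts[1..($parts.Length - 2)]) {
        if ($KeyNameFixups.ContainsKey($p)) { $KeyNameFixups[$p] } else { $p }
    }
    New-Object PSObject -Property @{
        Key  = 'HKLM:\' + ($keyParts -join '\')
        Name = $parts[$parts.Length - 1]
        Type = [int]$rhs.Substring(0, $comma)
        Data = $rhs.Substring($comma + 1).Trim().Trim('"')
    }
}

function Test-BaselineLine {
    param([Parameter(Mandatory=$true)][string]$Line)
    $b = ConvertFrom-BaselineLine $Line
    if ($b -eq $null) { return }
    $item = Get-ItemProperty -Path $b.Key -Name $b.Name -ErrorAction SilentlyContinue
    $actual = $null
    if ($item -ne $null) { $actual = $item.($b.Name) }
    # A missing value is never compliant: the system default applies instead of the baseline.
    $ok = $false
    if ($actual -ne $null) {
        switch ($b.Type) {
            4 { $ok = ((([int64]$actual) -band 0xFFFFFFFF) -eq [int64]$b.Data) }
            7 {
                # Compare REG_MULTI_SZ as unordered sets; an empty template list means "no entries".
                $exp = @($b.Data -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' } | Sort-Object)
                $act = @($actual | ForEach-Object { "$_".Trim() } | Where-Object { $_ -ne '' } | Sort-Object)
                $ok = (($exp -join '|') -eq ($act -join '|'))
            }
            default { $ok = ([string]$actual -eq $b.Data) }
        }
    }
    New-Object PSObject -Property @{
        Key = $b.Key; Name = $b.Name; Expected = $b.Data; Actual = ($actual -join ','); Compliant = $ok
    }
}

$BaselineText -split "`r?`n" | Where-Object { $_ -match '=' } | ForEach-Object { Test-BaselineLine $_ } |
    Format-Table Name, Expected, Actual, Compliant -AutoSize
```

Any other line from section 4.4.3 can be pasted into the here-string; lines that do not begin with "machine" (such as the LSAAnonymousNameLookup keyword in 4.4.3.40) are skipped because they live in the template's [System Access] section rather than the registry.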
4.5 Event Log
Microsoft guidance indicates that the total size of all event logs should not exceed 300 MB. If this limit is exceeded, the system may fail to record events and may not log that failure.
While the interface allows values up to 4 GB, there is a risk of losing log entries for totals beyond 300 MB. The following policy allocates the full 300 MB between the three event logs (76800 KB + 153600 KB + 76800 KB = 307200 KB).
4.5.1 Log Size
4.5.1.1 Maximum application log size
MaximumLogSize = 76800 (in [Application Log] section)
The ‘MaximumLogSize’ determines the size of the Application event log. The setting ‘76800’ creates a 76800 KB log file. With an average of 500 bytes per event, this log file will accommodate over 153,000 events. This will allow the system to run for an extended period-of-time without having to roll the log file.
NOTE: Due to the wide variety of event loads, we recommend monitoring the log files during the initial operational period.
4.5.1.2 Maximum security log size
MaximumLogSize = 153600 (in [Security Log] section)
The ‘MaximumLogSize’ determines the size of the Security event log. The setting ‘153600’ creates a 153600 KB log file. With an average of 500 bytes per event, this log file will accommodate over 307,200 events. This allows the system to run for an extended period-of-time without having to roll the log file.
NOTE: Due to the wide variety of event loads, we recommend monitoring the log files during the initial operational period.
4.5.1.3 Maximum system log size
MaximumLogSize = 76800 (in [System Log] section)
The ‘MaximumLogSize’ determines the size of the System event log. The setting ‘76800’ creates a 76800 KB log file. With an average of 500 bytes per event, this log file will accommodate over 153,000 events. This allows the system to run for an extended period-of-time without having to roll the log file.
NOTE: Due to the wide variety of event loads, we recommend monitoring the log files during the initial operational period.
4.5.2 Guest Access
4.5.2.1 Prevent local Guests group from accessing Applications, Security, and System logs
RestrictGuestAccess = 1 (in [Application Log] or [Security Log] or [System Log] section)
The ‘RestrictGuestAccess’ keyword determines if accounts with ‘guest’ access can access the log. The setting ‘1’ disallows guest access to the log. Access to log information provides an attacker with valuable information to mount attacks on the system or users. As a result, only users who are authenticated are given access to the log files.
4.5.3 Retention Method
4.5.3.1 Retention method for application, security and system logs
AuditLogRetentionPeriod = 2 (in [Application Log] or [Security Log] or [System Log] section)
The ‘AuditLogRetentionPeriod’ keyword determines the system behaviour when the log is full. The setting ‘2’ means events are never overwritten: the log must be cleared manually by an administrator, and once it is full no further events are recorded (the system does not halt unless ‘Audit: Shut down system immediately if unable to log security audits’ is also enabled). Use of this setting should be consistent with departmental log retention policy, and a procedure for archiving and clearing the logs before they fill is required.
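Because the logs are never overwritten under this policy, the combination of maximum size and event rate determines how often an administrator must archive and clear them. The following PowerShell is an added example, not part of the CSE guide: it compares the three logs on the local host with the sizes and retention method from section 4.5 and estimates how long each log lasts at a given event rate, using the guide's 500-byte planning figure for the average event. The function names and the 400 events per hour used in the usage line are this example's own assumptions.

```powershell
# Added example (not part of the CSE guide): audit the Application, Security and
# System logs against section 4.5 and estimate time-to-full. Names are this example's own.

$EventLogBaseline = @{
    'Application' = 76800    # KB, section 4.5.1.1
    'Security'    = 153600   # KB, section 4.5.1.2
    'System'      = 76800    # KB, section 4.5.1.3
}
# AuditLogRetentionPeriod = 2 in the template corresponds to "do not overwrite events".
$ExpectedOverflow = 'DoNotOverwrite'

function Get-EventLogCapacity {
    param(
        [Parameter(Mandatory=$true)][int]$MaximumKB,
        [int]$AverageEventBytes = 500,      # the guide's planning figure
        [double]$EventsPerHour = 0
    )
    $events = [math]::Floor(($MaximumKB * 1024) / $AverageEventBytes)
    $days = $null
    if ($EventsPerHour -gt 0) { $days = [math]::Round($events / ($EventsPerHour * 24), 1) }
    New-Object PSObject -Property @{ MaximumKB = $MaximumKB; EventCapacity = $events; DaysUntilFull = $days }
}

function Test-EventLogBaseline {
    param([double]$EventsPerHour = 0)
    foreach ($log in (Get-EventLog -List)) {
        if (-not $EventLogBaseline.ContainsKey($log.Log)) { continue }
        $expectedKB = $EventLogBaseline[$log.Log]
        $cap = Get-EventLogCapacity -MaximumKB $log.MaximumKilobytes -EventsPerHour $EventsPerHour
        New-Object PSObject -Property @{
            Log           = $log.Log
            ExpectedKB    = $expectedKB
            ActualKB      = $log.MaximumKilobytes
            SizeMatches   = ($log.MaximumKilobytes -eq $expectedKB)
            Overflow      = [string]$log.OverflowAction
            RetentionOk   = ([string]$log.OverflowAction -eq $ExpectedOverflow)
            EventCapacity = $cap.EventCapacity
            DaysUntilFull = $cap.DaysUntilFull
        }
    }
}

# Assumed rate of 400 events/hour for the estimate; replace it with the figure observed
# during the initial monitoring period the guide recommends.
Test-EventLogBaseline -EventsPerHour 400 |
    Format-Table Log, ExpectedKB, ActualKB, SizeMatches, Overflow, RetentionOk, EventCapacity, DaysUntilFull -AutoSize
```

At the baseline size the Security log holds roughly 314,000 events of 500 bytes; at the assumed 400 events per hour that is about 33 days, which is the interval within which the archive-and-clear procedure must run.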
4.6 System Services
A large number of services are disabled in this guide. With each disabled service, we provide justification for the recommendation. In some cases, a more flexible approach may be needed.
It is important to note that a disabled service may only be required occasionally. For example, the Performance Logs and Alerts service is disabled. However, to help fulfill a specific temporary need, the Administrator could enable a service, resolve an issue, and return the service to the original configuration.
4.6.1 Services Explicitly Covered by Microsoft Guidance
4.6.1.1 Alerter
"alerter", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Alerter service notifies selected users and computers of administrative alerts. This policy disables this service.
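Each service entry above consists of the service name, the start type (2 = automatic, 3 = manual, 4 = disabled) and an SDDL security descriptor that the template applies to the service object. The following PowerShell is an added example, not part of the CSE guide: it decodes the descriptor into per-trustee service rights and compares a service's live start mode and descriptor (as reported by sc.exe sdshow and Win32_Service) with the entry from the guide. The right and trustee abbreviations are the standard SDDL ones for service objects; the function names are this example's own, and the Alerter descriptor is copied from section 4.6.1.1 with the spaces that PDF extraction inserted left in place to show that they are tolerated.

```powershell
# Added example (not part of the CSE guide): decode the SDDL attached to the service
# entries in section 4.6 and compare a live service with its entry. Names are this example's own.

$ServiceRights = @{
    'CC' = 'SERVICE_QUERY_CONFIG';   'DC' = 'SERVICE_CHANGE_CONFIG'
    'LC' = 'SERVICE_QUERY_STATUS';   'SW' = 'SERVICE_ENUMERATE_DEPENDENTS'
    'RP' = 'SERVICE_START';          'WP' = 'SERVICE_STOP'
    'DT' = 'SERVICE_PAUSE_CONTINUE'; 'LO' = 'SERVICE_INTERROGATE'
    'CR' = 'SERVICE_USER_DEFINED_CONTROL'
    'SD' = 'DELETE'; 'RC' = 'READ_CONTROL'; 'WD' = 'WRITE_DAC'; 'WO' = 'WRITE_OWNER'
    'GA' = 'GENERIC_ALL'; 'GR' = 'GENERIC_READ'; 'GW' = 'GENERIC_WRITE'; 'GX' = 'GENERIC_EXECUTE'
}
$Trustees = @{
    'BA' = 'BUILTIN\Administrators'; 'SY' = 'NT AUTHORITY\SYSTEM'; 'IU' = 'NT AUTHORITY\INTERACTIVE'
    'WD' = 'Everyone'; 'AU' = 'NT AUTHORITY\Authenticated Users'
}
$AceTypes = @{ 'A' = 'Allow'; 'D' = 'Deny'; 'AU' = 'Audit' }
# Template start values, named the way Win32_Service.StartMode reports them.
$StartModes = @{ 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

function ConvertFrom-ServiceSddl {
    param([Parameter(Mandatory=$true)][string]$Sddl)
    $clean = $Sddl -replace '\s', ''          # tolerate spaces inserted by PDF extraction
    $saclStart = $clean.IndexOf('S:')
    $acePattern = '\((?<type>[A-Z]+);(?<flags>[A-Z]*);(?<rights>[A-Z]*);;;(?<sid>[^)]+)\)'
    foreach ($m in [regex]::Matches($clean, $acePattern)) {
        $rights = @()
        $r = $m.Groups['rights'].Value
        for ($i = 0; $i + 1 -lt $r.Length; $i += 2) {       # rights are two-letter codes
            $abbr = $r.Substring($i, 2)
            if ($ServiceRights.ContainsKey($abbr)) { $rights += $ServiceRights[$abbr] } else { $rights += "?$abbr" }
        }
        $list = 'DACL'
        if ($saclStart -ge 0 -and $m.Index -gt $saclStart) { $list = 'SACL' }
        $sid = $m.Groups['sid'].Value
        $who = $sid
        if ($Trustees.ContainsKey($sid)) { $who = $Trustees[$sid] }
        New-Object PSObject -Property @{
            List    = $list
            Type    = $AceTypes[$m.Groups['type'].Value]
            Flags   = $m.Groups['flags'].Value      # FA on an audit ACE = log failed access
            Trustee = $who
            Rights  = ($rights -join ', ')
        }
    }
}

function Test-ServiceBaseline {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][int]$StartType,
        [Parameter(Mandatory=$true)][string]$Sddl
    )
    $expected = $Sddl -replace '\s', ''
    # sc.exe sdshow prints the descriptor after a blank line; keep only the SDDL text.
    $live = ((& sc.exe sdshow $Name) | Where-Object { $_ -match '^\s*D:' } | ForEach-Object { $_.Trim() }) -join ''
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    $liveMode = 'absent'
    if ($svc) { $liveMode = $svc.StartMode }
    New-Object PSObject -Property @{
        Service      = $Name
        ExpectedMode = $StartModes[$StartType]
        LiveMode     = $liveMode
        ModeMatches  = ($liveMode -eq $StartModes[$StartType])
        SddlMatches  = ($live -eq $expected)
        LiveSddl     = $live
    }
}

# The Alerter entry from section 4.6.1.1, as extracted (extra spaces included).
$AlerterSddl = 'D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA )(A;;CCDCLCSWRPWPDTLOC RSDRCWDWO;;;SY )(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRS DRCWDWO;;;WD)'
ConvertFrom-ServiceSddl $AlerterSddl | Format-Table List, Type, Flags, Trustee, Rights -AutoSize
Test-ServiceBaseline -Name 'alerter' -StartType 4 -Sddl $AlerterSddl | Format-List
```

Decoding the Alerter descriptor shows the pattern the guide applies to most services: Administrators and SYSTEM receive every service right, interactive users can only query configuration and status, and every failed access by anyone (WD) is audited. A descriptor that does not match can be reapplied with sc.exe sdset, but the start type is what actually prevents the service from running; check both.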
4.6.1.2 Application Layer Gateway Service
"alg", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Application Layer Gateway Service is a subcomponent of the Internet Connection Sharing (ICS) / Internet Connection Firewall (ICF) Service. This supports independent software vendor plug-ins to allow proprietary protocols through the firewall and work behind ICS. This policy disables the service.
4.6.1.3 Application Management
"appmgmt", 4,
"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Application Management provides software installation services. This policy disables the service.
4.6.1.4 ASP .NET State Service
"aspnet_state", 4,
"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The ASP .NET State Service provides support for out-of-process session states for ASP .NET. This policy disables the service.
4.6.1.5 Automatic Updates
"wuauserv", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Automatic Updates service downloads and installs Windows updates. This policy disables the service.
4.6.1.6 Background Intelligent Transfer Service
"bits", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Background Intelligent Transfer Service is used to transfer files asynchronously between a client and an HTTP server. This policy disables the service.
4.6.1.7 Certificate Services
"certsvc", 4,
"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Certificate Services perform core functions for a Certification Authority. This policy disables the service.
4.6.1.8 MS Software Shadow Copy Provider
"swprv", 3,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The MS Software Shadow Copy Provider supports the creation of file shadow copies used to perform system backups. This policy sets the startup to manual for the service.
4.6.1.9 Client Service for Netware
"nwcworkstation", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Client Service for Netware provides access to files and printers on NetWare networks. This policy disables the service.
4.6.1.10 ClipBook
"clipsrv", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Clipbook Service creates and shares ‘pages’ of data that may be viewed by remote users. This policy disables the service.
4.6.1.11 Cluster Service
"clussvc", 4,
"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Cluster Service supports membership in a High Availability environment (Cluster). The service is disabled.
4.6.1.12 COM+ Event System
"eventsystem", 3,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The COM+ Event System Service extends the COM+ programming model with event notification. This policy sets the service startup to manual.
4.6.1.13 COM+ System Application
"comsysapp", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The COM+ System Application Service manages the configuration and tracking of components based on COM+. The service is disabled.
4.6.1.14 Computer Browser
The Computer Browser Service maintains an up-to-date list of the computers on your network.
4.6.1.14.1 Domain Member Baseline
"browser", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
This policy sets service startup to automatic.
4.6.1.14.2 Workgroup Member Baseline
"browser", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
This policy disables service startup.
4.6.1.15 Cryptographic Services
"cryptsvc", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Cryptographic Services provide key management functionality for the computer. This policy sets the service to automatic startup.
4.6.1.16 DHCP Client
The DHCP Client service obtains IP configuration from DHCP servers and registers the computer’s name with DNS servers in the domain.
4.6.1.16.1 Domain Member Baseline
"dhcp", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
This policy sets the service to automatic startup.
4.6.1.16.2 Workgroup Member Baseline
"dhcp", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
This policy disables service startup.
4.6.1.17 DHCP Server
"dhcpserver", 4,
"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The DHCP Server allocates IP addresses. The service is disabled.
4.6.1.18 Distributed File System
"dfs", 4,
"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Distributed File System manages logical volumes across local or wide area networks. The service is disabled.
4.6.1.19 Distributed Link Tracking Client
"trkwks", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Distributed Link Tracking Client Service ensures shortcuts (among others) work after the target has been moved. The service is disabled.
4.6.1.20 Distributed Link Tracking Server
"trksvr", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Distributed Link Tracking Server stores information so files moved between volumes can be tracked. The service is disabled.
4.6.1.21 Distributed Transaction Coordinator
"msdtc", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Distributed Transaction Coordinator Service manages transactions that involve multiple computer systems or resource managers. The service is disabled.
4.6.1.22 DNS Client
The DNS Client Service resolves and caches DNS names.
4.6.1.22.1 Domain Member Server
"dnscache", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
This policy sets the service to automatic startup.
4.6.1.22.2 Workgroup Member Server
"dnscache", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
This policy disables service startup.
4.6.1.23 DNS Server
"dns", 4,
"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The DNS Server responds to queries for DNS names. The service is disabled.
4.6.1.24 Error Reporting Service
"ersvc", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Error Reporting Service collects, stores, and reports unexpected application closures to Microsoft. The service is disabled.
4.6.1.25 Event Log
"eventlog", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Event Log Service records application, security and system events and makes them available to Event Viewer. This policy sets the service to automatic startup.
4.6.1.26 Fax Service
"fax", 4,
"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Fax service provides Fax capabilities. The service is disabled.
4.6.1.27 File Replication
"ntfrs", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The File Replication Service automatically copies and maintains files on multiple Servers. The service is disabled.
4.6.1.28 File Server for Macintosh
"macfile", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Macintosh File Service provides network file access to Macintosh computers. The service is disabled.
4.6.1.29 FTP Publishing Service
"msftpsvc", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA )(A;;CCDCLCSWRPWPDTLOC
RSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The FTP Publishing Service provides connectivity and administration through the IIS snap-in. The service is disabled.
4.6.1.30 Help and Support
"helpsvc", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Help and Support Service enables Help and Support Center to run. The service is disabled.
4.6.1.31 HTTP SSL
"httpfilter", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The HTTP SSL Service provides SSL functions to IIS. The service is disabled.
4.6.1.32 Human Interface Device Access
"hidserv", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Human Interface Device Access service allows use of pre-defined hot buttons. The service is disabled.
4.6.1.33 IAS Jet Database Access
"iasjet", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The IAS Jet Database Access service uses RADIUS to provide authentication, authorization and accounting services. The service is disabled.
4.6.1.34 IIS Admin Service
"iisadmin", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The IIS Admin Service allows administration of IIS components. The service is disabled.
4.6.1.35 IMAPI CD-Burning COM Service
"imapiservice", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The IMAPI CD-Burning Service manages CD burning. The service is disabled.
4.6.1.36 Indexing Service
"cisvc", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Indexing Service indexes file contents and properties. The service is disabled.
4.6.1.37 Infrared Monitor
"irmon", 4,
"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Infrared Monitor service enables file and image sharing through infrared devices. The service is disabled.
4.6.1.38 Internet Authentication Service
"ias", 4,
"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Internet Authentication Service manages network authentication, authorization and accounting. The service is disabled.
4.6.1.39 Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS)
"sharedaccess", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The service is disabled.
4.6.1.40 Intersite Messaging
"ismserv", 4,
"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Intersite Messaging Service is used for mail-based replication. The service is disabled.
4.6.1.41 IP Version 6 Helper Service
"6to4", 4,
"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The IP Version 6 Helper Service offers IPv6 connectivity over an existing IPv4 network. The service is disabled.
4.6.1.42 IPSEC Policy Agent (IPSec Service)
"policyagent", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The IPSEC Policy Agent (IPSec Service) provides encryption services to clients and servers on networks. This policy sets the service to automatic startup.
4.6.1.43 Kerberos Key Distribution Centre
"kdc", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Kerberos Key Distribution Center Service allows user logon using the Kerberos v5 authentication protocol. The service is disabled.
4.6.1.44 License Logging Service
"licenseservice", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The License Logging service records client access licensing information. The service is disabled.
4.6.1.45 Logical Disk Manager
"dmserver", 3,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Logical Disk Manager service detects all new hard drives and sends disk volume information to the Logical Disk Manager Administrative Service. This policy sets the service to manual startup.
4.6.1.46 Logical Disk Manager Administrative Service
"dmadmin", 3,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Logical Disk Manager Administrative service performs requests for disk management. This policy sets the service to manual startup.
4.6.1.47 Message Queuing
"msmq", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Message Queuing Service is the infrastructure and development tool for creating distributed messaging applications. The service is disabled.
4.6.1.48 Message Queuing Down Level Clients
"mqds", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Message Queuing Down Level Clients service provides Active Directory access to Message Queuing clients. The service is disabled.
4.6.1.49 Message Queuing Triggers
"mqtgsvc", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Message Queuing Triggers service provides rule-based analysis of messages arriving in a Message Queuing queue. The service is disabled.
4.6.1.50 Messenger
"messenger", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Messenger Service sends Alerter Service messages between clients and servers. The service is disabled.
4.6.1.51 Microsoft POP3 Service
"pop3svc", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Microsoft POP3 service provides e-mail transfer and retrieval services. The service is disabled.
4.6.1.52 MSSQL$UDDI
"mssql$uddi", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The MSSQL$UDDI service publishes and locates information about web services. The service is disabled.
4.6.1.53 MSSQLServerADHelper
"mssqlserver", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The SQL Server service provides SQL functionality for a server. The service is disabled.
4.6.1.54 .NET Framework Support Service
"corrtsvc", 4,
"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The .NET Framework Support Service notifies a subscribing client when a specified process initializes the Client Runtime Service. The service is disabled.
4.6.1.55 Netlogon
The Netlogon Service authenticates users and services.
4.6.1.56 Domain Member Server
"netlogon", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
This policy sets the service to automatic startup.
4.6.1.57 Workgroup Member Server
"netlogon", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
This policy disables service startup.
4.6.1.58 NetMeeting Remote Desktop Sharing
"mnmsrvc", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The NetMeeting Remote Desktop Sharing Service enables access to a system with NetMeeting. The service is disabled.
4.6.1.59 Network Connections
"netman", 3,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Network Connections Service manages objects in the Network Connections folder. This policy sets the service to manual startup, so the service starts automatically when the Network Connections interface is invoked.
4.6.1.60 Network DDE
"netdde", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The NetDDE Service provides network transport and security for DDE. The service is disabled.
4.6.1.61 Network DDE DSDM
"netddedsdm", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The NetDDE DSDM Service manages DDE network shares. The service is disabled.
4.6.1.62 Network Location Awareness (NLA)
"nla", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Network Location Awareness service collects and stores network information. The service is disabled.
4.6.1.63 Network News Transport Protocol (NNTP)
"nntpsvc", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Network News Transport Protocol (NNTP) service provides news server capabilities. The service is disabled.
4.6.1.64 NTLM Security Support Provider
"ntlmssp", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The NTLM Security Support Provider service provides security to RPC programs. This enables users to log on using NTLM authentication in place of Kerberos. The service is disabled.
4.6.1.65 Performance Logs and Alerts
"sysmonlog", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Performance Logs and Alerts Service collects performance data. The service is disabled.
4.6.1.66 Plug and Play
"plugplay", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Plug and Play service allows a computer to adapt to hardware configuration changes with little user input. The service is disabled.
4.6.1.67 Portable Media Serial Number
"wmdmpmsn", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Portable Media Serial Number service retrieves serial numbers from any portable music player connected to the system. The service is disabled.
4.6.1.68 Print Server for Macintosh
"macprint", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Macintosh Print service provides network printer access to Macintosh computers. The service is disabled.
4.6.1.69 Print Spooler
"spooler", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Spooler service manages local and network print queues and controls all print jobs. The service is disabled.
4.6.1.70 Protected Storage
"protectedstorage", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Protected Storage service protects storage of sensitive information from unauthorized services, processes or users. This policy sets the service to automatic startup.
4.6.1.71 Remote Access Auto Connection Manager
"rasauto", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Remote Access Auto Connection Manager service detects unsuccessful attempts to connect to a remote network or computer and then provides an alternative method of connection. The service is disabled.
4.6.1.72 Remote Access Connection Manager
"rasman", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Remote Access Connection Manager service manages dial-up and VPN connections to a server. The service is disabled.
4.6.1.73 Remote Administration Service
"srvcsurg", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Remote Administration service provides an interface for Remote Server Administration Tools. The service is disabled.
4.6.1.74 Remote Desktop Help Session Manager
"rdsessmgr", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Remote Desktop Help Session Manager service controls the Remote Assistance feature in the Help and Support Center application. The service is disabled.
4.6.1.75 Remote Installation
"binlsvc", 4,
"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Remote Installation Service is a Windows deployment feature. The service is disabled.
4.6.1.76 Remote Procedure Call (RPC)
"rpcss", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Remote Procedure Call (RPC) service is a secure inter-process communication mechanism. This policy sets the service to automatic startup.
4.6.1.77 Remote Procedure Call (RPC) Locator
"rpclocator", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The RPC Locator Service enables RPC clients to locate RPC servers. The service is disabled.
4.6.1.78 Remote Registry Service
"remoteregistry", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Remote Registry service enables remote users to modify registry settings on the system. The service is disabled.
4.6.1.79 Remote Server Manager
"appmgr", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Remote Server Manager service acts as a Windows Management Instrumentation (WMI) instance provider for Remote Administration Alert Objects. It also acts as a WMI method provider for Remote Administration Tasks. The service is disabled.
4.6.1.80 Remote Server Monitor
"appmon", 4,
"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Remote Server Monitor service provides monitoring capability of resources on remotely managed systems. The service is disabled.
4.6.1.81 Remote Storage Notification
"remote_storage_user_link", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Remote Storage Notification service notifies a user when accessing data on secondary storage units. The service is disabled.
4.6.1.82 Remote Storage Server
"remote_storage_server", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Remote Storage Server service stores infrequently used files in secondary storage. The service is disabled.
4.6.1.83 Removable Storage
"ntmssvc", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Removable Storage service maintains a catalogue of information for removable media used by the system. The service is disabled.
4.6.1.84 Resultant Set of Policy Provider
"rsopprov", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Resultant Set of Policy Provider service enables simulation of policy to determine its effects. The service is disabled.
4.6.1.85 Routing and Remote Access
"remoteaccess", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Routing and Remote Access service provides multi-protocol LAN-to-LAN, LAN-to-WAN, and NAT routing services. The service is disabled.
4.6.1.86 SAP Agent
"nwsapagent", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The SAP Agent service advertises services on an IPX network. The service is disabled.
4.6.1.87 Secondary Logon
"seclogon", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Secondary Logon service allows users to create processes in different security contexts. The service is disabled.
4.6.1.88 Security Accounts Manager
"samss", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Security Accounts Manager service manages user and group account information. This policy sets the service to automatic startup.
4.6.1.89 Server
"lanmanserver", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Server service provides RPC, file, print, and named pipe support over the network. This policy disables service startup.
4.6.1.90 Shell Hardware Detection
"shellhwdetection", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Shell Hardware Detection service monitors and provides notification for AutoPlay hardware events. The service is disabled.
4.6.1.91 Simple Mail Transport Protocol (SMTP)
"smtpsvc", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Simple Mail Transfer Protocol (SMTP) service transports electronic mail across the network. The service is disabled.
4.6.1.92 Simple TCP/IP Services
"simptcp", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Simple TCP/IP Services provide a variety of protocols. The service is disabled. The services configured are as follows:
Echo (port 7)
Discard (port 9)
Character Generator (port 19)
Daytime (port 13)
Quote of the Day (port 17)
4.6.1.93 Single Instance Storage Groveler
"groveler", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Single Instance Storage Groveler service supports the Remote Installation service. The service is disabled.
4.6.1.94 Smart Card
"scardsvr", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Smart Card service manages access to smart card readers. The service is disabled.
4.6.1.95 SNMP Service
"snmp", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Simple Network Management Protocol (SNMP) service allows incoming SNMP requests to be processed by the system. The service is disabled.
4.6.1.96 SNMP Trap Service
"snmptrap", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The SNMP Trap service receives trap messages generated by SNMP agents. The service is disabled.
4.6.1.97 Special Administration Console Helper
"sacsvr", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Special Administration Console Helper service performs remote management tasks. The service is disabled.
4.6.1.98 SQLAgent$* (*UDDI or WebDB)
"sqlagent$webdb", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The SQLAgent$webdb service monitors and schedules jobs. The service is disabled.
4.6.1.99 System Event Notification
"sens", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The System Event Notification service provides monitoring and tracking services for system events. This policy sets the service to automatic startup.
4.6.1.100 Task Scheduler
"schedule", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Task Scheduler service enables configuration and scheduling of automated tasks on the system. The service is disabled.
4.6.1.101 TCP/IP NetBIOS Helper Service
The TCP/IP NetBIOS Helper service provides support for NetBIOS over TCP/IP. This is required for domain membership.
4.6.1.101.1 Domain Member Server
"lmhosts", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
This policy sets the service to automatic startup.
4.6.1.101.2 Workgroup Member Server
"lmhosts", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
This policy disables service startup.
4.6.1.102 TCP/IP Print Server
"lpdsvc", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The TCP/IP Print Server service enables TCP/IP-based printing. The service is disabled.
4.6.1.103 Telephony
"tapisrv", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Telephony service provides support for programs that control telephony and IP-based voice devices. The service is disabled.
4.6.1.104 Telnet
"tlntsvr", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Telnet service provides ASCII terminal sessions to telnet clients. The service is disabled.
4.6.1.105 Terminal Services
"termservice", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Terminal Services allows users to access a virtual Windows desktop session. The service is disabled.
4.6.1.106 Terminal Services Licensing
"termservlicensing", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Terminal Services Licensing service provides registered client licenses when connecting to a Terminal Server. The service is disabled.
4.6.1.107 Terminal Services Session Directory
"tssdis", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Terminal Services Session Directory service provides a multi-session environment that allows access to a virtual Windows desktop. The service is disabled.
4.6.1.108 Themes
"themes", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Themes service provides theme management services. The service is disabled.
4.6.1.109 Trivial FTP Daemon
"tftpd", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Trivial FTP Daemon implements a file transfer protocol that does not require authentication. The service is disabled.
4.6.1.110 Uninterruptible Power Supply
"ups", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Uninterruptible Power Supply service manages an uninterruptible power supply. The service is disabled.
4.6.1.111 Upload Manager
"uploadmgr", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Upload Manager service manages file transfers between clients and servers. Driver data is anonymously uploaded from a customer computer to Microsoft. The service is disabled.
4.6.1.112 Virtual Disk Service
"vds", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Virtual Disk service provides a single interface for managing block storage virtualization. The service is disabled.
4.6.1.113 Volume Shadow Copy
"vss", 3,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Volume Shadow Copy service manages and implements volume shadow copies used for backups. This policy sets the service to manual startup.
4.6.1.114 WebClient
"webclient", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The WebClient service allows Win32 applications to access documents on the Internet. The service is disabled.
4.6.1.115 Web Element Manager
"elementmgr", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Web Element Manager service provides Web user interface elements for the Administration Web site at port 8098. The service is disabled.
4.6.1.116 Windows Audio
"audiosrv", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Windows Audio service provides support for sound. The service is disabled.
4.6.1.117 Windows Image Acquisition (WIA)
"stisvc", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Windows Image Acquisition (WIA) service supports scanners and cameras. The service is disabled.
4.6.1.118 Windows Installer
The Windows Installer service manages the installation and removal of applications.
4.6.1.118.1 Domain Member Server
"msiserver", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
This policy sets the service to automatic startup.
4.6.1.118.2 Workgroup Member Server
"msiserver", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
This policy disables service startup.
4.6.1.119 Windows Internet Name Service (WINS)
"wins", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Windows Internet Name Service (WINS) enables NetBIOS name resolution. The service is disabled.
4.6.1.120 Windows Management Instrumentation
"winmgmt", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Windows Management Instrumentation service provides a common interface to access management information. This policy sets the service to automatic startup.
4.6.1.121 Windows Management Instrumentation Driver Extensions
"wmi", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Windows Management Instrumentation Driver Extensions service monitors all drivers and event trace providers that publish WMI or event trace information. The service is disabled.
4.6.1.122 Windows Media Services
"wmserver", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Windows Media Services provide streaming media services over IP-based networks. The service is disabled.
4.6.1.123 Windows System Resource Manager
"windowssystemresourcemanager", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Windows System Resource Manager service is a tool to help customers deploy applications. The service is disabled.
4.6.1.124 Windows Time
"w32time", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Windows Time service maintains date and time synchronization. This policy sets the service to automatic startup.
4.6.1.125 WinHTTP Web Proxy Auto-Discovery Service
"winhttpautoproxysvc", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The WinHTTP Web Proxy Auto-Discovery service implements the Web Proxy Auto-Discovery (WPAD) protocol. WPAD is an HTTP client service that locates proxy servers. The service is disabled.
4.6.1.126 Wireless Configuration
"wzcsvc", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Wireless Configuration service enables automatic configuration of IEEE 802.11 wireless adapters. The service is disabled.
4.6.1.127 WMI Performance Adapter
"wmiapsrv", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The WMI Performance Adapter service provides performance library information. The service is disabled.
4.6.1.128 Workstation
The Workstation service creates and maintains client network connections.
4.6.1.128.1 Domain Member Server
"lanmanworkstation", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
This policy sets the service to automatic startup.
4.6.1.128.2 Workgroup Member Server
"lanmanworkstation", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
This policy disables service startup.
4.6.1.129 World Wide Web Publishing Service
"w3svc", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The World Wide Web Publishing service provides Web connectivity and administration through the IIS snap-in. The service is disabled.
4.6.2 Services Not Explicitly Covered by Microsoft GuidanceThe following service entries in the policy file are not represented in the GUI interface.
"fastuserswitchingcompatibility", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA )(A;;CCDCLCSWRPWPDTLOC
RSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The “fastuserswitchingcompatibility” is not a core requirement for a Windows 2003 server. The service is disabled.
"mssql$webdb", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA )(A;;CCDCLCSWRPWPDTLOC
RSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The MSSQL$webdb service is used to publish and locate information about web services. The service is disabled.
"mssqlserveradhelper", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA )(A;;CCDCLCSWRPWPDTLOC
RSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The MSSQLServerADHelper service enables SQL server and SQL Server Analysis Services to publish information in Active Directory. The service is disabled.
"saldm", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA )(A;;CCDCLCSWRPWPDTLOC
RSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The “saldm” is not a core requirement for a Windows 2003 server. The service is disabled.
"sptimer", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA )(A;;CCDCLCSWRPWPDTLOC
RSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The “sptimer” is not a core requirement for a Windows 2003 server. The service is disabled.
"sqlserveragent", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA )(A;;CCDCLCSWRPWPDTLOC
RSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The “sqlserveragent” is not a core requirement for a Windows 2003 server. The service is disabled.
"winsip", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA )(A;;CCDCLCSWRPWPDTLOC
RSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
This is not a core requirement for a High Security server. The service is disabled.
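The service entries above are written in the security template's [Service General Setting] syntax: the service name, a startup type (2 = Automatic, 3 = Manual, 4 = Disabled) and an SDDL security descriptor for the service object. Each descriptor grants every service right to Administrators (BA) and SYSTEM (SY) and audits failed access attempts by Everyone (WD). The following Python script is an added example, not part of this guide or of Microsoft's templates: it parses entries in that syntax (tolerating the line wrap the extracted text shows) and decodes the SDDL into readable ACE types, rights and trustees. The sample entries, the right-name mapping for service objects and the trustee abbreviation table are the script's own assumptions.

```python
"""Parse [Service General Setting] lines from a Windows security template
and decode their SDDL security descriptors into readable form (added example)."""
import re

# Constructed sample in the template syntax used by the guide; the first SDDL
# string is wrapped across two lines the way the extracted document shows it.
SAMPLE_TEMPLATE = '''
"sqlserveragent", 4,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOC
RSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"lanmanserver", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
'''

# Startup types as used in security templates
START_TYPES = {2: "Automatic", 3: "Manual", 4: "Disabled"}

# SDDL two-letter right codes as they apply to service objects: the generic
# object-right bit positions coincide with the service-specific access rights.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}
TRUSTEES = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
            "WD": "Everyone", "AU": "Authenticated Users", "BU": "BUILTIN\\Users",
            "NS": "NT AUTHORITY\\NETWORK SERVICE", "LS": "NT AUTHORITY\\LOCAL SERVICE"}

ENTRY_RE = re.compile(r'"([^"]+)",\s*(\d),\s*"([^"]*)"')
ACE_RE = re.compile(r"\(([^)]*)\)")


def decode_ace(ace):
    """Decode one ACE of the form 'type;flags;rights;objguid;inhguid;sid'."""
    fields = (ace.split(";") + [""] * 6)[:6]
    ace_type, flags, rights, _obj, _inh, sid = fields
    if rights.startswith("0x"):          # raw hex access mask: keep verbatim
        right_names = [rights]
    else:                                # two-character codes, no separators
        right_names = [RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                       for i in range(0, len(rights), 2)]
    return {"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
            "rights": right_names, "trustee": TRUSTEES.get(sid, sid)}


def decode_sddl(sddl):
    """Split an SDDL string into DACL (D:) and SACL (S:) and decode every ACE."""
    result = {"dacl": [], "sacl": [], "dacl_flags": ""}
    for part, flags, aces in re.findall(r"([DS]):([A-Z]*)((?:\([^)]*\))*)", sddl):
        decoded = [decode_ace(a) for a in ACE_RE.findall(aces)]
        if part == "D":
            result["dacl"], result["dacl_flags"] = decoded, flags
        else:
            result["sacl"] = decoded
    return result


def parse_services(template):
    """Return one dict per service entry; whitespace inside the SDDL is removed."""
    entries = []
    for name, start, sddl in ENTRY_RE.findall(template):
        sddl = re.sub(r"\s+", "", sddl)
        entries.append({"name": name,
                        "start": START_TYPES.get(int(start), start),
                        "acl": decode_sddl(sddl)})
    return entries


def principals_with_full_control(entry):
    """Trustees whose Allow ACE carries every service right (SERVICE_ALL_ACCESS)."""
    return [ace["trustee"] for ace in entry["acl"]["dacl"]
            if ace["type"] == "Allow" and set(ace["rights"]) == set(RIGHTS.values())]


if __name__ == "__main__":
    for entry in parse_services(SAMPLE_TEMPLATE):
        print(entry["name"], entry["start"],
              "full control:", principals_with_full_control(entry))
        for ace in entry["acl"]["sacl"]:
            print("  audit", ace["flags"], "for", ace["trustee"])
```

Run against a real template, the script makes it easy to spot an entry whose DACL grants rights such as SERVICE_CHANGE_CONFIG or WRITE_DAC to a trustee other than Administrators and SYSTEM, which is the deviation from the guide's descriptor that matters.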
4.7 Additional Security Settings
The following settings are in the policy file and are organized similarly to the Windows Server 2003 Security Guide. While the settings affect the Registry, they do not appear in the Registry section of the Policy GUI.
4.7.1 Security Consideration for Network Attacks
4.7.1.1 EnableICMPRedirect
machine \system \currentcontrolset \services \tcpip \parameters \enableicmpredirect=4, 0
The ‘enableicmpredirect’ registry value determines whether ICMP redirects cause TCP/IP to create host routes, which override OSPF-generated routes. The setting ‘0’ disables this capability. If enabled, a ten-minute timeout makes the system unavailable to the network. Disabling it causes the system to rely on OSPF routing.
4.7.1.2 SynAttackProtect
machine \system \currentcontrolset \services \tcpip \parameters \synattackprotect=4, 1
The ‘synattackprotect’ registry value adjusts the retransmission of SYN-ACKs. The setting ‘1’ causes connections to time out faster when a SYN attack is detected. The setting reduces the effort expended on unresponsive connections.
4.7.1.3 EnableDeadGWDetect
machine \system \currentcontrolset \services \tcpip \parameters \enabledeadgwdetect=4, 0
The ‘enabledeadgwdetect’ value allows TCP to redirect traffic to a backup gateway. The setting ‘0’ disables this capability. If a system detects difficulties on a network, it will automatically switch to a different gateway. This may cause undesirable packet traversal over untrusted networks.
4.7.1.4 EnablePMTUDiscovery
machine \system \currentcontrolset \services \tcpip \parameters \enablepmtudiscovery=4, 0
The ‘enablepmtudiscovery’ registry value determines if TCP automatically finds the maximum transmission unit (MTU), the largest packet size, to a remote host. The setting ‘0’ causes a fixed packet size to be used for all connections to remote hosts. If enabled, an attacker could force a very small packet size. This results in a significant increase in network workload and may also lead to a DoS condition.
4.7.1.5 KeepAliveTime
machine \system \currentcontrolset \services \tcpip \parameters \keepalivetime=4, 300000
The ‘keepalivetime’ registry value determines how often TCP verifies that an idle connection is intact. The setting ‘300,000’ (5 minutes) is short enough to provide some defense against DoS conditions. This setting provides the ability to recover resources from unresponsive connections.
4.7.1.6 DisableIPSourceRouting
machine \system \currentcontrolset \services \tcpip \parameters \disableipsourcerouting=4, 2
The ‘disableipsourcerouting’ value determines if the sender of a TCP packet can dictate the route. The setting ‘2’ disables this ability. Dictating packet routes can obscure an attacker’s location on the network.
4.7.1.7 TcpMaxConnectResponseRetransmissions
machine \system \currentcontrolset \services \tcpip \parameters \tcpmaxconnectresponseretransmissions=4, 2
The ‘tcpmaxconnectresponseretransmissions’ value determines the number of times TCP re-transmits a SYN packet before aborting. The setting ‘2’ limits the possibility of a DoS attack without affecting normal users. This setting reduces the effort expended on unresponsive connections.
4.7.1.8 TcpMaxDataRetransmissions
machine \system \currentcontrolset \services \tcpip \parameters \tcpmaxdataretransmissions=4, 3
The ‘tcpmaxdataretransmissions’ value defines the number of times unacknowledged data is retransmitted before the connection is dropped. The setting ‘3’ reduces the success of a DoS attack. This is achieved by reducing the effort expended on unresponsive connections.
4.7.1.9 PerformRouterDiscovery
machine \system \currentcontrolset \services \tcpip \parameters \performrouterdiscovery=4, 0
The ‘performrouterdiscovery’ value controls the use of Internet Router Discovery Protocol. The setting ‘0’ disables discovery and forces the use of known routers. If the system were to discover routers, an attacker could redirect packets to another destination.
4.7.1.10 TCPMaxPortsExhausted
machine \system \currentcontrolset \services \tcpip \parameters \tcpmaxportsexhausted=4, 5
The ‘tcpmaxportsexhausted’ value controls the point at which SYN attack protection begins. The setting ‘5’ causes protection to start after five failures. This is the Microsoft standard for TCP/IP. The setting is a balance between performance and security.
4.7.1.11 TCPMaxHalfOpen
machine \system \currentcontrolset \services \tcpip \parameters \tcpmaxhalfopen=4, 100
The ‘tcpmaxhalfopen’ value defines the number of connections in the SYN state table before SYN attack protection begins. The setting of ‘100’ initiates SYN attack protection when the state table reaches one hundred connections.
4.7.1.12 TCPMaxHalfOpenRetired
machine \system \currentcontrolset \services \tcpip \parameters \tcpmaxhalfopenretired=4, 80
The ‘tcpmaxhalfopenretired’ value determines how many connections the server can maintain in the half-open state. The setting ‘80’ initiates SYN attack protection when the state table reaches eighty connections.
4.7.1.13 NoNameReleaseOnDemand (TCP/IP)
machine \system \currentcontrolset \services \tcpip \parameters \nonamereleaseondemand=4, 1
The ‘nonamereleaseondemand’ registry value determines if a system will release its NetBIOS name to another computer on request. The setting ‘1’ prevents disclosure of NetBIOS information.
4.7.2 AFD.SYS Settings
4.7.2.1 DynamicBacklogGrowthDelta
machine \system \currentcontrolset \services \afd \parameters \dynamicbackloggrowthdelta=4, 10
The ‘dynamicbackloggrowthdelta’ value defines the number of free connections to create when deemed necessary. The setting ‘10’ creates ten additional free connections. This setting ensures additional resources are not applied too quickly, avoiding a potential DoS condition.
4.7.2.2 EnableDynamicBacklog
machine \system \currentcontrolset \services \afd \parameters \enabledynamicbacklog=4, 1
The ‘enabledynamicbacklog’ value enables dynamic backlog. The setting ‘1’ enables the backlog. This ensures the system manages port resources in a manner that mitigates DoS attacks.
4.7.2.3 MinimumDynamicBacklog
machine \system \currentcontrolset \services \afd \parameters \minimumdynamicbacklog=4, 20
The ‘minimumdynamicbacklog’ value controls the minimum number of free ports on a listening end point. The setting ‘20’ allows a system to create more if there is less than twenty available. The setting is intended to ensure resources are available and limit the threat of DoS conditions.
4.7.2.4 MaximumDynamicBacklog
machine \system \currentcontrolset \services \afd \parameters \maximumdynamicbacklog=4, 20000
The ‘maximumdynamicbacklog’ value controls the number of ‘quasi-free’ connections allowed on a listening end point. The setting ‘20,000’ is recommended to mitigate a DoS attack. The setting reduces the resources allocated to incomplete connections. If creating additional free ports exceeds the value, a system will not be able to maintain additional sessions.
4.7.3 Other Security Related Settings
4.7.3.1 NoNameReleaseOnDemand (NetBIOS)
machine \system \currentcontrolset \services \netbt \parameters \nonamereleaseondemand=4, 1
The ‘nonamereleaseondemand’ value determines if a system releases its NetBIOS name upon a name-release request. The setting ‘1’ prevents a system from releasing the NetBIOS name, other than to WINS servers. This reduces information it provides to an unauthorized user.
4.7.3.2 Enable the computer to stop generating 8.3 style filenames
machine \system \currentcontrolset \control \filesystem \ntfsdisable8dot3namecreation=4, 1
The ‘ntfsdisable8dot3namecreation’ value determines if a system will generate 8.3 file names. The setting ‘1’ prevents the 8.3 filename format. Generation of 8.3 file names makes the task of name guessing easier for an attacker. Disabling this ensures only the full name is used to reference files.
4.7.3.3 NoDriveTypeAutoRun
machine \software \microsoft \windows \currentversion \policies \explorer \nodrivetypeautorun=4, 255
The ‘nodrivetypeautorun’ value determines if autorun is enabled on connected drives. The setting ‘255’ disables autorun for all drives on the system. This ensures privileged users do not run unapproved software. Without restrictions, unapproved software may run inadvertently.
4.7.3.4 The time in seconds before the screen saver grace period expires (0 recommended)
machine \system \software \microsoft \windowsnt \currentversion \winlogon \screensavergraceperiod=4, 0
The ‘screensavergraceperiod’ value determines the amount of time (in seconds) to enforce the screen saver password. The setting ‘0’ enforces password lock with no time delay. This provides an immediate lock when the idle threshold is reached.
4.7.3.5 Warning Level
machine \system \currentcontrolset \services \eventlog \security \warninglevel=4, 90
The ‘warninglevel’ value determines the maximum amount of security logs before a warning event is triggered. The setting ‘90’ triggers a warning when the Security log reaches 90% capacity. This will afford sufficient time to reset the log and determine reasons for the warning.
4.7.3.6 Enable Safe DLL search mode (recommended)
machine \system \currentcontrolset \control \session manager \safedllsearchmode=4, 1
The ‘safedllsearchmode’ value determines the order in which DLLs are searched. The setting ‘1’ commands the system to first look in the PATH, then the current folder. This order ensures files in the current folder do not run in place of files in the user's PATH.
4.7.3.7 Disable Autorun on CD-ROM
machine \system \currentcontrolset \control \services \CDRom \AutoRun=4, 1
The ‘Disable Autorun on CD-Rom’ setting prevents automatic execution of programs upon insertion of a CD. The setting ‘1’ disables the Autorun feature. This helps reduce the threat of malicious code infection through CD-Rom.
4.7.3.8 Disable Administrative Shares
machine \system \currentcontrolset \control \services \LanmanServer \Parameters \AutoShareServer=4, 0
The ‘AutoShareServer’ value determines if disk drives have administrative shares. The setting ‘0’ disables administrative shares.
4.7.3.9 Disable DCOM
machine \Software \Microsoft \OLE \EnableDCOM=4, 0
The ‘EnableDCOM’ value determines if DCOM is active. The setting ‘0’ disables DCOM.
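The settings in 4.7.1 through 4.7.3 are written in the template's [Registry Values] syntax: the full registry path under MACHINE, then =type,data, where type 4 is REG_DWORD (1 is REG_SZ, 3 REG_BINARY, 7 REG_MULTI_SZ). The Python script below is an added example, not part of this guide: it parses lines in that syntax (stripping the spaces before backslashes that the extracted text shows), then compares the expected data with a constructed set of values as they might have been read from a host and reports each value as ok, drift or missing. The sample lines and the observed values are constructed for the example; the Windows default of two hours for KeepAliveTime is used as the drifted value.

```python
"""Parse [Registry Values] lines in security-template syntax and check a host's
observed values against them (added example, not the guide's own tooling)."""
import re

# Constructed sample of the template lines shown in 4.7.1 to 4.7.3; the stray
# spaces before backslashes mirror the extracted text and are tolerated.
SAMPLE_LINES = r"""
machine \system \currentcontrolset \services \tcpip \parameters \synattackprotect=4, 1
machine \system \currentcontrolset \services \tcpip \parameters \keepalivetime=4, 300000
machine \system \currentcontrolset \services \tcpip \parameters \disableipsourcerouting=4, 2
machine \software \microsoft \windows \currentversion \policies \explorer \nodrivetypeautorun=4, 255
machine \system \currentcontrolset \control \session manager \safedllsearchmode=4, 1
"""

# Constructed "observed" values, keyed by (key path, value name) in lower case,
# as a collector script reading the host's registry might produce them.
OBSERVED = {
    (r"system\currentcontrolset\services\tcpip\parameters", "synattackprotect"): 1,
    (r"system\currentcontrolset\services\tcpip\parameters", "keepalivetime"): 7200000,
    (r"software\microsoft\windows\currentversion\policies\explorer", "nodrivetypeautorun"): 255,
    (r"system\currentcontrolset\control\session manager", "safedllsearchmode"): 0,
}

REG_TYPES = {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
HIVES = {"machine": "HKLM", "users": "HKU", "classes_root": "HKCR"}
LINE_RE = re.compile(r"^\s*(?P<path>.+?)\s*=\s*(?P<type>\d+)\s*,\s*(?P<data>.*?)\s*$")


def parse_registry_line(line):
    """Split 'hive\\key\\...\\name=type,data' into its parts."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a registry-value line: %r" % line)
    # Remove whitespace around backslashes left by PDF extraction
    path = re.sub(r"\s*\\\s*", r"\\", m.group("path")).strip()
    parts = path.split("\\")
    reg_type = int(m.group("type"))
    data = m.group("data")
    if reg_type == 4:                  # REG_DWORD: decimal or 0x-prefixed hex
        data = int(data, 0)
    return {"hive": HIVES.get(parts[0].lower(), parts[0]),
            "key": "\\".join(parts[1:-1]),
            "name": parts[-1],
            "type": REG_TYPES.get(reg_type, str(reg_type)),
            "data": data}


def parse_template(text):
    """Parse every registry-value line in a block of template text."""
    return [parse_registry_line(line) for line in text.splitlines() if "=" in line]


def check_compliance(expected, observed):
    """Compare expected entries with observed values; key lookup is case-insensitive."""
    findings = []
    for entry in expected:
        actual = observed.get((entry["key"].lower(), entry["name"].lower()))
        if actual is None:
            status = "missing"
        elif actual == entry["data"]:
            status = "ok"
        else:
            status = "drift"
        findings.append({"name": entry["name"], "type": entry["type"],
                         "expected": entry["data"], "actual": actual, "status": status})
    return findings


if __name__ == "__main__":
    for f in check_compliance(parse_template(SAMPLE_LINES), OBSERVED):
        print("%-8s %-28s expected=%-8s actual=%s" %
              (f["status"], f["name"], f["expected"], f["actual"]))
```

A "missing" result deserves the same attention as "drift": for most of these TCP/IP values, an absent value means the Windows default applies, which is the behaviour the guide is switching off.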
4.7.4 Manual Activities
The following elements could not be automated. They must be manually configured.
NOTE: For 4.7.4.1 through 4.7.4.3, use the following procedure to reach the “Computer Configuration” level in either MMC (for Workgroup server) or Active Directory (for domain server).
For a Domain server do the following:
1. Invoke “Active Directory”.
2. Right click “Public Server” OU and select “Properties”.
3. Select the “Group Policy” tab.
4. Select “CSE High Security – Baseline Policy”.
5. Click “Edit”. The Computer Configuration entry is now displayed on the screen.
For a Workgroup system do the following:
1. Open a command window.
2. Enter “MMC” and press “Enter”.
3. “Console 1” dialog opens.
4. Click “File”.
5. Select “Add/Remove Snap-in”.
6. “Add/Remove Snap-in” dialog displayed.
7. Click “Add”.
8. “Add Standalone Snap-in” dialog displayed.
9. Browse to and select “IP Security Policy Management”.
10. Click “Add”.
11. “Select Computer or Domain” dialog displayed.
12. Accept defaults and click “Finish”.
13. Click “Close”.
14. Click “OK”.
15. In the “root Console Window”
16. Select “Group Policy Object Editor”
17. Click on “Add”.
18. “Select Group Policy Object” window opens.
19. Click “Finish” to accept defaults.
20. Click “Close”.
21. Click “OK”.
22. Click “+” beside “Local Computer Policy”. The Computer Configuration entry is now displayed on the screen.
4.7.4.1 Set client connection encryption level
Computer configuration \Administrative Templates \Windows Components \Terminal Services \Encryption and Security \Set client connection encryption level=High
The “Set client encryption level” setting uses 128-bit encryption to protect Terminal Service sessions. This policy sets the value to High.
4.7.4.2 Always prompt client for password upon connection
Computer configuration \Administrative Templates \Windows Components \Terminal Services \Encryption and Security \Always prompt client for password upon connection \=Enabled
The “Always prompt client for password upon connection \=Enabled” setting forces the user to logon to the local service. This policy enables password challenge upon connection.
4.7.4.3 Report Errors
Computer configuration \Administrative Templates \System \Error Reporting \=Disabled
The “Error Reporting \=Disabled” setting prevents the system from reporting error conditions to Microsoft.
4.7.4.4 Remove POSIX Subsystem Registry Key
machine \system \currentcontrolset \control \session manager \subsystems \posix
The ‘posix’ value determines if the POSIX subsystem is supported. This policy deletes the key. This prevents inadvertent use of the subsystem.
4.7.4.5 Set BIOS Password
The system BIOS should be password protected. This follows vendor specific procedures that are not outlined in this document.
4.7.4.6 Disable Memory Dump
Control Panel/System Properties/Advanced/Startup and Recovery - Settings/Write Debugging Information=None
The ability to dump memory in case of a program failure should be disabled. The likelihood of requiring a memory dump is low, however, if needed you may temporarily enable it.
4.7.4.7 Boot Immediately to Windows
My Computer/Properties/Advanced/Startup and Recovery-Settings/Time to display list of operating systems=0
The ‘Time to display list of operating systems’ value determines the number of seconds the system displays Operating System options at boot time. The setting ‘0’ prevents alternate boot during normal operations.
4.7.4.8 Disassociate .reg Files from the Registry Editor
1. Start/Settings/Control Panel/Folder Options
2. Select the ‘REG’ extension
3. Click ‘Delete’ and ‘Yes’ in the confirmation window
4. Click ‘Close’
Disassociating the .reg extension from the registry editor prevents inadvertent modification of the registry.
4.7.4.9 Remove Unnecessary Programs
Start/Control Panel/Add or Remove Programs/Add/Remove Windows Components: remove CHAT.
4.7.5 Access Controls
Important files and registry values on the system should be protected. A good way of doing this is by use of Access Controls. The following sections provide suggestions for access controls.
NOTE: Each installation must ensure the settings that follow are appropriate for their own environment.
4.7.5.1 General File Access Controls
Table 1 – General File Access Controls
Audit column: S&F = audit success and failure; F = audit failure.
| File/Folder Name | Audit | Administrators & System | Authenticated Users | Found Value |
| C:\ | | Full Control | Read | |
| C:\*.* | | Full Control | Full Control | |
| C:\boot.ini | S&F | Full Control | N/a | |
| C:\ntdetect.com | S&F | Full Control | N/a | |
| C:\ntldr | S&F | Full Control | N/a | |
| C:\ntbootdd.sys | S&F | Full Control | N/a | |
| C:\autoexec.bat | S&F | Full Control | Read | |
| C:\config.sys | S&F | Full Control | Read | |
| C:\Program Files | F | Full Control | Read & Execute | |
| C:\IO.sys | S&F | Full Control | Change | |
| C:\MSDOS.sys | S&F | Full Control | Change | |
| C:\Documents and Settings\All Users | F | Full Control | Change | |
| C:\Documents and Settings\All Users\Documents | F | Full Control | Read | |
| C:\Documents and Settings\All Users\Application Data | F | Full Control | Read & Create | |
| C:\temp\*.* and subdirectories | | Full Control | Traverse, Add | |
| C:\Users and subdirectories | F | Admin: rwxd Full Control | List | |
| C:\Users\Default and subdirectories | F | System: Full Control | Read, Write, Execute | |
| C:\WIN32APP and subdirectories | S&F | Full Control | Read | |
| %windir% and subdirectories | F | Full Control | Change | |
| %windir%\*.* | F | Full Control | Read | |
| %windir%\*.ini | F | Full Control | Change | |
| %windir%\LocalMon.dll | | Full Control | Read | |
| %windir%\PrintMan.hlp | | Full Control | Read | |
| %windir%\config\*.* | S&F | Full Control | List | |
| %windir%\Help\*.* | | Full Control | Read & Execute | |
| %windir%\repair\*.* and subdir | S&F | Administrator | N/a | |
| %windir%\security | S&F | Full Control | Read & Execute | |
| %windir%\system\*.* | S&F | Full Control | Read | |
| %windir%\system32 | F | Full Control | Read | |
| %windir%\system32\ | S&F | Full Control | Change | |
| %windir%\system32\passport.mid | S&F | Full Control | Full Control | |
| %windir%\system32\CatRoot | S&F | Full Control | N/a | |
| %windir%\system32\config | S&F | Full Control | List | |
| %windir%\system32\config\*.* | S&F | Full Control | List | |
| %windir%\system32\config\userdef | S&F | Full Control; System: Change | Read | |
| %windir%\system32\dhcp and subdir | | Full Control | Read | |
| %windir%\system32\dllcache | S&F | Full Control | N/a | |
| %windir%\system32\drivers | S&F | Full Control | Read | |
| %windir%\system32\ias | S&F | Full Control | Read & Execute | |
| %windir%\system32\inetserv\Metabase.bin | S&F | Full Control | Read & Execute | |
| %windir%\system32\inetserv\metaback | S&F | Full Control | N/a | |
| %windir%\system32\mui | S&F | Full Control | N/a | |
| %windir%\system32\os2\dll\oso001.009 | | Full Control | Read | |
| %windir%\system32\os2\DLL\Doscalls.dll | | Full Control | Read | |
| %windir%\system32\os2\dll\netapi.dll | | Full Control | Full Control | |
| %windir%\system32\RAS\ | S&F | Full Control | Read | |
| %windir%\system32\RAS\*.* | S&F | Full Control | Read | |
| %windir%\system32\repl\export | | Full Control | Change | |
| %windir%\system32\repl\export\scripts | | Full Control | Read | |
| %windir%\system32\repl\export\scripts\*.* | | Full Control | Read | |
| %windir%\system32\repl\import | | Full Control | Change | |
| %windir%\system32\repl\import\*.* | | Full Control | Change | |
| %windir%\system32\repl\import\scripts\ | | Full Control | Read | |
| %windir%\system32\repl\import\scripts\*.* | | Full Control | Read | |
| %windir%\system32\ShelExt | S&F | Full Control | N/a | |
| %windir%\system32\spool\ and subdir | F | Full Control | Read | |
| %windir%\system32\spool\drivers\w32x86\l | | Full Control | Full Control | |
| %windir%\system32\spool\drivers\w32x86\winprint.dll | | Full Control | Read | |
| %windir%\system32\Viewers\*.* | F | Full Control | N/a | |
| %windir%\system32\wbem | F | Full Control | Read & Execute | |
| %windir%\system32\wbem\mof | S&F | Full Control | Read & Execute | |
| %windir%\system32\wins and subdir | F | Full Control | Full Control | |
| %windir%\twain_32 | | Full Control | File, Add Subdir | |
| %windir%\web | | Full Control | Read & Execute | |
| %userprofile% | F | Full Control | N/a | |
4.7.5.2 General Registry Access Controls
Table 2 – General Registry Access Controls
| Hive/Key Name | Audit | Administrator & System | Authenticated Users |
| HKLM\Software | S&F | Full Control | Read |
| HKLM\Software\Classes\helpfile | F | Full Control | Read |
| HKLM\Software\Classes\.hlp | F | Full Control | Read |
| HKLM\Software\Microsoft\Command Processor | S&F | Full Control | Read |
| HKLM\Software\Microsoft\Cryptography | S&F | Full Control | Read |
| HKLM\Software\Microsoft\Driver Signing | S&F | Full Control | Read |
| HKLM\Software\Microsoft\EnterpriseCertificates | S&F | Full Control | Read |
| HKLM\Software\Microsoft\Non-DriverSigning | S&F | Full Control | Read |
| HKLM\Software\Microsoft\NetDDE | S&F | Full Control | Read |
| HKLM\Software\Microsoft\Ole | F | Full Control | Read |
| HKLM\Software\Microsoft\Rpc | S&F | Full Control | Read |
| HKLM\Software\Microsoft\Secure | S&F | Full Control | Read |
| HKLM\Software\Microsoft\SystemCertificates | S&F | Full Control | Read |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | S&F | Full Control | Read |
| HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce | S&F | Full Control | Read |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Aedebug | S&F | Full Control | Read |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\AsrCommands | S&F | Full Control | Read |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Classes | F | Full Control | Read |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Console | F | Full Control | Read |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\DiskQuota | F | Full Control | Read |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 | S&F | Full Control | Read |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers | F | Full Control | Read |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\FontMapper | F | Full Control | Read |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | S&F | Full Control | Read |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping | S&F | Full Control | Read |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\PerfLib | S&F | Full Control | Read |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList | S&F | Full Control | Read |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\SecEdit | S&F | Full Control | Read |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost | F | Full Control | Read |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Time Zones | S&F | Full Control | Read |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | F | Full Control | Read |
| HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | S&F | Full Control | Read |
| HKLM\Software\Policies | S&F | Full Control | Read |
| HKLM\System | S&F | Full Control | Read |
| HKLM\System\CurrentControlSet\Services | S&F | Full Control | Read |
| HKLM\SYSTEM\CurrentControlSet\Services\Schedule | S&F | Full Control | None |
| HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg | S&F | N/A | Everyone=none |
| HKLM\System\CurrentControlSet\Control\Session Manager\Executive | S&F | Full Control | Read |
| HKLM\System\CurrentControlSet\Control\TimeZoneInformation | S&F | Full Control | Read |
| HKLM\System\CurrentControlSet\Control\WMI\Security | S&F | Full Control | None |
| HKLM\Hardware | S&F | Full Control | Everyone: Read |
| HKLM\SAM | S&F | Full Control | Everyone: Read |
| HKLM\Security | S&F | Full Control | N/A |
| HKEY_USERS (HKU) | S&F | Full Control | N/A |
| HKU\.Default | S&F | Full Control | Read |
| HKU\.Default\Software\Microsoft\NetDDE | S&F | Full Control | N/A |
4.7.6 Variance from Microsoft Guidance
The following table provides a list of settings that differ between the CSEC guidance and Microsoft guidance. The parameter is identified along with the CSEC value and Microsoft value.
Table 3 – Variance from Microsoft Member Server Baseline
| # | Parameter | CSE Value | Microsoft Value |
| 1 | Minimum Password Length | 8 | 12 |
| 2 | Audit Policy Change | Success/Fail | Success |
| 3 | Audit System Events | Success/Fail | Success |
| 4 | Add Workstations to Domain | None | Administrators |
| 5 | Backup Files and Directories | Backup Operators and Administrators | Default |
| 6 | Bypass Traverse Checking | Users, Backup | Default |
| 7 | Create a Pagefile | Administrators | Default |
| 8 | Create a Token Object | None | Default |
| 9 | Create Global Objects | Service and Administrators | Default |
| 10 | Create Permanent Shared Objects | None | Default |
| 11 | Deny Logon as a Service | Guests, Anonymous Logon, Administrators, Built-in Administrator, Support_388945a0 and Guest | Default |
| 12 | Deny Logon Locally | Guests, Anonymous Logon, Built-in Administrator, Support_388945a0 and Guest | Default |
| 13 | Force shutdown from remote system | None | Administrators |
| 14 | Lock Pages in Memory | None | Administrators |
| 15 | Logon as a Service | Network Service and Local Service | Default |
| 16 | Administrator Account Status | Disabled | Enabled |
| 17 | Interactive logon: Message text for users attempting to log on | Departmental entry required | “This system is restricted..” |
| 18 | Interactive logon: Message title for users attempting to log on | Departmental entry required | “IT IS AN OFFENSE..” |
| 19 | Interactive Logon: Require Smart Card | Do not require smart card | Default |
| 20 | Network Access: Allow Anonymous SID/Name Translation | Disabled | Default |
| 21 | Network Access: Remotely accessible Registry paths | None | System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion |
| 22 | Network Access: Remotely accessible registry paths and sub-paths | None | System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion\Print; Software\Microsoft\Windows NT\CurrentVersion\Windows; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration; Software\Microsoft\Windows NT\CurrentVersion\Perflib; System\CurrentControlSet\Services\SysmonLog |
| 23 | Network Security: Force logoff when logon hours expire | Enabled | Default |
| 24 | System Cryptography: Use FIPS compliant algorithms for encryption, hashing and signing | Enabled | Disabled |
| 25 | Use Certificate Rules on Windows Executables for Software Restriction Policies | Disabled | Default |
| 26 | Retention method for Application log | Do not overwrite | As needed |
| 27 | Retention method for Security log | Do not overwrite | As needed |
| 28 | Retention method for System log | Do not overwrite | As needed |
| 29 | Automatic Updates Service | Disabled | Automatic |
| 30 | Background Intelligent Transfer Service | Disabled | Manual |
| 31 | Network Location Awareness | Disabled | Manual |
| 32 | NTLM Security Support Provider | Disabled | Automatic |
| 33 | Performance Logs and Alerts | Disabled | Manual |
| 34 | Plug and Play Service | Disabled | Automatic |
| 35 | Remote Administration Service | Disabled | Manual |
| 36 | RemoteRegistry Service | Disabled | Automatic |
| 37 | Server Service | Disabled | Automatic |
| 38 | Terminal Services | Disabled | Automatic |
| 39 | Windows Management Instrumentation Driver Extensions | Disabled | Manual |
| 40 | WMI Performance Adapter | Disabled | Manual |
| 41 | TCPMaxHalfOpen | 100 | No recommendation |
| 42 | TCPMaxHalfOpenRetired | 80 | No recommendation |
| 43 | NoNameReleaseOnDemand (TCP/IP) | Enabled | No recommendation |
| 44 | Remove POSIX Subsystem Registry Key | Recommended | No recommendation |
| 45 | Set BIOS Password | Recommended | No recommendation |
| 46 | Disable Memory Dump | Recommended | No recommendation |
| 47 | Boot Immediately to Windows | Recommended | No Recommendation |
| 48 | Disassociate .reg files from registry editor | Recommended | No Recommendation |
Table 4 – Variance from Microsoft Bastion Host Local Policy
| # | Parameter | CSE Value | Microsoft Value |
| 1 | Minimum Password Length | 8 | 12 |
| 2 | Audit Policy Change | Success/Fail | Success |
| 3 | Audit System Events | Success/Fail | Success |
| 4 | Add Workstations to Domain | None | Administrators |
| 5 | Allow log on locally | Administrators and Backup Operators | Administrators |
| 6 | Backup Files and Directories | Backup Operators and Administrators | Default |
| 7 | Bypass Traverse Checking | Users, Backup Operators, Administrators and Authenticated Users | Default |
| 8 | Create a Pagefile | Administrators | Default |
| 9 | Create a Token Object | None | Default |
| 10 | Create Global Objects | Service and Administrators | Default |
| 11 | Create Permanent Shared Objects | None | Default |
| 12 | Deny Logon as a Service | Guests, Anonymous Logon, Administrators, Built-in Administrator, Support_388945a0 and Guest | Default |
| 13 | Deny Logon Locally | Guests, Anonymous Logon, Built-in Administrator, Support_388945a0 and Guest | Default |
| 14 | Force shutdown from remote system | None | Administrators |
| 15 | Lock Pages in Memory | None | Administrators |
| 16 | Logon as a Service | Network Service and Local Service | Default |
| 17 | Administrator Account Status | Disabled | Enabled |
| 18 | Interactive logon: Message text for users attempting to logon | Departmental entry required | “This system is restricted..” |
| 19 | Interactive logon: Message title for users attempting to log on | Departmental entry required | “IT IS AN OFFENSE..” |
| 20 | Interactive Logon: Require Smart Card | Do not require smart card | Default |
| 21 | Network Access: Allow Anonymous SID/Name Translation | Disabled | Default |
| 22 | Network Access: Remotely accessible Registry paths | None | System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion |
| 23 | Network Access: Remotely accessible registry paths and sub-paths | None | System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion\Print; Software\Microsoft\Windows NT\CurrentVersion\Windows; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration; Software\Microsoft\Windows NT\CurrentVersion\Perflib; System\CurrentControlSet\Services\SysmonLog |
| 24 | Network Security: Force logoff when logon hours expire | Enabled | Default |
| 25 | System Cryptography: Use FIPS compliant algorithms for encryption, hashing and signing | Enabled | Disabled |
| 26 | Use Certificate Rules on Windows Executables for Software Restriction Policies | Disabled | Default |
| 27 | Retention method for Application log | Do not overwrite | As needed |
| 28 | Retention method for Security log | Do not overwrite | As needed |
| 29 | Retention method for System log | Do not overwrite | As needed |
| 30 | DNS Client | Disable | Enable |
| 31 | Plug and Play Service | Disabled | Automatic |
| 32 | TCPMaxHalfOpen | 100 | No recommendation |
| 33 | TCPMaxHalfOpenRetired | 80 | No recommendation |
| 34 | NoNameReleaseOnDemand (TCP/IP) | Enabled | No recommendation |
| 35 | Remove POSIX Subsystem Registry Key | Recommended | No recommendation |
| 36 | Set BIOS Password | Recommended | No recommendation |
| 37 | Disable Memory Dump | Recommended | No recommendation |
| 38 | Boot Immediately to Windows | Recommended | No Recommendation |
| 39 | Disassociate .reg files from registry editor | Recommended | No Recommendation |
5 Role Based Server Policies
The following policy files apply settings specific to the role they serve. They do not contain every setting required for a server; therefore apply these settings after the Baseline configuration.
5.1 Role Based IPSec Policies
Role based IP Security Policy is applied in a two-step process. The first step is to load the policy into the policy editor. The second step is to activate the policy. This is achieved with the Group Policy Editor.
5.1.1 Load IPSec policy
5.1.2 Activate IPSec Policy
o “Console 1” dialog opens.
o “Add/Remove Snap-in” dialog displayed.
o “Add Standalone Snap-in” dialog displayed.
o “Select Computer or Domain” dialog displayed.
5.2 Domain File Server Security Policy
The domain-based file server allows authenticated users to access shared files in the domain. These shared files can use file protection to control access. Access attempts from outside a domain can authenticate with domain-based credentials. Once authenticated, access is granted based on domain policy.
To fulfill file services, the Baseline configuration settings do not require further changes.
5.2.1 Variance from Microsoft “Hardening File Servers” Guidance
In the Microsoft hardening policy for Domain file servers, Distributed Files system and File Replication services are disabled. In the CSEC Baseline configuration these same services are disabled; therefore they need not be disabled in the File Server policy.
The remaining differences are a result of CSEC and Microsoft Baseline configuration variance.
It is important to note that the role-based policies cannot be viewed in isolation from the Baseline configuration.
5.2.2 [Service General Setting]
"lanmanserver", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"browser", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
5.2.3 Domain File Server IPSec Policy
The following file is supplied as part of the Microsoft Windows Server 2003 Security Guideline. The file must be modified to reflect correct domain controller addresses. Once modified, the procedure outlined in 5.1 Role Based IPSec Policies is used to apply the policy.
REM (c) Microsoft Corporation 1997-2003
REM Packet Filters for Server Hardening
REM
REM Name: PacketFilter-File.CMD
REM Version: 1.0
REM This CMD file provides the proper NETSH syntax for creating an IPSec Policy
REM that blocks all network traffic to a File Server except for what is
REM explicitly allowed as described in the Windows 2003 Server Solution Guide.
REM Please read the entire guide before using this CMD file.
REM Revision History
REM 0000 - Original February 05, 2003
REM 0000 - Original April 03, 2003
:IPSec Policy Definition
netsh ipsec static add policy name="Packet Filters - File" description="Server Hardening Policy" assign=no
:IPSec Filter List Definitions
netsh ipsec static add filterlist name="CIFS/SMB Server" description="Server Hardening"
netsh ipsec static add filterlist name="NetBIOS Server" description="Server Hardening"
netsh ipsec static add filterlist name="Terminal Server" description="Server Hardening"
netsh ipsec static add filterlist name="Domain Member" description="Server Hardening"
netsh ipsec static add filterlist name="Monitoring" description="Server Hardening"
netsh ipsec static add filterlist name="Block Domain Access" description="Server Hardening"
netsh ipsec static add filterlist name="ALL Inbound Traffic" description="Server Hardening"
:IPSec Filter Action Definitions
netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit
netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block
:IPSec Filter Definitions
netsh ipsec static add filter filterlist="CIFS/SMB Server" srcaddr=any dstaddr=me description="CIFS/SMB Server Traffic" protocol=TCP srcport=0 dstport=445
netsh ipsec static add filter filterlist="CIFS/SMB Server" srcaddr=any dstaddr=me description="CIFS/SMB Server Traffic" protocol=UDP srcport=0 dstport=445
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=TCP srcport=0 dstport=137
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=UDP srcport=0 dstport=137
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=UDP srcport=0 dstport=138
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=TCP srcport=0 dstport=139
netsh ipsec static add filter filterlist="Terminal Server" srcaddr=any dstaddr=me description="Terminal Server Traffic" protocol=TCP srcport=0 dstport=3389
netsh ipsec static add filter filterlist="Block Domain Access" srcaddr=me dstaddr=any description="Block Domain Access" protocol=TCP srcport=any dstport=1097
netsh ipsec static add filter filterlist="ALL Inbound Traffic" srcaddr=any dstaddr=me description="ALL Inbound Traffic" protocol=any srcport=0 dstport=0
REM NOTE: IP Address or server names of Domain Controllers must be hard coded into the dstaddr of the Domain Member filters defined below
netsh ipsec static add filter filterlist="Domain Member" srcaddr=me dstaddr=192.168.0.1 description="Traffic to Domain Controller" protocol=any srcport=0 dstport=0
REM netsh ipsec static add filter filterlist="Domain Member" srcaddr=me dstaddr=
REM NOTE: IP Address or server name of Monitoring server must be hard coded into the dstaddr of Monitoring filter defined below
REM netsh ipsec static add filter filterlist="Monitoring" srcaddr=me dstaddr=
:IPSec Rule Definitions
netsh ipsec static add rule name="CIFS/SMB Server" policy="Packet Filters - File" filterlist="CIFS/SMB Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="NetBIOS Server Rule" policy="Packet Filters - File" filterlist="NetBIOS Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Terminal Server Rule" policy="Packet Filters - File" filterlist="Terminal Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Domain Member Rule" policy="Packet Filters - File" filterlist="Domain Member" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Block Domain Access Rule" policy="Packet Filters - File" filterlist="Block Domain Access" kerberos=yes filteraction=Block
REM netsh ipsec static add rule name="Monitoring Rule" policy="Packet Filters - File" filterlist="Monitoring" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet Filters - File" filterlist="ALL Inbound Traffic" kerberos=yes filteraction=Block
5.3 Domain Print Server Policy
The domain print server allows authenticated users access to shared printers. These shared printers use access controls. Users outside a domain can authenticate with domain-based credentials. Once authenticated, access is granted based on domain policy.
To fulfill print services, the Baseline configuration settings do not require further changes.
5.3.1 Variance from Microsoft “Hardening Print Servers” Guidance
The Microsoft role-based policy for print servers has two activities: 1) Start the print spooler and 2) disable “Microsoft network server: Digitally sign communications (always)”. The CSE policy also starts the print spooler but differs in the handling of signatures. The Microsoft Security Options section recommends disabling “Microsoft network server: Digitally sign communications (always)”. Their reason is the user community would not be able to view the status of their print jobs. We did not observe this limitation in our lab. As a result, the option to digitally sign communications is enabled.
The remaining differences are a result of the CSEC and Microsoft Baseline configuration variance.
It is important to note that the role-based policies cannot be viewed in isolation from the Baseline configuration.
5.3.2 [Registry Values]
machine\system\currentcontrolset\control\securepipeservers\winreg\allowedpaths\machine=7,Software\Microsoft\Windows NT\CurrentVersion\Print,System\CurrentControlSet\Control\Print\Printers
5.3.3 [Service General Setting]
"lanmanserver", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA )(A;;CCDCLCSWRPWPDTLOCR SDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"browser", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA )(A;;CCDCLCSWRPWPDTLOCR SDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"spooler", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA )(A;;CCDCLCSWRPWPDTLOCR SDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
5.3.4 Domain Print Server IPSec Policy
The following file is supplied as part of the Microsoft Windows Server 2003 Security Guideline. The file must be modified to reflect domain controller addresses. Once modified the procedure outlined in 5.1 Role Based IPSec Policies is used to apply the policy.
REM (c) Microsoft Corporation 1997-2003
REM Packet Filters for Server Hardening
REM
REM Name: PacketFilter-File.CMD
REM Version: 1.0
REM This CMD file provides the proper NETSH syntax for creating an IPSec Policy
REM that blocks all network traffic to a File Server except for what is
REM explicitly allowed as described in the Windows 2003 Server Solution Guide.
REM Please read the entire guide before using this CMD file.
REM Revision History
REM 0000 - Original February 05, 2003
REM 0000 - Original April 03, 2003
:IPSec Policy Definition
netsh ipsec static add policy name="Packet Filters - File" description="Server Hardening Policy" assign=no
:IPSec Filter List Definitions
netsh ipsec static add filterlist name="CIFS/SMB Server" description="Server Hardening"
netsh ipsec static add filterlist name="NetBIOS Server" description="Server Hardening"
netsh ipsec static add filterlist name="Terminal Server" description="Server Hardening"
netsh ipsec static add filterlist name="Domain Member" description="Server Hardening"
netsh ipsec static add filterlist name="Monitoring" description="Server Hardening"
netsh ipsec static add filterlist name="Block Domain Access" description="Server Hardening"
netsh ipsec static add filterlist name="ALL Inbound Traffic" description="Server Hardening"
:IPSec Filter Action Definitions
netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit
netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block
:IPSec Filter Definitions
netsh ipsec static add filter filterlist="CIFS/SMB Server" srcaddr=any dstaddr=me description="CIFS/SMB Server Traffic" protocol=TCP srcport=0 dstport=445
netsh ipsec static add filter filterlist="CIFS/SMB Server" srcaddr=any dstaddr=me description="CIFS/SMB Server Traffic" protocol=UDP srcport=0 dstport=445
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=TCP srcport=0 dstport=137
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=UDP srcport=0 dstport=137
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=UDP srcport=0 dstport=138
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=TCP srcport=0 dstport=139
netsh ipsec static add filter filterlist="Terminal Server" srcaddr=any dstaddr=me description="Terminal Server Traffic" protocol=TCP srcport=0 dstport=3389
netsh ipsec static add filter filterlist="Block Domain Access" srcaddr=me dstaddr=any description="Block Domain Access" protocol=TCP srcport=any dstport=1097
netsh ipsec static add filter filterlist="ALL Inbound Traffic" srcaddr=any dstaddr=me description="ALL Inbound Traffic" protocol=any srcport=0 dstport=0
REM NOTE: IP Address or server names of Domain Controllers must be hard coded into the dstaddr of the Domain Member filters defined below
netsh ipsec static add filter filterlist="Domain Member" srcaddr=me dstaddr=192.168.0.1 description="Traffic to Domain Controller" protocol=any srcport=0 dstport=0
REM netsh ipsec static add filter filterlist="Domain Member" srcaddr=me dstaddr=
REM NOTE: IP Address or server name of Monitoring server must be hard coded into the dstaddr of Monitoring filter defined below
REM netsh ipsec static add filter filterlist="Monitoring" srcaddr=me dstaddr=
:IPSec Rule Definitions
netsh ipsec static add rule name="CIFS/SMB Server" policy="Packet Filters - File" filterlist="CIFS/SMB Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="NetBIOS Server Rule" policy="Packet Filters - File" filterlist="NetBIOS Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Terminal Server Rule" policy="Packet Filters - File" filterlist="Terminal Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Domain Member Rule" policy="Packet Filters - File" filterlist="Domain Member" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Block Domain Access Rule" policy="Packet Filters - File" filterlist="Block Domain Access" kerberos=yes filteraction=Block
REM netsh ipsec static add rule name="Monitoring Rule" policy="Packet Filters - File" filterlist="Monitoring" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet Filters - File" filterlist="ALL Inbound Traffic" kerberos=yes filteraction=Block
5.4 Workgroup File Server Policy
The workgroup file server allows authenticated users access to shared files on a system. These shared files can use file protection to control access. Users who access the file server can authenticate with user-based credentials. Once authenticated, access is granted based on user policy.
5.4.1 Variance from Microsoft Guidance
Differences are a result of the CSEC and Microsoft Baseline configuration variance.
5.4.2 [Registry Values]
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,4
5.4.3 [Service General Setting]
"lanmanworkstation", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA )(A;;CCDCLCSWRPWPDTLOCR SDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"lanmanserver", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA )(A;;CCDCLCSWRPWPDTLOCR SDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"browser", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA )(A;;CCDCLCSWRPWPDTLOCR SDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
5.4.4 Workgroup File Server IPSec Policy
The following file has been modified from the one supplied as part of the Microsoft Windows Server 2003 Security Guideline. The procedure outlined in 5.1 Role Based IPSec Policies is used to apply the policy.
REM (c) Microsoft Corporation 1997-2003
REM Packet Filters for Server Hardening
REM
REM Name: PacketFilter-File.CMD
REM Version: 1.0
REM This CMD file provides the proper NETSH syntax for creating an IPSec Policy
REM that blocks all network traffic to a File Server except for what is
REM explicitly allowed as described in the Windows 2003 Server Solution Guide.
REM Please read the entire guide before using this CMD file.
REM Revision History
REM 0000 - Original February 05, 2003
REM 0000 - Original April 03, 2003
:IPSec Policy Definition
netsh ipsec static add policy name="Packet Filters - File" description="Server Hardening Policy" assign=no
:IPSec Filter List Definitions
netsh ipsec static add filterlist name="CIFS/SMB Server" description="Server Hardening"
netsh ipsec static add filterlist name="NetBIOS Server" description="Server Hardening"
netsh ipsec static add filterlist name="Terminal Server" description="Server Hardening"
netsh ipsec static add filterlist name="ALL Inbound Traffic" description="Server Hardening"
:IPSec Filter Action Definitions
netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit
netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block
:IPSec Filter Definitions
netsh ipsec static add filter filterlist="CIFS/SMB Server" srcaddr=any dstaddr=me description="CIFS/SMB Server Traffic" protocol=TCP srcport=0 dstport=445
netsh ipsec static add filter filterlist="CIFS/SMB Server" srcaddr=any dstaddr=me description="CIFS/SMB Server Traffic" protocol=UDP srcport=0 dstport=445
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=TCP srcport=0 dstport=137
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=UDP srcport=0 dstport=137
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=UDP srcport=0 dstport=138
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=TCP srcport=0 dstport=139
netsh ipsec static add filter filterlist="Terminal Server" srcaddr=any dstaddr=me description="Terminal Server Traffic" protocol=TCP srcport=0 dstport=3389
netsh ipsec static add filter filterlist="ALL Inbound Traffic" srcaddr=any dstaddr=me description="ALL Inbound Traffic" protocol=any srcport=0 dstport=0
:IPSec Rule Definitions
netsh ipsec static add rule name="CIFS/SMB Server" policy="Packet Filters - File" filterlist="CIFS/SMB Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="NetBIOS Server Rule" policy="Packet Filters - File" filterlist="NetBIOS Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Terminal Server Rule" policy="Packet Filters - File" filterlist="Terminal Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet Filters - File" filterlist="ALL Inbound Traffic" kerberos=yes filteraction=Block
5.5 Workgroup Print Server Policy
The workgroup print server allows authenticated users to access shared printers on the system. Access to these shared printers can be controlled. Users who attempt to access print servers can authenticate with user-based credentials. Once authenticated, appropriate access is granted.
5.5.1 Variance from Microsoft Guidance
Differences are a result of the CSEC and Microsoft Baseline configuration variance.
5.5.2 [Registry Values]
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,4
machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers=4,0
machine\system\currentcontrolset\control\securepipeservers\winreg\allowedpaths\machine=7,Software\Microsoft\Windows NT\CurrentVersion\Print,System\CurrentControlSet\Control\Print\Printers
5.5.3 [Service General Setting]
"lanmanworkstation", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA )(A;;CCDCLCSWRPWPDTLOCR SDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"lanmanserver", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA )(A;;CCDCLCSWRPWPDTLOCR SDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"browser", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA )(A;;CCDCLCSWRPWPDTLOCR SDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"spooler", 2,
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA )(A;;CCDCLCSWRPWPDTLOCR SDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
5.5.4 Workgroup Print Server IPSec Policy
The following file has been modified from the Microsoft Windows Server 2003 Security Guideline. The CSEC IPSec policy does not reference Domain Controllers. Run the file as a command to load the policy. The procedure outlined in 5.1 Role Based IPSec Policies is used to apply the policy.
REM (c) Microsoft Corporation 1997-2003
REM Packet Filters for Server Hardening
REM
REM Name: PacketFilter-Print.CMD
REM Version: 1.0
REM This CMD file provides the proper NETSH syntax for creating an IPSec Policy
REM that blocks all network traffic to a Print Server except for what is
REM explicitly allowed as described in the Windows 2003 Server Solution Guide.
REM Please read the entire guide before using this CMD file.
REM Revision History
REM 0000 - Original February 05, 2003
REM 0000 - Original April 03, 2003
:IPSec Policy Definition
netsh ipsec static add policy name="Packet Filters - Print" description="Server Hardening Policy" assign=no
:IPSec Filter List Definitions
netsh ipsec static add filterlist name="CIFS/SMB Server" description="Server Hardening"
netsh ipsec static add filterlist name="NetBIOS Server" description="Server Hardening"
netsh ipsec static add filterlist name="Terminal Server" description="Server Hardening"
netsh ipsec static add filterlist name="ALL Inbound Traffic" description="Server Hardening"
:IPSec Filter Action Definitions
netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit
netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block
:IPSec Filter Definitions
netsh ipsec static add filter filterlist="CIFS/SMB Server" srcaddr=any dstaddr=me description="CIFS/SMB Server Traffic" protocol=TCP srcport=0 dstport=445
netsh ipsec static add filter filterlist="CIFS/SMB Server" srcaddr=any dstaddr=me description="CIFS/SMB Server Traffic" protocol=UDP srcport=0 dstport=445
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=TCP srcport=0 dstport=137
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=UDP srcport=0 dstport=137
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=UDP srcport=0 dstport=138
netsh ipsec static add filter filterlist="NetBIOS Server" srcaddr=any dstaddr=me description="NetBIOS Server Traffic" protocol=TCP srcport=0 dstport=139
netsh ipsec static add filter filterlist="Terminal Server" srcaddr=any dstaddr=me description="Terminal Server Traffic" protocol=TCP srcport=0 dstport=3389
netsh ipsec static add filter filterlist="ALL Inbound Traffic" srcaddr=any dstaddr=me description="ALL Inbound Traffic" protocol=any srcport=0 dstport=0
:IPSec Rule Definitions
netsh ipsec static add rule name="CIFS/SMB Server" policy="Packet Filters - Print" filterlist="CIFS/SMB Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="NetBIOS Server Rule" policy="Packet Filters - Print" filterlist="NetBIOS Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Terminal Server Rule" policy="Packet Filters - Print" filterlist="Terminal Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet Filters - Print" filterlist="ALL Inbound Traffic" kerberos=yes filteraction=Block
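The four PacketFilter scripts in 5.2.3, 5.3.4, 5.4.4 and 5.5.4 share one structure: a policy, named filter lists, two filter actions, filters attached to the lists, and rules that bind a list and an action to the policy. Two things are worth checking offline before such a script is run and the policy assigned. First, which inbound ports the permit rules open, since Windows IPSec applies the most specific matching filter and the port-specific permits are what override the "ALL Inbound Traffic" block. Second, whether every rule names a policy, filter list and filter action the script actually defines: netsh rejects a rule whose policy name does not match (a missing space or stray character is enough), and if the rejected rule is the catch-all block, the remaining rules still load and the server ends up with permits but no block. The reviewer below is an added example, not code from the CSEC guide or from Microsoft's files; SAMPLE_SCRIPT is a constructed excerpt in the same layout, with one deliberately mistyped policy name so the check has something to find.

```python
"""Offline review of a 'netsh ipsec static' hardening script.

Added example for the PacketFilter-*.CMD files in section 5; not part of
the CSEC guide or of Microsoft's files. It parses the
'netsh ipsec static add ...' lines into a small model and reports
  1. which inbound (protocol, port) pairs the permit rules open, and
  2. dangling references: a rule or filter that names a policy, filter
     list or filter action the script never defined.
SAMPLE_SCRIPT is constructed; its last rule carries a mistyped policy name.
"""
import shlex
from typing import Dict, List, Tuple

SAMPLE_SCRIPT = r"""
REM constructed sample in the layout of the file-server policy
:IPSec Policy Definition
netsh ipsec static add policy name="Packet Filters - File" description="Server Hardening Policy" assign=no
:IPSec Filter List Definitions
netsh ipsec static add filterlist name="CIFS/SMB Server" description="Server Hardening"
netsh ipsec static add filterlist name="Terminal Server" description="Server Hardening"
netsh ipsec static add filterlist name="ALL Inbound Traffic" description="Server Hardening"
:IPSec Filter Action Definitions
netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit
netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block
:IPSec Filter Definitions
netsh ipsec static add filter filterlist="CIFS/SMB Server" srcaddr=any dstaddr=me description="CIFS/SMB Server Traffic" protocol=TCP srcport=0 dstport=445
netsh ipsec static add filter filterlist="Terminal Server" srcaddr=any dstaddr=me description="Terminal Server Traffic" protocol=TCP srcport=0 dstport=3389
netsh ipsec static add filter filterlist="ALL Inbound Traffic" srcaddr=any dstaddr=me description="ALL Inbound Traffic" protocol=any srcport=0 dstport=0
:IPSec Rule Definitions
netsh ipsec static add rule name="CIFS/SMB Server" policy="Packet Filters - File" filterlist="CIFS/SMB Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="Terminal Server Rule" policy="Packet Filters - File" filterlist="Terminal Server" kerberos=yes filteraction=SecPermit
netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet Filters -File" filterlist="ALL Inbound Traffic" kerberos=yes filteraction=Block
"""

Model = Dict[str, List[Dict[str, str]]]


def parse_script(text: str) -> Model:
    """Collect every 'netsh ipsec static add <object> k=v ...' line by object type."""
    model: Model = {"policy": [], "filterlist": [], "filteraction": [], "filter": [], "rule": []}
    for raw in text.splitlines():
        line = raw.strip()
        # REM comments, :labels and blank lines carry no configuration
        if not line.lower().startswith("netsh ipsec static add "):
            continue
        tokens = shlex.split(line)            # keeps "Packet Filters - File" as one token
        kind = tokens[4].lower()
        args: Dict[str, str] = {}
        for tok in tokens[5:]:
            key, _, value = tok.partition("=")
            args[key.lower()] = value
        if kind in model:
            model[kind].append(args)
    return model


def dangling_references(model: Model) -> List[str]:
    """Rules and filters that point at objects the script never defines."""
    policies = {p["name"] for p in model["policy"]}
    lists = {f["name"] for f in model["filterlist"]}
    actions = {a["name"] for a in model["filteraction"]}
    problems = []
    for f in model["filter"]:
        if f.get("filterlist") not in lists:
            problems.append(f'filter "{f.get("description")}" uses undefined filter list "{f.get("filterlist")}"')
    for r in model["rule"]:
        if r.get("policy") not in policies:
            problems.append(f'rule "{r["name"]}" names undefined policy "{r.get("policy")}"')
        if r.get("filterlist") not in lists:
            problems.append(f'rule "{r["name"]}" names undefined filter list "{r.get("filterlist")}"')
        if r.get("filteraction") not in actions:
            problems.append(f'rule "{r["name"]}" names undefined filter action "{r.get("filteraction")}"')
    return problems


def permitted_inbound(model: Model) -> List[Tuple[str, int]]:
    """(protocol, dstport) pairs that a permit rule opens towards this host."""
    action_of = {a["name"]: a.get("action", "").lower() for a in model["filteraction"]}
    opened = set()
    for r in model["rule"]:
        if action_of.get(r.get("filteraction")) != "permit":
            continue
        for f in model["filter"]:
            if f.get("filterlist") == r.get("filterlist") and f.get("dstaddr", "").lower() == "me":
                opened.add((f.get("protocol", "any").upper(), int(f.get("dstport", "0"))))
    return sorted(opened)


if __name__ == "__main__":
    m = parse_script(SAMPLE_SCRIPT)
    print("permitted inbound:", permitted_inbound(m))
    for p in dangling_references(m):
        print("PROBLEM:", p)
```

Running it against one of the guide's scripts (after the domain-controller and monitoring addresses have been filled in) gives the list of open ports to record in the server's build documentation and an empty problem list; a non-empty list means the script should be corrected before the policy is assigned with the procedure in 5.1.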
6 Server Policy Compliance: Inspection and Enforcement
The manual approach for policy compliance is a feature of the Microsoft Operating System. This approach uses Microsoft Management Console (MMC) with the ‘Security Configuration and Analysis’ snap-in. This process applies to both the Domain and Workgroup environments.
Appropriate configurations for the target server are required. Policies are loaded in MMC, the system is analyzed, and the results are presented on screen. If permissions do not match policy settings, items are identified with a red ‘x’ or the term ‘Investigate’.
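The same comparison can be done outside the snap-in, which is useful for checking many servers or for keeping a record of drift. The script below is an added example, not part of the CSEC guide and not the snap-in's own logic: it reads the [Registry Values] section of a security template in the path=type,value form used by the guide's .inf files, decodes the type code (1 REG_SZ, 3 REG_BINARY, 4 REG_DWORD, 7 REG_MULTI_SZ), compares each entry with a snapshot of the machine's registry, and lists what the snap-in would mark with a red 'x'. The template excerpt reuses values from this guide; the registry snapshot is constructed (two drifted values and one never set) so the report has something to show. It covers [Registry Values] only; the snap-in also compares account policies, system services and file and registry ACLs.

```python
"""Offline analogue of the 'Security Configuration and Analysis' comparison.

Added example; not part of the CSEC guide and not the snap-in's own logic.
Reads [Registry Values] from a security template (path=type,value), decodes
the type code and compares each entry with a registry snapshot. SNAPSHOT is
constructed; TEMPLATE reuses values that appear in this guide.
"""
from typing import Any, Dict, List, Tuple

REG_TYPES = {"1": "REG_SZ", "2": "REG_EXPAND_SZ", "3": "REG_BINARY",
             "4": "REG_DWORD", "7": "REG_MULTI_SZ"}

TEMPLATE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
machine\system\currentcontrolset\control\lsa\restrictanonymous=4,1
machine\system\currentcontrolset\control\lsa\nolmhash=4,1
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,5
machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionpipes=7,
machine\system\currentcontrolset\control\securepipeservers\winreg\allowedpaths\machine=7,Software\Microsoft\Windows NT\CurrentVersion\Print,System\CurrentControlSet\Control\Print\Printers
machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1,"IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION."
"""

# constructed snapshot of what is actually present on a server, in the shape
# an export tool would give (DWORD as int, MULTI_SZ as list of str)
SNAPSHOT: Dict[str, Any] = {
    r"machine\system\currentcontrolset\control\lsa\restrictanonymous": 1,
    r"machine\system\currentcontrolset\control\lsa\nolmhash": 0,          # drifted
    r"machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel": 5,
    r"machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionpipes": ["COMNAP", "COMNODE"],  # should be empty
    r"machine\system\currentcontrolset\control\securepipeservers\winreg\allowedpaths\machine": [
        r"Software\Microsoft\Windows NT\CurrentVersion\Print",
        r"System\CurrentControlSet\Control\Print\Printers",
    ],
    # legalnoticecaption deliberately absent: never configured on this host
}


def decode_value(rtype: str, raw: str) -> Any:
    """Turn the template's textual value into the Python type used by SNAPSHOT."""
    kind = REG_TYPES.get(rtype, rtype)
    if kind == "REG_DWORD":
        return int(raw.strip())
    if kind == "REG_MULTI_SZ":
        return [s for s in raw.split(",") if s]          # "7," means an empty list
    if kind in ("REG_SZ", "REG_EXPAND_SZ"):
        return raw.strip().strip('"')
    return raw                                            # REG_BINARY etc. compared as text


def parse_registry_values(text: str) -> Dict[str, Tuple[str, Any]]:
    """{lower-case path: (type name, expected value)} from the [Registry Values] section."""
    entries: Dict[str, Tuple[str, Any]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        path, _, value = line.partition("=")
        rtype, _, raw_value = value.partition(",")
        rtype = rtype.strip()
        entries[path.strip().lower()] = (REG_TYPES.get(rtype, rtype), decode_value(rtype, raw_value))
    return entries


def analyze(template_text: str, snapshot: Dict[str, Any]) -> List[Tuple[str, str, Any, Any]]:
    """One (path, status, expected, actual) row per template entry; status is ok, mismatch or absent."""
    actual = {k.lower(): v for k, v in snapshot.items()}  # registry paths are case-insensitive
    rows = []
    for path, (_, expected) in parse_registry_values(template_text).items():
        if path not in actual:
            rows.append((path, "absent", expected, None))
        elif actual[path] != expected:
            rows.append((path, "mismatch", expected, actual[path]))
        else:
            rows.append((path, "ok", expected, actual[path]))
    return rows


def findings(template_text: str, snapshot: Dict[str, Any]) -> Dict[str, str]:
    """Only the non-compliant entries, keyed by value name: the red-'x' list."""
    return {path.rsplit("\\", 1)[-1]: status
            for path, status, _, _ in analyze(template_text, snapshot) if status != "ok"}


if __name__ == "__main__":
    for path, status, expected, actual in analyze(TEMPLATE, SNAPSHOT):
        name = path.rsplit("\\", 1)[-1]
        mark = " " if status == "ok" else "x"
        print(f"[{mark}] {name:<22} {status:<8} expected={expected!r} actual={actual!r}")
```

On a real server the snapshot would come from a registry export of the paths named in the template; comparing the export against both the Baseline and the role-based template, as 6.2 describes for the snap-in, gives the same two-layer result.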
6.1 Configuration of Microsoft Management Console (MMC)
The following steps perform compliance inspection with MMC.
a. Open a ‘Command Prompt’ window.
b. At the command prompt, type ‘mmc’.
i. The ‘Console1’ GUI opens.
c. Select File =>Add/Remove Snap-in.
i. ‘Add/Remove Snap-in’ window appears.
d. Click on ‘Add’ button.
i. ‘Add Stand-alone Snap-in’ window opens.
e. Scroll down to, and select ‘Security Configuration and Analysis’.
f. Click ‘Add’ button.
g. Click ‘Close’ button.
i. Control is returned to the ‘Add/Remove Snap-in’ window.
h. Click ‘OK’ button.
6.2 Load Policy File and Computer Configuration
Effective policy files for a system under inspection must be available. They consist of a Baseline configuration file and a role specific policy file. For a domain-based print server, “CSE High Security – Member Server Baseline.inf” and “CSE High Security – Member File Server.inf” are used. Based on your Active Directory and policy files within your structure, additional files may be required.
To load a policy file:
a. Ensure the ‘Console1’ window is active.
b. Right click on ‘Security Configuration and Analysis’.
c. Select ‘Open Database’.
i. The ‘Open Database’ window opens.
d. Enter a name for the database (e.g. systemname-date).
e. Click ‘Open’ button.
i. ‘Import Template’ window opens.
f. Browse to the location of the Baseline configuration file and select it.
g. Select ‘Clean this database before importing’.
h. Click ‘Open’ button.
i. Right click on ‘Security Configuration and Analysis’.
j. Click ‘Import Template’.
i. ‘Import Template’ window opens.
k. Browse to the location of the role based policy file and select it.
l. Click ‘Open’ button.
m. Right click ‘Security Configuration and Analysis’.
n. Select ‘Analyze Computer Now’.
i. ‘Perform Analysis’ window opens.
o. Click ‘OK’ to accept the log file location and perform analysis.
6.3 Compare Resultant Policy and Computer Settings
a. Click on the ‘+’ to expand ‘Security Configuration and Analysis’.
b. Click on the ‘+’ to expand ‘Account Policies’.
c. Click on ‘Password Policies’ (right side frame shows settings).
NOTE: If any item in the database does not match the computer setting, a small red ‘x’ in the ‘Policy’ column appears.
d. Repeat the process for all sub-groups in ‘Account Policies’, ‘Local Policies’, and ‘Event Logs’.
e. Click on ‘System Services’ (right frame shows service settings).
NOTE: If any item in the database does not match the computer setting, a small red ‘x’ in the ‘System Service’ column appears. Additionally, if the security setting does not match, the ‘Permission’ column will display ‘Investigate’.
f. To reset the configuration, simply reapply the policy. A domain server can be rebooted to force application of the policy.
g. Policy configuration for a workgroup server must be reapplied manually. Please follow the procedure outlined in 5.1 Role Based IPSec Policies.
Bibliography
Author: Ben Smith and Brian Komar (with the Microsoft Security Team)
Title: Microsoft Windows Security Resource Kit
Editor: Julie Miller
Edition: 1st
Publication Data:
Publisher: Microsoft Press
Place: One Microsoft Way, Redmond, Washington 98052-6399
Author: Kurt Dillard, Jose Maldonado and Brad Warrender
Title: Microsoft Solutions for Security: Windows Server 2003 Security Guide
Editor: Ried Bannecker, Wendy Cleary, John Cobb, Kelly McMahon and Jon Tobey
Edition: 1st
Publication Data:
Publisher: Microsoft Corporation
Place: One Microsoft Way, Redmond, Washington 98052-6399
Author: Kurt Dillard
Title: Microsoft Solutions for Security: Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
Editor: Ried Bannecker, John Cobb and Jon Tobey
Edition: 1st
Publication Data:
Publisher: Microsoft Corporation
Place: One Microsoft Way, Redmond, Washington 98052-6399
Author: Microsoft Press
Title: Microsoft Windows Server 2003 Automating and Customizing Installations
Editor: Maureen Williams Zimmerman
Edition: 1st
Publication Data:
Publisher: Microsoft Corporation
Place: One Microsoft Way, Redmond, Washington 98052-6399
Annex A
The Annex contains ‘raw’ files previously referenced in this document. Modify the contents with a text editor to manually create installation or policy files. Feel free to cut and paste as needed.
A.1 Automated Domain Installation File
;
; Installation configuration file for Member Server of Domain
;
; To be used with the CSEC Member Server Baseline configuration to install
; and configure a secure Domain Server
;
;
A.2 Automated Workgroup Installation File
;
; Installation configuration file for Member Server of Domain
;
; To be used with the CSEC Member Server Baseline configuration to install
; and configure a secure Domain Server
;
;
[Data]
A.3 CSEC High Security – Member Server Baseline.inf
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Profile Description]
Description=Baseline template for all Member Servers in an environment with high security requirements.
[System Access]
[Registry Values]
machine\system\software\microsoft\windows nt\currentversion\winlogon\screensavergraceperiod=4,0
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxportsexhausted=4,5
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxdataretransmissions=4,3
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxconnectresponseretransmissions=4,2
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxhalfopen=4,100
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxhalfopenretired=4,80
machine\system\currentcontrolset\services\tcpip\parameters\nonamereleaseondemand=4,1
machine\system\currentcontrolset\services\tcpip\parameters\synattackprotect=4,1
machine\system\currentcontrolset\services\tcpip\parameters\performrouterdiscovery=4,0
machine\system\currentcontrolset\services\tcpip\parameters\keepalivetime=4,300000
machine\system\currentcontrolset\services\tcpip\parameters\enablepmtudiscovery=4,0
machine\system\currentcontrolset\services\tcpip\parameters\enableicmpredirect=4,0
machine\system\currentcontrolset\services\tcpip\parameters\enabledeadgwdetect=4,0
machine\system\currentcontrolset\services\tcpip\parameters\disableipsourcerouting=4,2
machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity=4,2
machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4,1
machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,1
machine\system\currentcontrolset\services\netlogon\parameters\refusepasswordchange=4,0
machine\system\currentcontrolset\services\netlogon\parameters\maximumpasswordage=4,30
machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0
machine\system\currentcontrolset\services\netbt\parameters\nonamereleaseondemand=4,1
machine\system\currentcontrolset\services\ldap\ldapclientintegrity=4,1
machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4,1
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\restrictnullsessaccess=4,1
machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,1
machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares=7,
machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionpipes=7,
machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,1
machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4,1
machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15
machine\system\currentcontrolset\services\eventlog\security\warninglevel=4,90
machine\system\currentcontrolset\services\afd\parameters\minimumdynamicbacklog=4,20
machine\system\currentcontrolset\services\afd\parameters\maximumdynamicbacklog=4,20000
machine\system\currentcontrolset\services\afd\parameters\enabledynamicbacklog=4,1
machine\system\currentcontrolset\services\afd\parameters\dynamicbackloggrowthdelta=4,10
machine\system\currentcontrolset\control\session manager\subsystems\optional=7,
machine\system\currentcontrolset\control\session manager\safedllsearchmode=4,1
machine\system\currentcontrolset\control\session manager\protectionmode=4,1
machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown=4,1
machine\system\currentcontrolset\control\session manager\kernel\obcaseinsensitive=4,1
machine\system\currentcontrolset\control\securepipeservers\winreg\allowedpaths\machine=7,
machine\system\currentcontrolset\control\securepipeservers\winreg\allowedexactpaths\machine=7,
machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers=4,1
machine\system\currentcontrolset\control\lsa\submitcontrol=4,0
machine\system\currentcontrolset\control\lsa\restrictanonymoussam=4,1
machine\system\currentcontrolset\control\lsa\restrictanonymous=4,1
machine\system\currentcontrolset\control\lsa\nolmhash=4,1
machine\system\currentcontrolset\control\lsa\nodefaultadminowner=4,1
machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminserversec=4,537395248
machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminclientsec=4,537395248
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,5
machine\system\currentcontrolset\control\lsa\limitblankpassworduse=4,1
machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0
machine\system\currentcontrolset\control\lsa\forceguest=4,0
machine\system\currentcontrolset\control\lsa\fipsalgorithmpolicy=4,1
machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous=4,0
machine\system\currentcontrolset\control\lsa\disabledomaincreds=4,1
machine\system\currentcontrolset\control\lsa\crashonauditfail=4,1
machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0
machine\system\currentcontrolset\control\filesystem\ntfsdisable8dot3namecreation=4,1
machine\software\policies\microsoft\windows\safer\codeidentifiers\authenticodeenabled=4,0
machine\software\policies\microsoft\cryptography\forcekeyprotection=4,2
machine\software\microsoft\windows\currentversion\policies\system\undockwithoutlogon=4,0
machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,0
machine\software\microsoft\windows\currentversion\policies\system\scforceoption=4,0
machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=7,This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background.
machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1,"IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION."
machine \software \microsoft \windows \currentversion \policies \system \dontdisplaylastusername=4 ,1machine \software \microsoft \windows \currentversion \policies \system \disablecad=4,0
machine \software \microsoft \windows \currentversion \policies \explorer \nodrivetypeautorun=4,255
machine \system \currentcontrolset \control \services \CDRom \AutoRun=4, 1
machine \software \microsoft \windows nt \currentversion \winlogon \scremoveoption=l,"1"
machine \software \microsoft \windows nt \currentversion \winlogon \passwordexpirywarning=4,14
machine \software \microsoft \windows nt \currentversion \winlogon \forceunlocklogon=4,l
machine \software \microsoft \windows nt \currentversion \winlogon \cachedlogonscount=l,"0"
machine \software \microsoft \windows nt \currentversion \winlogon \allocatefloppies=l,"1"
machine \software \microsoft \windows nt \currentversion \winlogon \allocatedasd=l,"0"
machine \software \microsoft \windows nt \currentversion \winlogon \allocatecdroms=l,"1"
machine \software \microsoft \windows nt \currentversion \setup \recoveryconsole \setcommand=4,0
machine \software \microsoft \windows nt \currentversion \setup \recoveryconsole \securitylevel=4,0
machine \software \microsoft \driver signing \policy=3,1
machine \system \currentcontrolset \control \services \LanmanServer \Parameters \AutoShareServer= 4, 0
machine \Software \Microsoft \OLE \EnableDCOM=4, 0
[Privilege Rights]
seassignprimarytokenprivilege = *S-1-5-19,*S-1-5-20
seauditprivilege = *S-1-5-19,*S-1-5-20
sebackupprivilege = *S-1-5-32-551,*S-1-5-32-544
sebatchlogonright =
sechangenotifyprivilege = *S-1-5-32-545,*S-1-5-32-551,*S-1-5-11,*S-1-5-32-544
secreateglobalprivilege = *S-1-5-6,*S-1-5-32-544
secreatepagefileprivilege = *S-1-5-32-544
secreatepermanentprivilege =
secreatetokenprivilege =
sedebugprivilege =
sedenybatchlogonright = *S-1-5-32-546,*S-1-5-7
sedenyinteractivelogonright = *S-1-5-32-546,*S-1-5-7
sedenynetworklogonright = *S-1-5-32-546,*S-1-5-7
sedenyremoteinteractivelogonright = *S-1-5-32-546,*S-1-5-7
sedenyservicelogonright = *S-1-5-32-546,*S-1-5-7,*S-1-5-32-544
seenabledelegationprivilege =
seimpersonateprivilege = *S-1-5-19,*S-1-5-20
seincreasebasepriorityprivilege = *S-1-5-32-544
seincreasequotaprivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20
seinteractivelogonright = *S-1-5-32-551,*S-1-5-32-544
seloaddriverprivilege = *S-1-5-32-544
selockmemoryprivilege = *S-1-5-32-544
semachineaccountprivilege = *S-1-5-32-544
semanagevolumeprivilege = *S-1-5-32-544
senetworklogonright = *S-1-5-9,*S-1-5-11,*S-1-5-32-544
seprofilesingleprocessprivilege = *S-1-5-32-544
seremoteinteractivelogonright = *S-1-5-32-544
seremoteshutdownprivilege =
serestoreprivilege = *S-1-5-32-544
sesecurityprivilege = *S-1-5-32-544
seservicelogonright = *S-1-5-20,*S-1-5-19
seshutdownprivilege = *S-1-5-32-544
sesyncagentprivilege =
sesystemenvironmentprivilege = *S-1-5-32-544
sesystemprofileprivilege = *S-1-5-32-544
sesystemtimeprivilege = *S-1-5-32-544
setakeownershipprivilege = *S-1-5-32-544
setcbprivilege =
seundockprivilege = *S-1-5-32-544
[Service General Setting]
"6to4",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"alg",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"appmgmt",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"appmgr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"appmon",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"aspnet_state",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"audiosrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"binlsvc",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"bits",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"browser",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"certsvc",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"cisvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"clipsrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"clussvc",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"comsysapp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"corrtsvc",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"cryptsvc",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"dfs",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"dhcp",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"dhcpserver",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"dmadmin",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"dmserver",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"dns",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"elementmgr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"ersvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"eventlog",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"eventsystem",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"fastuserswitchingcompatibility",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"fax",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"groveler",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"helpsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"hidserv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"httpfilter",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"ias",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"iasjet",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"iisadmin",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"imapiservice",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"irmon",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"ismserv",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"kdc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"lanmanserver",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"lanmanworkstation",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"licenseservice",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"lmhosts",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"macfile",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"macprint",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"messenger",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"mnmsrvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"mqds",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"mqtgsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"msdtc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"msftpsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"msiserver",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"msmq",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"mssql$uddi",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"mssql$webdb",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"mssqlserveradhelper",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"netdde",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"netddedsdm",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"netlogon",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"netman",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"nla",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"nntpsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"ntfrs",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"ntlmssp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"ntmssvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"nwcworkstation",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"nwsapagent",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"policyagent",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"pop3svc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"protectedstorage",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"rasauto",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"rasman",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"rdsessmgr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"remote storage server",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"remote storage user link",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"remoteaccess",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"remoteregistry",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"rpclocator",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"rpcss",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"sacsvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"saldm",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"samss",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"scardsvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"schedule",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"seclogon",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"sens",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"sharedaccess",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"shellhwdetection",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"simptcp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"smtpsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"snmp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"spooler",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"sptimer",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"sqlagent$webdb",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"sqlserveragent",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"srvcsurg",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"stisvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"swprv",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"sysmonlog",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"tapisrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"termservice",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"termservlicensing",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"tftpd",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"tlntsvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"trksvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"trkwks",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"tssdis",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"uploadmgr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"ups",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"vds",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"vss",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"w32time",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"w3svc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"webclient",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"windowssystemresourcemanager",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"winhttpautoproxysvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"winmgmt",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"wins",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"winsip",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"wmdmpmsn",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"wmi",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"wmiapsrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"wmserver",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"wuauserv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"wzcsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
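Each line of the [Service General Setting] section above has the form "service", startup, "SDDL": the startup value is 2 (Automatic), 3 (Manual) or 4 (Disabled), and the SDDL string is the security descriptor that secedit applies to the service object. In the descriptor forms the template uses, Administrators (BA) and SYSTEM (SY) receive full control, Everyone (WD) gets a failure-audit ACE, and where Interactive Users (IU) appear they are limited to CC, LC, SW, LO, CR and RC, which on a service object mean query configuration, query status, enumerate dependents, interrogate, user-defined control and read the security descriptor; nothing that starts, stops or reconfigures the service. The following Python script is an added example for this page, not code from the CSEC template or from Microsoft's guide. It parses entries in that form, decodes the DACL using the service-object meaning of each SDDL rights code, and reports any trustee other than BA or SY that holds rights allowing it to reconfigure, control or take over the service, as well as a missing audit ACE. The sample entries are constructed from the template's own lines; the "weaksvc" entry and its descriptor are invented to show a failing case.

```python
"""Decode the [Service General Setting] entries of a secedit .inf template.
Each entry has the form  "service", startup, "SDDL"  with startup 2=Automatic, 3=Manual,
4=Disabled. The DACL is checked for trustees other than Administrators and SYSTEM that hold
rights letting them reconfigure, control or take over the service."""
import re

STARTUP = {2: "Automatic", 3: "Manual", 4: "Disabled"}
# SDDL two-letter rights as they map onto service-object access rights (the sc sdshow mapping).
SERVICE_RIGHTS = {
    "CC": ("SERVICE_QUERY_CONFIG", 0x0001), "DC": ("SERVICE_CHANGE_CONFIG", 0x0002),
    "LC": ("SERVICE_QUERY_STATUS", 0x0004), "SW": ("SERVICE_ENUMERATE_DEPENDENTS", 0x0008),
    "RP": ("SERVICE_START", 0x0010), "WP": ("SERVICE_STOP", 0x0020),
    "DT": ("SERVICE_PAUSE_CONTINUE", 0x0040), "LO": ("SERVICE_INTERROGATE", 0x0080),
    "CR": ("SERVICE_USER_DEFINED_CONTROL", 0x0100), "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000), "WD": ("WRITE_DAC", 0x40000),
    "WO": ("WRITE_OWNER", 0x80000), "GA": ("GENERIC_ALL", 0x10000000),
}
TRUSTEES = {"BA": "Administrators", "SY": "SYSTEM", "IU": "Interactive Users", "WD": "Everyone",
            "AU": "Authenticated Users", "BU": "Users"}
ADMIN_TRUSTEES = {"BA", "SY"}
# SERVICE_CHANGE_CONFIG lets the holder repoint the service binary (which then runs as the
# service account); WRITE_DAC, WRITE_OWNER, DELETE and GENERIC_ALL reach the same result.
TAKEOVER = {"DC", "WD", "WO", "SD", "GA"}
CONTROL = {"RP", "WP", "DT"}   # start/stop/pause: denial of service rather than takeover

ENTRY_RE = re.compile(r'^"([^"]+)",\s*(\d),\s*"([^"]*)"$')
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(s):
    """Split a rights string such as CCLCSWLOCRRC into its two-letter codes."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def rights_mask(codes):
    """Access mask that the listed SDDL codes denote on a service object."""
    return sum(SERVICE_RIGHTS[c][1] for c in codes)


def parse_sddl(sddl):
    """Return (dacl_aces, sacl_aces); each ACE is a dict of type, flags, rights, trustee."""
    def aces(part):
        out = []
        for m in ACE_RE.finditer(part):
            ace_type, ace_flags, rights, _obj, _inherit, trustee = m.group(1).split(";")
            out.append({"type": ace_type, "flags": ace_flags,
                        "rights": parse_rights(rights), "trustee": trustee})
        return out
    dacl_part, _, sacl_part = sddl.partition("S:")   # "D:..." followed by an optional "S:..."
    return aces(dacl_part), aces(sacl_part)


def parse_service_entries(text):
    """Parse the lines of a [Service General Setting] section, one entry per line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"service": m.group(1), "startup": STARTUP.get(int(m.group(2)), m.group(2)),
                            "sddl": m.group(3)})
    return entries


def service_findings(entry):
    """Allow-ACEs granting takeover or control rights to anyone but Administrators/SYSTEM,
    plus a missing audit ACE for Everyone."""
    dacl, sacl = parse_sddl(entry["sddl"])
    findings = []
    for ace in dacl:
        if ace["type"] != "A" or ace["trustee"] in ADMIN_TRUSTEES:
            continue
        bad = sorted(set(ace["rights"]) & (TAKEOVER | CONTROL))
        if bad:
            findings.append("%s: %s has %s" % (entry["service"], TRUSTEES.get(ace["trustee"], ace["trustee"]),
                                               ", ".join(SERVICE_RIGHTS[r][0] for r in bad)))
    if not any(a["type"] == "AU" and a["trustee"] == "WD" for a in sacl):
        findings.append("%s: no audit ACE for Everyone" % entry["service"])
    return findings


def audit_services(text):
    """{service: (startup, findings)} for every entry in the section text."""
    return {e["service"]: (e["startup"], service_findings(e)) for e in parse_service_entries(text)}


# Constructed sample: three entries copied from the template's own forms plus a deliberately
# weakened "weaksvc" (invented name) that grants Interactive Users change-config and stop rights.
SAMPLE = '''
"6to4",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"browser",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"lanmanserver",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"weaksvc",2,"D:(A;;CCDCLCSWRPWPLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)"
'''

if __name__ == "__main__":
    for service, (startup, findings) in audit_services(SAMPLE).items():
        print("%-14s %-9s %s" % (service, startup, "; ".join(findings) or "ok"))
```

The same check can be run against a deployed server: sc sdshow <service> prints the service's descriptor in this SDDL form, and wrapping that output in the "name", startup, "SDDL" shape lets audit_services compare what the system actually enforces with what the template intended.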
A.4 CSEC High Security – Workgroup Server Baseline.inf
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Profile Description]
Description=Baseline template for all Workgroup Servers in an environment with high security requirements.
[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ResetLockoutCount = 15
LockoutDuration = 15
ForceLogoffWhenHourExpire = 1
NewAdministratorName = "johnsmith"
NewGuestName = "janesmith"
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
EnableAdminAccount = 0
EnableGuestAccount = 0
[System Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 2
RestrictGuestAccess = 1
[Security Log]
MaximumLogSize = 81920
AuditLogRetentionPeriod = 2
RestrictGuestAccess = 1
[Application Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 2
RestrictGuestAccess = 1
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 3
AuditAccountLogon = 3
[Registry Values]
machine \system \software \microsoft \windows nt \currentversion \winlogon \screensavergraceperiod=4,0
machine \system \currentcontrolset \services \tcpip \parameters \tcpmaxportsexhausted=4,5
machine \system \currentcontrolset \services \tcpip \parameters \tcpmaxdataretransmissions=4,3
machine \system \currentcontrolset \services \tcpip \parameters \tcpmaxconnectresponseretransmissi ons=4,2
machine \system \currentcontrolset \services \tcpip \parameters \tcpmaxhal//fopen=4, 100
machine \system \currentcontrolset \services \tcpip \parameters \tcpmaxhal//fopenretired=4, 80
machine \system \currentcontrolset \services \tcpip \parameters \nonamereleaseondemand=4, 1
machine \system \currentcontrolset \services \tcpip \parameters \synattackprotect=4,l
machine \system \currentcontrolset \services \tcpip \parameters \performrouterdiscovery=4,0
machine \system \currentcontrolset \services \tcpip \parameters \keepalivetime=4,300000
machine \system \currentcontrolset \services \tcpip \parameters \enablepmtudiscovery=4,0
machine \system \currentcontrolset \services \tcpip \parameters \enableicmpredirect=4,0
machine \system \currentcontrolset \services \tcpip \parameters \enabledeadgwdetect=4,0
machine \system \currentcontrolset \services \tcpip \parameters \disableipsourcerouting=4,2
machine \system \currentcontrolset \services \ntds \parameters \ldapserverintegrity=4,2
machine \system \currentcontrolset \services \netlogon \parameters \signsecurechannel=4,l
machine \system \currentcontrolset \services \netlogon \parameters \sealsecurechannel=4,l
machine \system \currentcontrolset \services \netlogon \parameters \requirestrongkey=4,l
machine \system \currentcontrolset \services \netlogon \parameters \requiresignorseal=4,l
machine \system \currentcontrolset \services \netlogon \parameters \refusepasswordchange=4,0machine \system \currentcontrolset \services \netlogon \parameters \maximumpasswordage=4,30
machine \system \currentcontrolset \services \netlogon \parameters \disablepasswordchange=4,0
machine \system \currentcontrolset \services \netbt \parameters \nonamereleaseondemand=4,l
machine \system \currentcontrolset \services \ldap \ldapclientintegrity=4,l
machine \system \currentcontrolset \services \lanmanworkstation \parameters \requiresecuritysignatu re=4,l
machine \system \currentcontrolset \services \lanmanworkstation \parameters \enablesecuritysignatur e=4,l
machine \system \currentcontrolset \services \lanmanworkstation \parameters \enableplaintextpasswo rd=4,0
machine \system \currentcontrolset \services \lanmanserver \parameters \restrictnullsessaccess=4,l
machine \system \currentcontrolset \services \lanmanserver \parameters \requiresecuritysignature=4, 1
machine \system \currentcontrolset \services \lanmanserver \parameters \nullsessionshares=7,
machine \system \currentcontrolset \services \lanmanserver \parameters \nullsessionpipes=7,
machine \system \currentcontrolset \services \lanmanserver \parameters \enablesecuritysignature=4,l
machine \system \currentcontrolset \services \lanmanserver \parameters \enableforcedlogoff=4,l
machine \system \currentcontrolset \services \lanmanserver \parameters \autodisconnect=4,15
machine \system \currentcontrolset \services \eventlog \security \warninglevel=4,90
machine \system \currentcontrolset \services \afd \parameters \minimumdynamicbacklog=4,20
machine \system \currentcontrolset \services \afd \parameters \maximumdynamicbacklog=4,20000
machine \system \currentcontrolset \services \afd \parameters \enabledynamicbacklog=4,l
machine \system \currentcontrolset \services \afd \parameters \dynamicbackloggrowthdelta=4,10
machine \system \currentcontrolset \control \session manager \subsystems \optional=7,
machine \system \currentcontrolset \control \session manager \safedllsearchmode=4,l
machine \system \currentcontrolset \control \session manager \protectionmode=4,l
machine \system \currentcontrolset \control \session manager \memory management \clearpagefileatshutdown=4,l
machine \system \currentcontrolset \control \session manager \kernel \obcaseinsensitive=4,l
machine \system \currentcontrolset \control \securepipeservers \winreg \allowedpaths \machine=7,
machine \system \currentcontrolset \control \securepipeservers \winreg \allowedexactpaths \machine=7,
machine \system \currentcontrolset \control \print \providers \lanman print services \servers \addprinterdrivers=4,1machine \system \currentcontrolset \control \lsa \submitcontrol=4,0
machine \system \currentcontrolset \control \lsa \restrictanonymoussam=4,1
machine \system \currentcontrolset \control \lsa \restrictanonymous=4,1
machine \system \currentcontrolset \control \lsa \nolmhash=4,1
machine \system \currentcontrolset \control \lsa \nodefaultadminowner=4,1
machine \system \currentcontrolset \control \lsa \msv1_0 \ntlmminserversec=4,537395248
machine \system \currentcontrolset \control \lsa \msv1_0 \ntlmminclientsec=4,537395248
machine \system \currentcontrolset \control \lsa \lmcompatibilitylevel=4,5
machine \system \currentcontrolset \control \lsa \limitblankpassworduse=4,1
machine \system \currentcontrolset \control \lsa \fullprivilegeauditing=3,0
machine \system \currentcontrolset \control \lsa \forceguest=4,0
machine \system \currentcontrolset \control \lsa \fipsalgorithmpolicy=4,1
machine \system \currentcontrolset \control \lsa \everyoneincludesanonymous=4,0
machine \system \currentcontrolset \control \lsa \disabledomaincreds=4,1
machine \system \currentcontrolset \control \lsa \crashonauditfail=4,1
machine \system \currentcontrolset \control \lsa \auditbaseobjects=4,0
machine \system \currentcontrolset \control \filesystem \ntfsdisable8dot3namecreation=4,1
machine \software \policies \microsoft \windows \safer \codeidentifiers \authenticodeenabled=4,0
machine \software \policies \microsoft \cryptography \forcekeyprotection=4,2
machine \software \microsoft \windows \currentversion \policies \system \undockwithoutlogon=4,0
machine \software \microsoft \windows \currentversion \policies \system \shutdownwithoutlogon=4,0
machine \software \microsoft \windows \currentversion \policies \system \scforceoption=4,0
machine \software \microsoft \windows \currentversion \policies \system \legalnoticetext=7,This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized.
machine \software \microsoft \windows \currentversion \policies \system \legalnoticecaption=1,"IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION."
machine \software \microsoft \windows \currentversion \policies \system \dontdisplaylastusername=4 ,1
machine \software \microsoft \windows \currentversion \policies \system \disablecad=4,0
machine \software \microsoft \windows \currentversion \policies \explorer \nodrivetypeautorun=4,25 5machine \system \currentcontrolset \control \services \CDRom \AutoRun=4, 1
machine \software \microsoft \windows nt \currentversion \winlogon \scremoveoption=1,"1"
machine \software \microsoft \windows nt \currentversion \winlogon \passwordexpirywarning=4,14
machine \software \microsoft \windows nt \currentversion \winlogon \forceunlocklogon=4,1
machine \software \microsoft \windows nt \currentversion \winlogon \cachedlogonscount=1,"0"
machine \software \microsoft \windows nt \currentversion \winlogon \allocatefloppies=1,"1"
machine \software \microsoft \windows nt \currentversion \winlogon \allocatedasd=1,"0"
machine \software \microsoft \windows nt \currentversion \winlogon \allocatecdroms=1,"1"
machine \software \microsoft \windows nt \currentversion \setup \recoveryconsole \setcommand=4,0
machine \software \microsoft \windows nt \currentversion \setup \recoveryconsole \securitylevel=4,0
machine \software \microsoft \driver signing \policy=3,1
machine \system \currentcontrolset \control \services \LanmanServer \Parameters \AutoShareServer=4,0
machine \Software \Microsoft \OLE \EnableDCOM=4,0
[Privilege Rights]
seassignprimarytokenprivilege = *S-1-5-19,*S-1-5-20
seauditprivilege = *S-1-5-19,*S-1-5-20
sebackupprivilege = *S-1-5-32-544,*S-1-5-32-551
sebatchlogonright =
sechangenotifyprivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551,*S-1-5-11
secreateglobalprivilege = *S-1-5-32-544,*S-1-5-6
secreatepagefileprivilege = *S-1-5-32-544
secreatepermanentprivilege =
secreatetokenprivilege =
sedebugprivilege =
sedenybatchlogonright = *S-1-5-32-546,*S-1-5-7
sedenyinteractivelogonright = *S-1-5-32-546,*S-1-5-7
sedenynetworklogonright = *S-1-5-7,*S-1-5-32-546
sedenyremoteinteractivelogonright = *S-1-5-32-546,*S-1-5-7
sedenyservicelogonright = *S-1-5-32-546,*S-1-5-7
seenabledelegationprivilege =
seimpersonateprivilege = *S-1-5-19,*S-1-5-20
seincreasebasepriorityprivilege = *S-1-5-32-544
seincreasequotaprivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20
seinteractivelogonright = *S-1-5-32-551,*S-1-5-32-544
seloaddriverprivilege = *S-1-5-32-544
selockmemoryprivilege = *S-1-5-32-544
semachineaccountprivilege = *S-1-5-32-544
semanagevolumeprivilege = *S-1-5-32-544
senetworklogonright = *S-1-5-32-544,*S-1-5-11
seprofilesingleprocessprivilege = *S-1-5-32-544
seremoteinteractivelogonright = *S-1-5-32-544
seremoteshutdownprivilege =
serestoreprivilege = *S-1-5-32-544
sesecurityprivilege = *S-1-5-32-544
seservicelogonright = *S-1-5-20,*S-1-5-19
seshutdownprivilege = *S-1-5-32-544
sesyncagentprivilege =
sesystemenvironmentprivilege = *S-1-5-32-544
sesystemprofileprivilege = *S-1-5-32-544
sesystemtimeprivilege = *S-1-5-32-544
setakeownershipprivilege = *S-1-5-32-544
setcbprivilege =
seundockprivilege = *S-1-5-32-544
[Service General Setting]
"6to4", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"alerter", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"appmgmt", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"appmgr", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"appmon", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"aspnet_state", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"audiosrv", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"binlsvc", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"bits", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"browser", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"certsvc", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"cisvc", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"clipsrv", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"clussvc", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"corrtsvc", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"cryptsvc", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"dfs", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"dhcp", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"dhcpserver", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"dmadmin", 3, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"dmserver", 3, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"dns", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"dnscache", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"elementmgr", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"ersvc", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"eventlog", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"fastuserswitchingcompatibility", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"fax", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"groveler", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"helpsvc", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"hidserv", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"httpfilter", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"ias", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"iasjet", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"iisadmin", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"imapiservice", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"irmon", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"ismserv", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"lanmanserver", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"lanmanworkstation", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"licenseservice", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"lmhosts", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"lpdsvc", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"macfile", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"macprint", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"messenger", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"mnmsrvc", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"mqds", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"mqtgsvc", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"msdtc", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"msiserver", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"msmq", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"mssql$uddi", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"mssql$webdb", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"mssqlserver", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"mssqlserveradhelper", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"netdde", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"netddedsdm", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"netlogon", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"netman", 3, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"nla", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"nntpsvc", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"ntlmssp", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"ntmssvc", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"nwcworkstation", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"nwsapagent", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"plugplay", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"policyagent", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"pop3svc", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"protectedstorage", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"rasauto", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"rasman", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"rdsessmgr", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"remote storage server", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"remoteaccess", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"remoteregistry", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"rpclocator", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"rpcss", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"rsopprov", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"sacsvr", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"saldm", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"samss", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"scardsvr", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"schedule", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"seclogon", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"sens", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"shellhwdetection", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"simptcp", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"smtpsvc", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"snmp", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"snmptrap", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"spooler", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"sptimer", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"sqlagent$webdb", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"sqlserveragent", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"srvcsurg", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"stisvc", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"swprv", 3, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"tapisrv", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"termservice", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"termservlicensing", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"tftpd", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"themes", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"tlntsvr", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"trksvr", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"trkwks", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"tssdis", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"uploadmgr", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"ups", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"vds", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"w32time", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"w3svc", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"webclient", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"windowssystemresourcemanager", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"winhttpautoproxysvc", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"winmgmt", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"wins", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"winsip", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"wmdmpmsn", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"wmi", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"wmiapsrv", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"wmserver", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"wzcsvc", 4, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
A.5 CSEC High Security – Member File Server.inf
; (c) Microsoft Corporation 1997-2003
;
; Security Configuration Template for Security Configuration Editor
;
; Template Name: High Security - Bastion Host.inf
; Template Version: 1.0
;
;This Security Configuration Template provides settings to support the
;Windows Server 2003 Bastion Host settings for the Windows
;Server 2003 Security Guide. Please read the entire guide before using
;this template.
;
; Release History
; 0001 - Original April 23, 2003
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
"lanmanserver", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"browser", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
A.6 CSEC High Security – Member Print Server.inf
; (c) Microsoft Corporation 1997-2003
;
; Security Configuration Template for Security Configuration Editor
;
; Template Name: High Security - Print Server.inf
; Template Version: 1.0
;
;This Security Configuration Template provides settings to support the
;Windows Server 2003 Print Server Role settings for the Windows
;Server 2003 Security Guide. Please read the entire guide before using
;this template.
;
; Release History
; 0001 - Original April 23, 2003
[Profile Description]
Incremental Settings for a Print Server in an environment with high security requirements.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
machine \system \currentcontrolset \control \securepipeservers \winreg \allowedpaths \machine=7,Software \Microsoft \Windows NT \CurrentVersion \Print,System \CurrentControlSet \Control \Print \Printers
[Service General Setting]
"lanmanserver", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"browser", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"spooler", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
A.7 CSEC High Security – Workgroup File Server.inf
; (c) Microsoft Corporation 1997-2003
;
; Security Configuration Template for Security Configuration Editor
;
; Template Name: High Security - Bastion Host.inf
; Template Version: 1.0
;
;This Security Configuration Template provides settings to support the
;Windows Server 2003 Bastion Host settings for the Windows
;Server 2003 Security Guide. Please read the entire guide before using
;this template.
;
; Release History
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
machine \system \currentcontrolset \control \lsa \lmcompatibilitylevel=4,4
[Service General Setting]
"lanmanserver", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"browser", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
A.8 CSEC High Security – Workgroup Print Server.inf
; (c) Microsoft Corporation 1997-2003
;
; Security Configuration Template for Security Configuration Editor
;
; Template Name: High Security - Bastion Host.inf
; Template Version: 1.0
;
;This Security Configuration Template provides settings to support the
; Release History
; 0001 - Original April 23, 2003
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
machine \system \currentcontrolset \control \lsa \lmcompatibilitylevel=4,4
machine \system \currentcontrolset \control \securepipeservers \winreg \allowedpaths \machine=7,Software \Microsoft \Windows NT \CurrentVersion \Print,System \CurrentControlSet \Control \Print \Printers
[Service General Setting]
"lanmanserver", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"browser", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"spooler", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
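As an added example, not code from the CSEC guide or from Microsoft's templates, the following Python parses the three Security Configuration Editor sections used throughout this appendix ([Registry Values], [Privilege Rights] and [Service General Setting], including the service SDDL strings) and produces the summary a reviewer wants before applying a template: NTLM level, rights nobody holds, rights granted to Authenticated Users, services left enabled, and the trustees in each service ACL. The sample template text and all function names are constructed for this example.

```python
# Added example (not from the CSEC guide or Microsoft's templates): parse the
# [Registry Values], [Privilege Rights] and [Service General Setting] sections
# of a Security Configuration Editor .inf and summarise what a reviewer checks.
import re

REG_TYPES = {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
START_TYPES = {2: "Automatic", 3: "Manual", 4: "Disabled"}
SERVICE_RE = re.compile(r'"([^"]+)"\s*,\s*(\d)\s*,\s*"([^"]*)"')
ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed excerpt in the format of the templates above; not a real file.
SAMPLE_INF = r"""[Registry Values]
machine \system \currentcontrolset \control \lsa \lmcompatibilitylevel=4,4
machine \software \microsoft \windows nt \currentversion \winlogon \cachedlogonscount=1,"0"
[Privilege Rights]
sedebugprivilege =
senetworklogonright = *S-1-5-32-544,*S-1-5-11
[Service General Setting]
"lanmanserver",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"messenger",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
"""

def sections(text):
    """Group non-comment lines under their [Section] header."""
    out, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            out.setdefault(current, [])
        elif current is not None:
            out[current].append(line)
    return out

def registry_values(lines):
    """'path=type,value' -> {path: (type name, value without quotes)}."""
    out = {}
    for line in lines:
        path, _, rest = line.partition("=")
        code, _, value = rest.partition(",")
        out[path.strip()] = (REG_TYPES.get(int(code), code.strip()), value.strip().strip('"'))
    return out

def privilege_rights(lines):
    """'right = *SID,*SID' -> {right: [SID, ...]}; an empty list means nobody holds it."""
    out = {}
    for line in lines:
        name, _, sids = line.partition("=")
        out[name.strip()] = [s.strip().lstrip("*") for s in sids.split(",") if s.strip()]
    return out

def services(lines):
    """'"name",startup,"sddl"' -> {name: (startup name, sddl)}."""
    found = (SERVICE_RE.match(line) for line in lines)
    return {m.group(1): (START_TYPES.get(int(m.group(2)), m.group(2)), m.group(3)) for m in found if m}

def dacl_trustees(sddl):
    """Trustee aliases of the DACL ACEs (everything before the 'S:' SACL part)."""
    return [ace.split(";")[-1] for ace in ACE_RE.findall(sddl.split("S:")[0])]

def audit(text):
    """Points a reviewer checks: NTLM level, unheld or broadly held rights, live services."""
    sec = sections(text)
    reg = registry_values(sec.get("Registry Values", []))
    rights = privilege_rights(sec.get("Privilege Rights", []))
    svcs = services(sec.get("Service General Setting", []))
    lm = [v for path, (_, v) in reg.items() if path.endswith("lmcompatibilitylevel")]
    return {
        "ntlmv2_only": bool(lm) and int(lm[0]) >= 3,  # levels 3-5 send NTLMv2 only
        "unheld_rights": sorted(n for n, s in rights.items() if not s),
        "authenticated_users_rights": sorted(n for n, s in rights.items() if "S-1-5-11" in s),
        "enabled_services": sorted(n for n, (start, _) in svcs.items() if start != "Disabled"),
        "service_dacl": {n: dacl_trustees(sddl) for n, (_, sddl) in svcs.items()},
    }
```

Run `audit(open("template.inf").read())` on any of the appendix templates once each service entry is on a single line, as in the .inf files Microsoft ships.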