
Table 1. Security Administration Guide recommendations for the Windows 2000 Server security baseline. The Comments column notes where the provided template does not match the recommendation and where an item is present in the template but cannot be seen in the GUI.
Template Area | Specific Changes | Comments
Account Policies
Password Policy | 24 passwords remembered; minimum age 2 days; maximum age 42 days; minimum length 8 characters; passwords must meet complexity requirements | Not implemented in the template; you will need to do so. Implement your organization's policy.
Account Lockout Policy | Lockout duration 30 minutes; threshold 5 invalid attempts; reset account lockout counter after (interval not given) | Not implemented in the template; you will need to do so. Implement your organization's policy.
Local Policies
Audit Policy
Audit account logon events | Success, failure | Failure to detect password-guessing and cracking attempts, success to find out whether they worked. These events are recorded where the account lives, so for domain accounts you will get them at the DC. Look for Kerberos messages.
Audit account management | Success, failure | Who is making what changes to groups and accounts.
Audit directory service access | Failure | Who is trying to make changes, or to delegate administration?
Audit logon events | Success, failure | These events are recorded where you log on, at the workstation or server. You need both account logon and logon events to get the real picture.
Audit object access | Success, failure | By itself this generates nothing: it enables auditing of objects (files, registry keys and so on) that carry a SACL, so you still have to set SACLs on the items that matter. Use it to monitor access to critical files and to find out what applications are touching in the registry.
Audit policy change | Success, failure | Who is changing the audit policy, or trying to? An attacker will want to do this to prevent an audit trail.
Audit privilege use | Failure | Who is trying to add people to the Administrators group, shut down systems, and so on.
Audit process tracking | No auditing | Too noisy for a production environment. Use it to track and test an application on a test network.
Audit system events | Success, failure | You want to know about system shutdowns and the like.
Security Options
Restrict Anonymous | No access without explicit anonymous permissions | Be aware this may cause problems with some applications and with trusts to down-level (NT 4.0) domains. The rationale is to prevent anonymous connections from enumerating system configuration, file shares, user names, password policy and so on. See Q246261.
Allow server operators to schedule tasks | Disabled | By default, only Administrators can schedule tasks on servers. Keep it that way.
Allow system to be shut down without having to log on | Disabled | The default on servers. Many attacks require a system shutdown, which an attacker in physical possession of the system could perform anyway.
Allowed to eject removable NTFS media | Administrators | NTFS permissions are enforced by the system the media is mounted on, so anyone who can carry NTFS media to a system they control can read everything on it. Restrict ejection to Administrators so ordinary users cannot walk off with it.
Amount of idle time required before disconnecting session | 15 minutes | System default.
Audit the access of global system objects | Disabled | If enabled, mutexes, semaphores and similar objects are created with a SACL, and since object access auditing is on, access to them will be audited. More useful in a development environment.
Audit use of Backup and Restore privilege | Disabled | Generates a massive number of events, one per file backed up or restored. As a general rule leave it off.
Automatically log off users when logon time expires | Enabled | The client's SMB connections are forcibly disconnected. Affects all computers in the domain. If Joe is working on a document stored on ServerA and his logon hours expire, he will not be able to save it.
Automatically log off users when logon time expires (local) | Enabled | Like the previous option, except it only affects the machine the user is logged on to.
Clear virtual memory pagefile when system shuts down | Enabled | Sensitive data, credentials included, is periodically paged to the pagefile. If the system is rebooted into another operating system, that data could be read straight off the disk. Clearing the pagefile at shutdown prevents this.
Digitally sign client/server communications (always), (when possible) | Enabled (all four selections) | SMB packet signing. Each packet carries a signature derived from the session key, so client and server can each verify that a packet came from the authenticated peer. This thwarts man-in-the-middle attacks and session hijacking, but it does not encrypt the data, and it degrades performance. An alternative to SMB signing is an IPSec policy (which requires 100% Windows 2000/XP clients). NT can use SMB signing too; see Q161372.
Driver installations | Unsigned drivers cannot be installed | Since many legitimate drivers are not signed, this policy may get in the way of hardware installations and upgrades. It can be temporarily relaxed to allow a tested but unsigned driver to be installed.
Disable Ctrl+Alt+Del requirement for logon | Disabled | Nothing like a double negative to confuse people. This simply means you leave the three-finger salute in place. Ctrl+Alt+Del is the secure attention sequence that only Windows itself can receive, so a Trojan logon screen put up to capture passwords cannot intercept it.
Do not display last user name in logon screen | Enabled | While obscurity is not security, why give away more than you have to? An attentive attacker can surmise user names from your naming convention, but not every attacker has even that much skill, and besides, make them work for it.
LAN Manager Authentication Level | Send NTLMv2 response only, refuse LM and NTLM | LM and NTLM are accepted by default. These network authentication protocols are not secure. Requiring NTLMv2 of legacy clients is a step towards security. Don't forget to make the registry entries on NT 4.0 clients and to load the Active Directory client extensions on Windows 98 clients if you have them. May cause problems for some legacy applications, for example RRAS on NT. This setting does not prevent Kerberos from being used; it only prevents LM and NTLM.
Message text for users attempting to log on | x | This is not configured. You should have a legal statement here, and no pre-drafted paragraph from Microsoft or anyone else will be perfect for your needs. Make sure you have one, and involve your lawyers.
Message title for users attempting to log on | x | Ditto.
Number of previous logons to cache | Zero | Not caching logons means a domain logon at the console only works while the server can reach a DC; if it cannot, the user cannot log on. Local (SAM) accounts are unaffected.
Prevent system maintenance of computer account password | Disabled | Computers also have accounts in Active Directory and log on as well. The computer password is changed automatically, every 30 days by default. This option exists for cases where the computer cannot maintain this relationship and the account has to be reset frequently. Do not enable it without determining that there is no other solution.
Prevent users from installing printer drivers | Enabled | Typically enabled on servers, disabled on workstations. When enabled, users cannot install a printer driver unless it already exists on the machine. Does not affect Power Users. Prevents denial of service from a bad driver and blocks attack code disguised as a printer driver.
Prompt user to change password before expiration | 14 days | Mostly a convenience, but with a security benefit: a user prompted ahead of time has time to think about what the new password should be. Better passwords mean better security.
Recovery Console: allow automatic administrative logon | Disabled | Are you kidding? Automatic administrator logon in any form is not a good idea.
Recovery Console: allow floppy copy and access to all drives and all folders | Disabled | You do not want booting into the Recovery Console to become a way to obtain or damage system files or other sensitive files. Above all, do not enable this item or the previous one.
Rename administrator account | x | Should be done. Not in the base template. This change belongs in the local security policy: you do not want to rename the Administrator account on every server to the same name, because once an attacker finds it on one server, they know it for all of them.
Rename guest account | x | Ditto.
Restrict CD-ROM access to locally logged-on user only | Enabled | No network access to the CD-ROM. This prevents network users from reaching data or software on a CD-ROM, but allows the administrator at the console to use it.
Restrict floppy access to locally logged-on user only | Enabled | Ditto, but for the floppy drive.
Secure channel: digitally encrypt or sign secure channel data (always); digitally encrypt secure channel data (when possible); digitally sign secure channel data (when possible); require strong (Windows 2000 or later) session key | Enabled, all four | Four settings that manage the secure channel between a computer and its domain controller. By default, passwords are encrypted and requests are authenticated, but not all data is encrypted or signed. Enabling all four policies ensures data is always encrypted or signed and that a Windows 2000 or later session key is used. (The last policy, if enabled, requires that every DC be able to provide such a key; if it is not enabled, key strength is negotiated with the DC.)
Send unencrypted password to connect to third-party SMB servers | Disabled | Clear-text passwords are never a good choice.
Shut down system immediately if unable to log security audits | Enabled | If the security log is full and the event log setting calls for manual clearing (no events are overwritten), the system halts and no one can log on or do work. An administrator must log on, archive and clear the log, and reset the setting.
Smart card removal behavior | Lock workstation | If smart cards are used, this locks the workstation when the card is removed. It provides a fail-safe if users are trained to remove their cards when leaving their machines. If the cards double as building ID, and ID is needed to move around the building, this works very well.
Strengthen default permissions of global system objects (e.g. symbolic links) | Enabled | The default DACL on these objects (DOS device names, mutexes, semaphores, symbolic links) is strengthened so that non-administrators can read, but not modify, objects they do not own.
Unsigned driver installation behavior | Do not allow installation | Drivers run in kernel mode. Trojans masquerading as drivers can do a lot of damage, and poorly written drivers can be just as destructive. Signed drivers have passed Microsoft's WHQL testing. If you must use tested drivers that are not signed, change the policy, install the driver, then reinstate the policy.
Unsigned non-driver installation behavior | Warn but allow installation | In reality, few drivers are signed and fewer non-drivers are, hence the "warn" setting.
Event Log Settings | Log size 10 MB; do not overwrite events; crash on audit fail | Not overwriting events and halting the system when events cannot be logged is not a combination for the faint of heart. If the log fills up, the system stops working until an administrator archives and clears the log and resets the setting. Make sure every admin knows about this "feature" and what to do about it.
Restricted Groups | none | x
System Services | For the lists of services "enabled" and "disabled", see the tables below | The enabled services allow the server to participate in a domain. Additional services may need to be enabled before it can serve as an infrastructure, application, or file and print server.
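The Password Policy row above says passwords must meet complexity requirements without saying what the filter actually enforces. The following is an added example, not Microsoft's passfilt.dll and not part of the template: it re-creates the documented Windows 2000 rule (Q225230), characters from at least three of the four classes (English upper, English lower, digits, non-alphanumeric) and no occurrence of the user name or of any part of the full name, with the 8-character minimum and 24-password history this baseline sets. How the full name is split into parts (on spaces and punctuation, ignoring parts of two characters or fewer) and the use of SHA-256 in place of the NT hash for the history are assumptions made for the demonstration.

```python
"""Password complexity and history checks re-created from the documented
Windows 2000 rule. Added illustration; not Microsoft's passfilt.dll.
Assumptions: full-name parts are split on space and punctuation and parts
of two characters or fewer are ignored; SHA-256 stands in for the NT hash
that Windows actually keeps in the password history.
"""
import hashlib
import re
import string

# Assumption: delimiters used to break the full name into parts.
NAME_DELIMITERS = re.compile(r"[ ,.\-_#\t]+")


def character_classes(password):
    """Number of the four Windows character classes present in the password."""
    checks = (
        lambda c: c in string.ascii_uppercase,
        lambda c: c in string.ascii_lowercase,
        lambda c: c in string.digits,
        lambda c: not c.isalnum(),          # punctuation, symbols, space
    )
    return sum(any(check(c) for c in password) for check in checks)


def name_parts(user_name, full_name):
    """Lower-cased strings the password may not contain."""
    parts = {user_name.lower()} if user_name else set()
    for part in NAME_DELIMITERS.split(full_name or ""):
        if len(part) > 2:                   # assumption: short parts are ignored
            parts.add(part.lower())
    return parts


def complexity_problems(password, user_name, full_name="", min_length=8):
    """Return the reasons a password fails the policy; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(password) < 3:
        problems.append("uses fewer than three character classes")
    lowered = password.lower()
    for part in sorted(name_parts(user_name, full_name)):
        if part in lowered:
            problems.append(f"contains name part {part!r}")
    return problems


class PasswordHistory:
    """Remembers digests of the last `remembered` passwords (24 in this baseline)
    so that none of them can be reused."""

    def __init__(self, remembered=24):
        self.remembered = remembered
        self._digests = []

    @staticmethod
    def _digest(password):
        # Windows stores NT hashes here; SHA-256 is a stand-in for the demo.
        return hashlib.sha256(password.encode("utf-16-le")).hexdigest()

    def was_used(self, password):
        return self._digest(password) in self._digests

    def record(self, password):
        self._digests.append(self._digest(password))
        del self._digests[:-self.remembered]   # keep only the newest N


if __name__ == "__main__":
    for pw in ("Tr0ub4dor!", "Smith2001", "password", "Ab1"):
        print(pw, complexity_problems(pw, "jsmith", "John Smith") or "OK")
```

The history check is why the 2-day minimum age matters: without it a user can change the password 24 times in one sitting and land back on the old favourite, and the 24-password history buys nothing.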
Additional Registry Values
In addition to the Security Options, the baseline template adds security settings by writing numerous registry values. These settings are not displayed when the template is opened in the Security Templates console; they can be seen by opening the template file in a text editor. (See Q228460 for the file structure of templates.)
Security considerations for network attacks | 12 registry settings | TCP/IP stack parameters designed to reduce the effectiveness of network denial-of-service attacks against Web servers. Article Q315669 describes these settings.
Afd.sys settings | 4 registry settings to control the "dynamic backlog" | Afd.sys handles Winsock connection attempts for FTP and Web servers. These settings improve its ability to keep accepting connections under SYN flooding. See Q142641.
Disable auto generation of 8.3 file names | Enabled | By default NTFS generates an 8.3 alias for every long file name, so an attacker need only supply eight characters (PROGRA~1 style) to reach a file. Removing the aliases may not slow down a determined attacker, but it makes him work harder.
Disable LM hash creation | Enabled | Even when NTLMv2 is required for network authentication, the LM hash of each password is still stored alongside the NT hash in the SAM or Active Directory. If an attacker obtains the database or extracts the hashes, a password cracker will break the LM hashes easily and recover the passwords from them. Use this setting if you are able to require NTLMv2. Note that it only stops new LM hashes from being written; existing ones remain until each password is next changed.
Configure NTLMSSP security | Enabled | A connection will fail if encryption is required but 128-bit encryption is not negotiated.
Disable Autorun | Enabled | When Autorun is on, an attacker can easily get a program of their choice to run in the security context of the logged-on user simply by inserting a CD-ROM. (Walk past the desk of someone who has stepped away, system locked or unlocked, insert the CD-ROM, walk away.) Prevent this!
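Since the registry values above are invisible in the GUI and only show up in the template file, the practical way to confirm a server really carries this baseline (including the audit policy and account settings from earlier in the table) is to read the .inf itself. The script below is an added example, not tooling from the Security Operations Guide or from Microsoft. It parses the [System Access], [Event Audit] and [Registry Values] sections in the layout secedit writes (key = value; registry lines are path=type,data, where 4 is REG_DWORD, 1 is REG_SZ and 7 is REG_MULTI_SZ) and reports every recommended setting that is missing or different. The template text embedded in it is constructed for the demonstration and deliberately deviates in a few places; the registry paths are the documented ones, but the assumption that baseline.inf spells them exactly this way, and the specific values chosen for "no access without explicit anonymous permissions" (2) and "NTLMv2 only" (5), are mine.

```python
"""Check a Windows 2000 security template (.inf) against this page's baseline.
Added example, not Microsoft's or the Security Operations Guide's tooling.
Registry paths are the documented ones; that baseline.inf uses exactly these
names and values is an assumption. The sample template is constructed.
"""
import configparser

# Constructed sample; flush-left, since configparser treats indented lines as
# continuations of the previous value.
SAMPLE_TEMPLATE = r"""[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 12
LockoutBadCount = 5
LockoutDuration = 30
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 2
AuditAccountLogon = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation=4,1
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect=4,2
MACHINE\System\CurrentControlSet\Services\AFD\Parameters\EnableDynamicBacklog=4,1
"""

# Audit values as secedit encodes them: 0 none, 1 success, 2 failure, 3 both.
NONE, SUCCESS, FAILURE, BOTH = 0, 1, 2, 3

EXPECTED_SYSTEM_ACCESS = {
    "PasswordHistorySize": 24, "MinimumPasswordAge": 2, "MaximumPasswordAge": 42,
    "MinimumPasswordLength": 8, "PasswordComplexity": 1,
    "LockoutDuration": 30, "LockoutBadCount": 5,
}
EXPECTED_AUDIT = {
    "AuditAccountLogon": BOTH, "AuditAccountManage": BOTH, "AuditDSAccess": FAILURE,
    "AuditLogonEvents": BOTH, "AuditObjectAccess": BOTH, "AuditPolicyChange": BOTH,
    "AuditPrivilegeUse": FAILURE, "AuditProcessTracking": NONE, "AuditSystemEvents": BOTH,
}
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
EXPECTED_REGISTRY = {  # assumption: exact value names and DWORD data
    LSA + r"\RestrictAnonymous": 2,         # no access without explicit permissions
    LSA + r"\LmCompatibilityLevel": 5,      # NTLMv2 only, refuse LM and NTLM
    LSA + r"\NoLMHash": 1,
    r"MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation": 1,
    r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun": 255,
    r"MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect": 2,
    r"MACHINE\System\CurrentControlSet\Services\AFD\Parameters\EnableDynamicBacklog": 1,
}


def parse_template(text):
    """Return {section: {key: raw value}}, preserving the case of keys."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def decode_registry_value(raw):
    """Turn the 'type,data' form into a Python value."""
    type_code, _, data = raw.partition(",")
    if int(type_code) == 4:                 # REG_DWORD
        return int(data)
    if int(type_code) == 7:                 # REG_MULTI_SZ, comma separated
        return data.split(",")
    return data                             # REG_SZ, REG_EXPAND_SZ and others


def check_template(text):
    """Return (section, key, expected, actual) for every recommended setting
    that is missing or differs; actual is None when the key is absent."""
    sections = parse_template(text)
    findings = []
    for section, expected, decode in (
        ("System Access", EXPECTED_SYSTEM_ACCESS, int),
        ("Event Audit", EXPECTED_AUDIT, int),
        ("Registry Values", EXPECTED_REGISTRY, decode_registry_value),
    ):
        present = sections.get(section, {})
        for key, want in expected.items():
            actual = decode(present[key]) if key in present else None
            if actual != want:
                findings.append((section, key, want, actual))
    return findings


if __name__ == "__main__":
    for section, key, want, actual in check_template(SAMPLE_TEMPLATE):
        print(f"[{section}] {key}: expected {want!r}, found {actual!r}")
```

To run it against a real server rather than the constructed sample, export the effective policy with `secedit /export /cfg current.inf` and pass the file's text to `check_template`; secedit writes the export as Unicode (UTF-16), so decode it accordingly before parsing.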
Registry Access Control Lists
Baseline.inf does not change the registry ACLs set by hisecws.inf. hisecws.inf primarily changes the ACLs that affect Power Users, reducing them to the same access as Users.
File Access Control Lists
Settings are added on top of the hisecws.inf template. See the "Default Access Control Settings in Windows 2000" white paper for the default settings. Baseline.inf extends this list by securing additional files, including the Windows startup files and many commands that can be run from the command line.
Folder | Permissions
%systemdrive% | Administrators and System: Full Control; Authenticated Users: Read & Execute, List Folder Contents, Read
%systemroot%\repair, %systemroot%\security, %systemroot%\temp, %systemroot%\system32\config, %systemroot%\system32\logfiles | Administrators and System: Full Control; Creator Owner: Full Control
%systemdrive%\Inetpub | Administrators and System: Full Control; Everyone: Read & Execute, List Folder Contents, Read