Security Benchmark for Windows XP Pro / MCE
Adapted from CIS Security Benchmark ver. 1.3 (10/20/2004)
WARNING: You are not reading "Security For Dummies". If you are the typical BDEU (brain-dead end-user) who finds it difficult to recall which side of the keyboard faces skyward, perhaps you should STOP READING NOW! You might hurt yourself.
This hardening guide for Windows XP is definitely not for technophobes and Luddites. Several of the settings described here, when improperly configured, can destabilize the system or degrade its performance. If you suspect that your system has already been compromised, changing critical security policies could, in rare instances, trigger a catastrophic failure (corrupted partitions, changed passwords, and so on) once resident malware senses a threat to its longevity. See the note below the table for comments on Windows Vista.
It is best to have an IT professional make any changes to the permissions, registry, and security settings of your computer. Aspiring hacker-types and geek-wannabes are free to do as much damage to their personal (non-production) computers as they see fit. When, rather than if, your system no longer boots, feel free to call us to resurrect the poor beast. We charge confiscatory fees that are nevertheless unlikely to discourage the hopelessly inept or the ardently curious. Should you decide to throw caution to the winds and plunge headlong into self-mutilation, consider yourself adequately forewarned.
Run a series of thorough threat scans before making any changes to your security policies and permissions; scanning with three or more different tools before touching sensitive settings is good practice. Our Internet Security page lists the most popular online threat scanners. If your favorite scanner is not listed, there may be a good reason: it could be a rogue, it might be riddled with vulnerabilities, or it may be prone to reporting false positives.
"Computer and network security is a difficult topic to summarize. Many of the features that are enabled 'out-of-the-box' on a Windows computer are enabled 'just in case' the prospective owner wants to use them. Most of these features never will be used, but often have vulnerabilities that can be exploited by unscrupulous people." - CIS Guide
Ah yes ... digital denizens are poised to strike at every turn. It is your mission, should you choose to accept it, to frustrate them at every other. The CIS Security Benchmark reflects content and input from the Consensus Baseline Security Settings jointly developed by the National Security Agency, the Defense Information Systems Agency, the National Institute of Standards and Technology, the General Services Administration, the SANS Institute, and the Center for Internet Security. These fellows take security very seriously, as do we.
"Any user who uses this Guide to make even the slightest improvement on the secure state of a system might be doing just enough to turn a potential hacker or cracker away to an easier target. Every computer operator who becomes 'Security Aware' improves the safety level of the Internet." And that is a very good thing.
Some people assume that the highest level of security is always best for their situation. That is not the case. Keep in mind that nearly every setting below defends against a vulnerability by disabling functionality, and the use of a specific function may be far more important to the day-to-day operation of a system than defending against a vulnerability that may never materialize. Then again, who really needs an antiquated protocol like Telnet in this day and age?
The CIS Guide proposes three specific levels of guidance (Legacy, Enterprise, and Specialized Security):
Legacy - Designed for XP Pro systems that must interoperate with older systems such as Windows NT, or for environments where older third-party applications must keep running. These settings will not affect the functionality or performance of the operating system, nor will they hamper the applications running on it.
Enterprise (Desktop) - Designed for XP Pro systems in a managed environment where interoperability with legacy systems is not required. It assumes that every operating system in the enterprise is Windows 2000 or later and can therefore use all of the security features those systems offer. In such environments these settings are unlikely to affect function or performance, but consider carefully how each of these technical controls may affect the applications running on the system.
Enterprise (Mobile) - Nearly identical to the Enterprise Desktop settings, with modifications for laptop users whose systems must operate both on and away from the corporate network (for example, a small number of cached logons is retained so the user can still log on while disconnected). In environments where all systems are Windows 2000 or later, these settings are unlikely to affect function or performance.
Specialized Security - Formerly known as "High Security," this level is designed for XP Pro systems in which security and integrity are the highest priorities, at the expense of functionality, performance, and interoperability. Each setting should be considered carefully and applied only by an experienced administrator who thoroughly understands its impact in the given environment.
As you go through making various required changes, you can visualize your progress with Belarc Advisor. If you are unable to drive your Benchmark score above an 8 (out of 10), you simply are not trying hard enough!
The value column follows the benchmark's four levels from left to right: Legacy, Enterprise (Desktop), Enterprise (Mobile), and Specialized Security, separated by ‖. A single value applies to all four levels and a row with four values maps onto them one for one. Where a row lists two or three values, the original table merged adjacent cells, so only the left-to-right order survives here; the exact level at which the value changes must be read from the CIS benchmark itself.

| Setting | Legacy ‖ Enterprise (Desktop) ‖ Enterprise (Mobile) ‖ Specialized Security |
|---|---|
| SERVICE PACK AND HOTFIX REQUIREMENTS | |
| Current service pack installed (major requirement) | Service Pack 2 (the latest when benchmark 1.3 was written; SP3 has since superseded it) |
| Latest critical and security hotfixes, as reported by Belarc Advisor and Shavlik's HFNetChk (equally important) | All Critical / Important hotfixes |
| OTHER SYSTEM REQUIREMENTS | |
| Ensure all volumes use the NTFS file system | All volumes (no FAT32 volumes, ever) |
| Disable NetBIOS over TCP/IP (use static IP addresses) | <Not Defined> ‖ All network devices |
| Enable the Windows Firewall (called Internet Connection Firewall before SP2) | Recommended |
| Restricted Groups | Remote Desktop Users: NONE! |
| LOCAL SECURITY SETTINGS | |
| Account Policies - Password Policy | |
| Enforce password history | 24 passwords remembered |
| Maximum password age | 90 days |
| Minimum password age | 1 day |
| Minimum password length | 8 characters ‖ 12 characters |
| Password must meet complexity requirements | Enabled |
| Store password using reversible encryption | Disabled (enabling it stores every password in a recoverable form; do so only for an application that demands it) |
| Account Policies - Account Lockout Policy | |
| Account lockout duration | 15 minutes ‖ 15 minutes |
| Account lockout threshold | 50 invalid attempts ‖ 10 invalid attempts |
| Reset account lockout counter after | 15 minutes ‖ 15 minutes |
| Local Policies - Audit Policy | |
| Audit account logon events | Success, Failure |
| Audit account management | Success, Failure |
| Audit directory service access | <No Auditing> |
| Audit logon events | Success, Failure |
| Audit object access | Failure (minimum) ‖ Success, Failure |
| Audit policy change | Success (minimum) |
| Audit privilege use | Failure (minimum) |
| Audit process tracking | <No Auditing> |
| Audit system events | Success (minimum) |
| NOTE: refer to the Event Log Settings topic (below) to size the logs that these audit settings fill. | |
| Local Policies - User Rights Assignment | |
| Access this computer from the network | Administrators, Users ‖ Administrators (<None> for stand-alone systems) |
| Act as part of the operating system | <None> |
| Add workstations to domain | <Not Applicable> |
| Adjust memory quotas for a process | Local Service, Network Service <Not Defined> |
| Allow logon through Terminal Services | Administrators ‖ <None> |
| Back up files and directories | Administrators |
| Bypass traverse checking | Users |
| Change the system time | Administrators |
| Create a pagefile | Administrators |
| Create a token object | <None> |
| Create global objects | Administrators |
| Create permanent shared objects | <None> |
| Debug programs | <None> ‖ Administrators ‖ <None> |
| Deny access to this computer from the network | Guests |
| Deny logon as a batch job | <Not Defined> (add groups or users only as required) |
| Deny logon as a service | <Not Defined> |
| Deny logon locally | <Not Defined> (add groups or users only as required) |
| Deny logon through Terminal Services | <Not Defined> (add groups or users only as required) |
| Enable computer and user accounts to be trusted for delegation | <Not Applicable> |
| Force shutdown from a remote system | Administrators |
| Generate security audits | Local Service, Network Service |
| Impersonate a client after authentication | <Not Defined> (add groups or users only as required) |
| Increase scheduling priority | Administrators |
| Load and unload device drivers | Administrators |
| Lock pages in memory | <None> |
| Log on as a batch job | <Not Defined> (add service or user accounts only as required) |
| Log on as a service | <Not Defined> (add service or user accounts only as required) |
| Log on locally | Administrators, Users |
| Manage auditing and security log | Administrators |
| Modify firmware environment values | Administrators |
| Perform volume maintenance tasks | Administrators |
| Profile single process | Administrators |
| Profile system performance | Administrators |
| Remove computer from docking station | Administrators, Users |
| Replace a process level token | Local Service, Network Service |
| Restore files and directories | Administrators |
| Shut down the system | Administrators, Users |
| Synchronize directory service data | <Not Applicable> |
| Take ownership of files or other objects | Administrators |
| Local Policies - Security Options | |
| Accounts: Administrator account status | <Not Defined> |
| Accounts: Guest account status | Disabled |
| Accounts: Limit local account use of blank passwords to console logon only | Enabled |
| Accounts: Rename administrator account | Non-standard name (Superuser, etc.) |
| Accounts: Rename guest account | Non-standard name (Visitor, etc.) |
| Audit: Audit the access of global system objects | <Not Defined> |
| Audit: Audit the use of Backup and Restore privilege | <Not Defined> |
| Audit: Shut down system immediately if unable to log security audits | <Not Defined> ‖ Enabled |
| DCOM: Machine access restrictions in SDDL syntax | <Not Defined> |
| DCOM: Machine launch restrictions in SDDL syntax | <Not Defined> |
| Devices: Allow undock without having to log on | <Not Defined> ‖ Disabled |
| Devices: Allowed to format and eject removable media | Interactive Users ‖ Administrators |
| Devices: Prevent users from installing printer drivers | <Not Defined> ‖ Enabled |
| Devices: Restrict CD-ROM access to locally logged-on user only | <Not Defined> ‖ Enabled |
| Devices: Restrict floppy access to locally logged-on user only | <Not Defined> ‖ Enabled |
| Devices: Unsigned driver installation behavior | Warn but allow installation |
| Domain controller: Allow server operators to schedule tasks | <Not Applicable> |
| Domain controller: LDAP server signing requirements | <None> |
| Domain controller: Refuse machine account password changes | <Not Applicable> |
| Domain member: Digitally encrypt or sign secure channel data (always) | Disabled ‖ Enabled |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled |
| Domain member: Digitally sign secure channel data (when possible) | Enabled |
| Domain member: Disable machine account password changes | Disabled |
| Domain member: Maximum machine account password age | 30 days |
| Domain member: Require strong (Windows 2000 or later) session key | <Not Defined> ‖ Enabled |
| Interactive logon: Do not display last user name | Enabled |
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled |
| Interactive logon: Message text for users attempting to log on | Custom text or DoJ-approved banner |
| Interactive logon: Message title for users attempting to log on | Custom text or DoJ-approved banner |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 2 ‖ 1 ‖ 2 ‖ 0 |
| Interactive logon: Prompt user to change password before expiration | 14 days |
| Interactive logon: Require Domain Controller authentication to unlock workstation | <Not Defined> ‖ Enabled ‖ Disabled ‖ <Not Defined> |
| Interactive logon: Smart card removal behavior | Lock Workstation |
| Microsoft network client: Digitally sign communications (always) | <Not Defined> ‖ Enabled |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled |
| Microsoft network server: Amount of idle time required before suspending session | 15 minutes |
| Microsoft network server: Digitally sign communications (always) | <Not Defined> ‖ Enabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Enabled |
| Microsoft network server: Disconnect clients when logon hours expire | Enabled ‖ Disabled ‖ Enabled |
| Network access: Allow anonymous SID/Name translation | Disabled |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled |
| Network access: Do not allow storage of credentials or .NET Passports for network authentication | <Not Defined> ‖ Enabled |
| Network access: Let Everyone permissions apply to anonymous users | Disabled |
| Network access: Named Pipes that can be accessed anonymously | <Not Defined> ‖ <None> |
| Network access: Remotely accessible registry paths | <Not Defined> |
| Network access: Shares that can be accessed anonymously | <None> |
| Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves |
| Network security: Do not store LAN Manager hash value on next password change | <Not Defined> ‖ Enabled |
| Network security: Force logoff when logon hours expire | <Not Defined> ‖ Enabled ‖ <Not Defined> ‖ Enabled |
| Network security: LAN Manager authentication level | Send NTLMv2 response only ‖ Send NTLMv2 response only\refuse LM ‖ Send NTLMv2 response only\refuse LM & NTLM |
| Network security: LDAP client signing requirements | Require signing |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | <Not Defined> ‖ Require message integrity, message confidentiality, NTLMv2 session security, 128-bit encryption |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | <Not Defined> ‖ Require message integrity, message confidentiality, NTLMv2 session security, 128-bit encryption |
| Recovery console: Allow automatic administrative logon | Disabled |
| Recovery console: Allow floppy copy and access to all drives and all folders | <Not Defined> |
| Shutdown: Allow system to be shut down without having to log on | Disabled |
| Shutdown: Clear virtual memory pagefile | Enabled (lengthens shutdown time) |
| System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | <Not Defined> ‖ Enabled |
| System objects: Default owner for objects created by members of the Administrators group | Object creator |
| System objects: Require case insensitivity for non-Windows subsystems | <Not Defined> ‖ Enabled |
| System objects: Strengthen default permissions of internal system objects | <Not Defined> ‖ Enabled |
| EVENT LOG SETTINGS | |
| Application log: maximum event log size | 16 MB |
| Application log: restrict guest access | Enabled |
| Application log: retention method and retention period | <Not Defined> |
| Security log: maximum event log size | 80 MB |
| Security log: restrict guest access | Enabled |
| Security log: retention method and retention period | <Not Defined> |
| System log: maximum event log size | 16 MB |
| System log: restrict guest access | Enabled |
| System log: retention method and retention period | <Not Defined> |
| NOTE: refer to the Local Policies - Audit Policy topic (above) for the audit categories that feed these logs. | |
| REGISTRY SETTINGS | |
| Suppress Dr. Watson crash dumps: HKLM\Software\Microsoft\DrWatson\CreateCrashDump | REG_DWORD 0 |
| Disable automatic execution of the system debugger: HKLM\Software\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto | REG_DWORD 0 |
| Disable AutoPlay for every drive type, machine-wide: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun | REG_DWORD 255 (0xFF) |
| Disable AutoPlay for the current user: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun | REG_DWORD 255 (0xFF) |
| Disable AutoPlay for the default profile: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun | REG_DWORD 255 (0xFF) |
| Disable automatic logon: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon | REG_DWORD 0 (Microsoft documents this value as a REG_SZ string; either way it must be 0) |
| Disable automatic reboot after a blue screen: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot | REG_DWORD 0 |
| Disable CD autorun at the driver level: HKLM\System\CurrentControlSet\Services\CDrom\Autorun | REG_DWORD 0 |
| Remove administrative shares on workstations (Professional): HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks | <Not Defined> ‖ REG_DWORD 0 |
| Protect against Computer Browser spoofing attacks: HKLM\System\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset | REG_DWORD 1 |
| Drop source-routed IP packets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting | REG_DWORD 2 |
| Disable dead-gateway detection, so an attacker cannot force a switch to a rogue gateway: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect | REG_DWORD 0 |
| Ignore ICMP redirects, which could otherwise rewrite the routing table: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect | REG_DWORD 0 |
| Disable Path MTU discovery, so an attacker cannot force a tiny MTU (remote connections then use a fixed 576-byte MTU): HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery | REG_DWORD 0 |
| Shorten the TCP keep-alive interval to 5 minutes: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime | REG_DWORD 300000 (milliseconds) |
| Protect against malicious NetBIOS name-release attacks: HKLM\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand | REG_DWORD 1 |
| Ensure ICMP router discovery is disabled: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery | REG_DWORD 0 |
| Protect against SYN flood attacks: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect | REG_DWORD 2 |
| SYN attack protection: maximum half-open connections: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen | REG_DWORD 100 |
| SYN attack protection: maximum half-open connections that have been retried: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetired | REG_DWORD 80 |
| Remove the default IPsec exemption for Kerberos and RSVP traffic: HKLM\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt | REG_DWORD 1 |
| Hide workstation from the network browse list: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Hidden | REG_DWORD 1 |
| Enable safe DLL search mode (system directories are searched before the current directory): HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode | REG_DWORD 1 |
| ADMINISTRATIVE TOOLS / SERVICES | |
| Permissions on the services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause | |
| Alerter | Disabled |
| Automatic Updates | <Not Defined> |
| Background Intelligent Transfer Service | <Not Defined> |
| ClipBook | Disabled |
| Computer Browser | <Not Defined> ‖ Disabled |
| Fax Service | <Not Defined> ‖ Disabled |
| FTP Publishing Service | Disabled |
| IIS Admin Service | Disabled |
| Indexing Service | <Not Defined> ‖ Disabled |
| Messenger | Disabled |
| Net Logon | <Not Defined> ‖ Disabled |
| NetMeeting Remote Desktop Sharing | Disabled |
| Remote Desktop Help Session Manager | Disabled ‖ <Not Defined> ‖ Disabled |
| Remote Registry Service | <Not Defined> ‖ Disabled |
| Routing and Remote Access | Disabled |
| Simple Mail Transfer Protocol (SMTP) | Disabled |
| Simple Network Management Protocol (SNMP) Service | Disabled |
| Simple Network Management Protocol (SNMP) Trap | Disabled |
| Task Scheduler | <Not Defined> ‖ Disabled |
| Telnet | Disabled |
| Terminal Services | <Not Defined> ‖ Disabled |
| Universal Plug and Play Device Host | <Not Defined> ‖ Disabled |
| World Wide Web Publishing Service | Disabled |
| FILE PERMISSIONS | |
| Unless stated otherwise, Administrators or System "Full Control" means full control of the designated folder and its contents. | |
| %SystemDrive% | <Not Defined> ‖ Administrators: Full; System: Full; Creator Owner: Full; Interactive: Read, Execute |
| %SystemRoot%\system32\at.exe | Administrators: Full; System: Full |
| %SystemRoot%\system32\attrib.exe | Administrators: Full; System: Full |
| %SystemRoot%\system32\cacls.exe | Administrators: Full; System: Full |
| %SystemRoot%\system32\debug.exe | Administrators: Full; System: Full |
| %SystemRoot%\system32\drwatson.exe | Administrators: Full; System: Full |
| %SystemRoot%\system32\drwtsn32.exe | Administrators: Full; System: Full |
| %SystemRoot%\system32\edlin.exe | Administrators: Full; System: Full; Interactive: Full |
| %SystemRoot%\system32\eventcreate.exe | Administrators: Full; System: Full |
| %SystemRoot%\system32\eventtriggers.exe | Administrators: Full; System: Full |
| %SystemRoot%\system32\ftp.exe | Administrators: Full; System: Full; Interactive: Full |
| %SystemRoot%\system32\net.exe | Administrators: Full; System: Full; Interactive: Full |
| %SystemRoot%\system32\net1.exe | Administrators: Full; System: Full; Interactive: Full |
| %SystemRoot%\system32\netsh.exe | Administrators: Full; System: Full |
| %SystemRoot%\system32\rcp.exe | Administrators: Full; System: Full |
| %SystemRoot%\system32\reg.exe | Administrators: Full; System: Full |
| %SystemRoot%\regedit.exe | Administrators: Full; System: Full |
| %SystemRoot%\system32\regedt32.exe | Administrators: Full; System: Full |
| %SystemRoot%\system32\regsvr32.exe | Administrators: Full; System: Full |
| %SystemRoot%\system32\rexec.exe | Administrators: Full; System: Full |
| %SystemRoot%\system32\rsh.exe | Administrators: Full; System: Full |
| %SystemRoot%\system32\runas.exe | Administrators: Full; System: Full; Interactive: Full |
| %SystemRoot%\system32\sc.exe | Administrators: Full; System: Full |
| %SystemRoot%\system32\subst.exe | Administrators: Full; System: Full |
| %SystemRoot%\system32\telnet.exe | Administrators: Full; System: Full; Interactive: Full |
| %SystemRoot%\system32\tftp.exe | Administrators: Full; System: Full; Interactive: Full |
| %SystemRoot%\system32\tlntsvr.exe | Administrators: Full; System: Full |
| REGISTRY PERMISSIONS | |
| Unless stated otherwise, Administrators or System Full Control applies to the designated key and all subkeys; Creator Owner Full Control applies to subkeys only; Users permissions apply to the current key, its subkeys, and values. | |
| HKLM\Software | <Not Defined> ‖ Administrators: Full; System: Full; Creator Owner: Full; Users: Read |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Installer | Administrators: Full; System: Full; Users: Read |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Policies | Administrators: Full; System: Full; Authenticated Users: Read |
| HKLM\System | <Not Defined> ‖ Administrators: Full; System: Full; Creator Owner: Full; Users: Read |
| HKLM\System\CurrentControlSet\Enum | Administrators: Full; System: Full; Authenticated Users: Read |
| HKLM\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers | Administrators: Full; System: Full; Creator Owner: Full |
| HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities | Administrators: Full; System: Full; Creator Owner: Full |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings | <Not Defined> ‖ Administrators: Full; Users: Read |
| HKLM\Software\Microsoft\MSDTC | <Not Defined> ‖ Administrators: Full; System: Full; Network Service: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Read Permissions; Users: Read |
| HKU\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots | Administrators: Full; System: Full; Users: Read |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit | Administrators: Full; System: Full; Users: Read |
| FILE & REGISTRY AUDITING | |
| %SystemDrive% | <Not Defined> ‖ Everyone: Failures |
| HKLM\Software | <Not Defined> ‖ Everyone: Failures |
| HKLM\System | <Not Defined> ‖ Everyone: Failures |
NOTE: Vista is a much easier operating system to harden than either XP or MCE, because many of the weaknesses addressed above have already been closed by default. Its default Benchmark score is still minimal, but it takes only a few changes to raise it above 6 or 7. Settings from this table that Vista does not already enforce can still be applied at your discretion.
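The REGISTRY SETTINGS rows are the part of this table most likely to drift, because any installer or "system optimizer" can quietly flip them back. The script below is an added example written for this page; it is not part of the CIS benchmark kit or of the original article. It reads each value listed in that section, reports those that differ from the benchmark, and with the -Fix switch writes the benchmark value. It assumes Windows PowerShell 2.0 (which must be installed separately on XP SP3) running from an administrative account; the $Settings list, the Get-BenchmarkDrift name and the -Fix switch are this example's own conventions. AutoShareWks is <Not Defined> at the Legacy level, so remove that row from the list before running on a Legacy system.

```powershell
# Added example for this page; not part of the CIS benchmark or the original article.
# Audits the REGISTRY SETTINGS rows against the live machine; -Fix writes the benchmark value.
# Assumes PowerShell 2.0 on Windows XP SP3, run from an administrative account.
$Settings = @(
    @{ Path = 'HKLM:\Software\Microsoft\DrWatson';                                  Name = 'CreateCrashDump';        Value = 0 },
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AEDebug';        Name = 'Auto';                   Value = 0 },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun';     Value = 255 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun';     Value = 255 },
    @{ Path = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Value = 255 },
    # The table lists REG_DWORD, but Microsoft documents AutoAdminLogon as REG_SZ, so it is written as a string
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon';       Name = 'AutoAdminLogon';         Value = 0; Type = 'String' },
    @{ Path = 'HKLM:\System\CurrentControlSet\Control\CrashControl';               Name = 'AutoReboot';             Value = 0 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\CDrom';                     Name = 'Autorun';                Value = 0 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\LanmanServer\Parameters';   Name = 'AutoShareWks';           Value = 0 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\MrxSmb\Parameters';         Name = 'RefuseReset';            Value = 1 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters';          Name = 'DisableIPSourceRouting'; Value = 2 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters';          Name = 'EnableDeadGWDetect';     Value = 0 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters';          Name = 'EnableICMPRedirect';     Value = 0 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters';          Name = 'EnablePMTUDiscovery';    Value = 0 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters';          Name = 'KeepAliveTime';          Value = 300000 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\Netbt\Parameters';          Name = 'NoNameReleaseOnDemand';  Value = 1 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters';          Name = 'PerformRouterDiscovery'; Value = 0 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters';          Name = 'SynAttackProtect';       Value = 2 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters';          Name = 'TcpMaxHalfOpen';         Value = 100 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters';          Name = 'TcpMaxHalfOpenRetired';  Value = 80 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\IPSEC';                     Name = 'NoDefaultExempt';        Value = 1 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Services\LanmanServer\Parameters';   Name = 'Hidden';                 Value = 1 },
    @{ Path = 'HKLM:\System\CurrentControlSet\Control\Session Manager';            Name = 'SafeDllSearchMode';      Value = 1 }
)

function Get-BenchmarkDrift {
    param([switch]$Fix)
    foreach ($s in $Settings) {
        $current = $null
        if (Test-Path -LiteralPath $s.Path) {
            $item = Get-ItemProperty -LiteralPath $s.Path -Name $s.Name -ErrorAction SilentlyContinue
            if ($item -ne $null) { $current = $item.($s.Name) }
        }
        # Compare numerically so a REG_SZ "0" and a REG_DWORD 0 are treated alike
        $compliant = ($current -ne $null) -and ([int]$current -eq $s.Value)
        if (-not $compliant -and $Fix) {
            if (-not (Test-Path -LiteralPath $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
            $type = 'DWord'; if ($s.Type) { $type = $s.Type }
            Set-ItemProperty -LiteralPath $s.Path -Name $s.Name -Value $s.Value -Type $type
        }
        New-Object PSObject -Property @{
            Key = "$($s.Path)\$($s.Name)"; Expected = $s.Value; Current = $current; Compliant = $compliant
        }
    }
}

# Report only; rerun with -Fix to remediate the rows it lists.
Get-BenchmarkDrift | Where-Object { -not $_.Compliant } | Format-Table Key, Expected, Current -AutoSize
```

Run it once without -Fix, review the report, then rerun with -Fix and run it a third time to confirm an empty report. A missing value and a wrong value are both reported as non-compliant, which matches the table: every row here is a value the benchmark wants present.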
Administrators of networks will want to place these (and other) settings in a security template and push it out to workstations and servers through Group Policy as they see fit. Those on individual workstations or laptops may be resigned to entering the changes manually, or to applying a template locally with secedit.exe. However you elect to harden your systems and networks, do it early (ideally before the machine first connects to a network or the Internet) and re-verify the settings periodically.
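The following is an added example written for this page, not taken from the CIS kit or the original article, showing what "place the settings in a template" looks like in practice: it writes the password, lockout, audit and event log rows from the table into a security template in the format secedit.exe consumes, applies it, disables the services the table marks Disabled at every level, and re-exports the effective policy so the change can be confirmed. It assumes PowerShell 2.0 on XP SP3 and an administrative account. The Set-XpBenchmarkPolicy name, the work directory under %TEMP%, the short service names (Alerter, ClipSrv, Messenger, mnmsrvc, RemoteAccess, SNMP, SNMPTRAP, TlntSvr), and the assumption that the second value of the two-value rows (12 characters, 10 attempts, Success and Failure for object access) belongs to the Specialized Security level are this example's own.

```powershell
# Added example for this page; not from the CIS benchmark kit or the original article.
# Builds a secedit security template from the table's values, applies it, and re-exports
# the effective policy. Assumes PowerShell 2.0 on XP SP3 and an administrative account.
function Set-XpBenchmarkPolicy {
    param(
        [ValidateSet('Enterprise', 'Specialized')] [string]$Level = 'Enterprise',
        [string]$WorkDir = (Join-Path $env:TEMP 'xp-benchmark')   # example's own location
    )
    # Legacy/Enterprise column; the Specialized values assume the table's second value is that level
    $minLen = 8; $lockout = 50; $objAccess = 2
    if ($Level -eq 'Specialized') { $minLen = 12; $lockout = 10; $objAccess = 3 }

    # [Event Audit] codes: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
    # Log sizes are in KB (16 MB = 16384, 80 MB = 81920). `$ escapes the literal $CHICAGO$ signature.
    $template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 90
MinimumPasswordAge = 1
MinimumPasswordLength = $minLen
PasswordComplexity = 1
ClearTextPassword = 0
LockoutBadCount = $lockout
LockoutDuration = 15
ResetLockoutCount = 15
[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 0
AuditLogonEvents = 3
AuditObjectAccess = $objAccess
AuditPolicyChange = 1
AuditPrivilegeUse = 2
AuditProcessTracking = 0
AuditSystemEvents = 1
[Application Log]
MaximumLogSize = 16384
RestrictGuestAccess = 1
[Security Log]
MaximumLogSize = 81920
RestrictGuestAccess = 1
[System Log]
MaximumLogSize = 16384
RestrictGuestAccess = 1
"@
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $inf = Join-Path $WorkDir "$Level.inf"
    $db  = Join-Path $WorkDir "$Level.sdb"
    $log = Join-Path $WorkDir "$Level.log"
    $template | Set-Content -Path $inf -Encoding Unicode      # secedit templates are UTF-16
    & secedit /configure /db $db /cfg $inf /overwrite /log $log /quiet

    # Services the table disables at every level (XP short names; missing ones are skipped)
    foreach ($name in 'Alerter','ClipSrv','Messenger','mnmsrvc','RemoteAccess','SNMP','SNMPTRAP','TlntSvr') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) {
            $svc | Stop-Service -Force -ErrorAction SilentlyContinue
            $svc | Set-Service -StartupType Disabled
        }
    }

    # Re-export the effective policy and show the rows that were just set
    $export = Join-Path $WorkDir 'effective.inf'
    & secedit /export /cfg $export /areas SECURITYPOLICY /quiet
    Get-Content $export | Select-String 'MinimumPasswordLength|LockoutBadCount|AuditObjectAccess|MaximumLogSize'
}

Set-XpBenchmarkPolicy -Level Enterprise
```

secedit prints nothing with /quiet; its diagnostics go to the log file in the work directory, so read that file if the exported values do not match. The same template, saved alongside a [Privilege Rights] and [Registry Values] section, is what a domain administrator would import into a Group Policy object to push the remaining rows of the table.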
There is an excellent article on Microsoft Tech which covers the topic of Windows XP /Server 2003 Security in much greater detail.
Don't forget to configure your HOSTS file(s) using the templates from MVPS.ORG; and mail reader and browser blacklists (or whitelists) to limit the user's ability to casually stumble into trouble. Fool-proof HOSTS file updates may be accomplished using JavaCool's SpywareBlaster, although it may conflict with proactive anti-threat tools, such as Aura. SpySweeper also complains about the size of the HOSTS file. We consider such issues to be minor bugs in the anti-threat application. There's no place like localhost.
Here are a few other useful SecuritySpace resources:
Security Audits | Managed DNS | Network Monitor | Site Analyzer
Internet Research | Web Probe | WhoIs
Another worthwhile site to visit is Common Vulnerabilities and Exposures (CVE), hosted by MITRE.ORG.
Copyright 2001-2008 - Secor Consulting LLC - ALL RIGHTS RESERVED |