Tuesday, January 19, 2010

Hardening of WINDOWS OPERATING SYSTEM

The controls below are presented to secure critical production servers and desktops. A few of them may be relaxed on non-critical desktop systems. Several of the controls can be reviewed by inspecting the registry; during implementation, however, it is recommended to use the Group Policy Management Console to push Group Policies and to apply registry restrictions (available through Windows GPO Preference Settings in Windows Server 2008) to client machines.

Each control is listed with its S. No. and control statement, followed by: Applicable to, Control implication, Typical risk rating and Review steps.

1. A legal notice and warning should be implemented on the workstation/server.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: Displaying a legal warning ensures that users are aware of the consequences of unauthorized access and assists in conveying the protection of corporate assets should an incident ever proceed to litigation.
Typical risk rating: Medium
Review steps:
1) Open the Group Policy Editor.
2) Navigate the following sub tree: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
3) Ensure that “Interactive Logon: Message title for users attempting to log on” and “Interactive Logon: Message text for users attempting to log on” are defined.
4) Close the Group Policy Editor.

2. Automatic logon options for workstations/servers should not be enabled.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: When the console is locked, either by a user or automatically by a screen saver time-out, the console must be unlocked to gain access to the computer.
Typical risk rating: Medium
Review steps:
For Windows XP SP2 and Windows 2003:
1) Open regedt32.
2) Select the following key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
3) Select Security\Permissions.
4) Ensure the setting of the AutoAdminLogon registry value is 0 or does not exist.
5) Close regedt32.
For Windows Vista SP1 and Windows 2008:
1) Open regedt32.
2) Select the following key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
3) Select Security\Permissions.
4) Ensure the setting of the AutoLogonChecked registry value is 0 or does not exist.
5) Close regedt32.

3. The username of the last individual to log on should not be displayed to the next user that attempts to log on at the system.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: If the last username is displayed at logon, there is an increased risk that an unauthorized user may gain knowledge of the client naming standards and a valid name with which to attempt access to the system.
Typical risk rating: Medium
Review steps:
1) Open the Group Policy Editor.
2) Navigate the following tree: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
3) Ensure that “Interactive logon: Do not display last user name” is Enabled.
4) Close the Group Policy Editor.

4. The Secure Attention Sequence (CTRL+ALT+DEL) requirement for logon should be enabled.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: An intruder with access to a workstation/server console could present a fake logon screen that prompts the next user for their password, only to capture it like a Trojan horse. The Secure Attention Sequence (SAS) prevents this by trapping the CTRL+ALT+DEL key sequence.
Typical risk rating: Medium
Review steps:
1) Open the Group Policy Editor.
2) Navigate the following sub tree: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
3) Ensure that “Interactive logon: Do not require CTRL+ALT+DEL” is Disabled.
4) Close the Group Policy Editor.

5. Screen saver should be enabled with the password protection feature turned on.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: Enabling the Windows screen saver with password protection minimizes the chances that unattended workstations/servers will be broken into.
Typical risk rating: Medium
Review steps:
For Windows XP SP2 and Windows 2003:
1) Open the Group Policy Editor.
2) Select the User Configuration\Administrative Templates\Control Panel\Display folder.
3) Ensure that 'No screen saver' is disabled (for 2008 the 'Screen Saver' setting should be enabled instead).
4) Ensure that 'Hide Screen Saver tab' and 'Password protected Screen Saver' (for 2008: 'Password protect the Screen Saver') are enabled.
5) Ensure that 'Screen Saver timeout' is enabled and set to an appropriate value. (The best practices guideline: minimum 10 minutes.)
6) Close the Group Policy Editor.
For Windows Vista SP1 and Windows 2008:
1) Open the Group Policy Editor.
2) Select the User Configuration\Administrative Templates\Control Panel\Display folder.
3) Ensure that 'Screen Saver' is enabled.
4) Ensure that 'Hide Screen Saver tab' and 'Password protect the Screen Saver' are enabled.
5) Ensure that 'Screen Saver timeout' is enabled and set to an appropriate value. (The best practices guideline: minimum 10 minutes.)
6) Close the Group Policy Editor.

6. No user accounts, with the exception of the built-in local Guest and Administrator accounts and the domain account for the user of the system, should be in local groups.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: Having all user accounts contained within global groups increases network security by simplifying administration.
Typical risk rating: Medium
Review steps:
1) Open the Local Users and Groups snap-in.
2) Select Groups. Double click each local group.
3) Ensure that only global groups are members.
4) Ensure that the Administrators group contains only the renamed Administrator account.
5) Click Cancel to close.
6) Repeat the steps above to review each local group. Close the snap-in.
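A scripted form of the review above, as an added example that is not part of the original checklist: it walks every local group through the WinNT ADSI provider and flags local user accounts other than the built-in Administrator (found by RID 500, since it may be renamed) and Guest, plus any extra member of Administrators. It assumes an elevated PowerShell prompt on the machine under review; domain users are reported as REVIEW because only the reviewer knows which one is the user of the system.

```powershell
# Review script for control 6 (added example; not part of the original checklist).
# Enumerates every local group through the WinNT ADSI provider, which exists on
# XP SP2, 2003, Vista SP1 and 2008, and reports members the control does not allow:
# local user accounts other than the built-in Administrator and Guest, and members
# of Administrators other than the (possibly renamed) Administrator account.
# Assumes an elevated prompt on the machine under review.

function Test-LocalGroupMembership {
    param([string]$Computer = $env:COMPUTERNAME)

    # The built-in Administrator may have been renamed (control 6, step 4), so find it
    # by its well-known relative identifier (RID 500) rather than by name.
    $builtinAdmin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' } | Select-Object -First 1
    $allowedLocalUsers = @('Administrator', 'Guest')
    if ($builtinAdmin) { $allowedLocalUsers += $builtinAdmin.Name }

    $machine = [ADSI]"WinNT://$Computer,computer"
    $groups  = @($machine.Children | Where-Object { $_.SchemaClassName -eq 'Group' })
    foreach ($group in $groups) {
        $groupName = $group.Name[0]
        foreach ($member in @($group.Invoke('Members'))) {
            # Members come back as raw COM objects; read their properties by reflection.
            $name  = $member.GetType().InvokeMember('Name',    'GetProperty', $null, $member, $null)
            $class = $member.GetType().InvokeMember('Class',   'GetProperty', $null, $member, $null)
            $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
            # Local principals have paths like WinNT://<domain or workgroup>/<computer>/<name>;
            # domain principals look like WinNT://<domain>/<name>.
            $isLocal = $path -like "WinNT://*/$Computer/*"

            $status = 'OK'
            if ($class -eq 'User' -and $isLocal -and $allowedLocalUsers -notcontains $name) {
                $status = 'FAIL: local user account in a local group'
            } elseif ($class -eq 'User' -and -not $isLocal) {
                $status = 'REVIEW: domain user; confirm it is the user of this system'
            }
            if ($groupName -eq 'Administrators' -and $builtinAdmin -and $name -ne $builtinAdmin.Name) {
                $status = 'FAIL: Administrators should contain only the renamed Administrator account'
            }

            New-Object PSObject -Property @{
                Group = $groupName; Member = $name; Class = $class; Local = $isLocal; Status = $status
            }
        }
    }
}

Test-LocalGroupMembership | Sort-Object Group, Member |
    Format-Table Group, Member, Class, Local, Status -AutoSize
```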

7. Standard desktop user account privileges should be restricted and provided on a need basis.

Applicable to: Windows Vista SP1
Control implication: Lack of this control makes computers and networks more vulnerable to malware that could abuse those privileges to damage files, make configuration changes such as disabling the firewall, and compromise sensitive data.
Typical risk rating: Medium
Review steps:
1) Open the Control Panel.
2) Click on User Accounts.
3) In the User Accounts tasks window, verify that “User Account Control (UAC)” is turned on.
More information on UAC is available at http://www.microsoft.com/technet/windowsvista/security/uacppr.mspx

8. Passwords should be set in accordance with corporate standards.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: Having this feature enabled decreases the likelihood of passwords being guessed by intruders.
Typical risk rating: High
Review steps:
1) Open the Group Policy Editor.
2) Navigate the following sub tree: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy.
3) Ensure that Minimum password age is set in accordance with corporate standards or the recommended guidelines. (The best practices guideline: 3 days.)
4) Ensure that Maximum password age is in accordance with corporate standards or the recommended guidelines. (The best practices guideline: 90 days.)
5) Verify that 'Passwords must meet complexity requirements' is enabled.
6) Verify that the value in Enforce password history is in accordance with corporate standards or the recommended guidelines. (The best practices guideline: 6 passwords.)
7) Ensure that Minimum password length is in accordance with corporate standards or the recommended guidelines. (The best practices guideline: 6 characters.)
8) Close the Group Policy Editor.

9. The account lockout feature should be enabled and the related parameters should be set in accordance with corporate security standards and guidelines.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: Locking out accounts after a specified number of failed logon attempts decreases the risk that user accounts will be compromised through brute force attacks.
Typical risk rating: Medium
Review steps:
1) Open the Group Policy Editor.
2) Navigate the following sub tree: Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.
3) Ensure that Account lockout duration is in accordance with corporate standards or the recommended guidelines.
4) Ensure that Account lockout threshold is in accordance with corporate standards or the recommended guidelines.
5) Ensure that Reset account lockout counter after is in accordance with corporate standards or the recommended guidelines.
6) Close the Group Policy Editor.
The best practices guidelines are: Account lockout threshold = 3 bad logon attempts, Reset account lockout counter after = 1440 minutes and Account lockout duration = 0 (the account will be locked out until an administrator manually unlocks it).

10. No shares beyond the built-in administrative shares should exist. If this is infeasible, permissions on non-built-in shares should not allow Write, Delete, Change Permissions, or Take Ownership to the special group Everyone.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: Shares allow users to access resources remotely on the network. Consequently, care should be taken when granting share rights. In particular, the default system groups should not be granted permissions that would allow members of these groups to abuse the system.
Typical risk rating: Medium
Review steps:
Review the listing of active shares by issuing the following command from the command line:
net share
If shares exist other than the default shares (e.g., C$, IPC$, SYSVOL, NETLOGON), use Windows Explorer to view the permissions on these shares.
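The same review done through WMI, as an added example that is not part of the original checklist: it skips the built-in administrative shares, reads each remaining share's share-level DACL and decodes the access mask so that an Everyone entry granting Write, Delete, Change Permissions or Take Ownership is reported as a failure. It assumes an elevated PowerShell prompt on the machine under review; the WMI classes used exist on all four Windows versions in the checklist.

```powershell
# Review script for control 10 (added example; not part of the original checklist).
# Lists every share that is not a built-in administrative share, reads its share-level
# DACL through WMI and reports any Everyone entry that grants Write, Delete, Change
# Permissions or Take Ownership. Assumes an elevated prompt on the machine under review.

# Shares tolerated by the control. Administrative shares carry the STYPE_SPECIAL bit
# (0x80000000) in Win32_Share.Type; SYSVOL and NETLOGON are ordinary shares on domain
# controllers, so they are matched by name.
$STYPE_SPECIAL     = [uint32]2147483648
$DefaultShareNames = @('SYSVOL', 'NETLOGON')

# Access-mask bits (Win32 file security model) behind the rights named in the control.
$RightBits = @{
    'Write'              = 0x00000002 -bor 0x00000004   # FILE_WRITE_DATA | FILE_APPEND_DATA
    'Delete'             = 0x00010000                   # DELETE
    'Change Permissions' = 0x00040000                   # WRITE_DAC
    'Take Ownership'     = 0x00080000                   # WRITE_OWNER
    'Generic Write/All'  = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL
}
$EveryoneSid = 'S-1-1-0'

function New-ShareFinding($share, $trustee, $rights, $status) {
    New-Object PSObject -Property @{
        Share = $share.Name; Path = $share.Path; Trustee = $trustee; Rights = $rights; Status = $status
    }
}

function Test-SharePermissions {
    foreach ($share in Get-WmiObject Win32_Share) {
        if (($share.Type -band $STYPE_SPECIAL) -ne 0 -or $DefaultShareNames -contains $share.Name) { continue }

        $setting = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$($share.Name)'"
        if (-not $setting) {
            New-ShareFinding $share '(none)' 'no share-level DACL stored' 'REVIEW: check in Windows Explorer'
            continue
        }
        $dacl = $setting.GetSecurityDescriptor().Descriptor.DACL
        foreach ($ace in @($dacl)) {
            if (-not $ace -or $ace.AceType -ne 0) { continue }   # only access-allowed ACEs grant rights
            $granted = @($RightBits.Keys | Where-Object { ($ace.AccessMask -band $RightBits[$_]) -ne 0 })
            $trustee = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
            if ($ace.Trustee.SIDString -eq $EveryoneSid -and $granted.Count -gt 0) {
                New-ShareFinding $share 'Everyone' ($granted -join ', ') 'FAIL: Everyone holds a disallowed right'
            } else {
                New-ShareFinding $share $trustee ('0x{0:X8}' -f $ace.AccessMask) 'OK'
            }
        }
    }
}

Test-SharePermissions | Format-Table Share, Path, Trustee, Rights, Status -AutoSize
```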

11. Directories that contain sensitive Windows system files and critical data files should be secured.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: If unauthorized users gain access to sensitive system files, they could read sensitive data or potentially execute a Trojan horse or create a denial of service on the workstation/server.
Typical risk rating: High
Review steps:
1) Open Windows Explorer.
2) Locate the file/folder and right click to select Properties\Security tab\Advanced button.
3) Compare the current permissions to the recommendations.
4) Click OK twice to close the window.
System directories (the numbers in parentheses refer to the guideline entries listed below):
• %systemroot%\ (1,2,3,4)
• %systemroot%\system32 (1,2,3,4)
• %systemroot%\system32\drivers (1,2,3,4)
• %systemroot%\repair (2,4) (not found on 2008)
• %systemroot%\system32\config (1,2,4)
The best practices guidelines:
1) CREATOR OWNER - ALLOW Full Control: Subfolders and files
2) Administrators - ALLOW Full Control: This folder, subfolders and files
3) Authenticated Users - ALLOW Read, Execute: This folder, subfolders and files
4) SYSTEM - ALLOW Full Control: This folder, subfolders and files
For critical files, ensure access is given as per the confidentiality requirements of the data stored and the application requirements.

12. NTFS should be used on all partitions.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: NTFS associates permissions with each file and directory. Using these permissions, different levels of access can be granted or denied to different groups of users.
Typical risk rating: Medium
Review steps:
1) Open Windows Explorer.
2) Locate the drives created, right click to select Properties.
3) Select the General tab.
4) Ensure the File System type is NTFS.

13. Auditing of sensitive system and application files and directories should be enabled for critical workstations and servers.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: Auditing access to sensitive system and application files and directories increases the possibility of detecting unauthorized access to the system.
Typical risk rating: Medium
Review steps:
1) Open Windows Explorer.
2) Locate the folder/file, right click to select Properties.
3) Select the Security tab\Advanced button\Auditing tab.
4) Ensure the appropriate groups and events are being audited.
5) Click OK three times to confirm changes and close the window.
Repeat steps 2-5 for each of the folders below:
• %systemroot%\
• %systemroot%\system32
• %systemroot%\system32\drivers
• %systemroot%\system32\config
• %systemroot%\system32\spool
• %systemroot%\repair
The best practices guidelines for the Everyone group:
Create Files / Write Data - Failure,
Create Folders / Append Data - Failure,
Delete Subfolders and Files - Failure,
Delete - Success and Failure,
Change Permissions - Failure and
Take Ownership - Failure.
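Controls 11 and 13 reviewed together with Get-Acl, as an added example that is not part of the original checklist: for each directory it compares the DACL with the numbered guideline entries of control 11 (identity not in the guideline, or rights beyond it, are failures) and checks the SACL for the Everyone failure audits of control 13, with Delete also audited on success. It assumes an elevated PowerShell prompt (reading a SACL needs SeSecurityPrivilege) and the English names of the built-in identities; generic rights on inherit-only entries are expanded before comparison so CREATOR OWNER is not a false positive.

```powershell
# Review script for controls 11 and 13 (added example; not part of the original
# checklist). Reads each listed directory's DACL and SACL with Get-Acl and compares them
# with the checklist's guidelines. Assumes an elevated prompt and English identity names.

$FSR = [System.Security.AccessControl.FileSystemRights]

# Guideline entries numbered as in control 11; each directory lists the numbers that apply.
$Guideline = @{
    1 = @{ Identity = 'CREATOR OWNER';                    Rights = $FSR::FullControl }
    2 = @{ Identity = 'BUILTIN\Administrators';           Rights = $FSR::FullControl }
    3 = @{ Identity = 'NT AUTHORITY\Authenticated Users'; Rights = $FSR::ReadAndExecute }
    4 = @{ Identity = 'NT AUTHORITY\SYSTEM';              Rights = $FSR::FullControl }
}
$Directories = @{
    "$env:SystemRoot"                  = 1, 2, 3, 4
    "$env:SystemRoot\system32"         = 1, 2, 3, 4
    "$env:SystemRoot\system32\drivers" = 1, 2, 3, 4
    "$env:SystemRoot\repair"           = 2, 4
    "$env:SystemRoot\system32\config"  = 1, 2, 4
    "$env:SystemRoot\system32\spool"   = @()      # control 13 only; control 11 gives no DACL guideline
}
# Control 13: rights Everyone must be audited on for Failure; Delete also on Success.
$ExpectedFailure = $FSR::CreateFiles -bor $FSR::AppendData -bor $FSR::DeleteSubdirectoriesAndFiles -bor $FSR::Delete -bor $FSR::ChangePermissions -bor $FSR::TakeOwnership

function ConvertTo-SpecificRights([int]$bits) {
    # Inherit-only ACEs (e.g. CREATOR OWNER) carry generic rights; expand them to the
    # specific rights they map to on files, then drop the generic bits.
    if ($bits -band 0x10000000) { $bits = $bits -bor [int]$FSR::FullControl }     # GENERIC_ALL
    if ($bits -band 0x40000000) { $bits = $bits -bor [int]$FSR::Write }           # GENERIC_WRITE
    if ($bits -band 0x20000000) { $bits = $bits -bor [int]$FSR::ReadAndExecute }  # GENERIC_EXECUTE
    if ($bits -band 0x80000000) { $bits = $bits -bor [int]$FSR::Read }            # GENERIC_READ
    return $bits -band 0x0FFFFFFF
}

function New-Finding($path, $check, $detail, $status) {
    New-Object PSObject -Property @{ Path = $path; Check = $check; Detail = $detail; Status = $status }
}

function Test-SystemDirectorySecurity {
    foreach ($dir in $Directories.Keys) {
        if (-not (Test-Path -LiteralPath $dir)) { New-Finding $dir 'exists' '' 'SKIP: not present on this version'; continue }
        $acl   = Get-Acl -LiteralPath $dir -Audit
        $rules = @($Directories[$dir] | ForEach-Object { $Guideline[$_] })

        # --- DACL against the control 11 guideline ---
        foreach ($ace in $acl.Access) {
            if ($rules.Count -eq 0) { break }
            $id   = $ace.IdentityReference.Value
            $rule = $rules | Where-Object { $_.Identity -eq $id }
            if ($ace.AccessControlType -ne 'Allow') { $status = 'REVIEW: deny entry' }
            elseif (-not $rule)                     { $status = 'FAIL: identity not in guideline' }
            else {
                # Synchronize is implied on every allow ACE and is not a guideline right.
                $allowed = [int]$rule.Rights -bor [int]$FSR::Synchronize
                $actual  = ConvertTo-SpecificRights ([int]$ace.FileSystemRights)
                $status  = if (($actual -band (-bnot $allowed)) -ne 0) { 'FAIL: rights exceed guideline' } else { 'OK' }
            }
            New-Finding $dir 'DACL' "$id : $($ace.FileSystemRights)" $status
        }
        foreach ($rule in $rules) {
            if (-not ($acl.Access | Where-Object { $_.IdentityReference.Value -eq $rule.Identity })) {
                New-Finding $dir 'DACL' $rule.Identity 'FAIL: guideline identity missing'
            }
        }

        # --- SACL against the control 13 guideline for Everyone ---
        $failBits = 0; $successBits = 0
        foreach ($audit in $acl.Audit) {
            if ($audit.IdentityReference.Value -ne 'Everyone') { continue }
            $bits = ConvertTo-SpecificRights ([int]$audit.FileSystemRights)
            if ($audit.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Failure) { $failBits    = $failBits    -bor $bits }
            if ($audit.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) { $successBits = $successBits -bor $bits }
        }
        $missing = [int]$ExpectedFailure -band (-bnot $failBits)
        if ($missing -ne 0) { New-Finding $dir 'SACL' ('Everyone failure audit missing: ' + [System.Security.AccessControl.FileSystemRights]$missing) 'FAIL' }
        elseif (($successBits -band [int]$FSR::Delete) -eq 0) { New-Finding $dir 'SACL' 'Everyone: Delete not audited on success' 'FAIL' }
        else { New-Finding $dir 'SACL' 'Everyone audit entries match the guideline' 'OK' }
    }
}

Test-SystemDirectorySecurity | Format-Table Path, Check, Detail, Status -AutoSize -Wrap
```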

14. The audit logs should be sufficiently large and the overwrite policy should be appropriate to ensure that the audit trail is usable and manageable.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: If events are overwritten before they can be reviewed, there is an increased risk that continuous unauthorized activity may go undetected.
Typical risk rating: Medium
Review steps:
1) Open the Group Policy Editor.
2) Navigate to the following sub tree: Computer Configuration\Windows Settings\Security Settings\Event Log\Settings for Event Log.
3) Verify that the security options labeled 'Maximum application log size', 'Maximum security log size' and 'Maximum system log size' are defined and set in accordance with the Corporate Security Policy.
4) Close the Group Policy Editor.

15. Auditing should be enabled for Privilege Use, Logon/Logoff events and Audit policy change on critical workstations and servers.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: This control audits the failure of certain user rights such as privilege use, logon events and policy change. Without auditing of logon events, failed attempts by unauthorized users might go undetected.
Typical risk rating: High
Review steps:
1) Open the Group Policy Editor.
2) Navigate the following sub tree: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
3) Ensure Audit privilege use is set to audit the failure of privileged user rights.
4) Ensure Audit logon events has been set to audit successes and failures of logon events.
5) Ensure Audit object access is set to audit the failure of access to objects.
6) Ensure Audit policy change is set to audit both success and failure.
7) Ensure success and failure are enabled within the audit policy 'Audit account management'.
8) Close the Group Policy Editor.

16. The "Manage auditing and security log" standard user right should be restricted.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: This privilege allows a user to specify object access auditing options for individual resources such as files and registry keys. Users with this right have the ability to attempt an attack on the system and then delete the log.
Typical risk rating: Medium
Review steps:
1) Open the Group Policy Editor.
2) Navigate the following sub tree: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
3) Ensure 'Manage auditing and security log' is assigned to Administrators only.
4) Close the Group Policy Editor.

17. Down-level authentication should be restricted.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: Down-level authentication compromises passwords because they are sent in clear text. An unauthorized user could capture those passwords and use them to impersonate a user.
Typical risk rating: Medium
Review steps:
1) Open the Group Policy Editor.
2) Navigate the following sub tree: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
3) Ensure that the security option “Microsoft network client: Send unencrypted password to connect to third-party SMB servers” is Disabled.
4) Close the Group Policy Editor.

18. If all clients run Windows 2000 or later, or a version of Windows NT 4.0 with Service Pack 4 or higher, then only NTLMv2 authentication should be accepted.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: The LAN Manager authentication security support provider (SSP) and the NTLMv1 SSP use a weaker form of authentication. An intruder may potentially be able to crack the password hash if they sniff it as it traverses the network.
Typical risk rating: Medium
Review steps:
1) Open the Group Policy Editor.
2) Navigate the following sub tree: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
3) Ensure that 'Network security: LAN Manager authentication level' is set to the value: Send NTLMv2 response only\Refuse LM & NTLM.
4) Close the Group Policy Editor.

19. Only the required Windows Components should be installed on workstations and servers.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: Additional Windows Components would allow intruders to potentially exploit certain vulnerabilities that only exist in those components. Regardless of whether vulnerabilities exist, those components open the workstation/server up to new points of attack and entry.
Typical risk rating: Low
Review steps:
For Windows XP SP2 and Windows 2003:
1) Open Control Panel from the Start Menu.
2) Double click Add/Remove Programs.
3) Click Add/Remove Windows Components on the left margin.
4) Ensure that only required components are installed.
5) Click Close and close the Control Panel.
For Windows Vista SP1 and Windows 2008:
1) Open Control Panel from the Start Menu.
2) Double click Programs and Features.
3) Click Turn Windows features on or off.
4) In the roles and features tab, ensure that only required components are installed.
5) Click Close and close the Control Panel.
As per the best practices guidelines, do not install the following Windows components unless a valid business case exists for their use:
• Indexing Service (WSearch in Vista SP1 and 2008)
• Internet Information Services (other than the MMC management snap-in)
• Management and Monitoring Tools
• Message Queuing Services
• Other Network File and Print Services
• Networking Services
• Script Debugger
• Windows Media Services

20. Network protocols that are not required should be removed.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: The more protocols running, the more points of entry an unauthorized user has to compromise a workstation/server.
Typical risk rating: Low
Review steps:
1) Right click My Network Places from the Start Menu and select Properties. (For Vista and 2008: Control Panel\Network and Internet\Network Connections.)
2) Right click Local Area Connection and select Properties.
3) Ensure that the following protocols are not present: AppleTalk, DLC, NetBEUI, Network Monitor, NWLink.
4) Click OK to close the Local Area Connection Properties window.
5) Close the Network and Dial-up Connections window.

21. Null session pipes should be restricted.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: The null credentials logon gives users a method of procuring every share and username that exists on the system. With this information, attackers can start brute force guessing passwords and attempt to compromise the system.
Typical risk rating: Medium
Review steps:
1) Open the Group Policy Editor.
2) Navigate the following sub tree: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
3) Verify that "Network access: Named Pipes that can be accessed anonymously" is set only to the following values:
a. netlogon
b. lsarpc
c. samr
d. browser
4) Verify that "Network access: Let Everyone permissions apply to anonymous users" is set to Disabled.
5) Verify that "Network access: Allow anonymous SID/Name translation" is set to Disabled.
6) Verify that "Network access: Do not allow anonymous enumeration of SAM accounts" is set to Enabled.
7) Close the Group Policy Editor.

22. SNMP should be disabled if it is not being used for remote management. If SNMP is used, the default community names (public, private) should be changed and access should be restricted to a specific host or hosts.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: Public and private are the default SNMP community names; using the default settings increases the possibility of service compromise.
Typical risk rating: Medium
Review steps:
1) Open the Group Policy Editor.
2) Navigate to the following sub tree: Computer Configuration\Administrative Templates\Network\SNMP
3) Verify that "Communities" is set to Enabled and an appropriate value has been defined.
4) Verify that "Permitted Managers" is set to Enabled and defined appropriately.
5) Verify that "Traps for public community" is set to Enabled and defined to an appropriate value.
6) Close the Group Policy Editor.

23. Simple TCP/IP services that enable unnecessary enticement information services should be removed.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: The simple services include TCP and UDP versions of Chargen, Daytime, Discard, Echo, and Qotd. They are susceptible to denial of service attacks and disseminate information that could be used to launch an attack against the workstation/server.
Typical risk rating: Low
Review steps:
1) Open regedt32.
2) Select the following key: HKLM\System\CurrentControlSet\Services\SimpTcp\Parameters
3) Ensure that the values below do not exist or have been set to DWORD 0.
• EnableTcpChargen
• EnableTcpDaytime
• EnableTcpDiscard
• EnableTcpEcho
• EnableTcpQotd
• EnableUdpChargen
• EnableUdpDaytime
• EnableUdpDiscard
• EnableUdpEcho
• EnableUdpQotd
4) Close regedt32.

24. The telnet server service should not be used.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: Telnet grants authorized users access to the system. This is a powerful privilege that would allow the individual to perform many functions that could escalate privileges or launch malicious code.
Typical risk rating: High
Review steps:
1) Open regedt32.
2) Ensure the following keys do not exist:
• HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr
• HKLM\SOFTWARE\Microsoft\TelnetServer
Close regedt32.
3) Open Windows Explorer. Ensure the following files do not exist:
• %SystemRoot%\system32\tlntsvr.exe (Telnet Server)
• %SystemRoot%\system32\tlntsess.exe (Telnet Server Helper)
• %SystemRoot%\system32\tlntadmn.exe (Telnet Server Administration Program)
• %SystemRoot%\system32\tlntsvrp.dll (Telnet Server Proxy Stub)
4) Close Windows Explorer.

25. The "Act as part of the operating system" advanced user right should be restricted so that no one can act as the 'system'.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: The Act as part of the operating system right allows the designated accounts to act as a trusted part of the operating system; they can therefore do anything, regardless of other rights.
Typical risk rating: High
Review steps:
1) Open the Group Policy Editor.
2) Navigate the following sub tree: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
3) Ensure that 'Act as part of the operating system' is not assigned to any groups.
4) Close the Group Policy Editor.

26. The "Change the system time" user right should be restricted.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: The entire audit, event monitoring and logging system, Kerberos, account lockout and expiration are based on time and therefore require that the time settings not be tampered with.
Typical risk rating: Medium
Review steps:
1) Open the Group Policy Editor.
2) Navigate the following sub tree: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
3) Ensure that 'Change the system time' is defined and assigned to Administrators.
4) Close the Group Policy Editor.

27. The "Enable computer and user accounts to be trusted for delegation" advanced user right should be restricted.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: Misuse of this privilege or of the Trusted for Delegation settings could make the network vulnerable to attacks using Trojan horse programs that impersonate incoming clients to gain access to network resources.
Typical risk rating: Medium
Review steps:
1) Open the Group Policy Editor.
2) Navigate the following sub tree: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
3) Ensure 'Enable computer and user accounts to be trusted for delegation' is assigned to the Administrators group only.
4) Close the Group Policy Editor.

28. The "Log on as a batch job” and “Log on as a service” rights should only be used for service accounts.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: Batch jobs or services could run in the background and gain full control over the system.
Typical risk rating: Medium
Review steps:
1) Open the Group Policy Editor.
2) Navigate the following sub tree: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
3) Ensure the security option 'Log on as a batch job' is not assigned to any groups unless a valid business case exists for assigning this right to a group containing user accounts for batch purposes.
4) Ensure that the appropriate groups are assigned the 'Log on as a service' security option in accordance with corporate standards.
5) Close the Group Policy Editor.

29. The "Take ownership of files or other objects" standard user right should be restricted.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: With this right, users can ignore the ACL of an object or file, take ownership of any securable object in the system, including files, folders, printers, registry keys, processes and threads, and change the ACL to grant themselves permission.
Typical risk rating: Medium
Review steps:
1) Open the Group Policy Editor.
2) Navigate the following sub tree: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
3) Ensure that 'Take ownership of files or other objects' is assigned to Administrators only.
4) Close the Group Policy Editor.

30. The "Back up files and directories" and "Restore files and directories" standard user rights should be restricted.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: Back up files and directories allows the user to circumvent file and directory permissions to back up the system. Users with this user right may bypass the ACL of an object and read any object they wish.
Typical risk rating: Medium
Review steps:
1) Open the Group Policy Editor.
2) Navigate the following sub tree: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
3) Ensure that only Backup Operators (or Administrators) are assigned 'Back up files and directories'.
4) Ensure that only Backup Operators (or Administrators) are assigned 'Restore files and directories'.
5) Close the Group Policy Editor.

31. The "Modify firmware environment variables" advanced user right should be restricted.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: This privilege allows modification of the system environment variables. If a variable is modified, it could be set to point to a batch program that launches a Trojan horse or a DoS attack.
Typical risk rating: Medium
Review steps:
1) Open the Group Policy Editor.
2) Navigate the following sub tree: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
3) Ensure that 'Modify firmware environment variables' is assigned to Administrators or as per the corporate security standards.
4) Close the Group Policy Editor.
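A scripted version of the Group Policy Editor checks in controls 1, 3, 4, 8, 9, 15 to 18, 21 and 25 to 31, as an added example that is not part of the original checklist: it exports the effective local security policy with secedit.exe and compares the [System Access], [Event Audit], [Privilege Rights] and [Registry Values] sections with the checklist's best-practice values. It assumes an elevated PowerShell prompt; the setting names, registry paths and well-known SIDs are the ones secedit writes, and LockoutDuration is exported as -1 where the editor shows 0.

```powershell
# Review script for the policy-based controls (added example; not part of the original
# checklist). secedit.exe is present on XP SP2, 2003, Vista SP1 and 2008. Assumes an
# elevated prompt; the Expected column quotes the checklist's own best-practice guidelines.

function Import-SecurityPolicy {
    # secedit writes an INI-style file; return it as @{ section = @{ name = value } }.
    $tmp = Join-Path $env:TEMP 'secpol-review.inf'
    & secedit.exe /export /cfg $tmp /quiet | Out-Null
    $policy = @{}; $section = ''
    foreach ($line in Get-Content $tmp) {
        if ($line -match '^\[(.+)\]$') { $section = $matches[1]; $policy[$section] = @{}; continue }
        if ($section -and $line -match '^(.+?)\s*=\s*(.*)$') { $policy[$section][$matches[1]] = $matches[2] }
    }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    return $policy
}

$Admins = 'S-1-5-32-544'; $BackupOps = 'S-1-5-32-551'   # well-known group SIDs
function Get-SidSet([string]$v) { @(($v -replace '\*', '').Split(',') | Where-Object { $_ }) }
function Get-RegValue([string]$v) { if ($v -match '^\d+,(.*)$') { $matches[1] } else { $v } }   # drop the "type," prefix
function Test-OnlyAllowed([string]$v, [string[]]$allowed) { @(Get-SidSet $v | Where-Object { $allowed -notcontains $_ }).Count -eq 0 }
$Pol = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$Lsa = 'MACHINE\System\CurrentControlSet\Control\Lsa'

# One row per checklist expectation: control number, export section, setting name,
# the value the checklist wants, and a test returning $true when the export satisfies it.
$Expectations = @(
  @{ C=8;  S='System Access';    N='MinimumPasswordAge';     Want='>= 3 days';          T={ param($v) [int]$v -ge 3 } },
  @{ C=8;  S='System Access';    N='MaximumPasswordAge';     Want='1-90 days';          T={ param($v) [int]$v -ge 1 -and [int]$v -le 90 } },
  @{ C=8;  S='System Access';    N='PasswordComplexity';     Want='1';                  T={ param($v) [int]$v -eq 1 } },
  @{ C=8;  S='System Access';    N='PasswordHistorySize';    Want='>= 6';               T={ param($v) [int]$v -ge 6 } },
  @{ C=8;  S='System Access';    N='MinimumPasswordLength';  Want='>= 6';               T={ param($v) [int]$v -ge 6 } },
  @{ C=9;  S='System Access';    N='LockoutBadCount';        Want='1-3';                T={ param($v) [int]$v -ge 1 -and [int]$v -le 3 } },
  @{ C=9;  S='System Access';    N='ResetLockoutCount';      Want='>= 1440 min';        T={ param($v) [int]$v -ge 1440 } },
  @{ C=9;  S='System Access';    N='LockoutDuration';        Want='-1 (editor shows 0)'; T={ param($v) [int]$v -eq -1 } },
  @{ C=21; S='System Access';    N='LSAAnonymousNameLookup'; Want='0';                  T={ param($v) [int]$v -eq 0 } },
  @{ C=15; S='Event Audit';      N='AuditPrivilegeUse';      Want='2 or 3 (failure)';   T={ param($v) [int]$v -ge 2 } },
  @{ C=15; S='Event Audit';      N='AuditLogonEvents';       Want='3';                  T={ param($v) [int]$v -eq 3 } },
  @{ C=15; S='Event Audit';      N='AuditObjectAccess';      Want='2 or 3 (failure)';   T={ param($v) [int]$v -ge 2 } },
  @{ C=15; S='Event Audit';      N='AuditPolicyChange';      Want='3';                  T={ param($v) [int]$v -eq 3 } },
  @{ C=15; S='Event Audit';      N='AuditAccountManage';     Want='3';                  T={ param($v) [int]$v -eq 3 } },
  @{ C=16; S='Privilege Rights'; N='SeSecurityPrivilege';    Want='Administrators';     T={ param($v) Test-OnlyAllowed $v $Admins } },
  @{ C=25; S='Privilege Rights'; N='SeTcbPrivilege';         Want='nobody';             T={ param($v) (Get-SidSet $v).Count -eq 0 } },
  @{ C=26; S='Privilege Rights'; N='SeSystemtimePrivilege';  Want='Administrators';     T={ param($v) Test-OnlyAllowed $v $Admins } },
  @{ C=27; S='Privilege Rights'; N='SeEnableDelegationPrivilege'; Want='Administrators'; T={ param($v) Test-OnlyAllowed $v $Admins } },
  @{ C=28; S='Privilege Rights'; N='SeBatchLogonRight';      Want='nobody (unless business case)'; T={ param($v) (Get-SidSet $v).Count -eq 0 } },
  @{ C=29; S='Privilege Rights'; N='SeTakeOwnershipPrivilege'; Want='Administrators';   T={ param($v) Test-OnlyAllowed $v $Admins } },
  @{ C=30; S='Privilege Rights'; N='SeBackupPrivilege';      Want='Administrators, Backup Operators'; T={ param($v) Test-OnlyAllowed $v $Admins, $BackupOps } },
  @{ C=30; S='Privilege Rights'; N='SeRestorePrivilege';     Want='Administrators, Backup Operators'; T={ param($v) Test-OnlyAllowed $v $Admins, $BackupOps } },
  @{ C=31; S='Privilege Rights'; N='SeSystemEnvironmentPrivilege'; Want='Administrators'; T={ param($v) Test-OnlyAllowed $v $Admins } },
  @{ C=1;  S='Registry Values';  N="$Pol\LegalNoticeCaption"; Want='non-empty';         T={ param($v) ((Get-RegValue $v) -replace '"', '').Trim() -ne '' } },
  @{ C=1;  S='Registry Values';  N="$Pol\LegalNoticeText";   Want='non-empty';          T={ param($v) ((Get-RegValue $v) -replace '"', '').Trim() -ne '' } },
  @{ C=3;  S='Registry Values';  N="$Pol\DontDisplayLastUserName"; Want='1';            T={ param($v) (Get-RegValue $v) -eq '1' } },
  @{ C=4;  S='Registry Values';  N="$Pol\DisableCAD";        Want='0';                  T={ param($v) (Get-RegValue $v) -eq '0' } },
  @{ C=17; S='Registry Values';  N='MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword'; Want='0'; T={ param($v) (Get-RegValue $v) -eq '0' } },
  @{ C=18; S='Registry Values';  N="$Lsa\LmCompatibilityLevel"; Want='5';               T={ param($v) (Get-RegValue $v) -eq '5' } },
  @{ C=21; S='Registry Values';  N="$Lsa\RestrictAnonymousSAM"; Want='1';               T={ param($v) (Get-RegValue $v) -eq '1' } },
  @{ C=21; S='Registry Values';  N="$Lsa\EveryoneIncludesAnonymous"; Want='0';          T={ param($v) (Get-RegValue $v) -eq '0' } },
  @{ C=21; S='Registry Values';  N='MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes';
     Want='subset of netlogon, lsarpc, samr, browser';
     T={ param($v) @((Get-RegValue $v).Split(',') | Where-Object { $_ -and ('netlogon', 'lsarpc', 'samr', 'browser') -notcontains $_ }).Count -eq 0 } }
)

function Test-SecurityPolicy {
    $policy = Import-SecurityPolicy
    foreach ($e in $Expectations) {
        $actual = $null
        if ($policy.ContainsKey($e.S)) { $actual = $policy[$e.S][$e.N] }   # $null when the setting is not exported
        $status = if (& $e.T $actual) { 'OK' } else { 'FAIL' }
        New-Object PSObject -Property @{ Control = $e.C; Setting = $e.N; Actual = $actual; Expected = $e.Want; Status = $status }
    }
}

Test-SecurityPolicy | Sort-Object Control | Format-Table Control, Setting, Actual, Expected, Status -AutoSize -Wrap
```

On Vista SP1 and 2008 the default policy grants LOCAL SERVICE the "Change the system time" right, so control 26 reports FAIL until the right is restricted as the checklist asks.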

32. The POSIX and OS/2 subsystems should be removed if not used.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: Legacy operating system subcomponents should be removed from Windows so that the applications, and their exploits, cannot affect the integrity of the system.
Typical risk rating: Low
Review steps:
1) Open regedt32.
2) Ensure that the entries below do not exist:
• HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\OS2
• HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Posix
3) Close regedt32.

33. Remote registry access should not be allowed.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: There is an increased risk that an unauthorized user may gain knowledge about a workstation/server and even attack the system with denial of service or Trojan horses if they can access the registry's common areas and allowed paths.
Typical risk rating: High
Review steps:
1) Open regedt32.
2) Right click on each of the keys below.
3) Select Permissions\Security\Advanced Settings.
4) Ensure that the access given is in compliance with corporate standards or the recommended guidelines.
• HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg (Administrators - Full Control; no other access control entry (ACE) should be set unless Backup Operators need Read access.)
• HKLM\System\CurrentControlSet\Control\ProductOptions
• HKLM\System\CurrentControlSet\Control\Print\Printers
• HKLM\System\CurrentControlSet\Control\Server Applications
• HKLM\System\CurrentControlSet\Services\Eventlog
• HKLM\Software\Microsoft\OLAP Server
• HKLM\System\CurrentControlSet\Control\ContentIndex
• HKLM\System\CurrentControlSet\Control\Terminal Server
• HKLM\System\CurrentControlSet\Control\Terminal Server\UserConfig
• HKLM\System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
The best practices guidelines: Administrators: Full Control, System: Full Control and Authenticated Users: Read.
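The regedt32 checks of controls 2, 23, 24, 32 and 33 in one table-driven script, as an added example that is not part of the original checklist: values that must be absent or 0 (AutoAdminLogon, the SimpTcp Enable* values), values and keys that must be absent (Os2/Posix, the Telnet keys), and registry keys whose DACL is compared with the guideline of control 33. It assumes an elevated PowerShell prompt, English identity names and the XP SP2/2003 value name for control 2 (substitute AutoLogonChecked on Vista SP1/2008); Os2 and Posix are stored as values under the SubSystems key, so they are tested as values.

```powershell
# Review script for the registry-based controls 2, 23, 24, 32 and 33 (added example; not
# part of the original checklist). Assumes an elevated prompt and English identity names.

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$SimpTcp  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SimpTcp\Parameters'
$SubSys   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$RR = [System.Security.AccessControl.RegistryRights]

# Mode 'ZeroOrAbsent': the value may not exist or must be 0. Mode 'Absent': it may not exist.
$Values = @(@{ Control = 2; Key = $Winlogon; Name = 'AutoAdminLogon'; Mode = 'ZeroOrAbsent' })
foreach ($svc in 'Chargen', 'Daytime', 'Discard', 'Echo', 'Qotd') {
    foreach ($proto in 'Tcp', 'Udp') {
        $Values += @{ Control = 23; Key = $SimpTcp; Name = "Enable$proto$svc"; Mode = 'ZeroOrAbsent' }
    }
}
$Values += @{ Control = 32; Key = $SubSys; Name = 'Os2';   Mode = 'Absent' }
$Values += @{ Control = 32; Key = $SubSys; Name = 'Posix'; Mode = 'Absent' }

# Keys that must not exist (control 24).
$AbsentKeys = @(
    @{ Control = 24; Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\TlntSvr' },
    @{ Control = 24; Key = 'HKLM:\SOFTWARE\Microsoft\TelnetServer' }
)

# Control 33: the most each identity may hold. winreg: Administrators only, plus Backup
# Operators read where needed; the other paths follow the best practices guidelines.
$Standard = @{ 'BUILTIN\Administrators' = $RR::FullControl; 'NT AUTHORITY\SYSTEM' = $RR::FullControl; 'NT AUTHORITY\Authenticated Users' = $RR::ReadKey }
$KeyAcls = @{
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg' = @{ 'BUILTIN\Administrators' = $RR::FullControl; 'BUILTIN\Backup Operators' = $RR::ReadKey }
    'HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions'                         = $Standard
    'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers'                         = $Standard
    'HKLM:\SYSTEM\CurrentControlSet\Control\Server Applications'                    = $Standard
    'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'                              = $Standard
    'HKLM:\SOFTWARE\Microsoft\OLAP Server'                                          = $Standard
    'HKLM:\SYSTEM\CurrentControlSet\Control\ContentIndex'                           = $Standard
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'                        = $Standard
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\UserConfig'             = $Standard
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration' = $Standard
}

function New-Finding($control, $item, $actual, $status) {
    New-Object PSObject -Property @{ Control = $control; Item = $item; Actual = $actual; Status = $status }
}

function ConvertTo-SpecificRegistryRights([int]$bits) {
    # Inherited ACEs may carry generic rights; map them to the registry rights they expand to.
    if ($bits -band 0x10000000) { $bits = $bits -bor [int]$RR::FullControl }  # GENERIC_ALL
    if ($bits -band 0x80000000) { $bits = $bits -bor [int]$RR::ReadKey }      # GENERIC_READ
    return $bits -band 0x0FFFFFFF
}

function Test-RegistryControls {
    foreach ($v in $Values) {
        $data = (Get-ItemProperty -Path $v.Key -ErrorAction SilentlyContinue).($v.Name)
        $ok = if ($v.Mode -eq 'Absent') { $data -eq $null } else { $data -eq $null -or "$data" -eq '0' }
        $shown = if ($data -eq $null) { 'absent' } else { $data }
        New-Finding $v.Control "$($v.Key)\$($v.Name)" $shown $(if ($ok) { 'OK' } else { 'FAIL' })
    }
    foreach ($k in $AbsentKeys) {
        $exists = Test-Path -Path $k.Key
        New-Finding $k.Control $k.Key $(if ($exists) { 'present' } else { 'absent' }) $(if ($exists) { 'FAIL' } else { 'OK' })
    }
    foreach ($path in $KeyAcls.Keys) {
        if (-not (Test-Path -Path $path)) { New-Finding 33 $path 'absent' 'SKIP'; continue }
        $allowed = $KeyAcls[$path]
        foreach ($ace in (Get-Acl -Path $path).Access) {
            $id     = $ace.IdentityReference.Value
            $rights = ConvertTo-SpecificRegistryRights ([int]$ace.RegistryRights)
            if ($ace.AccessControlType -ne 'Allow')                      { $status = 'REVIEW: deny entry' }
            elseif (-not $allowed.ContainsKey($id))                       { $status = 'FAIL: identity not in guideline' }
            elseif (($rights -band (-bnot [int]$allowed[$id])) -ne 0)    { $status = 'FAIL: rights exceed guideline' }
            else                                                          { $status = 'OK' }
            New-Finding 33 $path "$id : $($ace.RegistryRights)" $status
        }
    }
}

Test-RegistryControls | Format-Table Control, Item, Actual, Status -AutoSize -Wrap
```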

34. The "Disable registry editing tools" user configuration setting should be enabled.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: By limiting access to edit the registry, users (authorized or unauthorized) are restricted from browsing the registry for cached passwords and/or placing malicious programs in the registry.
Typical risk rating: Medium
Review steps:
For Windows 2003:
1) Open the Group Policy Editor.
2) Select the User Configuration\Administrative Templates\System folder.
3) Verify that the "Disable registry editing tools" option is enabled.
4) Close the Group Policy Editor.
For Windows XP SP2, Vista SP1 and Windows 2008:
1) Open the Group Policy Editor.
2) Select the User Configuration\Administrative Templates\System folder.
3) Verify that the “Prevent access to registry editing tools” option is set to Enabled.
4) Close the Group Policy Editor.

35. The "Disable the Security page" user configuration setting for Internet Explorer should be Enabled.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: This setting prevents users from viewing and changing settings for security zones, such as scripting, download, and user authentication.
Typical risk rating: Medium
Review steps:
1) Open the Group Policy Editor.
2) Select the User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel tab.
3) Ensure that the "Disable the Security page" option is enabled.
4) Close the Group Policy Editor.

36. The "Disable changing Advanced page settings" user configuration setting for Internet Explorer should be enabled.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: Enabling this setting prevents users from changing advanced Internet Explorer settings such as security, multimedia, and printing. In addition, users cannot select or clear the checkboxes on the Advanced tab.
Typical risk rating: Best Practice
Review steps:
1) Open the Group Policy Editor.
2) Select the User Configuration\Administrative Templates\Windows Components\Internet Explorer tab.
3) Ensure that the “Disable changing Advanced page settings” option is set to Enabled.
4) Close the Group Policy Editor.

37. The “Do not allow AutoComplete to save passwords” user configuration setting for Internet Explorer should be enabled.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: This setting disables automatic completion of user names and passwords in forms on Web pages and prevents users from being prompted to save passwords. Otherwise passwords would be cached in the registry and could be compromised by an unauthorized user.
Typical risk rating: Best Practice
Review steps:
For Windows XP SP2 and Windows 2003:
1) Open the Group Policy Editor.
2) Select the User Configuration\Administrative Templates\Windows Components\Internet Explorer tab.
3) Ensure that the "Do not allow AutoComplete to save passwords" security option is set to Enabled.
4) Close the Group Policy Editor.
For Windows Vista SP1 and Windows 2008:
1) Open the Group Policy Editor.
2) Select the User Configuration\Administrative Templates\Windows Components\Internet Explorer tab.
3) Verify that the "Turn on the auto-complete feature for user names and passwords on forms" option is set to Disabled.
4) Close the Group Policy Editor.

38. The latest Microsoft Service Pack and the appropriate hotfixes should be installed as recommended by Microsoft, after adequate testing in a non-production environment.

Applicable to: Windows XP SP2, Windows 2003, Windows Vista SP1, Windows 2008
Control implication: If the operating system is not current, there is an increased risk that an unauthorized user may be able to exploit weaknesses in the operating system.
Typical risk rating: High
Review steps:
Using standard Microsoft tools such as the Microsoft Baseline Security Analyzer, check for missing patches.
For more information visit: http://www.microsoft.com/technet/security/tools/mbsahome.mspx

By,

S.Kumar

http://skumar240784.blogspot.com