
1. Review OS Patch Security


   1. Critical Patches
      1. Install critical patches listed in the current Critical Security Patches document.

2. Review Physical Access Security


   1. Location Security
      1. Place the server in a physically secure area that complies with the Physical Security for Infrastructure Technology section of the Watson Security Policy.
   2. BIOS Security
      1. Set a BIOS password to prevent the boot sequence from being changed. Note: Many new servers have an Administrator BIOS password versus a generic BIOS password that may prevent a server from rebooting. T
      2. Configure the BIOS so the system must boot from the hard drive first, then from the floppy or CD-ROM. Note: This boot sequence is configured in the system's BIOS, which is typically accessed by hitting a spe
   3. Console Security
      1. Configure the automatic password-protected screen saver so it will activate after five minutes of inactivity at the console.
   4. Recovery Console
      1. Disable the automatic administrative logon feature.

3. Review User and Group Security

The consistent and proper application of user and group security is essential to maintaining a secure environment. As with all security policies, the least privilege approach should be used when assigning rights and a

   1. Users and Groups

      1. Remove general user IDs from the local SAM. Process IDs are permitted, provided they have been documented. Note: General user IDs refers to userids created for specific people and associated with a specific person.
      2. Review and confirm that only Local groups are being used to apply security;
      3. Review and confirm that only Global groups are added to Local groups. The general User is to be added to the Global groups for Share access and file permissions. Note: Local Groups must not contain individ
   2. Administrator Account

      1. Rename the Administrator account.
      2. Rename the account to a non-obvious name (e.g., not "admin," "root," etc.).
      3. Delete the default account description for the renamed account.
      4. Change the renamed administrator account password and ensure it complies with the more restrictive administrator level settings of the Watson Password Standard.
      5. Enable account lockout on the real Administrator account, which has been renamed, by using the admnlock utility and by running the admnlock /e command. Note: This enables the temporary lockout only for con
      6. Create a decoy account named "Administrator" with no privileges.
      7. Disable the decoy Administrator account.
      8. Add the following account description for the decoy Administrator account: Built-in account for administering the computer/domain
      9. Change the decoy administrator account password and ensure it complies with the restrictive administrator level settings of the Watson Password Standard.
   3. Guest Account

      1. Rename the Guest account.
      2. Delete the default account description for the renamed account.
      3. Ensure the Guest account remains disabled.
      4. Change the Guest account password. By default it does not have a password assigned. It must be set using the admin level settings of the Watson Password Standard.
      5. Create a decoy account named "Guest" with no privileges.
      6. Disable the decoy Guest account.
      7. Ensure the decoy Guest account has the following account description: Built-in account for guest access to the computer/domain
      8. Change the decoy Guest account password and ensure it complies with the admin level settings of the Watson Password Standard.

4. Review Share Security


The definition of File Shares must incorporate two levels of access permissions: Share Level permissions and File Level permissions.

   1. Review and confirm that only the default admin shares exist on the system and boot partitions, typically the C: drive that contains the Windows OS installation.
   2. Review and confirm that Full Control for the Everyone group has been removed from all shared files and directories. The Authenticated Users group may be used in its place if wide access is required.
   3. Review files and directories to ensure that only required and approved permissions are applied.
   4. Review Shares to ensure that only required and approved shares are implemented.
   5. When file access to the data drive, such as D:, is needed by SQL Administrators or other applicable groups, create the share as required:
   6. Apply Read/Write to all groups given access and Full Control to the Local Administrators group;
   7. Apply NTFS file permissions to the directory: Full Control for Local Administrators and as appropriate for all others;
   8. Apply the appropriate group permissions to any additional directories, except for Full Control.

5. Review Account Policies

Account policies can be configured by accessing the Local Security Policy through Control Panel > Administrative Tools. There are two sections in Account Policies, Password Policy and Account Lockout Policy. A

   1. All passwords are at least 8 characters long (minimum);
   2. Minimum Password Age: 1 day;
   3. Maximum Password Age: 90 days;
   4. Password Uniqueness: 13 Passwords Remembered;
   5. Password Complexity: Enabled. Passwords are made up of various characters, which can be broken down into four character groups. These ar
   6. Account Lockout Duration: 60 Minutes (minimum)
   7. Account Lockout After: 5 Bad Login Attempts (maximum)
   8. Reset Account Lockout After: 15 Minutes (minimum)

6. Review Object Security


   1. Protected Store Security
      1. Enable 168-bit Protected Store key length by using the Keymigrt.exe utility at least once regardless of what patches or service packs are instal
   2. File System Security

      1. Verify all partitions are NTFS.
      2. Convert all File Allocation Table (FAT16/FAT32) partitions to NTFS. Warning: The convert utility will set the ACLs for the converted driv
      3. Verify applications reside on a different logical partition than the operating system where technically possible.
   3. Critical File Security

      1. Verify permissions for critical system administration files listed below are modified so that only Administrators and SYSTEM have Full Acc
      2. Verify permissions for all other users have been removed.
      3. Relocate critical %SYSTEMROOT% and %SYSTEMDIRECTORY% administration files where technically possible.
      4. Verify relocated system administration files reside in the newly created %SYSTEMROOT%\TLS directory so that only Administrators and SYS

      FILES
      %SYSTEMDIRECTORY%\ARP.EXE
      %SYSTEMDIRECTORY%\AT.EXE
      %SYSTEMDIRECTORY%\BOOTCFG.EXE
      %SYSTEMDIRECTORY%\CACLS.EXE
      %SYSTEMDIRECTORY%\CIPHER.EXE
      %SYSTEMDIRECTORY%\CMD.EXE
      %SYSTEMDIRECTORY%\COMMAND.COM
      %SYSTEMDIRECTORY%\CSCRIPT.EXE
      %SYSTEMDIRECTORY%\DEBUG.EXE
      %SYSTEMDIRECTORY%\EDLIN.EXE
      %SYSTEMDIRECTORY%\EVENTVWR.EXE
      %SYSTEMDIRECTORY%\EVENTVWR.MSC
      %SYSTEMDIRECTORY%\FIND.EXE
      %SYSTEMDIRECTORY%\FINDSTR.EXE
      %SYSTEMDIRECTORY%\FINGER.EXE
      %SYSTEMDIRECTORY%\FTP.EXE
      %SYSTEMDIRECTORY%\GETMAC.EXE
      %SYSTEMDIRECTORY%\GPEDIT.MSC
      %SYSTEMDIRECTORY%\IPCONFIG.EXE
      %SYSTEMDIRECTORY%\IPSECCMD.EXE
      %SYSTEMDIRECTORY%\ISSYNC.EXE
      %SYSTEMDIRECTORY%\MOUNTVOL.EXE
      %SYSTEMDIRECTORY%\NBTSTAT.EXE
      %SYSTEMDIRECTORY%\NET.EXE
      %SYSTEMDIRECTORY%\NET1.EXE
      %SYSTEMDIRECTORY%\NETSH.EXE
      %SYSTEMDIRECTORY%\NETSTAT.EXE
      %SYSTEMDIRECTORY%\NSLOOKUP.EXE
      %SYSTEMDIRECTORY%\NTBACKUP.EXE
      %SYSTEMDIRECTORY%\PATHPING.EXE
      %SYSTEMDIRECTORY%\PING.EXE

Note: Upon completing the installation of service packs and hot-fixes, which can contain copies of the files listed above, you must verify that additional instances

   4. Critical Directory Security
      1. Verify permissions for critical system administration directories listed below are modified so that only Administrators and SYSTEM have Fu
      2. Verify permissions for all other users have been removed.

      DIRECTORIES
      %PROGRAMFILES%\RESOURCE KIT
      %PROGRAMFILES%\RESOURCE PRO KIT
      %SYSTEMROOT%\$NTSERVICEPACKUNINSTALL$
      %SYSTEMROOT%\CONFIG
      %SYSTEMROOT%\CSC

   5. Critical Registry Keys Security
      1. Verify permissions on critical registry keys listed below have been modified so that only Administrators and SYSTEM have Full Access.
      2. Verify read and write permissions for all other users have been removed.

      REGISTRY KEYS
      HKEY_LOCAL_MACHINE\software\microsoft\netdde
      HKEY_LOCAL_MACHINE\software\microsoft\OS/2 Subsystem for NT
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
      HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\control\securepipeservers\winreg
      HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\control\wmi\security
      HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\SNMP\Parameters\PermittedManagers
      HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\SNMP\Parameters\ValidCommunities
      HKEY_USERS\.Default\software\microsoft\netdde

      3. Verify permissions on critical registry keys listed below have been modified so that only Administrators, SYSTEM, and CREATOR OWN
      4. Verify Everyone has only Read permissions.
      5. Verify permissions for all other users have been removed.

      REGISTRY KEYS
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon

   6. Subsystems Security
      1. Verify the OS/2 and POSIX subsystems have been removed.
   7. Device Security
      1. Verify CD-ROM access has been restricted to locally logged-on users only.
      2. Verify floppy access has been restricted to locally logged-on users only.
      3. Verify printer driver installation has been restricted to administrators only.

7. Review Network Security


   1. Anonymous Access
      1. Disable the enumeration of SAM accounts and shares via the anonymous user account with the settings below.
         Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa; Entry:

   2. Null Session Access
      1. Verify Null session share access has been restricted with the settings below.
         Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters; Entry: RestrictNullSessAccess; Type: DWORD; Value:

   3. Telnet Access
      1. Restrict telnet access by creating an empty TelnetClients Local Group on standalone servers and by creating an empty TelnetClients Glo
   4. Remote Console Access
      1. Restrict Remote Console access by creating an empty Rconsole Users local Group on standalone servers and by creating an empty Rcons

8. Review Interactive Logon


   1. Add the following legal notice.
   2. Disable the display last logged on user setting.
   3. Disable the Shutdown button in the Logon dialog box.
   4. Disable automatic administrator logon.
   5. Require usage of CTRL+ALT+DEL for interactive logon.

Warning: These facilities are solely for the use of authorized employees or agents of the Company, its subsidiaries and affiliates. Unauthorized use is prohibited a

9. Review Audit Policies

Enable auditing by accessing the Local Security Policy through Control Panel > Administrative Tools. Audit Policies is located under Local Polic

      1. Audit Account Logon Events: Success, Failure;
      2. Audit Account Management: Success, Failure;
      3. Audit Directory Service Access: Failure;
      4. Audit Logon Events: Success, Failure;
      5. Audit Policy Change: Success, Failure;
      6. Audit Privilege Use: Failure;
      7. Audit Process Tracking: None;
      8. Audit System Events: Success, Failure;
      9. Audit Object Access: Success, Failure;
   2. Critical Directory Access Auditing
      1. Enable Directory level audit tracking to critical system and security directories listed below for the group Everyone.

      DIRECTORIES
      %SYSTEMDRIVE%\PROGRAM FILES\RESOURCE KIT
      %SYSTEMDRIVE%\PROGRAM FILES\RESOURCE PRO KIT
      %SYSTEMROOT%
      %SYSTEMROOT%\CONFIG
      %SYSTEMROOT%\CSC
      %SYSTEMROOT%\REPAIR
      %SYSTEMROOT%\SECURITY
      %SYSTEMROOT%\SYSTEM
      %SYSTEMROOT%\SYSTEM32
      %SYSTEMDIRECTORY%\DLLCACHE
      %SYSTEMDIRECTORY%\IAS
      %SYSTEMDIRECTORY%\NTMSDATA
      %SYSTEMDIRECTORY%\WBEM

   3. Critical File Auditing
      1. Enable File level audit tracking to critical system and security files listed below for the group Everyone.

      FILES
      %SYSTEMDIRECTORY%\ARP.EXE
      %SYSTEMDIRECTORY%\AT.EXE
      %SYSTEMDIRECTORY%\BOOTCFG.EXE
      %SYSTEMDIRECTORY%\CACLS.EXE
      %SYSTEMDIRECTORY%\CIPHER.EXE
      %SYSTEMDIRECTORY%\CMD.EXE
      %SYSTEMDIRECTORY%\COMMAND.COM
      %SYSTEMDIRECTORY%\CSCRIPT.EXE
      %SYSTEMDIRECTORY%\DEBUG.EXE
      %SYSTEMDIRECTORY%\EDLIN.EXE
      %SYSTEMDIRECTORY%\EVENTVWR.EXE
      %SYSTEMDIRECTORY%\EVENTVWR.MSC
      %SYSTEMDIRECTORY%\FIND.EXE
      %SYSTEMDIRECTORY%\FINDSTR.EXE
      %SYSTEMDIRECTORY%\FINGER.EXE
      %SYSTEMDIRECTORY%\FTP.EXE
      %SYSTEMDIRECTORY%\GETMAC.EXE
      %SYSTEMDIRECTORY%\GPEDIT.MSC
      %SYSTEMDIRECTORY%\IPCONFIG.EXE
      %SYSTEMDIRECTORY%\IPSECCMD.EXE
      %SYSTEMDIRECTORY%\ISSYNC.EXE
      %SYSTEMDIRECTORY%\NBTSTAT.EXE
      %SYSTEMDIRECTORY%\NET.EXE
      %SYSTEMDIRECTORY%\NET1.EXE
      %SYSTEMDIRECTORY%\NETSH.EXE
      %SYSTEMDIRECTORY%\NETSTAT.EXE
      %SYSTEMDIRECTORY%\NTBACKUP.EXE
      %SYSTEMDIRECTORY%\PATHPING.EXE
      %SYSTEMDIRECTORY%\PING.EXE
      %SYSTEMDIRECTORY%\POLEDIT.EXE
      %SYSTEMDIRECTORY%\RCP.EXE
      %SYSTEMDIRECTORY%\REG.EXE
      %SYSTEMDIRECTORY%\REGEDIT.EXE
      %SYSTEMDIRECTORY%\REGEDT32.EXE
      %SYSTEMDIRECTORY%\REGINI.EXE
      %SYSTEMDIRECTORY%\REGSVR32.EXE
      %SYSTEMDIRECTORY%\REXEC.EXE
      %SYSTEMDIRECTORY%\RSH.EXE
      %SYSTEMDIRECTORY%\ROUTE.EXE
      %SYSTEMDIRECTORY%\RUNAS.EXE
      %SYSTEMDIRECTORY%\RUNONCE.EXE
      %SYSTEMDIRECTORY%\SC.EXE
      %SYSTEMDIRECTORY%\SECEDIT.EXE
      %SYSTEMDIRECTORY%\SECPOL.MSC
      %SYSTEMDIRECTORY%\SYSKEY.EXE
      %SYSTEMDIRECTORY%\TELNET.EXE
      %SYSTEMDIRECTORY%\TFTP.EXE
      %SYSTEMDIRECTORY%\TRACERT.EXE
      %SYSTEMDIRECTORY%\TSKILL.EXE
      %SYSTEMDIRECTORY%\WSCRIPT.EXE
      %SYSTEMDIRECTORY%\XCOPY.EXE
      %SYSTEMDIRECTORY%\WBEM\WMIC.EXE
      %SYSTEMDRIVE%\AUTOEXEC.BAT
      %SYSTEMDRIVE%\BOOT.INI
      %SYSTEMDRIVE%\CONFIG.SYS
      %SYSTEMDRIVE%\IO.SYS
      %SYSTEMDRIVE%\MSDOS.SYS
      %SYSTEMDRIVE%\NTBOOTDD.SYS
      %SYSTEMDRIVE%\NTDETECT.COM
      %SYSTEMDRIVE%\NTLDR
      %SYSTEMROOT%\REGEDIT.EXE

   4. Critical Registry Key Auditing
      1. Enable Registry level tracking for the critical registry keys listed below.

      REGISTRY KEYS
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\netdde
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
      HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\control\securepipeservers\winreg
      HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\control\wmi\security
      HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\SNMP\Parameters\PermittedManagers
      HKEY_LOCAL_MACHINE\SYSTEM\currentcontrolset\services\SNMP\Parameters\ValidCommunities
      HKEY_USERS\.Default\SOFTWARE\Microsoft\netdde

10. Verify User Rights

Modify User Rights through the Local Security Policy via the Control Panel> Administrative Tools. User Rights Assignment is located under Lo

   1. Access this computer from the network: Authenticated Users, Administrators (or none);
   2. Act as part of the operating system: None;
   3. Add workstations to domain: Administrators, Desktop Support Group (Applies to Domain Controllers of resource Domains only); Note:
   4. Back up files and directories: Administrators, Backup Operators;
   5. Bypass traverse checking: Administrators, Server Operators, and Backup Operators;
   6. Change the system time: Administrators;
   7. Create a pagefile: Administrators;
   8. Create a token object: None; Note: As a general rule no userids are allowed to create process tokens, but there are some service ids that will n
   9. Create permanent shared objects: None;
   10. Debug Programs: None;
   11. Force shutdown from a remote system: Administrators;
   12. Generate security audits: None;
   13. Increase quotas: Administrators;
   14. Increase scheduling priority: Administrators;
   15. Load and unload device drivers: Administrators;
   16. Lock pages in memory: None;
   17. Log on as a batch job: None; Note: Some service accounts will need to have this right granted. No User accounts should have this right.
   18. Log on as a service: Replicators (Domain Controller only, all others set to None). Service accounts will be granted this right as required by
   19. Log on locally: Administrators;
   20. Manage auditing and security log: Administrators;
   21. Modify firmware environment values: Administrators;
   22. Replace a process level token: None;
   23. Restore files and directories: Administrators, Backup Operators;
   24. Shut down the system: Administrators;
   25. Take ownership of file or other objects: Administrators;
   26. Deny access to this computer from the network: Guests (Add Administrators if Domain Controller) (Note: This setting is the default. The
   27. Deny logon as a batch job: None by default (others allowable as approved and documented);
   28. Deny logon as a service: None by default (others allowable as approved and documented);
   29. Deny logon locally: None by default (others allowable as approved and documented);
   30. Enable computer and user accounts to be trusted for delegation: None;
   31. Profile single process: Administrators;
   32. Profile system performance: Administrators;
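As an added example (not part of the Watson standard), the following PowerShell script exports the effective local policy with secedit and compares it with the values given in sections 5, 9 and 10 above. It assumes an elevated session on the host under review; the template key names, the audit encoding (None=0, Success=1, Failure=2, both=3) and the privilege constant names are the ones secedit itself uses.

```powershell
# Added example, not from the Watson standard: export the local security policy
# with secedit and check it against sections 5 (Account Policies), 9 (Audit
# Policies) and 10 (User Rights). Assumes an elevated session on the reviewed host.
$cfg = Join-Path $env:TEMP 'secpol-review.inf'
& secedit.exe /export /cfg $cfg /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed; run from an elevated session' }

# Minimal parser for the INI-style template secedit writes: @{ section = @{ key = value } }
function Read-SecurityTemplate([string]$Path) {
    $ini = @{}; $section = ''
    foreach ($line in Get-Content -Path $Path) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $ini
}

# Section 5. Each Test receives the integer value; (minimum)/(maximum) wording becomes -ge/-le.
# LockoutBadCount 0 would mean lockout disabled, so it is bounded on both sides.
$accountChecks = @(
    @{ Key = 'MinimumPasswordLength'; Want = '8 (minimum)';  Test = { $args[0] -ge 8 } },
    @{ Key = 'MinimumPasswordAge';    Want = '1 day';        Test = { $args[0] -eq 1 } },
    @{ Key = 'MaximumPasswordAge';    Want = '90 days';      Test = { $args[0] -eq 90 } },
    @{ Key = 'PasswordHistorySize';   Want = '13';           Test = { $args[0] -eq 13 } },
    @{ Key = 'PasswordComplexity';    Want = 'Enabled (1)';  Test = { $args[0] -eq 1 } },
    @{ Key = 'LockoutDuration';       Want = '60 (minimum)'; Test = { $args[0] -ge 60 } },
    @{ Key = 'LockoutBadCount';       Want = '1..5';         Test = { $args[0] -ge 1 -and $args[0] -le 5 } },
    @{ Key = 'ResetLockoutCount';     Want = '15 (minimum)'; Test = { $args[0] -ge 15 } }
)
# Section 9. secedit stores audit settings as None=0, Success=1, Failure=2, Success+Failure=3.
$auditChecks = @(
    @{ Key = 'AuditAccountLogon';    Want = '3'; Test = { $args[0] -eq 3 } },
    @{ Key = 'AuditAccountManage';   Want = '3'; Test = { $args[0] -eq 3 } },
    @{ Key = 'AuditDSAccess';        Want = '2'; Test = { $args[0] -eq 2 } },
    @{ Key = 'AuditLogonEvents';     Want = '3'; Test = { $args[0] -eq 3 } },
    @{ Key = 'AuditPolicyChange';    Want = '3'; Test = { $args[0] -eq 3 } },
    @{ Key = 'AuditPrivilegeUse';    Want = '2'; Test = { $args[0] -eq 2 } },
    @{ Key = 'AuditProcessTracking'; Want = '0'; Test = { $args[0] -eq 0 } },
    @{ Key = 'AuditSystemEvents';    Want = '3'; Test = { $args[0] -eq 3 } },
    @{ Key = 'AuditObjectAccess';    Want = '3'; Test = { $args[0] -eq 3 } }
)
# Section 10: rights the standard sets to None must have no assignees. secedit omits
# a right entirely when nobody holds it, so "absent" is the passing state here.
$mustBeEmpty = @{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeCreateTokenPrivilege        = 'Create a token object'
    SeCreatePermanentPrivilege    = 'Create permanent shared objects'
    SeDebugPrivilege              = 'Debug Programs'
    SeAuditPrivilege              = 'Generate security audits'
    SeLockMemoryPrivilege         = 'Lock pages in memory'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
    SeEnableDelegationPrivilege   = 'Enable computer and user accounts to be trusted for delegation'
}
$plan = @(
    @{ Section = 'System Access'; Checks = $accountChecks },
    @{ Section = 'Event Audit';   Checks = $auditChecks }
)

function Test-SecurityPolicy($Policy) {
    $findings = @()
    foreach ($p in $plan) {
        $section = $Policy[$p.Section]
        foreach ($c in $p.Checks) {
            if (-not $section -or $null -eq $section[$c.Key]) {
                $findings += "[$($p.Section)] $($c.Key): not set (standard requires $($c.Want))"; continue
            }
            $actual = [int]$section[$c.Key]
            if (-not (& $c.Test $actual)) {
                $findings += "[$($p.Section)] $($c.Key): is $actual, standard requires $($c.Want)"
            }
        }
    }
    $rights = $Policy['Privilege Rights']
    foreach ($r in $mustBeEmpty.Keys) {
        if ($rights -and $rights[$r]) {
            $findings += "[Privilege Rights] $r ($($mustBeEmpty[$r])): assigned to $($rights[$r]), standard requires None"
        }
    }
    return $findings
}

$findings = Test-SecurityPolicy (Read-SecurityTemplate $cfg)
Remove-Item $cfg -ErrorAction SilentlyContinue
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Sections 5, 9 and 10: no deviations found' }
```

On Windows versions later than 2000 several of the "None" rights are granted by default to LOCAL SERVICE and NETWORK SERVICE, so expect those to be reported; the standard's own notes allow documented service accounts as exceptions.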

11. Verify Event Log Settings


   1. Application, System, and Security
      1. Minimum Event Log Size: 20,032 KB for Security, 5,120 KB for the System and Application logs. Log files should maintain a minimum of 60
      2. Log Retention Method: Overwrite Events As Needed
      3. Log Retention: Not Defined
      4. Restrict Guest access to logs: Enabled. (SCE configuration item)
      5. Enable Security Log Warning Level.
      6. A security audit event must be created in the security event log when the security log reaches 90 percent of capacity using the settings below to
      7. An email alert must be sent to the Information Security Department for each security audit 90% capacity event using a Watson approved host-b
         Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security; Entry: WarningLevel

Note: The WarningLevel setting requires Windows 2000 Service Pack 3(SP3).

12. Verify Security Policy Settings and Options

   1. Additional Restrictions for Anonymous Connections: No Access Without Explicit Anonymous Permissions
   2. Allow Server Operators to Schedule Tasks: Not Applicable
   3. Allow System to be Shut Down Without Having to Log On: Disabled
   4. Amount of Idle Time Required Before Disconnecting Session: 20 Minutes (maximum)
   5. Audit the access of Global system objects: Disabled.
   6. Audit Use of Backup and Restore Privilege: Disabled.
   7. Automatically Log Off Users When Logon Time Expires: Enabled
   8. Automatically Log Off Users When Logon Time Expires (local): Enabled
   9. Clear Virtual Memory Pagefile When System Shuts Down: Enabled
   10. Digitally Sign client communications (when possible): Enabled
   11. Digitally sign server communications (when possible): Enabled
   12. Disable CTRL+ALT+Delete Requirement for Logon: Disabled
   13. Do Not Display Last User Name in Logon Screen: Enabled
   14. Guest Account Status: Disabled
   15. LAN Manager Authentication Level: Refuse LM & NTLM, Use NTLMv2 session security (others allowable as approved and docume
   16. Message Text for Users Attempting to Log On: Warning: These facilities are solely for the use of authorized employees or agents of the Company, its subsidiaries and affiliates. Unauthorized
   17. Message Title for Users Attempting to Log On: Legal Warning:
   18. Number of Previous Logons to Cache: 1 Logon.
   19. Prevent system maintenance of computer account password: Disabled.
   20. Prevent Users from Installing Printer Drivers: Enabled
   21. Prompt User to Change Password Before Expiration: 14 Days (minimum)
   22. Recovery Console: Allow Automatic Administrative Logon: Disabled
   23. Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders: Disabled
   24. Rename Administrator Account: Watsonadmin (or Line of Business standard);
   25. Rename Guest Account: xGuest (or Line of Business standard)
   26. Restrict CD-ROM Access to Locally Logged-On User Only: Enabled
   27. Restrict Floppy Access to Locally Logged-On User Only: Enabled
   28. Secure channel: Digitally encrypt secure channel data (when possible): Enabled.
   29. Secure channel: Digitally sign secure channel data (when possible): Enabled.
   30. Send Unencrypted Password to Connect to Third-Party SMB Servers: Disabled
   31. Strengthen Default Permissions of Global System Objects (e.g. Symbolic Links): Enabled
   32. Unsigned Driver Installation Behavior: Warn, but allow installation (minimum) or Do Not Allow Installation.
   33. Unsigned Non-Driver Installation Behavior: Warn, but allow installation (minimum) or Do Not Allow Installation.

13. Verify Services Security


   1. Registry Run Keys
      Programs listed in Run keys execute automatically at startup.
      1. Verify that Systray.exe is the only program.
   2. Required Services
      1. Verify the required services listed below are enabled and running.

      Service
      Enterprise Security Agent
      Eventlog
      Intruder Alert Agent
      Network Associates McShield
      Protected Storage
      Security Accounts Manager
      System Event Notification
      Windows Time

      Note: Enterprise Security Agent (ESM) must be installed on all servers where technically possible. Intruder Alert Agent (ITA) must be installed on all critical serv
   3. Disallowed Services
      1. Verify the following disallowed services are disabled.

      Service
      Alerter
      Automatic Update
      Clipbook
      Fax Service
      FTP Publishing Service
      Gopher Publishing Service
      IIS Admin Service
      Indexing Service
      Internet Connection Sharing
      Messenger
      NetMeeting Remote Desktop Sharing
      Network DDE
      Network DDE DSDM
      Network Monitor
      Network News Transfer Protocol
      Remote Access Auto Connection Manager
      Remote Procedure Call (RPC)
      Remote Registry Service
      Routing and Remote Access
      RunAs Service
      Simple TCP/IP Services
      Simple Mail Transfer Protocol (SMTP)
      SNMP Service
      SNMP Trap Service
      Telephony
      Telnet
      Terminal Services
      Trivial FTP Daemon
      World Wide Web Publishing Service

   4. Windows Time Service
      1. Configure and enable the Windows Time Service. System time must be synchronized with all servers, within 5 minutes. The authoritative Sim
   5. DNS Server Service
      1. DNS Server services must be disabled unless approved by the Information Security Department.
      2. Zone transfers must be restricted to Watson approved servers.
   6. SNMP Service
      1. Verify SNMP services have been disabled unless approved by the Information Security Department.
      2. Verify the SNMP default community strings have been changed and are not Public or Private.
      3. Verify SNMP traffic has been restricted to authorized IP addresses only.

14. Verify Registry Settings

   1. Enable Dr. Watson Crash Dumps: HKLM\Software\Microsoft\DrWatson\CreateCrashDump (REG_DWORD) 1
   2. Disable Automatic Execution of the System Debugger: HKLM\Software\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto (REG
   3. Disable autoplay from any disk type, regardless of application: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\N
   4. Disable Automatic Logon: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon (REG_DWORD) 0
   5. Don't display username of last successful logon at the logon screen: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
   6. Enable the File System Checker and Disable Popups: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable
   7. Enable the System File Checker to verify all operating system files at boot time: HKLM\Software\Microsoft\Windows NT\CurrentVersio
   8. Do not show the System File Checker progress meter: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCShowPr
   9. Disable automatic reboots after a Blue Screen of Death: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot (REG_D
   10. Disable CD Autorun: HKLM\System\CurrentControlSet\Services\CDrom\Autorun (REG_DWORD) 0
   11. Protect against Computer Browser Spoofing Attacks: HKLM\System\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset (R
   12. Protect against source-routing spoofing: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting (REG
   13. Protect the Default Gateway network setting: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect (R
   14. Ensure ICMP Routing via shortest path first: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect (RE
   15. Help protect against packet fragmentation: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery (RE
   16. Manage Keep-alive times: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime (REG_DWORD) 300000
   17. Protect Against Malicious Name-Release Attacks: HKLM\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnD
   18. Ensure Router Discovery is Disabled: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery (REG_
   19. Protect against SYN Flood attacks: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect (REG_DWORD)
   20. SYN Attack protection: Manage TCP Maximum half-open sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Tcp
   21. SYN Attack protection: Manage TCP Maximum half-open retired sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Paramete
   22. Enable IPSec to protect Kerberos RSVP Traffic: HKLM\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt (REG_DWOR
   23. Do not announce this computer to domain master browsers: HKLM\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hid
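As an added example (not part of the Watson standard), this PowerShell script reads the registry values that sections 11 and 14 above specify and reports which ones differ from the standard. Only entries whose value is legible on the page are included; the RestrictAnonymous = 2 entry is my own mapping of section 12 item 1 ("No Access Without Explicit Anonymous Permissions") and is an assumption, not something the page states.

```powershell
# Added example, not from the Watson standard: compare the registry values that
# sections 11 and 14 specify with the values on this host. Only entries whose value
# is legible on the page are listed; RestrictAnonymous = 2 is my own mapping of
# section 12 item 1 and is an assumption.
$baseline = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\DrWatson';                          Name = 'CreateCrashDump';   Value = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'AutoAdminLogon';    Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\CDRom';              Name = 'Autorun';           Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';   Name = 'KeepAliveTime';     Value = 300000 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security';  Name = 'WarningLevel';      Value = 90 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                 Name = 'RestrictAnonymous'; Value = 2 }  # assumption, see above
)

function Test-RegistryBaseline([object[]]$Baseline) {
    foreach ($e in $Baseline) {
        # -ErrorAction SilentlyContinue turns both a missing key and a missing value name into $null
        $item = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Missing means the OS default applies, which is not the standard's value for any entry here
            [pscustomobject]@{ Path = $e.Path; Name = $e.Name; Expected = $e.Value; Actual = '<not set>'; Status = 'MISSING' }
            continue
        }
        $actual = $item.($e.Name)
        # Compared as strings: AutoAdminLogon is REG_SZ on real systems even though the list shows REG_DWORD
        $status = if ([string]$actual -eq [string]$e.Value) { 'OK' } else { 'DRIFT' }
        [pscustomobject]@{ Path = $e.Path; Name = $e.Name; Expected = $e.Value; Actual = $actual; Status = $status }
    }
}

Test-RegistryBaseline $baseline | Format-Table -AutoSize
```

Entries whose values are cut off in the list above can be appended to $baseline in the same shape once the value is confirmed from the full standard.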

15. File Permissions

Unless stated otherwise, Administrators or System is granted full control for the designated folder and all contents. Creator Owner Full Control i

   1. %SystemDrive%\ - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
   2. %SystemDrive%\autoexec.bat - Administrators: Full; System: Full
   3. %SystemDrive%\boot.ini - Administrators: Full; System: Full
   4. %SystemDrive%\config.sys - Administrators: Full; System: Full
   5. %SystemDrive%\io.sys - Administrators: Full; System: Full
   6. %SystemDrive%\msdos.sys - Administrators: Full; System: Full
   7. %SystemDrive%\ntbootdd.sys - Administrators: Full; System: Full
   8. %SystemDrive%\ntdetect.com - Administrators: Full; System: Full
   9. %SystemDrive%\ntldr - Administrators: Full; System: Full
   10. %SystemDrive%\Documents and Settings - Administrators: Full; System: Full; Users: Read and Execute, List
   11. %SystemDrive%\Documents and Settings\Administrator - Administrators: Full; System: Full
   12. %SystemDrive%\Documents and Settings\All Users - Administrators: Full; System: Full; Users: Read and Execute, List
   13. %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson - Administrators: Full; System: Full; Creator Owner: Full; U
   14. %SystemDrive%\Documents and Settings\Default User - Administrators: Full; System: Full; Users: Read and Execute, List
   15. %ProgramFiles% - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
   16. %ProgramFiles%\Resource Kit - Administrators: Full; System: Full
   17. %ProgramFiles%\Resource Pro Kit - Administrators: Full; System: Full
   18. %SystemRoot% - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
   19. %SystemRoot%\$NtServicePackUninstall$ - Administrators: Full; System: Full
   20. %SystemRoot%\CSC - Administrators: Full; System: Full
   21. %SystemRoot%\Debug - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
   22. %SystemRoot%\Debug\UserMode - Administrators: Full; System: Full; Users: Traverse Folder/Execute File, List folder/Read data, C
   23. %SystemRoot%\Offline Web Pages - Everyone: Full
   24. %SystemRoot%\Registration - Administrators: Full; System: Full; Users: Read
   25. %SystemRoot%\repair - Administrators: Full; System: Full
   26. %SystemRoot%\security - Administrators: Full; System: Full; Creator Owner: Full
   27. %SystemRoot%\system32 - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
   28. %SystemRoot%\system32\at.exe - Administrators: Full; System: Full
   29. %SystemRoot%\system32\Ntbackup.exe - Administrators: Full; System: Full
   30. %SystemRoot%\system32\rcp.exe - Administrators: Full; System: Full
   31. %SystemRoot%\system32\regedit.exe - Administrators: Full; System: Full
   32. %SystemRoot%\system32\regedt32.exe - Administrators: Full; System: Full
   33. %SystemRoot%\system32\rexec.exe - Administrators: Full; System: Full
   34. %SystemRoot%\system32\rsh.exe - Administrators: Full; System: Full
   35. %SystemRoot%\system32\secedit.exe - Administrators: Full; System: Full
   36. %SystemRoot%\system32\appmgmt - Administrators: Full; System: Full; Users: Read and Execute, List
   37. %SystemRoot%\system32\config - Administrators: Full; System: Full
   38. %SystemRoot%\system32\dllcache - Administrators: Full; System: Full; Creator Owner: Full
   39. %SystemRoot%\system32\DTCLog - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
   40. %SystemRoot%\system32\Group Policy - Administrators: Full; System: Full; Authenticated Users: Read and Execute, List
   41. %SystemRoot%\system32\ias - Administrators: Full; System: Full; Creator Owner: Full
   42. %SystemRoot%\system32\NTMS Data - Administrators: Full; System: Full
   43. %SystemRoot%\system32\reinstallbackups - Administrators: Full; System: Full; Creator Owner: Full; Power Users: Read and Execut
   44. %SystemRoot%\system32\Setup - Administrators: Full; System: Full; Users: Read and Execute, List
   45. %SystemRoot%\system32\spool\printers - Administrators: Full; System: Full; Creator Owner: Full; Users: Traverse Folder, Execute F
   46. %SystemRoot%\Tasks - Administrators: Full; System: Full; Creator Owner: Full

16. Verify Registry Permissions

Unless stated otherwise, Administrators or System Full Control is full control for the designated key and all subkeys. Creator Owner Full Contro

   1. HKCR - Administrators: Full; System: Full; Creator Owner: Full; Users: Read
   2. HKLM\Software - Administrators: Full; System: Full; Creator Owner: Full; Users: Read
   3. HKLM\Software\Microsoft\NetDDE - Administrators: Full; System: Full
   4. HKLM\Software\Microsoft\OS/2 Subsystem for NT - Administrators: Full; System: Full; Creator Owner: Full
   5. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Asr\Commands - Administrators: Full; System: Full; Creator Owner: Full; Use
   6. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib - Administrators: Full; System: Full; Creator Owner: Full; Interactive:
   7. HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy - Administrators: Full; System: Full; Authenticated Users: Read
   8. HKLM\Software\Microsoft\Windows\CurrentVersion\Installer - Administrators: Full; System: Full; Users: Read
   9. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies - Administrators: Full; System: Full; Authenticated Users: Read
   10. HKLM\System - Administrators: Full; System: Full; Creator Owner: Full; Users: Read
   11. HKLM\System\Clone - Allow inheritable permissions to propagate to this object
   12. HKLM\System\ControlSet001 - Administrators: Full; System: Full; Creator Owner: Full; Users: Read
   13. HKLM\System\ControlSet00x - Administrators: Full; System: Full; Creator Owner: Full; Users: Read
   14. Apply these permissions to all control sets other than CurrentControlSet.
   15. HKLM\System\CurrentControlSet\Control\SecurePipeServers\WinReg - Administrators: Full
   16. HKLM\System\CurrentControlSet\Control\WMI\Security - Administrators: Read; System: Full; Creator Owner: Full (this key and subk
   17. HKLM\System\CurrentControlSet\Enum - Administrators: Read; System: Full; Authenticated Users: Read
   18. HKLM\System\CurrentControlSet\Hardware Profiles - Administrators: Full; System: Full; Creator Owner: Full; Users: Read
   19. HKLM\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers - Administrators: Full; System: Full; Creator Owner:
   20. HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities - Administrators: Full; System: Full; Creator Owner: F
   21. HKU\.Default - Administrators: Full; System: Full; Creator Owner: Full; Users: Read
   22. HKU\.Default\Software\Microsoft\NetDDE - Administrators: Full; System: Full
   23. HKU\.Default\Software\Microsoft\Protected Storage System Provider - No entries
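As an added example (not part of the Watson standard), this PowerShell script checks a sample of the critical files and registry keys from sections 6, 15 and 16 above: every Allow entry must belong to an identity the standard names, and each named identity must hold Full Control. The sample paths are taken from the lists above and the check assumes the standard's well-known identities (BUILTIN\Administrators, NT AUTHORITY\SYSTEM).

```powershell
# Added example, not from the Watson standard: verify that critical files and registry
# keys from sections 6, 15 and 16 grant access only to the identities the standard
# allows, each with Full Control. The entries below are a sample taken from the lists
# above; add the rest in the same shape.
$baseline = @(
    @{ Path = "$env:SystemRoot\system32\at.exe";       Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') },
    @{ Path = "$env:SystemRoot\system32\regedt32.exe"; Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') },
    @{ Path = "$env:SystemRoot\repair";                Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\NetDDE';       Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'; Allowed = @('BUILTIN\Administrators') }
)

function Get-AceRights($Ace) {
    # File-system and registry ACEs expose their rights under different property names
    if ($Ace -is [System.Security.AccessControl.FileSystemAccessRule]) { return $Ace.FileSystemRights }
    return $Ace.RegistryRights
}

function Test-AclBaseline([object[]]$Baseline) {
    foreach ($b in $Baseline) {
        if (-not (Test-Path -LiteralPath $b.Path)) {
            [pscustomobject]@{ Path = $b.Path; Status = 'MISSING'; Detail = 'object not present on this host' }
            continue
        }
        # Inherited ACEs are included on purpose: they grant access just as explicit ones do
        $allow = (Get-Acl -LiteralPath $b.Path).Access | Where-Object { $_.AccessControlType -eq 'Allow' }
        $problems = @()
        foreach ($ace in $allow) {
            $who = $ace.IdentityReference.Value
            # Section 6: "permissions for all other users have been removed"
            if ($b.Allowed -notcontains $who) { $problems += "extra grant: $who ($(Get-AceRights $ace))" }
        }
        foreach ($who in $b.Allowed) {
            $full = $allow | Where-Object {
                $_.IdentityReference.Value -eq $who -and (Get-AceRights $_).ToString() -eq 'FullControl'
            }
            if (-not $full) { $problems += "missing Full Control for $who" }
        }
        $status = if ($problems) { 'DRIFT' } else { 'OK' }
        [pscustomobject]@{ Path = $b.Path; Status = $status; Detail = ($problems -join '; ') }
    }
}

Test-AclBaseline $baseline | Format-Table -AutoSize -Wrap
```

On Windows versions after 2000, system32 binaries carry a TrustedInstaller Full Control entry, which this check reports as an extra grant; that is the expected result when a newer host is measured against this baseline.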

…that complies with the Physical Security for Infrastructure Technology section of the Watson Security Policy.

…Note: Many new servers have an Administrator BIOS password versus a generic BIOS password that may prevent a server from rebooting. This may occur if the BIOS password is prompted for at each reboot.

…Note: This boot sequence is configured in the system's BIOS, which is typically accessed by hitting a special key (such as DEL or Ctrl-S) during early boot up. Watch for an on-screen message and refer to the owner's manual to discover this key sequence and to learn how to modify BIOS settings. An additional step is to set a BIOS setup password that prevents a person from changing the boot sequence to floppy or CD first.

…the least privilege approach should be used when assigning rights and access. The following is to be followed when reviewing server security:

…Process IDs are permitted, but have been documented. Note: General user IDs refers to user IDs created for specific people and associated with a specific person.

…The general User is to be added to the Global groups for Share access and file permissions. Note: Local Groups must not contain individual users. If a single individual requires access for a single server, then a new Global Group has been created, that individual has been added to the new Global Group, and that Global Group has been added to the appropriate Local Group. In addition, the description has been updated to provide details of that group's particular function.

…ensure it complies with the more restrictive administrator level settings of the Watson Password Standard.

…by using the admnlock utility and by running the admnlock /e command. Note: This enables the temporary lockout only for connections from the network. This does not affect administrator logons that occur interactively from the console or via Terminal Services.

…ensure it complies with the restrictive administrator level settings of the Watson Password Standard.

…by default it does not have a password assigned. It has been set using the admin level settings of the Watson Password Standard.

…the following account description: Built-in account for guest access to the computer/domain

…ensure it complies with the admin level settings of the Watson Password Standard.

…two levels of access permissions: Share Level permissions and File Level permissions.

…admin shares on the system and boot partitions, typically the C: drive that contains the Windows OS installation.
…the Everyone group has been removed from all shared files and directories. The Authenticated Users group may be used in its place if wide access is required.
…only required and approved permissions are applied.
…and approved shares are implemented.
…, such as D:, by SQL Administrators or other applicable groups. Create the share as required:
…and Full Control to the Local Administrators group;
…Full Control for Local Administrators and as appropriate for all others;
…any additional directories, except for Full Control.

…the Local Security Policy through Control Panel > Administrative Tools. There are two sections in Account Policies, Password Policy and Account Lockout Policy. Apply the following configuration settings:

…are made up of various characters, which can be broken down into four character groups. These are uppercase alphabetic, lowercase alphabetic, numeric, and special characters. Requiring complex passwords will require new passwords to use characters from three of those four groups.

…by using the Keymigrt.exe utility at least once regardless of what patches or service packs are installed. Note: To obtain the Keymigrt tool, run the Microsoft Windows Security Update Q23332 Patch using the x

…FAT32) partitions to NTFS. Warning: The convert utility will set the ACLs for the converted drive to Everyone: Full Control. Use the fixacls.exe utility from the Windows NT Server Resource Kit to reset them to approved values.
…logical partition than the operating system where technically possible.

…administration files listed below are modified so that only Administrators and SYSTEM have Full Access.

…%SYSTEMDIRECTORY% administration files where technically possible.
…reside in the newly created %SYSTEMROOT%\TLS directory so that only Administrators and SYSTEM have Full Access.

…%SYSTEMDIRECTORY%\POLEDIT.EXE
%SYSTEMDIRECTORY%\RCP.EXE
%SYSTEMDIRECTORY%\REG.EXE
%SYSTEMDIRECTORY%\REGEDIT.EXE
%SYSTEMDIRECTORY%\REGEDT32.EXE
%SYSTEMDIRECTORY%\REGINI.EXE
%SYSTEMDIRECTORY%\REGSVR32.EXE
%SYSTEMDIRECTORY%\REXEC.EXE
%SYSTEMDIRECTORY%\RSH.EXE
%SYSTEMDIRECTORY%\ROUTE.EXE
%SYSTEMDIRECTORY%\RUNAS.EXE
%SYSTEMDIRECTORY%\RUNONCE.EXE
%SYSTEMDIRECTORY%\SC.EXE
%SYSTEMDIRECTORY%\SECEDIT.EXE
%SYSTEMDIRECTORY%\SECPOL.MSC
%SYSTEMDIRECTORY%\SYSKEY.EXE
%SYSTEMDIRECTORY%\TELNET.EXE
%SYSTEMDIRECTORY%\TFTP.EXE
%SYSTEMDIRECTORY%\TRACERT.EXE
%SYSTEMDIRECTORY%\TSKILL.EXE
%SYSTEMDIRECTORY%\WSCRIPT.EXE
%SYSTEMDIRECTORY%\XCOPY.EXE
%SYSTEMDRIVE%\AUTOEXEC.BAT
%SYSTEMDRIVE%\BOOT.INI
%SYSTEMDRIVE%\CONFIG.SYS
%SYSTEMDRIVE%\IO.SYS
%SYSTEMDRIVE%\MSDOS.SYS
%SYSTEMDRIVE%\NTBOOTDD.SYS
%SYSTEMDRIVE%\NTDETECT.COM
%SYSTEMDRIVE%\NTLDR
%SYSTEMROOT%\REGEDIT.EXE

…service packs and hot-fixes, which can contain copies of the files listed above, you must verify that additional instances of the critical files have been deleted from temporary directories.

…administration directories listed below are modified so that only Administrators and SYSTEM have Full Access.

%SYSTEMROOT%\REPAIR
%SYSTEMDIRECTORY%\DLLCACHE
%SYSTEMDIRECTORY%\IAS
%SYSTEMDIRECTORY%\NTMSDATA

…listed below have been modified so that only Administrators and SYSTEM have Full Access.
…other users have been removed.

…\Control\SecurePipeServers\WinReg
…\Services\SNMP\Parameters\PermittedManagers
…\Services\SNMP\Parameters\ValidCommunities

…listed below have been modified so that only Administrators, SYSTEM, and CREATOR OWNER have Full Control permissions.

…Windows\CurrentVersion\RunOnce
…Windows\CurrentVersion\RunOnceEx
…Windows NT\CurrentVersion\AeDebug
…Windows NT\CurrentVersion\WinLogon

…restricted to locally logged-on users only.
…restricted to locally logged-on users only.
…restricted to administrators only.

…and shares via the anonymous user account with the settings below.
…ControlSet\Control\ (Type: DWORD, Value: 1)

…been restricted with the settings below.
…Set\Services\lanmanserver\parameters\

…TelnetClients Local Group on standalone servers and by creating an empty TelnetClients Global Group on domain controllers. Note: Members of the Administrators group are provided access via Telnet regardless of their membership, or lack thereof, in the TelnetClients group. The telnet service must also be disabled unless approved by the Information Security Department.

…an empty Rconsole Users Local Group on standalone servers and by creating an empty Rconsole Users Global Group on domain controllers.

…authorized employees or agents of the Company, its subsidiaries and affiliates. Unauthorized use is prohibited and subject to criminal and civil penalties. Individuals using this computer system are subject to having all of their activities on this system monitored and recorded by systems personnel.

…Security Policy through Control Panel > Administrative Tools. Audit Policies is located under Local Policies. Enable the following settings:

…critical system and security directories listed below for the group Everyone.
[Audit table: columns R, W, D, P, O; the directory names and per-row entries are not recoverable from the extraction.]

…system and security files listed below for the group Everyone.
[Audit table: columns R, W, D, P, O; the file names and per-row entries are not recoverable from the extraction.]

…critical registry keys listed below.
…Windows\CurrentVersion\RunOnce
…Windows\CurrentVersion\RunOnceEx
…Windows NT\CurrentVersion\AeDebug
…Windows NT\CurrentVersion\WinLogon
…\Control\SecurePipeServers\WinReg
…\Services\SNMP\Parameters\PermittedManagers
…\Services\SNMP\Parameters\ValidCommunities

…Security Policy via the Control Panel > Administrative Tools. User Rights Assignment is located under Local Policies. The following settings are to be applied:
…Authenticated Users, Administrators (or none);
…ors, Desktop Support Group (applies to Domain Controllers of resource Domains only); Note: An authorized Desktop Support administrators group.
…ors, Backup Operators;
…, Server Operators, and Backup Operators
…As a general rule no user IDs are allowed to create process tokens, but there are some service IDs that will need to have this User right granted on a case by case basis.
…service accounts will need to have this right granted. No User accounts should have this right.
…(Domain Controller only, all others set to None)
…Service accounts will be granted this right as required by the service;
…tors, Back-up Operators;
…work: Guests (Add Administrators if Domain Controller) (Note: This setting is the default. There are sites where this setting interferes with system administration. Each site must configure based upon the approved methodology at their location.);
…default (others allowable as approved and documented);
…(others allowable as approved and documented);
…(others allowable as approved and documented);
…trusted for delegation: None;

…Security, 5,120 KB for the System and Application logs. Log files should maintain a minimum of 60 days of events.

…the security event log when the security log reaches 90 percent of capacity using the settings below to comply.
…Security Department for each security audit 90% capacity event using a Watson approved host-based intrusion detection product.
…ControlSet\Services\Eventlog\Security (Type: DWORD, Value: 90)

…Windows 2000 Service Pack 3 (SP3).

…connections: No Access Without Explicit Anonymous Permissions
…having to Log On: Disabled
…connecting Session: 20 Minutes (maximum)
…Time Expires: Enabled
…Time Expires (local): Enabled
…System Shuts Down: Enabled
…refuse LM & NTLM
…Use NTLMv2 session security (others allowable as approved and documented) [NOTE: This would allow Win95/98 systems which utilize weak encryption hashing.]
…of authorized employees or agents of the Company, its subsidiaries and affiliates. Unauthorized use is prohibited and subject to criminal and civil penalties. Individuals using this computer system are subject to having all of their activities on this system monitored and recorded by systems personnel.
…Log On: Legal Warning:
…account password: Disabled.
…Expiration: 14 Days (minimum)
…Administrative Logon: Disabled
…and Access to All Drives and All Folders: Disabled
…sonadmin (or Line of Business standard);
…(Line of Business standard)
…Logged-On User Only: Enabled
…Logged-On User Only: Enabled
…channel data (when possible): Enabled.
…channel data (when possible): Enabled.
…to Third-Party SMB Servers: Disabled
…System Objects (e.g. Symbolic Links): Enabled
…Warn, but allow installation (minimum) or Do Not Allow Installation.
…Warn, but allow installation (minimum) or Do Not Allow Installation.

[Table residue: a "Setting" column with eight entries, all Enabled; the item names are not recoverable from the extraction.]

…installed on all servers where technically possible. Intruder Alert Agent (ITA) must be installed on all critical servers where technically possible. Critical servers include all DMZ servers, Domain Controllers, Web Servers, Exchange/Mail Servers, FTP Servers, Telnet Servers, DNS Servers, Database Servers, and Financial/Customer Data File Servers.

[Table residue: a "Setting" column with 29 entries, all Disabled; the item names are not recoverable from the extraction.]

…service. System time must be synchronized with all servers, within 5 minutes. The authoritative Simple Network Time Protocol (SNTP) time server must be the default router at each location. This must be set using the net time utility and by running the net time /setsntp:server_list command. Note: For additional information, see the following Microsoft white paper: The Windows Time Service. http://www.microsoft.com/windows2000/docs/wintimeserv.doc
…The network routers are set with an approved centralized time synchronization source.

…unless approved by the Information Security Department.

…unless approved by the Information Security Department.
…strings have been changed and should not be Public or Private.
…authorized IP addresses only.

…\Software\Microsoft\DrWatson\CreateCrashDump (REG_DWORD) 1
…Debugger: HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto (REG_DWORD) 0
…regardless of application: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) 255
…Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon (REG_DWORD) 0
…logon at the logon screen: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName (REG_SZ) 1
…Popups: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable (REG_DWORD) 4
…all operating system files at boot time: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan (REG_DWORD) 1
…progress meter: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCShowProgress (REG_DWORD) 0
…Screen of Death: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot (REG_DWORD) 0
…HKLM\System\CurrentControlSet\Services\CDrom\Autorun (REG_DWORD) 0
…Attacks: HKLM\System\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset (REG_DWORD) 1
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting (REG_DWORD) 2
…: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect (REG_DWORD) 0
…: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect (REG_DWORD) 0
…: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery (REG_DWORD) 1
…System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime (REG_DWORD) 300000
…Attacks: HKLM\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand (REG_DWORD) 1
…HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery (REG_DWORD) 0
…HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect (REG_DWORD) 2
…maximum half-open sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen (REG_DWORD) 100
…maximum half-open retired sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetired (REG_DWORD) 80
…Traffic: HKLM\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt (REG_DWORD) 1
…master browsers: HKLM\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden (REG_DWORD) 1 [Note: the exception for this setting is for file and print servers that employees would be expected to browse to.]

…System is granted full control for the designated folder and all contents. Creator Owner Full Control is for subfolders and files only. User permissions are for current folder, subfolders, and files.

…Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
…Administrators: Full; System: Full
…Administrators: Full; System: Full
…Administrators: Full; System: Full
…Administrators: Full; System: Full
…Administrators: Full; System: Full
… - Administrators: Full; System: Full; Users: Read and Execute, List
…\Administrator - Administrators: Full; System: Full
…\All Users - Administrators: Full; System: Full; Users: Read and Execute, List
…\All Users\Documents\DrWatson - Administrators: Full; System: Full; Creator Owner: Full; Users: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions (This folder, subfolders, and files); Users: Traverse Folder/Execute Files, Create Files/Write Data, Create Folder/Append Data (Subfolders and files only)
…\Default User - Administrators: Full; System: Full; Users: Read and Execute, List
…Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
…Administrators: Full; System: Full
…Administrators: Full; System: Full
…Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
…l$ - Administrators: Full; System: Full
…Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
…Administrators: Full; System: Full; Users: Traverse Folder/Execute File, List Folder/Read Data, Create Files/Write Data (This folder only); Create Files/Write Data, Create Folders/Append Data (Files only)
…Administrators: Full; System: Full; Users: Read
…Administrators: Full; System: Full; Creator Owner: Full
…Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
…Administrators: Full; System: Full
…Administrators: Full; System: Full
…Administrators: Full; System: Full
…Administrators: Full; System: Full
…Administrators: Full; System: Full
…Administrators: Full; System: Full
…Administrators: Full; System: Full
…Administrators: Full; System: Full
…Administrators: Full; System: Full; Users: Read and Execute, List
…Administrators: Full; System: Full
…Administrators: Full; System: Full; Creator Owner: Full
…Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
…Administrators: Full; System: Full; Authenticated Users: Read and Execute, List
…Administrators: Full; System: Full; Creator Owner: Full
…Administrators: Full; System: Full
…ps - Administrators: Full; System: Full; Creator Owner: Full; Power Users: Read and Execute, List
…Administrators: Full; System: Full; Users: Read and Execute, List
…Administrators: Full; System: Full; Creator Owner: Full; Users: Traverse Folder, Execute File, Read, Read Extended Attributes, Create Folders, Append Data
…: Full; System: Full; Creator Owner: Full

…System Full Control is full control for the designated key and all subkeys. Creator Owner Full Control is for subkeys only. User permissions are for current key, subkeys, and values.

…Additional detail for the registry permission entries listed earlier: Asr\Commands also grants Backup Operators: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Delete, Read (this key and subkeys); Perflib grants Interactive: Read (this key and subkeys); WMI\Security grants Creator Owner: Full (this key and subkeys); SNMP\Parameters\PermittedManagers and ValidCommunities grant Administrators: Full; System: Full; Creator Owner: Full.
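As an added example (not part of the original checklist), the following Python script parses a regedit export and reports which of the hardening registry values listed above are missing or have drifted; the BASELINE entries and SAMPLE_EXPORT are constructed here from the listed settings.

```python
"""Compare a registry export (.reg text) against the hardening values listed in the checklist.
Added example, not from the original checklist: BASELINE and SAMPLE_EXPORT are constructed here,
using the value paths and expected values the checklist gives."""
import re

# (key path below HKEY_LOCAL_MACHINE, value name) -> (type, expected value), taken from the list above
BASELINE = {
    (r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", "SynAttackProtect"): ("dword", 2),
    (r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", "DisableIPSourceRouting"): ("dword", 2),
    (r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", "EnableICMPRedirect"): ("dword", 0),
    (r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", "TcpMaxHalfOpen"): ("dword", 100),
    (r"SYSTEM\CurrentControlSet\Services\Netbt\Parameters", "NoNameReleaseOnDemand"): ("dword", 1),
    (r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DontDisplayLastUserName"): ("sz", "1"),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoDriveTypeAutoRun"): ("dword", 255),
}

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\(.+)\]$")
# Handles the two value encodings the baseline needs: "Name"=dword:XXXXXXXX and "Name"="text"
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')


def parse_reg_export(text):
    """Return {(key, name): (type, value)} for HKLM keys in a regedit export.
    Keys and names are lower-cased because the registry is case-insensitive."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = m.group(1).lower()
            if m.group(2) is not None:
                values[(key, name)] = ("dword", int(m.group(2), 16))
            else:
                values[(key, name)] = ("sz", m.group(3))
    return values


def check_baseline(export_text, baseline=BASELINE):
    """Return findings as (key, name, expected, actual). actual is None when the value is absent,
    which is a finding too: the OS default is then in effect rather than the hardened value."""
    values = parse_reg_export(export_text)
    findings = []
    for (key, name), (vtype, expected) in baseline.items():
        actual = values.get((key.lower(), name.lower()))
        if actual is None:
            findings.append((key, name, expected, None))
        elif actual != (vtype, expected):
            findings.append((key, name, expected, actual[1]))
    return findings


# Constructed sample export: two values drift from the baseline and one is missing entirely.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000002
"DisableIPSourceRouting"=dword:00000000
"EnableICMPRedirect"=dword:00000000
"TcpMaxHalfOpen"=dword:00000064

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters]
"NoNameReleaseOnDemand"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="0"
'''

if __name__ == "__main__":
    for key, name, expected, actual in check_baseline(SAMPLE_EXPORT):
        state = "missing" if actual is None else f"is {actual!r}"
        print(f"{key}\\{name}: expected {expected!r}, {state}")
```

A file produced by reg export is UTF-16 with a byte-order mark, so read it with encoding="utf-16" before passing its text to check_baseline.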
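The four character groups and the three-of-four rule from the password complexity note above, as an added example that is not part of the original checklist; treating every character outside the ASCII letters and digits as "special" is an assumption made here.

```python
"""Apply the checklist's complexity rule: a new password must draw characters from at least
three of the four groups (uppercase, lowercase, numeric, special).
Added example, not from the original checklist."""
import string

GROUPS = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numeric": set(string.digits),
}
ALL_GROUPS = set(GROUPS) | {"special"}


def character_groups(password: str) -> set:
    """Return the names of the groups the password uses. Assumption: any character that is not
    an ASCII letter or digit (punctuation, space, non-ASCII) counts as 'special'."""
    used = set()
    for ch in password:
        for name, members in GROUPS.items():
            if ch in members:
                used.add(name)
                break
        else:
            used.add("special")
    return used


def meets_complexity(password: str, required: int = 3) -> bool:
    """True when the password uses at least `required` of the four groups (three per the checklist)."""
    return len(character_groups(password)) >= required


def missing_groups(password: str) -> list:
    """Groups the password does not use, sorted, so a rejection can be explained to the user."""
    return sorted(ALL_GROUPS - character_groups(password))
```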
