; ---------------------------------------------------------
; Windows Baseline Security Settings for LBNL
;
;
; ---------------------------------------------------------
; General Description of the LBNL Security Template
;
; Template Name: IT-SecureBaseline1.inf
; Template Version: R1.0.1
; Date Created: July 01, 2005
; Date Last Modified: 2005-07-01
; E-mail: adadmin@lbl.gov
;
; Introduction:
; -------------
; This template provides a security baseline for computers at LBNL.
; It is based on the NISTWinXPPro_legacy_R1.0.2.inf template from NIST and the Microsoft
; Enterprise Client - Desktop.inf template from the Windows XP SP2 Security Guide v2.
; Specifically, this template contains all of the NIST values for settings included by both templates, with a few modifications
; to meet the needs of LBNL and NERSC. These modifications are documented later in this comment section.
; This was done because the latest NIST template (NISTWinXPPro_legacy_R1.0.2.inf) was not updated for XP SP2.
; Also, the NISTWinXPPro_legacy_R1.0.2.inf file lists the Windows XP Security Guide v2 in its More Information section.
; The Enterprise Client - Desktop.inf template in the Windows XP SP2 Security Guide v2 includes updated settings for XP SP2.
; Explanatory comments preceding each setting were researched and added by Craig Nelson (adadmin@lbl.gov).
; The only modifications made to the actual NIST template settings are the following:
;
; Log Settings - AuditLogRetentionPeriod set to As Needed instead of not defined or overwriting settings after 7 days
; Registry Values - Legal Notice Caption and Legal Notice Text values mandated by DOE
; Registry Values - RestrictAnonymous set to Anonymous users must have explicitly assigned permissions (2)
; Registry Values - DontDisplayLastUserName set to Disabled so users can see if anyone else has logged on to their system
; Registry Values - NoLMHash set to Enabled so new passwords are not stored as LMHash values
;
; Account settings were intentionally left out of this template because this template is being imported to a GPO linked to OUs.
; Account settings are applied at the domain level and are included in the GPO linked to the LBL domain.
; Although this template contains a large number of comments, these comments will not impact client performance.
; This is because comments are ignored when the template is imported to a GPO.
; Also, the default refresh behavior of Group Policy is to update deltas, instead of all settings.
;
; DISCLAIMER:
; -----------
; This template should not be implemented without examining its contents. These
; settings and explanatory comments should be reviewed to comply with LBNL policy and tested on non-production
; systems before being deployed.
;
;
; More information:
; -----------------
; For more information consult the following Internet URLs:
;
; http://csrc.nist.gov/itsec/guidance_WinXP.html
; http://nsa2.www.conxion.com/winxp/
; https://iase.disa.mil/documentlib.html#xpguid
; http://www.cisecurity.org/
; http://www.microsoft.com/windowsxp/
; http://www.microsoft.com/downloads/details.aspx?FamilyId=2D3E25BC-F434-4CC6-A5A7-09A8A229F118&displaylang=en
; http://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=en
;
; Revision History:
; ---------------------
;
; 2005-07-01
; R1.0.1 Second Release. Legal Message Text display was fixed.
;
;----------------------------------------------------------------
;Profile Description
;----------------------------------------------------------------
[Profile Description]
Description=LBNL Baseline Windows Security Settings

;----------------------------------------------------------------
;Version Information
;----------------------------------------------------------------
; By convention, the Version section appears first in INF files. Every INF file must have this section.
[Version]
; Signature must be $Windows NT$, $Windows 95$, or $Chicago$.
; This is used to indicate the operating systems for which this INF is valid:
; $Windows NT$ refers to NT-based operating systems, $Windows 95$ refers to Windows 9x/Me, $Chicago$ refers to all Windows operating systems.
; The enclosing $'s are required, but these strings are case-insensitive.
; If signature-name is none of these string values, the file is not accepted as a valid INF.
; Generally, Setup does not differentiate among these signature values. One of them must be specified, but it doesn't matter which one.
signature="$CHICAGO$"
Revision=1

;----------------------------------------------------------------
;Unicode Settings
;----------------------------------------------------------------
[Unicode]
; Informs Windows XP Professional to use the Unicode character set.
; There are issues with using Unicode in a LAN environment where ASCII
; is used by other clients.
; The following OSes support Unicode fully or partially:
; Apple Mac OS 9.2, Mac OS X 10.1, Mac OS X Server, ATSUI
; Bell Labs Plan 9
; Compaq's Tru64 UNIX, Open VMS
; GNU/Linux with glibc 2.2.2 or newer - FAQ support
; IBM AIX, AS/400, OS/2
; Inferno by Vita Nuova
; Java platform
; Microsoft Windows CE, Windows NT, Windows 2000, and Windows XP
; SCO UnixWare 7.1.0
; Sun Solaris
; Symbian Platform
; For more information consult the Unicode home page at http://www.unicode.org
Unicode=yes

;----------------------------------------------------------------
;System Access Settings
;----------------------------------------------------------------
[System Access]
; 5.39 - Network access: determines if the system allows anonymous SID/NAME translation. The system default setting 0 disallows anonymous SID/NAME translation. If enabled, a user could use a well-known account SID to obtain the username of the account. This setting reinforces the system default rather than modifying it.
LSAAnonymousNameLookup = 0
; 5.2 - Accounts: Guest account status (Security Options); determines if the local guest account is enabled. The system default setting 0 disables the local guest account. This setting reinforces the system default rather than modifying it.
EnableGuestAccount = 0

;----------------------------------------------------------------
;Event Log - Log Settings
;----------------------------------------------------------------
; RestrictGuestAccess: 0 allows guest access
;                      1 blocks guest access
[System Log]
; How long logs are preserved - 0 = Overwrite Events As Needed, 1 = Overwrite Events As Specified by Retention Days Entry, 2 = Never Overwrite Events (Clear Log Manually)
AuditLogRetentionPeriod = 0
; 6.3 - Maximum system log size (sets the local System Event log to 16 MB - the default is 512 KB)
MaximumLogSize = 16384
; 6.6 - Determines whether the local Guests group can access the system log
RestrictGuestAccess = 1
[Security Log]
; How long logs are preserved - 0 = Overwrite Events As Needed, 1 = Overwrite Events As Specified by Retention Days Entry, 2 = Never Overwrite Events (Clear Log Manually)
AuditLogRetentionPeriod = 0
; 6.2 - Maximum security log size (sets the local Security Event log to 80 MB - the default is 512 KB)
MaximumLogSize = 81920
; 6.5 - Prevent the local Guests group from accessing the security log
RestrictGuestAccess = 1
[Application Log]
; How long logs are preserved - 0 = Overwrite Events As Needed, 1 = Overwrite Events As Specified by Retention Days Entry, 2 = Never Overwrite Events (Clear Log Manually)
AuditLogRetentionPeriod = 0
; 6.1 - Maximum application log size (sets the local Application Event log to 16 MB - the default is 512 KB)
MaximumLogSize = 16384
; 6.4 - Prevent the local Guests group from accessing the application log
RestrictGuestAccess = 1

;----------------------------------------------------------------------
; Local Policies\Audit Policy
;----------------------------------------------------------------------
; 0 = No Auditing
; 1 = Success
; 2 = Failure
; 3 = Success and Failure
[Event Audit]
; 3.9 - These events reflect system shutdowns and restarts, system security events, and events that affect the security log
AuditSystemEvents = 1
; 3.1 - Audit account logon events; defines the types of logon events to audit
AuditLogonEvents = 3
; 3.5 - Audit object access; determines whether access to individual folders, files, registry keys, or printers can be audited
AuditObjectAccess = 2
; 3.7 - Audit privilege use; determines whether the use of rights other than logon rights is audited
AuditPrivilegeUse = 2
; 3.6 - Audit policy change; determines whether changes to rights assignments or other security settings are audited
AuditPolicyChange = 1
; 3.2 - Audit account management; determines whether changes to user accounts or groups are audited
AuditAccountManage = 3
; 3.4 - Audit account logon events; determines whether domain account logons are audited
AuditAccountLogon = 3

;----------------------------------------------------------------
;Registry Values
;----------------------------------------------------------------
; Registry value name in full path = Type, Value
; REG_SZ ( 1 )
; REG_EXPAND_SZ ( 2 ) // with environment variables to expand
; REG_BINARY ( 3 )
; REG_DWORD ( 4 )
; REG_MULTI_SZ ( 7 )
[Registry Values]
; 5.14 - Determines whether the system warns (setting 1 - the default), blocks (setting 2), or ignores (setting 0) unsigned drivers when the user attempts to install them. Driver signing is the process of checking the signature of the driver to determine if it has been signed as a known-good driver, indicating it has been tested with Windows. This can help provide greater system stability because a poorly written third-party driver can degrade system performance.
machine\software\microsoft\driver signing\policy=3,1
; 5.54 - Recovery Console: Determines if there is an automatic administrative logon to the Recovery Console (0 = require password (default), 1 = no password)
machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0
; 5.10 - Devices: Determines who can access removable drives (0 - Administrators only, 1 - Administrators and Power Users, 2 - Administrators and the Interactive user)
machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,"2"
; 5.28 - Interactive logon: Number of previous logons to cache (in case a domain controller is not available), i.e. the number of different users for whom credentials are cached
machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,"2"
; 5.29 - Interactive logon: Specifies the number of days before a password expires that the system prompts the user to change the password (14 days is the default - this setting reinforces the system default rather than modifying it)
machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14
; 5.31 - Interactive logon: Determines the smart card removal behavior (0 - No action, 1 - Lock workstation, 2 - Force logoff)
machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,"1"
; 5.25 - Interactive logon: Do not require CTRL+ALT+DEL to log on to the system (0 - requires Ctrl-Alt-Del to log on - this is the default, 1 - Ctrl-Alt-Del is not required). This setting reinforces the system default rather than modifying it.
machine\software\microsoft\windows\currentversion\policies\system\disablecad=4,0
; 5.24 - Interactive logon: Determines whether a user name appears in the Log On to Windows dialog box (0 - The name of the last user who logged on is displayed in the logon dialog box - this is the default, 1 - The name of the last user who logged on is not displayed in the logon dialog box)
machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,0
; 5.27 - Interactive logon: Message title for users attempting to log on - this is the text that appears in the title bar of the dialog box, not the message area
machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1,"NOTICE TO USERS"
; 5.26 - Interactive logon: Message text for users attempting to log on - this is the text that appears in the message area of the dialog box
machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=7,This is a Federal computer system and is the property of the United States Government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system may be intercepted"," monitored"," recorded"," copied"," audited"," inspected "," and disclosed to authorized site "," Department of Energy"," and law enforcement personnel"," as well as authorized officials of other agencies"," both domestic and foreign.,By using this system"," the user consents to such interception"," monitoring"," recording"," copying"," auditing"," inspection"," and disclosure at the discretion of authorized site or Department of Energy personnel. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use.,LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
; 5.56 - Shutdown: Determines whether the Shutdown button in the Log On to Windows dialog box is enabled (0 - the Shutdown button is disabled in the Logon dialog box (this is the default for W2K server and W2K3 server), 1 - the Shutdown button is enabled in the Logon dialog box (this is the default for W2KPro and XP))
machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,0
; 5.43 - Network access: Determines whether the Everyone group includes anonymous (unauthenticated) users. Specifically, this entry determines whether the Local Security Authority (LSA) includes the security identifier (SID) of the Everyone group in the security token of an anonymous user (0 - The local Everyone group does not include anonymous users (this is the default), 1 - The local Everyone group includes anonymous users). This setting is supported on W2K3 and XP; other (earlier) OSes ignore it. This setting reinforces the system default rather than modifying it.
machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous=4,0
; 5.47 - Network access: Determines whether Simple File Sharing is enabled. When enabled, it forces network logons using a local account to connect as Guest, so advanced access control settings (Security tab on the Property sheet) are unavailable. (0 - Classic access model with Simple File Sharing turned off, 1 - Simple File Sharing turned on - this is the default for XP machines in a workgroup)
machine\system\currentcontrolset\control\lsa\forceguest=4,0
; 5.3 - Accounts: Limit blank passwords on local accounts to console logon only - blank passwords cannot be used in scripts or for network access (0 - blank passwords of local accounts are permitted for all types of access, 1 - blank passwords on local accounts are restricted to console access - this is the default). This setting does not affect interactive logons that are performed physically at the console. This setting does not affect logons that use domain accounts. This setting reinforces the system default rather than modifying it.
machine\system\currentcontrolset\control\lsa\limitblankpassworduse=4,1
; 5.50 - Network security: LAN Manager Authentication Level; determines the type of NT LAN Manager responses (5 - DC refuses LM and NTLM responses (accepts only NTLMv2), 4 - DC refuses LM responses, 3 - Send NTLMv2 response only, 2 - Send NTLM response only, 1 - Use NTLMv2 session security if negotiated, 0 (Default) - Send LM response and NTLM response; never use NTLMv2 session security)
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,3
; 5.59 - System objects: Specifies how the owner is assigned for objects created by members of the Administrators group (0 - assign ownership of file system objects created by an administrator to the Administrators group, 1 (Default) - assign ownership of file system objects created by an administrator to the individual administrator account). This setting reinforces the system default rather than modifying it.
machine\system\currentcontrolset\control\lsa\nodefaultadminowner=4,1
; 5.41 - Network access: Do not allow anonymous enumeration of SAM accounts and shares (0 - Disabled (Default). Anonymous users are not restricted, 1 - Do not allow enumeration of share names, 2 - No access without explicit anonymous permissions (see http://support.microsoft.com/kb/q246261/ before setting 2 on domain controllers))
machine\system\currentcontrolset\control\lsa\restrictanonymous=4,2
; 5.40 - Network access: Do not allow anonymous enumeration of SAM accounts; determines whether the system allows enumeration of SAM accounts by users who have not been verified to be who they say they are through a password, smart card or some other authentication mechanism (0 - Disabled (Default). Anonymous users are not restricted, 1 - Do not allow enumeration of SAM accounts)
machine\system\currentcontrolset\control\lsa\restrictanonymoussam=4,1
; 5.57 - Shutdown: Clear virtual memory pagefile; determines whether inactive pages in the paging file are filled with zeros when the system stops (0 (Default) - inactive pages are not filled with zeros, 1 - inactive pages are filled with zeros)
machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown=4,1
; 5.35 - Microsoft network server: Amount of idle time required before suspending a session; used to disconnect LAN connections after a set amount of idle time - 15 minutes is the system default - this setting reinforces the system default setting
machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15
; 5.37 - Microsoft network server: Digitally sign communication (if client agrees); determines whether SMB signing is enabled for the server service (0 (Default) - Disabled, 1 - Enabled. Note: Windows 95 clients will not be able to access your server if you add the RequireSecuritySignature value with a value of 1)
machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,1
; 5.46 - Network access: Specifies shares that can be accessed anonymously (this setting creates an empty set so no shares can be accessed anonymously - this setting reinforces the system default rather than modifying it)
machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares=7,
; 5.34 - Microsoft network client: Determines whether the SMB redirector can send unencrypted passwords to third-party SMB servers that request them (0 (Default) - The SMB redirector sends encrypted passwords only. Requests for unencrypted passwords fail. 1 - The SMB redirector can send unencrypted passwords to servers that request them.) This setting reinforces the system default rather than modifying it.
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0
; 5.33 - Microsoft network client: Digitally sign communication (if server agrees); determines whether SMB signing is enabled for the workstation service (0 (Default) - Disabled, 1 - Enabled)
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1
; 5.21 - Domain Member: Disable machine account password changes; determines whether the computer will change its own account password automatically. This is the password that is used by the computer to establish a secure channel with the DC before sending the user credentials for authenticating the user (0 (Default) - automatically changes the password on the local computer account at regular intervals, 1 - Disable automatic changes of passwords on machine accounts. A value of 1 still permits you to change the computer account password manually or with a program.) This setting reinforces the system default rather than modifying it.
machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0
; 5.22 - Domain Member: Determines the number of days after which computer accounts in the AD change their password (30 days is the default value for AD domain accounts). This setting reinforces the system default rather than modifying it.
machine\system\currentcontrolset\services\netlogon\parameters\maximumpasswordage=4,30
; 5.19 - Domain Member: Digitally encrypt secure channel data (when possible); determines whether outgoing secure channel traffic (communications to a domain controller) is encrypted (0 - Outgoing traffic on a secure channel need not be encrypted. However, if the value of signsecurechannel is 1, outgoing traffic must be signed. 1 (Default) - Outgoing traffic on a secure channel must be encrypted. This specification is only enforced when the value of requiresignorseal is 1). This setting reinforces the system default rather than modifying it.
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1
; 5.20 - Domain Member: Digitally sign secure channel data (when possible); determines whether outgoing secure channel traffic (communications to a domain controller) is digitally signed (0 - Outgoing traffic on a secure channel need not be signed. 1 (Default) - Outgoing traffic on a secure channel must be signed. This specification is only enforced when the value of requiresignorseal is 1). This setting reinforces the system default rather than modifying it.
machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1
; Prevents the machine from storing LMHash values on future password resets
machine\system\currentcontrolset\control\lsa\nolmhash=4,1
; The remaining registry values will not appear in the Security Templates MMC snap-in
;
; 12.22 - Determines whether to search the current directory first or search the System and Windows directories first for dynamic-link library (DLL) files (0 (Default for XP) - the search order is the directory from which the application loaded, then the current directory, then the system directory, then the 16-bit system directory, then the Windows directory, then the current directory, then the directories listed in the path. 1 (Default for W2K3) - the search order is the directory from which the application loaded, then the current directory, then the system directory, then the 16-bit system directory, then the Windows directory, then the directories listed in the path). This setting only applies to XP and W2K3 and is ignored by older (legacy) systems.
MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode=4,1
; 12.3 - Determines whether autoplay is disabled on all drives of the types specified. (By default, Autoplay is disabled on network drives and on removable drives, such as the floppy disk drive (but not the CD-ROM drive). The default value 0x95 (149) is the sum of 0x1 (unknown types), 0x81 (unknown types), 0x4 (floppy drives), and 0x10 (network drives). 255 disables it for all drives.)
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun=4,255

;----------------------------------------------------------------------
; Privileges & Rights
;----------------------------------------------------------------------
;
; Setting of privileges & logon rights for well-known users & groups.
;
;SeNetworkLogonRight = Access this computer from the network
;SeTcbPrivilege = Act as part of the operating system
;SeMachineAccountPrivilege = Add workstations to the domain
;SeBackupPrivilege = Back up files and directories
;SeChangeNotifyPrivilege = Bypass traverse checking
;SeSystemtimePrivilege = Change the system time
;SeCreatePagefilePrivilege = Create a pagefile
;SeCreateTokenPrivilege = Allows a process to create an access token
;SeCreatePermanentPrivilege = Create permanent shared objects
;SeDebugPrivilege = Debug programs
;SeRemoteShutdownPrivilege = Force shutdown from a remote system
;SeAuditPrivilege = Generate security audits
;SeIncreaseQuotaPrivilege = Increase quotas
;SeIncreaseBasePriorityPrivilege = Increase scheduling priority
;SeLoadDriverPrivilege = Load and unload device drivers
;SeLockMemoryPrivilege = Lock pages in memory
;SeBatchLogonRight = Log on as a batch job
;SeServiceLogonRight = Log on as a service
;SeInteractiveLogonRight = Log on locally
;SeSecurityPrivilege = Manage auditing and security log
;SeSystemEnvironmentPrivilege = Modify firmware environment variables
;SeProfileSingleProcessPrivilege = Profile single process
;SeSystemProfilePrivilege = Profile system performance
;SeAssignPrimaryTokenPrivilege = Replace a process-level token. Allows a process that has this privilege to replace the access token associated with a process. This is useful for multi-tiered (distributed) applications that need to use impersonation to provide users secure access to the back end.
;SeRestorePrivilege = Restore files and directories
;SeShutdownPrivilege = Shut down the system
;SeTakeOwnershipPrivilege = Take ownership of files or other objects
;S-1-5-32-544 = Administrators
;S-1-5-32-545 = Users
;S-1-5-32-547 = Power Users
;S-1-5-32-548 = Account Operators
;S-1-5-32-549 = Server Operators
;S-1-5-32-550 = Print Operators
;S-1-5-32-551 = Backup Operators
;S-1-5-32-552 = Replicators
;S-1-1-0 = Everyone
;S-1-3-0 = Creator Owner
;S-1-5-11 = Authenticated Users
[Privilege Rights]
; 4.33 - Replace a process level token (Local Service and Network Service are specified here) - Allows a process that has this privilege to replace the access token associated with a process. This is useful for multi-tiered (distributed) applications that need to use impersonation to provide users secure access to the back end.
seassignprimarytokenprivilege = *S-1-5-19,*S-1-5-20
; 4.12 - Debug programs - required by some MS installer programs used to install MS hotfixes (no users, including administrators, are granted this right by this setting)
sedebugprivilege =
; 4.26 - Log on locally (local built-in Administrators and Users specified here)
seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-545
; 4.1 - Access this computer from the network (local built-in Users and Administrators specified here)
senetworklogonright = *S-1-5-32-545,*S-1-5-32-544
; 4.2 - Act as part of the operating system (no users, including administrators, are granted this right by this setting)
SeTcbPrivilege =
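The following Python is an added example, not part of the LBNL template or of the NIST and Microsoft material it derives from. It shows how the template syntax above is read: comment lines beginning with `;`, `[Section]` headers, `[Registry Values]` lines encoded as `path=type,value` (type codes from the legend: 1 REG_SZ, 4 REG_DWORD, 7 REG_MULTI_SZ), and `[Privilege Rights]` lines listing `*SID` grantees where an empty right-hand side grants the right to nobody. It then diffs a parsed baseline against a second parsed file standing in for the output of `secedit /export /cfg current.inf` on a workstation, which is how an administrator would check for drift before the GPO refresh corrects it. The two embedded excerpts are constructed for the demonstration; the handling of `","` as an escaped comma inside a REG_MULTI_SZ item is an assumption inferred from the template's `legalnoticetext` value.

```python
"""Parse a Windows security template (.inf) and report drift against an exported state.

Added example, not part of the LBNL template. TEMPLATE_TEXT and CURRENT_STATE_TEXT
are constructed excerpts in the template's own syntax; the second stands in for
what `secedit /export /cfg current.inf` would produce on a machine.
"""
import re
from typing import Dict, List, Tuple, Union

# Registry value type codes used in [Registry Values] lines (legend from the template).
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

Value = Union[int, str, bytes, Tuple[str, ...], List[str]]

# Constructed baseline excerpt (values mirror the LBNL template, legalnoticetext shortened).
TEMPLATE_TEXT = r'''
; constructed excerpt for the example
[System Access]
LSAAnonymousNameLookup = 0
EnableGuestAccount = 0
[Security Log]
AuditLogRetentionPeriod = 0
MaximumLogSize = 81920
RestrictGuestAccess = 1
[Registry Values]
machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,"2"
machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=7,Authorized use only"," all activity is monitored.,LOG OFF if you do not agree.
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,3
machine\system\currentcontrolset\control\lsa\nolmhash=4,1
machine\system\currentcontrolset\control\lsa\restrictanonymous=4,2
machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares=7,
[Privilege Rights]
sedebugprivilege =
SeTcbPrivilege =
seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-545
'''

# Constructed "current state" excerpt: LM level weakened, NoLMHash absent, Debug right granted.
CURRENT_STATE_TEXT = r'''
[System Access]
LSAAnonymousNameLookup = 0
EnableGuestAccount = 0
[Security Log]
AuditLogRetentionPeriod = 0
MaximumLogSize = 81920
RestrictGuestAccess = 1
[Registry Values]
machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,"2"
machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=7,Authorized use only"," all activity is monitored.,LOG OFF if you do not agree.
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0
machine\system\currentcontrolset\control\lsa\restrictanonymous=4,2
machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares=7,
[Privilege Rights]
sedebugprivilege = *S-1-5-32-544
SeTcbPrivilege =
seinteractivelogonright = *S-1-5-32-545,*S-1-5-32-544
'''


def decode_registry_value(raw: str) -> Tuple[str, Value]:
    """Decode the 'type,value' encoding of a [Registry Values] line into (type name, value)."""
    m = re.fullmatch(r"(\d+),(.*)", raw, re.S)
    if not m:
        raise ValueError(f"not a typed registry value: {raw!r}")
    code, data = int(m.group(1)), m.group(2)
    kind = REG_TYPES.get(code)
    if kind is None:
        raise ValueError(f"unknown registry type code {code}")
    if kind == "REG_DWORD":
        return kind, int(data)
    if kind in ("REG_SZ", "REG_EXPAND_SZ"):
        # String values are written in double quotes, e.g. 1,"2"
        return kind, data[1:-1] if len(data) >= 2 and data[0] == data[-1] == '"' else data
    if kind == "REG_BINARY":
        return kind, bytes.fromhex(data)
    # REG_MULTI_SZ: items are comma separated and '7,' is the empty set. A literal comma
    # inside an item is written as "," (assumption inferred from the template's legalnoticetext).
    if data == "":
        return kind, ()
    placeholder = "\0"
    items = data.replace('","', placeholder).split(",")
    return kind, tuple(item.replace(placeholder, ",") for item in items)


def parse_template(text: str) -> Dict[str, Dict[str, Value]]:
    """Parse a template into {section: {lowercased key: decoded value}}; ';' lines are comments."""
    sections: Dict[str, Dict[str, Value]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {line!r}")
        key, _, value = (part.strip() for part in line.partition("="))
        key = key.lower()
        if current == "Registry Values":
            sections[current][key] = decode_registry_value(value)[1]
        elif current == "Privilege Rights":
            # '*S-1-5-32-544,*S-1-5-32-545'; sorted so grantee order does not count as drift
            sections[current][key] = sorted(s.strip().lstrip("*") for s in value.split(",") if s.strip())
        else:
            sections[current][key] = int(value) if value.lstrip("-").isdigit() else value
    return sections


def find_drift(baseline: Dict[str, Dict[str, Value]], actual: Dict[str, Dict[str, Value]]) -> List[str]:
    """Return one finding per baseline setting that is missing from, or differs in, the actual state."""
    findings = []
    for section, settings in baseline.items():
        for key, expected in settings.items():
            got = actual.get(section, {}).get(key)
            if got is None:
                findings.append(f"[{section}] {key}: missing (baseline {expected!r})")
            elif got != expected:
                findings.append(f"[{section}] {key}: {got!r} != baseline {expected!r}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_drift(parse_template(TEMPLATE_TEXT), parse_template(CURRENT_STATE_TEXT)):
        print(finding)
```

Run against the two constructed excerpts it reports three findings: `lmcompatibilitylevel` at 0 instead of 3 (LM responses re-enabled), `nolmhash` absent (new passwords would again be stored as LM hashes), and `sedebugprivilege` granted to Administrators where the baseline grants it to nobody. Privilege grantees are compared as sorted lists, so the reordered `seinteractivelogonright` line is correctly not reported.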