Note:
The changes that will be made by this script are as follows (there may be overlap):
1. Password Policy:
MinimumPasswordAge = 2
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = -1
RequireLogonToChangePassword = 0
ClearTextPassword = 0
2. Audit Policy
Audit account logon events: Success, Failure
Audit account management: Success, Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit policy change: Success, Failure
Audit privilege use: Success, Failure
Audit system events: Success, Failure
Maximum application log size: 10240 kilobytes
Maximum security log size: 10240 kilobytes
Maximum system log size: 10240 kilobytes
Restrict guest access to application log: Enabled
Restrict guest access to security log: Enabled
Restrict guest access to system log: Enabled
Retention method for application log: As needed
Retention method for security log: As needed
Retention method for system log: As needed
3. User Rights
Access this computer from the network: Authenticated users
4. Security Options
Additional restrictions for anonymous connections: No access without explicit anonymous permissions
Allow system to be shut down without having to log on: Disabled
Allowed to eject removable NTFS media: Administrators
Audit use of Backup and Restore privilege: Enabled
Automatically log off users when logon time expires (local): Enabled
Clear virtual memory pagefile when system shuts down: Enabled
Digitally sign client communication (when possible): Enabled
Digitally sign server communication (when possible): Enabled
Disable CTRL+ALT+DEL requirement for logon: Disabled
Do not display last user name in logon screen: Enabled
LAN Manager Authentication Level: Send NTLMv2 response only\refuse LM & NTLM
Message text for users attempting to log on: This is a private computer system. Cisco Systems,
Message title for users attempting to log on: A T T E N T I O N !
Prevent system maintenance of computer account password: Disabled
Prevent users from installing printer drivers: Enabled
Prompt user to change password before expiration: 14 days
Recovery Console: Allow automatic administrative logon: Disabled
Rename guest account: No-guest
Restrict CD-ROM access to locally logged-on user only: Enabled
Restrict floppy access to locally logged-on user only: Enabled
Secure channel: Digitally encrypt secure channel data (when possible): Enabled
Secure channel: Digitally sign secure channel data (when possible): Enabled
Send unencrypted password to connect to third-party SMB servers: Disabled
Strengthen default permissions of global system objects (e.g. Symbolic Links): Enabled
Unsigned driver installation behavior: Do not allow installation
5. Registry Values
Each entry is in the template's own [Registry Values] format, path=type,value, where the type code gives the registry data type (1 = REG_SZ, 3 = REG_BINARY, 4 = REG_DWORD):
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxdataretransmissions=4,3
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxconnectresponseretransmissions=4,2
machine\system\currentcontrolset\services\tcpip\parameters\synattackprotect=4,1
machine\system\currentcontrolset\services\tcpip\parameters\keepalivetime=4,300000
machine\system\currentcontrolset\services\tcpip\parameters\enablesecurityfilters=4,1
machine\system\currentcontrolset\services\tcpip\parameters\enablepmtudiscovery=4,0
machine\system\currentcontrolset\services\tcpip\parameters\enableicmpredirect=4,0
machine\system\currentcontrolset\services\tcpip\parameters\enabledeadgwdetect=4,0
machine\system\currentcontrolset\services\tcpip\parameters\disableipsourcerouting=4,1
machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0
machine\system\currentcontrolset\services\netbt\parameters\nonamereleaseondemand=4,1
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,1
machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4,1
machine\system\currentcontrolset\services\lanmanserver\parameters\autoshareserver=4,0
machine\system\currentcontrolset\services\afd\parameters\minimumdynamicbacklog=4,20
machine\system\currentcontrolset\services\afd\parameters\maximumdynamicbacklog=4,20000
machine\system\currentcontrolset\services\afd\parameters\enabledynamicbacklog=4,1
machine\system\currentcontrolset\services\afd\parameters\dynamicbackloggrowthdelta=4,10
machine\system\currentcontrolset\control\session manager\protectionmode=4,1
machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown=4,1
machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers=4,1
machine\system\currentcontrolset\control\lsa\restrictanonymous=4,2
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,5
machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,1
machine\system\currentcontrolset\control\filesystem\ntfsdisable8dot3namecreation=4,1
machine\software\policies\microsoft\windows nt\printers\disablewebprinting=4,1
machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,0
machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=1,This is a private computer system. Cisco Systems,
machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1,A T T E N T I O N !
machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,1
machine\software\microsoft\windows\currentversion\policies\system\disablecad=4,0
machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14
machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies=1,1
machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,0
machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms=1,1
machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0
machine\software\microsoft\driver signing\policy=3,2
6. File System and Registry Access Control Lists
The ACLs applied to the file system and the registry are identical to what Microsoft ships as the "Highly secure Webserver" template in SCE. For details, check the hisecweb-cisco.inf file with the SCE snap-in in MMC.
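As an added example (not Cisco's script and not the hisecweb-cisco.inf template itself), the following Python parses entries written in the SCE .inf format shown above and reports which [Registry Values] a host snapshot does not yet meet. The template excerpt and the host snapshot are constructed samples; the names REG_UNKNOWN and SETTING are labels chosen here, not template vocabulary.

```python
from typing import Dict, Optional, Tuple

# Data-type codes that follow the '=' in an SCE template's [Registry Values] section.
REG_TYPES = {"1": "REG_SZ", "3": "REG_BINARY", "4": "REG_DWORD", "7": "REG_MULTI_SZ"}

# Constructed excerpt in the template's own format, built from entries listed on this page.
TEMPLATE = r"""
[System Access]
MinimumPasswordLength = 8
[Registry Values]
machine\system\currentcontrolset\control\lsa\restrictanonymous=4,2
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,5
machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1,A T T E N T I O N !
"""

def parse_template(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Return {section: {key: (type, value)}}; registry paths lower-cased, codes mapped to REG_* names."""
    sections: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):        # blank lines and .inf comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        key, _, rest = (part.strip() for part in line.partition("="))
        if current == "Registry Values":
            code, _, value = rest.partition(",")     # the value may itself contain commas
            sections[current][key.lower()] = (REG_TYPES.get(code, "REG_UNKNOWN"), value)
        elif current is not None:                    # ignore keys before any [section] header
            sections[current][key] = ("SETTING", rest)
    return sections

def registry_drift(template: dict, host_state: dict) -> Dict[str, Tuple[str, Optional[str]]]:
    """Return {path: (expected, actual)} for template registry entries absent (None) or differing on the host."""
    snapshot = {path.lower(): str(value) for path, value in host_state.items()}  # registry paths are case-insensitive
    drift = {}
    for path, (_reg_type, expected) in template.get("Registry Values", {}).items():
        actual = snapshot.get(path)
        if actual != expected:
            drift[path] = (expected, actual)
    return drift

# Constructed snapshot: anonymous access not yet restricted, logon caption never set.
HOST_STATE = {
    r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous": 0,
    r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel": 5,
}
```

Feeding registry_drift() a snapshot exported from a real host (for example via reg query) turns the template into a compliance check rather than only an apply-once script.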
Last Modified: December 15, 2000. Review Date: December 2001.