; (c) Microsoft Corporation 1997-2000
;
; Security Configuration Template for Security Configuration Editor
;
; Template Name:        HiSecWeb.INF
; Template Version:     05.00.HB.0000
;
; -------------------------------------------------------------------
; Revision History
; -------------------------------------------------------------------
; Date          Comment
; 03-Sep-1999   Original, based on the following assumptions:
;               Machine is not a Domain Controller
;                   DC's should not be web-servers
;               Machine is a standalone server
;                   - If machine is joined to a domain,
;                     then domain-level policies may (or may not)
;                     overwrite these settings.
;                   - If machine is joined to a domain,
;                     it should be in its own OU, and you would
;                     apply this template at the OU level.
;               Machine is a dedicated web-server and physically protected
;               Machine has the Windows 2000 clean-install defaults
;                   - No modifications have been made to ACLs, User Rights etc.
;               No one is allowed to log on locally to the machine except an admin
;               Admins are not allowed to log on over
;               the network (they have to go to the Web server to administer it)
;               Admin\Guest accounts are not renamed via this template
; 24-Jan-2000   Updated registry entries
; 23-May-2000   Updated to reduce SMB/Secure channel signing requirements.
; 20-Nov-2000   Updated to include Cisco Specific Parameters (gavreid@cisco.com)
;
; Format notes (Security Configuration Editor .INF template):
;   [Registry Values] entries are  path=type,data  where type is the
;   registry data type: 1 = REG_SZ, 3 = REG_BINARY, 4 = REG_DWORD.
;   [Service General Setting] entries are  n="service", start, "SDDL"
;   where start is 2 = Automatic, 3 = Manual, 4 = Disabled.
;   [Event Audit] values: 0 = none, 1 = success, 2 = failure, 3 = both.
;   Lines beginning with ';' are comments; the file is read by secedit /
;   the Security Configuration and Analysis snap-in, not by a generic
;   INI parser, so do not rely on generic INI quoting or escape rules.

[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; Account and password policy for the local SAM.
[System Access]
; days; > 0 prevents users cycling back to an old password immediately
MinimumPasswordAge = 2
; days
MaximumPasswordAge = 42
; characters
MinimumPasswordLength = 8
; 1 = enforce complexity (passfilt rules)
PasswordComplexity = 1
; remembered passwords
PasswordHistorySize = 24
; failed attempts before lockout
LockoutBadCount = 5
; minutes before the bad-attempt counter resets
ResetLockoutCount = 30
; -1 = locked until an administrator unlocks the account
LockoutDuration = -1
RequireLogonToChangePassword = 0
; NOTE(review): this renames the Guest account, which contradicts the
; header assumption "Admin\Guest accounts are not renamed via this
; template"; presumably part of the Cisco-specific additions -- confirm
; intent and update the header to match.
NewGuestName = "No-guest"
; 0 = do not store passwords with reversible encryption
ClearTextPassword = 0

; Event log settings: size in KB; retention 0 = overwrite as needed;
; RestrictGuestAccess 1 = guests/anonymous may not read the log.
[System Log]
MaximumLogSize = 10240
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1

[Security Log]
MaximumLogSize = 10240
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1

[Application Log]
MaximumLogSize = 10240
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1

; Audit policy (3 = success and failure). Object access is failure-only
; to limit log volume; a SACL on the web content is still required for
; object-access events to be generated at all.
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditAccountLogon = 3

[Registry Values]
; --- TCP/IP stack hardening (SYN-flood and spoofing resistance) ---
; fewer data/SYN-ACK retransmissions shortens half-open connection life
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxdataretransmissions=4,3
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxconnectresponseretransmissions=4,2
; 1 = enable SYN attack protection
machine\system\currentcontrolset\services\tcpip\parameters\synattackprotect=4,1
; milliseconds (5 minutes)
machine\system\currentcontrolset\services\tcpip\parameters\keepalivetime=4,300000
; 1 = enable TCP/IP filtering. NOTE(review): the allowed-port lists
; (TcpAllowedPorts / UdpAllowedPorts / RawIpAllowedProtocols) are not set
; by this template, so the effective filter depends on what is already
; configured on the host -- verify after applying.
machine\system\currentcontrolset\services\tcpip\parameters\enablesecurityfilters=4,1
; 0 = disable path-MTU discovery (avoids forced-small-MTU attacks)
machine\system\currentcontrolset\services\tcpip\parameters\enablepmtudiscovery=4,0
; 0 = ignore ICMP redirects
machine\system\currentcontrolset\services\tcpip\parameters\enableicmpredirect=4,0
; 0 = disable dead-gateway detection (prevents forced gateway switching)
machine\system\currentcontrolset\services\tcpip\parameters\enabledeadgwdetect=4,0
; 1 = do not forward source-routed packets (2 would drop all incoming)
machine\system\currentcontrolset\services\tcpip\parameters\disableipsourcerouting=4,1
; --- Secure channel (Netlogon): sign and seal when the DC supports it;
;     machine account password changes remain enabled ---
machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0
; 1 = ignore NetBIOS name-release requests except from WINS
machine\system\currentcontrolset\services\netbt\parameters\nonamereleaseondemand=4,1
; --- SMB client/server: signing enabled (not required, per the
;     23-May-2000 revision); no plaintext passwords; forced logoff when
;     logon hours expire; no automatic administrative shares ---
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,1
machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4,1
machine\system\currentcontrolset\services\lanmanserver\parameters\autoshareserver=4,0
; --- AFD dynamic backlog: lets the listen queue grow under SYN load ---
machine\system\currentcontrolset\services\afd\parameters\minimumdynamicbacklog=4,20
machine\system\currentcontrolset\services\afd\parameters\maximumdynamicbacklog=4,20000
machine\system\currentcontrolset\services\afd\parameters\enabledynamicbacklog=4,1
machine\system\currentcontrolset\services\afd\parameters\dynamicbackloggrowthdelta=4,10
; 1 = strengthen default permissions on shared system objects
machine\system\currentcontrolset\control\session manager\protectionmode=4,1
; 1 = clear the pagefile at shutdown (slows shutdown)
machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown=4,1
; 1 = prevent non-administrators from installing printer drivers
machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers=4,1
; 2 = no anonymous access without explicit anonymous permissions
machine\system\currentcontrolset\control\lsa\restrictanonymous=4,2
; 5 = send NTLMv2 only; refuse LM and NTLM authentication
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,5
; REG_BINARY 1 = audit use of backup and restore privilege
machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,1
; 1 = stop generating 8.3 short names on NTFS
machine\system\currentcontrolset\control\filesystem\ntfsdisable8dot3namecreation=4,1
; 1 = disable web-based printing (IIS printer pages)
machine\software\policies\microsoft\windows nt\printers\disablewebprinting=4,1
; 0 = shutdown button not available before logon
machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,0
; Logon banner. NOTE(review): the legalnoticetext value below appears to
; have been truncated (it ends at "Cisco Systems,"); restore the full
; banner text from the authoritative copy before applying this template.
machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=1,This is a private computer system. Cisco Systems,
machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1,A T T E N T I O N !
; 1 = do not show the last logged-on user name
machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,1
; 0 = Ctrl+Alt+Del is required to log on
machine\software\microsoft\windows\currentversion\policies\system\disablecad=4,0
; days of warning before password expiry
machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14
; REG_SZ "1" = restrict removable media to the locally logged-on user
; (floppies and CD-ROMs); "0" = removable disks not restricted
machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies=1,1
machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,0
machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms=1,1
; 0 = Recovery Console requires the administrator password
machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0
; REG_BINARY 2 = block installation of unsigned drivers
machine\software\microsoft\driver signing\policy=3,2

; S-1-5-32-547 = BUILTIN\Power Users: both its membership lists are
; emptied so the group grants nothing on this host.
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members =

; "Access this computer from the network" is granted only to
; Authenticated Users (S-1-5-11); Everyone and explicit Administrators
; entries are dropped. NOTE(review): administrator accounts are themselves
; Authenticated Users, so this right alone does not enforce the header
; assumption that admins cannot log on over the network -- confirm
; whether a deny right is applied elsewhere.
[Privilege Rights]
senetworklogonright = *S-1-5-11

; Service start type and security descriptor. Keys are hex-numbered
; (1-9, a-f, 10-15). Everything is Disabled (4) except iisadmin,
; policyagent (IPsec) and w3svc, which are Automatic (2). SDDL aces:
; IU = Interactive, AU = Authenticated Users, PU = Power Users,
; BA = Administrators, SY = SYSTEM, WD = Everyone (audit SACL).
[Service General Setting]
1="alerter", 4, "D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
2="browser", 4, "D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
3="clipsrv", 4, "D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
4="dhcp", 4, "D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
5="dnscache", 4, "D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
6="fax", 4, "D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
7="iisadmin", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
8="irmon", 4, "D:AR(A;;RPWPDTRC;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
9="lanmanworkstation", 4, "D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
a="messenger", 4, "D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
b="mnmsrvc", 4, "D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
c="policyagent", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
d="rasauto", 4, "D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
e="rasman", 4, "D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
f="remoteregistry", 4, "D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
10="schedule", 4, "D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
11="sharedaccess", 4, "D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
12="spooler", 4, "D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
13="tapisrv", 4, "D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
14="termservice", 4, "D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
15="w3svc", 2, "D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"