This blog is a reproduction of an article from Microsoft Technet Magazine, Spring 2005, titled “10 Easy Ways To Lock Down Your Computer.” The author, Derek Melber, is a contributing editor to many popular IT-based web publications and a co-author of the Microsoft Windows Group Policy Guide with Darren Mar-Elia. This article discusses user passwords, user authentication, user privileges and anonymous access, and the persistence of GPO settings. Worth giving a read!

1. Minimum Password Length

This setting is important for two reasons. First, as long as it is greater than 0, every account must have a password, so an attacker cannot simply log on as a user with a blank password and has to mount a password attack instead. Second, the minimum length can be set high enough to force a pass phrase, which is far harder to break with a cracking tool. Passwords are commonly 6 to 8 characters, but pass phrases can be more than 14. A minimum above 14 has a side benefit: the LAN Manager hash (see item 6) is only computed for passwords of 14 characters or fewer, so such accounts never store that weak hash at all.

2. Maximum Password Age

This setting controls how long a password stays valid. The longer a password goes unchanged, the greater the chance that it is cracked or leaks. Weigh user convenience against security; a maximum password age between 30 and 60 days is reasonable. Valid values are 0 (never expires) or 1 to 999 days.

3. Password Complexity

One way to strengthen a password is to make it hard to guess by requiring complexity, meaning more than just alphabetic characters. With "Password must meet complexity requirements" enabled, every new password must be at least six characters long, contain characters from three of the four categories (lower-case letters, upper-case letters, digits and special characters), and must not contain the user's account name or any part of the user's full name longer than two consecutive characters. The check runs only when a password is set or changed, so existing weak passwords stay in place until their owners change them.
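Items 1 to 3 are all account policy values that `secedit` can export and import. The script below is an added example, not code from the article or from Microsoft: it reads the effective local policy, reports deviations from a baseline, and can push a hardened template back. The thresholds (`$MinLength`, `$MaxAgeDays`) and the `$Apply` switch are assumptions chosen for illustration.

```powershell
# Added example (not part of the original article): audit the local password
# policy (items 1-3) from a secedit export and, if $Apply is set, enforce it.
# The thresholds are assumptions for illustration; align them with your own
# baseline. Run elevated: the apply step rewrites local security policy.

$MinLength  = 14     # assumption: pass-phrase length; also no LM hash exists above 14 chars
$MaxAgeDays = 60     # assumption: upper end of the article's 30-60 day range
$Apply      = $false # assumption: flip to $true to enforce the baseline

function Get-SecurityPolicySection {
    # Exports the effective local policy with secedit and returns one INF
    # section (for example 'System Access') as a hashtable of key -> value.
    param([string]$Section)
    $inf = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    $result = @{}
    $inside = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inside = ($Matches[1] -eq $Section); continue }
        if ($inside -and $line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $result[$Matches[1]] = $Matches[2] }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $result
}

function Test-PasswordPolicy {
    # Returns the list of deviations from the baseline (empty means compliant).
    param([hashtable]$Access)
    $findings = @()
    $len = [int]$Access['MinimumPasswordLength']
    if ($len -lt $MinLength) { $findings += "MinimumPasswordLength is $len, want >= $MinLength" }
    $age = [int]$Access['MaximumPasswordAge']
    # secedit exports "never expires" as -1 (the GUI shows 0); both mean no rotation.
    if ($age -le 0 -or $age -gt $MaxAgeDays) { $findings += "MaximumPasswordAge is $age, want 1..$MaxAgeDays" }
    if ([int]$Access['PasswordComplexity'] -ne 1) { $findings += 'PasswordComplexity is disabled' }
    return ,$findings
}

function Set-PasswordPolicy {
    # Applies the baseline through a minimal security template. {0}/{1} are
    # filled in by -f; $CHICAGO$ is the literal template signature secedit expects.
    $template = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = {0}
MaximumPasswordAge = {1}
PasswordComplexity = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@ -f $MinLength, $MaxAgeDays
    $inf = Join-Path $env:TEMP 'secpol-baseline.inf'
    $db  = Join-Path $env:TEMP 'secpol-baseline.sdb'
    Set-Content -Path $inf -Value $template -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

$findings = Test-PasswordPolicy (Get-SecurityPolicySection 'System Access')
if ($findings.Count -eq 0) { 'Password policy meets the baseline.' }
else {
    $findings
    if ($Apply) { Set-PasswordPolicy; 'Baseline applied; re-run to verify.' }
}
```

On a domain-joined machine the local values only govern local accounts; domain accounts follow the password policy in the Default Domain Policy, which `net accounts /domain` shows. Run the export and the apply step from an elevated prompt.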

4. Last User Logged On

By default, the logon screen shows the name of the last user who logged on, so on a shared computer your user name is left behind for the next person. Since a user name and password are the only two pieces of information needed to authenticate to Active Directory, leaving the name on display hands anyone at the keyboard half of a credential for free. Enabling "Interactive logon: Do not display last user name" hides it and makes life more difficult for an attacker.

5. LAN Manager Authentication Level

The LAN Manager authentication level ("Network security: LAN Manager authentication level" under Security Options) decides which challenge/response protocols a computer sends and, as a server, which it accepts: LM, NTLM (v1) or NTLMv2. It is a key setting for servers and clients alike and matters most when a computer talks to a down-level system, such as Windows XP Professional to a Windows NT server, or Windows Server 2003 to a Windows 95 client. Configure the highest level the environment can tolerate. The Windows XP default (send LM and NTLM responses) is very weak, because the LM response is derived from the easily cracked LM hash described in item 6, whereas NTLMv2 is the strongest member of the family. The most secure setting is therefore "Send NTLMv2 response only\refuse LM & NTLM" (level 5). Test it before rolling it out: at level 5 the computer also refuses LM and NTLM from other machines, which breaks older clients and devices that cannot speak NTLMv2.

6. Do Not Store LAN Manager Hash

Windows versions of that era, including Windows XP Professional and Windows Server 2003, store the LAN Manager hash of every password next to the NT hash for backward compatibility. This is a security risk because the LM hash is relatively easy to crack: the password is upper-cased, padded or truncated to 14 characters and split into two 7-character halves, each hashed independently with no salt, so a cracking tool attacks two short, case-insensitive pieces instead of one long password. Unless you still run very old, unpatched operating systems or applications that depend on it, you do not need this hash, so enable "Network security: Do not store LAN Manager hash value on next password change." As the name says, the setting only stops new LM hashes from being written; hashes already in the SAM or Active Directory stay there until each account's password changes, so force a password change after turning it on.

7. User Privileges Assignment

User rights (the User Rights Assignment node under Security Settings) are essential to the security of client computers and servers. What makes the roughly 40 rights so powerful is that they bypass the access control lists configured on a computer. For example, if a user has No Access set on a file on a server, she can still back up that file as long as she holds the "Back up files and directories" right. Because the back up and restore rights together give full read and write access to the file system regardless of ACLs, treat membership in Backup Operators as equivalent to administrative access. Most of the rights matter most on servers. Check which users and groups have been assigned each right on every computer.

The next settings concern the anonymous user, which exists so that computers can talk to one another without a user account. That convenience is easy to exploit, so computers that must allow anonymous access need to be locked down.
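Checking who holds the ACL-bypassing rights is the practical follow-up to item 7. The script below is an added example (not code from the article or from Microsoft): it exports the User Rights Assignment with `secedit`, resolves the SIDs to account names, and flags any holder outside an approved set. The `$Approved` map is an assumption for illustration; replace it with your own baseline.

```powershell
# Added example (not from the original article): report who holds the user
# rights that bypass file ACLs or otherwise amount to administrative control.
# $Approved is an assumption for illustration. Run elevated so the export works.

$Approved = @{
    'SeBackupPrivilege'        = @('S-1-5-32-544', 'S-1-5-32-551')  # Administrators, Backup Operators
    'SeRestorePrivilege'       = @('S-1-5-32-544', 'S-1-5-32-551')
    'SeTakeOwnershipPrivilege' = @('S-1-5-32-544')
    'SeDebugPrivilege'         = @('S-1-5-32-544')
    'SeLoadDriverPrivilege'    = @('S-1-5-32-544')
    'SeTcbPrivilege'           = @()                                # "act as part of the OS": nobody
}

function Get-PrivilegeAssignments {
    # Returns a hashtable: right name -> array of SID strings holding it.
    # secedit writes entries as "SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551".
    $inf = Join-Path $env:TEMP 'rights-export.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    $assignments = @{}
    Get-Content -Path $inf |
        Select-String -Pattern '^(Se\w+)\s*=\s*(.*)$' |
        ForEach-Object {
            $name = $_.Matches[0].Groups[1].Value
            $sids = $_.Matches[0].Groups[2].Value -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
            $assignments[$name] = @($sids)
        }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $assignments
}

function Resolve-Sid {
    # Translates a SID to DOMAIN\Name; falls back to the raw string for
    # deleted accounts or entries that are already names.
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Sid }
}

function Find-ExcessPrivilegeHolders {
    # Returns one line per holder of a sensitive right who is not approved.
    param([hashtable]$Assignments)
    $findings = @()
    foreach ($priv in $Approved.Keys) {
        if (-not $Assignments.ContainsKey($priv)) { continue }   # nobody holds it
        foreach ($sid in $Assignments[$priv]) {
            if ($Approved[$priv] -notcontains $sid) {
                $findings += '{0} is held by {1} ({2}), which is not in the approved set' -f $priv, (Resolve-Sid $sid), $sid
            }
        }
    }
    return ,$findings
}

$findings = Find-ExcessPrivilegeHolders (Get-PrivilegeAssignments)
if ($findings.Count -eq 0) { 'No unexpected holders of sensitive user rights.' } else { $findings }
```

Rights granted through a domain GPO appear in the export too, since it reflects the effective local policy, so a finding here may need to be fixed in the GPO rather than on the machine.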

8. Do Not Allow Anonymous Enumeration of SAM Accounts

Historically, Windows has allowed anonymous (null session) connections to enumerate the accounts in the Security Accounts Manager (SAM), which hands a remote attacker a list of valid user names to feed into password guessing. Remove this access ("Network access: Do not allow anonymous enumeration of SAM accounts") unless an application genuinely needs it. A stronger, related setting is "Network access: Do not allow anonymous enumeration of SAM accounts and shares," which also blocks anonymous enumeration of the shares on the computer.

9. Let Everyone Permissions Apply to Anonymous Users

This setting controls whether anonymous (null session) connections inherit the permissions granted to the Everyone group. Enabling it is insecure, because anything shared with Everyone then becomes reachable without any credentials; leave it disabled so that Everyone permissions do not apply to anonymous users accessing the computer.

10. Process Settings in a GPO Even if the GPO Has Not Been Changed

This option lives under Computer Configuration\Administrative Templates\System\Group Policy in the "Security policy processing" setting, as a checkbox labelled "Process even if the Group Policy objects have not changed." Normally a client-side extension skips a GPO whose version number has not changed since the last refresh. Checking the box forces the settings under Computer Configuration\Windows Settings\Security Settings to be reapplied at every refresh interval (by default every 90 minutes, with a random offset, on workstations and member servers), so any value a local user or administrator has changed in the Registry or through the local security policy is reverted to the GPO-specified configuration. Even without this option, the security settings extension reapplies its settings about every 16 hours, so tampering is eventually undone either way; the checkbox just shortens the window.
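Items 4, 5, 6, 8, 9 and 10 are all backed by a single DWORD in the Registry, which makes them easy to audit in one pass. The script below is an added example, not code from the article or from Microsoft: it compares each value with the hardened choice the article recommends and can write the values back. The paths and value names are the documented backing values for these policies; `$Apply` is an assumption for illustration.

```powershell
# Added example (not from the original article): audit and optionally enforce
# the registry values behind items 4, 5, 6, 8, 9 and 10. Run elevated to apply.
# $Apply is an assumption: flip it to $true to write the expected values.

$Apply = $false
$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Baseline = @(
    @{ Policy = 'Interactive logon: Do not display last user name'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DontDisplayLastUserName'; Want = 1 },
    @{ Policy = 'Network security: LAN Manager authentication level (5 = NTLMv2 only, refuse LM & NTLM)'
       Path = $Lsa; Name = 'LmCompatibilityLevel'; Want = 5 },
    @{ Policy = 'Network security: Do not store LAN Manager hash value on next password change'
       Path = $Lsa; Name = 'NoLMHash'; Want = 1 },
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts'
       Path = $Lsa; Name = 'RestrictAnonymousSAM'; Want = 1 },
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
       Path = $Lsa; Name = 'RestrictAnonymous'; Want = 1 },
    @{ Policy = 'Network access: Let Everyone permissions apply to anonymous users'
       Path = $Lsa; Name = 'EveryoneIncludesAnonymous'; Want = 0 },
    # The GUID is the Security client-side extension; 0 = process even if unchanged.
    @{ Policy = 'Security policy processing: process even if the GPOs have not changed'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'
       Name = 'NoGPOListChanges'; Want = 0 }
)

function Get-RegistryDword {
    # Returns the DWORD, or $null when the value (or key) is absent, in which
    # case the operating-system default applies and differs between versions.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-HardeningBaseline {
    # Emits one record per setting with the current value and a Compliant flag.
    foreach ($s in $Baseline) {
        $cur   = Get-RegistryDword -Path $s.Path -Name $s.Name
        $shown = if ($null -eq $cur) { 'not set' } else { $cur }
        [pscustomobject]@{
            Policy    = $s.Policy
            Value     = $s.Name
            Current   = $shown
            Want      = $s.Want
            Compliant = ($cur -eq $s.Want)
        }
    }
}

function Set-HardeningBaseline {
    # Writes every expected value; -Force overwrites an existing value.
    foreach ($s in $Baseline) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Want -Force | Out-Null
    }
}

$report = Test-HardeningBaseline
$report | Format-Table Value, Current, Want, Compliant -AutoSize
if ($Apply -and ($report | Where-Object { -not $_.Compliant })) {
    Set-HardeningBaseline
    'Baseline applied; re-run to verify.'
}
```

Three caveats when acting on the report. NoLMHash=1 only prevents new LM hashes; existing ones persist until each password is changed. LmCompatibilityLevel=5 also makes the machine refuse LM and NTLMv1 from others, so stage it where legacy clients exist. And the NoGPOListChanges value sits under the Policies key, which Group Policy itself owns: set it in the GPO, since a local edit there is overwritten at the next refresh.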


If you are interested in reading the complete article, please go through this Microsoft link.