
Microsoft Windows

The following sets of configuration guidelines are broad enough to address basic elements of Windows NT, 2000, and XP. Specific configuration templates to be used as a starting point for your organization can be found on the NSA web site.

Note also that the operational role of the Windows machine should influence the implementation of these and any other security measures. If a system is performing a critical operational role or is in a high-risk area such as a DMZ, strict configuration settings and procedures should be observed and additional layers from third-party products considered.

Version and Patches for Windows

  • Ensure that the operating system came from a clean install, not an upgrade.
  • Ensure that appropriate service packs and patches are applied.
  • Ensure that all non-mission-related applications are removed; this includes Windows services that are installed but not needed.

Account Security for Windows

  • Implement a login security banner.
  • Grant the interactive logon right only to the minimum number of accounts that need it.
  • Enable account lockout for all user accounts, including the local administrator account.
  • Enforce strong password creation (length and complexity) and password-history (uniqueness) requirements.
  • Ensure that the local administrator accounts have very strong passwords and that those passwords are not reused across untrusted domains or on other operating systems or platforms.
  • Establish both minimum and maximum password-aging settings.
  • Disable the guest account.
  • Enable a password-protected screen saver.
  • Restrict the AT command to administrative use.
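The following audit script is an added example written for this page; it is not part of the original text and not one of the NSA templates. It exports the effective local policy with secedit and parses the [System Access] and [Privilege Rights] sections, so each item above can be checked rather than assumed. The numeric thresholds in $required are illustrative choices, not values the page prescribes. It assumes Windows PowerShell 2.0 or later (XP SP3 and Server 2003 onward); NT 4 and Windows 2000 cannot run PowerShell, and on those hosts the same settings are read from User Manager or Local Security Policy.

```powershell
# Added example (not from the original page): audit local account policy
# against the Account Security list by exporting the effective policy with
# secedit and parsing its [System Access] and [Privilege Rights] sections.
# Assumptions: Windows PowerShell 2.0+ (XP SP3 / Server 2003 and later),
# run from an elevated prompt. Thresholds in $required are illustrative.

$inf = Join-Path $env:TEMP 'secpol-audit.inf'
if (Test-Path $inf) { Remove-Item $inf }
secedit /export /cfg $inf /areas SECURITYPOLICY USER_RIGHTS | Out-Null

# Flatten the INI-style export into "Section/Name" -> value.
$policy  = @{}
$section = ''
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
    if ($line -match '^\s*([^=\s]+)\s*=\s*(.*?)\s*$') {
        $policy["$section/$($Matches[1])"] = $Matches[2].Trim('"')
    }
}
Remove-Item $inf

# Setting name, acceptable range (for the report), and a predicate on the value.
$required = @(
    @{ Name = 'LockoutBadCount';       Want = '1-5 (0 = lockout off)';     Ok = { param($v) $v -ge 1 -and $v -le 5 } },
    @{ Name = 'LockoutDuration';       Want = '>= 15 min, or -1 (manual)'; Ok = { param($v) $v -eq -1 -or $v -ge 15 } },
    @{ Name = 'MinimumPasswordLength'; Want = '>= 12';                     Ok = { param($v) $v -ge 12 } },
    @{ Name = 'PasswordComplexity';    Want = '1 (complexity on)';         Ok = { param($v) $v -eq 1 } },
    @{ Name = 'PasswordHistorySize';   Want = '>= 12 (uniqueness)';        Ok = { param($v) $v -ge 12 } },
    @{ Name = 'MinimumPasswordAge';    Want = '>= 1 day';                  Ok = { param($v) $v -ge 1 } },
    @{ Name = 'MaximumPasswordAge';    Want = '1-90 days (-1 = never)';    Ok = { param($v) $v -ge 1 -and $v -le 90 } },
    @{ Name = 'EnableGuestAccount';    Want = '0 (guest disabled)';        Ok = { param($v) $v -eq 0 } }
)
foreach ($r in $required) {
    $raw = $policy["System Access/$($r.Name)"]
    if ($raw -eq $null) { $status = 'ABSENT'; $value = '-' }
    else {
        $value  = [int]$raw
        $status = if (& $r.Ok $value) { 'OK' } else { 'FAIL' }
    }
    '{0,-6} {1,-22} = {2,-6} want {3}' -f $status, $r.Name, $value, $r.Want
}

# Interactive logon should be granted to as few principals as possible.
# The export lists SIDs prefixed with '*'; resolve each to an account name.
$entries = @($policy['Privilege Rights/SeInteractiveLogonRight'] -split ',' | Where-Object { $_ })
'SeInteractiveLogonRight held by {0} principal(s):' -f $entries.Count
foreach ($e in $entries) {
    $id = $e.Trim().TrimStart('*')
    try {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($id)
        $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $name = '(not a resolvable SID)' }
    '  {0,-18} {1}' -f $id, $name
}
```

A LockoutBadCount of 0 means lockout is off, which is the most common finding. Note that the policy export does not show whether the built-in administrator is itself subject to lockout: on NT 4 that requires the resource-kit passprop /adminlockout switch, and on later versions the built-in account is never locked out for local logons, which is one reason to rename it and keep its password long.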

System Services for Windows

  1. Ensure that IP forwarding is disabled.
  2. Configure NTLMv2 only (LmCompatibilityLevel 5) and refuse LanMan and NTLM authentication where possible; relax the level only as far as legacy clients require.
  3. Remove the OS/2 and POSIX subsystems.
  4. Enable Syskey on all Windows 2000 and NT systems.
  5. Disable storage of the LanMan (LM) password hash.
  6. Disable unnecessary services such as Alerter, Server, and Messenger.
  7. Verify the necessity and logic of all domain trust relationships.
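Items 1 to 5 above are registry settings, and the script below (an added example for this page, not code from the original text) reads each one and compares it with the target value. It assumes Windows PowerShell 2.0 or later on the audited host; on NT 4 and Windows 2000 the same values are inspected with regedit or reg.exe. The Syskey mode mapping for the SecureBoot value is stated as an assumption in the comments. Service state (item 6) is covered together with the Network Services list further down, and item 7 is a manual review of the output of nltest /domain_trusts from the Support Tools.

```powershell
# Added example (not from the original page): check the registry values
# behind items 1-5 of the System Services list. Assumptions: Windows
# PowerShell 2.0+, run elevated; NT 4 / 2000 cannot run PowerShell, so
# inspect the same values there with regedit or reg.exe.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
$lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$results = @()   # rows of: name, current value, pass/fail, wanted value

# 1. IP forwarding: the host must not route packets between its interfaces.
$v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' 'IPEnableRouter'
$results += ,@('IPEnableRouter', $v, ($v -eq $null -or $v -eq 0), '0 or absent')

# 2. LmCompatibilityLevel: 0-1 send LM and NTLM, 2 NTLM only, 3 NTLMv2 only,
#    4 additionally refuse LM, 5 additionally refuse NTLM. 5 is the target;
#    3 or 4 is the accepted downgrade while legacy clients remain.
$v = Get-RegValue $lsa 'LmCompatibilityLevel'
$results += ,@('LmCompatibilityLevel', $v, ($v -ge 3), '5 (3-4 with legacy clients)')

# 3. OS/2 and POSIX subsystems: removed when the Os2 and Posix values are
#    gone from Session Manager\SubSystems and the subsystem binaries are deleted.
$sub = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
foreach ($s in 'Os2', 'Posix') {
    $v = Get-RegValue $sub $s
    $results += ,@("SubSystems\$s", $v, ($v -eq $null), 'absent')
}
foreach ($exe in 'os2.exe', 'os2srv.exe', 'os2ss.exe', 'posix.exe', 'psxss.exe') {
    $present = Test-Path (Join-Path "$env:SystemRoot\System32" $exe)
    $results += ,@("System32\$exe", $present, (-not $present), 'absent')
}

# 4. Syskey: Lsa\SecureBoot records the mode (assumed mapping: 1 = key kept
#    on disk, 2 = startup password, 3 = key on floppy). 2000/XP enable mode 1
#    by default; NT 4 does not enable Syskey at all until it is run.
$v = Get-RegValue $lsa 'SecureBoot'
$results += ,@('SecureBoot (Syskey)', $v, ($v -ge 1), '1-3 (2 or 3 for DMZ hosts)')

# 5. LM hash storage: XP/2003 use a NoLMHash DWORD value; Windows 2000 SP2+
#    uses the mere presence of a NoLMHash subkey instead. Accept either form.
$valueSet = (Get-RegValue $lsa 'NoLMHash') -eq 1
$keySet   = Test-Path "$lsa\NoLMHash"
$results += ,@('NoLMHash', "value=$valueSet key=$keySet", ($valueSet -or $keySet), 'value 1 (XP) or subkey (2000)')

foreach ($r in $results) {
    $status = if ($r[2]) { 'OK' } else { 'FAIL' }
    '{0,-5} {1,-24} current={2,-22} want {3}' -f $status, $r[0], $r[1], $r[3]
}
```

Disabling LM hash storage only affects hashes written after the change; each account must change its password once before its LM hash actually disappears from the SAM, so pair the setting with a forced password change.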

User Accounts for Windows

  • Ensure that the RestrictAnonymous setting is 1 on Windows NT and 2 on Windows 2000 on systems that must offer SMB services.
  • Ensure that anonymous query of the registry is disabled.
  • Limit accounts with domain administrative privileges.
  • Ensure that the administrator account has been renamed.
  • Verify the necessity of all accounts and groups.
  • Ensure that permissions granted to the "Everyone" group exist only where necessary, in particular on shares and directories.
  • Ensure that Group Policy is being effectively used for Windows 2000 and above to implement security controls across the domains.
  • Ensure that permissions are assigned to groups rather than to individual users wherever possible.
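The script below is an added example for this page (not code from the original text) covering the anonymous-access and administrator-account items above. It picks the RestrictAnonymous target from the OS version, checks that remote registry access is constrained by the winreg key, finds the built-in administrator by its RID 500 so the check works whatever the account is called, and lists who sits in the local Administrators group. It assumes Windows PowerShell 2.0 or later running on the audited host (so in practice XP SP3 or Server 2003 and later); the XP/2003 values RestrictAnonymousSAM and EveryoneIncludesAnonymous are included because XP caps RestrictAnonymous at 1.

```powershell
# Added example (not from the original page): verify the anonymous-access
# and administrator-account items of the User Accounts list. Assumptions:
# Windows PowerShell 2.0+, run elevated on the host being audited.

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$os  = [Environment]::OSVersion.Version   # 4.0 = NT 4, 5.0 = 2000, 5.1 = XP, 5.2 = 2003

# RestrictAnonymous: 1 on NT 4, 2 on Windows 2000. XP/2003 only honour 0/1
# here and move the SAM and share restrictions to two further values.
$want = if ($os.Major -eq 5 -and $os.Minor -eq 0) { 2 } else { 1 }
$ra   = Get-RegValue $lsa 'RestrictAnonymous'
'{0,-5} RestrictAnonymous = {1} (want {2})' -f $(if ($ra -eq $want) {'OK'} else {'FAIL'}), $ra, $want
if ($os.Major -eq 5 -and $os.Minor -ge 1) {
    $sam = Get-RegValue $lsa 'RestrictAnonymousSAM'
    $eia = Get-RegValue $lsa 'EveryoneIncludesAnonymous'
    '{0,-5} RestrictAnonymousSAM = {1} (want 1)' -f $(if ($sam -eq 1) {'OK'} else {'FAIL'}), $sam
    '{0,-5} EveryoneIncludesAnonymous = {1} (want 0)' -f $(if (-not $eia) {'OK'} else {'FAIL'}), $eia
}

# Remote/anonymous registry access is governed by the ACL on the winreg key:
# the key must exist, and no entry may be granted to Everyone or ANONYMOUS LOGON.
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
if (Test-Path $winreg) {
    $bad = (Get-Acl $winreg).Access | Where-Object {
        $_.IdentityReference.Value -match '^(Everyone|NT AUTHORITY\\ANONYMOUS LOGON)$'
    }
    if ($bad) { 'FAIL  winreg key grants access to: ' + (($bad | ForEach-Object { $_.IdentityReference.Value }) -join ', ') }
    else      { 'OK    winreg key present; no Everyone / ANONYMOUS LOGON entries' }
} else { 'FAIL  winreg key missing: remote registry access is unrestricted' }

# The built-in administrator keeps RID 500 however it is named, so locate it
# by SID rather than by name and confirm it has been renamed.
$admin = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' |
         Where-Object { $_.SID -like 'S-1-5-21-*-500' }
$renamed = ($admin -ne $null) -and ($admin.Name -ne 'Administrator')
'{0,-5} built-in administrator (RID 500) is named "{1}"' -f $(if ($renamed) {'OK'} else {'FAIL'}), $admin.Name

# Membership of the local Administrators group; each entry is reviewed against
# the "verify the necessity of all accounts" item. (Win32_GroupUser can be
# slow on a domain member because it walks every group association.)
$members = Get-WmiObject Win32_GroupUser |
    Where-Object { $_.GroupComponent -match 'Name="Administrators"' } |
    ForEach-Object { $_.PartComponent -replace '^.*Domain="([^"]+)",Name="([^"]+)"$', '$1\$2' }
'Local Administrators: ' + ($members -join ', ')
```

On a domain controller the same Win32_GroupUser query against "Domain Admins" lists the domain-level administrators, which is the population the "limit accounts with domain administrative privileges" item asks you to minimise.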

File System Permissions for Windows

  • Ensure that the system uses multiple NTFS-only partitions: one for the OS and one or more for data and critical applications.
  • Ensure that ACLs on OS executables grant Full Control only to Administrators and System, and at most Read and Execute to everyone else.
  • Ensure that registry ACLs and system folder ACLs are tightened.
  • Ensure that default administrative shares are removed for critical systems.
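The following is an added example for this page (not code from the original text) that turns the four file-system items into checks: NTFS on every fixed disk, write access to System32 limited to Administrators and SYSTEM, the AutoShare value that recreates administrative shares at boot, and Everyone entries on the NTFS ACLs behind user-created shares. It assumes Windows PowerShell 2.0 or later, run elevated; the set of principals accepted as writers is an illustrative baseline (the TrustedInstaller entry only exists on Vista and later and is listed so the script does not flag it there).

```powershell
# Added example (not from the original page): checks for the File System
# Permissions list. Assumptions: Windows PowerShell 2.0+, run elevated;
# $trusted is an illustrative baseline of principals allowed to write to
# OS binaries.

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Every fixed disk (DriveType 3) must be NTFS; FAT volumes have no ACLs at all.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
    $status = if ($_.FileSystem -eq 'NTFS') { 'OK' } else { 'FAIL' }
    '{0,-5} {1} is {2}' -f $status, $_.DeviceID, $_.FileSystem
}

# 2. Write access to OS executables: any Allow ACE on System32 that grants a
#    write-class right to someone outside $trusted is a finding. The mask
#    includes GENERIC_WRITE / GENERIC_ALL, which appear as raw bits in ACLs.
$trusted   = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller'
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000
$offenders = (Get-Acl "$env:SystemRoot\System32").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $trusted -notcontains $_.IdentityReference.Value -and
    (([int]$_.FileSystemRights -band $writeMask) -ne 0)
}
if ($offenders) {
    foreach ($o in $offenders) { 'FAIL  System32: {0} has {1}' -f $o.IdentityReference.Value, $o.FileSystemRights }
} else { 'OK    System32: only Administrators/SYSTEM may write' }

# 3. Administrative shares (C$, ADMIN$) are recreated at boot unless the
#    AutoShare value for the product type is 0 (ProductType 1 = workstation).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$auto   = if ((Get-WmiObject Win32_OperatingSystem).ProductType -eq 1) { 'AutoShareWks' } else { 'AutoShareServer' }
$v = Get-RegValue $lanman $auto
'{0,-5} {1} = {2} (want 0 on critical systems)' -f $(if ($v -eq 0) {'OK'} else {'FAIL'}), $auto, $v
$adminShares = Get-WmiObject Win32_Share | Where-Object { $_.Type -band 0x80000000 } | ForEach-Object { $_.Name }
'Administrative shares currently present: ' + $(if ($adminShares) { $adminShares -join ', ' } else { 'none' })

# 4. "Everyone" on shared directories: inspect the NTFS ACL behind each
#    user-created disk share (Type 0) for Allow entries granted to Everyone.
Get-WmiObject Win32_Share -Filter 'Type=0' | ForEach-Object {
    $share = $_
    $everyone = (Get-Acl $share.Path).Access | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and $_.AccessControlType -eq 'Allow'
    }
    if ($everyone) {
        'WARN  share {0} ({1}): Everyone has {2}' -f $share.Name, $share.Path,
            (($everyone | ForEach-Object { $_.FileSystemRights }) -join ', ')
    }
}
```

CREATOR OWNER and, on XP, Power Users commonly show up in the System32 output; the former is a default inheritance entry that is usually acceptable, the latter is exactly the kind of write access the checklist says to remove. Step 4 looks at NTFS permissions only; share-level permissions are a separate ACL that is reviewed with net share or Win32_LogicalShareSecuritySetting.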

Logging for Windows

  • Ensure adequate auditing and logging.
  • Set ACLs on the log files so that only Administrators and System have access.
  • Disable display of the last logged-on user name at the CTRL-ALT-DEL logon prompt.
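An added example for this page (not code from the original text) that checks the three logging items on Windows 2000, XP and 2003: the size, retention and guest-access settings of each event log, the ACLs on the .Evt files, and the DontDisplayLastUserName policy value. It assumes Windows PowerShell 2.0 or later run elevated, and that the logs live in %SystemRoot%\system32\config (Vista and later moved them to winevt\Logs as .evtx files, which the script reports as skipped). The 16 MB size floor is an illustrative choice.

```powershell
# Added example (not from the original page): checks for the Logging list.
# Assumptions: Windows PowerShell 2.0+, run elevated, on 2000/XP/2003 where
# the logs are %SystemRoot%\system32\config\*.Evt. The 16 MB floor is
# illustrative.

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Size and retention from the Eventlog service keys. Retention is 0 for
# "overwrite as needed", 0xFFFFFFFF (read back as -1) for "never overwrite",
# otherwise the minimum age in seconds before an event may be overwritten.
foreach ($log in 'Application', 'Security', 'System') {
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$log"
    $size  = Get-RegValue $key 'MaxSize'
    $ret   = Get-RegValue $key 'Retention'
    $guest = Get-RegValue $key 'RestrictGuestAccess'
    $retText = if ($ret -eq $null) { 'unset' }
               elseif ($ret -eq 0)  { 'overwrite as needed' }
               elseif ($ret -eq -1) { 'never overwrite' }
               else                 { "$ret s" }
    '{0,-11} MaxSize={1,-10} Retention={2,-20} RestrictGuestAccess={3}' -f $log, $size, $retText, $guest
    if (-not ($size -ge 16MB)) { "  WARN  $log log smaller than 16 MB; events will be lost quickly" }
    if ($guest -ne 1)          { "  WARN  $log log readable by Guest (RestrictGuestAccess != 1)" }
}

# Log file ACLs: only Administrators and SYSTEM should hold any access.
$trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
foreach ($f in 'AppEvent.Evt', 'SecEvent.Evt', 'SysEvent.Evt') {
    $path = Join-Path "$env:SystemRoot\system32\config" $f
    if (-not (Test-Path $path)) { "SKIP  $f not found (Vista and later use winevt\Logs\*.evtx)"; continue }
    $extra = (Get-Acl $path).Access | Where-Object { $trusted -notcontains $_.IdentityReference.Value }
    if ($extra) { 'FAIL  {0}: extra ACEs for {1}' -f $f, (($extra | ForEach-Object { $_.IdentityReference.Value }) -join ', ') }
    else        { "OK    $f restricted to Administrators/SYSTEM" }
}

# Last logged-on user name at the CTRL-ALT-DEL prompt. 2000/XP read the
# policy key below; NT 4 keeps the same value under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
$v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'DontDisplayLastUserName'
'{0,-5} DontDisplayLastUserName = {1} (want 1)' -f $(if ($v -eq 1) {'OK'} else {'FAIL'}), $v
```

What is actually being audited (logon events, object access, policy change, and so on) is the [Event Audit] section of the same secedit /export output used for the account-policy check above; "adequate auditing" means at minimum success and failure for logon events, account management and policy change, with the log sized so that the retention period outlasts your review cycle.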

Integrity Checking for Windows

  • Enable the BIOS password for OS boot-up.
  • Ensure that the system cannot boot from the floppy or CD-ROM drives.
  • Ensure that antivirus software is installed and updated.
  • Consider using Tripwire for file integrity protection and alerting on systems in operationally critical environments.
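To make the last item concrete, here is a minimal file-integrity baseline in the spirit of Tripwire; it is an added example for this page, not Tripwire and not code from the original text. On first run it records a SHA-256 hash, size and modification time for each executable, DLL and driver under the watched directories; on later runs it reports files that were added, removed or modified. It assumes Windows PowerShell 2.0 or later (it uses the .NET SHA-256 class rather than Get-FileHash, which needs PowerShell 4), and the watched directories and baseline path are illustrative choices.

```powershell
# Added example (not from the original page): a small Tripwire-style
# integrity baseline. Assumptions: Windows PowerShell 2.0+; $watch and
# $baseline are illustrative. Run with "init" to (re)create the baseline.

$watch    = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\System32")
$baseline = 'C:\secure\baseline.csv'   # keep a copy on read-only media in practice

function Get-FileSha256([string]$Path) {
    # Open with FileShare.ReadWrite so files held open by the OS can still be read.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try     { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close(); $sha.Clear() }
}

function Get-Snapshot {
    # One record per watched binary; unreadable files are reported, not fatal.
    foreach ($dir in $watch) {
        Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll|sys|drv|ocx)$' } |
            ForEach-Object {
                $file = $_
                try {
                    New-Object PSObject -Property @{
                        Path      = $file.FullName
                        Length    = $file.Length
                        LastWrite = $file.LastWriteTimeUtc.ToString('o')
                        Sha256    = Get-FileSha256 $file.FullName
                    }
                } catch { Write-Warning "unreadable: $($file.FullName)" }
            }
    }
}

if ($args[0] -eq 'init' -or -not (Test-Path $baseline)) {
    $dir = Split-Path $baseline
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Get-Snapshot | Export-Csv -Path $baseline -NoTypeInformation
    "baseline written: $baseline"
    return
}

# Compare the live tree against the stored baseline.
$old = @{}
Import-Csv $baseline | ForEach-Object { $old[$_.Path] = $_ }
$seen    = @{}
$changes = 0
foreach ($f in Get-Snapshot) {
    $seen[$f.Path] = $true
    if (-not $old.ContainsKey($f.Path))            { "ADDED    $($f.Path)"; $changes++ }
    elseif ($old[$f.Path].Sha256 -ne $f.Sha256)    { "MODIFIED $($f.Path)"; $changes++ }
}
foreach ($p in $old.Keys) {
    if (-not $seen.ContainsKey($p)) { "REMOVED  $p"; $changes++ }
}
"$changes change(s) against baseline"
```

The value of such a check depends entirely on the baseline and the checker being beyond the reach of whoever modifies the files: keep the baseline (or at least its own hash) on write-protected or offline media, re-baseline deliberately after each service pack or patch cycle, and treat any MODIFIED line outside a change window as an incident rather than noise. Tripwire adds signed databases, policy-driven attribute selection and central reporting on top of this same idea.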

Network Services for Windows

  • Disable unnecessary services such as FTP, SMTP, SNMP, RAS, Remote Desktop, and Terminal Server.
  • Unbind File and Print Services from network adapters on systems not requiring SMB services.
  • Enable filter by IP for services when possible.
  • Implement IPsec filtering or the Internet Connection Firewall for port filtering.
  • Restrict general-user queries to LDAP ports 389 and 3268 (global catalog).
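The following script is an added example for this page (not code from the original text) covering the service items in this list and the Alerter/Server/Messenger item under System Services. It reports the state and start mode of the services named above, parses netstat -an for listening sockets and compares them with a per-role allowlist, shows how many adapters the Server service is still bound to, and reads the fDenyTSConnections value for Remote Desktop. It assumes Windows PowerShell 2.0 or later run elevated; the service-name table and the allowlist are illustrative and must be adjusted to the host's role (a domain controller, for instance, legitimately listens on 389 and 3268).

```powershell
# Added example (not from the original page): enumerate services and
# listeners for the Network Services list. Assumptions: Windows PowerShell
# 2.0+, run elevated; $unwanted and $allowed are illustrative.

# Service name (not display name) -> reason it is on the list.
$unwanted = @{
    'MSFtpsvc'       = 'FTP (IIS)'
    'SMTPSVC'        = 'SMTP (IIS)'
    'SNMP'           = 'SNMP agent'
    'SNMPTRAP'       = 'SNMP trap receiver'
    'RemoteAccess'   = 'RAS / Routing and Remote Access'
    'TermService'    = 'Terminal Services / Remote Desktop'
    'Alerter'        = 'Alerter'
    'Messenger'      = 'Messenger'
    'lanmanserver'   = 'Server (SMB file and print sharing)'
    'RemoteRegistry' = 'Remote Registry'
}
foreach ($svc in Get-WmiObject Win32_Service) {
    if ($unwanted.ContainsKey($svc.Name)) {
        $ok = ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
        '{0,-5} {1,-14} state={2,-8} start={3,-9} {4}' -f $(if ($ok) {'OK'} else {'FAIL'}),
            $svc.Name, $svc.State, $svc.StartMode, $unwanted[$svc.Name]
    }
}

# Listening sockets from netstat -an (works on 2000 and XP; -o needs XP+).
# Everything not in the per-role allowlist is reported for review.
$allowed = @('TCP:135', 'TCP:139', 'TCP:445', 'UDP:137', 'UDP:138', 'UDP:445', 'UDP:500')
$listeners = netstat -an | ForEach-Object {
    if ($_ -match '^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s*(LISTENING)?') {
        # UDP lines carry no state; TCP lines count only when LISTENING.
        if ($Matches[1] -eq 'UDP' -or $Matches[4]) { "$($Matches[1]):$($Matches[3])" }
    }
} | Sort-Object -Unique
foreach ($l in $listeners) {
    '{0,-6} listening on {1}' -f $(if ($allowed -contains $l) {'OK'} else {'REVIEW'}), $l
}

# File and Print Sharing bindings: LanmanServer\Linkage\Bind lists the
# adapter devices the Server service is bound to; empty means unbound everywhere.
$bind = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Linkage' -ErrorAction SilentlyContinue).Bind
'Server service bound to {0} adapter(s)' -f @($bind | Where-Object { $_ }).Count

# Remote Desktop (XP and later): fDenyTSConnections = 1 refuses connections
# even if the Terminal Services service itself is left running.
$deny = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue).fDenyTSConnections
'{0,-5} fDenyTSConnections = {1} (want 1 unless Remote Desktop is required)' -f $(if ($deny -eq 1) {'OK'} else {'FAIL'}), $deny
```

A service that is stopped but still set to Automatic or Manual will be back after the next reboot or the next RPC request that starts it, which is why the check demands Disabled as well as Stopped. The listener list is the ground truth for the filtering items: whatever remains after unnecessary services are disabled is the set of ports an IPsec filter list or the Internet Connection Firewall (netsh firewall show state on XP SP2) must explicitly permit, and everything else should be blocked.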