Local Administrator Account Control
We have a confession to make. Up until now, we have pretty much made an implicit assumption that we are dealing with clients in an enterprise. Although it has made no particular difference in how we configure the systems up until now, it changes how you deal with accounts. On a client in an enterprise, there is usually a domain controller, which means that clients really only have one account locallythe built-in Administrator account. This is important, because the policies we set from now on will be different in an enterprise versus a small business or a home office. For more specific details on how to run systems in small businesses.
Do Not Store LAN Manager Hash Value
The first thing to do to protect the local Administrator account is to keep the LM hash from being stored. In a home or small business, this may be harder to do using the NoLMHash switch if there are accounts defined on the system that have to be accessible by Windows 9x clients. However, if no accounts defined on the system are used by down-level clients, we recommend turning off storage of LM hashes.
NOTE: Although you can technically turn off LM hash storage even if you have Windows 9x machines in your environment, doing so requires installing and configuring the DSClient on your 9x machines. Frankly, we recommend you spend your time getting rid of 9x instead. Your time will have been better spent and your environment will be more secure if you do.
Password Policies
Administrator accounts should have very strong passwords. We recommend that they should be 10 to 14 characters long and appear essentially random. You can configure the local password policy on all systems in a domain by setting a password policy on the Organizational Units that those systems are in. Password policy on an OU only applies to local accounts on the member systems of that OU. Therefore, it is ideal for controlling the local Administrator account. If there are user accounts on the clients, you may need to adjust the password policy to make it palatable to users. For more details on password policies.
SMB Message Signing
We discussed SMB message signing at length both above. Therefore, we do note reiterate that discussion here. We do recommend turning on SMB message signing and setting it to required on both the Workstation and Server services on all clients.
LAN Manager Authentication Level
The LAN Manager authentication level issue has been discussed at length already. For clients, the main concern is emanating LM responses, which can be much more easily cracked. To prevent this, we recommend configuring the "LAN Manager Authentication Level" to 4 or "Send NTLMv2 response only/refuse LM" as well as configuring security on the NTLM SSP.
In this tutorial:
- Protecting Hosts
- Security Configuration Myths
- Myth 1: Security Guides Make Your System Secure
- Myth 2: If We Hide It, they Not Find It
- Myth 3: The More Tweaks, the Better
- Myth 4: Tweaks Are Necessary
- Myth 5: All Environments Should At Least Use <Insert Favorite Guide Here>
- Myth 6: "High Security" Is an End Goal for All Environments
- Myth 7: Start Securing Your Environment by Applying a Security Guide
- Myth 8: Security Tweaks Can Fix Physical Security Problems
- Myth 9: Security Tweaks Will Stop Worms/Viruses
- Myth 10: An Expert Recommended This Tweak as Defense in Depth
- Server Security Tweaks
- Software Restriction Policies
- Do Not Store LAN Manager Hash Value
- Anonymous Restrictions
- Security Identifiers (SIDs)
- Password Policies
- SMB Message Signing
- Networking LAN Manager Authentication Level
- TCP Hardening
- Restricted Groups
- Audit Settings
- Client Security Tweaks
- Firewalls
- IPsec Filters
- SafeDllSearchMode
- Local Administrator Account Control
- Limit Local Account Use of Blank Passwords to Console Logon Only
- Logon Events
- Allowed to Format and Eject Removable Media
- The Caution ListChanges You Should Not Make
- Crash on Audit Failure
- Clear Virtual Memory Page File
- Security Configuration Tools