Subject: Compliance Validation Report
Date: Sat, 4 Feb 2006 16:00:22 -0600
Content-Location: file://C:\Program Files\The Center for Internet Security\CIS NG Scoring Tool\results\20060204155913234-0600\reports\html\benchmark-report.html

Compliance Validation Report

Summary

Computer Name: green2kpro8
Benchmark: Windows 2000 Operating System Level One Benchmark
Profile: Windows 2000 Level 1 Benchmark
Scan Time: 02/04/2006 15:59:20
(Items: Passed, Failed; Score: Actual, Max)
Description                                                        Passed  Failed   Actual      Max
1 Service Packs and Hotfixes                                            1       1   12.500   25.000
1.1 Major Service Pack and Hotfix Requirements                          1       0   12.500   12.500
1.2 Minor Service Pack and Hotfix Requirements                          0       1    0.000   12.500
2 Auditing and Account Policies                                         2      16    6.944   25.000
2.1 Major Auditing and Account Policies Requirements                    1       1    6.250   12.500
2.2 Minor Auditing and Account Policies Requirements                    1      15    0.694   12.500
2.2.1 Audit Policy (minimums)                                           0       7    0.000    4.167
2.2.2 Account Policy                                                    1       5    0.694    4.167
2.2.3 Account Lockout Policy                                            0       3    0.000    4.167
2.2.4 Event Log Settings – Application, Security, and System Logs       0       0    0.000    0.000
2.2.4.1 Application Log                                                 0       0    0.000    0.000
2.2.4.2 Security Log                                                    0       0    0.000    0.000
2.2.4.3 System Log                                                      0       0    0.000    0.000
3 Security Settings                                                     7       8    6.250   25.000
3.1 Major Security Settings                                             0       1    0.000   12.500
3.2 Minor Security Settings                                             7       7    6.250   12.500
3.2.1 Security Options                                                  7       7    6.250   12.500
3.2.2 Additional Registry Settings                                      0       0    0.000    0.000
3.2.2.1                                                                 0       0    0.000    0.000
4 Additional Security Protection                                        0       6    0.000   25.000
4.1 Available Services                                                  0       5    0.000   12.500
4.2 User Rights                                                         0       0    0.000    0.000
4.3 Other System Requirements                                           0       1    0.000   12.500
Overall Score                                                          10      31   25.696

Note: Actual scores are subject to rounding errors. The sum of these values may not result in the exact overall score.


Security Items

Description [Status]
1 Service Packs and Hotfixes
1.1 Major Service Pack and Hotfix Requirements
1.1.1 Current Service Pack Installed [Passed]
1.2 Minor Service Pack and Hotfix Requirements
1.2.1 All Critical Hotfixes available to date have been installed. [Failed]
2 Auditing and Account Policies
2.1 Major Auditing and Account Policies Requirements
2.1.1 Minimum Password Length [Failed]
2.1.2 All passwords are no more than 90 days old (maximum). [Passed]
2.2 Minor Auditing and Account Policies Requirements
2.2.1 Audit Policy (minimums)
2.2.1.1 Audit Account Logon Events: Success and Failure [Failed]
2.2.1.2 Audit Account Management: Success and Failure [Failed]
2.2.1.3 Audit Directory Service Access: Not Defined [Not Tested]
2.2.1.4 Audit Logon Events: Success and Failure [Failed]
2.2.1.5 Audit Object Access [Failed]
2.2.1.6 Audit Policy Change: Success and Failure [Failed]
2.2.1.7 Audit Privilege Use: Failure (minimum) [Failed]
2.2.1.8 Audit Process Tracking: Optional [Not Tested]
2.2.1.9 Audit System Events: Success and Failure [Failed]
2.2.2 Account Policy
2.2.2.1 Minimum Password Age: 1 day [Failed]
2.2.2.2 Maximum Password Age: 90 days (as per major requirements) [Passed]
2.2.2.3 Minimum Password Length: 8 characters (as per major requirements) [Failed]
2.2.2.4 Password Complexity: Enabled [Failed]
2.2.2.5 Password History: 24 Passwords Remembered [Failed]
2.2.2.6 Store Passwords using Reversible Encryption: Disabled [Failed]
2.2.3 Account Lockout Policy
2.2.3.1 Account Lockout Duration [Failed]
2.2.3.2 Account Lockout Threshold [Failed]
2.2.3.3 Reset Account Lockout After [Failed]
2.2.4 Event Log Settings – Application, Security, and System Logs
2.2.4.1 Application Log
2.2.4.1.1 Maximum Event Log Size [Not Tested]
2.2.4.1.2 Restrict Guest Access [Not Tested]
2.2.4.1.3 Log Retention Method [Not Tested]
2.2.4.1.4 Log Retention [Not Tested]
2.2.4.2 Security Log
2.2.4.2.1 Maximum Event Log Size [Not Tested]
2.2.4.2.2 Restrict Guest Access [Not Tested]
2.2.4.2.3 Log Retention Method [Not Tested]
2.2.4.2.4 Log Retention [Not Tested]
2.2.4.3 System Log
2.2.4.3.1 Maximum Event Log Size [Not Tested]
2.2.4.3.2 Restrict Guest Access [Not Tested]
2.2.4.3.3 Log Retention Method [Not Tested]
2.2.4.3.4 Log Retention [Not Tested]
3 Security Settings
3.1 Major Security Settings
3.1.1 Additional Restrictions for Anonymous Connections: “No Access Without Explicit Anonymous Permissions” [Failed]
3.2 Minor Security Settings
3.2.1 Security Options
3.2.1.1 Allow Server Operators to Schedule Tasks: Not Applicable [Not Tested]
3.2.1.2 Allow System to be Shut Down Without Having to Log On: Disabled [Not Tested]
3.2.1.3 Allowed to Eject Removable NTFS Media: Administrators [Not Tested]
3.2.1.4 Amount of Idle Time Required Before Disconnecting Session: 30 Minutes (minimum) [Passed]
3.2.1.5 Audit the access of global system objects: Not Defined [Not Tested]
3.2.1.6 Audit the use of backup and restore privilege: Not Defined [Not Tested]
3.2.1.7 Automatically Log Off Users When Logon Time Expires: Enabled [Not Tested]
3.2.1.8 Automatically Log Off Users When Logon Time Expires (local): Not Defined [Not Tested]
3.2.1.9 Clear Virtual Memory Pagefile When System Shuts Down: Enabled [Not Tested]
3.2.1.10 Digitally Sign Client Communication (Always): Not Defined [Not Tested]
3.2.1.11 Digitally Sign Client Communication (When Possible): Enabled [Not Tested]
3.2.1.12 Digitally Sign Server Communication (Always): Not Defined [Not Tested]
3.2.1.13 Digitally Sign Server Communication (When Possible): Enabled [Not Tested]
3.2.1.14 Disable CTRL+ALT+Delete Requirement for Logon: Disabled [Failed]
3.2.1.15 Do Not Display Last User Name in Logon Screen: Enabled [Not Tested]
3.2.1.16 LAN Manager Authentication Level: “Send NTLMv2 response only” (minimum) [Failed]
3.2.1.17 Message Text for Users Attempting to Log On: Custom Message or “This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.” [Failed]
3.2.1.18 Message Title for Users Attempting to Log On: “Warning:” or custom title. [Failed]
3.2.1.19 Number of Previous Logons to Cache: 0 [Not Tested]
3.2.1.20 Prevent System Maintenance of Computer Account Password: Disabled [Not Tested]
3.2.1.21 Prevent Users from Installing Printer Drivers: Enabled [Failed]
3.2.1.22 Prompt User to Change Password Before Expiration: 14 Days (minimum) [Passed]
3.2.1.23 Recovery Console: Allow Automatic Administrative Logon: Disabled [Passed]
3.2.1.24 Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders: Disabled [Not Tested]
3.2.1.25 Rename Administrator Account: Any value other than ‘Administrator’ [Failed]
3.2.1.26 Rename Guest Account: Any value other than ‘Guest’ [Failed]
3.2.1.27 Restrict CD-ROM Access to Locally Logged-On User Only: Not Defined [Not Tested]
3.2.1.28 Restrict Floppy Access to Locally Logged-On User Only: Enabled [Not Tested]
3.2.1.29 Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always): Not Defined [Not Tested]
3.2.1.30 Secure Channel: Digitally Encrypt Secure Channel Data (When Possible): Enabled [Passed]
3.2.1.31 Secure Channel: Digitally Sign Secure Channel Data (When Possible): Enabled [Passed]
3.2.1.32 Secure Channel: Require Strong (Windows 2000 or later) Session Key: Not Defined [Not Tested]
3.2.1.33 Send Unencrypted Password to Connect to Third-Party SMB Servers: Disabled [Passed]
3.2.1.34 Shut Down system immediately if unable to log security audits: Not Defined [Not Tested]
3.2.1.35 Smart Card Removal Behavior: “Lock Workstation” (minimum) [Not Tested]
3.2.1.36 Strengthen Default Permissions of Global System Objects (e.g. Symbolic Links): Enabled [Passed]
3.2.1.37 Unsigned Driver Installation Behavior: “Warn, but allow installation” (minimum) or “Do Not Allow Installation”. [Error]
3.2.1.38 Unsigned Non-Driver Installation Behavior: “Warn, but allow installation” (minimum) or “Do Not Allow Installation” [Error]
3.2.2 Additional Registry Settings
3.2.2.1 Suppress Dr. Watson Crash Dumps: HKLM\Software\Microsoft\DrWatson\CreateCrashDump (REG_DWORD) 0 [Not Tested]
3.2.2.2 Disable Automatic Execution of the System Debugger: HKLM\Software\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto (REG_DWORD) 0 [Not Tested]
3.2.2.3 Disable autoplay from any disk type, regardless of application: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) 255 [Not Tested]
3.2.2.4 Disable Automatic Logon: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon (REG_SZ) 0 [Not Tested]
3.2.2.5 Mask any typed passwords with asterisks: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds (REG_DWORD) 1 [Not Tested]
3.2.2.6 Disable Dial-in access to the server: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoDialIn (REG_DWORD) 1 [Not Tested]
3.2.2.7 Disable automatic reboots after a Blue Screen of Death: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot (REG_DWORD) 0 [Not Tested]
3.2.2.8 Disable CD Autorun: HKLM\System\CurrentControlSet\Services\CDrom\Autorun (REG_DWORD) 0 [Not Tested]
3.2.2.9 Remove administrative shares on workstations: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks (REG_DWORD) 0 [Not Tested]
3.2.2.10 Protect against Computer Browser Spoofing Attacks: HKLM\System\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset (REG_DWORD) 1 [Not Tested]
3.2.2.11 Protect against source-routing spoofing: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting (REG_DWORD) 2 [Not Tested]
3.2.2.12 Protect the Default Gateway network setting: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect (REG_DWORD) 0 [Not Tested]
3.2.2.13 Ensure ICMP Routing via shortest path first: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect (REG_DWORD) 0 [Not Tested]
3.2.2.14 Help protect against packet fragmentation: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery (REG_DWORD) 0 [Not Tested]
3.2.2.15 Manage Keep-alive times: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime (REG_DWORD) 300000 [Not Tested]
3.2.2.16 Protect Against Malicious Name-Release Attacks: HKLM\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand (REG_DWORD) 1 [Not Tested]
3.2.2.17 Ensure Router Discovery is Disabled: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery (REG_DWORD) 0 [Not Tested]
3.2.2.18 Protect against SYN Flood attacks: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect (REG_DWORD) 2 [Not Tested]
3.2.2.19 SYN Attack protection – Manage TCP Maximum half-open sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen (REG_DWORD) 100 or 500 [Not Tested]
3.2.2.20 SYN Attack protection – Manage TCP Maximum half-open retried sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenretried (REG_DWORD) 80 or 400 [Not Tested]
3.2.2.21 Enable IPSec to protect Kerberos RSVP Traffic: HKLM\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt (REG_DWORD) 1 [Not Tested]
3.2.2.1
3.2.2.1.1 Disable autoplay for the current user: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) 255 [Not Tested]
3.2.2.1.2 Disable autoplay for new users by default: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) Not Defined [Not Tested]
4 Additional Security Protection
4.1 Available Services
4.1.1 Alerter – Disabled [Failed]
4.1.2 Clipbook – Disabled [Failed]
4.1.3 Computer Browser – Disabled [Not Tested]
4.1.4 Fax Service – Disabled [Failed]
4.1.5 FTP Publishing Service – Disabled [Not Tested]
4.1.6 IIS Admin Service – Disabled [Not Tested]
4.1.7 Internet Connection Sharing – Disabled [Not Tested]
4.1.8 Messenger – Disabled [Failed]
4.1.9 NetMeeting Remote Desktop Sharing – Disabled [Failed]
4.1.10 Remote Registry Service – Disabled [Not Tested]
4.1.11 Routing and Remote Access – Disabled [Not Tested]
4.1.12 Simple Mail Transfer Protocol (SMTP) – Disabled [Not Tested]
4.1.13 Simple Network Management Protocol (SNMP) Service – Disabled [Not Tested]
4.1.14 Simple Network Management Protocol (SNMP) Trap – Disabled [Not Tested]
4.1.15 Telnet – Disabled [Error]
4.1.16 World Wide Web Publishing Services – Disabled [Not Tested]
4.1.17 Automatic Updates – Not Defined [Not Tested]
4.1.18 Background Intelligent Transfer Service (a.k.a. BITS) – Not Defined [Not Tested]
4.2 User Rights
4.2.1 Access this computer from the network: Users, Administrators (or none) [Not Tested]
4.2.2 Act as part of the operating system: None [Not Tested]
4.2.3 Add workstations to domain: Not applicable [Not Tested]
4.2.4 Back up files and directories: Administrators [Not Tested]
4.2.5 Bypass traverse checking: Users [Not Tested]
4.2.6 Change the system time: Administrators [Not Tested]
4.2.7 Create a pagefile: Administrators [Not Tested]
4.2.8 Create a token object: None [Not Tested]
4.2.9 Create permanent shared objects: None [Not Tested]
4.2.10 Debug Programs: None [Not Tested]
4.2.11 Deny access to this computer from the network: Guests [Not Tested]
4.2.12 Deny logon as a batch job: None by default (others allowable as appropriate) [Not Tested]
4.2.13 Deny logon as a service: None by default (others allowable as appropriate) [Not Tested]
4.2.14 Deny logon locally: “Guests” by default (others allowable as appropriate) [Not Tested]
4.2.15 Enable computer and user accounts to be trusted for delegation: Not Applicable [Not Tested]
4.2.16 Force shutdown from a remote system: Administrators [Not Tested]
4.2.17 Generate security audits: None [Not Tested]
4.2.18 Increase quotas: Administrators [Not Tested]
4.2.19 Increase scheduling priority: Administrators [Not Tested]
4.2.20 Load and unload device drivers: Administrators [Not Tested]
4.2.21 Lock pages in memory: None [Not Tested]
4.2.22 Log on as a batch job: None (“Not Defined”) [Not Tested]
4.2.23 Log on as a service: None (“Not Defined”) [Not Tested]
4.2.24 Log on locally: Administrators (other specific users allowable) [Not Tested]
4.2.25 Manage auditing and security log: Administrators [Not Tested]
4.2.26 Modify firmware environment values: Administrators [Not Tested]
4.2.27 Profile single process: Administrators [Not Tested]
4.2.28 Profile system performance: Administrators [Not Tested]
4.2.29 Remove computer from docking station: Administrators [Not Tested]
4.2.30 Replace a process level token: None [Not Tested]
4.2.31 Restore files and directories: Administrators [Not Tested]
4.2.32 Shut down the system: Administrators [Not Tested]
4.2.33 Synchronize directory service data: Not Applicable [Not Tested]
4.2.34 Take ownership of file or other objects: Administrators [Not Tested]
4.3 Other System Requirements
4.3.1 Ensure volumes are using the NTFS file system [Failed]

Detailed Rule Results

1 Service Packs and Hotfixes
Description

Microsoft periodically distributes large updates to its operating systems in the form of Service Packs, as often as once every few months, or less frequently. Service Packs include all major and minor fixes up to the date of the service pack, and are extensively tested by Microsoft prior to release. In light of the vast number of applications available, it is entirely possible that a bug in a Service Pack may not be discovered, and may slip through this engineering analysis process. Service Packs should be used in a test environment before being pushed into production. If a test system is not available, wait a week or two after the release of a Service Pack, and pay attention to the Microsoft web site for potential bug reports. Additional mailing list and Internet resources are listed in the appendices of this document.

It is important to be aware that Service Packs and Hotfixes are not just applicable to operating systems. Individual applications have their own Service Pack and Hotfix requirements. A Windows 2000 system that is completely current on Windows 2000 Hotfixes and Service Packs also needs to be kept current with Service Packs and Hotfixes for Internet Explorer and Microsoft Office. The total security of the system requires attention to both Operating System and application levels.

Between the releases of Service Packs, Microsoft distributes intermediate updates to its operating systems in the form of Hotfixes. These updates are usually small and address a single problem.

Hotfixes can be released within hours of discovery of any particular bug or vulnerability, because they address a single problem. Since they are normally released so quickly, they do not pass through the rigorous testing involved with Service Packs. They should be used with caution at first, even more so than Service Packs. Each Hotfix includes a description of the issue it resolves, whether it is security related or fixes a different sort of problem. These should be weighed to determine whether the risk of installing the Hotfix outweighs the risk of not installing it.

Periodically, Microsoft will release a Hotfix “Roll-up”, which is middle ground between a Hotfix and a Service Pack.


1.1 Major Service Pack and Hotfix Requirements
Description

1.1.1 Current Service Pack Installed
Check Type: OVAL
Status: Passed
Description
At the time of this writing, Windows 2000 Service Pack 4 is available.
Warning
WARNING: Although Service Packs are generally reliable and go through extensive testing, it is possible that a given Service Pack is not compatible with every software product on the market. If possible, test service packs in a test environment, or at least wait until a service pack has been released for a short while before installing it, and watch for industry feedback on the compatibility of that service pack.

1.2 Minor Service Pack and Hotfix Requirements
Description

1.2.1 All Critical Hotfixes available to date have been installed.
Check Type: Questionnaire
Status: Failed
Description
Warning
WARNING: Although Hotfixes are generally reliable and go through some testing, there is a significant chance that a hotfix addressing a single problem is not compatible with every software product on the market, and may cause other problems. If possible, test hotfixes in a test environment, or at least wait until they have been released for a short while before installation, and watch for industry feedback on the compatibility of those hotfixes.

2 Auditing and Account Policies
Description

2.1 Major Auditing and Account Policies Requirements
Description

2.1.1 Minimum Password Length
Check Type: OVAL
Status: Failed
Description
All passwords are at least 8 characters long (minimum).

There is an ongoing debate as to whether complex passwords that are longer than 7 characters are any more secure than passwords of exactly 7 characters, or passwords that are multiples of 7 characters. The overriding factor is that, with regard to LAN Manager password hashes (which are computed over the password in independent 7-character halves), password complexity within each block of 7 characters determines how difficult passwords are to crack. The general consensus is that passwords of 8 or more characters, when combined with other factors discussed herein, make passwords very difficult to crack.


2.1.2 All passwords are no more than 90 days old (maximum).
Check Type: OVAL
Status: Passed
Description

Many system and network administrators and help desk personnel spend significant time and effort ensuring that users change their passwords on a regular basis. This is a part of system administration that affects every user in a domain. What many people overlook is that each Windows 2000 Server has at least one “Administrator” account and one “Guest” account. The guest account is disabled by default, but the Administrator account is never disabled, never locks out, and has free rein over that server. These passwords are often left unchanged for the life of a computer.

In addition, there may be service accounts with elevated privileges that never have their password changed either. Administrator or privileged accounts with passwords that never change are prime targets for an intruder, and make it easy to gain an initial foothold into a computer, company workgroup, or domain.


2.2 Minor Auditing and Account Policies Requirements
Description

2.2.1 Audit Policy (minimums)
Description

The “Audit Policy” determines what sorts of system events the computer tracks or records so that administrators can determine what has actually happened over time. The events may be used to track actions that an application performed, or actions that a user performed. They may also indicate attempts by unauthorized users to penetrate a computer from the user console or the network. There are a number of security-related events that should be recorded, but none are recorded by default.

Click the Start button and navigate to Settings, and then the Control Panel. Double-click “Administrative Tools”. Then double-click “Local Security Policy”. In the left pane, expand Local Policies, and click Audit Policy. To make changes, double-click one of the settings in the right pane, check or uncheck the appropriate boxes, and click OK to save the settings. They will take effect when the Local Security Policy editor is closed.


2.2.1.1 Audit Account Logon Events: Success and Failure
Check Type: OVAL
Status: Failed
Description

Auditing account logon events will track successful and failed logon attempts from the local console, the network, or batch or service accounts using domain logon credentials. If a user attempts to log on and fails, the only way to know will be to have this auditing enabled, and to periodically check the local machine’s Security Event Log.


2.2.1.2 Audit Account Management: Success and Failure
Check Type: OVAL
Status: Failed
Description

In order to track successful and failed attempts to create new users or groups, rename users or groups, enable or disable users, or change accounts’ passwords, enable auditing for Account Management events.


2.2.1.3 Audit Directory Service Access: Not Defined
Check Type: None
Status: Not Tested
Description

No auditing of Directory Service Access is required on Windows 2000 Servers that are member or stand-alone servers, because Directory Service Access can only be audited on Windows 2000 (or later) domain controllers.


2.2.1.4 Audit Logon Events: Success and Failure
Check Type: OVAL
Status: Failed
Description

Auditing logon events will track successful and failed logon attempts from the local console, the network, or batch or service accounts using local machine logon credentials. If a user attempts to log on and fails, the only way to know will be to have this auditing enabled, and to periodically check the local machine’s Security Event Log.


2.2.1.5 Audit Object Access
Check Type: OVAL
Status: Failed
Description

It is possible to track when specific users access specific files. In order to track users’ access to files, go to that file or folder, edit the security properties for that object, and enable auditing for specific users or groups on those objects.

Also, enable Audit Object Access for success or failure here, and each audit that fulfills your requirements will produce an event in the security event log. Enabling this option in the audit policy does not produce events by itself, unless objects and users are actively being audited.


2.2.1.6 Audit Policy Change: Success and Failure
Check Type: OVAL
Status: Failed
Description

If policy changes are audited, changes to User Rights, Audit Policies, or Trust Policies will produce events in the Security Event Log. Some people prefer not to audit successful Policy Change events because a large number of them can be generated in an event log during the course of normal business.


2.2.1.7 Audit Privilege Use: Failure (minimum)
Check Type: OVAL
Status: Failed
Description

Auditing privilege use enables auditing for any operation that would require a user account to make use of extra privileges that it has already been assigned. If this is enabled, events will be generated in the Security Event Log if a user or process attempts to bypass traverse checking, debug programs, create a token object, replace a process level token, or generate security audits. It will also generate events if a user or account attempts to back up or restore files or directories using the Backup or Restore user right, but only if the security option to audit backups and restores is enabled.

Privilege Use is exercised by all user accounts on a regular basis. If success and failure events are audited, there will be a great many events in the event log reflecting such use. This is normal, and sorting through these events is part of the cost of detailed auditing.


2.2.1.8 Audit Process Tracking: Optional
Check Type: None
Status: Not Tested
Description

Each time an application or a user starts, stops, or otherwise changes a process, it will create an event in the event log. This creates a very large event log very quickly, and the information is not normally exceptionally useful, unless you are tracking a very specific behavior. As such, auditing process tracking is not required, and is only recommended when absolutely necessary.


2.2.1.9 Audit System Events: Success and Failure
Check Type: OVAL
Status: Failed
Description

Auditing System events is very important. System events include starting or shutting down the computer, full event logs, or other security-related events that have impact across the entire system. Auditing of Success and Failure events should be enabled.


2.2.2 Account Policy
Description

2.2.2.1 Minimum Password Age: 1 day
Check Type: OVAL
Status: Failed
Description

If users are required to change their passwords, and the operating system remembers a certain number of passwords, the only way to keep users from cycling through the remembered passwords is to set a minimum lifetime requirement for each new password once it has been changed. As long as this is set to a time greater than zero, users are unable to cycle back to their favorite password.


2.2.2.2 Maximum Password Age: 90 days (as per major requirements)
Check Type: OVAL
Status: Passed
Description

Many system and network administrators and help desk personnel spend significant time and effort ensuring that users change their passwords on a regular basis. This is a part of system administration that affects every user in a domain. What many people overlook is that each Windows 2000 Server computer has at least one “Administrator” account and one “Guest” account. The guest account is disabled by default, but the Administrator account is never disabled, never locks out, and has free rein over that computer. These passwords are often left unchanged for the life of a computer.

In addition, there may be service accounts with elevated privileges that never have their password changed either. Administrator or privileged accounts with passwords that never change are prime targets for an intruder, and make it easy to gain an initial foothold into a computer, company workgroup, or domain.


2.2.2.3 Minimum Password Length: 8 characters (as per major requirements)
Check Type: OVAL
Status: Failed
Description

There is an ongoing debate as to whether complex passwords that are longer than 7 characters are any more secure than passwords of exactly 7 characters, or passwords that are multiples of 7 characters. The overriding factor is that, with regard to LAN Manager password hashes (which are computed over the password in independent 7-character halves), password complexity within each block of 7 characters determines how difficult passwords are to crack. The general consensus is that passwords of 8 or more characters, when combined with other factors discussed herein, make passwords very difficult to crack.

Accounts that are granted Administrative access, or are assigned to services that are granted exceptional rights, should be given passwords or pass-phrases that are 12 or more characters in length.


2.2.2.4 Password Complexity: Enabled
Check Type: Questionnaire
Status: Failed
Description

Passwords are made up of various characters, which can be broken down into four character groups. These are uppercase alphabetic, lowercase alphabetic, numeric, and special characters. Requiring complex passwords will require new passwords to use characters from three of those four groups.

Complex passwords become difficult for users to remember, easier to mistype, and result in more users calling support personnel for password assistance. Requiring complex passwords also increases the time necessary to crack passwords exponentially.

There may be some cases where the standard Microsoft complexity requirements do not meet the business or security requirements of specified systems. Microsoft has made it possible to create custom password filters, and many vendors have done just that. Links to some of the available filters can be found in Appendix B.


2.2.2.5 Password History: 24 Passwords Remembered
Check Type: OVAL
Status: Failed
Description

Passwords should be changed on a regular basis. By that same rule, users should not be permitted to use the same few passwords over and over again. The Enforce Password History setting determines how many previous passwords are stored to ensure that users do NOT cycle through regular passwords. The NSA requirement of 24 passwords remembered should be viable for public use as well.


2.2.2.6 Store Passwords using = Reversible=20 Encryption: Disabled Check Type: Status:
Questionnaire Failed
Description

One of the rare strengths of the Windows password models is = that they=20 use one-way encryption. That is, the passwords are encrypted to a = numeric=20 value, called a =E2=80=9Chash=E2=80=9D. This hash can not be = decrypted to directly=20 discover the original password.

IIn order to support some applications and their = authentication,=20 Microsoft permits the ability to store passwords using reversible=20 encryption. If at all possible, this should be avoided. This = option is=20 disabled by default, and should remain so. Any application that = requires=20 reversible encryption for passwords is purposely putting systems = at=20 risk.
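The password rules in 2.2.2.3 through 2.2.2.6 (12-character minimum for privileged accounts, three of four character groups, 24 passwords remembered, no reversible storage), as an added Python example that is not part of the CIS report or its scoring tool; the salted SHA-256 history store is an illustration of one-way hashing and is not the format Windows itself uses.

```python
import hashlib
import os
import string

# Added example, not from the CIS report. It models the password rules the report
# describes: 12+ characters for administrative/service accounts (2.2.2.3),
# characters from three of the four groups (2.2.2.4), a history of the last 24
# passwords (2.2.2.5) kept only as one-way hashes, never reversibly (2.2.2.6).

HISTORY_SIZE = 24           # "24 passwords remembered"
PRIVILEGED_MIN_LENGTH = 12  # length for administrative / service accounts

CHAR_GROUPS = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

def character_groups(password):
    """Names of the character groups that appear in the password."""
    return {name for name, chars in CHAR_GROUPS.items() if any(c in chars for c in password)}

def meets_complexity(password):
    """Rule from 2.2.2.4: characters from at least three of the four groups."""
    return len(character_groups(password)) >= 3

def hash_password(password, salt):
    """One-way hash: the original password cannot be recovered from it (2.2.2.6).
    Salted SHA-256 is used here for illustration only."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

class PasswordHistory:
    """Keeps the last HISTORY_SIZE password hashes for one account (2.2.2.5)."""

    def __init__(self, size=HISTORY_SIZE):
        self.size = size
        self.entries = []   # (salt, hash) pairs, oldest first

    def was_used(self, password):
        # Compare by re-hashing with each stored salt; no stored value is reversible
        return any(hash_password(password, salt) == h for salt, h in self.entries)

    def remember(self, password):
        salt = os.urandom(16)
        self.entries.append((salt, hash_password(password, salt)))
        del self.entries[:-self.size]   # keep only the most recent `size` entries

def validate_new_password(password, history, privileged=False):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if privileged and len(password) < PRIVILEGED_MIN_LENGTH:
        problems.append("too short for a privileged account")
    if not meets_complexity(password):
        problems.append("fewer than three character groups")
    if history.was_used(password):
        problems.append("reused from password history")
    return problems

def change_password(password, history, privileged=False):
    """Apply the rules and, if they pass, record the new password in the history."""
    problems = validate_new_password(password, history, privileged)
    if not problems:
        history.remember(password)
    return problems
```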


2.2.3 Account Lockout Policy
Description

One of the older methods used to guess a user’s password was to repeatedly attempt to access a computer using a logical or known account name and a constantly changing password until one succeeds. In order to counter the usefulness of this attack, account authorization can be set to “lock out” an account if too many login attempts (Account Lockout Threshold) are made in a determined period of time (Reset Account Lockout After) for a period of time (Lockout Duration). If an account is locked out, the system refuses to authenticate that account until the locked-out account is reset, either automatically or by an administrator.
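How the three lockout values interact, as an added Python model that is not part of the CIS report or its tool; it assumes the usual Windows behaviour that the bad-password counter is cleared once the reset window has passed since the last failure, and that a duration of 0 means the lock holds until an administrator resets it.

```python
# Added example, not from the CIS report. It models how the three Account
# Lockout Policy values in 2.2.3 interact: failed logons are counted, the count
# resets once "Reset Account Lockout After" minutes have passed since the last
# failure, and reaching "Account Lockout Threshold" locks the account for
# "Account Lockout Duration" minutes (0 = until an administrator resets it).
# Times are minutes supplied by the caller so a sequence can be replayed.

class LockoutPolicy:
    def __init__(self, threshold, reset_after, duration):
        self.threshold = threshold      # Account Lockout Threshold; 0 means never lock
        self.reset_after = reset_after  # Reset Account Lockout After (minutes)
        self.duration = duration        # Account Lockout Duration (minutes); 0 = manual reset

class Account:
    def __init__(self, policy):
        self.policy = policy
        self.bad_count = 0        # failed attempts inside the current reset window
        self.last_failure = None  # minute of the most recent failure
        self.locked_since = None  # minute the lock began, or None if not locked

    def is_locked(self, now):
        """True while the account is locked; clears an expired lock as a side effect."""
        if self.locked_since is None:
            return False
        if self.policy.duration and now - self.locked_since >= self.policy.duration:
            self.reset()          # automatic unlock once the duration has elapsed
            return False
        return True

    def reset(self):
        """Administrator reset, or expiry of the lockout duration."""
        self.locked_since = None
        self.bad_count = 0
        self.last_failure = None

    def attempt(self, now, password_ok):
        """Outcome of a logon at minute `now`: 'success', 'failure' or 'locked'."""
        if self.is_locked(now):
            return "locked"       # even a correct password is refused while locked
        if self.last_failure is not None and now - self.last_failure >= self.policy.reset_after:
            self.bad_count = 0    # reset window elapsed with no new failure
        if password_ok:
            self.bad_count = 0
            return "success"
        self.bad_count += 1
        self.last_failure = now
        if self.policy.threshold and self.bad_count >= self.policy.threshold:
            self.locked_since = now
        return "failure"

def replay(policy, attempts):
    """Run a list of (minute, password_ok) attempts against a fresh account."""
    account = Account(policy)
    return [account.attempt(minute, ok) for minute, ok in attempts]

# Constructed scenario: five wrong guesses in five minutes, then the real password
# one minute later (still locked) and again after the 30-minute duration (accepted).
GUESSING_RUN = [(0, False), (1, False), (2, False), (3, False), (4, False), (5, True), (34, True)]
```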


2.2.3.1 Account Lockout Duration
Check Type: OVAL    Status: Failed
Description

2.2.3.2 Account Lockout Threshold
Check Type: OVAL    Status: Failed
Description

2.2.3.3 Reset Account Lockout After
Check Type: OVAL    Status: Failed
Description

2.2.4 Event Log Settings – Application, Security, and System Logs
Description

When events are audited, they are stored in one of the Windows Event Logs. The three event logs common to all Windows computers are the Application, Security, and System logs. Obviously, the Security event log potentially holds most of the relevant details for a security standard, but in the event that administrators need to reconstruct events that have occurred, any source of information can be significant, so all logs need to be addressed.

The default size of each event log is 512k. This has been standard since the days of Windows NT 3.5, when a 2 GB hard drive was a rare thing, and a 40 GB hard drive was only a dream. Using modern hardware, 80 MB of hard drive space for each event log should not be a burden. Access to event logs should be restricted from guest access. Log retention should normally be set to overwrite events “as needed” unless an administrator is earnestly going to be checking the logs on a regular basis, in which case it should be set to retain logs “by days” and the Log Retention should be set to at least 14 days, or as long as it takes for an administrator to archive the event logs on another system.


2.2.4.1 Application Log
Description

2.2.4.1.1 Maximum Event Log Size
Check Type: None    Status: Not Tested
Description

2.2.4.1.2 Restrict Guest Access
Check Type: None    Status: Not Tested
Description

2.2.4.1.3 Log Retention Method
Check Type: None    Status: Not Tested
Description

2.2.4.1.4 Log Retention
Check Type: None    Status: Not Tested
Description

2.2.4.2 Security Log
Description

2.2.4.2.1 Maximum Event Log Size
Check Type: None    Status: Not Tested
Description

2.2.4.2.2 Restrict Guest Access
Check Type: None    Status: Not Tested
Description

2.2.4.2.3 Log Retention Method
Check Type: None    Status: Not Tested
Description

2.2.4.2.4 Log Retention
Check Type: None    Status: Not Tested
Description

2.2.4.3 System Log
Description

2.2.4.3.1 Maximum Event Log Size
Check Type: None    Status: Not Tested
Description

2.2.4.3.2 Restrict Guest Access
Check Type: None    Status: Not Tested
Description

2.2.4.3.3 Log Retention Method
Check Type: None    Status: Not Tested
Description

2.2.4.3.4 Log Retention
Check Type: None    Status: Not Tested
Description

3 Security Settings
Description

Security settings are changed in the Local Security Policy Editor. Expand Local Policies to Security Options. Double-click a setting, make the appropriate changes, and click OK. Once the Local Security Policy Editor is closed, the settings will take effect.


3.1 Major Security Settings
Description

Click the Start button and navigate to Settings, and the Control Panel. Double-click “Administrative Tools”. Then double-click “Local Security Policy”. In the left pane, expand Local Policies, and click Security Options. To make changes, double-click one of the settings in the right pane, make the appropriate changes, and click OK to save the settings. They will become effective immediately, but won’t show up in the Local Security Policy editor until it is closed.


3.1.1 Additional Restrictions for Anonymous Connections: “No Access Without Explicit Anonymous Permissions”
Check Type: OVAL    Status: Failed
Description

The first setting under “Security Options” is “Additional Restrictions for Anonymous Connections”. It can be set to “None. Rely on default permissions”, “Do not allow enumeration of SAM accounts or shares”, or “No access without explicit anonymous permissions”. Change this setting to the last choice, and protect your computer from access by the Null User account.

Warning
WARNING: Note that doing so may disable older programs that make use of this account. It will also hamper Windows NT 4.0 Domain Controllers from communicating with each other across trust relationships. Personal users probably don’t have to worry about this setting, but should be wary if something doesn’t work right after it is changed. Corporate or Government users should test this in an extensive lab environment before mandating it among many users.

3.2 Minor Security Settings
Description

3.2.1 Security Options
Description

3.2.1.1 Allow Server Operators to Schedule Tasks: Not Applicable
Check Type: None    Status: Not Tested
Description

This setting is designed for Windows 2000 Server Domain Controllers. It has no effect on Windows 2000 member server computers.


3.2.1.2 Allow System to be Shut Down Without Having to Log On: Disabled
Check Type: None    Status: Not Tested
Description

By default, Windows 2000 Professional enables this option, and Windows 2000 Servers disable it. While logging on to shut down a system may be an inconvenience, it is necessary to ensure that the server is not rebooted without the users’ knowledge.


3.2.1.3 Allowed to Eject Removable NTFS Media: Administrators
Check Type: None    Status: Not Tested
Description

This setting determines which users are permitted to remove NTFS-formatted media from computers. This generally applies to removable disks such as JAZ or ZIP drives. If other users need to be granted this right, add them to the list, but the only group that should be listed here is Administrators.


3.2.1.4 Amount of Idle Time Required Before Disconnecting Session: 30 Minutes (minimum)
Check Type: OVAL    Status: Passed
Description

When Windows computers begin a connection with each other, they exchange username and password credentials, authenticating and authorizing use of shared resources. After a certain period of inactivity, that connection needs to be re-authenticated to ensure that the network connection is still originating from the correct valid user. The default value of 15 minutes is sufficient for most networks. Computers that do not share resources with other Windows computers are not affected by this setting.


3.2.1.5 Audit the access of global system objects: Not Defined
Check Type: None    Status: Not Tested
Description

One of the types of auditing that Windows is capable of is the auditing of Global System Objects. These kernel objects, such as mutexes, semaphores, and DOS devices, are normally audited by developers because they indicate programmatic behavior within the kernel. Normal system operation does not need to be audited in such detail. This setting is optional.


3.2.1.6 Audit the use of backup and restore privilege: Not Defined
Check Type: None    Status: Not Tested
Description

Another thing that Windows can audit is the use of the Backup Files or Restore Files privilege. When enabled, this will cause an event to be generated every time a file is backed up or restored. You can imagine that this will generate a significant number of events during normal operation. This setting is also optional.


3.2.1.7 Automatically Log Off Users When Logon Time Expires: Enabled
Check Type: None    Status: Not Tested
Description

One of the problems that we are faced with comes from the user who logs in when necessary, but remains logged in indefinitely. The way to prevent this behavior is to enable some restricted hours in the user’s profile, even if only half an hour in the middle of the night, and enable this setting to require the user to re-authenticate his login session at least once a day.

Another essential but separate practice is to require users to enable a password-protected screen saver that activates after 10 minutes of inactivity. This has to be enabled for each user, either manually through display settings, or through Group Policy. In any case, password-protected screen savers are not measured as part of compliance with this CIS standard.


3.2.1.8 Automatically Log Off Users When Logon Time Expires (local): Not Defined
Check Type: None    Status: Not Tested
Description

This setting is identical to the previous setting except that it applies to local accounts, where 3.2.1.7 applies to domain accounts and is normally applied through Group Policy.


3.2.1.9 Clear Virtual Memory Pagefile When System Shuts Down: Enabled
Check Type: None    Status: Not Tested
Description

As part of the normal behavior of a computer, not all of the “memory” being used is kept in the physical memory of a computer. Some of that memory is temporarily swapped or “paged” to disk when it is not in use. This allows the computer to act as if it has significantly more memory than it actually has. This was a lot more important when 128 MB of memory was prohibitively expensive, if you could manage to find it.

The memory saved to disk is not supposed to contain cryptographic keys or logon credentials, but usernames and passwords that are not integrated into the operating system are subject to being stored in the page file. When a computer is shut down, that pagefile is not normally overwritten. Anyone who can boot the computer to an alternate operating system can examine that disk space and obtain any sort of sensitive information that was written to the pagefile.

Enable this option to clear the pagefile on shutdown. This will ensure that any sensitive information is overwritten as the machine shuts down. Be aware that this will also increase the time that a computer takes to shut down, and also to start up. How long depends on how fast the computer is and how big the pagefile is.


3.2.1.10 Digitally Sign Client Communication (Always): Not Defined
Check Type: None    Status: Not Tested
Description

When one computer initiates a remote procedure call (RPC) with another, the computer that starts the conversation is the “client” and the computer fulfilling the request is the “server”, regardless of whether the computer is a workstation or a server. If you require this option, any time this computer acts as a “client” the server must also support digital signatures, or the requesting client will not permit the connection to complete.

Digitally signing such communication is always a good idea; however, if you require it all of the time, any situation that prevents it will prevent the session entirely. If you have a network where you can guarantee that all computers are capable of signing client communication, by all means, please do so. In most cases, the next option is more realistic.


3.2.1.11 Digitally Sign Client Communication (When Possible): Enabled
Check Type: None    Status: Not Tested
Description

When possible, digitally sign client communication. If not possible, for whatever reason, client communication will not be signed, but communication will be permitted. This is the best option for widespread acceptance. This is enabled by default.


3.2.1.12 Digitally Sign Server Communication (Always): Not Defined
Check Type: None    Status: Not Tested
Description

Just like 3.2.1.10, any time this computer acts as a server, or is answering requests from another computer, that computer must allow for signing ITS client session, or no session can be established. This may be desirable, but be careful when implementing it. It is not required.


3.2.1.13 Digitally Sign Server Communication (When Possible): Enabled
Check Type: None    Status: Not Tested
Description

It is still a good idea to digitally sign server communication from your local computer, and enabling this option to sign it “when possible” is a harmless way to ensure that traffic is signed whenever it can be. This option is enabled by default, and should remain enabled.


3.2.1.14 Disable CTRL+ALT+Delete Requirement for Logon: Disabled
Check Type: OVAL    Status: Failed
Description

The CTRL+ALT+Delete requirement for logon, by itself, is a very strong aid to the security of a Windows computer. There are tools available that can circumvent many aspects of Windows security, but the CTRL+ALT+Delete requirement at least makes it difficult to subvert the operating system.

That being said, this is one of the most confusing settings that Microsoft has ever given to the rest of the world. Look back at the name of the setting: “Disable CTRL+ALT+Delete…” This setting must be disabled to REQUIRE the CTRL+ALT+Delete for logon. Once again, that’s DISABLE the “Disable CTRL+ALT+Delete Requirement for Logon” setting.


3.2.1.15 Do Not Display Last User Name in Logon Screen: Enabled
Check Type: None    Status: Not Tested
Description

Anyone who walks up to a computer and presses CTRL+ALT+Delete can see the name of the last valid user who logged on to that system. As a result, they now have the name of a valid user for that computer. While it is true that there are other ways to garner that information, every little bit helps. Enable this setting to suppress the display of the last username.

Warning
WARNING: If you are enabling this setting in a multi-user environment, you can expect some users to call the help desk and complain because you are taking something away that they are accustomed to. The keys to making this sort of policy stick are to first get management approval and support, and second communicate your intentions ahead of time. Once the change is made, it should not be a shock to your users.

3.2.1.16 LAN Manager Authentication Level: “Send NTLMv2 response only” (minimum)
Check Type: OVAL    Status: Failed
Description

Windows network authentication has gone through some growing pains, and as a result has evolved quite a bit. The original LAN Manager (or LM) password hash is considered very weak. Using commercially available software and off-the-shelf computers, most LM password hashes can be used to reveal the actual password in a matter of days, or hours.

During the life of Windows NT, Microsoft developed the NTLM password hash and the NTLM version 2 (NTLMv2) password hash, which are significantly more difficult to break. All of these authentication methods are incorporated into Windows 2000.

The problem with password hashes is that when one computer attempts to authenticate with another, the default behavior is to send the basic LM hash along with the more secure NTLM hash. There are six choices available to determine what type of authentication is used and/or acceptable:

  1. Send LM & NTLM responses
  2. Send LM & NTLM, Use NTLMv2 session security if negotiated
  3. Send NTLM response only
  4. Send NTLMv2 response only
  5. Send NTLMv2 response only\refuse LM
  6. Send NTLMv2 response only\refuse LM & NTLM

The default option is the first and weakest – send LM & NTLM responses. As a result, using NTLM is ineffective because both protocols are sent together. In order to take a much more effective stand to protect network authentication, set LAN Manager Authentication Level to “Send NTLMv2 response only”. Enable stricter security if you are able to require it across your entire network.

Warning
WARNING: Enabling this setting may have adverse effects on your ability to communicate with other Windows machines unless the change is made network-wide. If you find that you are unable to require a certain level of LM Authentication, back down to “Send LM & NTLM – Use NTLMv2 session security if negotiated” and try your network authentication again. Communication with Windows 9x/Me machines will require them to have installed the DSCLIENT.EXE utility from the Windows 2000 installation CD.

3.2.1.17 Message Text for Users Attempting to Log On: Custom Message or “This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.”
Check Type: OVAL    Status: Failed
Description

There is a legal precedent in the United States that says an intruder in a network or computer system is not an intruder unless he has been warned that he is not welcome on that system, and he accepts the fact that, by entering that computer system, his acts may be monitored. This is the equivalent of a digital “No Trespassing” sign, commonly called a Banner.

The sample banner provided above is an approved banner provided by the United States Department of Justice. It has been deemed suitable by the government. If your organization expects to prosecute criminal behavior detected on its networks, you are advised to have this sample banner approved by your own legal counsel, or ask them to suggest and approve one for your organization.


3.2.1.18 Message Title for Users Attempting to Log On: “Warning:” or custom title.
Check Type: OVAL    Status: Failed
Description

The message title goes hand-in-hand with the message text. No matter what else you put in your message title and text, don’t say “Welcome”. Remember that you are warning potential intruders away. You don’t want anything that can be construed as an invitation.


3.2.1.19 Number of Previous Logons to Cache: 0
Check Type: None    Status: Not Tested
Description

“Cached logon credentials” has no effect unless the computer is a member of a domain and the user logs on using a domain account. If a user logs on to a computer through a domain account, then takes that computer off the network, he or she will need to authenticate somewhere to gain controlled access to the computer. Windows retains or caches the logon credentials of some number of users (the default is 10) so that if they logged in before, they will be able to log on again if the computer can’t reach a domain controller to authenticate the user.

The preferred value for this setting is zero – to disallow any user from logging on to a computer if it is unable to contact a domain.


3.2.1.20 Prevent System Maintenance of Computer Account Password: Disabled
Check Type: None    Status: Not Tested
Description

Most people are unaware that when a computer is part of a domain, that computer has its own account name and password (separate from usernames and their passwords) that authenticates against the domain. Since that happens, it is potentially possible to gain some access to a domain using the computer’s account and password.

Windows 2000 computers are capable of changing the password to their machine account on a regular basis, requiring no action on the part of the user – their username and password is entirely separate from that of the computer. Leave that capability enabled (that is, keep this setting disabled) to allow domain members to protect their accounts’ passwords.

This has no effect unless the computer is a member of a domain.


3.2.1.21 Prevent Users from Installing Printer Drivers: Enabled
Check Type: OVAL    Status: Failed
Description

When printer drivers are installed onto an operating system, their code is installed directly into the privileged space of the operating system kernel. This allows printer drivers to accomplish tasks that are beyond the actual user’s capability. Unfortunately, it also opens the operating system up to execute malicious code in the form of a “Trojan Horse” printer driver.


3.2.1.22 Prompt User to Change Password Before Expiration: 14 Days (minimum)
Check Type: OVAL    Status: Passed
Description

Part of the password cycle is to notify users when their password is in danger of expiring. Give users plenty of notice so that they can change their password in time to avoid more help desk calls. 14 days should exceed most other commitments, including most vacations.


3.2.1.23 Recovery Console: Allow Automatic Administrative Logon: Disabled
Check Type: OVAL    Status: Passed
Description

One of the features new to Windows 2000 is the Recovery Console. The Recovery Console gives limited command-line access to an otherwise unbootable operating system.

It was developed in response to the fact that the NTFS file system does not natively allow access if the operating system becomes unbootable. Other third-party applications have been developed to perform this action as well, but the Recovery Console is part of the operating system. It can be installed from the Windows 2000 CD with the “d:\i386\winnt32.exe /cmdcons” command. It can also be run directly from the Windows 2000 installation CD.

The Recovery Console does not grant full and unrestricted access to the operating system by default. It does require that you log on using the password of the default Administrator account. Bear in mind that this is not any administrator, but the Administrator. If the Administrator account has been renamed (as it should be) you still need the password for that account.

Also built into the Recovery Console is this security setting, and the next one. This setting allows Administrators to remove that logon requirement, letting anyone who can reboot the computer bypass all security and directly access the operating system. This is generally accepted as a bad idea. Disable this setting, and keep positive track of the password to your local Administrator account.


3.2.1.24 Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders: Disabled
Check Type: None    Status: Not Tested
Description

One of the other features of the Windows 2000 Recovery Console is that it does not allow access to all files and folders on the hard drives. It allows access to the root folder of each volume and the %systemroot% folder, normally c:\winnt, and its subfolders. Even then, it does not allow the operator to copy files from the hard drive to removable media.

The “Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders” Security Setting is designed to optionally circumvent the Recovery Console’s ability to protect the operating system. This setting is disabled by default, and it should remain disabled.


3.2.1.25 Rename Administrator Account: Any value other than ‘Administrator’
Check Type: OVAL    Status: Failed
Description

The only credentials required to access a computer, either at the console or on a network, are a valid username and its password. Windows creates a default privileged account named “Administrator”.

Change this account name to something site-specific. The account still needs to be accessible for valid access, but needs to be less predictable than a default installation allows. Please note that this does not provide a great deal of protection against an experienced attacker, but it may protect against scripted attacks.


3.2.1.26 Rename Guest Account: Any value other than ‘Guest’
Check Type: OVAL    Status: Failed
Description

Unlike the default Administrator account, the Guest account is disabled by default. It is only used to allow access to unauthenticated users, and then only if the account has a null password and it is not disabled. The Guest account has more safeguards in place, and is not as much a target as the Administrator account, but it still deserves significant attention to maintain security.

Like the default Administrator account, the Guest account still needs to be protected. Change this to a site-specific name to help protect against its use.


3.2.1.27 Restrict CD-ROM Access to Locally Logged-On User Only: Not Defined
Check Type: None    Status: Not Tested
Description

It is possible for servers to share files and folders from anywhere in their filesystem. As a result, the CD-ROM drive can be shared externally. Enabling this setting will prevent anyone but the currently logged-on user from accessing material on the CD-ROM drive.

Warning
WARNING: One problem has been identified when this setting is enabled. When users are installing software from a CD-ROM drive, and those installation packages use Microsoft Installer (.MSI) packages, the software is actually installed by the Windows Installer service, NOT the local user. If this setting is enabled, such software installation will not be able to proceed because of this restriction. The setting must be changed long enough to install the software, or the package must be copied to a local or network drive for the installation procedure to succeed.

3.2.1.28 Restrict Floppy Access to = Locally=20 Logged-On User Only: Enabled Check Type: Status:
None Not Tested
Description

Just like the CD-ROM drive, the floppy drive can be shared to = allow=20 network users access to the files on the floppy disk. This usually = represents more of a risk than access to the CD-ROM because most = CDs (but=20 not all) are manufactured, and commercially available, while most = of the=20 data copied to a floppy drive is proprietary. Whether or not that = is the=20 case, enable this setting to prevent sharing of the floppy disk=20 drive.


3.2.1.29 Secure Channel: Digitally = Encrypt or=20 Sign Secure Channel Data (Always): Not Defined Check Type: Status:
None Not Tested
Description

Secure Channels are normally established between workstations = or=20 servers and Domain Controllers. This data can include password=20 authentication hashes. Signing the data encapsulates it in a = digital=20 signature that authenticates the recipient. Encrypting the data = signs it=20 and masks it, making the data indecipherable if it is intercepted = over the=20 network. If a computer is unable to connect to a Domain Controller = by a=20 signed or encrypted channel, no session will be established. = Generally,=20 this option should be disabled unless the computer is in a domain = where=20 all machines have this option = enabled.


3.2.1.30 Secure Channel: Digitally = Encrypt=20 Secure Channel Data (When Possible): Enabled Check Type: Status:
OVAL Passed
Description

As described above, =E2=80=9Cencrypting=E2=80=9D the secure = channel authenticates the=20 computers at both ends of the conversation (signs) and encrypts = the data=20 to prevent interception of that data. This option should be = enabled. It=20 has no effect outside of a domain=20 environment.


3.2.1.31 Secure Channel: Digitally = Sign Secure=20 Channel Data (When Possible): Enabled Check Type: Status:
OVAL Passed
Description

Digitally signing the Secure Channel data provides = authentication of=20 all members of a =E2=80=9CConversation=E2=80=9D and prevents a = =E2=80=9CMan in the middle=E2=80=9D type of=20 attack. This option should be enabled, but also has no effect = outside of a=20 domain environment.


3.2.1.32 Secure Channel: Require = Strong=20 (Windows 2000 or later) Session Key: Not Defined Check Type: Status:
None Not Tested
Description

When a Secure Channel is signed or encrypted, or when anything = is=20 signed or encrypted, one of the key factors is what strength of = encryption=20 is used. Windows 2000 Domains are capable of using 128-bit = encryption.=20 This is the default setting, and should be used when possible. = Windows NT=20 4.0 domains are not capable of using this high encryption, and if = this=20 option is required, it may actually force the Secure Channel to be = established without any signing or encryption because the domain = is not=20 capable of maintaining this high level of encryption.

As a standard, this setting should be enabled. In a Windows NT = domain,=20 disable the setting. In a Windows 2000 domain, enable this=20 setting.


3.2.1.33 Send Unencrypted Password = to Connect=20 to Third-Party SMB Servers: Disabled Check Type: Status:
OVAL Passed
Description

The end result of this setting can be determined answering one=20 question: When your Windows 2000 computer requests authentication = with a=20 non-Windows computer, should your Windows computer send your = password in=20 cleartext to that computer? You don=E2=80=99t have to think very = hard about this=20 setting to realize that it presents a serious risk to network = security.=20 This is disabled by default, and it should remain so.

If you find an application that requires this setting to be = enabled,=20 please first send feedback to windows-feedback@cisecurity.org so = we can=20 document it, and second, write to the manufacturer of that product = and ask=20 them to design their product with a little better security in=20 mind.


3.2.1.34 Shut Down system immediately if unable to log security audits: Not Defined
Check Type: None    Status: Not Tested
Description

One method of obscuring detection in the Security Event Log is to fill the log with so many events that they eventually overwrite one another, or the log fills to capacity and can’t log any more events. The defense against these tactics requires that the computer be disabled (blue-screened) if it is unable to record security events. The local Administrator will still be able to log on at the console, but the machine will not otherwise be usable until the security log is cleared (and preferably archived) and the machine rebooted.

Note: Unless the log is set to “clear manually” or “Overwrite after x days”, this setting will have no effect. It does emphasize that some care must be taken to maintain the event logs of all Windows machines.


3.2.1.35 Smart Card Removal Behavior: “Lock Workstation” (minimum)
Check Type: None    Status: Not Tested
Description

In an environment that requires physical logon tokens, or “Smart Cards”, one question that inevitably must be answered is “What action should be taken when a user leaves his workstation and takes his Smart Card with him?” The choices are “No Action”, “Lock Workstation”, or “Force Logoff”. The purpose of this setting is to keep users honest. Any setting other than “No Action” is acceptable.

In an environment that does not use Smart Cards, this setting has no effect.


3.2.1.36 Strengthen Default Permissions of Global System Objects (e.g. Symbolic Links): Enabled
Check Type: OVAL    Status: Passed
Description

Windows 2000 keeps a list of shared objects and their default Access Control Lists. The “strengthened” setting for these Access Control Lists allows users read access to all users’ shared objects, and full access to their own.

This option is enabled by default, and it should remain so.


3.2.1.37 Unsigned Driver Installation Behavior: “Warn, but allow installation” (minimum) or “Do Not Allow Installation”
Check Type: OVAL    Status: Error
Description

Microsoft has generally shipped drivers with a digital signature, expressing that Microsoft itself has certified the drivers as valid and tested not to perform actions that constitute foul play. Unfortunately, not all drivers (even from Microsoft) are distributed with digital signatures. This setting should be set to anything other than silent success. If a user or administrator attempts to install unauthenticated drivers, they should at least receive a warning against such action. This setting should read “Warn, but allow installation” or “Do Not Allow Installation”.

Errors
  • ERROR: A required variable 'var-32137b' has not been provided to the OVAL interpreter.
  • ERROR: A required variable 'var-32137a' has not been provided to the OVAL interpreter.

3.2.1.38 Unsigned Non-Driver Installation Behavior: “Warn, but allow installation” (minimum) or “Do Not Allow Installation”
Check Type: OVAL    Status: Error
Description

Much like the setting above, not all software installed from Microsoft or anyone else is guaranteed to include the requisite digital signature. It is still important to alert the user that software is being installed on their system, and give them the opportunity to abort the installation. Set this to “Warn, but allow installation” or “Do Not Allow Installation”.

Warning
WARNING: Enabling this setting may have adverse effects on your ability to communicate with other Windows machines unless the change is made network-wide. If you find that you are unable to require a certain level of LM Authentication, back down to “Send LM & NTLM – Use NTLMv2 session security if negotiated” and try your network authentication again. Communication with Windows 9x/Me machines will require them to have installed the DSCLIENT.EXE utility from the Windows 2000 installation CD. It is important to understand that forcing users to acknowledge the installation of any software that does not include a digital signature will probably require a significant amount of user education, and you can expect some level of help desk support. Users will be calling in to report that (among other things) many Microsoft hotfixes are not digitally signed.
Errors
  • ERROR: A required variable 'var-32138a' has not been provided to the OVAL interpreter.
  • ERROR: A required variable 'var-32138b' has not been provided to the OVAL interpreter.

3.2.2 Additional Registry Settings
Description

The following paragraphs describe individual security settings that can be applied in a variety of ways – using REGEDIT.EXE, REGEDT32.EXE, Local Group Policy, or Domain Group Policy. For more information on applying changes directly to a Windows XP Professional registry, please consult the Microsoft TechNet Internet site at http://www.microsoft.com/technet . Some other helpful registry information is available at http://support.microsoft.com/default.aspx?scid=kb;en-us;Q256986 and http://www.microsoft.com/technet/prodtechnol/winntas/tips/winntmag/inreg.asp .

Warning
WARNING: Editing the registry can make a system unbootable and unusable if done improperly. If you are not familiar with editing the registry, please take a few minutes to follow the links to Microsoft’s TechNet resources and learn about some of the precautions you should take before editing the registry.

3.2.2.1 Suppress Dr. Watson Crash Dumps: HKLM\Software\Microsoft\DrWatson\CreateCrashDump (REG_DWORD) 0
Check Type: None    Status: Not Tested
Description

Dr. Watson is one of Microsoft’s utilities that handles errors in applications. If an application produces an error that Dr. Watson can manage, it will dump the contents of memory for that application to a file for future analysis.

In the process of writing the contents of memory to disk, it is entirely possible that password information could be written to disk as well, and later exploited. Set this value to zero to prevent Dr. Watson from writing crash dumps to disk.


3.2.2.2 Disable Automatic Execution of the System Debugger: HKLM\Software\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto (REG_DWORD) 0
Check Type: None    Status: Not Tested
Description

If an application is executed in non-privileged memory and the system debugger is started, it is possible for that application to execute code in privileged memory space. Set this value to zero to prevent the system debugger from executing automatically.


3.2.2.3 Disable autoplay from any disk type, regardless of application: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) 255
Check Type: None    Status: Not Tested
Description

Although it is convenient for applications to run automatically when Windows Explorer opens, it can also cause applications to be executed against the wishes of an administrative user, exploiting that user’s privilege. Set this value to 255 to prevent any type of drive from automatically launching an application from Windows Explorer.


3.2.2.4 Disable Automatic Logon: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon (REG_SZ) 0
Check Type: None    Status: Not Tested
Description

Windows also has the ability to automatically log a user on every time the machine starts up. Some users may prefer this as a feature. Some server-based applications may require that a user log in before they can execute, so they require this behaviour as well.

The problem with this “feature” is that in order for it to work, it stores the username and password for that user in plaintext in the registry. Set this value to zero to prevent any user from automatically logging in when the computer starts up.


3.2.2.5 Mask any typed passwords with asterisks: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Network\HideSharePwds (REG_DWORD) 1
Check Type: None    Status: Not Tested
Description

In order to prevent passwords typed on the console from being viewed in plain text, set this value to mask those keystrokes with asterisks.


3.2.2.6 Disable Dial-in access to the server: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoDialIn (REG_DWORD) 1
Check Type: None    Status: Not Tested
Description

Prevent servers with modems from being used as inadvertent remote access servers. This setting actually applies to Windows 9x/Me machines, but it does no harm on Windows 2000.


3.2.2.7 Disable automatic reboots after a Blue Screen of Death: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot (REG_DWORD) 0
Check Type: None    Status: Not Tested
Description

If someone manages to get enough control of your computer that they can plant an application there, the next step is to force your computer to restart to register that application. One easy way to accomplish this is to programmatically force an error that causes the computer to crash, or “Blue Screen”, which will reboot the machine by default. Set this value to zero to prevent this behaviour and at least alert the user that something is wrong.


3.2.2.8 Disable CD Autorun: HKLM\System\CurrentControlSet\Services\CDrom\Autorun (REG_DWORD) 0
Check Type: None    Status: Not Tested
Description

If malicious software is written to a CD, it can be executed by Windows Explorer just by putting the CD in the drive. Set this value to zero to prevent any applications from automatically launching from the CD-ROM drive.


3.2.2.9 Remove administrative shares on workstations: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks (REG_DWORD) 0
Check Type: None    Status: Not Tested
Description

Every Windows NT/2000 computer automatically has “Administrative Shares” installed by default. These are restricted to use by Administrators, but they expose each volume root and the %systemroot% folder to the network as Admin$, C$, etc. These make remote administration convenient, but they also present a risk if someone manages to guess the password to an administrative account.

Warning
WARNING: Enabling this setting may have adverse effects on your ability to communicate with other Windows machines unless the change is made network-wide. If you find that you are unable to require a certain level of LM Authentication, back down to “Send LM & NTLM – Use NTLMv2 session security if negotiated” and try your network authentication again. Communication with Windows 9x/Me machines will require them to have installed the DSCLIENT.EXE utility from the Windows 2000 installation CD. If you use administrative shares on your network for remote backups, antivirus support, or general remote administration, this setting will break those applications. Please ask your software vendors to design around this requirement in future versions of their applications.

3.2.2.10 Protect against Computer Browser Spoofing Attacks: HKLM\System\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset (REG_DWORD) 1
Check Type: None    Status: Not Tested
Description

Although this standard advises end-users to shut down their Computer Browser service, it is also likely that not everyone will be able or willing to do so. This registry setting provides protection against a vulnerability that allows the Computer Browser to be shut down. Set this value to protect against this specific vulnerability. If you are not running the Computer Browser service, this setting will have no effect. More information is available at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q262694 .


3.2.2.11 Protect against source-routing spoofing: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting (REG_DWORD) 2
Check Type: None    Status: Not Tested
Description

If a Windows computer has two valid networking devices installed (including dial-up networking), it can be configured to act as a router or a firewall and pass network traffic from one interface to another. Whether this is the intended purpose or not, it can be done on any Windows computer. “Source routing” traffic that passes through such a router can bypass certain routing rules by “spoofing” the device into thinking malicious network activity came from the protected side. Set this value to 2 in order to drop all source-routed packets.


3.2.2.12 Protect the Default Gateway network setting: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect (REG_DWORD) 0
Check Type: None    Status: Not Tested
Description

When one TCP/IP default gateway fails, it is possible to force a computer to use a second default gateway to complete the route path. In most cases, computers are not set up with multiple default gateways, relying on redundant routers instead.

If an attacker can manipulate your default gateway and this setting is not set to zero, he could route your network traffic to an alternate address. Set this value to zero to protect against this kind of attack.


3.2.2.13 Ensure ICMP Routing via shortest path first: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect (REG_DWORD) 0
Check Type: None    Status: Not Tested
Description

In order to prevent network ICMP traffic from being redirected from one computer to another, set the EnableICMPRedirect value to zero. There is some confusion as to whether or not the value name is pluralized. For more information, please refer to the Microsoft article at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q293626 .


3.2.2.14 Help protect against packet fragmentation: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery (REG_DWORD) 0
Check Type: None    Status: Not Tested
Description

When data is transferred across a network, it is broken down into packets. These packets are not always a uniform size. When packets are broken down into smaller sizes, they are supposed to be reassembled at the other end of the network route in the same order. This does not always go as planned, and it can be used in some network attacks.

Set this value to 0 to force Windows to use a consistent 576-byte packet. More details are available at http://support.microsoft.com/?kbid=315669 .


3.2.2.15 Manage Keep-alive times: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime (REG_DWORD) 300000
Check Type: None    Status: Not Tested
Description

The KeepAliveTime value determines how often the network subsystem attempts to verify that a TCP session is still active. The setting of 300,000 (milliseconds) works out to one request every five minutes.


3.2.2.16 Protect Against Malicious Name-Release Attacks: HKLM\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand (REG_DWORD) 1
Check Type: None    Status: Not Tested
Description

By default, a computer running NetBIOS will release its name upon request. In order to protect against malicious name-release attacks, set this value to 1. Microsoft also references in at least one place that this applies to Windows 2000 Service Pack 2 or greater.


3.2.2.17 Ensure Router Discovery is Disabled: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery (REG_DWORD) 0
Check Type: None    Status: Not Tested
Description

The ICMP Router Discovery Protocol can be exploited to add default route entries to a remote system using DHCP. In order to protect against this vulnerability, set this value to 0.


3.2.2.18 Protect against SYN Flood attacks: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect (REG_DWORD) 2
Check Type: None    Status: Not Tested
Description

One of the first methods of launching Denial of Service attacks was to send a flood of incomplete 3-way handshake requests. Each time an incomplete request was received by the target, a small portion of the target’s resources was set aside, waiting for the request to finish. When all of the resources had been set aside, the target machine was no longer able to serve any more requests, and further service was denied.

In order to prevent the success of this attack, set the SynAttackProtect value to 2, which allows the operating system to limit the amount of resources that are set aside until the 3-way handshake is completed. Setting SynAttackProtect to 1 provides minimal security; for maximum protection, set it to 2.

You should be aware that enabling this protection prevents the server service from setting aside any resources for a connection until the 3-way handshake is complete. This may impact the performance of some applications, but it also mitigates the impact of a Denial of Service attack.

The next few settings also provide a measure of protection against Denial of Service or Distributed Denial of Service attacks.


3.2.2.19 SYN Attack protection – Manage TCP Maximum half-open sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen (REG_DWORD) 100 or 500
Check Type: None    Status: Not Tested
Description

This value determines how many incomplete handshake requests the network will allow at one time. This provides protection if SynAttackProtect is set to 1. 100 is the default value on Windows 2000 Server, but 500 is the default value for Advanced Server.

* In order to prevent users from incorrectly configuring their version of Windows 2000 Server/Advanced Server, the security template that can be downloaded from CIS does not include any value for this setting by default. Both values are included in the comments, and can be implemented easily by manually editing the template.


3.2.2.20 SYN Attack protection – Manage TCP Maximum half-open retried sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried (REG_DWORD) 80 or 400
Check Type: None    Status: Not Tested
Description

This value indicates how many retransmitted SYN sessions are permitted. The default value is 80 for Windows 2000 Server, but 400 for Advanced Server.

* In order to prevent users from incorrectly configuring their version of Windows 2000 Server/Advanced Server, the security template that can be downloaded from CIS does not include any value for this setting by default. Both values are included in the comments, and can be implemented easily by manually editing the template.


3.2.2.21 Enable IPSec to protect Kerberos RSVP Traffic: HKLM\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt (REG_DWORD) 1
Check Type: None    Status: Not Tested
Description

When Kerberos authentication information is transferred between domain controllers, or between domain controllers and member servers or workstations, it is not secured by default. Even when IPSec is used to encrypt that traffic, the Kerberos information is considered “exempt”. Set this value to 1 to ensure that all traffic, including Kerberos information, is protected by IPSec.


3.2.2.1
Description

3.2.2.1.1 Disable autoplay for the current user: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) 255
Check Type: None    Status: Not Tested
Description

Note: Due to the inability to manage registry entries for each local user via Security Templates, this setting is recommended, but not required or measured.


3.2.2.1.2 Disable autoplay for new users by default: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) Not Defined
Check Type: None    Status: Not Tested
Description

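The registry values in sections 3.2.2.1 through 3.2.2.21 and 3.2.2.1.1 can be audited in one pass rather than one at a time in REGEDIT. The following PowerShell script is an added example, not part of the CIS report or its scoring tool. It assumes a Windows host with PowerShell and read access to HKLM (and HKCU for 3.2.2.1.1); the expected values are the ones stated in the items above, and 3.2.2.19 and 3.2.2.20 accept either the Server or the Advanced Server value since the CIS template leaves them to the administrator. A missing key or value is reported as “Not Defined”, as the report does, and a value stored as the wrong registry type is flagged separately, because each item specifies a type and a value of the wrong type may be ignored by the component that reads it.

```powershell
# Added example: audit of the section 3.2.2 registry values.
# Not part of the CIS report or scoring tool. Assumes Windows PowerShell
# with read access to HKLM (and HKCU for 3.2.2.1.1). Expected values are
# the ones stated in the report; 3.2.2.19/3.2.2.20 accept either default.
$Tcpip = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters'
$Checks = @(
    @{ Id='3.2.2.1';   Key='HKLM:\Software\Microsoft\DrWatson';                                 Name='CreateCrashDump';       Kind='DWord';  Expect=@(0) },
    @{ Id='3.2.2.2';   Key='HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AEDebug';        Name='Auto';                  Kind='DWord';  Expect=@(0) },
    @{ Id='3.2.2.3';   Key='HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoDriveTypeAutoRun';    Kind='DWord';  Expect=@(255) },
    @{ Id='3.2.2.4';   Key='HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon';       Name='AutoAdminLogon';        Kind='String'; Expect=@('0') },
    @{ Id='3.2.2.5';   Key='HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Network';  Name='HideSharePwds';         Kind='DWord';  Expect=@(1) },
    @{ Id='3.2.2.6';   Key='HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Network';  Name='NoDialIn';              Kind='DWord';  Expect=@(1) },
    @{ Id='3.2.2.7';   Key='HKLM:\System\CurrentControlSet\Control\CrashControl';               Name='AutoReboot';            Kind='DWord';  Expect=@(0) },
    @{ Id='3.2.2.8';   Key='HKLM:\System\CurrentControlSet\Services\CDrom';                     Name='Autorun';               Kind='DWord';  Expect=@(0) },
    @{ Id='3.2.2.9';   Key='HKLM:\System\CurrentControlSet\Services\LanmanServer\Parameters';   Name='AutoShareWks';          Kind='DWord';  Expect=@(0) },
    @{ Id='3.2.2.10';  Key='HKLM:\System\CurrentControlSet\Services\MrxSmb\Parameters';         Name='RefuseReset';           Kind='DWord';  Expect=@(1) },
    @{ Id='3.2.2.11';  Key=$Tcpip; Name='DisableIPSourceRouting'; Kind='DWord'; Expect=@(2) },
    @{ Id='3.2.2.12';  Key=$Tcpip; Name='EnableDeadGWDetect';     Kind='DWord'; Expect=@(0) },
    @{ Id='3.2.2.13';  Key=$Tcpip; Name='EnableICMPRedirect';     Kind='DWord'; Expect=@(0) },
    @{ Id='3.2.2.14';  Key=$Tcpip; Name='EnablePMTUDiscovery';    Kind='DWord'; Expect=@(0) },
    @{ Id='3.2.2.15';  Key=$Tcpip; Name='KeepAliveTime';          Kind='DWord'; Expect=@(300000) },
    @{ Id='3.2.2.16';  Key='HKLM:\System\CurrentControlSet\Services\Netbt\Parameters';          Name='NoNameReleaseOnDemand'; Kind='DWord';  Expect=@(1) },
    @{ Id='3.2.2.17';  Key=$Tcpip; Name='PerformRouterDiscovery'; Kind='DWord'; Expect=@(0) },
    @{ Id='3.2.2.18';  Key=$Tcpip; Name='SynAttackProtect';       Kind='DWord'; Expect=@(2) },
    @{ Id='3.2.2.19';  Key=$Tcpip; Name='TcpMaxHalfOpen';         Kind='DWord'; Expect=@(100, 500) },
    @{ Id='3.2.2.20';  Key=$Tcpip; Name='TcpMaxHalfOpenRetried';  Kind='DWord'; Expect=@(80, 400) },
    @{ Id='3.2.2.21';  Key='HKLM:\System\CurrentControlSet\Services\IPSEC';                     Name='NoDefaultExempt';       Kind='DWord';  Expect=@(1) },
    @{ Id='3.2.2.1.1'; Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoDriveTypeAutoRun';    Kind='DWord';  Expect=@(255) }
)

function Test-RegistryBenchmark {
    param([hashtable]$Check)
    $r = [ordered]@{ Id = $Check.Id; Value = $Check.Name; Expected = ($Check.Expect -join ' or ');
                     Actual = ''; Status = '' }
    # Get-Item returns the RegistryKey object, which exposes the stored type of each value
    $key = Get-Item -Path $Check.Key -ErrorAction SilentlyContinue
    if (-not $key -or ($key.GetValueNames() -notcontains $Check.Name)) {
        # The report scores an absent key or value as "Not Defined", not as a failure
        $r.Actual = 'absent'; $r.Status = 'Not Defined'
        return [pscustomobject]$r
    }
    $kind   = $key.GetValueKind($Check.Name).ToString()   # e.g. DWord, String
    $actual = $key.GetValue($Check.Name)
    $r.Actual = "$actual ($kind)"
    if ($kind -ne $Check.Kind)               { $r.Status = 'Failed (wrong type)' }
    elseif ($Check.Expect -contains $actual) { $r.Status = 'Passed' }
    else                                     { $r.Status = 'Failed' }
    return [pscustomobject]$r
}

$Checks | ForEach-Object { Test-RegistryBenchmark $_ } | Format-Table -AutoSize
```

The 3.2.2.1.2 value lives under HKEY_USERS\.DEFAULT, which has no PowerShell drive by default; it is left out of the table above and can be added after mapping one with `New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS`. The script only reads; remediation should go through the CIS security template or Group Policy as the section recommends, so that the change is applied consistently and survives re-imaging.
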
4 Additional Security Protection
Description

Many of the previous security-related settings fell neatly into categories that were well defined, easy to implement, and easy to find. Beyond that, there are other requirements that do not fit into every mold – these are the things that make every computer unique. They may present the greatest challenge to securing a computer because they are more open-ended in nature. For lack of a better description, the pages that follow describe the realm that would fall into the category “other”.


4.1 Available Services
Description

Every piece of code that executes on a computer exists in a process. Many of these processes begin as “Services”. You can view a list of services by right-clicking “My Computer” and clicking “Manage”. Expand “Services and Applications” and click “Services”. Each service is configured to start at boot time (Automatic startup), on demand (Manual startup), or not at all (Disabled).

The services listed below should be disabled to protect your computer against certain vulnerabilities. Disabling them may also restrict certain functionality that you are accustomed to, but we have tried to maintain a reasonable level of functionality where possible. If you need these services to maintain the functionality of a server (for instance, the World Wide Web Publishing Service would be required for an IIS server), you need to take extra steps to protect that service. Many of these services may soon be covered by additional Level 2 CIS Benchmarks.

Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause. Permissions on services should be set using the Security template that accompanies the CIS Windows Scoring Tool.


4.1.1 Alerter – Disabled
Check Type: OVAL    Status: Failed
Description

The Alerter service is normally used to send messages between processes on one computer, “alerting” the user’s console to the status of certain functions, including the execution of print jobs. It also works in conjunction with the Messenger service to send these same messages between computers on a network.


4.1.2 Clipbook – Disabled
Check Type: OVAL    Status: Failed
Description

The Clipbook service is used to share clipboard information between computers on a network. In most cases, users don’t want to share that information with other computers.


4.1.3 Computer Browser – Disabled
Check Type: None    Status: Not Tested
Description

The Computer Browser (not to be confused with Internet browsers such as Internet Explorer or Netscape) keeps track of the computers on a network within a domain. It allows users to “browse” through Network Neighborhood to find the shared resources they need without knowing the exact name of that resource.

Unfortunately, it allows anyone to browse to those resources before any sort of authentication or authorization is checked.

Disabling this service will require users to know the resources they are looking for by name, and may result in an increased number of help desk calls.


4.1.4 Fax Service – Disabled
Check Type: OVAL    Status: Failed
Description

The Fax service is used for the unattended reception of incoming faxes. It is not required for sending faxes, or for receiving them manually. It does require that a computer be left running all the time, with the modem set to auto-answer.

Generally speaking, with the low cost of dedicated fax machines, the secure answer to most faxing needs is a dedicated fax machine to receive faxes, while still using the computer to send faxes manually when appropriate.


4.1.5 FTP Publishing Service – Disabled
Check Type: None    Status: Not Tested
Description

The FTP Publishing Service is part of the Internet Information Server suite of Internet applications. It is not installed by default. It is used for making files on your local machine available to other users on your network or the Internet.

This service should be disabled or removed. If it is going to be installed, it should be properly maintained, which is a subject beyond the scope of this benchmark.


4.1.6 IIS Admin Service – Disabled
Check Type: None    Status: Not Tested
Description

Also part of the IIS suite of services, the IIS Admin Service manages the other IIS services. If this service is not running, the other services that are part of the IIS suite will not function either. Disable this service. If possible, it should be removed from workstations.


4.1.7 Internet Connection Sharing – Disabled
Check Type: None    Status: Not Tested
Description

One of the features introduced with Windows 2000 was the idea of Internet Connection Sharing (ICS) – that is, allowing one computer to connect to the Internet and act as a gateway, while allowing other connected computers to access the Internet through that connection.

ICS should not be installed on most computers. If it is, it should be configured properly and securely, which is beyond the scope of this benchmark. If it is installed, regardless of whether or not that is done properly, there is a level of risk involved with its presence.


4.1.8 Messenger – Disabled
Check Type: OVAL    Status: Failed
Description

The Messenger service works in tandem with the Alerter service. It allows the Alerter services of multiple computers to send alerts to each other over a network. Most users can live without the Messenger and Alerter services and still accomplish the tasks they need to do in the course of a normal day.

On October 15, 2003, Microsoft released Security Bulletin 03-043. This bulletin is an advisory of a vulnerability in the Messenger service that allows an attacker to execute application code of his or her choice. Disable this service to prevent this, or as-yet unknown similar vulnerabilities, from affecting a system.


4.1.9 NetMeeting Remote Desktop Sharing – Disabled
Check Type: OVAL    Status: Failed
Description

Microsoft has made one of the better collaboration tools available on the market today, but at the same time they took that tool – NetMeeting – and tried to make it into a remote control utility for help desk personnel to take control of your computer in time of need. In a world of hacker attacks and buffer overflows, it seems like only a matter of time before an exploit is discovered, or it is simply abused. If you don’t have a dedicated help desk, or your help desk doesn’t use NetMeeting Remote Desktop Sharing, disable this service. If your organization requires this service, it should understand that there may be a risk involved.


4.1.10 Remote Registry Service – Disabled
Check Type: None    Status: Not Tested
Description

The Windows Registry is essentially a database of settings and configuration options that affect almost every function of a Windows 2000 computer. It determines how everything behaves at startup, shutdown, and everything in between. The purpose of the Remote Registry Service is to expose that database to the rest of the network through a NetBIOS connection.

As frightening as that sounds, this service is enabled by default on every Windows computer deployed since the advent of Windows 95. A majority of remote administration tools have been written to take advantage of the Remote Registry Service to perform functions that would normally require a portion of their application to be installed locally.

Because of its widespread distribution, its initial purpose, and the fact that it is still only protected by a username and password, the Remote Registry Service is responsible for opening the doors to uninvited guests as well as to the remote management utilities it is used to support. Disable this service to prevent remote access to the system registry.

Warning
WARNING: By disabling this service, you are cutting off any ability for support personnel or domain administrators to remotely manage your computer unless there is another application already installed on your computer to allow those functions. Be aware that this can break a large number of enterprise-wide applications.

4.1.11 Routing and Remote Access – Disabled
Check Type: None    Status: Not Tested
Description

The Routing and Remote Access service is normally used either to allow servers to act as Remote Access Servers, or to allow computers on one network to interact with computers on another.

RRAS is not fully implemented on Windows XP Professional as it is in the server operating systems. Users generally don’t need RRAS on workstations. If this service cannot be disabled, it should be locked down as much as possible. More information is available at http://www.microsoft.com/TechNet/columns/cableguy/cg0601.asp .


4.1.12 Simple Mail Transfer Protocol (SMTP) – Disabled
Check Type: None    Status: Not Tested
Description

This service is installed as part of the IIS suite of applications. It should be disabled or removed entirely.


4.1.13 Simple Network Management Protocol (SNMP) Service – Disabled
Check Type: None    Status: Not Tested
Description

The Simple Network Management Protocol (SNMP) has long been the accepted standard for remote management of all kinds of network devices – routers, hubs, Unix, and Windows alike. It was recently discovered that SNMP implementations have carried a dangerously exploitable flaw for the past ten years or so. If you do not have a system actively using SNMP for remote management, disable it or remove it from the system. If you must use it, remove the “Public” community name entirely, give it a complex and unique community name (like “mycorp872readonly”), and make sure it has “Read Only” access only. Community names like “Private” aren’t really any more secure than “Public”.


4.1.14 Simple Network Management Protocol (SNMP) Trap – Disabled
Check Type: None    Status: Not Tested
Description

Another part of the SNMP protocol is the SNMP Trap service. Just like its counterpart, it should be disabled and/or removed.


4.1.15 Telnet =E2=80=93 Disabled Check Type: Status:
OVAL Error
Description

The Telnet service is not often installed on workstations. It = is used=20 for remote management of network devices, and offers a = command-shell based=20 form of network access to a computer. This is all well and good, = but the=20 traffic transferred by Telnet is not protected or encrypted in any = way. If=20 this is a requirement, take the time to look into a Secure Shell = (SSH)=20 remote management solution to fulfill your needs in a more secure = manner.=20 It is well worth the time and expense.

Errors
  • ERROR: An uncaught error occured: org.cis.util.windows.InvalidHandleException: RegOpenKeyEx() invalid handle
Because the check did not run, the state of the Telnet service on this host is unknown and should be verified by hand (for example in the Services console).

4.1.16 World Wide Web Publishing Services – Disabled
Check Type: None    Status: Not Tested
Description

Microsoft's World Wide Web Publishing service (IIS) is the most frequently attacked web-server platform on the Internet, and as a result it has had many bugs found and many flaws exploited. It is not installed by default on Windows 2000 Professional (it is on Windows 2000 Server) and should not exist on an average workstation. Unless it will be properly maintained by personnel trained in IIS security, it should be disabled or removed.


4.1.17 Automatic Updates – Not Defined
Check Type: None    Status: Not Tested
Description

The Automatic Updates service is new to Windows 2000 Service Pack 3. It periodically checks the Microsoft web site in the background and initiates the download of any new Critical Updates as they become available. It is designed NOT to use excessive network bandwidth. This service does not install anything itself; it makes updates ready to install.

NOTE: The Automatic Updates service and the Background Intelligent Transfer Service work together to help keep computers up to date with the latest critical patches. Organizations that have a separate patch management strategy should disable these services to prevent unmanaged system patching. Other organizations or individual users that do not have another method of patching should leave these services enabled and make use of them to keep patches up to date.


4.1.18 Background Intelligent Transfer Service (a.k.a. BITS) – Not Defined
Check Type: None    Status: Not Tested
Description

The BITS service works in conjunction with the Automatic Updates service to download Critical Updates from Microsoft's Internet site and make them available for installation. The service runs in the background and makes use of unused and available bandwidth.
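The following is an added example, not part of the CIS tool or the benchmark, that checks items 4.1.12 through 4.1.18 and the SNMP community-name advice in 4.1.13 offline from a text dump of the Services registry key. It assumes the dump was produced with regedit /e services.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services (regedit writes UTF-16 text), that each service's start type is the "Start" DWORD under its key (2 = Automatic, 3 = Manual, 4 = Disabled), and that the SNMP service stores each community name as a value under SNMP\Parameters\ValidCommunities whose DWORD is the permission (4 = READ ONLY, 8 = READ WRITE). The embedded export fragment is constructed, and the "short or simple name" test is a heuristic of this example, not a benchmark rule:

```python
"""Offline audit of Windows 2000 service start types (benchmark items
4.1.12 - 4.1.18) and SNMP community strings (4.1.13) from a registry
export made with:
    regedit /e services.reg HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services

Added example, not part of the CIS tool. SAMPLE_EXPORT is a constructed
fragment, not an export from the scanned host.
"""
import re
import sys

# Values of the "Start" DWORD under each service key.
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# Registry key name -> benchmark item.
SERVICES = {
    "SMTPSVC": "4.1.12 SMTP",
    "SNMP": "4.1.13 SNMP Service",
    "SNMPTRAP": "4.1.14 SNMP Trap",
    "TlntSvr": "4.1.15 Telnet",
    "W3SVC": "4.1.16 World Wide Web Publishing",
    "wuauserv": "4.1.17 Automatic Updates",
    "BITS": "4.1.18 BITS",
}
# Items the benchmark wants disabled; 4.1.17/4.1.18 are "Not Defined" (reported only).
MUST_BE_DISABLED = {"SMTPSVC", "SNMP", "SNMPTRAP", "TlntSvr", "W3SVC"}

# Permission DWORD stored per community name under SNMP\Parameters\ValidCommunities.
SNMP_PERMS = {1: "NONE", 2: "NOTIFY", 4: "READ ONLY", 8: "READ WRITE", 16: "READ CREATE"}
DEFAULT_COMMUNITIES = {"public", "private"}

SERVICES_KEY = r"hkey_local_machine\system\currentcontrolset\services"
_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path_lowercase: {value_name: value}} for dword and string values.
    Other value types (hex, expand-string) are skipped; key names are case-insensitive."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if not m:
                continue
            name, data = m.group(1), m.group(2)
            if data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                keys[current][name] = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
    return keys


def audit_services(keys):
    """Return a list of (item, start type, verdict) for each benchmark service."""
    findings = []
    for svc, item in SERVICES.items():
        values = keys.get(SERVICES_KEY + "\\" + svc.lower())
        if values is None:  # no key at all: service not installed
            findings.append((item, "not installed", "pass" if svc in MUST_BE_DISABLED else "info"))
            continue
        start = START_TYPES.get(values.get("Start"), "unknown")
        if svc in MUST_BE_DISABLED:
            verdict = "pass" if start == "Disabled" else "FAIL"
        else:
            verdict = "info"
        findings.append((item, start, verdict))
    return findings


def audit_snmp_communities(keys):
    """Return (community, permission, reasons) for every configured community.
    An empty reasons list means the name meets the 4.1.13 advice."""
    communities = keys.get(SERVICES_KEY + r"\snmp\parameters\validcommunities", {})
    findings = []
    for name, perm in communities.items():
        reasons = []
        if name.lower() in DEFAULT_COMMUNITIES:
            reasons.append("default community name")
        if perm not in (1, 2, 4):  # anything beyond read-only
            reasons.append("grants %s access" % SNMP_PERMS.get(perm, "unknown"))
        if len(name) < 12 or not any(c.isdigit() for c in name):
            reasons.append("short or simple name")  # heuristic of this example, not a benchmark rule
        findings.append((name, SNMP_PERMS.get(perm, "unknown"), reasons))
    return findings


# Constructed sample export (not from the scanned host).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\WINNT\\System32\\snmp.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities]
"public"=dword:00000004
"private"=dword:00000008
"mycorp872readonly"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPTRAP]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
"""

if __name__ == "__main__":
    # regedit /e writes UTF-16 with a BOM; without a file argument the sample is used.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    keys = parse_reg_export(text)
    for item, start, verdict in audit_services(keys):
        print("%-6s %-36s %s" % (verdict, item, start))
    for name, perm, reasons in audit_snmp_communities(keys):
        print("%-6s community %-20s %-12s %s" % ("FAIL" if reasons else "pass", name, perm, "; ".join(reasons)))
```

Run it as "python audit_services.py services.reg"; with no argument it audits the built-in sample, which reports the SNMP service and SNMP Trap as FAIL (Automatic and Manual rather than Disabled), Telnet as pass, and the "private" community as both a default name and a READ WRITE grant.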


4.2 User Rights
Description

In conjunction with the privileged groups in Windows 2000, a number of individual user rights can be assigned to users or groups to grant them abilities beyond the reach of normal users. Each right below is listed with the assignment the benchmark template expects.


4.2.1 Access this computer from the network: Users, Administrators (or none)
Check Type: None    Status: Not Tested
Description

The ability to access a computer from the network is a user right that can be granted or revoked on any machine as appropriate. If this list is left empty, no user account can be used to reach the resources of this computer from the network.


4.2.2 Act as part of the operating system: None
Check Type: None    Status: Not Tested
Description

The operating system itself runs in a special security context called "LocalSystem", which can do things that neither normal users nor administrative users can. Granting this user right to users or groups lets them exceed normal privilege regardless of their group membership.

Some services may require an account with this right in order to operate properly. Do not hand it out more than necessary.


4.2.3 Add workstations to domain: Not applicable
Check Type: None    Status: Not Tested
Description

This user right only applies to domain controllers and has no effect on Windows 2000 workstations or stand-alone or member servers.


4.2.4 Back up files and directories: Administrators
Check Type: None    Status: Not Tested
Description

This user right lets a user or group read any file or folder, circumventing normal Windows file permissions, for the purpose of backing it up. It should be restricted where possible.


4.2.5 Bypass traverse checking: Users
Check Type: None    Status: Not Tested
Description

The Bypass traverse checking user right lets a user pass through folders to which they have no permissions in order to reach a file or subfolder they are allowed to access; it does not grant any access to the contents of the folders traversed. Unfortunately, it is necessary to grant this right to users to allow normal operation of applications on most computers.


4.2.6 Change the system time: Administrators
Check Type: None    Status: Not Tested
Description

Restricting who can change the system time on Windows 2000 computers is especially important in a domain environment because of the role time synchronization plays in Kerberos authentication: Kerberos rejects tickets from clients whose clocks are too far out of step with the domain controller. This should not be configurable by anyone except Administrators.


4.2.7 Create a pagefile: Administrators
Check Type: None    Status: Not Tested
Description

In order to protect the potentially sensitive information that can be stored in a pagefile, the creation of pagefiles should be restricted to Administrators.


4.2.8 Create a token object: None
Check Type: None    Status: Not Tested
Description

Allows a process to create a security access token, the object that represents a logged-on identity and its privileges. Only the operating system's own logon components need this; the right should never be given to any user.


4.2.9 Create permanent shared objects: None
Check Type: None    Status: Not Tested
Description

The right to create permanent shared objects should only be used by components running in the Windows kernel. The kernel already has the right to create such objects, so no users should ever be granted this right.


4.2.10 Debug Programs: None
Check Type: None    Status: Not Tested
Description

Any user can debug their own programs, but this right allows a user to attach a debugger to any other process on the machine, including system processes, and so read or alter its memory. By default Windows 2000 grants it to Administrators; the benchmark removes it. Users should not be granted this right except in an isolated development environment.


4.2.11 Deny access to this computer from the network: Guests
Check Type: None    Status: Not Tested
Description

The "Deny" user rights always supersede the corresponding "Allow" user rights, so a user listed under both will be denied access. If there are no users who should be allowed access to a computer from the network, the Everyone group should be listed in the "Deny access to this computer from the network" user right.


4.2.12 Deny logon as a batch job: None by default (others allowable as appropriate)
Check Type: None    Status: Not Tested
Description

Just like the other "Deny…" user rights, a user listed here will be denied the ability to log on as a batch job, even if that user has been explicitly granted the corresponding right. This is not defined in the template.


4.2.13 Deny logon as a service: None by default (others allowable as appropriate)
Check Type: None    Status: Not Tested
Description

Just like the other "Deny…" user rights, a user listed here will be denied the ability to log on as a service, even if that user has been explicitly granted the corresponding right. This is not defined in the template.


4.2.14 Deny logon locally: "Guests" by default (others allowable as appropriate)
Check Type: None    Status: Not Tested
Description

Just like the other "Deny…" user rights, a user listed here will be denied the ability to log on at the console, even if that user has been explicitly granted the corresponding right.


4.2.15 Enable computer and user accounts to be trusted for delegation: Not Applicable
Check Type: None    Status: Not Tested
Description

This user right only applies to Windows 2000 Domain Controllers. It has no effect on Windows 2000 workstations or stand-alone or member servers.


4.2.16 Force shutdown from a remote system: Administrators
Check Type: None    Status: Not Tested
Description

This grants a user the right to shut down a computer from the network. It should only be granted to Administrators, and may be restricted to no users or groups at all.


4.2.17 Generate security audits: None
Check Type: None    Status: Not Tested
Description

This user right allows a user or process to write events to the Windows Security event log. A holder could flood the log with bogus entries or push out genuine ones, so this right should not be granted to any user or group.


4.2.18 Increase quotas: Administrators
Check Type: None    Status: Not Tested
Description

The "Increase quotas" right lets one process adjust the memory quotas assigned to another process. It has legitimate uses in performance tuning, but can also be used to cause a denial of service if misused or abused.


4.2.19 Increase scheduling priority: Administrators
Check Type: None    Status: Not Tested
Description

The scheduling priority is one of the settings that can be altered as needed for performance tuning, but normal users should not have the ability to change the priority of other processes.


4.2.20 Load and unload device drivers: Administrators
Check Type: None    Status: Not Tested
Description

Device drivers execute with kernel privileges on a Windows computer because they interface the hardware directly with the operating system, so a malicious driver is a complete compromise of the machine. Drivers can be a vehicle for "Trojan Horse" code, and the right to load them should be restricted where possible. This setting also governs the installation of Plug and Play device drivers.


4.2.21 Lock pages in memory: None
Check Type: None    Status: Not Tested
Description

The right to lock pages in memory is the ability to force data in physical memory to remain there and not be paged to disk, which can seriously degrade system performance if overused. Windows 2000 treats this user right as obsolete, and it should remain empty.


4.2.22 Log on as a batch job: None ("Not Defined")
Check Type: None    Status: Not Tested
Description

The right to log on as a batch job means that the listed user can log on through the batch queue facility (for example, scheduled tasks). By default Administrators have this right but very rarely use it. Remove all users and groups from this right.


4.2.23 Log on as a service: None ("Not Defined")
Check Type: None    Status: Not Tested
Description

Most applications that do not directly interact with the logged-on user (and many that do) actually operate as services. These services almost always execute under the LocalSystem security context. If a service needs to run in a user context, that user account would have to be listed here. For scoring purposes this setting is "Not Defined" because individual implementations will vary.


4.2.24 Log on locally: Administrators (other specific users allowable)
Check Type: None    Status: Not Tested
Description

Anyone who logs on at a computer's console must be listed here, either by individual user name or through the "Administrators" group. Average users do not normally need to log on to the local console. If other non-administrative users do, list them separately here, in addition to or instead of the Administrators group as appropriate.


4.2.25 Manage auditing and security log: Administrators
Check Type: None    Status: Not Tested
Description

The ability to manage the security event log (and the audit settings on individual objects) is equivalent to the ability of an intruder to cover their tracks and destroy evidence of what has been done to a computer system. This user right should be highly restricted, possibly even to only a subset of system administrators.


4.2.26 Modify firmware environment values: Administrators
Check Type: None    Status: Not Tested
Description

This right governs modification of environment values stored in the computer's non-volatile firmware memory on platforms that keep them there; it has nothing to do with the per-user environment variables that every user can change for themselves. Only Administrators should hold it.


4.2.27 Profile single process: Administrators
Check Type: None    Status: Not Tested
Description

This user right grants the ability to monitor the performance of another user's process or of a non-system process.


4.2.28 Profile system performance: Administrators
Check Type: None    Status: Not Tested
Description

The Profile system performance user right allows a user or group of users to monitor system performance, including system processes.


4.2.29 Remove computer from docking station: Administrators
Check Type: None    Status: Not Tested
Description

This user right is just what you'd expect: it controls who may undock a portable computer from its docking station.


4.2.30 Replace a process level token: None
Check Type: None    Status: Not Tested
Description

The ability to replace a process-level token lets a process start a child process under a different access token, that is, as a different security principal. It is needed only by services that launch work on behalf of other users, and should not be granted to any user or group.


4.2.31 Restore files and directories: Administrators
Check Type: None    Status: Not Tested
Description

In conjunction with the "Back up files and directories" user right, this can be very dangerous: a user could back up security-related files, alter them, and restore them to the same place, and the restore right also lets a user write files with any owner. It should be restricted to Administrators.


4.2.32 Shut down the system: Administrators
Check Type: None    Status: Not Tested
Description

Users granted this right have the ability to shut down the computer. It only takes effect if users are required to log on before shutting down, that is, if the security option that allows shutdown without logon is disabled.


4.2.33 Synchronize directory service data: Not Applicable
Check Type: None    Status: Not Tested
Description

This user right has no effect on Windows 2000 systems that are not Domain Controllers.


4.2.34 Take ownership of file or other objects: Administrators
Check Type: None    Status: Not Tested
Description

A user who "owns" a file has greater authority over it than its permissions suggest, because the owner can always change those permissions. The right to take ownership of any file or object is therefore equivalent to the ability to compromise an entire file system.
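The following is an added example (not part of the CIS tool or the benchmark) that checks a host's user-right assignments against the expectations in section 4.2. It assumes the assignments were exported with "secedit /export /cfg rights.inf" and appear in the [Privilege Rights] section as "SePrivilegeName = *SID,*SID" lines, that a privilege absent from the export has no holders, and that the well-known SIDs map to the built-in groups as listed. For "Allow" rights the holders must be a subset of the expected groups; for "Deny" rights the expected groups must be present; extra named accounts under Log on locally are reported for review because 4.2.24 permits them. The sample INF and the "kiosk" account in it are constructed:

```python
"""Check the [Privilege Rights] section of a 'secedit /export /cfg rights.inf'
dump against the user-right assignments in benchmark section 4.2.

Added example, not part of the CIS tool. SAMPLE_INF is constructed and the
'kiosk' account in it is hypothetical.
"""
import sys

WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-1-0": "Everyone",
}

# Privilege constant -> holders the template allows (Allow rights) or requires (Deny rights).
EXPECTED = {
    "SeNetworkLogonRight": {"Users", "Administrators"},     # 4.2.1
    "SeTcbPrivilege": set(),                                 # 4.2.2
    "SeBackupPrivilege": {"Administrators"},                 # 4.2.4
    "SeChangeNotifyPrivilege": {"Users"},                    # 4.2.5
    "SeSystemtimePrivilege": {"Administrators"},             # 4.2.6
    "SeCreatePagefilePrivilege": {"Administrators"},         # 4.2.7
    "SeCreateTokenPrivilege": set(),                         # 4.2.8
    "SeCreatePermanentPrivilege": set(),                     # 4.2.9
    "SeDebugPrivilege": set(),                               # 4.2.10
    "SeDenyNetworkLogonRight": {"Guests"},                   # 4.2.11
    "SeDenyInteractiveLogonRight": {"Guests"},               # 4.2.14
    "SeRemoteShutdownPrivilege": {"Administrators"},         # 4.2.16
    "SeAuditPrivilege": set(),                               # 4.2.17
    "SeIncreaseQuotaPrivilege": {"Administrators"},          # 4.2.18
    "SeIncreaseBasePriorityPrivilege": {"Administrators"},   # 4.2.19
    "SeLoadDriverPrivilege": {"Administrators"},             # 4.2.20
    "SeLockMemoryPrivilege": set(),                          # 4.2.21
    "SeBatchLogonRight": set(),                              # 4.2.22
    "SeInteractiveLogonRight": {"Administrators"},           # 4.2.24 (other named users allowed)
    "SeSecurityPrivilege": {"Administrators"},               # 4.2.25
    "SeSystemEnvironmentPrivilege": {"Administrators"},      # 4.2.26
    "SeProfileSingleProcessPrivilege": {"Administrators"},   # 4.2.27
    "SeSystemProfilePrivilege": {"Administrators"},          # 4.2.28
    "SeUndockPrivilege": {"Administrators"},                 # 4.2.29
    "SeAssignPrimaryTokenPrivilege": set(),                  # 4.2.30
    "SeRestorePrivilege": {"Administrators"},                # 4.2.31
    "SeShutdownPrivilege": {"Administrators"},               # 4.2.32
    "SeTakeOwnershipPrivilege": {"Administrators"},          # 4.2.34
}


def parse_privilege_rights(inf_text):
    """Return {privilege: set of holder names} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line or line.startswith(";"):
            continue
        priv, _, holders = line.partition("=")
        names = set()
        for holder in holders.split(","):
            holder = holder.strip().lstrip("*")  # secedit prefixes SIDs with '*'
            if holder:
                names.add(WELL_KNOWN_SIDS.get(holder, holder))
        rights[priv.strip()] = names
    return rights


def audit_user_rights(rights):
    """Return a list of (privilege, verdict, offending holders)."""
    findings = []
    for priv, expected in EXPECTED.items():
        actual = rights.get(priv, set())  # assumption: absent from export == no holders
        if priv.startswith("SeDeny"):
            missing = expected - actual
            findings.append((priv, "pass" if not missing else "FAIL", sorted(missing)))
            continue
        extra = actual - expected
        if not extra:
            verdict = "pass"
        elif priv == "SeInteractiveLogonRight":
            verdict = "review"  # 4.2.24 allows other specific users
        else:
            verdict = "FAIL"
        findings.append((priv, verdict, sorted(extra)))
    return findings


SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-545,*S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeChangeNotifyPrivilege = *S-1-5-32-545
SeDebugPrivilege = *S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-32-546
SeDenyInteractiveLogonRight =
SeInteractiveLogonRight = *S-1-5-32-544,kiosk
SeSystemtimePrivilege = *S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    # secedit writes UTF-16 with a BOM; without a file argument the sample is used.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_INF
    for priv, verdict, holders in audit_user_rights(parse_privilege_rights(text)):
        print("%-7s %-34s %s" % (verdict, priv, ", ".join(holders)))
```

On the sample the script fails Back up files and directories (Backup Operators present), Debug Programs (the Windows 2000 default grant to Administrators is still in place) and Deny logon locally (Guests missing), and flags the extra "kiosk" account under Log on locally for review.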


4.3 Other System Requirements
Description

4.3.1 Ensure volumes are using the NTFS file system
Check Type: OVAL    Status: Failed
Description

Since the early days of DOS, files have been stored on floppy disks. These disks break data up into blocks, which are written to corresponding blocks on the physical disk. The "map" describing which blocks hold which files is stored on a part of the disk called the "File Allocation Table", or FAT. When DOS moved to hard disks, the same FAT style of allocation was used. FAT file systems had some good points – above all, simplicity: any system could read the disks, and if there was a problem the data could usually be recovered. When disks grew beyond FAT's capabilities it was expanded to FAT32, allowing for larger disks. However, FAT and FAT32 offer no security at all: there are no file permissions and no auditing.

NTFS interoperability has come a long way since its initial introduction. Its permissions can be bypassed by anyone able to reboot the machine into another operating system, but it is the ONLY way that any file-level security can be enforced while the system is running.

To determine whether a volume is NTFS, double-click "My Computer" on the desktop, right-click the C drive (C:) and click Properties. The properties pane for that disk describes the "File System" as FAT, FAT32 or NTFS.

To convert a FAT volume to NTFS, open a Command Prompt (click Start -> Programs -> Accessories -> Command Prompt) and type "convert C: /fs:ntfs". The system will probably need to restart to convert the boot volume. Take the same action with the D: drive and any other volumes that show up as FAT. The conversion is one-way, and a converted volume is left with an ACL granting Everyone full control, which is why the next step is needed.

Once the volumes have been converted to NTFS, default security must be applied to the boot drive (C:). Open a command prompt (click Start, Programs, Accessories, Command Prompt) and type the following command, for workstations and servers alike:
secedit /configure /db default.sdb /cfg "%windir%\inf\setup security.inf" /areas filestore
and press Enter. The /db parameter is required even though the database does not exist until the command has run. Type "secedit /?" for more information on this command.
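The following is an added example, not part of the CIS tool or the benchmark, that identifies a volume's file system from its boot sector the way forensic tools do, so FAT volumes can be found from a raw disk image (or, as an administrator, from the raw device path of a mounted volume) without trusting the running system's own reporting. It assumes the on-disk layout of the three file systems: the NTFS OEM ID "NTFS    " at offset 3, the FAT32 file-system type string at offset 0x52, the FAT12/FAT16 type string at offset 0x36, and the 0x55AA boot signature at offset 510. The sample boot sectors are constructed minimal images, not captures from the scanned host:

```python
r"""Identify a volume's file system from its first sector, for benchmark item 4.3.1.

Added example, not part of the CIS tool. SAMPLE_VOLUMES holds constructed
boot sectors that carry only the fields this check looks at.
"""
SECTOR = 512


def identify_filesystem(boot):
    """Return 'NTFS', 'FAT32', 'FAT16', 'FAT12' or 'unknown' for one boot sector."""
    if len(boot) < SECTOR or boot[510:512] != b"\x55\xAA":
        return "unknown"                        # no boot-sector signature
    if boot[3:11] == b"NTFS    ":               # NTFS OEM ID at offset 3
        return "NTFS"
    if boot[0x52:0x5A] == b"FAT32   ":          # FAT32 BPB file-system type string
        return "FAT32"
    fstype = boot[0x36:0x3E]                    # FAT12/FAT16 BPB file-system type string
    if fstype in (b"FAT12   ", b"FAT16   "):
        return fstype.decode("ascii").strip()
    return "unknown"


def audit_volumes(boot_sectors):
    """Map drive -> (file system, verdict); only NTFS passes 4.3.1."""
    result = {}
    for drive, boot in boot_sectors.items():
        fs = identify_filesystem(boot)
        result[drive] = (fs, "pass" if fs == "NTFS" else "FAIL")
    return result


def make_boot_sector(oem, fstype=None, fstype_offset=None):
    """Build a minimal 512-byte boot sector carrying only the fields checked above."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xEB\x52\x90"                  # jump instruction
    sec[3:11] = oem.ljust(8)
    if fstype is not None:
        sec[fstype_offset:fstype_offset + 8] = fstype.ljust(8)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


# Constructed samples: C: formatted NTFS, D: FAT32, E: FAT16.
SAMPLE_VOLUMES = {
    "C:": make_boot_sector(b"NTFS"),
    "D:": make_boot_sector(b"MSWIN4.1", b"FAT32", 0x52),
    "E:": make_boot_sector(b"MSWIN4.1", b"FAT16", 0x36),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # a dd image, or \\.\C: opened as administrator
        with open(sys.argv[1], "rb") as f:
            volumes = {sys.argv[1]: f.read(SECTOR)}
    else:
        volumes = SAMPLE_VOLUMES
    for drive, (fs, verdict) in audit_volumes(volumes).items():
        print("%-4s %-8s %s" % (verdict, fs, drive))
```

Run with no arguments it reports C: as NTFS (pass) and D: and E: as FAIL; given a path it reads the first 512 bytes of that file or raw volume and reports on it.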

Other applications will then be able to use these security features. Most users never need to change file permissions, while system administrators of all levels will need to do so from time to time. It is possible to cripple a system by modifying that security incorrectly, so change permissions deliberately and keep a record; even so, this is a clear step up from a FAT file system with NO security.

Warning
WARNING: Do not do this if your system is a dual-boot system with Windows 95/98/Me – that is, if you have the option of booting into either Windows 2000 or Windows 9x. The alternate operating system cannot read NTFS, will cease to function, and cannot be recovered.