
More On High Security

Rename Administrator account -

  1. From "User Manager" select Administrator
  2. From "File" menu choose "Rename"
  3. Enter new username

Min. password length of 8 characters -

  1. From "User Manager" select "Account" from "Policies" menu
  2. For "Minimum Password Length" enter 8

Password Age of 45 days -

  1. From "User Manager" select "Account" from "Policies" menu
  2. For "Maximum Password Age" enter 45

Protect registry keys -

  1. Using Regedt32.exe give the Everyone Group QueryValue, Enumerate Subkeys, Notify and Read Control to the following keys:
HKEY_LOCAL_MACHINE
\Software (not recommended for the entire subtree)
\Software\Microsoft\RPC (and its subkeys)
\Software\Microsoft\Windows NT\CurrentVersion
\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
\Software\Microsoft\Windows NT\CurrentVersion\Compatibility
\Software\Microsoft\Windows NT\CurrentVersion\Drivers
\Software\Microsoft\Windows NT\CurrentVersion\Embedding
\Software\Microsoft\Windows NT\CurrentVersion\Fonts
\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers
\Software\Microsoft\Windows NT\CurrentVersion\Font Mapper
\Software\Microsoft\Windows NT\CurrentVersion\Font Cache
\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
\Software\Microsoft\Windows NT\CurrentVersion\MCI
\Software\Microsoft\Windows NT\CurrentVersion\MCI Extensions
\Software\Microsoft\Windows NT\CurrentVersion\PerfLib
(Instead of Everyone:Read access on this key, give INTERACTIVE:Read access)
\Software\Microsoft\Windows NT\CurrentVersion\Port (and all subkeys)
\Software\Microsoft\Windows NT\CurrentVersion\Type1 Installer
\Software\Microsoft\Windows NT\CurrentVersion\WOW (and all subkeys)
\Software\Microsoft\Windows NT\CurrentVersion\Windows3.1MigrationStatus (and all subkeys)
\System\CurrentControlSet\Services\LanmanServer\Shares
\System\CurrentControlSet\Services\UPS
\Software\Microsoft\Windows\CurrentVersion\Run
\Software\Microsoft\Windows\CurrentVersion\RunOnce
\Software\Microsoft\Windows\CurrentVersion\Uninsta
HKEY_CLASSES_ROOT
\HKEY_CLASSES_ROOT (and all subkeys)
HKEY_USERS
\.DEFAULT
  2. Restart Computer

Enforce strong user passwords -

  1. Copy Passfilt.dll to the c:\WINNT\SYSTEM32 folder
  2. Use Regedt32.exe to add the value "Notification Packages", to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA (value type: REG_MULTI_SZ)
  3. Double-click the "Notification Packages" key and add the following value to the end of the existing values (if any): PASSFILT
  4. Restart Computer

Restrict boot process -

  1. From the BIOS, set a boot password

Require logon to shutdown computer -

  1. Use Regedt32.exe to add the value "ShutdownWithoutLogon", to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (value type: REG_SZ)
  2. Double-click the "ShutdownWithoutLogon" key and set the value to: 0
  3. Restart Computer

Control access to removable media -

  1. Use Regedt32.exe to add the value "AllocateFloppies", to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (value type: REG_SZ)
  2. Double-click the "AllocateFloppies" key and set the value to: 1
  3. Use Regedt32.exe to add the value "AllocateCDRoms", to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (value type: REG_SZ)
  4. Double-click the "AllocateCDRoms" key and set the value to: 1
  5. Restart Computer

Clean system page files on shutdown -

  1. Use Regedt32.exe to add the value "ClearPageFileAtShutdown", to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\Memory Management (value type: REG_SZ)
  2. Double-click the "ClearPageFileAtShutdown" key and set the value to: 1
  3. Restart Computer

Disable logon caching -

  1. Use Regedt32.exe to add the value "CachedLogonsCount", to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (value type: REG_SZ)
  2. Double-click the "CachedLogonsCount" key and set the value to: 1
  3. Restart Computer

SMB signing - (required for all clients)

  1. Use Regedt32.exe to add the value "RequireSecuritySignature", to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters (value type: REG_DWORD)
  2. Double-click the "RequireSecuritySignature" key and set the value to: 1
  3. Use Regedt32.exe to add the value "EnableSecuritySignature", to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (value type: REG_SZ)
  4. Double-click the "EnableSecuritySignature" key and set the value to: 1
  5. Restart Computer

Remove Server/Workstation from network browsing list -

  1. Use Regedt32.exe to add the value "hidden", to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters (value type: REG_DWORD)
  2. Double-click the "hidden" key and set the value to: 1
  3. Restart Computer

Enhance Security Account Manager protections -

  1. Create Emergency Repair Disk using RDISK /S from Command Prompt
  2. Install latest Service Pack
  3. From Command Prompt run "syskey"

Disable LanManager password hash (could be used to prevent access from Win95/98) -

  1. Use Regedt32.exe to add the value "LMCompatibilityLevel", to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA (value type: REG_DWORD)
  2. Double-click the "LMCompatibilityLevel" key and set the value to: 1 or 2
    • 1 - Send Windows NT and LM password forms only if the server requests it.
    • 2 - Never send LM password form. (Won't be able to receive connections from Windows 95 etc.)
  3. Restart Computer
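
Added example, not part of the original page: a Python check that compares a text export of the registry against a subset of the values set in the steps above, so drift from the checklist can be spotted without opening Regedt32.exe on each machine. It assumes a REGEDIT4-style export in which REG_MULTI_SZ data appears as hex(7) ANSI bytes; the function names and the sample export are constructed for illustration.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LSA = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA"
LANMAN = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"
# (key, value name, accepted data) for a subset of the checklist; str = REG_SZ, int = REG_DWORD
BASELINE = [
    (WINLOGON, "ShutdownWithoutLogon", ["0"]), (WINLOGON, "AllocateFloppies", ["1"]),
    (WINLOGON, "AllocateCDRoms", ["1"]), (LANMAN, "RequireSecuritySignature", [1]),
    (LSA, "LMCompatibilityLevel", [1, 2]), (LSA, "Notification Packages", ["PASSFILT"])]

def parse_reg(text):
    """Parse REGEDIT4 export text into {(key, value name): data}, names lower-cased."""
    values, key = {}, None
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex data continued with a trailing backslash
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            key = line.strip("[]").lower()
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not (m and key):
            continue
        name, raw = m.groups()
        val = raw.strip('"')  # REG_SZ unless a typed prefix follows
        if raw.startswith("dword:"):
            val = int(raw[6:], 16)
        elif raw.startswith("hex(7):"):  # REG_MULTI_SZ; assumed ANSI bytes, NUL-separated
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            val = [s.upper() for s in data.decode("latin-1").split("\x00") if s]
        values[(key, name.lower())] = val
    return values

def audit(text):
    """Return (value name, data found) for each baseline entry that is missing or wrong."""
    have, findings = parse_reg(text), []
    for key, name, accepted in BASELINE:
        found = have.get((key.lower(), name.lower()))
        if not set(accepted) & set(found if isinstance(found, list) else [found]):
            findings.append((name, found))
    return findings
# Constructed sample export (not from a real host)
SAMPLE = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ShutdownWithoutLogon"="1"
"AllocateFloppies"="1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LMCompatibilityLevel"=dword:00000002
"Notification Packages"=hex(7):50,41,53,53,46,\
  49,4c,54,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"RequireSecuritySignature"=dword:00000001'''
```

Calling audit(SAMPLE) reports the value that is set wrongly and the one that is absent; a value stored with a different type than the checklist specifies is also reported.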

Enable security auditing of logons, file access, etc. -

  1. From "User Manager" select "Audit" from "Policies" menu
  2. Select "Audit These Events"
  3. At a minimum select:
    • Logon and Logoff - Failure
    • Use of User Rights - Failure
    • User and Group Management - Success and Failure
    • Security Policy Changes - Success and Failure