| Action | Advantages | Disadvantage (If Any) |
|---|---|---|
| Legal Notice | Enumerates acceptable uses of computer | Extra step for user login |
| Protect against remote registry Win32 APIs | Prevents remote changing of OS and application parameters | |
| Remove default shares | Removes known points of access | |
| Prevent guests/null sessions from viewing Event logs | Restricts access to system information | |
| Strong protection over shared objects | Prevents security escalation attack - Q218473 | |
| Protect registry from remote connections | Prevents null session access to read/write registry keys | |
| Restrict access to Run/RunOnce/Uninstall | Prevents hackers from running programs locally when the user logs in or uninstalls a program | |
| Min. password length of 5 characters | Provides a base level of user security | |
| Password Age of 180 days | Makes passwords harder to guess | |
| Account lockout for 15 min. after 3 failed login attempts | Repeated attempts to hack in via password guessing become very difficult | |
| Require password uniqueness | Users can't change password to recent or current password | |
| User accounts as such (i.e. users don't get Admin/Power User accounts) | If an account is hijacked the damage can be minimized; prevents users from damaging their own machines | |
| Disable guest accounts | Prevents access by unknown users | Every user would require an account |
| Format all partitions using NTFS | File level protections, directory compression | Harder to recover from significant system problems |
| Secure the WinNT directories | Prevents unauthorized access to operating system | |
| Secure boot files & System files | Prevents changes to essential system files | |
| Disable NetBT | Limits access to local subnets, limiting access across the internet | Native file services not available using TCP/IP |
| Restrict Scheduler service to Admin | Prevents programs from being run in system mode | Limits access to occasionally useful tool |
| Hide last username | Makes it harder to guess username/password | Makes it slower for someone to log in at their own computer |
| Restrict anonymous net access to lookup accounts/groups/shares via null session access | Restrict anonymous net access to lookup accounts/groups/shares across domains | Prevents admins of one domain from adding users of another without explicitly logging in; prevents lmhost #include |
| Restrict use of LanManager password hash to legacy systems | Less secure LanManager password hash only used by older clients, limiting exposure on network | |
| User rights | Log on locally - Admin, Power Users, Users; Shutdown System - Admin, Power Users, Users; Access from network - Admin, Power Users, Users | |
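
The password and lockout rows of the table can be checked against a machine's `net accounts` output. The following is an added example, not part of the original page: the sample output is constructed, and reading each figure as a minimum or maximum bound is an assumption.

```python
# Assumption: each figure in the table is read as a bound (at least / at most).
BASELINE = {
    "Minimum password length": ("min", 5),
    "Maximum password age (days)": ("max", 180),
    "Length of password history maintained": ("min", 1),  # uniqueness on
    "Lockout threshold": ("max", 3),
    "Lockout duration (minutes)": ("min", 15),
}

# Constructed sample output (not captured from a real host).
SAMPLE = """\
Force user logoff how long after time expires?:       Never
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
The command completed successfully.
"""


def parse_net_accounts(text):
    """Map each 'name: value' line to {name: value}; skip other lines."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.rpartition(":")
        if sep and value.strip():
            settings[name.strip()] = value.strip()
    return settings


def audit(text):
    """Return (setting, found, required) for every baseline deviation."""
    settings = parse_net_accounts(text)
    findings = []
    for name, (kind, limit) in BASELINE.items():
        raw = settings.get(name, "missing")
        required = f"{'>=' if kind == 'min' else '<='} {limit}"
        # Non-numeric values (None, Never, Unlimited, missing) are reported.
        if not raw.isdigit():
            findings.append((name, raw, required))
        elif (int(raw) < limit) if kind == "min" else (int(raw) > limit):
            findings.append((name, raw, required))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s: found %s, baseline requires %s" % finding)
```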