
Working Aide - Windows Security Template Settings Final - 06 March 2008

Ted Mac Daibhidh, CD

WORKING AIDE -
WINDOWS SECURITY TEMPLATE SETTINGS

TED MAC DAIBHIDH, CD


Table of Contents
1 INTRODUCTION ...................................................................................................................3
2 WINDOWS SECURITY TEMPLATES ...............................................................................4
3 SECURITY SETTINGS .........................................................................................................5
3.1 PASSWORD .........................................................................................................................4
3.2 ACCOUNT LOCKOUT...........................................................................................................5
3.3 KERBEROS POLICY .............................................................................................................6
3.4 AUDIT POLICY ....................................................................................................................7
3.5 USER RIGHTS ASSIGNMENTS ..............................................................................................8
3.6 SECURITY OPTIONS ..........................................................................................................14
3.7 EVENT LOG SIZE ..............................................................................................................27
3.8 GUEST ACCESS .................................................................................................................28
3.9 RETENTION METHOD .......................................................................................................28
3.10 SYSTEM SERVICES ............................................................................................................29
3.11 TCP/IP STACK HARDENING .............................................................................................51
3.12 AFD.SYS ........................................................................................................................53
3.13 OTHER SETTINGS .............................................................................................................54
4 ANNEXES ..............................................................................................................................56
4.1 GENERAL SECURITY SETTING VALUES ............................................................................56
4.2 WINDOWS SECURITY IDENTIFIERS (SIDS) ........................................................................59
4.3 COMMON ACCESS CONTROL LIST (ACL) SETTINGS........................................................66
4.4 SECURITY POLICY COMPARISON AND ANALYSIS .............................................................74
5 REFERENCES ......................................................................................................................80


1 INTRODUCTION
The purpose of this document is to aggregate several disparate documents and
sources regarding Microsoft Windows security template settings, in order to
assist those with limited exposure to the subject should they find themselves
tasked with a project requiring interpretation of these settings.


2 WINDOWS SECURITY TEMPLATES [1]

Security templates are setup information (.inf) files that define system security
settings (e.g. user rights, permissions, password policies, etc.) on a Windows host.
Security templates can be deployed either centrally using Group Policy objects
(GPOs) or locally using tools such as secedit or the MMC security snap-ins.

Windows installations have several standard security templates, which can be
found in the C:\Windows\Security\Templates folder. The standard security
templates are:

a. Compatws.inf – required by older applications that need to have weaker
   security to access the Registry and the file system;

b. DC security.inf – used to configure security of the Registry and file system
   of a computer that was upgraded from Windows NT to Windows 2000/2003;

c. Hisecdc.inf – used to increase the security of, and communications with, the
   domain controllers;

d. Hisecws.inf – used to increase security and communications for client
   computers and member servers;

e. Notssid.inf – used to weaken security to allow older applications to run on
   Windows Terminal Services;

f. Ocfiless.inf – used for optional components that are installed after the main
   operating system is installed; this will support services such as Terminal
   Services and Certificate Services;

g. Securedc.inf – used to increase the security of, and communications with, the
   domain controllers, but not to the level of the High Security DC security
   template;

h. Securews.inf – used to increase security and communications for client
   computers and member servers; and

i. Setup security.inf – used to reapply the default security settings of a
   freshly installed computer.

[1] Melber, Derek. "Understanding Windows Security Templates". 06 October 2004.
Accessed on 25 March 2008.
http://www.windowsecurity.com/articles/Understanding-Windows-Security-Templates.html.


3 SECURITY SETTINGS
The sections below define some of the individual security settings found in
security templates. Where available, the CSEC recommended setting values [2]
will be provided and defined.
3.1 Password

Enforce password history
PasswordHistorySize = 24

'PasswordHistorySize' defines the number of previous passwords retained by the
system; this history is compared with user input during password changes.

The setting '24' requires the user to select twenty-four unique passwords before
they can re-use their first one. With a 'MinimumPasswordAge' of two, the user
would have to cycle their password every two days to get back to their original
password.

Maximum password age
MaximumPasswordAge = 42

'MaximumPasswordAge' defines the maximum number of days a user can keep the
same password.

A setting of forty-two requires the user to change their password every
forty-two days; combined with the 'PasswordComplexity' and
'MinimumPasswordLength' settings, this ensures the password is strong and
resilient to attack.

Minimum password age
MinimumPasswordAge = 2

'MinimumPasswordAge' defines how many days a user must wait between password
changes.

The setting '2' requires the user to wait two days before they can change their
password again.

Minimum password length
MinimumPasswordLength = 8

'MinimumPasswordLength' defines the minimum number of characters acceptable for
a password.

The setting '8' requires the user to enter a password of eight characters or
more; combined with the 'PasswordComplexity' and 'MaximumPasswordAge' settings,
this ensures the password is strong and resilient to attack.

[2] Communications Security Establishment Canada. "Windows Server 2003 Recommended
Baseline Security (ITSG-20)". http://www.cse-cst.gc.ca/documents/publications/gov-pubs/itsg/itsg20.pdf.


Password must meet complexity requirements
PasswordComplexity = 1

'PasswordComplexity' defines password complexity requirements; this setting
helps thwart brute-force attacks.

The setting '1' requires the user to enter a strong password that meets the
criteria listed below:

• Upper Case Character (A-Z)
• Lower Case Character (a-z)
• Base 10 Digits (0-9)
• Non-alphanumeric (! @ # $ % ^ &)

Store password using reversible encryption
ClearTextPassword = 0

The 'ClearTextPassword' keyword determines if the system stores passwords using
reversible encryption. The setting '0' disables reversible encryption.

NOTE: Never enable this option unless operational considerations outweigh the
need to protect password information.

3.2 Account Lockout

Account lockout duration
LockoutDuration = 15

'LockoutDuration' defines the length of time (in minutes) that an account is
disabled after lockout; this value needs to be synchronized with
'ResetLockoutCount' so the user can log on when the 'LockoutDuration' has
expired.

The setting '15' disables the user's account for 15 minutes.

Account lockout threshold
LockoutBadCount = 10

'LockoutBadCount' defines the number of failed logons allowed before the account
is locked.

The setting '10' causes the user's account to be locked after 10 consecutive
failed logon attempts. The setting prevents extended password guessing attacks.


Reset account lockout counter after
ResetLockoutCount = 15

'ResetLockoutCount' defines the length of time (in minutes) before a lockout
reset occurs; this value needs to be synchronized with 'LockoutDuration' so the
user can log on when the 'LockoutDuration' has expired.

The setting '15' resets the lockout counter to zero after fifteen minutes.

3.3 Kerberos Policy

Enforce user logon restrictions
TicketValidateClient = 1

'TicketValidateClient' determines if Kerberos V5 Key Distribution Centre
authentication is required.

The setting '1' requires the use of Kerberos authentication.

Maximum lifetime for the service ticket
MaxServiceAge = 600

'MaxServiceAge' defines the number of minutes a service ticket will be valid.

The setting '600' allows the ticket to be used for ten hours.

Maximum lifetime for user ticket
MaxTicketAge = 10

'MaxTicketAge' defines the maximum number of hours a user's ticket granting
ticket may be used.

The setting '10' indicates that the ticket granting ticket must be replaced or
renewed after ten hours.

Maximum lifetime for user ticket renewal
MaxRenewAge = 7

'MaxRenewAge' defines the number of days a ticket granting ticket may be renewed
after issuance.

The setting '7' allows a ticket granting ticket to be renewed for seven days.

Maximum tolerance for computer clock synchronization
MaxClockSkew = 5

'MaxClockSkew' defines the maximum amount of time (in minutes) a system clock
can differ from the Domain Controller clock.

The setting '5' tolerates a clock difference of no more than 5 minutes.


3.4 Audit Policy

Additional information regarding audit policy can be found in section 4.1.4 of
the Annex.

Audit account logon events
AuditAccountLogon = 3

'AuditAccountLogon' defines the types of account logon events to audit;
'success' events can determine who accessed the system during an incident.
'Fail' events provide insight into password guessing attacks.

The setting '3' audits 'success' and 'fail' events.

Audit account management
AuditAccountManage = 3

'AuditAccountManage' defines the types of account management events to audit;
'success' events can be used in investigations to monitor accounts at the time
of an incident. 'Fail' attempts can determine if users are probing the system
for vulnerabilities.

The setting '3' audits 'success' and 'fail' events.

Audit directory service access
AuditDSAccess = 3

'AuditDSAccess' defines the types of directory service access events to audit;
the Directory Service holds crucial information for the Domain. Knowledge of
access during an incident can provide valuable information about Active
Directory objects accessed during an attack.

The setting '3' audits 'success' and 'fail' events.

Audit logon events
AuditLogonEvents = 3

'AuditLogonEvents' defines the types of logon events to audit; 'success' events
can be used to determine who was accessing the system during an incident.
'Fail' logon attempts can determine if the system is under a password guessing
attack.

The setting '3' audits 'success' and 'fail' events.

Audit object access
AuditObjectAccess = 2

'AuditObjectAccess' defines the types of object access events that will be
audited; failed attempts can be monitored to determine if any users are probing
the system for vulnerabilities.

The setting '2' audits failed events.

Audit policy change
AuditPolicyChange = 3

'AuditPolicyChange' defines the types of policy change events that will be
audited; 'success' events are used in investigations to determine access to the
system and the policy in force at the time of the incident. 'Fail' attempts can
determine if users are probing the system for vulnerabilities.

The setting '3' audits 'success' and 'fail' events.

Audit privilege use
AuditPrivilegeUse = 3

'AuditPrivilegeUse' defines the types of privilege use events to be audited;
'success' events are used to determine who was accessing the system at the time
of the incident. 'Fail' attempts can determine if users are probing the system
for vulnerabilities.

The setting '3' audits 'success' and 'fail' events.

Audit process tracking
AuditProcessTracking = 0

'AuditProcessTracking' defines the types of process tracking events to be
audited. Due to the large volume of data generated if this setting is enabled,
the normal setting for this value is disabled. However, during an incident the
information provided is invaluable; if an attack is suspected, it is
recommended that the setting be changed to '1' (enabled).

The setting '0' audits no events. The value of this information is weighed
against the volume of data collected.

Audit system events
AuditSystemEvents = 3

'AuditSystemEvents' defines the system events to be audited; these events
reflect system shutdowns and restarts, system security events, and events that
affect the security log.

The setting '3' audits 'success' and 'fail' events.
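As an added example (not code from the working aide or the CSEC baseline), the following Python parses the .inf layout described in section 2 and checks the [System Access], [Kerberos Policy] and [Event Audit] sections against the values recommended in sections 3.1 to 3.4 above, reporting audit values by their success/failure meaning. The section and keyword names are those of the standard secedit template format; the sample template is constructed for the demonstration.

```python
from typing import Dict, List, Tuple

# Recommended values from sections 3.1 to 3.4, keyed by .inf section and keyword.
# Keywords in a template are case-insensitive, so everything is stored lower-cased.
BASELINE: Dict[str, Dict[str, int]] = {
    "system access": {
        "passwordhistorysize": 24, "maximumpasswordage": 42,
        "minimumpasswordage": 2, "minimumpasswordlength": 8,
        "passwordcomplexity": 1, "cleartextpassword": 0,
        "lockoutduration": 15, "lockoutbadcount": 10, "resetlockoutcount": 15,
    },
    "kerberos policy": {
        "ticketvalidateclient": 1, "maxserviceage": 600, "maxticketage": 10,
        "maxrenewage": 7, "maxclockskew": 5,
    },
    "event audit": {
        "auditaccountlogon": 3, "auditaccountmanage": 3, "auditdsaccess": 3,
        "auditlogonevents": 3, "auditobjectaccess": 2, "auditpolicychange": 3,
        "auditprivilegeuse": 3, "auditprocesstracking": 0, "auditsystemevents": 3,
    },
}

# [Event Audit] values are a bit mask: bit 0 = audit success, bit 1 = audit failure.
AUDIT_FLAGS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}


def parse_template(text: str) -> Dict[str, Dict[str, str]]:
    """Split a security template into {section: {keyword: raw value}}.
    Headers and keywords are lower-cased; ';' comments and blank lines are
    skipped; values stay strings (other sections carry SID lists/typed data)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            keyword, _, value = line.partition("=")
            sections[current][keyword.strip().lower()] = value.strip()
    return sections


def check_template(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (section, keyword, found, recommended) for every deviation.
    A keyword absent from the template is reported as '<missing>' because the
    aide requires every value to be explicit rather than left to the default."""
    sections = parse_template(text)
    findings = []
    for section, recommended in BASELINE.items():
        present = sections.get(section, {})
        for keyword, expected in recommended.items():
            found = present.get(keyword, "<missing>")
            if found == str(expected):
                continue
            if section == "event audit":
                shown = AUDIT_FLAGS.get(int(found), found) if found.isdigit() else found
                want = AUDIT_FLAGS[expected]
            else:
                shown, want = found, str(expected)
            findings.append((section, keyword, shown, want))
    return findings


# Constructed sample: the maximum password age is relaxed to 90 days, the
# Kerberos logon-restriction check is omitted, and logon auditing covers
# successes only.
SAMPLE_TEMPLATE = """\
[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ResetLockoutCount = 15
LockoutDuration = 15
ClearTextPassword = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 1
AuditObjectAccess = 2
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 3
AuditAccountLogon = 3
"""

if __name__ == "__main__":
    for section, keyword, found, want in check_template(SAMPLE_TEMPLATE):
        print(f"[{section}] {keyword}: found {found}, recommended {want}")
```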

3.5 User Rights Assignments

User rights assignments are designated using Windows Security Identifiers
(SIDs); refer to Annex 4.2.

Access this computer from the network
senetworklogonright = *S-1-5-11,*S-1-5-32-544

'senetworklogonright' grants network protocol access to the system (SMB,
NetBIOS, CIFS, HTTP and COM+). The policy grants privileges to Administrators
and Authenticated Users. The ability to access the system from the network
provides greater exposure for an attack; restricting access reduces the
exposure.


Act as part of the operating system
setcbprivilege =

'setcbprivilege' grants an account the ability to act as part of the operating
system. According to Microsoft, there is no reason why an account would require
this privilege.

Add workstations to domain
semachineaccountprivilege =

'semachineaccountprivilege' grants the right to add workstations to a domain.
This policy grants no privilege; restricting this privilege helps maintain
domain integrity.

Adjust memory quotas for a process
seincreasequotaprivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20

'seincreasequotaprivilege' grants the ability to adjust memory quotas for a
process. This policy grants privileges to the Administrators, LOCAL SERVICE and
NETWORK SERVICE accounts; if misused, DoS attacks are possible.

Allow log on locally
seinteractivelogonright = *S-1-5-32-551,*S-1-5-32-544

'seinteractivelogonright' grants logon privilege to the local console. These
privileges are given to Administrators and Backup Operators. Local access is
restricted to accounts that have a legitimate reason for access; by restricting
this privilege, system exposure is reduced.

Allow log on through Terminal Services
seremoteinteractivelogonright = *S-1-5-32-544

'seremoteinteractivelogonright' grants the right to log on remotely through
Terminal Services. This policy grants rights to Administrators; there is no
requirement to allow users this form of access.

Backup files and directories
sebackupprivilege = *S-1-5-32-551,*S-1-5-32-544

'sebackupprivilege' grants the right to back up files and directories. Rights
are given to Administrators and Backup Operators; if your policy does not allow
administrators to back up, omit the Administrators group. The allocation of
this privilege must be tightly controlled.

Bypass traverse checking
sechangenotifyprivilege = *S-1-5-32-545,*S-1-5-32-551,*S-1-5-11,*S-1-5-32-544

The 'sechangenotifyprivilege' grants the right to bypass traverse checking in
NTFS file systems and the Registry. This policy grants rights to Users, Backup
Operators, Administrators and Authenticated Users.


Change the system time
sesystemtimeprivilege = *S-1-5-32-544

'sesystemtimeprivilege' grants the right to change the system time; this policy
grants rights to Administrators. The system time is critical in incident
investigation; without a consistent time, it is difficult to correlate events on
multiple systems.

Create a pagefile
secreatepagefileprivilege = *S-1-5-32-544

'secreatepagefileprivilege' grants the right to create a page file. This policy
grants rights to Administrators; restricting this to Administrators limits the
exposure to trusted individuals. Too large a page file can cause poor system
performance.

Create a token object
secreatetokenprivilege =

'secreatetokenprivilege' grants the right to create local security token
objects; the privilege gives the ability to create or modify access tokens.
This policy does not grant rights to anyone; doing this can prevent privilege
escalation attacks and DoS conditions.

Create global objects
secreateglobalprivilege = *S-1-5-6,*S-1-5-32-544

'secreateglobalprivilege' grants the right to create objects available to all
sessions; it can be used to affect other users' processes. This policy grants
rights to Administrators and the SERVICE account.

Create permanent shared objects
secreatepermanentprivilege =

'secreatepermanentprivilege' grants the right to create shared objects (folders,
printers); users with this privilege could expose sensitive data to the network
by creating a shared object. Only members of the Administrators group can
create permanent shared objects.

Debug programs
sedebugprivilege =

'sedebugprivilege' grants the right to debug any kernel process. Program
debugging should never be done in a production environment; in the event it is
required, grant rights only for the time required to perform the debugging.


Deny access to this computer from the network
sedenynetworklogonright = *S-1-5-32-546,*S-1-5-7

'sedenynetworklogonright' prevents access for a variety of network protocols;
the policy applies the right to Guests and Anonymous Logon. The Administrators
must add the local accounts 'Guest', 'Support_388945a0' and the Built-in
Administrator account.

NOTE: Given no reason for network access to the system for a group or user,
access should be denied.

Deny log on as a batch job
sedenybatchlogonright = *S-1-5-32-546,*S-1-5-7

'sedenybatchlogonright' prevents the ability to create batch jobs; the batch
facility could be used to schedule jobs that result in a DoS. This policy
applies the right to Guests and Anonymous Logon; the Administrators must add the
local accounts 'Guest' and 'Support_388945a0'.

NOTE: Given no reason for batch logon access to the system for a group or user,
access should be denied.

Deny log on as a service
sedenyservicelogonright = *S-1-5-32-546,*S-1-5-32-544,*S-1-5-7

'sedenyservicelogonright' prevents an account from logging on as a service.
This policy applies the right to Guests, Anonymous Logon and Administrators.
Administrators must add the local accounts 'Guest', 'Support_388945a0' and the
Built-in Administrator account.

Deny log on locally
sedenyinteractivelogonright = *S-1-5-32-546,*S-1-5-7

'sedenyinteractivelogonright' prevents local access to the system. This policy
applies the right to Guests and Anonymous Logon; administrators must add the
local accounts 'Guest' and 'Support_388945a0'.

NOTE: Given no reason for interactive access to the system for a group, access
should be denied.

Deny log on through Terminal Services
sedenyremoteinteractivelogonright = *S-1-5-32-546,*S-1-5-7

'sedenyremoteinteractivelogonright' prevents logon through Terminal Services.
This policy applies the right to Guests and Anonymous Logon. Administrators must
add the local accounts 'Guest', 'Support_388945a0' and the Built-in
Administrator account.

NOTE: Given no reason for Terminal Services access for a group, access should
be denied.


Enable computer and user accounts to be trusted for delegation
seenabledelegationprivilege =

'seenabledelegationprivilege' grants the right to change the 'trusted for
delegation' setting on Active Directory objects; the misuse of this privilege
could lead to impersonation of users in a Domain. This policy does not grant
privileges to anyone.

Force shutdown from a remote system
seremoteshutdownprivilege =

'seremoteshutdownprivilege' grants the right to shut the system down from a
remote location; servers in a High Security zone require physical access to be
shut down. This policy grants rights to no one.

Generate security audits
seauditprivilege = *S-1-5-19,*S-1-5-20

'seauditprivilege' grants the right to generate records in the security log;
limiting the right to non-interactive accounts prevents DoS conditions caused
by full logs. This policy grants rights to Network Service and Local Service.

Impersonate a client after authentication
seimpersonateprivilege = *S-1-5-19,*S-1-5-20

'seimpersonateprivilege' grants applications the right to impersonate a client
after authentication; for superior security, privileges should be limited to
non-interactive accounts. This policy grants rights to Local Service and
Network Service.

Increase scheduling priority
seincreasebasepriorityprivilege = *S-1-5-32-544

'seincreasebasepriorityprivilege' grants the right to increase process
priority; this policy grants privileges to Administrators.

Load and unload device drivers
seloaddriverprivilege = *S-1-5-32-544

'seloaddriverprivilege' grants the right to load and unload device drivers.
Driver code can be run with elevated privileges; restricting this privilege to
Administrators reduces system exposure. This policy grants privileges to
Administrators.

Lock pages in memory
selockmemoryprivilege =

'selockmemoryprivilege' grants the right to keep data in physical memory. Abuse
of this privilege can result in starved memory resources and a DoS situation;
restricting this privilege reduces exposure to this threat. This policy grants
privileges to no one.


Log on as a batch job
sebatchlogonright =

'sebatchlogonright' grants the right to submit batch jobs (log on as a batch
job); the Task Scheduler could be used to invoke a DoS condition, and limiting
this privilege reduces the threat. This policy grants rights to no one.

Log on as a service
seservicelogonright = *S-1-5-20,*S-1-5-19

'seservicelogonright' grants the right to log on as a service. This policy
grants rights to Local Service and Network Service; interactive accounts are
purposely excluded.

Manage auditing and security log
sesecurityprivilege = *S-1-5-32-544

'sesecurityprivilege' grants the right to specify object access auditing
options; this policy grants rights to Administrators. Administrators alone can
determine the appropriate auditing level, thereby ensuring that users of the
system cannot reduce auditing and eliminate traces of their activity.

Modify firmware environment values
sesystemenvironmentprivilege = *S-1-5-32-544

'sesystemenvironmentprivilege' grants the right to modify firmware environment
values. The ability to change system configuration must be strictly controlled;
this policy grants the right to Administrators only.

Perform volume maintenance tasks
semanagevolumeprivilege = *S-1-5-32-544

'semanagevolumeprivilege' grants the right to manage volumes or disks. The
administrative function of volume and disk management can damage data on a
disk; restricting this privilege reduces the threat. This policy grants rights
to Administrators only.

Profile single process
seprofilesingleprocessprivilege = *S-1-5-32-544

'seprofilesingleprocessprivilege' grants the right to monitor the performance
of a non-system process. The ability to profile a process can provide
information to be used as the basis of an attack; limiting the privilege to
Administrators reduces this threat. This policy grants the right to
Administrators.

Profile system performance
sesystemprofileprivilege = *S-1-5-32-544

'sesystemprofileprivilege' grants the right to monitor the performance of a
system process. Profiling a system gathers information useful for an attack;
limiting the privilege to Administrators reduces this threat. This policy
grants the right to Administrators only.


Remove computer from docking station
seundockprivilege = *S-1-5-32-544

'seundockprivilege' grants the right to undock the server. As a preventive
measure, this privilege should be restricted; this policy grants it to
Administrators only.

Replace a process level token
seassignprimarytokenprivilege = *S-1-5-19,*S-1-5-20

'seassignprimarytokenprivilege' grants the right to replace the security token
of a child process; this can be used to launch processes as another user,
providing the ability to hide inappropriate activity on a system. These rights
are granted to Local Service and Network Service.

Restore files and directories
serestoreprivilege = *S-1-5-32-544

'serestoreprivilege' grants the right to bypass permissions when restoring
objects. Due to the nature of the restore process, the right should be
restricted to accounts that are required to use it. This policy grants the
privilege to Administrators only.

Shut down the system
seshutdownprivilege = *S-1-5-32-544

'seshutdownprivilege' grants the right to shut down the system locally.
Restricting this privilege reduces the threat of inadvertent or malicious
shutdowns; this policy grants the right to Administrators only.

Synchronize directory service data
sesyncagentprivilege =

'sesyncagentprivilege' grants the right to read all objects and properties in
the Directory; information gained from Active Directory can be used to form an
attack against the system. This policy revokes all privileges.

Take ownership of files or other objects
setakeownershipprivilege = *S-1-5-32-544

'setakeownershipprivilege' grants the right to take ownership of any securable
object in the system. The act of changing ownership is recorded in the logs;
in addition, this policy grants the privilege to Administrators only.
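As an added example (not the aide's own code), the following Python decodes [Privilege Rights] lines into the well-known names used in section 3.5 and flags two departures from its recommendations: rights the aide says should be granted to no one, and deny rights that do not cover Guests and Anonymous Logon. The sample lines are constructed; the bare `Support_388945a0` entry shows how a literal account name (no leading `*`) appears when an administrator adds the local accounts the aide calls for.

```python
from typing import Dict, List

# Well-known SIDs named in section 3.5 (Annex 4.2 lists the full set).
WELL_KNOWN_SIDS = {
    "S-1-5-6": "SERVICE",
    "S-1-5-7": "ANONYMOUS LOGON",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
    "S-1-5-32-551": "Backup Operators",
}

# Rights that section 3.5 assigns to no one.
MUST_BE_EMPTY = {
    "setcbprivilege", "semachineaccountprivilege", "secreatetokenprivilege",
    "secreatepermanentprivilege", "sedebugprivilege", "seenabledelegationprivilege",
    "seremoteshutdownprivilege", "selockmemoryprivilege", "sebatchlogonright",
    "sesyncagentprivilege",
}

# Deny rights that must cover at least Guests and ANONYMOUS LOGON.
DENY_RIGHTS = {
    "sedenynetworklogonright", "sedenybatchlogonright", "sedenyservicelogonright",
    "sedenyinteractivelogonright", "sedenyremoteinteractivelogonright",
}
REQUIRED_DENY = {"S-1-5-32-546", "S-1-5-7"}


def parse_privilege_rights(lines: List[str]) -> Dict[str, List[str]]:
    """Map each right (lower-cased) to its comma-separated entries.
    '*S-1-...' entries are SIDs; an entry without the leading '*' is an
    account name written literally, and is kept as written."""
    rights: Dict[str, List[str]] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip().lower()] = [e.strip() for e in value.split(",") if e.strip()]
    return rights


def describe(entry: str) -> str:
    """Render '*S-1-5-32-544' as 'Administrators (S-1-5-32-544)'."""
    if entry.startswith("*"):
        sid = entry[1:]
        return f"{WELL_KNOWN_SIDS.get(sid, 'unknown SID')} ({sid})"
    return f"{entry} (account name, not a SID)"


def audit_privilege_rights(lines: List[str]) -> List[str]:
    """Return one finding per assignment that departs from section 3.5.
    Only SID entries count towards the deny check; literal names are not
    resolved here, so they cannot stand in for the Guests/Anonymous SIDs."""
    rights = parse_privilege_rights(lines)
    findings = []
    for right in sorted(MUST_BE_EMPTY & set(rights)):
        if rights[right]:
            who = ", ".join(describe(e) for e in rights[right])
            findings.append(f"{right} should be granted to no one but is held by {who}")
    for right in sorted(DENY_RIGHTS & set(rights)):
        sids = {e[1:] for e in rights[right] if e.startswith("*")}
        missing = REQUIRED_DENY - sids
        if missing:
            names = ", ".join(describe("*" + s) for s in sorted(missing))
            findings.append(f"{right} does not deny {names}")
    return findings


# Constructed sample [Privilege Rights] lines: Debug programs has been handed to
# Administrators, and the network deny list omits ANONYMOUS LOGON.
SAMPLE_LINES = [
    "SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544",
    "SeTcbPrivilege = ",
    "SeDebugPrivilege = *S-1-5-32-544",
    "SeDenyNetworkLogonRight = *S-1-5-32-546,Support_388945a0",
    "SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-7",
    "SeServiceLogonRight = *S-1-5-20,*S-1-5-19",
]

if __name__ == "__main__":
    for finding in audit_privilege_rights(SAMPLE_LINES):
        print(finding)
```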

3.6 Security Options

Security Options includes values for all entries in the Security Options
section of the policy GUI, incorporating entries in the Security Options
section of the Domain Policy as well as the Member Server Baseline. Please note
that all values are explicitly defined; this ensures that security is not
dependent on default values.


Accounts: Administrator account status
EnableAdminAccount = 0

'EnableAdminAccount' determines if the local administrator account is enabled.
The setting '0' disables the local administrator account; this prevents
widespread use and removes it as a target for attack.

Accounts: Guest account status
EnableGuestAccount = 0

'EnableGuestAccount' determines if the local guest account is enabled. The
setting '0' disables the local guest account; this prevents widespread use and
removes it as a target for attack.

Accounts: Limit local account use of blank passwords to console logon
machine\system\currentcontrolset\control\lsa\limitblankpassworduse=4,1

The 'limitblankpassworduse' registry value determines if local accounts with
blank passwords can be used to log on remotely. The setting '1' disallows
accounts with blank passwords from logging on remotely; this ensures remote
access requires an account name and password.

Accounts: Rename administrator account
NewAdministratorName = "johnsmith"

The 'NewAdministratorName' keyword sets the local administrator account name;
renaming the local administrator account makes it more difficult for an
attacker to misuse the account. The setting 'johnsmith' renames the local
administrator account to johnsmith.

NOTE: This keyword should be omitted if a policy to rename the Administrator
account on each system is enforced. If not, then at a minimum change it from
'johnsmith' to a local value.

Accounts: Rename guest account
NewGuestName = "janesmith"

The 'NewGuestName' keyword sets the local guest account name; renaming the
account makes it more difficult for an attacker to misuse it. The setting
'janesmith' renames the local guest account to janesmith.

NOTE: This keyword should be omitted if a policy to rename the Guest account on
each system is enforced. If not, then at a minimum change it from 'janesmith'
to a local value.

Audit: Audit the access of global system objects
machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0

The 'auditbaseobjects' registry value determines if access to global system
objects is audited; the setting '0' disables auditing of access to global
objects.


Audit: Audit the use of Backup and Restore privilege
machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0

The 'fullprivilegeauditing' registry value determines if the system will audit
the use of the Backup and Restore privilege; the setting '0' disables auditing
of the Backup and Restore privilege.

Audit: Shut down system immediately if unable to log security audits
machine\system\currentcontrolset\control\lsa\crashonauditfail=4,1

The 'crashonauditfail' registry value determines system behaviour when it fails
to log security events; the setting '1' shuts the system down when it cannot
log. The Canadian Federal government requires that comprehensive log data be
carefully maintained; therefore, if the log files are full the system must not
process further transactions.

Devices: Allow undock without having to log on
machine\software\microsoft\windows\currentversion\policies\system\undockwithoutlogon=4,0

The 'undockwithoutlogon' registry value determines if a portable computer can be
undocked without logon; the setting '0' disallows undocking the computer
without logon.

Devices: Allowed to format and eject removable media
machine\software\microsoft\windowsnt\currentversion\winlogon\allocatedasd=1,"0"

The 'allocatedasd' registry value determines who can format and eject removable
media; the ability to store large quantities of data (e.g. entire databases)
means this should be restricted to trusted individuals. The setting '0' permits
Administrators to format and eject removable media.

Devices: Prevent users from installing printer drivers
services\servers\addprinterdrivers=4,1

The 'addprinterdrivers' registry value determines if users can add printer
drivers. The setting '1' prevents users from adding print drivers; this assists
in preventing users from running malicious code in a privileged state.

Devices: Restrict CD-ROM access to locally logged-on user only
machine\software\microsoft\windowsnt\currentversion\winlogon\allocatecdroms=1,"1"

The 'allocatecdroms' registry value determines if the CD-ROM is equally
accessible to local and remote users. The setting '1' restricts remote access
to the CD-ROM when it is in use by a local user.

NOTE: The setting allows remote authorized users to access the CD-ROM if no one
is logged on locally.

Devices: Restrict floppy access to locally logged-on user only

machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies=1,"1"

The 'allocatefloppies' registry value determines if the floppy drive is accessible to local and remote users at the same time; the setting '1' restricts remote access while a local user is logged on.

NOTE: This setting still allows remote access to the floppy drive if no one is logged on locally.

Devices: Unsigned driver installation behavior

machine\software\microsoft\driversigning\policy=3, 1

The 'policy' registry value defines the behaviour when an unsigned driver is installed; the possible values are '0' (install silently), '1' (warn) and '2' (block). Drivers signed through the Windows Hardware Quality Labs (WHQL) programme install without prompting; if the value is set to block, only WHQL-signed drivers can be installed, and the decision to install a driver without a WHQL signature is otherwise left to the Administrator. The setting '1' warns the user before an unsigned driver is installed.

Domain controller: Allow server operators to schedule tasks

machine\system\currentcontrolset\control\lsa\submitcontrol=4, 0

The 'submitcontrol' registry value determines if members of the Server Operators group can schedule tasks with the AT command; a DoS condition may be invoked if too many simultaneous tasks are executed, and because such tasks run as SYSTEM, the ability to schedule them is also a route to full control of the domain controller. The setting '0' prevents Server Operators from scheduling tasks.

Domain controller: LDAP server signing requirements

machine\system\currentcontrolset\services\ntds\parameters\ldapserverintegrity=4, 2

The 'ldapserverintegrity' registry value determines if the LDAP server requires clients to negotiate signing; unsigned LDAP traffic is susceptible to man-in-the-middle attacks, and signing helps prevent session hijacking. The setting '2' requires signing from every client that does not already protect the connection with TLS/SSL.

Domain controller: Refuse machine account password changes

machine\system\currentcontrolset\services\netlogon\parameters\refusepasswordchange=4, 0

The 'refusepasswordchange' registry value determines if domain controllers accept changes to computer account passwords; regularly changed passwords reduce the window for an effective brute-force attack. The setting '0' allows computer account passwords to be changed.
Domain member: Digitally encrypt or sign secure channel data (always)

machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4, 1

The 'requiresignorseal' registry value determines if the domain member always encrypts or signs secure channel (Netlogon) data. The setting '1' requires that all secure channel data be encrypted or signed; a secure channel cannot be established with a domain controller that cannot do so. Legacy (pre-Windows 2000) systems cannot support this requirement.

Domain member: Digitally encrypt secure channel data (when possible)

machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4, 1

The 'sealsecurechannel' registry value determines if a domain member requests encryption of all secure channel data; encrypting secure channel data prevents sensitive information being sent in the clear, limiting an attacker's ability to gather information for an attack. The setting '1' requests encryption of all secure channel data.

Domain member: Digitally sign secure channel data (when possible)

machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4, 1

The 'signsecurechannel' registry value determines if a domain member signs secure channel data when the domain controller supports it; unsigned data is susceptible to man-in-the-middle attack, and signing protects the client from session hijack. The setting '1' enables signing of secure channel data when possible.

Domain member: Disable machine account password changes

machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4, 0

The 'disablepasswordchange' registry value determines if a domain member stops changing its computer account password periodically; if changes were disabled, the system would keep the same computer password indefinitely, leaving it susceptible to password-guessing attacks. The setting '0' allows machine account password changes.

Domain member: Maximum machine account password age

machine\system\currentcontrolset\services\netlogon\parameters\maximumpasswordage=4, 42

The 'maximumpasswordage' registry value determines the maximum number of days between computer account password changes. The setting '42' requires the password to be changed at least every forty-two days; this ensures the password is changed often enough to thwart password-guessing attacks.
Domain member: Require strong (Windows 2000 or later) session key

machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4, 1

The 'requirestrongkey' registry value determines if a domain member requires a strong (128-bit) session key for secure channel communications; if disabled, the client negotiates key strength with the domain controller. The setting '1' requires a 128-bit key for the secure channel; this provides the strongest protection for secure channel data, but the channel cannot be established with a domain controller that cannot supply a strong key.

Interactive logon: Do not display last user name

machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4, 1

The 'dontdisplaylastusername' registry value determines if the logon screen shows the name of the last user who logged on. The setting '1' does not display the last username; this withholds a valid account name from an attacker with access to the console.

Interactive logon: Do not require CTRL+ALT+DEL

machine\software\microsoft\windows\currentversion\policies\system\disablecad=4, 0

The 'disablecad' registry value determines if CTRL+ALT+DEL is required before a user can log on. The setting '0' requires CTRL+ALT+DEL to initiate logon; this secure attention sequence is handled by the operating system and cannot be intercepted by ordinary applications, which helps thwart Trojan Horse programs that imitate the logon dialog to capture passwords.

Interactive logon: Message text for users attempting to logon

machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=7, TEXT FOR USER LOGON MUST BE SUPPLIED

The 'legalnoticetext' registry value is presented to the user before the username and password are entered; a logon banner may help an organization in the event of legal proceedings. The value shown is a placeholder; the organization's approved text must be supplied.

Interactive logon: Message title for users attempting to logon

machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1,"TEXT FOR USER LOGON MUST BE SUPPLIED"

The 'legalnoticecaption' registry value is presented as the title of the window that contains the 'legalnoticetext' text. The value shown is a placeholder; the organization's approved title must be supplied.

Interactive logon: Number of previous logons to cache (in case domain controller is not available)

machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,"0"

The 'cachedlogonscount' registry value determines the number of unique users whose logon information is cached locally. The setting '0' caches no logon information; this ensures every user obtains a current security token from a domain controller, so a user whose account has been disabled cannot gain access via cached credentials, and no cached credential verifiers are left on disk for an attacker to recover.

NOTE: With no cached logons, a domain user cannot log on when no domain controller is reachable; the value should be revisited in the role-specific policy for portable computers.
Interactive logon: Prompt user to change password before expiration

machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14

The 'passwordexpirywarning' registry value determines how many days in advance the user is notified of password expiration. The setting '14' warns the user 14 days before password expiry; the user continues to be reminded until the password expires.

Interactive logon: Require Domain Controller authentication to unlock workstation

machine\software\microsoft\windows nt\currentversion\winlogon\forceunlocklogon=4, 1

The 'forceunlocklogon' registry value determines if a domain controller must be contacted to unlock a locked computer. The setting '1' requires contact with a domain controller; this ensures the user obtains a current security token from the domain controller, so a user whose account has since been disabled cannot unlock the console via cached credentials.

Interactive logon: Require smart card

machine\software\microsoft\windows\currentversion\policies\system\scforceoption=4, 0

The 'scforceoption' registry value determines if a smart card is required to log on. The setting '0' does not require a smart card. The majority of servers will not require two-factor authentication; where it is a requirement, it should be enabled by a role-specific policy.

Interactive logon: Smart card removal behaviour

machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,"1"

The 'scremoveoption' registry value determines system behaviour when a smart card is removed. The setting '1' locks the workstation when the card is removed; this ensures accountability for transactions that require smart card authentication.

Microsoft network client: Digitally sign communications (always)

machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4, 1

The 'requiresecuritysignature' registry value under 'lanmanworkstation' determines if the SMB client requires packet signing. The setting '1' requires packet signing; signing authenticates every SMB packet, supports mutual authentication and may prevent man-in-the-middle attacks, thereby eliminating session hijacking. Legacy systems cannot support this requirement: a client with this setting cannot connect to a server that does not sign.
Microsoft network client: Digitally sign communications (if server agrees)

machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4, 1

The 'enablesecuritysignature' registry value under 'lanmanworkstation' determines if the SMB client attempts to negotiate SMB packet signing when the server agrees. The setting '1' causes the client to negotiate signing; this supports mutual authentication and may prevent man-in-the-middle attacks, thereby eliminating session hijacking. Legacy (pre-Windows 2000) systems cannot support this requirement.

Microsoft network client: Send unencrypted password to third-party SMB servers

machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4, 0

The 'enableplaintextpassword' registry value determines if the SMB client sends plain-text passwords to non-Microsoft SMB servers that do not support password encryption. The setting '0' disables the use of clear-text passwords. Non-Microsoft SMB servers that do not accept encrypted passwords are disallowed in a High Security environment; password security must always be enforced.

Microsoft network server: Amount of idle time required before suspending session

machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4, 15

The 'autodisconnect' registry value defines the amount of idle time in minutes before an SMB session is suspended; the setting '15' suspends an SMB session after fifteen minutes of idle time. An idle session consumes system resources; an attacker could open many sessions and leave them idle to invoke a DoS condition. Beyond the security ramifications, large numbers of idle sessions can cause SMB services to become slow or unresponsive.

Microsoft network server: Digitally sign communications (always)

machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4, 1

The 'requiresecuritysignature' registry value under 'lanmanserver' determines if the server always signs SMB communications. The setting '1' always digitally signs SMB communications; this supports mutual authentication for all communication and may prevent man-in-the-middle attacks, thereby eliminating session hijacking. Legacy systems cannot support this requirement: clients that do not sign are refused.
Microsoft network server: Digitally sign communications (if client agrees)

machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4, 1

The 'enablesecuritysignature' registry value under 'lanmanserver' determines if the server signs SMB communications when the client agrees. The setting '1' signs SMB communications with every client that can negotiate it; this supports mutual authentication and may prevent man-in-the-middle attacks and session hijacking. Legacy (pre-Windows 2000) systems cannot support this requirement.

Microsoft network server: Disconnect clients when logon hours expire

machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4, 1

The 'enableforcedlogoff' registry value determines if a network-connected user is disconnected outside of their defined logon hours. The setting '1' disconnects the user's SMB sessions when the logon hours expire.

Network access: Allow anonymous SID/Name translation

LSAAnonymousNameLookup = 0

The 'LSAAnonymousNameLookup' keyword (in the [System Access] section of the template) determines if the system allows anonymous SID/name translation; if enabled, an anonymous user could present a well-known SID (for example, the built-in Administrator account's SID, which always ends in -500) to obtain the account's current name, which facilitates a password-guessing attack even when the account has been renamed. The setting '0' disallows anonymous SID/name translation.

Network access: Do not allow anonymous enumeration of SAM accounts

machine\system\currentcontrolset\control\lsa\restrictanonymoussam=4, 1

The 'restrictanonymoussam' registry value determines if anonymous enumeration of SAM accounts is permitted. Successful enumeration maps account names to their corresponding SIDs; once the names are known, the local Guest and Administrator accounts are exposed and rendered vulnerable to password-guessing attacks. The setting '1' disallows anonymous enumeration of SAM accounts.

Network access: Do not allow anonymous enumeration of SAM accounts and shares

machine\system\currentcontrolset\control\lsa\restrictanonymous=4, 1

The 'restrictanonymous' registry value determines if anonymous enumeration of SAM accounts and shares is permitted; the threat is the same as for 'restrictanonymoussam', with the share names added to what an anonymous caller can learn. The setting '1' disallows anonymous enumeration of both SAM accounts and shares.
Network access: Do not allow storage of credentials or .NET Passports for network authentication

machine\system\currentcontrolset\control\lsa\disabledomaincreds=4, 1

The 'disabledomaincreds' registry value determines if passwords, credentials or Microsoft .NET Passports can be saved (in Stored User Names and Passwords) for later network authentication. The setting '1' disallows saving them, so no stored credential can be recovered and reused by an attacker who compromises the account or the host.

Network access: Let Everyone permissions apply to anonymous users

machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous=4, 0

The 'everyoneincludesanonymous' registry value determines what additional permissions are granted to anonymous connections to the computer. The setting '0' grants no additional permissions to anonymous users; this ensures unauthenticated users do not inherit the rights of the 'Everyone' group.

Network access: Named Pipes that can be accessed anonymously

machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionpipes=7,

The 'nullsessionpipes' registry value lists the named pipes that may be accessed anonymously (over a null session). The empty setting disallows anonymous access to any named pipe; this ensures all system access is authorized.

NOTE: Server roles that genuinely require anonymous access to specific pipes (e.g. a domain controller) should add those pipes in the role-specific policy rather than in the baseline.

Network access: Remotely accessible registry paths

machine\system\currentcontrolset\control\securepipeservers\winreg\allowedexactpaths\machine=7,

The 'allowedexactpaths\machine' registry value defines which registry paths can be accessed over the network regardless of the permissions on the 'winreg' key itself. As there is normally no requirement for remotely accessible registry information, the setting is empty.

Network access: Remotely accessible registry paths and sub-paths

machine\system\currentcontrolset\control\securepipeservers\winreg\allowedpaths\machine=7,

The 'allowedpaths\machine' registry value defines the registry paths whose sub-paths can also be accessed over the network. This baseline configuration has no requirement for remotely accessible registry information, so the setting is empty.

Network access: Restrict anonymous access to Named Pipes and Shares

machine\system\currentcontrolset\services\lanmanserver\parameters\restrictnullsessaccess=4,1

The 'restrictnullsessaccess' registry value determines if anonymous access is allowed to named pipes and shares other than those listed in 'nullsessionpipes' and 'nullsessionshares'. The setting '1' disallows such anonymous access. Access to a resource is predicated on authorization for that resource; if anonymous access were granted, there would be no way to identify who is accessing the objects.
Network access: Shares that can be accessed anonymously

machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares=7,

The 'nullsessionshares' registry value lists the shares that can be accessed anonymously over the network. The empty setting disallows anonymous access to any share; all system access should be authorized, since an anonymous connection cannot be attributed to a user and therefore cannot be properly authorized or audited.

Network access: Sharing and security model for local accounts

machine\system\currentcontrolset\control\lsa\forceguest=4, 0

The 'forceguest' registry value determines the sharing and security model for network logons that use local accounts. The setting '0' (the "Classic" model) authenticates network users as themselves rather than mapping them to Guest; this allows individual access to be authorized and audited.

Network security: Do not store LAN Manager hash value on next password change

machine\system\currentcontrolset\control\lsa\nolmhash=4, 1

The 'nolmhash' registry value determines if the LAN Manager (LM) hash of a password is stored at the next password change. The setting '1' does not store the LM hash. The LM hash is computed from the upper-cased password in two independent 7-character halves, so it can be cracked far faster than the NT hash; removing it from local storage takes that weakness away from an attacker who obtains the SAM or Active Directory database.

NOTE: Existing LM hashes remain until each password is changed; after enabling this setting in operation, all passwords must be changed.

Network Security: Force logoff when logon hours expire

ForceLogoffWhenHourExpire = 1

The 'ForceLogoffWhenHourExpire' keyword (in the [System Access] section of the template) determines if users connected to the computer over SMB are disconnected when working outside of their defined logon hours; the setting '1' disconnects the user outside of defined hours. Hours are defined per account in the "Active Directory Users and Computers" interface, or in "Computer Management" under "Local Users and Groups".

Network security: LAN Manager authentication level

machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4, 5

The 'lmcompatibilitylevel' registry value determines which challenge/response authentication protocols are sent and accepted. The setting '5' sends NTLMv2 responses only and refuses LM and NTLM authentication; this ensures only the strongest of the three mechanisms is permitted. Clients that can only speak LM or NTLM cannot authenticate at this level.

Network security: LDAP client signing requirements

machine\system\currentcontrolset\services\ldap\ldapclientintegrity=4, 1

The 'ldapclientintegrity' registry value determines the level of data signing the LDAP client requests from LDAP servers. The setting '1' negotiates signing, so signing is used whenever the server supports it (a setting of '2' would require it and refuse servers that cannot sign); signing reduces the threat of man-in-the-middle attacks on LDAP traffic.
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminclientsec=4, 537395248

The 'ntlmminclientsec' registry value defines the minimum session security for NTLM SSP based (including secure RPC) clients. The setting '537395248' (0x20080030) enables all four options as recommended by Microsoft: message integrity, message confidentiality, NTLMv2 session security and 128-bit encryption must all be negotiated, or the connection fails.

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminserversec=4, 537395248

The 'ntlmminserversec' registry value defines the minimum session security for NTLM SSP based (including secure RPC) servers. The setting '537395248' enables the same four options as for clients; a client that cannot negotiate all of them is refused.

Recovery console: Allow automatic administrative logon

machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0

The 'securitylevel' registry value determines if the Recovery Console requires the Administrator password before granting access. The setting '0' requires the Administrator password; enabling automatic logon would let anyone with physical access to the console obtain an administrative command prompt, which is not recommended.

Recovery console: Allow floppy copy and access to all drives and all folders

machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand=4,0

The 'setcommand' registry value determines if the Recovery Console 'SET' command is available; the 'SET' command can enable copying to removable media and access to all drives and folders. The setting '0' disables the 'SET' command.

Shutdown: Allow system to be shut down without having to log on

machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4, 0

The 'shutdownwithoutlogon' registry value determines if the system can be shut down from the logon screen without a user logging on. The setting '0' requires a logon; this ensures only authorized users can shut down the system from the console.
Shutdown: Clear virtual memory page file

machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown=4, 1

The 'clearpagefileatshutdown' registry value determines if the page file is overwritten on a clean shutdown; the page file may contain sensitive system and user information paged out of memory, and clearing it reduces the risk that the information is available to an attacker who reads the disk offline. The setting '1' clears the page file on a normal shutdown.

NOTE: Clearing a large page file lengthens shutdown noticeably, and the file is not cleared after a crash or power loss.

System cryptography: Force strong key protection for user keys stored on the computer

machine\software\policies\microsoft\cryptography\forcekeyprotection=4, 2

The 'forcekeyprotection' registry value determines if user private keys (e.g. S/MIME signing keys) require a password each time they are used. The setting '2' requires entry of a password each time a private key is used; this ensures that key material is used only with the owner's knowledge, and that malicious code running as the user cannot sign or decrypt silently with the stored key.

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

machine\system\currentcontrolset\control\lsa\fipsalgorithmpolicy=4, 1

The 'fipsalgorithmpolicy' registry value determines if the Transport Layer Security/Secure Sockets Layer (TLS/SSL) security provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite (and, more generally, whether Windows components restrict themselves to FIPS 140-validated algorithms). The setting '1' requires the use of that cipher suite. The Canadian Federal Government requires this setting for all servers to remain compliant with its cryptographic policies.

System objects: Default owner for objects created by members of the Administrators group

machine\system\currentcontrolset\control\lsa\nodefaultadminowner=4, 1

The 'nodefaultadminowner' registry value determines if objects created by members of the Administrators group are owned by the group or by the individual creator. The setting '1' makes the creator the owner; this ensures the actions of an individual administrator can be isolated and audited.

System objects: Require case insensitivity for non-Windows subsystems

machine\system\currentcontrolset\control\session manager\kernel\obcaseinsensitive=4, 1

The 'obcaseinsensitive' registry value determines if case insensitivity is enforced for all subsystems, including non-Windows subsystems such as POSIX. The setting '1' enforces case insensitivity; this prevents a non-Windows subsystem from creating objects whose names differ only in case (e.g. a file that is inaccessible to Win32 programs, or a second object of the same name that shadows or blocks access to the first).
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)

machine\system\currentcontrolset\control\session manager\protectionmode=4, 1

The 'protectionmode' registry value determines if the default discretionary access control list (DACL) on internal system objects (e.g. symbolic links in the object manager namespace, and shared objects such as mutexes, events and semaphores) is strengthened. The setting '1' strengthens that protection; non-administrators can still read shared objects they did not create, but cannot modify them.

System settings: Optional subsystems

machine\system\currentcontrolset\control\session manager\subsystems\optional=7,

The 'optional' registry value lists the optional subsystems (e.g. POSIX) started to support applications. The empty setting starts no optional subsystem. The use of a subsystem should be justified by an operational requirement; unless required, no subsystem should be enabled.

Use Certificate Rules on Windows Executables for Software Restriction Policies

machine\software\policies\microsoft\windows\safer\codeidentifiers\authenticodeenabled=4, 0

The 'authenticodeenabled' registry value determines if certificate rules are evaluated when Software Restriction Policies check a Windows executable. The setting '0' does not process certificate rules; this avoids the cost of a signature check and certificate revocation lookup on every executable when no certificate rules are defined. If certificate rules are introduced in a role-specific policy, this value must be set to '1' for them to take effect.

3.7 Event Log Size

Microsoft guidance indicates that the total size of all event logs should not exceed 300 MB. If this total is exceeded, the system may fail to log events without recording the failure. While the interface allows values up to 4 GB, there is a risk of losing log entries for totals beyond 300 MB. The following policy allocates the full 300 MB (307,200 KB) between the three event logs.

Maximum application log size

MaximumLogSize = 76800 (in [Application Log] section)

The 'MaximumLogSize' keyword determines the size of the Application event log; the setting '76800' creates a 76800 KB (75 MB) log file. With an average of 500 bytes per event, this log accommodates over 153,000 events and allows the system to run for an extended period without having to roll the log.

NOTE: Due to the wide variety of event loads, monitoring the log files during the initial operational period is recommended.

Maximum security log size

MaximumLogSize = 153600 (in [Security Log] section)

The 'MaximumLogSize' keyword determines the size of the Security event log; the setting '153600' creates a 153600 KB (150 MB) log file. With an average of 500 bytes per event, this log accommodates over 307,000 events and allows the system to run for an extended period without having to roll the log. Because 'crashonauditfail' is enabled (section 3.6), filling this log halts the system, so its fill level in particular must be watched.

NOTE: Due to the wide variety of event loads, monitoring the log files during the initial operational period is recommended.

Maximum system log size

MaximumLogSize = 76800 (in [System Log] section)

The 'MaximumLogSize' keyword determines the size of the System event log; the setting '76800' creates a 76800 KB (75 MB) log file. With an average of 500 bytes per event, this log accommodates over 153,000 events and allows the system to run for an extended period without having to roll the log.
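The registry values of section 3.6 and the log sizes above are exactly the kind of thing that drifts between the template and the running host, so they are worth checking mechanically against an exported template (secedit /export). The following is an added example written for this edition of the page, not code from the Working Aide: it parses the template's INI form, decodes the 'type,value' notation, checks a hand-picked subset of the page's values (the BASELINE table), breaks the NTLM minimum-session-security mask into its four protections, and confirms the three log sizes do not exceed the 300 MB guidance. The SAMPLE_INF text is constructed for illustration, with three deliberate deviations; it is not an export from a real host.

```python
# Added example (editor's code, not from the Working Aide): audit a security
# template (.inf) against some of the baseline values described on the page.
# Assumptions: the template is in the secedit /export INI format; BASELINE is
# a hand-picked subset of the page's values; SAMPLE_INF is constructed input
# with three deliberate deviations (it is not an export from a real host).

REG_TYPES = {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

# NTLMSSP negotiate flags that make up NtlmMinClientSec / NtlmMinServerSec.
NTLM_MIN_SEC_FLAGS = {
    0x00000010: "message integrity",
    0x00000020: "message confidentiality",
    0x00080000: "NTLMv2 session security",
    0x20000000: "128-bit encryption",
}
NTLM_MIN_SEC_ALL = sum(NTLM_MIN_SEC_FLAGS)   # 0x20080030 == 537395248, the page's value
NTLM_KEYS = {"ntlmminclientsec", "ntlmminserversec"}
MAX_TOTAL_LOG_KB = 300 * 1024                # Microsoft's 300 MB guidance for all logs

LSA = r"machine\system\currentcontrolset\control\lsa"
WINLOGON = r"machine\software\microsoft\windows nt\currentversion\winlogon"
LANMANSERVER = r"machine\system\currentcontrolset\services\lanmanserver\parameters"
BASELINE = {
    LSA + r"\lmcompatibilitylevel": 5,
    LSA + r"\nolmhash": 1,
    LSA + r"\restrictanonymous": 1,
    LSA + r"\msv1_0\ntlmminclientsec": NTLM_MIN_SEC_ALL,
    LSA + r"\msv1_0\ntlmminserversec": NTLM_MIN_SEC_ALL,
    WINLOGON + r"\cachedlogonscount": "0",
    LANMANSERVER + r"\nullsessionpipes": [],
}


def parse_template(text):
    """Return {section: {key (lower-cased): raw value}} from template INI text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def parse_registry_value(raw):
    """Decode the 'type,value' form used under [Registry Values]."""
    type_code, _, rest = raw.partition(",")
    type_name = REG_TYPES.get(int(type_code), "type" + type_code.strip())
    rest = rest.strip()
    if type_name == "REG_DWORD":
        return type_name, int(rest)
    if type_name == "REG_SZ":
        return type_name, rest.strip('"')
    if type_name == "REG_MULTI_SZ":
        return type_name, [p.strip() for p in rest.split(",") if p.strip()]
    return type_name, rest                   # REG_BINARY and others: left as text


def missing_ntlm_protections(mask):
    """Names of the four protections that 'mask' does not require."""
    return [name for bit, name in NTLM_MIN_SEC_FLAGS.items() if not mask & bit]


def audit(text, baseline=BASELINE):
    """Return (setting, actual, expected) tuples for every deviation found."""
    sections = parse_template(text)
    regs = sections.get("Registry Values", {})
    findings = []
    for path, expected in baseline.items():
        raw = regs.get(path.lower())
        if raw is None:
            findings.append((path, None, expected))
            continue
        _, actual = parse_registry_value(raw)
        if actual == expected:
            continue
        if path.rsplit("\\", 1)[-1] in NTLM_KEYS and isinstance(actual, int):
            actual = "missing " + ", ".join(missing_ntlm_protections(actual))
        findings.append((path, actual, expected))
    total_kb = sum(int(sections.get(log, {}).get("maximumlogsize", 0))
                   for log in ("Application Log", "Security Log", "System Log"))
    if total_kb > MAX_TOTAL_LOG_KB:
        findings.append(("MaximumLogSize total (KB)", total_kb, MAX_TOTAL_LOG_KB))
    return findings


# Constructed sample export: LM compatibility, cached logons and the client
# NTLM mask deviate from the baseline; the log sizes total exactly 300 MB.
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[Registry Values]
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,3
machine\system\currentcontrolset\control\lsa\nolmhash=4,1
machine\system\currentcontrolset\control\lsa\restrictanonymous=4,1
machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminclientsec=4,537395200
machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminserversec=4,537395248
machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,"10"
machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionpipes=7,
[Application Log]
MaximumLogSize=76800
[Security Log]
MaximumLogSize=153600
[System Log]
MaximumLogSize=76800
"""

if __name__ == "__main__":
    for setting, actual, expected in audit(SAMPLE_INF):
        print(f"{setting}: found {actual!r}, baseline {expected!r}")
```

Run against the constructed sample, the audit reports three deviations: 'lmcompatibilitylevel' at 3 instead of 5, 'cachedlogonscount' at "10" instead of "0", and a client NTLM mask of 537395200 (0x20080000), which the decoder reports as missing message integrity and message confidentiality. The log sizes sum to 307,200 KB and pass. The same function applied to a real export (with the BASELINE table extended to the rest of section 3.6) gives a repeatable drift check between the template and a host.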

3.8 Guest Access

Prevent local Guests group from accessing Application, Security, and System logs

RestrictGuestAccess = 1 (in the [Application Log], [Security Log] and [System Log] sections)

The 'RestrictGuestAccess' keyword determines if accounts with guest access can read the log. Log content gives an attacker valuable information for mounting attacks on the system or its users; as a result, only authenticated users should be given access to the log files. The setting '1' disallows guest access to the log.

3.9 Retention Method

Retention method for application, security and system logs

AuditLogRetentionPeriod = 2 (in the [Application Log], [Security Log] and [System Log] sections)

The 'AuditLogRetentionPeriod' keyword determines system behaviour when the log is full. The setting '2' does not overwrite events, so the log must be archived and cleared manually; the other values are '0' (overwrite events as needed) and '1' (overwrite events older than the number of days given by 'RetentionDays'). For the Security log, this setting together with 'crashonauditfail' (section 3.6) means that a full log halts the system rather than silently losing audit records.

NOTE: Use of this setting should be consistent with the organization's log retention policy, and the logs must be archived and cleared before they fill.

3.10 System Services

Amplifying information regarding the service startup and ACL settings can be found in Annexes 4.1 and 4.3, respectively. Each entry below has the form "service",startup,"SDDL": the startup value is 2 (automatic), 3 (manual) or 4 (disabled), and the SDDL string is the security descriptor applied to the service (the D: part is the DACL that controls who may query, start, stop or reconfigure the service; the S: part is the SACL, which in every entry here audits failed access by Everyone).

3.10.1 Services Explicitly Covered by Microsoft

Alerter

"alerter",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Alerter service notifies selected users and computers of administrative alerts. This policy disables the service.
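The SDDL strings in these entries are dense, and a mistyped right (for example, granting RP or WP to IU) would let an ordinary console user start or stop a service the template meant to disable. The following is an added example written for this edition of the page, not code from the Working Aide: it parses one "service",startup,"SDDL" line, expands the two-letter right and trustee abbreviations (the standard SDDL forms), and flags any trustee other than Administrators or Local System that can start, stop, reconfigure, delete or re-permission the service. The sample input is the page's own Alerter entry, re-joined onto one line; the list of "control" rights is the editor's choice.

```python
# Added example (editor's code, not from the Working Aide): decode a
# "service",startup,"SDDL" template entry and flag non-privileged control.
# Assumptions: abbreviations are the documented SDDL forms; CONTROL is the
# editor's own list of rights that change a service's behaviour or protection;
# ALERTER is the page's Alerter line, joined onto one line as sample input.
import re

START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

# Service-specific and standard rights as SDDL two-letter codes.
RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
TRUSTEES = {"BA": "Administrators", "SY": "Local System", "IU": "Interactive Users",
            "AU": "Authenticated Users", "WD": "Everyone", "BU": "Users", "PU": "Power Users"}
# Rights that let a trustee change the service's behaviour or its protection.
CONTROL = {"SERVICE_CHANGE_CONFIG", "SERVICE_START", "SERVICE_STOP",
           "SERVICE_PAUSE_CONTINUE", "DELETE", "WRITE_DAC", "WRITE_OWNER",
           "GENERIC_ALL", "GENERIC_WRITE"}
PRIVILEGED = {"Administrators", "Local System"}

ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)",(?P<start>\d),"(?P<sddl>.*)"$')
ACL_RE = re.compile(r"(D|S):([^()]*)((?:\([^)]*\))*)")   # D:flags(ace)(ace)... S:(ace)
ACE_RE = re.compile(r"\(([^)]*)\)")


def split_rights(code):
    """'CCLCSW' -> ['SERVICE_QUERY_CONFIG', ...]; unknown pairs are kept verbatim."""
    return [RIGHTS.get(code[i:i + 2], code[i:i + 2]) for i in range(0, len(code), 2)]


def parse_sddl(sddl):
    """Return (dacl, sacl): lists of ACE dicts with type, flags, rights, trustee."""
    parts = {}
    for m in ACL_RE.finditer(sddl):
        aces = []
        for ace in ACE_RE.findall(m.group(3)):
            ace_type, flags, rights, _obj_guid, _inherit_guid, sid = ace.split(";")
            aces.append({"type": ace_type, "flags": flags,
                         "rights": split_rights(rights),
                         "trustee": TRUSTEES.get(sid, sid)})
        parts[m.group(1)] = aces
    return parts.get("D", []), parts.get("S", [])


def audit_service_entry(line):
    """Decode one template line and flag non-admin control of the service."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError("not a service entry: " + line)
    dacl, sacl = parse_sddl(m.group("sddl"))
    allowed = {}
    for ace in dacl:
        if ace["type"] == "A":               # access-allowed ACE
            allowed.setdefault(ace["trustee"], set()).update(ace["rights"])
    findings = [f"{who} can control the service: {sorted(CONTROL & rights)}"
                for who, rights in allowed.items()
                if who not in PRIVILEGED and CONTROL & rights]
    return {"name": m.group("name"),
            "startup": START_TYPES[int(m.group("start"))],
            "allowed": allowed,
            "audited": [ace["trustee"] for ace in sacl],
            "findings": findings}


# Sample input: the page's Alerter entry (wrapped on the page; joined here).
ALERTER = ('"alerter",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
           '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)'
           'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"')

if __name__ == "__main__":
    result = audit_service_entry(ALERTER)
    print(result["name"], result["startup"])
    for who, rights in result["allowed"].items():
        print(f"  {who}: {', '.join(sorted(rights))}")
    print("  findings:", result["findings"] or "none")
```

For the Alerter line the decoder reports startup "disabled", full control for Administrators and Local System, and only query, enumerate, interrogate, user-defined control and READ_CONTROL for Interactive Users, so there are no findings; the same ACE pattern recurs in most entries below, and the "(A;;GA;;;BA)(A;;GA;;;SY)" form used by Application Management and others decodes to GENERIC_ALL for the two privileged trustees. Swapping a single RP or WP into the Interactive Users ACE produces a finding, which is the check worth running over every line of the [Service General Setting] section before a template is applied.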

Application Layer Gateway Service

"alg",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Application Layer Gateway Service is a subcomponent of the Internet Connection Sharing (ICS) / Internet Connection Firewall (ICF) service. It supports independent software vendor plug-ins that allow proprietary protocols through the firewall and work behind ICS. This policy disables the service.

Application Management

"appmgmt",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Application Management provides software installation services (Group Policy-based application deployment). This policy disables the service.

ASP .NET State Service

"aspnet_state",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The ASP .NET State Service provides support for out-of-process session state for ASP .NET. This policy disables the service.

Automatic Updates

"wuauserv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Automatic Updates service enables the automated download and installation of software updates. This policy disables the service.

NOTE: With this service disabled, security updates must be delivered and installed by another controlled process; the role-specific policy should state which.

Background Intelligent Transfer Service

"bits",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Background Intelligent Transfer Service is used to transfer files asynchronously between a client and an HTTP server, using otherwise idle network bandwidth. This policy disables the service.

Certificate Services

"certsvc",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Certificate Services performs the core functions of a Certification Authority. This policy disables the service.

MS Software Shadow Copy Provider

"swprv",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The MS Software Shadow Copy Provider supports the creation of file shadow copies used to perform system backups. This policy sets the service startup to manual.

Client Service for NetWare

"nwcworkstation",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Client Service for NetWare provides access to files and printers on NetWare networks. This policy disables the service.

ClipBook

"clipsrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The ClipBook service creates and shares 'pages' of data that may be viewed by remote users. This policy disables the service.

Cluster Service

"clussvc",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;F A;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Cluster Service supports membership in a high-availability (cluster) environment. This policy disables the service.

COM+ Event System

"eventsystem",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The COM+ Event System service extends the COM+ programming model with event distribution. This policy sets the service startup to manual (startup value 3); it is started on demand by components that need it.

COM+ System Application
"comsysapp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The COM+ System Application Service manages the configuration and tracking of
components based on COM+. The service is disabled.

Computer Browser

Domain Member Baseline
"browser",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy sets service startup to automatic.

Workgroup Member Baseline
"browser",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy disables service startup.

Cryptographic Services
"cryptsvc",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Cryptographic Services provide key management functionality for the computer. This
policy sets the service to automatic startup.

DHCP Client

Domain Member Baseline
"dhcp",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy sets the service to automatic startup.

Workgroup Member Baseline
"dhcp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy disables service startup.
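The service lines throughout this section share one format, "<service>",<startup>,"<SDDL>", with startup 2 = automatic, 3 = manual and 4 = disabled. As an added example (not code from the working aide), the following Python script parses such lines from a template, decodes the SDDL ACEs, and checks the template against an expected baseline, also flagging any DACL entry that gives a principal other than Administrators (BA) or SYSTEM (SY) start/stop or configuration rights; the sample template fragment and the baseline are constructed for the demonstration.

```python
"""Parse [Service General Setting] lines of a Windows security template and
check them against a baseline. Added example, not the working aide's code.
Line format: "<service>",<startup>,"<SDDL>"; startup 2 = automatic,
3 = manual, 4 = disabled. Sample template and baseline are constructed."""
import re
from dataclasses import dataclass, field

STARTUP = {2: "automatic", 3: "manual", 4: "disabled"}
# Service-object rights only Administrators (BA) and SYSTEM (SY) should hold.
PRIVILEGED_RIGHTS = {"DC", "RP", "WP", "DT", "SD", "WD", "WO", "GA", "GW"}
TRUSTED_SIDS = {"BA", "SY"}

SERVICE_LINE = re.compile(r'^"(?P<name>[^"]+)",(?P<start>\d),"(?P<sddl>[^"]*)"$')
# ACE layout: (type;flags;rights;object_guid;inherit_guid;sid); GUIDs are empty here.
ACE = re.compile(r'\(([^;]*);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)')


@dataclass
class Ace:
    ace_type: str      # A = access allowed, D = access denied, AU = system audit
    flags: str         # e.g. FA = audit failed access
    rights: list       # two-letter SDDL right codes
    sid: str           # well-known SID abbreviation: BA, SY, IU, WD ...


@dataclass
class ServiceSetting:
    name: str
    startup: int
    dacl_flags: str    # e.g. AR = automatic inheritance requested
    dacl: list = field(default_factory=list)
    sacl: list = field(default_factory=list)


def split_rights(rights):
    """Split a rights string such as "CCLCSWLOCRRC" into two-letter codes."""
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_acl(acl_text):
    """Return (control flags, ACE list) for one D: or S: section."""
    flags = acl_text.split("(", 1)[0]
    aces = [Ace(t, f, split_rights(r), s) for t, f, r, s in ACE.findall(acl_text)]
    return flags, aces


def parse_service_line(line):
    """Parse one "<service>",<startup>,"<SDDL>" line; None if it is not one."""
    m = SERVICE_LINE.match(line.strip())
    if not m:
        return None
    dacl_text, _, sacl_text = m.group("sddl").partition("S:")
    dacl_text = dacl_text[2:] if dacl_text.startswith("D:") else dacl_text
    dacl_flags, dacl = parse_acl(dacl_text)
    _, sacl = parse_acl(sacl_text)
    return ServiceSetting(m.group("name").lower(), int(m.group("start")),
                          dacl_flags, dacl, sacl)


def parse_template(text):
    """Collect the service settings from the [Service General Setting] section."""
    services, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[service general setting]"
        elif in_section and (setting := parse_service_line(line)):
            services[setting.name] = setting
    return services


def audit(services, baseline):
    """Report startup values that differ from the baseline, then DACL entries
    that grant an untrusted principal privileged rights on the service."""
    findings = []
    for name, expected in baseline.items():
        s = services.get(name)
        if s is None:
            findings.append(f"{name}: missing from template (expected {STARTUP[expected]})")
        elif s.startup != expected:
            findings.append(f"{name}: startup is {STARTUP.get(s.startup, s.startup)}, "
                            f"baseline requires {STARTUP[expected]}")
    for s in services.values():
        for ace in s.dacl:
            if ace.ace_type == "A" and ace.sid not in TRUSTED_SIDS:
                bad = sorted(set(ace.rights) & PRIVILEGED_RIGHTS)
                if bad:
                    findings.append(f"{s.name}: {ace.sid} granted {','.join(bad)}")
    return findings


FULL = "CCDCLCSWRPWPDTLOCRSDRCWDWO"   # full-control rights string used on the page
# Constructed sample: lines 1-2 follow the page's pattern; line 3 deliberately
# grants Interactive Users (IU) start/stop (RP/WP); line 4 leaves Telnet automatic.
SAMPLE_TEMPLATE = f"""[Unicode]
Unicode=yes
[Service General Setting]
"wuauserv",4,"D:AR(A;;{FULL};;;BA)(A;;{FULL};;;SY)S:(AU;FA;{FULL};;;WD)"
"bits",4,"D:AR(A;;{FULL};;;BA)(A;;{FULL};;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;{FULL};;;WD)"
"spooler",4,"D:AR(A;;{FULL};;;BA)(A;;{FULL};;;SY)(A;;CCLCSWRPWPLOCRRC;;;IU)S:(AU;FA;{FULL};;;WD)"
"tlntsvr",2,"D:AR(A;;{FULL};;;BA)(A;;{FULL};;;SY)S:(AU;FA;{FULL};;;WD)"
"""
# Constructed domain-member baseline using startup values this section gives.
DOMAIN_BASELINE = {"wuauserv": 4, "bits": 4, "spooler": 4, "tlntsvr": 4, "netlogon": 2}

if __name__ == "__main__":
    for finding in audit(parse_template(SAMPLE_TEMPLATE), DOMAIN_BASELINE):
        print(finding)
```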

DHCP Server
"dhcpserver",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The DHCP Server allocates IP addresses. The service is disabled.


Distributed File System
"dfs",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Distributed File System manages logical volumes across local or wide area
networks. The service is disabled.

Distributed Link Tracking Client
"trkwks",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Distributed Link Tracking Client Service ensures shortcuts (among others) work
after the target has been moved. The service is disabled.

Distributed Link Tracking Server
"trksvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Distributed Link Tracking Server stores information so files moved between
volumes can be tracked. The service is disabled.

Distributed Transaction Coordinator
"msdtc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Distributed Transaction Coordinator Service manages transactions that involve
multiple computer systems or resource managers. The service is disabled.

DNS Client

Domain Member Server
"dnscache",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy sets the service to automatic startup.

Workgroup Member Server
"dnscache",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy disables service startup.

DNS Server
"dns",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The DNS Server responds to queries for DNS names. The service is disabled.


Error Reporting Service
"ersvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Error Reporting Service collects, stores, and reports unexpected application
closures to Microsoft. The service is disabled.

Event Log
"eventlog",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Event Log Service enables event log messages to be viewed. This policy sets the
service to automatic startup.

Fax Service
"fax",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Fax service provides fax capabilities. The service is disabled.

File Replication
"ntfrs",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The File Replication Service automatically copies and maintains files on multiple
servers. The service is disabled.

File Server for Macintosh
"macfile",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Macintosh File Service provides network file access to Macintosh computers. The
service is disabled.

FTP Publishing Service
"msftpsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The FTP Publishing Service provides connectivity and administration through the IIS
snap-in. The service is disabled.

Help and Support
"helpsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Help and Support Service enables Help and Support Center to run. The service is
disabled.


HTTP SSL
"httpfilter",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The HTTP SSL Service provides SSL functions to IIS. The service is disabled.

Human Interface Device Access
"hidserv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Human Interface Device Access service allows use of pre-defined hot buttons.
The service is disabled.

IAS Jet Database Access
"iasjet",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The IAS Jet Database Access service uses RADIUS to provide authentication,
authorization and accounting services. The service is disabled.

IIS Admin Service
"iisadmin",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The IIS Admin Service allows administration of IIS components. The service is
disabled.

IMAPI CD-Burning COM Service
"imapiservice",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The IMAPI CD-Burning Service manages CD burning. The service is disabled.

Indexing Service
"cisvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Indexing Service indexes file contents and properties. The service is disabled.

Infrared Monitor
"irmon",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Infrared Monitor service enables file and image sharing through infrared devices. The
service is disabled.


Internet Authentication Service
"ias",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Internet Authentication Service manages network authentication, authorization and
accounting. The service is disabled.

Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS)
"sharedaccess",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) service
provides Internet services for small local networks. The service is disabled.

Intersite Messaging
"ismserv",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Intersite Messaging Service is used for mail-based replication. The service is
disabled.

IP Version 6 Helper Service
"6to4",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The IP Version 6 Helper Service offers IPv6 connectivity over an existing IPv4 network.
The service is disabled.

IPSEC Policy Agent (IPSec Service)
"policyagent",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The IPSEC Policy Agent (IPSec Service) provides encryption services to clients and
servers on networks. This policy sets the service to automatic startup.

Kerberos Key Distribution Centre
"kdc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Kerberos Key Distribution Center Service allows user logon using the Kerberos v5
authentication protocol. The service is disabled.

License Logging Service
"licenseservice",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The License Logging service records client access licensing information. The service
is disabled.


Logical Disk Manager
"dmserver",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Logical Disk Manager service detects all new hard drives and sends disk volume
information to the Logical Disk Manager Administrative Service. This policy sets the
service to manual startup.

Logical Disk Manager Administrative Service
"dmadmin",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Logical Disk Manager Administrative service performs requests for disk
management. This policy sets the service to manual startup.

Message Queuing
"msmq",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Message Queuing Service is the infrastructure and development tool for creating
distributed messaging applications. The service is disabled.

Message Queuing Down Level Clients
"mqds",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Message Queuing Down Level Clients service provides Active Directory access to
Message Queuing clients. The service is disabled.

Message Queuing Triggers
"mqtgsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Message Queuing Triggers Service provides rule-based analysis of messages
arriving in a Message Queuing queue. The service is disabled.

Messenger
"messenger",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Messenger Service sends Alerter Service messages between clients and servers.
The service is disabled.


Microsoft POP3 Service
"pop3svc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Microsoft POP3 service provides e-mail transfer and retrieval services. The
service is disabled.

MSSQL$UDDI
"mssql$uddi",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The MSSQL$UDDI service publishes and locates information about web services. The
service is disabled.

MSSQLServerADHelper
"mssqlserver",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The SQL Server service provides SQL functionality for a server. The service is
disabled.

.NET Framework Support Service
"corrtsvc",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The .NET Framework Support Service notifies a subscribing client when a specified
process initializes the Client Runtime Service. The service is disabled.

Net Logon

Domain Member Server
"netlogon",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy sets the service to automatic startup.

Workgroup Member Server
"netlogon",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy disables service startup.

NetMeeting Remote Desktop Sharing
"mnmsrvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The NetMeeting Remote Desktop Sharing Service enables access to a system with
NetMeeting. The service is disabled.


Network Connections
"netman",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Network Connections Service manages objects in the Network Connections
folder. This policy sets the service to manual startup, so the service starts
automatically when the Network Connections interface is invoked.

Network DDE
"netdde",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The NetDDE Service provides network transport and security for DDE. The service is
disabled.

Network DDE DSDM
"netddedsdm",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The NetDDE DSDM Service manages DDE network shares. The service is disabled.

Network Location Awareness (NLA)
"nla",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Network Location Awareness service collects and stores network information.
The service is disabled.

Network News Transport Protocol (NNTP)
"nntpsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Network News Transport Protocol (NNTP) service provides news server
capabilities. The service is disabled.

NTLM Security Support Provider
"ntlmssp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The NTLM Security Support Provider service provides security to RPC programs. It
enables users to log on using NTLM authentication in place of Kerberos. The service
is disabled.


Performance Logs and Alerts
"sysmonlog",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Performance Logs and Alerts Service collects performance data. The service is
disabled.

Plug and Play
"plugplay",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Plug and Play service allows a computer to adapt to hardware configuration
changes with little user input. The service is disabled.

Portable Media Serial Number
"wmdmpmsn",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Portable Media Serial Number service retrieves serial numbers from any portable
music player connected to the system. The service is disabled.

Print Server for Macintosh
"macprint",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Macintosh Print service provides network printer access to Macintosh computers.
The service is disabled.

Print Spooler
"spooler",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Spooler service manages local and network print queues and controls all print
jobs. The service is disabled.

Protected Storage
"protectedstorage",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Protected Storage service protects storage of sensitive information from
unauthorized services, processes or users. This policy sets the service to automatic
startup.


Remote Access Auto Connection Manager
"rasauto",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Access Auto Connection Manager service detects unsuccessful attempts
to connect to a remote network or computer. It then provides an alternative method for
connection. The service is disabled.

Remote Access Connection Manager
"rasman",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Access Connection Manager service manages dial-up and VPN
connections to a server. The service is disabled.

Remote Administration Service
"srvcsurg",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Administration service provides an interface for Remote Server
Administration Tools. The service is disabled.

Remote Desktop Help Session Manager
"rdsessmgr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Desktop Help Session Manager service controls the Remote Assistance
feature in the Help and Support Center application. The service is disabled.

Remote Installation
"binlsvc",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Installation Service is a Windows deployment feature. The service is
disabled.

Remote Procedure Call (RPC)
"rpcss",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Procedure Call (RPC) service is a secure inter-process communication
mechanism. This policy sets the service to automatic startup.


Remote Procedure Call (RPC) Locator
"rpclocator",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The RPC Locator Service enables RPC clients to locate RPC servers. The service is
disabled.

Remote Registry Service
"remoteregistry",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Registry service enables remote users to modify registry settings on the
system. The service is disabled.

Remote Server Manager
"appmgr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Server Manager service acts as a Windows Management
Instrumentation (WMI) instance provider for Remote Administration Alert Objects. It
also acts as a WMI method provider for Remote Administration Tasks. The service is
disabled.

Remote Server Monitor
"appmon",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Server Monitor service provides monitoring capability for resources on
remotely managed systems. The service is disabled.

Remote Storage Notification
"remote_storage_user_link",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Storage Notification service notifies a user when accessing data on
secondary storage units. The service is disabled.

Remote Storage Server
"remote_storage_server",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Remote Storage Server stores infrequently used files in secondary storage. The
service is disabled.


Removable Storage
"ntmssvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Removable Storage service maintains a catalogue of information for removable
media used by the system. The service is disabled.

Resultant Set of Policy Provider
"rsopprov",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Resultant Set of Policy Provider service enables simulation of policy to determine
its effects. The service is disabled.

Routing and Remote Access
"remoteaccess",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Routing and Remote Access service provides multi-protocol LAN-to-LAN, LAN-to-
WAN, and NAT routing services. The service is disabled.

SAP Agent
"nwsapagent",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The SAP Agent service advertises services on an IPX network. The service is
disabled.

Secondary Logon Service
"seclogon",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Secondary Logon service allows users to create processes in different security
contexts. The service is disabled.

Security Accounts Manager
"samss",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Security Accounts Manager service manages user and group account
information. This policy sets the service to automatic startup.


Server
"lanmanserver",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Server service provides RPC, file, print, and named pipe support over the
network. This policy disables service startup.

Shell Hardware Detection
"shellhwdetection",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Shell Hardware Detection service monitors and provides notification for AutoPlay
hardware events. The service is disabled.

Simple Mail Transport Protocol (SMTP)
"smtpsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Simple Mail Transfer Protocol (SMTP) service transports electronic mail across
the network. The service is disabled.

Simple TCP/IP Services
"simptcp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Simple TCP/IP Services provide a variety of protocols. The service is disabled. The
services configured are as follows:

Echo                  Port 7
Discard               Port 9
Character Generator   Port 19
Daytime               Port 13
Quote of the Day      Port 17

Single Instance Storage Groveler
"groveler",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Single Instance Storage Groveler service supports the Remote Installation service.
The service is disabled.

Smart Card
"scardsvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Smart Card service manages access to smart card readers. The service is
disabled.


SNMP Service
"snmp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Simple Network Management Protocol (SNMP) service allows incoming SNMP
requests to be processed by the system. The service is disabled.

SNMP Trap Service
"snmptrap",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The SNMP Trap service receives trap messages generated by SNMP agents. The
service is disabled.

Special Administration Console Helper
"sacsvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Special Administration Console Helper service performs remote management
tasks. The service is disabled.

SQLAgent$* (*UDDI or WebDB)
"sqlagent$webdb",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The SQLAgent$webdb service monitors and schedules jobs. The service is disabled.

System Event Notification
"sens",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The System Event Notification service provides monitoring and tracking services for
system events. This policy sets the service to automatic startup.

Task Scheduler
"schedule",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Task Scheduler service enables the configuration and scheduling of automated tasks
on the system. The service is disabled.


TCP/IP NetBIOS Helper

Domain Member Server
"lmhosts",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy sets the service to automatic startup.

Workgroup Member Server
"lmhosts",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy disables service startup.

TCP/IP Print Server
"lpdsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The TCP/IP Print Server service enables TCP/IP based printing. The service is
disabled.

Telephony
"tapisrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Telephony service provides support for programs that control telephony and IP-
based voice devices. The service is disabled.

Telnet
"tlntsvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Telnet service provides ASCII terminal sessions to telnet clients. The service is
disabled.

Terminal Services
"termservice",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Terminal Services allows users to access a virtual Windows desktop session. The
service is disabled.


Terminal Services Licensing
"termservlicensing",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Terminal Services Licensing service provides registered client licenses when
connecting to a Terminal Server. The service is disabled.

Terminal Services Session Directory
"tssdis",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Terminal Services Session Directory service provides a multi-session
environment that allows access to a virtual Windows desktop. The service is disabled.

Themes
"themes",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Themes service provides theme management services. The service is disabled.

Trivial FTP Daemon
"tftpd",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Trivial FTP Daemon implements a file transfer protocol that does not require
authentication. The service is disabled.

Uninterruptible Power Supply
"ups",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Uninterruptible Power Supply service manages an uninterruptible power supply.
The service is disabled.

Upload Manager
"uploadmgr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Upload Manager service manages file transfers between clients and servers.
Driver data is anonymously uploaded from a customer computer to Microsoft. The
service is disabled.


Virtual Disk Service


"vds",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSW
RPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWD
WO;;;WD)"

The Virtual Disk service provides a single interface for managing block storage
visualization. The service is disabled.

Volume Shadow Copy


"vss",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSW
RPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWD
WO;;;WD)"

The Volume Shadow Copy service manages and implements volume shadow copies
used for backups. This policy sets the service to manual startup.

WebClient
"webclient",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDC
LCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDR
CWDWO;;;WD)"

The Webclient service allows Win32 applications to access documents on the


Internet. The service is disabled.

Web Element Manager


"elementmgr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CC
DCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;
CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Web Element Manager service provides Web user interface elements for the
Administration Web site at port 8098. The service is disabled.

Windows Audio
"audiosrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Windows Audio service provides support for sound. The service is disabled.

Windows Image Acquisition (WIA)
"stisvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Windows Image Acquisition (WIA) service supports scanners and cameras. The
service is disabled.

Windows Installer

Domain Member Server
"msiserver",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy sets the service to automatic startup.

Workgroup Member Server
"msiserver",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy disables service startup.

Windows Internet Name Service (WINS)
"wins",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Windows Internet Name Service (WINS) enables NetBIOS name resolution. The
service is disabled.

Windows Management Instrumentation
"winmgmt",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Windows Management Instrumentation service provides a common interface to
access management information. This policy sets the service to automatic startup.

Windows Management Instrumentation Driver Extensions
"wmi",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Windows Management Instrumentation Driver Extensions service monitors all
drivers and event trace providers that publish WMI or event trace information. The
service is disabled.

Windows Media Services
"wmserver",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Windows Media Services provide streaming media service over IP-based networks.
The service is disabled.

Windows System Resource Manager
"windowssystemresourcemanager",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Windows System Resource Manager service is a tool to help customers deploy
applications. The service is disabled.

Windows Time
"w32time",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Windows Time service maintains date and time synchronization. This policy sets
the service to automatic startup.

WinHTTP Web Proxy Auto-Discovery Service
"winhttpautoproxysvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The WinHTTP Web Proxy Auto-Discovery service implements the Web Proxy
Auto-Discovery (WPAD) protocol. WPAD is an HTTP client service that locates proxy
servers. The service is disabled.

Wireless Configuration
"wzcsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The Wireless Configuration service enables automatic configuration of IEEE 802.11
wireless adapters. The service is disabled.

WMI Performance Adapter
"wmiapsrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The WMI Performance Adapter service provides performance library information. The
service is disabled.

Workstation

Domain Member Server
"lanmanworkstation",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy sets the service to automatic startup.

Workgroup Member Server
"lanmanworkstation",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

This policy disables service startup.

World Wide Web Publishing Service
"w3svc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The World Wide Web Publishing service provides Web connectivity and administration
through the IIS snap-in. The service is disabled.

3.10.2 Services Not Explicitly Covered by Microsoft

"fastuserswitchingcompatibility",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The “fastuserswitchingcompatibility” service is not a core requirement for a
Windows 2003 server. The service is disabled.

"mssql$webdb",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;C
CDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCR
SDRCWDWO;;;WD)"

The MSSQL$webdb service is used to publish and locate information about web
services. The service is disabled.

"mssqlserveradhelper",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;B
A)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWP
DTLOCRSDRCWDWO;;;WD)"

The MSSQLServerADHelper service enables SQL server and SQL Server Analysis
Services to publish information in Active Directory. The service is disabled.

"saldm",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCS
WRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCW
DWO;;;WD)"

The “saldm” is not a core requirement for a Windows 2003 server. The service is
disabled.

"sptimer",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCL
CSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDR
CWDWO;;;WD)"

The “sptimer” is not a core requirement for a Windows 2003 server. The service is
disabled.

"sqlserveragent",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;
CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOC
RSDRCWDWO;;;WD)"

The “sqlserveragent” is not a core requirement for a Windows 2003 server. The
service is disabled.

"winsip",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLC
SWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRC
WDWO;;;WD)"

This is not a core requirement for a High Security server. The service is disabled.

3.11 TCP/IP Stack Hardening

EnableICMPRedirect
machine\system\currentcontrolset\services\tcpip\parameters\enableicmpredirect=4, 0

The 'enableicmpredirect' registry value causes TCP to find host routes that override
OSPF-generated routes; if enabled, a ten-minute timeout makes the system unavailable
to the network. Disabling it causes the system to rely on OSPF routing; the setting
'0' disables this capability.

SynAttackProtect
machine\system\currentcontrolset\services\tcpip\parameters\synattackprotect=4, 1

The 'synattackprotect' registry value adjusts retransmissions of SYN-ACK. The
setting '1' causes connections to time out faster when a SYN attack is detected;
this setting reduces the effort expended on unresponsive connections.

EnableDeadGWDetect
machine\system\currentcontrolset\services\tcpip\parameters\enabledeadgwdetect=4, 0

The 'enabledeadgwdetect' value allows TCP redirection to a backup gateway; if a
system detects difficulties on a network, it will automatically switch to a different
gateway, which in turn may cause undesirable packet traversal over untrusted
networks. The setting '0' disables this capability.

EnablePMTUDiscovery
machine\system\currentcontrolset\services\tcpip\parameters\enablepmtudiscovery=4, 0

The 'enablepmtudiscovery' registry value determines whether TCP automatically finds
the maximum transmission unit (MTU), the largest packet size to a remote host; if
enabled, an attacker could force a very small packet size and invoke a DoS condition.
The setting '0' causes a fixed packet size to be used for all connections to remote
hosts.

KeepAliveTime
machine\system\currentcontrolset\services\tcpip\parameters\keepalivetime=4, 300000

The 'keepalivetime' registry value determines how often TCP verifies that an idle
connection is intact. The setting '300,000' (5 minutes) is short enough to provide
some defense against DoS conditions and allows resources to be recovered from
unresponsive connections.

DisableIPSourceRouting
machine\system\currentcontrolset\services\tcpip\parameters\disableipsourcerouting=4, 2

The 'disableipsourcerouting' value determines whether the sender of a TCP packet can
dictate the route; dictating packet routes can obscure an attacker's location on the
network. The setting '2' disables this ability.

TcpMaxConnectResponseRetransmissions
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxconnectresponseretransmissions=4, 2

The 'tcpmaxconnectresponseretransmissions' value determines the number of times TCP
retransmits a SYN packet before aborting. The setting '2' limits the possibility of
a DoS attack without affecting normal users and reduces the effort expended on
unresponsive connections.

TcpMaxDataRetransmissions
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxdataretransmissions=4, 3

The 'tcpmaxdataretransmissions' value defines the number of times unacknowledged
data is retransmitted before disconnection. The setting '3' reduces the success of
a DoS attack and reduces the effort expended on unresponsive connections.

PerformRouterDiscovery
machine\system\currentcontrolset\services\tcpip\parameters\performrouterdiscovery=4, 0

The 'performrouterdiscovery' value controls the use of the Internet Router Discovery
Protocol; if the system were to discover routers, an attacker could redirect packets
to another destination. The setting '0' disables discovery and forces the use of
known routers.

TCPMaxPortsExhausted
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxportsexhausted=4, 5

The 'tcpmaxportsexhausted' value controls the point at which SYN attack protection
begins. The setting '5' causes protection to start after five failures; this is the
Microsoft standard for TCP/IP. The setting is a balance between performance and
security.

TCPMaxHalfOpen
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxhalfopen=4, 100

The 'tcpmaxhalfopen' value defines the number of connections in the SYN state table
before SYN attack protection begins. The setting '100' initiates SYN attack
protection when the state table reaches one hundred connections.

TCPMaxHalfOpenRetired
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxhalfopenretired=4, 80

The 'tcpmaxhalfopenretired' value determines how many connections the server can
maintain in the half-open state; the setting '80' initiates SYN attack protection
when the state table reaches eighty connections.

NoNameReleaseOnDemand (TCP/IP)
machine\system\currentcontrolset\services\tcpip\parameters\nonamereleaseondemand=4, 1

The 'nonamereleaseondemand' registry value determines whether a system will release
its NetBIOS name to another computer on request; the setting '1' prevents disclosure
of NetBIOS information.

3.12 AFD.SYS

DynamicBacklogGrowthDelta
machine\system\currentcontrolset\services\afd\parameters\dynamicbackloggrowthdelta=4, 10

The 'dynamicbackloggrowthdelta' value defines the number of free connections to
create when deemed necessary. The setting '10' creates ten additional free
connections. This setting ensures additional resources are not applied too freely,
thereby preventing the invocation of a DoS condition.

EnableDynamicBacklog
machine\system\currentcontrolset\services\afd\parameters\enabledynamicbacklog=4, 1

The 'enabledynamicbacklog' value enables the dynamic backlog. The setting '1'
enables the backlog; this ensures the system manages port resources in a manner
that mitigates DoS attacks.

MinimumDynamicBacklog
machine\system\currentcontrolset\services\afd\parameters\minimumdynamicbacklog=4, 20

The 'minimumdynamicbacklog' value controls the minimum number of free ports on a
listening endpoint. The setting '20' allows a system to create more if fewer than
twenty are available; it is intended to ensure resources are available and limit
the threat of DoS conditions.

MaximumDynamicBacklog
machine\system\currentcontrolset\services\afd\parameters\maximumdynamicbacklog=4,20000

The 'maximumdynamicbacklog' value controls the number of 'quasi-free' connections
allowed on a listening endpoint. The setting '20,000' is recommended to stymie DoS
attacks. This setting reduces the resources allocated to incomplete connections; if
creating additional free ports would exceed the value, a system will not be able to
maintain additional sessions.

3.13 Other Settings

NoNameReleaseOnDemand (NetBIOS)
machine\system\currentcontrolset\services\netbt\parameters\nonamereleaseondemand=4, 1

The 'nonamereleaseondemand' value determines whether a system releases its NetBIOS
name upon a name-release request. The setting '1' prevents a system from releasing
the NetBIOS name, other than to WINS servers; this reduces the information it
provides to an unauthorized user.

Enable the computer to stop generating 8.3 style filenames
machine\system\currentcontrolset\control\filesystem\ntfsdisable8dot3namecreation=4, 1

The 'ntfsdisable8dot3namecreation' value determines whether a system will generate
8.3 file names. The setting '1' prevents the 8.3 filename format. Generation of 8.3
file names makes the task of name guessing easier for an attacker; disabling it
ensures only the full name is used to reference files.

NoDriveTypeAutoRun
machine\software\microsoft\windows\currentversion\policies\explorer\nodrivetypeautorun=4,255

The 'nodrivetypeautorun' value determines whether autorun is enabled on connected
drives. The setting '255' disables autorun for all drives on the system; this ensures
privileged users do not run unapproved software, for without this restriction
unapproved software may run inadvertently.

The time in seconds before the screen saver grace period expires (0 recommended)
machine\system\software\microsoft\windowsnt\currentversion\winlogon\screensavergraceperiod=4, 0

The 'screensavergraceperiod' value determines the amount of time (in seconds) before
the screen saver password is enforced; the setting '0' enforces the password lock
with no time delay, which provides an immediate lock when the idle threshold is
reached.

Warning Level
machine\system\currentcontrolset\services\eventlog\security\warninglevel=4, 90

The 'warninglevel' value determines how full the Security log may become before a
warning event is triggered. The setting '90' triggers a warning when the Security
log reaches 90% capacity; this affords sufficient time to reset the log and
determine the reasons for the warning.

Enable Safe DLL search mode (recommended)
machine\system\currentcontrolset\control\sessionmanager\safedllsearchmode=4, 1

The 'safedllsearchmode' value determines the order in which DLLs are searched. The
setting '1' commands the system to look first in the PATH and then in the current
folder; this order ensures files in the current folder do not run in place of files
in the user's PATH.

Disable Autorun on CD-ROM
machine\system\currentcontrolset\control\services\CDRom\AutoRun=4, 1

The 'Disable Autorun on CD-ROM' setting prevents automatic execution of programs
upon insertion of a CD. The setting '1' disables the Autorun feature; this helps
reduce the threat of malicious code infection through CD-ROM.

Disable Administrative Shares
machine\system\currentcontrolset\control\services\LanmanServer\Parameters\AutoShareServer=4, 0

The 'AutoShareServer' value determines whether disk drives have administrative
shares. The setting '0' disables administrative shares.

Disable DCOM
machine\Software\Microsoft\OLE\EnableDCOM=4, 0

The 'EnableDCOM' value determines whether DCOM is active. The setting '0' disables
DCOM.

4 ANNEXES

4.1 General Security Setting Values

Windows security templates utilize various general setting values; all of these will be
expounded upon below.

4.1.1 Binary Setting Values

Binary settings are used to indicate whether an object is enabled/installed or
disabled/not installed.

Binary Settings

BINARY VALUE   DEFINITION
0              disabled/not installed
1              enabled/installed

EnableAdminAccount = 1
1 = The administrator account is enabled.

4.1.2 Windows Services Boot Values

Windows services bootup values determine whether a service is enabled, disabled or
able to be activated manually at system start up.

Windows Services Boot Settings

NUMERICAL VALUE   DEFINITION
2                 automatic startup
3                 manual startup
4                 disabled

netlogon,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
2 = The netlogon service starts automatically at system bootup.

4.1.3 Common User Rights Security Identifier Settings

Security Identifiers (SIDs) are unique values of variable length that are used to
identify a security principal or security group in Windows operating systems; their
values remain constant across all operating systems.

User Rights Security Identifier Settings

SETTING          DEFINITION
*S-1-5-32-544    administrators
*S-1-5-6         service
*S-1-5-32-551    backup operators
*S-1-5-32-545    users
*S-1-5-20        network service
*S-1-5-11        authenticated users

sesystemtimeprivilege = *S-1-5-32-544
*S-1-5-32-544 = Only the system administrator can change the system time.

4.1.4 Audit Log Retention Period Settings

The audit log retention period settings determine the period of time that audit log
records will be retained before they are overwritten.

Retention Period Settings

NUMERICAL VALUE   DEFINITION
0                 overwrite events as needed
1                 overwrite events as specified by the retention days entry
2                 never overwrite events (clear log manually)

AuditLogRetentionPeriod = 2
2 = The log's events are never overwritten and must be cleared manually.

4.1.5 Registry Value Settings

Registry settings in Windows security templates typically consist of two values. The
first value is numerical and represents a standard registry value type; the second
value contains the security setting value.

Registry Value Settings

SETTING   DEFINITION      VALUE
1         reg_sz          sequence of characters representing human readable text
2         reg_expand_sz   expandable text string containing a variable to be replaced
                          when called by an application
3         reg_binary      binary value as described in 4.1.1
4         reg_dword       a number four bytes long; can be displayed as a binary,
                          hexadecimal or decimal value
7         reg_multi_sz    multiple values of human readable text

MACHINE\Software\Microsoft\Driver Signing\Policy=3,1
3 = reg_binary
1 = driver signing enabled
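As an added example (not part of the working aide), the Python script below parses registry value lines in the template format used in sections 3.11 to 3.13 and described in the table above, decodes the type code, and compares each setting against a snapshot of a machine's current values to report drift. The template lines are copied from this page; the snapshot, including its three deviating values, is constructed sample data standing in for a real registry export.

```python
"""Audit a machine against the registry value lines of a security template.

Added example; not part of the working aide. The template lines below are copied
from sections 3.11-3.13 and 4.1.5 of this page. The "current" snapshot is
constructed sample data standing in for a real registry export.
"""
import re

# Registry value type codes used by the template format (section 4.1.5).
REG_TYPES = {1: "reg_sz", 2: "reg_expand_sz", 3: "reg_binary",
             4: "reg_dword", 7: "reg_multi_sz"}

# <registry path>=<type code>,<value>; the space after the comma is optional.
LINE_RE = re.compile(r"^(?P<path>[^=]+?)\s*=\s*(?P<type>\d+)\s*,\s*(?P<value>.*?)\s*$")

# Template lines copied from the page (a raw string keeps the backslashes intact).
TEMPLATE_LINES = r"""
machine\system\currentcontrolset\services\tcpip\parameters\enableicmpredirect=4, 0
machine\system\currentcontrolset\services\tcpip\parameters\synattackprotect=4, 1
machine\system\currentcontrolset\services\tcpip\parameters\disableipsourcerouting=4, 2
machine\system\currentcontrolset\services\tcpip\parameters\keepalivetime=4, 300000
machine\system\currentcontrolset\services\afd\parameters\maximumdynamicbacklog=4,20000
machine\system\currentcontrolset\control\sessionmanager\safedllsearchmode=4, 1
machine\Software\Microsoft\OLE\EnableDCOM=4, 0
MACHINE\Software\Microsoft\Driver Signing\Policy=3,1
"""

TCPIP = r"machine\system\currentcontrolset\services\tcpip\parameters"

# Constructed snapshot of a machine's current values, keyed by lower-cased path.
# Three settings deliberately deviate from the template: ICMP redirects are still
# enabled, KeepAliveTime sits at the Windows default of two hours, and EnableDCOM
# is absent altogether, so the system falls back to its built-in default.
CURRENT_SNAPSHOT = {
    TCPIP + r"\enableicmpredirect": 1,
    TCPIP + r"\synattackprotect": 1,
    TCPIP + r"\disableipsourcerouting": 2,
    TCPIP + r"\keepalivetime": 7200000,
    r"machine\system\currentcontrolset\services\afd\parameters\maximumdynamicbacklog": 20000,
    r"machine\system\currentcontrolset\control\sessionmanager\safedllsearchmode": 1,
    r"machine\software\microsoft\driver signing\policy": 1,
}


def parse_template(text):
    """Return {lower-cased path: (type name, value)} for every setting line."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable template line: {line!r}")
        code = int(m.group("type"))
        raw = m.group("value")
        # reg_dword and (in this template) reg_binary values are plain integers.
        value = int(raw) if code in (3, 4) and raw.lstrip("-").isdigit() else raw
        settings[m.group("path").lower()] = (REG_TYPES.get(code, f"type{code}"), value)
    return settings


def audit(expected, current):
    """List (path, type, expected, actual) for each setting the snapshot fails.

    A missing value is reported as actual=None: an absent registry value means
    Windows uses its built-in default, which is usually not the hardened value.
    """
    findings = []
    for path, (rtype, want) in sorted(expected.items()):
        have = current.get(path)
        if have != want:
            findings.append((path, rtype, want, have))
    return findings


if __name__ == "__main__":
    for path, rtype, want, have in audit(parse_template(TEMPLATE_LINES), CURRENT_SNAPSHOT):
        print(f"DRIFT {path} ({rtype}): expected {want!r}, found {have!r}")
```

Paths are compared case-insensitively because the registry is, and a value that is missing from the snapshot is reported rather than silently passed, since the template's hardened value is almost never the Windows default.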

4.2 Windows Security Identifiers (SIDs)


SID: S-1-0
Name: Null Authority
Description: An identifier authority.

SID: S-1-0-0
Name: Nobody
Description: No security principal.

SID: S-1-1
Name: World Authority
Description: An identifier authority.

SID: S-1-1-0
Name: Everyone
Description: A group that includes all users, even anonymous users and
guests. Membership is controlled by the operating system.

SID: S-1-2
Name: Local Authority
Description: An identifier authority.

SID: S-1-3
Name: Creator Authority
Description: An identifier authority.

SID: S-1-3-0
Name: Creator Owner
Description: A placeholder in an inheritable access control entry (ACE).
When the ACE is inherited, the system replaces this SID with the SID for
the object's creator.

SID: S-1-3-1
Name: Creator Group
Description: A placeholder in an inheritable ACE. When the ACE is inherited,
the system replaces this SID with the SID for the primary group of the
object's creator. The primary group is used only by the POSIX subsystem.

SID: S-1-3-2
Name: Creator Owner Server
Description: This SID is not used in Windows 2000.

SID: S-1-3-3
Name: Creator Group Server
Description: This SID is not used in Windows 2000.

SID: S-1-4
Name: Non-unique Authority
Description: An identifier authority.

SID: S-1-5
Name: NT Authority
Description: An identifier authority.

SID: S-1-5-1
Name: Dialup
Description: A group that includes all users who have logged on through a
dial-up connection. Membership is controlled by the operating system.

SID: S-1-5-2
Name: Network
Description: A group that includes all users that have logged on through a
network connection. Membership is controlled by the operating system.

SID: S-1-5-3
Name: Batch
Description: A group that includes all users that have logged on through a
batch queue facility. Membership is controlled by the operating system.

SID: S-1-5-4
Name: Interactive
Description: A group that includes all users that have logged on
interactively. Membership is controlled by the operating system.

SID: S-1-5-5-X-Y
Name: Logon Session
Description: A logon session. The X and Y values for these SIDs are
different for each session.

SID: S-1-5-6
Name: Service
Description: A group that includes all security principals that have logged on
as a service. Membership is controlled by the operating system.

SID: S-1-5-7
Name: Anonymous
Description: A group that includes all users that have logged on
anonymously. Membership is controlled by the operating system.

SID: S-1-5-8
Name: Proxy
Description: This SID is not used in Windows 2000.

SID: S-1-5-9
Name: Enterprise Domain Controllers
Description: A group that includes all domain controllers in a forest that
uses an Active Directory directory service. Membership is controlled by the
operating system.

SID: S-1-5-10
Name: Principal Self
Description: A placeholder in an inheritable ACE on an account object or
group object in Active Directory. When the ACE is inherited, the system
replaces this SID with the SID for the security principal who holds the
account.

SID: S-1-5-11
Name: Authenticated Users
Description: A group that includes all users whose identities were
authenticated when they logged on. Membership is controlled by the
operating system.

SID: S-1-5-12
Name: Restricted Code
Description: This SID is reserved for future use.

SID: S-1-5-13
Name: Terminal Server Users
Description: A group that includes all users that have logged on to a
Terminal Services server. Membership is controlled by the operating
system.

SID: S-1-5-18
Name: Local System
Description: A service account that is used by the operating system.

SID: S-1-5-19
Name: NT Authority
Description: Local Service

SID: S-1-5-20
Name: NT Authority
Description: Network Service

SID: S-1-5-domain-500
Name: Administrator
Description: A user account for the system administrator. By default, it is
the only user account that is given full control over the system.

SID: S-1-5-domain-501
Name: Guest
Description: A user account for people who do not have individual accounts.
This user account does not require a password. By default, the Guest
account is disabled.

SID: S-1-5-domain-502
Name: KRBTGT
Description: A service account that is used by the Key Distribution Center
(KDC) service.

SID: S-1-5-domain-512
Name: Domain Admins
Description: A global group whose members are authorized to administer
the domain. By default, the Domain Admins group is a member of the
Administrators group on all computers that have joined a domain, including
the domain controllers. Domain Admins is the default owner of any object
that is created by any member of the group.

SID: S-1-5-domain-513
Name: Domain Users
Description: A global group that, by default, includes all user accounts in a
domain. When you create a user account in a domain, it is added to this
group by default.

SID: S-1-5-domain-514
Name: Domain Guests
Description: A global group that, by default, has only one member, the
domain's built-in Guest account.

SID: S-1-5-domain-515
Name: Domain Computers
Description: A global group that includes all clients and servers that have
joined the domain.

SID: S-1-5-domain-516
Name: Domain Controllers
Description: A global group that includes all domain controllers in the
domain. New domain controllers are added to this group by default.

SID: S-1-5-domain-517
Name: Cert Publishers
Description: A global group that includes all computers that are running an
enterprise certification authority. Cert Publishers are authorized to publish
certificates for User objects in Active Directory.

SID: S-1-5-root domain-518
Name: Schema Admins
Description: A universal group in a native-mode domain; a global group in a
mixed-mode domain. The group is authorized to make schema changes in
Active Directory. By default, the only member of the group is the
Administrator account for the forest root domain.

SID: S-1-5-root domain-519
Name: Enterprise Admins
Description: A universal group in a native-mode domain; a global group in a
mixed-mode domain. The group is authorized to make forest-wide changes
in Active Directory, such as adding child domains. By default, the only
member of the group is the Administrator account for the forest root
domain.

SID: S-1-5-domain-520
Name: Group Policy Creator Owners
Description: A global group that is authorized to create new Group Policy
objects in Active Directory. By default, the only member of the group is
Administrator.

SID: S-1-5-domain-533
Name: RAS and IAS Servers
Description: A domain local group. By default, this group has no members.
Servers in this group have Read Account Restrictions and Read Logon
Information access to User objects in the Active Directory domain.

SID: S-1-5-32-544
Name: Administrators
Description: A built-in group. After the initial installation of the operating
system, the only member of the group is the Administrator account. When a
computer joins a domain, the Domain Admins group is added to the
Administrators group. When a server becomes a domain controller, the
Enterprise Admins group also is added to the Administrators group.

SID: S-1-5-32-545
Name: Users
Description: A built-in group. After the initial installation of the operating
system, the only member is the Authenticated Users group. When a
computer joins a domain, the Domain Users group is added to the Users
group on the computer.

SID: S-1-5-32-546
Name: Guests
Description: A built-in group. By default, the only member is the Guest
account. The Guests group allows occasional or one-time users to log on
with limited privileges to a computer's built-in Guest account.

SID: S-1-5-32-547
Name: Power Users
Description: A built-in group. By default, the group has no members. Power
users can create local users and groups; modify and delete accounts that
they have created; and remove users from the Power Users, Users, and
Guests groups. Power users also can install programs; create, manage, and
delete local printers; and create and delete file shares.

SID: S-1-5-32-548
Name: Account Operators
Description: A built-in group that exists only on domain controllers. By
default, the group has no members. By default, Account Operators have
permission to create, modify, and delete accounts for users, groups, and
computers in all containers and organizational units of Active Directory
except the Builtin container and the Domain Controllers OU. Account
Operators do not have permission to modify the Administrators and Domain
Admins groups, nor do they have permission to modify the accounts for
members of those groups.

SID: S-1-5-32-549
Name: Server Operators
Description: A built-in group that exists only on domain controllers. By
default, the group has no members. Server Operators can log on to a server
interactively; create and delete network shares; start and stop services;
back up and restore files; format the hard disk of the computer; and shut
down the computer.

SID: S-1-5-32-550
Name: Print Operators
Description: A built-in group that exists only on domain controllers. By
default, the only member is the Domain Users group. Print Operators can
manage printers and document queues.

SID: S-1-5-32-551
Name: Backup Operators
Description: A built-in group. By default, the group has no members.
Backup Operators can back up and restore all files on a computer,
regardless of the permissions that protect those files. Backup Operators also
can log on to the computer and shut it down.

SID: S-1-5-32-552
Name: Replicators
Description: A built-in group that is used by the File Replication service on
domain controllers. By default, the group has no members. Do not add
users to this group.

The following groups will show as SIDs until a Windows Server 2003 domain
controller is made the primary domain controller (PDC) operations master role
holder. (The "operations master" is also known as flexible single master
operations or FSMO.) Additional new built-in groups that are created when a
Windows Server 2003 domain controller is added to the domain are:

SID: S-1-5-32-554
Name: BUILTIN\Pre-Windows 2000 Compatible Access
Description: An alias added by Windows 2000. A backward compatibility group
which allows read access on all users and groups in the domain.

SID: S-1-5-32-555
Name: BUILTIN\Remote Desktop Users
Description: An alias. Members in this group are granted the right to log on
remotely.

SID: S-1-5-32-556
Name: BUILTIN\Network Configuration Operators
Description: An alias. Members in this group can have some administrative
privileges to manage configuration of networking features.

SID: S-1-5-32-557
Name: BUILTIN\Incoming Forest Trust Builders
Description: An alias. Members of this group can create incoming, one-way trusts
to this forest.

SID: S-1-5-32-558
Name: BUILTIN\Performance Monitor Users
Description: An alias. Members of this group have remote access to monitor this
computer.

SID: S-1-5-32-559
Name: BUILTIN\Performance Log Users
Description: An alias. Members of this group have remote access to schedule
logging of performance counters on this computer.

SID: S-1-5-32-560
Name: BUILTIN\Windows Authorization Access Group
Description: An alias. Members of this group have access to the computed
tokenGroupsGlobalAndUniversal attribute on User objects.

SID: S-1-5-32-561
Name: BUILTIN\Terminal Server License Servers
Description: An alias. A group for Terminal Server License Servers. When
Windows Server 2003 Service Pack 1 is installed, a new local group is created.

SID: S-1-5-32-562
Name: BUILTIN\Distributed COM Users
Description: An alias. A group for COM to provide computerwide access controls
that govern access to all call, activation, or launch requests on the computer.


4.3 Common Access Control List (ACL) Settings


4.3.1 Security Descriptor Definition Language (SDDL) [3]
SDDL defines the string format that describes a security descriptor [4] as a text string;
in the context of security template settings, SDDL is used in nTSecurityDescriptor [5]
attributes, registry keys and NTFS files to define the ACL.

4.3.2 Discretionary Access Control List (DACL)


The DACL identifies the trustees that are allowed or denied access to a securable
object; when a process tries to access a securable object, the system checks the
ACEs in the object's DACL to determine whether to grant access to it.

Should the object not have a DACL, the system grants full access to everyone; if the
object's DACL has no ACEs, the system denies all attempts to access the object
because the DACL does not allow any access rights.

The system checks the ACEs in sequence until it finds one or more ACEs that allow
all the requested access rights, or until any of the requested access rights are
denied.

4.3.3 System Access Control List (SACL)


The SACL enables administrators to log attempts to access a secured object; each
ACE specifies the types of access attempts by a specified trustee that cause the
system to generate a record in the security event log.

An ACE in a SACL can generate audit records when an access attempt fails, when it
succeeds, or both. In future releases, a SACL will also be able to raise an alarm when
an unauthorized user attempts to gain access to an object.

4.3.4 Access Control Entry (ACE)


An access control entry is an element in an access control list (ACL) . An ACL can
have zero or more ACEs. Each ACE controls or monitors access to an object by a
specified trustee.

[3] University of Washington. “SDDL Syntax”. April 24, 2007. Accessed on 25 March 2008.
https://www.washington.edu/computing/support/windows/UWdomains/SDDL.html.

[4] Security Descriptor - A structure and associated data that contains the security information for a
securable object. A security descriptor identifies the object's owner and primary group. It can also contain
a DACL that controls access to the object, and a SACL that controls the logging of attempts to access the
object.

[5] nTSecurityDescriptor - Every object in Active Directory contains this attribute, which is a security
descriptor object containing the discretionary access control list (DACL), the system access control list
(SACL), group, and owner information that controls the object's access control behavior.


All types of ACEs contain the following access control information:

A security identifier (SID) that identifies the trustee to which the ACE applies.
An access mask that specifies the access rights controlled by the ACE.
A flag that indicates the type of ACE.
A set of bit flags that determine whether child containers or objects can
inherit the ACE from the primary object to which the ACL is attached.

The following table lists the three ACE types supported by all securable objects:

Type                Description
Access-denied ACE   Used in a discretionary access control list (DACL) to deny access rights to a trustee.
Access-allowed ACE  Used in a DACL to allow access rights to a trustee.
System-audit ACE    Used in a system access control list (SACL) to generate an audit record when the
                    trustee attempts to exercise the specified access rights.

4.3.5 Format of nTSecurityDescriptor string:

Each nTSecurityDescriptor SDDL string is composed of 5 primary components which
correspond to the header, DACL (D:), SACL (S:), primary group (G:) and owner (O:):

O:owner_sidG:group_sidD:dacl_flags(ace string 1)(ace string 2)S:sacl_flags(ace string 1)(ace string 2)

The header contains record keeping information along with 2 flags that designate
whether the object is blocking inheritance for the SACL and DACL. The contents of
both the primary group and owner parts are simply a single SID while the contents
of both the SACL and DACL parts are a string with no fixed length.

ACEs [6] make up the contents of these strings. Each ACE is enclosed within parentheses and
contains 6 fields separated by a semicolon delimiter. The fields are:

a. ACE type (allow/deny/audit);
b. ACE flags (inheritance and audit settings);
c. Permissions (list of incremental permissions);
d. ObjectType (GUID);
e. Inherited Object Type (GUID); and
f. Trustee (SID).

[6] ACE - An access control entry is an element in an access control list (ACL). An ACL can have zero or
more ACEs. Each ACE controls or monitors access to an object by a specified trustee.

4.3.6 ACE Type

The ACE type designates whether the trustee is allowed, denied or audited.

Value Description
"A" ACCESS ALLOWED
"D" ACCESS DENIED
"OA" OBJECT ACCESS ALLOWED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S).
"OD" OBJECT ACCESS DENIED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S).
"AU" SYSTEM AUDIT
"AL" SYSTEM ALARM
"OU" OBJECT SYSTEM AUDIT
"OL" OBJECT SYSTEM ALARM

4.3.7 ACE Flags

The ACE flags denote the inheritance options for the ACE, and if it is a SACL, the
audit settings.

Value Description
"CI"  CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
"OI"  OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP"  NO PROPAGATE: ONLY IMMEDIATE CHILDREN INHERIT THIS ACE.
"IO"  INHERITANCE ONLY: ACE DOESN'T APPLY TO THIS OBJECT, BUT MAY AFFECT CHILDREN VIA INHERITANCE.
"ID"  ACE IS INHERITED
"SA"  SUCCESSFUL ACCESS AUDIT
"FA"  FAILED ACCESS AUDIT


4.3.8 Permissions

The Permissions are a list of the incremental permissions given (or denied/audited)
to the trustee; these correspond to the permissions discussed earlier and are simply
appended together. However, the incremental permissions are not the only
permissions available. The table below lists all the permissions.

Value Description
Generic access rights
"GA" GENERIC ALL
"GR" GENERIC READ
"GW" GENERIC WRITE
"GX" GENERIC EXECUTE
Directory service access rights
"RC" Read Permissions
"SD" Delete
"WD" Modify Permissions
"WO" Modify Owner
"RP" Read All Properties
"WP" Write All Properties
"CC" Create All Child Objects
"DC" Delete All Child Objects
"LC" List Contents
"SW" All Validated Writes
"LO" List Object
"DT" Delete Subtree
"CR" All Extended Rights
File access rights
"FA" FILE ALL ACCESS
"FR" FILE GENERIC READ
"FW" FILE GENERIC WRITE
"FX" FILE GENERIC EXECUTE
Registry key access rights
"KA" KEY ALL ACCESS
"KR" KEY READ
"KW" KEY WRITE
"KX" KEY EXECUTE

4.3.9 Object Type and Inherited Object Type

The ObjectType is a GUID representing an object class, attribute, attribute set, or
extended right. If present it limits the ACE to the object the GUID represents. The
Inherited Object Type is a GUID representing an object class. If present it limits
inheritance of the ACE to the child entries of only that object class.


4.3.10 Trustee

The Trustee is the SID of the user or group being given access (or denied or
audited). Instead of a SID, there are several commonly used acronyms for well-
known SIDs. These are listed in the table below:

Value Description
"AO" Account operators
"RU" Alias to allow previous Windows 2000
"AN" Anonymous logon
"AU" Authenticated users
"BA" Built-in administrators
"BG" Built-in guests
"BO" Backup operators
"BU" Built-in users
"CA" Certificate server administrators
"CG" Creator group
"CO" Creator owner
"DA" Domain administrators
"DC" Domain computers
"DD" Domain controllers
"DG" Domain guests
"DU" Domain users
"EA" Enterprise administrators
"ED" Enterprise domain controllers
"WD" Everyone
"PA" Group Policy administrators
"IU" Interactively logged-on user
"LA" Local administrator
"LG" Local guest
"LS" Local service account
"SY" Local system
"NU" Network logon user
"NO" Network configuration operators
"NS" Network service account
"PO" Printer operators
"PS" Personal self
"PU" Power users
"RS" RAS servers group
"RD" Terminal server users
"RE" Replicator
"RC" Restricted code
"SA" Schema administrators
"SO" Server operators
"SU" Service logon user


4.3.11 ACL Example


Given an ACL assigned to a service as demonstrated below:

w32time,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

The DACL D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
would break out as follows:

AR SDDL_AUTO_INHERIT_REQ - the SE_DACL_AUTO_INHERIT_REQ flag is set.

ACE String 1

A ACCESS ALLOWED
CC CREATE ALL CHILD OBJECTS
DC DELETE ALL CHILD OBJECTS
LC LIST CONTENTS
SW ALL VALIDATED WRITES
RP READ ALL PROPERTIES
WP WRITE ALL PROPERTIES
DT DELETE SUBTREE
LO LIST OBJECT
CR ALL EXTENDED RIGHTS
SD DELETE
RC READ PERMISSIONS
WD MODIFY PERMISSIONS
WO MODIFY OWNER
BA BUILT-IN ADMINISTRATOR

ACE String 2

A ACCESS ALLOWED
CC CREATE ALL CHILD OBJECTS
DC DELETE ALL CHILD OBJECTS
LC LIST CONTENTS
SW ALL VALIDATED WRITES
RP READ ALL PROPERTIES
WP WRITE ALL PROPERTIES
DT DELETE SUBTREE
LO LIST OBJECT
CR ALL EXTENDED RIGHTS
SD DELETE
RC READ PERMISSIONS
WD MODIFY PERMISSIONS
WO MODIFY OWNER
SY LOCAL SYSTEM

The SACL S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) would break out as follows:


AU SYSTEM AUDIT
FA FAILED ACCESS AUDIT
CC CREATE ALL CHILD OBJECTS
DC DELETE ALL CHILD OBJECTS
LC LIST CONTENTS
SW ALL VALIDATED WRITES
RP READ ALL PROPERTIES
WP WRITE ALL PROPERTIES
DT DELETE SUBTREE
LO LIST OBJECT
CR ALL EXTENDED RIGHTS
SD DELETE
RC READ PERMISSIONS
WD MODIFY PERMISSIONS
WO MODIFY OWNER
WD EVERYONE
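The following Python is an added example, not part of the working aide or of any Microsoft tool: it splits an SDDL string into its O:/G:/D:/S: parts and the six ACE fields of 4.3.5, then applies the DACL rule of 4.3.2 (no DACL grants everything, a DACL with no ACEs denies everything, otherwise the ACEs are scanned in order) to the w32time string above. It handles only the two-letter alias codes used in the tables of this section, does not expand generic rights into specific ones, and any deny ACE fed to it is a constructed sample.

```python
"""Decode an SDDL security descriptor string and evaluate its DACL.
Added example; only the two-letter codes from 4.3.6 to 4.3.10 are handled."""
import re

# The w32time service ACL quoted in 4.3.11, with the line wrapping removed.
W32TIME_SDDL = ("D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

PART_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")  # O:, G:, D: and S: parts
ACE_RE = re.compile(r"\(([^)]*)\)")                     # one (...) group per ACE


def split_pairs(run):
    """'CCDCLC' -> ['CC', 'DC', 'LC']; every flag and right code is two letters."""
    if len(run) % 2:
        raise ValueError(f"odd-length code run: {run!r}")
    return [run[i:i + 2] for i in range(0, len(run), 2)]


def parse_ace(text):
    """Split one ACE into the six semicolon-separated fields of 4.3.5."""
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields in ACE, got {len(fields)}: {text!r}")
    ace_type, flags, rights, obj, inh_obj, trustee = fields
    return {"type": ace_type, "flags": split_pairs(flags), "rights": split_pairs(rights),
            "object_type": obj, "inherited_object_type": inh_obj, "trustee": trustee}


def parse_sddl(sddl):
    """Return the O, G, D and S parts; a part absent from the string is None."""
    parts = {"O": None, "G": None, "D": None, "S": None}
    for key, body in PART_RE.findall(sddl):
        if key in ("O", "G"):
            parts[key] = body                      # a single SID or SID alias
        else:
            acl_flags = body.split("(", 1)[0]      # e.g. "AR" before the first ACE
            parts[key] = {"flags": acl_flags,
                          "aces": [parse_ace(a) for a in ACE_RE.findall(body)]}
    return parts


def check_access(sddl, token, requested):
    """DACL check as described in 4.3.2: no DACL grants everything, a DACL with no
    ACEs denies everything, otherwise ACEs are walked in order until every requested
    right is allowed or any requested right is denied. token: trustee codes held."""
    dacl = parse_sddl(sddl)["D"]
    if dacl is None:
        return True
    if not dacl["aces"]:
        return False
    remaining = set(requested)
    for ace in dacl["aces"]:
        if ace["trustee"] not in token or "IO" in ace["flags"]:
            continue                               # not for this token / inherit-only
        if ace["type"] == "D" and remaining & set(ace["rights"]):
            return False                           # a matching deny ACE ends the scan
        if ace["type"] == "A":
            remaining -= set(ace["rights"])        # generic rights are not expanded here
            if not remaining:
                return True
    return False


if __name__ == "__main__":
    print(check_access(W32TIME_SDDL, {"BA"}, {"RP", "WP"}))  # True: both allowed to BA
```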


4.4 Security Policy Comparison and Analysis


While developing and deploying a custom security policy, the IT Security specialist in
the field may have to compare and/or analyze security policies. This annex will
outline the use of the MMC Security Configuration and Analysis plugin and the
command line tool secedit to compare and analyze the local security configuration of
a Windows 2003 Server installation.

4.4.1 MMC – Microsoft Management Console


MMC is a framework for system administration tools in modern Microsoft Windows
operating systems. Most of Microsoft's administration tools included with both
Windows itself, and Windows Server System products are implemented as MMC
modules (known as “snap-ins”).

One of these snap-ins (Security Configuration and Analysis) allows the system
administrator to analyze local security policies by generating a security database
from the security policy installed on a host and comparing it to another security
policy template.

4.4.2 Comparing and Analyzing Security Policies Using MMC


Running MMC and Adding the Snap-in

1. Log in as the local administrator (username: cscsrvadmin).
2. From the Start menu, select Run…
3. In the Open: field, type mmc and click OK.
4. In the Console window, click File and select Add/Remove Snap-in.
5. In the Add/Remove Snap-in window, click on Add…
6. In the Add Standalone Snap-in window, select Security Configuration and
Analysis and click Add.
7. Click Close.
8. In the Add/Remove Snap-in window, click on OK.


Figure 1 – The MMC Console window after loading the Security Configuration and Analysis
snap-in module.

To Open an Existing Security Policy Database

1. Right-click the Security Configuration and Analysis snap-in item.
2. Click Open Database.
3. Select a database, and then click Open.

To Create a New Security Policy Database

1. Right-click the Security Configuration and Analysis snap-in item.
2. Click Open Database.
3. Type a new database name, and then click Open.
4. Select a security template to import, and then click Open.


Figure 2 – The MMC Console window after selecting the security database and security
policy.

To Compare and Analyze the Security Policy

1. Right-click the Security Configuration and Analysis snap-in item.
2. Select Analyze Computer Now…
3. In the Perform Analysis window, click OK.
4. Allow the Analyzing System Security window's routine to complete.


Figure 3 – The MMC Console’s security policy analysis progress window.

To Navigate the Results

1. Under the Security Configuration and Analysis snap-in item, select the
item you wish to view from the tree.
2. The analysis results for the selected item will be displayed on the right hand
side.

Figure 4 – The MMC Console window after the comparison and analysis is complete.


Analyzing Security and Viewing Results

The Security Configuration and Analysis snap-in performs security analysis by
comparing the current state of system security against an analysis database. During
creation, the analysis database uses at least one security template.

Should the administrator choose to import more than one security template, the
database will merge the various templates and create one composite template. The
snap-in resolves conflicts in order of import; the last template that is imported takes
precedence.

The snap-in displays the analysis results by security area, using visual flags to
indicate problems. It displays the current system and base configuration settings for
each security attribute in the security areas.

ANALYSIS VISUAL FLAG HIGHLIGHTS AND THEIR MEANINGS.

Visual Flag Highlight  Meaning
Red X                  The entry is defined in the analysis database and on the system, but the
                       security setting values do not match.
Green Check            The entry is defined in the analysis database and on the system and the
                       setting values match.
Question Mark          The entry is not defined in the analysis database and, therefore, was not
                       analyzed. If an entry is not analyzed, it may be that it was not defined in
                       the analysis database or that the user who is running the analysis may not
                       have sufficient permission to perform analysis on a specific object or area.
Exclamation Point      This item is defined in the analysis database, but does not exist on the
                       actual system. For example, there may be a restricted group that is
                       defined in the analysis database but does not actually exist on the
                       analyzed system.
No Highlight           The item is not defined in the analysis database or on the system.


4.4.3 Secedit – Command Line Security Policy Analysis Tool


Secedit is a command line tool that allows a system administrator to perform various
security policy related tasks. Although a command line tool, secedit is extremely
versatile as it can be scripted to perform tasks remotely across multiple hosts; MMC
can only be used to perform tasks on a single machine (the local host).

The Secedit tool has six primary functions: configure, analyze, import, export,
validate, and generate rollback. The scope of this document is limited to those
used for security policy analysis.

Comparing and Analyzing Security Policies Using Secedit

Running Secedit

1. From the Start menu, select Run…
2. In the Open: field, type cmd and click OK.
3. In the command shell window, enter the commands as described below.

Secedit Switches Explained

DB - The DB switch allows the administrator to specify the name of the database file
to either create or use.

CFG - The CFG switch allows the administrator to specify the name of the template
to use.

Overwrite – When used in conjunction with the import function, the overwrite
switch purges the database prior to the import; this provides the same
basic functionality as creating a brand new database.

Log - Allows the administrator to specify a log file to be used in lieu of the default
log file.

Quiet – Allows the administrator to run Secedit without prompting for task
verifications.

Areas - Allows the administrator to specify which types of data from the template
should be applied; all other types of data within the template are ignored. Valid data
types are:

SECURITYPOLICY - includes account policies, audit policies, event log settings, and security options.
GROUP_MGMT - includes restricted groups settings.
USER_RIGHTS - includes user rights assignments.
REGKEYS - includes registry permissions.
FILESTORE - includes file system permissions.
SERVICES - includes system service settings.


Creating a Security Policy Database

The secedit import function is used to create or import a security policy database;
the syntax for the Import function is as follows:

SECEDIT /IMPORT /DB database.sdb /CFG template.inf /OVERWRITE

In the example above, replace database.sdb with the name of the database being
created and template.inf with the name of the template being used to generate the
database.

Analyzing Security Policies

The secedit analyze function is used to compare an existing security policy database
to a security policy. The syntax is as follows:

SECEDIT /ANALYZE /DB database.sdb /CFG template.inf /OVERWRITE /LOG output.txt

In the example above, replace database.sdb with the name of an existing database
and template.inf with the name of the template being compared to the database.
This will create a log file in the current directory named OUTPUT.TXT listing every
security setting that differs from the template.

Opening the Analysis Results File

To open and view the results file (e.g. OUTPUT.TXT), simply open the file with
Notepad or another text editor.


5 REFERENCES
Communications Security Establishment Canada. “Windows Server 2003 Recommended Baseline Security (ITSG-20)”. March 2004. Accessed on 25 March 2008. http://www.cse-cst.gc.ca/documents/publications/gov-pubs/itsg/itsg20.pdf.

Melber, Derek. “Understanding Windows Security Templates”. 06 October 2004. Accessed on 25 March 2008. http://www.windowsecurity.com/articles/Understanding-Windows-Security-Templates.html.

Microsoft Download Center. “Windows Server 2003 Security Guide”. 05 August 2006. Accessed on 25 March 2008. http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en.

Microsoft Help and Support. “Definition of Registry Value Data Types”. 14 March 2008. Accessed on 25 March 2008. http://support.microsoft.com/kb/101230.

Microsoft Help and Support. “Well-known Security Identifiers in Windows Operating Systems”. 14 March 2008. Accessed on 25 March 2008. http://support.microsoft.com/kb/243330.

Microsoft TechNet. “Security Templates”. Date unknown. Accessed on 25 March 2008. http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/deploy/dgbe_sec_vopo.mspx?mfr=true

University of Washington. “SDDL Syntax”. April 24, 2007. Accessed on 25 March 2008. https://www.washington.edu/computing/support/windows/UWdomains/SDDL.html.
