Windows Security Settings Working Aide
WORKING AIDE -
WINDOWS SECURITY TEMPLATE SETTINGS
Page 0
Working Aide - Windows Security Template Settings Final - 06 March 2008
Ted Mac Daibhidh, CD
Table of Contents
1 INTRODUCTION ...................................................................................................................3
2 WINDOWS SECURITY TEMPLATES ...............................................................................4
3 SECURITY SETTINGS .........................................................................................................5
3.1 PASSWORD .........................................................................................................................4
3.2 ACCOUNT LOCKOUT...........................................................................................................5
3.3 KERBEROS POLICY .............................................................................................................6
3.4 AUDIT POLICY ....................................................................................................................7
3.5 USER RIGHTS ASSIGNMENTS ..............................................................................................8
3.6 SECURITY OPTIONS ..........................................................................................................14
3.7 EVENT LOG SIZE ..............................................................................................................27
3.8 GUEST ACCESS .................................................................................................................28
3.9 RETENTION METHOD .......................................................................................................28
3.10 SYSTEM SERVICES ............................................................................................................29
3.11 TCP/IP STACK HARDENING .............................................................................................51
3.12 AFD.SYS ........................................................................................................................53
3.13 OTHER SETTINGS .............................................................................................................54
4 ANNEXES ..............................................................................................................................56
4.1 GENERAL SECURITY SETTING VALUES ............................................................................56
4.2 WINDOWS SECURITY IDENTIFIERS (SIDS) ........................................................................59
4.3 COMMON ACCESS CONTROL LIST (ACL) SETTINGS........................................................66
4.4 SECURITY POLICY COMPARISON AND ANALYSIS .............................................................74
5 REFERENCES ......................................................................................................................80
1 INTRODUCTION
The purpose of this document is to aggregate several disparate documents and
sources regarding Microsoft Windows security template settings, in order to assist
those with limited exposure to this subject should they find themselves tasked with
a project that requires interpreting these settings.
Windows installations have several standard security templates which can be found
in the C:\Windows\Security\Templates folder. The standard security templates are:
f. Ocfiless.inf – used for optional components that are installed after the main
operating system is installed - this will support services such as Terminal
Services and Certificate Services;
[1] Melber, Derek. "Understanding Windows Security Templates". 06 October 2004.
Accessed on 25 March 2008. http://www.windowsecurity.com/articles/Understanding-Windows-Security-Templates.html.
3 SECURITY SETTINGS
The sections below define some of the individual security settings found in
security templates. Where available, the CSEC recommended setting values [2] are
provided and explained.
3.1 Password
Enforce password history
PasswordHistorySize = 24
The setting '24' requires the user to select twenty-four unique passwords before
they can re-use their first one. With a 'MinimumPasswordAge' of two, the user would
have to change their password every two days to cycle back to their original password.
'MaximumPasswordAge' defines the maximum number of days a user can keep the
same password.
A setting of forty-two requires the user to change their password every forty-two
days; combined with the 'PasswordComplexity' and 'PasswordLength' settings, this
ensures the password is strong and resilient to attack.
The setting '2' requires the user to wait two days before they can change their
password again.
The setting '8' requires the user to enter a password of eight characters or more;
combined with the 'PasswordComplexity' and 'MaximumPasswordAge' settings, this
ensures the password is strong and resilient to attack.
[2] Communications Security Establishment Canada. "Windows Server 2003 Recommended Baseline
Security (ITSG-20)". http://www.cse-cst.gc.ca/documents/publications/gov-pubs/itsg/itsg20.pdf.
The setting '1' requires the user to enter a strong password that meets the criteria
shown below:
• Non-alphanumeric (! @ # $ % ^ &)
NOTE: Never enable this option unless operational considerations outweigh the need
to protect password information.
'LockoutDuration' defines the length of time (in minutes) that an account is disabled
after lockout; this value needs to be synchronized with 'ResetLockoutCount' so the
user can log on when the 'LockoutDuration' has expired.
'LockoutBadCount' defines the number of failed logons allowed before the account is
locked.
The setting '10' causes the user's account to be locked after 10 consecutive failed
logon attempts. The setting prevents extended password guessing attacks.
'ResetLockoutCount' defines the length of time (in minutes) before the lockout
counter is reset; this value needs to be synchronized with 'LockoutDuration' so the
user can log on when the 'LockoutDuration' has expired.
The setting '15' resets the lockout counter to zero after fifteen minutes.
3.3 Kerberos Policy
Enforce user logon restrictions
TicketValidateClient = 1
The setting '600' (minutes) allows the ticket to be used for ten hours.
'MaxTicketAge' defines the maximum number of hours a user's ticket-granting ticket
may be used.
The setting '10' indicates that the ticket-granting ticket must be replaced or renewed
after ten hours.
'MaxRenewAge' defines the number of days a ticket-granting ticket may be renewed
after issuance.
The setting '7' allows a ticket-granting ticket to be renewed for seven days.
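The values in sections 3.1 to 3.3 interact (a lockout counter that outlives the lockout duration, or a minimum password age of zero that makes the password history pointless), so a template is worth checking as a whole rather than one keyword at a time. The following is an added example for this working aide, not part of the CSEC baseline or of any Windows file: it parses the `[System Access]` and `[Kerberos Policy]` sections of a security template (.inf) and applies the consistency rules the text describes. The template text is constructed from the values quoted above; `MinimumPasswordLength` is the actual template keyword for the minimum length, and `ClearTextPassword` (reversible encryption) and `MaxClockSkew` are standard template keywords the text does not quote.

```python
"""Parse a security template (.inf) and cross-check the [System Access] and
[Kerberos Policy] values.  Added example for this working aide; the template
text is constructed from the CSEC values quoted in sections 3.1 to 3.3 and is
not a file shipped with Windows."""

SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
ClearTextPassword = 0
LockoutBadCount = 10
ResetLockoutCount = 15
LockoutDuration = 15
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_template(text):
    """Return {section: {key: value}}; numeric values become ints."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        if current is not None and "=" in line:
            key, _, val = line.partition("=")
            val = val.strip()
            current[key.strip()] = int(val) if val.lstrip("-").isdigit() else val
    return sections

def days_to_reuse(system_access):
    """Days a user needs to cycle back to an old password (history x minimum age)."""
    return system_access["PasswordHistorySize"] * system_access["MinimumPasswordAge"]

def check_policy(sections):
    """Return a list of findings; an empty list means the values are consistent."""
    sa = sections["System Access"]
    kp = sections.get("Kerberos Policy", {})
    findings = []
    # Section 3.2: the reset window and lockout duration must be synchronized;
    # Windows rejects a reset counter longer than the lockout (0 = until unlocked).
    if sa["LockoutDuration"] != 0 and sa["ResetLockoutCount"] > sa["LockoutDuration"]:
        findings.append("ResetLockoutCount must not exceed LockoutDuration")
    if sa["LockoutBadCount"] == 0:
        findings.append("LockoutBadCount 0 never locks the account")
    if sa["MaximumPasswordAge"] != 0 and sa["MinimumPasswordAge"] >= sa["MaximumPasswordAge"]:
        findings.append("MinimumPasswordAge must be less than MaximumPasswordAge")
    # Section 3.1: history only works if a minimum age stops immediate cycling.
    if sa["MinimumPasswordAge"] == 0 and sa["PasswordHistorySize"] > 0:
        findings.append("MinimumPasswordAge 0 lets the whole history be cycled at once")
    if sa.get("ClearTextPassword", 0) == 1:
        findings.append("ClearTextPassword 1 stores passwords with reversible encryption")
    # Section 3.3: a service ticket (minutes) cannot outlive the TGT (hours).
    if kp and kp["MaxServiceAge"] > kp["MaxTicketAge"] * 60:
        findings.append("MaxServiceAge (minutes) must not exceed MaxTicketAge (hours)")
    return findings

if __name__ == "__main__":
    t = parse_template(SAMPLE_INF)
    print("days before a password can be re-used:", days_to_reuse(t["System Access"]))
    print("findings:", check_policy(t) or "none")
```

With the quoted values the checker reports nothing and `days_to_reuse` gives 48 (24 passwords, two days each); raising `ResetLockoutCount` above `LockoutDuration` or dropping `MinimumPasswordAge` to 0 produces a finding for each.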
'AuditDSAccess' defines the types of logon events to audit; the Directory Service
holds crucial information for the domain. Knowledge of access during an incident can
provide valuable information about Active Directory objects accessed during an
attack.
'AuditObjectAccess' defines the type of logon events that will be audited; failed
attempts can be monitored to determine if any users are probing the system for
vulnerabilities.
'AuditPolicyChange' defines the type of logon events that will be audited; 'success'
events are used in investigations to determine access to the system and the policy in
force at the time of the incident. 'Failure' attempts can determine if users are probing
the system for vulnerabilities.
The setting '0' audits no events. The value of this information is weighed against the
volume of data collected.
'setcbprivilege' grants an account the ability to act as part of the operating system.
According to Microsoft, there is no reason why an account would require this
privilege.
'sebackupprivilege' grants the right to back up files and directories. Rights are
given to Administrators and Backup Operators; if your policy does not allow
administrators to perform backups, omit the Administrators group. The allocation of
this privilege must be tightly controlled.
'sesystemtimeprivilege' grants the right to change the system time; this policy
grants the right to Administrators. The system time is critical in incident
investigation; without consistent time, it is difficult to correlate events across
multiple systems.
Create a pagefile
secreatepagefileprivilege = *S-1-5-32-544
'secreatepagefileprivilege' grants the right to create a page file. This policy grants
the right to Administrators; restricting it to Administrators limits exposure to
trusted individuals. Too large a page file can cause poor system performance.
'secreatetokenprivilege' grants the right to create local security token objects; the
privilege gives the ability to create or modify access tokens. This policy grants the
right to no one; withholding it helps prevent privilege escalation attacks and DoS
conditions.
Debug programs
sedebugprivilege =
'sedebugprivilege' grants the right to debug any kernel process. Program debugging
should never be done in a production environment; in the event it is required, grant
the right only for the time needed to perform the debugging.
NOTE: Where there is no reason for a group or user to have network access to the
system, access should be denied.
'sedenybatchlogonright' prevents the ability to create batch jobs; the batch facility
could be used to schedule jobs that result in a DoS. This policy applies to Guests
and Anonymous Logon; Administrators must add the local accounts 'Guest' and
'Support_388945a0'.
NOTE: Where there is no reason for a group or user to have batch logon access to
the system, access should be denied.
NOTE: Where there is no reason for a group to have interactive access to the system,
access should be denied.
NOTE: Where there is no reason for a group to have terminal services access, access
should be denied.
'seremoteshutdownprivilege' grants the right to shut the system down from a remote
location; servers in a High Security zone require physical access to be shut down.
This policy grants the right to no one.
'seauditprivilege' grants the right to generate records in the security logs; limiting
the right to non-interactive accounts prevents DoS conditions caused by full logs.
This policy grants the right to Network Service and Local Service.
'seloaddriverprivilege' grants the right to load and unload device drivers. Driver code
can run with elevated privileges; restricting the privilege to Administrators reduces
system exposure. This policy grants the privilege to Administrators.
'selockmemoryprivilege' grants the right to keep data in physical memory. Abuse of
the privilege can result in starved memory resources and a DoS situation; restricting
this privilege reduces exposure to this threat. This policy grants the privilege to no one.
'sebatchlogonright' grants the right to submit batch jobs (log on as a batch job); the
Task Scheduler could be used to invoke a DoS condition, and limiting this privilege
reduces the threat. This policy grants the right to no one.
Log on as a service
seservicelogonright = *S-1-5-20,*S-1-5-19
'seservicelogonright' grants the right to log on as a service. This policy grants the
right to Local Service and Network Service; interactive accounts are purposely
excluded.
'sesecurityprivilege' grants the right to specify object access auditing options; this
policy grants the right to Administrators. Administrators alone can determine the
appropriate auditing level, thereby ensuring that users of the system cannot reduce
auditing and eliminate traces of their activity.
'seshutdownprivilege' grants the right to shut down the system locally. Restricting
this privilege reduces the threat of inadvertent or malicious shutdowns; this policy
grants the right to Administrators only.
'sesyncagentprivilege' grants the right to read all objects and properties in the
Directory; information gained from Active Directory can be used to form an attack
against the system. This policy revokes all privileges.
'EnableGuestAccount' determines if the local guest account is enabled. The setting '0'
disables the local guest account; this prevents widespread use and removes it as a
target for attack.
The 'NewGuestName' keyword sets the local guest account name; renaming the account
makes it more difficult for an attacker to misuse it. The setting 'janesmith' renames
the local guest account to janesmith.
NOTE: This keyword should be omitted if a policy to rename the Guest account on
each system is enforced. If not, then at a minimum change it from 'janesmith' to a
local value.
'fullprivilegeauditing' determines if the system will audit use of the Backup and
Restore privilege; the setting '0' disables auditing of the Backup and Restore privilege.
The 'crashonauditfail' registry value determines system behaviour when it fails to log
security events; the setting '1' shuts the system down when it cannot log. The
Canadian Federal government requires that comprehensive log data be carefully
maintained; therefore, if the log files are full the system must not process further
transactions.
The 'allocatedasd' registry value determines who can format and eject removable
media; the ability to store large quantities of data (e.g. entire databases) means
this right should be restricted to trusted individuals. The setting '0' permits
Administrators to format and eject removable media.
The 'addprinterdrivers' registry value determines if users can add printer drivers. The
setting '1' prevents users from adding print drivers; this helps prevent users from
running malicious code in a privileged state.
NOTE: The setting allows remote authorized users to access the CD-ROM if no one is
logged on locally.
NOTE: This setting allows remote access to the floppy drive if no one is logged on as
a local user.
The 'policy' registry value defines the unsigned driver installation behaviour; if this
option is enforced, only drivers approved by the Windows Hardware Quality Lab
(WHQL) are eligible. The decision to install drivers not found within WHQL is left to
the Administrator. The setting '1' warns the user before the driver is installed.
The 'requiresignorseal' registry value determines if the domain member will always
encrypt or sign secure channel data. The setting '1' encrypts or signs secure channel
data; this value prevents legacy systems (pre-Windows 2000) from joining a
Domain.
The 'legalnoticecaption' registry value is presented to the user as the title of the
window that contains the 'legalnoticetext' text; this may help an organization in the
event of legal proceedings. The value shown is the text presented.
The 'cachedlogonscount' registry value determines the number of unique users whose
logon information is cached locally. The setting '0' does not cache logon information
locally; this ensures the user establishes a current security token with the Domain
Controller, thereby preventing disabled users from gaining access via cached logon
credentials.
The 'scforceoption' registry value determines if a smart card is required to log on. The
setting '0' does not require a smart card to log on. The majority of servers will not
require two-factor authentication; if this capability is a requirement, it should be
enabled during the application of a role-specific policy.
The 'autodisconnect' registry setting defines the amount of idle time in minutes
before an SMB session is suspended; the setting '15' suspends the SMB session after
fifteen minutes of idle time. An idle session consumes system resources; attackers
could set up sessions that consume resources to invoke a DoS condition. Beyond the
security ramifications, idle sessions can cause SMB services to become slow or
unresponsive.
The 'requiresecuritysignature' registry value determines if the server will always sign
SMB communications. The setting '1' always digitally signs SMB communications;
this setting provides mutual authentication for all communication. Mutual
authentication may prevent man-in-the-middle attacks, thereby eliminating session
hijacking. Legacy systems cannot support this requirement.
The 'nullsessionpipes' value defines anonymous access to named pipes. The empty
setting disallows anonymous access to named pipes; this ensures all system access
is authorized.
The 'allowedpaths\machine' registry value defines registry paths and sub-paths that
can be accessed over the network. This Baseline configuration has no requirement
for remotely accessible registry information.
The 'forceguest' registry value determines the sharing and security model for local
accounts. The setting '0' requires user authentication to access resources; this allows
individual access to be audited.
The 'nolmhash' registry value determines if the LAN Manager hash value is stored on
the next password change. The setting '1' does not save the LAN Manager hash
value; this prevents local storage of the password hash, which would be vulnerable
to attack.
The 'ntlmminclientsec' value defines the minimum session security for NTLM SSP
based (including secure RPC) clients. The setting '537395248' enables all options as
recommended by Microsoft; this requires that message integrity, confidentiality,
NTLMv2 session security and 128-bit encryption be used for logon.
The 'ntlmminserversec' registry value defines the minimum session security for NTLM
SSP based (including secure RPC) servers. The setting '537395248' enables all
options, as recommended; this requires that message integrity, confidentiality,
NTLMv2 session security and 128-bit encryption be used for logon.
Recovery console: Allow floppy copy and access to all drives and all folders
machine\software\microsoft\windowsnt\currentversion\setup\recoveryconsole\setcommand=4,0
The 'setcommand' registry value determines if the Recovery Console 'SET' command
is available; the template value '4,0' is a REG_DWORD (type code 4) set to 0, which
disables the 'SET' command (e.g. copying to removable media is disabled).
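The value 537395248 quoted for 'ntlmminclientsec' and 'ntlmminserversec' is easier to audit as a bitmask than as a decimal number, and the 'setcommand' line above shows the `path=type,data` form every [Registry Values] entry takes. The following is an added example for this working aide, not part of the CSEC baseline: it parses such lines (type code 4 is REG_DWORD, 1 is REG_SZ, 7 is REG_MULTI_SZ) and decodes the NTLM minimum session security DWORD into the four requirements the text lists, using the NTLMSSP negotiate-flag bit values these LSA settings are built from. The sample lines are constructed; the `msv1_0` registry path is where Windows keeps these two values, and the 'setcommand' line is the one quoted above.

```python
"""Decode [Registry Values] lines of a security template and the NTLM minimum
session-security bitmask.  Added example for this working aide, not part of the
CSEC baseline.  A template line reads path=type,data; the type code is the
registry value type (4 = REG_DWORD)."""
REG_TYPES = {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

# Bits of NtlmMinClientSec / NtlmMinServerSec (NTLMSSP_NEGOTIATE_* flag values).
NTLM_SEC_FLAGS = {
    0x00000010: "message integrity",
    0x00000020: "message confidentiality",
    0x00080000: "NTLMv2 session security",
    0x20000000: "128-bit encryption",
}

# Constructed sample lines: the two NTLM values discussed in the text plus the
# recovery console 'setcommand' line quoted above.
SAMPLE_LINES = [
    r"machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminclientsec=4,537395248",
    r"machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminserversec=4,537395248",
    r"machine\software\microsoft\windowsnt\currentversion\setup\recoveryconsole\setcommand=4,0",
]

def parse_registry_line(line):
    """Split 'path=type,data'; REG_DWORD data becomes an int, other types stay text."""
    path, _, rest = line.strip().partition("=")
    type_code, _, data = rest.partition(",")
    reg_type = REG_TYPES.get(int(type_code), "type %s" % type_code)
    if reg_type == "REG_DWORD":
        data = int(data)
    return {"path": path.lower(), "type": reg_type, "data": data}

def decode_ntlm_min_sec(value):
    """Names of the requirements enabled in `value`, lowest bit first."""
    return [name for bit, name in sorted(NTLM_SEC_FLAGS.items()) if value & bit]

def ntlm_min_sec_value(*names):
    """Inverse of decode: build the DWORD that requires the named options."""
    by_name = {name: bit for bit, name in NTLM_SEC_FLAGS.items()}
    value = 0
    for name in names:
        value |= by_name[name]
    return value

def unknown_bits(value):
    """Bits set in `value` that are not one of the four documented requirements."""
    known = 0
    for bit in NTLM_SEC_FLAGS:
        known |= bit
    return value & ~known

def explain(line):
    """Parse one template line and, for the NTLM settings, list what it requires."""
    entry = parse_registry_line(line)
    if entry["path"].endswith(("ntlmminclientsec", "ntlmminserversec")):
        entry["requires"] = decode_ntlm_min_sec(entry["data"])
        entry["unknown_bits"] = unknown_bits(entry["data"])
    return entry

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(explain(line))
```

Run against a real template, a non-zero `unknown_bits` result or a missing requirement in `requires` is what an auditor would flag: 537395248 is exactly 0x20080030, the four documented bits and nothing else.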
The 'optional' value defines which subsystems are used to support applications. The
empty setting disallows any optional subsystems. The use of subsystems should be
justified by operational requirements; unless required, no subsystem should be
enabled.
The 'MaximumLogSize' determines the size of the Application event log; the setting
'76800' creates a 76800 KB log file. With an average of 500 bytes per event, this log
file will accommodate over 153,000 events and will allow the system to run for an
extended period of time without having to roll the log file.
NOTE: Due to the wide variety of event loads, monitoring the log files during
the initial operational period is recommended.
The 'MaximumLogSize' determines the size of the Security event log; the setting
'153600' creates a 153600 KB log file. With an average of 500 bytes per event, this
log file will accommodate over 307,200 events and allows the system to run for an
extended period of time without having to roll the log file.
NOTE: Due to the wide variety of event loads, monitoring the log files during the
initial operational period is recommended.
The 'MaximumLogSize' determines the size of the System event log; the setting
'76800' creates a 76800 KB log file. With an average of 500 bytes per event, this log
file will accommodate over 153,000 events, allowing the system to run for an
extended period of time without having to roll the log file.
NOTE: Use of this setting should be consistent with the organization's log retention
policy.
The Alerter service notifies selected users and computers of administrative alerts.
This policy disables this service.
Application Management
"appmgmt",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The ASP .NET State Service provides support for out-of-process session states for
ASP .NET. This policy disables the service.
Automatic Updates
"wuauserv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Automatic Updates Service enables the automated download and installation of
software updates. This policy disables the service.
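Each service entry in this section has the form "service",startup,"SDDL": the startup code is 2 for Automatic, 3 for Manual and 4 for Disabled, and the SDDL string is the service's security descriptor (a DACL after `D:` and an audit SACL after `S:`). The following is an added example for this working aide, not part of the CSEC baseline or of Windows: it decodes such entries using the standard SDDL abbreviations (the same codes `sc sdshow` prints) so a reviewer can see, for instance, that Interactive Users get only query rights on the Application Management service while Administrators and Local System get everything, and that failed access by Everyone is audited. The sample entries are the 'appmgmt' and 'wuauserv' lines quoted above plus the 'eventlog' line from later in this section, joined back onto single lines; the SID alias table is the standard one, and the S-1-... forms in it are the same well-known SIDs the [Privilege Rights] entries use (e.g. *S-1-5-32-544 for Administrators).

```python
"""Decode the service entries of a security template's [Service General Setting]
section: "service",startup,"SDDL".  Added example for this working aide; the
abbreviation tables are the standard SDDL codes, not part of the CSEC baseline."""
import re

START_TYPES = {2: "Automatic", 3: "Manual", 4: "Disabled"}
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}
ACE_FLAGS = {"SA": "success", "FA": "failure", "ID": "inherited",
             "CI": "container-inherit", "OI": "object-inherit"}
# Service-object meaning of the generic/specific rights codes.
SERVICE_RIGHTS = {
    "CC": "QueryConfig", "DC": "ChangeConfig", "LC": "QueryStatus",
    "SW": "EnumerateDependents", "RP": "Start", "WP": "Stop",
    "DT": "PauseContinue", "LO": "Interrogate", "CR": "UserDefinedControl",
    "RC": "ReadControl", "SD": "Delete", "WD": "WriteDac", "WO": "WriteOwner",
    "GA": "GenericAll", "GR": "GenericRead", "GW": "GenericWrite",
    "GX": "GenericExecute",
}
# Two-letter SID aliases used in SDDL and the well-known SIDs they stand for.
SID_ALIASES = {
    "BA": ("S-1-5-32-544", "Builtin Administrators"),
    "BU": ("S-1-5-32-545", "Builtin Users"),
    "BO": ("S-1-5-32-551", "Backup Operators"),
    "SY": ("S-1-5-18", "Local System"),
    "LS": ("S-1-5-19", "Local Service"),
    "NS": ("S-1-5-20", "Network Service"),
    "IU": ("S-1-5-4", "Interactive Users"),
    "AU": ("S-1-5-11", "Authenticated Users"),
    "WD": ("S-1-1-0", "Everyone"),
}

ENTRY_RE = re.compile(r'^"([^"]+)",(\d),"(.*)"$')
ACL_RE = re.compile(r'([DS]):([^(]*)((?:\([^)]*\))*)')
ACE_RE = re.compile(r'\(([^)]*)\)')

def pairs(code):
    """Split a run of two-letter codes such as 'CCLCSWLOCRRC' into ['CC', 'LC', ...]."""
    return [code[i:i + 2] for i in range(0, len(code), 2)]

def parse_sddl(sddl):
    """Return {'D': [aces], 'S': [aces], 'D_flags': str, 'S_flags': str}."""
    acls = {"D": [], "S": [], "D_flags": "", "S_flags": ""}
    for which, flags, ace_text in ACL_RE.findall(sddl):
        acls[which + "_flags"] = flags          # e.g. 'AR' = auto-inherit requested
        for ace in ACE_RE.findall(ace_text):
            # ace_type;ace_flags;rights;object_guid;inherit_guid;account_sid
            ace_type, ace_flags, rights, _obj, _inh, sid = ace.split(";")
            acls[which].append({
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": [ACE_FLAGS.get(f, f) for f in pairs(ace_flags)],
                "rights": [SERVICE_RIGHTS.get(r, r) for r in pairs(rights)],
                # 'WD' means WriteDac in the rights field but Everyone in the SID field.
                "trustee": SID_ALIASES.get(sid, (sid, sid))[1],
            })
    return acls

def parse_entry(line):
    """Parse one '"name",startup,"sddl"' template line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError("not a service entry: " + line)
    name, start, sddl = m.groups()
    return {"service": name, "startup": START_TYPES.get(int(start), start),
            "acl": parse_sddl(sddl)}

def who_can_start_or_stop(entry):
    """Trustees allowed Start, Stop or GenericAll on the service (sorted)."""
    hits = {ace["trustee"] for ace in entry["acl"]["D"]
            if ace["type"] == "Allow"
            and {"Start", "Stop", "GenericAll"} & set(ace["rights"])}
    return sorted(hits)

# Sample entries: three lines quoted in this section, joined onto single lines.
SAMPLE_ENTRIES = [
    '"appmgmt",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"',
    '"wuauserv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"',
    '"eventlog",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"',
]

if __name__ == "__main__":
    for line in SAMPLE_ENTRIES:
        e = parse_entry(line)
        print(e["service"], e["startup"], "start/stop:", who_can_start_or_stop(e))
        for ace in e["acl"]["D"]:
            print("   ", ace["type"], ace["trustee"], ", ".join(ace["rights"]))
        for ace in e["acl"]["S"]:
            print("    Audit", ace["flags"], ace["trustee"])
```

`who_can_start_or_stop` is the question a reviewer usually asks of a disabled service: whether any principal other than Administrators and Local System could re-enable and start it. For all three sample entries the answer is no.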
Certificate Services
"certsvc",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Certificate Services perform core functions for a Certification Authority. This
policy disables the service.
The MS Software Shadow Copy Provider supports the creation of file shadow copies
used to perform system backups. This policy sets the startup to manual for the
service.
The Client Service for Netware provides access to files and printers on NetWare
networks. This policy disables the service.
ClipBook
"clipsrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Clipbook Service creates and shares 'pages' of data that may be viewed by
remote users. This policy disables the service.
Cluster Service
"clussvc",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The COM+ Event System Service extends the COM+ programming model. This policy
sets the service startup to automatic.
The COM+ System Application Service manages the configuration and tracking of
components based on COM+. The service is disabled.
Domain Member Baseline
"browser",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Cryptographic Services provide key management functionality for the computer. This
policy sets the service to automatic startup.
DHCP Server
"dhcpserver",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Distributed File System manages logical volumes across local or wide area
networks. The service is disabled.
The Distributed Link Tracking Client Service ensures shortcuts (among others) work
after the target has been moved. The service is disabled.
The Distributed Link Tracking Server stores information so files moved between
volumes can be tracked. The service is disabled.
The DNS Server responds to queries for DNS names. The service is disabled.
The Error Reporting Service collects, stores, and reports unexpected application
closures to Microsoft. The service is disabled.
Event Log
"eventlog",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Event Log Service enables event log messages to be viewed. This policy sets the
service to automatic startup.
Fax Service
"fax",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
File Replication
"ntfrs",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The File Replication Service automatically copies and maintains files on multiple
Servers. The service is disabled.
The Macintosh File Service provides network file access to Macintosh computers. The
service is disabled.
The FTP Publishing Service provides connectivity and administration through the IIS
snap-in. The service is disabled.
The Help and Support Service enables Help and Support Center to run. The service is
disabled.
HTTP SSL
"httpfilter",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The HTTP SSL Service provides SSL functions to IIS. The service is disabled.
The Human Interface Device Access service allows use of pre-defined hotbuttons.
The service is disabled.
The IAS Jet Database Access service uses RADIUS to provide authentication,
authorization and accounting services. The service is disabled.
The IIS Admin Service allows administration of IIS components. The service is
disabled.
Indexing Service
"cisvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Indexing Service indexes file contents and properties. The service is disabled.
Infrared Monitor
"irmon",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Infrared Monitor service enables file and image sharing through infrared devices. The
service is disabled.
The Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) service
provides Internet services for small local networks. The service is disabled.
Intersite Messaging
"ismserv",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Intersite Messaging Service is used for mail-based replication. The service is
disabled.
"6to4",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The IP Version 6 Helper Service offers IPV6 connectivity over existing IPV4 network.
The service is disabled.
The IPSEC Policy Agent (IPSec Service) provides encryption services to clients and
servers on networks. This policy sets the service to automatic startup.
The Kerberos Key Distribution Center Service allows user logon using Kerberos v5
authentication protocol. The service is disabled.
The License Logging service records client access licensing information. The service
is disabled.
The Logical Disk Manager service detects all new hard drives and sends disk volume
information to the Logical Disk Manager Administration Service. This policy sets the
service to manual startup.
The Logical Disk Manager Administration service performs requests for disk
management. This policy sets the service to manual startup.
Message Queuing
"msmq",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Message Queuing Service is the infrastructure and development tool for creating
distributed messaging applications. The service is disabled.
The Message Queuing Down Level Clients service provides Active Directory access to
Message Queuing Clients. The service is disabled.
Messenger
"messenger",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Messenger Service sends Alerter Service messages between clients and servers.
The service is disabled.
The Microsoft POP3 service provides e-mail transfer and retrieval services. The
service is disabled.
MSSQL$UDDI
"mssql$uddi",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The MSSQL$UDDI service publishes and locates information about web services. The
service is disabled.
MSSQLServerADHelper
"mssqlserver",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The SQL Server service provides SQL functionality for a server. The service is
disabled.
The .NET Framework Support Service notifies a subscribing client when a specified
process initializes the Client Runtime Service. The service is disabled.
The NetMeeting Remote Desktop Sharing Service enables access to a system with
NetMeeting. The service is disabled.
Network Connections
"netman",3,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Network DDE
"netdde",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The NetDDE Service provides network transport and security for DDE. The service is
disabled.
The NetDDEDSDM Service manages DDE network shares. The service is disabled.
The Network Location Awareness service collects and stores network information.
The service is disabled.
The Network News Transport Protocol (NNTP) service provides News Server
capabilities. The service is disabled.
The NTLM Security Support Provider service provides security to RPC programs. This
enables users to log on using NTLM authentication in place of Kerberos. The service
is disabled.
The Performance Logs and Alerts Service collects performance data. The service is
disabled.
The Plug and Play service allows a computer to adapt hardware configuration
changes with little user input. The service is disabled.
The Portable Media Serial Number service retrieves serial numbers from any portable
music player connected to the system. The service is disabled.
The Macintosh Print service provides network printer access to Macintosh computers.
The service is disabled.
Print Spooler
"spooler",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Spooler service manages local and network print queues and controls all print
jobs. The service is disabled.
Protected Storage
"protectedstorage",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Protected Storage service protects storage of sensitive information from
unauthorized services, processes or users. This policy sets the service to automatic
startup.
The Remote Access Auto Connection Manager service detects unsuccessful attempts
to connect to a remote network or computer and then provides an alternative method
of connection. The service is disabled.
The Remote Access Connection Manager service manages dial-up and VPN
connections to a server. The service is disabled.
The Remote Desktop Help Session Manager service controls the Remote Assistance
feature in the Help and Support Center application. The service is disabled.
Remote Installation
"binlsvc",4,"D:(A;;CCLCSWLOCRRC;;;IU)(A;;GA;;;BA)(A;;GA;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The RPC Locator Service enables RPC clients to locate RPC servers. The service is
disabled.
The Remote Registry service enables remote users to modify registry settings on the
system. The service is disabled.
The Remote Storage Notification service notifies a user when accessing data on
secondary storage units. The service is disabled.
The Remote Storage Server stores infrequently used files in secondary storage. The
service is disabled.
Removable Storage
"ntmssvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Resultant Set of Policy Provider service enables simulation of policy to determine
the effects. The service is disabled.
The Routing and Remote Access service provides multi-protocol LAN-to-LAN, LAN-to-WAN,
and NAT routing services. The service is disabled.
SAP Agent
"nwsapagent",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The SAP Agent service advertises services on an IPX network. The service is
disabled.
The Secondary Logon service allows users to create processes in different security
contexts. The service is disabled.
The Security Accounts Manager service manages user and group account
information. This policy sets the service to automatic startup.
Server
"lanmanserver",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Server service provides RPC, file, print, and named pipe support over the
network. This policy disables service startup.
The Shell Hardware Detection service monitors and provides notification for AutoPlay
hardware events. The service is disabled.
The Simple Mail Transfer Protocol (SMTP) service transports electronic mail across
the network. The service is disabled.
Simple TCP/IP Services provide a variety of protocols. The service is disabled. The
services configured are as follows:
Echo                  Port 7
Discard               Port 9
Character Generator   Port 19
Daytime               Port 13
Quote of the day      Port 17
The Single Instance Storage Groveler service supports Remote Installation service.
The service is disabled.
Smart Card
"scardsvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Smart Card service manages access to smart card readers. The service is
disabled.
SNMP Service
"snmp",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLORSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Simple Network Management Protocol (SNMP) service allows incoming SNMP
requests to be processed by the system. The service is disabled.
The SNMP Trap service receives trap messages generated by SNMP agents. The
service is disabled.
The SQLAgent$webdb service monitors and schedules jobs. The service is disabled.
The System Event Notification service provides monitoring and tracking services for
system events. This policy sets the service to automatic startup.
Task Scheduler
"schedule",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Task Scheduler service enables configuration and scheduling of automated tasks
on the system. The service is disabled.
"lmhosts",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The TCP/IP Print Server service enables TCP/IP based printing. The service is
disabled.
Telephony
"tapisrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Telephony service provides support for programs that control telephony and IP-based
voice devices. The service is disabled.
Telnet
"tlntsvr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Telnet service provides ASCII terminal sessions to telnet clients. The service is
disabled.
Terminal Services
"termservice",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Terminal Services allows users to access a virtual Windows desktop session. The
service is disabled.
The Terminal Services Licensing service provides registered client licenses when
connecting to a Terminal Server. The service is disabled.
Themes
"themes",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Themes service provides theme management services. The service is disabled.
The Trivial FTP Daemon service implements a file transfer protocol that does not require
authentication. The service is disabled.
Upload Manager
"uploadmgr",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Upload Manager service manages file transfers between clients and servers.
Driver data is anonymously uploaded from a customer computer to Microsoft. The
service is disabled.
The Virtual Disk service provides a single interface for managing block storage
virtualization. The service is disabled.
The Volume Shadow Copy service manages and implements volume shadow copies
used for backups. This policy sets the service to manual startup.
WebClient
"webclient",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Web Element Manager service provides Web user interface elements for the
Administration Web site at port 8098. The service is disabled.
Windows Audio
"audiosrv",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Windows Audio service provides support for sound. The service is disabled.
The Windows Image Acquisition (WIA) service supports scanners and cameras. The
service is disabled.
The Windows Internet Name Service (WINS) enables NetBIOS name resolution. The
service is disabled.
Windows Media Services provide streaming media service over IP-based networks.
The service is disabled.
The Windows System Resource Manager service is a tool to help customers deploy
applications. The service is disabled.
Windows Time
"w32time",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The Windows Time service maintains date and time synchronization. This policy sets
the service to automatic startup.
The WinHTTP Web Proxy Auto-Discovery service implements the Web Proxy Auto-Discovery
(WPAD) protocol. WPAD is an HTTP client service that locates proxy servers. The
service is disabled.
Wireless Configuration
"wzcsvc",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLORSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The WMI Performance Adapter service provides performance library information. The
service is disabled.
The World Wide Web Publishing service provides Web connectivity and administration
through the IIS snap-in. The service is disabled.
"mssql$webdb",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The MSSQL$webdb service is used to publish and locate information about web
services. The service is disabled.
"mssqlserveradhelper",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The MSSQLServerADHelper service enables SQL server and SQL Server Analysis
Services to publish information in Active Directory. The service is disabled.
"saldm",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The “saldm” service is not a core requirement for a Windows 2003 server. The service is
disabled.
"sptimer",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The “sptimer” service is not a core requirement for a Windows 2003 server. The service is
disabled.
"sqlserveragent",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The “sqlserveragent” service is not a core requirement for a Windows 2003 server. The
service is disabled.
"winsip",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
This is not a core requirement for a High Security server. The service is disabled.
The ‘enableicmpredirect’ registry value causes TCP to create host routes that
override OSPF-generated routes; if enabled, a ten-minute timeout can make the
system unavailable to the network. Disabling it causes the system to rely on OSPF
routing; the setting ‘0’ disables this capability.
SynAttackProtect
machine\system\currentcontrolset\services\tcpip\parameters\synattackprotect=4, 1
EnableDeadGWDetect
machine\system\currentcontrolset\services\tcpip\parameters\enabledeadgwdetect=4, 0
EnablePMTUDiscovery
machine\system\currentcontrolset\services\tcpip\parameters\enablepmtudiscovery=4, 0
KeepAliveTime
machine\system\currentcontrolset\services\tcpip\parameters\keepalivetime=4, 300000
The ‘keepalivetime’ registry value determines how often TCP verifies that an idle
connection is intact. The setting ‘300,000’ (5 minutes) is short enough to provide
some defense against DoS conditions and provides the ability to recover resources
from unresponsive connections.
DisableIPSourceRouting
machine\system\currentcontrolset\services\tcpip\parameters\disableipsourcerouting=4, 2
TcpMaxConnectResponseRetransmissions
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxconnectresponseretransmissions=4, 2
TcpMaxDataRetransmissions
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxdataretransmissions=4, 3
PerformRouterDiscovery
machine\system\currentcontrolset\services\tcpip\parameters\performrouterdiscovery=4, 0
TCPMaxPortsExhausted
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxportsexhausted=4, 5
TCPMaxHalfOpen
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxhalfopen=4, 100
The ‘tcpmaxhalfopen’ value defines the number of connections in the SYN state table
before SYN attack protection begins. The setting of ‘100’ initiates SYN attack
protection when the state table reaches one hundred connections.
TCPMaxHalfOpenRetired
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxhalfopenretired=4, 80
The ‘tcpmaxhalfopenretired’ value determines how many connections the server can
maintain in the half-open state; the setting ‘80’ initiates SYN attack protection when
the state table reaches eighty connections.
NoNameReleaseOnDemand (TCP/IP)
machine\system\currentcontrolset\services\tcpip\parameters\nonamereleaseondemand=4, 1
3.12 AFD.SYS
DynamicBacklogGrowthDelta
machine\system\currentcontrolset\services\afd\parameters\dynamicbackloggrowthdelta=4, 10
The ‘enabledynamicbacklog’ value enables dynamic backlog. The setting ‘1’ enables
the backlog; this ensures the system manages port resources in a manner that
mitigates DoS attacks.
MinimumDynamicBacklog
machine\system\currentcontrolset\services\afd\parameters\minimumdynamicbacklog=4, 20
MaximumDynamicBacklog
machine\system\currentcontrolset\services\afd\parameters\maximumdynamicbacklog=4,20000
NoDriveTypeAutoRun
machine\software\microsoft\windows\currentversion\policies\explorer\nodrivetypeautorun=4,255
The time in seconds before the screen saver grace period expires (0 recommended)
machine\system\software\microsoft\windowsnt\currentversion\winlogon\screensavergraceperiod=4, 0
Warning Level
machine\system\currentcontrolset\services\eventlog\security\warninglevel=4, 90
The ‘warninglevel’ value determines the maximum amount of security logs before a
warning event is triggered. The setting ‘90’ triggers a warning when the Security log
reaches 90% capacity; this will afford sufficient time to reset the log and determine
reasons for the warning.
The ‘safedllsearchmode’ value determines the order in which DLLs are searched. The setting
‘1’ commands the system to first look in the PATH, then the current folder; this order
ensures files in the current folder do not run in place of files in the user's PATH.
Disable DCOM
machine\Software\Microsoft\OLE\EnableDCOM=4, 0
The ‘EnableDCOM’ value determines if DCOM is active. The setting ‘0’ disables DCOM.
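To confirm that a host actually carries the registry values listed in sections 3.11 and 3.12, the template's own 'path=type, value' lines can be parsed and diffed against a registry snapshot. The following Python is an added example, not part of the working aide; its OBSERVED snapshot is constructed, and it treats type code 4 as REG_DWORD (the standard security-template type code, which the aide itself does not spell out).

```python
"""Check a host's registry values against the hardening lines of this aide.

Added example, not part of the original document. TEMPLATE quotes registry lines
from sections 3.11 and 3.12 in the aide's own 'path=type, value' form; OBSERVED is
a constructed snapshot of what a host reported (on a real host it would come from
a registry export). Type code 4 is REG_DWORD, a standard security-template type
code that the page itself does not explain.
"""

TEMPLATE = r"""
machine\system\currentcontrolset\services\tcpip\parameters\synattackprotect=4, 1
machine\system\currentcontrolset\services\tcpip\parameters\enabledeadgwdetect=4, 0
machine\system\currentcontrolset\services\tcpip\parameters\disableipsourcerouting=4, 2
machine\system\currentcontrolset\services\tcpip\parameters\tcpmaxhalfopen=4, 100
machine\system\currentcontrolset\services\tcpip\parameters\nonamereleaseondemand=4, 1
machine\system\currentcontrolset\services\afd\parameters\maximumdynamicbacklog=4,20000
machine\software\microsoft\windows\currentversion\policies\explorer\nodrivetypeautorun=4,255
machine\Software\Microsoft\OLE\EnableDCOM=4, 0
"""

# Constructed host snapshot; keys are lower-cased exactly as parse_template does.
OBSERVED = {
    r"machine\system\currentcontrolset\services\tcpip\parameters\synattackprotect": 0,
    r"machine\system\currentcontrolset\services\tcpip\parameters\enabledeadgwdetect": 0,
    r"machine\system\currentcontrolset\services\tcpip\parameters\disableipsourcerouting": 2,
    # tcpmaxhalfopen deliberately absent: the host is running on the built-in default
    r"machine\system\currentcontrolset\services\tcpip\parameters\nonamereleaseondemand": 1,
    r"machine\system\currentcontrolset\services\afd\parameters\maximumdynamicbacklog": 20000,
    r"machine\software\microsoft\windows\currentversion\policies\explorer\nodrivetypeautorun": 255,
    r"machine\software\microsoft\ole\enabledcom": 1,
}

REG_TYPES = {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}


def parse_template(text):
    """Return {lower-cased path: (type_code, value)} for each template line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or INF comment
            continue
        path, sep, rest = line.partition("=")
        type_str, sep2, value = rest.partition(",")
        if not sep or not sep2:
            raise ValueError("not a 'path=type,value' line: " + line)
        type_code = int(type_str)
        value = value.strip()
        if type_code == 4:
            value = int(value)                         # REG_DWORD compares numerically
        settings[path.strip().lower()] = (type_code, value)
    return settings


def check_host(template, observed):
    """Return (path, problem, expected, actual) for every deviation from the template."""
    findings = []
    for path, (type_code, expected) in sorted(template.items()):
        if path not in observed:
            findings.append((path, "missing", expected, None))
        elif observed[path] != expected:
            findings.append((path, "mismatch", expected, observed[path]))
    return findings


if __name__ == "__main__":
    for path, problem, expected, actual in check_host(parse_template(TEMPLATE), OBSERVED):
        name = path.rsplit("\\", 1)[-1]
        print(f"{problem:8} {name}: template={expected} host={actual}")
```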
4 ANNEXES
4.1 General Security Setting Values
Windows security templates utilize various general setting values; all of these will be
expounded upon below.
4.1.1 Binary Setting Values
Binary settings are used to indicate whether an object is enabled/installed or
disabled/not installed.
Binary Settings
0 disabled/not installed
1 enabled/installed
EnableAdminAccount = 1
1 = The administrator account is enabled.
2 automatic startup
3 manual startup
4 disabled
netlogon,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
2 = The netlogon service starts automatically at system bootup.
SETTING          DEFINITION
*S-1-5-32-544    administrator
*S-1-5-6         service
*S-1-5-32-551    backup operators
*S-1-5-32-545    users
*S-1-5-20        network service
*S-1-5-11        authenticated users
sesystemtimeprivilege = *S-1-5-32-544
*S-1-5-32-544 = Only the system administrator can change the system time.
AuditLogRetentionPeriod = 2
2 = The log’s events are never overwritten and must be cleared manually.
MACHINE\Software\Microsoft\Driver Signing\Policy=3,1
3 = reg_binary
1 = driver signing enabled
SID: S-1-0-0
Name: Nobody
Description: No security principal.
SID: S-1-1
Name: World Authority
Description: An identifier authority.
SID: S-1-1-0
Name: Everyone
Description: A group that includes all users, even anonymous users and
guests. Membership is controlled by the operating system.
SID: S-1-2
Name: Local Authority
Description: An identifier authority.
SID: S-1-3
Name: Creator Authority
Description: An identifier authority.
SID: S-1-3-0
Name: Creator Owner
Description: A placeholder in an inheritable access control entry (ACE).
When the ACE is inherited, the system replaces this SID with the SID for
the object's creator.
SID: S-1-3-1
Name: Creator Group
Description: A placeholder in an inheritable ACE. When the ACE is inherited,
the system replaces this SID with the SID for the primary group of the
object's creator. The primary group is used only by the POSIX subsystem.
SID: S-1-3-2
Name: Creator Owner Server
Description: This SID is not used in Windows 2000.
SID: S-1-3-3
Name: Creator Group Server
Description: This SID is not used in Windows 2000.
SID: S-1-4
Name: Non-unique Authority
Description: An identifier authority.
SID: S-1-5
Name: NT Authority
Description: An identifier authority.
SID: S-1-5-1
Name: Dialup
Description: A group that includes all users who have logged on through a
dial-up connection. Membership is controlled by the operating system.
SID: S-1-5-2
Name: Network
Description: A group that includes all users that have logged on through a
network connection. Membership is controlled by the operating system.
SID: S-1-5-3
Name: Batch
Description: A group that includes all users that have logged on through a
batch queue facility. Membership is controlled by the operating system.
SID: S-1-5-4
Name: Interactive
Description: A group that includes all users that have logged on
interactively. Membership is controlled by the operating system.
SID: S-1-5-5-X-Y
Name: Logon Session
Description: A logon session. The X and Y values for these SIDs are
different for each session.
SID: S-1-5-6
Name: Service
Description: A group that includes all security principals that have logged on
as a service. Membership is controlled by the operating system.
SID: S-1-5-7
Name: Anonymous
Description: A group that includes all users that have logged on
anonymously. Membership is controlled by the operating system.
SID: S-1-5-8
Name: Proxy
Description: This SID is not used in Windows 2000.
SID: S-1-5-9
Name: Enterprise Domain Controllers
Description: A group that includes all domain controllers in a forest that
uses an Active Directory directory service. Membership is controlled by the
operating system.
SID: S-1-5-10
Name: Principal Self
Description: A placeholder in an inheritable ACE on an account object or
group object in Active Directory. When the ACE is inherited, the system
replaces this SID with the SID for the security principal who holds the
account.
SID: S-1-5-11
Name: Authenticated Users
Description: A group that includes all users whose identities were
authenticated when they logged on. Membership is controlled by the
operating system.
SID: S-1-5-12
Name: Restricted Code
Description: This SID is reserved for future use.
SID: S-1-5-13
Name: Terminal Server Users
Description: A group that includes all users that have logged on to a
Terminal Services server. Membership is controlled by the operating
system.
SID: S-1-5-18
Name: Local System
Description: A service account that is used by the operating system.
SID: S-1-5-19
Name: NT Authority
Description: Local Service
SID: S-1-5-20
Name: NT Authority
Description: Network Service
SID: S-1-5-domain-500
Name: Administrator
Description: A user account for the system administrator. By default, it is
the only user account that is given full control over the system.
SID: S-1-5-domain-501
Name: Guest
Description: A user account for people who do not have individual accounts.
This user account does not require a password. By default, the Guest
account is disabled.
SID: S-1-5-domain-502
Name: KRBTGT
Description: A service account that is used by the Key Distribution Center
(KDC) service.
SID: S-1-5-domain-512
Name: Domain Admins
Description: A global group whose members are authorized to administer
the domain. By default, the Domain Admins group is a member of the
Administrators group on all computers that have joined a domain, including
the domain controllers. Domain Admins is the default owner of any object
that is created by any member of the group.
SID: S-1-5-domain-513
Name: Domain Users
Description: A global group that, by default, includes all user accounts in a
domain. When you create a user account in a domain, it is added to this
group by default.
SID: S-1-5-domain-514
Name: Domain Guests
Description: A global group that, by default, has only one member, the
domain's built-in Guest account.
SID: S-1-5-domain-515
Name: Domain Computers
Description: A global group that includes all clients and servers that have
joined the domain.
SID: S-1-5-domain-516
Name: Domain Controllers
Description: A global group that includes all domain controllers in the
domain. New domain controllers are added to this group by default.
SID: S-1-5-domain-517
Name: Cert Publishers
Description: A global group that includes all computers that are running an
enterprise certification authority. Cert Publishers are authorized to publish
certificates for User objects in Active Directory.
SID: S-1-5-domain-520
Name: Group Policy Creator Owners
Description: A global group that is authorized to create new Group Policy
objects in Active Directory. By default, the only member of the group is
Administrator.
SID: S-1-5-domain-533
Name: RAS and IAS Servers
Description: A domain local group. By default, this group has no members.
Servers in this group have Read Account Restrictions and Read Logon
Information access to User objects in Active Directory.
SID: S-1-5-32-544
Name: Administrators
Description: A built-in group. After the initial installation of the operating
system, the only member of the group is the Administrator account. When a
computer joins a domain, the Domain Admins group is added to the
Administrators group. When a server becomes a domain controller, the
Enterprise Admins group also is added to the Administrators group.
SID: S-1-5-32-545
Name: Users
Description: A built-in group. After the initial installation of the operating
system, the only member is the Authenticated Users group. When a
computer joins a domain, the Domain Users group is added to the Users
group on the computer.
SID: S-1-5-32-546
Name: Guests
Description: A built-in group. By default, the only member is the Guest
account. The Guests group allows occasional or one-time users to log on
with limited privileges to a computer's built-in Guest account.
SID: S-1-5-32-547
Name: Power Users
Description: A built-in group. By default, the group has no members. Power
users can create local users and groups; modify and delete accounts that
they have created; and remove users from the Power Users, Users, and
Guests groups. Power users also can install programs; create, manage, and
delete local printers; and create and delete file shares.
SID: S-1-5-32-548
Name: Account Operators
Description: A built-in group that exists only on domain controllers. By
default, the group has no members. By default, Account Operators have
permission to create, modify, and delete accounts for users, groups, and
computers in all containers and organizational units of Active Directory
except the Builtin container and the Domain Controllers OU. Account
Operators do not have permission to modify the Administrators and Domain
Admins groups, nor do they have permission to modify the accounts for
members of those groups.
SID: S-1-5-32-549
Name: Server Operators
Description: A built-in group that exists only on domain controllers. By
default, the group has no members. Server Operators can log on to a server
interactively; create and delete network shares; start and stop services;
back up and restore files; format the hard disk of the computer; and shut
down the computer.
SID: S-1-5-32-550
Name: Print Operators
Description: A built-in group that exists only on domain controllers. By
default, the only member is the Domain Users group. Print Operators can
manage printers and document queues.
SID: S-1-5-32-551
Name: Backup Operators
Description: A built-in group. By default, the group has no members.
Backup Operators can back up and restore all files on a computer,
regardless of the permissions that protect those files. Backup Operators also
can log on to the computer and shut it down.
SID: S-1-5-32-552
Name: Replicators
Description: A built-in group that is used by the File Replication service on
domain controllers. By default, the group has no members. Do not add
users to this group.
The following groups will show as SIDs until a Windows Server 2003 domain
controller is made the primary domain controller (PDC) operations master role
holder. (The "operations master" is also known as flexible single master
operations or FSMO.) Additional new built-in groups that are created when a
Windows Server 2003 domain controller is added to the domain are:
SID: S-1-5-32-554
Name: BUILTIN\Pre-Windows 2000 Compatible Access
Description: An alias added by Windows 2000. A backward compatibility group
which allows read access on all users and groups in the domain.
SID: S-1-5-32-555
Name: BUILTIN\Remote Desktop Users
Description: An alias. Members in this group are granted the right to logon
remotely.
SID: S-1-5-32-556
Name: BUILTIN\Network Configuration Operators
Description: An alias. Members in this group can have some administrative
privileges to manage configuration of networking features.
SID: S-1-5-32-557
Name: BUILTIN\Incoming Forest Trust Builders
Description: An alias. Members of this group can create incoming, one-way trusts
to this forest.
SID: S-1-5-32-558
Name: BUILTIN\Performance Monitor Users
Description: An alias. Members of this group have remote access to monitor this
computer.
SID: S-1-5-32-559
Name: BUILTIN\Performance Log Users
Description: An alias. Members of this group have remote access to schedule
logging of performance counters on this computer.
SID: S-1-5-32-560
Name: BUILTIN\Windows Authorization Access Group
Description: An alias. Members of this group have access to the computed
tokenGroupsGlobalAndUniversal attribute on User objects.
SID: S-1-5-32-561
Name: BUILTIN\Terminal Server License Servers
Description: An alias. A group for Terminal Server License Servers. When
Windows Server 2003 Service Pack 1 is installed, a new local group is created.
SID: S-1-5-32-562
Name: BUILTIN\Distributed COM Users
Description: An alias. A group for COM to provide computerwide access controls
that govern access to all call, activation, or launch requests on the computer.
Should the object not have a DACL, the system grants full access to everyone; if the
object's DACL has no ACEs, the system denies all attempts to access the object
because the DACL does not allow any access rights.
The system checks the ACEs in sequence until it finds one or more ACEs that allow
all the requested access rights, or until any of the requested access rights are
denied.
An ACE in a SACL can generate audit records when an access attempt fails, when it
succeeds, or both. In future releases, a SACL will also be able to raise an alarm when
an unauthorized user attempts to gain access to an object.
3 University of Washington. “SDDL Syntax”. April 24, 2007. Accessed on 25 March 2008.
https://www.washington.edu/computing/support/windows/UWdomains/SDDL.html.
4 Security Descriptor - A structure and associated data that contains the security information for a
securable object. A security descriptor identifies the object's owner and primary group. It can also contain
a DACL that controls access to the object, and a SACL that controls the logging of attempts to access the
object.
5 nTSecurityDescriptor - Every object in Active Directory contains this attribute which is a security
descriptor object containing the discretionary access control list (DACL), the system access control list
(SACL), group, and owner information that controls the object's access control behavior.
A security identifier (SID) that identifies the trustee to which the ACE applies.
An access mask that specifies the access rights controlled by the ACE.
A flag that indicates the type of ACE.
A set of bit flags that determine whether child containers or objects can
inherit the ACE from the primary object to which the ACL is attached.
The following table lists the three ACE types supported by all securable objects:
Type                  Description
Access-denied ACE     Used in a discretionary access control list (DACL) to deny access
                      rights to a trustee.
Access-allowed ACE    Used in a DACL to allow access rights to a trustee.
System-audit ACE      Used in a system access control list (SACL) to generate an audit
                      record when the trustee attempts to exercise the specified
                      access rights.
The header contains record keeping information along with 2 flags that designate
whether the object is blocking inheritance for the SACL and DACL. The contents of
both the primary group and owner parts are simply a single SID while the contents
of both the SACL and DACL parts are a string with no fixed length.
ACEs6 make up the contents of these strings, are enclosed within parentheses, and
contain 6 fields separated by a semicolon delimiter. The fields are:
a. ACE type;
b. ACE flags;
c. Permissions;
d. ObjectType (GUID);
e. InheritedObjectType (GUID);
f. Trustee (SID)
6 ACE - An access control entry is an element in an access control list (ACL). An ACL can have zero or
more ACEs. Each ACE controls or monitors access to an object by a specified trustee.
The ACE type designates whether the trustee is allowed, denied or audited.
Value Description
"A" ACCESS ALLOWED
"D" ACCESS DENIED
"OA" OBJECT ACCESS ALLOWED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S).
"OD" OBJECT ACCESS DENIED: ONLY APPLIES TO A SUBSET OF THE OBJECT(S).
"AU" SYSTEM AUDIT
"AL" SYSTEM ALARM
"OU" OBJECT SYSTEM AUDIT
"OL" OBJECT SYSTEM ALARM
The ACE flags denote the inheritance options for the ACE and, if it is a SACL, the audit settings.
Value Description
"CI" CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
"OI" OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" NO PROPAGATE: ONLY IMMEDIATE CHILDREN INHERIT THIS ACE.
"IO" INHERITANCE ONLY: ACE DOESN'T APPLY TO THIS OBJECT, BUT MAY AFFECT CHILDREN VIA INHERITANCE.
"ID" ACE IS INHERITED
"SA" SUCCESSFUL ACCESS AUDIT
"FA" FAILED ACCESS AUDIT
4.3.8 Permissions
The Permissions are a list of the incremental permissions given (or denied/audited) to the trustee; these correspond to the permissions discussed earlier and are simply appended together. However, the incremental permissions are not the only permissions available. The table below lists all the permissions.
Value Description
Generic access rights
"GA" GENERIC ALL
"GR" GENERIC READ
"GW" GENERIC WRITE
"GX" GENERIC EXECUTE
Directory service access rights
"RC" Read Permissions
"SD" Delete
"WD" Modify Permissions
"WO" Modify Owner
"RP" Read All Properties
"WP" Write All Properties
"CC" Create All Child Objects
"DC" Delete All Child Objects
"LC" List Contents
"SW" All Validated Writes
"LO" List Object
"DT" Delete Subtree
"CR" All Extended Rights
File access rights
"FA" FILE ALL ACCESS
"FR" FILE GENERIC READ
"FW" FILE GENERIC WRITE
"FX" FILE GENERIC EXECUTE
Registry key access rights
"KA" KEY ALL ACCESS
"KR" KEY READ
"KW" KEY WRITE
"KX" KEY EXECUTE
4.3.10 Trustee
The Trustee is the SID of the user or group being given access (or denied or
audited). Instead of a SID, there are several commonly used acronyms for well-
known SIDs. These are listed in the table below:
Value Description
"AO" Account operators
"RU" Alias to allow previous Windows 2000
"AN" Anonymous logon
"AU" Authenticated users
"BA" Built-in administrators
"BG" Built-in guests
"BO" Backup operators
"BU" Built-in users
"CA" Certificate server administrators
"CG" Creator group
"CO" Creator owner
"DA" Domain administrators
"DC" Domain computers
"DD" Domain controllers
"DG" Domain guests
"DU" Domain users
"EA" Enterprise administrators
"ED" Enterprise domain controllers
"WD" Everyone
"PA" Group Policy administrators
"IU" Interactively logged-on user
"LA" Local administrator
"LG" Local guest
"LS" Local service account
"SY" Local system
"NU" Network logon user
"NO" Network configuration operators
"NS" Network service account
"PO" Printer operators
"PS" Personal self
"PU" Power users
"RS" RAS servers group
"RD" Terminal server users
"RE" Replicator
"RC" Restricted code
"SA" Schema administrators
"SO" Server operators
"SU" Service logon user
w32time,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The DACL D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) would break out as follows:
ACE String 1
A ACCESS ALLOWED
CC CREATE ALL CHILD OBJECTS
DC DELETE ALL CHILD OBJECTS
LC LIST CONTENTS
SW ALL VALIDATED WRITES
RP READ ALL PROPERTIES
WP WRITE ALL PROPERTIES
DT DELETE SUBTREE
LO LIST OBJECT
CR ALL EXTENDED RIGHTS
SD DELETE
RC READ PERMISSIONS
WD MODIFY PERMISSIONS
WO MODIFY OWNER
BA BUILT-IN ADMINISTRATOR
ACE String 2
A ACCESS ALLOWED
CC CREATE ALL CHILD OBJECTS
DC DELETE ALL CHILD OBJECTS
LC LIST CONTENTS
SW ALL VALIDATED WRITES
RP READ ALL PROPERTIES
WP WRITE ALL PROPERTIES
DT DELETE SUBTREE
LO LIST OBJECT
CR ALL EXTENDED RIGHTS
SD DELETE
RC READ PERMISSIONS
WD MODIFY PERMISSIONS
WO MODIFY OWNER
SY LOCAL SYSTEM
The SACL S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) would break out as follows:
ACE String 3
AU SYSTEM AUDIT
FA FAILED ACCESS AUDIT
CC CREATE ALL CHILD OBJECTS
DC DELETE ALL CHILD OBJECTS
LC LIST CONTENTS
SW ALL VALIDATED WRITES
RP READ ALL PROPERTIES
WP WRITE ALL PROPERTIES
DT DELETE SUBTREE
LO LIST OBJECT
CR ALL EXTENDED RIGHTS
SD DELETE
RC READ PERMISSIONS
WD MODIFY PERMISSIONS
WO MODIFY OWNER
WD EVERYONE
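The six-field ACE layout described above and the w32time breakdown, decoded by a small Python SDDL parser added here as an example (not code from the working aide); it resolves each field against the aide's tables and shows that a token's meaning depends on its position: the FA in the SACL ACE's second field is the FAILED ACCESS AUDIT flag rather than the FILE ALL ACCESS right, and the final WD is the trustee Everyone. The AR control flag before the first ACE and the single-letter P flag come from the SDDL specification, not from the aide's tables.

```python
import re

# Lookup tables transcribed from the aide's ACE type, flag, permission and trustee tables (subset).
ACE_TYPES = {"A": "ACCESS ALLOWED", "D": "ACCESS DENIED", "AU": "SYSTEM AUDIT",
             "AL": "SYSTEM ALARM", "OA": "OBJECT ACCESS ALLOWED", "OD": "OBJECT ACCESS DENIED"}
ACE_FLAGS = {"CI": "CONTAINER INHERIT", "OI": "OBJECT INHERIT", "NP": "NO PROPAGATE",
             "IO": "INHERITANCE ONLY", "ID": "ACE IS INHERITED",
             "SA": "SUCCESSFUL ACCESS AUDIT", "FA": "FAILED ACCESS AUDIT"}
RIGHTS = {"GA": "GENERIC ALL", "GR": "GENERIC READ", "GW": "GENERIC WRITE", "GX": "GENERIC EXECUTE",
          "RC": "Read Permissions", "SD": "Delete", "WD": "Modify Permissions", "WO": "Modify Owner",
          "RP": "Read All Properties", "WP": "Write All Properties", "CC": "Create All Child Objects",
          "DC": "Delete All Child Objects", "LC": "List Contents", "SW": "All Validated Writes",
          "LO": "List Object", "DT": "Delete Subtree", "CR": "All Extended Rights"}
TRUSTEES = {"BA": "Built-in administrators", "SY": "Local system", "WD": "Everyone",
            "AU": "Authenticated users", "BU": "Built-in users", "AN": "Anonymous logon"}

def pairs(run):
    """Split a run of two-letter SDDL tokens ("CCDCLC") into ["CC", "DC", "LC"]."""
    if len(run) % 2:
        raise ValueError(f"odd-length token run: {run!r}")
    return [run[i:i + 2] for i in range(0, len(run), 2)]

def parse_ace(text):
    """Decode one ACE (without parentheses); a token's meaning depends on its field."""
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {text!r}")
    ace_type, flags, rights, obj_guid, inh_guid, trustee = fields
    return {"type": ACE_TYPES.get(ace_type, ace_type),
            "flags": [ACE_FLAGS.get(f, f) for f in pairs(flags)],
            "rights": [RIGHTS.get(r, r) for r in pairs(rights)],
            "object_type": obj_guid, "inherited_object_type": inh_guid,
            "trustee": TRUSTEES.get(trustee, trustee)}  # raw S-1-... SIDs pass through

def parse_sddl(sddl):
    """Split an SDDL string into its O:, G:, D: and S: parts and decode every ACE."""
    out = {}
    for key, body in re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):
        if key in "OG":  # owner / group parts hold a single trustee
            out[key] = TRUSTEES.get(body, body)
            continue
        start = body.find("(")  # text before the first "(" holds ACL control flags (P, AR, AI)
        out[key] = {"control": re.findall(r"AR|AI|P", body if start < 0 else body[:start]),
                    "aces": [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]}
    return out

# The SDDL quoted from the aide's w32time [Service General Setting] line.
W32TIME_SDDL = ("D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
```

Calling parse_sddl(W32TIME_SDDL) returns the DACL with its two allow ACEs for BA and SY and the SACL with one failed-access audit ACE for Everyone, matching the three breakdowns above.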
One of these snap-ins (Security Configuration and Analysis) allows the system
administrator to analyze local security policies by generating a security database
from the security policy installed on a host and comparing it to another security
policy template.
Figure 1 – The MMC Console window after loading the Security Configuration and Analysis
snap-in module.
Figure 2 – The MMC Console window after selecting the security database and security policy.
1. Under the Security Configuration and Analysis snap-in item, select the
item you wish to view from the tree.
2. The analysis results for the selected item will be displayed on the right hand
side.
Figure 4 – The MMC Console window after the comparison and analysis is complete.
Should the administrator choose to import more than one security template, the
database will merge the various templates and create one composite template. The
snap-in resolves conflicts in order of import; the last template that is imported takes
precedence.
The snap-in displays the analysis results by security area, using visual flags to indicate problems. It displays the current system and base configuration settings for each security attribute in the security areas.
The Secedit tool has six primary functions: configure, analyze, import, export, validate, and generate rollback. The scope of this document is limited to those used for security policy analysis.
Running Secedit
DB - The DB switch allows the administrator to specify the name of the database file
to either create or use.
CFG - The CFG switch allows the administrator to specify the name of the template
to use.
Overwrite – When used in conjunction with the import function, the overwrite switch purges the database prior to the import; this provides the same basic functionality as creating a brand new database.
Log - Allows the administrator to specify a log file to be used in lieu of the default
log file.
Quiet – Allows the administrator to run Secedit without prompting for task
verifications.
Areas - Allows the administrator to specify which types of data from the template
should be applied; all other types of data within the template are ignored. Valid data
types are:
The secedit import function is used to create or import a security policy database;
the syntax for the Import function is as follows:
In the example above, replace database.sdb with the name of the database being
created and template.inf with the name of the template being used to generate the
database.
The secedit analyze function is used to compare an existing security policy database
to a security policy. The syntax is as follows:
In the example above, replace database.sdb with the name of an existing database
and template.inf with the name of the template being compared to the database.
This will create a log file in the current directory named OUTPUT.TXT listing every
security setting that differs from the template.
To open and view the results file (e.g. OUTPUT.TXT), simply open the file with
Notepad or another text editor.
5 REFERENCES
Communications Security Establishment Canada. "Windows Server 2003 Recommended Baseline Security (ITSG-20)". March 2004. Accessed on 25 March 2008. http://www.cse-cst.gc.ca/documents/publications/gov-pubs/itsg/itsg20.pdf.
Microsoft Download Center. "Windows Server 2003 Security Guide". 05 August 2006. Accessed on 25 March 2008. http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en.
Microsoft Help and Support. "Definition of Registry Value Data Types". 14 March 2008. Accessed on 25 March 2008. http://support.microsoft.com/kb/101230.