Although this guide discussed many security countermeasures and security settings, it is important to understand that some of them are especially important. This appendix highlights those settings; you may wish to refer to the relevant chapter for an explanation of what the setting does and why it is important. The settings that should be included in this list could be debated extensively. In fact, this topic was discussed at great length by a group of security experts within Microsoft. You may feel that some settings are missing, or that some of the listed settings do not need to be on the list. Because each organization has a distinct environment with unique business requirements, different opinions about security issues should be expected. Nevertheless, this list might help you prioritize tasks that are related to hardening computers that run Microsoft® Windows®. On This PageImportant CountermeasuresImportant countermeasures that are not related to security settings include: | • | Keep computers up-to-date on service packs and hotfixes with automated tools for testing and deployment. | | • | Install and configure distributed firewall software or organizational IPsec policies. | | • | Deploy and maintain antivirus software. | | • | Deploy and maintain antispyware software. | | • | Use an unprivileged account for day-to-day tasks. You should only use an account with administrator privileges to perform tasks that require elevated privileges. |
Key Security SettingsKey security settings that are available in Microsoft Windows include the following: | • | Password policy settings, which are discussed in Chapter 2, "Configuring the Active Directory Domain Infrastructure:" | • | Enforce Password History | | • | Maximum Password Age | | • | Minimum Password Length | | • | Passwords must meet complexity requirements | | • | Store Password Using reversible encryption for all users in the domain |
| | • | User rights assignment settings, which are discussed in Chapter 3, "Security Settings for Windows XP Clients:" | • | Access this computer from the network | | • | Act as part of the operating system | | • | Allow logon locally | | • | Allow Log on through Terminal Services |
| | • | Security option settings, which are discussed in Chapter 3, "Security Settings for Windows XP Clients:" | • | Accounts: Limit local account use of blank passwords to console logon only | | • | Domain Member: Digitally encrypt or sign Secure channel Data (always) | | • | Domain Member: Digitally encrypt Secure channel Data (when possible) | | • | Domain Member: Digitally sign Secure channel Data (when possible) | | • | Domain member: require strong (windows 2000 or later) session key | | • | Network access: Allow anonymous SID/Name translation | | • | Network Access: Do not allow anonymous enumeration of SAM accounts | | • | Network access: do not allow enumeration of SAM accounts and shares | | • | Network Access: Let Everyone permissions apply to anonymous users | | • | Network Access: Remotely Accessible Registry Paths | | • | Network Access: Restrict Anonymous access to named pipes and shares | | • | Network Access: Shares that can be accessed anonymously | | • | Network Access: Sharing and Security Model for Local Accounts | | • | Network Security: Do not store LAN manager hash value on next password change | | • | Network Security: LAN Manager Authentication Level |
| | • | Additional registry settings, which are discussed in Chapter 3, "Security Settings for Windows XP Clients," especially the following setting: |
| |
