Windows Administration
10 Easy Ways To Lock Down Your Computer
Derek Melber
 
At a Glance:
  • Key security settings for Windows-based computers
  • User password security settings
  • User logon and authentication settings
  • User rights security settings
Active Directory, Group Policy, Administration, Security

Did you know you could use a Group Policy Object (GPO) in Active Directory to secure all the computers and user environments in your Windows network? Here, I'll look at 10 critical GPO settings that handle security configurations across four areas: user passwords, user authentication, user privileges and anonymous access, and persistence of GPO settings.

User Password Security
The strength and security of a user password is at the core of your efforts to protect access to a user account on the network. If user accounts have unprotected or vulnerable passwords, there won't be much you can do to protect your network and resources. This is why a GPO contains so many password-related security configurations. Note that the password settings discussed here are an exception to the normal Group Policy processing order: they are defined at the domain level and override settings linked at any other level.

1. Minimum Password Length
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum Password Length
This setting is important for two reasons. First, as long as it is greater than 0, every user account must have a password, so an attacker cannot gain access to resources as that user without actually attacking the password. Second, the minimum length can be set to a large value (as for a pass phrase), which makes the password very hard to break with a cracking tool. Passwords are commonly 6 to 8 characters, but pass phrases can be more than 14.

2. Maximum Password Age
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum Password Age
This setting controls how long a password remains valid. The longer a password goes unchanged, the greater the chance that it is cracked or becomes public. You should weigh user convenience against security; setting the maximum password age between 30 and 60 days is reasonable. Valid values are 0 (the password never expires) or 1 to 999 days.

3. Password Complexity
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements
One way to strengthen a password is to make it difficult to guess by making it complex. Complexity means the password contains more than just alphabetic characters. With this setting enabled, every password must be at least six characters long, must use three of the four character types (lower-case letters, upper-case letters, numerals, and special characters), and must not contain part of the user's account name.
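As an added example (not part of the article), this PowerShell function checks a candidate password against the complexity rule as the article describes it, together with a minimum length of your choosing from tip 1. The function name, the 14-character default, and the treatment of "part of the account name" as the whole account name (compared case-insensitively, when it is at least three characters long) are my assumptions.

```powershell
# Added example, not from the article: pre-screen a password the way the
# "Password must meet complexity requirements" setting would, as described above.
function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$AccountName,
        [int]$MinimumLength = 14   # assumed pass-phrase baseline; the setting's own floor is 6
    )
    $reasons  = @()
    $required = [Math]::Max(6, $MinimumLength)
    if ($Password.Length -lt $required) {
        $reasons += "shorter than $required characters"
    }

    # Count the character classes present: lower, upper, numeric, special.
    # -cmatch is case-sensitive, which the letter-class checks need.
    $classes = 0
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^a-zA-Z0-9]') { $classes++ }
    if ($classes -lt 3) { $reasons += "uses only $classes of 4 character classes" }

    # Assumption: "part of the account name" is checked as the whole account name,
    # case-insensitively (-match is case-insensitive), once it is 3+ characters long.
    if ($AccountName.Length -ge 3 -and $Password -match [regex]::Escape($AccountName)) {
        $reasons += 'contains the account name'
    }

    [pscustomobject]@{
        Password = $Password
        Passes   = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed sample passwords for a constructed account name.
'derekm', 'Derekm2008!', 'summer2008', 'Correct-Horse-Battery-9' |
    ForEach-Object { Test-PasswordPolicy -Password $_ -AccountName 'derekm' } |
    Format-Table -AutoSize
```

Only the last sample passes; the second fails solely on the account-name check, which is the part of the rule people most often forget.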

User Login and Authentication
These GPO settings help control logon and authentication in the domain: whether the last user name is displayed at logon, the LAN Manager authentication level, and whether LAN Manager hashes are stored.

4. Last User Logged On
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name
By default, a computer remembers your user name and displays it at the next logon prompt. If you log on to a shared computer, your user name is remembered there, too. Because the user name and password are the only two pieces of information needed to authenticate to Active Directory®, hiding the user name from the next user with this setting makes life more difficult for an attacker.

5. LAN Manager Authentication Level
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: LAN Manager authentication level
This setting determines which password authentication protocol is used when communicating with down-level operating systems, and it is a key configuration setting for both servers and clients. When Windows® XP Professional communicates with Windows NT® Server, or when Windows Server 2003 communicates with Windows 95, the LAN Manager authentication level should be chosen carefully. The ideal is to configure the highest security level your environment allows. The LAN Manager default is very weak, whereas NTLMv2 is the strongest authentication protocol in the LAN Manager family, so the most secure setting is "Send NTLMv2 response only\refuse LM & NTLM."

6. Do Not Store LAN Manager Hash
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Do not store LAN Manager hash value on next password change
By default, Windows operating systems, including Windows XP Professional and Windows Server 2003, store the LAN Manager hash of each password for backward compatibility. This is a security risk because the LAN Manager hash is relatively easy to crack. Unless you are running very old, unpatched operating systems that still need it, you don't need to store this hash, so don't.

User Privileges
User privileges control the rights a user account has on a computer. These settings are unique to each computer but can be controlled centrally through a GPO.

7. User Privileges Assignment
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
User privileges are essential to the security of client computers and servers. The defining property of the approximately 40 user privileges is that they override the access control lists configured on a computer. For example, if a user has No Access configured on a file on a server, she can still back up the file as long as she has been granted the Back up files and directories privilege. Most of the user privileges matter most on servers. Be sure to check which users and groups have been assigned user privileges on all computers.
The anonymous user was created to let computers communicate easily with one another without requiring a user account. However, this easy access is easy to abuse, so computers that must allow anonymous access need to be secured.

8. Do Not Allow Anonymous Enumeration of SAM Accounts
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Access: Do not allow anonymous enumeration of SAM accounts
Historically, computers running Windows have allowed anonymous access to the Security Accounts Manager (SAM) accounts. This access should be removed unless you have applications that require anonymous access to the SAM accounts. A similar setting, "Do not allow anonymous enumeration of SAM accounts and shares," covers both the SAM and all shares on the computer.

9. Let Everyone Permissions Apply to Anonymous Users
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users
When enabled, this setting makes permissions granted to the Everyone group apply to anonymous users as well, which is insecure. Leave it disabled so that anonymous users accessing the computer do not receive the Everyone group's permissions.
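The Security Options in tips 4 through 9 are each backed by a registry value that Group Policy writes on the client. The following PowerShell audit, added here and not from the article, reads those values on the local computer and compares them with the article's recommendations; the expected values are my reading of the article's advice, and a missing value means the policy is not defined, so the operating system default applies. Tip 7 (user rights) is not a simple registry value and is not covered.

```powershell
# Added example, not from the article: audit the Security Options from tips 4-9
# by reading the registry values those policies set. Expected values are the
# article's recommendations (assumed baseline); "not set" means Not Defined.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Checks = @(
    @{ Tip = 4; Name = 'Interactive logon: Do not display last user name'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DontDisplayLastUserName'; Expected = 1 },
    @{ Tip = 5; Name = 'Network security: LAN Manager authentication level'
       Path = $Lsa; Value = 'LmCompatibilityLevel'; Expected = 5 },  # 5 = NTLMv2 only, refuse LM & NTLM
    @{ Tip = 6; Name = 'Network security: Do not store LAN Manager hash value'
       Path = $Lsa; Value = 'NoLMHash'; Expected = 1 },
    @{ Tip = 8; Name = 'Network access: Do not allow anonymous enumeration of SAM accounts'
       Path = $Lsa; Value = 'RestrictAnonymousSAM'; Expected = 1 },
    @{ Tip = 8; Name = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
       Path = $Lsa; Value = 'RestrictAnonymous'; Expected = 1 },
    @{ Tip = 9; Name = 'Network access: Let Everyone permissions apply to anonymous users'
       Path = $Lsa; Value = 'EveryoneIncludesAnonymous'; Expected = 0 }  # 0 = disabled
)

function Get-LockdownStatus {
    foreach ($c in $Checks) {
        # A missing key or value means the policy is Not Defined; the OS default applies.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Value) } else { $null }
        [pscustomobject]@{
            Tip      = $c.Tip
            Setting  = $c.Name
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
            Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
        }
    }
}

# Run on the computer being audited; items needing attention are listed first.
Get-LockdownStatus | Sort-Object Status -Descending | Format-Table -AutoSize
```

Run it before and after linking the GPO and refreshing policy to confirm that each value actually arrived on the client.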

Persistence of GPO Settings
By default, before a GPO is applied to a computer, the version stored on the domain controller is compared with the version that was last applied to that computer, and the settings are reapplied only if the versions differ. Sometimes the GPO versions match, but the local setting no longer matches the GPO setting. This can occur when the local user has administrative control: the user can modify the Registry value behind the GPO setting, which changes the setting without changing the GPO version. To eliminate this problem, force the GPO settings to be applied regardless of GPO version.

10. Process Settings in a GPO Even if the GPO Has Not Been Changed
Computer Configuration\Administrative Templates\System\Group Policy\Security policy processing
This setting includes a checkbox labeled "Process even if the Group Policy objects have not changed." Checking it forces the settings configured in the Computer Configuration\Windows Settings\Security Settings section of the GPO to be reapplied at each refresh interval, even if the GPO has not changed. This reverts every setting to the GPO-specified configuration even if a local user changed it in the Registry.

Derek Melber manages www.auditingwindows.com, the first dedicated Web site for Windows auditing and security. Derek's new book series on Auditing Windows Security is now available. Online training is available at www.auditlearning.org. Reach him at derekm@braincore.net.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.