Unified CCE Security Hardening for Windows Server
This topic contains the security baseline for hardening Windows Servers running Unified CCE.
This baseline is essentially a collection of Microsoft group policy settings which are determined by using the Microsoft Security Compliance Manager 4.0 tool.
In addition to the GPO settings provided in the table, disable the following settings:

- NetBIOS
- SMBv1

Note: For more details about these configurations, see the Microsoft Windows Server documentation.
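The two items above are not group policy settings, so they are not carried by the GPO table. The following script is an added example, not Cisco's or Microsoft's own tooling: it reports the current SMBv1 and NetBIOS-over-TCP/IP state on a Windows Server and disables both, honouring `-WhatIf` so the change can be previewed first. It assumes Windows Server 2012 R2 or later (where `Get-SmbServerConfiguration` and the `FS-SMB1` feature exist) and an elevated session.

```powershell
# Added example (not from the Cisco page): check and disable SMBv1 and NetBIOS over TCP/IP.
# Assumes Windows Server 2012 R2+ with the SmbShare and ServerManager modules; run elevated.
[CmdletBinding(SupportsShouldProcess)]
param()

# --- SMBv1 -----------------------------------------------------------------
# Two independent knobs: the server's EnableSMB1Protocol switch (whether dialect 1
# is negotiated at all) and the FS-SMB1 feature (whether the SMBv1 binaries exist).
$smbCfg = Get-SmbServerConfiguration
Write-Host ("SMB server: EnableSMB1Protocol = {0}" -f $smbCfg.EnableSMB1Protocol)
if ($smbCfg.EnableSMB1Protocol) {
    if ($PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1 dialect')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

$smb1Feature = Get-WindowsFeature -Name FS-SMB1
Write-Host ("FS-SMB1 feature installed = {0}" -f $smb1Feature.Installed)
if ($smb1Feature.Installed) {
    if ($PSCmdlet.ShouldProcess('FS-SMB1', 'Remove SMBv1 feature (reboot required)')) {
        Uninstall-WindowsFeature -Name FS-SMB1
    }
}

# --- NetBIOS over TCP/IP ---------------------------------------------------
# TcpipNetbiosOptions on each IP-enabled adapter: 0 = from DHCP, 1 = enabled, 2 = disabled.
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $adapters) {
    Write-Host ("{0}: TcpipNetbiosOptions = {1}" -f $nic.Description, $nic.TcpipNetbiosOptions)
    if ($nic.TcpipNetbiosOptions -ne 2) {
        if ($PSCmdlet.ShouldProcess($nic.Description, 'Disable NetBIOS over TCP/IP')) {
            $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                                       -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
            # 0 = success, 1 = success but a reboot is required
            Write-Host ("  SetTcpipNetbios returned {0}" -f $result.ReturnValue)
        }
    }
}
```

Run it once with `-WhatIf` to see what would change, then without. Removing the `FS-SMB1` feature needs a reboot, and NetBIOS set via this method applies per adapter, so adapters added later (or re-created by a driver update) should be re-checked.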
The baseline includes only those settings whose severity qualifies as Critical and Important. The settings with Optional and None severity qualification are not included in the baseline.
| Setting Name | Default Value | Compliance |
|---|---|---|
| Network security: LAN Manager authentication level | Send NTLMv2 response only | Send NTLMv2 response only. Refuse LM & NTLM |
| Network Security: Restrict NTLM: Audit NTLM authentication in this domain | Not defined | Not Defined |
| Network Security: Restrict NTLM: Incoming NTLM traffic | Not defined | Not Defined |
| Interactive logon: Require smart card | Disabled | Not Defined |
| Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication | Not defined | Not Defined |
| Network security: Allow LocalSystem NULL session fallback | Not defined | Disabled |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled |
| Network security: Allow Local System to use computer identity for NTLM | Not defined | Enabled |
| Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled |
| Network Security: Allow PKU2U authentication requests to this computer to use online identities | Not defined | Not Defined |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | No minimum | Require NTLMv2 session security, Require 128-bit encryption |
| Microsoft network server: Server SPN target name validation level | Off | Not Defined |
| Interactive logon: Smart card removal behavior | No Action | Lock Workstation |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | No minimum | Require NTLMv2 session security, Require 128-bit encryption |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 10 logons | 4 logon(s) |
| Network Security: Restrict NTLM: NTLM authentication in this domain | Not defined | Not Defined |
| Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers | Not defined | Not Defined |
| Network access: Let Everyone permissions apply to anonymous users | Disabled | Disabled |
| Network Security: Restrict NTLM: Add server exceptions in this domain | Not defined | Not Defined |
| Network Security: Restrict NTLM: Audit Incoming NTLM Traffic | Not defined | Not Defined |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Disabled | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled |
| Shutdown: Clear virtual memory pagefile | Disabled | Disabled |
| Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ | System\CurrentControlSet\Control\ |
| Network access: Shares that can be accessed anonymously | Not defined | Not Defined |
| Turn off the "Publish to Web" task for files and folders | Not configured | Not Configured |
| Shutdown: Allow system to be shut down without having to log on | Enabled | Disabled |
| System objects: Require case insensitivity for non-Windows subsystems | Enabled | Enabled |
| Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves |
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled | Disabled |
| Devices: Allowed to format and eject removable media | Administrators | Administrators |
| Turn off the Windows Messenger Customer Experience Improvement Program | Not configured | Not Configured |
| System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Disabled | Enabled |
| Turn off Search Companion content file updates | Not configured | Not Configured |
| Network access: Allow anonymous SID/Name translation | Disabled | Disabled |
| Network access: Remotely accessible registry paths and sub-paths | System\CurrentControlSet\Control\Print\ | System\CurrentControlSet\Control\Print\ |
| Recovery console: Allow automatic administrative logon | Disabled | Disabled |
| Turn off Autoplay | Not configured | Enabled |
| Turn off Windows Update device driver searching | Disabled | Not Configured |
| Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | Enabled |
| Recovery console: Allow floppy copy and access to all drives and all folders | Disabled | Disabled |
| Network access: Named Pipes that can be accessed anonymously | None | Not Defined |
| Audit Policy: System: IPsec Driver | No auditing | Success and Failure |
| Audit Policy: System: Security System Extension | No auditing | Success and Failure |
| Audit Policy: Account Management: Security Group Management | Success | Success and Failure |
| Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Not defined | Enabled |
| Audit Policy: Account Management: Other Account Management Events | No auditing | Success and Failure |
| Audit Policy: System: Security State Change | Success | Success and Failure |
| Audit Policy: Detailed Tracking: Process Creation | No auditing | Success |
| Audit Policy: System: Other System Events | Success and Failure | Success and Failure |
| Audit Policy: Logon-Logoff: Account Lockout | Success | Success |
| Audit Policy: Policy Change: Audit Policy Change | Success | Success and Failure |
| Audit: Audit the access of global system objects | Disabled | Not Defined |
| Audit Policy: Logon-Logoff: Special Logon | Success | Success |
| Audit Policy: Account Management: User Account Management | Success | Success and Failure |
| Audit Policy: Account Logon: Credential Validation | No auditing | Success and Failure |
| Audit Policy: Logon-Logoff: Logon | Success | Success and Failure |
| Audit Policy: Account Management: Computer Account Management | No auditing | Success |
| Audit Policy: Privilege Use: Sensitive Privilege Use | No auditing | Success and Failure |
| Audit Policy: Logon-Logoff: Logoff | Success | Success |
| Audit Policy: Policy Change: Authentication Policy Change | Success | Success |
| Audit: Audit the use of Backup and Restore privilege | Disabled | Not Defined |
| Audit Policy: System: System Integrity | Success and Failure | Success and Failure |
| Turn off toast notifications on the lock screen | None | Enabled |
| Microsoft network server: Amount of idle time required before suspending session | 15 minutes | 15 minute(s) |
| Interactive logon: Message text for users attempting to log on | Not defined | Not Defined |
| Interactive logon: Machine inactivity limit | Not defined | 900 seconds |
| Microsoft network server: Disconnect clients when logon hours expire | Enabled | Enabled |
| Interactive logon: Message title for users attempting to log on | Not defined | Not Defined |
| Network security: Force logoff when logon hours expire | Disabled | Enabled |
| Sign-in last interactive user automatically after a system-initiated restart | None | Disabled |
| Interactive logon: Display user information when the session is locked | Not defined | Not Defined |
| Interactive logon: Do not display last user name | Disabled | Enabled |
| Interactive logon: Machine account lockout threshold | Not defined | 10 invalid logon attempts |
| Allow Remote Shell Access | Not configured | Not Configured |
| Devices: Prevent users from installing printer drivers | Disabled | Enabled |
| Create global objects | Administrators, Service, Local Service, Network Service | Administrators, Service, Local Service, Network Service |
| Access this computer from the network | Everyone, Administrators, Users, Backup Operators | Administrators, Authenticated Users |
| Domain controller: Allow server operators to schedule tasks | Not defined | Not Defined |
| Modify an object label | None | No One |
| Generate security audits | Local Service, Network Service | Local Service, Network Service |
| Increase scheduling priority | Administrators | Administrators |
| Force shutdown from a remote system | Administrators | Administrators |
| Allow log on through Remote Desktop Services | Administrators, Remote Desktop Users | Administrators |
| Change the system time | Local Service, Administrators | Local Service, Administrators |
| Add workstations to domain | Not defined (Authenticated Users for domain controllers) | Not Defined |
| Create a pagefile | Administrators | Administrators |
| Profile single process | Administrators | Administrators |
| Deny log on as a batch job | No one | Guests |
| Act as part of the operating system | No one | No One |
| Change the time zone | Local Service, Administrators | Local Service, Administrators |
| Synchronize directory service data | Not defined | Not Defined |
| Lock pages in memory | No one | No One |
| Access Credential Manager as a trusted caller | No one | No One |
| Create a token object | No one | No One |
| Debug programs | Administrators | Administrators |
| Deny log on as a service | No one | Guests |
| Deny access to this computer from the network | Guests | Guests, NT AUTHORITY\Local account and member of Administrators group |
| Back up files and directories | Administrators, Backup Operators | Administrators |
| Shut down the system | Administrators, Backup Operators, Users | Administrators |
| Deny log on locally | Guests | Guests |
| Replace a process level token | Local Service, Network Service | Local Service, Network Service |
| Modify firmware environment values | Administrators | Administrators |
| Allow log on locally | Guest, Administrators, Users, Backup Operators | Administrators |
| Restore files and directories | Administrators, Backup Operators | Administrators |
| Profile system performance | Administrators, NT Service\WdiServiceHost | Administrators, NT Service\WdiServiceHost |
| Log on as a batch job | Administrators, Backup Operators | Not Defined |
| Perform volume maintenance tasks | Administrators | Administrators |
| Manage auditing and security log | Administrators | Administrators |
| Enable computer and user accounts to be trusted for delegation | No one | No One |
| Impersonate a client after authentication | Administrators, Service, Local Service, Network Service | Administrators, Service, Local Service, Network Service |
| Load and unload device drivers | Administrators | Administrators |
| Take ownership of files or other objects | Administrators | Administrators |
| Adjust memory quotas for a process | Local Service, Network Service, Administrators | Administrators, Local Service, Network Service |
| Log on as a service | No one | Not Defined |
| Create symbolic links | Administrators | Administrators |
| Create permanent shared objects | No one | No One |
| System cryptography: Force strong key protection for user keys stored on the computer | Disabled | Not Defined |
| Domain member: Require strong (Windows 2000 or later) session key | Disabled | Enabled |
| Windows Firewall: Domain: Allow unicast response | Yes | No |
| Windows Firewall: Domain: Apply local firewall rules | Yes | Yes (default) |
| Windows Firewall: Domain: Inbound connections | Block | Enabled |
| Windows Firewall: Private: Firewall state | On | On |
| Windows Firewall: Private: Apply local connection security rules | Yes | Yes (default) |
| Windows Firewall: Private: Allow unicast response | Yes | No |
| Windows Firewall: Public: Apply local firewall rules | Yes | Yes (default) |
| Windows Firewall: Public: Apply local connection security rules | Yes | Yes |
| Windows Firewall: Public: Firewall state | On | On |
| Windows Firewall: Private: Outbound connections | Allow | Allow (default) |
| Windows Firewall: Domain: Outbound connections | Allow | Allow (default) |
| Windows Firewall: Domain: Firewall state | On | On |
| Windows Firewall: Public: Allow unicast response | Yes | No |
| Windows Firewall: Public: Inbound connections | Block | Enabled |
| Windows Firewall: Domain: Apply local connection security rules | Yes | Yes (default) |
| Windows Firewall: Private: Display a notification | Yes | Yes (default) |
| Windows Firewall: Domain: Display a notification | Yes | Yes (default) |
| Windows Firewall: Public: Display a notification | Yes | Yes |
| Windows Firewall: Public: Outbound connections | Allow | Allow (default) |
| Windows Firewall: Private: Inbound connections | Block | Enabled |
| Windows Firewall: Private: Apply local firewall rules | Yes | Yes (default) |
| Default Protections for Internet Explorer | None | Enabled |
| Password protect the screen saver | Not Configured | Enabled |
| Local Policy User Account Control: Admin Approval Mode for the Built-in Administrator account | Disabled | Enabled |
| Default Protections for Software | None | Enabled |
| User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled | Enabled |
| Default Protections for Popular Software | None | Enabled |
| Apply UAC restrictions to local accounts on network logons | None | Enabled |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows binaries | Prompt for consent on the secure desktop |
| User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled | Disabled |
| Local Policy User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | Enabled |
| User Account Control: Switch to the secure desktop when prompting for elevation | Enabled | Enabled |
| User Account Control: Run all administrators in Admin Approval Mode | Enabled | Enabled |
| WDigest Authentication | None | Disabled |
| User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials | Automatically deny elevation requests |
| System ASLR | None | Enabled |
| System DEP | Enabled: Application Opt-Out | Enabled |
| System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled | Enabled |
| Enable screen saver | Not Configured | Enabled |
| Force specific screen saver | Not Configured | Enabled |
| Increase a process working set | Users | Not Defined |
| User Account Control: Detect application installations and prompt for elevation | Enabled | Enabled |
| System SEHOP | Enabled: Application Opt-Out | Enabled |
| Network Security: Configure encryption types allowed for Kerberos | Not defined | Not Defined |
| Set client connection encryption level | Not configured | Not Configured |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Enabled |
| Domain controller: LDAP server signing requirements | Not defined | Not Defined |
| Network security: LDAP client signing requirements | Negotiate signing | Negotiate signing |
| Microsoft network client: Digitally sign communications (always) | Disabled | Enabled |
| Microsoft network server: Digitally sign communications (always) | Disabled | Enabled |
| Domain member: Digitally sign secure channel data (when possible) | Enabled | Enabled |
| Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | Enabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Disabled | Enabled |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled | Enabled |
| Specify the maximum log file size (KB) | 20480 KB | Enabled |
| Specify the maximum log file size (KB) | 20480 KB | Enabled |
| Specify the maximum log file size (KB) | 20480 KB | Enabled |
| Audit: Shut down system immediately if unable to log security audits | Disabled | Disabled |
| Accounts: Limit local account use of blank passwords to console logon only | Enabled | Enabled |
| Domain controller: Refuse machine account password changes | Not defined | Not Defined |
| Domain member: Disable machine account password changes | Disabled | Disabled |
| Domain member: Maximum machine account password age | 30 days | 30 day(s) |
| Network access: Do not allow storage of passwords and credentials for network authentication | Disabled | Not Defined |
| Interactive logon: Prompt user to change password before expiration | 14 days | 14 day(s) |
| Allow indexing of encrypted files | None | Disabled |
| Accounts: Rename administrator account | Administrator | Not Defined |
| Do not display network selection UI | None | Enabled |
| Allow Microsoft accounts to be optional | None | Enabled |
| Accounts: Administrator account status | Enabled | Not Defined |
| Accounts: Guest account status | Disabled | Disabled |
| Accounts: Rename guest account | Guest | Not Defined |
| Prevent enabling lock screen slide show | None | Enabled |
| Prevent enabling lock screen camera | None | Enabled |
| IRC Ports | Not Defined | Disabled |
| Outgoing Email Port 25 | Not Defined | Disabled |
| Advanced Audit Policy Configuration Audit Directory Service Access | Success | Success and Failure |
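Applying the GPO is only half the job; a server that was built before the policy linked, or that sits in an OU the policy does not reach, will silently keep its defaults. The following read-only check is an added example (not Cisco's tooling) that compares a representative subset of the table above against the live registry and the effective audit policy of the host it runs on. The mapping of each policy name to a registry value is the standard one the Windows security templates use; it is this script's assumption, not something the page states, and `0x20080000` is the bitmask for "Require NTLMv2 session security" plus "Require 128-bit encryption". Run it elevated.

```powershell
# Added example (not from the Cisco page): read-only compliance check for a subset of
# the baseline. Registry locations are the standard ones the security templates write
# (assumption, not stated by the page). Run in an elevated session.

$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv      = "$Lsa\MSV1_0"
$WDigest  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$PolSys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$LanWks   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$LanSrv   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Table row -> registry key, value name, compliance value.
# 0x20080000 = Require NTLMv2 session security (0x80000) | Require 128-bit encryption (0x20000000).
$RegistryChecks = @(
    @{ Name='LAN Manager authentication level (refuse LM & NTLM)';      Key=$Lsa;      Value='LmCompatibilityLevel';        Expected=5 },
    @{ Name='Do not store LAN Manager hash value';                       Key=$Lsa;      Value='NoLMHash';                    Expected=1 },
    @{ Name='Do not allow anonymous enumeration of SAM accounts/shares'; Key=$Lsa;      Value='RestrictAnonymous';           Expected=1 },
    @{ Name='Let Everyone permissions apply to anonymous users';         Key=$Lsa;      Value='EveryoneIncludesAnonymous';   Expected=0 },
    @{ Name='Force audit policy subcategory settings';                   Key=$Lsa;      Value='SCENoApplyLegacyAuditPolicy'; Expected=1 },
    @{ Name='Minimum session security for NTLM SSP clients';             Key=$Msv;      Value='NTLMMinClientSec';            Expected=0x20080000 },
    @{ Name='Minimum session security for NTLM SSP servers';             Key=$Msv;      Value='NTLMMinServerSec';            Expected=0x20080000 },
    @{ Name='WDigest Authentication disabled';                           Key=$WDigest;  Value='UseLogonCredential';          Expected=0 },
    @{ Name='Number of previous logons to cache';                        Key=$Winlogon; Value='CachedLogonsCount';           Expected='4' },
    @{ Name='Smart card removal behavior (Lock Workstation)';            Key=$Winlogon; Value='ScRemoveOption';              Expected='1' },
    @{ Name='Machine inactivity limit (seconds)';                        Key=$PolSys;   Value='InactivityTimeoutSecs';       Expected=900 },
    @{ Name='Do not display last user name';                             Key=$PolSys;   Value='DontDisplayLastUserName';     Expected=1 },
    @{ Name='UAC: Admin Approval Mode for built-in Administrator';       Key=$PolSys;   Value='FilterAdministratorToken';    Expected=1 },
    @{ Name='UAC: admin elevation prompt (consent on secure desktop)';   Key=$PolSys;   Value='ConsentPromptBehaviorAdmin';  Expected=2 },
    @{ Name='UAC: standard user elevation prompt (auto deny)';           Key=$PolSys;   Value='ConsentPromptBehaviorUser';   Expected=0 },
    @{ Name='Apply UAC restrictions to local accounts on network logons';Key=$PolSys;   Value='LocalAccountTokenFilterPolicy';Expected=0 },
    @{ Name='SMB client: digitally sign communications (always)';        Key=$LanWks;   Value='RequireSecuritySignature';    Expected=1 },
    @{ Name='SMB client: send unencrypted password to third-party SMB';  Key=$LanWks;   Value='EnablePlainTextPassword';     Expected=0 },
    @{ Name='SMB server: digitally sign communications (always)';        Key=$LanSrv;   Value='RequireSecuritySignature';    Expected=1 },
    @{ Name='Domain member: require strong session key';                 Key=$Netlogon; Value='RequireStrongKey';            Expected=1 },
    @{ Name='Domain member: maximum machine account password age';       Key=$Netlogon; Value='MaximumPasswordAge';          Expected=30 }
)

# Audit subcategories from the table, checked against auditpol's effective policy.
$AuditChecks = @{
    'Credential Validation'     = 'Success and Failure'
    'Process Creation'          = 'Success'
    'Sensitive Privilege Use'   = 'Success and Failure'
    'Logon'                     = 'Success and Failure'
    'User Account Management'   = 'Success and Failure'
    'Security Group Management' = 'Success and Failure'
    'Audit Policy Change'       = 'Success and Failure'
    'Security System Extension' = 'Success and Failure'
}

function Test-RegistryValue {
    param([hashtable]$Check)
    $actual = (Get-ItemProperty -Path $Check.Key -Name $Check.Value -ErrorAction SilentlyContinue).($Check.Value)
    [pscustomobject]@{
        Setting   = $Check.Name
        Expected  = $Check.Expected
        Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
        # String comparison so REG_SZ values such as CachedLogonsCount compare like DWORDs.
        Compliant = ($null -ne $actual) -and ("$actual" -eq "$($Check.Expected)")
    }
}

function Test-AuditSubcategory {
    param([string]$Subcategory, [string]$Expected)
    # auditpol /r emits CSV with an 'Inclusion Setting' column holding the effective policy.
    $row = auditpol /get /subcategory:"$Subcategory" /r | ConvertFrom-Csv
    [pscustomobject]@{
        Setting   = "Audit: $Subcategory"
        Expected  = $Expected
        Actual    = $row.'Inclusion Setting'
        Compliant = ($row.'Inclusion Setting' -eq $Expected)
    }
}

$results = @($RegistryChecks | ForEach-Object { Test-RegistryValue -Check $_ }) +
           @($AuditChecks.GetEnumerator() | ForEach-Object { Test-AuditSubcategory -Subcategory $_.Key -Expected $_.Value })

$results | Format-Table Setting, Expected, Actual, Compliant -AutoSize
'{0} of {1} checks compliant' -f @($results | Where-Object Compliant).Count, $results.Count
```

A value reported as `<not set>` usually means the GPO never applied (check `gpresult /r` and the OU link), not that the default is in force, since several of these defaults are themselves non-compliant per the table. The user-rights assignments (the "Allow log on locally"-style rows) live in the local security database rather than the registry; `secedit /export` is the equivalent read-only view for those.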
Other Windows Hardening Considerations
The following table lists the IIS settings with their corresponding default and possible values.
| Setting Name | Default Value | Supported Values |
|---|---|---|
| ASP.NET Application Custom Error | RemoteOnly | |
| HTTPOnlyCookie | Off | Off |
| AllowUnlisted | true | true |
| requestFiltering: file extensions blocked using false as the value for the allowed attribute | .asax, .ascx, .master, .skin, .browser, .sitemap, .config, .cs, .csproj, .vb, .vbproj, .webinfo, .licx, .resx, .resources, .mdb, .vjsproj, .java, .jsl, .ldb, .dsdgm, .ssdgm, .lsad, .ssmap, .cd, .dsprototype, .lsaprototype, .sdm, .sdmDocument, .mdf, .ldf, .ad, .dd, .ldd, .sd, .adprototype, .lddprototype, .exclude, .refresh, .compiled, .msgx, .vsdisco, .rules | .asax, .ascx, .master, .skin, .browser, .sitemap, .config, .cs, .csproj, .vb, .vbproj, .webinfo, .licx, .resx, .resources, .mdb, .vjsproj, .java, .jsl, .ldb, .dsdgm, .ssdgm, .lsad, .ssmap, .cd, .dsprototype, .lsaprototype, .sdm, .sdmDocument, .mdf, .ldf, .ad, .dd, .ldd, .sd, .adprototype, .lddprototype, .exclude, .refresh, .compiled, .msgx, .vsdisco, .rules, .com, .doc, .docx, .docm, .jar, .hta, .vbs, .pdf, .sfx, .bat, .dll, .tmp, .py, .msi, .msp, .gadget, .cmd, .vbe, .jse, .ps1, .ps1xml, .ps2, .ps2xml, .psc1, .psc2, .lnk, .inf, .scf, .ws, .wsf, .scr, .pif |

Note: Certain extensions, such as .exe, .htm and .dll, cannot be filtered in IIS.
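The request-filtering row is the one that needs more than a single property change: each extension is a separate `<add fileExtension="..." allowed="false" />` entry under `system.webServer/security/requestFiltering/fileExtensions`, and `allowUnlisted="true"` (the table's supported value) means everything not listed stays allowed, so the deny list has to be complete. The script below is an added example, not Cisco's own configuration: it applies the extra extensions from the "Supported Values" column to a site with the WebAdministration module, skipping entries already present, and then reads back the effective state of the three IIS settings. It assumes IIS with the WebAdministration module, a site named `Default Web Site` (the site path is an assumption) and an elevated session; the extension list is the page's extra set, reproduced here.

```powershell
# Added example (not from the Cisco page): block file extensions via IIS request filtering
# and read back the IIS settings from the table. Assumes the WebAdministration module and a
# site called 'Default Web Site'; run elevated.
Import-Module WebAdministration

$site = 'IIS:\Sites\Default Web Site'
$rf   = 'system.webServer/security/requestFiltering/fileExtensions'

# Extensions the table adds beyond the ASP.NET defaults (allowed="false" for each).
$blocked = '.com', '.doc', '.docx', '.docm', '.jar', '.hta', '.vbs', '.pdf', '.sfx', '.bat',
           '.dll', '.tmp', '.py', '.msi', '.msp', '.gadget', '.cmd', '.vbe', '.jse', '.ps1',
           '.ps1xml', '.ps2', '.ps2xml', '.psc1', '.psc2', '.lnk', '.inf', '.scf', '.ws',
           '.wsf', '.scr', '.pif'

# allowUnlisted=true: only the listed extensions are denied, everything else is served.
Set-WebConfigurationProperty -PSPath $site -Filter $rf -Name allowUnlisted -Value $true

# Add each extension once; a duplicate <add> element would make the config section invalid.
$existing = @(Get-WebConfiguration -PSPath $site -Filter "$rf/add").fileExtension
foreach ($ext in $blocked) {
    if ($existing -notcontains $ext) {
        Add-WebConfigurationProperty -PSPath $site -Filter $rf -Name '.' `
            -Value @{ fileExtension = $ext; allowed = $false }
    }
}

# Read back the effective values for the site so the result can be compared with the table.
function Get-IisHardeningState {
    param([string]$PSPath)
    $entries = @(Get-WebConfiguration -PSPath $PSPath -Filter "$rf/add")
    [pscustomobject]@{
        AllowUnlisted      = (Get-WebConfiguration -PSPath $PSPath -Filter $rf).allowUnlisted
        BlockedExtensions  = @($entries | Where-Object { -not $_.allowed }).Count
        HttpOnlyCookies    = (Get-WebConfiguration -PSPath $PSPath -Filter 'system.web/httpCookies').httpOnlyCookies
        CustomErrorsMode   = (Get-WebConfiguration -PSPath $PSPath -Filter 'system.web/customErrors').mode
    }
}
Get-IisHardeningState -PSPath $site | Format-List
```

Because the change is written into the site's `web.config` (or `applicationHost.config` when `-PSPath 'MACHINE/WEBROOT/APPHOST'` is used instead), a later deployment that ships its own `<requestFiltering>` section can overwrite it; rerunning the read-back function after each deployment catches that. The note above about `.exe`, `.htm` and `.dll` applies here too: adding those entries does not give the protection the deny list suggests.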