Answer by Chris S.

Comment: I was thinking it was something along those lines, but I couldn't find any documentation that explains that. I will accept your answer as soon as the time limit runs out, but do you have a link to MS docs that explain this by any chance? Well either way, I greatly appreciate your quick response!

Reply: Updated my answer with corrected details and the reference link.

Windows Server General Forum (archived). Is there some kind of reference as to when to use the or versions? Friday, October 4, PM.
- This policy setting determines whether the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. The policy is
- V Medium The Kerberos user ticket renewal maximum lifetime must be limited to 7 days or less. This security configuration limits the amount of time an attacker has to
- V Medium Unauthorized accounts must not have the Enable computer and user accounts to be trusted for delegation user right. The "Enable computer and user accounts to be trusted for delegation" user right allows
- V Medium The system must lockout accounts after 3 invalid logon attempts within a specified time period. The higher this value is, the less effective the account lockout feature will be in protecting the
- Windows has implemented a variety of security support providers for use with RPC sessions. In a homogeneous Windows environment, all of the options should be enabled and testing should be
- V Medium A system must be logged on to before removing from a docking station. This setting controls the ability to undock the system without having to log on. Since the removal of a computer should be controlled, users should have to log on before undocking the computer to
- V Medium UIAccess applications will not be allowed to prompt for elevation without using the secure desktop. This check verifies whether User Interface Accessibility programs can automatically disable the secure desktop for elevation prompts for a standard user.
- V Medium The system will be configured to prevent the storage of passwords and credentials. This setting controls the storage of passwords and credentials for network authentication on the local system. Such credentials should never be stored on the local machine as that may lead to
- V Medium The system will be configured to require a strong session key. This setting controls the required strength of a session key.
- Allowing other operating systems to run on a secure system can allow users to circumvent security. If more than one operating system is installed on a computer, each must be configured to be
- V Medium Users must be required to enter a password to access private keys stored on the computer. Configuring this setting so that users must provide a password distinct from their domain password every time they use a key makes it more difficult for an attacker to access locally stored user
- V Medium Windows Explorer shell protocol will run in protected mode. This check verifies that the shell protocol runs in protected mode. This allows applications to only open limited folders.
- V Medium Automatic logons must be disabled. Allowing a system to automatically log on when the machine is booted could give access to any unauthorized individual who restarts the computer. Automatic logon with administrator privileges
- Some non-Microsoft SMB servers only support unencrypted plain text password authentication. Sending plain text passwords across the network, when authenticating to an SMB server, reduces the
- V Medium Users will be prevented from changing installation options. This check verifies that users are prevented from changing installation options.
- Removable hard drives can be formatted and ejected by others who are not members of the Administrators Group, if they are not properly configured. Formatting and ejecting removable NTFS media
- V Medium Audit policy using subcategories will be enabled. This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista and forward.
- V Medium The system will notify antivirus when file attachments are opened. This check verifies that antivirus programs are notified when a user opens a file attachment.
- V Medium Application account passwords must meet DoD requirements for length, complexity and changes. Setting application accounts to expire may cause applications to stop functioning. The organization must have a policy that manually managed application account passwords are changed at least
- V Medium Unauthorized accounts must not have the Create symbolic links user right. Accounts with the "Create symbolic links" right can create pointers to other objects
- V Medium Remote Desktop Services will always prompt a client for passwords upon connection. This setting controls the ability of users to supply passwords automatically as part of their Remote Desktop session. Disabling this setting would allow anyone to use the stored credentials in a
- V Medium Remote Desktop Services will delete temporary folders when a session is terminated. This setting controls the deletion of the temporary folders when the session is terminated. Temporary folders should always be deleted after a session is over to prevent hard disk clutter and
- V Medium Remote Desktop Services will be configured to use session-specific temporary folders. This setting controls the use of per-session temporary folders or of a communal temporary folder. If this setting is enabled, only one temporary folder is used for all remote desktop sessions.
- V Medium Remote Desktop Services will be configured with the client connection encryption set to the required level. Remote connections must be encrypted to prevent interception of data or sensitive information.
- Unsigned network traffic is susceptible to man-in-the-middle attacks where an intruder captures packets between the server and the client and modifies them before forwarding them to the client.
- V Medium Windows Peer-to-Peer networking services will be turned off.
- V Medium ACLs for system files and directories will conform to minimum requirements. Failure to properly configure ACL file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications.
- V Medium Unauthorized accounts must not have the Back up files and directories user right. Accounts with the "Back up files and directories" user right can circumvent file and
- V Medium System files will be monitored for unauthorized changes. Comparing system files against a baseline on a regular basis will detect the possibility of introduction of malicious code on the system.
- V Medium Services will be documented and unnecessary services will not be installed or will be disabled. Unnecessary services increase the attack surface of a system. Some services may be run under the local System account, which generally has more permissions than required by the service.
- This check verifies that unhandled file associations will not use the Microsoft Web service to find an application.
- V Medium User Account Control will switch to the secure desktop when prompting for elevation. This check verifies that the elevation prompt is only used in secure desktop mode.
- This check verifies that UAC has not been disabled.
- This check verifies that the system is configured to prevent users from saving passwords in the Remote Desktop Client.
- This check verifies that the system is configured to prevent users from sharing the local drives on their client computers to Remote Desktop Session Hosts that they access.
- V Medium The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of
- V Medium Media Player must be configured to prevent automatic checking for updates. Uncontrolled system updates can introduce issues to a system. The automatic check for updates performed by Windows Media Player must be disabled to ensure a constant platform and to prevent the
- V Medium For systems utilizing a logon ID as the individual identifier, passwords will, at a minimum, be 14 characters. Information systems not protected with strong password schemes, including passwords of minimum length, provide the opportunity for anyone to crack the password, thus gaining access to the system
- V Medium Windows R2 passwords must be configured to expire. Passwords that do not expire increase the exposure of a password with greater probability of being discovered or cracked.
- V Medium The built-in administrator account will be renamed. The built-in administrator account is a well-known account. Renaming the account to an unidentified name improves the protection of this account and the system.
- V Medium The built-in guest account will be renamed. A system faces an increased vulnerability threat if the built-in guest account is not renamed or disabled. The built-in guest account is a known user account on all Windows systems, and as
- V Medium The Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access. The "Deny Access from the Network" right defines the accounts that are prevented from
- Allowing anonymous FTP connections makes user auditing difficult.
- Using accounts that have administrator privileges to
- V Medium The Deny log on as a service user right must be configured to include no accounts or groups (blank). The "Deny log on as a service" right defines accounts that are denied log on as a
- V Medium The system will be configured with a password-protected screen saver. The system should be locked when unattended. Unattended systems are susceptible to unauthorized use. The screen saver should be set at a maximum of 15 minutes and password protected.
- V Medium Network Bridges will be prohibited in Windows. This check verifies the Network Bridge cannot be installed and configured.
- V Medium The system will be prevented from joining a homegroup. This setting will prevent a system from being joined to a homegroup. Homegroups are a method of sharing data and printers on a home network.
- V Medium Autoplay will be turned off for non-volume devices.
- V Medium Audit logs will be reviewed on a daily basis. To be of value, audit logs from servers and other critical systems will be reviewed on a daily basis to identify security breaches and potential weaknesses in the security structure. This can be
- V Medium Web publishing and online ordering wizards will be prevented from downloading a list of providers. This check verifies that the system is configured to prevent Windows from downloading a list of providers for the Web publishing and online ordering wizards.
- V Medium The Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access. The "Deny log on through Remote Desktop Services" right defines the accounts that are
- V Medium The built-in guest account must be disabled. A system faces an increased vulnerability threat if the built-in guest account is not disabled. This account is a known account that exists on all Windows systems and cannot be deleted.
- V Medium WDigest Authentication must be disabled. This setting will prevent
- V Medium Security-related Software Patches will be applied. Major software vendors release security patches and hot fixes to their products when security vulnerabilities are discovered. It is essential that these updates be applied in a timely manner to
- To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD
- The DoD root certificates will ensure that the trust
- V Medium Users will be notified if a web-based program attempts to install software. This check verifies that users are notified if a web-based program attempts to install software.
- This setting prevents the system from setting up a default system access control list for certain system objects, which could create a very large number of security events, filling the security
- Determines what should happen when the smart card for a logged-on user is removed from the smart card reader.
- Accounts with the "Force shutdown from a remote system" user right can remotely shut
- V Medium Windows will be prevented from using Windows Update to search for drivers. This check verifies that the system is configured to prevent Windows from searching Windows Update for device drivers when no local drivers for a device are present.
- V Medium The computer clock synchronization tolerance must be limited to 5 minutes or less. This setting determines the maximum time difference in minutes that Kerberos will tolerate between the time on a client's clock and the time on a server's clock while still considering the two
- V Medium Group Policy objects will be reprocessed even if they have not changed. Enabling this setting and then selecting the "Process even if the Group Policy objects have not changed" option ensures that the policies will be reprocessed even if none have been changed.
- V Medium Media Player will be configured to prevent automatic Codec downloads. The Windows Media Player uses software components, referred to as Codecs, to play back media files. By default, when an unknown file type is opened with the Media Player it will search the
- Allowing unsecure RPC communication exposes the server to man-in-the-middle attacks and data disclosure attacks. A man-in-the-middle attack occurs when an intruder captures packets between a
- This policy setting stops the system from generating audit events for every file backed up or restored, which could fill the Security log in Windows.
- V Medium Audit data must be retained for at least one year. Audit records are essential for investigating system activity after the fact. Retention periods for audit data are determined based on the sensitivity of the data handled by the system.
- V Medium The Windows R2 password for the built-in Administrator account must be changed at least annually or when a member of the administrative team leaves the organization. The longer a password is in use, the greater the opportunity for someone to gain unauthorized knowledge of the password. The password for the built-in Administrator account must be changed at
- V Medium Unauthorized accounts must not have the Lock pages in memory user right. The "Lock pages in memory" user right allows physical memory to be assigned to
- V Medium Unauthorized accounts must not have the Modify an object label user right. Accounts with the "Modify an object label" user right can change the integrity label
- V Medium Unauthorized accounts must not have the Manage auditing and security log user right. Accounts with the "Manage auditing and security log" user right can manage the
- V Medium Unauthorized accounts must not have the Load and unload device drivers user right. The "Load and unload device drivers" user right allows device drivers to dynamically
- V Medium Unauthorized accounts must not have the Increase scheduling priority user right. Accounts with the "Increase scheduling priority" user right can change a scheduling
- This check verifies that SpyNet membership is disabled.
- V Medium Remote access to the Plug and Play interface will be disabled for device installation. This check verifies that remote access to the Plug and Play interface is disabled.
- V Medium The user will be prompted for a password on resume from sleep (Plugged In). Applicable on Server R2 if the system is configured to sleep. This check verifies that the user is prompted for a password on resume from sleep (Plugged In).
- V Medium Users will be prompted for a password on resume from sleep (on battery). Applicable to Server R2 if the system is configured to sleep. This check verifies that the user is prompted for a password on resume from sleep on battery.
- V Medium Zone information will be preserved when saving attachments. This check verifies that file attachments are marked with their zone of origin, allowing Windows to determine risk.
- V Medium Windows Help Ratings feedback will be turned off. This check verifies that users cannot provide ratings feedback to Microsoft for Help content
- V Medium The Windows Help Experience Improvement Program will be disabled. This check verifies that the Windows Help Experience Improvement Program is disabled to prevent information from being passed to the vendor.
- This check verifies that the Windows Customer Experience Improvement Program is disabled so information is not passed to the vendor.
- By default, the Everyone group is given full control to new file shares. When a share is created, permissions should be reconfigured to give the minimum access to those accounts that require it.
- V Medium The password history must be configured to 24 passwords remembered. A system is more vulnerable to unauthorized access when users can recycle the same password several times without being required to change it to a unique password on a regularly scheduled basis.
- V Medium The minimum password age must be configured to at least 1 day. Permitting passwords to be changed in immediate succession within the same day allows users to cycle passwords through their history database. This enables users to effectively negate the purpose
- V Medium The maximum password age must be configured to 60 days or less. The longer passwords are in use, the greater the opportunity for someone to gain unauthorized knowledge of them. Scheduled changing of passwords hinders the ability of unauthorized system users
- This setting ensures that services using Local System that use Negotiate, when reverting to NTLM authentication, will use the computer identity vs.
- This setting can cause disruptions in file and printer services.
- This setting prevents online identities from being used by PKU2U, which is a peer-to-peer authentication protocol. Authentication will be centrally managed with Windows user accounts.
- Certain encryption types are no longer considered secure. This setting configures a minimum encryption type for Kerberos, preventing the use of the DES encryption suites.
- V Medium Unauthorized accounts must not have the Impersonate a client after authentication user right. The "Impersonate a client after authentication" user right allows a program to
- V Medium The Application event log must be configured to a minimum size requirement.
- This check verifies whether the built-in Administrator account runs in Admin Approval Mode.
- V Medium User Account Control will, at a minimum, prompt administrators for consent. This check verifies whether a logged-on administrator is prompted for consent when attempting to complete a task that requires raised privileges.
- V Medium User Account Control will be configured to detect application installations and prompt for elevation. This check verifies whether Windows responds to application installation requests by prompting for credentials.
- Later versions of Windows PowerShell provide additional security and advanced logging features that can provide greater detail when malware has been run on a system. PowerShell 5.
- This check verifies that the configuration of wireless devices using Windows Connect Now is disabled.
- V Medium Unauthorized accounts must not have the Create global objects user right. Accounts with the "Create global objects" user right can create objects that are
- V Medium Unauthorized accounts must not have the Create permanent shared objects user right. Accounts with the "Create permanent shared objects" user right could expose sensitive
- V Medium The Active Directory Infrastructure object must be configured with proper audit settings.
- V Medium The Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access. The "Deny log on locally" right defines accounts that are prevented from logging on
- This provides a higher level of trust in the asserted identity than use of the username and