Share via


Windows Vista Security Guide

Appendix A: Security Group Policy Settings

On This Page

Overview Overview
Domain Policy Domain Policy
Computer Policy Computer Policy
User Policy User Policy
More Information More Information

Overview

This appendix identifies the security policy settings for the Enterprise Client (EC) and Specialized Security – Limited Functionality (SSLF) environments. The appendix also provides the recommended settings configured through the automated process that the Windows Vista Security Guide prescribes in Chapter 1, "Implementing the Security Baseline" and Chapter 5, "Specialized Security – Limited Functionality." The Windows Vista Security Guide Settings.xls file that accompanies this guide provides another resource that you can use to compare the setting values.

The appendix presents the settings according to how they appear in the Group Policy Object Editor user interface (UI) in the Windows Vista™ operating system.

Note   Group Policy settings that are new in Windows Vista are denoted with the § symbol.

The security settings this guide addresses are grouped into the following three main sections:

  • Domain policy. The settings in this section are applied to the domain.
  • Computer policy. The settings in this section are applied to desktop and laptop computers in the domain.
  • User policy. The settings in this section are applied to users in the domain.

Tables in each of the main sections list the setting names and refer to baseline values that the engineering team developed for both the EC and the SSLF security configurations prescribed in this guide.

Possible values vary considerably by setting. Most settings are configured to either Enabled or Disabled or some other value listed in the Group Policy Object Editor. However, many settings also require you to specify numerical values or security groups.

User rights policy settings require specific user and group names. When a particular user right is not granted to any user or group, the Group Policy Object Editor displays the setting as enabled, but no users or groups will be listed. The tables in this appendix use the value No one to describe settings configured in this way.

Settings configured to Not Defined or Not configured are not affected by the Group Policy objects (GPOs) included with this guide. This is very different than having a setting configured to No one as described previously. Settings not modified by the GPOs included with this guide can easily be modified by local computer administrators if the setting is not already configured by another GPO in your environment. This can lead to configuration inconsistencies across your environment, which could compromise security. For this reason, many prescribed settings merely enforce the default Windows Vista setting.

The following table shows a couple of examples that can help you understand the different possible configurations:

Setting Windows Vista default VSG EC Computer GPO VSG SSLF Computer GPO

Allow log on through Terminal Services

Administrators, Remote Desktop Users

Not Defined

No one

Adjust memory quotas for a process

Administrators, Local Service, Network Service

Not Defined

Administrators, Local Service, Network Service

 

Notice the default for the Allow log on through Terminal Services setting. The setting is Not Defined in the EC Computer GPO, which means no changes are made to the default. However, in the SSLF Computer GPO, the No one setting (an enabled setting that is blank in the Group Policy Object Editor) means that no user or group has the right to log on through Terminal Services. Furthermore a local computer administrator cannot easily change this setting because it is enforced through Group Policy.

Similarly, notice the default for the Adjust memory quotas for a process setting. Once again the EC Computer GPO does not modify the default. Under this configuration, a local computer administrator could easily modify this setting. However, in the SSLF environment, this would not be possible because the SSLF Computer GPO enforces the default setting.

Finally, there are several settings prescribed in the guide that require specific environment information to provide the proper functionality. Because it is not possible to include these settings in the GPOs included with this guide, they are configured in the tables with a value of Recommended. You should further investigate these settings to determine the proper configuration.

  Warning

The functionality of many settings in this appendix are dependent on other settings, and these dependencies are by design. Also, the values for some settings require you to customize them to the specific needs of your environment for them to work properly. For these reasons, if you alter any of the prescribed settings values for either the EC or SSLF environment, be prepared to extensively test the client computers in your environment to ensure their full functionality.

Top Of Page Top of page

Domain Policy

The security settings in this section of the appendix apply to the domain. These settings are applied through the Computer Configuration node in the Group Policy Object Editor. Within this node, the following setting groups appear in the Windows Settings sub-node:

  • Password Policy Settings
  • Account Lockout Policy Settings

Password Policy Settings

Complex passwords that you change regularly help reduce the likelihood of a successful password attack. Password policy settings control the complexity and lifetime of passwords. You configure password policy settings only by Group Policy at the domain level.

You can configure the password policy settings in the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

The following table summarizes the password policy setting recommendations for the two types of secure environments defined in this guide. The following subsections describe each of the settings.

Table A2. Password Policy Setting Recommendations

Setting Windows Vista default Domain controller default VSG EC Domain GPO VSG SSLF Domain GPO

Enforce password history

0 passwords remembered

24 passwords remembered

24 passwords remembered

24 passwords remembered

Maximum password age

42 days

42 days

90 days

90 days

Minimum password age

0 days

1 day

1 day

1 day

Minimum password length

0 characters

7 characters

8 characters

12 characters

Password must meet complexity requirements

Disabled

Enabled

Enabled

Enabled

Store passwords using reversible encryption

Disabled

Disabled

Disabled

Disabled

Enforce password history
This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password.

Configure the Enforce password history setting to 24 passwords for the two security environments in this guide.

Maximum password age
Values for this policy setting range from 1 to 999 days. (You can also set the value to 0 to specify that passwords never expire.) This policy setting defines how long a user can use their password before it expires. The default value for this policy setting is 42 days. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current.

Configure the Maximum password age setting to a value of 90 days for the two security environments defined in this guide.

Minimum password age
This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days.

The value for the Minimum password age setting must be less than that specified for the Maximum password age setting, unless the value for the Maximum password age setting is configured to 0, which causes passwords never to expire. If the value for the Maximum password age setting is configured to 0, the value for this policy setting can be configured to any value between 0 and 999.

If you want the Enforce password history setting to be effective, configure this value to be greater than 0. If the Minimum password age setting is 0, users can cycle through passwords repeatedly until they can re-use an old favorite.

Configure the Minimum password age setting to a value of 1 day for the two security environments defined in this guide. This value discourages users from repeated re-use of the same password because it requires them to wait a full day before they can change passwords. It also encourages users to remember new passwords because they must use them for at least a day before they can reset them. Finally, it does not allow users to circumvent the Enforce password history setting restriction.

Minimum password length
This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps "pass phrase" is a better term than "password." In Microsoft® Windows 2000 and later versions, pass phrases can be quite long and can include spaces. Therefore, a phrase such as "I want to drink a $5 milkshake" is a valid pass phrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember. Remember that users must be educated about the proper selection and maintenance of passwords, especially with regard to password length.

In the EC environment, ensure that the value for the Minimum password length setting is configured to 8 characters. This policy setting is long enough to provide adequate security. In the SSLF environment, configure the value to 12 characters.

Password must meet complexity requirements
This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. By default, the value for this policy setting in Windows Vista is configured to Disabled, but it is Enabled in a Microsoft Windows Server® 2003 domain for both environments described in this guide.

When this policy is enabled, passwords must meet the following minimum requirements:

  • Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
  • Be at least six characters in length
  • Contain characters from three of the following four categories:
  • English uppercase characters (A through Z)
  • English lowercase characters (a through z)
  • Base 10 digits (0 through 9)
  • Non-alphabetic characters (for example, !, $, #, %)

Each additional character in a password increases its complexity exponentially. For instance, a seven-character, all lower-case alphabetic password would have 267 (approximately 8 x 109 or 8 billion) possible combinations. At 1,000,000 attempts per second (a capability of many password-cracking utilities), it would only take 133 minutes to crack. A seven-character alphabetic password with case sensitivity has 527 combinations. A seven-character case-sensitive alphanumeric password without punctuation has 627 combinations. An eight-character password has 268 (or 2 x 1011) possible combinations. Although this might seem to be a large number, at 1,000,000 attempts per second it would take only 59 hours to try all possible passwords. Remember, these times will significantly increase for passwords that use ALT characters and other special keyboard characters such as "!" or "@". Proper use of the password settings can help make it difficult to mount a brute force attack.

Store passwords using reversible encryption
This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user's password for authentication purposes. Passwords that are stored with reversible encryption are essentially the same as plaintext versions of the passwords. For this reason, you should enable this policy setting only when application requirements outweigh the need to protect password information. The default value for this policy setting is Disabled.

You must enable this policy setting when using the Challenge-Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Service (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS).

Ensure that the Store passwords using reversible encryption for all users in the domain setting has a Disabled configuration, as it is in the Default Domain Group Policy object (GPO) of Windows Server 2003 and in the local security policy for workstations and servers. This policy setting is also Disabled in the two environments that are defined in this guide.

How to Make Users Change Passwords Only When Required

In addition to these password policies, centralized control over all users is a requirement for some organizations. This section describes how to prevent users from changing their passwords except when they are required to do so.

Centralized control of user passwords is a cornerstone of a well-crafted Windows Vista security scheme. You can use Group Policy to set minimum and maximum password ages as discussed previously. However, frequent password change requirements can enable users to circumvent the Enforce password history setting for your environment. Requirements for passwords that are too long may also lead to help desk calls from users who forget their passwords.

Users can change their passwords during the period between the minimum and maximum password age settings. However, the SSLF environment security design requires that users change their passwords only when prompted by the operating system after their passwords have reached the maximum age of 42 days. To achieve this level of control, administrators can disable the Change Password button in the Windows Security dialog box that appears when you press CTRL+ALT+DEL.

You can implement this configuration for an entire domain through Group Policy, or edit the registry to implement it for one or more specific users. For more information about this configuration, see Microsoft Knowledge Base article 324744, "How To: Prevent Users from Changing a Password Except When Required in Windows Server 2003." If you have a Windows 2000–based domain, see Knowledge Base article 309799, "How To: Prevent Users from Changing a Password Except When Required in Windows 2000."

Account Lockout Policy Settings

The account lockout policy is an Active Directory® directory service security feature that locks a user account. The lock prevents logon after a specified number of failed logon attempts occur within a specified period. Domain controllers track logon attempts and the number of allowed attempts and the period are based on the values that are configured for the account lockout settings. In addition, you can specify the duration of the lock.

These policy settings help prevent attackers from guessing user passwords, and they decrease the likelihood of successful attacks on your network environment. However, an enabled account lockout policy will probably result in more support issues for network users. Before you enable the following settings, ensure that your organization wants to accept this additional management overhead. For many organizations, an improved and less-costly solution is to automatically scan the Security event logs for domain controllers and generate administrative alerts when it appears that someone is attempting to guess passwords for user accounts.

You can configure the account lockout policy settings in the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings
\Account Policies\Account Lockout Policy

The following table includes the account lockout policy setting recommendations for both of the security environments defined in this guide. The following subsections describe each of the settings.

Table A3. Account Lockout Policy Setting Recommendations

Setting Windows Vista default Domain controller default VSG EC Domain GPO VSG SSLF Domain GPO

Account lockout duration

Not Defined

Not Defined

15 minutes

15 minutes

Account lockout threshold

0 invalid logon attempts

0 invalid logon attempts

50 invalid logon attempts

10 invalid logon attempts

Reset account lockout counter after

Not Defined

Not Defined

15 minutes

15 minutes

Account lockout duration
This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, locked out accounts will remain locked out until an administrator manually unlocks them. The Windows Vista default value for this policy setting is Not Defined.

To reduce the number of help desk support calls and also help provide a secure infrastructure, configure the value for the Account lockout duration setting to 15 minutes for both the EC and SSLF environments that are defined in this guide.

Although it might seem like a good idea to configure the value for this policy setting to a high value, such a configuration will likely increase the number of calls that the help desk receives to unlock accounts locked by mistake. The recommended setting value of 15 minutes was determined to be a reasonable amount of time for users to wait to log on again, in addition to providing a level of protection against brute force password attacks. Users should be aware of the length of time a lock remains in place, so that they realize they only need to call the help desk if they have an extremely urgent need to regain access to their computer.

Account lockout threshold
This policy setting determines the number of failed logon attempts before a lock occurs. Authorized users can lock themselves out of an account by mistyping their password or by remembering it incorrectly, or by changing their password on one computer while logged on to another computer. The computer with the incorrect password will continuously try to authenticate the user, and because the password it uses to authenticate is incorrect, a lock occurs. To avoid accidental lockout of authorized users, set the account lockout threshold to a high number. The default value for this policy setting is 0 invalid logon attempts, which disables the account lockout feature.

Configure the value for the Account lockout threshold setting to 50 invalid logon attempts for EC environments and 10 invalid logon attempts for SSLF environments.

Because it is possible for an attacker to use this lockout state as a denial of service (DoS) by triggering a lockout on a large number of accounts, your organization should determine whether to use this policy setting based on identified threats and the risks you want to mitigate. There are two options to consider for this policy setting.

  • Configure the value for Account lockout threshold to 0 to ensure that accounts will not be locked out. This setting value will prevent a DoS attack that attempts to lock out accounts in your organization. It will also reduce help desk calls, because users will not be able to lock themselves out of their accounts accidentally. However, this setting value will not prevent a brute force attack. The following defenses should also be considered:
  • A password policy that forces all users to have complex passwords made up of 8 or more characters.
  • A robust auditing mechanism, which will alert administrators when a series of account lockouts occurs in the environment. For example, the auditing solution should monitor for security event 539, which is a logon failure. This event identifies that there was a lock on the account at the time of the logon attempt.
  • Configure the value for Account lockout threshold to a value that will provide users with the ability to mistype their password several times but will lock out the account if a brute force password attack occurs. A setting value of 50 invalid logon attempts for EC environments and 10 for SSLF type environments should help ensure adequate security and acceptable usability. This configuration will prevent accidental account lockouts and reduce help desk calls, but will not prevent a DoS attack.

Reset account lockout counter after
This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setting.

Configure the value for the Reset account lockout counter after setting to 15 minutes for both the EC and SSLF environments defined in this guide.

If you leave this policy setting at its default value or configure the value to an interval that is too long, your environment could be vulnerable to a DoS attack. An attacker could maliciously perform a number of failed logon attempts on all users in the organization, which will lock out their accounts as described earlier in this appendix. If no policy were determined to reset the account lockout, it would be a manual task for administrators. Conversely, if a reasonable time value is configured for this policy setting, users would be locked out for a set period until all of the accounts are unlocked automatically. The recommended setting value of 15 minutes was determined to be a reasonable amount of time that users are likely to accept, which should help to minimize the number of calls to the help desk. Users should be aware of the length of time they must wait before attempting to logon so they realize they only need to call the help desk if they have an extremely urgent need to regain access to their computer.

Top Of Page Top of page

Computer Policy

The security settings in this section of the appendix apply to desktop and laptop computers in the domain. These settings are applied through the Computer Configuration node in the Group Policy Object Editor. Within this node, these settings appear in the Windows Settings and Administrative Templates sub-nodes.

Computer Configuration\Windows Settings

The following setting groups appear in the Computer Configuration\Windows Settings\Security Settings\Local Policies subdirectory:

  • Audit Policy Settings
  • User Rights Assignment Settings
  • Security Options Settings

The following setting groups appear in the Computer Configuration\Windows Settings\Security Settings subdirectory:

  • Event Log Security Settings
  • Windows Firewall with Advanced Security Settings

Audit Policy Settings

An audit policy determines the security events to report to administrators so that there is a record of user or system activity in specified event categories. The administrator can monitor security-related activity, such as who accesses an object, when users log on to or log off from computers, or if changes are made to an Audit policy setting. For all of these reasons, Microsoft recommends that you form an Audit policy for an administrator to implement in your environment.

However, before you implement an Audit policy you must investigate which event categories to audit in your environment. The audit settings you choose within the event categories define your Audit policy. When you define audit settings for specific event categories, an administrator can create an Audit policy that will meet the security needs of your organization.

If you do not configure audit settings, it will be difficult or impossible to determine what took place during a security incident. However, if you configure audit settings so that too many authorized activities generate events, the Security event log will fill up with too much data. The information in the following sections will help you decide what to monitor to facilitate the collection of relevant audit data for your organization.

Windows Vista includes the same nine audit policy categories present in previous versions of Windows, which are:

  • System
  • Logon/Logoff
  • Object Access
  • Privilege Use
  • Detailed Tracking
  • Policy Change
  • Account Management
  • DS Access
  • Account Logon

However, Windows Vista allows audit policy to be managed in a more precise way by including fifty audit policy subcategories. Although not all subcategories apply to Windows Vista-based computers, many of them can be configured to record specific events that provide valuable information.

In the past, configuring any of the nine audit categories was easily accomplished using Group Policy. Although the same is possible with Windows Vista, the new audit subcategories cannot be configured individually using the Group Policy Object Editor because the subcategories are not exposed in the Group Policy Object Editor. If you configure any of the audit categories in Windows Vista using the settings present in the Group Policy Object Editor, all subcategories will also be configured. This will most likely cause excessive audit logging that will quickly fill up your event logs.

The recommended approach is to configure only the necessary audit subcategories. Configuring each subcategory requires using a command-line tool included in Windows Vista called AuditPol.exe.

Having to use a command-line tool makes it very difficult to implement the prescribed audit policy across many computers. However, Microsoft has developed a solution for configuring audit subcategories using Group Policy. This solution is automatically implemented by the scripts and GPOs included with this guide.

When you run the GPOAccelerator.wsf script as described in Chapters 1 and 5 of this guide, the script automatically copies the following files to the NETLOGON share of one of your domain controllers.

For the EC environment:

  • EC-VSGAuditPolicy.cmd
  • EC-VSGApplyAuditPolicy.cmd
  • EC-VSGAuditPolicy.txt

For the SSLF environment:

  • SSLF-VSGAuditPolicy.cmd
  • SSLF-VSGApplyAuditPolicy.cmd
  • SSLF-VSGAuditPolicy.txt

These files will then automatically replicate to the NETLOGON share of domain controllers in your Active Directory domain. The computer-specific GPOs created by the GPOAccelerator.wsf script include a computer startup script that runs these files to configure the prescribed audit policy settings. The first time these files run on a computer, a scheduled task named VSGAudit is created. This task will run every hour to help ensure the audit policy settings are up to date.

For more information on the solution for configuring the new audit policy settings in Windows Vista in a Windows Server 2003-based domain, see the Knowledge Base article 921469, "How to use Group Policy to configure detailed security auditing settings for Windows Vista client computers in a Windows Server 2003 domain or in a Windows 2000 domain."

The following table summarizes the audit policy setting recommendations for both desktop and laptop client computers in the two types of secure environments discussed in this guide. You should review these recommendations and adjust them as appropriate for your organization. Information about how to modify the audit policy settings configured by GPOs included with this guide is provided at the end of this section.

However, be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated will make it difficult to find other types of entries in the Security event log. Such a configuration could also have a significant impact on performance.

The following sections provide a brief description of each Audit policy. The tables in each section include recommendations for both desktop and laptop client computers in the two types of secure environments discussed in this guide.

Note   Due to time constraints, descriptions of each of the audit policy subcategories are not provided in this guide. The forthcoming release of theThreats and Countermeasures guide will include detailed descriptions of each of the 50 audit policy subcategories.

System

The System audit category allows you to monitor system events that succeed and fail, and provides a record of these events that may help determine instances of unauthorized system access. System events include starting or shutting down computers in your environment, full event logs, or other security-related events that affect the entire system.

In Windows Vista, the System audit category contains the subcategories represented in the following table.

Table A4. System Audit Policy Subcategory Recommendations

Subcategory Windows Vista default VSG EC Computer GPOs VSG SSLF Computer GPOs

§ Security System Extension

No Auditing

Success and Failure

Success and Failure

§ System Integrity

Success and Failure

Success and Failure

Success and Failure

§ IPsec Driver

No Auditing

Success and Failure

Success and Failure

§ Other System Events

Success and Failure

No Auditing

No Auditing

§ Security State Change

Success

Success and Failure

Success and Failure

§ - Denotes Group Policy settings that are new in Windows Vista.

Logon/Logoff

This audit category generates events that record the creation and destruction of logon sessions. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource.

If you configure the Audit logon events setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers.

In Windows Vista, the Logon\Logoff events audit category contains the subcategories represented in the following table.

Table A5. Logon/Logoff Audit Policy Subcategory

Subcategory Windows Vista default VSG EC Computer GPOs VSG SSLF Computer GPOs

§ Logon

Success

Success

Success and Failure

§ Logoff

Success

Success

Success

§ Account Lockout

Note  No events map to this subcategory.

Success

No Auditing

No Auditing

§ IPsec Main Mode

No Auditing

No Auditing

No Auditing

§ IPsec Quick Mode

No Auditing

No Auditing

No Auditing

§ IPsec Extended Mode

No Auditing

No Auditing

No Auditing

§ Special Logon

Success

Success

Success

§ Other Logon/Logoff Events

No Auditing

No Auditing

No Auditing

§ - Denotes Group Policy settings that are new in Windows Vista.

Object Access

By itself, this policy setting will not cause auditing of any events. It determines whether to audit the event of a user who accesses an object—for example, a file, folder, registry key, or printer—that has a specified system access control list (SACL), effectively enabling auditing to take place.

A SACL is comprised of access control entries (ACEs). Each ACE contains three pieces of information:

  • The security principal (user, computer, or group) to be audited.
  • The specific access type to be audited, called an access mask.
  • A flag to indicate whether to audit failed access events, successful access events, or both.

If you configure the Audit object access setting to Success, an audit entry is generated each time that a user successfully accesses an object with a specified SACL. If you configure this policy setting to Failure, an audit entry is generated each time that a user fails in an attempt to access an object with a specified SACL.

Organizations should define only the actions they want enabled when they configure SACLs. For example, you might want to enable the Write and Append Data auditing setting on executable files to track when they are changed or replaced, because computer viruses, worms, and Trojan horses typically target executable files. Similarly, you might want to track when sensitive documents are accessed or changed.

The Object Access events audit category contains the subcategories represented in the following table.

Table A6. Object Access Audit Policy Subcategory Recommendations

Subcategory Windows Vista default VSG EC Computer GPOs VSG SSLF Computer GPOs

§ File System

No Auditing

No Auditing

Failure

§ Registry

No Auditing

No Auditing

Failure

§ Kernel Object

No Auditing

No Auditing

No Auditing

§ SAM

No Auditing

No Auditing

No Auditing

§ Certification Services

No Auditing

No Auditing

No Auditing

§ Application Generated

No Auditing

No Auditing

No Auditing

§ Handle Manipulation

No Auditing

No Auditing

No Auditing

§ File Share

No Auditing

No Auditing

No Auditing

§ Filtering Platform Packet Drop

No Auditing

No Auditing

No Auditing

§ Filtering Platform Connection

No Auditing

No Auditing

No Auditing

§ Other Object Access Events

No Auditing

No Auditing

No Auditing

§ - Denotes Group Policy settings that are new in Windows Vista.

The following procedures describe how to configure audit rules on a file or folder and how to test each audit rule for each object in the specified file or folder.

Note   You must use Auditpol.exe to configure the File System subcategory to audit Success and Failure events for the following steps to log events in the Security event log.

To define an audit rule for a file or folder

  1. Use Windows Explorer to locate the file or folder and then click it.

  2. On the File menu, click Properties.

  3. Click the Security tab, and then click the Advanced button.

  4. Click the Auditing tab.

  5. If prompted for administrative credentials, clickContinue, type your username and password, and press ENTER.

  6. Click the Add button. TheSelect User,Computer,or Group dialog box will display.

  7. Click the Object Types button, and in the Object Types dialog box, select the object types you want to find.

Note   The User,Group, and Built-in security principal object types are selected by default.

  1. Click the Locations button, and in the Location dialog box, select either your domain or local computer.

  2. In the Select User or Group dialog box, type the name of the group or user you want to audit. Then, in the Enter the object names to select dialog box, type Authenticated Users (to audit the access of all authenticated users) and then click OK. TheAuditing Entry dialog box will display.

  3. Determine the type of access you want to audit on the file or folder using the Auditing Entry dialog box.

Note   Remember that each access may generate multiple events in the event log and cause it to grow rapidly.

  1. In the Auditing Entry dialog box, next to List Folder / Read Data, selectSuccessful and Failed, and then clickOK.

  2. The audit entries you have enabled will display under the Auditing tab of the Advanced Security Setting dialog box.

  3. Click OK to close the Properties dialog box.

To test an audit rule for the file or folder

  1. Open the file or folder.
  2. Close the file or folder.
  3. Start the Event Viewer. Several Object Access events with Event ID 4663 will appear in the Security event log.
  4. Double-click the events as needed to view their details.
Privilege Use

The Privilege Use audit category determines whether to audit each instance of a user exercising a user right. If you configure this value to Success, an audit entry is generated each time that a user right is exercised successfully. If you configure this value to Failure, an audit entry is generated each time that a user right is exercised unsuccessfully. This policy setting can generate a very large number of event records.

The Privilege Use events audit category contains the subcategories represented in the following table.

Table A7. Privilege Use Audit Policy Subcategory Recommendations

Subcategory Windows Vista default VSG EC Computer GPOs VSG SSLF Computer GPOs

§ Sensitive Privilege Use

No Auditing

No Auditing

Success and Failure

§ Non Sensitive Privilege Use

No Auditing

No Auditing

No Auditing

§ Other Privilege Use Events
Note No events map to this subcategory.

No Auditing

No Auditing

No Auditing

§ - Denotes Group Policy settings that are new in Windows Vista.

Detailed Tracking

The Detailed Tracking audit category determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Enabling Audit process tracking will generate a large number of events, so it is typically set to No Auditing. However, this setting can provide a great benefit during an incident response from the detailed log of the processes started and the time when they were launched.

The Detailed Tracking events audit category contains the subcategories represented in the following table.

Table A8. Detailed Tracking Audit Policy Subcategory Recommendations

Subcategory Windows Vista default VSG EC Computer GPO VSG SSLF Computer GPO

§ Process Termination

No Auditing

No Auditing

No Auditing

§ DPAPI Activity

No Auditing

No Auditing

No Auditing

§ RPC Events

No Auditing

No Auditing

No Auditing

§ Process Creation

No Auditing

Success

Success

§ - Denotes Group Policy settings that are new in Windows Vista.

Policy Change

The Policy Change audit category determines whether to audit every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself. The recommended settings would let you see any account privileges that an attacker attempts to elevate—for example, by adding the Debug programs privilege or theBack up files and directories privilege.

The Policy Change events audit category contains the subcategories represented in the following table.

Table A9. Policy Change Audit Policy subcategory Recommendations

Subcategory Windows Vista default VSG EC Computer GPOs VSG SSLF Computer GPOs

§ Audit Policy Change

Success

Success and Failure

Success and Failure

§ Authentication Policy Change

Success

Success

Success

§ Authorization Policy Change

No Auditing

No Auditing

No Auditing

§ MPSSVC Rule-Level Policy Change

No Auditing

No Auditing

No Auditing

§ Filtering Platform Policy Change

No Auditing

No Auditing

No Auditing

§ Other Policy Change Events

No Auditing

No Auditing

No Auditing

§ - Denotes Group Policy settings that are new in Windows Vista.

Account Management

The Account Management audit category helps you track attempts to create new users or groups, rename users or groups, enable or disable user accounts, change account passwords, and enable auditing for Account Management events. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user and group accounts.

The Account Management events audit category contains the subcategories represented in the following table.

Table A10. Account Management System Audit Policy Subcategory Recommendations

Subcategory Windows Vista default VSG EC Computer GPOs VSG SSLF Computer GPOs

§ User Account Management

Success

Success

Success and Failure

§ Computer Account Management

No Auditing

Success

Success and Failure

§ Security Group Management

Success

Success

Success and Failure

§ Distribution Group Management

No Auditing

No Auditing

No Auditing

§ Application Group Management

No Auditing

No Auditing

No Auditing

§ Other Account Management Events

No Auditing

Success

Success and Failure

§ - Denotes Group Policy settings that are new in Windows Vista.

DS Access

The DS Access audit category applies only to domain controllers. For this reason, the DS Access audit category and all related subcategories are configured to No Auditing for both environments discussed in this guide.

The DS Access events audit category contains the subcategories represented in the following table.

Table A11. DS Access Audit Policy Subcategory Recommendations

Subcategory Windows Vista default VSG EC Computer GPOs VSG SSLF Computer GPOs

§ Directory Service Changes

No Auditing

No Auditing

No Auditing

§ Directory Service Replication

No Auditing

No Auditing

No Auditing

§ Detailed Directory Service Replication

No Auditing

No Auditing

No Auditing

§ Directory Service Access

No Auditing

No Auditing

No Auditing

§ - Denotes Group Policy settings that are new in Windows Vista.

Account Logon

The Account Logon audit category generates events for credential validation. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authoritative, whereas for local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the domain controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on.

The Account Logon events audit category contains the subcategories represented in the following table.

Table A12. Account Logon Audit Policy Subcategory Recommendations

Subcategory Windows Vista default VSG EC Computer GPOs VSG SSLF Computer GPOs

§ Credential Validation

No Auditing

Success

Success and Failure

§ Kerberos Ticket Events

No Auditing

No Auditing

No Auditing

§ Other Account Logon Events

Note No events map to this subcategory.

No Auditing

No Auditing

No Auditing

§ - Denotes Group Policy settings that are new in Windows Vista.

Modifying Audit Policy Settings

To modify the audit policy subcategories and settings configured by the GPOs included with this guide requires you to use Auditpol.exe to modify the configuration of one computer in your environment, and generate a file that contains the audit policy settings for your environment. The computer GPOs included with this guide will then apply the modified audit policy to computers in your environment.

To modify your audit policy configuration

  1. Log on as a domain administrator to a computer running Windows Vista that is joined to the domain using Active Directory in which you will create the GPOs.

  2. On the desktop, click the Windows Vista Start button, click All Programs, click Accessories, right-clickCommand Prompt, and then click Run as administrator.

  3. Clear the current audit policy settings. To do this, type the following line at the command prompt, and then press ENTER:

auditpol /clear

  1. Use the Auditpol.exe command-line tool to configure the custom audit policy settings that you want. For example, type the following lines at the command prompt. Press ENTER after each line.

Note Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line.

auditpol /set /subcategory:"user account management" /success:enable /failure:enable auditpol /set /subcategory:"logon" /success:enable /failure:enable auditpol /set /subcategory:"IPSEC Main Mode" /failure:enable

Note To see all possible categories and subcategories, type the following line at the command prompt, and then press ENTER:
auditpol /list /subcategory:*

Type the following line at the command prompt, and then press ENTER:

auditpol /backup /file:EC-AuditPolicy.txt (or SSLF-AuditPolicy.txt)

  1. Copy the new EC-AuditPolicy.txt (or SSLF-AuditPolicy.txt) file to the NETLOGON share of one of the domain controllers in your environment, and overwrite the existing version.

The computer GPOs included with this guide will use the new EC-AuditPolicy.txt (or SSLF-AuditPolicy.txt) file to modify and configure the audit policy settings on your computers.

Removing the Audit Policy Configuration

As previously discussed, the solution implemented by the GPOs included with this guide for configuring the audit policy subcategories creates the VSGAudit scheduled task on all computers in your environment. If you have removed the GPOs included with this guide from your environment, you might want to delete the VSGAudit scheduled task. The VSGAudit scheduled task should not affect the performance of computers running Windows Vista even if the GPOs included with this guide have been removed from your environment.

To delete the VSGAudit scheduled task from computers across your environment

  1. Depending on your environment, delete the following three files from the NETLOGON share of one of the domain controllers in your environment:

For the EC environment:

  • EC-VSGAuditPolicy.cmd
  • EC-VSGApplyAuditPolicy.cmd
  • EC-VSGAuditPolicy.txt

For the SSLF environment:

  • SSLF-VSGAuditPolicy.cmd
  • SSLF-VSGApplyAuditPolicy.cmd
  • SSLF-VSGAuditPolicy.txt
  1. Create an empty text file, name it DeleteVSGAudit.txt, and copy it to the NETLOGON share of one of the domain controllers in your environment. The text file will automatically replicate to all domain controllers in your environment.

The VSGAudit scheduled task checks for the DeleteVSGAudit.txt file every time it runs, and when it finds the file, the VSGAudit scheduled task deletes itself. Since the VSGAudit scheduled task is configured to run every hour, it should not take long before the task is deleted from all computers across your environment.

Audit Policies for Computers Running Windows XP in the EC Environment

The GPOs included with this guide include settings that configure the audit categories present in previous versions of Windows. If you use the script and the GPOs included with this guide, these settings will not apply to computers running Windows Vista.

The GPOs intended for use in the EC environment have been designed to work with Windows XP-based computers. Settings for audit categories are included in these GPOs so that computers running Windows XP in your environment receive the recommended audit policy settings for Windows XP-based computers.

You can configure the Audit policy settings in Windows Vista at the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings
\Local Policies\Audit Policy

The following table summarizes the Audit policy setting recommendations for both desktop and laptop client computers in the two types of secure environments discussed in this guide.

Table A13. Audit Policy Setting Recommendations

Setting Windows Vista default VSG EC Computer GPOs VSG SSLF Computer GPOs

Audit account logon events

No Auditing

Success

Not Defined

Audit account management

No Auditing

Success

Not Defined

Audit directory service access

No Auditing

Not Defined

Not Defined

Audit logon events

No Auditing

Success

Not Defined

Audit object access

No Auditing

No Auditing

Not Defined

Audit policy change

No Auditing

Success

Not Defined

Audit privilege use

No Auditing

No Auditing

Not Defined

Audit process tracking

No Auditing

No Auditing

Not Defined

Audit system events

No Auditing

Success

Not Defined

Note   Because GPOs for the EC environment are designed to work with computers running Windows XP, the recommended audit policy settings are included in these GPOs. However, because the SSLF GPOs are only designed to work with computers running Windows Vista, audit policy settings are not included in the SSLF GPOs.

User Rights Assignment Settings

In conjunction with many of the privileged groups in Windows Vista, a number of user rights can be assigned to certain users or groups that typical users do not have.

To set the value of a user right to No one, enable the setting but do not add any users or groups to it. To set the value of a user right to Not Defined, do not enable the setting.

You can configure the user rights assignment settings in Windows Vista at the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

The following table summarizes user rights assignment setting recommendations for user rights that begin with the letters A through E. Recommendations are provided for both desktop and laptop client computers in the two types of secure environments that are discussed in this guide. The following subsections provide more detailed information about each of the settings.

Recommendations for user rights that begin with the rest of the letters in the alphabet are summarized in Table A5, and additional detailed information about those user rights is provided in the subsections that follow that table.

Note   Many features in IIS require certain accounts such as IIS_WPG, IIS IUSR_<ComputerName>, and* IWAM_<ComputerName>* to have specific privileges. For more information about what user rights are required by accounts that are related to IIS, seeIIS and Built-in Accounts (IIS 6.0).

User Rights A - E

The following table summarizes user rights assignment setting recommendations for user rights that start with the letters A through E. The subsections that follow this table provide more detailed information about each of these settings.

Table A14. User Rights Assignment Setting Recommendations,Part 1

Setting Windows Vista default VSG EC Computer GPOs VSG SSLF Computer GPOs

Access this computer from the network

Everyone, Administrators, Users, Backup Operators

Administrators, Users

Administrators

Act as part of the operating system

No one

No one

No one

Adjust memory quotas for a process

Administrators, Local Service, Network Service

Not Defined

Administrators, Local Service, Network Service

Allow log on locally

Guest, Administrators, Users, Backup Operators

Administrators, Users

Administrators, Users

Allow log on through Terminal Services

Administrators, Remote Desktop Users

Not Defined

No one

Back up files and directories

Administrators, Backup Operators

Not Defined

Administrators

Bypass traverse checking

Everyone, Administrators, Users, Backup Operators, Local Service, Network Service

Not Defined

Administrators, Users, Local Service, Network Service

Change the system time

Local Service, Administrators

Local Service, Administrators

Local Service, Administrators

§ Change the time zone

Local Service, Administrators, Users

Not Defined

Local Service, Administrators, Users

Create a pagefile

Administrators

Administrators

Administrators

Create permanent shared objects

No one

Not Defined

No one

Create a token object

No one

Not Defined

No one

Create global objects

Administrators, Service, Local Service, Network Service

Not Defined

Administrators, Service, Local Service, Network Service

§ Create symbolic links

Administrators

Not Defined

Administrators

Debug programs

Administrators

Administrators

No one

Deny access to this computer from the network

Guest

Guests

Guests

Deny log on as a batch job

No one

Not Defined

Guests

Deny log on locally

Guest

Guests

Guests

Deny log on through Terminal Services

No one

Not Defined

Everyone

Enable computer and user accounts to be trusted for delegation

No one

Not Defined

No one

§ - Denotes Group Policy settings that are new in Windows Vista.

Access this computer from network
This policy setting allows other users on the network to connect to the computer and is required by various network protocols that include Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+).

The Access this computer from network setting is configured to Administrators and Users for the EC environment and to Administrators for the SSLF environment.

Act as part of the operating system
This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access.

For this reason, the Act as part of the operating system setting is restricted to No one for both of the environments that are discussed in this guide.

Adjust memory quotas for a process
This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial of service (DoS) attack.

For this reason, the Adjust memory quotas for a process setting is restricted to Administrators, Local Service, andNetwork Service for the SSLF environment and configured to Not Defined for the EC environment.

Allow log on locally
This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the client computer keyboard require this user right. Users who attempt to log on through Terminal Services or IIS also require this user right.

The Guest account is assigned this user right by default. Although this account is disabled by default, Microsoft recommends that you enable this setting through Group Policy. However, this user right should generally be restricted to the Administrators and Users groups. Assign this user right to theBackup Operators group if your organization requires that they have this capability.

The Allow log on locally setting is restricted to theUsers andAdministrators groups for the two environments that are discussed in this guide.

Allow log on through Terminal Services
This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. If your organization uses Remote Assistance as part of its help desk strategy, create a group and assign it this user right through Group Policy. If the help desk in your organization does not use Remote Assistance, assign this user right only to the Administrators group or use the restricted groups feature to ensure that no user accounts are part of the Remote Desktop Users group.

Restrict this user right to theAdministrators group, and possibly the Remote Desktop Users group, to prevent unwanted users from gaining access to computers on your network by means of the Remote Assistance feature.

The Allow log on through Terminal Services setting is configured to Not Defined for the EC environment. For additional security this policy setting is configured to No one for the SSLF environment.

Back up files and directories
This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programming interface (API). Otherwise, the assigned file and directory permissions apply.

The Back up files and directories setting is configured to Not Defined for computers in the EC environment and to the Administrators group for the SSLF environment.

Bypass traverse checking
This policy setting allows users who do not have the special "Traverse Folder" access permission to "pass through" folders when they browse an object path in the NTFS file system or in the registry. This user right does not allow users to list the contents of a folder, but only allows them to traverse directories.

The Bypass traverse checking setting is configured to Not Defined for computers in the EC environment. It is configured to the Administrators, Users ,Local Service,and Network Service groups and accounts for the SSLF environment.

Change the system time
This policy setting determines which users and groups can change the time and date on the internal clock of the computers in your environment. Users who are assigned this user right can affect the appearance of event logs. When a computer's time setting is changed, logged events reflect the new time, not the actual time that the events occurred.

The Change the system time setting is configured to the Local Service and to the Administrators group for both of the environments that are discussed in this guide.

Note   Discrepancies between the time on the local computer and on the domain controllers in your environment may cause problems for the Kerberos authentication protocol, which could make it impossible for users to log on to the domain or obtain authorization to access domain resources after they are logged on. Also, problems will occur when Group Policy is applied to client computers if the system time is not synchronized with the domain controllers.

Change time zone
This setting determines which users can change the time zone of the computer. This ability holds no great danger for the computer and may be useful for mobile workers.

The Change time zone setting is configured to Not Defined for the EC environment, and to Administrators,Local Service, and Users for the SSLF environment.

Create a pagefile
This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer.

The Create a pagefile setting is configured to theAdministrators for both the EC environment and the SSLF environment.

Create permanent shared objects
This policy setting allows users to create directory objects in the object manager. This user right is useful to kernel-mode components that extend the object namespace. However, components that run in kernel mode have this user right inherently, Therefore, it is typically not necessary to specifically assign this user right.

The Create a permanent shared objects setting is configured to Not Defined for the EC environment, and toNo one for the SSLF environment.

Create a token object
This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data. In environments in which security is a high priority, this user right should not be assigned to any users. Any processes that require this capability should use the Local System account, which is assigned this user right by default.

The Create a token object setting is configured to Not Defined for the EC environment and to No one for the SSLF environment.

Create global objects
This policy setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right.

Users who can create global objects could affect processes that run under other users' sessions. This capability could lead to a variety of problems, such as application failure or data corruption.

The Create global objects setting is configured to Not Defined for the EC environment and to Administrators,Service,Local Service,and Network Service for the SSLF environment.

Create symbolic links
This policy setting determines which users can create symbolic links. In Windows Vista, existing NTFS file system objects, such as files and folders, can be accessed by referring to a new kind of file system object called a symbolic link. A symbolic link is a pointer (much like a shortcut or .lnk file) to another file system object, which can be a file, folder, shortcut or another symbolic link. The difference between a shortcut and a symbolic link is that a shortcut only works from within the Windows shell. To other programs and applications, shortcuts are just another file, whereas with symbolic links, the concept of a shortcut is implemented as a feature of the NTFS file system.

Symbolic links can potentially expose security vulnerabilities in applications that are not designed to use them. For this reason, the privilege for creating symbolic links should only be assigned to trusted users. By default, only Administrators can create symbolic links.

The Create symbolic links setting is configured to Not Defined for computers in the EC environment and to theAdministrators group for the SSLF environment to enforce the default configuration.

Debug programs
This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. Developers who are debugging their own applications do not need to be assigned this user right; however, developers who are debugging new system components will need it.

Note Microsoft released several security updates in October 2003 that used a version of Update.exe that required the administrator to have theDebug programs user right. Administrators who did not have this user right were unable to install these security updates until they reconfigured their user rights. This is not typical behavior for operating system updates. For more information, see the Knowledge Base article 830846, "Windows Product Updates may stop responding or may use most or all the CPU resources."

Because an attacker could exploit this user right, it is assigned only to the Administrators group by default. The Debug programs policy setting is configured toAdministrators for the EC environment and toNo one for the SSLF environment.

Deny access to this computer from the network
This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In an SSLF environment, there should be no need for remote users to access data on a computer. Instead, file sharing should be accomplished through the use of network servers.

The Deny access to this computer from the network setting is configured to theGuests group for computers in both of the environments that are discussed in this guide.

Deny log on as a batch job
This policy setting prohibits user logon through a batch-queue facility, a feature in Windows Server 2003 that is used to schedule jobs to run automatically one or more times in the future.

The Deny log on as a batch job setting is configured to Not Defined for the EC environment and to theGuests group for the SSLF environment.

Deny log on locally
This policy setting prohibits users from local logon to the computer console. If unauthorized users could log on locally to a computer, they could download malicious code or elevate their privileges on the computer. (If attackers have physical access to the console, there are other risks to consider.) This user right should not be assigned to those users who need physical access to the computer console.

The Deny log on locally setting is configured to theGuests group for both of the environments that are discussed in this guide. Also, any service accounts for the SSLF environment that are added to the computer should be assigned this user right to prevent their abuse.

Deny log on through Terminal Services
This policy setting prohibits users from logging on to computers in your environment through Remote Desktop connections. If you assign this user right to the Everyone group, you also prevent members of the default Administrators group from using Terminal Services to log on to computers in your environment.

The Deny log on through Terminal Services setting is configured to Not Defined for the EC environment and to theEveryone group for the SSLF environment.

Enable computer and user accounts to be trusted for delegation
This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. Abuse of this privilege could allow unauthorized users to impersonate other users on the network.

For this reason, the Enable computer and user accounts to be trusted for delegation setting is configured to Not Defined for the EC environment and to No one for the SSLF environment.

User Rights F - T

The following table summarizes user rights assignment setting recommendations for user rights that start with the letters F through T. The subsections that follow this table provide more detailed information about each of these settings.

Table A15. User Rights Assignment Setting Recommendations,Part 2

Setting Windows Vista default VSG EC Computer GPOs VSG SSLF Computer GPOs

Force shutdown from a remote system

Administrators

Administrators

Administrators

Generate security audits

Local Service, Network Service

Local Service, Network Service

Local Service, Network Service

Impersonate a client after authentication

Administrators, Service, Local Service, Network Service

Not Defined

Administrators, Service, Local Service, Network Service

§ Increase a process working set

Users

Not Defined

Administrators

Increase scheduling priority

Administrators

Administrators

Administrators

Load and unload device drivers

Administrators

Administrators

Administrators

Lock pages in memory

No one

No one

No one

Log on as a batch job

Administrators, Backup Operators

Not Defined

No one

Log on as a service

No one

Not Defined

No one

Manage auditing and security log

Administrators

Administrators

Administrators

Modify firmware environment variables

Administrators

Administrators

Administrators

Perform volume maintenance tasks

Administrators

Administrators

Administrators

Profile single process

Administrators

Not Defined

Administrators

Profile system performance

Administrators

Administrators

Administrators

Remove computer from docking station

Administrators, Users

Administrators, Users

Administrators, Users

Replace a process level token

Local Service, Network Service

Local Service, Network Service

Local Service, Network Service

Restore files and directories

Administrators, Backup Operators

Not Defined

Administrators

Shut down the system

Administrators, Backup Operators, Users

Administrators, Users

Administrators, Users

Take ownership of files or other objects

Administrators

Administrators

Administrators

§ - Denotes Group Policy settings that are new in Windows Vista.

Force shutdown from a remote system
This policy setting allows users to shut down Windows Vista-based computers from remote locations on the network. Anyone who has been assigned this user right can cause a denial of service (DoS) condition, which would make the computer unavailable to service user requests. Therefore, Microsoft recommends that only highly trusted administrators be assigned this user right.

The Force shutdown from a remote system setting is configured to theAdministrators group for both of the environments that are discussed in this guide.

Generate security audits
This policy setting determines which users or processes can generate audit records in the Security log. An attacker could use this capability to create a large number of audited events, which would make it more difficult for a system administrator to locate any illicit activity. Also, if the event log is configured to overwrite events as needed, any evidence of unauthorized activities could be overwritten by a large number of unrelated events.

For this reason, theGenerate security audits setting is configured to theLocal Service and Network Service groups for both of the environments that are discussed in this guide.

Impersonate a client after authentication
The policy setting allows programs that run on behalf of a user to impersonate that user (or another specified account) so that they can act on behalf of the user. If this user right is required for this kind of impersonation, an unauthorized user will not be able to convince a client to connect—for example, by remote procedure call (RPC) or named pipes—to a service that they have created to impersonate that client, which could elevate the unauthorized user's permissions to administrative or system levels.

Services that are started by the Service Control Manager have the built-in Service group added by default to their access tokens. COM servers that are started by the COM infrastructure and configured to run under a specific account also have the Service group added to their access tokens. As a result, these processes are assigned this user right when they are started.

Also, a user can impersonate an access token if any of the following conditions exist:

  • The access token that is being impersonated is for this user.
  • The user, in this logon session, logged on to the network with explicit credentials to create the access token.
  • The requested level is less than Impersonate, such as Anonymous or Identify.

An attacker with theImpersonate a client after authentication user right could create a service, trick a client to make them connect to the service, and then impersonate that client to elevate the attacker's level of access to that of the client.

For this reason, theImpersonate a client after authentication setting is configured toNot Defined for the EC environment and toAdministrators,Service,Local Service,and Network Service for the SSLF environment.

Increase a process working set
This privilege determines which user accounts can increase or decrease the size of a process's working set. The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process.

This right is granted to all users by default. However, increasing the working set size for a process decreases the amount of physical memory available to the rest of the system. It would be possible for malicious code to increase the process working set to a level that could severely degrade system performance and potentially cause a denial of service. Certain environments can help mitigate this risk by limiting which users can increase the process working set.

For this reason, the Increase a process working set user right is configured to Not Defined for the EC environment and to Administrators for the SSLF environment.

Increase scheduling priority
This policy setting allows users to change the amount of processor time that a process utilizes. An attacker could use this capability to increase the priority of a process to real-time and create a denial of service condition for a computer.

For this reason, theIncrease scheduling priority setting is configured to the Administrators group for both of the environments that are discussed in this guide.

Load and unload device drivers
This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this capability to install malicious code that appears to be a device driver. This user right is required for users to add local printers or printer drivers in Windows Vista.

Because this user right could be used by an attacker, theLoad and unload device drivers setting is configured to the Administrators group for both of the environments that are discussed in this guide.

Lock pages in memory
This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. If this user right is assigned, significant degradation of system performance can occur.

For this reason, theLock pages in memory setting is configured toNo one for both of the environments that are discussed in this guide.

Log on as a batch job
This policy setting allows accounts to log on using the task scheduler service. Because the task scheduler is often used for administrative purposes, it may be needed in the EC environment. However, its use should be restricted in the SSLF environment to prevent misuse of system resources or to prevent attackers from using the right to launch malicious code after gaining user level access to a computer.

Therefore, the Log on as a batch job user right is configured toNot Defined for the EC environment and toNo one for the SSLF environment.

Log on as a service
This policy setting allows accounts to launch network services or to register a process as a service running on the system. This user right should be restricted on any computer in an SSLF environment, but because many applications may require this privilege, it should be carefully evaluated and tested before configuring it in an EC environment. On Windows Vista-based computers, no users or groups have this privilege by default.

The Log on as a service setting is configured toNot Defined for the EC environment and toNo one for the SSLF environment.

Manage auditing and security log
This policy setting determines which users can change the auditing options for files and directories and clear the Security log.

Because this capability represents a relatively small threat, theManage auditing and security log setting enforces the default value of the Administrators group for both of the environments that are discussed in this guide.

Modify firmware environment variables
This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration. Modification of these values and could lead to a hardware failure that would result in a denial of service condition.

Because this capability represents a relatively small threat, theModify firmware environment variables setting enforces the default value of theAdministrators group for both of the environments that are discussed in this guide.

Perform volume maintenance tasks
This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial of service condition.

The Perform volume maintenance tasks setting enforces the default value of the Administrators group for both of the environments that are discussed in this guide.

Profile single process
This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if System Monitor is configured to collect data using Windows Management Instrumentation (WMI). Restricting the Profile single process user right prevents intruders from gaining additional information that could be used to mount an attack on the system.

The Profile single process setting is configured to Not Defined for computers in the EC environment and to the Administrators group for the SSLF environment.

Profile system performance
This policy setting allows users to use tools to view the performance of different system processes, which could be abused to allow attackers to determine a system's active processes and provide insight into the potential attack surface of the computer.

The Profile system performance setting enforces the default of theAdministrators group for both of the environments that are discussed in this guide.

Remove computer from docking station
This policy setting allows the user of a portable computer to click Eject PC on the Start menu to undock the computer.

The Remove computer from docking station setting is configured to theAdministrators and Users groups for both of the environments discussed in this guide.

Replace a process level token
This policy setting allows one process or service to start another service or process with a different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges.

The Replace a process level token setting is configured to the default values of Local Service and Network Service for both of the environments discussed in this guide.

Restore files and directories
This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories on computers that run Windows Vista in your environment. This user right also determines which users can set valid security principals as object owners; it is similar to the Back up files and directories user right.

The Restore files and directories setting is configured to Not Defined for the EC environment and to theAdministrators group for the SSLF environment.

Shut down the system
This policy setting determines which users who are logged on locally to the computers in your environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition. In SSLF environments, Microsoft recommends that this right only be assigned to the Administrators and Users groups.

The Shut down the system setting is configured to the Administrators and Users groups for both of the environments that are discussed in this guide.

Take ownership of files or other objects
This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects and give ownership to the specified user.

The Take ownership of files or other objects setting is configured to the default value of the Administrators group for both of the environments discussed in this guide.

Security Options Settings

The security option settings that are applied through Group Policy on computers that run Windows Vista in your environment are used to enable or disable capabilities and features such as floppy disk drive access, CD-ROM drive access, and logon prompts. These settings are also used to configure various other settings, such as those for the digital signing of data, administrator and guest account names, and how driver installation works.

You can configure the security option settings in the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Not all of the settings that are included in this section exist on all types of systems. Therefore, the settings that comprise the Security Options portion of Group Policy that are defined in this section may need to be manually modified on systems in which these settings are present to make them fully operable. Alternatively, the Group Policy templates can be edited individually to include the appropriate setting options so that the prescribed settings will take full effect.

The following sections provide security option setting recommendations, and are grouped by type of object. Each section includes a table that summarizes the settings, and detailed information is provided in the subsections that follow each table. Recommendations are provided for both desktop and laptop client computers in the two types of secure environments that are discussed in this guide: the Enterprise Client (EC) environment and the Specialized Security - Limited Functionality (SSLF) environment.

This section of the appendix includes tables and recommendations for the following object type settings that reside in theSecurity Options subdirectory:

  • Accounts
  • Audit
  • Devices
  • Domain member
  • Interactive logon
  • Microsoft Network Client
  • MSS settings
  • Microsoft Network Server
  • Network access
  • Network security
  • Recovery console
  • Shutdown
  • System cryptography
  • System objects
  • User Account Control
Accounts

The following table summarizes the recommended security option settings for accounts. Additional information is provided in the subsections that follow the table.

Table A16. Security Options Setting Recommendations - Accounts

Setting Windows Vista default EC Computer GPOs SSLF Computer GPOs

Accounts: Administrator account status

Disabled

Not Defined

Disabled

Accounts: Guest account status

Disabled

Disabled

Disabled

Accounts: Limit local account use of blank passwords to console logon only

Enabled

Enabled

Enabled

Accounts: Rename administrator account

Administrator

Recommended

Recommended

Accounts: Rename guest account

Guest

Recommended

Recommended

Accounts: Administrator account status
This policy setting enables or disables the Administrator account during normal operation. When a computer is booted into safe mode, the Administrator account is always enabled, regardless of how this setting is configured.

The Accounts: Administrator account status setting is configured toNot Defined for the EC environment and to Disabled for the SSLF environment.

Accounts: Guest account status
This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system.

The Accounts: Guest account status security option setting is configured toDisabled for the two environments that are discussed in this guide.

Accounts: Limit local account use of blank passwords to console logon only
This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer.

The Accounts: Limit local account use of blank passwords to console logon only setting is configured to Enabled for the two environments discussed in this guide.

Accounts: Rename administrator account
The built-in local administrator account is a well-known account name that attackers will target. Microsoft recommends that you choose another name for this account, and that you avoid names that denote administrative or elevated access accounts. Be sure to also change the default description for the local administrator (through the Computer Management console).

The recommendation to use the Accounts: Rename administrator account setting applies to both of the environments that are discussed in this guide.

Note   This policy setting is not configured in the Security Templates, nor does this guide suggest a user name for the account. Suggested user names are omitted to ensure that organizations that implement this guidance will not use the same new user name in their environments.

Accounts: Rename guest account
The built-in local guest account is another well-known name to attackers. Microsoft also recommends that you rename this account to something that does not indicate its purpose. Even if you disable this account (which is recommended), ensure that you rename it for added security.

The recommendation to use the Accounts: Rename guest account setting applies to both of the environments discussed in this guide.

Note   This policy setting is not configured in the Security Templates, nor is a new user name for the account suggested here. Suggested user names are omitted to ensure that organizations that implement this guidance will not use the same new user name in their environments.

Audit

The following table summarizes the recommended Audit settings. Additional information is provided in the subsections that follow the table.

Table A17. Security Option Setting Recommendations - Audit

Setting Windows Vista default VSG EC Computer GPOs VSG SSLF Computer GPOs

Audit: Audit the access of global system objects

Disabled

Not Defined

Disabled

Audit: Audit the use of Backup and Restore privilege

Disabled

Not Defined

Disabled

§ Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings

Not Defined

Enabled

Enabled

Audit: Shut down system immediately if unable to log security audits

Disabled

Not Defined

Disabled

§ - Denotes Group Policy settings that are new in Windows Vista.

Audit: Audit the access of global system objects
This policy setting creates a default system access control list (SACL) for system objects such as mutexes (mutual exclusive), events, semaphores, and MS-DOS® devices, and causes access to these system objects to be audited.

If theAudit: Audit the access of global system objects setting is enabled, a very large number of security events could quickly fill the Security event log. Therefore, this policy setting is configured toNot Defined for the EC environment and Disabled for the SSLF environment.

Audit: Audit the use of Backup and Restore privilege
This policy setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use setting is in effect. If you enable both policies, an audit event will be generated for every file that is backed up or restored.

If theAudit: Audit the use of Backup and Restore privilege setting is enabled, a very large number of security events could quickly fill the Security event log. Therefore, this policy setting is configured toNot Defined for the EC environment and Disabled for the SSLF environment.

Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista.

The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this guide, theAudit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting is configured to Enabled for both of the environments that are discussed in this guide.

Audit: Shut down system immediately if unable to log security audits
This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason.

If theAudit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. Therefore, this policy setting is configured toNot Defined for the EC environment and Disabled for the SSLF environment.

Devices

The following table summarizes the recommended security option settings for devices. Additional information is provided in the subsections that follow the table.

Table A18. Security Option Setting Recommendations - Devices

Setting Windows Vista default EC VSG Computer GPOs SSLF VSG Computer GPOs

Devices: Allow undock without having to log on

Enabled

Not Defined

Disabled

Devices: Allowed to format and eject removable media

Not Defined (registry value doesn't exist by default)

Administrators, Interactive Users

Administrators

Devices: Prevent users from installing printer drivers
(desktop computers)

Disabled

Enabled

Enabled

Devices: Prevent users from installing printer drivers
(laptop computers)

Disabled

Disabled

Disabled

Devices: Restrict CD-ROM access to locally logged-on user only

Not Defined (registry value doesn't exist by default)

Not Defined

Disabled

Devices: Restrict floppy access to locally logged-on user only

Not Defined (registry value doesn't exist by default)

Not Defined

Disabled

Devices: Allow undock without having to log on
This policy setting determines whether a portable computer can be undocked if the user does not log on to the system. Enable this policy setting to eliminate a logon requirement and allow use of an external hardware eject button to undock the computer. If you disable this policy setting, a user must log on and have been assigned theRemove computer from docking station user right to undock the computer.

TheDevices: Allow undock without having to log on setting is configured to Not Defined for the EC environment and toDisabled for the SSLF environment.

Devices: Allowed to format and eject removable media
This policy setting determines who is allowed to format and eject removable media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges.

TheDevices: Allow to format and eject removable media setting is restricted to theAdministrators and Interactive Users groups for the EC environment, and to theAdministrators group only for the SSLF environment for added security.

Devices: Prevent users from installing printer drivers
It is feasible for a attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network. To reduce the possibility of such an event, only administrators should be allowed to install printer drivers. However, because laptops are mobile devices, laptop users may occasionally need to install a printer driver from a remote source to continue their work. Therefore, this policy setting should be disabled for laptop users, but always enabled for desktop users.

TheDevices: Prevent users from installing printer drivers setting is configured to Enabled for desktop computers in both of the environments that are discussed in this guide and toDisabled for laptop users in both of the environments.

Devices: Restrict CD-ROM access to locally logged on user only
This policy setting determines whether the CD-ROM drive is accessible to both local and remote users simultaneously. If you enable this policy setting, only interactively logged on users are allowed to access media from the CD-ROM drive. When this policy setting is enabled and no one is logged on, the CD-ROM drive can be accessed over the network. If you enable this setting, the Windows Backup utility will fail if volume shadow copies were specified for the backup job. Any third-party backup products that use volume shadow copies will also fail.

TheDevices: Restrict CD-ROM access to locally logged on user only setting is configured to Not Defined for the EC environment and toDisabled for the SSLF environment.

Devices: Restrict floppy access to locally logged on user only
This policy setting determines whether the floppy drive is accessible to both local and remote users simultaneously. If you enable this policy setting, only interactively logged on users are allowed to access floppy drive media. When this policy setting is enabled and no one is logged on, floppy drive media can be accessed over the network. If you enable this setting, the Windows Backup utility will fail if volume shadow copies were specified for the backup job. Any third-party backup products that use volume shadow copies will also fail.

TheDevices: Restrict floppy access to locally logged on user only setting is configured to Not Defined for the EC environment and toDisabled for the SSLF environment.

Domain Member

The following table summarizes the recommended security option settings for domain members. Additional information is provided in the subsections that follow the table.

Table A19. Security Option Setting Recommendations - Domain Member

Setting Windows Vista default EC VSG Computer GPOs SSLF VSG Computer GPOs

Domain member: Digitally encrypt or sign secure channel data (always)

Enabled

Enabled

Enabled

Domain member: Digitally sign secure channel data (when possible)

Enabled

Enabled

Enabled

Domain member: Disable machine account password changes

Disabled

Disabled

Disabled

Domain member: Maximum machine account password age

30 days

30 days

30 days

Domain member: Require strong (Windows 2000 or later) session key

Disabled

Enabled

Enabled

Domain member: Digitally encrypt or sign secure channel data (always)
This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. If a system is set to always encrypt or sign secure channel data, it cannot establish a secure channel with a domain controller that is not capable of signing or encrypting all secure channel traffic, because all secure channel data is signed and encrypted.

TheDomain member: Digitally encrypt or sign secure channel data (always) setting is configured toEnabled for both of the environments that are discussed in this guide.

Domain member: Digitally encrypt secure channel data (when possible)
This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member will request encryption of all secure channel traffic. If you disable this policy setting, the domain member will be prevented from negotiating secure channel encryption.

TheDomain member: Digitally encrypt secure channel data (when possible) setting is configured toEnabled for both of the environments that are discussed in this guide.

Domain member: Digitally sign secure channel data (when possible)
This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network.

TheDomain member: Digitally sign secure channel data (when possible) setting is configured toEnabled for both of the environments that are discussed in this guide.

Domain member: Disable machine account password changes
This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its computer account password. If you disable this policy setting, the domain member can change its computer account password as specified by theDomain Member: Maximum machine account password age setting, which by default is every 30 days. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account.

Therefore, theDomain member: Disable machine account password changes setting is configured toDisabled for both of the environments that are discussed in this guide.

Domain member: Maximum machine account password age
This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly or set it to 0 so that the computers no longer change their passwords, an attacker would have more time to undertake a brute force attack against one of the computer accounts.

Therefore, theDomain member: Maximum machine account password age setting is configured to30 days for both of the environments that are discussed in this guide.

Domain member: Require strong (Windows 2000 or later) session key
When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key.

To enable this policy setting, all domain controllers in the domain must be able to encrypt secure channel data with a strong key, which means all domain controllers must be running Microsoft Windows 2000 or later. If communication to non-Windows 2000-based domains is required, Microsoft recommends that you disable this policy setting.

TheDomain member: Require strong (Windows 2000 or later) session key setting is configured toEnabled for both of the environments that are discussed in this guide.

Interactive Logon

The following table summarizes the recommended security option settings for interactive logon. Additional information is provided in the subsections that follow the table.

Table A20. Security Option Setting Recommendations - Interactive Logon

Setting Windows Vista default EC VSG Computer GPOs SSLF VSG Computer GPOs

Interactive Logon: Do not display last user name

Disabled

Enabled

Enabled

Interactive Logon: Do not require CTRL+ALT+DEL

Not Defined

Disabled

Disabled

Interactive Logon: Message text for users attempting to log on

Blank

Recommended

Recommended

Interactive Logon: Message title for users attempting to log on

Blank

Recommended

Recommended

Interactive Logon: Number of previous logons to cache (in case domain controller is not available)
(desktop computers)

10

2

0

Interactive Logon: Number of previous logons to cache (in case domain controller is not available)
(laptop computers)

10

2

2

Interactive Logon: Prompt user to change password before expiration

14 days

14 days

14 days

Interactive Logon: Require Domain Controller authentication to unlock workstation (desktop computers)

Disabled

Enabled

Enabled

Interactive Logon: Require Domain Controller authentication to unlock workstation (laptop computers)

Disabled

Disabled

Disabled

Interactive Logon: Smart card removal behavior

No action

Lock Workstation

Lock Workstation

Interactive Logon: Do not display last user name
This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization.

TheInteractive logon: Do not display last user name setting is configured toEnabled for the two environments that are discussed in this guide.

Interactive Logon: Do not require CTRL+ALT+DEL
The CTRL+ALT+DEL key combination establishes a trusted path to the operating system when a user enters a user name and password. When this policy setting is enabled, users are not required to use this key combination to log on to the network. However, this configuration poses a security risk because it provides an opportunity for users to log on with weaker logon credentials.

TheInteractive logon: Do not require CTRL+ALT+DEL setting is configured toDisabled for the two environments that are discussed in this guide.

Interactive Logon: Message text for users attempting to log on
This policy setting specifies a text message that displays to users when they log on. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.

Note   Any warning that you display should first be approved by your organization's legal and human resources representatives. Also, theInteractive logon: Message text for users attempting to log on and theInteractive logon: Message title for users attempting to log on settings mustboth be enabled for either one to work properly.

Interactive Logon: Message title for users attempting to log on
This policy setting allows text to be specified in the title bar of the window that users see when they log on to the system. The reason for this policy setting is the same as for the previous message text setting. Organizations that do not use this policy setting are more legally vulnerable to trespassers who attack the system.

Note   Any warning that you display should first be approved by your organization's legal and human resources representatives. Also, theInteractive logon: Message text for users attempting to log on and theInteractive logon: Message title for users attempting to log on settings must both be enabled for either one to work properly.

Interactive Logon: Number of previous logons to cache (in case domain controller is not available)
This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a domain controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. The default value for this policy setting is 10. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords.

TheInteractive logon: Number of previous logons to cache (in case domain controller is not available) setting is configured to2 for both desktop and laptop computers in the EC environment and for the laptop computers in the SSLF environment. However, this policy setting is configured to0 for desktops in the SSLF environment because these computers should always be securely connected to the organization's network.

Interactive Logon: Prompt user to change password before expiration
This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently warn users when their passwords will expire.

TheInteractive logon: Prompt user to change password before expiration setting is configured to14 days for both of the environments that are discussed in this guide.

Interactive Logon: Require Domain Controller authentication to unlock workstation
When this policy setting is enabled, a domain controller must authenticate the domain account used to unlock the computer. When this policy setting is disabled, cached credentials can be used to unlock the computer. Microsoft recommends that this policy setting be disabled for laptop users in both environments, because mobile users do not have network access to domain controllers.

TheInteractive logon: Require Domain Controller authentication to unlock workstation setting is configured toEnabled for desktop computers in both the EC and SSLF environments. However, this policy setting is configured toDisabled for laptops in both of the environments, which allows these users to work when they are away from the office.

Interactive Logon: Smart card removal behavior
This policy setting determines what happens when the smart card for a logged on user is removed from the smart card reader. When configured toLock Workstation, this policy setting locks the workstation when the smart card is removed, which allows users to leave the area, take their smart cards with them, and automatically lock their workstations. If you configure this policy setting toForce Logoff, users will be automatically logged off when the smart card is removed.

TheInteractive logon: Smart card removal behavior setting is configured to theLock Workstation option for both of the environments that are discussed in this guide.

Microsoft Network Client

The following table summarizes the recommended security option settings for Microsoft network client computers. Additional information is provided in the subsections that follow the table.

Table A21. Security Option Setting Recommendations - Microsoft Network Client

Setting Windows Vista default EC VSG Computer GPOs SSLF VSG Computer GPOs

Microsoft network client: Digitally sign communications (always)

Disabled

Enabled

Enabled

Microsoft network client: Digitally sign communications (if server agrees)

Enabled

Enabled

Enabled

Microsoft network client: Send unencrypted password to third-party SMB servers

Disabled

Disabled

Disabled

Microsoft network client: Digitally sign communications (always)
This policy setting determines whether packet signing is required by the SMB client component. If you enable this policy setting, the Microsoft network client computer cannot communicate with a Microsoft network server unless that server agrees to sign SMB packets. In mixed environments with legacy client computers, set this option to Disabled because these computers will not be able to authenticate or gain access to domain controllers. However, you can use this policy setting in Windows 2000 or later environments.

The Microsoft network client: Digitally sign communications (always) setting is configured to Enabled for computers for both of the environments in this guide.

Note   When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the "Microsoft network client and server: Digitally sign communications (four related settings)" section in Chapter 5 of the Threats and Countermeasures guide.

Microsoft network client: Digitally sign communications (if server agrees)
This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. The implementation of digital signing in Windows-based networks helps to prevent sessions from being hijacked. If you enable this policy setting, the Microsoft network client will use signing only if the server with which it communicates accepts digitally signed communication.

The Microsoft network client: Digitally sign communications (if server agrees) setting is configured to Enabled for the two environments that are discussed in this guide.

Note   Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment.

Microsoft network client: Send unencrypted password to third-party SMB servers
Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to third-party SMB servers that do not support password encryption. Microsoft recommends that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network.

The Microsoft network client: Send unencrypted password to third-party SMB servers setting is configured to Disabled for the two environments that are discussed in this guide.

Microsoft Network Server

The following table summarizes the recommended Microsoft network server security option settings. Additional information is provided in the subsections that follow the table.

Table A22. Security Option Setting Recommendations - Microsoft Network Server

Setting Windows Vista default EC VSG Computer GPOs SSLF VSG Computer GPOs

Microsoft network server: Amount of idle time required before suspending session

15 minutes

15 minutes

15 Minutes

Microsoft network server: Digitally sign communications (always)

Disabled

Enabled

Enabled

Microsoft network server: Digitally sign communications (if client agrees)

Disabled

Enabled

Enabled

Microsoft network server: Disconnect clients when logon hours expire

Enabled

Enabled

Enabled

Microsoft network server: Amount of idle time required before suspending session
This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.

The Microsoft network server: Amount of idle time required before suspending session setting is configured to a period of 15 minutes in both of the environments that are discussed in this guide.

Microsoft network server: Digitally sign communications (always)
This policy setting determines if the server side SMB service is required to perform SMB packet signing. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server.

The Microsoft network server: Digitally sign communications (always) setting is configured to Enabled for both of the environments that are discussed in this guide.

Microsoft network server: Digitally sign communications (if client agrees)
This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled.

The Microsoft network server: Digitally sign communications (if client agrees) setting is configured to Enabled for the two environments that are discussed in this guide.

Note   Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment.

Microsoft network server: Disconnect clients when logon hours expire
This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. It affects the SMB component. If you enable this policy setting, client sessions with the SMB service will be forcibly disconnected when the client's logon hours expire. If you disable this policy setting, established client sessions will be maintained after the client's logon hours expire. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire.

If your organization configures logon hours for users, it makes sense to enable this policy setting.

The Microsoft network client: Disconnect client when logon hours expire setting is configured to Enabled for the two environments that are discussed in this guide.

MSS Settings

The following settings include registry value entries that do not display by default through the Security Configuration Editor (SCE). These settings, which are all prefixed with MSS:, were developed by the Microsoft Solutions for Security group for previous security guidance. The GPOAccelerator.wsf script discussed in Chapter 1, "Implementing the Security Baseline," modifies the SCE so that it properly displays the MSS settings.

The following table summarizes the MSS settings recommended for each of the environments discussed in this guide. Additional information about each setting is provided after the table.

Table A23. Security Option Setting Recommendations - MSS Settings

Setting EC VSG Computer GPOs SSLF VSG Computer GPOs

MSS: (AutoAdminLogon) Enable Automatic Logon
(not recommended)

 

Not Defined

 

Disabled

 

MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)

 

Not Defined

 

Highest Protection, source routing is completely disabled.

 

MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)

 

Not Defined

 

Disabled

 

MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes

 

Not Defined

 

Disabled

 

MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)

 

Not Defined

 

Enabled

 

MSS: (KeepAliveTime)How often keep-alive packets are sent in milliseconds

 

Not Defined

 

30000 or 5 minutes (recommended)

 

MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic

 

Multicast, broadcast, and ISAKMP are exempt (Best for Windows XP)

 

Multicast, broadcast, and ISAKMP are exempt (Best for Windows XP)

 

MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended)

 

255, disable Autorun for all drives

 

255, disable Autorun for all drives

 

MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers

 

Not Defined

 

Enabled

 

MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)

 

Not Defined

 

Enabled

 

MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS)

 

Not Defined

 

Disabled

 

MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)

 

Enabled

 

Enabled

 

MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires
(0 recommended)

 

0

 

0

 

MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)

 

Not Defined

 

Connections timeout sooner if SYN attack is detected

 

MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged

 

Not Defined

 

3 & 6 seconds, half-open connections dropped after 21 seconds

 

MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted
(3 recommended, 5 is default)

 

Not Defined

 

3

 

MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning

 

Not Defined

 

90

 

MSS: (AutoAdminLogon) Enable Automatic Logon
The registry value entry AutoAdminLogon was added to the template file in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ registry key. The entry appears as MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) in the Security Configuration Editor.

This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. For these reasons the setting is configured to Not Defined for the EC environment, and the default Disabled setting is explicitly enforced for the SSLF environment.

For additional information, see the Knowledge Base article 315231, "How to turn on automatic logon in Windows XP."

MSS: (DisableIPSourceRouting) IP source routing protection level
The registry value entry DisableIPSourceRouting was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) in the SCE.

IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. This setting is configured to Not Defined for the EC environment and to Highest Protection,source routing is completely disabled for the SSLF environment.

MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways
The registry value entry EnableDeadGWDetect was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) in the SCE.

When dead gateway detection is enabled, the IP may change to a backup gateway if a number of connections experience difficulty. This setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
The registry value entry EnableICMPRedirect was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes in the SCE.

Internet Control Message Protocol (ICMP) redirects cause the stack to plumb host routes. These routes override the Open Shortest Path First (OSPF)-generated routes. This setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

MSS: (Hidden) Hide Computer From the Browse List
The registry value entry Hidden was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\ registry key. The entry appears as MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) in the SCE.

You can configure a computer so that it does not send announcements to browsers on the domain. If you do so, you hide the computer from the Browse list, which means that the computer will stop announcing itself to other computers on the same network. An attacker who knows the name of a computer can more easily gather additional information about the system. You can enable this setting to remove one method that an attacker might use to gather information about computers on the network. Also, this setting can help reduce network traffic when enabled. However, the security benefits of this setting are small because attackers can use alternative methods to identify and locate potential targets. For this reason, Microsoft recommends that you enable this setting only in SSLF environments.

This setting is configured to Not Defined for the EC environment and to Enabled for the SSLF environment.

For additional information, see the Knowledge Base article 321710, "HOW TO: Hide a Windows 2000-Based Computer from the Browser List."

MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
The registry value entry KeepAliveTime was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds (300,000 is recommended) in the SCE.

This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. This setting is configured to Not Defined for the EC environment and to 30000 or 5 minutes for the SSLF environment.

MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic
The registry value entry NoDefaultExempt was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\ registry key. The entry appears as MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic in the SCE.

The default exemptions to IPsec policy filters are documented in the online help for the specific operating system. These filters make it possible for Internet Key Exchange (IKE) and the Kerberos authentication protocol to function. The filters also make it possible for the network Quality of Service (QoS) to be signaled (RSVP) when the data traffic is secured by IPsec, and for traffic that IPsec might not secure such as multicast and broadcast traffic.

IPsec is increasingly used for basic host-firewall packet filtering, particularly in Internet-exposed scenarios, and the affect of these default exemptions has not been fully understood. Therefore, some IPsec administrators may create IPsec policies that they think are secure, but are not actually secure against inbound attacks that use the default exemptions. Microsoft recommends that you enforce the default setting in Windows XP with SP2, Multicast,broadcast,and ISAKMP are exempt, for both of the environments that are discussed in this guide.

For additional information, see the Knowledge Base article 811832, "IPSec Default Exemptions Can Be Used to Bypass IPsec Protection in Some Scenarios."

MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives
The registry value entry NoDriveTypeAutoRun was added to the template file in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Policies\Explorer\
registry key. The entry appears as MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended) in the SCE.

AutoRun starts to read from a drive on your computer as soon as media is inserted into it. As a result, the setup file of programs and the sound on audio media starts immediately. This setting is configured to 255,Disable Autorun for all drives for both of the environments that are discussed in this guide.

MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
The registry value entry NoNameReleaseOnDemand was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\
Parameters\
registry key. The entry appears as MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers in the SCE.

NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. It is set to Not Defined for the EC environment and Enabled for the SSLF environment.

MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames
The registry value entry NtfsDisable8dot3NameCreation was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\ registry key. The entry appears as MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) in the SCE.

Windows Server 2003 supports 8.3 file name formats for backward compatibility with16-bit applications. The 8.3 file name convention is a naming format that allows file names up to eight characters long. This setting is configured to Not Defined for the EC environment and to Enabled for the SSLF environment.

MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses
The registry value entry PerformRouterDiscovery was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) in the SCE.

This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. This setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

MSS: (SafeDllSearchMode) Enable Safe DLL Search Order
The registry value entry SafeDllSearchMode was added to the template file in the HKEY_LOCAL_MACHINE\ SYSTEM\CurrentControlSet\Control\Session Manager\ registry key. The entry appears as MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) in the SCE.

The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways:

  • Search folders specified in the system path first, and then search the current working folder.
  • Search current working folder first, and then search the folders specified in the system path.

When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. This setting is configured to Enabled for both of the environments that are discussed in this guide.

MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires
The registry value entry ScreenSaverGracePeriod was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\
Windows NT\CurrentVersion\Winlogon\
registry key. The entry appears as MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) in the SCE.

Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. This setting is configured to 0 seconds for both of the environments that are discussed in this guide.

MSS: (SynAttackProtect) Syn attack protection level
The registry value entry SynAttackProtect was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) in the SCE.

This setting causes TCP to adjust retransmission of SYN-ACKs. When you configure this value, the connection responses time out more quickly if a connect request (SYN) attack is detected. This setting is configured to Not Defined for the EC environment and to Connections timeout sooner if SYN attack is detected for the SSLF environment.

MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged
The registry value entry TCPMaxConnectResponseRetransmissions was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\Tcpip\Parameters
\ registry key. The entry appears as MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged in the SCE.

This setting determines the number of times that TCP retransmits a SYN before the attempt to connect is aborted. The retransmission time-out is doubled with each successive retransmission in a given connect attempt. The initial time-out value is three seconds. This setting is configured to Not Defined for the EC environment and to 3 & 6 seconds,half-open connections dropped after 21 seconds for the SSLF environment.

MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted
The registry value entry TCPMaxDataRetransmissions was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip
\Parameters\
registry key. The entry appears as MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended,5 is default) in the SCE.

This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. This setting is configured to Not Defined for the EC environment and to 3 for the SSLF environment.

MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
The registry value entry WarningLevel was added to the template file in the HKEY_LOCAL_MACHINE\ SYSTEM\CurrentControlSet\Services\Eventlog\Security\ registry key. The entry appears as MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning in the SCE.

This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. This setting is configured to Not Defined for the EC environment and to 90 for the SSLF environment.

Note   If log settings are configured to Overwrite events as needed or Overwrite events older thanxdays, this event will not be generated.

Network Access

The following table summarizes the recommended security option settings for network access. Additional information is provided in the subsections that follow the table.

Table A24. Security Option Setting Recommendations - Network Access

Setting Windows Vista default EC VSG Computer GPOs SSLF VSG Computer GPOs

Network access: Allow anonymous SID/Name translation

Disabled

Disabled

Disabled

Network access: Do not allow anonymous enumeration of SAM accounts

Enabled

Enabled

Enabled

Network access: Do not allow anonymous enumeration of SAM accounts and shares

Disabled

Enabled

Enabled

Network access: Do not allow storage of credentials or .NET Passports for network authentication

Disabled

Enabled

Enabled

Network access: Let Everyone permissions apply to anonymous users

Disabled

Disabled

Disabled

Network access: Named Pipes that can be accessed anonymously

netlogon, lsarpc, samr, browser

Not Defined

netlogon, lsarpc, samr, browser

Network access: Remotely accessible registry paths

System\CurrentControlSet\
Control\ProductOptions

System\CurrentControlSet\
Control\Server Applications

Software\Microsoft\Windows NT\CurrentVersion

Not Defined

System\CurrentControlSet\
Control\ProductOptions

System\CurrentControlSet\
Control\Server Applications

Software\Microsoft\Windows NT\CurrentVersion

§ Network access: Remotely accessible registry paths and sub-paths

System\CurrentControlSet\
Control\Print\Printers

System\CurrentControlSet\
Services\Eventlog

Software\Microsoft\OLAP Server

Software\Microsoft\Windows NT\CurrentVersion\Print

Software\Microsoft\Windows NT\CurrentVersion\Windows

System\CurrentControlSet\
ContentIndex

System\CurrentControlSet\
Control\Terminal Server

System\CurrentControlSet\
Control\Terminal Server\User Config

System\CurrentControlSet\
Control\Terminal Server\Default User Config

Software\Microsoft\Windows NT\CurrentVersion\perflib

System\CurrentControlSet\
Services\SysmonLog

Not Defined

System\CurrentControlSet\
Control\Print\Printers

System\CurrentControlSet\
Services\Eventlog

Software\Microsoft\OLAP Server

Software\Microsoft\Windows NT\CurrentVersion\Print

Software\Microsoft\Windows NT\CurrentVersion\Windows

System\CurrentControlSet\
ContentIndex

System\CurrentControlSet\
Control\Terminal Server

System\CurrentControlSet\
Control\Terminal Server\User Config

System\CurrentControlSet\
Control\Terminal Server\Default User Config

Software\Microsoft\Windows NT\CurrentVersion\perflib

System\CurrentControlSet\
Services\SysmonLog

Network access: Restrict anonymous access to Named Pipes and Shares

Enabled

Not Defined

Enabled

Network access: Shares that can be accessed anonymously

None

Not Defined

None

Network access: Sharing and security model for local accounts

Classic - local users authenticate as themselves

Classic - local users authenticate as themselves

Classic - local users authenticate as themselves

§ - Denotes Group Policy settings that are new in Windows Vista.

Network access: Allow anonymous SID/Name translation
This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name. Disable this policy setting to prevent unauthenticated users from obtaining user names that are associated with their respective SIDs.

The Network access: Allow anonymous SID/Name translation setting is configured to Disabled for the two environments that are discussed in this guide.

Network access: Do not allow anonymous enumeration of SAM accounts
This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections cannot enumerate domain account user names on the workstations in your environment. This policy setting also allows additional restrictions on anonymous connections.

The Network access: Do not allow anonymous enumeration of SAM accounts setting is configured to Enabled for the two environments that are discussed in this guide.

Network access: Do not allow anonymous enumeration of SAM accounts and shares
This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the workstations in your environment.

The Network access: Do not allow anonymous enumeration of SAM accounts and shares setting is configured to Enabled for the two environments that are discussed in this guide.

Network access: Do not allow storage of credentials or .NET Passports for network authentication
This policy setting controls authentication credential storage and passwords on the local system.

The Network access: Do not allow storage of credentials or .NET Passports for network authentication setting is configured to Enabled for the two environments that are discussed in this guide.

Network access: Let Everyone permissions apply to anonymous users
This policy setting determines what additional permissions are assigned for anonymous connections to the computer. If you enable this policy setting, anonymous Windows users are allowed to perform certain activities, such as enumerate the names of domain accounts and network shares. An unauthorized user could anonymously list account names and shared resources and use the information to guess passwords or perform social engineering attacks.

Therefore, the Network access: Let Everyone permissions apply to anonymous users setting is configured to Disabled for both of the environments in this guide.

Network access: Named Pipes that can be accessed anonymously
This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access.

For the EC environment the Network access: Named Pipes that can be accessed anonymously setting is configured to Not Defined. However, the following default values are enforced for the SSLF environment:

  • Netlogon
  • Isarpc
  • Samr
  • Browser

Network access: Remotely accessible registry paths
This policy setting determines which registry paths will be accessible after referencing the WinReg key to determine access permissions to the paths.

For the EC environment the Network access: Remotely accessible registry paths setting is configured to Not Defined. But the SSLF environment the following default values are enforced:

  • System\CurrentControlSet\Control\ProductOptions
  • System\CurrentControlSet\Control\Server Applications
  • Software\Microsoft\Windows NT\CurrentVersion

Network access: Remotely accessible registry paths and sub-paths
This policy setting determines which registry paths and sub-paths will be accessible when an application or process references the WinReg key to determine access permissions.

The Network access: Remotely accessible registry paths and sub-paths setting is configured to Not Defined for the EC environment. For the SSLF environment the setting is configured to the following:

  • System\CurrentControlSet\Control\Print\Printers
  • System\CurrentControlSet\Services\Eventlog
  • Software\Microsoft\OLAP Server
  • Software\Microsoft\Windows NT\CurrentVersion\Print
  • Software\Microsoft\Windows NT\CurrentVersion\Windows
  • System\CurrentControlSet\ContentIndex
  • System\CurrentControlSet\Control\Terminal Server
  • System\CurrentControlSet\Control\Terminal Server\User Config
  • System\CurrentControlSet\Control\Terminal Server\Default User Config
  • Software\Microsoft\Windows NT\CurrentVersion\perflib
  • System\CurrentControlSet\Services\SysmonLog

Network access: Restrict anonymous access to Named Pipes and Shares
When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKLM\System
\CurrentControlSet\Services\LanManServer\Parameters
registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment.

The Network access: Restrict anonymous access to Named Pipes and Shares setting is configured to Not Defined for the EC environment and Enabled in the SSLF environment.

Network access: Shares that can be accessed anonymously
This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server.

The Network access: Shares that can be accessed anonymously setting is configured to Not Defined for the EC environment. However, ensure that this setting is configured to None for the SSLF environment.

Note   It can be very dangerous to add other shares to this Group Policy setting. Any network user can access any shares that are listed, which could exposure or corrupt sensitive data.

Network access: Sharing and security model for local accounts
This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource.

Therefore, the Sharing and security model for local accounts setting uses the default Classic option for both of the environments that are discussed in this guide.

Network Security

The following table summarizes the recommended security option settings for network security. Additional information is provided in the subsections that follow the table.

Table A25. Security Option Setting Recommendations - Network Security

Setting Windows Vista default EC VSG Computer GPOs SSLF VSG Computer GPOs

Network security: Do not store LAN Manager hash value on next password change

Enabled

Enabled

Enabled

Network security: Force logoff when logon hours expire

Disabled

Not Defined

Not Defined

Network security: LAN Manager authentication level

Send NTLMv2 response only

Send NTLMv2 response only. Refuse LM

Send NTLMv2 response only. Refuse LM and NTLM

Network security: LDAP client signing requirements

Negotiate signing

Negotiate signing

Negotiate signing

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

No minimum

Require NTLMv2 session security, Require 128-bit encryption

Require NTLMv2 session security, Require 128-bit encryption

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

No minimum

Require NTLMv2 session security, Require 128-bit encryption

Require NTLMv2 session security, Require 128-bit encryption

Network security: Do not store LAN Manager hash value on next password change
This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT® hash.

For this reason, the Network security: Do not store LAN Manager hash value on next password change setting is configured to Enabled for both of the environments that are discussed in this guide.

Note   Older operating systems and some third-party applications may fail when this policy setting is enabled. Also you will need to change the password on all accounts after you enable this setting.

Network security: Force logoff when logon hours expire
This policy setting, which determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours, affects the SMB component. If you enable this policy setting, client sessions with the SMB server will be disconnected when the client's logon hours expire. If you disable this policy setting, established client sessions will be maintained after the client's logon hours expire.

The Network security: Force logoff when logon hours expire setting is configured to Not Defined for both environments in the appendix.

Network security: LAN Manager authentication level
This policy setting specifies the type of challenge/response authentication for network logons. LAN Manager (LM) authentication is the least secure method; it allows encrypted passwords to be cracked because they can be easily intercepted on the network. NT LAN Manager (NTLM) is somewhat more secure. NTLMv2 is a more robust version of NTLM that is available in Windows Vista, Windows XP Professional, Windows Server 2003, Windows 2000, and Windows NT 4.0 Service Pack 4 (SP4) or later. NTLMv2 is also available for Windows 95 and Windows 98 with the optional Directory Services Client.

Microsoft recommends that you configure this policy setting to the strongest possible authentication level for your environment. In environments that run only Windows 2000 Server or Windows Server 2003 with Windows Vista or Windows XP Professional-based workstations, configure this policy setting to the Send NTLMv2 response only. Refuse LM and NTLM option for the highest security.

The Network security: LAN Manager authentication level setting is configured to Send NTLMv2 response only. Refuse LM for the EC environment. However, this policy setting is configured to the more restrictive Send NTLMv2 response only. Refuse LM and NTLM for the SSLF environment.

Network security: LDAP client signing requirements
This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Because unsigned network traffic is susceptible to man-in-the-middle attacks, an attacker could cause an LDAP server to make decisions that are based on false queries from the LDAP client.

Therefore, the value for the Network security: LDAP client signing requirements setting is configured to Negotiate signing for both of the environments that are discussed in this guide.

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
This policy setting determines the minimum application-to-application communications security standards for clients. The options for this policy setting are:

  • Require NTLMv2 session security
  • Require 128-bit encryption

If all of the computers on your network can support NTLMv2 and 128-bit encryption (for example, Windows Vista, Windows XP Professional SP2 and Windows Server 2003 SP1), all four setting options can be selected for maximum security.

The Require NTLMv2 session security and Require 128-bit encryption options are enabled for the Network security: Minimum session security for NTLM SSP based (including secure RPC) clients setting in both of the environments that are discussed in this guide.

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
This policy setting is similar to the previous setting, but affects the server side of communication with applications. The options for the setting are the same:

  • Require NTLMv2 session security
  • Require 128-bit encryption

If all of the computers on your network can support NTLMv2 and 128-bit encryption (for example, Windows Vista, Windows XP Professional SP2 and Windows Server 2003 SP1), all four options can be selected for maximum security.

The Require NTLMv2 session security and Require 128-bit encryption options are enabled for the Network security: Minimum session security for NTLM SSP based (including secure RPC) servers setting in both of the environments that are discussed in this guide.

Recovery Console

The following table summarizes the recommended security option settings for the recovery console. Additional information is provided in the subsections that follow.

Table A26. Security Option Setting Recommendations - Recovery Console

Setting Windows Vista default EC VSG Computer GPOs SSLF VSG Computer GPOs

Recovery console: Allow automatic administrative logon

Disabled

Disabled

Disabled

Recovery console: Allow floppy copy and access to all drives and all folders

Disabled

Not Defined

Disabled

Recovery console: Allow automatic administrative logon
The recovery console is a command-line environment that is used to recover from system problems. If you enable this policy setting, the administrator account is automatically logged on to the recovery console when it is invoked during startup. Microsoft recommends that you disable this policy setting, which will require administrators to enter a password to access the recovery console.

The Recovery console: Allow automatic administrative logon setting is configured to Disabled for the two environments that are discussed in this guide.

Recovery console: Allow floppy copy and access to all drives and all folders
This policy setting makes the Recovery Console SET command available, which allows you to set the following recovery console environment variables:

  • AllowWildCards. Enables wildcard support for some commands (such as the DEL command).
  • AllowAllPaths. Allows access to all files and folders on the computer.
  • AllowRemovableMedia. Allows files to be copied to removable media, such as a floppy disk.
  • NoCopyPrompt. Does not prompt when overwriting an existing file.

The Recovery console: Allow floppy copy and access to all drives and all folders setting is configured to Not Defined for the EC environment. However, for maximum security, this setting is configured to Disabled for the SSLF environment.

Shutdown

The following table summarizes shutdown security option setting recommendations. Additional information is provided in the subsections that follow the table.

Table A27. Security Option Setting Recommendations - Shutdown

Setting Windows Vista default EC VSG Computer GPOs SSLF VSG Computer GPOs

Shutdown: Allow system to be shut down without having to log on

Enabled

Not Defined

Disabled

Shutdown: Clear virtual memory pagefile (desktop computers)

Disabled

Disabled

Disabled

Shutdown: Clear virtual memory pagefile (laptop computers)

Disabled

Disabled

Enabled

Shutdown: Allow system to be shut down without having to log on
This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. Microsoft recommends that you disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system.

The Shutdown: Allow system to be shut down without having to log on setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

Shutdown: Clear virtual memory pagefile
This policy setting determines whether the virtual memory pagefile is cleared when the system is shut down. When this policy setting is enabled, the system pagefile is cleared each time that the system shuts down properly. If you enable this security setting, the hibernation file (Hiberfil.sys) is zeroed out when hibernation is disabled on a portable computer system. It will take longer to shut down and restart the computer, and will be especially noticeable on computers with large paging files.

For these reasons, the Shutdown: Clear virtual memory pagefile setting is configured to Enabled for SSLF laptop computers, and Disabled for all other computer types in both of the environments that are discussed in this guide.

System Cryptography

The following table summarizes the recommended security option settings for system cryptography. Additional information is provided after the table.

Table A28. Security Option Setting Recommendations - System Cryptography

Setting Windows Vista default EC VSG Computer GPOs SSLF VSG Computer GPOs

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

Disabled

Not Defined

Disabled

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
This policy setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. Although this policy setting increases security, most public Web sites that are secured with TLS or SSL do not support these algorithms. Client computers that have this policy setting enabled will also be unable to connect to Terminal Services on servers that are not configured to use the FIPS compliant algorithms.

The System cryptography: Use FIPS compliant algorithms for encryption,hashing,and signing setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment.

Note   If you enable this policy setting, computer performance will be slower because the 3DES process is performed on each block of data in the file three times. This policy setting should only be enabled if your organization is required to be FIPS compliant.

System Objects

The following table summarizes the recommended security option settings for system objects. Additional information is provided in the subsections that follow the table.

Table A29. Security Option Setting Recommendations - System Objects

Setting Windows Vista default EC VSG Computer GPOs SSLF VSG Computer GPOs

System objects: Require case insensitivity for non-Windows subsystems

Enabled

Not Defined

Enabled

System objects: Strengthen default permissions of internal system objects

Enabled

Enabled

Enabled

System objects: Require case insensitivity for non-Windows subsystems
This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32® subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available.

To ensure consistency of file names, the System objects: Require case insensitivity for non-Windows subsystems setting is configured to Not Defined for the EC environment and to Enabled for the SSLF environment.

System objects: Strengthen default permissions of internal system objects
This policy setting determines the strength of the default discretionary access control list (DACL) for objects. The setting helps secure objects that can be located and shared among processes and its default configuration strengthens the DACL, because it allows users who are not administrators to read shared objects but does not allow them to modify any that they did not create.

Therefore, the System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links) setting is configured to the default setting of Enabled for both of the environments that are discussed in this guide.

User Account Control

User Account Control (UAC) reduces the exposure and attack surface of the operating system by requiring that all users run in standard user mode, even if they have logged on with administrative credentials. This limitation helps minimize the ability for users to make changes that could destabilize their computers or inadvertently expose the network to viruses through undetected malware that has infected the computer.

When a user attempts to perform an administrative task, the operating system must raise their security level to allow the task to take place. The UAC settings in GPOs configure how the operating system responds to a request to heighten security privileges.

The following table summarizes the recommended security option settings for User Account Control. Additional information is provided in the subsections that follow the table.

Table A30. Security Option Setting Recommendations - User Account Control

Setting Windows Vista default EC VSG Computer GPOs SSLF VSG Computer GPOs

§ User Account Control: Admin Approval Mode for the Built-in Administrator account

Disabled

Enabled

Enabled

§ User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

Prompt for consent

Prompt for credentials

Prompt for credentials

§ User Account Control: Behavior of the elevation prompt for standard users

Prompt for credentials

Automatically deny elevation requests

Automatically deny elevation requests

§ User Account Control: Detect application installations and prompt for elevation

Enabled

Enabled

Enabled

§ User Account Control: Only elevate executables that are signed and validated

Disabled

Disabled

Disabled

§ User Account Control: Only elevate UIAccess applications that are installed in secure locations

Enabled

Enabled

Enabled

§ User Account Control: Run all administrators in Admin Approval Mode

Enabled

Enabled

Enabled

§ User Account Control: Switch to the secure desktop when prompting for elevation

Enabled

Enabled

Enabled

§ User Account Control: Virtualize file and registry write failures to per-user locations

Enabled

Enabled

Enabled

**§ -** Denotes Group Policy settings that are new in Windows Vista.

User Account Control: Admin Approval Mode for the Built-in Administrator account
This policy setting configures whether the built-in Administrator account runs in Admin Approval Mode. The default behavior for this setting varies because Windows Vista configures the built-in Administrator account dependant on specific installation criteria.

Windows Vista configures the setting to Disabled by default for new installations and for upgrades where the built-in Administrator is not the only local active administrator on the computer. Windows Vista disables the built-in Administrator account by default for installations and upgrades on domain-joined computers.

Windows Vista configures the setting to Enabled by default for upgrades when Windows Vista determines that the built-in Administrator account is the only active local administrator on the computer. If this is the case, Windows Vista enables the built-in Administrator account following the upgrade.

The configuration of the User Account Control: Admin Approval Mode for the Built-in Administrator setting is Enabled for both of the environments that are discussed in this guide.

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
This setting determines the behavior of Windows Vista when a logged on administrator attempts to complete a task that requires raised privileges. There are three values for this setting:

  • No prompt. Using this value elevates the privileges automatically and silently.
  • Prompt for consent. Using this value causes UAC to ask for consent before elevating the privileges but does not require credentials.
  • Prompt for credentials. Using this value causes UAC to require an administrator to type valid administrator credentials when prompted before elevating the privileges.

The configuration for the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode is to Prompt for credentials for both of the environments that are discussed in this guide.

User Account Control: Behavior of the elevation prompt for standard users
This setting determines the behavior of Windows Vista when a logged on user attempts to complete a task that requires raised privileges. There are two values for this setting:

  • Automatically deny elevation requests. Using this value prevents an elevation prompt from being presented and the user cannot perform administrative tasks without using the Run command as an administrator or by logging on with an administrator account.
  • Prompt for credentials. Using this value causes UAC to require an administrator to type valid administrator credentials when prompted before the setting can elevate.

The configuration of the User Account Control: Behavior of the elevation prompt for standard users setting is to Automatically deny elevation requests for both of the environments that are discussed in this guide.

This setting prevents standard users from elevating their privileges. In other words, a standard user cannot provide administrative account credentials to perform an administrative task. Right-clicking a program file and selecting Run as administrator will not work for the standard user. Standard users who need to perform administrative tasks must log off and then log back on using their administrative account to complete an administrative task. Although this process is somewhat inconvenient, it does help better secure your environment.

User Account Control: Detect application installations and prompt for elevation
This setting determines how Windows Vista responds to application installation requests. Application installation requires an elevation of privilege. There are two values for this setting:

  • Enabled. Using this value causes Windows Vista, on detection of an installer, to prompt the user for consent or credentials, depending on the configuration of the behavior of the elevation prompt settings.
  • Disabled. Using this value causes application installations to fail silently or in a non-deterministic manner.

The configuration for the User Account Control: Detect application installations and prompt for elevation setting is Enabled for both of the environments that are discussed in this guide.

User Account Control: Only elevate executables that are signed and validated
This setting enables the prevention of the execution of unsigned or invalidated applications. Before enabling this setting, it is essential that administrators are certain that all required applications are signed and valid. There are two values for this setting:

  • Enabled. Using this value allows only signed executable files to run. This setting blocks unsigned applications from running.
  • Disabled. Using this value allows both signed and unsigned executables to run.

The configuration of the User Account Control: Only elevate executables that are signed and validated setting is Disabled for both of the environments that are discussed in this guide.

User Account Control: Only elevate UIAccess applications that are installed in secure locations
This setting helps protect a Windows Vista-based computer by only allowing applications installed in a secure location, such as the Program Files or the Windows\System32 folders, on the file system to run with elevated privileges.

The configuration for the User Account Control: Only elevate UIAccess applications that are installed in secure locations setting is Enabled for both of the environments that are discussed in this guide.

User Account Control: Run all administrators in Admin Approval Mode
This setting effectively disables UAC. There are two values for this setting:

  • Enabled. Using this value prompts both administrators and standard users when either type of user attempts to perform administrative operations. The prompt style depends on policy.
  • Disabled. Using this value disables the Admin Approval Mode user type and all related UAC policies. This setting will cause the Security Center to indicate that the overall security of the operating system has been reduced.

The configuration for the User Account Control: Run all administrators in Admin Approval Mode setting is Enabled for both of the environments discussed in this guide.

User Account Control: Switch to the secure desktop when prompting for elevation
This setting helps protect the computer and user from malicious use of the elevation prompt. The Windows Vista secure desktop can only run SYSTEM processes, which generally eliminates messages from malicious software. As a result, consent and credential prompts generally cannot be input spoofed on the secure desktop. In addition, the consent prompt is protected from output spoofing. There is still a risk when using the credential prompt because malware may be able to spoof this. This setting has two values:

  • Enabled. Using this value displays the UAC elevation prompt on the secure desktop.
  • Disabled. Using this value causes the UAC elevation prompt to display on the user desktop.

The configuration of the User Account Control: Switch to the secure desktop when prompting for elevation setting is Enabled for both of the environments that are discussed in this guide.

User Account Control: Virtualize file and registry write failures to per-user locations
Applications that lack an application compatibility database entry or a requested execution level marking in the application manifest are not UAC-compliant. Applications that are not UAC-compliant try to write to protected areas including Program Files and %systemroot%. These applications will silently fail if they cannot complete the write process. If you enable this setting, you allow Windows Vista to virtualize file and registry writes to user locations enabling the application to run.

UAC-compliant applications should not write to protected areas and cause write failures. As a result, environments that are only utilizing UAC-compliant applications should disable this setting.

There are two possible values for this setting:

  • Enabled. Environments that utilize software that is not UAC-compliant should configure this setting to Enabled.
  • Disabled. Environments that utilize software that is UAC-compliant should configure this setting to Disabled.

If you are not certain that all applications in your environment are UAC-compliant, you should configure this setting to Enabled.

For this reason, the configuration of the User Account Control: Virtualize file and registry write failures to per-user locations setting is Enabled for both environments in this guide.

Event Log Security Settings

The event log records events on the system, and the Security log records audit events. The event log container of Group Policy is used to define attributes that are related to the Application, Security, and System event logs, such as maximum log size, access rights for each log, and retention settings and methods.

You can configure the event log settings in the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Event Log

This section provides details about the prescribed settings for the environments that are discussed in this guide. For a summary of the prescribed settings in this section, see the Windows Vista Security Guide Settings.xls For information about the default settings and a detailed explanation of each of the settings discussed in this section, see the Threats and Countermeasures guide. This companion guide also includes detailed information about the potential for lost event log data when the log sizes are set to very large values.

The following table summarizes the recommended event log security settings for both desktop and laptop clients in the two types of environments that are discussed in this guide. The following subsections provide detailed information about each of the settings.

Table A31. Security Option Setting Recommendations - Event Log Security Settings

Setting Windows Vista default EC VSG Computer GPOs SSLF VSG Computer GPOs

Maximum application log size

Not applicable
(default = 20480)

32768 KB

32768 KB

Maximum security log size

Not applicable
(default = 20480)

81920 KB

81920 KB

Maximum system log size

Not applicable
(default = 20480)

32768 KB

32768 KB

Retention method for application log

Not applicable (default = Overwrite as needed)

As Needed

As Needed

Retention method for security log

Not applicable (default = Overwrite as needed)

As Needed

As Needed

Retention method for system log

Not applicable (default = Overwrite as needed)

As Needed

As Needed

Maximum application log size
This policy setting specifies the maximum size of the Application event log, which has a maximum capacity of 4 GB. However, this size is not recommended because of the risk of memory fragmentation, which causes slow performance and unreliable event logging. Requirements for the Application log size vary, and depend on the function of the platform and the need for historical records of application-related events.

The Maximum application log size setting is configured to 32768 KB for all computers in the two environments that are discussed in this guide.

Maximum security log size
This policy setting specifies the maximum size of the Security event log, which has a maximum capacity of 4 GB. However, this size is not recommended because of the risk of memory fragmentation, which causes slow performance and unreliable event logging. Requirements for the Security log size vary, and depend on the function of the platform and the need for historical records of application-related events.

The Maximum security log size setting is configured to 81920 KB for all computers in the two environments that are discussed in this guide.

Maximum system log size
This policy setting specifies the maximum size of the System event log, which has a maximum capacity of 4 GB. However, this size is not recommended because of the risk of memory fragmentation, which leads to slow performance and unreliable event logging. Requirements for the application log size vary depending on the function of the platform and the need for historical records of application related events.

The Maximum system log size setting is configured to 32768 KB for all computers in the two environments that are discussed in this guide.

Retention method for application log
This policy setting determines the "wrapping" method for the Application log. It is imperative that the Application log is archived regularly if historical events are desirable for either forensics or troubleshooting purposes. Overwriting events as needed ensures that the log always stores the most recent events, although this configuration could result in a loss of historical data.

The Retention method for application log is configured to As Needed for both of the environments that are discussed in this guide.

Retention method for security log
This policy setting determines the "wrapping" method for the Security log. It is imperative that the Security log is archived regularly if historical events are desirable for either forensics or troubleshooting purposes. Overwriting events as needed ensures that the log always stores the most recent events, although this configuration could result in a loss of historical data.

The Retention method for security log is configured to As Needed for both of the environments that are discussed in this guide.

Retention method for system log
This policy setting determines the "wrapping" method for the System log. It is imperative that the System log is archived regularly if historical events are desirable for either forensics or troubleshooting purposes. Overwriting events as needed ensures that the log always stores the most recent events, although this configuration could result in a loss of historical data.

The Retention method for system log is configured to As Needed for both of the environments that are discussed in this guide.

Windows Firewall with Advanced Security Settings

The firewall included with Windows Vista allows for more precise control of its configuration.

You can configure the Windows Firewall with Advanced Security settings in the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings
\Windows Firewall with Advanced Security

To control these settings, within the Windows Firewall with Advanced Security section of the Group Policy Object Editor, click the Windows Firewall Properties link. In the Windows Firewall with Advanced Security dialog box, you can specify settings for the Domain, Private, and Public profiles. For each profile, you can specify general settings in the State section and then, in the Settings section, you can click the Customize button to specify customized settings. This section of the appendix includes tables and recommendations for each of the profiles that you can configure in the Windows Firewall with Advanced Security dialog box.

Domain Profile

This profile applies when a computer is connected to a network and authenticates to a domain controller in the domain to which the computer belongs.

Table A32. Recommended Domain Profile Settings

Setting Windows Vista default EC VSG Computer GPOs SSLF VSG Computer GPOs

§ Firewall state

Not configured

On (recommended)

On (recommended)

§ Inbound connections

Not configured

Block (default)

Block (default)

§ Outbound connections

Not configured

Allow (default)

Allow (default)

Customized settings

§ Display a notification

Not configured

Yes (default)

No

§ Allow unicast response

Not configured

No

No

§ Apply local firewall rules

Not configured

Yes (default)

No

§ Apply local connection security rules

Not configured

Yes (default)

No

§ - Denotes Group Policy settings that are new in Windows Vista.

The recommended Windows Firewall with Advanced Security configuration for the EC environment includes firewall rules that allow for Remote Desktop, and Remote Assistance communications to occur. Furthermore, local administrators of computers in the EC environment can configure local firewall rules to permit additional communications to a computer.

In the SSLF environment, all inbound communications are blocked by default and local firewall rules are ignored by computers. Additions or modifications to firewall rules must be configured using the Group Policy Object Editor.

Important   The prescribed firewall settings for the SSLF environment greatly limit inbound connections to your computers. You should extensively test this firewall configuration in your environment to ensure all applications work as expected.

To see which rules are defined for the Domain Profile, within the Windows Firewall with Advanced Security section of the Group Policy Object Editor, click the Inbound Rules link.

Private Profile

This profile only applies if a user with local administrator privileges assigns it to a network that was previously set to use the Public profile. Microsoft recommends only changing the profile to Private for a trusted network.

Table A33. Recommended Private Profile Settings

Setting Windows Vista default EC VSG Computer GPOs SSLF VSG Computer GPOs

§ Firewall state

Not configured

On (recommended)

On (recommended)

§ Inbound connections

Not configured

Block (default)

Block (default)

§ Outbound connections

Not configured

Allow (default)

Allow (default)

Customized settings

§ Display a notification

Not configured

Yes (default)

No

§ Allow unicast response

Not configured

No

No

§ Apply local firewall rules

Not configured

Yes (default)

No

§ Apply local connection security rules

Not configured

Yes (default)

No

§ - Denotes Group Policy settings that are new in Windows Vista.

The recommended Windows Firewall with Advanced Security configuration for the EC environment includes firewall rules that allow for Remote Desktop communications to occur. Furthermore, local administrators of computers in the EC environment can configure local firewall rules to permit additional communications to a computer.

In the SSLF environment, all inbound communications are blocked by default and local firewall rules are ignored by computers. Additions or modifications to firewall rules must be configured using the Group Policy Object Editor.

To see which rules are defined for the Private Profile, within the Windows Firewall with Advanced Security section of the Group Policy Object Editor, click the Inbound Rules link.

Public Profile

This profile is the default network location type when the computer is not connected to a domain. Public profile settings should be the most restrictive because the computer is connected to a public network where security cannot be as tightly controlled as within an IT environment.

Table A34. Recommended Public Profile Settings

Setting Windows Vista default EC VSG Computer GPOs SSLF VSG Computer GPOs

§ Firewall state

Not configured

On (recommended)

On (recommended)

§ Inbound connections

Not configured

Block (default)

Block (default)

§ Outbound connections

Not configured

Allow (default)

Allow (default)

Customized settings

§ Display a notification

Not configured

No

No

§ Allow unicast response

Not configured

No

No

§ Apply local firewall rules

Not configured

No

No

§ Apply local connection security rules

Not configured

No

No

§ - Denotes Group Policy settings that are new in Windows Vista.

In both the EC and SSLF environments, all inbound communications are blocked by default and no firewall rules exist that allow for additional communications to a computer. Furthermore, local firewall rules are ignored by computers in both environments described in this guide. Additions or modifications to firewall rules that apply to the Public Profile must be configured using the Group Policy Object Editor.

The following sections briefly describe the settings you can configure for each of the firewall profiles.

Firewall state
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile.

Inbound connections
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection.

Outbound connections
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection.

Important If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying.

Display a notification
Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections.

Note   When the Apply local firewall rules setting is configured to No, Microsoft recommends also configuring the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored.

Allow unicast response
This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. If you enable this setting and this computer sends multicast or broadcast messages to other computers, Windows Firewall with Advanced Security waits as long as three seconds for unicast responses from the other computers and then blocks all later responses. If you disable this setting and this computer sends a multicast or broadcast message to other computers, Windows Firewall with Advanced Security blocks the unicast responses sent by those other computers.

Apply local firewall rules
This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. If you configure this setting to No, administrators can still create firewall rules, but the rules will not be applied. This setting is available only when configuring the policy through Group Policy.

Apply local connection security rules
This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. If you configure this setting to No, administrators can still create firewall rules, but the rules will not be applied. This setting is available only when configuring the policy through Group Policy.

Computer Configuration\Administrative Templates

The following setting groups for the computer policy contain settings that this guide prescribes. The settings appear in the Computer Configuration\Administrative Templates subnode of the Group Policy Object Editor.

  • Network Connections
  • System
  • Logon
  • Group Policy
  • Remote Assistance
  • Remote Procedure Call
  • Internet Communication Management\Internet Communication Settings
  • Windows Components
  • Autoplay Policies
  • Credential User Interface
  • Internet Explorer
  • NetMeeting
  • Terminal Services
  • Windows Messenger
  • Windows Update

Network Connections

There are no specific security-related configurations in the Network container of Group Policy. However, there are a number of very important settings in the Network Connections\Windows Firewall container.

Microsoft recommends configuring the Windows Firewall using the Windows Firewall with Advanced Security settings available in the Group Policy Object Editor. However, the recommended settings for Windows Firewall with Advanced Security will change the state of several settings in this area of Group Policy. Furthermore, several of the recommended settings help maintain compatibility with computers running Windows XP in the EC environment described in this guide.

In Windows XP, Windows Firewall settings are configured in two profiles: Domain Profile and Standard Profile. Whenever a domain environment is detected, the Domain Profile is used, and whenever a domain environment is not available, the Standard Profile is used.

When a Windows Firewall setting is Recommended in one of the following two tables, the specific value to use will vary for different organizations. Because each organization will have a unique list of applications that will require defined exceptions for the Windows Firewall, it is not feasible for this guide to define a list that will be broadly useful.

When you need to determine which applications or ports might need exceptions, it may be helpful to enable Windows Firewall logging, Windows Firewall auditing, and network tracing. For more information, see the "Configuring a Computer for Windows Firewall Troubleshooting" article.

Typically, the Domain Profile is configured to be less restrictive than the Standard Profile because a domain environment often provides additional layers of protection. The policy setting names are identical in both profiles. The following two tables summarize the policy settings for the different profiles, and more detailed explanations are provided in the subsections that follow the tables.

Network Connections\Windows Firewall\Domain Profile

The settings in this section configure the Windows Firewall Domain Profile. You can configure these settings in the following location within the Group Policy Object Editor:

Administrative Templates\Network\Network Connections
\Windows Firewall\Domain Profile

Table A35. Recommended Windows Firewall Domain Profile Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Windows Firewall: Allow ICMP exceptions

Not Recommended

Not Recommended

Not configured

Not configured

Windows Firewall: Allow inbound file and printer sharing exception

Disabled

Disabled

Not configured

Not configured

Windows Firewall: Allow inbound remote administration exception

Not configured

Not configured

Not configured

Not configured

Windows Firewall: Allow inbound Remote Desktop exceptions

Enabled

Enabled

Not configured

Not configured

Windows Firewall: Allow inbound UPnP framework exceptions

Not Recommended

Not Recommended

Not configured

Not configured

Windows Firewall: Allow local port exceptions

Disabled

Disabled

Disabled

Disabled

Windows Firewall: Allow local program exceptions

Not Recommended

Not Recommended

Disabled

Disabled

Windows Firewall: Define inbound port exceptions

Not Recommended

Not Recommended

Not configured

Not configured

Windows Firewall: Define inbound program exceptions

Recommended

Recommended

Not configured

Not configured

Windows Firewall: Do not allow exceptions

Not Recommended

Not Recommended

Not configured

Not configured

Windows Firewall: Prohibit notifications

Disabled

Disabled

Enabled

Enabled

Windows Firewall: Prohibit unicast response to multicast or broadcast requests

Enabled

Enabled

Enabled

Enabled

Windows Firewall: Protect all network connections

Enabled

Enabled

Enabled

Enabled

Note   When a Windows Firewall setting is Recommended in this table, the specific value to use will vary for different organizations. For example, each organization will have a unique list of applications that will require defined exceptions for the Windows Firewall. Therefore, it is not feasible for this guide to define a list that will be broadly useful.

Network Connections\Windows Firewall\Standard Profile

The settings in this section configure the Windows Firewall Standard Profile. This profile is often more restrictive than the Domain Profile, which assumes a domain environment provides some basic level of security. The Standard Profile is expected to be used when a computer is on an untrusted network, such as a hotel network or a public wireless access point. Such environments pose unknown threats and require additional security precautions.

Note   The Standard Profile only applies to computers running Windows XP. The following recommendations apply only to the EC environment described in this guide to maintain compatibility with Windows XP.

You can configure these prescribed computer settings in the following location within the Group Policy Object Editor:

Administrative Templates\Network\Network Connections
\Windows Firewall\Standard Profile

Table A36. Recommended Windows Firewall Standard Profile Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Windows Firewall: Allow ICMP exceptions

Disabled

Disabled

Not configured

Not configured

Windows Firewall: Allow inbound file and printer sharing exception

Disabled

Disabled

Not configured

Not configured

Windows Firewall: Allow inbound remote administration exception

Disabled

Disabled

Not configured

Not configured

Windows Firewall: Allow inbound Remote Desktop exceptions

Enabled

Enabled

Not configured

Not configured

Windows Firewall: Allow inbound UPnP framework exceptions

Disabled

Disabled

Not configured

Not configured

Windows Firewall: Allow local port exceptions

Disabled

Disabled

Not configured

Not configured

Windows Firewall: Allow local program exceptions

Not Recommended

Not Recommended

Not configured

Not configured

Windows Firewall: Define inbound port exceptions

Not Recommended

Not Recommended

Not configured

Not configured

Windows Firewall: Define inbound program exceptions

Recommended

Recommended

Not configured

Not configured

Windows Firewall: Do not allow exceptions

Recommended

Recommended

Not configured

Not configured

Windows Firewall: Prohibit notifications

Disabled

Disabled

Not configured

Not configured

Windows Firewall: Prohibit unicast response to multicast or broadcast requests

Enabled

Enabled

Not configured

Not configured

Windows Firewall: Protect all network connections

Enabled

Enabled

Not configured

Not configured

Note   When a Windows Firewall setting is Recommended in this table, the specific value to use will vary for different organizations. For example, each organization will have a unique list of applications that will require defined exceptions for the Windows Firewall. Therefore, it is not feasible for this guide to define a list that will be broadly useful.

Windows Firewall: Allow ICMP exceptions
This policy setting defines the set of Internet Control Message Protocol (ICMP) message types that Windows Firewall allows. Utilities can use ICMP messages to determine the status of other computers. For example, Ping uses the echo request message.

If you configure the Windows Firewall: Allow ICMP exceptions setting to Enabled, you must specify which ICMP message types Windows Firewall allows the computer to send or receive. When you configure this policy setting to Disabled, Windows Firewall blocks all unsolicited inbound ICMP message types and the listed outbound ICMP message types. As a result, utilities that rely on ICMP may fail.

Many attacker tools take advantage of computers that accept ICMP message types and use these messages to mount a variety of attacks. However, some applications require some ICMP messages in order to function properly. Also, ICMP messages are used to estimate network performance when Group Policy is downloaded and processed; if ICMP messages are blocked, Group Policy may not be applied to affected systems. For that reason, Microsoft recommends that you configure the Windows Firewall: Allow ICMP exceptions setting to Disabled whenever possible. If your environment requires some ICMP messages to get through Windows Firewall, configure this policy setting with the appropriate message types.

Whenever the computer is on an untrusted network, the Windows Firewall: Allow ICMP exceptions setting should be configured to Disabled.

Note   If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow inbound file and printer sharing exception, Windows Firewall: Allow inbound remote administration exception, and Windows Firewall: Define inbound port exceptions.

Windows Firewall: Allow inbound file and printer sharing exception
This policy setting creates an exception that allows file and printer sharing. It configures Windows Firewall to open UDP ports 137 and 138 and TCP ports 139 and 445. If you enable this policy setting, Windows Firewall opens these ports so that the computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from which such messages are allowed.

If you disable the Windows Firewall: Allow inbound file and printer sharing exception setting, Windows Firewall blocks these ports and prevents the computer from sharing files and printers.

Because the computers in your environment that run Windows Vista will not typically share files and printers, Microsoft recommends you configure the Windows Firewall: Allow inbound file and printer sharing exception setting to Disabled.

Note   If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow inbound file and printer sharing exception, Windows Firewall: Allow inbound remote administration exception, and Windows Firewall: Define inbound port exceptions.

Windows Firewall: Allow inbound remote administration exception
Many organizations take advantage of remote computer administration in their daily operations. However, some attacks have exploited the ports that are typically used by remote administration programs; Windows Firewall can help block these ports.

To provide flexibility for remote administration, the Windows Firewall: Allow inbound remote administration exception setting is available. If this policy setting is enabled, the computer can receive the unsolicited incoming messages that are associated with remote administration on TCP ports 135 and 445. This policy setting also allows Svchost.exe and Lsass.exe to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1024 to 1034 but potentially anywhere from 1024 to 65535. If you enable this policy setting, you need to specify the IP addresses or subnets from which these incoming messages are allowed.

If you configure the Windows Firewall: Allow inbound remote administration exception setting to Disabled, Windows Firewall makes none of the described exceptions. The impact of configuring this policy setting to Disabled may be unacceptable to many organizations because many remote administration tools and tools that scan for vulnerabilities will fail. Therefore, Microsoft recommends that only the most security-sensitive organizations enable this policy setting.

For the Domain Profile, Microsoft recommends that the Windows Firewall: Allow inbound remote administration exception setting be Enabled for computers in the EC environment only when necessary. If you enable this setting, computers in your environment should accept remote administration requests from as few computers as possible. To maximize the protection provided by Windows Firewall, make sure to specify only the necessary IP addresses and subnets of computers that are used for remote administration.

Microsoft recommends that the Windows Firewall: Allow inbound remote administration exception setting be Disabled for all computers in the Standard Profile to avoid known attacks that specifically use exploits against TCP ports 135 and 445.

Note   If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow inbound file and printer sharing exception, Windows Firewall: Allow inbound remote administration exception, and Windows Firewall: Define inbound port exceptions.

Windows Firewall: Allow inbound Remote Desktop exceptions
Many organizations use Remote Desktop connections in their normal troubleshooting procedures or operations. However, some attacks have exploited the ports that are typically used by Remote Desktop.

To provide flexibility for remote administration, the Windows Firewall: Allow inbound Remote Desktop exceptions setting is available. If you enable this policy setting, Windows Firewall opens TCP port 3389 for inbound connections. You must also specify the IP addresses or subnets from which these inbound messages are allowed.

If you disable this policy setting, Windows Firewall blocks this port and prevents the computer from receiving Remote Desktop requests. If an administrator adds this port to a local port exceptions list in an attempt to open it, Windows Firewall does not open the port.

To maintain the enhanced management capabilities that are provided by Remote Desktop, you need to configure this policy setting to Enabled for the EC environment. You must specify the IP addresses and subnets of the computers that are used for remote administration. Computers in your environment should accept Remote Desktop requests from as few computers as possible.

Windows Firewall: Allow inbound UPnP framework exceptions
This policy setting allows a computer to receive unsolicited Plug and Play messages that are sent by network devices, such as routers with built-in firewalls. To receive these messages, Windows Firewall opens TCP port 2869 and UDP port 1900.

If you enable the Windows Firewall: Allow inbound UPnP framework exceptions setting, Windows Firewall opens these ports so that the computer can receive Plug and Play messages. You must specify the IP addresses or subnets from which these inbound messages are allowed. If you disable this policy setting, Windows Firewall blocks these ports and prevents the computer from receiving Plug and Play messages.

Blocking UPnP network traffic effectively reduces the attack surface of computers in your environment. On trusted networks, Microsoft recommends that you configure the Windows Firewall: Allow inbound UPnP framework exception setting to Disabled unless you use UPnP devices on your network. This policy setting should always be Disabled on untrusted networks.

Windows Firewall: Allow local port exceptions
This policy setting allows administrators to use the Windows Firewall component in Control Panel to define a local port exceptions list. Windows Firewall can use two port exceptions lists; the other is defined by Windows Firewall: Define port exceptions.

If you enable the Windows Firewall: Allow local port exceptions setting, the Windows Firewall component in Control Panel allows administrators to define a local port exceptions list. If you disable this policy setting, the Windows Firewall component in Control Panel does not allow administrators to define such a list.

Typically, local administrators are not authorized to override organizational policy and establish their own port exceptions list. For that reason, Microsoft recommends that the Windows Firewall: Allow local port exceptions setting be configured to Disabled.

Windows Firewall: Allow local program exceptions
This policy setting controls whether administrators can use the Windows Firewall component in Control Panel to define a local program exceptions list. If you disable this policy setting, administrators will not be able to define a local program exceptions list; also, this configuration ensures that program exceptions only come from Group Policy. If this policy setting is enabled, local administrators are allowed to use Control Panel to define program exceptions locally.

For enterprise client computers, there may be conditions that justify local program exceptions. These conditions may include applications that were not analyzed when the organization's firewall policy was created or new applications that require nonstandard port configuration. If you choose to enable the Windows Firewall: Allow local program exceptions setting for such situations, remember that the attack surface of the affected computers is increased.

Windows Firewall: Define inbound port exceptions
The Windows Firewall port exceptions list should be defined by Group Policy, which allows you to centrally manage and deploy your port exceptions and ensure that local administrators do not create less secure settings.

If you enable the Windows Firewall: Define inbound port exceptions setting, you can view and change the port exceptions list that is defined by Group Policy. To view and modify the port exceptions list, configure the setting to Enabled and then click the Show button. Note that if you type an invalid definition string, Windows Firewall adds it to the list without checking for errors, which means that you can accidentally create multiple entries for the same port with Scope or Status values that conflict.

If you disable the Windows Firewall: Define inbound port exceptions setting, the port exceptions list that is defined by Group Policy is deleted but other settings can continue to open or block ports. Also, if a local port exceptions list exists, it is ignored unless you enable the Windows Firewall: Allow local port exceptions setting.

Environments with nonstandard applications that require specific ports to be open should consider program exceptions instead of port exceptions. Microsoft recommends that the Windows Firewall: Define inbound port exceptions setting be configured to Enabled and that a list of port exceptions be specified only when program exceptions cannot be defined. Program exceptions allow the Windows Firewall to accept unsolicited network traffic only while the specified program is running, and port exceptions keep the specified ports open at all times.

Note   If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow inbound file and printer sharing exception, Windows Firewall: Allow inbound remote administration exception, and Windows Firewall: Define inbound port exceptions.

Windows Firewall: Define inbound program exceptions
Some applications may need to open and use network ports that are not typically allowed by Windows Firewall. The Windows Firewall: Define inbound program exceptions setting allows you to view and change the program exceptions list that is defined by Group Policy.

If this policy setting is Enabled you can view and change the program exceptions list. If you add a program to this list and set its status to Enabled, that program can receive unsolicited incoming messages on any port that it requests Windows Firewall to open, even if that port is blocked by another setting. If you configure this policy setting to Disabled, the program exceptions list that is defined by Group Policy is deleted.

Note   If you type an invalid definition string, Windows Firewall adds it to the list without checking for errors. Because the entry is not checked, you can add programs that you have not installed yet. You can also accidentally create multiple exceptions for the same program with Scope or Status values that conflict.

Windows Firewall: Do not allow exceptions
This policy setting caused Windows Firewall to block all unsolicited incoming messages. It overrides all other Windows Firewall settings that allow such messages. If you enable this policy setting in the Windows Firewall item in Control Panel, the Don't allow exceptions check box is selected and administrators cannot clear it.

Many environments contain applications and services that must be allowed to receive inbound unsolicited communications as part of their normal operation. Such environments may need to configure the Windows Firewall: Do not allow exceptions setting to Disabled to allow those applications and services to run properly. However, before you configure this policy setting, you should test the environment to determine exactly what communications need to be allowed.

Note   This policy setting provides a strong defense against external attackers and should be set to Enabled in situations in which you require complete protection from external attacks, such as the outbreak of a new network worm. If you set this policy setting to Disabled, Windows Firewall will be able to apply other policy settings that allow unsolicited incoming messages.

Windows Firewall: Prohibit notifications
Windows Firewall can display notifications to users when a program requests that Windows Firewall add the program to the program exceptions list. This situation occurs when programs attempt to open a port and are not allowed to do so because of current Windows Firewall rules.

The Windows Firewall: Prohibit notifications setting determines whether these settings are shown to the users. If you configure this policy setting to Enabled, Windows Firewall prevents the display of these notifications. If you configure it to Disabled, Windows Firewall allows the display of these notifications.

Windows Firewall: Prohibit unicast response to multicast or broadcast requests
This policy setting helps prevent a computer from receiving unicast responses to its outgoing multicast or broadcast messages. When this policy setting is enabled and the computer sends multicast or broadcast messages to other computers, Windows Firewall blocks the unicast responses that are sent by those other computers. When this policy setting is disabled and this computer sends a multicast or broadcast message to other computers, Windows Firewall waits up to three seconds for unicast responses from the other computers and then blocks all later responses.

Typically, you would not want to receive unicast responses to multicast or broadcast messages. Such responses can indicate a denial of service (DoS) attack or an attempt to probe a known computer. Microsoft recommends that the Windows Firewall: Prohibit unicast response to multicast or broadcast requests setting be configured to Enabled to help prevent this type of attack.

Note   This policy setting has no effect if the unicast message is a response to a DHCP broadcast message that is sent by the computer. Windows Firewall always permits those DHCP responses. However, this policy setting can interfere with the NetBIOS messages that detect name conflicts.

Windows Firewall: Protect all network connections
This policy setting enables Windows Firewall, which replaces Internet Connection Firewall on all computers that run Windows Vista. This guide recommends that you configure this policy setting to Enabled to protect all network connections for computers in all of the environments that are discussed in this guide.

If Windows Firewall: Protect all network connections is configured to Disabled, Windows Firewall is turned off and all other settings for Windows Firewall are ignored.

Note   If you enable this policy setting, Windows Firewall runs and ignores the setting for Computer Configuration\Administrative Templates\Network\Network Connections
\Prohibit use of Internet Connection Firewall on your DNS domain network
.

System

Within the Computer Configuration\Administrative Templates\System location, the following additional sections are configured:

  • Logon
  • Group Policy
  • Remote Assistance
  • Remote Procedure Call
  • Internet Communication Management\Internet Communication Settings
Logon

You can configure these prescribed computer settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\System\Logon

The following table summarizes the recommended Logon settings. Additional information about each setting is provided in the subsections that follow the table.

Table A37. Recommended Logon Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Do not process the legacy run list

Not configured

Not configured

Enabled

Enabled

Do not process the run once list

Not configured

Not configured

Enabled

Enabled

Do not process the legacy run list
This policy setting causes the run list, which is a list of programs that Windows Vista runs automatically when it starts, to be ignored. The customized run lists for Windows Vista are stored in the registry at the following locations:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

You can enable the Do not process the legacy run list setting to help prevent a malicious user from running a program each time Windows Vista starts, which could compromise data on the computer or cause other harm. When this policy setting is enabled, certain system programs are prevented from running, such as antivirus software, and software distribution and monitoring software. Microsoft recommends that you evaluate the threat level to your environment before you determine whether to use this policy setting for your organization.

The Do not process the legacy run list setting is Not configured for the EC environment and Enabled for the SSLF environment.

Do not process the run once list
This policy setting causes the run once list, which is the list of programs that Windows Vista runs automatically when it starts, to be ignored. This policy setting differs from the Do not process the legacy run list setting in that programs on this list will run once the next time the client computer restarts. Setup and installation programs are sometimes added to this list to complete installations after a client computer restarts. If you enable this policy setting, attackers generally cannot use the run once list to launch rogue applications, which was a common method of attack in the past. A malicious user can exploit the run once list to install a program that may compromise the security of Windows Vista-based client computers.

Note   Customized run once lists are stored in the registry at the following location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce.

The Do not process the run once list setting should cause minimal functionality loss to users in your environment, especially if the client computers have been configured with all of your organization's standard software before this policy setting is applied through Group Policy. The Do not process the run once list setting is set to Not configured for the EC environment and to Enabled for the SSLF environment.

Group Policy

You can configure this prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\System\Group Policy

Table A38. Recommended Group Policy Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Registry policy processing

Enabled

Enabled

Enabled

Enabled

Registry policy processing
This policy setting determines when registry policies are updated. It affects all policies in the Administrative Templates folder, and any other policies that store values in the registry. If this policy setting is enabled, the following options are available:

  • Do not apply during periodic background processing.
  • Process even if the Group Policy objects have not changed.

Some settings that are configured through the Administrative Templates are made in areas of the registry that are accessible to users. User changes to these settings will be overwritten if this policy setting is enabled.

The Registry policy processing setting is configured to Enabled for both of the environments that are discussed in this guide.

Remote Assistance

You can configure these prescribed computer settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\System\Remote Assistance

The following table summarizes the recommended Remote Assistance settings. Additional information about each setting is provided in the subsections that follow.

Table A39. Recommended Remote Assistance Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Offer Remote Assistance

Not configured

Not configured

Disabled

Disabled

Solicited Remote Assistance

Not configured

Not configured

Disabled

Disabled

Offer Remote Assistance
This policy setting determines whether a support person or an IT "expert" administrator can offer remote assistance to computers in your environment if a user does not explicitly request assistance first through a channel, such as e-mail, or Instant Messenger.

Note   The expert cannot connect to the computer unannounced or control it without permission from the user. When the expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation after the Offer Remote Assistance setting is configured to Enabled.

If this policy setting is enabled the following options are available:

  • Allow helpers to only view the computer
  • Allow helpers to remotely control the computer

When you configure this policy setting, you can also specify a list of users or user groups known as "helpers" who may offer remote assistance.

To configure the list of helpers

  1. In the Offer Remote Assistance setting configuration window, click Show. A new window will open in which you can enter helper names.

  2. Add each user or group to the Helper list in one of the following formats:

  • <Domain Name>\<User Name>
  • <Domain Name>\<Group Name>

If this policy setting is disabled or not configured, users and or groups will not be able to offer unsolicited remote assistance to computer users in your environment.

The Offer Remote Assistance setting is Not configured for the EC environment. However, this policy setting is configured to Disabled for the SSLF environment to prevent access to Windows Vista client computers across the network.

Solicited Remote Assistance
This policy setting determines whether remote assistance may be solicited from the Windows Vista computers in your environment. You can enable this policy setting to allow users to solicit remote assistance from IT "expert" administrators.

Note   Experts cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation.

If the Solicited Remote Assistance setting is enabled, the following options are available:

  • Allow helpers to remotely control the computer
  • Allow helpers to only view the computer

Also, the following options are available to configure the amount of time that a user help request remains valid:

  • Maximum ticket time (value):
  • Maximum ticket time (units): hours,minutes or days

When a ticket (help request) expires, the user must send another request before an expert can connect to the computer. If you disable the Solicited Remote Assistance setting, users cannot send help requests and the expert cannot connect to their computers.

If the Solicited Remote Assistance setting is not configured, users can configure solicited remote assistance through the Control Panel. The following settings are enabled by default in the Control Panel: Solicited Remote Assistance, Buddy support, and Remote control. The value for the Maximum ticket time is set to 30 days. If this policy setting is disabled, no one will be able to access Windows Vista client computers across the network.

The Solicited Remote Assistance setting is Not configured for the EC environment and is configured to Disabled for the SSLF environment.

Remote Procedure Call

You can configure these prescribed computer settings in the following location within the Group Policy Object Editor:

Administrative Templates\System\Remote Procedure Call

The following table summarizes the recommended Remote Procedure Call settings. Additional information about each setting is provided in the subsections that follow the table.

Table A40. Recommended Remote Procedure Call Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Restrictions for Unauthenticated RPC clients

Enabled- Authenticated

Enabled- Authenticated

Enabled- Authenticated

Enabled- Authenticated

RPC Endpoint Mapper Client Authentication

Disabled

Disabled

Enabled

Enabled

**Restrictions for Unauthenticated RPC clients** This policy setting configures the RPC Runtime on an RPC server to restrict unauthenticated RPC clients from connecting to the RPC server. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC interfaces that have specifically asked to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy. If you enable this policy setting, the following values are available:
  • None. Allows all RPC clients to connect to RPC servers that run on the computer on which the policy is applied.
  • Authenticated. Allows only authenticated RPC clients to connect to RPC servers that run on the computer on which the policy is applied. Interfaces that have asked to be exempt from this restriction will be granted an exemption.
  • Authenticated without exceptions. Allows only authenticated RPC clients to connect to RPC servers that run on the computer on which the policy is applied. No exceptions are allowed.

Because unauthenticated RPC communication can create a security vulnerability, the Restrictions for Unauthenticated RPC clients setting is configured to Enabled and the RPC Runtime Unauthenticated Client Restriction to Apply value is set to Authenticated for both of the environments that are discussed in this guide.

Note   RPC applications that do not authenticate unsolicited inbound connection requests may not work properly when this configuration is applied. Ensure you test applications before you deploy this policy setting throughout your environment. Although the Authenticated value for this policy setting is not completely secure, it can be useful for providing application compatibility in your environment.

RPC Endpoint Mapper Client Authentication
If you enable this policy setting, client computers that communicate with this computer will be forced to provide authentication before an RPC communication is established. By default, RPC clients will not use authentication to communicate with the RPC Server Endpoint Mapper Service when they request the endpoint of a server. However, this default was changed for the SSLF environment to require client computers to authenticate before an RPC communication is allowed.

Internet Communication Management\Internet Communication Settings

There are several configuration settings available in the Internet Communication settings group. This guide recommends that many of these settings be restricted, primarily to help improve the confidentiality of the data on your computer systems. If these settings are not restricted, information could be intercepted and used by attackers. Although the actual occurrence of this type of attack today is rare, proper configuration of these settings will help protect your environment against future attacks.

You can configure these prescribed computer settings in the following location within the Group Policy Object Editor:

Administrative Templates\System\Internet Communication Management\Internet Communication settings

The following table summarizes the recommended Internet Communication settings. Additional information about each setting is provided in the subsections that follow the table.

Table A41. Recommended Internet Communication Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Turn off the "Publish to Web" task for files and folders

Enabled

Enabled

Enabled

Enabled

Turn off Internet download for Web publishing and online ordering wizards

Enabled

Enabled

Enabled

Enabled

Turn off the Windows Messenger Customer Experience Improvement Program

Enabled

Enabled

Enabled

Enabled

Turn off Search Companion content file updates

Enabled

Enabled

Enabled

Enabled

Turn off printing over HTTP

Enabled

Enabled

Enabled

Enabled

Turn off downloading of print drivers over HTTP

Enabled

Enabled

Enabled

Enabled

Turn off Windows Update device driver searching

Disabled

Disabled

Enabled

Enabled

Turn off the "Publish to Web" task for files and folders
This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web.

If you configure the Turn off the "Publish to Web" task for files and folders setting to Enabled, these options are removed from the File and Folder tasks in Windows folders. By default, the option to publish to the Web is available. Because this capability could be used to expose secured content to an unauthenticated Web client computer, this policy setting is configured to Enabled for both the EC and SSLF environments.

Turn off Internet download for Web publishing and online ordering wizards
This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. If this policy setting is enabled, Windows is prevented from downloading providers; only the service providers cached in the local registry will display.

Because the Turn off "Publish to Web" task for files and folders setting was enabled for both the EC and SSLF environments (see the previous setting), this option is not needed. However, the Turn off Internet download for Web publishing and online ordering wizards setting is configured to Enabled to minimize the attack surface of client computers and to ensure that this capability cannot be exploited in other ways.

Turn off the Windows Messenger Customer Experience Improvement Program
This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. You can enable this policy setting to ensure that Windows Messenger does not collect usage information and to prevent display of the user settings that enable the collection of usage information.

Many large enterprise environments may not want to have information collected from managed client computers. The Turn off the Windows Messenger Customer Experience Improvement Program setting is configured to Enabled for both of the environments that are discussed in this guide to prevent information being collected.

Turn off Search Companion content file updates
This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. If you configure this policy setting to Enabled, you prevent Search Companion from downloading content updates during searches.

The Turn off Search Companion content file updates setting is configured to Enabled for both the EC and SSLF environments to help control unnecessary network communications from each managed client computer.

Note   Internet searches will still send the search text and information about the search to Microsoft and the chosen search provider. If you select Classic Search, the Search Companion feature will be unavailable. You can select Classic Search by clicking Start, Search, Change Preferences, and then Change Internet Search Behavior.

Turn off printing over HTTP
This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. If you enable this policy setting, the client computer will not be able to print to Internet printers over HTTP.

Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise environments. The Turn off printing over HTTP setting is configured to Enabled for both the EC and SSLF environments to help prevent a potential security breach from an insecure print job.

Note   This policy setting affects the client side of Internet printing only. Regardless of how it is configured, a computer could act as an Internet Printing server and make its shared printers available through HTTP.

Turn off downloading of print drivers over HTTP
This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP.

The Turn off downloading of print drivers over HTTP setting is configured to Enabled to prevent print drivers from being downloaded over HTTP.

Note   This policy setting does not prevent the client computer from printing to printers on the intranet or the Internet over HTTP. It only prohibits drivers that are not already installed locally from downloading.

Turn off Windows Update device driver searching
This policy setting specifies whether Windows will search Windows Update for device drivers when no local drivers for a device are present.

Because there is some risk when any device drivers are downloaded from the Internet, the Turn off Windows Update device driver searching setting is configured to Enabled for the SSLF environment and Disabled for the EC environment. The reason for this configuration is because the types of attacks that can exploit a driver download will typically be mitigated by proper enterprise resource and configuration management. This will also help ensure compatibility and stability across the computers in your environment.

Note   See also Turn off Windows Update device driver search prompt in Administrative Templates/System, which governs whether an administrator is prompted before Windows Update is searched for device drivers if a driver is not found locally.

Windows Components

You can configure these prescribed computer settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components

In the Administrative Templates\Windows Components section, you can configure settings for:

  • AutoPlay policies
  • Credential user interface
  • Internet Explorer
  • NetMeeting
  • Terminal Services
  • Windows Messenger
  • Windows Update
AutoPlay Policies

Autoplay is a feature of Windows that will automatically open or start media files or installation programs as soon as they are detected by your computer. You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\
AutoPlay Policies

Table A42. Recommended AutoPlay Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Turn off Autoplay

Not configured

Not configured

Enabled -
All Drives

Enabled -
All Drives

Turn off Autoplay
Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. You can enable the Turn off Autoplay setting to disable the Autoplay feature. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives.

The Turn off Autoplay setting is configured to Not configured for the EC environment and to Enabled - All Drives for the SSLF environment only.

Note   You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives.

Credential User Interface

The Credential User Interface settings control the UI seen by users when prompted to supply their account name and password to authorize elevated tasks that require approval through the Secure Desktop. You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Credential User Interface

Table A43. Recommended UAC Credential User Interface Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

§ Enumerate administrator accounts on elevation

Not configured

Not configured

Disabled

Disabled

§ Require trusted path for credential entry

Not configured

Not configured

Enabled

Enabled

§ - Denotes Group Policy settings that are new in Windows Vista.

Enumerate administrator accounts on elevation
By default, all administrator accounts are displayed when you attempt to elevate a running application. If you enable this policy, users will always be required to type in a user name and password to elevate. If you disable this policy, all local administrator accounts on the computer will be displayed so the user can choose one and enter the correct password.

The Enumerate administrator accounts on elevation setting is configured to Not configured for the EC environment and to Disabled for the SSLF environment only.

Require trusted path for credential entry
If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism. This means that before entering account and password information to authorize an elevation request, a user first need to press CTRL+ALT+DEL. Requiring the use of a trusted path helps prevent a Trojan horse or other types of malicious code from stealing the user's Windows credentials.

If you disable or do not configure this policy setting, users will enter Windows credentials within the user's desktop session, potentially allowing malicious code access to the user's Windows credentials.

The Require trusted path for credential entry setting is configured to Not configured for the EC environment and to Enabled for the SSLF environment only.

Internet Explorer

Microsoft Internet Explorer® Group Policy helps you enforce security requirements for Windows Vista computers, and prevent the exchange of unwanted content through Internet Explorer. Use the following criteria to secure Internet Explorer on the workstations in your environment:

  • Ensure that requests to the Internet only occur in direct response to user actions.
  • Ensure that information sent to specific Web sites only reaches those sites unless specific user actions are allowed to transmit information to other destinations.
  • Ensure that trusted channels to servers/sites are clearly identified along with who owns the servers/sites on each channel.
  • Ensure that any script or program that runs with Internet Explorer executes in a restricted environment. Programs that are delivered through trusted channels may be enabled to operate outside of the restricted environment.

Important   You need to ensure that Internet Explorer is properly configured to access the Internet before you apply the GPOs included with this guide. Many environments require specific proxy settings for proper Internet access. The recommended settings included in this guide prevent users from changing the configuration of Internet Explorer proxy settings.

You can configure the prescribed computer settings for Internet Explorer in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer

The following table summarizes many of the Internet Explorer setting recommendations. Additional information about each setting is provided in the subsections that follow the table.

Table A44. Recommended Internet Explorer Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Disable Automatic Install of Internet Explorer components

Enabled

Enabled

Enabled

Enabled

Disable Periodic Check for Internet Explorer software updates

Enabled

Enabled

Enabled

Enabled

Disable software update shell notifications on program launch

Enabled

Enabled

Enabled

Enabled

Do not allow users to enable or disable add-ons

Enabled

Enabled

Enabled

Enabled

Make proxy settings per-machine (rather than per-user)

Enabled

Disabled

Enabled

Disabled

Security Zones: Do not allow users to add/delete sites

Enabled

Enabled

Enabled

Enabled

Security Zones: Do not allow users to change policies

Enabled

Enabled

Enabled

Enabled

Security Zones: Use only machine settings

Enabled

Enabled

Enabled

Enabled

Turn off Crash Detection

Enabled

Enabled

Enabled

Enabled

Disable Automatic Install of Internet Explorer components
If you enable this policy setting, Internet Explorer will not be able to download components when users browse to Web sites that require the components to fully function. If this policy setting is disabled or not configured, users will be prompted to download and install components each time they visit Web sites that use them.

The Disable Automatic Install of Internet Explorer components setting is configured to Enabled for the two environments that are discussed in the appendix.

Note   Before you enable this policy setting, Microsoft recommends that you set up an alternative strategy to update Internet Explorer through Microsoft Update or a similar service.

Disable Periodic Check for Internet Explorer software updates
If you enable this policy setting, Internet Explorer will not be able to determine whether a later browser version is available and notify users if this is the case. If this policy setting is disabled or not configured, Internet Explorer will check for updates every 30 days (the default setting) and notify users if a new version is available.

The Disable Periodic Check for Internet Explorer software updates setting is configured to Enabled for the two environments that are discussed in this guide.

Note   Before you enable this policy setting, Microsoft recommends that you set up an alternative strategy for the administrators in your organization to ensure that they periodically accept new updates for Internet Explorer on the client computers in your environment.

Disable software update shell notifications on program launch
This policy setting specifies that programs that use Microsoft software distribution channels will not notify users when they install new components. Software distribution channels are used to update software dynamically on users' computers; this functionality is based on Open Software Distribution (.osd) technologies.

The Disable software update shell notifications on program launch setting is configured to Enabled for the two environments that are discussed in this guide.

Do not allow users to enable or disable add-ons
This policy setting allows you to manage whether users have the ability to allow or deny add-ons through Manage Add-ons. If you configure this policy setting to Enabled, users cannot enable or disable add-ons through Manage Add-ons. The only exception is if an add-on has been specifically entered into the Add-On List policy setting in a way that allows users to continue to manage the add-on. In such a case, the user can still manage the add-on through Manage Add-ons. If you configure this policy setting to Disabled, the user will be able to enable or disable add-ons.

Users often choose to install add-ons that are not permitted by an organization's security policy. Such add-ons can pose a significant security and privacy risk to your network. Therefore, this policy setting is configured to Enabled for the two environments that are discussed in this guide.

Note   You should review the GPO settings in Internet Explorer\Security Features\Add-on Management to ensure that appropriate authorized add-ons can still run in your environment. For example, you may want to read the Knowledge Base article 555235, "Outlook Web Access and Small Business Server Remote Web Workplace do not function if XP Service Pack 2 Add-on Blocking is enabled via group policy."

Make proxy settings per-machine (rather than per-user)
If you enable this policy setting, users will not be allowed to alter user-specific proxy settings. They must use the zones that are created for all users of the computers they access.

The Make proxy settings per-machine (rather than per-user) setting is configured to Enabled for desktop client computers for the two environments that are discussed in this guide. However, the policy setting is configured to Disabled for laptop client computers because mobile users may have to change their proxy settings as they travel.

Security Zones: Do not allow users to add/delete sites
Enable this policy setting to disable the site management settings for security zones. (To see the site management settings for security zones, open Internet Explorer, select Tools and then Internet Options, click the Security tab, and then click Sites.) If this policy setting is disabled or not configured, users will be able to add or remove Web sites in the Trusted Sites and Restricted Sites zones, as well as alter settings in the Local Intranet zone.

The Security Zones: Do not allow users to add/delete sites setting is configured to Enabled for the two environments that are discussed in this guide.

Note   If you enable the Disable the Security page setting (located in \User Configuration\
Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), the Security tab is removed from the interface and the Disable setting takes precedence over this Security Zones: setting.

Security Zones: Do not allow users to change policies
If you enable this policy setting, you disable the Custom Level button and Security level for this zone slider on the Security tab in the Internet Options dialog box. If this policy setting is disabled or not configured, users will be able to change the settings for security zones. It prevents users from changing security zone policy settings that are established by the administrator.

The Security Zones: Do not allow users to change policies setting is configured to Enabled for the two environments that are discussed in this guide.

Note   If you enable the Disable the Security page setting (located in \User Configuration\
Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) the Security tab is removed from Internet Explorer in Control Panel and the Disable setting takes precedence over this Security Zones: setting.

Security Zones: Use only machine settings
This policy setting affects how security zone changes apply to different users. It is intended to ensure that security zone settings remain uniformly in effect on the same computer and do not vary from user to user. If you enable this policy setting, changes that one user makes to a security zone will apply to all users of that computer. If this policy setting is disabled or not configured, users of the same computer are allowed to establish their own security zone settings.

The Security Zones: Use only machine settings setting is configured to Enabled for the two environments that are discussed in this guide.

Turn off Crash Detection
This policy setting allows you to manage the crash detection feature of add-on management in Internet Explorer. If you enable this policy setting, a crash in Internet Explorer will be similar to one on a computer that runs Windows XP Professional with Service Pack 1 (SP1) or earlier: Windows Error Reporting will be invoked. If you disable this policy setting, the crash detection feature in add-on management will be functional.

Because Internet Explorer crash report information could contain sensitive information from the computer's memory, the Turn off Crash Detection setting is configured to Enabled for both of the two environments that are discussed in this guide. If you experience frequent repeated crashes and need to report them for follow-up troubleshooting, you could temporarily configure the policy setting to Disabled.

Within the Computer Configuration\Administrative Templates\Windows Components\Internet Explorer, the following additional setting sections are configured:

  • Internet Control Panel\Advanced Page
  • Security Features\MK Protocol Security Restriction
  • Security Features\Consistent MIME Handling
  • Security Features\MIME Sniffing Safety Features
  • Security Features\Scripted Window Security Restrictions
  • Security Features\Protection From Zone Elevation
  • Security Features\Restrict ActiveX Install
  • Security Features\Restrict File Download
  • Security Features\Add-on Management
  • Internet Explorer Add-on List Setting

The default values for these settings provide enhanced security compared to earlier versions of Windows. However, you might want to review these settings to determine whether you want to require them or relax them in your environment for usability or application compatibility.

For example, you can now configure Internet Explorer to block pop-ups for all Internet zones by default. You might want to ensure that this policy setting is enforced on all computers in your environment to help eliminate pop-up windows and to help reduce the possibility of malicious software and spyware installations that are often spawned from Internet Web sites. Conversely, your environment might contain applications that require the use of pop-ups to function. If so, you could configure this policy to allow pop-ups for Web sites within your intranet.

Internet Explorer\Internet Control Panel\Advanced Page

You can configure this prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page

Table A45. Recommended Advanced Page Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Allow software to run or install even if the signature is invalid

Disabled

Disabled

Disabled

Disabled

Allow software to run or install even if the signature is invalid
Microsoft ActiveX® controls and file downloads often have digital signatures attached that help certify the file's integrity and the identity of the signer (creator) of the software. Such signatures help ensure that unmodified software is downloaded and that you can identify active signers to determine whether you trust them enough to run their software.

The Allow software to run or install even if the signature is invalid setting allows you to manage whether downloaded software can be installed or run by users even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file. If you enable this policy setting, users will be prompted to install or run files with an invalid signature. If you disable this policy setting, users cannot run or install files with an invalid signature.

Because unsigned software can create a security vulnerability, this policy setting is configured to Disabled for both of the environments that are discussed in this guide.

Note   Some legitimate software and controls may have an invalid signature and still be OK. You should carefully test such software in isolation before you allow it to be used on your organization's network.

Internet Explorer\Security Features\MK Protocol Security Restriction

You can configure this prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components
\Internet Explorer\Security Features\MK Protocol Security Restriction

Table A46. Recommended MK Protocol Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Internet Explorer Processes (MK Protocol)

Enabled

Enabled

Enabled

Enabled

Internet Explorer Processes (MK Protocol)
This policy setting reduces attack surface area because it blocks the seldom-used MK protocol. Some older Web applications use the MK protocol to retrieve information from compressed files. If you configure this policy setting to Enabled, the MK protocol is blocked for Windows Explorer and Internet Explorer, which causes resources that use the MK protocol to fail. If you disable this policy setting, other applications are allowed to use the MK protocol API.

Because the MK protocol is not widely used, it should be blocked wherever it is not needed. This policy setting is configured to Enabled for both of the environments that are discussed in this guide. Microsoft recommends that you block the MK protocol unless you specifically need it in your environment.

Note   Because resources that use the MK protocol will fail when you deploy this policy setting, you should ensure that none of your applications use the protocol.

Internet Explorer\Security Features\Consistent MIME Handling

You can configure this prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components
\Internet Explorer\Security Features\Consistent MIME Handling

Table A47. Recommended Consistent MIME Handling Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Internet Explorer Processes (Consistent MIME Handling)

Enabled

Enabled

Enabled

Enabled

Internet Explorer Processes (Consistent MIME Handling)
Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files that are received through a Web server. The Consistent MIME Handling setting determines whether Internet Explorer requires that all file type information that is provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME data indicates that the file is really an executable file, Internet Explorer changes its extension to reflect this executable status. This capability helps ensure that executable code cannot masquerade as other types of data that may be trusted.

If you enable this policy setting, Internet Explorer examines all received files and enforces consistent MIME data for them. If you disable or do not configure this policy setting, Internet Explorer does not require consistent MIME data for all received files and will use the MIME data that is provided by the file.

MIME file type spoofing is a potential threat to your organization. You should ensure that these files are consistent and properly labeled to help prevent malicious file downloads that may infect your network. This policy setting is configured to Enabled for both of the environments that are discussed in this guide.

Note   This policy setting works in conjunction with, but does not replace, the MIME Sniffing Safety Features settings.

Internet Explorer\Security Features\MIME Sniffing Safety Features

You can configure this prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components
\Internet Explorer\Security Features\MIME Sniffing Safety Features

Table A48. Recommended MIME Sniffing Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Internet Explorer Processes (MIME Sniffing)

Enabled

Enabled

Enabled

Enabled

Internet Explorer Processes (MIME Sniffing)
MIME sniffing is a process that examines the content of a MIME file to determine its context—whether it is a data file, an executable file, or some other type of file. This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. When set to Enabled, MIME sniffing will not promote a file of one type to a more dangerous file type. If you disable this policy setting, MIME sniffing configures Internet Explorer processes to allow promotion of a file from one type to a more dangerous file type. For example, a text file could be promoted to an executable file, which is dangerous because any code in the supposed text file would be executed.

MIME file-type spoofing is a potential threat to your organization. Microsoft recommends that you ensure these files are consistently handled to help prevent malicious file downloads that may infect your network.

The Internet Explorer Processes (MIME Sniffing) setting is configured to Enabled for both of the environments that are discussed in this guide.

Note   This policy setting works in conjunction with, but does not replace, the Consistent MIME Handling settings.

Internet Explorer\Security Features\Scripted Window Security Restrictions

You can configure this prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components
\Internet Explorer\Security Features\Scripted Window Security Restrictions

Table A49. Recommended Scripted Window Restrictions Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Internet Explorer Processes (Scripted Window Security Restrictions)

Enabled

Enabled

Enabled

Enabled

Internet Explorer Processes (Scripted Window Security Restrictions)
Internet Explorer allows scripts to programmatically open, resize, and reposition various types of windows. Often, disreputable Web sites resize windows to either hide other windows or force you to interact with a window that contains malicious code.

The Internet Explorer Processes (Scripted Window Security Restrictions) setting restricts pop-up windows and does not allow scripts to display windows in which the title and status bars are not visible to the user or that hide other windows' title and status bars. If you enable this policy setting, pop-up windows will not display in Windows Explorer and Internet Explorer processes. If you disable or do not configure this policy setting, scripts will still be able to create pop-up windows and windows that hide other windows.

The Internet Explorer Processes (Scripted Window Security Restrictions) setting is configured to Enabled for both of the environments that are discussed in this guide. When enabled, this policy setting help make it difficult for malicious Web sites to control your Internet Explorer windows or fool users into clicking the wrong window.

Internet Explorer\Security Features\Protection From Zone Elevation

You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components
\Internet Explorer\Security Features\Protection From Zone Elevation

Table A50. Recommended Zone Elevation Protection Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Internet Explorer Processes (Zone Elevation Protection)

Enabled

Enabled

Enabled

Enabled

Internet Explorer Processes (Zone Elevation Protection)
Internet Explorer places restrictions on each Web page that it opens. These restrictions depend on the location of the Web page (such as Internet zone, Intranet zone, or Local Machine zone). Web pages on a local computer have the fewest security restrictions and reside in the Local Machine zone, which makes this zone a prime target for malicious attackers.

If you enable the Internet Explorer Processes (Zone Elevation Protection) setting, any zone can be protected from zone elevation by Internet Explorer processes. This approach helps prevent content that runs in one zone from gaining the elevated privileges of another zone. If you disable this policy setting, no zone receives such protection for Internet Explorer processes.

Because of the severity and relative frequency of zone elevation attacks, the Internet Explorer Processes (Zone Elevation Protection) setting is configured to Enabled for both of the environments that are discussed in this guide.

Internet Explorer\Security Features\Restrict ActiveX Install

You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components
\Internet Explorer\Security Features\Restrict ActiveX Install

Table A51. Restrict ActiveX Install Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Internet Explorer Processes (Restrict ActiveX Install)

Enabled

Enabled

Enabled

Enabled

Internet Explorer Processes (Restrict ActiveX Install)
This policy setting provides the ability to block ActiveX control installation prompts for Internet Explorer processes. If you enable this policy setting, prompts for ActiveX control installations will be blocked for Internet Explorer processes. If you disable this policy setting, prompts for ActiveX control installations will not be blocked and these prompts will be displayed to users.

Users often choose to install software such as ActiveX controls that are not permitted by their organization's security policy. Such software can pose significant security and privacy risks to networks. Therefore, the Internet Explorer Processes (Restrict ActiveX Install) setting is configured to Enabled for both of the environments that are discussed in this guide.

Note   This policy setting also blocks users from installing authorized legitimate ActiveX controls that will interfere with important system components like Windows Update. If you enable this policy setting, make sure to implement some alternate way to deploy security updates such as Windows Server Update Services (WSUS). For more information about WSUS, see the Windows Server Update Services Product Overview page.

Internet Explorer\Security Features\Restrict File Download

You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components
\Internet Explorer\Security Features\Restrict File Download

Table A52. Recommended Restrict File Download Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Internet Explorer Processes (Restrict File Download)

Enabled

Enabled

Enabled

Enabled

Internet Explorer Processes (Restrict File Download)
In certain circumstances, Web sites can initiate file download prompts without interaction from users. This technique can allow Web sites to put unauthorized files on a user's hard disk drive if they click the wrong button and accept the download.

If you configure the Internet Explorer Processes (Restrict File Download) setting to Enabled, file download prompts that are not user-initiated are blocked for Internet Explorer processes. If you configure this policy setting to Disabled, file download prompts will occur that are not user-initiated for Internet Explorer processes.

The Internet Explorer Processes (Restrict File Download) setting is configured to Enabled for both of the environments that are discussed in this guide to help prevent attackers from placing arbitrary code on a user's computers.

Internet Explorer\Security Features\Add-on Management

You can configure these prescribed computer settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components
\Internet Explorer\Security Features\Add-on Management

Table A53. Add-on Management Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Deny all add-ons unless specifically allowed in the Add-on List

Recommended

Recommended

Recommended

Recommended

Add-on List

Recommended

Recommended

Recommended

Recommended

Deny all add-ons unless specifically allowed in the Add-on List
This policy setting, along with the Add-on List setting, allows you to control Internet Explorer add-ons. By default, the Add-on List setting defines a list of add-ons to be allowed or denied through Group Policy. The Deny all add-ons unless specifically allowed in the Add-on List setting ensures that all add-ons are assumed to be denied unless they are specifically listed in the Add-on List setting.

If you enable this policy setting, Internet Explorer only allows add-ins that are specifically listed (and allowed) through the Add-on List. If you disable this policy setting, users may use Add-on Manager to allow or deny any add-ons.

You should consider using both the Deny all add-ons unless specifically allowed in the Add-on List and the Add-on List settings to control the add-ons that can be used in your environment. This approach will help ensure that only authorized add-ons are used.

Add-on List
This policy setting, along with the Deny all add-ons unless specifically allowed in the Add-on List setting, allows you to control Internet Explorer add-ons. By default, the Add-on List setting defines a list of add-ons to be allowed or denied through Group Policy. The Deny all add-ons unless specifically allowed in the Add-on List setting ensures that all add-ons are assumed to be denied unless they are specifically listed in the Add-on List setting.

If you enable the Add-on List setting, you are required to list the add-ons to be allowed or denied by Internet Explorer. Because the specific list of add-ons that should be included on this list will vary from one organization to another, this guide does not provide a detailed list. For each entry that you add to the list, you must provide the following information:

  • Name of the Value. The CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets; for example, {000000000-0000-0000-0000-0000000000000}. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.
  • Value. A number that indicates whether Internet Explorer should deny or allow the add-on to be loaded. The following values are valid:
  • 0 Deny this add-on
  • 1 Allow this add-on
  • 2 Allow this add-on and permit the user to manage it through Manage Add-ons

If you disable the Add-on List setting, the list is deleted. You should consider using both the Deny all add-ons unless specifically allowed in the Add-on List and the Add-on List settings to control the add-ons that can be used in your environment. This approach will help ensure that only authorized add-ons are used.

NetMeeting

Microsoft NetMeeting® allows users to conduct virtual meetings across the network in your organization. You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components\
NetMeeting

Table A54. Recommended NetMeeting Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Disable remote Desktop Sharing

Not configured

Not configured

Enabled

Enabled

Disable remote Desktop Sharing
This policy setting disables the remote desktop sharing feature of NetMeeting. If you enable this policy setting, users will not be able to configure NetMeeting to allow remote control of the local desktop.

The Disable remote Desktop Sharing setting is Not configured for the EC environment. However, it is configured to Enabled for the SSLF environment to prevent users from sharing desktops remotely through NetMeeting.

Terminal Services

Terminal Services settings provide options to redirect client computer resources to servers that are accessed through Terminal Services. This section includes settings for:

  • Remote Desktop Connection Client
  • Terminal Server\Connections
  • Terminal Server\Device and Resource Redirection
  • Terminal Server\Security
Terminal Services\Remote Desktop Connection Client

You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Administrative Templates\Windows Components\Terminal Services
\Remote Desktop Connection Client

Table A55. Recommended Do Not Allow Passwords to be Saved Setting

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Do not allow passwords to be saved

Enabled

Enabled

Enabled

Enabled

Do not allow passwords to be saved
This policy setting helps prevent Terminal Services clients from saving passwords on a computer. If you enable this policy setting, the password saving checkbox is disabled for Terminal Services clients and users will not be able to save passwords.

Because saved passwords can cause additional compromise, the Do not allow passwords to be saved setting is configured to Enabled for both of the environments that are discussed in this guide.

Note   If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Terminal Services client disconnects from any server.

Terminal Services\Terminal Server\Connections

You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components
\Terminal Services\Terminal Server\Connections

Table A56. Recommended Connections Setting

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Allow users to connect remotely using Terminal Services

Not configured

Not configured

Disabled

Disabled

Allow users to connect remotely using Terminal Services
This policy setting allows you to control if users can connect to a computer using Terminal Services or Remote Desktop.

In the SSLF environment, users are required to log on directly to the physical computer console. For this reason, the Allow users to connect remotely using Terminal Services setting is configured to Disabled for the SSLF environment. However, this policy setting is Not configured for the EC environment.

Terminal Services\Terminal Server\Device and Resource Redirection

You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components
\Terminal Services\Terminal Server\Device and Resource Redirection

Table A57. Recommended Device and Resource Redirection Setting

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Do not allow drive redirection

Not configured

Not configured

Enabled

Enabled

Do not allow drive redirection
This policy setting prevents users from sharing the local drives on their client computers to Terminal Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format:

\\TSClient\<driveletter>$

If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. For this reason, the Do not allow drive redirection setting is configured to Enabled for the SSLF environment. However, this policy setting is Not configured for the EC environment.

Terminal Services\Terminal Server\Security

You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates
\Windows Components\Terminal Services\Terminal Server\Security

Table A58. Recommended Terminal Server Security Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Always prompt client for password upon connection

Enabled

Enabled

Enabled

Enabled

Set client connection encryption level

Enabled:High Level

Enabled:High Level

Enabled:High Level

Enabled:High Level

Always prompt client for password upon connection
This policy setting specifies whether Terminal Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Terminal Services, even if they already provided the password in the Remote Desktop Connection client. By default, Terminal Services allows users to automatically log on if they enter a password in the Remote Desktop Connection client.

The Always prompt client for password upon connection setting is configured to Enabled for both of the environments that are discussed in this guide.

Note   If you do not configure this policy setting, the local computer administrator can use the Terminal Services Configuration tool to either allow or prevent passwords from being automatically sent.

Set client connection encryption level
This policy setting specifies whether the computer that is about to host the remote connection will enforce an encryption level for all data sent between it and the client computer for the remote session.

The encryption level is set to Enabled:High Level to enforce 128-bit encryption for the two environments that are discussed in this guide.

Windows Messenger

Windows Messenger is used to send instant messages to other users on a computer network. The messages may include files and other attachments.

You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates
\Windows Components\Windows Messenger

Table A59. Recommended Windows Messenger Setting

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Do not allow Windows Messenger to be run

Enabled

Enabled

Enabled

Enabled

**Do not allow Windows Messenger to be run** You can enable the **Do not allow Windows Messenger to be run** setting to disable Windows Messenger and prevent the program from running. Because this application has been used for malicious purposes such as spam, the distribution of malicious software, and disclosure of sensitive data, Microsoft recommends that you configure the **Do not allow Windows Messenger to be run** setting to **Enabled** for both the EC and SSLF environments.

Note   This setting only affects Windows Messenger software included in Windows XP. This setting will not prevent users from running MSN® Messenger or Windows Live™ Messenger.

Windows Update

Administrators use Windows Update settings to manage how updates and hotfixes are applied on Windows Vista-based workstations. Updates are available from Windows Update. Alternatively, you can set up an intranet Web site to distribute updates and hotfixes in a similar manner with additional administrative control.

Windows Server Update Services (WSUS) is an infrastructure service that builds on the success of the Microsoft Windows Update and Software Update Services (SUS) technologies. WSUS manages and distributes critical Windows updates that resolve known security vulnerabilities and other stability issues with Windows operating systems.

WSUS eliminates manual update steps with a dynamic notification system for critical updates that are available to Windows-based client computers through your intranet server. No Internet access is required from client computers to use this service. This technology also provides a simple and automatic way to distribute updates to your Windows-based workstations and servers.

Windows Server Update Services also offers the following features:

  • Administrator control over content synchronization within your intranet. This synchronization service is a server-side component that retrieves the latest critical updates from Windows Update. As new updates are added to Windows Update, the server running WSUS automatically downloads and stores them, based on an administrator-defined schedule.
  • An intranet-hosted Windows Update server. This easy-to-use server acts as the virtual Windows Update server for client computers. It contains a synchronization service and administrative tools for managing updates. It services requests for approved updates from client computers that are connected to it through the HTTP protocol. This server can also host critical updates that are downloaded from the synchronization service and refer client computers to those updates.
  • Administrator control over updates. The administrator can test and approve updates from the public Windows Update site before deployment on their organization's intranet. Deployment takes place on a schedule that the administrator creates. If multiple servers are running WSUS, the administrator controls which computers access particular servers that run the service. Administrators can enable this level of control with Group Policy in an Active Directory environment or through registry keys.
  • Automatic updates on computers (workstations or servers). Automatic Updates is a Windows feature that can be set up to automatically check for updates that are published on Windows Update. WSUS uses this Windows feature to publish administrator approved updates on an intranet.

Note   If you choose to distribute updates through another method, such as Microsoft Systems Management Server, this guide recommends that you disable the Configure Automatic Updates setting.

There are several Windows Update settings. A minimum of three settings is required to make Windows Update work: Configure Automatic Updates, No auto-restart for scheduled Automatic Updates installations, and Reschedule Automatic Updates scheduled installations. A fourth setting is optional and depends on the requirements of your organization: Specify intranet Microsoft update service location.

You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor:

Computer Configuration\Administrative Templates\Windows Components
\Windows Update

The settings that are discussed in this section do not individually address specific security risks, but relate more to administrator preference. However, configuration of Windows Update is essential to the security of your environment because it helps ensure that the client computers in your environment receive security updates from Microsoft soon after they are available.

Note   Windows Update depends on several services, including the Remote Registry service and the Background Intelligence Transfer Service.

The following table summarizes the recommended Windows Update settings. Additional information about each setting is provided in the subsections that follow the table.

Table A60. Recommended Windows Update Settings

Setting EC desktop EC laptop SSLF desktop SSLF laptop

Do not display 'Install Updates and Shut Down' option in the Shut Down Windows dialog box

Disabled

Disabled

Disabled

Disabled

Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows Dialog box

Disabled

Disabled

Disabled

Disabled

Configure Automatic Updates

Enabled

Enabled

Enabled

Enabled

No auto-restart for scheduled Automatic Updates installations

Disabled

Disabled

Disabled

Disabled

Reschedule Automatic Updates scheduled installations

Enabled

Enabled

Enabled

Enabled

Do not display 'Install Updates and Shut Down' option in the Shut Down Windows dialog box
This policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box. If you disable this policy setting, the Install Updates and Shut Down option will display in the Shut Down Windows dialog box if updates are available when the user selects the Shut Down option in the Start menu.

Because updates are important to the overall security of all computers, the Do not display 'Install Updates and Shut Down' option in the Shut Down Windows dialog box setting is configured to Disabled for both of the environments that are discussed in this guide. This policy setting works in conjunction with the following Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows Dialog box setting.

Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows Dialog box
This policy setting allows you to manage whether the Install Updates and Shut Down option is allowed to be the default choice in the Shut Down Windows dialog. If you disable this policy setting, the Install Updates and Shut Down option will be the default option in the Shut Down Windows dialog box if updates are available for installation when the user selects the Shut Down option in the Start menu.

Because updates are important to the overall security of all computers, the Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows Dialog box setting is configured to Disabled for both of the environments that are discussed in this guide.

Note   This policy setting has no effect if the Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in the Shut Down Windows dialog box setting is Enabled.

Configure Automatic Updates
This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them.

After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:

  • Notify before downloading any updates and notify again before installing them.
  • Download the updates automatically and notify when they are ready to be installed. (Default setting)
  • Automatically download updates and install them on the schedule specified below.

If you disable this policy setting, you will need to download and manually install any available updates from Windows Update.

The Configure Automatic Updates setting is configured to Enabled for the two environments that are discussed in this guide.

No auto-restart for scheduled Automatic Updates installations
If this policy setting is enabled, the computer will wait for a logged-on user to restart it to complete a scheduled installation; otherwise, the computer will restart automatically. When enabled, this policy setting also prevents Automatic Updates from restarting computers automatically during a scheduled installation. If a user is logged on to a computer when Automatic Updates requires a restart to complete an update installation, the user is notified and given the option to delay the restart. Automatic Updates will not detect future updates until the restart occurs.

If the No auto-restart for scheduled Automatic Updates installations setting is configured to Disabled or Not configured, Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation. If automatic restarts are a concern, you can configure the No auto-restart for scheduled Automatic Updates installations setting to Enabled. If you do enable this policy setting, schedule your client computers to restart after normal business hours to ensure that the installation is completed.

The No auto-restart for scheduled Automatic Updates installations setting is configured to Disabled for the two environments that are discussed in this guide.

Note   This policy setting only works when Automatic Updates is configured to perform scheduled update installations. If the Configure Automatic Updates setting is configured to Disabled, it will not work.

Reschedule Automatic Updates scheduled installations
This policy setting determines the amount of time before previously scheduled Automatic Update installations will proceed after system startup. If you configure this policy setting to Enabled, a previously scheduled installation will begin after a specified number of minutes when you next start the computer. If you configure this policy setting to Disabled or Not configured, previously scheduled installations will occur during the next regularly scheduled installation time.

The Reschedule Automatic Updates scheduled installations setting is configured to Enabled for the two environments that are discussed in this guide. After you enable this policy setting, you may change the default waiting period to one that is appropriate for your environment.

Note   This policy setting only works when Automatic Updates is configured to perform scheduled update installations. If the Configure Automatic Updates setting is Disabled, the Reschedule Automatic Updates scheduled installations setting has no effect. You can enable the latter two settings to ensure that previously missed installations will be scheduled to install each time the computer restarts.

Top of page

Top Of Page Top of page

User Policy

The remaining sections of this appendix discuss User Configuration setting recommendations. These settings need to be applied to users, not computers. They should be implemented in a Group Policy that is linked to the OU that contains the users you want to configure. Apply these settings through a GPO that is linked to an OU that contains user accounts.

Note   User configuration settings are applied to any Windows Vista–based computer that a user logs on to in an Active Directory domain. However, computer configuration settings apply to all client computers that are governed by a GPO in Active Directory without regard for which user logs on to the computer.

User Configuration\Administrative Templates

The following setting groups for the user policy contain settings that this guide prescribes. The settings appear in the User Configuration\Administrative Templates sub-node of the Group Policy Object Editor:

  • System
  • Power Management
  • Windows Components
  • Attachment Manager
  • Internet Explorer
  • Windows Explorer

System

You can configure the following prescribed setting in the following location within the Group Policy Object Editor:

User Configuration\Administrative Templates\System

The following table summarizes the recommended Registry Editor User configuration settings.

Table A61. Recommended System User Configuration Settings

Setting EC computer SSLF computer

Prevent access to registry editing tools

Not configured

Enabled

Prevent access to registry editing tools
This policy setting disables the Windows registry editors Regedit.exe and Regedt32.exe. If you enable this policy setting, a message will display when users try to use a registry editor that informs them that they cannot use either of these editors. This policy setting removes the ability of users and intruders to access the registry with these tools, but does not prevent access to the registry itself.

The Prevent access to registry editing tools setting is Not configured for the EC environment. However, this policy setting is configured to Enabled for the SSLF environment.

Power Management

You can configure the following prescribed setting in this location in the Group Policy Object Editor:

User Configuration\Administrative Templates\System\Power Management

The following table summarizes the recommended Prompt for password on resume from hibernate/suspend configuration settings.

Table A62. Recommended System\Power Management User Configuration Settings

Setting EC computer SSLF computer

Prompt for password on resume from hibernate/suspend

Enabled

Enabled

Prompt for password on resume from hibernate/suspend
This policy setting controls whether client computers in your environment are locked when they resume operational mode from a hibernated or suspended state. If you enable this policy setting, client computers are locked when they resume operational mode and users must enter their passwords to unlock them. Potentially serious security breaches can occur if this policy setting is disabled or not configured, because the client computers may be accessed by anyone.

For this reason, the Prompt for password on resume from hibernate/suspend setting is configured to Enabled for the two environments discussed in this guide.

Windows Components

You can configure the following prescribed setting in the following location within the Group Policy Object Editor:

User Configuration\Administrative Templates\Windows Components

The following table summarizes the recommended Registry Editor User configuration settings.

Attachment Manager

You can configure these prescribed user settings in the following location within the Group Policy Object Editor:

User Configuration\Administrative Templates\Windows Components
\Attachment Manager

The following table summarizes the recommended Attachment Manager user configuration settings. Additional information about each setting is provided in the subsections that follow the table.

Table A63. Recommended Attachment Manager User Configuration Settings

Setting EC computer SSLF computer

Do not preserve zone information in file attachments

Disabled

Disabled

Hide mechanisms to remove zone information

Enabled

Enabled

Notify antivirus programs when opening attachments

Enabled

Enabled

Do not preserve zone information in file attachments
This policy setting allows you to manage whether Windows marks file attachments from Internet Explorer or Microsoft Outlook® Express with information about their zone of origin (such as restricted, Internet, intranet, or local). This policy setting requires that files be downloaded to NTFS disk partitions to function correctly. If zone information is not preserved, Windows cannot make proper risk assessments based on the zone where the attachment came from.

If the Do not preserve zone information in file attachments setting is enabled, file attachments are not marked with their zone information. If this policy setting is disabled, Windows is forced to store file attachments with their zone information. Because dangerous attachments are often downloaded from untrusted Internet Explorer zones such as the Internet zone, Microsoft recommends that you configure this policy setting to Disabled to help ensure that as much security information as possible is preserved with each file.

The Do not preserve zone information in file attachments setting is configured to Disabled for both of the environments that are discussed in this guide.

Hide mechanisms to remove zone information
This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments. Typically, users can either click the Unblock button in the file’s Property sheet or select a check box in the Security Warning dialog. If the zone information is removed, users can open potentially dangerous file attachments that Windows has prevented users from opening.

When the Hide mechanisms to remove zone information setting is enabled, Windows hides the check box and Unblock button. When this policy setting is disabled, Windows displays the check box and the Unblock button. Because dangerous attachments are often downloaded from untrusted Internet Explorer zones such as the Internet zone, Microsoft recommends that you configure this policy setting to Enabled to help ensure that as much security information as possible is retained with each file.

The Hide mechanisms to remove zone information setting is configured to Enabled for both of the environments that are discussed in this guide.

Note   To configure whether files are saved with zone information, see the previous Do not preserve zone information in file attachments setting.

Notify antivirus programs when opening attachments
Antivirus programs are mandatory in many environments and provide a strong defense against attack.

The Notify antivirus programs when opening attachments setting allows you to manage how registered antivirus programs are notified. When enabled, this policy setting configures Windows to call the registered antivirus program and have it scan file attachments when they are opened by users. If the antivirus scan fails, the attachments are blocked from being opened. If this policy setting is disabled, Windows does not call the registered antivirus program when file attachments are opened. To help ensure that virus scanners examine every file before it is opened, Microsoft recommends that this policy setting be configured to Enabled in all environments.

The Notify antivirus programs when opening attachments setting is configured to Enabled for both of the environments that are discussed in this guide.

Note   An updated antivirus program must be installed for this policy setting to function properly.

Internet Explorer

You can configure these prescribed user settings in the following location within the Group Policy Object Editor:

User Configuration\Administrative Templates\Windows Components\
Internet Explorer

The following table summarizes the recommended Internet Explorer user configuration settings. Additional information about each setting is provided in the subsections that follow the table.

Table A64. Recommended Internet Explorer User Configuration Settings

Setting EC user SSLF user

Configure Outlook Express

Enabled

Not configured

Disable "Configuring History"

Not configured

Enabled:40

Disable AutoComplete for forms

Not configured

Enabled

Disable changing Automatic Configuration settings

Not configured

Enabled

Disable changing certificate settings

Not configured

Enabled

Disable changing connection settings

Not configured

Enabled

Disable changing proxy settings

Not configured

Enabled

Do not allow users to enable or disable add-ons

Not configured

Enabled

§ Prevent "fix settings" functionality

Not configured

Disabled

Prevent deletion of "Temporary Internet Files and Cookies"

Not configured

Enabled

§ Turn off "Delete Browsing History" functionality

Not configured

Enabled

§ Turn off the Security Settings Check feature

Not configured

Disabled

Turn on the auto-complete feature for user names and passwords on forms

Disabled

Disabled

§ - Denotes Group Policy settings that are new in Windows Vista.

Configure Outlook Express
This policy setting allows administrators to enable and disable the ability of Microsoft Outlook® Express users to save or open attachments that can potentially contain a virus. Users cannot disable the Configure Outlook Express setting to stop it from blocking attachments. To enforce this policy setting, click Enable and select Block attachments that could contain a virus.

The Configure Outlook Express setting is configured to Enabled with the Block attachments that could contain a virus option for the EC environment in this guide.

Disable "Configuring History"
This setting specifies the number of days that Internet Explorer keeps track of the pages viewed in the History List. The Delete Browsing History option can be accessed using Tools-Internet Options-General tab. It is also available as Delete History directly under Tools-Internet Options-Delete Browsing History in Internet Explorer 7.

If you enable this policy setting, a user cannot set the number of days that Internet Explorer keeps track of the pages viewed in the History List. You must specify the number of days that Internet Explorer keeps track of the pages viewed in the History List. Users will not be able to delete browsing history. If you disable or do not configure this policy setting, a user can set the number of days that Internet Explorer keeps track of the pages viewed in the History List and has the freedom to Delete Browsing History.

The Disable "Configuring History" setting is Not configured for the EC environment and is configured to Enabled:40 for the SSLF environment.

Disable AutoComplete for forms
This policy setting controls automatic completion of fields in forms on Web pages. If you enable this policy setting, the AutoComplete feature will not suggest possible choices for completing a form. This can help protect sensitive data in certain environments.

The Disable AutoComplete for forms setting is Not configured for the EC environment and Enabled for the SSLF environment.

Disable changing Automatic Configuration settings
This policy setting removes a user's ability to change automatically configured settings. Administrators use automatic configuration to update browser settings periodically. If you enable this policy setting, the automatic configuration settings are dimmed in Internet Explorer. (These settings are located in the Automatic Configuration area of the LAN Settings dialog box.) This policy setting also removes a user's ability to change settings that are configured through Group Policy.

To view the LAN Settings dialog box

  1. Open the Internet Options dialog box, and click the Connections tab.
  2. Click the LAN Settings button to view the settings.

The Disable changing Automatic Configuration settings setting is configured to Enabled only for the SSLF environment. This policy setting is Not configured for the EC environment.

Note   The Disable the Connections page setting removes the Connections tab from Internet Explorer in Control Panel and takes precedence over this Disable changing Automatic Configuration settings configuration option. If the former setting is enabled, the latter setting is ignored. The Disable the Connections page setting is located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel in the Group Policy Object Editor.

Disable changing certificate settings
This policy setting removes a user's ability to change certificate settings in Internet Explorer. Certificates are used to verify the identity of software publishers. If you enable this policy setting, the certificate settings in the Certificates area of the Content tab in the Internet Options dialog box are dimmed. This policy setting also removes a user's ability to change settings that are configured through Group Policy.

The Disable changing certificate settings setting is configured to Enabled only for the SSLF environment. This policy setting is Not configured for the EC environment.

Note   When this policy setting is enabled, users can still double-click the software publishing certificate (.spc) file to run the Certificate Manager Import Wizard. This wizard enables users to import and configure settings for certificates from software publishers that are not already configured in Internet Explorer.

Note   The Disable the Content page setting removes the Content tab from Internet Explorer in Control Panel and takes precedence over this Disable changing certificate settings configuration option. If the former setting is enabled, the latter setting is ignored. The Disable the Content page setting located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel in the Group Policy Object Editor.

Disable changing connection settings
This policy setting removes users' ability to change dial-up settings. If you enable this policy setting, the Settings button on the Connections tab in the Internet Options dialog box is dimmed. This policy setting also removes users' ability to change settings that are configured through Group Policy. You may want to disable this policy setting for laptop users if their travel requires them to change their connection settings.

The Disable changing connection settings setting is configured to Enabled only for the SSLF environment. This policy setting is Not configured for the EC environment.

Note   If you configure the Disable the Connections page setting, you do not need to configure this policy setting. The Disable the Connections page setting removes the Connections tab from the interface. The Disable the Connections page setting is located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel in the Group Policy Object Editor.

Disable changing proxy settings
This policy setting removes users' ability to change proxy settings. If you enable this policy setting, the proxy settings are dimmed. (The proxy settings are located in the Proxy Server area of the LAN Settings dialog box that appears when the user clicks the Connections tab and then the LAN Settings button in the Internet Options dialog box.) This policy setting also removes users' ability to change settings that are configured through Group Policy. You may want to disable this policy setting for laptop users if their travel requires them to change their connection settings.

The Disable changing proxy settings setting is configured to Enabled only for the SSLF environment. This policy setting is Not configured for the EC environment.

Note   If you configure the Disable the Connections page setting, you do not need to configure this policy setting. The Disable the Connections page setting removes the Connections tab from the interface. This setting is located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel in the Group Policy Object Editor.

Do not allow users to enable or disable add-ons
This policy setting allows you to manage whether users have the ability to allow or deny add-ons through Add-On Manager. If you enable this policy setting, users cannot enable or disable add-ons through Add-On Manager. The only exception occurs if an add-on has been specifically entered into the 'Add-On List' policy setting in such a way as to allow users to continue to manage the add-on. In this case, the user can still manage the add-on through the Add-On Manager. If you disable or do not configure this policy setting, the appropriate controls in the Add-On Manager will be available to the user.

The Do not allow users to enable or disable add-ons setting is configured to Not configured for the EC environment and Enabled for the SSLF environment.

Prevent "fix settings" functionality
This policy setting prevents users from performing the "Fix settings" functionality related to the Security Settings Check in Internet Explorer. If you enable this policy setting, users cannot click the Fix Settings For Me option in the Information bar context menu that appears when Internet Explorer determines that its configuration is not secure.

The Prevent "fix settings" functionality setting is Not configured for the EC environment and Disabled for the SSLF environment.

Prevent deletion of "Temporary Internet Files and Cookies"
This policy setting is used to manage temporary Internet files and cookies associated with your Internet browsing history, available by clicking Tools-Internet Options-Delete Browsing History in Internet Explorer 7. If you enable this policy setting, users will not be able to delete temporary Internet files and cookies. If you disable or do not configure this policy setting, users will be able to delete temporary Internet files and cookies.

The Prevent deletion of "Temporary Internet Files and Cookies" setting is Not configured for the EC environment and Enabled for the SSLF environment.

Turn off "Delete Browsing History" functionality
This policy setting prevents users from performing the "Delete Browsing History" action in Internet Explorer. If you enable this policy setting, users cannot perform the "Delete Browsing History" action in Internet Options for Internet Explorer 7. If you disable or do not configure this policy setting, users can perform the "Delete Browsing History" action in Internet Options for Internet Explorer 7.

The Turn off "Delete Browsing History" functionality setting is Not configured for the EC environment and Enabled for the SSLF environment.

Turn off the Security Settings Check feature
This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk. If you enable this policy setting, the security settings check will not be performed. If you disable this policy setting, the security settings check will be performed. If you do not configure this policy setting, the user will be able to change the "Disable Security Settings Check" setting.

The Turn off the Security Settings Check feature setting is Not configured for the EC environment and Disabled for the SSLF environment.

Turn on the auto-complete feature for user names and passwords on forms
This policy setting controls automatic completion of user names and passwords in forms on Web pages, and prevents user prompts to save passwords. If you disable this policy setting, the check boxes for User Names and Passwords on Forms and Prompt Me to Save Passwords are dimmed and users are prevented from saving passwords locally.

The Turn on the auto-complete feature for user names and passwords on forms setting is configured to Disabled for the two environments discussed in this guide.

Within Computer Configuration\Administrative Templates\Windows Components\Internet Explorer, the following additional setting sections are configured:

  • Browser Menus
  • Internet Control Panel
  • Internet Control Panel\Advanced Page
  • Internet Control Panel\Security Page
  • Internet Control Panel\Security Page\Internet Zone
  • Internet Control Panel\Security Page\Restricted Sites Zone
  • Offline Pages
Browser Menus

You can configure these prescribed user settings in the following location within the Group Policy Object Editor:

User Configuration\Administrative Templates\Windows Components
\Internet Explorer\Browser Menus

The following table summarizes the recommended Internet Explorer user configuration settings. Additional information about each setting is provided in the subsections that follow the table.

Table A65. Recommended Browser menus Settings

Setting EC user SSLF user

Disable Save this program to disk option

Not configured

Enabled

Disable Save this program to disk option
This policy setting prevents users from saving a program or file that Internet Explorer has downloaded to the hard disk. If you enable this policy setting, users cannot save programs to disk with the Save this program to disk option. The program file will not download, and the user is informed that the command is not available. This policy setting helps protect SSLF environments because users cannot download potentially harmful programs through Internet Explorer and save them to disk.

The Disable Save this program to disk option setting is configured to Enabled only for the SSLF environment. This policy setting is Not configured for the EC environment.

Internet Control Panel

You can configure these prescribed user settings in the following location within the Group Policy Object Editor:

User Configuration\Administrative Templates\Windows Components
\Internet Explorer\Internet Control Panel

The following table summarizes the recommended Internet Explorer user configuration settings. Additional information about each setting is provided in the subsections that follow the table.

Table A66. Recommended Internet Control Panel Explorer User Configuration Settings

Setting EC user SSLF user

Disable the Advanced Page

Not configured

Enabled

Disable the Security Page

Not configured

Enabled

§ Prevent ignoring certificate errors

Not configured

Enabled

§ - Denotes Group Policy settings that are new in Windows Vista.

Disable the Advanced Page
This policy setting works in conjunction with other settings to ensure that users cannot change the settings that are configured in the Advanced tab of Internet Explorer.

The Disable the Advanced Page setting is configured to Enabled only for the SSLF environment. This policy setting is Not configured for the EC environment.

Disable the Security Page
This policy setting works in conjunction with other settings to ensure that users cannot change the settings that are configured through Group Policy. This policy setting removes the Security tab from the Internet Options dialog box. If you enable this policy setting, users cannot view and change settings for security zones, such as scripting, downloads, and user authentication. Microsoft recommends that this policy setting be enabled so that users cannot change settings that will weaken other security settings in Internet Explorer.

The Disable the Security Page setting is configured to Enabled only for the SSLF environment. This policy setting is Not configured for the EC environment.

Prevent ignoring certificate errors
When a user experiences Secure Socket Layer/Transport Layer Security (SSL/TLS) certificate errors such as "expired," "revoked," or "name mismatch," Internet Explorer blocks the user's ability to continue browsing the Web site. If you enable this policy setting, the user is not permitted to continue browsing the Web site. If you disable this policy setting or do not configure it, the user may elect to ignore certificate errors and continue browsing the Web site.

The Prevent ignoring certificate errors setting is configured to Not configured for the EC environment and Enabled for the SSLF environment.

Internet Control Panel\Advanced Page

You can configure these prescribed user settings in the following location within the Group Policy Object Editor:

User Configuration\Administrative Templates\Windows Components
\Internet Explorer\Internet Control Panel\Advanced Page

The following table summarizes the recommended Internet Explorer user configuration settings. Additional information about each setting is provided in the subsections that follow the table.

Table A67. Recommended Advanced Page Settings

Setting EC user SSLF user

§ Allow Install On Demand (Internet Explorer)

Not configured

Disabled

Allow software to run or install even if the signature is invalid

Not configured

Disabled

Automatically check for Internet Explorer updates

Not configured

Disabled

Check for server certificate revocation

Not configured

Enabled

§ - Denotes Group Policy settings that are new in Windows Vista.

Allow Install On Demand (Internet Explorer)
This policy setting allows you to manage whether users can automatically download and install Web Components (such as fonts) that can be installed by Internet Explorer Active Setup. For example, if you open a Web page that requires Japanese-text display support, Internet Explorer could prompt the user to download the Japanese Language Pack component if it is not already installed.

If you enable this policy setting, Web Components such as fonts will be automatically installed as necessary. If you disable this policy setting, users will be prompted when Web Components such as fonts would be downloaded. If you do not configure this policy, users will be prompted when Web Components such as fonts would be downloaded.

The Allow Install On Demand (Internet Explorer) setting is configured to Not configured for the EC environment and Disabled for the SSLF environment.

Allow software to run or install even if the signature is invalid
This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file.

If you enable this policy setting, users will be prompted to install or run files that have an invalid signature. If you disable this policy setting, users cannot run or install files that have an invalid signature. If you do not configure this policy, users can choose to run or install files that have an invalid signature.

The Allow software to run or install even if the signature is invalid setting is configured to Not configured for the EC environment and Disabled for the SSLF environment.

Automatically check for Internet Explorer updates
This policy setting allows you to manage whether Internet Explorer checks the Internet for newer versions. When Internet Explorer is set to do this, the checks occur approximately every 30 days, and users are prompted to install new versions as they become available.

If you enable this policy setting, Internet Explorer checks the Internet for a new version approximately every 30 days and prompts the user to download new versions when they are available. If you disable this policy setting, Internet Explorer does not check the Internet for new versions of the browser, so does not prompt users to install them. If you do not configure this policy setting, Internet Explorer does not check the Internet for new versions of the browser, so does not prompt users to install them.

The Automatically check for Internet Explorer updates setting is configured to Not configured for the EC environment and Disabled for the SSLF environment.

Check for server certificate revocation
This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates. Certificates are revoked when they have been compromised or are no longer valid, and this option protects users from submitting confidential data to a site that may be fraudulent or not secure.

If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked. If you disable this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. If you do not configure this policy setting, Internet Explorer will not check server certificates to see if they have been revoked.

The Check for server certificate revocation setting is configured to Not configured for the EC environment and Enabled for the SSLF environment.

Internet Control Panel\Security Page

You can configure these prescribed user settings in the following location within the Group Policy Object Editor:

User Configuration\Administrative Templates\Windows Components
\Internet Explorer\Internet Control Panel\Security Page

The following table summarizes the recommended Internet Explorer user configuration settings. Additional information about each setting is provided in the subsections that follow the table.

Table A68. Recommended Security Page Settings

Setting EC user SSLF user

Intranet Sites: Include all network paths (UNCs)

Not configured

Disabled

Intranet Sites: Include all network paths (UNCs)
This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. If you enable this policy setting, all network paths are mapped into the Intranet Zone. If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).

If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.

The Intranet Sites: Include all network paths (UNCs) setting is configured to Disabled for the SSLF environment and Not configured for the EC environment.

Internet Control Panel\Security Page\Internet Zone

You can configure these prescribed user settings in the following location within the Group Policy Object Editor:

User Configuration\Administrative Templates\Windows Components
\Internet Explorer\Internet Control Panel\Security Page\Internet Zone

The following table summarizes the recommended Internet Explorer user configuration settings. Additional information about each setting is provided in the subsections that follow the table.

Note   The settings for the Internet and Restricted Sites zones are very similar. Descriptions for settings in both zones are provided below.

Table A69. Recommended Internet Zone Settings

Setting EC user SSLF user

Internet Zone\Access data sources across domains

Not configured

Enabled:Disable

Internet Zone\Allow drag and drop or copy and paste files

Not configured

Enabled:Disable

Internet Zone\Allow font downloads

Not configured

Enabled:Disable

Internet Zone\Allow installation of desktop items

Not configured

Enabled:Disable

Internet Zone\Allow cut, copy, or paste operations from the clipboard via script

Not configured

Enabled:Disable

Internet Zone\Allow script-initiated windows without size or position constraints

Not configured

Enabled:Disable

§ Internet Zone\Allow status bar updates via script

Not configured

Disabled

Internet Zone\Automatic prompting for file downloads

Not configured

Enabled:Enable

Internet Zone\Download signed ActiveX controls

Not configured

Enabled:Disable

Internet Zone\Download unsigned ActiveX controls

Not configured

Enabled:Disable

Internet Zone\Initialize and script ActiveX controls not marked as safe

Not configured

Enabled:Disable

Internet Zone\Java permissions

Not configured

Enabled:Disable Java

Internet Zone\Launching applications and files in an IFRAME

Not configured

Enabled:Disable

Internet Zone\Logon Options

Not configured

Enabled:Prompt for user name and password

Internet Zone\Navigate sub-frames across different domains

Not configured

Disabled

Internet Zone\Open file based on content, not file extension

Not configured

Enabled:Disable

Internet Zone\Software channel permissions

Not configured

Enabled:High Safety

Internet Zone\Use Pop-up Blocker

Not configured

Enabled:Enable

Internet Zone\Web sites in less privileged Web content zones can navigate into this zone

Not configured

Enabled:Disable

**§ -** Denotes Group Policy settings that are new in Windows Vista.
Internet Control Panel\Security Page\Restricted Sites Zone

You can configure these prescribed user settings in the following location within the Group Policy Object Editor:

User Configuration\Administrative Templates\Windows Components
\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone

The following table summarizes the recommended Internet Explorer user configuration settings. Additional information about each setting is provided in the subsections that follow the table.

Note   The settings for the Internet and Restricted Sites zones are very similar. Descriptions for settings in both zones are provided below.

Table A70. Recommended Restricted Sites Zone Settings

Setting EC user SSLF user

Restricted Sites Zone\Access data sources across domains

Not configured

Enabled:Disable

Restricted Sites Zone\Allow active scripting

Not configured

Enabled:Disable

Restricted Sites Zone\Allow binary and script behaviors

Not configured

Enabled:Disable

Restricted Sites Zone\Allow cut, copy, or paste operations from the clipboard via script

Not configured

Enabled:Disable

Restricted Sites Zone\Allow drag and drop or copy and paste files

Not configured

Enabled:Disable

Restricted Sites Zone\Allow file downloads

Not configured

Enabled:Disable

Restricted Sites Zone\Allow font downloads

Not configured

Enabled:Disable

Restricted Sites Zone\Allow installation of desktop items

Not configured

Enabled:Disable

Restricted Sites Zone\Allow META REFRESH

Not configured

Enabled:Disable

Restricted Sites Zone\Allow script-initiated windows without size or position constraints

Not configured

Enabled:Disable

§ Restricted Sites Zone\Allow status bar updates via script

Not configured

Disabled

Restricted Sites Zone\Automatic prompting for file downloads

Not configured

Enabled:Enable

Restricted Sites Zone\Download signed ActiveX controls

Not configured

Enabled:Disable

Restricted Sites Zone\Download unsigned ActiveX controls

Not configured

Enabled:Disable

Restricted Sites Zone\Initialize and script ActiveX controls not marked as safe

Not configured

Enabled:Disable

Restricted Sites Zone\Java permissions

Not configured

Enabled:Disable Java

Restricted Sites Zone\Launching applications and files in an IFRAME

Not configured

Enabled:Disable

Restricted Sites Zone\Logon Options

Not configured

Enabled:Anonymous Logon

Restricted Sites Zone\Navigate sub-frames across different domains

Not configured

Enabled:Disable

Restricted Sites Zone\Open file based on content, not file extension

Not configured

Enabled:Disable

Restricted Sites Zone\Run .NET Framework-reliant components not signed with Authenticode

Not configured

Enabled:Disable

Restricted Sites Zone\Run .NET Framework-reliant components signed with Authenticode

Not configured

Enabled:Disable

Restricted Sites Zone\Run ActiveX controls and plugins

Not configured

Enabled:Disable

Restricted Sites Zone\Script ActiveX controls marked safe for scripting

Not configured

Enabled:Disable

Restricted Sites Zone\Scripting of Java applets

Not configured

Enabled:Disable

Restricted Sites Zone\Software channel permissions

Not configured

Enabled:High Safety

Restricted Sites Zone\Use Pop-up Blocker

Not configured

Enabled:Enable

Restricted Sites Zone\Web sites in less privileged Web content zones can navigate into this zone

Not configured

Enabled:Disable

§ - Denotes Group Policy settings that are new in Windows Vista.

Access data sources across domains
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

The Access data sources across domains setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone.

Allow active scripting
This policy setting allows you to manage whether script code on pages in the zone is run. If you enable this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run. If you disable this policy setting, script code on pages in the zone is prevented from running. If you do not configure this policy setting, script code on pages in the zone is prevented from running.

The Allow active scripting setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for the Restricted Sites Zone.

Allow binary and script behaviors
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. If you enable this policy setting, binary and script behaviors are available. If you select Administrator approved in the drop-down box, only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.

If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. If you do not configure this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager.

The Allow binary and script behaviors setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for the Restricted Sites Zone.

Allow cut, copy, or paste operations from the clipboard via script
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. If you enable this policy setting, a script can perform a clipboard operation. If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. If you disable this policy setting, a script cannot perform a clipboard operation. If you do not configure this policy setting, a script cannot perform a clipboard operation.

The Allow cut, copy, or paste operations from the clipboard via script setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone.

Allow drag and drop or copy and paste files
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. If you disable this policy setting, users are prevented from dragging files or copying and pasting files from this zone.

If you do not configure this policy setting, users are queried to choose whether to drag or copy files from this zone.

The Allow drag and drop or copy and paste files setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone.

Allow file downloads
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered. If you enable this policy setting, files can be downloaded from the zone. If you disable this policy setting, files are prevented from being downloaded from the zone. If you do not configure this policy setting, files are prevented from being downloaded from the zone.

The Allow file downloads setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for the Restricted Sites Zone.

Allow font downloads
This policy setting allows you to manage whether pages of the zone may download HTML fonts.

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.

The Allow font downloads setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone.

Allow installation of desktop items
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this option are:

Enable users can install desktop items from this zone automatically.

Prompt users are queried to choose whether to install desktop items from this zone.

Disable users are prevented from installing desktop items from this zone.

If you do not configure this policy setting, users are prevented from installing desktop items from this zone.

The Allow installation of desktop items setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone.

Allow META REFRESH
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting to redirect browsers to another Web page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page. If you disable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page. If you do not configure this policy setting, a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page.

The Allow META REFRESH setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for the Restricted Sites Zone.

Allow script-initiated windows without size or position constraints
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature. If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.

The Allow script-initiated windows without size or position constraints setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone.

Allow status bar updates via script
This policy setting allows you to manage whether script is allowed to update the status bar within the zone. If you enable this policy setting, script is allowed to update the status bar. If you disable this policy setting, script is not allowed to update the status bar. If you do not configure this policy setting, status bar updates via scripts will be disabled.

The Allow status bar updates via script setting is configured to Disabled for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone.

Automatic prompting for file downloads
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts.

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Information Bar instead of the file download dialog. Users can then click the Information Bar to allow the file download prompt.

The Automatic prompting for file downloads setting is configured to Enabled:Enable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone.

Download signed ActiveX controls
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by untrusted publishers. Code signed by trusted publishers is silently downloaded. If you Disable the policy setting, signed controls cannot be downloaded.

If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.

The Download signed ActiveX controls setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone.

Download unsigned ActiveX controls
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.

If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls.

The Download unsigned ActiveX controls setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone.

Initialize and script ActiveX controls not marked as safe
This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

The Initialize and script ActiveX controls not marked as safe setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone.

Java permissions
This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Low Safety enables applets to perform all operations**. Medium Safety** enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. If you disable this policy setting, Java applets cannot run. If you do not configure this policy setting, the permission is set to High Safety.

The Java permissions setting is configured to Enabled:Disable Java for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone.

Launching applications and files in an IFRAME
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.

If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. If you do not configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.

The Launching applications and files in an IFRAME setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone.

Logon Options
This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the following logon options:

Anonymous logon disables HTTP authentication and uses the guest account only for the Common Internet File System (CIFS) protocol.

Prompt for user name and password queries users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.

Automatic logon only in Intranet zone queries users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session.

Automatic logon with current user name and password attempts logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password.

If you disable this policy setting, logon is set to Automatic logon only in Intranet zone. If you do not configure this policy setting, logon is set to Automatic logon only in Intranet zone.

The Logon Options setting is configured to Enabled:Prompt for Username and Password for the SSLF environment in the Internet Zone and Enabled:Anonymous Logon in the Restricted Sites Zone. The setting is Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone.

Navigate sub-frames across different domains
This policy setting allows you to manage the opening of sub-frames and access of applications across different domains. If you enable this policy setting, users can open sub-frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow sub-frames or access to applications from other domains.

If you disable this policy setting, users cannot open sub-frames or access applications from different domains. If you do not configure this policy setting, users can open sub-frames from other domains and access applications from other domains.

The Navigate sub-frames across different domains setting is configured to Disabled for the SSLF environment in the Internet Zone and to Enabled:Disable in the Restricted Sites Zone. The setting is Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone.

Open file based on content, not file extension
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature. If you enable this policy setting, the MIME Sniffing Safety Feature will not apply in this zone; the security zone will run without the added layer of security provided by this feature. If you disable this policy setting, the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone, as dictated by the feature control setting for the process. If you do not configure this policy setting, the MIME Sniffing Safety Feature will not apply in this zone.

The Open file based on content,not file extension setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone.

Run .NET Framework-reliant components not signed with Authenticode
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode® can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

The Run .NET Framework-reliant components not signed with Authenticode setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for the Restricted Sites Zone.

Run .NET Framework-reliant components signed with Authenticode
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. If you disable this policy setting, Internet Explorer will not execute signed managed components. If you do not configure this policy setting, Internet Explorer will not execute signed managed components.

The Run .NET Framework-reliant components signed with Authenticode setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for the Restricted Sites Zone.

Run ActiveX controls and plugins
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. If you enable this policy setting, controls and plug-ins can run without user intervention. If you selected Prompt in the drop-down box, users are asked to choose whether to allow the controls or plug-in to run. If you disable this policy setting, controls and plug-ins are prevented from running. If you do not configure this policy setting, controls, and plug-ins are prevented from running.

The Run ActiveX controls and plugins setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for the Restricted Sites Zone.

Script ActiveX controls marked safe for scripting
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. If you enable this policy setting, script interaction can occur automatically without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow script interaction. If you disable this policy setting or do not configure this policy setting, script interaction is prevented from occurring.

The Script ActiveX controls marked as safe for scripting setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for the Restricted Sites Zone.

Scripting of Java applets
This policy setting allows you to manage whether applets are exposed to scripts within the zone. If you enable this policy setting, scripts can access applets automatically without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow scripts to access applets. If you disable this policy setting or do not configure this policy setting, scripts are prevented from accessing applets.

The Scripting of Java applets setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for the Restricted Sites Zone.

Software channel permissions
This policy setting allows you to manage software channel permissions. If you enable this policy setting, you can choose the following options from the drop-down box:

Low safety allows a user to be notified of software updates by e-mail, software packages to be automatically downloaded to a user's computers, and software packages to be automatically installed on a user's computers.

Medium safety allows a user to be notified of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) a user's computers.

High safety prevents a user from being notified of software updates by e-mail, and from having software packages automatically downloaded or automatically installed on the user's computers.

If you disable this policy setting, permissions are set to High safety.

The Software channel permissions setting is configured to Enabled:High safety for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone.

Use Pop-up Blocker
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, many unwanted pop-up windows are prevented from appearing. If you disable this policy setting, pop-up windows are not prevented from appearing. If you do not configure this policy setting, many unwanted pop-up windows are prevented from appearing.

The Use Pop-up blocker setting is configured to Enabled:Enable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone.

Web sites in less privileged Web content zones can navigate into this zone
This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.

The Web sites in less privileged Web content zones can navigate into this zone setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone.

Offline Pages

You can configure these prescribed user settings in the following location within the Group Policy Object Editor:

User Configuration\Administrative Templates\Windows Components
\Internet Explorer\Offline Pages

The following table summarizes the recommended Internet Explorer user configuration settings. Additional information about each setting is provided in the subsections that follow the table.

Note These settings do not apply to Internet Explorer 7. They are only configured for the EC environment because these environments might contain computers running Windows XP with Internet Explorer 6.0.

Table A71. Recommended Offline Pages Settings

Setting EC user SSLF user

Disable adding channels

Enabled

Not configured

Disable adding schedules for offline pages

Enabled

Not configured

Disable all scheduled offline pages

Enabled

Not configured

Disable channel user interface completely

Enabled

Not configured

Disable downloading of site subscription content

Enabled

Not configured

Disable editing and creating of schedule groups

Enabled

Not configured

Disable editing schedules for offline pages

Enabled

Not configured

Disable offline page hit logging

Enabled

Not configured

Disable removing channels

Enabled

Not configured

Disable removing schedules for offline pages

Enabled

Not configured

Disable adding channels
This policy setting removes users' ability to add channels to Internet Explorer. Channels are Web sites that are updated automatically on computers that run Internet Explorer, and the update schedule is specified by the channel provider. This policy setting is one of several settings that block the ability of Internet Explorer to automatically download content. It is a best practice to only allow a computer to download pages from the Internet when a user makes requests directly from the computer.

For these reasons, the Disable adding channels setting is configured to Enabled for the EC environment and is Not configured for the SSLF environment.

Disable adding schedules for offline pages
This policy setting removes a user's ability to specify that Web pages can be downloaded and viewed offline. This capability allows users to view Web pages when their computers are not connected to the Internet.

The Disable adding schedules for offline pages setting is configured to Enabled for the EC environment and is Not configured for the SSLF environment.

Disable all scheduled offline pages
This policy setting disables any existing schedules that are set up to download Web pages so that they can be viewed offline. If you enable this policy, the check boxes for schedules on the Schedule tab of the Web page properties dialog box are cleared and users cannot select them. To display this tab, users click the Tools menu, Synchronize, select a Web page, then click the Properties button and the Schedule tab. This policy setting is one of several settings that block the ability of Internet Explorer to automatically download content.

The Disable all scheduled offline pages setting is configured to Enabled for the EC environment and is Not configured for the SSLF environment

Disable channel user interface completely
This policy setting removes users' ability to view the Channel Bar interface. Channels are Web sites that are automatically updated on computers, and the schedule is specified by the channel provider. If you enable this policy setting, users will not be able to access the Channel Bar interface and select the Internet Explorer Channel Bar check box on the Web tab in the Display Properties dialog box. This policy setting is one of several settings that block the ability of Internet Explorer to automatically download content.

The Disable channel user interface completely setting is configured to Enabled for the EC environment and is Not configured for the SSLF environment.

Disable downloading of site subscription content
This policy setting removes users' ability to download subscription content from Web sites. However, synchronization of Web page content will still occur when the user returns to a page that was previously accessed to determine if any content has been updated. This policy setting is one of several settings that block the ability of Internet Explorer to automatically download content.

The Disable downloading of site subscription content setting is configured to Enabled for the EC environment and is Not configured for the SSLF environment.

Disable editing and creating of schedule groups
This policy setting removes users' ability to add, edit, or remove schedules for offline review of Web pages and groups of Web pages to which they subscribe. A subscription group is a favorite Web page and the Web pages that link to it. If you enable this policy, the Add, Remove, and Edit buttons are dimmed on the Schedule tab in the Web page Properties dialog box. To display this tab, users click Tools and then Synchronize in Internet Explorer, select a Web page, click the Properties button, and then click the Schedule tab. This policy setting is one of several settings that block the ability of Internet Explorer to automatically download content.

For these reasons, the Disable editing and creating of schedule groups setting is configured to Enabled for the EC environment and is Not configured for the SSLF environment.

Disable editing schedules for offline pages
This policy setting removes users' ability to edit any existing schedules that are set up to download Web pages for offline review. If you enable this policy, users will not be able to display the schedule properties of pages that have been set up for offline review. No properties will display when users click Tools, Synchronize in Internet Explorer, select a Web page, and then click the Properties button. Users do not receive any message that states the command is unavailable. This policy setting is one of several settings that block the ability of Internet Explorer to automatically download content.

The Disable editing schedules for offline pages setting is configured to Enabled for the EC environment and is Not configured for the SSLF environment.

Disable offline page hit logging
This policy setting removes the ability of channel providers to record how often their channel pages are viewed by users when they are offline. This policy setting is one of several that block the ability of Internet Explorer to automatically download content.

The Disable offline page hit logging setting is configured to Enabled for the EC environment and is Not configured for the SSLF environment.

Disable removing channels
This policy setting removes users' ability to disable channel synchronization in Internet Explorer. It is a best practice to only allow a computer to download pages from the Internet when a user makes requests directly from the computer.

For this reason, the Disable removing channels setting is configured to Enabled for the EC environment and is Not configured for the SSLF environment.

Disable removing schedules for offline pages
This policy setting removes users' ability to clear preconfigured settings for Web pages to download for offline review. If you enable this policy setting, preconfigured Web page settings are protected. This policy setting is one of several settings that block the ability of Internet Explorer to automatically download content.

The Disable removing schedules for offline pages setting is configured to Enabled for the EC environment and is Not configured for the SSLF environment.

Windows Explorer

Windows Explorer is used to browse the file system on client computers that run Windows Vista.

You can configure the following prescribed user settings in the following location within the Group Policy Object Editor:

User Configuration\Administrative Templates\Windows Components
\Windows Explorer

The following table summarizes the recommended Windows Explorer user configuration settings. Additional information about each setting is provided in the subsections that follow the table.

Table A72. Recommended Windows Explorer User Configuration Settings

Setting EC computer SSLF computer

Remove CD Burning features

Not configured

Enabled

Remove Security tab

Not configured

Enabled

Remove CD Burning features
This policy setting removes the built-in Windows Vista features that allow users to burn CDs through Windows Explorer. Windows Vista allows you to create and modify rewritable CDs if you have a read/write CD drive connected to your computer. This feature can be used to copy large amounts of data from a hard drive to a CD, which may then be removed from the computer.

The Remove CD Burning features setting is Not configured for the EC environment and is configured to Enabled for the SSLF environment.

Note   This policy setting does not prevent CDs from being modified or created by third-party applications that use a CD writer. This guide recommends the use of software restriction policies to block the creation or modification of CDs by third-party applications.

Another way to prevent users from burning CDs is to remove the CD writers from the client computers in your environment or replace them with read-only CD drives.

Remove Security tab
This policy setting disables the Security tab on the file and folder properties dialog boxes in Windows Explorer. If you enable this policy setting, users cannot access the Security tab after opening the Properties dialog box for all file system objects, including folders, files, shortcuts, and drives. Because the Security tab is inaccessible, users cannot change settings or view the list of users.

For these reasons, the Remove Security tab setting is Not configured for the EC environment and is configured to Enabled for the SSLF environment.

Top Of Page Top of page

More Information

The following links provide additional information about security topics and in-depth discussion of the concepts and security prescriptions in this guide for Windows Vista:

Support and Feedback

The Solution Accelerators – Security and Compliance (SASC) team would appreciate your thoughts about this and other Solution Accelerators.

Please contribute comments to the Discussions in Security newsgroup on the Windows Vista Help and Support Web site.

Or e-mail your feedback to the following address: mailto:secwish@microsoft.com.

We look forward to hearing from you.

Top Of Page Top of page

In This Article

Download

Get the Windows Vista Security Guide

Solution Accelerator Notifications

Sign up to stay informed

Feedback

Send us your comments or suggestions