Windows Vista Security GuideAppendix A: Security Group Policy SettingsOn This Page Overview OverviewThis appendix identifies the security policy settings for the Enterprise Client (EC) and Specialized Security – Limited Functionality (SSLF) environments. The appendix also provides the recommended settings configured through the automated process that the Windows Vista Security Guide prescribes in Chapter 1, "Implementing the Security Baseline" and Chapter 5, "Specialized Security – Limited Functionality." The Windows Vista Security Guide Settings.xls file that accompanies this guide provides another resource that you can use to compare the setting values. The appendix presents the settings according to how they appear in the Group Policy Object Editor user interface (UI) in the Windows Vista™ operating system. Note Group Policy settings that are new in Windows Vista are denoted with the § symbol. The security settings this guide addresses are grouped into the following three main sections:
Tables in each of the main sections list the setting names and refer to baseline values that the engineering team developed for both the EC and the SSLF security configurations prescribed in this guide. Possible values vary considerably by setting. Most settings are configured to either Enabled or Disabled or some other value listed in the Group Policy Object Editor. However, many settings also require you to specify numerical values or security groups. User rights policy settings require specific user and group names. When a particular user right is not granted to any user or group, the Group Policy Object Editor displays the setting as enabled, but no users or groups will be listed. The tables in this appendix use the value No one to describe settings configured in this way. Settings configured to Not Defined or Not configured are not affected by the Group Policy objects (GPOs) included with this guide. This is very different than having a setting configured to No one as described previously. Settings not modified by the GPOs included with this guide can easily be modified by local computer administrators if the setting is not already configured by another GPO in your environment. This can lead to configuration inconsistencies across your environment, which could compromise security. For this reason, many prescribed settings merely enforce the default Windows Vista setting. The following table shows a couple of examples that can help you understand the different possible configurations:
Notice the default for the Allow log on through Terminal Services setting. The setting is Not Defined in the EC Computer GPO, which means no changes are made to the default. However, in the SSLF Computer GPO, the No one setting (an enabled setting that is blank in the Group Policy Object Editor) means that no user or group has the right to log on through Terminal Services. Furthermore a local computer administrator cannot easily change this setting because it is enforced through Group Policy. Similarly, notice the default for the Adjust memory quotas for a process setting. Once again the EC Computer GPO does not modify the default. Under this configuration, a local computer administrator could easily modify this setting. However, in the SSLF environment, this would not be possible because the SSLF Computer GPO enforces the default setting. Finally, there are several settings prescribed in the guide that require specific environment information to provide the proper functionality. Because it is not possible to include these settings in the GPOs included with this guide, they are configured in the tables with a value of Recommended. You should further investigate these settings to determine the proper configuration. Warning The functionality of many settings in this appendix are dependent on other settings, and these dependencies are by design. Also, the values for some settings require you to customize them to the specific needs of your environment for them to work properly. For these reasons, if you alter any of the prescribed settings values for either the EC or SSLF environment, be prepared to extensively test the client computers in your environment to ensure their full functionality. Top of page Domain PolicyThe security settings in this section of the appendix apply to the domain. These settings are applied through the Computer Configuration node in the Group Policy Object Editor. Within this node, the following setting groups appear in the Windows Settings sub-node:
Password Policy SettingsComplex passwords that you change regularly help reduce the likelihood of a successful password attack. Password policy settings control the complexity and lifetime of passwords. You configure password policy settings only by Group Policy at the domain level. You can configure the password policy settings in the following location in the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy The following table summarizes the password policy setting recommendations for the two types of secure environments defined in this guide. The following subsections describe each of the settings. Table A2. Password Policy Setting Recommendations
Enforce password history Configure the Enforce password history setting to 24 passwords for the two security environments in this guide. Maximum password age Configure the Maximum password age setting to a value of 90 days for the two security environments defined in this guide. Minimum password age The value for the Minimum password age setting must be less than that specified for the Maximum password age setting, unless the value for the Maximum password age setting is configured to 0, which causes passwords never to expire. If the value for the Maximum password age setting is configured to 0, the value for this policy setting can be configured to any value between 0 and 999. If you want the Enforce password history setting to be effective, configure this value to be greater than 0. If the Minimum password age setting is 0, users can cycle through passwords repeatedly until they can re-use an old favorite. Configure the Minimum password age setting to a value of 1 day for the two security environments defined in this guide. This value discourages users from repeated re-use of the same password because it requires them to wait a full day before they can change passwords. It also encourages users to remember new passwords because they must use them for at least a day before they can reset them. Finally, it does not allow users to circumvent the Enforce password history setting restriction. Minimum password length In the EC environment, ensure that the value for the Minimum password length setting is configured to 8 characters. This policy setting is long enough to provide adequate security. In the SSLF environment, configure the value to 12 characters. Password must meet complexity requirements When this policy is enabled, passwords must meet the following minimum requirements:
Each additional character in a password increases its complexity exponentially. For instance, a seven-character, all lower-case alphabetic password would have 267 (approximately 8 x 109 or 8 billion) possible combinations. At 1,000,000 attempts per second (a capability of many password-cracking utilities), it would only take 133 minutes to crack. A seven-character alphabetic password with case sensitivity has 527 combinations. A seven-character case-sensitive alphanumeric password without punctuation has 627 combinations. An eight-character password has 268 (or 2 x 1011) possible combinations. Although this might seem to be a large number, at 1,000,000 attempts per second it would take only 59 hours to try all possible passwords. Remember, these times will significantly increase for passwords that use ALT characters and other special keyboard characters such as "!" or "@". Proper use of the password settings can help make it difficult to mount a brute force attack. Store passwords using reversible encryption You must enable this policy setting when using the Challenge-Handshake Authentication Protocol (CHAP) through remote access or Internet Authentication Service (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS). Ensure that the Store passwords using reversible encryption for all users in the domain setting has a Disabled configuration, as it is in the Default Domain Group Policy object (GPO) of Windows Server 2003 and in the local security policy for workstations and servers. This policy setting is also Disabled in the two environments that are defined in this guide. How to Make Users Change Passwords Only When RequiredIn addition to these password policies, centralized control over all users is a requirement for some organizations. This section describes how to prevent users from changing their passwords except when they are required to do so. Centralized control of user passwords is a cornerstone of a well-crafted Windows Vista security scheme. You can use Group Policy to set minimum and maximum password ages as discussed previously. However, frequent password change requirements can enable users to circumvent the Enforce password history setting for your environment. Requirements for passwords that are too long may also lead to help desk calls from users who forget their passwords. Users can change their passwords during the period between the minimum and maximum password age settings. However, the SSLF environment security design requires that users change their passwords only when prompted by the operating system after their passwords have reached the maximum age of 42 days. To achieve this level of control, administrators can disable the Change Password button in the Windows Security dialog box that appears when you press CTRL+ALT+DEL. You can implement this configuration for an entire domain through Group Policy, or edit the registry to implement it for one or more specific users. For more information about this configuration, see Microsoft Knowledge Base article 324744, "How To: Prevent Users from Changing a Password Except When Required in Windows Server 2003." If you have a Windows 2000–based domain, see Knowledge Base article 309799, "How To: Prevent Users from Changing a Password Except When Required in Windows 2000." Account Lockout Policy SettingsThe account lockout policy is an Active Directory® directory service security feature that locks a user account. The lock prevents logon after a specified number of failed logon attempts occur within a specified period. Domain controllers track logon attempts and the number of allowed attempts and the period are based on the values that are configured for the account lockout settings. In addition, you can specify the duration of the lock. These policy settings help prevent attackers from guessing user passwords, and they decrease the likelihood of successful attacks on your network environment. However, an enabled account lockout policy will probably result in more support issues for network users. Before you enable the following settings, ensure that your organization wants to accept this additional management overhead. For many organizations, an improved and less-costly solution is to automatically scan the Security event logs for domain controllers and generate administrative alerts when it appears that someone is attempting to guess passwords for user accounts. You can configure the account lockout policy settings in the following location in the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings The following table includes the account lockout policy setting recommendations for both of the security environments defined in this guide. The following subsections describe each of the settings. Table A3. Account Lockout Policy Setting Recommendations
Account lockout duration To reduce the number of help desk support calls and also help provide a secure infrastructure, configure the value for the Account lockout duration setting to 15 minutes for both the EC and SSLF environments that are defined in this guide. Although it might seem like a good idea to configure the value for this policy setting to a high value, such a configuration will likely increase the number of calls that the help desk receives to unlock accounts locked by mistake. The recommended setting value of 15 minutes was determined to be a reasonable amount of time for users to wait to log on again, in addition to providing a level of protection against brute force password attacks. Users should be aware of the length of time a lock remains in place, so that they realize they only need to call the help desk if they have an extremely urgent need to regain access to their computer. Account lockout threshold Configure the value for the Account lockout threshold setting to 50 invalid logon attempts for EC environments and 10 invalid logon attempts for SSLF environments. Because it is possible for an attacker to use this lockout state as a denial of service (DoS) by triggering a lockout on a large number of accounts, your organization should determine whether to use this policy setting based on identified threats and the risks you want to mitigate. There are two options to consider for this policy setting.
Reset account lockout counter after Configure the value for the Reset account lockout counter after setting to 15 minutes for both the EC and SSLF environments defined in this guide. If you leave this policy setting at its default value or configure the value to an interval that is too long, your environment could be vulnerable to a DoS attack. An attacker could maliciously perform a number of failed logon attempts on all users in the organization, which will lock out their accounts as described earlier in this appendix. If no policy were determined to reset the account lockout, it would be a manual task for administrators. Conversely, if a reasonable time value is configured for this policy setting, users would be locked out for a set period until all of the accounts are unlocked automatically. The recommended setting value of 15 minutes was determined to be a reasonable amount of time that users are likely to accept, which should help to minimize the number of calls to the help desk. Users should be aware of the length of time they must wait before attempting to logon so they realize they only need to call the help desk if they have an extremely urgent need to regain access to their computer. Top of page Computer PolicyThe security settings in this section of the appendix apply to desktop and laptop computers in the domain. These settings are applied through the Computer Configuration node in the Group Policy Object Editor. Within this node, these settings appear in the Windows Settings and Administrative Templates sub-nodes. Computer Configuration\Windows SettingsThe following setting groups appear in the Computer Configuration\Windows Settings\Security Settings\Local Policies subdirectory:
The following setting groups appear in the Computer Configuration\Windows Settings\Security Settings subdirectory:
Audit Policy SettingsAn audit policy determines the security events to report to administrators so that there is a record of user or system activity in specified event categories. The administrator can monitor security-related activity, such as who accesses an object, when users log on to or log off from computers, or if changes are made to an Audit policy setting. For all of these reasons, Microsoft recommends that you form an Audit policy for an administrator to implement in your environment. However, before you implement an Audit policy you must investigate which event categories to audit in your environment. The audit settings you choose within the event categories define your Audit policy. When you define audit settings for specific event categories, an administrator can create an Audit policy that will meet the security needs of your organization. If you do not configure audit settings, it will be difficult or impossible to determine what took place during a security incident. However, if you configure audit settings so that too many authorized activities generate events, the Security event log will fill up with too much data. The information in the following sections will help you decide what to monitor to facilitate the collection of relevant audit data for your organization. Windows Vista includes the same nine audit policy categories present in previous versions of Windows, which are:
However, Windows Vista allows audit policy to be managed in a more precise way by including fifty audit policy subcategories. Although not all subcategories apply to Windows Vista-based computers, many of them can be configured to record specific events that provide valuable information. In the past, configuring any of the nine audit categories was easily accomplished using Group Policy. Although the same is possible with Windows Vista, the new audit subcategories cannot be configured individually using the Group Policy Object Editor because the subcategories are not exposed in the Group Policy Object Editor. If you configure any of the audit categories in Windows Vista using the settings present in the Group Policy Object Editor, all subcategories will also be configured. This will most likely cause excessive audit logging that will quickly fill up your event logs. The recommended approach is to configure only the necessary audit subcategories. Configuring each subcategory requires using a command-line tool included in Windows Vista called AuditPol.exe. Having to use a command-line tool makes it very difficult to implement the prescribed audit policy across many computers. However, Microsoft has developed a solution for configuring audit subcategories using Group Policy. This solution is automatically implemented by the scripts and GPOs included with this guide. When you run the GPOAccelerator.wsf script as described in Chapters 1 and 5 of this guide, the script automatically copies the following files to the NETLOGON share of one of your domain controllers. For the EC environment:
For the SSLF environment:
These files will then automatically replicate to the NETLOGON share of domain controllers in your Active Directory domain. The computer-specific GPOs created by the GPOAccelerator.wsf script include a computer startup script that runs these files to configure the prescribed audit policy settings. The first time these files run on a computer, a scheduled task named VSGAudit is created. This task will run every hour to help ensure the audit policy settings are up to date. For more information on the solution for configuring the new audit policy settings in Windows Vista in a Windows Server 2003-based domain, see the Knowledge Base article 921469, "How to use Group Policy to configure detailed security auditing settings for Windows Vista client computers in a Windows Server 2003 domain or in a Windows 2000 domain." The following table summarizes the audit policy setting recommendations for both desktop and laptop client computers in the two types of secure environments discussed in this guide. You should review these recommendations and adjust them as appropriate for your organization. Information about how to modify the audit policy settings configured by GPOs included with this guide is provided at the end of this section. However, be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated will make it difficult to find other types of entries in the Security event log. Such a configuration could also have a significant impact on performance. The following sections provide a brief description of each Audit policy. The tables in each section include recommendations for both desktop and laptop client computers in the two types of secure environments discussed in this guide. Note Due to time constraints, descriptions of each of the audit policy subcategories are not provided in this guide. The forthcoming release of theThreats and Countermeasures guide will include detailed descriptions of each of the 50 audit policy subcategories. SystemThe System audit category allows you to monitor system events that succeed and fail, and provides a record of these events that may help determine instances of unauthorized system access. System events include starting or shutting down computers in your environment, full event logs, or other security-related events that affect the entire system. In Windows Vista, the System audit category contains the subcategories represented in the following table. Table A4. System Audit Policy Subcategory Recommendations
§ - Denotes Group Policy settings that are new in Windows Vista. Logon/LogoffThis audit category generates events that record the creation and destruction of logon sessions. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure the Audit logon events setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. In Windows Vista, the Logon\Logoff events audit category contains the subcategories represented in the following table. Table A5. Logon/Logoff Audit Policy Subcategory
§ - Denotes Group Policy settings that are new in Windows Vista. Object AccessBy itself, this policy setting will not cause auditing of any events. It determines whether to audit the event of a user who accesses an object—for example, a file, folder, registry key, or printer—that has a specified system access control list (SACL), effectively enabling auditing to take place. A SACL is comprised of access control entries (ACEs). Each ACE contains three pieces of information:
If you configure the Audit object access setting to Success, an audit entry is generated each time that a user successfully accesses an object with a specified SACL. If you configure this policy setting to Failure, an audit entry is generated each time that a user fails in an attempt to access an object with a specified SACL. Organizations should define only the actions they want enabled when they configure SACLs. For example, you might want to enable the Write and Append Data auditing setting on executable files to track when they are changed or replaced, because computer viruses, worms, and Trojan horses typically target executable files. Similarly, you might want to track when sensitive documents are accessed or changed. The Object Access events audit category contains the subcategories represented in the following table. Table A6. Object Access Audit Policy Subcategory Recommendations
§ - Denotes Group Policy settings that are new in Windows Vista. The following procedures describe how to configure audit rules on a file or folder and how to test each audit rule for each object in the specified file or folder. Note You must use Auditpol.exe to configure the File System subcategory to audit Success and Failure events for the following steps to log events in the Security event log. To define an audit rule for a file or folder
Note The User,Group, and Built-in security principal object types are selected by default.
Note Remember that each access may generate multiple events in the event log and cause it to grow rapidly.
To test an audit rule for the file or folder
Privilege UseThe Privilege Use audit category determines whether to audit each instance of a user exercising a user right. If you configure this value to Success, an audit entry is generated each time that a user right is exercised successfully. If you configure this value to Failure, an audit entry is generated each time that a user right is exercised unsuccessfully. This policy setting can generate a very large number of event records. The Privilege Use events audit category contains the subcategories represented in the following table. Table A7. Privilege Use Audit Policy Subcategory Recommendations
§ - Denotes Group Policy settings that are new in Windows Vista. Detailed TrackingThe Detailed Tracking audit category determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Enabling Audit process tracking will generate a large number of events, so it is typically set to No Auditing. However, this setting can provide a great benefit during an incident response from the detailed log of the processes started and the time when they were launched. The Detailed Tracking events audit category contains the subcategories represented in the following table. Table A8. Detailed Tracking Audit Policy Subcategory Recommendations
§ - Denotes Group Policy settings that are new in Windows Vista. Policy ChangeThe Policy Change audit category determines whether to audit every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself. The recommended settings would let you see any account privileges that an attacker attempts to elevate—for example, by adding the Debug programs privilege or theBack up files and directories privilege. The Policy Change events audit category contains the subcategories represented in the following table. Table A9. Policy Change Audit Policy subcategory Recommendations
§ - Denotes Group Policy settings that are new in Windows Vista. Account ManagementThe Account Management audit category helps you track attempts to create new users or groups, rename users or groups, enable or disable user accounts, change account passwords, and enable auditing for Account Management events. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user and group accounts. The Account Management events audit category contains the subcategories represented in the following table. Table A10. Account Management System Audit Policy Subcategory Recommendations
§ - Denotes Group Policy settings that are new in Windows Vista. DS AccessThe DS Access audit category applies only to domain controllers. For this reason, the DS Access audit category and all related subcategories are configured to No Auditing for both environments discussed in this guide. The DS Access events audit category contains the subcategories represented in the following table. Table A11. DS Access Audit Policy Subcategory Recommendations
§ - Denotes Group Policy settings that are new in Windows Vista. Account LogonThe Account Logon audit category generates events for credential validation. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authoritative, whereas for local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the domain controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on. The Account Logon events audit category contains the subcategories represented in the following table. Table A12. Account Logon Audit Policy Subcategory Recommendations
§ - Denotes Group Policy settings that are new in Windows Vista. Modifying Audit Policy SettingsTo modify the audit policy subcategories and settings configured by the GPOs included with this guide requires you to use Auditpol.exe to modify the configuration of one computer in your environment, and generate a file that contains the audit policy settings for your environment. The computer GPOs included with this guide will then apply the modified audit policy to computers in your environment. To modify your audit policy configuration
auditpol /clear
Note Some parts of the following code snippet have been displayed in multiple lines only for better readability. These should be entered in a single line. auditpol /set /subcategory:"user account management" /success:enable /failure:enable auditpol /set /subcategory:"logon" /success:enable /failure:enable auditpol /set /subcategory:"IPSEC Main Mode" /failure:enable Note To see all possible categories and subcategories, type the following line at the command prompt, and then press ENTER: Type the following line at the command prompt, and then press ENTER: auditpol /backup /file:EC-AuditPolicy.txt (or SSLF-AuditPolicy.txt)
The computer GPOs included with this guide will use the new EC-AuditPolicy.txt (or SSLF-AuditPolicy.txt) file to modify and configure the audit policy settings on your computers. Removing the Audit Policy ConfigurationAs previously discussed, the solution implemented by the GPOs included with this guide for configuring the audit policy subcategories creates the VSGAudit scheduled task on all computers in your environment. If you have removed the GPOs included with this guide from your environment, you might want to delete the VSGAudit scheduled task. The VSGAudit scheduled task should not affect the performance of computers running Windows Vista even if the GPOs included with this guide have been removed from your environment. To delete the VSGAudit scheduled task from computers across your environment
For the EC environment:
For the SSLF environment:
The VSGAudit scheduled task checks for the DeleteVSGAudit.txt file every time it runs, and when it finds the file, the VSGAudit scheduled task deletes itself. Since the VSGAudit scheduled task is configured to run every hour, it should not take long before the task is deleted from all computers across your environment. Audit Policies for Computers Running Windows XP in the EC EnvironmentThe GPOs included with this guide include settings that configure the audit categories present in previous versions of Windows. If you use the script and the GPOs included with this guide, these settings will not apply to computers running Windows Vista. The GPOs intended for use in the EC environment have been designed to work with Windows XP-based computers. Settings for audit categories are included in these GPOs so that computers running Windows XP in your environment receive the recommended audit policy settings for Windows XP-based computers. You can configure the Audit policy settings in Windows Vista at the following location in the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings The following table summarizes the Audit policy setting recommendations for both desktop and laptop client computers in the two types of secure environments discussed in this guide. Table A13. Audit Policy Setting Recommendations
Note Because GPOs for the EC environment are designed to work with computers running Windows XP, the recommended audit policy settings are included in these GPOs. However, because the SSLF GPOs are only designed to work with computers running Windows Vista, audit policy settings are not included in the SSLF GPOs. User Rights Assignment SettingsIn conjunction with many of the privileged groups in Windows Vista, a number of user rights can be assigned to certain users or groups that typical users do not have. To set the value of a user right to No one, enable the setting but do not add any users or groups to it. To set the value of a user right to Not Defined, do not enable the setting. You can configure the user rights assignment settings in Windows Vista at the following location in the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment The following table summarizes user rights assignment setting recommendations for user rights that begin with the letters A through E. Recommendations are provided for both desktop and laptop client computers in the two types of secure environments that are discussed in this guide. The following subsections provide more detailed information about each of the settings. Recommendations for user rights that begin with the rest of the letters in the alphabet are summarized in Table A5, and additional detailed information about those user rights is provided in the subsections that follow that table. Note Many features in IIS require certain accounts such as IIS_WPG, IIS IUSR_<ComputerName>, and* IWAM_<ComputerName>* to have specific privileges. For more information about what user rights are required by accounts that are related to IIS, seeIIS and Built-in Accounts (IIS 6.0). User Rights A - EThe following table summarizes user rights assignment setting recommendations for user rights that start with the letters A through E. The subsections that follow this table provide more detailed information about each of these settings. Table A14. User Rights Assignment Setting Recommendations,Part 1
§ - Denotes Group Policy settings that are new in Windows Vista. Access this computer from network The Access this computer from network setting is configured to Administrators and Users for the EC environment and to Administrators for the SSLF environment. Act as part of the operating system For this reason, the Act as part of the operating system setting is restricted to No one for both of the environments that are discussed in this guide. Adjust memory quotas for a process For this reason, the Adjust memory quotas for a process setting is restricted to Administrators, Local Service, andNetwork Service for the SSLF environment and configured to Not Defined for the EC environment. Allow log on locally The Guest account is assigned this user right by default. Although this account is disabled by default, Microsoft recommends that you enable this setting through Group Policy. However, this user right should generally be restricted to the Administrators and Users groups. Assign this user right to theBackup Operators group if your organization requires that they have this capability. The Allow log on locally setting is restricted to theUsers andAdministrators groups for the two environments that are discussed in this guide. Allow log on through Terminal Services Restrict this user right to theAdministrators group, and possibly the Remote Desktop Users group, to prevent unwanted users from gaining access to computers on your network by means of the Remote Assistance feature. The Allow log on through Terminal Services setting is configured to Not Defined for the EC environment. For additional security this policy setting is configured to No one for the SSLF environment. Back up files and directories The Back up files and directories setting is configured to Not Defined for computers in the EC environment and to the Administrators group for the SSLF environment. Bypass traverse checking The Bypass traverse checking setting is configured to Not Defined for computers in the EC environment. It is configured to the Administrators, Users ,Local Service,and Network Service groups and accounts for the SSLF environment. Change the system time The Change the system time setting is configured to the Local Service and to the Administrators group for both of the environments that are discussed in this guide. Note Discrepancies between the time on the local computer and on the domain controllers in your environment may cause problems for the Kerberos authentication protocol, which could make it impossible for users to log on to the domain or obtain authorization to access domain resources after they are logged on. Also, problems will occur when Group Policy is applied to client computers if the system time is not synchronized with the domain controllers. Change time zone The Change time zone setting is configured to Not Defined for the EC environment, and to Administrators,Local Service, and Users for the SSLF environment. Create a pagefile The Create a pagefile setting is configured to theAdministrators for both the EC environment and the SSLF environment. Create permanent shared objects The Create a permanent shared objects setting is configured to Not Defined for the EC environment, and toNo one for the SSLF environment. Create a token object The Create a token object setting is configured to Not Defined for the EC environment and to No one for the SSLF environment. Create global objects Users who can create global objects could affect processes that run under other users' sessions. This capability could lead to a variety of problems, such as application failure or data corruption. The Create global objects setting is configured to Not Defined for the EC environment and to Administrators,Service,Local Service,and Network Service for the SSLF environment. Create symbolic links Symbolic links can potentially expose security vulnerabilities in applications that are not designed to use them. For this reason, the privilege for creating symbolic links should only be assigned to trusted users. By default, only Administrators can create symbolic links. The Create symbolic links setting is configured to Not Defined for computers in the EC environment and to theAdministrators group for the SSLF environment to enforce the default configuration. Debug programs Note Microsoft released several security updates in October 2003 that used a version of Update.exe that required the administrator to have theDebug programs user right. Administrators who did not have this user right were unable to install these security updates until they reconfigured their user rights. This is not typical behavior for operating system updates. For more information, see the Knowledge Base article 830846, "Windows Product Updates may stop responding or may use most or all the CPU resources." Because an attacker could exploit this user right, it is assigned only to the Administrators group by default. The Debug programs policy setting is configured toAdministrators for the EC environment and toNo one for the SSLF environment. Deny access to this computer from the network The Deny access to this computer from the network setting is configured to theGuests group for computers in both of the environments that are discussed in this guide. Deny log on as a batch job The Deny log on as a batch job setting is configured to Not Defined for the EC environment and to theGuests group for the SSLF environment. Deny log on locally The Deny log on locally setting is configured to theGuests group for both of the environments that are discussed in this guide. Also, any service accounts for the SSLF environment that are added to the computer should be assigned this user right to prevent their abuse. Deny log on through Terminal Services The Deny log on through Terminal Services setting is configured to Not Defined for the EC environment and to theEveryone group for the SSLF environment. Enable computer and user accounts to be trusted for delegation For this reason, the Enable computer and user accounts to be trusted for delegation setting is configured to Not Defined for the EC environment and to No one for the SSLF environment. User Rights F - TThe following table summarizes user rights assignment setting recommendations for user rights that start with the letters F through T. The subsections that follow this table provide more detailed information about each of these settings. Table A15. User Rights Assignment Setting Recommendations,Part 2
§ - Denotes Group Policy settings that are new in Windows Vista. Force shutdown from a remote system The Force shutdown from a remote system setting is configured to theAdministrators group for both of the environments that are discussed in this guide. Generate security audits For this reason, theGenerate security audits setting is configured to theLocal Service and Network Service groups for both of the environments that are discussed in this guide. Impersonate a client after authentication Services that are started by the Service Control Manager have the built-in Service group added by default to their access tokens. COM servers that are started by the COM infrastructure and configured to run under a specific account also have the Service group added to their access tokens. As a result, these processes are assigned this user right when they are started. Also, a user can impersonate an access token if any of the following conditions exist:
An attacker with theImpersonate a client after authentication user right could create a service, trick a client to make them connect to the service, and then impersonate that client to elevate the attacker's level of access to that of the client. For this reason, theImpersonate a client after authentication setting is configured toNot Defined for the EC environment and toAdministrators,Service,Local Service,and Network Service for the SSLF environment. Increase a process working set This right is granted to all users by default. However, increasing the working set size for a process decreases the amount of physical memory available to the rest of the system. It would be possible for malicious code to increase the process working set to a level that could severely degrade system performance and potentially cause a denial of service. Certain environments can help mitigate this risk by limiting which users can increase the process working set. For this reason, the Increase a process working set user right is configured to Not Defined for the EC environment and to Administrators for the SSLF environment. Increase scheduling priority For this reason, theIncrease scheduling priority setting is configured to the Administrators group for both of the environments that are discussed in this guide. Load and unload device drivers Because this user right could be used by an attacker, theLoad and unload device drivers setting is configured to the Administrators group for both of the environments that are discussed in this guide. Lock pages in memory For this reason, theLock pages in memory setting is configured toNo one for both of the environments that are discussed in this guide. Log on as a batch job Therefore, the Log on as a batch job user right is configured toNot Defined for the EC environment and toNo one for the SSLF environment. Log on as a service The Log on as a service setting is configured toNot Defined for the EC environment and toNo one for the SSLF environment. Manage auditing and security log Because this capability represents a relatively small threat, theManage auditing and security log setting enforces the default value of the Administrators group for both of the environments that are discussed in this guide. Modify firmware environment variables Because this capability represents a relatively small threat, theModify firmware environment variables setting enforces the default value of theAdministrators group for both of the environments that are discussed in this guide. Perform volume maintenance tasks The Perform volume maintenance tasks setting enforces the default value of the Administrators group for both of the environments that are discussed in this guide. Profile single process The Profile single process setting is configured to Not Defined for computers in the EC environment and to the Administrators group for the SSLF environment. Profile system performance The Profile system performance setting enforces the default of theAdministrators group for both of the environments that are discussed in this guide. Remove computer from docking station The Remove computer from docking station setting is configured to theAdministrators and Users groups for both of the environments discussed in this guide. Replace a process level token The Replace a process level token setting is configured to the default values of Local Service and Network Service for both of the environments discussed in this guide. Restore files and directories The Restore files and directories setting is configured to Not Defined for the EC environment and to theAdministrators group for the SSLF environment. Shut down the system The Shut down the system setting is configured to the Administrators and Users groups for both of the environments that are discussed in this guide. Take ownership of files or other objects The Take ownership of files or other objects setting is configured to the default value of the Administrators group for both of the environments discussed in this guide. Security Options SettingsThe security option settings that are applied through Group Policy on computers that run Windows Vista in your environment are used to enable or disable capabilities and features such as floppy disk drive access, CD-ROM drive access, and logon prompts. These settings are also used to configure various other settings, such as those for the digital signing of data, administrator and guest account names, and how driver installation works. You can configure the security option settings in the following location in the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options Not all of the settings that are included in this section exist on all types of systems. Therefore, the settings that comprise the Security Options portion of Group Policy that are defined in this section may need to be manually modified on systems in which these settings are present to make them fully operable. Alternatively, the Group Policy templates can be edited individually to include the appropriate setting options so that the prescribed settings will take full effect. The following sections provide security option setting recommendations, and are grouped by type of object. Each section includes a table that summarizes the settings, and detailed information is provided in the subsections that follow each table. Recommendations are provided for both desktop and laptop client computers in the two types of secure environments that are discussed in this guide: the Enterprise Client (EC) environment and the Specialized Security - Limited Functionality (SSLF) environment. This section of the appendix includes tables and recommendations for the following object type settings that reside in theSecurity Options subdirectory:
AccountsThe following table summarizes the recommended security option settings for accounts. Additional information is provided in the subsections that follow the table. Table A16. Security Options Setting Recommendations - Accounts
Accounts: Administrator account status The Accounts: Administrator account status setting is configured toNot Defined for the EC environment and to Disabled for the SSLF environment. Accounts: Guest account status The Accounts: Guest account status security option setting is configured toDisabled for the two environments that are discussed in this guide. Accounts: Limit local account use of blank passwords to console logon only The Accounts: Limit local account use of blank passwords to console logon only setting is configured to Enabled for the two environments discussed in this guide. Accounts: Rename administrator account The recommendation to use the Accounts: Rename administrator account setting applies to both of the environments that are discussed in this guide. Note This policy setting is not configured in the Security Templates, nor does this guide suggest a user name for the account. Suggested user names are omitted to ensure that organizations that implement this guidance will not use the same new user name in their environments. Accounts: Rename guest account The recommendation to use the Accounts: Rename guest account setting applies to both of the environments discussed in this guide. Note This policy setting is not configured in the Security Templates, nor is a new user name for the account suggested here. Suggested user names are omitted to ensure that organizations that implement this guidance will not use the same new user name in their environments. AuditThe following table summarizes the recommended Audit settings. Additional information is provided in the subsections that follow the table. Table A17. Security Option Setting Recommendations - Audit
§ - Denotes Group Policy settings that are new in Windows Vista. Audit: Audit the access of global system objects If theAudit: Audit the access of global system objects setting is enabled, a very large number of security events could quickly fill the Security event log. Therefore, this policy setting is configured toNot Defined for the EC environment and Disabled for the SSLF environment. Audit: Audit the use of Backup and Restore privilege If theAudit: Audit the use of Backup and Restore privilege setting is enabled, a very large number of security events could quickly fill the Security event log. Therefore, this policy setting is configured toNot Defined for the EC environment and Disabled for the SSLF environment. Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this guide, theAudit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting is configured to Enabled for both of the environments that are discussed in this guide. Audit: Shut down system immediately if unable to log security audits If theAudit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. Therefore, this policy setting is configured toNot Defined for the EC environment and Disabled for the SSLF environment. DevicesThe following table summarizes the recommended security option settings for devices. Additional information is provided in the subsections that follow the table. Table A18. Security Option Setting Recommendations - Devices
Devices: Allow undock without having to log on TheDevices: Allow undock without having to log on setting is configured to Not Defined for the EC environment and toDisabled for the SSLF environment. Devices: Allowed to format and eject removable media TheDevices: Allow to format and eject removable media setting is restricted to theAdministrators and Interactive Users groups for the EC environment, and to theAdministrators group only for the SSLF environment for added security. Devices: Prevent users from installing printer drivers TheDevices: Prevent users from installing printer drivers setting is configured to Enabled for desktop computers in both of the environments that are discussed in this guide and toDisabled for laptop users in both of the environments. Devices: Restrict CD-ROM access to locally logged on user only TheDevices: Restrict CD-ROM access to locally logged on user only setting is configured to Not Defined for the EC environment and toDisabled for the SSLF environment. Devices: Restrict floppy access to locally logged on user only TheDevices: Restrict floppy access to locally logged on user only setting is configured to Not Defined for the EC environment and toDisabled for the SSLF environment. Domain MemberThe following table summarizes the recommended security option settings for domain members. Additional information is provided in the subsections that follow the table. Table A19. Security Option Setting Recommendations - Domain Member
Domain member: Digitally encrypt or sign secure channel data (always) TheDomain member: Digitally encrypt or sign secure channel data (always) setting is configured toEnabled for both of the environments that are discussed in this guide. Domain member: Digitally encrypt secure channel data (when possible) TheDomain member: Digitally encrypt secure channel data (when possible) setting is configured toEnabled for both of the environments that are discussed in this guide. Domain member: Digitally sign secure channel data (when possible) TheDomain member: Digitally sign secure channel data (when possible) setting is configured toEnabled for both of the environments that are discussed in this guide. Domain member: Disable machine account password changes Therefore, theDomain member: Disable machine account password changes setting is configured toDisabled for both of the environments that are discussed in this guide. Domain member: Maximum machine account password age Therefore, theDomain member: Maximum machine account password age setting is configured to30 days for both of the environments that are discussed in this guide. Domain member: Require strong (Windows 2000 or later) session key To enable this policy setting, all domain controllers in the domain must be able to encrypt secure channel data with a strong key, which means all domain controllers must be running Microsoft Windows 2000 or later. If communication to non-Windows 2000-based domains is required, Microsoft recommends that you disable this policy setting. TheDomain member: Require strong (Windows 2000 or later) session key setting is configured toEnabled for both of the environments that are discussed in this guide. Interactive LogonThe following table summarizes the recommended security option settings for interactive logon. Additional information is provided in the subsections that follow the table. Table A20. Security Option Setting Recommendations - Interactive Logon
Interactive Logon: Do not display last user name TheInteractive logon: Do not display last user name setting is configured toEnabled for the two environments that are discussed in this guide. Interactive Logon: Do not require CTRL+ALT+DEL TheInteractive logon: Do not require CTRL+ALT+DEL setting is configured toDisabled for the two environments that are discussed in this guide. Interactive Logon: Message text for users attempting to log on Note Any warning that you display should first be approved by your organization's legal and human resources representatives. Also, theInteractive logon: Message text for users attempting to log on and theInteractive logon: Message title for users attempting to log on settings mustboth be enabled for either one to work properly. Interactive Logon: Message title for users attempting to log on Note Any warning that you display should first be approved by your organization's legal and human resources representatives. Also, theInteractive logon: Message text for users attempting to log on and theInteractive logon: Message title for users attempting to log on settings must both be enabled for either one to work properly. Interactive Logon: Number of previous logons to cache (in case domain controller is not available) TheInteractive logon: Number of previous logons to cache (in case domain controller is not available) setting is configured to2 for both desktop and laptop computers in the EC environment and for the laptop computers in the SSLF environment. However, this policy setting is configured to0 for desktops in the SSLF environment because these computers should always be securely connected to the organization's network. Interactive Logon: Prompt user to change password before expiration TheInteractive logon: Prompt user to change password before expiration setting is configured to14 days for both of the environments that are discussed in this guide. Interactive Logon: Require Domain Controller authentication to unlock workstation TheInteractive logon: Require Domain Controller authentication to unlock workstation setting is configured toEnabled for desktop computers in both the EC and SSLF environments. However, this policy setting is configured toDisabled for laptops in both of the environments, which allows these users to work when they are away from the office. Interactive Logon: Smart card removal behavior TheInteractive logon: Smart card removal behavior setting is configured to theLock Workstation option for both of the environments that are discussed in this guide. Microsoft Network ClientThe following table summarizes the recommended security option settings for Microsoft network client computers. Additional information is provided in the subsections that follow the table. Table A21. Security Option Setting Recommendations - Microsoft Network Client
Microsoft network client: Digitally sign communications (always) The Microsoft network client: Digitally sign communications (always) setting is configured to Enabled for computers for both of the environments in this guide. Note When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the "Microsoft network client and server: Digitally sign communications (four related settings)" section in Chapter 5 of the Threats and Countermeasures guide. Microsoft network client: Digitally sign communications (if server agrees) The Microsoft network client: Digitally sign communications (if server agrees) setting is configured to Enabled for the two environments that are discussed in this guide. Note Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. Microsoft network client: Send unencrypted password to third-party SMB servers The Microsoft network client: Send unencrypted password to third-party SMB servers setting is configured to Disabled for the two environments that are discussed in this guide. Microsoft Network ServerThe following table summarizes the recommended Microsoft network server security option settings. Additional information is provided in the subsections that follow the table. Table A22. Security Option Setting Recommendations - Microsoft Network Server
Microsoft network server: Amount of idle time required before suspending session The Microsoft network server: Amount of idle time required before suspending session setting is configured to a period of 15 minutes in both of the environments that are discussed in this guide. Microsoft network server: Digitally sign communications (always) The Microsoft network server: Digitally sign communications (always) setting is configured to Enabled for both of the environments that are discussed in this guide. Microsoft network server: Digitally sign communications (if client agrees) The Microsoft network server: Digitally sign communications (if client agrees) setting is configured to Enabled for the two environments that are discussed in this guide. Note Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. Microsoft network server: Disconnect clients when logon hours expire If your organization configures logon hours for users, it makes sense to enable this policy setting. The Microsoft network client: Disconnect client when logon hours expire setting is configured to Enabled for the two environments that are discussed in this guide. MSS SettingsThe following settings include registry value entries that do not display by default through the Security Configuration Editor (SCE). These settings, which are all prefixed with MSS:, were developed by the Microsoft Solutions for Security group for previous security guidance. The GPOAccelerator.wsf script discussed in Chapter 1, "Implementing the Security Baseline," modifies the SCE so that it properly displays the MSS settings. The following table summarizes the MSS settings recommended for each of the environments discussed in this guide. Additional information about each setting is provided after the table. Table A23. Security Option Setting Recommendations - MSS Settings
MSS: (AutoAdminLogon) Enable Automatic Logon This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. For these reasons the setting is configured to Not Defined for the EC environment, and the default Disabled setting is explicitly enforced for the SSLF environment. For additional information, see the Knowledge Base article 315231, "How to turn on automatic logon in Windows XP." MSS: (DisableIPSourceRouting) IP source routing protection level IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. This setting is configured to Not Defined for the EC environment and to Highest Protection,source routing is completely disabled for the SSLF environment. MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways When dead gateway detection is enabled, the IP may change to a backup gateway if a number of connections experience difficulty. This setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment. MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Internet Control Message Protocol (ICMP) redirects cause the stack to plumb host routes. These routes override the Open Shortest Path First (OSPF)-generated routes. This setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment. MSS: (Hidden) Hide Computer From the Browse List You can configure a computer so that it does not send announcements to browsers on the domain. If you do so, you hide the computer from the Browse list, which means that the computer will stop announcing itself to other computers on the same network. An attacker who knows the name of a computer can more easily gather additional information about the system. You can enable this setting to remove one method that an attacker might use to gather information about computers on the network. Also, this setting can help reduce network traffic when enabled. However, the security benefits of this setting are small because attackers can use alternative methods to identify and locate potential targets. For this reason, Microsoft recommends that you enable this setting only in SSLF environments. This setting is configured to Not Defined for the EC environment and to Enabled for the SSLF environment. For additional information, see the Knowledge Base article 321710, "HOW TO: Hide a Windows 2000-Based Computer from the Browser List." MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. This setting is configured to Not Defined for the EC environment and to 30000 or 5 minutes for the SSLF environment. MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic The default exemptions to IPsec policy filters are documented in the online help for the specific operating system. These filters make it possible for Internet Key Exchange (IKE) and the Kerberos authentication protocol to function. The filters also make it possible for the network Quality of Service (QoS) to be signaled (RSVP) when the data traffic is secured by IPsec, and for traffic that IPsec might not secure such as multicast and broadcast traffic. IPsec is increasingly used for basic host-firewall packet filtering, particularly in Internet-exposed scenarios, and the affect of these default exemptions has not been fully understood. Therefore, some IPsec administrators may create IPsec policies that they think are secure, but are not actually secure against inbound attacks that use the default exemptions. Microsoft recommends that you enforce the default setting in Windows XP with SP2, Multicast,broadcast,and ISAKMP are exempt, for both of the environments that are discussed in this guide. For additional information, see the Knowledge Base article 811832, "IPSec Default Exemptions Can Be Used to Bypass IPsec Protection in Some Scenarios." MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives AutoRun starts to read from a drive on your computer as soon as media is inserted into it. As a result, the setup file of programs and the sound on audio media starts immediately. This setting is configured to 255,Disable Autorun for all drives for both of the environments that are discussed in this guide. MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. It is set to Not Defined for the EC environment and Enabled for the SSLF environment. MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames Windows Server 2003 supports 8.3 file name formats for backward compatibility with16-bit applications. The 8.3 file name convention is a naming format that allows file names up to eight characters long. This setting is configured to Not Defined for the EC environment and to Enabled for the SSLF environment. MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP), which allows the system to detect and configure default gateway addresses automatically as described in RFC 1256 on a per-interface basis. This setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment. MSS: (SafeDllSearchMode) Enable Safe DLL Search Order The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways:
When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. This setting is configured to Enabled for both of the environments that are discussed in this guide. MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. This setting is configured to 0 seconds for both of the environments that are discussed in this guide. MSS: (SynAttackProtect) Syn attack protection level This setting causes TCP to adjust retransmission of SYN-ACKs. When you configure this value, the connection responses time out more quickly if a connect request (SYN) attack is detected. This setting is configured to Not Defined for the EC environment and to Connections timeout sooner if SYN attack is detected for the SSLF environment. MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged This setting determines the number of times that TCP retransmits a SYN before the attempt to connect is aborted. The retransmission time-out is doubled with each successive retransmission in a given connect attempt. The initial time-out value is three seconds. This setting is configured to Not Defined for the EC environment and to 3 & 6 seconds,half-open connections dropped after 21 seconds for the SSLF environment. MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted This setting controls the number of times that TCP retransmits an individual data segment (non-connect segment) before the connection is aborted. The retransmission time-out is doubled with each successive retransmission on a connection. It is reset when responses resume. The base time-out value is dynamically determined by the measured round-trip time on the connection. This setting is configured to Not Defined for the EC environment and to 3 for the SSLF environment. MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. This setting is configured to Not Defined for the EC environment and to 90 for the SSLF environment. Note If log settings are configured to Overwrite events as needed or Overwrite events older thanxdays, this event will not be generated. Network AccessThe following table summarizes the recommended security option settings for network access. Additional information is provided in the subsections that follow the table. Table A24. Security Option Setting Recommendations - Network Access
§ - Denotes Group Policy settings that are new in Windows Vista. Network access: Allow anonymous SID/Name translation The Network access: Allow anonymous SID/Name translation setting is configured to Disabled for the two environments that are discussed in this guide. Network access: Do not allow anonymous enumeration of SAM accounts The Network access: Do not allow anonymous enumeration of SAM accounts setting is configured to Enabled for the two environments that are discussed in this guide. Network access: Do not allow anonymous enumeration of SAM accounts and shares The Network access: Do not allow anonymous enumeration of SAM accounts and shares setting is configured to Enabled for the two environments that are discussed in this guide. Network access: Do not allow storage of credentials or .NET Passports for network authentication The Network access: Do not allow storage of credentials or .NET Passports for network authentication setting is configured to Enabled for the two environments that are discussed in this guide. Network access: Let Everyone permissions apply to anonymous users Therefore, the Network access: Let Everyone permissions apply to anonymous users setting is configured to Disabled for both of the environments in this guide. Network access: Named Pipes that can be accessed anonymously For the EC environment the Network access: Named Pipes that can be accessed anonymously setting is configured to Not Defined. However, the following default values are enforced for the SSLF environment:
Network access: Remotely accessible registry paths For the EC environment the Network access: Remotely accessible registry paths setting is configured to Not Defined. But the SSLF environment the following default values are enforced:
Network access: Remotely accessible registry paths and sub-paths The Network access: Remotely accessible registry paths and sub-paths setting is configured to Not Defined for the EC environment. For the SSLF environment the setting is configured to the following:
Network access: Restrict anonymous access to Named Pipes and Shares The Network access: Restrict anonymous access to Named Pipes and Shares setting is configured to Not Defined for the EC environment and Enabled in the SSLF environment. Network access: Shares that can be accessed anonymously The Network access: Shares that can be accessed anonymously setting is configured to Not Defined for the EC environment. However, ensure that this setting is configured to None for the SSLF environment. Note It can be very dangerous to add other shares to this Group Policy setting. Any network user can access any shares that are listed, which could exposure or corrupt sensitive data. Network access: Sharing and security model for local accounts Therefore, the Sharing and security model for local accounts setting uses the default Classic option for both of the environments that are discussed in this guide. Network SecurityThe following table summarizes the recommended security option settings for network security. Additional information is provided in the subsections that follow the table. Table A25. Security Option Setting Recommendations - Network Security
Network security: Do not store LAN Manager hash value on next password change For this reason, the Network security: Do not store LAN Manager hash value on next password change setting is configured to Enabled for both of the environments that are discussed in this guide. Note Older operating systems and some third-party applications may fail when this policy setting is enabled. Also you will need to change the password on all accounts after you enable this setting. Network security: Force logoff when logon hours expire The Network security: Force logoff when logon hours expire setting is configured to Not Defined for both environments in the appendix. Network security: LAN Manager authentication level Microsoft recommends that you configure this policy setting to the strongest possible authentication level for your environment. In environments that run only Windows 2000 Server or Windows Server 2003 with Windows Vista or Windows XP Professional-based workstations, configure this policy setting to the Send NTLMv2 response only. Refuse LM and NTLM option for the highest security. The Network security: LAN Manager authentication level setting is configured to Send NTLMv2 response only. Refuse LM for the EC environment. However, this policy setting is configured to the more restrictive Send NTLMv2 response only. Refuse LM and NTLM for the SSLF environment. Network security: LDAP client signing requirements Therefore, the value for the Network security: LDAP client signing requirements setting is configured to Negotiate signing for both of the environments that are discussed in this guide. Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
If all of the computers on your network can support NTLMv2 and 128-bit encryption (for example, Windows Vista, Windows XP Professional SP2 and Windows Server 2003 SP1), all four setting options can be selected for maximum security. The Require NTLMv2 session security and Require 128-bit encryption options are enabled for the Network security: Minimum session security for NTLM SSP based (including secure RPC) clients setting in both of the environments that are discussed in this guide. Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
If all of the computers on your network can support NTLMv2 and 128-bit encryption (for example, Windows Vista, Windows XP Professional SP2 and Windows Server 2003 SP1), all four options can be selected for maximum security. The Require NTLMv2 session security and Require 128-bit encryption options are enabled for the Network security: Minimum session security for NTLM SSP based (including secure RPC) servers setting in both of the environments that are discussed in this guide. Recovery ConsoleThe following table summarizes the recommended security option settings for the recovery console. Additional information is provided in the subsections that follow. Table A26. Security Option Setting Recommendations - Recovery Console
Recovery console: Allow automatic administrative logon The Recovery console: Allow automatic administrative logon setting is configured to Disabled for the two environments that are discussed in this guide. Recovery console: Allow floppy copy and access to all drives and all folders
The Recovery console: Allow floppy copy and access to all drives and all folders setting is configured to Not Defined for the EC environment. However, for maximum security, this setting is configured to Disabled for the SSLF environment. ShutdownThe following table summarizes shutdown security option setting recommendations. Additional information is provided in the subsections that follow the table. Table A27. Security Option Setting Recommendations - Shutdown
Shutdown: Allow system to be shut down without having to log on The Shutdown: Allow system to be shut down without having to log on setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment. Shutdown: Clear virtual memory pagefile For these reasons, the Shutdown: Clear virtual memory pagefile setting is configured to Enabled for SSLF laptop computers, and Disabled for all other computer types in both of the environments that are discussed in this guide. System CryptographyThe following table summarizes the recommended security option settings for system cryptography. Additional information is provided after the table. Table A28. Security Option Setting Recommendations - System Cryptography
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing The System cryptography: Use FIPS compliant algorithms for encryption,hashing,and signing setting is configured to Not Defined for the EC environment and to Disabled for the SSLF environment. Note If you enable this policy setting, computer performance will be slower because the 3DES process is performed on each block of data in the file three times. This policy setting should only be enabled if your organization is required to be FIPS compliant. System ObjectsThe following table summarizes the recommended security option settings for system objects. Additional information is provided in the subsections that follow the table. Table A29. Security Option Setting Recommendations - System Objects
System objects: Require case insensitivity for non-Windows subsystems To ensure consistency of file names, the System objects: Require case insensitivity for non-Windows subsystems setting is configured to Not Defined for the EC environment and to Enabled for the SSLF environment. System objects: Strengthen default permissions of internal system objects Therefore, the System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links) setting is configured to the default setting of Enabled for both of the environments that are discussed in this guide. User Account ControlUser Account Control (UAC) reduces the exposure and attack surface of the operating system by requiring that all users run in standard user mode, even if they have logged on with administrative credentials. This limitation helps minimize the ability for users to make changes that could destabilize their computers or inadvertently expose the network to viruses through undetected malware that has infected the computer. When a user attempts to perform an administrative task, the operating system must raise their security level to allow the task to take place. The UAC settings in GPOs configure how the operating system responds to a request to heighten security privileges. The following table summarizes the recommended security option settings for User Account Control. Additional information is provided in the subsections that follow the table. Table A30. Security Option Setting Recommendations - User Account Control
User Account Control: Admin Approval Mode for the Built-in Administrator account Windows Vista configures the setting to Disabled by default for new installations and for upgrades where the built-in Administrator is not the only local active administrator on the computer. Windows Vista disables the built-in Administrator account by default for installations and upgrades on domain-joined computers. Windows Vista configures the setting to Enabled by default for upgrades when Windows Vista determines that the built-in Administrator account is the only active local administrator on the computer. If this is the case, Windows Vista enables the built-in Administrator account following the upgrade. The configuration of the User Account Control: Admin Approval Mode for the Built-in Administrator setting is Enabled for both of the environments that are discussed in this guide. User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
The configuration for the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode is to Prompt for credentials for both of the environments that are discussed in this guide. User Account Control: Behavior of the elevation prompt for standard users
The configuration of the User Account Control: Behavior of the elevation prompt for standard users setting is to Automatically deny elevation requests for both of the environments that are discussed in this guide. This setting prevents standard users from elevating their privileges. In other words, a standard user cannot provide administrative account credentials to perform an administrative task. Right-clicking a program file and selecting Run as administrator will not work for the standard user. Standard users who need to perform administrative tasks must log off and then log back on using their administrative account to complete an administrative task. Although this process is somewhat inconvenient, it does help better secure your environment. User Account Control: Detect application installations and prompt for elevation
The configuration for the User Account Control: Detect application installations and prompt for elevation setting is Enabled for both of the environments that are discussed in this guide. User Account Control: Only elevate executables that are signed and validated
The configuration of the User Account Control: Only elevate executables that are signed and validated setting is Disabled for both of the environments that are discussed in this guide. User Account Control: Only elevate UIAccess applications that are installed in secure locations The configuration for the User Account Control: Only elevate UIAccess applications that are installed in secure locations setting is Enabled for both of the environments that are discussed in this guide. User Account Control: Run all administrators in Admin Approval Mode
The configuration for the User Account Control: Run all administrators in Admin Approval Mode setting is Enabled for both of the environments discussed in this guide. User Account Control: Switch to the secure desktop when prompting for elevation
The configuration of the User Account Control: Switch to the secure desktop when prompting for elevation setting is Enabled for both of the environments that are discussed in this guide. User Account Control: Virtualize file and registry write failures to per-user locations UAC-compliant applications should not write to protected areas and cause write failures. As a result, environments that are only utilizing UAC-compliant applications should disable this setting. There are two possible values for this setting:
If you are not certain that all applications in your environment are UAC-compliant, you should configure this setting to Enabled. For this reason, the configuration of the User Account Control: Virtualize file and registry write failures to per-user locations setting is Enabled for both environments in this guide. Event Log Security SettingsThe event log records events on the system, and the Security log records audit events. The event log container of Group Policy is used to define attributes that are related to the Application, Security, and System event logs, such as maximum log size, access rights for each log, and retention settings and methods. You can configure the event log settings in the following location in the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings\Event Log This section provides details about the prescribed settings for the environments that are discussed in this guide. For a summary of the prescribed settings in this section, see the Windows Vista Security Guide Settings.xls For information about the default settings and a detailed explanation of each of the settings discussed in this section, see the Threats and Countermeasures guide. This companion guide also includes detailed information about the potential for lost event log data when the log sizes are set to very large values. The following table summarizes the recommended event log security settings for both desktop and laptop clients in the two types of environments that are discussed in this guide. The following subsections provide detailed information about each of the settings. Table A31. Security Option Setting Recommendations - Event Log Security Settings
Maximum application log size The Maximum application log size setting is configured to 32768 KB for all computers in the two environments that are discussed in this guide. Maximum security log size The Maximum security log size setting is configured to 81920 KB for all computers in the two environments that are discussed in this guide. Maximum system log size The Maximum system log size setting is configured to 32768 KB for all computers in the two environments that are discussed in this guide. Retention method for application log The Retention method for application log is configured to As Needed for both of the environments that are discussed in this guide. Retention method for security log The Retention method for security log is configured to As Needed for both of the environments that are discussed in this guide. Retention method for system log The Retention method for system log is configured to As Needed for both of the environments that are discussed in this guide. Windows Firewall with Advanced Security SettingsThe firewall included with Windows Vista allows for more precise control of its configuration. You can configure the Windows Firewall with Advanced Security settings in the following location in the Group Policy Object Editor: Computer Configuration\Windows Settings\Security Settings To control these settings, within the Windows Firewall with Advanced Security section of the Group Policy Object Editor, click the Windows Firewall Properties link. In the Windows Firewall with Advanced Security dialog box, you can specify settings for the Domain, Private, and Public profiles. For each profile, you can specify general settings in the State section and then, in the Settings section, you can click the Customize button to specify customized settings. This section of the appendix includes tables and recommendations for each of the profiles that you can configure in the Windows Firewall with Advanced Security dialog box. Domain ProfileThis profile applies when a computer is connected to a network and authenticates to a domain controller in the domain to which the computer belongs. Table A32. Recommended Domain Profile Settings
§ - Denotes Group Policy settings that are new in Windows Vista. The recommended Windows Firewall with Advanced Security configuration for the EC environment includes firewall rules that allow for Remote Desktop, and Remote Assistance communications to occur. Furthermore, local administrators of computers in the EC environment can configure local firewall rules to permit additional communications to a computer. In the SSLF environment, all inbound communications are blocked by default and local firewall rules are ignored by computers. Additions or modifications to firewall rules must be configured using the Group Policy Object Editor. Important The prescribed firewall settings for the SSLF environment greatly limit inbound connections to your computers. You should extensively test this firewall configuration in your environment to ensure all applications work as expected. To see which rules are defined for the Domain Profile, within the Windows Firewall with Advanced Security section of the Group Policy Object Editor, click the Inbound Rules link. Private ProfileThis profile only applies if a user with local administrator privileges assigns it to a network that was previously set to use the Public profile. Microsoft recommends only changing the profile to Private for a trusted network. Table A33. Recommended Private Profile Settings
§ - Denotes Group Policy settings that are new in Windows Vista. The recommended Windows Firewall with Advanced Security configuration for the EC environment includes firewall rules that allow for Remote Desktop communications to occur. Furthermore, local administrators of computers in the EC environment can configure local firewall rules to permit additional communications to a computer. In the SSLF environment, all inbound communications are blocked by default and local firewall rules are ignored by computers. Additions or modifications to firewall rules must be configured using the Group Policy Object Editor. To see which rules are defined for the Private Profile, within the Windows Firewall with Advanced Security section of the Group Policy Object Editor, click the Inbound Rules link. Public ProfileThis profile is the default network location type when the computer is not connected to a domain. Public profile settings should be the most restrictive because the computer is connected to a public network where security cannot be as tightly controlled as within an IT environment. Table A34. Recommended Public Profile Settings
§ - Denotes Group Policy settings that are new in Windows Vista. In both the EC and SSLF environments, all inbound communications are blocked by default and no firewall rules exist that allow for additional communications to a computer. Furthermore, local firewall rules are ignored by computers in both environments described in this guide. Additions or modifications to firewall rules that apply to the Public Profile must be configured using the Group Policy Object Editor. The following sections briefly describe the settings you can configure for each of the firewall profiles. Firewall state Inbound connections Outbound connections Important If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying. Display a notification Note When the Apply local firewall rules setting is configured to No, Microsoft recommends also configuring the Display a notification setting to No. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored. Allow unicast response Apply local firewall rules Apply local connection security rules Computer Configuration\Administrative TemplatesThe following setting groups for the computer policy contain settings that this guide prescribes. The settings appear in the Computer Configuration\Administrative Templates subnode of the Group Policy Object Editor.
Network ConnectionsThere are no specific security-related configurations in the Network container of Group Policy. However, there are a number of very important settings in the Network Connections\Windows Firewall container. Microsoft recommends configuring the Windows Firewall using the Windows Firewall with Advanced Security settings available in the Group Policy Object Editor. However, the recommended settings for Windows Firewall with Advanced Security will change the state of several settings in this area of Group Policy. Furthermore, several of the recommended settings help maintain compatibility with computers running Windows XP in the EC environment described in this guide. In Windows XP, Windows Firewall settings are configured in two profiles: Domain Profile and Standard Profile. Whenever a domain environment is detected, the Domain Profile is used, and whenever a domain environment is not available, the Standard Profile is used. When a Windows Firewall setting is Recommended in one of the following two tables, the specific value to use will vary for different organizations. Because each organization will have a unique list of applications that will require defined exceptions for the Windows Firewall, it is not feasible for this guide to define a list that will be broadly useful. When you need to determine which applications or ports might need exceptions, it may be helpful to enable Windows Firewall logging, Windows Firewall auditing, and network tracing. For more information, see the "Configuring a Computer for Windows Firewall Troubleshooting" article. Typically, the Domain Profile is configured to be less restrictive than the Standard Profile because a domain environment often provides additional layers of protection. The policy setting names are identical in both profiles. The following two tables summarize the policy settings for the different profiles, and more detailed explanations are provided in the subsections that follow the tables. Network Connections\Windows Firewall\Domain ProfileThe settings in this section configure the Windows Firewall Domain Profile. You can configure these settings in the following location within the Group Policy Object Editor: Administrative Templates\Network\Network Connections Table A35. Recommended Windows Firewall Domain Profile Settings
Note When a Windows Firewall setting is Recommended in this table, the specific value to use will vary for different organizations. For example, each organization will have a unique list of applications that will require defined exceptions for the Windows Firewall. Therefore, it is not feasible for this guide to define a list that will be broadly useful. Network Connections\Windows Firewall\Standard ProfileThe settings in this section configure the Windows Firewall Standard Profile. This profile is often more restrictive than the Domain Profile, which assumes a domain environment provides some basic level of security. The Standard Profile is expected to be used when a computer is on an untrusted network, such as a hotel network or a public wireless access point. Such environments pose unknown threats and require additional security precautions. Note The Standard Profile only applies to computers running Windows XP. The following recommendations apply only to the EC environment described in this guide to maintain compatibility with Windows XP. You can configure these prescribed computer settings in the following location within the Group Policy Object Editor: Administrative Templates\Network\Network Connections Table A36. Recommended Windows Firewall Standard Profile Settings
Note When a Windows Firewall setting is Recommended in this table, the specific value to use will vary for different organizations. For example, each organization will have a unique list of applications that will require defined exceptions for the Windows Firewall. Therefore, it is not feasible for this guide to define a list that will be broadly useful. Windows Firewall: Allow ICMP exceptions If you configure the Windows Firewall: Allow ICMP exceptions setting to Enabled, you must specify which ICMP message types Windows Firewall allows the computer to send or receive. When you configure this policy setting to Disabled, Windows Firewall blocks all unsolicited inbound ICMP message types and the listed outbound ICMP message types. As a result, utilities that rely on ICMP may fail. Many attacker tools take advantage of computers that accept ICMP message types and use these messages to mount a variety of attacks. However, some applications require some ICMP messages in order to function properly. Also, ICMP messages are used to estimate network performance when Group Policy is downloaded and processed; if ICMP messages are blocked, Group Policy may not be applied to affected systems. For that reason, Microsoft recommends that you configure the Windows Firewall: Allow ICMP exceptions setting to Disabled whenever possible. If your environment requires some ICMP messages to get through Windows Firewall, configure this policy setting with the appropriate message types. Whenever the computer is on an untrusted network, the Windows Firewall: Allow ICMP exceptions setting should be configured to Disabled. Note If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow inbound file and printer sharing exception, Windows Firewall: Allow inbound remote administration exception, and Windows Firewall: Define inbound port exceptions. Windows Firewall: Allow inbound file and printer sharing exception If you disable the Windows Firewall: Allow inbound file and printer sharing exception setting, Windows Firewall blocks these ports and prevents the computer from sharing files and printers. Because the computers in your environment that run Windows Vista will not typically share files and printers, Microsoft recommends you configure the Windows Firewall: Allow inbound file and printer sharing exception setting to Disabled. Note If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow inbound file and printer sharing exception, Windows Firewall: Allow inbound remote administration exception, and Windows Firewall: Define inbound port exceptions. Windows Firewall: Allow inbound remote administration exception To provide flexibility for remote administration, the Windows Firewall: Allow inbound remote administration exception setting is available. If this policy setting is enabled, the computer can receive the unsolicited incoming messages that are associated with remote administration on TCP ports 135 and 445. This policy setting also allows Svchost.exe and Lsass.exe to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1024 to 1034 but potentially anywhere from 1024 to 65535. If you enable this policy setting, you need to specify the IP addresses or subnets from which these incoming messages are allowed. If you configure the Windows Firewall: Allow inbound remote administration exception setting to Disabled, Windows Firewall makes none of the described exceptions. The impact of configuring this policy setting to Disabled may be unacceptable to many organizations because many remote administration tools and tools that scan for vulnerabilities will fail. Therefore, Microsoft recommends that only the most security-sensitive organizations enable this policy setting. For the Domain Profile, Microsoft recommends that the Windows Firewall: Allow inbound remote administration exception setting be Enabled for computers in the EC environment only when necessary. If you enable this setting, computers in your environment should accept remote administration requests from as few computers as possible. To maximize the protection provided by Windows Firewall, make sure to specify only the necessary IP addresses and subnets of computers that are used for remote administration. Microsoft recommends that the Windows Firewall: Allow inbound remote administration exception setting be Disabled for all computers in the Standard Profile to avoid known attacks that specifically use exploits against TCP ports 135 and 445. Note If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow inbound file and printer sharing exception, Windows Firewall: Allow inbound remote administration exception, and Windows Firewall: Define inbound port exceptions. Windows Firewall: Allow inbound Remote Desktop exceptions To provide flexibility for remote administration, the Windows Firewall: Allow inbound Remote Desktop exceptions setting is available. If you enable this policy setting, Windows Firewall opens TCP port 3389 for inbound connections. You must also specify the IP addresses or subnets from which these inbound messages are allowed. If you disable this policy setting, Windows Firewall blocks this port and prevents the computer from receiving Remote Desktop requests. If an administrator adds this port to a local port exceptions list in an attempt to open it, Windows Firewall does not open the port. To maintain the enhanced management capabilities that are provided by Remote Desktop, you need to configure this policy setting to Enabled for the EC environment. You must specify the IP addresses and subnets of the computers that are used for remote administration. Computers in your environment should accept Remote Desktop requests from as few computers as possible. Windows Firewall: Allow inbound UPnP framework exceptions If you enable the Windows Firewall: Allow inbound UPnP framework exceptions setting, Windows Firewall opens these ports so that the computer can receive Plug and Play messages. You must specify the IP addresses or subnets from which these inbound messages are allowed. If you disable this policy setting, Windows Firewall blocks these ports and prevents the computer from receiving Plug and Play messages. Blocking UPnP network traffic effectively reduces the attack surface of computers in your environment. On trusted networks, Microsoft recommends that you configure the Windows Firewall: Allow inbound UPnP framework exception setting to Disabled unless you use UPnP devices on your network. This policy setting should always be Disabled on untrusted networks. Windows Firewall: Allow local port exceptions If you enable the Windows Firewall: Allow local port exceptions setting, the Windows Firewall component in Control Panel allows administrators to define a local port exceptions list. If you disable this policy setting, the Windows Firewall component in Control Panel does not allow administrators to define such a list. Typically, local administrators are not authorized to override organizational policy and establish their own port exceptions list. For that reason, Microsoft recommends that the Windows Firewall: Allow local port exceptions setting be configured to Disabled. Windows Firewall: Allow local program exceptions For enterprise client computers, there may be conditions that justify local program exceptions. These conditions may include applications that were not analyzed when the organization's firewall policy was created or new applications that require nonstandard port configuration. If you choose to enable the Windows Firewall: Allow local program exceptions setting for such situations, remember that the attack surface of the affected computers is increased. Windows Firewall: Define inbound port exceptions If you enable the Windows Firewall: Define inbound port exceptions setting, you can view and change the port exceptions list that is defined by Group Policy. To view and modify the port exceptions list, configure the setting to Enabled and then click the Show button. Note that if you type an invalid definition string, Windows Firewall adds it to the list without checking for errors, which means that you can accidentally create multiple entries for the same port with Scope or Status values that conflict. If you disable the Windows Firewall: Define inbound port exceptions setting, the port exceptions list that is defined by Group Policy is deleted but other settings can continue to open or block ports. Also, if a local port exceptions list exists, it is ignored unless you enable the Windows Firewall: Allow local port exceptions setting. Environments with nonstandard applications that require specific ports to be open should consider program exceptions instead of port exceptions. Microsoft recommends that the Windows Firewall: Define inbound port exceptions setting be configured to Enabled and that a list of port exceptions be specified only when program exceptions cannot be defined. Program exceptions allow the Windows Firewall to accept unsolicited network traffic only while the specified program is running, and port exceptions keep the specified ports open at all times. Note If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow inbound file and printer sharing exception, Windows Firewall: Allow inbound remote administration exception, and Windows Firewall: Define inbound port exceptions. Windows Firewall: Define inbound program exceptions If this policy setting is Enabled you can view and change the program exceptions list. If you add a program to this list and set its status to Enabled, that program can receive unsolicited incoming messages on any port that it requests Windows Firewall to open, even if that port is blocked by another setting. If you configure this policy setting to Disabled, the program exceptions list that is defined by Group Policy is deleted. Note If you type an invalid definition string, Windows Firewall adds it to the list without checking for errors. Because the entry is not checked, you can add programs that you have not installed yet. You can also accidentally create multiple exceptions for the same program with Scope or Status values that conflict. Windows Firewall: Do not allow exceptions Many environments contain applications and services that must be allowed to receive inbound unsolicited communications as part of their normal operation. Such environments may need to configure the Windows Firewall: Do not allow exceptions setting to Disabled to allow those applications and services to run properly. However, before you configure this policy setting, you should test the environment to determine exactly what communications need to be allowed. Note This policy setting provides a strong defense against external attackers and should be set to Enabled in situations in which you require complete protection from external attacks, such as the outbreak of a new network worm. If you set this policy setting to Disabled, Windows Firewall will be able to apply other policy settings that allow unsolicited incoming messages. Windows Firewall: Prohibit notifications The Windows Firewall: Prohibit notifications setting determines whether these settings are shown to the users. If you configure this policy setting to Enabled, Windows Firewall prevents the display of these notifications. If you configure it to Disabled, Windows Firewall allows the display of these notifications. Windows Firewall: Prohibit unicast response to multicast or broadcast requests Typically, you would not want to receive unicast responses to multicast or broadcast messages. Such responses can indicate a denial of service (DoS) attack or an attempt to probe a known computer. Microsoft recommends that the Windows Firewall: Prohibit unicast response to multicast or broadcast requests setting be configured to Enabled to help prevent this type of attack. Note This policy setting has no effect if the unicast message is a response to a DHCP broadcast message that is sent by the computer. Windows Firewall always permits those DHCP responses. However, this policy setting can interfere with the NetBIOS messages that detect name conflicts. Windows Firewall: Protect all network connections If Windows Firewall: Protect all network connections is configured to Disabled, Windows Firewall is turned off and all other settings for Windows Firewall are ignored. Note If you enable this policy setting, Windows Firewall runs and ignores the setting for Computer Configuration\Administrative Templates\Network\Network Connections SystemWithin the Computer Configuration\Administrative Templates\System location, the following additional sections are configured:
LogonYou can configure these prescribed computer settings in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\System\Logon The following table summarizes the recommended Logon settings. Additional information about each setting is provided in the subsections that follow the table. Table A37. Recommended Logon Settings
Do not process the legacy run list
You can enable the Do not process the legacy run list setting to help prevent a malicious user from running a program each time Windows Vista starts, which could compromise data on the computer or cause other harm. When this policy setting is enabled, certain system programs are prevented from running, such as antivirus software, and software distribution and monitoring software. Microsoft recommends that you evaluate the threat level to your environment before you determine whether to use this policy setting for your organization. The Do not process the legacy run list setting is Not configured for the EC environment and Enabled for the SSLF environment. Do not process the run once list Note Customized run once lists are stored in the registry at the following location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. The Do not process the run once list setting should cause minimal functionality loss to users in your environment, especially if the client computers have been configured with all of your organization's standard software before this policy setting is applied through Group Policy. The Do not process the run once list setting is set to Not configured for the EC environment and to Enabled for the SSLF environment. Group PolicyYou can configure this prescribed computer setting in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\System\Group Policy Table A38. Recommended Group Policy Settings
Registry policy processing
Some settings that are configured through the Administrative Templates are made in areas of the registry that are accessible to users. User changes to these settings will be overwritten if this policy setting is enabled. The Registry policy processing setting is configured to Enabled for both of the environments that are discussed in this guide. Remote AssistanceYou can configure these prescribed computer settings in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\System\Remote Assistance The following table summarizes the recommended Remote Assistance settings. Additional information about each setting is provided in the subsections that follow. Table A39. Recommended Remote Assistance Settings
Offer Remote Assistance Note The expert cannot connect to the computer unannounced or control it without permission from the user. When the expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation after the Offer Remote Assistance setting is configured to Enabled. If this policy setting is enabled the following options are available:
When you configure this policy setting, you can also specify a list of users or user groups known as "helpers" who may offer remote assistance. To configure the list of helpers
If this policy setting is disabled or not configured, users and or groups will not be able to offer unsolicited remote assistance to computer users in your environment. The Offer Remote Assistance setting is Not configured for the EC environment. However, this policy setting is configured to Disabled for the SSLF environment to prevent access to Windows Vista client computers across the network. Solicited Remote Assistance Note Experts cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation. If the Solicited Remote Assistance setting is enabled, the following options are available:
Also, the following options are available to configure the amount of time that a user help request remains valid:
When a ticket (help request) expires, the user must send another request before an expert can connect to the computer. If you disable the Solicited Remote Assistance setting, users cannot send help requests and the expert cannot connect to their computers. If the Solicited Remote Assistance setting is not configured, users can configure solicited remote assistance through the Control Panel. The following settings are enabled by default in the Control Panel: Solicited Remote Assistance, Buddy support, and Remote control. The value for the Maximum ticket time is set to 30 days. If this policy setting is disabled, no one will be able to access Windows Vista client computers across the network. The Solicited Remote Assistance setting is Not configured for the EC environment and is configured to Disabled for the SSLF environment. Remote Procedure CallYou can configure these prescribed computer settings in the following location within the Group Policy Object Editor: Administrative Templates\System\Remote Procedure Call The following table summarizes the recommended Remote Procedure Call settings. Additional information about each setting is provided in the subsections that follow the table. Table A40. Recommended Remote Procedure Call Settings
Because unauthenticated RPC communication can create a security vulnerability, the Restrictions for Unauthenticated RPC clients setting is configured to Enabled and the RPC Runtime Unauthenticated Client Restriction to Apply value is set to Authenticated for both of the environments that are discussed in this guide. Note RPC applications that do not authenticate unsolicited inbound connection requests may not work properly when this configuration is applied. Ensure you test applications before you deploy this policy setting throughout your environment. Although the Authenticated value for this policy setting is not completely secure, it can be useful for providing application compatibility in your environment. RPC Endpoint Mapper Client Authentication Internet Communication Management\Internet Communication SettingsThere are several configuration settings available in the Internet Communication settings group. This guide recommends that many of these settings be restricted, primarily to help improve the confidentiality of the data on your computer systems. If these settings are not restricted, information could be intercepted and used by attackers. Although the actual occurrence of this type of attack today is rare, proper configuration of these settings will help protect your environment against future attacks. You can configure these prescribed computer settings in the following location within the Group Policy Object Editor: Administrative Templates\System\Internet Communication Management\Internet Communication settings The following table summarizes the recommended Internet Communication settings. Additional information about each setting is provided in the subsections that follow the table. Table A41. Recommended Internet Communication Settings
Turn off the "Publish to Web" task for files and folders If you configure the Turn off the "Publish to Web" task for files and folders setting to Enabled, these options are removed from the File and Folder tasks in Windows folders. By default, the option to publish to the Web is available. Because this capability could be used to expose secured content to an unauthenticated Web client computer, this policy setting is configured to Enabled for both the EC and SSLF environments. Turn off Internet download for Web publishing and online ordering wizards Because the Turn off "Publish to Web" task for files and folders setting was enabled for both the EC and SSLF environments (see the previous setting), this option is not needed. However, the Turn off Internet download for Web publishing and online ordering wizards setting is configured to Enabled to minimize the attack surface of client computers and to ensure that this capability cannot be exploited in other ways. Turn off the Windows Messenger Customer Experience Improvement Program Many large enterprise environments may not want to have information collected from managed client computers. The Turn off the Windows Messenger Customer Experience Improvement Program setting is configured to Enabled for both of the environments that are discussed in this guide to prevent information being collected. Turn off Search Companion content file updates The Turn off Search Companion content file updates setting is configured to Enabled for both the EC and SSLF environments to help control unnecessary network communications from each managed client computer. Note Internet searches will still send the search text and information about the search to Microsoft and the chosen search provider. If you select Classic Search, the Search Companion feature will be unavailable. You can select Classic Search by clicking Start, Search, Change Preferences, and then Change Internet Search Behavior. Turn off printing over HTTP Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise environments. The Turn off printing over HTTP setting is configured to Enabled for both the EC and SSLF environments to help prevent a potential security breach from an insecure print job. Note This policy setting affects the client side of Internet printing only. Regardless of how it is configured, a computer could act as an Internet Printing server and make its shared printers available through HTTP. Turn off downloading of print drivers over HTTP The Turn off downloading of print drivers over HTTP setting is configured to Enabled to prevent print drivers from being downloaded over HTTP. Note This policy setting does not prevent the client computer from printing to printers on the intranet or the Internet over HTTP. It only prohibits drivers that are not already installed locally from downloading. Turn off Windows Update device driver searching Because there is some risk when any device drivers are downloaded from the Internet, the Turn off Windows Update device driver searching setting is configured to Enabled for the SSLF environment and Disabled for the EC environment. The reason for this configuration is because the types of attacks that can exploit a driver download will typically be mitigated by proper enterprise resource and configuration management. This will also help ensure compatibility and stability across the computers in your environment. Note See also Turn off Windows Update device driver search prompt in Administrative Templates/System, which governs whether an administrator is prompted before Windows Update is searched for device drivers if a driver is not found locally. Windows ComponentsYou can configure these prescribed computer settings in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components In the Administrative Templates\Windows Components section, you can configure settings for:
AutoPlay PoliciesAutoplay is a feature of Windows that will automatically open or start media files or installation programs as soon as they are detected by your computer. You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components\ Table A42. Recommended AutoPlay Settings
Turn off Autoplay The Turn off Autoplay setting is configured to Not configured for the EC environment and to Enabled - All Drives for the SSLF environment only. Note You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. Credential User InterfaceThe Credential User Interface settings control the UI seen by users when prompted to supply their account name and password to authorize elevated tasks that require approval through the Secure Desktop. You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components\Credential User Interface Table A43. Recommended UAC Credential User Interface Settings
§ - Denotes Group Policy settings that are new in Windows Vista. Enumerate administrator accounts on elevation The Enumerate administrator accounts on elevation setting is configured to Not configured for the EC environment and to Disabled for the SSLF environment only. Require trusted path for credential entry If you disable or do not configure this policy setting, users will enter Windows credentials within the user's desktop session, potentially allowing malicious code access to the user's Windows credentials. The Require trusted path for credential entry setting is configured to Not configured for the EC environment and to Enabled for the SSLF environment only. Internet ExplorerMicrosoft Internet Explorer® Group Policy helps you enforce security requirements for Windows Vista computers, and prevent the exchange of unwanted content through Internet Explorer. Use the following criteria to secure Internet Explorer on the workstations in your environment:
Important You need to ensure that Internet Explorer is properly configured to access the Internet before you apply the GPOs included with this guide. Many environments require specific proxy settings for proper Internet access. The recommended settings included in this guide prevent users from changing the configuration of Internet Explorer proxy settings. You can configure the prescribed computer settings for Internet Explorer in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer The following table summarizes many of the Internet Explorer setting recommendations. Additional information about each setting is provided in the subsections that follow the table. Table A44. Recommended Internet Explorer Settings
Disable Automatic Install of Internet Explorer components The Disable Automatic Install of Internet Explorer components setting is configured to Enabled for the two environments that are discussed in the appendix. Note Before you enable this policy setting, Microsoft recommends that you set up an alternative strategy to update Internet Explorer through Microsoft Update or a similar service. Disable Periodic Check for Internet Explorer software updates The Disable Periodic Check for Internet Explorer software updates setting is configured to Enabled for the two environments that are discussed in this guide. Note Before you enable this policy setting, Microsoft recommends that you set up an alternative strategy for the administrators in your organization to ensure that they periodically accept new updates for Internet Explorer on the client computers in your environment. Disable software update shell notifications on program launch The Disable software update shell notifications on program launch setting is configured to Enabled for the two environments that are discussed in this guide. Do not allow users to enable or disable add-ons Users often choose to install add-ons that are not permitted by an organization's security policy. Such add-ons can pose a significant security and privacy risk to your network. Therefore, this policy setting is configured to Enabled for the two environments that are discussed in this guide. Note You should review the GPO settings in Internet Explorer\Security Features\Add-on Management to ensure that appropriate authorized add-ons can still run in your environment. For example, you may want to read the Knowledge Base article 555235, "Outlook Web Access and Small Business Server Remote Web Workplace do not function if XP Service Pack 2 Add-on Blocking is enabled via group policy." Make proxy settings per-machine (rather than per-user) The Make proxy settings per-machine (rather than per-user) setting is configured to Enabled for desktop client computers for the two environments that are discussed in this guide. However, the policy setting is configured to Disabled for laptop client computers because mobile users may have to change their proxy settings as they travel. Security Zones: Do not allow users to add/delete sites The Security Zones: Do not allow users to add/delete sites setting is configured to Enabled for the two environments that are discussed in this guide. Note If you enable the Disable the Security page setting (located in \User Configuration\ Security Zones: Do not allow users to change policies The Security Zones: Do not allow users to change policies setting is configured to Enabled for the two environments that are discussed in this guide. Note If you enable the Disable the Security page setting (located in \User Configuration\ Security Zones: Use only machine settings The Security Zones: Use only machine settings setting is configured to Enabled for the two environments that are discussed in this guide. Turn off Crash Detection Because Internet Explorer crash report information could contain sensitive information from the computer's memory, the Turn off Crash Detection setting is configured to Enabled for both of the two environments that are discussed in this guide. If you experience frequent repeated crashes and need to report them for follow-up troubleshooting, you could temporarily configure the policy setting to Disabled. Within the Computer Configuration\Administrative Templates\Windows Components\Internet Explorer, the following additional setting sections are configured:
The default values for these settings provide enhanced security compared to earlier versions of Windows. However, you might want to review these settings to determine whether you want to require them or relax them in your environment for usability or application compatibility. For example, you can now configure Internet Explorer to block pop-ups for all Internet zones by default. You might want to ensure that this policy setting is enforced on all computers in your environment to help eliminate pop-up windows and to help reduce the possibility of malicious software and spyware installations that are often spawned from Internet Web sites. Conversely, your environment might contain applications that require the use of pop-ups to function. If so, you could configure this policy to allow pop-ups for Web sites within your intranet. Internet Explorer\Internet Control Panel\Advanced PageYou can configure this prescribed computer setting in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page Table A45. Recommended Advanced Page Settings
Allow software to run or install even if the signature is invalid The Allow software to run or install even if the signature is invalid setting allows you to manage whether downloaded software can be installed or run by users even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file. If you enable this policy setting, users will be prompted to install or run files with an invalid signature. If you disable this policy setting, users cannot run or install files with an invalid signature. Because unsigned software can create a security vulnerability, this policy setting is configured to Disabled for both of the environments that are discussed in this guide. Note Some legitimate software and controls may have an invalid signature and still be OK. You should carefully test such software in isolation before you allow it to be used on your organization's network. Internet Explorer\Security Features\MK Protocol Security RestrictionYou can configure this prescribed computer setting in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components Table A46. Recommended MK Protocol Settings
Internet Explorer Processes (MK Protocol) Because the MK protocol is not widely used, it should be blocked wherever it is not needed. This policy setting is configured to Enabled for both of the environments that are discussed in this guide. Microsoft recommends that you block the MK protocol unless you specifically need it in your environment. Note Because resources that use the MK protocol will fail when you deploy this policy setting, you should ensure that none of your applications use the protocol. Internet Explorer\Security Features\Consistent MIME HandlingYou can configure this prescribed computer setting in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components Table A47. Recommended Consistent MIME Handling Settings
Internet Explorer Processes (Consistent MIME Handling) If you enable this policy setting, Internet Explorer examines all received files and enforces consistent MIME data for them. If you disable or do not configure this policy setting, Internet Explorer does not require consistent MIME data for all received files and will use the MIME data that is provided by the file. MIME file type spoofing is a potential threat to your organization. You should ensure that these files are consistent and properly labeled to help prevent malicious file downloads that may infect your network. This policy setting is configured to Enabled for both of the environments that are discussed in this guide. Note This policy setting works in conjunction with, but does not replace, the MIME Sniffing Safety Features settings. Internet Explorer\Security Features\MIME Sniffing Safety FeaturesYou can configure this prescribed computer setting in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components Table A48. Recommended MIME Sniffing Settings
Internet Explorer Processes (MIME Sniffing) MIME file-type spoofing is a potential threat to your organization. Microsoft recommends that you ensure these files are consistently handled to help prevent malicious file downloads that may infect your network. The Internet Explorer Processes (MIME Sniffing) setting is configured to Enabled for both of the environments that are discussed in this guide. Note This policy setting works in conjunction with, but does not replace, the Consistent MIME Handling settings. Internet Explorer\Security Features\Scripted Window Security RestrictionsYou can configure this prescribed computer setting in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components Table A49. Recommended Scripted Window Restrictions Settings
Internet Explorer Processes (Scripted Window Security Restrictions) The Internet Explorer Processes (Scripted Window Security Restrictions) setting restricts pop-up windows and does not allow scripts to display windows in which the title and status bars are not visible to the user or that hide other windows' title and status bars. If you enable this policy setting, pop-up windows will not display in Windows Explorer and Internet Explorer processes. If you disable or do not configure this policy setting, scripts will still be able to create pop-up windows and windows that hide other windows. The Internet Explorer Processes (Scripted Window Security Restrictions) setting is configured to Enabled for both of the environments that are discussed in this guide. When enabled, this policy setting help make it difficult for malicious Web sites to control your Internet Explorer windows or fool users into clicking the wrong window. Internet Explorer\Security Features\Protection From Zone ElevationYou can configure the following prescribed computer setting in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components Table A50. Recommended Zone Elevation Protection Settings
Internet Explorer Processes (Zone Elevation Protection) If you enable the Internet Explorer Processes (Zone Elevation Protection) setting, any zone can be protected from zone elevation by Internet Explorer processes. This approach helps prevent content that runs in one zone from gaining the elevated privileges of another zone. If you disable this policy setting, no zone receives such protection for Internet Explorer processes. Because of the severity and relative frequency of zone elevation attacks, the Internet Explorer Processes (Zone Elevation Protection) setting is configured to Enabled for both of the environments that are discussed in this guide. Internet Explorer\Security Features\Restrict ActiveX InstallYou can configure the following prescribed computer setting in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components Table A51. Restrict ActiveX Install Settings
Internet Explorer Processes (Restrict ActiveX Install) Users often choose to install software such as ActiveX controls that are not permitted by their organization's security policy. Such software can pose significant security and privacy risks to networks. Therefore, the Internet Explorer Processes (Restrict ActiveX Install) setting is configured to Enabled for both of the environments that are discussed in this guide. Note This policy setting also blocks users from installing authorized legitimate ActiveX controls that will interfere with important system components like Windows Update. If you enable this policy setting, make sure to implement some alternate way to deploy security updates such as Windows Server Update Services (WSUS). For more information about WSUS, see the Windows Server Update Services Product Overview page. Internet Explorer\Security Features\Restrict File DownloadYou can configure the following prescribed computer setting in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components Table A52. Recommended Restrict File Download Settings
Internet Explorer Processes (Restrict File Download) If you configure the Internet Explorer Processes (Restrict File Download) setting to Enabled, file download prompts that are not user-initiated are blocked for Internet Explorer processes. If you configure this policy setting to Disabled, file download prompts will occur that are not user-initiated for Internet Explorer processes. The Internet Explorer Processes (Restrict File Download) setting is configured to Enabled for both of the environments that are discussed in this guide to help prevent attackers from placing arbitrary code on a user's computers. Internet Explorer\Security Features\Add-on ManagementYou can configure these prescribed computer settings in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components Table A53. Add-on Management Settings
Deny all add-ons unless specifically allowed in the Add-on List If you enable this policy setting, Internet Explorer only allows add-ins that are specifically listed (and allowed) through the Add-on List. If you disable this policy setting, users may use Add-on Manager to allow or deny any add-ons. You should consider using both the Deny all add-ons unless specifically allowed in the Add-on List and the Add-on List settings to control the add-ons that can be used in your environment. This approach will help ensure that only authorized add-ons are used. Add-on List If you enable the Add-on List setting, you are required to list the add-ons to be allowed or denied by Internet Explorer. Because the specific list of add-ons that should be included on this list will vary from one organization to another, this guide does not provide a detailed list. For each entry that you add to the list, you must provide the following information:
If you disable the Add-on List setting, the list is deleted. You should consider using both the Deny all add-ons unless specifically allowed in the Add-on List and the Add-on List settings to control the add-ons that can be used in your environment. This approach will help ensure that only authorized add-ons are used. NetMeetingMicrosoft NetMeeting® allows users to conduct virtual meetings across the network in your organization. You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components\ Table A54. Recommended NetMeeting Settings
Disable remote Desktop Sharing The Disable remote Desktop Sharing setting is Not configured for the EC environment. However, it is configured to Enabled for the SSLF environment to prevent users from sharing desktops remotely through NetMeeting. Terminal ServicesTerminal Services settings provide options to redirect client computer resources to servers that are accessed through Terminal Services. This section includes settings for:
Terminal Services\Remote Desktop Connection ClientYou can configure the following prescribed computer setting in the following location within the Group Policy Object Editor: Administrative Templates\Windows Components\Terminal Services Table A55. Recommended Do Not Allow Passwords to be Saved Setting
Do not allow passwords to be saved Because saved passwords can cause additional compromise, the Do not allow passwords to be saved setting is configured to Enabled for both of the environments that are discussed in this guide. Note If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Terminal Services client disconnects from any server. Terminal Services\Terminal Server\ConnectionsYou can configure the following prescribed computer setting in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components Table A56. Recommended Connections Setting
Allow users to connect remotely using Terminal Services In the SSLF environment, users are required to log on directly to the physical computer console. For this reason, the Allow users to connect remotely using Terminal Services setting is configured to Disabled for the SSLF environment. However, this policy setting is Not configured for the EC environment. Terminal Services\Terminal Server\Device and Resource RedirectionYou can configure the following prescribed computer setting in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components Table A57. Recommended Device and Resource Redirection Setting
Do not allow drive redirection \\TSClient\<driveletter>$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. For this reason, the Do not allow drive redirection setting is configured to Enabled for the SSLF environment. However, this policy setting is Not configured for the EC environment. Terminal Services\Terminal Server\SecurityYou can configure the following prescribed computer settings in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates Table A58. Recommended Terminal Server Security Settings
Always prompt client for password upon connection The Always prompt client for password upon connection setting is configured to Enabled for both of the environments that are discussed in this guide. Note If you do not configure this policy setting, the local computer administrator can use the Terminal Services Configuration tool to either allow or prevent passwords from being automatically sent. Set client connection encryption level The encryption level is set to Enabled:High Level to enforce 128-bit encryption for the two environments that are discussed in this guide. Windows MessengerWindows Messenger is used to send instant messages to other users on a computer network. The messages may include files and other attachments. You can configure the following prescribed computer setting in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates Table A59. Recommended Windows Messenger Setting
Note This setting only affects Windows Messenger software included in Windows XP. This setting will not prevent users from running MSN® Messenger or Windows Live™ Messenger. Windows UpdateAdministrators use Windows Update settings to manage how updates and hotfixes are applied on Windows Vista-based workstations. Updates are available from Windows Update. Alternatively, you can set up an intranet Web site to distribute updates and hotfixes in a similar manner with additional administrative control. Windows Server Update Services (WSUS) is an infrastructure service that builds on the success of the Microsoft Windows Update and Software Update Services (SUS) technologies. WSUS manages and distributes critical Windows updates that resolve known security vulnerabilities and other stability issues with Windows operating systems. WSUS eliminates manual update steps with a dynamic notification system for critical updates that are available to Windows-based client computers through your intranet server. No Internet access is required from client computers to use this service. This technology also provides a simple and automatic way to distribute updates to your Windows-based workstations and servers. Windows Server Update Services also offers the following features:
Note If you choose to distribute updates through another method, such as Microsoft Systems Management Server, this guide recommends that you disable the Configure Automatic Updates setting. There are several Windows Update settings. A minimum of three settings is required to make Windows Update work: Configure Automatic Updates, No auto-restart for scheduled Automatic Updates installations, and Reschedule Automatic Updates scheduled installations. A fourth setting is optional and depends on the requirements of your organization: Specify intranet Microsoft update service location. You can configure the following prescribed computer settings in the following location within the Group Policy Object Editor: Computer Configuration\Administrative Templates\Windows Components The settings that are discussed in this section do not individually address specific security risks, but relate more to administrator preference. However, configuration of Windows Update is essential to the security of your environment because it helps ensure that the client computers in your environment receive security updates from Microsoft soon after they are available. Note Windows Update depends on several services, including the Remote Registry service and the Background Intelligence Transfer Service. The following table summarizes the recommended Windows Update settings. Additional information about each setting is provided in the subsections that follow the table. Table A60. Recommended Windows Update Settings
Do not display 'Install Updates and Shut Down' option in the Shut Down Windows dialog box Because updates are important to the overall security of all computers, the Do not display 'Install Updates and Shut Down' option in the Shut Down Windows dialog box setting is configured to Disabled for both of the environments that are discussed in this guide. This policy setting works in conjunction with the following Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows Dialog box setting. Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows Dialog box Because updates are important to the overall security of all computers, the Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows Dialog box setting is configured to Disabled for both of the environments that are discussed in this guide. Note This policy setting has no effect if the Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in the Shut Down Windows dialog box setting is Enabled. Configure Automatic Updates After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work:
If you disable this policy setting, you will need to download and manually install any available updates from Windows Update. The Configure Automatic Updates setting is configured to Enabled for the two environments that are discussed in this guide. No auto-restart for scheduled Automatic Updates installations If the No auto-restart for scheduled Automatic Updates installations setting is configured to Disabled or Not configured, Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation. If automatic restarts are a concern, you can configure the No auto-restart for scheduled Automatic Updates installations setting to Enabled. If you do enable this policy setting, schedule your client computers to restart after normal business hours to ensure that the installation is completed. The No auto-restart for scheduled Automatic Updates installations setting is configured to Disabled for the two environments that are discussed in this guide. Note This policy setting only works when Automatic Updates is configured to perform scheduled update installations. If the Configure Automatic Updates setting is configured to Disabled, it will not work. Reschedule Automatic Updates scheduled installations The Reschedule Automatic Updates scheduled installations setting is configured to Enabled for the two environments that are discussed in this guide. After you enable this policy setting, you may change the default waiting period to one that is appropriate for your environment. Note This policy setting only works when Automatic Updates is configured to perform scheduled update installations. If the Configure Automatic Updates setting is Disabled, the Reschedule Automatic Updates scheduled installations setting has no effect. You can enable the latter two settings to ensure that previously missed installations will be scheduled to install each time the computer restarts. Top of page Top of page User PolicyThe remaining sections of this appendix discuss User Configuration setting recommendations. These settings need to be applied to users, not computers. They should be implemented in a Group Policy that is linked to the OU that contains the users you want to configure. Apply these settings through a GPO that is linked to an OU that contains user accounts. Note User configuration settings are applied to any Windows Vista–based computer that a user logs on to in an Active Directory domain. However, computer configuration settings apply to all client computers that are governed by a GPO in Active Directory without regard for which user logs on to the computer. User Configuration\Administrative TemplatesThe following setting groups for the user policy contain settings that this guide prescribes. The settings appear in the User Configuration\Administrative Templates sub-node of the Group Policy Object Editor:
SystemYou can configure the following prescribed setting in the following location within the Group Policy Object Editor: User Configuration\Administrative Templates\System The following table summarizes the recommended Registry Editor User configuration settings. Table A61. Recommended System User Configuration Settings
Prevent access to registry editing tools The Prevent access to registry editing tools setting is Not configured for the EC environment. However, this policy setting is configured to Enabled for the SSLF environment. Power ManagementYou can configure the following prescribed setting in this location in the Group Policy Object Editor: User Configuration\Administrative Templates\System\Power Management The following table summarizes the recommended Prompt for password on resume from hibernate/suspend configuration settings. Table A62. Recommended System\Power Management User Configuration Settings
Prompt for password on resume from hibernate/suspend For this reason, the Prompt for password on resume from hibernate/suspend setting is configured to Enabled for the two environments discussed in this guide. Windows ComponentsYou can configure the following prescribed setting in the following location within the Group Policy Object Editor: User Configuration\Administrative Templates\Windows Components The following table summarizes the recommended Registry Editor User configuration settings. Attachment ManagerYou can configure these prescribed user settings in the following location within the Group Policy Object Editor: User Configuration\Administrative Templates\Windows Components The following table summarizes the recommended Attachment Manager user configuration settings. Additional information about each setting is provided in the subsections that follow the table. Table A63. Recommended Attachment Manager User Configuration Settings
Do not preserve zone information in file attachments If the Do not preserve zone information in file attachments setting is enabled, file attachments are not marked with their zone information. If this policy setting is disabled, Windows is forced to store file attachments with their zone information. Because dangerous attachments are often downloaded from untrusted Internet Explorer zones such as the Internet zone, Microsoft recommends that you configure this policy setting to Disabled to help ensure that as much security information as possible is preserved with each file. The Do not preserve zone information in file attachments setting is configured to Disabled for both of the environments that are discussed in this guide. Hide mechanisms to remove zone information When the Hide mechanisms to remove zone information setting is enabled, Windows hides the check box and Unblock button. When this policy setting is disabled, Windows displays the check box and the Unblock button. Because dangerous attachments are often downloaded from untrusted Internet Explorer zones such as the Internet zone, Microsoft recommends that you configure this policy setting to Enabled to help ensure that as much security information as possible is retained with each file. The Hide mechanisms to remove zone information setting is configured to Enabled for both of the environments that are discussed in this guide. Note To configure whether files are saved with zone information, see the previous Do not preserve zone information in file attachments setting. Notify antivirus programs when opening attachments The Notify antivirus programs when opening attachments setting allows you to manage how registered antivirus programs are notified. When enabled, this policy setting configures Windows to call the registered antivirus program and have it scan file attachments when they are opened by users. If the antivirus scan fails, the attachments are blocked from being opened. If this policy setting is disabled, Windows does not call the registered antivirus program when file attachments are opened. To help ensure that virus scanners examine every file before it is opened, Microsoft recommends that this policy setting be configured to Enabled in all environments. The Notify antivirus programs when opening attachments setting is configured to Enabled for both of the environments that are discussed in this guide. Note An updated antivirus program must be installed for this policy setting to function properly. Internet ExplorerYou can configure these prescribed user settings in the following location within the Group Policy Object Editor: User Configuration\Administrative Templates\Windows Components\ The following table summarizes the recommended Internet Explorer user configuration settings. Additional information about each setting is provided in the subsections that follow the table. Table A64. Recommended Internet Explorer User Configuration Settings
§ - Denotes Group Policy settings that are new in Windows Vista. Configure Outlook Express The Configure Outlook Express setting is configured to Enabled with the Block attachments that could contain a virus option for the EC environment in this guide. Disable "Configuring History" If you enable this policy setting, a user cannot set the number of days that Internet Explorer keeps track of the pages viewed in the History List. You must specify the number of days that Internet Explorer keeps track of the pages viewed in the History List. Users will not be able to delete browsing history. If you disable or do not configure this policy setting, a user can set the number of days that Internet Explorer keeps track of the pages viewed in the History List and has the freedom to Delete Browsing History. The Disable "Configuring History" setting is Not configured for the EC environment and is configured to Enabled:40 for the SSLF environment. Disable AutoComplete for forms The Disable AutoComplete for forms setting is Not configured for the EC environment and Enabled for the SSLF environment. Disable changing Automatic Configuration settings To view the LAN Settings dialog box
The Disable changing Automatic Configuration settings setting is configured to Enabled only for the SSLF environment. This policy setting is Not configured for the EC environment. Note The Disable the Connections page setting removes the Connections tab from Internet Explorer in Control Panel and takes precedence over this Disable changing Automatic Configuration settings configuration option. If the former setting is enabled, the latter setting is ignored. The Disable the Connections page setting is located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel in the Group Policy Object Editor. Disable changing certificate settings The Disable changing certificate settings setting is configured to Enabled only for the SSLF environment. This policy setting is Not configured for the EC environment. Note When this policy setting is enabled, users can still double-click the software publishing certificate (.spc) file to run the Certificate Manager Import Wizard. This wizard enables users to import and configure settings for certificates from software publishers that are not already configured in Internet Explorer. Note The Disable the Content page setting removes the Content tab from Internet Explorer in Control Panel and takes precedence over this Disable changing certificate settings configuration option. If the former setting is enabled, the latter setting is ignored. The Disable the Content page setting located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel in the Group Policy Object Editor. Disable changing connection settings The Disable changing connection settings setting is configured to Enabled only for the SSLF environment. This policy setting is Not configured for the EC environment. Note If you configure the Disable the Connections page setting, you do not need to configure this policy setting. The Disable the Connections page setting removes the Connections tab from the interface. The Disable the Connections page setting is located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel in the Group Policy Object Editor. Disable changing proxy settings The Disable changing proxy settings setting is configured to Enabled only for the SSLF environment. This policy setting is Not configured for the EC environment. Note If you configure the Disable the Connections page setting, you do not need to configure this policy setting. The Disable the Connections page setting removes the Connections tab from the interface. This setting is located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel in the Group Policy Object Editor. Do not allow users to enable or disable add-ons The Do not allow users to enable or disable add-ons setting is configured to Not configured for the EC environment and Enabled for the SSLF environment. Prevent "fix settings" functionality The Prevent "fix settings" functionality setting is Not configured for the EC environment and Disabled for the SSLF environment. Prevent deletion of "Temporary Internet Files and Cookies" The Prevent deletion of "Temporary Internet Files and Cookies" setting is Not configured for the EC environment and Enabled for the SSLF environment. Turn off "Delete Browsing History" functionality The Turn off "Delete Browsing History" functionality setting is Not configured for the EC environment and Enabled for the SSLF environment. Turn off the Security Settings Check feature The Turn off the Security Settings Check feature setting is Not configured for the EC environment and Disabled for the SSLF environment. Turn on the auto-complete feature for user names and passwords on forms The Turn on the auto-complete feature for user names and passwords on forms setting is configured to Disabled for the two environments discussed in this guide. Within Computer Configuration\Administrative Templates\Windows Components\Internet Explorer, the following additional setting sections are configured:
Browser MenusYou can configure these prescribed user settings in the following location within the Group Policy Object Editor: User Configuration\Administrative Templates\Windows Components The following table summarizes the recommended Internet Explorer user configuration settings. Additional information about each setting is provided in the subsections that follow the table. Table A65. Recommended Browser menus Settings
Disable Save this program to disk option The Disable Save this program to disk option setting is configured to Enabled only for the SSLF environment. This policy setting is Not configured for the EC environment. Internet Control PanelYou can configure these prescribed user settings in the following location within the Group Policy Object Editor: User Configuration\Administrative Templates\Windows Components The following table summarizes the recommended Internet Explorer user configuration settings. Additional information about each setting is provided in the subsections that follow the table. Table A66. Recommended Internet Control Panel Explorer User Configuration Settings
§ - Denotes Group Policy settings that are new in Windows Vista. Disable the Advanced Page The Disable the Advanced Page setting is configured to Enabled only for the SSLF environment. This policy setting is Not configured for the EC environment. Disable the Security Page The Disable the Security Page setting is configured to Enabled only for the SSLF environment. This policy setting is Not configured for the EC environment. Prevent ignoring certificate errors The Prevent ignoring certificate errors setting is configured to Not configured for the EC environment and Enabled for the SSLF environment. Internet Control Panel\Advanced PageYou can configure these prescribed user settings in the following location within the Group Policy Object Editor: User Configuration\Administrative Templates\Windows Components The following table summarizes the recommended Internet Explorer user configuration settings. Additional information about each setting is provided in the subsections that follow the table. Table A67. Recommended Advanced Page Settings
§ - Denotes Group Policy settings that are new in Windows Vista. Allow Install On Demand (Internet Explorer) If you enable this policy setting, Web Components such as fonts will be automatically installed as necessary. If you disable this policy setting, users will be prompted when Web Components such as fonts would be downloaded. If you do not configure this policy, users will be prompted when Web Components such as fonts would be downloaded. The Allow Install On Demand (Internet Explorer) setting is configured to Not configured for the EC environment and Disabled for the SSLF environment. Allow software to run or install even if the signature is invalid If you enable this policy setting, users will be prompted to install or run files that have an invalid signature. If you disable this policy setting, users cannot run or install files that have an invalid signature. If you do not configure this policy, users can choose to run or install files that have an invalid signature. The Allow software to run or install even if the signature is invalid setting is configured to Not configured for the EC environment and Disabled for the SSLF environment. Automatically check for Internet Explorer updates If you enable this policy setting, Internet Explorer checks the Internet for a new version approximately every 30 days and prompts the user to download new versions when they are available. If you disable this policy setting, Internet Explorer does not check the Internet for new versions of the browser, so does not prompt users to install them. If you do not configure this policy setting, Internet Explorer does not check the Internet for new versions of the browser, so does not prompt users to install them. The Automatically check for Internet Explorer updates setting is configured to Not configured for the EC environment and Disabled for the SSLF environment. Check for server certificate revocation If you enable this policy setting, Internet Explorer will check to see if server certificates have been revoked. If you disable this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. If you do not configure this policy setting, Internet Explorer will not check server certificates to see if they have been revoked. The Check for server certificate revocation setting is configured to Not configured for the EC environment and Enabled for the SSLF environment. Internet Control Panel\Security PageYou can configure these prescribed user settings in the following location within the Group Policy Object Editor: User Configuration\Administrative Templates\Windows Components The following table summarizes the recommended Internet Explorer user configuration settings. Additional information about each setting is provided in the subsections that follow the table. Table A68. Recommended Security Page Settings
Intranet Sites: Include all network paths (UNCs) If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone. The Intranet Sites: Include all network paths (UNCs) setting is configured to Disabled for the SSLF environment and Not configured for the EC environment. Internet Control Panel\Security Page\Internet ZoneYou can configure these prescribed user settings in the following location within the Group Policy Object Editor: User Configuration\Administrative Templates\Windows Components The following table summarizes the recommended Internet Explorer user configuration settings. Additional information about each setting is provided in the subsections that follow the table. Note The settings for the Internet and Restricted Sites zones are very similar. Descriptions for settings in both zones are provided below. Table A69. Recommended Internet Zone Settings
Internet Control Panel\Security Page\Restricted Sites ZoneYou can configure these prescribed user settings in the following location within the Group Policy Object Editor: User Configuration\Administrative Templates\Windows Components The following table summarizes the recommended Internet Explorer user configuration settings. Additional information about each setting is provided in the subsections that follow the table. Note The settings for the Internet and Restricted Sites zones are very similar. Descriptions for settings in both zones are provided below. Table A70. Recommended Restricted Sites Zone Settings
§ - Denotes Group Policy settings that are new in Windows Vista. Access data sources across domains If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. The Access data sources across domains setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone. Allow active scripting The Allow active scripting setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for the Restricted Sites Zone. Allow binary and script behaviors If you disable this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. If you do not configure this policy setting, binary and script behaviors are not available unless applications have implemented a custom security manager. The Allow binary and script behaviors setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for the Restricted Sites Zone. Allow cut, copy, or paste operations from the clipboard via script The Allow cut, copy, or paste operations from the clipboard via script setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone. Allow drag and drop or copy and paste files If you do not configure this policy setting, users are queried to choose whether to drag or copy files from this zone. The Allow drag and drop or copy and paste files setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone. Allow file downloads The Allow file downloads setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for the Restricted Sites Zone. Allow font downloads If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. If you disable this policy setting, HTML fonts are prevented from downloading. If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. The Allow font downloads setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone. Allow installation of desktop items Enable users can install desktop items from this zone automatically. Prompt users are queried to choose whether to install desktop items from this zone. Disable users are prevented from installing desktop items from this zone. If you do not configure this policy setting, users are prevented from installing desktop items from this zone. The Allow installation of desktop items setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone. Allow META REFRESH The Allow META REFRESH setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for the Restricted Sites Zone. Allow script-initiated windows without size or position constraints The Allow script-initiated windows without size or position constraints setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone. Allow status bar updates via script The Allow status bar updates via script setting is configured to Disabled for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone. Automatic prompting for file downloads If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Information Bar instead of the file download dialog. Users can then click the Information Bar to allow the file download prompt. The Automatic prompting for file downloads setting is configured to Enabled:Enable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone. Download signed ActiveX controls If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. The Download signed ActiveX controls setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone. Download unsigned ActiveX controls If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. If you disable this policy setting, users cannot run unsigned controls. If you do not configure this policy setting, users cannot run unsigned controls. The Download unsigned ActiveX controls setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone. Initialize and script ActiveX controls not marked as safe If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. The Initialize and script ActiveX controls not marked as safe setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone. Java permissions The Java permissions setting is configured to Enabled:Disable Java for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone. Launching applications and files in an IFRAME If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. If you do not configure this policy setting, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. The Launching applications and files in an IFRAME setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone. Logon Options Anonymous logon disables HTTP authentication and uses the guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password queries users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. Automatic logon only in Intranet zone queries users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session. Automatic logon with current user name and password attempts logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password. If you disable this policy setting, logon is set to Automatic logon only in Intranet zone. If you do not configure this policy setting, logon is set to Automatic logon only in Intranet zone. The Logon Options setting is configured to Enabled:Prompt for Username and Password for the SSLF environment in the Internet Zone and Enabled:Anonymous Logon in the Restricted Sites Zone. The setting is Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone. Navigate sub-frames across different domains If you disable this policy setting, users cannot open sub-frames or access applications from different domains. If you do not configure this policy setting, users can open sub-frames from other domains and access applications from other domains. The Navigate sub-frames across different domains setting is configured to Disabled for the SSLF environment in the Internet Zone and to Enabled:Disable in the Restricted Sites Zone. The setting is Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone. Open file based on content, not file extension The Open file based on content,not file extension setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone. Run .NET Framework-reliant components not signed with Authenticode If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. The Run .NET Framework-reliant components not signed with Authenticode setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for the Restricted Sites Zone. Run .NET Framework-reliant components signed with Authenticode If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. If you disable this policy setting, Internet Explorer will not execute signed managed components. If you do not configure this policy setting, Internet Explorer will not execute signed managed components. The Run .NET Framework-reliant components signed with Authenticode setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for the Restricted Sites Zone. Run ActiveX controls and plugins The Run ActiveX controls and plugins setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for the Restricted Sites Zone. Script ActiveX controls marked safe for scripting The Script ActiveX controls marked as safe for scripting setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for the Restricted Sites Zone. Scripting of Java applets The Scripting of Java applets setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for the Restricted Sites Zone. Software channel permissions Low safety allows a user to be notified of software updates by e-mail, software packages to be automatically downloaded to a user's computers, and software packages to be automatically installed on a user's computers. Medium safety allows a user to be notified of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) a user's computers. High safety prevents a user from being notified of software updates by e-mail, and from having software packages automatically downloaded or automatically installed on the user's computers. If you disable this policy setting, permissions are set to High safety. The Software channel permissions setting is configured to Enabled:High safety for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone. Use Pop-up Blocker The Use Pop-up blocker setting is configured to Enabled:Enable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone. Web sites in less privileged Web content zones can navigate into this zone If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The Web sites in less privileged Web content zones can navigate into this zone setting is configured to Enabled:Disable for the SSLF environment and Not configured for the EC environment for both the Internet Zone and the Restricted Sites Zone. Offline PagesYou can configure these prescribed user settings in the following location within the Group Policy Object Editor: User Configuration\Administrative Templates\Windows Components The following table summarizes the recommended Internet Explorer user configuration settings. Additional information about each setting is provided in the subsections that follow the table. Note These settings do not apply to Internet Explorer 7. They are only configured for the EC environment because these environments might contain computers running Windows XP with Internet Explorer 6.0. Table A71. Recommended Offline Pages Settings
Disable adding channels For these reasons, the Disable adding channels setting is configured to Enabled for the EC environment and is Not configured for the SSLF environment. Disable adding schedules for offline pages The Disable adding schedules for offline pages setting is configured to Enabled for the EC environment and is Not configured for the SSLF environment. Disable all scheduled offline pages The Disable all scheduled offline pages setting is configured to Enabled for the EC environment and is Not configured for the SSLF environment Disable channel user interface completely The Disable channel user interface completely setting is configured to Enabled for the EC environment and is Not configured for the SSLF environment. Disable downloading of site subscription content The Disable downloading of site subscription content setting is configured to Enabled for the EC environment and is Not configured for the SSLF environment. Disable editing and creating of schedule groups For these reasons, the Disable editing and creating of schedule groups setting is configured to Enabled for the EC environment and is Not configured for the SSLF environment. Disable editing schedules for offline pages The Disable editing schedules for offline pages setting is configured to Enabled for the EC environment and is Not configured for the SSLF environment. Disable offline page hit logging The Disable offline page hit logging setting is configured to Enabled for the EC environment and is Not configured for the SSLF environment. Disable removing channels For this reason, the Disable removing channels setting is configured to Enabled for the EC environment and is Not configured for the SSLF environment. Disable removing schedules for offline pages The Disable removing schedules for offline pages setting is configured to Enabled for the EC environment and is Not configured for the SSLF environment. Windows ExplorerWindows Explorer is used to browse the file system on client computers that run Windows Vista. You can configure the following prescribed user settings in the following location within the Group Policy Object Editor: User Configuration\Administrative Templates\Windows Components The following table summarizes the recommended Windows Explorer user configuration settings. Additional information about each setting is provided in the subsections that follow the table. Table A72. Recommended Windows Explorer User Configuration Settings
Remove CD Burning features The Remove CD Burning features setting is Not configured for the EC environment and is configured to Enabled for the SSLF environment. Note This policy setting does not prevent CDs from being modified or created by third-party applications that use a CD writer. This guide recommends the use of software restriction policies to block the creation or modification of CDs by third-party applications. Another way to prevent users from burning CDs is to remove the CD writers from the client computers in your environment or replace them with read-only CD drives. Remove Security tab For these reasons, the Remove Security tab setting is Not configured for the EC environment and is configured to Enabled for the SSLF environment. Top of page More InformationThe following links provide additional information about security topics and in-depth discussion of the concepts and security prescriptions in this guide for Windows Vista:
Support and FeedbackThe Solution Accelerators – Security and Compliance (SASC) team would appreciate your thoughts about this and other Solution Accelerators. Please contribute comments to the Discussions in Security newsgroup on the Windows Vista Help and Support Web site. Or e-mail your feedback to the following address: mailto:secwish@microsoft.com. We look forward to hearing from you. Top of page |
In This Article
Download Get the Windows Vista Security Guide Solution Accelerator Notifications Feedback |