1. Disable Storage of Credentials and .NET
Passwords (Windows XP)This setting controls
the storage of authentication credentials and .NET passwords on the local
system. By disabling this feature, passwords will not be stored. Create a new DWORD value, or modify the existing value called
'DisableDomainCreds' using the settings below.| Settings: |
| System Key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] |
| Name:
DisableDomainCreds |
| Type: REG_DWORD
(DWORD Value) |
| Value: (0 =
enable storage (default), 1 = disable storage) |
2. Disable System Restore Tools and
Settings (Windows XP)System Restore allows
users to revert Windows settings and configuration changes to an earlier point
in time (called Restore Points). This tweak can be used to restrict user access
to the System Restore tools and settings.
Disable System Restore on Start Menu
Create a new DWORD value
called "DisableSR" and set it to "1" to disable the System Restore tools on the
Start menu (Start > Programs > Accessories > System Tools > System
Restore).
Restrict Access to System Restore Settings
Create a new DWORD value
called "DisableConfig" and set it to "1" to disable System Restore
Settings link in the System Restore interface and the Control Panel >
System > System Restore page.
Changes take effect immediately.
Note: These settings will not stop Windows from making automatic
System Checkpoints, but will disable access to restore them.
| Settings: |
| System Key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore] |
| Name:
DisableConfig, DisableSR |
Type: REG_DWORD
(DWORD Value)
|
| Value: (1 =
enable restriction) |
3. Configure Windows Software Update
Services (Windows 2000/XP)
These settings allow
you to configure Windows client machines to use custom Microsoft Software Update
Services (SUS) located on an internal corporate network instead of the Windows
Update Internet site.
Open your registry and find or create the key below.
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
Create a new DWORD value called "UseWUServer" and set it to "1" to use custom
update servers or delete the value to use the default Internet site.
Then open the key
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate]
and create two new string values called "WUServer" and "WUStatusServer", set
these values to the names of the custom update servers (e.g.
"http://intranetupdate").
Note: Information in Microsoft Software Update Services (SUS) can be
found online at http://www.microsoft.com/windows2000/windowsupdate/sus/
| Settings: |
| System Key:
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate] |
| Name:
UseWUServer, WUServer, WUStatusServer |
4. Restrict Shortcut and WinHelp
Commands (Windows
NT/2000/XP)
This restriction can be
used to specify which directories contain Help files that can use the Shortcut
and WinHelp commands. By clearing this setting you can also completely disable
the help commands on the system.
Create a new Expanded String value, or modify the existing value called
'HelpQualifiedRootDir' using the settings below.
Note: With features in HTML Help, you can run executable programs from a
help (.chm) file. The Shortcut command is used to run an executable program that
is external to the Help file. The WinHelp command is used to run Winhlp32.exe to
display a Winhelp (.hlp) file. This article describes how to restrict the Help
files that are allowed to use the Shortcut and WinHelp commands.
| Settings: |
System Key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
|
| Name:
HelpQualifiedRootDir |
Type:
REG_EXPAND_SZ (Expanded String Value)
|
| Value: Allowed
Help File Directories (semi-colon delimiter) |
5. Secure Access to Removable Drives
(Windows NT/2000/XP)
This setting determines
whether the ability to access removable drives is available to other
users.
Create a new string value, or modify the existing value, called
"AllocateDASD" and set it according to the table below.
- 0 - Administrators only
- 1 - Administrators and power users
- 2 - Administrators and the interactive user
| Settings: |
System Key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon]
|
| Name:
AllocateDASD |
Type: REG_SZ
(String Value)
|
6. Restrict the Language and Locale
Region (Windows 2000/XP)This restriction is
used to set the language used in menus and dialog boxes in Windows and prevent
users from changing it. When enabled the system disables the menus and dialog
boxes in the Regional Options in Control Panel. Create a new DWORD value called "MultiUILanguageID" and set it to a value
from the table below to restrict the system to that language.
| Language |
Decimal |
Hexadecimal |
| Arabic |
1025 |
0x401 |
| Brazilian |
1046 |
0x416 |
| Chinese (Simplified) |
2052 |
0x804 |
| Chinese (Traditional) |
1028 |
0x404 |
| Czech |
1029 |
0x405 |
| Danish |
1030 |
0x406 |
| Dutch |
1043 |
0x413 |
| English (Default) |
1033 |
0x409 |
| Finnish |
1035 |
0x40b |
| French |
1036 |
0x40c |
| German |
1031 |
0x407 |
| Greek |
1032 |
0x408 |
| Hebrew |
1037 |
0x40d |
| Hungarian |
1038 |
0x40e |
| Italian |
1040 |
0x410 |
| Japanese |
1041 |
0x411 |
| Korean |
1042 |
0x412 |
| Norwegian |
1044 |
0x414 |
| Polish |
1045 |
0x415 |
| Portuguese |
2070 |
0x816 |
| Russian |
1049 |
0x419 |
| Spanish |
3082 |
0xc0a |
| Swedish |
1053 |
0x41D |
| Turkish |
1055 |
0x41f |
| Settings: |
| User Key:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\Desktop] |
| Name:
MultiUILanguageID |
Type: REG_DWORD
(DWORD Value)
|
| Value: Language
Identifier |
7. Disable Group Policy Objects (Windows 2000/XP)
This setting is used to
disable the use of group policy objects on the local computer. Create a new DWORD value, or modify the existing value called 'DisableGPO' using
the settings below. | Settings: |
| System Key:
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System] |
| Name:
DisableGPO |
| Type: REG_DWORD
(DWORD Value) |
| Value: (0 =
default, 1 = disable group policy) |
8. Change Default Administrator
Ownership (Windows XP)Windows XP may assign
the ownership of some file system objects to the Administrator account, instead
of the Administrators group. This behaviour may not be desirable where there are
multiple administrative users. Create a new DWORD value, or modify the existing value called
'NoDefaultAdminOwner' using the settings below. | Settings: |
| System Key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] |
| Name:
NoDefaultAdminOwner |
Type: REG_DWORD
(DWORD Value)
|
| Value: (0 =
disabled, 1 = default) |
9. Reboot Windows After a Crash (Windows
NT/2000/XP)This parameter controls
whether Windows should automatically reboot after a system failure or if the
blue crash screen should be displayed. Create a new DWORD value, or modify the existing value called 'AutoReboot' using
the settings below. | Settings: |
System Key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
|
Name:
AutoReboot
|
| Type: REG_DWORD
(DWORD Value) |
Value: (0 =
disabled, 1 = auto reboot)
|
10. Configure Windows Script Signature
Security (All Windows)
This setting is used to
define whether trusted and untrusted scripts should be executed when using
signature verification. By requiring a signature the system will only execute
scripts from verified authors.
Create a new DWORD value, or modify the existing value called 'TrustPolicy'
using the settings below.
| Settings: |
| User Key:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script Host\Settings] |
| Name:
TrustPolicy |
| Type: REG_DWORD
(DWORD Value) |
| Value: "0" =
all, "1" = prompt, "2" = only trusted |
11. Secure Access to Floppy Drives
(Windows NT/2000/XP)
This setting
determines whether data in the floppy disk drive is accessible to other
users.
Because the floppy
disk drive is a volume, by default it is shared as an administrative share on
the network. If the value of this entry is 1, the floppy disk drive is allocated
to the user as part of the interactive logon process and, therefore, only the
current user can access it. This prevents administrators and remote users (and
even the same user at a different workstation) from accessing the drive while
the current user is logged on. The drive is shared again when the current user
logs off.
Value Meanings:
'0' = Floppy disks in the floppy disk drive can be accessed by all
administrators in the domain.
'1' = Only the user logged on locally can access data on the floppy disks in
the floppy disk drive.
Note: This value entry satisfies, in part, the C2 security requirement
that you must be able to secure removable media.
| Settings: |
| System Key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon] |
| Name:
AllocateFloppies |
| Type: REG_SZ
(String Value) |
| Value: (0 =
enabled, 1 = disabled) |
12. Secure Access to CD-ROM Drives
(Windows NT/2000/XP)
This setting
determines whether data in the CD-ROM drive is accessible to other users.
Because the CD-ROM
drive is a volume, by default, it is shared as an administrative share on the
network. If the value of this entry is 1, the CD-ROM drive is allocated to the
user as part of the interactive logon process and, therefore, only the current
user can access it. This prevents administrators and remote users (and even the
same user at a different workstation) from accessing the drive while the current
user is logged on to the computer. The drive is shared again when the current
user logs off the computer.
Value Meanings:
'0' = Compact discs in the CD-ROM drive can be accessed by all
administrators in the domain.
'1' = Only the user logged on locally can access data on the compact discs
in the CD-ROM drive.
Note: This value entry satisfies, in part, the C2 security requirement
that you must be able to secure removable media.
| Settings: |
System Key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon]
|
| Name:
AllocateCDRoms |
| Type: REG_SZ
(String Value) |
Value: (0 =
enabled, 1 = disabled)
|
13. Specify Executable Files to be Lauched by
Winlogon (Windows NT/2000/XP)
This setting specifies
a list of executable files to be run by Winlogon in the system context when
Windows starts.
Create a new String value, or modify the existing value called 'System' using
the settings below.
| Settings: |
System Key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon]
|
| Name:
System |
Type: REG_SZ
(String Value)
|
| Value: (default
= lsass.exe) |
14. Secure Network Access to the Windows
Registry (Windows
NT/2000/XP)
Windows supports
accessing a remote registry via the Registry Editor across a network. The
default setting allows for users to connect and modify data within the remote
registry.
By creating the new
key listed below, or modifying the existing key if it already exits, it is
possible to control access to the registry remotely.
Use REGEDT32 to modify the permissions on the key below to suit your security
requirements, the permissions on this key represent the remote access
permissions to the registry.
| Settings: |
| System Key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] |
15. Restrict Access to Base System
Objects (Windows
NT/2000/XP)
In Windows the core
operating system libraries are kept in virtual memory and shared between the
programs running on the system. This has exposed a vulnerability that could
allow a user to gain administrative privileges on the computer the user is
interactively logged onto.
To enable stronger
protection on system base objects such as the KnownDLLs list, change the value
of 'ProtectionMode' to equal '1' in the registry key below.
| Settings: |
| System Key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager] |
Name:
ProtectionMode
|
| Type: REG_DWORD
(DWORD Value) |
Value: (0 =
disabled, 1 = enabled)
|
16. Specify a Replacement GINA Authentication
DLL (Windows
NT/2000/XP)
Windows is shipped to
load and execute the standard Microsoft GINA DLL (Graphical Identification and
Authentication dynamic-link library) called MSGina.dll. You can specify a
replacement GINA DLL using this setting.
Create a new String value, or modify the existing value called 'GinaDLL' using
the settings below.
| Settings: |
| System Key:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon] |
| Name:
GinaDLL |
Type: REG_SZ
(String Value)
|
17. Restart the Shell Automatically
(Windows
NT/2000/XP)By default if the
Windows user interface or one of its components fails, the interface is
restarted automatically, the can be changed so that you must restart the
interface by logging off and logging on again manually. Create a new DWORD value, or modify the existing value called 'AutoRestartShell'
using the settings below. | Settings: |
| System Key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon] |
| Name:
AutoRestartShell |
| Type: REG_DWORD
(DWORD Value) |
| Value: (0 =
disable, 1 = enabled) |
18. Prompt for Password on Resume
(Windows
XP)This setting allows you
to configure the computer to always lock and require a password after resuming
from hibernate or suspend mode.
Create a new DWORD value, or modify the existing value called
'PromptPasswordOnResume' using the settings below. | Settings: |
| User Key:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Power] |
System Key:
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Power]
|
| Name:
PromptPasswordOnResume |
| Type: REG_DWORD
(DWORD Value) |
Value: (0 = no
prompt, 1 = prompt)
|
19. Restrict Access to the Event Logs
(Windows
NT/2000/XP)The Windows event log
contains records documenting application, security and system events taking
place on the machine. As these logs can contain sensitive data this tweak allows
you to restrict access to administrators and system accounts only.
Under this key are three sub-keys: Application, Security and System. These
subkeys represent each section of the event log. To restrict access to each
section create a new DWORD value of 'RestrictGuestAccess' under each sub-key and
set it to equal '1'. To restrict access to only certain sections, then only add
the value to that specific key. | Settings: |
| System Key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog] |
| Name:
RestrictGuestAccess |
| Type: REG_DWORD
(DWORD Value) |
Value: (0 =
guest access, 1 = restricted access)
|
