JSI Tip 8746. Security configuration guidance support.
December 1, 2004
Microsoft Knowledge Base Article 885409 contains the following summary:
Microsoft, the Center for Internet Security (CIS), the National Security Agency (NSA), the Defense Information Systems Agency (DISA), and the National Institute of Standards and Technology (NIST) have published “security configuration guidance” for Microsoft Windows.
The high security levels that are specified in some of these guides may significantly restrict functionality of a system. Therefore, you should perform significant testing before you deploy these recommendations. We recommend that you take additional precautions when you do the following:
• Edit access control lists (ACLs) for files and registry keys
• Enable Microsoft network client: Digitally sign communications (always)
• Enable Network Security: Do Not Store LAN Manager hash value on next password change
• Enable System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
• Disable Automatic Update Service or Background Intelligent Transfer Service (BITS)
• Disable NetLogon Service
• Enable NoNameReleaseOnDemand
Microsoft strongly supports industry efforts to provide security guidance for deployments in high security areas. However, you must thoroughly test the guidance in the target environment. If you require additional security settings beyond the default settings, we highly recommend that you see the Microsoft-issued guides. These guides can serve as a starting point for your organization's requirements. For support or questions regarding third-party guides, contact the organization that issued the guidance.
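As an added example (not part of the KB article or of this tip), the read-only PowerShell script below records the current state of the registry-backed settings and services named in the list, so that test results after applying a guide can be compared with the starting point. The registry value names and service names are the standard Windows ones and do not appear on this page, the CSV file name is hypothetical, and the ACL item is not covered.

```powershell
# Added example: read-only inventory, nothing on the system is changed.
# Registry value names and service names below are not given on the page.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$registryChecks = @(
    @{ Setting = 'Microsoft network client: Digitally sign communications (always)'
       Path = "$svcRoot\LanmanWorkstation\Parameters"; Name = 'RequireSecuritySignature' }
    @{ Setting = 'Do not store LAN Manager hash value on next password change'
       Path = $lsa; Name = 'NoLMHash' }
    @{ Setting = 'Use FIPS compliant algorithms (Windows XP / Server 2003 location)'
       Path = $lsa; Name = 'FIPSAlgorithmPolicy' }
    @{ Setting = 'Use FIPS compliant algorithms (Windows Vista and later location)'
       Path = "$lsa\FIPSAlgorithmPolicy"; Name = 'Enabled' }
    @{ Setting = 'NoNameReleaseOnDemand'
       Path = "$svcRoot\NetBT\Parameters"; Name = 'NoNameReleaseOnDemand' }
)
# Services the summary warns against disabling (service names, not display names).
$serviceNames = 'wuauserv', 'BITS', 'Netlogon'

function Get-RegistryState {
    param([hashtable]$Check)
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    # A missing value means the operating system default is in effect.
    $current = if ($null -eq $item) { 'not set' } else { $item.($Check.Name) }
    [pscustomobject]@{ Kind = 'Registry'; Setting = $Check.Setting
                       Source = "$($Check.Path)\$($Check.Name)"; Current = $current }
}

function Get-ServiceState {
    param([string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    $current = if ($null -eq $svc) { 'not installed' }
               else { "StartMode=$($svc.StartMode); State=$($svc.State)" }
    [pscustomobject]@{ Kind = 'Service'; Setting = $Name; Source = 'Win32_Service'; Current = $current }
}

$report = @()
$report += $registryChecks | ForEach-Object { Get-RegistryState -Check $_ }
$report += $serviceNames | ForEach-Object { Get-ServiceState -Name $_ }
$report | Format-Table -AutoSize -Wrap
# Keep a copy to compare against after the guide's settings are applied (hypothetical file name).
$report | Export-Csv -Path ".\pre-hardening-$($env:COMPUTERNAME).csv" -NoTypeInformation
```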