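; Settings based on
; Reference(s): 1- Microsoft paper: Securing Windows NT 4.0 Installation
;               2- http://www.it.kth.se/~rom/ntsec.html
;               3- Microsoft paper: Building a Secure Marble OFX Gateway (Windows NT 4.0)
;               4- Microsoft Knowledge Base article Q143474
;               5- Microsoft Proxy Server Documentation
; NOTICE: Search for My-Vars in the text to update the lines with the
;         correct values
;
; Layout: a key path starts in column 0; its values and subkeys are indented
; beneath it, and a subkey's own values are indented one level further.
; Nesting is taken from the indentation, so keep it intact when editing.
; Everything after a ';' on a line is a comment.
;
; ACL numbers used in the [ ... ] lists of this file:
;    1 = Administrators Full
;    8 = Everyone Read
;   17 = System Full

; ==================================
; HKEY_LOCAL_MACHINE\SYSTEM settings
; ==================================

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
; Restrict anonymous connections from listing account names
; Per reference 4 this value is honoured from NT 4.0 Service Pack 3 on.
    RestrictAnonymous = REG_DWORD 1
; Enable auditing on base system objects
; Events are only produced when object-access auditing is also enabled
; in the audit policy.
    AuditBaseObjects = REG_DWORD 1
; Shutdown option on Full Audit Log
; The server halts when the Security log cannot record another event.
; Size the log and decide its retention before enabling this, otherwise
; a full log becomes an outage.
    CrashOnAuditFail = REG_DWORD 1

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
; Enable stronger protection on base objects
; Restrict control of drive letters and printers
    ProtectionMode = REG_DWORD 1
; Disable the OS/2 and POSIX subsystems
; (an empty Optional list means neither subsystem is started on demand)
    SubSystems
        Optional = REG_MULTI_SZ

HKEY_LOCAL_MACHINE\System\CurrentcontrolSet\Control\SecurePipeServers
; Only Administrators have remote access to the registry.
; By default already like that on servers but just to be sure.
    winreg [1]

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog
; Restrict access to view event logs
    Application [1 17]
        RestrictGuestAccess = REG_DWORD 1
    Security [1 17]
        RestrictGuestAccess = REG_DWORD 1
    System [1 17]
        RestrictGuestAccess = REG_DWORD 1

; Restrict access to the Schedule Service (AT Command)
; In this key (and others) we found a special access (QSCENDR) permission for a
; BUILTIN\Account Unknown.
; We will set only Full for Administrators
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Schedule [1]

; Disable external ports used for RPC listening
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPC\Linkage\Bind
; Next is the entry that represents your internal network adapter
; You can use the ipconfig /all command to get the correct internal
; adapter name from the IP Address, or use the Registry Editor.
; El90x2 is the adapter name on the author's server; replace it with the
; name of your own internal adapter before applying this file.
; My-Vars:
    El90x2 = REG_SZ

; Hide the system from network browsing.
; To avoid audit events.
; This only removes the server from browse lists. It can still be reached
; by name or address, so it does not replace access control.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Hidden = REG_DWORD 1

; To turn on auditing for RAS (uncomment next section if using RAS on the server)
;HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Parameters
;    Logging = REG_DWORD 1

; ====================================
; HKEY_LOCAL_MACHINE\SOFTWARE settings
; ====================================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
; Prevent display of a user name in the Logon dialog box.
    DontDisplayLastUserName = REG_SZ 1
; Require users to log on before shutting down the computer.
; By default on servers
    ShutdownWithoutLogon = REG_SZ 0
; Allocate Floppy Drives During Log On
    AllocateFloppies = REG_SZ 1
; Allocate CD-ROMs During Log On
    AllocateCDRoms = REG_SZ 1
; Disable Caching of Logon Credentials during interactive logon
; Document [1] says the registry key value type is REG_DWORD, it should be REG_SZ.
; Information from:
;   Date: Thu, 2 Apr 1998 13:45:37 -0800
;   From: Peter Brundrett
;   To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
; Thanks to Frank Heyne for the comment/correction
; With 0, domain accounts cannot log on interactively while no domain
; controller is reachable; keep a local administrative account available.
    CachedLogonsCount = REG_SZ 0

; ===================
; HKEY_USERS settings
; ===================

; Set Full for Administrators and System and Read only permissions for Everyone.
; By default already like that on servers but just to be sure.
HKEY_USERS\.DEFAULT [1 17 8]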