Distributed Engine Hardening
Introduction
This topic discusses best practices for hardening Secret Server distributed engine servers.
If attackers compromise one of the DE servers, they would have access to all critical DBs, applications, and network devices at the network level. DEs do not store any passwords, PII, or user data in any configuration files.
General Hardening Steps
Restrict RDP Connections
- Limit RDP connections to all PAM Server, except for PAM admins and some users from the hosting team.
- If there is no firewall segmentation in LAN network, you can accomplish this with the Windows OS firewall.
Restrict Incoming Port Access to All DE Servers
- Allow only RDP port access from some internal IPs.
- Allow a SSH proxy port coming from the user's LAN.
- Block all other incoming ports.
Remove Unnecessary User Groups
For administrator and Remote Desktop user groups:
- Remove default domain admins, administrator and some common groups.
- Create one group that is going to have access these servers.
- Disable the built-in local administrator user.
Rename Default Accounts
- Change the names of both the administrator and guest accounts to names that do not indicate their permissions.
- Create a new locked and unprivileged "administrator" user name as bait.
Disable Services
Disable these services:
- Routing and remote access
- Smart card
- Smart card removal policy
- SNMP trap
- Special administration console helper
- Windows error reporting service
- WinHTTP Web proxy auto-discovery service
Restrict Network Protocols
Keep these:
- Client for Microsoft network
- File and printer sharing for Microsoft network
- Internet protocol version 4 (TCP/IPv4)
Remove these:
- QoS packet scheduler
- Link-layer topology discovery mapper IO driver
- Link-layer topology discovery responder
Validate Server Roles
Ensure only the minimum roles and features that are required are defined on the DE Servers. Remove all unnecessary roles and features.
Roles
Application Server
- TCP port sharing
- Windows process activation service support
- Named pipe activation
- TCP activation
Remote Access
- Direct access and VPN (RAS)
- Routing
- Web application proxy (with dependent features)
Web Server (IIS)
- Web server
- Health and diagnostic
- Logging tools
- Tracing
Security
- Centralized SSL certificate support
- Client certificate mapping authentication
- Digest authentication
- IIS client certificate mapping authentication
- IP and domain restrictions
- URL authentication
Application Development
- Server side includes
- Web socket protocols
- Windows deployment services (with dependent features), including all child roles
Features
- Group policy management
- IIS hostable Web core
- Ink and handwriting services
- Media foundation
- RAS connection manager administration kit (CMAK)
- Remote server administration tools, including all child features.
- Windows internal database
- SMB 1.0/CIFS file sharing support
SSL/TLS Settings
Keep your server SSL/TLS settings up to date. Among other settings, the different protocols and cipher suites can be vulnerable to different attacks on SSL/TLS.
- Disable SSL 2.0
- Disable SSL 3.0
- Disable TLS 1.0
- Disable TLS 1.1
- Enable TLS 1.2
GPO Hardening
The following are recommended settings for Microsoft Group Policy Objects (GPO).
User Configuration > Policies > Administrative Templates > Control Panel/Personalization
Vulnerability:
There is no protection against a user with physical and remote desktop access to the server.
Severity of the damage:
Medium
Operational aspects:
None
Policy | Recommended Value |
---|---|
Enable screen saver | Enabled |
Force specific screen saver | Enabled |
Password protect the screen saver | Enabled |
Screen saver timeout | Enabled Seconds: 600 |
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies /Security Options
This setting enables advanced auditing in the operating system.
Policy | Recommended Value |
---|---|
Audit: Force audit policy subcategory settings to override audit policy category settings | Enabled |
Computer Configuration > Policies > Windows Settings > Security Settings > Advance Audit Policy Configuration > Logon Account
Vulnerability:
Lack of information on unauthorized user login attempt. Lack of this type of information prevents identification of intruders to the system, as well as inability to check access to the server or its resources.
Severity of the damage:
Medium
Operational aspects:
None
Policy | Recommended Value |
---|---|
Credential Validation | Success, Fail |
Other Account Logon Event | Success, Fail |
Computer Configuration > Policies > Windows Settings > Security Settings > Advance Audit Policy Configuration > Account Management
Vulnerability:
Lack of information on user management in the system (addition and removal of users). Lack of this type of information will prevent identification of intruders to the system, as well as inability to check access to the server or its resources.
Severity of the damage:
Medium
Operational aspects:
None
Policy | Recommended Value |
---|---|
Application Group Management | Success, Fail |
Computer Account Management | Success, Fail |
Distribution Group Management | Success, Fail |
Other Account Management Events | Success, Fail |
Security Group Management | Success, Fail |
User Account Management | Success, Fail |
Computer Configuration > Policies > Windows Settings > Security Settings > Advance Audit Policy Configuration > Logon\Logoff
Vulnerability:
Lack of information on unauthorized user login attempt. Lack of this type of information will prevent identification of intruders to the system, as well as inability to check access to the server or its resources.
Severity of the damage:
Medium
Operational aspects:
None
Policy | Recommended Value |
---|---|
Account Lockout | Success, Fail |
Logoff | Success, Fail |
Logon | Success, Fail |
Network Policy Server | Success, Fail |
Other Logon\Logoff Event | Success, Fail |
Special Logon | Success, Fail |
Computer Configuration > Policies > Windows Settings > Security Settings > Advance Audit Policy Configuration > Object Access
Vulnerability:
Lack of information on access to sensitive files and folders in the system. Lack of this type of information will prevent identification of intruders to the system, as well as inability to check access to the server or its resources.
Severity of the damage:
Medium
Operational aspects:
Applying Auditing for Success can overload the system. In case an overload is created, it is recommended to apply the auditing for Failure only.
Policy | Recommended Value |
---|---|
Application Generated | Success, Fail |
Certification Services | Success, Fail |
Detailed File Share | Fail |
File Share | Success, Fail |
File System | Success, Fail |
Kernel Object | Success, Fail |
Registry | Success, Fail |
Removable Storage | Success |
SAM | Success, Fail |
Computer Configuration > Policies > Windows Settings > Security Settings > Advance Audit Policy Configuration > Policy Change
Vulnerability:
Lack of information on changes in the policy. Lack of this type of information will prevent identification of intruders to the system, as well as inability to check access to the server or its resources.
Severity of the damage:
Medium
Operational aspects:
None
Policy | Recommended Value |
---|---|
Audit Policy Change | Success, Fail |
Authentication Policy Change | Success, Fail |
Authorization Policy Change | Success, Fail |
Filtering Platform Policy Change | Success, Fail |
MPSSVC Rule-Level Policy Change | Success, Fail |
Computer Configuration > Policies > Windows Settings > Security Settings > Advance Audit Policy Configuration > Privilege Use
Vulnerability:
Lack of information on the use of system authorizations. Lack of this type of information will prevent identification of intruders to the system, as well as inability to check access to the server or its resources.
Severity of the damage:
Medium
Operational aspects:
None
Policy | Recommended Value |
---|---|
Non Sensitive Privilege Use | Success, Fail |
Sensitive Privilege Use | Fail |
Computer Configuration > Policies > Windows Settings > Security Settings > Advance Audit Policy Configuration > System
Vulnerability:
Lack of information on system start-up, shutdown and system changes. Lack of this type of information will prevent identification of intruders to the system, as well as inability to check access to the server or its resources.
Severity of the damage:
Medium
Operational aspects:
None
Policy | Recommended Value |
---|---|
Other System Events | Success, Fail |
Security State Change | Success, Fail |
Security System Extension | Success, Fail |
System Integrity | Success, Fail |
Computer Configuration > Policies > Windows Settings > Security Settings > Event Log
Vulnerability:
There is a risk that many log records will not be saved due to the file's size.
Severity of the damage:
Medium
Operational aspects:
None
Policy | Recommended Value |
---|---|
Maximum application log size | 100032 KB |
Maximum security log size | 100032 KB |
Maximum system log size | 100032 KB |
Prevent local guests group from accessing application log | Enabled |
Prevent local guests group from accessing security log | Enabled |
Prevent local guests group from accessing system log | Enabled |
Retention method for application log | As needed |
Retention method for security log | As needed |
Retention method for system log | As needed |
Computer Configuration > Policies > Windows Settings > Security Settings > Registry
The purpose of this GPO setting is to add auditing to the following registry keys:
HKLM\SYSTEM
HKLM\SOFTWARE
Auditing should be applied according to the following parameters:
-
Audit - Success only: Set Value
-
Audit - All: Create Subkey, Create Link, Delete, Read Permissions, Change Permissions
1. Right click on Registry, select Add Key, then select MACHINE\SOFTWARE.
2. Click Advanced, select Auditing tab, click Add.
3. Change Principal to Everyone, select Show Advanced Permissions, select the following boxes:
-
Create Subkey
-
Create Link
-
Delete
-
Read Permissions
-
Change Permissions
4. Click OK, then click Apply Settings.
5. Perform the same steps above for MACHINE\SYSTEM.
Computer Configuration > Policies > Windows Settings > Security Settings > File System
The purpose of this GPO setting is to add auditing to the following directories:
%SystemRoot%\System32\Config
%SystemRoot%\System32\Config \RegBack
Vulnerability:
Lack of information on delete, change of authorizations, gain ownership of sensitive files, or any attempt to do so, will prevent the ability to identify unauthorized access and therefore will make it difficult to prevent such attempts.
Severity of the damage:
Medium
Operational aspects:
None
Permissions and auditing should be applied according to the following parameters:
-
Audit–Failure only: Traverse Folder\ Execute File, List Folder\ Read Data, Read Attributes, Read Extended Attribute.
-
Audit - All: Create Files\ Write Data, Create Folders\ Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders And Files, Delete, Change Permissions, Take Ownership.
-
Permissions: Administrator, System - Full
1. Right click File System, click Add File.
2. Add the folder path %SystemRoot%\System32\Config
3. Click Advanced, then click Auditing tab, and click Add.
-
Change Principal to Everyone, select Show Advanced Permissions, and select the following boxes:
-
Traverse Folder\ Execute File
-
List folder\ Read data
-
Read attributes
-
Read extended attribute
4. Click OK, then click Apply Settings.
5. Perform the same steps above for SystemRoot%\System32\Config\RegBack
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies/Security Options
Policy | Recommended Value | Comment or Vulnerability |
---|---|---|
Accounts: Administrator account status | Enabled | |
Accounts: Guest account status | Disabled | |
Accounts: Limit local account use of blank passwords to console logon only | Enabled | |
Accounts: Rename administrator account | It is recommended to change both the Administrator and the guest names to a name that will not testify about their permissions, and also to create a new locked and unprivileged user name Administrator as bate | Comment: Apply this parameter according to the organization security policy. Vulnerability: The administrators default name is known as a high privilege user. This user is a target for hacking attempts. Severity of the damage: Medium Operational aspects: None |
Audit: Audit the use of Backup and Restore privilege. | Enabled | Vulnerability: The system does not monitor backup and restore activities of files, therefore it does not allow exposing unusual activities in this area. Severity of the damage: Low Operational aspects: None |
Devices: Allowed to format and eject removable media | Administrator | Vulnerability: Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting. Severity of the damage: Low Operational aspects: None |
Devices: Prevent users from installing printer drivers | Enabled | Vulnerability: A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. Severity of the damage: Low Operational aspects: None |
Domain member: Disable machine account password changes | Disabled | Vulnerability: Computers that cannot automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account. Severity of the damage: Low Operational aspects: None |
Domain member: Maximum machine account password age | 30 days | Vulnerability: Setting this parameter to 0 will allow an attacker to execute Brute Force attacks to find the computer account password. Severity of the damage: Low Operational aspects: None |
Domain member: Require strong (Windows 2000 or later) session key | Enabled | Vulnerability: Session keys that are used to establish secure channel communications between domain controllers and member computers are much stronger in Windows 2000 than they were in previous Windows operating systems. Severity of the damage: Low Operational aspects: None |
Interactive logon: Do not display last user name | Enabled | Vulnerability: An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services, also known as Terminal Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute force attack to try to log on. Severity of the damage: Low Operational aspects: None |
Interactive logon: Do not require CTRL+ALT+DEL | Disabled | Vulnerability: If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords, If this setting is enabled, an attacker could install a Trojan horse program that looks like the standard logon dialog box in the Windows operating system, and capture the user's password. Severity of the damage: Low Operational aspects: None |
Interactive logon: Number of previous logons to cache (in case domain controller is not available). | 0 | Vulnerability: Users who access the server console will have their logon credentials cached on that server. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to attempt to determine user passwords. Severity of the damage: Medium Operational aspects: The local Administrator password should be known in case of DC unavailability. |
Policy | Recommended Value | Comment or Vulnerability |
---|---|---|
Interactive logon: Require Domain Controller authentication to unlock workstation | Enabled | Vulnerability: By default, the computer caches in memory the credentials of any users who are authenticated locally. The computer uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account-such as user rights assignments, account lockout, or the account being disabled-are not considered or applied after the account is authenticated. User privileges are not updated, and (more important) disabled accounts are still able to unlock the console of the computer. Severity of the damage: Medium Operational aspects: The local Administrator password should be known in case of DC unavailability |
Microsoft network client: Send unencrypted password to third-party SMB servers. | Disabled | Vulnerability: The server can transmit passwords in plaintext across the network to other computers that offer SMB services. These other computers might not use any of the SMB security mechanisms that are included with Windows Server 2003 and above. Severity of the damage: Medium Operational aspects: None |
Microsoft network server: Amount of idle time required before suspending session | 15 minutes | Vulnerability: Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive. Severity of the damage: Medium Operational aspects: None |
Microsoft network server: Attempt S4U2Self to obtain claim information | Disabled | Vulnerability: Enabling this policy setting allows you take advantage of features in Windows Server 2012 and Windows 8 for specific scenarios to use claims-enabled tokens to access files or folders that have claim-based access control policy applied on Windows operating systems prior to Windows Server 2012 and Windows 8. Severity of the damage: Medium Operational aspects: None |
Microsoft network server: Server SPN target name validation level | Off | Vulnerability: This policy setting controls the level of validation that a server with shared folders or printers performs on the service principal name (SPN) that is provided by the client computer when the client computer establishes a session by using the SMB protocol. The level of validation can help prevent a class of attacks against SMB servers (referred to as SMB relay attacks). This setting will affect both SMB1 and SMB2. Severity of the damage: Low Operational aspects: None |
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Vulnerability: An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. Severity of the damage: Medium Operational aspects: None |
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Vulnerability: An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social-engineering attacks. Severity of the damage: Medium Operational aspects: None |
Network access: Do not allow storage of passwords and credentials for network authentication. | Enabled | Vulnerability: Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly runs malicious software that reads the passwords and forwards them to another, unauthorized user. Severity of the damage: Medium Operational aspects: This parameter could affect windows schedule task services |
Network access: Let Everyone permissions apply to anonymous users | Disabled | Vulnerability: The system will allow all users, including users who have not identified themselves in the Domain, perform operations of reading information related to user accounts and the names of the shares. Severity of the damage: Medium Operational aspects: None |
Network access: Named Pipes that can be accessed anonymously | List has been deleted |
The policy was enabled and the existing list was deleted. Vulnerability: Ability to remotely access data on the system by an unauthorized user. Severity of the damage: Low Operational aspects: None |
Network access: Remotely accessible registry paths | List has been deleted |
The policy was enabled and the existing list was deleted. Vulnerability: An attacker could use information in the registry to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users. Severity of the damage: Low Operational aspects: None |
Network access: Remotely accessible registry paths and subpaths | List has been deleted |
The policy was enabled and the existing list was deleted. Vulnerability: An attacker could use information in the registry to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users. Severity of the damage: Low Operational aspects: None |
Network access: Restrict anonymous access to Named Pipes and Shares. | Enabled | Vulnerability: Null sessions are a weakness that can be exploited through shared folders on computers environment. Severity of the damage: Low Operational aspects: None |
Network access: Shares that can be accessed anonymously | List has been deleted |
The policy was enabled and the existing list was deleted. Vulnerability: Any shared folders that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data. Severity of the damage: Medium Operational aspects: None |
Network access: Sharing and security model for local accounts | Classic - Local users authenticate as themselves | Vulnerability: With the Guest only model, any user who can authenticate to the server over the network does so with guest privileges, which means that they will not have write access to shared resources on that server. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on the server because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources. Severity of the damage: Low Operational aspects: None |
Network security: Do not store LAN Manager hash value on next password change | Enabled | Vulnerability: The SAM file can be targeted by attackers who seek access to user name and password hashes. Such attacks use special tools to discover passwords, which can then be used to impersonate users and gain access to resources on your network. Severity of the damage: Medium Operational aspects: None |
Network security: Force logoff when logon hours expire | Enabled | Vulnerability: Users can remain connected to the computer outside of their allotted logon hours. Severity of the damage: Low Operational aspects: None |
Network security: LAN Manager authentication level | Send NTLMv2 Responses Only/Refuse LM & NTLM | Vulnerability: The system allows identification of users in the old LM and NTLM protocols. The old identification protocols are vulnerable to attacks. Severity of the damage: Medium Operational aspects: These parameters could effect on legacy system if the system don't support NTLMv2 |
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require NTLMv2 session security Require 128-bit encryption | Vulnerability: Network traffic that uses the NTLM Security Support Provider (NTLM SSP) might be exposed such that an attacker who has gained access to the network can create man-in-the-middle attacks. Severity of the damage: Medium Operational aspects: None |
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require NTLMv2 session security Require 128-bit encryption | Vulnerability: Network traffic that uses the NTLM Security Support Provider (NTLM SSP) might be exposed such that an attacker who has gained access to the network can create man-in-the-middle attacks. Severity of the damage: Medium Operational aspects: None |
Policy | Recommended Value | Comment or Vulnerability |
---|---|---|
Recovery console: Allow automatic administrative logon | Disabled | Vulnerability: The Recovery Console can be very useful when you need to troubleshoot and repair computers that do not start. However, it is dangerous to allow automatic logon to the console. Anyone could walk up to the server, disconnect the power to shut it down, restart it, select Recover Console from the Restart menu, and then assume full control of the server. Severity of the damage: Medium Operational aspects: None |
Recovery console: Allow floppy copy and access to all drives and all folders | Disabled | Vulnerability: An attacker who can cause the system to restart into the Recovery Console could steal sensitive data and leave no audit or access trail. Severity of the damage: Low Operational aspects: None |
Shutdown: Allow system to be shut down without having to log on | Disabled | Vulnerability: Users who can access the console locally could shut down the computer. Severity of the damage: Low Operational aspects: None |
Shutdown: Clear virtual memory pagefile | Enabled | Vulnerability: Important information that is kept in real memory may be written periodically to the paging file to help the operating system handle multitasking functions. An attacker who has physical access to a server that has been shut down could view the contents of the paging file. The attacker could move the system volume into a different computer and then analyze the contents of the paging file. Although this process is time consuming, it could expose data that is cached from random access memory (RAM) to the paging file. Severity of the damage: Low Operational aspects: It takes longer to shut down and restart the computer, especially on computers with large paging files. |
System Settings: Optional subsystems | No one |
Enable the policy and delete the existing list of users that will be populated by default. Vulnerability: The POSIX subsystem introduces a security risk that relates to processes that can potentially persist across logons. If a user starts a process and then logs out, there is a potential that the next user who logs on to the computer could access the previous user's process. This would allow the second user to take actions on the process by using the privileges of the first user. Severity of the damage: Low Operational aspects: None |
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Enable | Vulnerability: Without the use of software restriction policies, users and computers might be exposed to the running of unauthorized software, such as viruses and Trojans horses. Severity of the damage: Medium Operational aspects: None |
User Account Control: Use Admin Approval Mode for the built-in Administrator account | Enable | Vulnerability: Malicious software running under elevated credentials without the user or administrator being aware of its activity. Severity of the damage: Medium Operational aspects: None |
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disable | Vulnerability: Without the use of software restriction policies, users and computers might be exposed to the running of unauthorized software, such as viruses and Trojans horses. Severity of the damage: Medium Operational aspects: None |
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows binaries | Vulnerability: Malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run. Severity of the damage: Medium Operational aspects: None |
User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials on the secure desktop | Vulnerability: Malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run. Severity of the damage: Low Operational aspects: None |
User Account Control: Run all administrator in admin approval mode | Enable | Vulnerability: This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system. Severity of the damage: Medium Operational aspects: None |
User Account Control: Switch to the secure desktop when prompting for elevation | Enable | Vulnerability: Elevation prompt dialog boxes can be spoofed, causing users to disclose their passwords to malicious software. Severity of the damage: Medium Operational aspects: None |
User Account Control: Virtualize file and registry write failures to per-user locations | Enable | Severity of the damage: Low Operational aspects: None |
Computer Configuration > Administrative Templates > Windows Components > Security Settings > Remote Desktop Services
Vulnerability:
An unlimited number of open connections can cause denial of Service attack on the Remote Desktop services, also known as Terminal Services.
If a disconnected session kept alive that can lead a session hijacking by an attacker.
Clipboard mapping enables the client to transfer a virus or a malicious application to the server as well as copy configuration or sensitive data from the server back to the client machine. There is a risk of infecting to the whole network or damaging the system.
Severity of the damage:
Medium
Operational aspects:
None
Path | Policy | Recommended Value |
---|---|---|
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | Automatic reconnection | Disabled |
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | Configure keep-alive connection interval | Enabled Keep-Alive interval:1 |
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | Deny logoff of an administrator logged in to the console session | Enabled |
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | Do not allow Clipboard redirection | Disabled |
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | Do not allow supported Plug and Play device redirection | Enabled |
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | Do not allow COM port redirection | Enabled |
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | Do not allow LPT port redirection | Enabled |
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection | Do not allow drive redirection | Enabled |
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security | Do not allow local administrators to customize permissions | Enabled |
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Temporary Folders | Do not delete temp folders upon exit | Disabled |
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Temporary Folders | Do not use temporary folders per session | Disabled |
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | End session when time limits are reached | Enabled |
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | Remove "Disconnect" option from Shut Down dialog | Enabled |
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment | Remove Windows Security item from Start menu | Enabled |
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security | Require secure RPC communication | Enabled |
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security | Set client connection encryption level | Enabled Encryption Level: High Level |
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections | Set rules for remote control of Remote Desktop Services user sessions | Enabled View Session without user's permission |
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | Set time limit for active but idle Remote Desktop Services sessions | Enabled |
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits | Set time limit for disconnected sessions | Enabled 15 minutes |
Computer Configuration > Policies > Windows Settings > Security Settings > User Rights Assignment
Policy | Recommended Value | Comment |
---|---|---|
Access Credential Manager as a trusted caller | Vulnerability: If an account is given this right, the user of the account can create an application that calls into Credential Manager and is then provided the credentials for another user. Severity of the damage: Medium Operational aspects: None | |
Access this computer from the network | BUILTIN\Administrators | Vulnerability: This right allows the users to use the SMB communications protocol in front of the server. This protocol allows access to the operating resources, such as: sharing and remote system administration using the operating system's built-in tools. Severity of the damage: Medium Operational aspects: None |
Act as part of the operating system | Vulnerability: Users with the Act as part of the operating system user right can take complete control of the computer and erase evidence of their activities. Severity of the damage: Medium Operational aspects: None | |
Adjust memory quotas for a process | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators | Vulnerability: A user with the Adjust memory quotas for a process user right can reduce the amount of memory that is available to any process, which could cause business-critical network applications to become slow or to fail. This privilege could be used to start a denial-of-service (DoS) attack. Severity of the damage: Medium Operational aspects: None |
Allow log on locally | BUILTIN\Administrators | Vulnerability: Any account with the Allow log on locally user right can log on at the console of the computer. If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges. Severity of the damage: Medium Operational aspects: None |
Allow log on through Remote Desktop Services | BUILTIN\Administrators | Vulnerability: Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the computer. If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges. Severity of the damage: Medium Operational aspects: None |
Back up files and directories | BUILTIN\Administrators | Vulnerability: Users who can back up data from a computer could take the backup media to a non-domain computer on which they have administrative privileges and restore the data. They could take ownership of the files and view any unencrypted data that is contained within the backup set. Severity of the damage: Medium Operational aspects: None |
Bypass traverse checking | NT AUTHORITY\ NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators | Vulnerability: This right allows the user to access files and partitions although he is not authorized to view files and change them. Severity of the damage: Medium Operational aspects: None |
Change the system time | BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE | Vulnerability: Users who can change the time on a computer could cause several problems. For example, time stamps on event log entries could be made inaccurate, an attacker who changes a computer's time may cause that computer to be unable to obtain or grant Kerberos protocol tickets. Severity of the damage: Medium Operational aspects: None |
Change the time zone | BUILTIN\Administrator | Vulnerability: Changing the time zone represents little vulnerability because the system time is not affected. This setting merely enables users to display their preferred time zone while being synchronized with domain controllers in different time zones. Severity of the damage: Low Operational aspects: None |
Create a token object | Vulnerability: A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. Severity of the damage: High operational aspects: None | |
Create global objects | NT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators | Vulnerability: Users who can create global objects could affect processes that run under other users' sessions. This capability could lead to a variety of problems, such as application failure or data corruption. Severity of the damage: Medium Operational aspects: None |
Create permanent shared objects | Vulnerability: Users who have the Create permanent shared objects user right could create new shared objects and expose sensitive data to the network. Severity of the damage: Medium Operational aspects: None | |
Create symbolic links | Administrators | Vulnerability: Users who have the Create symbolic links user right could inadvertently or maliciously expose your system to symbolic link attacks. Symbolic link attacks can be used to change the permissions on a file, to corrupt data, to destroy data, or as a DoS attack. Severity of the damage: Low Operational aspects: None |
Debug programs | BUILTIN\Administrator | Vulnerability: The Debug programs user right can be exploited to capture sensitive computer information from system memory or to access and modify kernel or application structures. Some attack tools exploit this user right to extract hashed passwords and other private security information or to insert rootkit code. Severity of the damage: Low Operational aspects: None |
Deny access to this computer from the network | BUILTIN\Guests | Vulnerability: Users who can log on to the computer over the network can enumerate lists of account names, group names, and shared resources. Users with permission to access shared folders and files can connect over the network and possibly view or modify data. Severity of the damage: Medium Operational aspects: None |
Deny log on as a batch job | BUILTIN\Guests | Vulnerability: Accounts that have the Deny log on as a batch job user right could be used to schedule jobs that could consume excessive computer resources and cause a DoS condition. Severity of the damage: Medium Operational aspects: None |
Deny log on as a service | BUILTIN\Guests | Vulnerability: Accounts that can log on as a service could be used to configure and start new unauthorized services, such as a keylogger or other malicious software. Severity of the damage: Medium Operational aspects: None |
Deny log on locally | BUILTIN\Guests | Vulnerability: Any account with the ability to log on locally could be used to log on at the console of the computer. If this user right is not restricted to legitimate users who must log on to the console of the computer, unauthorized users might download and run malicious software that elevates their privileges. Severity of the damage: Medium Operational aspects: None |
Deny log on through Remote Desktop Services | BUILTIN\Guests | Vulnerability: Any account with the right to log on through Remote Desktop Services could be used to log on to the remote console of the computer. If this user right is not restricted to legitimate users who need to log on to the console of the computer, malicious users might download and run software that elevates their privileges. Severity of the damage: Medium Operational aspects: None |
Enable computer and user accounts to be trusted for delegation | BUILTIN\Administrators | Vulnerability: Misuse of the Enable computer and user accounts to be trusted for delegation user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened after a security incident. Severity of the damage: Medium Operational aspects: None |
Force shutdown from a remote system | BUILTIN\Administrators | Vulnerability: Any user who can shut down a computer could cause a DoS condition to occur. Therefore, this user right should be tightly restricted. Severity of the damage: Low Operational aspects: None |
Generate security audits | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE | Vulnerability: Accounts that can write to the Security log could be used by an attacker to fill that log with meaningless events. If the computer is configured to overwrite events as needed, attackers could use this method to remove evidence of their unauthorized activities. If the computer is configured to shut down when it is unable to write to the Security log and it is not configured to automatically back up the log files, this method could be used to create a DoS condition. Severity of the damage: Low Operational aspects: None |
Increase scheduling priority | BUILTIN\Administrators | Vulnerability: Increasing the working set size for a process decreases the amount of physical memory that is available to the rest of the system. Severity of the damage: Low Operational aspects: None |
Load and unload device drivers | BUILTIN\Administrators | Vulnerability: Device drivers run as highly privileged code. A user who has the Load and unload device drivers user right could unintentionally install malicious software that masquerades as a device driver. Severity of the damage: Low Operational aspects: None |
Policy | Recommended Value | Comment or Vulnerability |
---|---|---|
Lock pages in memory | BUILTIN\Administrators | Vulnerability: Users with the Lock pages in memory user right could assign physical memory to several processes, which could leave little or no RAM for other processes and result in a DoS condition. Severity of the damage: Low Operational aspects: None |
Manage auditing and security log | BUILTIN\Administrators | Vulnerability: Anyone with the Manage auditing and security log user right can clear the Security log to erase important evidence of unauthorized activity. Severity of the damage: Medium Operational aspects: None |
Modify an object label | Vulnerability: Anyone with the Modify an object label user right can change the integrity level of a file or process so that it becomes elevated or decreased to a point where it can be deleted by lower-level processes. Either of these states effectively circumvents the protection offered by Windows Integrity Controls and makes your system vulnerable to attacks by malicious software. Severity of the damage: Low Operational aspects: None | |
Modify firmware environment values | BUILTIN\Administrators | Vulnerability: Anyone who is assigned the Modify firmware environment values user right could configure the settings of a hardware component to cause it to fail, which could lead to data corruption or a DoS condition. Severity of the damage: Medium Operational aspects: None |
Perform volume maintenance tasks | BUILTIN\Administrators | Vulnerability: A user who is assigned the Perform volume maintenance tasks user right could delete a volume, which could result in the loss of data or a DoS condition. Also, disk maintenance tasks can be used to modify data on the disk such as user rights assignments that might lead to escalation of privileges. Severity of the damage: Low Operational aspects: None |
Profile single process | BUILTIN\Administrators | Vulnerability: The Profile single process user right presents a moderate vulnerability. Attackers with this user right could monitor a computer's performance to help identify critical processes that they might want to attack directly. Attackers may be able to determine what processes run on the computer so that they could identify countermeasures that they may need to avoid, such as antivirus software or an intrusion-detection system. They could also identify other users who are logged on to a computer. Severity of the damage: Low Operational aspects: None |
Restore files and directories | BUILTIN\Administrators | Vulnerability: An attacker with the Restore files and directories user right could restore sensitive data to a computer and overwrite data that is more recent, which could lead to loss of important data, data corruption, or a denial-of-service condition. Attackers could overwrite executable files that are used by legitimate administrators or system services with versions that include malicious software to grant themselves elevated privileges, compromise data, or install programs that provide continued access to the computer. Severity of the damage: Medium Operational aspects: None |
Shut down the system | BUILTIN\Administrators | Vulnerability: The ability to shut down the server should be limited to a very small number of trusted administrators. Severity of the damage: Low Operational aspects: None |
Take ownership of files or other objects | BUILTIN\Administrators | Vulnerability: Any users with the Take ownership of files or other objects user right can take control of any object, regardless of the permissions on that object, and then make any changes that they want to make that object. Such changes could result in exposure of data, corruption of data, or a DoS condition. Severity of the damage: High Operational aspects: None |