- Audits
- Windows Key + R > secpol.msc > Local Policies > Audit Policy
- A. Enable success/failure for “Account Logon” events
- B. Enable success/failure for “Account Management”
- C. Enable success/failure for “Logon Events”
- D. Enable success/failure for “Policy Change”
- Password Policy
- Windows Key + R > secpol.msc > Account Policies
- A. Password Policy tab
- a. Enforce Password History: 10
- b. Max password age: 60
- c. Min password age: 1
- d. Min Password Length: 8
- e. Store passwords using reversible encryption: Disabled
- f. Complexity Requirements: Enabled
- 1. 8 characters
- 2. 1x Number
- 3. 1x Special Character
- B. Account Lockout Policy
- a. Account lockout threshold: 5
- b. Other two (Account lockout duration, Reset account lockout counter after) should be 30 mins
- User Rights Assignment
- a. Access computer from the network – Make sure only allowed users are there.
- b. Act as part of the Operating System – No objects
- c. Allow logon through Remote Desktop Services – By readme
- d. Deny log on through Remote Desktop Services – By readme
- e. Deny log on locally/from the network – Guest object
- f. Shut down the system – Administrators if server
- g. Target everyone object
- Security Options
- a. Autoconfig
- i. File hosted on my Google Drive
- ii. BEFORE YOU DO THIS, EXPORT PREVIOUS CONFIG.
- 1. That way you can fix if you break anything.
- 2. Write down any points you do get from the autoconfig, then go back and manually edit them in local
- iii. Local security policy (Top left) > Import > Navigate to .inf file
- b. Accounts
- i. Administrator account status – Disabled
- ii. Guest account status – Disabled
- iii. Limit local account use of blank passwords to console logon only – enabled
- iv. Rename Administrator account – Shrek
- v. Rename Guest account – Donkey
- c. Audit
- i. Shut down system immediately if unable to log security audits – enabled
- d. Devices
- i. Restrict CDROM access to locally logged-on users only – enabled
- ii. Restrict Floppy access to locally logged-on users only – enabled
- iii. Prevent users from installing printer drivers: enabled
- e. Interactive logon
- i. Display user information when the session is locked – Disabled
- ii. Do not display last user name – Enabled
- iii. Do not require CTRL-ALT-DEL – Disabled
- iv. Configure message title/ message text for users attempting to log on
- v. Prompt user to change password before expiration: 5 days
- vi. Machine Inactivity Limit: 60 seconds
- f. Network Client
- i. Digitally sign communications (if server agrees): Enabled
- ii. Send unencrypted password: Disabled
- g. Network Server
- i. Digitally sign communications (if client agrees): Enabled
- ii. Disconnect Clients when logon hours expire: Enabled
- iii. Send unencrypted password to clients: Disabled
- iv. Server SPN Target name validation: Accept if provided by client
- h. Network Access
- i. Do not allow anonymous enumeration of SAM accounts: Enabled
- ii. Do not allow anonymous enumeration of SAM accounts and shares: Enabled
- iii. Let Everyone permissions apply to anonymous users: Disabled
- iv. Named Pipes that can be accessed anonymously: Should be blank
- v. Remotely accessible registry paths: Should be blank
- vi. Remotely accessible registry paths and subpaths: Should be blank
- vii. Shares that can be accessed anonymously: Not defined
- viii. Restrict anonymous access to named pipes and shares: Enabled
- ix. Sharing and security model for local accounts: Classic
- x. Force logoff when logon hours expire: Enabled
- i. Recovery console
- i. Allow automatic administrative logon: disabled
- ii. Allow floppy copy: disabled
- j. Shutdown
- i. Allow system to be shut down without having to log on: Disabled
- ii. Clear virtual memory pagefile: Enabled
- k. User Account Control
- i. Admin Approval Mode for the built-in Administrator account: Enabled
- ii. Detect application installation and prompt for elevation: Enabled
- iii. Only elevate UIAccess applications that are installed in secure locations: Enabled
- iv. Run all administrators in admin approval mode: Enabled
- v. Switch to the secure desktop when prompting for elevation: Enabled
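
One way to do the "export previous config" step and then check the machine against the Password Policy, Account Lockout Policy and Accounts values listed above. This is an added example, not part of the original paste. It assumes an elevated PowerShell prompt; the backup path and the mapping from checklist items to `secedit` key names are this example's own.

```powershell
# Added example (not from the original paste). Run in an elevated PowerShell.
# 1. Export the current local security policy so it can be re-imported later.
$backup = Join-Path $env:USERPROFILE ('secpol-backup-{0:yyyyMMdd-HHmmss}.inf' -f (Get-Date))  # assumed path
secedit /export /cfg $backup /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

# 2. Read the "Key = Value" pairs of the [System Access] section.
$current = @{}
$section = ''
foreach ($line in Get-Content -Path $backup) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; continue }
    if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
        $current[$Matches[1]] = $Matches[2].Trim('"')
    }
}

# 3. Checklist values, keyed by the names secedit uses in the export.
$expected = [ordered]@{
    PasswordHistorySize   = '10'   # Enforce password history
    MaximumPasswordAge    = '60'   # days
    MinimumPasswordAge    = '1'    # days
    MinimumPasswordLength = '8'
    ClearTextPassword     = '0'    # reversible encryption disabled
    PasswordComplexity    = '1'    # complexity requirements enabled
    LockoutBadCount       = '5'    # account lockout threshold
    LockoutDuration       = '30'   # minutes
    ResetLockoutCount     = '30'   # minutes
    EnableAdminAccount    = '0'    # Administrator account status: disabled
    EnableGuestAccount    = '0'    # Guest account status: disabled
}

# 4. Report each setting; keys missing from the export show as "(not set)".
$report = foreach ($key in $expected.Keys) {
    $actual = if ($current.ContainsKey($key)) { $current[$key] } else { '(not set)' }
    [pscustomobject]@{
        Setting  = $key
        Expected = $expected[$key]
        Actual   = $actual
        Pass     = ($actual -eq $expected[$key])
    }
}
$report | Format-Table -AutoSize
Write-Host "Backup saved to $backup"
```

The saved .inf can be re-imported through the Import step in the Autoconfig section if a change breaks something.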