USGCB: Guidance for Securing Microsoft Windows 7Systems for IT Professional
This guide has been created to assist IT professionals in effectively securing systems running Microsoft7
Publisher: National Institute of Standards and Technology
Send comments or suggestions to [email protected].
Table of Contents
1 -- Introduction
2 -- Security Guide Development
2.1 -- Windows 7 System Roles and Requirements
2.2 -- Security Categorization of Information and Information Systems
2.3 -- Baseline Security Controls and Threat Analysis Refinement
2.4 -- Environments and Security Controls Documentation
2.5 -- Implementation and Testing of Security Controls
2.6 -- Monitoring and Maintenance
2.7 -- Summary of Recommendations
3 -- Windows 7 Security Components Overview
3.1 -- New Features in Windows 7
3.2 -- Security Features Inherited from earlier Windows versions
3.3 -- Summary of Recommendations
4 -- Installation, Backup, and Patching
4.1 -- Performing a New Installation4.2 -- Backing Up Systems
4.3 -- Updating Existing Systems4.4 -- Identifying Security Issues
4.5 -- Summary of Recommendations
5 -- USGCB Security Settings
5.1 -- Account Policies Group5.2 -- Local Policies Group
5.3 -- System Services Group5.4 -- Advanced Audit Policy Settings
6 -- USGCB Other Settings
6.1 -- Computer Configuration - Administrative Templates - Network Settings
6.2 -- Printers6.3 -- Computer Configuration - Administrative Templates - System Settings
7 -- Security Patches
1 - Introduction
2 - Security Guide Development
In today's computing environment, the security of all computing resources, from network infrastructure devices to users' desktop computers,
is essential. There are many threats to users' computers, ranging from remotely launched network service exploits to malware spread throughe-mails, Web sites, and file downloads. Increasing the security of individual computers protects them from these threats and reduces the
likelihood that a system will be compromised or that data will be disclosed to unauthorized parties. Effective and well-tested securityconfigurations means that less time and money is spent eradicating malware, restoring systems from backups, and reinstalling operating
systems and applications. In addition, having stronger host security increases network security (e.g., home, business, government, theInternet); for example, most distributed denial of service attacks against networks use large numbers of compromised hosts.
The goal of this guide is to provide security configuration guidance to the users and system administrators of Microsoft Windows 7 systems.
This advice can be adapted to any environment, from individual SOHO installations to large geographically diverse organizations. Althoughthe guide is primarily targeted toward business environments and Windows 7 Enterprise Edition, some of the guidance is also appropriate for
other Windows 7 editions. This guide draws on a large body of vendor knowledge and government and security community experience
gained over many years of securing computer systems.
This section of the guide is based largely on the steps proposed in NIST’s FISMA Implementation Project for achieving more secure
information systems. Sections 2.1 and 2.2 address the need to categorize information and information systems. Each Windows 7 system can
be classified as having one of three roles; each system can also be classified according to the potential impact caused by security breaches.Section 2.3 describes threats and provides examples of security controls that can mitigate threats. Section 2.4 outlines the primary types of
environments for information systems - SOHO, Enterprise, Specialized Security-Limited Functionality, and Legacy - and ties each
environment to typical threat categories and security controls. Section 2.5 provides a brief overview of the implementation of the security
controls and the importance of performing functionality and security testing. Finally, Section 2.6 discusses the need to monitor the securitycontrols and maintain the system. Figure 2-1 shows the six facets to Windows 7 security that are covered in Sections 2.1 through 2.6.
Figure 2-1. The Facets of Windows 7 Security
2.1 - Windows 7 System Roles and Requirements
Windows 7 security should take into account the role that the system plays. For the purposes of this guide, Windows 7 systems can be
divided into three roles: inward-facing, outward-facing, and mobile.
Inward-Facing: An inward-facing Windows 7 system is typically a user workstation on the interior of a network that is not directly
accessible from the Internet. Physical access is also generally limited in some manner (e.g., only employees have access to the work area). In
many environments, inward-facing systems share a common hardware and software configuration because they are centrally deployed and
managed (e.g., Microsoft domains, Novell networks). Because an inward-facing system is usually in the same environment all the time (e.g.,desktop on the corporate local area network [LAN]), the threats against the system do not change quickly. In general, inward-facing systems
are relatively easy to secure, compared to outward-facing and mobile systems.
Outward-Facing: An outward-facing Windows 7 system is one that is directly connected to the Internet. The classic example is a home
computer that connects to the Internet through dial-up or broadband access. Such a system is susceptible to scans, probes, and attackslaunched against it by remote attackers. It typically does not have the layers of protection that an inward-facing system has, such as network
firewalls and intrusion detection systems. Outward-facing systems are often at high risk of compromise because they have relatively high
security needs, yet are typically administered by users with little or no security knowledge. Also, threats against outward-facing systems maychange quickly since anyone can attempt to attack them at any time.
Mobile: A system with a mobile role typically moves between a variety of environments and physical locations. For network connectivity,
this system might use both traditional wired methods (e.g., Ethernet, dialup) and wireless methods (e.g., IEEE 802.11). The mobility of the
system makes it more difficult to manage centrally. It also exposes the system to a wider variety of threat environments; for example, in asingle day the system might be in a home environment, an office environment, a wireless network hotspot, and a hotel room. An additional
threat is the loss or theft of the system. This could lead to loss of productivity at a minimum, but could also include the disclosure of
confidential information or the possible opening of a back door into the organization if remote access is not properly secured.
2.2 - Security Categorization of Information and Information Systems
This section discusses the most significant security features inherited from previous Windows versions: Kerberos, smart card support, Internet
Connection Sharing, Internet Protocol Security, and Encrypting File System. For each security feature, the section includes a briefdescription, an analysis of the security impact of each feature, and general recommendations for when the feature should or should not be
used. It is outside the scope of this document to cover the features in great depth, so pointers to resources with additional information are
provided as needed.
The classic model for information security defines three objectives of security: maintaining confidentiality, integrity, and availability.
Confidentiality refers to protecting information from being accessed by unauthorized parties. Integrity refers to ensuring the authenticity of
information—that information is not altered, and that the source of the information is genuine. Availability means that information is accessible
by authorized users. Each objective addresses a different aspect of providing protection for information.
Determining how strongly a system needs to be protected is based largely on the type of information that the system processes and stores.
For example, a system containing medical records probably needs much stronger protection than a computer only used for viewing publicly
released documents. This is not to imply that the second system does not need protection; every system needs to be protected, but the levelof protection may vary based on the value of the system and its data. To establish a standard for determining the security category of a
system, NIST created Federal Information Processing Standards (FIPS) Publication (PUB) 199, Standards for Security Categorization of
Federal Information and Information Systems. FIPS PUB 199 establishes three security categories-low, moderate, and high-based on the
potential impact of a security breach involving a particular system. The FIPS PUB 199 definitions for each category are as follows:
The potential impact is LOW if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect onorganizational operations, organizational assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality,
integrity, or availability might (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its
primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in
minor financial loss; or (iv) result in minor harm to individuals.
The potential impact is MODERATE if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect
on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss of confidentiality,
integrity, or availability might (i) cause a significant degradation in mission capability to an extent and duration that the organization is able toperform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational
assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life
threatening injuries.
The potential impact is HIGH if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse
effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect means that, for example, the
loss of confidentiality, integrity, or availability might (i) cause a severe degradation in or loss of mission capability to an extent and duration thatthe organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in
major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.
Each system should be protected based on the potential impact to the system of a loss of confidentiality, integrity, or availability. Protection
measures (otherwise known as security controls) tend to fall into two categories. First, security weaknesses in the system need to be
resolved. For example, if a system has a known vulnerability that attackers could exploit, the system should be patched so that the
vulnerability is removed or mitigated. Second, the system should offer only the required functionality to each authorized user, so that no one
can use functions that are not necessary. This principle is known as least privilege. Limiting functionality and resolving security weaknesses
have a common goal: give attackers as few opportunities as possible to breach a system.
Although each system should ideally be made as secure as possible, this is generally not feasible because the system needs to meet the
functional requirements of the system’s users. Another common problem with security controls is that they often make systems less convenient
or more difficult to use. When usability is an issue, many users will attempt to circumvent security controls; for example, if passwords must be
long and complex, users may write them down. Balancing security, functionality, and usability is often a challenge. This guide attempts to
strike a proper balance and make recommendations that provide a reasonably secure solution while offering the functionality and usability that
users require.
Another fundamental principle endorsed by this guide is using multiple layers of security. For example, a host may be protected from external
attack by several controls, including a network-based firewall, a host-based firewall, and OS patching. The motivation for having multiple
layers is that if one layer fails or otherwise cannot counteract a certain threat, other layers might prevent the threat from successfully breaching
the system. A combination of network-based and host-based controls is generally most effective at providing consistent protection for
systems.
NIST SP 800-53, Recommended Security Controls for Federal Information Systems, proposes minimum baseline management, operational,
and technical security controls for information systems. These controls are to be implemented based on the security categorizations proposedby FIPS 199, as described earlier in this section. This guidance should assist agencies in meeting baseline requirements for Windows 7
Enterprise systems deployed in their environments.
2.3 - Baseline Security Controls and Threat Analysis Refinement
To secure a system, it is essential first to define the threats that need to be mitigated. This knowledge of threats is also key to understanding
the reasons the various configuration options have been chosen in this guide. Most threats against data and resources are possible because of
mistakes—either bugs in operating system and application software that create exploitable vulnerabilities, or errors made by users andadministrators. Threats may involve intentional actors (e.g., an attacker who wants to access credit cards on a system) or unintentional actors
(e.g., an administrator who forgets to disable user accounts of a terminated employee). Threats can be local, such as a disgruntled employee,
or remote, such as an attacker in another country. The following sections describe each major threat category, list possible controls, provide
examples of threats, and summarize the potential impact of the threat. The list of threats is not exhaustive; it simply represents the major threat
categories that were considered during the selection of the security controls as described in this guide. Organizations should conduct risk
assessments to identify the specific threats against their systems and determine the effectiveness of existing security controls in counteracting
the threats, then perform risk mitigation to decide what additional measures (if any) should be implemented.
This section has describes various types of local and remote threats that can negatively impact systems. The possible controls listed for the
threats are primarily technical, as are the controls discussed throughout this document. However, it is important to further reduce the risks of
operating a Windows 7 system by also using management and operational controls. Examples of important operational controls are restricting
physical access to a system; performing contingency planning, backing up the system, storing the backups in a safe and secure location, and
testing the backups regularly; and monitoring Microsoft mailing lists for relevant security bulletins. Management controls could include
developing policies regarding Windows 7 system security and creating a plan for maintaining Windows 7 systems. By selecting and
implementing management, operational, and technical controls for Windows 7, organizations can better mitigate the threats that Windows 7
systems may face.
Another reason to use multiple types of controls is to provide better security in situations where one or more controls are circumvented or
otherwise violated. This may be done not only by attackers, but also by authorized users with no malicious intent. For example, taping a list of
passwords to a monitor for convenience may nullify controls designed to prevent unauthorized local access to that system. Establishing a
policy against writing down passwords (management control), educating users on the dangers of password exposure (operational control),
and performing periodic physical audits to identify posted passwords (operational control) may all be helpful in reducing the risks posed by
writing down
2.3.1 - Local Threats
Local threats either require physical access to the system or logical access to the system (e.g., an authorized user account). Local threats are
grouped into three categories: boot process, unauthorized local access, and privilege escalation.
2.3.1.1 - Boot Process
Threat: An unauthorized individual boots a computer from third-party media (e.g., removable drives, Universal Serial
Bus [USB] token storage devices). This could permit the attacker to circumvent operating system (OS) security measures
and gain unauthorized access to information.
Examples:
While traveling, an employee misplaces a laptop, and the party that acquires it tries to see what
sensitive data it contains.
A disgruntled employee boots a computer off third-party media to circumvent other security controlsso the employee can access sensitive files (e.g., confidential data stored locally, local password file).
Impact: Unauthorized parties could cause a loss of confidentiality, integrity, and availability.
Possible Controls:
Implement physical security measures (e.g., locked doors, badge access) to restrict access to
equipment.
Enable a strong and difficult-to-guess password for the Basic Input Output System (BIOS), andconfigure the BIOS to boot the system from the local hard drive only, assuming that the case
containing the OS and data is physically secure. This will help protect the data unless the hard drive is
removed from the computer.
Secure local files via encryption to prevent access to data in the event the physical media is placed in
another computer.
2.3.1.2 - Unauthorized Local Access
Threat: An individual who is not permitted to access a system gains local access.
Examples:
A visitor to a company sits down at an unattended computer and logs in by guessing a weak
password for a default user account.
A former employee gains physical access to facilities and uses old credentials to log in and gain
access to company resources.
Impact: Because the unauthorized person is masquerading as an authorized user, this could cause a loss of confidentiality
and integrity; if the user has administrative rights, this could also cause a loss of availability.
Possible Controls:
Require valid username and password authentication before allowing any access to system resources,
and enable a password-protected screen saver. These actions help to prevent an attacker from
walking up to a computer and immediately gaining access.
Enable a logon banner containing a warning of the possible legal consequences of misuse.
Implement a password policy to enforce stronger passwords, so that it is more difficult for anattacker to guess passwords.
Do not use or reuse a single password across multiple accounts; for example, the password for a
personal free e-mail account should not be the same as that used to gain access to the Windows 7
host.
Establish and enforce a checkout policy for departing employees that includes the immediate disabling
of their user accounts.
Physically secure removable storage devices and media, such as CD-ROMs, that contain valuableinformation. An individual who gains access to a workspace may find it easier to take removable
media than attempt to get user-level access on a system.
2.3.1.3 - Privilege Escalation
Threat: An authorized user with normal user-level rights escalates the account’s privileges to gain administrator-level
access.
Examples:
A user takes advantage of a vulnerability in a service to gain administrator-level privileges and access
another user’s files.
A user guesses the password for an administrator-level account, gains full access to the system, and
disables several security controls.
Impact: Because the user is gaining full privileges on the system, this could cause a loss of confidentiality, integrity, and
availability.Possible Controls:
Restrict access to all administrator-level accounts and administrative tools, configuration files, and
settings. Use strong, difficult-to-guess passwords for all administrator-level accounts. Do not use the
domain administrator accounts from non-administrative client hosts. These actions will make it more
difficult for users to escalate their privileges.
Disable unused local services. Vulnerabilities in these services may permit users to escalate their
privileges.Install application and OS updates (e.g., hotfixes, service packs, patches). These updates will resolve
system vulnerabilities, reducing the number of attack vectors that can be used.
Encrypt sensitive data. Even administrator-level access would not permit a user to access data in
encrypted files.
2.3.2 - Remote Threats
Unlike local threats, remote threats do not require physical or logical access to the system. The categories of remote threats described in this
section are network services, data disclosure, and malicious payloads.
2.3.2.1 - Network Services
Threat: Remote attackers exploit vulnerable network services on a system. This includes gaining unauthorized access to
services and data, and causing a denial of service (DoS) condition.
Examples:
A worm searches for systems with an unsecured service listening on a particular port, and then uses
the service to gain full control of the system.
An attacker gains access to a system through a service that did not require authentication.
An attacker impersonates a user by taking advantage of a weak remote access protocol.
Impact: Depending on the type of network service that is being exploited, this could cause a loss of confidentiality,
integrity, and availability.
Possible Controls:
Disable unused services. This provides attackers with fewer chances to breach the system.
Test and install application and OS updates (e.g., hotfixes, service packs, patches). These updates
will resolve system software vulnerabilities, reducing the number of attack vectors that can be used.Require strong authentication before allowing access to the service. Implement a password policy to
enforce stronger passwords that are harder to guess. Establish and enforce a checkout policy for
departing employees that includes the immediate disabling of their user accounts. These actions help
to ensure that only authorized users can access each service.
Do not use weak remote access protocols and applications; instead, use only accepted, industry
standard strong protocols (e.g., Internet Protocol Security [IPsec], Secure Shell [SSH], Transport
Layer Security [TLS]) for accessing and maintaining systems remotely.
Use firewalls or packet filters to restrict access to each service to the authorized hosts only. This
prevents unauthorized hosts from gaining access to the services and also prevents worms from
propagating from one host to other hosts on the network.
Enable logon banners containing a warning of the possible legal consequences of misuse.
2.3.2.2 - Data Disclosure
Threat: A third party intercepts confidential data sent over a network.
Examples:
On a nonswitched network, a third party is running a network monitoring utility. When a legitimate
user transmits a file in an insecure manner, the third party captures the file and accesses its data.
An attacker intercepts usernames and passwords sent in plaintext over a local network segment.
Impact: The interception of data could lead to a loss of confidentiality. If authentication data (e.g., passwords) are
intercepted, it could cause a loss of confidentiality and integrity, and possibly a loss of availability, if the intercepted
credentials have administrator-level privileges.
Possible Controls:
Use switched networks, which make it more difficult to sniff packets.
Use a secure user identification and authentication system, such as NT LanManager version 2
(NTLMv2) or Kerberos. Section 3.2.1 contains a discussion of the choices that Windows Windows
7 provides.
Encrypt network communications or application data through the use of various protocols (e.g., TLS,
IPsec, SSH). This protects the data from being accessed by a third party.
2.3.2.3 - Malicious Payloads
Threat: Malicious payloads such as viruses, worms, Trojan horses, and active content attack systems through many
vectors. End users of the system may accidentally trigger malicious payloads.
Examples:
A user visits a Web site and downloads a free game that includes a Trojan horse. When the user
installs the game on her computer, the Trojan horse is also installed, which compromises the system.
A user with administrative-level privileges surfs the Web and accidentally visits a malicious Web site,
which successfully infects the user’s system.
A user installs and operates peer-to-peer (P2P) file sharing software to download music files, and the
P2P software installs spyware programs onto the system.
A user opens and executes a payload that was attached to a spam or spoofed message.
Impact: Malware often gains full administrative-level privileges to the system, or inadvertently crashes the system.Malware may cause a loss of confidentiality, integrity, and availability.
Possible Controls:
Educate users on avoiding malware infections, and make them aware of local policy regarding the use
of potential transmission methods such as instant messaging (IM) software and P2P file sharing
services. Users who are familiar with the techniques for spreading malware should be less likely to
infect their systems.
Use antivirus software and spyware detection and removal utilities as an automated way of preventing
most infections and detecting the infections that were not prevented.
Use e-mail clients that support spam filtering—automatically detecting and quarantining messages that
are known to be spam or have the same characteristics as typical spam.
Do not install or use non-approved applications (e.g., P2P, IM) to connect to unknown servers.
Educate users regarding the potential impact caused by the use of P2P, IM, and other untrusted
software applications.
Operate the system on a daily basis with a limited user account. Only use administrator-level accounts
when needed for specific maintenance tasks. Many instances of malware cannot successfully infect asystem unless the current user has administrative privileges.
Configure server and client software such as e-mail servers and clients, Web proxy servers and
clients, and productivity applications to reduce exposure to malware. For example, email servers and
clients could be configured to block e-mail attachments with certain file extensions. This should help
to reduce the likelihood of infections.
Configure systems, particularly in specialized security-limited functionality environments, so that the
default file associations prevent automatic execution of active content files (e.g., Java, JavaScript,
ActiveX).
2.4 - Environments and Security Controls Documentation
The section describes the types of environments in which a Windows 7 host may be deployed - SOHO, enterprise, and custom - as
described in the NIST Security Configuration Checklists Program for IT Products. The two typical custom environments for Windows 7 are
specialized security-limited functionality, which is for systems at high risk of attack or data exposure, with security taking precedence over
functionality, and legacy, which is intended for situations in which the Windows 7 system has special needs that do not fit into the otherprofiles, such as a requirement for backward compatibility with legacy applications or servers. Each environment description also summarizes
the primary threats and controls that are typically part of the environment. In addition to documenting controls, every environment should have
other various security-related documentation, such as acceptable use policies and security awareness materials, that affects configuration and
usage of systems and applications. The last part of this section lists some common types of security-related documentation.
2.4.1 - SOHO
SOHO, sometimes called standalone, describes small, informal computer installations that are used for home or business purposes. SOHO
encompasses a variety of small-scale environments and devices, ranging from laptops, mobile devices, and home computers, to
telecommuting systems located on broadband networks, to small businesses and small branch offices of a company. Figure 2-2 shows a
typical SOHO network architecture. Historically, SOHO environments are the least secured and most trusting. Generally, the individuals
performing SOHO system administration are less knowledgeable about security. This often results in environments that are less secure than
they need to be because the focus is generally on functionality and ease of use. A SOHO system might not use any security software (e.g.,
antivirus software, personal firewall). In some instances, there are no network-based controls such as firewalls, so SOHO systems may be
directly exposed to external attacks. Therefore, SOHO environments are frequently targeted for exploitation—not necessarily to acquire
information, but more commonly to be used for attacking other computers, or incidentally as collateral damage from the propagation of aworm.
Figure 2-2. Typical SOHO Network Architecture
Because the primary threats in SOHO environments are external, and SOHO computers generally have less restrictive security policies than
enterprise or specialized security-limited functionality computers, they tend to be most vulnerable to attacks from remote threat categories.
(Although remote threats are the primary concern for SOHO environments, it is still important to protect against other threats.) SOHO
systems are typically threatened by attacks against network services and by malicious payloads (e.g., viruses, worms). These attacks are
most likely to affect availability (e.g., crashing the system, consuming all network bandwidth, breaking functionality) but may also affect
integrity (e.g., infecting data files) and confidentiality (e.g., providing remote access to sensitive data, e-mailing data files to others).
SOHO security is improving with the proliferation of small, inexpensive, hardware-based firewall routers that protect to some degree the
SOHO machines behind them. The adoption of personal firewalls (e.g., BlackICE, ZoneAlarm, Windows Firewall) is also helping to better
secure SOHO environments. Another key to SOHO security is strengthening the hosts on the SOHO network by patching vulnerabilities and
altering settings to restrict unneeded functionality.
2.4.2 - Enterprise
The enterprise environment, also known as a managed environment, is typically comprised of large organizational systems with defined,
organized suites of hardware and software configurations, usually consisting of centrally managed workstations and servers protected from
threats on the Internet with firewalls and other network security devices. Figure 2-3 shows a typical enterprise network architecture.
Enterprise environments generally have a group dedicated to supporting users and providing security. The combination of structure and skilled
staff allows better security practices to be implemented during initial system deployment and in ongoing support and maintenance. Enterprise
installations typically use a domain model to effectively manage a variety of settings and allow the sharing of resources (e.g., file servers,
printers). The enterprise can enable only the services needed for normal business operations, with other possible avenues of exploit removed
or disabled. Authentication, account, and policy management can be administered centrally to maintain a consistent security posture across an
organization.
The enterprise environment is more restrictive and provides less functionality than the SOHO environment. Managed environments typically
have better control on the flow of various types of traffic, such as filtering traffic based on protocols and ports at the enterprise’s connections
with external networks. Because of the supported and largely homogeneous nature of the enterprise environment, it is typically easier to use
more functionally restrictive settings than it is in SOHO environments. Enterprise environments also tend to implement several layers ofdefense (e.g., firewalls, antivirus servers, intrusion detection systems, patch management systems, e-mail filtering), which provides greater
protection for systems. In many enterprise environments, interoperability with legacy systems may not be a major requirement, further
facilitating the use of more restrictive settings. In an enterprise environment, this guide should be used by advanced users and system
administrators. The enterprise environment settings correspond to an enterprise security posture that will protect the information in a moderate
risk environment.
In the enterprise environment, systems are typically susceptible to local and remote threats. In fact, threats often encompass all the categories
of threats defined in Section 2.3. Local attacks, such as unauthorized usage of another user’s workstation, most often lead to a loss of
confidentiality (e.g., unauthorized access to data) but may also lead to a loss of integrity (e.g., data modification) or availability (e.g., theft of a
system). Remote threats may be posed not only by attackers outside the organization, but also by internal users who are attacking other
internal systems across the organization’s network. Most security breaches caused by remote threats involve malicious payloads sent by
external parties, such as viruses and worms acquired via e-mail or infected Web sites. Threats against network services tend to payloads and
network service attacks are most likely to affect availability (e.g., crashing the system, consuming all network bandwidth, breaking
functionality) but may also affect integrity (e.g., infecting data files) and confidentiality (e.g., providing remote access to sensitive data). Data
disclosure threats tend to come from internal parties who are monitoring traffic on local networks, and they primarily affect confidentiality.
Figure 2-3. Typical Enterprise Network Architecture
2.4.3 - Specialized Security-Limited Functionality
A specialized security-limited functionality environment is any environment, networked or standalone, that is at high risk of attack or data
exposure. Figure 2-4 shows examples of systems that are often found in specialized security-limited functionality environments, including
outward-facing Web, e-mail, and DNS servers, and firewalls. Typically, providing sufficiently strong protection for these systems involves a
significant reduction in system functionality. It assumes systems have limited or specialized functionality in a highly threatened environment such
as an outward facing firewall or public Web server, or whose data content or mission purpose is of such value that aggressive trade-offs infavor of security outweigh the potential negative consequences to other useful system attributes such as legacy applications or interoperability
with other systems. The specialized security-limited functionality environment encompasses computers that contain highly confidential
information (e.g., personnel records, medical records, financial information) and perform vital organizational functions (e.g., accounting,
payroll processing, air traffic control). These computers might be targeted by third parties for exploitation, but also might be targeted by
trusted parties inside the organization.
A specialized security-limited functionality environment could be a subset of a SOHO or enterprise environment. For example, three desktops
in an enterprise environment that hold confidential employee data could be thought of as a specialized security-limited functionality
environment within an enterprise environment. In addition, a laptop used by a mobile worker might be a specialized security-limited
functionality environment within a SOHO environment. A specialized security-limited functionality environment might also be a self-contained
environment outside any other environment—for instance, a government security installation dealing in sensitive data.
Systems in specialized security-limited functionality environments face the same threats as systems in enterprise environments. Threats from
both insiders and external parties are a concern. Because of the risks and possible consequences of a compromise in a specialized security-
limited functionality environment, it usually has the most functionally restrictive and secure configuration. The suggested configuration is
complex and provides the greatest protection at the expense of ease of use, functionality, and remote system management. In a specializedsecurity-limited functionality environment, this guide is targeted at experienced security specialists and seasoned system administrators who
understand the impact of implementing these strict requirements.
Figure 2-4. Examples of Specialized Security-Limited Functionality Systems
2.4.4 - Legacy
A legacy environment contains older systems or applications that use outdated communication mechanisms. This most often occurs when
machines operating in a legacy environment need more open security settings so they can communicate to the appropriate resources. For
example, a system may need to use services and applications that require insecure authentication mechanisms such as null user sessions or
open pipes. Because of these special needs, the system does not fit into any of the standard environments; therefore, it should be classified as
a legacy environment system. Legacy environments may exist within SOHO and enterprise environments, and in rare cases within specialized
security-limited functionality environments as well. Depending on the situation, a legacy environment may face any combination of internal and
external threats. The potential impact of the threats should be determined by considering the threats that the system faces (as described in the
previous three sections) and then considering what additional risk the system has because of the legacy accommodations.
2.4.5 - SecurityDocumentation
An organization typically has many documents related to the security of Windows 7 systems. Foremost among the documents is a Windows 7
security configuration guide that specifies how Windows 7 systems should be configured and secured. As mentioned in Section 2.2, NIST SP800-53 proposes management, operational, and technical security controls for systems, each of which should have associated documentation.
In addition to documenting procedures for implementing and maintaining various controls, every environment should also have other security-
related policies and documentation that affect the configuration, maintenance, and usage of systems and applications. Examples of such
documents are as follows:
Rules of behavior and acceptable use policy
Configuration management policy, plan, and procedures
Authorization to connect to the network
IT contingency plans
Security awareness and training for end users and administrators.
2.5 - Implementation and Testing of Security Controls
Implementing security controls can be a daunting task. As described in Section 2.2, many security controls have a negative impact on system
functionality and usability. In some cases, a security control can even have a negative impact on other security controls. For example, installing
a patch could inadvertently break another patch, or enabling a firewall could inadvertently block antivirus software from automaticallyupdating its signatures or disrupt patch management software, remote management software and other security and maintenance-related
utilities. Therefore, it is important to perform testing for all security controls to determine what impact they have on system security,
functionality, and usability, and to take appropriate steps to address any significant issues.
As described in Section 5, NIST has compiled a set of security templates, as well as additional recommendations for security-related
configuration changes. The controls proposed in this guide and the NIST Windows 7 security templates are consistent with the FISMA
controls, as discussed in Section 2.2. The NIST template for Specialized Security-Limited Functionality environments represents the
consensus settings from CIS, DISA, Microsoft, NIST, NSA, and USAF; the other NIST templates are based on Microsoft’s templates and
recommendations.
Although the guidance presented in this document has undergone considerable testing, every system is unique, so it is certainly possible for
certain settings to cause unexpected problems. System administrators should perform their own testing, especially for the applications used by
their organizations, to identify any functionality or usability problems before the guidance is deployed throughout organizations. It is also
critical to confirm that the desired security settings have been implemented properly and are working as expected. See Section 4.4 for
information on tools that can identify security-related misconfigurations and vulnerabilities on Windows 7 systems.
2.6 - Monitoring and Maintenance
Every system needs to be monitored and maintained on a regular basis so that security issues can be identified and mitigated promptly,
reducing the likelihood of a security breach. However, no matter how carefully systems are monitored and maintained, incidents may still
occur, so organizations should be prepared to respond to them. Depending on the environment, some preventative actions may be partially or
fully automated. Guidance on performing various monitoring and maintenance activities is provided in subsequent sections of this document or
other NIST publications. Recommended actions include the following:
Subscribing to and monitoring various vulnerability notification mailing lists (e.g., Microsoft Security Notification Service)
Acquiring and installing software updates (e.g., OS and application patches, antivirus signatures)
Monitoring event logs to identify problems and suspicious activity
Providing remote system administration and assistance
Monitoring changes to OS and software settings
Protecting and sanitizing media
Responding promptly to suspected incidents
Assessing the security posture of the system through vulnerability assessments
Disabling unneeded user accounts and deleting accounts that have been disabled for some time
Maintaining system, peripheral, and accessory hardware (periodically and as needed), and logging all hardware
maintenance activities.
2.7 - Summary of Recommendations
Protect each system based on the potential impact to the system of a loss of confidentiality, integrity, or availability.
Reduce the opportunities that attackers have to breach a system by resolving security weaknesses and limiting
functionality according to the principle of least privilege.
Select security controls that provide a reasonably secure solution while supporting the functionality and usability that users
require.
Use multiple layers of security so that if one layer fails or otherwise cannot counteract a certain threat, other layers might
prevent the threat from successfully breaching the system.
Conduct risk assessments to identify threats against systems and determine the effectiveness of existing security controls in
counteracting the threats. Perform risk mitigation to decide what additional measures (if any) should be implemented.
Document procedures for implementing and maintaining security controls. Maintain other security-related policies and
documentation that affect the configuration, maintenance, and usage of systems and applications, such as acceptable use
policy, configuration management policy, and IT contingency plans.
Test all security controls, including the settings in the NIST security templates, to determine what impact they have on
system security, functionality, and usability. Take appropriate steps to address any significant issues before applying the
controls to production systems.
Monitor and maintain systems on a regular basis so that security issues can be identified and mitigated promptly. Actions
include acquiring and installing software updates, monitoring event logs, providing remote system administration andassistance, monitoring changes to OS and software settings, protecting and sanitizing media, responding promptly to
suspected incidents, performing vulnerability assessments, disabling and deleting unused user accounts, and maintaining
hardware.
3 - Windows 7 Security Components Overview
This section presents an overview of the various security features offered by the Windows 7 Enterprise operating system (OS). Many of the
components have been inherited from earlier versions of Windows, often with improvements and enhancements. Windows 7 also includes
several new security features. This guide provides general descriptions of most of these features, with pointers or links to more detailed
information whenever possible.
3.1 - New Features in Windows 7
Windows 7 comes with several new security features. Each new security feature is briefly described below, and most also include a reference
to a Microsoft Web page that contains more detailed information. This section also includes an analysis of the security impact of each feature
and general recommendations for when the feature should or should not be used. The new security features in Windows 7 are as follows:
3.2 - Security Features Inherited from earlier Windows versions
This section discusses the most significant security features inherited from previous Windows versions: Kerberos, smart card support, Internet
Protocol Security, Encrypting File System, Windows Firewall, Bitlocker Drive Encryption, Windows Defender, and User Account Control
(UAC). For each security feature, the section includes a brief description, an analysis of the security impact of each feature, and general
recommendations for when the feature should or should not be used. It is outside the scope of this document to cover the features in great
depth, so pointers to resources with additional information are provided as needed.
3.2.1 - Kerberos
In a domain, Windows 7 provides support for MIT Kerberos v.5 authentication, as defined in Internet Engineering Task Force (IETF)
Request for Comment (RFC) 1510. The Kerberos protocol is composed of three subprotocols: Authentication Service (AS) Exchange,
Ticket-Granting Service (TGS) Exchange, and Client/Server (CS) Exchange. The Kerberos v.5 standard can be used only in pure Windowsdomain environments. Windows domain members use Kerberos as the default network client/server authentication protocol, replacing the
older and less secure NTLM and LanManager (LM) authentication methods. The older methods are still supported to allow legacy Windows
clients to authenticate to a Windows domain environment. Windows 7 standalone workstations and members of NT domains do not use
Kerberos to perform local authentication; they use the traditional NTLM. Because Kerberos provides stronger protection for logon
credentials than older authentication methods, it should be used whenever possible. NIST recommends disabling LM and NTLM v1 in
specialized security-limited functionality environments, and disabling LM in all other environments.
3.2.2 - Smart Card Support
In the past, interactive logon meant an ability to authenticate a user to a network by using a form of a shared credential, such as a hashed
password. Windows 7 supports public-key interactive logon by using a X.509 v.3 certificate stored on a smart card. (This can be used only
to log on to domain accounts, not local accounts, unless third party software has replaced the built-in Graphical Identification and
Authentication [GINA].) Instead of a password, the user types a personal identification number (PIN) to the GINA, and the PIN
authenticates the user to the card. This process is fully integrated with the Microsoft implementation of Kerberos. Smart card-based
authentication is appropriate for specialized security-limited functionality environments in which strong authentication is required, and one-
factor authentication (username and password) is insufficient. Smart cards provide two-factor authentication, because users must possess the
physical smart card and must know the PIN. If smart cards or other types of authentication tokens are being used, the organization should
have a policy and procedures in place to educate users on properly using tokens (e.g., not sharing them with other users) and protecting them
(e.g., immediately reporting a lost or stolen token).
3.2.3 - Internet Protocol Security
Windows 7 includes an implementation of the IETF Internet Protocol Security (IPsec) standard called Windows IP Security. It provides
network-level support for confidentiality and integrity. Confidentiality is achieved by encrypting packets, which prevents unauthorized parties
from gaining access to data as it passes over networks. Integrity is supported by calculating a hash for each packet based partially on a secret
key shared by the sender and receiver, and sending the hash in the packet. The recipient will recalculate the hash, and if it matches the original
hash, then the packet was not altered in transit. Windows IP Security also offers packet filtering capabilities, such as limiting traffic based on
the source or destination IP address. Windows IP Security provides a solution for protecting data traversing public networks (e.g., the
Internet) and for protecting sensitive data on private networks (e.g., an enterprise LAN). It is also commonly used to protect wireless
network communications in enterprise and SOHO environments. Using Windows IP Security in conjunction with a personal firewall such as
Windows Firewall can provide protection against network-based attacks by limiting both inbound and outbound packets.
3.2.4 - Encrypting File System
The Encrypting File System (EFS) provides users a method to transparently encrypt or decrypt files and folders residing on an NTFS-
formatted volume. In addition, EFS now maintains encryption persistence, which means that any file or folder that has been designated asencrypted will remain encrypted when moved to another NTFS-formatted filesystem. Files are still transmitted unencrypted across the
network (except when Web Distributed Authoring and Versioning [WebDAV] is used, which will transmit encrypted files across networks),
so users should transfer the files through a separate encrypting protocol, such as TLS or IPsec. EFS is best used to provide local encryption
for files and is particularly useful for laptops and other systems at high risk of physical attack.
3.2.5 - Windows Firewall
Windows Firewall is a stateful personal firewall. When properly configured, it limits the access that other computers have to the Windows 7
machine through the network. This significantly reduces the exposure of the machine to network-based attacks such as the Blaster worm.
Windows Firewall can also be used to protect shares when a mobile computer is used outside its normal secure and trusted environment, or
to protect access to network shares on an untrusted network. Domain administrators can disable the use of Windows Firewall through Group
Policy, but this is generally not recommended unless it is interfering with required functionality or a third party firewall is already in use.
Administrators can also use Group Policy to set any Windows Firewall configuration option. Windows Firewall can add another layer to a
network security model in enterprise and specialized security-limited functionality environments, and it is sometimes the only layer of network
defense in SOHO environments.
3.2.6 - Bitlocker Drive Encryption
BitLocker helps keep everything from documents to passwords safer by encrypting the entire drive that Windows and your data reside on.
Once BitLocker is turned on, any file you save on that drive is encrypted automatically. BitLocker To Go—a new feature of Windows 7—
gives the lockdown treatment to easily-misplaced portable storage devices like USB flash drives and external hard drives.
3.2.7 - Windows Defender
Windows Defender is software that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware
and other unwanted software by detecting and removing known spyware from your computer. Windows Defender features Real-TimeProtection, a monitoring system that recommends actions against spyware when it's detected, minimizes interruptions, and helps you stay
productive. Windows Defender does not perform the functions normally associated with an anti-virus application.
3.2.8 - User Account Control
User Account Control (UAC) is a security component first introduced in Windows Vista. UAC enables users to perform common tasks as
non-administrators, called standard users in Windows 7, and as administrators without having to switch users, log off, or use Run As. A
standard user account is synonymous with a non-administrative user account in Windows. User accounts that are members of the local
Administrators group will run most applications as a standard user. By separating user and administrator functions while enabling productivity,
UAC is an important enhancement for Windows 7.
3.3 - Summary of Recommendations
Disable LM and NTLM v1 in specialized security-limited functionality environments.
Use Kerberos authentication whenever possible.
As appropriate, use Smart Cards or another multifactor authentication method.
As appropriate, use Windows IP Security to protect data traversing public networks and sensitive data on private
networks.
Use EFS to protect confidential data.
Use host-based firewalls on systems.
Consider implementing Bitlocker Drive Encryption on systems that store sensitive data. This is particular important for
mobile systems and systems that may not be physically secure.
Utilize an anti-spyware product to protect system integrity
Enable User Account Control to help ensure the principle of least privilege while enabling productivity.
4 - Installation, Backup, and Patching
This section of the guide contains advice on performing Windows 7 installations, and backing up and patching Windows 7 systems. It
discusses the risks of installing a new system on a network and the factors to consider when partitioning Windows 7 hard drives. It alsodescribes various installation techniques and provides pointers to more information on performing them. Another important topic is the abilityof Windows 7 to back up and restore data and system configuration information. This section also discusses how to update existing systems
through Microsoft Update and other means to ensure that they are running the latest service packs and hotfixes. Advice is also presented on
identifying missing patches and security misconfigurations on systems.
Organizations should have sound configuration management policies that govern changes made to operating systems and applications, such as
applying patches to an operating system or modifying application configuration settings to provide greater security. Configuration management
policies should also address the initial installation of the operating system, the installation of each application, and the roles, responsibilities,
and processes for performing and documenting system changes caused by upgrades, patches, and other methods of modification.
4.1 - Performing a New Installation
This guide assumes that a new Windows 7 installation is being performed from scratch. If an administrator or user is upgrading an existing
Windows installation, some of the advice in this guide may be inappropriate and could possibly cause problems. Because a machine is
unsecured and very vulnerable to exploitation through the network during installation, it is recommended that all installations and initial
patching be done with the computer disconnected from any network. If a computer must be connected to a network, then it is recommended
that the network be isolated and strongly protected (e.g., shielded by a firewall on a trusted network segment) to minimize exposure to any
network attacks during installation. If possible, the latest service pack and security patches should be downloaded from Microsoft’s Web
site, archived to read-only media, such as CD-ROMs, and kept physically secure.
4.1.1 - Partitioning Advice
One of the major decisions during installation is how to partition hard drives. The primary consideration is how large the disk drive is; for
example, partitioning is not recommended for drives under 6 gigabytes (GB). For larger drives, the following factors should be considered:
How large is the drive?
How many physical drives does the machine have?
If the system only has one drive, is there a desire to logically separate the OS and applications from data? An example of
the benefit of this is that if the OS needs to be upgraded or reinstalled, the data can easily be preserved.
What is the purpose of this computer? For example, if a computer will be used to share files within a workgroup, it may
be useful to have a separate partition for the file share.
Is there a need for redundancy (e.g., mirroring a data partition onto a second drive)?
Windows 7 provides a feature known as dynamic disks. On a dynamic disk, partition sizes can be changed as needed. For example, an
administrator could create an OS and applications partition and a data partition on a large drive, leaving much of the drive space available for
future allocation. As needed, the administrator can use the free space to create new partitions and to expand the existing partitions. This
provides considerable flexibility for future growth. Users are cautioned that, as with any other feature, dynamic disks should be tested before
deploying them on production systems.
Another important consideration during installation is which type of filesystem to use for each partition. NIST recommends using NTFS for
each partition unless there is a particular need to use another type of filesystem. Section 7.1 contains more information on NTFS and other
filesystem options.
4.1.2 - Installation Methods
There are several ways to perform Windows 7 installations. This section covers three primary methods: local installations, cloning through
Sysprep, and the Remote Installation Services (RIS).
4.1.2.1 - Local Installation
The local installation approach refers to traditional methods of installing Windows, such as using a Microsoft CD. This is effective only for
installing a small number of computers at a time because it requires user attention throughout the installation. When installing Windows 7 from
a CD, follow the default steps, except for the following:
For the Network Setting configuration, select Custom and disable all network clients, services, and protocols that are not
required. Although this will help to limit the computer’s exposure to network-based attacks, consider the implications of
disabling each service because this may inadvertently break required functionality (e.g., connecting to remote servers and
printers). See Section 7.5 for more information on network clients, services, and protocols. Consider disabling thefollowing services:
Client for Microsoft Networks (most users will require this service)
Client Service for NetWare
File and Printer Sharing for Microsoft Networks
QoS Packet Scheduler
NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
If possible, assign an Internet Protocol (IP) address, default gateway, and domain name system (DNS) server.
Even if the computer will be joining a domain, choose to be in only a workgroup, and change the workgroup name to
something other than the default of WORKGROUP.
Set all environment-specific settings, such as the time zone.
When the installation prompts for accounts to be added, only one account should be added initially. Other accounts can always been added
later once the system is fully patched and configured. By default, the account created during the installation and the built-in Administrator
account both belong to the Administrators group. After the initial post-installation boot, assign both accounts strong passwords. The next task
is to install the latest service pack and hotfixes. Only after the machine has been brought up to current patch levels should it be connected to a
regular network. Then, the networking configuration can be changed, such as joining the workstation to a domain, or assigning a workgroup
to enable sharing of workgroup resources (e.g., shared directories, printers). Other services that were disabled during installation can be
enabled if needed. It is also helpful to scan through the list of installed Windows components, determine which applications and utilities (e.g.,
Internet games) are not needed, and remove them.
4.1.2.2 - Sysprep
Sysprep is a tool that permits an image from a single Windows 7 computer installation, known as a gold system, to be cloned onto multiple
systems in conjunction with a cloning software program such as Symantec Ghost or cloning hardware. This technique reduces user
involvement in the installation process to approximately 5 to 10 minutes at the start of the installation. The Sysprep approach has several
benefits. Because the standard image can be created with a strong security configuration, Sysprep reduces the possibility of human error
during the installation process. In addition, the Windows 7 installation occurs more quickly with Sysprep. This is beneficial not only for
building new systems, but also for reinstalling and reconfiguring the operating system and applications much more quickly when needed - for
example, as a result of hardware failure or a virus infection. In preparing the “gold” image for Sysprep, the same guidelines used for a local
installation should be used, with the addition of enabling any needed services and patching the system. It is also important to physically secure
image media so that it is not inadvertently or purposely altered.
4.1.2.3 - Remote Installation Services
The Remote Installation Services (RIS) allow a computer to be booted from the network and then to automatically install an instance of
Windows 7. RIS can be configured to perform either a completely automated and unattended installation with RISetup, or one that requires
minimal user attendance (similar to the Sysprep tool) with RIPrep. Several hardware and software dependencies exist; therefore, Microsoft'sdocumentation on the tool should be consulted for detailed instructions regarding how to configure this installation method.
The RIS method has the same advantages as Sysprep. RIS has the additional advantage of not needing the machine to be installed to have
direct access to the physical install media (e.g., a CD-ROM). This can be ideal in a specialized security-limited functionality environment in
which machines might not have CD-ROM drives. The primary disadvantage of RIS is that the machine must be connected to a network while
it is being installed. This could open up a window of opportunity to exploit a security weakness before installation is completed.
4.2 - Backing Up Systems
To increase the availability of data in case of a system failure or data corruption caused by a power failure or other event, Windows 7 has
built-in capabilities to back up and restore data and systems. Users run the Backup and Restore Center, which automates most of the
processes. For example, during a backup the user is presented with several options, including backing up the current user’s files and settings,
backing up all users’ files and settings, and backing up the whole system. This allows the user to back up data and systems without having to
manually indicate which files and directories should be backed up, if the user’s files are where the backup program expects them to be. To
open the Backup and Restore center, perform the following steps:
1. Open the Control Panel and select 'Backup or restore your files'
2. If this is your first time using the center select 'Set up backup'
the Backup and Restore Center is used to both backup or restore files. It is very important to verify periodically that backups and restores
can be performed successfully; backing up a system regularly may not be beneficial if the backups are corrupt or the wrong files are being
backed up, for example. Organizations should have policies and procedures that address the entire backup and recovery process, as well as
the protection and storage of backup media and recovery disks. Because backups may contain sensitive user data as well as system
configuration and security information (e.g., passwords), backup media should be properly protected to prevent unauthorized access.
Besides the backup wizards and utilities provided by Windows 7, there are also various third-party utilities for backing up and restoring files
and systems. It is important to verify that the third-party software can properly back up and restore Windows 7 specific resources, such as
the Windows registry and EFS-encrypted files and folders. Windows 7's built-in utilities also use a shadow copy backup technique when
possible, which allows it to create backups of files that are in use. Third-party backup utilities used on Windows 7 systems should have good
mechanisms for handling open files.
4.3 - Updating Existing Systems
Host security - securing a given computer - has become increasingly important. As such, it is essential to keep a host up to current patch
levels to eliminate known vulnerabilities and weaknesses. In conjunction with antivirus software and a personal firewall, patching goes a long
way to securing a host against outside attacks and exploitation. Microsoft provides two mechanisms for distributing security updates:
Automatic Updates and individual patch distribution. In smaller environments, either method may be sufficient for keeping systems current
with patches. Other environments typically have a software change management control process or a patch management program that tests
patches before deploying them; distribution may then occur through local Windows Update Services (WUS) or Windows Server Update
Services (WSUS) servers or through a third party configuration management tool. This section discusses Automatic Updates as well as patch
management considerations for managed environments. This section also defines the types of updates that Microsoft typically provides.
4.3.1 - Update Notification
As described later in this section, it is possible to configure Windows 7 systems to download critical updates automatically. However, this still
leaves other updates that can only be downloaded manually. Therefore, it is important for Windows 7 system administrators to be notified of
new updates that Microsoft releases. The Microsoft Security Notification Service is a mailing list that notifies subscribers of new security
issues and the availability of all types of Microsoft updates. Microsoft security bulletins are also available online from the TechNet Security
Resource Center. Individual bulletins are issued for each new vulnerability and are incorporated into monthly bulletins that list the
vulnerabilities and potential severity (e.g., critical, important, moderate). Each bulletin provides guidance regarding under what circumstances
the suggested mitigation strategy (e.g., patch) should be applied.
4.3.2 - Microsoft Update Types
Microsoft releases updated code for Windows 7-related security issues through three mechanisms: hotfixes, security rollups, and service
packs.
A hotfix is a patch that fixes a specific problem. When a new vulnerability is discovered in Windows 7 or a Microsoft
application (e.g., Internet Explorer), Microsoft develops a hotfix that will resolve the problem. Hotfixes are released on an
individual basis as needed. Hotfixes should be applied as soon as practical for vulnerabilities that are likely to be
exploited. (Whenever possible, hotfixes should first be tested on a nonproduction system to ensure that they do not
inadvertently break functionality or introduce a new security problem by invalidating a previously configured security
control.)
A security rollup is a collection of several hotfixes. The security rollup makes the same cumulative changes to the systemthat would be performed if each hotfix were installed separately. However, it is easier to download and install a single
security rollup than 10 hotfixes. Microsoft releases security rollups on occasion when merited. Security rollups are most
useful for updating existing systems that have not been maintained and for patching new systems.
A service pack (SP) is a major upgrade to the operating system that resolves dozens of functional and security problems
and often introduces some new features or makes significant configuration changes to systems. Service packs incorporate
most previously released hotfixes, so once an SP has been applied to a system, there is no need to install the hotfixes that
were included in the service pack. Service packs are released on a periodic basis. Because SPs often make major
changes to the operating system, organizations should test the SP thoroughly before deploying it in production. In SOHO
environments, the best approach is to delay installation of the SP for at least a few weeks so that early adopters can
identify any bugs or issues. However, if the SP provides a fix for a major security issue, and the fix is not available through
hotfixes, it may be less risky to install the SP immediately than to let the system remain unpatched.
4.3.3 - Automatic Updates
One facility that is available to patch systems with little to no user intervention is the Automatic Updates feature. When enabled, it will
automatically check the Microsoft update servers for OS and Microsoft application updates, including service packs, security roll-ups, and
hotfixes, as well as updated hardware drivers. Automatic Updates has a prioritization feature that ensures the most critical security updates
are installed before less important updates.
Automatic Updates provides four configuration options to users:
Install updates automatically
Download updates but let me choose whether to install them
Check for updates but let me choose whether to download and install them
Never check for updates
The following options are also cofigurable:
The day and time to install updates if Install updates automatically is selected.
Give me recommended updates the same way I receive important updates
Allow all users to install updates on the computer
Give me updates for Microsoft products and check for new optional Microsoft software when I update WindowsShow me detailed notifications when new Microsoft software is available
Generally, it is best to configure the system to download updates automatically, unless bandwidth usage is a concern. For example,
downloading patches could adversely affect the functionality of a computer that is connected to the Internet on a slow link. In this case, it
would be preferable for Automatic Updates to be configured to notify the user that new patches are available. The user should then make
arrangements to download the patch at the next time when the computer is not needed for normal functionality. Choosing whether to install
updates automatically or prompt the user is dependent upon the situation. If the user is likely to ignore the notifications, then it may be more
effective to install the updates on a schedule. If the system is in use at unpredictable days and times, then it may be difficult to set a schedule
that will not interfere with system usage. Another issue to consider is that many updates require the system to be rebooted before the update
takes effect. Windows 7 offers an Install updates and shutdown option as part of its Shut Down dialog box, which may be helpful in
reminding users to launch the update installation process.
It is highly recommended that the Automatic Updates service be enabled to keep the OS and key Microsoft applications (e.g., Internet
Explorer, Outlook Express) fully patched. To enable Automatic Updates, perform the following steps:
1. Click the Start menu and select Control Panel.
2. Select System and Security.
3. Select Turn Automatic Updating On or Off.
4. Choose the appropriate selection in the combobox (such as Download updates for me, but let me choose when to
install them).
5. Configure additional options as desired
6. Click OK to apply the settings.
A user can also force the system to check for available updates by selecting Windows Update from the start menu.
Some organizations do not want the latest updates applied immediately to their Windows systems. For example, in a managed environment it
may be undesirable for hotfixes to be deployed to production systems until they have been tested by Windows administrators and security
administrators. In addition, in large environments, many systems may need to download the same hotfix simultaneously. This could cause a
serious impact on network bandwidth. Organizations with such concerns often establish a local WUS or WSUS update server that contains
approved updates or implement another method of patch management. The Automatic Updates feature on Windows 7 systems should then
be configured to point to the local update server. Unfortunately, although WUS and WSUS provide a method for distributing Microsoft
updates, they cannot be used to distribute third party software updates.
4.3.4 - Patching in Managed Environments
Enterprise and specialized security-limited functionality environments, especially those that are considered managed environments, should
have a patch management program that is responsible for acquiring, testing, and verifying each patch, then arranging for its distribution to
systems throughout the organization. NIST SP 800-40 version 2, Creating a Patch and Vulnerability Management Program, provides in-
depth advice on establishing patching processes and testing and applying patches. For each patch that is released, the patch management
team should research the associated vulnerabilities and prioritize the patch appropriately. It is not uncommon for several patches to be
released in a relatively short time, and typically one or two of the patches are much more important to the organization than the others. Each
patch should be tested with system configurations that are representative of the organization’s systems. Once the team determines that the
patch is suitable for deployment, the patch needs to be distributed through automated or manual means for installation on all appropriate
systems. (There are several third-party applications available for patch management and distribution, which support many types of platforms
and offer functionality that supports enterprise requirements.) Finally, the team needs to check systems periodically to confirm that the patch
has been installed on each system, and to take actions to ensure that missing patches are applied.
Microsoft offers the following command-line tools that may be helpful in hotfix deployment, as follows:
The qchain.exe tool allows multiple hotfixes to be installed at one time, instead of installing a hotfix, rebooting, then
installing another hotfix.
The qfecheck.exe tool can be used to track and verify installed hotfixes.
4.4 - Identifying Security Issues
Host security is largely dependent upon staying up to date with security patches as well as identifying and remediating other security
weaknesses. The Microsoft Baseline Security Analyzer (MBSA) is a utility that can scan the local computer and remote computers to identify
security issues. MBSA must have local administrator-level access on each computer that it is scanning. MBSA offers both graphical user
interface (GUI) and command-line interfaces. MBSA can identify which updates are missing from the operating system and common
Microsoft applications (e.g., Internet Explorer, Media Player, Internet Information Services [IIS], Exchange Server, Structured Query
Language [SQL] Server) on each system. For the operating system and a few applications (e.g., Internet Explorer, IIS, SQL Server, Office),
it can also identify other security issues, such as insecure configurations and settings. MBSA only identifies the problems; it has no ability to
change settings or download and install updates onto systems. The methods discussed in Section 4.3 should be used to download and applypatches.
Individual systems can also monitor their own security state and alert users of potential problems. Windows 7 offers the Windows Security
Action Center, which is a service that can be configured to monitor the state of the system’s firewall (either Windows Firewall or a third-party
firewall) and antivirus software, as well as the settings for Automatic Updates. Windows Security Center can generate alerts if the firewall,
antivirus software, or Automatic Updates feature is not enabled, and also if certain major configuration settings are insecure, such as not
setting antivirus software to perform real-time scanning, and not setting Automatic Updates to download and install updates automatically.
Windows Security Center can monitor several types of third-party firewall and antivirus software. Windows Security Center is most helpful in
SOHO environments, so that users can monitor the security state of their systems. In an enterprise environment, systems might be updated
through methods other than Automatic Updates, and the status of systems' firewalls and antivirus software might already be monitored
centrally.
4.5 - Summary of Recommendations
Use the recommendations presented in this guide only on new Windows 7 systems, not systems upgraded from previous
versions of Windows. For upgraded systems, some of the advice in this guide may be inappropriate and could possibly
cause problems.
Have sound configuration management policies that govern changes made to operating systems and applications, such as
applying patches and modifying configuration settings.
Until a new system has been fully installed and patched, either keep it disconnected from all networks, or connect it to an
isolated, strongly protected network.
Use NTFS for each hard drive partition unless there is a particular need to use another type of filesystem.
Disable all network clients, services, and protocols that are not required.
Assign strong passwords to the built-in administrator account and the user account created during installation.
Keep systems up to current patch levels to eliminate known vulnerabilities and weaknesses.
Use MBSA or other similar utilities on a regular basis to identify patch status issues.
5 - USGCB Security Settings
This section identfies specific controls identified as part of the USGCB for Windows 7 that must be implemented. Most of the settings in thissection can be configured manually using the Local Security Policy mmc snap-in.
5.1 - Account Policies Group
5.1.1 - Account Lockout Policy Settings
Attackers often attempt to gain access to user accounts by guessing passwords. Windows 7 can be configured to lock out (disable) an
account when too many failed login attempts occur for a single user account in a certain time period. The following account lockout
parameters are set in the NIST templates:
One of the main challenges in setting account policies is balancing security, functionality, and usability. For example, locking out user accounts
after only a few failed logon attempts in a long time period may make it more difficult to gain unauthorized access to accounts by guessing
passwords, but may also sharply increase the number of calls to the help desk to unlock accounts accidentally locked by failed attempts from
legitimate users. This could also cause more users to write down their passwords or choose easier-to-remember passwords. Organizations
should carefully think out such issues before setting Windows 7 account policies.
CCE-9308-8 Account Lockout Duration
This value specifies how long the user account should be locked out. This is often set to a lowbut substantial value (e.g., 15 minutes), for two reasons. First, a legitimate user that isaccidentally locked out only has to wait 15 minutes to regain access, instead of asking anadministrator to unlock the account. Second, an attacker who is guessing passwords using bruteforce methods will only be able to try a small number of passwords at a time, then wait 15minutes before trying any more. This greatly reduces the chances that the brute force attack willbe successful.
CCE-9136-3 Account Lockout ThresholdThe threshold value specifies the maximum number of failed attempts that can occur before theaccount is locked out.
CCE-9400-3Reset Account Lockout CounterAfter
This specifies the time period to be used with the lockout threshold value. For example, if thethreshold is set to 10 attempts and the duration is set to 15 minutes, then if more than 10 failedlogin attempts occur with a single user account within a 15-minute period, the account will bedisabled.
5.1.2 - Password Policy Settings
In addition to educating users regarding the selection and use of good passwords, it is also important to set password parameters so thatpasswords are sufficiently strong. This reduces the likelihood of an attacker guessing or cracking passwords to gain unauthorized access to
the system.86 As described in Section 3.2.1, NIST recommends the use of NTLM v2 or Kerberos instead of LM or NTLM v1 for
authentication. The following parameters are specified in the NIST templates:
CCE-8912-8 Enforce Password History
This setting determines how many old passwords the system will remember for each account.Users will be prevented from reusing any of the old passwords. For example, if this is set to 24,then the system will not allow users to reuse any of their last 24 passwords. Old passwords mayhave been compromised, or an attacker may have taken a long time to crack encryptedpasswords. Reusing an old password could inadvertently give attackers access to the system.
CCE-9193-4 Maximum Password Age
This forces users to change their passwords regularly. The lower this value is set, the more likelyusers will be to choose poor passwords that are easier for them to remember (e.g., Mypasswd1,Mypasswd2, Mypasswd3). The higher this value is set, the more likely the password will becompromised and used by unauthorized parties.
CCE-9330-2 Minimum Password Age
This setting requires users to wait for a certain number of days before changing their passwordagain. The setting prevents a user from changing a password when it reaches the maximum ageand then immediately changing it back to the previous password. Unfortunately, this setting alsoprevents users who inadvertently reveal a new password to others from changing it immediatelywithout administrator intervention.
CCE-9357-5 Minimum Password Length
This setting specifies the minimum length of a password in characters. The rationale behind thissetting is that longer passwords are more difficult to guess and crack than shorter passwords.The downside is that longer passwords are often more difficult for users to remember.Organizations that want to set a relatively large minimum password length should encouragetheir users to use passphrases, which may be easier to remember than conventional passwords.
CCE-9370-8 Password Complexity
Like the Minimum Password Length setting, this setting makes it more difficult to guess or crackpasswords. Enabling this setting implements complexity requirements including not having theuser account name in the password and using a mixture of character types, including upper caseand lower case letters, digits, and special characters such as punctuation marks.
CCE-9260-1 Reversible Password EncryptionIf this setting is enabled, passwords will be stored in a decryptible format, putting them at higherrisk of compromise. This setting should be disabled unless it is needed to support a legacyauthentication protocol, such as Challenge Handshake Authentication Protocol (CHAP).
5.2 - Local Policies Group
5.2.1 - Audit Policy Settings
Windows 7 includes powerful system auditing capabilities. The purpose of auditing is to record certain types of actions to a log, so that
system administrators can review the logs and detect unauthorized activity. Audit logs may also be helpful when investigating a security
incident that has occurred. As shown in Table 6-1, system auditing is available for logon events, account management, directory service
access, object access, policy change, privilege use, process tracking, and system events. Each audit policy category can be configured to
record successful events, failed events, both successful and failed events, or neither. Section 7.3 describes how file auditing can be
configured, as well as how the Event Viewer can be used to review log entries.
5.2.2 - User Rights Assignments
The NIST security templates specify which groups (e.g., Administrators, Users) have certain user rights. The goal is for each group to have
only the necessary rights, and for users to only belong to the necessary groups. This is the principle of least privilege, described previously in
Section 2.2. Examples of user rights that can be specified are as follows:
Accessing the system remotely and locally
Performing backups
Changing the time and date on the system
Managing the logs
Shutting down the system.
Verify that the user right '' has been granted appropriately.
CCE-9253-6Access This Computer From TheNetwork
Verify that the user right 'Access This Computer From The Network' has been grantedappropriately. (Only Administrators) NOTE: This can break IPSec see Microsoft KnowledgeBase article 823659 for further guidance
CCE-9407-8Act As Part Of The OperatingSystem
Verify that the user right 'Act As Part Of The Operating System' has been granted appropriately.(No One)
CCE-9068-8Adjust Memory Quotas For AProcess
Verify that the user right 'Adjust Memory Quotas For A Process' has been granted appropriately.
CCE-9345-0 Log On Locally Verify that the user right 'Allow Log On Locally' has been granted appropriately.
CCE-9107-4 Log On Through Terminal ServicesVerify that the user right 'Allow Log On Through Terminal Services' has been grantedappropriately.
CCE-9389-8 Back Up Files and Directories Verify that the user right 'Back Up Files and Directories' has been granted appropriately.
CCE-8414-5 Bypass Traverse Checking Verify that the user right 'Bypass Traverse Checking' has been granted appropriately.
CCE-8612-4 Change the System Time Verify that the user right 'Change the System Time' has been granted appropriately.
CCE-8423-6 Change the time zone The "Change the time zone" user right should be assigned to the appropriate accounts.
CCE-9185-0 Create A Pagefile Verify that the user right 'Create A Pagefile' has been granted appropriately.
CCE-9215-5 Create A Token Object Verify that the user right 'Create A Token Object' has been granted appropriately.
CCE-8431-9 Create Global Objects Verify that the user right 'Create Global Objects' has been granted appropriately.
CCE-9254-4 Create Permanent Shared Objects Verify that the user right 'Create Permanent Shared Objects' has been granted appropriately.
CCE-8460-8Take Ownership Of Files Or OtherObjects
Verify that the user right 'Take Ownership Of Files Or Other Objects' has been grantedappropriately.
CCE-8583-7 Debug Programs Verify that the user right 'Debug Programs' has been granted appropriately.
Deny Access To This Computer Verify that the user right 'Deny Access To This Computer From The Network' has been granted
CCE-9244-5 From The Network appropriately.
CCE-9212-2 Deny Logon As A Batch Job Verify that the user right 'Deny Logon As A Batch Job' has been granted appropriately.
CCE-9098-5 Deny Logon As A Service Verify that the user right 'Deny Logon As A Service' has been granted appropriately.
CCE-9239-5 Deny Logon Locally Verify that the user right 'Deny Logon Locally' has been granted appropriately.
CCE-9274-2Deny Logon Through RemoteDesktop Services
Verify that the user right 'Deny Logon Through Remote Desktop Services' has been grantedappropriately.
CCE-9336-9Force Shutdown From A RemoteSystem
Verify that the user right 'Force Shutdown From A Remote System' has been grantedappropriately.
CCE-9226-2 Generate Security Audits Verify that the user right 'Generate Security Audits' has been granted appropriately.
CCE-8467-3Impersonate a Client AfterAuthentication
Verify that the user right 'Impersonate a Client After Authentication' has been grantedappropriately.
CCE-9048-0 Increase a Process Working Set The "Increase a Process Working Set" setting should be configured correctly.
CCE-8999-5 Increase Scheduling Priority Verify that the user right 'Increase Scheduling Priority' has been granted appropriately.
CCE-9135-5 Load And Unload Device Drivers Verify that the user right 'Load And Unload Device Drivers' has been granted appropriately.
CCE-9289-0 Lock Pages In Memory Verify that the user right 'Lock Pages In Memory' has been granted appropriately.
CCE-9320-3 Log On As A Batch Job Verify that the user right 'Log On As A Batch Job' has been granted appropriately.
CCE-9461-5 Log On As A Service Verify that the user right 'Log On As A Service' has been granted appropriately.
CCE-9223-9Manage Auditing And SecurityLog
Verify that the user right 'Manage Auditing And Security Log' has been granted appropriately.
CCE-9149-6 Modify an object label The "Modify an object label" user right should be assigned to the appropriate accounts.
CCE-9417-7Modify Firmware EnvironmentValues
Verify that the user right 'Modify Firmware Environment Values' has been granted appropriately.
CCE-8475-6Perform Volume MaintenanceTasks
Verify that the user right 'Perform Volume Maintenance Tasks' has been granted appropriately.
CCE-9388-0 Profile Single Process Verify that the user right 'Profile Single Process' has been granted appropriately.
CCE-9419-3 Profile System Performance Verify that the user right 'Profile System Performance' has been granted appropriately.
CCE-9326-0Remove Computer From DockingStation
Verify that the user right 'Remove Computer From Docking Station' has been grantedappropriately.
CCE-8732-0 Replace A Process Level Token Verify that the user right 'Replace A Process Level Token' has been granted appropriately.
CCE-9124-9 Restore Files And Directories Verify that the user right 'Restore Files And Directories' has been granted appropriately.
CCE-9014-2 Shut Down The System Verify that the user right 'Shut Down The System' has been granted appropriately.
CCE-9309-6Take Ownership Of Files Or OtherObjects
Verify that the user right 'Take Ownership Of Files Or Other Objects' has been grantedappropriately.
5.2.3 - Security Options Settings
Besides the Local Security Policy settings mentioned earlier in this section, additional settings called Security Options can be modified to
achieve greater security than the default settings provide. The NIST templates specify values for dozens of such settings. Examples of the
types of settings available are as follows:
Limiting the use of blank passwords
Renaming the default Administrator and Guest accounts
Restricting remote access to floppy and CD-ROM drives
Encrypting secure channel data in a domain
Securing the interactive logon screen (e.g., not showing the previous user’s account name, displaying a warning banner,
prompting users to change passwords before they expire)
Restricting which types of network access may be performed
Specifying which types of authentication may be used (e.g., NTLM v2).
The Security Options settings can also be accessed and adjusted manually by performing the following steps:
1. From the Start menu, choose Control Panel.
2. Select Administrative Tools, and then choose Local Security Policy.
3. Expand Local Policies and select Security Options.
4. The right pane lists the security option and indicates the current setting for each. Make any necessary changes by double-
clicking on the appropriate security option, modifying the setting, and clicking OK to save the change.
CCE-9199-1Accounts: Administrator accountstatus
The Administrator account status is enabled to allow the administrator to perform configurationcontrol of the system.
CCE-8714-8 Accounts: Guest account status
A system faces an increased vulnerability threat if the built-in guest account is not disabled.This account is a known account that exists on all Windows systems and cannot be deleted.This account is initialized during the installation of the operating system with no passwordassigned. This account is a member of the Everyone user group and has all the rights andpermissions associated with that group, which could subsequently provide access to systemresources to anonymous users. Ensure the built-in guest account is disabled.
CCE-9418-5Accounts: Limit local account useto blank passwords to consolelogon only
In Windows 7, accounts with null or blank passwords can only be used to log on at the physicalsystem’s logon screen. This means that accounts with blank or null passwords cannot be usedover networks or with the secondary logon service (RunAs). This feature prevents attackers andmalware from gaining remote access through blank passwords. Section 6 contains information onother recommended password settings.
CCE-8484-8Accounts: Rename administratoraccount
The Administrator account is created by default when installing Windows 7, but is disabled.Associating the Administrator SID with a different name may thwart a potential hacker who istargeting the built-in Administrator account.
CCE-9229-6 Accounts: Rename guest accountThe Guest account is created by default when installing Windows 7, but is disabled. Associatingthe Guest SID with a different name may thwart a potential hacker who is targeting the built-inGuest account.
CCE-9150-4Audit: Audit the access of globalsystem objects
Controls the ability to audit access of global systems objects. When this setting is enabled,system objects such as mutexes, events, semaphores, and DOS devices, are created with adefault system access control list (SACL).
CCE-8789-0Audit: Audit the use of Backupand Restore privilege
Controls the ability to audit the use of all user privileges, including Backup and Restore. If thispolicy is disabled, certain user rights will not be audited even if "Audit privilege use" auditpolicy is enabled.
CCE-9432-6
Audit: Force audit policysubcategory settings (WindowsVista or later) to override auditpolicy category settings
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policycategory settings
CCE-9026-6Devices: Prevent users frominstalling printer drivers
This setting determines who is allowed to install a printer driver as part of adding a networkprinter.
CCE-9304-7Devices: Restrict CD-ROM accessto locally logged-on user only
Removable media devices (CD-ROM) are readable by others on the network if they are notproperly configured. A process can remain running in the background after a user logs off,thereby, permitting access to the media, while another user is logged on to the system.
CCE-9440-9Devices: Restrict floppy access tolocally logged-on user only
Removable media devices (floppy disks) are readable by others on the network if they are notproperly configured. A process can remain running in the background after a user logs off,thereby, permitting access to the media, while another user is logged on to the system.
CCE-8974-8Domain member: Digitally encryptor sign secure channel data(always)
Domain member: Digitally encrypt or sign secure channel data (always). Requests sent on thesecure channel are authenticated, and sensitive information (such as passwords) is encrypted orsigned. If this policy is enabled, outgoing secure channel traffic should be encrypted.
CCE-9251-0Domain member: Digitally encryptsecure channel data (whenpossible)
Requests sent on the secure channel are authenticated, and sensitive information (such aspasswords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoingsecure channel traffic should be encrypted.
CCE-9375-7Domain member: Digitally signsecure channel data (whenpossible)
Requests sent on the secure channel are authenticated, and sensitive information (such aspasswords) is encrypted, but the channel is not integrity checked. If this policy is enabled, alloutgoing secure channel traffic should be signed.
CCE-9295-7Domain member: Disable machineaccount password changes
Computer account passwords are changed automatically every seven days. Enabling this policyto disable automatic password changes can make the system more vulnerable to maliciousaccess. Frequent password changes can be a significant safeguard for your system. If this policyis disabled, a new password for the computer account will be generated every week.
CCE-9123-1Domain member: Maximummachine account password age
This setting controls the maximum password age that a machine account may have. This settingshould be set to no more that 30 days, ensuring that the machine changes its password monthly.
CCE-9387-2Domain member: Require strong(Windows 2000 or later) sessionkey
This setting controls the required strength of a session key.
CCE-9449-0Interactive logon: Do not displaylast user name
This setting determines whether the name of the last user to log on to the computer will bedisplayed in the Windows logon dialog box.
CCE-9317-9Interactive logon: Do not requireCTRL+ALT+DEL
Disabling the Ctrl+Alt+Del security attention sequence can compromise system security.Because only Windows responds to the Ctrl+Alt+Del security sequence, you can be assuredthat any passwords you enter following that sequence are sent only to Windows. If youeliminate the sequence requirement, malicious programs can request and receive your Windowspassword. Disabling this sequence also suppresses a custom logon banner.
CCE-8973-0Interactive logon: Message text forusers attempting to log on
Failure to display the logon banner prior to a logon attempt will negate legal proceedingsresulting from unauthorized access to system resources.
CCE-8740-3Interactive logon: Message title forusers attempting to log on
The logon banner should be titled with a warning label containing the name of the owningorganization.
CCE-8487-1Interactive logon: Number ofprevious logons to cache (in casedomain controller is not available)
The default Windows 7 configuration caches the last logon credentials for users who log oninteractively to a system. This feature is provided for system availability reasons such as theusers machine is disconnected from the network or domain controllers are not available. Eventhough the credential cache is well-protected, storing encrypted copies of users passwords onworkstations do not always have the same physical protection required for domain controllers. Ifa workstation is attacked, the unauthorized individual may isolate the password to a domain useraccount using a password-cracking program, and gain access to the domain.
CCE-9307-0Interactive logon: Prompt user tochange password before expiration
This setting configures the system to display a warning to users telling them how many days areleft before their password expires. By giving the user advanced warning, the user has time toconstruct a sufficiently strong password.
CCE-8818-7Interactive logon: Require DomainController authentication to unlockworkstation
This setting controls the behavior of the system when you attempt to unlock the workstation. Ifthis setting is enabled, the system will pass the credentials to the domain controller (if in adomain) for authentication before allowing the system to be unlocked.
CCE-9067-0Interactive logon: Smart cardremoval behavior
When the smart card for a logged-on user is removed from the smart card reader, the workstationshould be locked.
CCE-9327-8Microsoft network client: Digitallysign communications (always)
This check verifies that the client policy is set to always sign packets.
CCE-9344-3Microsoft network client: Digitallysign communications (if serveragrees)
This check verifies that the client policy is set to sign packets if the server agrees.
CCE-9265-0Microsoft network client: Sendunencrypted password to third-party SMB servers
Some non-Microsoft SMB servers only support unencrypted (plain text) passwordauthentication. Sending plain text passwords across the network, when authenticating to anSMB server, reduces the overall security of the environment. Check with the Vendor of the SMBserver to see if there is a way to support encrypted password authentication.
CCE-9406-0Microsoft network server: Amountof idle time required beforesuspending session
Administrators should use this setting to control when a computer disconnects an inactive SMBsession. If client activity resumes, the session is automatically reestablished.
CCE-9040-7Microsoft network server: Digitallysign communications (always)
This check verifies that the server policy is set to always sign packets.
CCE-8825-2Microsoft network server: Digitallysign communications (if clientagrees)
Microsoft network server: Digitally sign communications (if client agrees). This check verifiesthat the server policy is set to sign packets if the client agrees.
CCE-9358-3Microsoft network server:Disconnect clients when logonhours expire
Users should not be permitted to remain logged on to the network after they have exceeded theirpermitted logon hours. In many cases, this indicates that a user forgot to log off before leavingfor the day. However, it may also indicate that a user is attempting unauthorized access at a timewhen the system may be less closely monitored.
CCE-9531-5Network access: Allow anonymousSID-Name translation
Determines if an anonymous user can request security identifier (SID) attributes for another useror use a SID to get the corresponding username.
CCE-9249-4Network access: Do not allowanonymous enumeration of SAMaccounts
If this setting is disabled, it allows anonymous logon users (null session connections) to list allaccount names, thus providing a map of potential points to attack the system.
CCE-9156-1Network access: Do not allowanonymous enumeration of SAMaccounts and shares
If this setting is disabled, it allows anonymous logon users (null session connections) to list allaccount names and enumerate all shared resources, thus providing a map of potential points toattack the system.
CCE-8654-6
Network access: Do not allowstorage of passwords andcredentials for networkauthentication
This setting controls the storage of authentication credentials or .NET passports on the localsystem. Such credentials should never be stored on the local machine as that may lead toaccount compromise.
CCE-8936-7Network access: Let Everyonepermissions apply to anonymoususers
This setting helps define the permissions that anonymous users have. If this setting is enabledthen anonymous users have the same rights and permissions as the built-in Everyone group.Anonymous users should not have these permissions or rights.
CCE-9218-9Network access: Named Pipes thatcan be accessed anonymously -netlogon, lsarpc, samr, browser
Network access: Named Pipes that can be accessed anonymously. Pipes are internal systemcommunications processes. They are identified internally by ID numbers that vary betweensystems. To make access to these processes easier, these pipes are given names that do notvary between systems. This setting controls which of these pipes anonymous users may access.
CCE-9121-5Network access: Remotelyaccessible registry paths
Network access: Remotely accessible registrypaths(System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications; Software\Microsoft\WindowsNT\CurrentVersion)
CCE-9386-4Network access: Remotelyaccessible registry paths and subpaths
Network access: Remotely accessible registry paths ("Software\Microsoft\WindowsNT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server, System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\TerminalServer\UserConfig, System\CurrentControlSet\Control\TerminalServer\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog")
CCE-9540-6Network access: Restrictanonymous access to Named Pipesand Shares
This check determines whether anonymous access is restricted to named pipes and shares.
CCE-9196-7Network access: Shares that can beaccessed anonymously
This setting controls which network shares may be accessed by an anonymous user. The defaultsetting includes the shares, DFS$, and COMCFG. It is recommended that they be left as thedefault setting.
CCE-9503-4Network access: Sharing andsecurity model for local accounts
Windows 7 includes two network-sharing security models Classic and Guest only. It isrecommended that the Classic mode be used.
CCE-8937-5Network security: Do not storeLAN Manager hash value on nextpassword change
This setting controls whether or not a LAN Manager hash of the password is stored in the SAMthe next time the password is changed. The LAN Manager hash is a weak encryption algorithmand there are several tools available that use this hash to retrieve account passwords.
CCE-9704-8Network security: Force logoffwhen logon hours expire
This setting controls whether or not users are forced to log off when their allowed logon hoursexpire. If logon hours are set for users, then this should be enforced.
CCE-8806-2Network security: LAN ManagerAuthentication Level
Windows network authentication has changed considerably as various security vulnerabilitieshave been identified and fixed. The original LAN Manager (or LM) password hash is consideredvery weak, but is still used by most Windows 9x clients. Using commercially available software,and off-the-shelf computers, most LM password hashes can be used to reveal the actualpassword in a matter of days, or hours. With the release of Windows NT 4.0, Microsoftdeveloped NTLM authentication. Serious vulnerabilities made NTLM almost as easy to crack asLM, so NTLM version 2 (NTLMv2) was introduced. NTLMv2 provides significantimprovements to security; when combined with strong password policy, accounts are wellprotected against brute force attacks. All of these authentication methods are incorporated intoWindows 2000. All authentication models work with a hash of the password, not the passworditself. This presents challenges with down-level compatibility between operating systems. Inorder to smooth the transition, when one computer attempts to authenticate with another, thedefault behavior is to send the basic LM hash along with the more secure NTLM hash. Thissetting improves control over the response to an authentication challenge: Send LM and NTLMresponses, Send LM and NTLM, Use NTLMv2 session security if negotiated, Send NTLMresponse only, Send NTLMv2 response only, Send NTLMv2 response only\refuse LM, Send
NTLMv2 response only\refuse LM and NTLM, The default, and weakest option, is the first:send LM and NTLM responses. As a result, using NTLM is ineffective because both protocolsare sent together. In order to take a much more effective stand to protect network authentication,set LAN Manager Authentication Level to Send NTLMv2 response only\refuse LM and NTLM.Enabling this setting may have adverse effects on your ability to communicate with otherWindows machines unless the change is made network-wide. If you find that you are unable torequire a certain level of LM Authentication, back down to “Send LM and NTLM – UseNTLMv2 session security if negotiated” and try your network authentication again.Communication with Windows 9x/Me machines requires the DSCLIENT.EXE utility from theWindows 2000 installation CD.
CCE-9768-3Network security: LDAP clientsigning requirements
Similar to the SMB protocol, the LDAP protocol supports signing. LDAP, “LightweightDirectory Access Protocol,” provides one means for the client to talk to active directory. LDAPprotocol is text-based, but supports authentication to gain access to sensitive sections of thedirectory. Require signing to provide the assurance of mutual authentication for thiscommunications channel.
CCE-9534-9
Network security: Minimumsession security for NTLM SSPbased (including secure RPC)clients
NTLM authentication can provide a security service to manage connection between variousclients and servers, including through the Remote Procedure Call (RPC) service. Windows 2000improved the security model for secure, authenticated client-server communications; this settingmanages the new features for communications established by this workstation.
CCE-9736-0
Network security: Minimumsession security for NTLM SSPbased (including secure RPC)servers
Similar to "Network Security: Minimum session security for NTLM SSP based (including secureRPC) clients", this setting manages features for communication services provided by thisworkstation to other computers.
CCE-8807-0Recovery Console: AllowAutomatic Administrative Logon
The Recovery Console, new to Windows 2000 and XP, provides a limited command-line accessto an otherwise unbootable operating system. The console allows access to the NTFS filesystem, which does not natively allow access when the operating system becomes unbootable.Other third-party applications have been developed to perform this action as well, but theRecovery Console is part of the operating system. It can be installed from the Windows 2000 CDwith the “d:\i386\winnt32.exe /cmdcons” command. It can also be run directly from the Windows2000 installation CD. The Recovery Console does not grant full and unrestricted access to theoperating system by default. It does require that you log on using the password of the defaultAdministrator account. Keep in mind that this must be the local administrator account, not just amember of the local administrators group. Also, the policy for renaming the administratoraccount does not apply to the recovery console, and that password must be used. If configured,a boot to the recovery console could result in automatic logon, and bypass the need for thepassword of the administrator account. Since this gives administrator access to anyone who canreboot the computer, the setting is generally disabled.
CCE-8945-8Recovery Console: Allow FloppyCopy and Access to All Drivesand All Folders
By default, the Recovery Console only allows access to the root folder of each drive, and theoperating system folder (typically C:\Windows). The console also prevents copying files fromthe hard drive onto removable media. Although this protection can be bypassed by enablingfloppy copy and drive access, the setting is enabled by default and should remain disabled.
CCE-9707-1Shutdown: Allow System to beShut Down Without Having to LogOn
Some systems run critical processes and should only be shut down by authorized users.Occasionally, special processes could be evoked during system startup, sometimes eventrojaned processes. In environments where abnormal system reboots could cause problems,require a logon prior to reboot.
CCE-9222-1Shutdown: Clear Virtual MemoryPagefile
Virtual memory extends the physical memory available to the CPU. As data and applications fillthe available physical memory, the operating system writes less-frequently used pages ofmemory out to disk, into the virtual memory pagefile. This greatly extends the amount of“virtual” memory available to the computer. Since the pagefile contains information that was inmemory, it potentially holds a great deal of information useful for an attacker. Digging throughthe pagefile can reveal SSL web pages, queries set from the client to databases, sometimes evenuser ids and passwords from poorly written applications. The workstation does not clean thisinformation from the pagefile on shutdown. Although the file can not be accessed when bootedin Windows, anyone booting the workstation to an alternate operating system (e.g., from a bootCD) may access the page file. Enabling this options provides greater security by erasing the dataduring normal operations; however, this may also significantly increase the time required to shutdown the computer. When enabled, the hibernation file (hiberfil.sys) is also cleaned onshutdown.
CCE-9266-8System Cryptography: Use FIPScompliant algorithms forencryption, hashing, and signing
System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Require case
The Windows operating systems ignore case when accessing resources; for example,“C:\Windows”, “C:\WINDOWS” and “c:\windows” all refer to the same directory. However, the
CCE-9319-5 insensitivity for non-Windowssubsystems
Windows kernel allows interfaces with other case-sensitive operating systems (e.g., Unix).Enabling this setting causes the interoperability features to be case-insensitive as well. Thissetting has no effect when the workstation communicates only with other Windows systems.
CCE-9191-8System objects: Strengthen defaultpermissions of internal systemobjects
This setting actually digs deep into the operating system behavior and should be left at thedefault setting (Enabled) unless explicitly required. “Internal system objects” are shared physicaland logical resources such as semaphores and DOS device name; the objects all are created withaccess control lists (ACLs). When enabled, the ACL allows other non-administrative systemprocesses to query internal system objects, but will not allow them to modify them.
CCE-8811-2User Account Control: AdminApproval Mode for the Built-inAdministrator account
The "User Account Control: Admin Approval Mode for the Built-in Administrator account"setting should be configured correctly.
CCE-8958-1
User Account Control: Behavior ofthe elevation prompt foradministrators in Admin ApprovalMode
The "User Account Control: Behavior of the elevation prompt for administrators in AdminApproval Mode" setting should be configured correctly.
CCE-8813-8User Account Control: Behavior ofthe elevation prompt for standardusers
The "User Account Control: Behavior of the elevation prompt for standard users" setting shouldbe configured correctly.
CCE-9616-4User Account Control: Detectapplication installations andprompt for elevation
The "User Account Control: Detect application installations and prompt for elevation" settingshould be configured correctly.
CCE-9021-7User Account Control: Onlyelevate executables that are signedand validated
The "User Account Control: Only elevate executables that are signed and validated" settingshould be configured correctly.
CCE-9801-2User Account Control: Onlyelevate UIAccess applications thatare installed in secure locations
The "User Account Control: Only elevate UIAccess applications that are installed in securelocations" setting should be configured correctly.
CCE-9189-2User Account Control: Run alladministrators in Admin ApprovalMode
The "User Account Control: Run all administrators in Admin Approval Mode" setting should beconfigured correctly.
CCE-9395-5User Account Control: Switch tothe secure desktop whenprompting for elevation
The "User Account Control: Switch to the secure desktop when prompting for elevation" settingshould be configured correctly.
CCE-8817-9User Account Control: Virtualizefile and registry write failures toper-user locations
The "User Account Control: Virtualize file and registry write failures to per-user locations"setting should be configured correctly.
5.2.4 - MSS Security Options Settings
The settings identified in this section do not appear in the Windows 7 GPO by default. They can be added by obtaining a modified
sceregvl.inf file for use on the system.
CCE-9342-7MSS: (AutoAdminLogon) EnableAutomatic Logon (NotRecommended)
Determines whether the automatic logon feature is enabled. Automatic logon uses the domain,user name, and password stored in the registry to log users on to the computer when the systemstarts. The Log On to Windows dialog box is not displayed.
CCE-9496-1MSS: (DisableIPSourceRouting) IPsource routing protection level(protects against packet spoofing)
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packetspoofing)
CCE-8513-4MSS: (EnableICMPRedirect) AllowICMP redirects to override OSPFgenerated routes
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
CCE-9426-8MSS: (KeepAliveTime)How oftenkeep-alive packets are sent inmilliseconds
This value controls how often TCP attempts to verify that an idle connection is still intact bysending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. HKLM\System\CurrentControlSet\Tcpip\Parameters\KeepAliveTime
CCE-9439-1
MSS: (NoDefaultExempt) EnableNoDefaultExempt for IPSec MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering
Filtering (recommended)
CCE-8562-1
MSS: (NoNameReleaseOnDemand)Allow the computer to ignoreNetBIOS name release requestsexcept from WINS servers
Network basic input/output system (NetBIOS) over TCP/IP is a networking protocol that, amongother things, provides a means of easily resolving NetBIOS names registered on Windows-based systems to the IP addresses configured on those systems. This value determines whetherthe computer releases its NetBIOS name when it receives a name release request. TheNoNameReleaseOnDemand setting configures the system to refuse name release requests torelease its SMB name. This setting prevents an attacker from sending a name release request to aserver, causing the server to be inaccessible to legitimate clients. If this setting is configured ona client, however, and that client is mis-configured with the same name as a critical server, theserver will be unable to recover the name, and legitimate requests may be directed to the rogueserver instead, causing a denial of service condition at best.HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand registry key.
CCE-9458-1
MSS: (PerformRouterDiscovery)Allow IRDP to detect andconfigure DefaultGatewayaddresses (could lead to DoS)
This setting is used to enable or disabled the Internet Router Discovery Protocol (IRDP). IRDPallows the system to detect and configure Default Gateway addresses automatically.HKLM\System\CurrentControlSet\Tcpip\Parameters\PerformRouterDiscovery
CCE-9348-4MSS: (SafeDllSearchMode) EnableSafe DLL search mode(recommended)
Most programs on the Windows platform make use of various Dynamic Link Libraries (DLL) toavoid having to reimplement functionality. The operating system actually loads several DLLs foreach program, depending on what type of program it is. When the program does not specify anabsolute location for a DLL, the default search order is used to locate it. By default, the searchorder used by the operating system is as follows: 1. Memory 2. KnownDLLs 3. Manifests and.local 4. Application directory 5. Current working directory 6. System directories (%systemroot%,%systemroot%\system, and %systemroot%\system32) 7. The path variable The fact that thecurrent working directory is searched before the system directories can be used by someonewith access to the file system to cause a program launched by a user to load a spoofed DLL. If auser launches a program by double-clicking a document, the current working directory is actuallythe location of the document. If a DLL in that directory has the same name as a system DLL inthat location will then be loaded instead of the system DLL. This attack vector was actually usedby the Nimda virus. To combat this, a new setting was created in Service Pack 3, which movesthe current working directory to after the system directories in the search order. To avoidapplication compatibility issues, however, this switch was not turned on by default. To turn iton, set the following registry valueMACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\SafeDllSearchMode
CCE-8591-0
MSS: (ScreenSaverGracePeriod)The time in seconds before thescreen saver grace period expires(0 recommended)
Setting Added to Registry to Make Screensaver Password Protection Immediate The defaultgrace period allowed for user movement before the screen – saver lock takes effect is fiveseconds. Leaving the grace period in the default setting makes your computer vulnerable to apotential attack from someone walking up to the console to attempt to log onto the systembefore the lock takes effect. An entry to the registry can be made to adjust the length of thegrace period.
CCE-9456-5
MSS:(TCPMaxDataRetransmissions)How many times unacknowledgeddata is retransmitted (3recommended, 5 is default)
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3recommended, 5 is default)
CCE-9501-8
MSS: (WarningLevel) Percentagethreshold for the security event logat which the system will generate awarning
Windows Server 2003 and Service Pack 3 for Windows 2000 include a new feature for generatinga security audit in the security event log when the security log reaches a user defined threshold.Note: new to W2K3HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel
CCE-8503-5Microsoft network server: SPNTarget name validation
This policy setting controls the level of validation a computer with shared folders or printers (theserver) performs on the service principal name (SPN) that is provided by the client computerwhen it establishes a session using the server message block (SMB) protocol.
CCE-8655-3
MSS: (DisableIPSourceRoutingIPv6) IP source routing protectionlevel (protects against packetspoofing)
Allowing source routed network traffic allows attackers to obscure their identity and location.
CCE-8560-5
MSS: (Hidden) Hide computer fromthe browse list (Not Recommendedexcept for highly secureenvironments)
Hiding the computer from the Browse List removes one method attackers might use to getherinformation about computers on the network.
MSS:(TcpMaxDataRetransmissions
CCE-9487-0 IPv6) How many timesunacknowledged data isretransmitted (3 recommended, 5 isdefault)
MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data isretransmitted (3 recommended, 5 is default).
CCE-9096-9Network security: Allow LocalSystem to use computer identityfor NTLM
This policy setting allows services running as Local System to use the computer identity whennegotiating NTLM authentication.
CCE-8804-7Network security: AllowLocalSystem NULL sessionfallback
This policy setting allows the system to fall back no a NULL session.
CCE-9770-9Network Security: Allow PKU2Uauthentication requests to thiscomputer to use online identities
Windows 7 and Windows Server 2008 R2 introduce an extension to the Negotiate authenticationpackage, Spnego.dll. In previous versions of Windows, Negotiate decides whether to useKerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts, which istreated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U.
CCE-9532-3Network Security: Configureencryption types allowed forKerberos
This policy setting allows you to specify tdhe allowed encryption types for Kerberosauthentication.
CCE-9301-3
User Account Control: AllowUIAccess applications to promptfor elevation without using thesecure desktop
This setting was added to Windows Vista SP1 specifically to enable Remote Assistance. Itallows certain applications stored in secure folders, such as system32, to bypass the securedesktop so that they can function as designed. Enabling this setting will lower security slightlybut enable Remote Assistance. For more information see http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx.
5.3 - System Services Group
This section identifies requirements for the state of certain services on the system.
5.3.1 - System Services Settings
This section identifies requirements for the state of certain services on the system.
CCE-10661-7 Bluetooth Support ServiceThe Bluetooth service supports discovery and association of remote Bluetooth devices.Stopping or disabling this service may cause already installed Bluetooth devices to fail tooperate properly and prevent new devices from being discovered or associated.
CCE-10150-1 Fax ServiceEnables you to send and receive faxes, utilizing fax resources available on this computer or onthe network.
CCE-10543-7 HomeGroup Listener
Makes local computer changes associated with configuration and maintenance of thehomegroup-joined computer. If this service is stopped or disabled, your computer will not workproperly in a homegroup and your homegroup might not work properly. It is recommended thatyou keep this service running.
CCE-9910-1 Homegroup Provider
Performs networking tasks associated with configuration and maintenance of homegroups. Ifthis service is stopped or disabled, your computer will be unable to detect other homegroupsand your homegroup might not work properly. It is recommended that you keep this servicerunning.
CCE-10699-7 Media Center Extender Allows Media Center Extenders to locate and connect to the computer.
CCE-10311-9 Parental Controls ServiceThis service is a stub for Windows Parental Control functionality that existed in Vista. It isprovided for backward compatibility only.
5.4 - Advanced Audit Policy Settings
Windows 7 give more control over individual audit policy through subcategories that were not available in earlier versions of Windows
operating systems.
5.4.1 - Account Logon Audit Settings
CCE-9725-3 Credential Validation
CCE-9258-5 Kerberos Authentication Service
CCE-9148-8 Kerberos Service Ticket Operation
CCE-9148-8 Other Account Logon Events
5.4.2 - Account Management Settings
The Account Management audit category helps you track attempts to create new users or groups, rename users or groups, enable or disable
user accounts, change account passwords, and enable auditing for Account Management events. If you enable this Audit policy setting,administrators can track events to detect malicious, accidental, and authorized creation of user and group accounts.
CCE-8822-9 Application Group Management
CCE-9498-7 Computer Account Management
CCE-9644-6 Distribution Group Management
CCE-9657-8Other Account ManagementEvents
CCE-9692-5 Security Group Management
CCE-9542-2 User Account Management
5.4.3 - Detailed Tracking Settings
The Detailed Tracking audit category determines whether to audit detailed tracking information for events such as program activation, process
exit, handle duplication, and indirect object access. Enabling Audit process tracking will generate a large number of events, so it is typically
set to No Auditing. However, this setting can provide a great benefit during an incident response from the detailed log of the processes
started and the time when they were launched.
CCE-9735-2 DPAPI Activity
CCE-9562-0 Process Creation
CCE-9227-0 Process Termination
CCE-9492-0 RPC Events
5.4.4 - DS Access Settings
The DS Access audit category applies only to domain controllers.
CCE-9628-9Detailed Directory ServiceReplication
CCE-9765-9 Directory Service Access
CCE-9734-5 Directory Service Changes
CCE-9637-0 Directory Service Replication
5.4.5 - Logon Logoff Settings
This audit category generates events that record the creation and destruction of logon sessions. These events occur on the accessed
computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place
to access a share, these events generate on the computer that hosts the accessed resource.
CCE-8853-4 Account Lockout
CCE-9661-0 IPsec Extended Mode
CCE-10939-7 IPsec Main Mode
CCE-9632-1 IPsec Quick Mode
CCE-8856-7 Logoff
CCE-9683-4 Logon
CCE-9076-1 Network Policy Server
CCE-9622-2 Other Logon/Logoff Events
CCE-9763-4 Special Logon
5.4.6 - Object Access Settings
By itself, this policy setting will not cause auditing of any events. It determines whether to audit the event of a user who accesses an object—
for example, a file, folder, registry key, or printer—that has a specified system access control list (SACL), effectively enabling auditing to takeplace.
CCE-9816-0 Application Generated
CCE-9460-7 Certification Services
CCE-9720-4 Detailed File Share
CCE-9376-5 File Share
CCE-9217-1 File System
CCE-9728-7 Filtering Platform Connection
CCE-9133-0 Filtering Platform Packet Drop
CCE-9789-9 Handle Manipulation
CCE-9803-8 Kernel Object
CCE-9455-7 Other Object Access Events
CCE-9737-8 Registry
CCE-9856-6 SAM
5.4.7 - Policy Change Settings
The Policy Change audit category determines whether to audit every incident of a change to user rights assignment policies, Windows
Firewall policies, Trust policies, or changes to the Audit policy itself.
CCE-10021-4 Audit Policy Change
CCE-9976-2 Authentication Policy Change
CCE-9633-9 Authorization Policy Change
CCE-9902-8 Filtering Platform Policy Change
CCE-9153-8MPSSVC Rule-Level PolicyChange
CCE-9596-8 Other Policy Change Events
5.4.8 - Privilege Use Settings
The Privilege Use audit category determines whether to audit each instance of a user exercising a user right. If you configure this value to
Success, an audit entry is generated each time that a user right is exercised successfully. If you configure this value to Failure, an audit entry is
generated each time that a user right is exercised unsuccessfully. This policy setting can generate a very large number of event records.
CCE-9190-0 Non Sensitive Privilege Use
CCE-9988-7 Other Privilege Use Events
CCE-9878-0 Sensitive Privilege Use
5.4.9 - System Settings
The System audit category allows you to monitor system events that succeed and fail, and provides a record of these events that may help
determine instances of unauthorized system access. System events include starting or shutting down computers in your environment, full event
logs, or other security-related events that affect the entire system.
CCE-9925-9 IPsec Driver
CCE-9586-9 Other System Events
CCE-9850-9 Security State Change
CCE-9863-2 Security System Extension
CCE-9520-8 System Integrity
6 - USGCB Other Settings
USGCB identifies the following additional controls that must be checked in order to verify compliance.
6.1 - Computer Configuration - Administrative Templates - Network Settings
6.1.1 - Link-Layer Topology Discovery
The Link Layer Topology Discovery (LLTD) specification describes how the LLTD protocol operates over wired (802.3 Ethernet) and
wireless (802.11) media. LLTD enables device discovery via the data-link layer and determines the topology of a network. This specification
also describes the Quality of Service (QoS) Extensions that enable stream prioritization and quality media streaming experiences, even on
networks with limited bandwidth.
CCE-9783-2Turn on Mapper I/O (LLTDIO)driver
This policy setting turns on the Mapper I/O network protocol driver. LLTDIO allows a computerto discover the topology of a network it's connected to.
CCE-10059-4Turn on Responder (RSPNDR)driver
This policy setting turns on the Responder network protocol driver. The Responder allows acomputer to participate in Link Layer Topology Discovery requests so that it can be discoveredand located on the network.
6.1.2 - Microsoft Peer-to-Peer Networking Services
CCE-10438-0Turn Off Microsoft Peer-to-PeerNetworking Services
This setting turns off Microsoft Peer-to-Peer Networking Services in its entirety, and will causeall dependent applications to stop working.
6.1.3 - Network Connection Settings
The features for implementing and administering small networks are described as follows:
-- Internet Connection Sharing (ICS) --
ICS provides Internet access for a home or small office network by using one common connection as the Internet gateway. The ICS host is
the only computer that is directly connected to the Internet. Multiple ICS clients simultaneously use the common Internet connection and
benefit from Internet services as if the clients were directly connected to the Internet service provider (ISP). Security is enhanced when ICS is
enabled because only the ICS host computer is visible to the Internet. The addresses of ICS clients are hidden from the Internet rendering
ICS clients invisible to the Internet. In addition, ICS simplifies the configuration of small networks by providing local private network services,
such as name resolution and addressing.
Note: You should not use Internet Connection Sharing in an existing network with Windows 2000 Server domain controllers, Domain Name
System (DNS) servers, gateways, Dynamic Host Configuration Protocol (DHCP) servers, or systems configured for static IP addresses.
-- Internet Connection Firewall (ICF) --
With ICF, the firewall checks all communications that cross the connection between your network and the Internet and is selective about
which responses from the Internet it allows. ICF protects only the computer on which it is enabled. If ICF is enabled on the Internet
Connection Sharing (ICS) host computer, however, ICS clients that use the shared Internet connection for Internet connectivity are protected
because they cannot be seen from outside your network. For this reason, you should always enable ICF on the ICS host computer. In
addition, if there are clients on your network with direct Internet connections, or if you have a stand-alone computer that is connected to the
Internet, then you should enable ICF on those Internet connections as well.
-- Network Bridge --
Network Bridge removes the need for routing and bridging hardware in a home or small office network that consists of multiple LAN
segments. With Network Bridge, multiple LAN segments become a single IP subnet, even if the LAN segments are of mixed network media
types. Network Bridge automates the configuration and management of the address allocation, routing, and name resolution that is typically
required in a network that consists of multiple LAN segments.
Caution If neither ICF nor ICS is enabled on your network, do not set up Network Bridge between the public Internet connection and the
private network connection. Setting up Network Bridge between the public Internet connection and the private network connection creates
an unprotected link between your network and the Internet, leaving your network vulnerable to external attacks. When either ICF or ICS is
enabled, this risk is mitigated.
CCE-9953-1Prohibit installation andconfiguration of Network Bridgeon your DNS domain network
Installation and Configuration of Network Bridge on the DNS Domain Network should beproperly configured.
CCE-10359-8Require Domain users to elevatewhen setting a networks location
CCE-10509-8Route all traffic through theinternal network
6.1.4 - TCP/IP Settings
6.1.4.1 - IPv6 Transition Technologies
CCE-10266-5 _6to4 State
CCE-10130-3 ISATAP State
CCE-10011-5 Teredo State
CCE-10764-9 IP HTTPS
6.1.5 - Windows Connect Now
CCE-9879-8Configuration of Wireless SettingsUsing Windows Connect Now
Configuration of Wireless Settings Using Windows Connect Now
CCE-10778-9Prohibit Access of the WindowsConnect Now Wizards
Prohibit Access of the Windows Connect Now Wizards
6.2 - Printers
6.2.1 - Printers Settings
CCE-10782-1Extend point and print connectionto search Windows update anduse alternate connection if needed
6.3 - Computer Configuration - Administrative Templates - System Settings
6.3.1 - Device Installation
CCE-10769-8Allow remote access to the PnPinterface
Computer Configuration\Administrative Templates\System\Device Installation: Allow remoteaccess to the PnP interface.
CCE-9901-0Do not send a Windows ErrorReport when a generic driver isinstalled on a device
Computer Configuration\Administrative Templates\System\Device Installation: Do not send aWindows Error Report when a generic driver is installed on a device.
CCE-10553-6
Prevent creation of a systemrestore point during device activitythat would normally prompcreation of a restore point.
Computer Configuration\Administrative Templates\System\Device Installation: Do not createsystem restore point when new device driver installed.
CCE-10165-9Prevent device metadata retrievalfrom the internet
CCE-9919-2Specify search order for devicedriver source locations
6.3.2 - Driver Installation
6.3.3 - Group Policy Client-Side Extensions
The following rules specify the desired setting for the client-side extensions designed for Group Policy.
CCE-9361-7 Registry PolicyComputer Configuration\Administrative Templates\System: Group Policy - Registry PolicyProcessing.
6.3.4 - Internet Communication Management
6.3.4.1 - Internet Communication settings
CCE-9195-9Turn off downloading of printdrivers over HTTP
Computer Configuration\Administrative Templates\System\Internet CommunicationManagement\Internet Communication settings: Turn off downloading of print drivers overHTTP.
CCE-9819-4Turn off event views "Events.asp"links
Computer Configuration\Administrative Templates\System\Internet CommunicationManagement\Internet Communication settings: Turn Off Event Views "Events.asp" Links.
CCE-10645-0Turn off handwritingpersonalization data sharing
CCE-10645-0Turn off handwriting recognitionerror reporting
Computer Configuration\Administrative Templates\System\Internet CommunicationManagement\Internet Communication settings: Turn Off Handwriting Recognition ErrorReporting.
CCE-10649-2Turn off Internet connectionwizard if URL connection isreferring to Microsoft.com
Computer Configuration\Administrative Templates\System\Internet CommunicationManagement\Internet Communication settings: Turn Off Internet Connection Wizard if URLConnection is Referring to Microsoft.com.
CCE-9674-3Turn off Internet download forWeb publishing and onlineordering wizards
Computer Configuration\Administrative Templates\System\Internet CommunicationManagement\Internet Communication settings: Turn off Internet download for Web publishingand online ordering wizards.
CCE-10795-3Turn off Internet file associationservice
Computer Configuration\Administrative Templates\System\Internet CommunicationManagement\Internet Communication settings: Turn Off Internet File Association Service.
CCE-10061-0 Turn off printing over HTTPComputer Configuration\Administrative Templates\System\Internet CommunicationManagement\Internet Communication settings: Turn off printing over HTTP.
CCE-10160-0Turn off registration if URLconnection is referring to
Computer Configuration\Administrative Templates\System\Internet Communication
Microsoft.com Management\Internet Communication settings: Turn Off Registration if URL Connection isReferring to Microsoft.com.
CCE-10140-2Turn off Search Companioncontent file updates
Computer Configuration\Administrative Templates\System\Internet CommunicationManagement\Internet Communication settings: Turn off Search Companion content file updates.
CCE-9823-6Turn off the "Order Prints" picturetask
Computer Configuration\Administrative Templates\System\Internet CommunicationManagement\Internet Communication settings: Turn Off the "Order Prints" Picture Task.
CCE-9643-8Turn off the "Publish to Web" taskfor files and folders
Computer Configuration\Administrative Templates\System\Internet CommunicationManagement\Internet Communication settings: Turn off the "Publish to Web" task for files andfolders.
CCE-9559-6Turn off the Windows MessengerCustomer Experience ImprovementProgram
Computer Configuration\Administrative Templates\System\Internet CommunicationManagement\Internet Communication settings: Turn off the Windows Messenger CustomerExperience Improvement Program.
CCE-9831-9Turn off the Windows customerexperience improvement program
CCE-10441-4 Turn Off Windows Error ReportingComputer Configuration\Administrative Templates\System\Internet CommunicationManagement\Internet Communication settings: Turn Off Windows Error Reporting.
6.3.5 - Logon
CCE-10591-6 Always Use Classic Logon Computer Configuration\Administrative Templates\System: Logon - Always Use Classic Logon.
CCE-10154-3 Do not process the run once listComputer Configuration\Administrative Templates\System: Logon - Do not process the runonce list.
6.3.6 - Power Management
6.3.6.1 - Sleep settings
CCE-9829-3Require a Password when aComputer Wakes (On Battery)
Computer Configuration\Administrative Templates\System\Power Management: Sleep Settings -Require a Password when a Computer Wakes (On Battery).
CCE-9670-1Require a Password when aComputer Wakes (Plugged)
Computer Configuration\Administrative Templates\System\Power Management: Sleep Settings -Require a Password when a Computer Wakes (Plugged).
6.3.7 - Remote Assistance
CCE-9960-6 Offer Remote AssistanceComputer_Configuration - Administrative_Templates - System: Remote Assistance - OfferRemote Assistance.
CCE-9506-7 Solicited Remote AssistanceComputer_Configuration - Administrative_Templates - System: Remote Assistance - SolicitedRemote Assistance.
CCE-10344-0 Turn on session loggingComputer_Configuration - Administrative_Templates - System: Remote Assistance - Turn onsession logging.
6.3.8 - Remote Procedure Call
CCE-9396-3Restrictions for UnauthenticatedRPC clients
Computer_Configuration - Administrative_Templates - System: Remote Assistance -Restrictions for Unauthenticated RPC clients.
CCE-10181-6RPC Endpoint Mapper ClientAuthentication
Computer_Configuration - Administrative_Templates - System: Remote Assistance - RPCEndpoint Mapper Client Authentication.
6.3.9 - Troubleshooting and Diagnostics
6.3.9.1 - Microsoft Support Diagnostic Tool
CCE-9842-6
Microsoft support diagnostic tool:turn on msdt interactivecommunication with supportprovider
6.3.9.2 - Scripted Diagnostic Settings
CCE-10606-2
Troubleshooting: allow user toaccess online troubleshootingcontent on Microsoft server fromthe troubleshooting control panel
6.3.9.3 - Windows Performance Perftrack
CCE-10219-4 Enable or disable perftrack
6.3.10 - Windows Time Service
6.3.10.1 - Time Providers
CCE-10500-7 Confidure Windows NTP client
6.3.11 - Windows Components
6.3.11.1 - Application Compatibility Settings
CCE-10787-0 Turn off program inventory
6.3.11.2 - Autoplay Policies
Computer Configuration\Administrative Templates\Windows Components: Autoplay Policies
CCE-10527-0 Default behavior for autorun Configures the autorun settings on the system.
CCE-9528-1 Turn off AutoplayComputer Configuration\Administrative Templates\Windows Components\Autoplay Policies:Turn off Autoplay.
CCE-10655-9Turn off autoplay for non volumedevices
6.3.11.3 - Credential User Interface
Computer Configuration\Administrative Templates\Windows Components: Credential User Interface
CCE-9938-2Enumerate administrator accountson elevation
Computer Configuration\Administrative Templates\Windows Components\Credential UserInterface: Enumerate administrator accounts on elevation.
6.3.11.4 - Digital Locker
CCE-10759-9 Do not allow digital locker to run
6.3.11.5 - Desktop Gadgets
CCE-9857-4 Override the More Gadgets Lnk Override the More Gadgets Lnk
CCE-10811-8Disable unpacking and installationof gadgets that are not digitally
Sidebar gadgets can be deployed as compressed files, either digitally signed or unsigned. If youenable this setting, Windows Sidebar will not extract any gadgets that have not been digitally
signed signed. If you disable or do not configure this setting, Window
CCE-10586-6Turn Off User Installed WindowsSidebar Gidgets
Turn Off User Installed Windows Sidebar Gidgets
6.3.11.6 - Event Log Service Settings
Windows 7 records information about significant events in four logs: the Application Log, the Security Log, the Setup Log, and the System
Log. The logs contain error messages, audit information, and other records of activity on the system. The logs can be used not only to identify
suspicious and malicious behavior and investigate security incidents, but also to assist in troubleshooting system and application problems. It is
important to specify the maximum log size because if it is too low, the system will not have much room for storing information on system
activity.
6.3.11.6.1 - Application Log
CCE-9603-2 Maximum Application Log Size Maximum Application Log Size
6.3.11.6.2 - Security Log
CCE-9967-1 Maximum Security Log Size Maximum Security Log Size
6.3.11.6.3 - Setup Log
CCE-10714-4 Maximum Setup Log Size Maximum Setup Log Size
6.3.11.6.4 - System Log
CCE-10156-8 Maximum Setup Log Size Maximum Setup Log Size
6.3.11.7 - Game Explorer
Computer Configuration\Administrative Templates\Windows Components: Game Explorer
CCE-10828-2Turn Off Downloading of GameInformation
Computer Configuration\Administrative Templates\Windows Components\Game Explorer: TurnOff Downloading of Game Information.
CCE-10850-6 Turn off game updates
6.3.11.8 - HomeGroup Settings
CCE-10183-2Prevent the computer from joininga Homegroup
6.3.11.9 - Netmeeting
CCE-10763-1 Disable remote desktop sharing
6.3.11.10 - Remote Desktop Services
6.3.11.10.1 - Remote Desktop Connection Client
CCE-10090-9Do not allow passwords to besaved
The "Do not allow passwords to be saved" setting should be configured correctly for TerminalServices.
6.3.11.10.2 - Remote Desktop Session Host
6.3.11.10.2.1 - Connection Settings
CCE-9985-3Allow users to connect remotelyusing Remote Desktop Services
This policy setting determines whether or not users can connect to the computer using RemoteDesktop Services.
6.3.11.10.2.2 - Security Settings
CCE-10103-0Always prompt client for passwordupon connection
The "Always Prompt Client for Password upon Connection" policy should be set correctly forTerminal Services.
CCE-9764-2Set client connection encryptionlevel
The "Set Client connection Encryption Level" policy should be set correctly for TerminalServices.
6.3.11.10.2.3 - Session Time Limits
CCE-10608-8Set a time limit for active but idleTerminal Services sessions
The "Set time limit for idle sessions" policy should be set correctly for Terminal Services.
CCE-9858-2Set a time limit for disconnectedsessions
The "Set time limit for disconnected sessions" policy should be set correctly for TerminalServices.
6.3.11.10.2.4 - Temporary Folders
CCE-10856-3Do not delete temp folders uponexit
CCE-9864-0Do not use temporary folders persession
6.3.11.11 - RSS Feeds
CCE-10730-0Turn off downloading ofenclosures
6.3.11.12 - Search
Search
CCE-10496-8 Allow indexing of encrypted files Allow indexing of encrypted files
CCE-9866-5Enable indexing uncachedExchange folders
Prevent indexing uncached Exchange folders
6.3.11.13 - Windows Anytime Upgrade
CCE-10137-8Prevent Windows anytime upgradefrom running
6.3.11.14 - Windows Defender
Windows Defender
CCE-9868-1Configure Microsoft SpyNet
When Windows Defender detects software or changes by software not yet classified for risks,you see how other members responded to the alert. In turn, the action you apply help othermembers choose how to respond. Your actions also help Microsoft choose which software toinvestigate for potential threats. You can choose to send basic or additional information about
Reporting detected software. Additional information helps improve how Windows Defender works. It caninclude, for example, the location of detected items on your computer if harmful software hasbeen removed. Windows Defender will automatically collect and send the information.
6.3.11.15 - Windows Error Reporting
Windows Error Reporting
CCE-10157-6 Disable LoggingIf this setting is enabled Windows Error Reporting events will not be logged to the system eventlog.
CCE-9914-3 Disable Windows Error ReportingIf this setting is enabled, Windows Error Reporting will not send any problem information toMicrosoft. Additionally, solution information will not be available in the Problem Reports andSolutions control panel.
CCE-10709-4 Display Error Notification The "Display Error Notification" setting should be configured correctly.
CCE-10824-1 Do Not Send Additional DataIf this setting is enabled any additional data requests from Microsoft in response to a WindowsError Reporting event will be automatically declined without notice to the user.
6.3.11.16 - Windows Explorer Settings
Windows Explorer
CCE-9918-4Turn off data execution preventionfor explorer
CCE-9874-9Turn off Heap termination oncorruption
Turn off Heap termination on corruption
CCE-10623-7Turn off shell protocol protectedmode
Turn off shell protocol protected mode
6.3.11.17 - Windows Installer Settings
Windows Installer
CCE-9875-6Disable IE security prompt forWindows Installer scripts
Disable IE security prompt for Windows Installer scripts
CCE-9876-4 Enable user control over installsPermits users to change installation options that typically are available only to systemadministrators. This setting bypasses some of the security features of Windows Installer.
CCE-9888-9Prohibit non-administrators fromapplying vendor signed updates
This setting controls the ability of non-administrators to install updates that have been digitallysigned by the application vendor.
6.3.11.18 - Windows Logon Options
Windows Logon Options
CCE-9907-7Report Logon Server Not AvailableDuring User logon
This setting controls the ability of non-administrators to install updates that have been digitallysigned by the application vendor.
6.3.11.19 - Windows Mail
Windows Mail
CCE-11252-4 Turn off the communities features
CCE-10882-9 windows_mail_application_manual_launch_permitted_var
6.3.11.20 - Windows Media Digital Rights Management
Windows Media Digital Rights Management
CCE-9908-5Prevent Windows Media DRMInternet Access
Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (orintranet). When enabled, Windows Media DRM is prevented from accessing the Internet (orintranet) for license acquisition and security upgrades.
6.3.11.21 - Windows Media Player Settings
CCE-10692-2Do Not Show First Use DialogBoxes
The "Do Not Show First Use Dialog Boxes" setting for Windows Media Player should beconfigured correctly.
CCE-10602-1 Prevent Automatic Updates The "Disable Media Player for automatic updates" policy should be set correctly.
6.3.11.22 - Windows Update
CCE-9403-7 Configure automatic updates
CCE-10205-3Reschedule automatic updatesscheduled installation
CCE-9672-7No auto restart with logged onusers for scheduled automaticupdates installations
CCE-9464-9Do not display 'Install updates andshut diown option' in shut downwindows dialog box
6.3.12 - Programs and Features Group
Optional Windows Programs and Features that should not be installed, located at Control Panel\Programs and Features\Turn Windows
features on or off
Games are not installed Games are not installed
Internet Information Services Internet Information Services is not installed
Simple TCPIP Services Simple TCPIP Services is not installed
Telnet Client Telnet Client is not installed
Telnet Server Telnet Server is not installed
TFTP Client TFTP Client is not installed
Windows Media Center Windows Media Center is not installed
6.3.13 - Local User Policy Settings
6.3.13.1 - Local User Policy: Control Panel
6.3.13.1.1 - Personalization
CCE-10051-1 Enable screen saver
CCE-9730-3 Password protect the screen saverDetermines whether screen savers used on the computer are password protected. If you enablethis setting, all screen savers are password protected. If you disable this setting, passwordprotection cannot be set on any screen saver.
CCE-10148-5 Screen Saver timeoutSpecifies how much user idle time must elapse before the screen saver is launched. Whenconfigured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds,
or 24 hours. If set to zero, the screen saver will not be started.
6.3.13.2 - System
6.3.13.2.1 - Internet Communication Management
6.3.13.2.1.1 - Internet Communication Settings
CCE-10295-4 Turn off help ratings
6.3.13.2.2 - Power Management settings
6.3.13.3 - Windows Components
6.3.13.3.1 - Attachment Manager Settings
CCE-10166-7Do not preserve zone informationin file attachments
This policy setting allows you to manage whether Windows marks file attachments withinformation about their zone of origin (i.e. restricted, Internet, intranet, local).
CCE-9684-2Hide mechanisms to remove zoneinformation
This policy setting allows you to manage whether users can manually remove the zoneinformation from saved file attachments by clicking the Unblock button in the file’s propertysheet or by using a check box in the security warning dialog.
CCE-10076-8Notify antivirus programs whenopening attachments
This policy setting allows you to manage the behavior for notifying registered antivirusprograms. If multiple programs are registered, they will all be notified.
6.3.13.3.2 - Network Sharing Settings
CCE-10644-3Prevent users from sharing fileswithin their profile
By default users are allowed to share files within their profile to other users on their networkonce an administrator opts in the computer. An administrator can opt in the computer by usingthe sharing wizard to share a file within their profile.
7 - Security Patches
Securing a given computer has become increasingly important. As such, it is essential to keep a host up to current patch levels to eliminate
known vulnerabilities and weaknesses. In conjunction with antivirus software and a personal firewall, patching goes a long way to securing a
host against outside attacks and exploitation. Microsoft provides two mechanisms for distributing security updates: Automatic Updates and
Microsoft Update. In smaller environments, either method may be sufficient for keeping systems current with patches. Other environments
typically have a software change management control process or a patch management program that tests patches before deploying them;
distribution may then occur through local Windows Update Services (WUS) or Windows Server Update Services (WSUS) servers, whichprovide approved security patches for use by the Automatic Updates feature.
Security Patches Up-To-Date All known security patches have been installed.