Standard Security
[LTR][U]Legal notice - (Registry)[/U]
[LIST=1]
[*]Use Regedt32.exe to add the value "LegalNoticeCaption" to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (value type: REG_SZ)
[*]Double-click the "LegalNoticeCaption" value and set it to the desired message box title
[*]Add the value "LegalNoticeText", also to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (value type: REG_SZ)
[*]Double-click the "LegalNoticeText" value and set it to the desired text of the message box
[*]Restart Computer
[/LIST]
[U]Protect registry from access via Win32 APIs - (Registry)[/U]
[LIST=1]
[*]Use Regedt32.exe to remove "System\CurrentControlSet\Services\Replicator" from HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths\Machine
[*]Restart Computer
[/LIST]
[U]Remove default shares[/U]
[LIST=1]
[*]Use Regedt32.exe to add the value "AutoShareWks" to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters (value type: REG_DWORD)
[*]Double-click the "AutoShareWks" value and set it to: 0
[*]Restart Computer
[/LIST]
[U]Prevent guests/null sessions from viewing Event logs - (Registry)[/U]
[LIST=1]
[*]Use Regedt32.exe to add the value "RestrictGuestAccess" to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security, and HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System (value type: REG_DWORD)
[*]Double-click each of the "RestrictGuestAccess" values and set them to: 1
[*]Restart Computer
[/LIST]
[U]Strong protection over shared objects - (Registry)[/U]
[LIST=1]
[*]Use Regedt32.exe to add the value "ProtectionMode" to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager (value type: REG_DWORD)
[*]Double-click the "ProtectionMode" value and set it to: 1
[*]Restart Computer
[/LIST]
[U]Protect registry from remote connections by all but admin - (Registry permissions)[/U]
[LIST=1]
[*]Install latest Service Pack
[*]Use Regedt32.exe to select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg
[*]Choose "Permissions" from the "Security" menu
[*]Remove all groups but "Administrator"
[*]Restart Computer
[/LIST]
[U]Restrict access to Run/RunOnce/Uninstall - (Registry permissions)[/U]
[LIST=1]
[*]Use Regedt32.exe to select the "Run," "RunOnce" and "Uninstall" keys in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
[*]For each key choose "Permissions" from the "Security" menu
[*]For the "Everyone" group change the access permissions to Read.
[*]Restart the Computer
[/LIST]
[U]Min. password length of 5 characters[/U]
[LIST=1]
[*]From "User Manager" select "Account" from "Policies" menu
[*]For "Minimum Password Length" enter 5
[/LIST]
[U]Password Age of 180 days - (user manager policy)[/U]
[LIST=1]
[*]From "User Manager" select "Account" from "Policies" menu
[*]For "Maximum Password Age" enter 180
[/LIST]
[U]User accounts as such (i.e. users don't get Admin/Power User accounts)[/U]
As systems are set up, create accounts for users with the fewest permissions necessary (generally "User")
[U]Disable guest accounts[/U]
[LIST=1]
[*]From "User Manager" open "Guest" from users list
[*]Check the "disable account" option
[*]Click OK
[/LIST]
[U]Format all partitions using NTFS[/U]
If installing NT -
[LIST=1]
[*]Select NTFS for file system format.
[*]Set appropriate permissions as described below.
[/LIST]
On existing systems -
[LIST=1]
[*]Run "convert <DRIVE letter>: /FS:NTFS" from the Command Prompt
[*]Restart the computer
[*]Set appropriate permissions as described below.
[/LIST]
[U]Secure the WinNT directories - [/U]
[LIST=1]
[*]Select the directory in Explorer
[*]From the File menu select "Properties"
[*]Choose the Security tab
[/LIST]
* Note - Be sure to apply permissions to parent directories before applying permissions to subdirectories.

[B]Directory[/B] / [B]Permissions[/B]

\WINNT and [I]all subdirectories[/I] under it
[INDENT]Administrators: Full Control
CREATOR OWNER: Full Control
Everyone: Read
SYSTEM: Full Control[/INDENT]
\WINNT\REPAIR
[INDENT]Administrators: Full Control[/INDENT]
\WINNT\SYSTEM32\CONFIG
[INDENT]Administrators: Full Control
CREATOR OWNER: Full Control
Everyone: List
SYSTEM: Full Control[/INDENT]
\WINNT\SYSTEM32\SPOOL
[INDENT]Administrators: Full Control
CREATOR OWNER: Full Control
Everyone: Read
Power Users: Change
SYSTEM: Full Control[/INDENT]
\WINNT\COOKIES, \WINNT\FORMS, \WINNT\HISTORY, \WINNT\OCCACHE, \WINNT\PROFILES, \WINNT\SENDTO, \WINNT\Temporary Internet Files
[INDENT]Administrators: Full Control
CREATOR OWNER: Full Control
Everyone: Special Directory Access - Read, Write and Execute, Special File Access - None
SYSTEM: Full Control[/INDENT]
\TEMP directory
[INDENT]Administrators: Full Control
SYSTEM: Full Control
CREATOR OWNER: Full Control
Everyone: Special Directory Access - Read, Write and Execute, Special File Access - None[/INDENT]
[U]Secure boot files using the same method used for directories[/U]
[B]File[/B] / [B]Permissions[/B]

\Boot.ini, \Ntdetect.com, \Ntldr
[INDENT]Administrators: Full Control
SYSTEM: Full Control[/INDENT]
\Autoexec.bat, \Config.sys
[INDENT]Everyone: Read
Administrators: Full Control
SYSTEM: Full Control[/INDENT]
[U]Disable NetBT - [/U]
[LIST=1]
[*]From the Control Panel, open the "Network" applet
[*]Select the Bindings tab
[*]Disable the NetBIOS bindings with the TCP/IP protocol stack
[*]Click "OK"
[*]Restart the computer as prompted
[/LIST]
[U]Restrict Scheduler service to Admin - [/U]
[LIST=1]
[*]Use Regedt32.exe to add the value "SubmitControl" to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa (value type: REG_DWORD)
[*]Double-click the "SubmitControl" value and set it to: 0
[*]Restart Computer
[/LIST]
[U]Hide last username - [/U]
[LIST=1]
[*]Use Regedt32.exe to add the value "DontDisplayLastUserName" to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (value type: REG_SZ)
[*]Double-click the "DontDisplayLastUserName" value and set it to: 1
[*]Restart Computer
[/LIST]
[U]Restrict anonymous net access to lookup accounts/groups/shares via null sessions - [/U]
[LIST=1]
[*]Use Regedt32.exe to add the value "RestrictAnonymous" to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA (value type: REG_DWORD)
[*]Double-click the "RestrictAnonymous" value and set it to: 1
[*]Restart Computer
[/LIST]
[U]User rights[/U]
[LIST]
[*]Log on locally - Admin, Power Users, Users
[*]Shutdown System - Admin, Power Users, Users
[*]Access from network - Admin, Power Users, Users
[/LIST][/LTR]
Source site: [URL="http://chemistry.berkeley.edu"]http://chemistry.berkeley.edu[/URL]
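
The REG_SZ and REG_DWORD values set in the registry steps above can be checked offline by auditing a regedit export of HKEY_LOCAL_MACHINE. This is an added example, not part of the original checklist: it assumes a REGEDIT4-format export, that both legal-notice values live under the Winlogon key, and that the scheduler value is named SubmitControl. The permission and AllowedPaths steps are not covered, and the sample export is constructed.

```python
import re
# Expected values from the checklist's registry steps, relative to HKEY_LOCAL_MACHINE.
# `str` = any non-empty REG_SZ; otherwise type (str=REG_SZ, int=REG_DWORD) and data must match.
CCS = "SYSTEM\\CurrentControlSet\\"
BASELINE = {
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon": {
        "LegalNoticeCaption": str, "LegalNoticeText": str,
        "DontDisplayLastUserName": "1"},
    CCS + "Services\\LanmanServer\\Parameters": {"AutoShareWks": 0},
    CCS + "Control\\Session Manager": {"ProtectionMode": 1},
    CCS + "Control\\Lsa": {"SubmitControl": 0, "RestrictAnonymous": 1},
}
for log in ("Application", "Security", "System"):
    BASELINE[CCS + "Services\\EventLog\\" + log] = {"RestrictGuestAccess": 1}
KEY_RE = re.compile(r"\[HKEY_LOCAL_MACHINE\\(.+)\]", re.I)
VAL_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")')

def parse_reg(text):
    """Parse REGEDIT4 export text into {key.lower(): {name.lower(): value}}."""
    hive, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):  # new key; keys outside HKLM are skipped
            m = KEY_RE.fullmatch(line)
            key = hive.setdefault(m[1].lower(), {}) if m else None
        elif key is not None and (m := VAL_RE.fullmatch(line)):
            key[m[1].lower()] = m[3] if m[2] is None else int(m[2], 16)
    return hive

def audit(text):
    """Return [(key, value_name, found)] for every setting that deviates."""
    hive, findings = parse_reg(text), []
    for path, values in BASELINE.items():
        for name, want in values.items():
            got = hive.get(path.lower(), {}).get(name.lower())
            kind = str if want is str else type(want)
            ok = type(got) is kind and (got != "" if want is str else got == want)
            if not ok:
                findings.append((path, name, got))
    return findings

# Constructed sample export (not from a real host).
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"="Authorized use only"
"LegalNoticeText"=""
"DontDisplayLastUserName"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
'''
```

Calling audit(SAMPLE) reports the empty LegalNoticeText, the DontDisplayLastUserName stored as REG_DWORD instead of REG_SZ, RestrictAnonymous set to 0, and every value missing from the export (found = None).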