Legal notice - (Registry)
Use Regedt32.exe to add the value "LegalNoticeCaption", to HKEY_LOCAL_MACHINE\Microsoft\Windows NT\CurrentVersion\Winlogon (value type: REG_SZ)
Double-click the "LegalNoticeCaption" key and set the value to the desired message box title
Add the value "LegalNoticeText", also to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA (value type: REG_SZ)
Double-click the "LegalNoticeText" key and set the value to the desired text of the message box.
Restart Computer
Protect registry from access via Win32 APIs - (Registry)
Use Regedt32.exe to remove "System\CurrentControlSet\Services\Replicator" from HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths\Machine
Restart Computer
Remove default shares
Use Regedt32.exe to add the value "AutoShareWks", to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters (value type: REG_DWORD)
Double-click the "AutoShareWks" key and set the value to: 0
Restart Computer
Prevent guests/null sessions from viewing Event logs - (Registry)
Use Regedt32.exe to add the value "RestrictGuestAccess", to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security, and HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System (value type: REG_DWORD)
Double-click each of the "RestrictGuestAccess" keys and set the values to: 1
Restart Computer
Strong protection over shared objects - (Registry)
Use Regedt32.exe to add the value "ProtectionMode", to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager (value type: REG_DWORD)
Double-click the "ProtectionMode" key and set the value to: 1
Restart Computer
Protect registry from remote connections by all but admin - (Registry permissions)
Install latest Service Pack
Use Regedt32.exe to select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg
Choose "Permissions" from the "Security" menu
Remove all groups but "Administrator"
Restart Computer
Restrict access to Run/RunOnce/Uninstall - (Registry permissions)
Use Regedt32.exe to select the "Run," "RunOnce" and "Uninstall" keys in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
For each key choose "Permissions" from the "Security" menu
For the "Everyone" group change the access permissions to Read.
Restart the Computer
Min. password length of 5 characters
From "User Manager" select "Account" from "Policies" menu
For "Minimum Password Length" enter 5
Password Age of 180 days - (user manager policy)
From "User Manager" select "Account" from "Policies" menu
For "Maximum Password Age" enter 180
User accounts as such (i.e. users don't get Admin/Power User accounts)
As systems are set up, create accounts for users with the least number of permissions necessary (generally "User")
Disable guest accounts
From "User Manager" open "Guest" from users list
Check the "disable account" option
Click OK
Format all partitions using NTFS
If installing NT-
Select NTFS for file system format.
Set appropriate permissions as described below.
On existing systems-
Run "convert : /FS:NTFS" from the Command Prompt
Restart the computer
Set appropriate permissions as described below.
Secure the WinNT directories -
Select the directory in Explorer
From the File menu select "Properties"
Choose the security Tab
* Note - Be sure to apply permissions to parent directories before applying permissions to subdirectories.
Directory / Permissions
\WINNT and all subdirectories under it.
Administrators: Full Control
CREATOR OWNER: Full Control
Everyone: Read
SYSTEM: Full Control
\WINNT\REPAIR
Administrators: Full Control
\WINNT\SYSTEM32\CONFIG
Administrators: Full Control
CREATOR OWNER: Full Control
Everyone: List
SYSTEM: Full Control
\WINNT\SYSTEM32\SPOOL
Administrators: Full Control
CREATOR OWNER: Full Control
Everyone: Read
Power Users: Change
SYSTEM: Full Control
\WINNT\COOKIES
\WINNT\FORMS
\WINNT\HISTORY
\WINNT\OCCACHE
\WINNT\PROFILES
\WINNT\SENDTO
\WINNT\Temporary Internet Files
Administrators: Full Control
CREATOR OWNER: Full Control
Everyone: Special Directory Access - Read, Write and Execute, Special File Access - None
SYSTEM: Full Control
\TEMP directory
Administrators: Full Control
SYSTEM: Full Control
CREATOR OWNER: Full Control
Everyone: Special Directory Access - Read, Write and Execute, Special File Access - None
Secure boot files using the same method used for directories
File / Permissions
\Boot.ini, \Ntdetect.com, \Ntldr
Administrators: Full Control
SYSTEM: Full Control
\Autoexec.bat, \Config.sys
Everybody: Read
Administrators: Full Control
SYSTEM: Full Control
Disable NetBT -
From the Control Panel, open the "Network" applet
Select the Bindings tab
Disable the NetBios bindings with the TCP/IP protocol stack
Click "OK"
Restart the computer as prompted
Restrict Scheduler service to Admin -
Use Regedt32.exe to add the value "Submit Control", to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa (value type: REG_DWORD)
Double-click the "Submit Control" key and set the value to: 0
Restart Computer
Hide last username -
Use Regedt32.exe to add the value "DontDisplayLastUserName", to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (value type: REG_SZ)
Double-click the "DontDisplayLastUserName" key and set the value to: 1
Restart Computer
Restrict anonymous net access to lookup accounts/groups/shares via null sessions-
Use Regedt32.exe to add the value "RestrictAnonymous", to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA (value type: REG_DWORD)
Double-click the "RestrictAnonymous" key and set the value to: 1
Restart Computer
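Verifying the registry settings above - (added example, not part of the original checklist)
The script below checks several of the registry values from this checklist against a text export of the registry, reporting any value that is missing, has the wrong data, or was created with the wrong type. It assumes the export is in the REGEDIT4 text format written by regedit.exe; the names BASELINE, SAMPLE, parse_reg and audit are hypothetical, and the sample export is constructed.

```python
import re

CCS = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet"
# (key, value name, expected data) from the checklist: int = REG_DWORD, str = REG_SZ
BASELINE = [
    (CCS + r"\Services\LanmanServer\Parameters", "AutoShareWks", 0),
    (CCS + r"\Services\EventLog\Application", "RestrictGuestAccess", 1),
    (CCS + r"\Services\EventLog\Security", "RestrictGuestAccess", 1),
    (CCS + r"\Services\EventLog\System", "RestrictGuestAccess", 1),
    (CCS + r"\Control\Session Manager", "ProtectionMode", 1),
    (CCS + r"\Control\Lsa", "RestrictAnonymous", 1),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "DontDisplayLastUserName", "1"),
]

# Constructed sample of a REGEDIT4 export (not taken from a real host)
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"ProtectionMode"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareWks"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"
'''

def parse_reg(text):
    """Parse REGEDIT4 text into {(key_lower, name_lower): int or str}."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry key names are case-insensitive
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if key is None or not m:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            values[(key, name)] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            values[(key, name)] = re.sub(r"\\(.)", r"\1", raw[1:-1])
    return values

def audit(text):
    """Return (key, name, expected, found) for each deviation; found is None if absent."""
    found = parse_reg(text)
    rows = [(k, n, want, found.get((k.lower(), n.lower()))) for k, n, want in BASELINE]
    return [r for r in rows if r[2] != r[3]]
```

On the sample, "AutoShareWks" is reported even though its data reads 0, because it was created as REG_SZ rather than REG_DWORD.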
User rights
Log on locally - Admin, Power Users, Users
Shutdown System - Admin, Power Users, Users
Access from network - Admin, Power Users, Users
Source: http://chemistry.berkeley.edu