Legal notice - (Registry)

  1. Use Regedt32.exe to add the value "LegalNoticeCaption", to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (value type: REG_SZ)
  2. Double-click the "LegalNoticeCaption" key and set the value to the desired message box title
  3. Add the value "LegalNoticeText", also to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA (value type: REG_SZ)
  4. Double-click the "LegalNoticeText" key and set the value to the desired text of the message box.
  5. Restart Computer
Protect registry from access via Win32 APIs - (Registry)
  1. Use Regedt32.exe to remove "System\CurrentControlSet\Services\Replicator" from HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths\Machine
  2. Restart Computer
Remove default shares
  1. Use Regedt32.exe to add the value "AutoShareWks", to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters (value type: REG_DWORD)
  2. Double-click the "AutoShareWks" key and set the value to: 0
  3. Restart Computer
Prevent guests/null sessions from viewing Event logs - (Registry)
  1. Use Regedt32.exe to add the value "RestrictGuestAccess" (value type: REG_DWORD), to each of:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application,
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security, and
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System
  2. Double-click each of the "RestrictGuestAccess" keys and set the values to: 1
  3. Restart Computer
Strong protection over shared objects - (Registry)
  1. Use Regedt32.exe to add the value "ProtectionMode", to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager (value type: REG_DWORD)
  2. Double-click the "ProtectionMode" key and set the value to: 1
  3. Restart Computer
Protect registry from remote connections by all but admin- (Registry permissions)
  1. Install latest Service Pack
  2. Use Regedt32.exe to select HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg
  3. Choose "Permissions" from the "Security" menu
  4. Remove all groups but "Administrator"
  5. Restart Computer
Restrict access to Run/RunOnce/Uninstall - (Registry permissions)
  1. Use Regedt32.exe to select the "Run", "RunOnce" and "Uninstall" keys in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  2. For each key choose "Permissions" from the "Security" menu
  3. For the "Everyone" group change the access permissions to Read.
  4. Restart the Computer
Min. password length of 5 characters
  1. From "User Manager" select "Account" from "Policies" menu
  2. For "Minimum Password Length" enter 5
Password Age of 180 days - (user manager policy)
  1. From "User Manager" select "Account" from "Policies" menu
  2. For "Maximum Password Age" enter 180
User accounts as such (i.e. users don't get Admin/Power User accounts)
As systems are set up, create accounts for users with the least number of permissions necessary (generally "User")
Disable guest accounts
  1. From "User Manager" open "Guest" from users list
  2. Check the "disable account" option
  3. Click OK
Format all partitions using NTFS
If installing NT-
  1. Select NTFS for file system format.
  2. Set appropriate permissions as described below.
On existing systems-
  1. Run "convert : /FS:NTFS" from the Command Prompt
  2. Restart the computer
  3. Set appropriate permissions as described below.
Secure the WinNT directories -
  1. Select the directory in Explorer
  2. From the File menu select "Properties"
  3. Choose the security Tab

* Note - Be sure to apply permissions to parent directories before applying permissions to subdirectories.
Directory
    Permissions

\WINNT and all subdirectories under it
    Administrators: Full Control
    CREATOR OWNER: Full Control
    Everyone: Read
    SYSTEM: Full Control

\WINNT\REPAIR
    Administrators: Full Control

\WINNT\SYSTEM32\CONFIG
    Administrators: Full Control
    CREATOR OWNER: Full Control
    Everyone: List
    SYSTEM: Full Control

\WINNT\SYSTEM32\SPOOL
    Administrators: Full Control
    CREATOR OWNER: Full Control
    Everyone: Read
    Power Users: Change
    SYSTEM: Full Control

\WINNT\COOKIES
\WINNT\FORMS
\WINNT\HISTORY
\WINNT\OCCACHE
\WINNT\PROFILES
\WINNT\SENDTO
\WINNT\Temporary Internet Files
    Administrators: Full Control
    CREATOR OWNER: Full Control
    Everyone: Special Directory Access - Read, Write and Execute, Special File Access - None
    SYSTEM: Full Control

\TEMP directory
    Administrators: Full Control
    SYSTEM: Full Control
    CREATOR OWNER: Full Control
    Everyone: Special Directory Access - Read, Write and Execute, Special File Access - None

Secure boot files using the same method used for directories
File
    Permissions

\Boot.ini, \Ntdetect.com, \Ntldr
    Administrators: Full Control
    SYSTEM: Full Control

\Autoexec.bat, \Config.sys
    Everybody: Read
    Administrators: Full Control
    SYSTEM: Full Control

Disable NetBT -
  1. From the Control Panel, open the "Network" applet
  2. Select the Bindings tab
  3. Disable the NetBios bindings with the TCP/IP protocol stack
  4. Click "OK"
  5. Restart the computer as prompted
Restrict Scheduler service to Admin -
  1. Use Regedt32.exe to add the value "Submit Control", to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa (value type: REG_DWORD)
  2. Double-click the "Submit Control" key and set the value to: 0
  3. Restart Computer
Hide last username -
  1. Use Regedt32.exe to add the value "DontDisplayLastUserName", to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (value type: REG_SZ)
  2. Double-click the "DontDisplayLastUserName" key and set the value to: 1
  3. Restart Computer
Restrict anonymous net access to lookup accounts/groups/shares via null sessions-
  1. Use Regedt32.exe to add the value "RestrictAnonymous", to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA (value type: REG_DWORD)
  2. Double-click the "RestrictAnonymous" key and set the value to: 1
  3. Restart Computer
User rights
  • Log on locally - Admin, Power Users, Users
  • Shutdown System - Admin, Power Users, Users
  • Access from network - Admin, Power Users, Users

Source site: http://chemistry.berkeley.edu


