- Created by Tareq Abdo Saif, last modified by Ian Vaino on Jun 18, 2019
Summary
Berkeley Lab IT provides a Windows Standard Security Configuration, which can be installed in one of two ways:
- It is available as a GPO to systems in the LBL Active Directory domain (for more information, see Active Directory)
- It is available as an offer through BigFix (for more information on using BigFix offers, go to the BigFix Offers page)
This page lists the various settings deployed as part of this configuration profile. Note that this page is for reference purposes and was generated by a script; it is not intended to be easily readable.
Configuration Changes
Renames the Administrator user to PCTech
Renames the Guest user to Guest-local
Removes the Guest user from the Guests group
Disables the Guest user
Configures Windows Update to use wsus.lbl.gov
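The following script is an added example and is not part of the LBL page or its GPO/BigFix tooling. It is a read-only check of the five configuration changes listed above, run locally on one machine. It assumes PowerShell 5.1 or later (for the Microsoft.PowerShell.LocalAccounts cmdlets) and an elevated session; the WSUS check assumes the GPO populates the standard `WUServer` and `UseWUServer` values under the WindowsUpdate policy key, which the page does not state, and the exact WUServer URL (port, scheme) is not given on the page, so only the hostname `wsus.lbl.gov` is matched.

```powershell
# Added example (not the LBL page's code): verify the "Configuration Changes"
# list on the local machine. Read-only; reports deviations, changes nothing.
$expectedWsus = 'wsus.lbl.gov'   # hostname taken from the page
$findings = New-Object System.Collections.Generic.List[string]

# Well-known RIDs: 500 = built-in Administrator, 501 = built-in Guest.
# Look both up by SID so the check still works after the accounts are renamed.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-*-500' }
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-*-501' }

if ($admin.Name -ne 'PCTech')      { $findings.Add("Administrator (RID 500) is named '$($admin.Name)', expected 'PCTech'") }
if ($guest.Name -ne 'Guest-local') { $findings.Add("Guest (RID 501) is named '$($guest.Name)', expected 'Guest-local'") }
if ($guest.Enabled)                { $findings.Add("Guest account (RID 501) is enabled") }

# Membership is tested by SID, not by name, because the account is renamed.
$guestsMembers = Get-LocalGroupMember -Group 'Guests' -ErrorAction SilentlyContinue
if ($guestsMembers | Where-Object { $_.SID.Value -eq $guest.SID.Value }) {
    $findings.Add("Guest account (RID 501) is still a member of the Guests group")
}

# Assumption: the GPO sets WUServer/WUStatusServer under the WindowsUpdate
# policy key and UseWUServer=1 under its AU subkey (the usual WSUS policy layout).
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue
if ($null -eq $wu -or $wu.WUServer -notmatch [regex]::Escape($expectedWsus)) {
    $findings.Add("WUServer is '$($wu.WUServer)', expected a URL on $expectedWsus")
}
if ($null -eq $au -or $au.UseWUServer -ne 1) {
    $findings.Add("UseWUServer is not 1; the client will ignore the configured WSUS server")
}

if ($findings.Count -eq 0) { 'Compliant with the Configuration Changes list' }
else { $findings | ForEach-Object { "NONCOMPLIANT: $_" } }
```

Checking by RID rather than by name is the point of the example: renaming the built-in Administrator and Guest accounts is a policy here, so any later audit that looks for an account literally called "Administrator" or "Guest" would report it missing instead of verifying the rename.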
Disabled Services
Note: not all of these services exist in all versions of Windows
| Name | Description |
|---|---|
| browser | Let users easily browse and locate shared resources in neighboring computers |
| wdiservicehost | The Diagnostic Service Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local Service context |
| homegrouplistener | Makes local computer changes associated with configuration and maintenance of the homegroup-joined computer |
| homegroupprovider | Performs networking tasks associated with configuration and maintenance of homegroups. |
| ipbusenum | The PnP-X bus enumerator service manages the virtual network bus. It discovers network connected devices using the SSDP/WS discovery protocols and gives them presence in PnP. |
| Mcx2Svc | Allows Media Center Extenders to locate and connect to the computer. |
| cscservice | The Offline Files service performs maintenance activities on the Offline Files cache, responds to user logon and logoff events, implements the internals of the public API, and dispatches interesting events to those interested in Offline Files activities and changes in cache state. |
| remoteregistry | Enables remote users to modify registry settings on this computer. |
| seaport | SeaPort enables the detection, download and installation of up-to-date configuration files for Microsoft Search Enhancement applications and provides server communication for the customer experience improvement program. |
| ssdpsrv | Discovers networked devices and services that use the SSDP discovery protocol, such as UPnP devices. Also announces SSDP devices and services running on the local computer. |
| upnphost | Allows UPnP devices to be hosted on this computer. |
| ehrecvr | Windows Media Center Service for TV and FM broadcast reception. |
| ehSched | Starts and stops recording of TV programs within Windows Media Center. |
| wmpnetworksvc | Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play. |
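As an added example (not code from the LBL page or from its BigFix offer), the script below audits the start type of every service in the table above and, only when `$Enforce` is flipped to `$true`, disables the ones that are still enabled. It assumes PowerShell 5.1 or later (the `StartType` property on service objects) and an elevated session for enforcement; the service list is copied from the table. Services that do not exist on the running Windows version are reported as absent and counted as compliant, matching the note above the table.

```powershell
# Added example (not the LBL page's code): audit, and optionally enforce,
# the "Disabled Services" table. Default run is read-only.
$Enforce = $false

$disabledServices = @(
    'browser', 'wdiservicehost', 'homegrouplistener', 'homegroupprovider',
    'ipbusenum', 'Mcx2Svc', 'cscservice', 'remoteregistry', 'seaport',
    'ssdpsrv', 'upnphost', 'ehrecvr', 'ehSched', 'wmpnetworksvc'
)

$report = foreach ($name in $disabledServices) {
    # Short service names match case-insensitively; a missing service is
    # expected on some Windows versions, so it is not a finding.
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        [pscustomobject]@{ Service = $name; Present = $false; StartType = 'n/a'; Status = 'n/a'; Compliant = $true }
        continue
    }
    [pscustomobject]@{
        Service   = $name
        Present   = $true
        StartType = [string]$svc.StartType   # Disabled, Manual or Automatic
        Status    = [string]$svc.Status      # Running or Stopped
        Compliant = ($svc.StartType -eq 'Disabled')
    }
}

# Non-compliant rows sort first (False before True).
$report | Sort-Object Compliant, Service | Format-Table -AutoSize

if ($Enforce) {
    foreach ($row in $report | Where-Object { $_.Present -and -not $_.Compliant }) {
        # Stop first: changing the start type alone leaves a running instance
        # serving until the next reboot.
        Stop-Service -Name $row.Service -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $row.Service -StartupType Disabled
        "Disabled $($row.Service) (was $($row.StartType))"
    }
}
```

A service whose start type is Manual but which is currently Stopped still shows as non-compliant here, since the profile disables the service rather than merely stopping it; anything that can start it on demand (a UPnP discovery packet for ssdpsrv, for example) would otherwise bring it back.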
Security Profile Applied
Summary
- Configures password complexity requirements
- Configures network authentication behavior
- Sets lockout policies
- Sets logging policies
- Sets federal disclaimer
Security Template
Note: These settings were exported from an AD environment and not all configuration changes are relevant on a standalone system
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 180
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 4
LockoutBadCount = 5
ResetLockoutCount = 10
LockoutDuration = 10
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
EnableGuestAccount = 0
[System Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
[Security Log]
MaximumLogSize = 81920
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
[Application Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 2
AuditPolicyChange = 1
AuditAccountManage = 3
AuditDSAccess = 3
AuditAccountLogon = 3
[Registry Values]
machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\maximumpasswordage=4,30
machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0
machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4,0
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares=7,
machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15
machine\system\currentcontrolset\control\lsa\restrictanonymoussam=4,1
machine\system\currentcontrolset\control\lsa\restrictanonymous=4,1
machine\system\currentcontrolset\control\lsa\nolmhash=4,1
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,3
machine\system\currentcontrolset\control\lsa\limitblankpassworduse=4,1
machine\system\currentcontrolset\control\lsa\forceguest=4,0
machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous=4,0
machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=7,This is a Federal computer system and is the property of the United States Government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system may be intercepted"," monitored"," recorded"," copied"," audited"," inspected"," and disclosed to authorized site"," Department of Energy"," and law enforcement personnel"," as well as authorized officials of other agencies"," both domestic and foreign. By using this system"," the user consents to such interception"," monitoring"," recording"," copying"," auditing"," inspection"," and disclosure at the discretion of authorized site or Department of Energy personnel. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1,"NOTICE TO USERS"
machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,0
machine\software\microsoft\windows\currentversion\policies\system\disablecad=4,0
machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,"1"
machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14
machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,"2"
machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,"2"
machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0
[Privilege Rights]
seassignprimarytokenprivilege = *S-1-5-19,*S-1-5-20
sedebugprivilege =
seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-545
senetworklogonright = *S-1-5-32-544,*S-1-5-32-545
setcbprivilege =
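The script below is an added example, not part of the LBL page or of the secedit tooling. It parses the `[Registry Values]` section of a security template in the format shown above and compares each entry with the live registry, so a machine can be checked against the template without applying it. The embedded template is a constructed excerpt of the one above (a full exported .inf can be assigned to `$template` instead). Assumptions: the secedit type codes 1, 4 and 7 mean REG_SZ, REG_DWORD and REG_MULTI_SZ; a `","` sequence inside a type-7 value, as in the legalnoticetext line above, is treated as a literal comma rather than a list separator; and the session is elevated so every HKLM key is readable.

```powershell
# Added example (not the LBL page's code): read-only comparison of a
# security template's [Registry Values] section against the local registry.
$template = @'
[Registry Values]
machine\system\currentcontrolset\control\lsa\nolmhash=4,1
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,3
machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares=7,
machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,"2"
machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1,"NOTICE TO USERS"
[Privilege Rights]
sedebugprivilege =
'@

function Parse-RegistryValues {
    param([string]$Inf)
    $inSection = $false
    $sep = [string][char]0x1F   # placeholder for an escaped "," inside a multi-string
    foreach ($line in $Inf -split "`r?`n") {
        # Track which [section] we are in; only [Registry Values] is parsed.
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Registry Values'); continue }
        if (-not $inSection -or $line -notmatch '^\s*(?<path>[^=]+?)\s*=\s*(?<type>\d+),(?<raw>.*)$') { continue }
        # "machine\" maps to the HKLM: provider drive; the rest of the path is unchanged.
        $path = $Matches.path -replace '^machine\\', 'HKLM:\'
        $raw  = $Matches.raw
        # secedit type codes (assumption, see lead-in): 1 REG_SZ, 4 REG_DWORD, 7 REG_MULTI_SZ.
        $expected = switch ([int]$Matches.type) {
            1 { $raw.Trim('"') }
            4 { [int]$raw }
            7 { if ($raw -eq '') { ,@() } else { ,@(($raw.Replace('","', $sep) -split ',') | ForEach-Object { $_.Replace($sep, ',') }) } }
            default { $raw }
        }
        [pscustomobject]@{
            Key      = Split-Path $path -Parent
            Name     = Split-Path $path -Leaf
            Type     = [int]$Matches.type
            Expected = $expected
        }
    }
}

function Test-RegistryValues {
    param($Entries)
    foreach ($e in $Entries) {
        $item = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
        # Normalise both sides to one string: scalars as-is, multi-strings comma-joined,
        # and a missing key or value reported explicitly rather than as an empty match.
        $exp = @($e.Expected) -join ','
        $act = if ($null -eq $item) { '<absent>' } else { @($item.($e.Name)) -join ',' }
        [pscustomobject]@{
            Value    = "$($e.Key)\$($e.Name)"
            Expected = $exp
            Actual   = $act
            Match    = ($exp -eq $act)
        }
    }
}

Test-RegistryValues (Parse-RegistryValues $template) | Format-Table -AutoSize -Wrap
```

The same comparison, covering the other sections as well, is what `secedit /analyze /db <file.sdb> /cfg <template.inf> /log <file.log>` performs against its database; the parser here is useful when you want the result as objects (for a BigFix analysis or a scheduled report) rather than in secedit's log. Entries such as `nullsessionshares=7,` are the case to watch: an empty multi-string is a deliberate setting, distinct from the value being absent, and the script keeps those two outcomes apart.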