
Summary

Berkeley Lab IT provides a Windows Standard Security Configuration, which can be installed in one of two ways:

  1. It is available as a GPO to systems in the LBL Active Directory domain (for more information, see Active Directory)
  2. It is available as an offer through BigFix (for more information on using BigFix offers, go to the BigFix Offers page)

This page lists the settings deployed as part of this configuration profile. Note that this page is for reference purposes and was generated by a script; it is not intended to be easily readable.

Configuration Changes

Renames the Administrator user to PCTech
Renames the Guest user to Guest-local
Removes the Guest user from the Guests group
Disables the Guest user
Configures Windows Update to use wsus.lbl.gov

Disabled Services

Note: not all of these services exist in all versions of Windows

Name                Description
browser             Lets users easily browse and locate shared resources in neighboring computers.
wdiservicehost      The Diagnostic Service Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local Service context.
homegrouplistener   Makes local computer changes associated with configuration and maintenance of the homegroup-joined computer.
homegroupprovider   Performs networking tasks associated with configuration and maintenance of homegroups.
ipbusenum           The PnP-X bus enumerator service manages the virtual network bus. It discovers network connected devices using the SSDP/WS discovery protocols and gives them presence in PnP.
Mcx2Svc             Allows Media Center Extenders to locate and connect to the computer.
cscservice          The Offline Files service performs maintenance activities on the Offline Files cache, responds to user logon and logoff events, implements the internals of the public API, and dispatches interesting events to those interested in Offline Files activities and changes in cache state.
remoteregistry      Enables remote users to modify registry settings on this computer.
seaport             SeaPort enables the detection, download and installation of up-to-date configuration files for Microsoft Search Enhancement applications and provides server communication for the customer experience improvement program.
ssdpsrv             Discovers networked devices and services that use the SSDP discovery protocol, such as UPnP devices. Also announces SSDP devices and services running on the local computer.
upnphost            Allows UPnP devices to be hosted on this computer.
ehrecvr             Windows Media Center Service for TV and FM broadcast reception.
ehSched             Starts and stops recording of TV programs within Windows Media Center.
wmpnetworksvc       Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play.
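The PowerShell script below is an added example, not part of the lab's GPO or BigFix offer, that audits a host against the two lists above: the account renames and Guest settings under Configuration Changes, the WSUS setting, and the start type of every service in the table. It identifies the built-in Administrator and Guest accounts by RID (500 and 501) rather than by name, so the check is correct whether or not the renames have already been applied, and it skips services that do not exist on the running Windows version, as the note above anticipates. Assumptions of the example: the LocalAccounts cmdlets (Windows 10 / Server 2016 or later, run elevated), the standard Windows Update policy value HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer, and that the page gives only the WSUS host name, not the URL scheme or port.

```powershell
# Added example: audit a host against the "Configuration Changes" and "Disabled Services"
# lists on this page. Not part of the Berkeley Lab GPO or BigFix offer.
# Run from an elevated prompt; needs the LocalAccounts module (Windows 10 / Server 2016+).

$ExpectedAdminName = 'PCTech'
$ExpectedGuestName = 'Guest-local'
$ExpectedWsusHost  = 'wsus.lbl.gov'   # the page gives only the host name, not scheme or port

# Service names from the table above; not all exist on every Windows version
$DisabledServices = @(
    'browser', 'wdiservicehost', 'homegrouplistener', 'homegroupprovider', 'ipbusenum',
    'Mcx2Svc', 'cscservice', 'remoteregistry', 'seaport', 'ssdpsrv', 'upnphost',
    'ehrecvr', 'ehSched', 'wmpnetworksvc'
)

$findings = New-Object System.Collections.Generic.List[string]

# Built-in accounts are identified by RID, not name, so a rename cannot hide them from this check
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }

if ($admin.Name -ne $ExpectedAdminName) {
    $findings.Add("Built-in Administrator (RID 500) is named '$($admin.Name)', expected '$ExpectedAdminName'")
}
if ($guest.Name -ne $ExpectedGuestName) {
    $findings.Add("Built-in Guest (RID 501) is named '$($guest.Name)', expected '$ExpectedGuestName'")
}
if ($guest.Enabled) {
    $findings.Add('Built-in Guest account is enabled')
}

# Guest must not be a member of the local Guests group (well-known SID S-1-5-32-546)
$guestsGroup  = Get-LocalGroup -SID 'S-1-5-32-546'
$guestMembers = Get-LocalGroupMember -Group $guestsGroup -ErrorAction SilentlyContinue
if ($guestMembers | Where-Object { $_.SID.Value -eq $guest.SID.Value }) {
    $findings.Add("Built-in Guest account is still a member of '$($guestsGroup.Name)'")
}

# Windows Update reads its server from the WindowsUpdate policy key (assumed standard location)
$wu = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
if (-not $wu -or $wu.WUServer -notmatch [regex]::Escape($ExpectedWsusHost)) {
    $findings.Add("WUServer is '$($wu.WUServer)', expected a URL on $ExpectedWsusHost")
}

# A service missing on this Windows version is not a finding; an existing one must be Disabled and stopped
foreach ($name in $DisabledServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }
    if ($svc.StartType -ne 'Disabled') {
        $findings.Add("Service '$name' start type is $($svc.StartType), expected Disabled")
    }
    if ($svc.Status -eq 'Running') {
        $findings.Add("Service '$name' is running")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'PASS: host matches the Configuration Changes and Disabled Services lists'
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```

Run it after the GPO has applied (gpupdate /force) or after the BigFix offer has completed; a non-zero exit code makes it usable as a BigFix analysis or scheduled compliance check.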

Security Profile Applied

Summary

  • Configures password complexity requirements
  • Configures network authentication behavior
  • Sets lockout policies
  • Sets logging policies
  • Sets federal disclaimer

Security Template

Note: these settings were exported from an AD environment, so not all of them are relevant on a standalone system.

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 180
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 4
LockoutBadCount = 5
ResetLockoutCount = 10
LockoutDuration = 10
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
EnableGuestAccount = 0
[System Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
[Security Log]
MaximumLogSize = 81920
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
[Application Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 2
AuditPolicyChange = 1
AuditAccountManage = 3
AuditDSAccess = 3
AuditAccountLogon = 3
[Registry Values]
machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\maximumpasswordage=4,30
machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0
machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4,0
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares=7,
machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15
machine\system\currentcontrolset\control\lsa\restrictanonymoussam=4,1
machine\system\currentcontrolset\control\lsa\restrictanonymous=4,1
machine\system\currentcontrolset\control\lsa\nolmhash=4,1
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,3
machine\system\currentcontrolset\control\lsa\limitblankpassworduse=4,1
machine\system\currentcontrolset\control\lsa\forceguest=4,0
machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous=4,0
machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=7,This is a Federal computer system and is the property of the United States Government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system may be intercepted"," monitored"," recorded"," copied"," audited"," inspected"," and disclosed to authorized site"," Department of Energy"," and law enforcement personnel"," as well as authorized officials of other agencies"," both domestic and foreign. By using this system"," the user consents to such interception"," monitoring"," recording"," copying"," auditing"," inspection"," and disclosure at the discretion of authorized site or Department of Energy personnel. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1,"NOTICE TO USERS"
machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,0
machine\software\microsoft\windows\currentversion\policies\system\disablecad=4,0
machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,"1"
machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14
machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,"2"
machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,"2"
machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0
[Privilege Rights]
seassignprimarytokenprivilege = *S-1-5-19,*S-1-5-20
sedebugprivilege =
seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-545
senetworklogonright = *S-1-5-32-544,*S-1-5-32-545
setcbprivilege =
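To verify that a host actually carries the template above, the script below, an added example that is not part of the lab's configuration, exports the local security policy with the built-in secedit.exe, parses both the export and the template (the same INF format) into section/key/value maps, and prints every setting whose local value differs from the template. Keys are compared case-insensitively because secedit exports registry paths in mixed case, and [Privilege Rights] entries are compared as SID sets because their order is not significant. Assumptions of the example: the template text above has been saved as .\LBL-Standard.inf (the path is the example's, not the page's), and the script runs from an elevated prompt so that secedit can export.

```powershell
# Added example: compare the local security policy with the LBL security template on this page.
# Not part of the Berkeley Lab GPO or BigFix offer. secedit.exe is built into Windows; run elevated.
# Save the template text (from [Unicode] through [Privilege Rights]) as .\LBL-Standard.inf first.

$TemplatePath = '.\LBL-Standard.inf'              # assumed location of the saved template
$ExportPath   = Join-Path $env:TEMP 'local-secpol.inf'

# Parse a secedit-style INF into @{ Section = @{ key = value } }; keys lower-cased for comparison
function Read-SecurityInf {
    param([string]$Path)
    $sections = @{}
    $current  = $null
    foreach ($line in Get-Content -Path $Path) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            if (-not $sections.ContainsKey($current)) { $sections[$current] = @{} }
            continue
        }
        if ($current -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $sections[$current][$Matches[1].ToLowerInvariant()] = $Matches[2]
        }
    }
    return $sections
}

# User rights are comma-separated SID lists; order is irrelevant, so compare them as sorted sets.
# An empty template value (e.g. sedebugprivilege =) means no account holds the right.
function Test-SameValue {
    param([string]$Section, [string]$Expected, [string]$Actual)
    if ($Section -eq 'Privilege Rights') {
        $e = @($Expected -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }) | Sort-Object
        $a = @($Actual   -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }) | Sort-Object
        return (($e -join ',') -eq ($a -join ','))
    }
    return ($Expected -eq $Actual)
}

& secedit.exe /export /cfg $ExportPath /quiet | Out-Null
if (-not (Test-Path $ExportPath)) { throw 'secedit export failed; run from an elevated prompt' }

$expected = Read-SecurityInf -Path $TemplatePath
$actual   = Read-SecurityInf -Path $ExportPath

$sectionsToCheck = 'System Access', 'System Log', 'Security Log', 'Application Log',
                   'Event Audit', 'Registry Values', 'Privilege Rights'

$drift = foreach ($section in $sectionsToCheck) {
    if (-not $expected.ContainsKey($section)) { continue }
    foreach ($key in $expected[$section].Keys) {
        $want = $expected[$section][$key]
        $have = if ($actual.ContainsKey($section) -and $actual[$section].ContainsKey($key)) {
                    $actual[$section][$key]
                } else { '<not set>' }
        if (-not (Test-SameValue -Section $section -Expected $want -Actual $have)) {
            [pscustomobject]@{ Section = $section; Setting = $key; Template = $want; Local = $have }
        }
    }
}

if ($drift) { $drift | Format-Table -AutoSize -Wrap } else { Write-Output 'Local policy matches the template' }
Remove-Item $ExportPath -ErrorAction SilentlyContinue
```

Anything reported under Local as <not set> is not configured on the host at all, which on a standalone system is expected for the Netlogon secure-channel values the note above mentions. On Vista and later, advanced audit policy subcategories override the legacy [Event Audit] categories, so confirm the effective audit settings with auditpol /get /category:* rather than from the secedit export alone. Two values worth reading from the template rather than from a bare pass/fail: requiresecuritysignature is 0 for both lanmanworkstation and lanmanserver, so SMB signing is enabled but never required, and lmcompatibilitylevel=3 sends NTLMv2 only as a client while still accepting LM and NTLM as a server. A host that matches this template therefore matches the lab baseline, not a maximally hardened configuration.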
