Security Option Recommendations To Follow When Creating Security Templates

By Author: Mike Jones
Total Articles: 256
Comment this article

Set to Enabled to prevent access using accounts with no passwords over the network. Of course, on all client Microsoft exam 70-297 computers no account should have blank passwords, and this can be controlled by local security policy. However, if users have local Administra?tor rights, they can change the local password policy. They can change this security option as well, but they might not see a need to because they are only wanting easier local access.
Reduce the attack surface by obscuring the name of this powerful account. Enabling this setting does not change the description of the Administrator account.
Enable this setting to ensure an attacker is not given account names. The last logon name is normally displayed when a user attempts to log on at the console. This scenario provides an attacker with a valid account name; the attacker then only has to guess the password. If no account name is provided, an attacker must guess both the account name and password.
Provide a logon warning prepared by your legal department that identifies the restrictions on logon on this ...
... computer. Doing this will not prevent an attacker from logging on if the attacker knows or can deduce an authorized account and password, but it will prove that she was not "invited" in.
Allow Floppy Copy And Access To All Drives And Folders When Using Recovery Console Consider disabling this setting for all client computers. If an attacker can use the recovery console, he can copy the local 70-297 practice test Security Accounts Manager (SAM) and attack it on a computer where he is administrator. He can also copy sensitive files that might be protected otherwise, or access and delete sensitive files. This setting is sometimes enabled to allow technicians an easier way to repair a computer. This might be acceptable for some client systems, especially those that do not store sensi?tive information, but it is not acceptable for systems that require a high security level.

File System and Registry Key Permissions Consider recommendations in the Windows XP Security Guide for Secure Clients. Settings are adequate for most cli?ents; additional hardening might be necessary on sensitive client computers. Any changes, however, should be thoroughly tested before being made in a produc?tion environment.
System Services Control startup values for services by making changes in this area of Group Policy. Consider disabling, at a minimum, the services listed in Table 11-2. Evaluate the need for other services on a case-by-case basis. Set permissions on all services to ensure, except in unique circumstances, only adminis?trators can stop and start services and change the startup value. If there is a valid need for an ordinary user to start a service—for example, when he needs to exe?cute a program that runs as a Free A+ exam questions service—grant him the right to start the service but not to change its startup mode.