Inappropriate Security Settings

Many Microsoft Windows security guidelines from organizations such as Microsoft, CIS, and NIST contain guidance that may significantly restrict the functionality of a system. A Microsoft KB article, Security Configuration Guidance Support, describes a number of settings (its "High Security" level) that, in Microsoft's words:

… is inappropriate for the vast majority of systems that are running Windows. We recommend that you do not use the High Security level on general-purpose workstations. We recommend that you use the High Security level only on systems where compromise would cause the loss of life, the loss of extremely valuable information, or the loss of lots of money.

The article suggests taking additional precautions when doing the following:

• Edit access control lists (ACLs) for files and registry keys

• Enable Microsoft network client: Digitally sign communications (always)

• Enable Network security: Do not store LAN Manager hash value on next password change

• Enable System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

• Disable Automatic Update service or Background Intelligent Transfer Service (BITS)

• Disable NetLogon service

• Enable NoNameReleaseOnDemand
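Before applying any of the settings above it helps to know where a system currently stands, so that a guideline's change can be recognized and rolled back if it breaks something. The following PowerShell audit script is an added example, not code from the original post or from the KB article; the registry paths and value names are the ones Windows uses for these policies to my knowledge, and the service names (wuauserv, BITS, Netlogon) are the standard ones. It reads the values and reports their state; it changes nothing.

```powershell
# Added example (not from the original post or the KB article): report the
# current state of the settings the KB article flags, without changing them.
# Registry paths and value names are assumed from the usual policy mappings;
# confirm them against the Security Options reference for your Windows build.

$checks = @(
    @{ Name  = 'Microsoft network client: Digitally sign communications (always)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature' },
    @{ Name  = 'Network security: Do not store LAN Manager hash value on next password change'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'NoLMHash' },
    @{ Name  = 'System cryptography: Use FIPS compliant algorithms'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
       Value = 'Enabled' },
    @{ Name  = 'NoNameReleaseOnDemand (NetBT)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
       Value = 'NoNameReleaseOnDemand' }
)

function Get-HardeningState {
    # Registry-backed settings: a missing value means the OS default applies.
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $state = 'not set (OS default)'
        } else {
            $state = $item.($c.Value)
        }
        [pscustomobject]@{
            Setting = $c.Name
            Source  = "$($c.Path)\$($c.Value)"
            State   = $state
        }
    }

    # Services the KB article warns against disabling. StartType requires
    # PowerShell 5.0 or later; on older hosts query Win32_Service instead.
    foreach ($svc in 'wuauserv', 'BITS', 'Netlogon') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($null -eq $s) {
            $state = 'not installed'
        } else {
            $state = "$($s.Status), StartType=$($s.StartType)"
        }
        [pscustomobject]@{
            Setting = "Service: $svc"
            Source  = 'Get-Service'
            State   = $state
        }
    }
}

# Run from an elevated prompt so every key is readable; save the output
# as the baseline to compare against after a guideline is applied.
Get-HardeningState | Format-Table -AutoSize
```

Keeping the pre-hardening output alongside the post-hardening output makes it straightforward to trace a broken application (for example a legacy SMB device that cannot sign, or an old application that depends on the LM hash) back to the specific setting that changed.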

Steve Mullen has been involved in information technology for over 35 years. He is also actively involved in the music program (voice and English hand bells) and Vestry of St. Anne’s Episcopal Church in Damascus, MD.

Posted in Blog, IT Management, Microsoft, Security


June 2006