
Protecting SAM and Security Hives, part 2

Pages: 7      File type: pdf      Size: 44.68 KB

Content extracted from the document:
Table 9.3: Recommended Settings for the Account Lockout Policy

Setting: Account lockout duration
Description: The number of minutes a locked-out account will stay locked out. If this is set to 0, the account will have to be unlocked by an administrator or someone who has been given the right to do so.
Recommended setting: 30 minutes

Setting: Account lockout threshold
Description: The number of incorrect attempts at guessing a password that can be made before the account is locked out.
Recommended setting: 5 invalid logons

Setting: Reset account lockout counter after
Description: The number of minutes after which the count of invalid logon attempts will be reset. If the number of minutes between one invalid logon and another is greater than the number of minutes to which this setting is configured, the previous invalid logon attempts won't matter.
Recommended setting: 10 minutes

Note: A good password policy is essential to network security, but, unfortunately, it is often overlooked. Here are several tips about the worst practices that you should avoid under all circumstances:

• Do not create local Administrator accounts (or common domain-level administrator accounts) using a variation of the company name, computer name, advertising tag lines or dictionary words, such as %companyname%#1, win2k%companyname%, etc.
• Do not create new user accounts with simple passwords that the user is not required to change after the first logon.

Be aware that none of the above-described settings can force your end users to create strong passwords. Similarly, even the strongest password policy cannot prevent users from writing down their passwords and attaching a note to their monitors, sharing passwords with other users, or complaining to management when they have to get help to reset a password they have forgotten.

Protecting the Local Administrator Account

When your Windows NT-based system is joined to a domain, the local Administrator account is still present (as was already mentioned, it resides in %SystemRoot%\System32\Config\SAM). Actually, members of the Domain Admins group can administer the local system only because this group is added to the local Administrators group. Hence, it is necessary to protect the local Administrator account from unauthorized use or misuse. This goal can be achieved by taking the following protective steps:

• As aforementioned, physical security is essential. Although this recommendation might seem elementary, you must not overlook such obvious things. As statistics have shown, most security incidents in corporate environments occur from the inside. Therefore, it is necessary to physically secure all servers (they should be placed in a physically secure room with monitored access) and critical workstations (consider locking the cases or using removable hard drives that are locked up at night). On physically unsecured systems, disable the ability to boot from a CD or floppy. Also, for extra security, disable AutoRun functionality for CD-ROM drives on physically insecure systems. Finally, when considering physical security, do not forget about securing your backup media.
• Use NTFS on all partitions. For Windows 2000, Windows XP, and Windows Server 2003, enable EFS (Encrypting File System), a powerful built-in encryption system that adds an extra layer of security to drives, folders, or files. Be sure to enable encryption on folders, not just files: all files that are placed in an encrypted folder will be encrypted. In particular, it is recommended that the user encrypt the TEMP folder, which is used by applications to temporarily store copies of files being modified (notice that applications do not always clean that folder after closing the files).
• Restrict the number of unnecessary user accounts, such as any duplicate user accounts, accounts created for testing purposes, shared accounts, etc. Most generic accounts have weak passwords and provide lots of unnecessary access rights.
• In Windows NT 4.0, disable the Guest account. Although Windows 2000 and its successors disable the Guest account by default, it is still recommended that you make sure that someone has not enabled it. For additional security, assign a complex password to the account anyway, and restrict its logon hours.
• Restrict the addition of local accounts to the local Administrators group, and require a strong password for the local Administrator account.
• Rename the Administrator account. Although this won't stop qualified intruders (they will use the SID to find out the name of the Administrator account), it will still result in a time delay. When renaming the local Administrator account, try to avoid using the word Admin in its name. Also, consider creating a dummy account named Administrator with a long, rather complex password and no privileges. Enable auditing on this account to get information when someone is tampering with it.
• Shut down and disable unnecessary services, since they take up system resources and can open holes into your operating system. IIS, RAS, and Terminal Services have security and configuration issues of their own, and should be implemented carefully if required. You should be aware of all the services that run on your servers and audit them periodically. Also, on Windows 2000 systems, it is recommended that you remove the OS/2 and POSIX subsystems if you do not use them (and, in fact, they ...
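The three settings in Table 9.3 interact in a way that is easier to see when replayed. The following is an added example, not code from the book: a small Python model of one account's lockout counter under the recommended duration, threshold and reset window. The class and function names, and the minute offsets used as input, are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class LockoutPolicy:
    """The three Table 9.3 settings; times are in minutes."""
    duration_min: int = 30      # Account lockout duration (0 = an administrator must unlock)
    threshold: int = 5          # Account lockout threshold (0 = never lock out)
    reset_after_min: int = 10   # Reset account lockout counter after

@dataclass
class AccountState:
    bad_count: int = 0
    last_bad_at: Optional[int] = None   # time of the last counted invalid logon
    locked_at: Optional[int] = None     # time the lockout started, None if not locked

def is_locked(policy: LockoutPolicy, state: AccountState, now: int) -> bool:
    if state.locked_at is None:
        return False
    if policy.duration_min == 0:
        return True                      # stays locked until admin_unlock()
    return now < state.locked_at + policy.duration_min

def record_failed_logon(policy: LockoutPolicy, state: AccountState, now: int) -> bool:
    """Apply one invalid logon at minute `now`; return True if the account is locked afterwards."""
    if is_locked(policy, state, now):
        return True
    if state.locked_at is not None:      # lockout duration has expired: auto-unlock, fresh count
        state.locked_at, state.bad_count = None, 0
    if policy.threshold == 0:
        return False
    # Reset window: a gap longer than reset_after_min means earlier attempts no longer matter
    if state.last_bad_at is not None and now - state.last_bad_at > policy.reset_after_min:
        state.bad_count = 0
    state.bad_count += 1
    state.last_bad_at = now
    if state.bad_count >= policy.threshold:
        state.locked_at = now
        return True
    return False

def admin_unlock(state: AccountState) -> None:
    """What 'unlocked by an administrator' does to the account's counters."""
    state.locked_at, state.bad_count, state.last_bad_at = None, 0, None

def simulate(policy: LockoutPolicy, failure_times: List[int]) -> List[bool]:
    """Replay invalid logons (minute offsets) and report the lock state after each one."""
    state = AccountState()
    return [record_failed_logon(policy, state, t) for t in failure_times]
```

With the recommended values, five attempts spaced 11 minutes apart never lock the account, while five spaced exactly 10 minutes apart do, since the counter resets only when the gap is greater than the window.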
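To check the Table 9.3 values together with the Guest-account and Administrator-rename steps above against a system's actual policy, here is an added Python example (not the book's code). It assumes the INI-style [System Access] keys that `secedit /export /cfg <file>` writes on Windows 2000 and later, and runs on a constructed, deliberately non-compliant sample.

```python
# Constructed stand-in for the INF text written by "secedit /export /cfg <file>"
# (assumption: a real export is UTF-16 and has more sections; only [System Access] matters here)
SAMPLE_INF = """\
[Version]
signature="$CHICAGO$"
[System Access]
LockoutBadCount = 10
ResetLockoutCount = 10
LockoutDuration = 15
NewAdministratorName = "ServerAdmin"
NewGuestName = "Guest"
EnableGuestAccount = 1
"""

def parse_inf(text: str) -> dict:
    """Parse INI-style template text into {section: {key: value}}, stripping quotes."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        key, sep, value = line.partition("=")
        if current is not None and sep:
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def audit_system_access(text: str) -> list:
    """Compare [System Access] with Table 9.3 and the local-account steps; return findings."""
    sa = parse_inf(text).get("System Access", {})
    findings = []
    threshold = int(sa.get("LockoutBadCount", 0))
    if threshold == 0 or threshold > 5:
        findings.append(f"LockoutBadCount={threshold}: recommended 5 invalid logons")
    if threshold and int(sa.get("ResetLockoutCount", 0)) < 10:   # only meaningful with a threshold
        findings.append("ResetLockoutCount: recommended 10 minutes")
    duration = int(sa.get("LockoutDuration", 0))
    if threshold and duration and duration < 30:   # 0 means an administrator must unlock
        findings.append(f"LockoutDuration={duration}: recommended 30 minutes")
    if sa.get("EnableGuestAccount", "0") != "0":
        findings.append("EnableGuestAccount=1: disable the Guest account")
    admin_name = sa.get("NewAdministratorName", "Administrator")
    if "admin" in admin_name.lower():        # covers the default name and any 'Admin' variant
        findings.append(f"NewAdministratorName={admin_name}: rename it and avoid 'Admin'")
    return findings
```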
