To remove this functionality, set the following Registry key settings: Hive: HKEY_LOCAL_MACHINE Path: System\CurrentControlSet\Services\LanmanServer\Parameters Key: AutoShareServer Type: DWORD Value: 0

To remove automatic administrative shares functionality, set or modify the following registry settings: Hive: HKEY_LOCAL_MACHINE Path: System\CurrentControlSet\Services\LanmanServer\Parameters Key: AutoShareWks Type: DWORD Value: 0

To restrict the allocation of CDROMs to only the interactive user, set the following registry key settings: Hive: HKEY_LOCAL_MACHINE Path: Software\Microsoft\Windows NT\CurrentVersion\Winlogon Value: AllocateCDRoms Type: REG_SZ Data: 1

Allow the user to change their password by doing the following: 1. Open User Manager. 2. Select the user from the list box. 3. Select properties from the User menu. 4. Uncheck "User Cannot Change Password." 5. Click "OK".

This is a security-related warning. The File System Object (FSO) should be disabled and restricted if not needed for administrative tasks or core applications#42;. To unregister the File System Object, perform one of the following: Delete the FSO registry keys "HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}" including the subkeys, and "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}" including the subkeys. or Unregister the FSO using the Microsoft "regsvr32" utility. Obtain the FSO file path using the registry editor to view to "HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32\(Default)". From a command prompt or Run menu, type and execute regsvr32 /u FILEPATH to unregister the FSO, where FILEPATH is the data obtained from the (Default) registry value. The "unregister" will be indicated by a message stating the DllUnregisterServer succeeded. #42;Note: Unregistering the FSO on a machine may disable functionality in applications using the Microsoft Scripting Library. #42;#42;Note: It may be necessary to create the appropriate keys or values if such do not exist. A more thorough description can be found in Microsoft KB240797, titled "How to stop an ActiveX control from running in Internet Explorer". To restrict the FSO from being instantiated by applications such as Internet Explorer, set the kill bit for the File System Object's CLSID. To kill bit the FSO, edit the following registry location#42;#42;: Hive: HKEY_LOCAL_MACHINE Path: SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility Key: {0D43FE01-F093-11CF-8940-00A0C9054228} Value: Compatibility Flags Type: DWORD Data: 00000400 (hexadecimal) #42;Note: This audit will continue to report a finding so long as the FSO is registered, since other applications could potentially use the FSO.

To not allow the system to overwrite log files, please follow these steps: Go to Administrative Tools, and then select Event Viewer. From Event Viewer, right click on System Log and select Properties. Within the System Log Properties box, select Do Not Overwrite Events.

To not allow the system to overwrite log files, please follow these steps: Go to Administrative Tools, and then select Event Viewer. From Event Viewer, right click on Security Log and select Properties. Within the System Log Properties box, select Do Not Overwrite Events.

To not allow the system to overwrite log files, please follow these steps: Go to Administrative Tools, and then select Event Viewer. From Event Viewer, right click on Application Log and select Properties. Within the System Log Properties box, select Do Not Overwrite Events.

Review EXECUTE permissions for sp_unprepare and restrict them to trusted accounts that require use of the procedure. Permissions can typically be restricted by implementing a database view or through use of commands such as DENY or REVOKE.

Rename the current "Administrator" account, and create a new standard user account called "Administrator". This will be the decoy administrator account. Finally, disable the decoy "Administrator" account.

To disable drive media autoplay for the local machine, which will apply to all users, edit the following registry key: Hive: HKEY_LOCAL_MACHINE Path: SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer Value: NoDriveTypeAutoRun Type: DWORD Data: 255 (Hex: FF)

Set the PASSWORDREQ flag for the affected account by opening the Command Prompt and typing net user <username> /PASSWORDREQ:YES

It is recommended that account lockout reset time be set to 60 minutes. To set the account lockout counter: For Windows NT 4.0: 1. Open User Manager. 2. Select Account from the Policies menu. 3. Click Account Lockout. 4. Click Reset counter after, Enter the amount of minutes (Recommended 60 or more). For Windows 2000, XP, 2003, Vista, 2008, 2008 R2, 7: 1. Click Start, select Run. 2. Enter secpol.msc and click OK. (Note: This requires elevated privileges) 3. In the Local Security Settings window, expand Account Policies and select Account Lockout Policy. 4. In the right pane, double-click on "Reset account lockout counter after". 5. Enter the amount of minutes to reset the lockout counter (Recommended 60 or more). For Samba: Samba implementations vary depending on operating system. However, a generalized guide on configuring Samba can be found at: http://dp.samba.org/samba/docs/man/Samba-HOWTO-Collection/

It is recommended that the account lockout threshold be set to 3 attempts. Setting the account lockout threshhold to 5 attempts or less is required for Federal Desktop Core Configuration (FDCC) compliance. Setting the account lockout threshhold to 6 attempts or less is required for HiTrust compliance. To set the account lockout threshold: For Windows NT 4.0: 1. Open User Manager. 2. Select Account from the Policies menu. 3. Click Account Lockout. 4. Click Lockout after, Enter the number of bad logon attempts (Recommended 3 or less). For Windows 2000, XP, 2003, Vista, 2008, 2008 R2, 7: 1. Click Start, select Run. 2. Enter secpol.msc and click OK. (Note: This requires elevated privileges) 3. In the Local Security Settings window, expand Account Policies and select Account Lockout Policy. 4. In the right pane, double-click on "Account lockout threshold". 5. Enter the amount of invalid logon attempts (Recommended 5 or less). For Samba: Samba implementations vary depending on operating system. However, a generalized guide on configuring Samba can be found at: http://dp.samba.org/samba/docs/man/Samba-HOWTO-Collection/

For Windows: Set the Password History to 24 or appropriate value: Open the Group Policy Editor. Within Computer Configuration policy, navigate to Windows Settings > Security Settings > Account Policies > Password Policy. Double-click on the setting named "Enforce password history" to edit the Properties. Enter the amount of passwords to be remembered (Recommended 24 or greater). For Samba: Samba implementations vary depending on operating system. However, a generalized guide on configuring Samba can be found at: http://dp.samba.org/samba/docs/man/Samba-HOWTO-Collection/</div>

To ensure that a screen saver is active, set a screen saver using Display or Personalize Control Panel applet for the user, and/or create or modify the following registry settings: Hive: HKEY_USERS Key: ".DEFAULT" or SID\Control Panel\Desktop Value: ScreenSaveActive Type: REG_SZ Data: 1 Value: SCRNSAVE.EXE Type: REG_SZ Data: Path\to\screensaver.scr (e.g. C:\Windows\system32\Mystify.scr) Note: This setting may be overridden if the "No screen saver" Group Policy setting is enabled.

It is recommended that account passwords are a minimum of 14 characters, or 12 characters for Federal Desktop Core Configuration (FDCC) compliance. To set the minimum password length: For Windows NT 4.0: 1. Open User Manager. 2. Select Account from the Policies menu. 3. Click At Least. 4. Enter the minimum password length (Recommended 14 or more). For Windows 2000, XP, 2003, Vista, 2008, 2008 R2, 7: 1. Click Start, select Run. 2. Enter secpol.msc and click OK. (Note: This requires elevated privileges) 3. In the Local Security Settings window, expand Account Policies and select Password Policy. 4. In the right pane, double-click on "Minimum password length". 5. Enter the minimum length allowed for a password (Recommended 14 or more). For Samba: Samba implementations vary depending on operating system. However, a generalized guide on configuring Samba can be found at: http://dp.samba.org/samba/docs/man/Samba-HOWTO-Collection/

Set the minimum password age to be 1 day or more: For Windows NT 4.0: 1. Open User Manager. 2. Select Account from the Policies menu. 3. Click Expires In. 4. Enter the minimum days (Recommended 1 or more). For Windows 2000, XP, 2003, Vista, 2008, 2008 R2, 7: 1. Click Start, select Run. 2. Enter secpol.msc and click OK. (Note: This requires elevated privileges) 3. In the Local Security Settings window, expand Account Policies and select Password Policy. 4. In the right pane, double-click on "Minimum password age". 5. Enter the minimum days allowed until a password can be changed (Recommended 1 or more). For Samba: Samba implementations vary depending on operating system. However, a generalized guide on configuring Samba can be found at: http://dp.samba.org/samba/docs/man/Samba-HOWTO-Collection/

Disable Task Scheduler Service by setting the following registry key: Hive: HKEY_LOCAL_MACHINE Path: SYSTEM\CurrentControlSet\Services\Schedule Key: Start Value: 4

To enforce MSCHAP V2 set the following key: Hive: HKEY_LOCAL_MACHINE Path: System\CurrentControlSet\Services\RasMan\PPP Key: SecureVPN Type: REG_DWORD Value: 1

To force encrypted transfers set the following Registry key settings: Hive: HKEY_LOCAL_MACHINE Path: System\CurrentControlSet\Services\RASMAN\PPP Key: ForceEncryptedData Type: REG_DWORD Value: 1

To require client-side SMB Signing, edit the following registry settings: Hive: HKEY_LOCAL_MACHINE Key: System\CurrentControlSet\Services\LanManWorkstation\Parameters Value: RequireSecuritySignature Type: REG_DWORD Data: 1

To ensure that a screen saver is active, set a screen saver using Display or Personalize Control Panel applet for the user, and/or create or modify the following registry settings: Hive: HKEY_USERS Key: ".DEFAULT" or SID\Control Panel\Desktop Value: ScreenSaveActive Type: REG_SZ Data: 1 Value: SCRNSAVE.EXE Type: REG_SZ Data: Path\to\screensaver.scr (e.g. C:\Windows\system32\Mystify.scr) Note: This setting may be overridden if the "No screen saver" Group Policy setting is enabled.

To delete the account For Windows: 1. Open User Manager 2. Select the account to delete 3. Press the "Delete" key 4. Click "Ok" To disable the account (non-built-in accounts only): 1. Open User Manager 2. Select the account to disable 3. Select Properties from the User menu 4. Check "Account Disabled" 5. Click "Ok" For Samba: Samba implementations vary depending on operating system. However, a generalized guide on configuring Samba can be found at:http://dp.samba.org/samba/docs/man/Samba-HOWTO-Collection/

If desired, install KB2661254 to assess the impact of requiring that certificates with RSA keys use 1024 bit key length or greater. Note: Microsoft has announced their intention to release the update via Microsoft Update on October, 2012.

To disable DCOM: 1. Click Start 2. Click Run 3. Type in dcomcnfg 4. Hit Enter 5. (For Windows XP and 2003 only) Click on Component Services, then the Computers folder, and then right-click and choose Properties on the target machine 6. Click the Default Properties tab 7. Uncheck Enable Distributed COM on this computer 8. Click OK

To disable POSIX/SFU/SUA, delete the registry data that allows the POSIX/SFU/SUA subsystem to start. Hive: HKEY_LOCAL_MACHINE Path: SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems Key: Optional Value: Posix (Delete this value)

To disable 8.3 file names set the following registry key settings: Hive: HKEY_LOCAL_MACHINE Path: System\CurrentControlSet\Control\FileSystem Key: NtfsDisable8dot3NameCreation Type: REG_DWORD Value: 1
Rename the current "Administrator" account, and create a new standard user account called "Administrator". This will be the decoy administrator account. Finally, disable the decoy "Administrator" account.

Filter or block ICMP Timestamp (Type 13) requests on the target using a host-based firewall or endpoint protection software. Note: The procedure for filtering or blocking specific protocols may vary between software and operating systems, therefore it may be necessary to consult vendor-specific resources.

This is a security-related warning. To enable Structured Exception Handling Overwrite Protection (SEHOP), edit the following registry settings: Hive: HKEY_LOCAL_MACHINE Path: SYSTEM\CurrentControlSet\Control\Session Manager\kernel Value: DisableExceptionChainValidation Type: DWORD Data: 0 Note: This setting may cause certain applications to improperly function. A data value of 1 disables the setting and 0 enables the setting. By default, this setting is enabled on Windows Server 2008 and disabled on Windows Vista and Windows 7.

Create a backup administrator account and ensure that account information is stored in a secure location. Note: This audit may report a finding if one of the Administrator accounts being assessed is a Domain Administrator Account.

To ensure that a screen saver is active, set a screen saver using Display or Personalize Control Panel applet for the user, and/or create or modify the following registry settings: Hive: HKEY_USERS Key: ".DEFAULT" or SID\Control Panel\Desktop Value: ScreenSaveActive Type: REG_SZ Data: 1 Value: SCRNSAVE.EXE Type: REG_SZ Data: Path\to\screensaver.scr (e.g. C:\Windows\system32\Mystify.scr) Note: This setting may be overridden if the "No screen saver" Group Policy setting is enabled.

This is a security-related warning. The File System Object (FSO) should be disabled and restricted if not needed for administrative tasks or core applications#42;. To unregister the File System Object, perform one of the following: Delete the FSO registry keys "HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}" including the subkeys, and "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}" including the subkeys. or Unregister the FSO using the Microsoft "regsvr32" utility. Obtain the FSO file path using the registry editor to view to "HKEY_CLASSES_ROOT\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32\(Default)". From a command prompt or Run menu, type and execute regsvr32 /u FILEPATH to unregister the FSO, where FILEPATH is the data obtained from the (Default) registry value. The "unregister" will be indicated by a message stating the DllUnregisterServer succeeded. #42;Note: Unregistering the FSO on a machine may disable functionality in applications using the Microsoft Scripting Library. #42;#42;Note: It may be necessary to create the appropriate keys or values if such do not exist. A more thorough description can be found in Microsoft KB240797, titled "How to stop an ActiveX control from running in Internet Explorer". To restrict the FSO from being instantiated by applications such as Internet Explorer, set the kill bit for the File System Object's CLSID. To kill bit the FSO, edit the following registry location#42;#42;: Hive: HKEY_LOCAL_MACHINE Path: SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility Key: {0D43FE01-F093-11CF-8940-00A0C9054228} Value: Compatibility Flags Type: DWORD Data: 00000400 (hexadecimal) #42;Note: This audit will continue to report a finding so long as the FSO is registered, since other applications could potentially use the FSO.