Maxi-Pedia Forum

Information Technologies and Systems (IT/IS) => Security => Topic started by: animal on September 08, 2011, 02:36:19 pm


Title: Local Security Policy Recommended Changes?
Post by: animal on September 08, 2011, 02:36:19 pm
Hi there!

What would you recommend changing (for security reasons) from the original default settings in secpol.msc.

I'm connecting directly to a modem with a single PC that's not used for file sharing or remote use etc.


Thanks for any help.

Regards,
animal

Title: Re: Local Security Policy Recommended Changes?
Post by: atari on September 09, 2011, 10:33:12 am
Hello,

I would recommend the following policies:

Code:
[b]Interactive logon: Do not require CTRL+ALT+DEL (disabled)[/b]
Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableCAD = 0

[b]Always use classic logon (enabled)[/b]
Local Computer Policy\Computer Configuration\Administrative Templates\System\Logon
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
LogonType = 0

[b]Interactive logon: Do not display last user name (enabled)[/b]
Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
DontDisplayLastUserName = 1

[b]Hide entry points for Fast User Switching (enabled)[/b]
Local Computer Policy\Computer Configuration\Administrative Templates\System\Logon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
HideFastUserSwitching = 1

[b]Store passwords using reversible encryption (disabled)[/b]
Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

[b]Screen Saver (enabled)[/b]
User Configuration\Administrative Templates\Control Panel\Display
HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaveActive = 1

[b]Screen Saver timeout (enabled, 900 sec.)[/b]
User Configuration\Administrative Templates\Control Panel\Display
HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaveTimeOut = 900

[b]Password protect the screen saver (enabled)[/b]
User Configuration\Administrative Templates\Control Panel\Display
HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaverIsSecure = 1

[b]Configure Automatic Updates (enabled; 4 – Auto download and schedule)[/b]
Local Computer Policy\Computer Configuration\Adinistrative Templates\Windows Components\Windows Update
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate= 0
AUOptions = 4

[b]Automatic Updates detection frequency (enabled; 16 hours)[/b]
Local Computer Policy\Computer Configuration\Adinistrative Templates\Windows Components\Windows Update
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
DetectionFrequency = 16
DetectionFrequencyEnabled = 1

[b]Allow Automatic Updates immediate installation (enabled)[/b]
Local Computer Policy\Computer Configuration\Adinistrative Templates\Windows Components\Windows Update
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
AutoInstallMinorUpdates = 1

[b]Shutdown: Clear virtual memory pagefile (disabled)[/b]
Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
ClearPageFileAtShutdown = 1

[b]User Account Control: Run all administrators in Admin Approval Mode (enabled)[/b]
Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

[b]User Account Control: Detect application installations and prompt for elevation (enabled)[/b]
Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

[b]User Account Control: Switch to the secure desktop when prompting for elevation (enabled)[/b]
Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

[b]User Account Control: Behavior of the elevation prompt for administrators in Admin Aproval Mode (Prompt for consent)[/b]
Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

[b]User Account Control: Behavior of the elevation prompt for standard users (Automatically deny elevation requests)[/b]
Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Cheers.

Title: Re: Local Security Policy Recommended Changes?
Post by: animal on September 09, 2011, 11:43:27 am
that's excellent.

thank you for taking the time to reply.

Title: Re: Local Security Policy Recommended Changes?
Post by: atari on September 12, 2011, 04:15:28 pm
You are welcome.