Null Session Registry Settings

Anonymous access to the Registry is not restricted.

Important: Make sure to test the following configuration changes carefully before deployment to production systems, especially on domain controllers and in other environments where anonymous access may be in legitimate use.

Open the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry key, then perform the following steps appropriate to the system's version of Windows.

On Windows NT 4.0:

    Create or modify the RestrictAnonymous registry value (type REG_DWORD) to contain a value of 1.
    A reboot will be required in order for this change to take effect.

Note: This vulnerability cannot be fully mitigated on Windows NT 4.0, as only user and share enumeration will be prevented with this setting. Further null session restriction is possible starting with Windows 2000.

On Windows 2000:

    Create or modify the RestrictAnonymous registry value (type REG_DWORD) to contain a value of 2.
    This setting will take effect immediately, although existing null sessions will not be affected.
    A value of 2 will not allow a null session to be established.

On Windows XP and Windows Server 2003:

    Create or modify the RestrictAnonymous registry value (type REG_DWORD) to contain a value of 1.
    Create or modify the RestrictAnonymousSAM registry value (type REG_DWORD) to contain a value of 1.
    Create or modify the EveryoneIncludesAnonymous registry value (type REG_DWORD) to contain a value of 0.
    A reboot will be required in order for these changes to take effect.

-----------------------------------------------------------------

Microsoft Windows Terminal Services Disconnected Session Time Limit

Terminal Services is not configured to set a time limit for disconnected sessions.

Change the policy option for "Set time limit for disconnected sessions" to 1 minute or less. To change the value of this entry, use the Group Policy Object Editor.
The corresponding policy is located in Administrative Templates\Windows Components\Terminal Services\Sessions.

Alternatively, modify the following registry key to contain a value from 1 to 60000 (in milliseconds):

    HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    "MaxDisconnectionTime"

____________________________________________________________________________

Microsoft Windows Unauthorized Registry Paths Are Not Restricted - XP

Unauthorized registry paths are remotely accessible.

For Windows XP: Ensure that HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine contains the entries in the following list:

    System\CurrentControlSet\Control\ProductOptions
    System\CurrentControlSet\Control\Print\Printers
    System\CurrentControlSet\Control\Server Applications
    System\CurrentControlSet\Services\Eventlog
    Software\Microsoft\OLAP Server
    Software\Microsoft\Windows NT\CurrentVersion
    System\CurrentControlSet\Control\ContentIndex
    System\CurrentControlSet\Control\Terminal Server
    System\CurrentControlSet\Control\Terminal Server\UserConfig
    System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration

__________________________________________________________________________

Microsoft Windows Event Log Security

The event log files are not properly secured using NTFS ACLs. The event log files being audited are AppEvent.Evt, SecEvent.Evt, and SysEvent.Evt located in the %SystemRoot%\System32\Config directory.

Note: This audit can be customized with the name or SID of the 'Auditors Group'.
Set the permissions for AppEvent.Evt, SecEvent.Evt, and SysEvent.Evt located in the %SystemRoot%\System32\Config directory to be:

    Administrators: Read and Execute
    SYSTEM: Full Permission
    "Auditors Group": Full Permission

_____________________________________________________________

Microsoft Windows Terminal Services Session Timeout Termination

Terminal Services is not configured to disconnect clients when time limits are exceeded.

To ensure that timed-out sessions are terminated, edit the following registry value:

    HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\fResetBroken
    Set DWORD to 1

_____________________________________________________________________________________________

Microsoft Windows SMB Client Digitally Sign Communications (always)

The client-side SMB component does not require packet signing.

To require client-side SMB Signing, edit the following registry settings:

    Hive:  HKEY_LOCAL_MACHINE
    Key:   System\CurrentControlSet\Services\LanManWorkstation\Parameters
    Value: RequireSecuritySignature
    Type:  REG_DWORD
    Data:  1

_________________________________________________________________________________________________
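
Added example (not part of the original remediation text): a read-only PowerShell audit of the DWORD registry settings listed above, using the Windows XP / Windows Server 2003 values for the Lsa key. The helper name Test-RegistryDword and the OK / FAIL / MISSING labels are assumptions made for this example.

```powershell
# Added example, not from the original page. Read-only: it changes nothing.
# Expected data follows the page's Windows XP / Server 2003 guidance;
# adjust the Lsa entries for Windows NT 4.0 or Windows 2000.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ts  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$smb = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters'

$checks = @(
    @{ Path = $lsa; Name = 'RestrictAnonymous';         Min = 1; Max = 1 },
    @{ Path = $lsa; Name = 'RestrictAnonymousSAM';      Min = 1; Max = 1 },
    @{ Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Min = 0; Max = 0 },
    @{ Path = $ts;  Name = 'MaxDisconnectionTime';      Min = 1; Max = 60000 },
    @{ Path = $ts;  Name = 'fResetBroken';              Min = 1; Max = 1 },
    @{ Path = $smb; Name = 'RequireSecuritySignature';  Min = 1; Max = 1 }
)

# Test-RegistryDword is a hypothetical helper name chosen for this example.
function Test-RegistryDword {
    param([string]$Path, [string]$Name, [long]$Min, [long]$Max)

    # A missing key or value yields $null instead of an error.
    $actual = $null
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $actual = $item.$Name }

    if ($null -eq $actual) {
        $status = 'MISSING'      # value not configured at all
    } elseif ($actual -ge $Min -and $actual -le $Max) {
        $status = 'OK'
    } else {
        $status = 'FAIL'         # configured, but outside the expected range
    }

    New-Object PSObject -Property @{
        Status = $status; Name = $Name; Actual = $actual; Path = $Path
        Expected = $(if ($Min -eq $Max) { "$Min" } else { "$Min..$Max" })
    }
}

$results = foreach ($c in $checks) { Test-RegistryDword @c }
$results | Select-Object Status, Name, Actual, Expected, Path | Format-Table -AutoSize

# A non-zero exit code lets a scheduled job flag configuration drift.
if ($results | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```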