ad-assurance - [AD-Assurance] USGCB Settings for Windows
Subject: Meeting the InCommon Assurance profile criteria using Active Directory
- From: "Capehart,Jeffrey D" <>
- To: "" <>
- Subject: [AD-Assurance] USGCB Settings for Windows
- Date: Wed, 22 May 2013 18:27:41 +0000
- Accept-language: en-US
- Authentication-results: sfpop-ironport01.merit.edu; dkim=neutral (message not signed) header.i=none
My observations below refer to “The United States Government Configuration Baseline (USGCB) - Microsoft Content”: http://usgcb.nist.gov/usgcb/microsoft_content.html

NIST and Microsoft developed a master spreadsheet for domain/group policies (GPOs) and registry settings and other options in Windows. Each entry lists the recommended setting, rationale, and impact for Windows 7, Vista, and XP. These are used by the government agencies to help them comply with NIST and FISMA using a configuration baseline (base). Some of these registry settings may look familiar (from the AD cookbook). Interesting to note is that these baseline configuration settings suggest that you enable RC4_HMAC_MD5 as well as the “Future Encryption Types”.

For a report on FY13 metrics for FISMA compliance, including Identity & Access Management and a definition of “Adequate Security”, this publication is intended for Inspectors General, auditors, and other reviewers: http://www.dhs.gov/sites/default/files/publications/FY13%20IG%20metrics.pdf.pdf

I have included a few of the USGCB baseline configurations for Windows below.

-Jeff

USGCB Windows Settings - 2012.05.15

Network Security: Configure encryption types allowed for Kerberos (Windows 7) (Enabled):
- RC4_HMAC_MD5
- AES128_HMAC_SHA1
- AES256_HMAC_SHA1
- Future Encryption Types

- Network security: Do not store LAN Manager hash value on next password change (Enabled)
- Network security: LAN Manager authentication level (Send NTLMv2 Response only. Refuse LM and NTLM)
- Network security: LDAP client signing requirements (Negotiate Signing)
- Network security: Minimum session security for NTLM SSP based (including secure RPC) clients (Require NTLMv2 session security, Require 128 bit encryption)
- System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing (Enabled)

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
- Domain member: Digitally encrypt or sign secure channel data (always) (Enabled)
- Domain member: Digitally encrypt secure channel data (when possible) (Enabled)
- Domain member: Digitally sign secure channel data (when possible) (Enabled)

Jeff Capehart, CISA |
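An added audit example, not part of Jeff's message or of the USGCB content: a PowerShell check that reads the registry values behind the settings listed above and flags hosts that drift from the quoted baseline. The registry paths, value names and numeric encodings used here are the standard Windows policy-backed locations for these settings and are my assumptions, not values taken from the message.

```powershell
# Added example (not from the original post): compare a Windows host's effective
# registry values against the USGCB settings quoted in the message.
# Paths/value names are the standard policy-backed locations (assumed);
# expected values encode the quoted baseline. Run in an elevated PowerShell.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$baseline = @(
    @{ Setting = 'Kerberos encryption types (RC4 + AES128 + AES256 + Future)'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
       Name = 'SupportedEncryptionTypes'; Expected = 0x7FFFFFFC }  # 0x4|0x8|0x10|0x7FFFFFE0
    @{ Setting = 'Do not store LAN Manager hash'
       Path = $lsa; Name = 'NoLMHash'; Expected = 1 }
    @{ Setting = 'LM authentication level (NTLMv2 only, refuse LM and NTLM)'
       Path = $lsa; Name = 'LmCompatibilityLevel'; Expected = 5 }
    @{ Setting = 'LDAP client signing (Negotiate signing)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
       Name = 'LDAPClientIntegrity'; Expected = 1 }
    @{ Setting = 'NTLM SSP minimum client security (NTLMv2 + 128-bit)'
       Path = "$lsa\MSV1_0"; Name = 'NTLMMinClientSec'; Expected = 0x20080000 }
    @{ Setting = 'Use FIPS compliant algorithms'
       Path = "$lsa\FipsAlgorithmPolicy"; Name = 'Enabled'; Expected = 1 }
    @{ Setting = 'Secure channel: encrypt or sign (always)'
       Path = $netlogon; Name = 'RequireSignOrSeal'; Expected = 1 }
    @{ Setting = 'Secure channel: encrypt (when possible)'
       Path = $netlogon; Name = 'SealSecureChannel'; Expected = 1 }
    @{ Setting = 'Secure channel: sign (when possible)'
       Path = $netlogon; Name = 'SignSecureChannel'; Expected = 1 }
)

function Test-UsgcbSetting {
    param([hashtable]$Item)
    # A missing value means the policy was never applied; report that distinctly
    # from a value that is present but different from the baseline.
    $prop = Get-ItemProperty -Path $Item.Path -Name $Item.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $prop) { $prop.($Item.Name) } else { $null }
    if ($null -eq $actual) { $status = 'NOT SET'; $actualText = '-' }
    elseif ([uint32]$actual -eq [uint32]$Item.Expected) { $status = 'OK'; $actualText = '0x{0:X}' -f $actual }
    else { $status = 'DRIFT'; $actualText = '0x{0:X}' -f $actual }
    [pscustomobject]@{
        Setting  = $Item.Setting
        Expected = '0x{0:X}' -f $Item.Expected
        Actual   = $actualText
        Status   = $status
    }
}

$baseline | ForEach-Object { Test-UsgcbSetting -Item $_ } | Format-Table -AutoSize
```

Any row marked DRIFT or NOT SET is a host where the GPO has not landed or has been overridden locally; the hex encoding for the Kerberos row is a bitmask, so a partial match (for example AES only, without the Future bit) shows as DRIFT rather than OK.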