ad-assurance - [AD-Assurance] USGCB Settings for Windows

Subject: Meeting the InCommon Assurance profile criteria using Active Directory

  • From: "Capehart,Jeffrey D" <>
  • Subject: [AD-Assurance] USGCB Settings for Windows
  • Date: Wed, 22 May 2013 18:27:41 +0000

My observations below refer to “The United States Government Configuration Baseline (USGCB) - Microsoft Content”:

http://usgcb.nist.gov/usgcb/microsoft_content.html


NIST and Microsoft developed a master spreadsheet for domain/group policies (GPOs) and registry settings and other options in Windows.  Each entry lists the recommended setting, rationale, and impact for Windows 7, Vista, and XP.  These are used by the government agencies to help them comply with NIST and FISMA using a configuration baseline (base).  Some of these registry settings may look familiar (from the AD cookbook).


Interesting to note is that these baseline configuration settings suggest that you enable RC4_HMAC_MD5 as well as the “Future Encryption Types”.


For a report on FY13 metrics for FISMA compliance, including Identity & Access Management and a definition of “Adequate Security”, this publication is intended for Inspectors General, auditors, and other reviewers.

http://www.dhs.gov/sites/default/files/publications/FY13%20IG%20metrics.pdf.pdf


I have included a few of the USGCB baseline configurations for Windows below.

-Jeff


USGCB Windows Settings - 2012.05.15

Network Security: Configure encryption types allowed for Kerberos
(Windows 7) Enabled: RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future Encryption Types

Network security: Do not store LAN Manager hash value on next password change (Enabled)

Network security: LAN Manager authentication level (Send NTLMv2 Response only. Refuse LM and NTLM)

Network security: LDAP client signing requirements (Negotiate Signing)

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients (Require NTLMv2 session security, Require 128 bit encryption)

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing (Enabled)

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Domain member: Digitally encrypt or sign secure channel data (always) (Enabled)
Domain member: Digitally encrypt secure channel data (when possible) (Enabled)
Domain member: Digitally sign secure channel data (when possible) (Enabled)


Jeff Capehart, CISA
IT Audit Manager
University of Florida - Office of Internal Audit
(352) 273-1882

http://oia.ufl.edu
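The following PowerShell script is an added example, not part of the message above and not taken from the USGCB spreadsheet: it audits a Windows host against the settings Jeff quoted by reading the registry values that the corresponding Group Policy settings write. The registry paths and value names are the ones Microsoft documents for these policies; the expected values encode the USGCB choices listed in the message (for the Kerberos setting, RC4_HMAC_MD5 0x4 + AES128 0x8 + AES256 0x10 + "Future encryption types" 0x7FFFFFE0 = 0x7FFFFFFC). The mask decoder at the end makes the point about RC4 visible: the baseline value still leaves RC4_HMAC_MD5 enabled alongside AES. The check names and function names are this example's own.

```powershell
# Added example (not from the USGCB spreadsheet or from this message).
# Audit local registry values that back the quoted USGCB/GPO settings.
# Run from an elevated PowerShell prompt on the host being checked.

# Kerberos SupportedEncryptionTypes bit flags, as the Kerberos GPO writes them
$KerbEtypes = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_HMAC_SHA1'        = 0x8
    'AES256_HMAC_SHA1'        = 0x10
    'Future Encryption Types' = 0x7FFFFFE0
}

# USGCB Windows 7 entry: RC4 + AES128 + AES256 + Future types
$ExpectedKerb = 0x4 + 0x8 + 0x10 + 0x7FFFFFE0   # 0x7FFFFFFC

$Lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# One entry per setting quoted in the message (check names are this example's own)
$Checks = @(
    @{ Name = 'Kerberos: encryption types allowed'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
       Value = 'SupportedEncryptionTypes'; Expected = $ExpectedKerb },
    @{ Name = 'Do not store LAN Manager hash';                Path = $Lsa; Value = 'NoLMHash';             Expected = 1 },
    @{ Name = 'LM auth level: NTLMv2 only, refuse LM/NTLM';   Path = $Lsa; Value = 'LmCompatibilityLevel'; Expected = 5 },
    @{ Name = 'LDAP client signing: Negotiate'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'; Value = 'LDAPClientIntegrity';  Expected = 1 },
    @{ Name = 'NTLM SSP client min security: NTLMv2 + 128-bit'
       Path = "$Lsa\MSV1_0";                                  Value = 'NTLMMinClientSec';     Expected = 0x20080000 },
    @{ Name = 'FIPS compliant algorithms'
       Path = "$Lsa\FipsAlgorithmPolicy";                     Value = 'Enabled';              Expected = 1 },
    @{ Name = 'Secure channel: encrypt or sign (always)';     Path = $Netlogon; Value = 'RequireSignOrSeal'; Expected = 1 },
    @{ Name = 'Secure channel: encrypt (when possible)';      Path = $Netlogon; Value = 'SealSecureChannel'; Expected = 1 },
    @{ Name = 'Secure channel: sign (when possible)';         Path = $Netlogon; Value = 'SignSecureChannel'; Expected = 1 }
)

function Get-RegDword([string]$Path, [string]$Name) {
    # Absent key or value means the policy is not configured and the OS default applies
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-UsgcbSettings {
    foreach ($c in $Checks) {
        $actual = Get-RegDword $c.Path $c.Value
        $actualText = if ($null -eq $actual) { '(not set)' } else { '0x{0:X}' -f [int64]$actual }
        [pscustomobject]@{
            Setting  = $c.Name
            Expected = '0x{0:X}' -f [int64]$c.Expected
            Actual   = $actualText
            Pass     = ($null -ne $actual) -and ([int64]$actual -eq [int64]$c.Expected)
        }
    }
}

function Expand-KerbEtypes([int64]$Mask) {
    # Decode a SupportedEncryptionTypes mask into the encryption type names it enables
    $KerbEtypes.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

Test-UsgcbSettings | Format-Table -AutoSize

# Shows that the USGCB value enables RC4_HMAC_MD5 as well as AES128/AES256/Future types
'Kerberos mask 0x{0:X} enables: {1}' -f $ExpectedKerb, ((Expand-KerbEtypes $ExpectedKerb) -join ', ')
```

Two caveats when reading the output. The Kerberos value lives under the Policies hive and only exists once the GPO (or local security policy) has been configured, so "(not set)" there means the operating system default applies rather than a failure of the other checks. And the script reports what the registry holds, not what a domain controller will actually negotiate: whether RC4 is used on the wire also depends on the account's msDS-SupportedEncryptionTypes and the DC's own policy, so treat a passing result as a baseline check, not as proof that RC4 is off.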
