Beruflich Dokumente
Kultur Dokumente
3.1.1.2 Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'
The recommended state for this setting is 60 or fewer days, but not 0.
Computer Configuration\Policies\Windows Settings\Security Settings\Account
Policies\Password Policy\Maximum password age
Default Value:
42 days.
3.1.2.2 Ensure 'Account lockout threshold' is set to '1 0 or fewer invalid logon
attempt(s),but not 0'
The recommended state for this setting is: 10 or fewer invalid logon attempt(s),
but not 0.
Computer Configuration\Policies\Windows Settings\Security Settings\Account
Policies\Account Lockout Policy\Account lockout threshold
Default Value:
0 failed logon attempts.
3.2.2.8.6 Ensure 'Network access: Named Pipes that can be accessed anonymously' is
set to 'None'
Description:
This policy setting determines which communication sessions, or pipes, will have
attributes and
permissions that allow anonymous access.
The recommended state for this setting is: <blank> (i.e. None).
Audit:
Navigate to the Ul Path articulated in the Remediation section and confirm it is
set as
prescribed. This group policy setting is backed by the following registry location:
HKEY _LOCAL_MACHI N E\SYSTEM\CurrentControiSet\Services\LanManServer\Parameters:
NuIISessionPipes
Remediation:
To establish the recommended configuration via GP, set the following Ul path to
<blank> (i.e.
None):
Computer Configuration\Policies\Windows Settings\Security Settings\Local
Policies\Security Options\Network access: Named Pipes that can be accessed
anonymously
Default Value:
None.
3.2.2.8.9 Ensure 'Network access: Restrict anonymous access to Named Pipes and
Shares' is set to 'Enabled'
Description:
When enabled, this policy setting restricts anonymous access to only those shares
and pipes
that are named in the Network access: Named pipes that can be accessed anonymously
and
Network access: Shares that can be accessed anonymously settings. This policy
setting
controls null session access to shares on your computers by adding
RestrictNuiiSessAccess
with the value 1 in the
HKEY\LOCAL \MACH I NE\System\CurrentControiSet\Services\LanManServer\Parameters
registry key. This registry value toggles null session shares on or off to control
whether the
server service restricts unauthenticated clients' access to named resources.
The recommended state for this setting is: Enabled.
Audit:
Navigate to the Ul Path articulated in the Remediation section and confirm it is
set as
prescribed. This group policy setting is backed by the following registry location:
HKEY _LOCAL_MACHI N E\SYSTEM\CurrentControiSet\Services\LanManServer\Parameters: Re
strictN uiiSessAccess
Remediation:
To establish the recommended configuration via GP, set the following Ul path to
Enabled:
Computer Configuration\Policies\Windows Settings\Security Settings\Local
Policies\Security
Options\Network access: Restrict anonymous access to Named Pipes and Shares
Default Value:
Enabled. (Anonymous access is restricted to shares and pipes listed in the Network
access:
Named pipes that can be accessed
3.2.2.12.7 Ensure 'User Account Control: Run all administrators in Admin Approval
Mode'is set to 'Enabled'
HKEY _LOCAL_MACHI N E\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
EnableLUA
Default Value:
Enabled. (Admin Approval Mode is enabled. This policy must be enabled and related
UAC
policy settings must also be set appropriately to allow the built-in Administrator
account and all other users who are members of the Administrators group to run in
Admin Approval Mode.)
3.3.8 Ensure 'liS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'
Description:
Enables the server to administer the liS metabase. The liS metabase stores
configuration for
the SMTP and FTP services.
The recommended state for this setting is: Disabled or Not Installed.
Note: This service is not installed by default. It is supplied with Windows, but is
installed by
enabling an optional Windows feature (Internet Information Services).
Note #2: An organization may choose to selectively grant exceptions to web
developers to allow
liS (or another web server) on their workstation, in order for them to locally test
& develop web
pages. However, the organization should track those machines and ensure the
security controls
and mitigations are kept up to date, to reduce risk of compromise.
Audit:
Navigate to the Ul Path articulated in the Remediation section and confirm it is
set as
prescribed. This group policy setting is backed by the following registry location:
I HKEY LOCAL MACHIN E\SYSTEM\CurrentControiSet\Services\IISADM IN :Start
Remediation:
To establish the recommended configuration via GP, set the following Ul path to:
Disabled or
ensure the service is not installed.
Computer Configuration\Policies\Windows Settings\Security Settings\System
Services\IIS
Admin Service
Default Value:
Not Installed (Automatic when installed)
Default Value:
Not Installed (Manual when installed)
3.3.39 Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or
'Not
Installed'
Description:
Provides Web connectivity and administration through the Internet Information
Services
Manager.
The recommended state for this setting is: Disabled or Not Installed.
Note: This service is not installed by default. It is supplied with Windows, but is
installed by
enabling an optional Windows feature (Internet Information Services- World Wide Web
Services).
Note #2: An organization may choose to selectively grant exceptions to web
developers to allow
liS (or another web server) on their workstation, in order for them to locally test
& develop web
pages. However, the organization should track those machines and ensure the
security controls
and mitigations are kept up to date, to reduce risk of compromise.
Audit:
Navigate to the Ul Path articulated in the Remediation section and confirm it is
set as
prescribed. This group policy setting is backed by the following registry location:
I HKEY LOCAL MACHINE\SYSTEM\CurrentControiSet\Services\W3SVC:Start
Remediation:
To establish the recommended configuration via GP, set the following Ul path to:
Disabled or
ensure the service is not installed.
Computer Configuration\Policies\Windows Settings\Security Settings\System
Services\World
Wide Web Publishing Service
Default Value:
Not Installed (Automatic when installed)
3.6.7.9.3.17 (BL) Ensure 'Deny write access to removable drives not protected by
Bitlocker' is set to 'Enabled' (Recommended)
Description:
This policy setting configures whether Bitlocker protection is required for a
computer to be able
to write data to a removable data drive.
All removable data drives that are not Bitlocker-protected will be mounted as read-
only. If the
drive is protected by Bitlocker, it will be mounted with read and write access.
The recommended state for this setting is: Enabled.
Audit:
Navigate to the Ul Path articulated in the Remediation section and confirm it is
set as
prescribed. This group policy setting is backed by the following registry location:
HKEY _LOCAL_MACHINE\SYSTEM\CurrentControiSet\Policies\Microsoft\FVE\RDVDenyWriteA
ccess
Remediation:
To establish the recommended configuration via GP, set the following Ul path to
Enabled:
Computer Configuration\Policies\Administrative Templates\Windows
Components\Bitlocker
Drive Encryption\Removable Data Drives\Deny write access to removable drives not
protected
by Bitlocker
Impact:
All removable data drives that are not Bitlocker-protected will be mounted as read-
only. If the
drive is protected by Bitlocker, it will be mounted with read and write access.
Page 734 of 893
Confidential and Proprietary to Beckman Coulter
Effective Date: 05 Jun 2018, InfoCard Number GLB-QS-REF-0094, Revision 1
Vault: QMS-rel, Printed on: 08 Jul 2020, 02:55:18 pm - Printed by: USERMAN
Document: Document#: Revision: 1.0 . BECKMAN Windows 10 Hardening GLB-QS-REF-0094
COULIER
Default Value:
Disabled. (All removable data drives on the computer will be mounted with read and
write
access.)
PAGE 691