Thursday, January 15, 2009

8 minimum Windows Security Best Practices

In your "Domain security policy", under "Local Policies", "Security Options":

Network Security: (enable these)
1) LAN Manager authentication level: "Send NTLMv2 response only, Refuse LM"
2) LDAP client signing requirements: "Negotiate Signing"
3) Do not allow anonymous enumeration of SAM accounts (and shares)
4) Do not store LAN Manager hash value on next password change

Microsoft Network client
5) Digitally sign communications (always + if server agrees) = Enabled
6) Send

Microsoft Network server
7) Digitally sign communications (always + if server agrees) = Enabled

Domain Member:
8) Digitally encrypt and sign whenever possible.
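
To confirm the policy actually took effect on a machine, the sketch below reads the registry values that back items 1-5, 7 and 8 and reports any that fall short. It is an added example, not part of the original post; the value names are the standard registry entries for these Security Options, and item 6 is skipped because its text is cut off on the page.

```powershell
# Added example: audit the registry values behind the checklist above.
# Run locally in an elevated PowerShell 3.0+ session. Read-only.
$lsa     = 'SYSTEM\CurrentControlSet\Control\Lsa'
$ldap    = 'SYSTEM\CurrentControlSet\Services\LDAP'
$client  = 'SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$server  = 'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$netlog  = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Item = checklist number; Min = lowest value that satisfies the item.
$checks = @(
    @{ Item = 1; Key = $lsa;    Name = 'LmCompatibilityLevel';     Min = 4 }  # NTLMv2 only, refuse LM
    @{ Item = 2; Key = $ldap;   Name = 'LDAPClientIntegrity';      Min = 1 }  # negotiate signing
    @{ Item = 3; Key = $lsa;    Name = 'RestrictAnonymousSAM';     Min = 1 }  # SAM accounts
    @{ Item = 3; Key = $lsa;    Name = 'RestrictAnonymous';        Min = 1 }  # ...and shares
    @{ Item = 4; Key = $lsa;    Name = 'NoLMHash';                 Min = 1 }
    @{ Item = 5; Key = $client; Name = 'RequireSecuritySignature'; Min = 1 }  # always
    @{ Item = 5; Key = $client; Name = 'EnableSecuritySignature';  Min = 1 }  # if peer agrees
    @{ Item = 7; Key = $server; Name = 'RequireSecuritySignature'; Min = 1 }
    @{ Item = 7; Key = $server; Name = 'EnableSecuritySignature';  Min = 1 }
    @{ Item = 8; Key = $netlog; Name = 'SealSecureChannel';        Min = 1 }  # encrypt when possible
    @{ Item = 8; Key = $netlog; Name = 'SignSecureChannel';        Min = 1 }  # sign when possible
)

$results = foreach ($c in $checks) {
    $prop  = Get-ItemProperty -Path "HKLM:\$($c.Key)" -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($prop) { $prop.($c.Name) } else { $null }
    [pscustomobject]@{
        Item    = $c.Item
        Setting = "$($c.Key)\$($c.Name)"
        Current = if ($null -eq $value) { '(not set)' } else { $value }
        Minimum = $c.Min
        # A missing value means the OS default applies; it is flagged so it
        # gets reviewed rather than assumed compliant.
        Pass    = ($null -ne $value) -and ($value -ge $c.Min)
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or CI job detect drift.
if ($results.Pass -contains $false) { exit 1 }
```

A value reported as "(not set)" is not necessarily insecure, since newer Windows versions default several of these to the hardened setting, but it does mean the policy is not being enforced explicitly.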
