mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-15 23:07:23 +00:00
Acrolinx Enhancement Effort
This commit is contained in:
Siddarth Mandalika
parent
a861796474
commit
b58faec4dd
@ -27,26 +27,26 @@ Describes the best practices, location, values, and security considerations for
|
||||
|
||||
## Reference
|
||||
|
||||
The **Account lockout threshold** policy setting determines the number of failed sign-in attempts that will cause a user account to be locked. A locked account cannot be used until you reset it or until the number of minutes specified by the [Account lockout duration](account-lockout-duration.md) policy setting expires. You can set a value from 1 through 999 failed sign-in attempts, or you can specify that the account will never be locked by setting the value to 0. If **Account lockout threshold** is set to a number greater than zero, **Account lockout duration** must be greater than or equal to the value of [Reset account lockout counter after](reset-account-lockout-counter-after.md).
|
||||
The **Account lockout threshold** policy setting determines the number of failed sign-in attempts that will cause a user account to be locked. A locked account can't be used until you reset it or until the number of minutes specified by the [Account lockout duration](account-lockout-duration.md) policy setting expires. You can set a value from 1 through 999 failed sign-in attempts, or you can specify that the account will never be locked by setting the value to 0. If **Account lockout threshold** is set to a number greater than zero, **Account lockout duration** must be greater than or equal to the value of [Reset account lockout counter after](reset-account-lockout-counter-after.md).
|
||||
|
||||
Brute force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. Limiting the number of failed sign-ins that can be performed nearly eliminates the effectiveness of such attacks.
|
||||
However, it is important to note that a denial-of-service (DoS) attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of **Account lockout threshold**, the attacker could potentially lock every account.
|
||||
However, it's important to note that a denial-of-service (DoS) attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of **Account lockout threshold**, the attacker could potentially lock every account.
|
||||
|
||||
Failed attempts to unlock a workstation can cause account lockout even if the [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md) security option is disabled. Windows doesn’t need to contact a domain controller for an unlock if you enter the same password that you logged on with, but if you enter a different password, Windows has to contact a domain controller in case you had changed your password from another machine.
|
||||
|
||||
### Possible values
|
||||
|
||||
It is possible to configure the following values for the **Account lockout threshold** policy setting:
|
||||
It's possible to configure the following values for the **Account lockout threshold** policy setting:
|
||||
- A user-defined number from 0 through 999
|
||||
- Not defined
|
||||
|
||||
Because vulnerabilities can exist when this value is configured and when it is not, organizations should weigh their identified threats and the risks that they are trying to mitigate. For information these settings, see [Countermeasure](#bkmk-countermeasure) in this article.
|
||||
Because vulnerabilities can exist when this value is configured and when it's not, organizations should weigh their identified threats and the risks that they're trying to mitigate. For information these settings, see [Countermeasure](#bkmk-countermeasure) in this article.
|
||||
|
||||
### Best practices
|
||||
|
||||
The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, [Windows security baselines](../windows-security-baselines.md) recommend a value of 10 could be an acceptable starting point for your organization.
|
||||
|
||||
As with other account lockout settings, this value is more of a guideline than a rule or best practice because there is no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
|
||||
As with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout).
|
||||
|
||||
Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#bkmk-impleconsiderations) in this article.
|
||||
|
||||
@ -73,7 +73,7 @@ This section describes features and tools that are available to help you manage
|
||||
|
||||
### Restart requirements
|
||||
|
||||
None. Changes to this policy setting become effective without a computer restart when they are saved locally or distributed through Group Policy.
|
||||
None. Changes to this policy setting become effective without a computer restart when they're saved locally or distributed through Group Policy.
|
||||
|
||||
### <a href="" id="bkmk-impleconsiderations"></a>Implementation considerations
|
||||
|
||||
@ -81,7 +81,7 @@ Implementation of this policy setting depends on your operational environment. C
|
||||
|
||||
- The likelihood of an account theft or a DoS attack is based on the security design for your systems and environment. Set the account lockout threshold in consideration of the known and perceived risk of those threats.
|
||||
|
||||
- When negotiating encryption types between clients, servers, and domain controllers, the Kerberos protocol can automatically retry account sign-in attempts that count toward the threshold limits that you set in this policy setting. In environments where different versions of the operating system are deployed, encryption type negotiation increases.
|
||||
- When there's a negotiation of encryption types between clients, servers, and domain controllers, the Kerberos protocol can automatically retry account sign-in attempts that count toward the threshold limits that you set in this policy setting. In environments where different versions of the operating system are deployed, encryption type negotiation increases.
|
||||
|
||||
- Not all apps that are used in your environment effectively manage how many times a user can attempt to sign in. For instance, if a connection drops repeatedly when a user is running the app, all subsequent failed sign-in attempts count toward the account lockout threshold.
|
||||
|
||||
@ -105,24 +105,24 @@ However, a DoS attack could be performed on a domain that has an account lockout
|
||||
|
||||
### <a href="" id="bkmk-countermeasure"></a>Countermeasure
|
||||
|
||||
Because vulnerabilities can exist when this value is configured and when it is not configured, two distinct countermeasures are defined. Organizations should weigh the choice between the two, based on their identified threats and the risks that they want to mitigate. The two countermeasure options are:
|
||||
Because vulnerabilities can exist when this value is configured and when it's not configured, two distinct countermeasures are defined. Organizations should weigh the choice between the two, based on their identified threats and the risks that they want to mitigate. The two countermeasure options are:
|
||||
|
||||
- Configure the **Account lockout threshold** setting to 0. This configuration ensures that accounts will not be locked, and it will prevent a DoS attack that intentionally attempts to lock accounts. This configuration also helps reduce Help Desk calls because users cannot accidentally lock themselves out of their accounts. Because it does not prevent a brute force attack, this configuration should be chosen only if both of the following criteria are explicitly met:
|
||||
- Configure the **Account lockout threshold** setting to 0. This configuration ensures that accounts won't be locked, and it will prevent a DoS attack that intentionally attempts to lock accounts. This configuration also helps reduce Help Desk calls because users can't accidentally lock themselves out of their accounts. Because it doesn't prevent a brute force attack, this configuration should be chosen only if both of the following criteria are explicitly met:
|
||||
|
||||
- The password policy setting requires all users to have complex passwords of eight or more characters.
|
||||
- A robust audit mechanism is in place to alert administrators when a series of failed sign-ins occurs in the environment.
|
||||
|
||||
- Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account.
|
||||
|
||||
[Windows security baselines](../windows-security-baselines.md) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but does not prevent a DoS attack.
|
||||
[Windows security baselines](../windows-security-baselines.md) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack.
|
||||
|
||||
Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it is needed to help mitigate massive lockouts caused by an attack on your systems.
|
||||
Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it's needed to help mitigate massive lockouts caused by an attack on your systems.
|
||||
|
||||
### Potential impact
|
||||
|
||||
If this policy setting is enabled, a locked account is not usable until it is reset by an administrator or until the account lockout duration expires. Enabling this setting will likely generate a number of additional Help Desk calls.
|
||||
If this policy setting is enabled, a locked account isn't usable until it's reset by an administrator or until the account lockout duration expires. Enabling this setting will likely generate many more Help Desk calls.
|
||||
|
||||
If you configure the **Account lockout threshold** policy setting to 0, there is a possibility that a malicious user's attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism is not in place.
|
||||
If you configure the **Account lockout threshold** policy setting to 0, there's a possibility that a malicious user's attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism isn't in place.
|
||||
|
||||
If you configure this policy setting to a number greater than 0, an attacker can easily lock any accounts for which the account name is known. This situation is especially dangerous considering that no credentials other than access to the network are necessary to lock the accounts.
|
||||
|
||||
|
||||
@ -29,7 +29,7 @@ All account policies settings applied by using Group Policy are applied at the d
|
||||
> [!NOTE]
|
||||
> Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain. These domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, domain controllers always retrieve the values of these account policy settings from the default domain policy Group Policy Object (GPO).
|
||||
|
||||
The only exception is when another account policy is defined for an organizational unit (OU). The account policy settings for the OU affect the local policy on any computers that are contained in the OU. For example, if an OU policy defines a maximum password age that differs from the domain-level account policy, the OU policy will be applied and enforced only when users log on to the local computer. The default local computer policies apply only to computers that are in a workgroup or in a domain where neither an OU account policy nor a domain policy applies.
|
||||
The only exception is when another account policy is defined for an organizational unit (OU). The account policy settings for the OU affect the local policy on any computers that are contained in the OU. For example, if an OU policy defines a maximum password age that differs from the domain-level account policy, the OU policy will be applied and enforced only when users sign in to the local computer. The default local computer policies apply only to computers that are in a workgroup or in a domain where both an OU account policy and a domain policy don't apply.
|
||||
|
||||
## In this section
|
||||
|
||||
|
||||
@ -37,7 +37,7 @@ The following conditions prevent disabling the Administrator account, even if th
|
||||
1. Disabled
|
||||
2. Listed in the [Deny log on locally](deny-log-on-locally.md) User Rights Assignment
|
||||
|
||||
If the Administrator account is disabled, you cannot enable it if the password does not meet requirements. In this case, another member of the Administrators group must reset the password.
|
||||
If the Administrator account is disabled, you can't enable it if the password doesn't meet requirements. In this case, another member of the Administrators group must reset the password.
|
||||
|
||||
### Possible values
|
||||
- Enabled
|
||||
@ -48,7 +48,7 @@ By default, this setting is **Not defined** on domain controllers and **Enabled*
|
||||
|
||||
### Best practices
|
||||
|
||||
- Disabling the administrator account can become a maintenance issue under certain circumstances. For example, in a domain environment, if the secure channel that constitutes your connection fails for any reason, and there is no other local administrator account, you must restart the computer in safe mode to fix the problem that broke your connection status.
|
||||
- Disabling the administrator account can become a maintenance issue under certain circumstances. For example, in a domain environment, if the secure channel that constitutes your connection fails for any reason, and there's no other local administrator account, you must restart the computer in safe mode to fix the problem that broke your connection status.
|
||||
|
||||
### Location
|
||||
|
||||
@ -73,16 +73,16 @@ The following table lists the actual and effective default values for this polic
|
||||
Disabling the administrator account can become a maintenance issue under certain circumstances. Reasons that an organization might consider disabling the built-in administrator account include:
|
||||
|
||||
- For some organizations, periodically changing the passwords for local accounts can be a daunting management challenge.
|
||||
- By default, the administrator account cannot be locked—no matter how many failed attempts to sign in a user accrues. This makes it a prime target for brute-force, password-guessing attacks.
|
||||
- This account has a well-known security identifier (SID). Some non-Microsoft tools allow you to authenticate over the network by specifying the SID rather than the account name. This means that even if you rename the administrator account, a malicious user could start a brute-force attack by using the SID.
|
||||
- By default, the administrator account can't be locked—no matter how many failed attempts to sign in a user accrue. This open state of the account makes it a prime target for brute-force, password-guessing attacks.
|
||||
- This account has a well-known security identifier (SID). Some non-Microsoft tools allow you to authenticate over the network by specifying the SID rather than the account name. This authentication approach means that even if you rename the administrator account, a malicious user could start a brute-force attack by using the SID.
|
||||
|
||||
### Restart requirement
|
||||
|
||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
||||
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
|
||||
|
||||
### Safe mode considerations
|
||||
|
||||
When you start a device in safe mode, the disabled administrator account is enabled only if the computer is non-domain joined and there are no other active local administrator accounts. In this case, you can access the computer by using safe mode with the current administrative credentials. If the computer is joined to a domain, the disabled administrator account is not enabled.
|
||||
When you start a device in safe mode, the disabled administrator account is enabled only if the computer is non-domain joined and there are no other active local administrator accounts. In this case, you can access the computer by using safe mode with the current administrative credentials. If the computer is joined to a domain, the disabled administrator account isn't enabled.
|
||||
|
||||
### How to access a disabled Administrator account
|
||||
|
||||
@ -96,17 +96,17 @@ This section describes how an attacker might exploit a feature or its configurat
|
||||
|
||||
### Vulnerability
|
||||
|
||||
The built-in administrator account cannot be locked out no matter how many failed logons it accrues, which makes it a prime target for brute-force attacks that attempt to guess passwords. Also, this account has a well-known security identifier (SID), and there are non-Microsoft tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute-force attack by using the SID to log on. All other accounts that are members of the Administrator's group have the safeguard of locking out the account if the number of failed logons exceeds its configured maximum.
|
||||
The built-in administrator account can't be locked out no matter how many failed logons it accrues, which makes it a prime target for brute-force attacks that attempt to guess passwords. Also, this account has a well-known security identifier (SID), and there are non-Microsoft tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute-force attack by using the SID to sign in. All other accounts that are members of the Administrator's group have the safeguard of locking out the account if the number of failed logons exceeds its configured maximum.
|
||||
|
||||
### Countermeasure
|
||||
|
||||
Disable the **Accounts: Administrator account status** setting so that the built-in Administrator account cannot be used in a normal system startup.
|
||||
If it is very difficult to maintain a regular schedule for periodic password changes for local accounts, you can disable the built-in administrator account instead of relying on regular password changes to protect it from attack.
|
||||
Disable the **Accounts: Administrator account status** setting so that the built-in Administrator account can't be used in a normal system startup.
|
||||
If it's difficult to maintain a regular schedule for periodic password changes for local accounts, you can disable the built-in administrator account instead of relying on regular password changes to protect it from attack.
|
||||
|
||||
### Potential impact
|
||||
|
||||
Maintenance issues can arise under certain circumstances if you disable the administrator account. For example, if the secure channel between a member computer and the domain controller fails in a domain environment for any reason and there is no other local administrator account, you must restart in safe mode to fix the problem that caused the secure channel to fail.
|
||||
If the current administrator password does not meet the password requirements, you cannot enable the administrator account after it is disabled. If this situation occurs, another member of the administrators group must set the password on the administrator account.
|
||||
Maintenance issues can arise under certain circumstances if you disable the administrator account. For example, if the secure channel between a member computer and the domain controller fails in a domain environment for any reason and there's no other local administrator account, you must restart in safe mode to fix the problem that caused the secure channel to fail.
|
||||
If the current administrator password doesn't meet the password requirements, you can't enable the administrator account after it's disabled. If this situation occurs, another member of the administrators' group must set the password on the administrator account.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -27,27 +27,27 @@ Describes the best practices, location, values, management, and security conside
|
||||
|
||||
## Reference
|
||||
|
||||
This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. For more details, see [Microsoft Accounts](../../identity-protection/access-control/microsoft-accounts.md).
|
||||
This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. For more information, see [Microsoft Accounts](../../identity-protection/access-control/microsoft-accounts.md).
|
||||
|
||||
There are two options if this setting is enabled:
|
||||
|
||||
- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts).
|
||||
- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the sign-in screen). However, users can't use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts).
|
||||
|
||||
- **Users can’t add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**.
|
||||
- **Users can’t add or log on with Microsoft accounts** means that users can't add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**.
|
||||
|
||||
If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
|
||||
If you disable or don't configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
|
||||
|
||||
### Possible values
|
||||
- This policy is disabled
|
||||
- Users can’t add Microsoft accounts
|
||||
- Users can’t add or log on with Microsoft accounts
|
||||
- Users can’t add or sign in with Microsoft accounts
|
||||
|
||||
By default, this setting is not defined on domain controllers and disabled on stand-alone servers.
|
||||
By default, this setting isn't defined on domain controllers and disabled on stand-alone servers.
|
||||
|
||||
### Best practices
|
||||
|
||||
- By disabling or not configuring this policy setting on the client computer, users will be able to use their Microsoft account, local account, or domain account for their sign-in session to Windows. It also enables the user to connect a local or domain account to a Microsoft account. This provides a convenient option for your users.
|
||||
- If you need to limit the use of Microsoft accounts in your organization, click the **Users can’t add Microsoft accounts** setting option so that users will not be able to use the **Settings** app to add new connected accounts.
|
||||
- If this policy setting is disabled or isn't configured on the client computer, users will be able to use their Microsoft account, local account, or domain account for their sign-in session to Windows. It also enables the user to connect a local or domain account to a Microsoft account. This ability to connect provides a convenient option for your users.
|
||||
- If you need to limit the use of Microsoft accounts in your organization, click the **Users can’t add Microsoft accounts** setting option so that users won't be able to use the **Settings** app to add new connected accounts.
|
||||
|
||||
### Location
|
||||
|
||||
@ -72,7 +72,7 @@ This section describes features and tools that are available to help you manage
|
||||
|
||||
### Restart requirement
|
||||
|
||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
||||
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
|
||||
|
||||
## Security considerations
|
||||
|
||||
@ -80,11 +80,11 @@ This section describes how an attacker might exploit a feature or its configurat
|
||||
|
||||
### Vulnerability
|
||||
|
||||
Although Microsoft accounts are password-protected, they also have the potential of greater exposure outside of the enterprise. Additionally, if the owner of a Microsoft account is not easily distinguishable, auditing and forensics become more difficult.
|
||||
Although Microsoft accounts are password-protected, they also have the potential of greater exposure outside of the enterprise. Additionally, if the owner of a Microsoft account isn't easily distinguishable, auditing and forensics become more difficult.
|
||||
|
||||
### Countermeasure
|
||||
|
||||
Require only domain accounts in your enterprise by limiting the use of Microsoft accounts. Click the **Users can’t add Microsoft accounts** setting option so that users will not be able to create new Microsoft accounts on a device, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account.
|
||||
Require only domain accounts in your enterprise by limiting the use of Microsoft accounts. Click the **Users can’t add Microsoft accounts** setting option so that users won't be able to create new Microsoft accounts on a device, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account.
|
||||
|
||||
### Potential impact
|
||||
|
||||
|
||||
@ -28,7 +28,7 @@ Describes the best practices, location, values, and security considerations for
|
||||
## Reference
|
||||
|
||||
The **Accounts: Guest account status** policy setting determines whether the Guest account is enabled or disabled.
|
||||
This account allows unauthenticated network users to gain access to the system by logging on as a Guest with no password. Unauthorized users can access any resources that are accessible to the Guest account over the network. This means that any network shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group will be accessible over the network. This can lead to the exposure or corruption of data.
|
||||
This account allows unauthenticated network users to gain access to the system by signing in as a Guest with no password. Unauthorized users can access any resources that are accessible to the Guest account over the network. This privilege means that any network shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group will be accessible over the network. This accessibility can lead to the exposure or corruption of data.
|
||||
|
||||
### Possible values
|
||||
|
||||
@ -38,7 +38,7 @@ This account allows unauthenticated network users to gain access to the system b
|
||||
|
||||
### Best practices
|
||||
|
||||
Set **Accounts: Guest account status** to Disabled so that the built-in Guest account is no longer usable. All network users will have to authenticate before they can access shared resources on the system. If the Guest account is disabled and [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md) is set to **Guest only**, network logons—such as those performed by the SMB Service—will fail.
|
||||
Set **Accounts: Guest account status** to Disabled so that the built-in Guest account is no longer usable. All network users will have to authenticate before they can access shared resources on the system. If the Guest account is disabled and [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md) is set to **Guest only**, network logons—such as those logons performed by the SMB Service—will fail.
|
||||
|
||||
### Location
|
||||
|
||||
@ -63,15 +63,15 @@ This section describes how an attacker might exploit a feature or its configurat
|
||||
|
||||
### Vulnerability
|
||||
|
||||
The default Guest account allows unauthenticated network users to log on as a Guest with no password. These unauthorized users could access any resources that are accessible to the Guest account over the network. This capability means that any shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group are accessible over the network, which could lead to the exposure or corruption of data.
|
||||
The default Guest account allows unauthenticated network users to sign in as a Guest with no password. These unauthorized users could access any resources that are accessible to the Guest account over the network. This capability means that any shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group are accessible over the network, which could lead to the exposure or corruption of data.
|
||||
|
||||
### Countermeasure
|
||||
|
||||
Disable the **Accounts: Guest account status** setting so that the built-in Guest account cannot be used.
|
||||
Disable the **Accounts: Guest account status** setting so that the built-in Guest account can't be used.
|
||||
|
||||
### Potential impact
|
||||
|
||||
All network users must be authenticated before they can access shared resources. If you disable the Guest account and the **Network Access: Sharing and Security Model** option is set to **Guest Only**, network logons, such as those performed by the Microsoft Network Server (SMB Service), fail. This policy setting should have little impact on most organizations because it is the default setting starting with Windows Vista and Windows Server 2003.
|
||||
All network users must be authenticated before they can access shared resources. If you disable the Guest account and the **Network Access: Sharing and Security Model** option is set to **Guest Only**, network logons, such as those performed by the Microsoft Network Server (SMB Service), fail. This policy setting should have little impact on most organizations because it's the default setting starting with Windows Vista and Windows Server 2003.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -29,12 +29,12 @@ Describes the best practices, location, values, and security considerations for
|
||||
|
||||
The **Accounts: Limit local account use of blank passwords to console logon only** policy setting determines whether remote interactive logons by network services such as Remote Desktop Services, Telnet, and File Transfer Protocol (FTP) are allowed for local accounts that have blank passwords. If this policy setting is enabled, a local account must have a nonblank password to be used to perform an interactive or network logon from a remote client.
|
||||
|
||||
This policy setting does not affect interactive logons that are performed physically at the console or logons that use domain accounts. It is possible for non-Microsoft applications that use remote interactive logons to bypass this policy setting.
|
||||
Blank passwords are a serious threat to computer security and they should be forbidden through both corporate policy and suitable technical measures. Nevertheless, if a user with the ability to create new accounts creates one that has bypassed your domain-based password policy settings, that account might have a blank password. For example, a user could build a stand-alone system, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the account name can then use accounts with blank passwords to log on to systems.
|
||||
This policy setting doesn't affect interactive logons that are performed physically at the console or logons that use domain accounts. It's possible for non-Microsoft applications that use remote interactive logons to bypass this policy setting.
|
||||
Blank passwords are a serious threat to computer security and they should be forbidden through both corporate policy and suitable technical measures. Nevertheless, if a user with the ability to create new accounts creates one that has bypassed your domain-based password policy settings, that account might have a blank password. For example, a user could build a stand-alone system, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the account name can then use accounts with blank passwords to sign in to systems.
|
||||
|
||||
Devices that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the device can log on by using a user account that does not have a password. This is especially important for portable devices.
|
||||
Devices that aren't in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the device can sign in by using a user account that doesn't have a password. This policy is especially important for portable devices.
|
||||
|
||||
If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services.
|
||||
If you apply this security policy to the Everyone group, no one will be able to sign in through Remote Desktop Services.
|
||||
|
||||
### Possible values
|
||||
|
||||
@ -44,7 +44,7 @@ If you apply this security policy to the Everyone group, no one will be able to
|
||||
|
||||
### Best practices
|
||||
|
||||
- It is advisable to set **Accounts: Limit local account use of blank passwords to console logon only** to Enabled.
|
||||
- It's advisable to set **Accounts: Limit local account use of blank passwords to console logon only** to Enabled.
|
||||
|
||||
### Location
|
||||
|
||||
@ -69,7 +69,7 @@ This section describes features and tools that are available to help you manage
|
||||
|
||||
### Restart requirement
|
||||
|
||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
||||
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
|
||||
|
||||
### Policy conflict considerations
|
||||
|
||||
@ -77,7 +77,7 @@ The policy as distributed through the GPO takes precedence over the locally conf
|
||||
|
||||
### Group Policy
|
||||
|
||||
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in.
|
||||
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in.
|
||||
|
||||
## Security considerations
|
||||
|
||||
@ -85,7 +85,7 @@ This section describes how an attacker might exploit a feature or its configurat
|
||||
|
||||
### Vulnerability
|
||||
|
||||
Blank passwords are a serious threat to computer security, and they should be forbidden through organizational policy and suitable technical measures. Starting with Windows Server 2003, the default settings for Active Directory domains require complex passwords of at least seven characters, and eight characters starting with Windows Server 2008. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on.
|
||||
Blank passwords are a serious threat to computer security, and they should be forbidden through organizational policy and suitable technical measures. From Windows Server 2003, the default settings for Active Directory domains require complex passwords of at least seven characters, and eight characters starting with Windows Server 2008. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to sign in.
|
||||
|
||||
### Countermeasure
|
||||
|
||||
@ -93,7 +93,7 @@ Enable the **Accounts: Limit local account use of blank passwords to console log
|
||||
|
||||
### Potential impact
|
||||
|
||||
None. This is the default configuration.
|
||||
None. This non-impact behavior is the default configuration.
|
||||
|
||||
## Related topics
|
||||
[Security Options](security-options.md)
|
||||
|
||||
@ -62,7 +62,7 @@ This section describes features and tools that are available to help you manage
|
||||
|
||||
### Restart requirement
|
||||
|
||||
None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy.
|
||||
None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy.
|
||||
|
||||
### Policy conflict considerations
|
||||
|
||||
@ -70,7 +70,7 @@ None.
|
||||
|
||||
### Group Policy
|
||||
|
||||
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in.
|
||||
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in.
|
||||
|
||||
## Security considerations
|
||||
|
||||
@ -78,9 +78,9 @@ This section describes how an attacker might exploit a feature or its configurat
|
||||
|
||||
### Vulnerability
|
||||
|
||||
The Administrator account exists on all versions Windows 10 for desktop editions. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination. Beginning with Windows Vista, the person who installs the operating system specifies an account that is the first member of the Administrator group and has full rights to configure the computer so this countermeasure is applied by default on new installations. If a device is upgraded from a previous version of Windows, the account with the name administrator is retained with all the rights and privileges that were defined for the account in the previous installation.
|
||||
The Administrator account exists on all versions Windows 10 for desktop editions. If you rename this account, it's slightly more difficult for unauthorized persons to guess this privileged user name and password combination. Beginning with Windows Vista, the person who installs the operating system specifies an account that is the first member of the Administrator group and has full rights to configure the computer so this countermeasure is applied by default on new installations. If a device is upgraded from a previous version of Windows, the account with the name administrator is retained with all the rights and privileges that were defined for the account in the previous installation.
|
||||
|
||||
The built-in administrator account cannot be locked out, regardless of how many times an attacker might use a bad password. This capability makes the administrator account a popular target for brute-force attacks that attempt to guess passwords. The value of this countermeasure is lessened because this account has a well-known SID, and there are non-Microsoft tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute-force attack by using the SID to log on.
|
||||
The built-in administrator account can't be locked out, regardless of how many times an attacker might use a bad password. This capability makes the administrator account a popular target for brute-force attacks that attempt to guess passwords. The value of this countermeasure is lessened because this account has a well-known SID, and there are non-Microsoft tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute-force attack by using the SID to sign in.
|
||||
|
||||
### Countermeasure
|
||||
|
||||
@ -88,7 +88,7 @@ Specify a new name in the **Accounts: Rename administrator account** setting to
|
||||
|
||||
### Potential impact
|
||||
|
||||
You must provide users who are authorized to use this account with the new account name. (The guidance for this setting assumes that the Administrator account was not disabled.)
|
||||
You must provide users who are authorized to use this account with the new account name. (The guidance for this setting assumes that the Administrator account wasn't disabled.)
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
@ -62,7 +62,7 @@ This section describes features and tools that are available to help you manage
|
||||
|
||||
### Restart requirement
|
||||
|
||||
None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
|
||||
None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
|
||||
|
||||
### Policy conflict considerations
|
||||
|
||||
@ -70,7 +70,7 @@ None.
|
||||
|
||||
### Group Policy
|
||||
|
||||
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in.
|
||||
This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in.
|
||||
|
||||
## Security considerations
|
||||
|
||||
@ -83,7 +83,7 @@ or install software that could be used for a later attack on your system.
|
||||
|
||||
### Countermeasure
|
||||
|
||||
Specify a new name in the **Accounts: Rename guest account** setting to rename the Guest account. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination.
|
||||
Specify a new name in the **Accounts: Rename guest account** setting to rename the Guest account. If you rename this account, it's slightly more difficult for unauthorized persons to guess this privileged user name and password combination.
|
||||
|
||||
### Potential impact
|
||||
|
||||
|
||||
@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management, and security
|
||||
|
||||
## Reference
|
||||
|
||||
The **Act as part of the operating system** policy setting determines whether a process can assume the identity of any user and thereby gain access to the resources that the user is authorized to access. Typically, only low-level authentication services require this user right. Potential access is not limited to what is associated with the user by default. The calling process may request that arbitrary additional privileges be added to the access token. The calling process may also build an access token that does not provide a primary identity for auditing in the system event logs.
|
||||
The **Act as part of the operating system** policy setting determines whether a process can assume the identity of any user and thereby gain access to the resources that the user is authorized to access. Typically, only low-level authentication services require this user right. Potential access isn't limited to what is associated with the user by default. The calling process may request that arbitrary extra privileges be added to the access token. The calling process may also build an access token that doesn't provide a primary identity for auditing in the system event logs.
|
||||
Constant: SeTcbPrivilege
|
||||
|
||||
### Possible values
|
||||
@ -35,8 +35,8 @@ Constant: SeTcbPrivilege
|
||||
- Not defined
|
||||
|
||||
### Best practices
|
||||
- Do not assign this right to any user accounts. Only assign this user right to trusted users.
|
||||
- If a service requires this user right, configure the service to log on by using the local System account, which inherently includes this user right. Do not create a separate account and assign this user right to it.
|
||||
- Don't assign this right to any user accounts. Only assign this user right to trusted users.
|
||||
- If a service requires this user right, configure the service to sign in by using the local System account, which inherently includes this user right. Don't create a separate account and assign this user right to it.
|
||||
|
||||
### Location
|
||||
|
||||
@ -57,7 +57,7 @@ The following table lists the actual and effective default policy values for the
|
||||
|
||||
## Policy management
|
||||
|
||||
A restart of the device is not required for this policy setting to be effective.
|
||||
A restart of the device isn't required for this policy setting to be effective.
|
||||
|
||||
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
|
||||
|
||||
@ -77,11 +77,11 @@ This section describes how an attacker might exploit a feature or its configurat
|
||||
|
||||
### Vulnerability
|
||||
|
||||
The **Act as part of the operating system** user right is extremely powerful. Users with this user right can take complete control of the device and erase evidence of their activities.
|
||||
The **Act as part of the operating system** user right is powerful. Users with this user right can take complete control of the device and erase evidence of their activities.
|
||||
|
||||
### Countermeasure
|
||||
|
||||
Restrict the **Act as part of the operating system** user right to as few accounts as possible—it should not even be assigned to the Administrators group under typical circumstances. When a service requires this user right, configure the service to log on with the Local System account, which inherently includes this privilege. Do not create a separate account and assign this user right to it.
|
||||
Restrict the **Act as part of the operating system** user right to as few accounts as possible—it shouldn't even be assigned to the Administrators group under typical circumstances. When a service requires this user right, configure the service to sign in with the Local System account, which inherently includes this privilege. Don't create a separate account and assign this user right to it.
|
||||
|
||||
### Potential impact
|
||||
|
||||
|
||||
@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management and security c
|
||||
|
||||
## Reference
|
||||
|
||||
This policy setting determines which users can add a device to a specific domain. For it to take effect, it must be assigned so that it applies to at least one domain controller. A user who is assigned this user right can add up to ten workstations to the domain.
|
||||
This policy setting determines which users can add a device to a specific domain. For it to take effect, it must be assigned so that it applies to at least one domain controller. A user who is assigned this user right can add up to 10 workstations to the domain.
|
||||
Adding a machine account to the domain allows the device to participate in Active Directory-based networking.
|
||||
|
||||
Constant: SeMachineAccountPrivilege
|
||||
@ -47,7 +47,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\User Rights Assignm
|
||||
|
||||
### Default values
|
||||
|
||||
By default, this setting allows access for Authenticated Users on domain controllers, and it is not defined on stand-alone servers.
|
||||
By default, this setting allows access for Authenticated Users on domain controllers, and it isn't defined on stand-alone servers.
|
||||
|
||||
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.
|
||||
|
||||
@ -62,11 +62,11 @@ The following table lists the actual and effective default policy values for the
|
||||
|
||||
## Policy management
|
||||
|
||||
Users can also join a computer to a domain if they have the Create Computer Objects permission for an organizational unit (OU) or for the Computers container in the directory. Users who are assigned this permission can add an unlimited number of devices to the domain regardless of whether they have the **Add workstations to domain** user right.
|
||||
Users can also join a computer to a domain if they've the Create Computer Objects permission for an organizational unit (OU) or for the Computers container in the directory. Users who are assigned this permission can add an unlimited number of devices to the domain regardless of whether they've the **Add workstations to domain** user right.
|
||||
|
||||
Furthermore, machine accounts that are created by means of the **Add workstations to domain** user right have Domain Administrators as the owner of the machine account. Machine accounts that are created by means of permissions on the computer’s container use the creator as the owner of the machine account. If a user has permissions on the container and also has the **Add workstation to domain** user right, the device is added based on the computer container permissions rather than the user right.
|
||||
Furthermore, machine accounts that are created through the **Add workstations to domain** user right have Domain Administrators as the owner of the machine account. Machine accounts that are created through permissions on the computer’s container use the creator as the owner of the machine account. If a user has permissions on the container and also has the **Add workstation to domain** user right, the device is added based on the computer container permissions rather than the user right.
|
||||
|
||||
A restart of the device is not required for this policy setting to be effective.
|
||||
A restart of the device isn't required for this policy setting to be effective.
|
||||
|
||||
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
|
||||
|
||||
@ -87,8 +87,8 @@ This policy has the following security considerations:
|
||||
|
||||
### Vulnerability
|
||||
|
||||
The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. For example, if your organization does not want its users to have administrative
|
||||
privileges on their devices, users could install Windows on their computers and then add the computers to the domain. The user would know the password for the local administrator account, could log on with that account, and then add a personal domain account to the local Administrators group.
|
||||
The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. For example, if your organization doesn't want its users to have administrative
|
||||
privileges on their devices, users could install Windows on their computers and then add the computers to the domain. The user would know the password for the local administrator account, could sign in with that account, and then add a personal domain account to the local Administrators group.
|
||||
|
||||
### Countermeasure
|
||||
|
||||
@ -96,7 +96,7 @@ Configure this setting so that only authorized members of the IT team are allowe
|
||||
|
||||
### Potential impact
|
||||
|
||||
For organizations that have never allowed users to set up their own computers and add them to the domain, this countermeasure has no impact. For those that have allowed some or all users to configure their own devices, this countermeasure forces the organization to establish a formal process for these procedures going forward. It does not affect existing computers unless they are removed from and then added to the domain.
|
||||
For organizations that have never allowed users to set up their own computers and add them to the domain, this countermeasure has no impact. For those organizations that have allowed some or all users to configure their own devices, this countermeasure forces the organization to establish a formal process for these procedures going forward. It doesn't affect existing computers unless they're removed from and then added to the domain.
|
||||
|
||||
## Related topics
|
||||
- [User Rights Assignment](user-rights-assignment.md)
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user