February 2009
Contents
1. Download and on-line locations for the Security Compliance Management Toolkit
2. Brief description of the Security Compliance Management Toolkit
3. Getting started
4. Contents of download package
5. Copyright and license agreement
6. Windows Vista Security Guide Release Notes
7. Windows XP Security Guide Release Notes
8. Windows Server 2008 Security Guide Release Notes
9. Windows Server 2003 Security Guide Release Notes
10. 2007 Microsoft Office Security Guide Release Notes
11. GPOAccelerator Release Notes
12. Security Compliance Management Release Notes
1. Download and on-line locations for the Security Compliance Management Toolkit
The Security Compliance Management Toolkit is free on Microsoft TechNet and the Microsoft Download Center.
As in the previous releases of these security guides, each guide describes the following two environments:
as recommendations for an organizational unit (OU) structure that is adequate for deploying the settings in either environment. The security guides in this Solution Accelerator download are intended to work with the GPOAccelerator. The GPOAccelerator tool configures security settings for Microsoft operating systems and applications for either the Enterprise Client (EC) baseline or the Specialized Security Limited Functionality (SSLF) baseline, creating the Group Policy objects so that an organization can establish a baseline and test it in minutes before deploying it. The companion guide, How to Use the GPOAccelerator, provides test and deployment guidance for these activities.
3. Getting started
To start using this Solution Accelerator, Microsoft recommends first reading the "Overview" section of each security guide that is relevant to your environment. The Overview defines the purpose and scope of each guide and its intended audience, and explains how the guidance is organized so that you can locate information both in the guides and in the resources that accompany them. The Overview section of each guide also describes the tools and templates, and the user prerequisites for that guide. To obtain the most value from this material, Microsoft recommends reading the entire guide for each Microsoft product that is relevant to your organization. However, it is possible to read individual portions of the guides to achieve specific aims. The "Chapter Summaries" section in the Overview of each guide briefly introduces each chapter. For more information about the security topics and settings related to these security guides, see the companion guide, Threats and Countermeasures.
To best take advantage of the security guidance, templates, and tools, Microsoft recommends the following steps:
1. Read the Release Notes (this document).
2. Read the Overview and Chapter 1 of each security guide that is relevant to your environment.
3. Read additional portions of each security guide as appropriate.
4. Determine the risk posture for your environment. EC settings and recommendations are appropriate for most organizations; SSLF settings and recommendations are only suitable for organizations where concern for security is so great that a significant loss of functionality and manageability is acceptable.
5. Install the GPOAccelerator.
6. Use the GPOAccelerator to configure a security baseline for your organization.
7. Customize the security configuration.
8. Test and verify the security configuration.
9. Deploy the security configuration.
10. Read the Baseline Compliance Management Overview and the DCM Configuration Pack User Guide in the DCM Configuration Packs folder of the Security Compliance Management Toolkit for your security baseline.
11. Use the desired configuration management (DCM) feature of Microsoft System Center Configuration Manager 2007 Service Pack 1 (SP1) with the Configuration Packs for the operating systems and Office applications in your environment to monitor your security baseline.
The 2007 Microsoft Office Security Guide, Windows XP Security Guide, Windows Vista Security Guide, Windows Server 2003 Security Guide, and Windows Server 2008 Security Guide are also available on TechNet.
4. Contents of download package
Release Notes.rtf
Security Compliance Management Toolkit - All.zip
Security Compliance Management Toolkit - FAQ.docx
Security Compliance Management Toolkit_2007 Office.zip
    Security Compliance Management Overview.docx
    2007 Microsoft Office Security Guide.docx
    2007 Microsoft Office Security Baseline Settings.xlsm
    2007 Microsoft Office Security Baseline.xml
    GPOAccelerator
        GPOAccelerator.msi
        How to Use the GPOAccelerator.docx
Security Compliance Management Toolkit_Windows Server 2003
    Security Compliance Management Overview.docx
    Windows Server 2003 Security Guide.docx
    Windows Server 2003 Attack Surface Reference.xlsx
    Windows Server 2003 Security Baseline Settings.xlsm
    Windows Server 2003 Security Baseline.xml
    INF Files
        WS03-EC-Domain.inf
        WS03-EC-Domain-Controller.inf
        WS03-EC-Member-Server.inf
        WS03-SSLF-Domain.inf
        WS03-SSLF-Domain-Controller.inf
        WS03-SSLF-Member-Server.inf
    GPOAccelerator
        GPOAccelerator.msi
        How to Use the GPOAccelerator.docx
Security Compliance Management Toolkit_Windows Server 2008
    Security Compliance Management Overview.docx
    Windows Server 2008 Security Guide.docx
    Windows Server 2008 Attack Surface Reference.xlsx
    Windows Server 2008 Security Baseline Settings.xlsm
    Windows Server 2008 Security Baseline.xml
    INF Files
        WS08-EC-Domain.inf
        WS08-EC-Domain-Controller.inf
        WS08-EC-Member-Server.inf
        WS08-SSLF-Domain.inf
        WS08-SSLF-Domain-Controller.inf
        WS08-SSLF-Member-Server.inf
    GPOAccelerator
        GPOAccelerator.msi
        How to Use the GPOAccelerator.docx
Security Compliance Management Toolkit_Windows Vista
    Security Compliance Management Overview.docx
    Windows Vista Security Guide.docx
    Windows Vista Security Baseline Settings.xlsm
    Windows Vista Security Baseline.xml
    INF Files
        VSG-EC-Domain.inf
        VSG-EC-Desktop.inf
        VSG-EC-Laptop.inf
        VSG-SSLF-Domain.inf
        VSG-SSLF-Desktop.inf
        VSG-SSLF-Laptop.inf
    GPOAccelerator
        GPOAccelerator.msi
        How to Use the GPOAccelerator.docx
Security Compliance Management Toolkit_Windows XP
    Security Compliance Management Overview.docx
    Windows XP Security Guide.docx
    Windows XP Security Baseline Settings.xlsm
    Windows XP Security Baseline.xml
    INF Files
        XPG-EC-Domain.inf
        XPG-EC-Desktop.inf
        XPG-EC-Laptop.inf
        XPG-SSLF-Domain.inf
        XPG-SSLF-Desktop.inf
        XPG-SSLF-Laptop.inf
    GPOAccelerator
        GPOAccelerator.msi
        How to Use the GPOAccelerator.docx
If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this
documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS". Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user's particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.
Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious.
Microsoft, Access, Active Directory, ActiveX, Excel, InfoPath, Internet Explorer, Outlook, PowerPoint, Visual Basic, Windows, Windows Server, Windows Vista, and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.
2) Changes in this guide version: Version 3.0 of this guide reflects content changes to align it with the other security guides included in these release notes.
3) Known issues. The following are known issues, indicated by date, for all releases of the 2007 Microsoft Office Security Guide:
The following Group Policy settings were found in recent tests to be obsolete in the 2007 Microsoft Office release, although they remain visible in the Group Policy Management Console (GPMC). Because these settings were found to be obsolete in our tests, they were removed from the Security Settings for 2007 Office Applications workbook. For more information, see this Knowledge Base article.
    Allow in-place activation of embedded OLE objects (Outlook 2007)
    Allow the use of ActiveX Custom Controls in InfoPath forms (InfoPath 2007)
    Always use Rich Text formatting in S/MIME messages (Outlook 2007)
    Assume structured storage format of workbook is intact when recovering data (Excel 2007)
    Automatic Query Refresh (Excel 2007)
    Automatically download enclosures (Outlook 2007)
    Completely disable the Smart Documents feature in Word and Excel (Office 2007)
    Control behavior when opening forms in the Local Machine security zone (InfoPath 2007)
    Disable Password Caching (Office 2007)
    Display a warning that a form is digitally signed (InfoPath 2007)
    Display OLE package objects (Outlook 2007)
    Do not allow users to upgrade Information Rights Management configuration (Office 2007)
    Do not upload media files (Office 2007)
    Download Office Controls (Office 2007)
    Enable Cryptography Icons (Outlook 2007)
    Hide Spotlight entry point (Office 2007)
    Locally cache network file storages (Excel 2007)
    Locally cache PivotTable reports (Excel 2007)
    Microsoft Office Online (Office 2007)
    OLAP PivotTable connect warning (Excel 2007)
    OLAP PivotTable User Defined Function (UDF) security setting (Excel 2007)
    PivotTable External Data Source connect warning (Excel 2007)
    Prevent access to Web-based file storage (Office 2007)
    Prevent Word and Excel from loading managed code extensions (Office 2007)
    Refresh Alert Settings (Excel 2007)
    Run forms in restricted mode if they do not specify a publish location and use only features introduced before InfoPath 2003 SP1 (InfoPath 2007)
    Send copy of pictures with HTML messages instead of reference to Internet location (Outlook 2007)
    Suppress High Security Macro alert for unsigned Macros (Excel 2007)
    Windows Internet Explorer Feature (Office 2007)
Security Guide to the local policy of a computer.
GPOAccelerator v3 was released with the Windows Server 2008 Security Guide. This version adds the following functionality:
    Includes the GPOAccelerator Tool Wizard, which provides a graphical user interface (GUI) for the tool.
    Creates the GPOs described in the Windows Server 2008 Security Guide.
GPOAccelerator v2 was released as a separate download in November 2007. Version 2 adds the following functionality:
    Support for computers running Windows XP and Windows Server 2003.
    Creates the GPOs described in the Windows XP Security Guide.
    Creates the GPOs described in the 2007 Microsoft Office Security Guide.
GPOAccelerator v1 was first released with the Windows Vista Security Guide in November 2006. Version 1 includes the following functionality:
    Supports only computers running Windows Vista or later.
    Works only from the command line.
    Creates the GPOs described in the Windows Vista Security Guide.
3) Known issues. The following are known issues, indicated by date, for all releases of the GPOAccelerator:
Users may notice one or more additional "Extra Registry Settings" entries in the reports generated by the Group Policy Results report in the Group Policy Management Console (GPMC) and by the Resultant Set of Policy tools. This has no impact on the expected behavior of the settings included in the GPOs created by the GPOAccelerator, and is expected behavior for these tools. (11-08-06)
Administrative installation of the .msi file is not supported. (11-08-06)
The following Windows operating system settings appear in the GPOAccelerator templates, but they are not supported in the security guides or any related output files (2-12-09):
    Allow Install On Demand (Internet Explorer)
    Audit Policy Other Privilege Use Events
    Display Error Notification
    Modify an object label
    Report Errors
    Specify intranet Microsoft update service location
The GPOAccelerator fails and displays error code 0xC0000135 (STATUS_DLL_NOT_FOUND) if the .NET Framework 3.0 is not installed on the computer where the tool is run. To avoid this error, install the .NET Framework 3.0 or later on the computer before running the GPOAccelerator. (2-12-09)
On stand-alone computers, the GPOAccelerator may not set the ADM-based settings. This known issue applies mostly to computers running Windows XP SP3. If this occurs, the likely cause is that the stand-alone computer does not have the correct Visual C++ runtime. To resolve this issue, download and install the Microsoft Visual C++ 2005 SP1 Redistributable Package (x86). (2-12-09)
Configuration Manager 2007 R2. (6-6-08)
3.2) The toolkit provides more than 700 security settings, including user rights assignment settings such as Access this computer from the network, Back up files and directories, and so on. This release note includes a partial list of these settings. The Resultant Set of Policy (RSoP) data in the Windows Management Instrumentation (WMI) repository may not represent the actual state of the corresponding settings, for the following two reasons:
Reason 1: One or more recently changed Group Policy objects have not yet taken effect on the particular system. Group Policy is applied during system startup and at a predefined interval. By default, computers running Windows operating systems apply Group Policy at 90-minute intervals; for domain controllers, the default interval is 5 minutes. If Group Policy has been changed and the toolkit is run before the next refresh has applied that change, the toolkit report data may differ from the actual system state.
Reason 2: One or more settings have been configured using local policy. The RSoP data of a system does not include local security policy, such as user rights, password policy, and so on. If any setting has been configured using local policy, the toolkit report data may differ from the actual system state.
The following setting data is collected from the WMI repository, but it may not be synchronized with the data held by the Local Security Authority (LSA) of Windows. Treat the security compliance reports for these settings as informational. (6-6-08)
    Account lockout duration
    Maximum password age
    Minimum password age
    Minimum password length
    Passwords must meet complexity requirements
    Reset account lockout counter after
    Store passwords using reversible encryption
    Access this computer from the network
    Act as part of the operating system
    Add workstations to domain
    Adjust memory quotas for a process
    Allow log on locally
    Allow log on through Terminal Services
    Audit account logon events
    Audit account management
    Audit directory service access
    Audit logon events
    Audit object access
    Audit policy change
    Audit privilege use
    Audit process tracking
    Audit system events
    Back up files and directories
    Bypass traverse checking
    Change the system time
    Change the time zone
    Create a pagefile
    Create a token object
    Create global objects
    Create permanent shared objects
    Create symbolic links
    Debug programs
    Deny access to this computer from the network
    Deny log on as a batch job
    Deny log on as a service
    Deny log on locally
    Deny log on through Terminal Services
    Enable computer and user accounts to be trusted for delegation
    Force shutdown from a remote system
    Generate security audits (SeAuditPrivilege)
    Impersonate a client after authentication
    Increase a process working set
    Increase scheduling priority
    Load and unload device drivers
    Lock pages in memory
    Log on as a batch job
    Log on as a service
    Manage auditing and security log
    Modify firmware environment values
    Perform volume maintenance tasks
    Profile single process
    Profile system performance
    Remove computer from docking station
    Replace a process level token
    Restore files and directories
    Shut down the system
    Synchronize directory service data
    Take ownership of files or other objects (SeTakeOwnershipPrivilege)
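The two reasons above both come down to the same check: the RSoP repository in WMI is what the DCM report is built from, while the Local Security Authority holds what is actually enforced. The following PowerShell script is an added example (it is not part of the toolkit or its Configuration Packs) that reads the user rights from both places on one computer and prints the rights where they disagree. It assumes an elevated PowerShell session on the monitored computer, the secedit.exe that ships with Windows, and an export path that is an arbitrary choice.

```powershell
# Added example, not part of the toolkit: compare the user-rights data that the
# DCM reports read from the RSoP WMI repository with the effective policy held by
# the Local Security Authority, so that a "noncompliant" result can be checked
# before it is acted on. Assumptions: elevated PowerShell on the monitored
# computer; secedit.exe (ships with Windows); the export path is arbitrary.

param([string]$ExportPath = "$env:TEMP\effective-policy.inf")

# Turn an entry such as "*S-1-5-32-544" or "BUILTIN\Administrators" into a bare,
# lower-case account name so both sources can be compared on the same footing.
# (Domain qualifiers are dropped; keep them if two domains must be told apart.)
function ConvertTo-AccountName([string]$Entry) {
    $e = $Entry.Trim().TrimStart('*')
    if ($e -match '^S-1-') {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier $e
            $e = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }   # unresolvable SID (for example a deleted account): keep the raw SID
    }
    return ($e -split '\\')[-1].ToLowerInvariant()
}

# 1. Apply any pending Group Policy change now (Reason 1 above) instead of
#    waiting for the 90-minute / 5-minute refresh interval.
gpupdate /target:computer /force | Out-Null

# 2. Effective user rights as the LSA holds them, including rights set through
#    local policy (Reason 2). The [Privilege Rights] section of the export has
#    lines of the form: SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
secedit /export /cfg $ExportPath /areas USER_RIGHTS | Out-Null
$effective = @{}
$inRights = $false
foreach ($line in Get-Content $ExportPath) {
    if ($line -match '^\[(.+)\]$') { $inRights = ($matches[1] -eq 'Privilege Rights'); continue }
    if ($inRights -and $line -match '^(\S+)\s*=\s*(.*)$') {
        $name = $matches[1]; $list = $matches[2]
        $effective[$name] = @($list -split ',' | ForEach-Object { ConvertTo-AccountName $_ } | Sort-Object)
    }
}

# 3. The same rights as recorded in RSoP, which is what the compliance report is
#    built from. Only the winning entry (precedence 1) for each right applies.
$rsop = @{}
Get-WmiObject -Namespace 'root\rsop\computer' -Class RSOP_UserPrivilegeRight |
    Where-Object { $_.precedence -eq 1 } |
    ForEach-Object {
        $rsop[$_.UserRight] = @($_.AccountList | ForEach-Object { ConvertTo-AccountName $_ } | Sort-Object)
    }

# 4. List the policy-managed rights where the two views disagree. A DCM
#    "noncompliant" finding for one of these needs a second look rather than a
#    remediation ticket.
foreach ($right in ($rsop.Keys | Sort-Object)) {
    $r = $rsop[$right] -join ','
    $e = if ($effective.ContainsKey($right)) { $effective[$right] -join ',' } else { '<not set>' }
    if ($r -ne $e) {
        "{0}`n  RSoP (WMI):    {1}`n  LSA (secedit): {2}" -f $right, $r, $e
    }
}
```

The loop deliberately walks only the rights that appear in RSoP, that is, the ones a GPO manages; rights that exist only in local policy are exactly what Reason 2 says RSoP cannot see, so to surface those as well iterate over $effective.Keys instead and expect a much longer list, since every privilege has a default holder in the LSA even when no policy touches it.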
3.3) The compliance check results for the setting "Domain controller: LDAP server signing requirements" may not be correct for computers running Windows Server 2003 SP2. (6-6-08)
3.4) Some of the prescriptive steps and figures in this release of the toolkit do not align with the updated Configuration Pack file names in the toolkit. (2-12-09)
3.5) Some settings may incorrectly display as noncompliant in DCM reports. These are known issues caused by inconsistent policy references between the Security Templates for the GPOAccelerator and the DCM Configuration Packs in this Beta release. (2-12-09)
3.6) Windows Vista SP1 and Windows Server 2008 RTM report the same operating system version (build 6001). For this reason, the DCM Configuration Packs for Windows Vista SP1 and Windows Server 2008 can be applied to either operating system, but doing so may not give correct monitoring results. Take care to apply the correct DCM pack to each operating system collection. (2-12-09)
3.7) The DCM feature does not work on computers running Server Core installations of Windows Server 2008. Server Core does not support the .NET Framework 2.0, which is required by the DCM agent. (2-12-09)
3.8) The following settings are documented and used in the GPOAccelerator, but they are not collected by the SCM Configuration Packs (6-6-08 and 2-12-09):
    Administrator account status
    Guest account status
    Enforce user logon restrictions
    Internet Explorer Processes (MK Protocol)
    Maximum Media Log size
    MSS (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments)
    Network access: Named Pipes that can be accessed anonymously
    Network access: Remotely accessible registry paths and sub-paths
    Network access: Remotely accessible registry paths
    Network access: Shares that can be accessed anonymously
    Network security: Force logoff when logon hours expire
    Registry policy processing
    Rename administrator account
    Rename guest account
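Because 3.6) and 3.7) both turn on properties that the build number does not reveal, the collection a computer is put in should be decided from the product type and SKU rather than the version string. The function below is an added example (not part of the toolkit) that classifies a computer that way: Win32_OperatingSystem.ProductType distinguishes workstation (1), domain controller (2) and member server (3), and OperatingSystemSKU values 12, 13, 14 and 29 are the Server Core editions of Windows Server 2008. The pack labels it returns are descriptive names chosen for this example, not the toolkit's file names, and it assumes WMI access to the target host.

```powershell
# Added example, not part of the toolkit: choose the DCM Configuration Pack for a
# computer from its product type and SKU, not its build number, because Windows
# Vista SP1 and Windows Server 2008 RTM both report version 6.0.6001.
# Assumptions: WMI access to the target; the pack names are descriptive labels
# for this example rather than the toolkit's file names.

function Get-DcmPackTarget {
    param([string]$ComputerName = '.')

    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName

    # ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
    # OperatingSystemSKU 12, 13, 14, 29 = Datacenter, Standard, Enterprise and
    # Web Server Core editions of Windows Server 2008 (the value is absent on
    # Windows XP / Server 2003, where the cast yields 0).
    $serverCoreSkus = 12, 13, 14, 29
    $isServerCore = $serverCoreSkus -contains [int]$os.OperatingSystemSKU

    $result = New-Object PSObject -Property @{
        Computer    = $os.CSName
        Version     = $os.Version
        ProductType = [int]$os.ProductType
        ServerCore  = $isServerCore
        Pack        = $null
        Note        = $null
    }

    if ($isServerCore) {
        # Known issue 3.7: the DCM agent needs the .NET Framework 2.0, which
        # Server Core on Windows Server 2008 does not support, so no pack applies.
        $result.Note = 'Server Core installation: DCM monitoring not supported'
        return $result
    }

    switch ([int]$os.ProductType) {
        1 {
            if     ($os.Version -like '6.0.*') { $result.Pack = 'Windows Vista (VSG) client baseline' }
            elseif ($os.Version -like '5.1.*') { $result.Pack = 'Windows XP (XPG) client baseline' }
        }
        2 {
            if     ($os.Version -like '6.0.*') { $result.Pack = 'Windows Server 2008 (WS08) domain controller baseline' }
            elseif ($os.Version -like '5.2.*') { $result.Pack = 'Windows Server 2003 (WS03) domain controller baseline' }
        }
        3 {
            if     ($os.Version -like '6.0.*') { $result.Pack = 'Windows Server 2008 (WS08) member server baseline' }
            elseif ($os.Version -like '5.2.*') { $result.Pack = 'Windows Server 2003 (WS03) member server baseline' }
        }
    }
    if (-not $result.Pack) { $result.Note = 'No baseline in this toolkit for this operating system' }
    return $result
}

# Usage: classify a set of hosts and review the ones that get a Note instead of a Pack.
# 'dc01', 'vista-lab01', 'core01' | ForEach-Object { Get-DcmPackTarget $_ } |
#     Format-Table Computer, Version, ProductType, Pack, Note -AutoSize
```

Running this over the members of each Configuration Manager collection before the packs are assigned turns 3.6) from a warning into a check: any 6.0.6001 host whose ProductType disagrees with the collection it sits in is the misapplied-pack case the note describes.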
3.9) The baseline values that the Configuration Packs provide for the EC environment for the settings listed in this release note item are not the same as those that the GPOAccelerator provides. This is because the values that the GPOAccelerator provides for these settings allow for backward compatibility. These settings appear in the following locations (2-12-09):
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
    Audit account logon events
    Audit account management
    Audit directory service access
    Audit logon events
    Audit object access
    Audit policy change
    Audit privilege use
    Audit process tracking
    Audit system events
And: Computer Configuration\Windows Settings\Security Settings\Local Policies\Event Log
    Maximum application log size
    Maximum security log size
    Maximum system log size
4.0) The setting MSS: (TCPMaxDataRetransmissions) IPv6 How many times unacknowledged data is retransmitted (3 recommended, 5 is default) is mentioned in the toolkits for Windows XP and Windows Server 2003. However, this setting does not apply to the security baselines for these operating systems. (2-12-09)