Created by Maksim Kuzmov, last modified by Pavel Golubnichiy on Jan 29, 2020
This page lists the standard Active Directory domain group policy settings that are recommended for the Indeed PAM Gateway server in order to harden it.
Section Computer Configuration -> Policies -> Windows Settings -> Security Settings
Local Policies/User Rights Assignment
Policy | Setting |
Access Credential Manager as a trusted caller | |
Act as part of the operating system | |
Adjust memory quotas for a process | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators |
Allow log on locally | BUILTIN\Administrators |
Allow log on through Terminal Services | BUILTIN\Administrators, PAM users group |
Back up files and directories | BUILTIN\Administrators |
Bypass traverse checking | BUILTIN\Administrators, NT AUTHORITY\Authenticated Users, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE |
Change the system time | BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE |
Change the time zone | BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE |
Create a token object | |
Create global objects | BUILTIN\Administrators, NT AUTHORITY\SERVICE |
Create permanent shared objects | |
Create symbolic links | BUILTIN\Administrators |
Debug programs | BUILTIN\Administrators |
Deny access to this computer from the network | BUILTIN\Guests |
Deny log on as a batch job | BUILTIN\Guests |
Deny log on as a service | BUILTIN\Guests |
Deny log on locally | BUILTIN\Guests |
Deny log on through Terminal Services | BUILTIN\Guests |
Enable computer and user accounts to be trusted for delegation | BUILTIN\Administrators |
Force shutdown from a remote system | BUILTIN\Administrators |
Generate security audits | NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE |
Impersonate a client after authentication | BUILTIN\Administrators, NT AUTHORITY\SERVICE |
Increase scheduling priority | BUILTIN\Administrators |
Load and unload device drivers | BUILTIN\Administrators |
Lock pages in memory | |
Log on as a batch job | BUILTIN\Administrators |
Manage auditing and security log | BUILTIN\Administrators |
Modify an object label | |
Modify firmware environment values | BUILTIN\Administrators |
Perform volume maintenance tasks | BUILTIN\Administrators |
Profile single process | BUILTIN\Administrators |
Profile system performance | BUILTIN\Administrators |
Replace a process level token | NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE |
Restore files and directories | BUILTIN\Administrators |
Shut down the system | BUILTIN\Administrators |
Take ownership of files or other objects | BUILTIN\Administrators |
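To verify that the assignments above are actually in effect on a gateway, the user rights can be exported with secedit and compared with the table. The following script is an added example (not part of the Indeed PAM documentation) that checks a subset of the rights; it assumes the PAM users group is named 'PAM Users' in the domain (set $PamUsersGroup to the real name), and it identifies principals by their well-known SIDs because that is how secedit exports them.

```powershell
# Added example, not part of the Indeed PAM documentation: export the user
# rights in effect on the gateway with secedit and compare a subset of them
# with the User Rights Assignment table above. Run in an elevated PowerShell
# session on the gateway server.
# Assumption: the PAM users group is named 'PAM Users' in the domain; set
# $PamUsersGroup to the real group name before running.

$PamUsersGroup = "$env:USERDOMAIN\PAM Users"

# Well-known SIDs of the principals named in the table.
$Administrators     = 'S-1-5-32-544'
$Guests             = 'S-1-5-32-546'
$AuthenticatedUsers = 'S-1-5-11'
$LocalService       = 'S-1-5-19'
$NetworkService     = 'S-1-5-20'
$Service            = 'S-1-5-6'

# Resolve the domain group to its SID; secedit exports principals as SIDs.
$account     = New-Object System.Security.Principal.NTAccount($PamUsersGroup)
$PamUsersSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Expected assignment per right, keyed by the constant name secedit uses in the
# INF export. An empty list means the right must not be assigned to anyone.
$Expected = @{
    SeTrustedCredManAccessPrivilege   = @()                                  # Access Credential Manager as a trusted caller
    SeTcbPrivilege                    = @()                                  # Act as part of the operating system
    SeInteractiveLogonRight           = @($Administrators)                   # Allow log on locally
    SeRemoteInteractiveLogonRight     = @($Administrators, $PamUsersSid)     # Allow log on through Terminal Services
    SeChangeNotifyPrivilege           = @($Administrators, $AuthenticatedUsers, $LocalService, $NetworkService)  # Bypass traverse checking
    SeCreateTokenPrivilege            = @()                                  # Create a token object
    SeDebugPrivilege                  = @($Administrators)                   # Debug programs
    SeDenyNetworkLogonRight           = @($Guests)                           # Deny access to this computer from the network
    SeDenyInteractiveLogonRight       = @($Guests)                           # Deny log on locally
    SeDenyRemoteInteractiveLogonRight = @($Guests)                           # Deny log on through Terminal Services
    SeImpersonatePrivilege            = @($Administrators, $Service)         # Impersonate a client after authentication
    SeTakeOwnershipPrivilege          = @($Administrators)                   # Take ownership of files or other objects
}

function Get-ExportedUserRights {
    # Export only the user-rights area to a temporary INF and parse its
    # [Privilege Rights] section. Lines look like:
    #   SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-...-1105
    $inf = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights    = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    Remove-Item -Path $inf -Force -ErrorAction SilentlyContinue
    return $rights
}

function Test-UserRightsBaseline {
    $actual = Get-ExportedUserRights
    foreach ($right in ($Expected.Keys | Sort-Object)) {
        # A right that is absent from the export is assigned to nobody.
        $have = if ($actual.ContainsKey($right)) { $actual[$right] } else { @() }
        $want = $Expected[$right]
        [pscustomobject]@{
            Right     = $right
            Expected  = ($want -join ', ')
            Actual    = ($have -join ', ')
            Compliant = ((@($want) | Sort-Object) -join ',') -eq ((@($have) | Sort-Object) -join ',')
        }
    }
}

Test-UserRightsBaseline | Format-Table -AutoSize
```

The comparison is exact: any extra principal holding a right (for example a service account that was granted "Debug programs" during troubleshooting) shows up as non-compliant, which is the condition that matters on a jump host. Extend $Expected with the remaining rows of the table using the same Se* constant names.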
Local Policies/Security Options
Accounts
Policy | Setting |
Accounts: Administrator account status | Enabled |
Accounts: Guest account status | Disabled |
Accounts: Limit local account use of blank passwords to console logon only | Enabled |
Audit
Policy | Setting |
Audit: Audit the use of Backup and Restore privilege | Enabled |
Devices
Policy | Setting |
Devices: Allowed to format and eject removable media | Administrators |
Devices: Prevent users from installing printer drivers | Enabled |
Devices: Restrict CD-ROM access to locally logged-on user only | Enabled |
Devices: Restrict floppy access to locally logged-on user only | Enabled |
Interactive Logon
Policy | Setting |
Interactive logon: Do not display last user name | Enabled |
Interactive logon: Do not require CTRL+ALT+DEL | Disabled |
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 0 logons |
Interactive logon: Require Domain Controller authentication to unlock workstation | Enabled |
Microsoft Network Client
Policy | Setting |
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled |
Network Access
Policy | Setting |
Network access: Allow anonymous SID/Name translation | Disabled |
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled |
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled |
Network access: Do not allow storage of passwords and credentials for network authentication | Enabled |
Network access: Let Everyone permissions apply to anonymous users | Disabled |
Network access: Named Pipes that can be accessed anonymously | |
Network access: Remotely accessible registry paths | |
Network access: Remotely accessible registry paths and sub-paths | |
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled |
Network access: Shares that can be accessed anonymously | |
Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves |
Network Security
Policy | Setting |
Network security: Do not store LAN Manager hash value on next password change | Enabled |
Network security: Force logoff when logon hours expire | Enabled |
Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM |
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Enabled: Require NTLMv2 session security, Require 128-bit encryption |
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Enabled: Require NTLMv2 session security, Require 128-bit encryption |
Shutdown
Policy | Setting |
Shutdown: Allow system to be shut down without having to log on | Disabled |
Shutdown: Clear virtual memory pagefile | Enabled |
System Settings
Policy | Setting |
System settings: Optional subsystems | |
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Enabled |
User Account Control
Policy | Setting |
User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled |
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled |
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows binaries |
User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials on the secure desktop |
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
User Account Control: Run all administrators in Admin Approval Mode | Enabled |
User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
Other
Policy | Setting |
Accounts: Block Microsoft accounts | Users can't add Microsoft accounts |
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled |
Domain member: Disable machine account password changes | Disabled |
Domain member: Maximum machine account password age | 30 days |
Domain member: Require strong (Windows 2000 or later) session key | Enabled |
Interactive logon: Display user information when the session is locked | User display name only |
Interactive logon: Machine account lockout threshold | 5 invalid logon attempts |
Microsoft network server: Amount of idle time required before suspending session | 15 minutes |
Microsoft network server: Attempt S4U2Self to obtain claim information | Disabled |
Microsoft network server: Disconnect clients when logon hours expire | Enabled |
Microsoft network server: Server SPN target name validation level | Off |
Recovery console: Allow automatic administrative logon | Disabled |
Recovery console: Allow floppy copy and access to all drives and all folders | Disabled |
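Most of the Security Options listed above are stored as plain registry values once the GPO has applied, so they can be audited without a secedit export. The script below is an added example (not part of the Indeed PAM documentation) that reads those values for a subset of the settings and reports deviations; the NTLM minimum session security entries are bit masks, so they are checked as "all required bits set" rather than for equality. Settings that are not stored as a simple registry value (such as "Allow anonymous SID/Name translation") are left out.

```powershell
# Added example, not part of the Indeed PAM documentation: read the registry
# values that back a subset of the Security Options above and report every
# deviation. Options that are not stored as a plain registry value (for
# example "Allow anonymous SID/Name translation") are not covered. Run elevated.

$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$srv      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$system   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$memmgmt  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# NtlmMinClientSec / NtlmMinServerSec are bit masks; the two checkboxes in the
# table map to these flags, so the check is "all required bits set", not "=".
$RequireNtlmV2Session = 0x00080000
$Require128Bit        = 0x20000000
$NtlmMinSec           = $RequireNtlmV2Session -bor $Require128Bit   # 0x20080000

$Baseline = @(
    @{ Policy = 'Accounts: Limit local account use of blank passwords to console logon only'; Path = $lsa;      Name = 'LimitBlankPasswordUse';       Expected = 1 }
    @{ Policy = 'Accounts: Block Microsoft accounts (Users can''t add)';                      Path = $system;   Name = 'NoConnectedUser';             Expected = 1 }
    @{ Policy = 'Audit: Force audit policy subcategory settings';                             Path = $lsa;      Name = 'SCENoApplyLegacyAuditPolicy'; Expected = 1 }
    @{ Policy = 'Domain member: Disable machine account password changes (Disabled)';        Path = $netlogon; Name = 'DisablePasswordChange';        Expected = 0 }
    @{ Policy = 'Domain member: Maximum machine account password age (30 days)';             Path = $netlogon; Name = 'MaximumPasswordAge';           Expected = 30 }
    @{ Policy = 'Domain member: Require strong session key';                                  Path = $netlogon; Name = 'RequireStrongKey';             Expected = 1 }
    @{ Policy = 'Interactive logon: Do not display last user name';                           Path = $system;   Name = 'DontDisplayLastUserName';      Expected = 1 }
    @{ Policy = 'Interactive logon: Do not require CTRL+ALT+DEL (Disabled)';                 Path = $system;   Name = 'DisableCAD';                   Expected = 0 }
    @{ Policy = 'Interactive logon: Number of previous logons to cache (0)';                 Path = $winlogon; Name = 'CachedLogonsCount';            Expected = '0' }
    @{ Policy = 'Microsoft network client: Send unencrypted password to third-party SMB servers (Disabled)'; Path = $wks; Name = 'EnablePlainTextPassword'; Expected = 0 }
    @{ Policy = 'Microsoft network server: Idle time before suspending session (15 min)';     Path = $srv;      Name = 'AutoDisconnect';               Expected = 15 }
    @{ Policy = 'Microsoft network server: Disconnect clients when logon hours expire';       Path = $srv;      Name = 'EnableForcedLogoff';           Expected = 1 }
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts';         Path = $lsa;      Name = 'RestrictAnonymousSAM';         Expected = 1 }
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'; Path = $lsa;   Name = 'RestrictAnonymous';            Expected = 1 }
    @{ Policy = 'Network access: Do not allow storage of passwords and credentials';          Path = $lsa;      Name = 'DisableDomainCreds';           Expected = 1 }
    @{ Policy = 'Network access: Let Everyone permissions apply to anonymous users (Disabled)'; Path = $lsa;    Name = 'EveryoneIncludesAnonymous';    Expected = 0 }
    @{ Policy = 'Network access: Sharing and security model for local accounts (Classic)';   Path = $lsa;      Name = 'ForceGuest';                   Expected = 0 }
    @{ Policy = 'Network security: Do not store LAN Manager hash value';                      Path = $lsa;      Name = 'NoLMHash';                     Expected = 1 }
    @{ Policy = 'Network security: LAN Manager authentication level (NTLMv2 only, refuse LM & NTLM)'; Path = $lsa; Name = 'LmCompatibilityLevel';  Expected = 5 }
    @{ Policy = 'Network security: Minimum session security for NTLM SSP clients';            Path = $msv;      Name = 'NtlmMinClientSec';             Expected = $NtlmMinSec; Mask = $true }
    @{ Policy = 'Network security: Minimum session security for NTLM SSP servers';            Path = $msv;      Name = 'NtlmMinServerSec';             Expected = $NtlmMinSec; Mask = $true }
    @{ Policy = 'Shutdown: Allow system to be shut down without having to log on (Disabled)'; Path = $system;  Name = 'ShutdownWithoutLogon';         Expected = 0 }
    @{ Policy = 'Shutdown: Clear virtual memory pagefile';                                    Path = $memmgmt;  Name = 'ClearPageFileAtShutdown';      Expected = 1 }
    @{ Policy = 'UAC: Admin Approval Mode for the Built-in Administrator account';            Path = $system;   Name = 'FilterAdministratorToken';     Expected = 1 }
    @{ Policy = 'UAC: Allow UIAccess applications to prompt without secure desktop (Disabled)'; Path = $system; Name = 'EnableUIADesktopToggle';       Expected = 0 }
    @{ Policy = 'UAC: Elevation prompt for administrators (consent for non-Windows binaries)'; Path = $system;  Name = 'ConsentPromptBehaviorAdmin';   Expected = 5 }
    @{ Policy = 'UAC: Elevation prompt for standard users (credentials on secure desktop)';   Path = $system;   Name = 'ConsentPromptBehaviorUser';    Expected = 1 }
    @{ Policy = 'UAC: Only elevate UIAccess applications installed in secure locations';      Path = $system;   Name = 'EnableSecureUIAPaths';         Expected = 1 }
    @{ Policy = 'UAC: Run all administrators in Admin Approval Mode';                          Path = $system;   Name = 'EnableLUA';                    Expected = 1 }
    @{ Policy = 'UAC: Switch to the secure desktop when prompting for elevation';              Path = $system;   Name = 'PromptOnSecureDesktop';        Expected = 1 }
    @{ Policy = 'UAC: Virtualize file and registry write failures';                            Path = $system;   Name = 'EnableVirtualization';         Expected = 1 }
)

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-SecurityOptionsBaseline {
    foreach ($b in $Baseline) {
        $actual = Get-RegValue -Path $b.Path -Name $b.Name
        # A missing value means the policy never applied; report that as
        # non-compliant instead of trusting the OS default.
        $ok = $false
        if ($null -ne $actual) {
            $ok = if ($b.Mask) { ($actual -band $b.Expected) -eq $b.Expected } else { "$actual" -eq "$($b.Expected)" }
        }
        [pscustomobject]@{ Policy = $b.Policy; Value = $b.Name; Expected = $b.Expected; Actual = $actual; Compliant = $ok }
    }
}

Test-SecurityOptionsBaseline | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Drop the Where-Object filter to see the full list. The LmCompatibilityLevel and NtlmMin*Sec checks are the ones worth watching most closely: a gateway that brokers administrative sessions must not negotiate down to LM or NTLMv1 with any peer.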
Event Log
Policy | Setting |
Maximum application log size | 100032 kilobytes |
Maximum security log size | 100032 kilobytes |
Maximum system log size | 100032 kilobytes |
Prevent local guests group from accessing application log | Enabled |
Prevent local guests group from accessing security log | Enabled |
Prevent local guests group from accessing system log | Enabled |
Retention method for application log | As needed |
Retention method for security log | As needed |
Retention method for system log | As needed |
System Services
Service Name (Startup mode) | Permissions | Auditing |
Routing and Remote Access (Startup Mode: Disabled) | No permissions specified | No auditing specified |
Special Administration Console Helper (Startup Mode: Disabled) | No permissions specified | No auditing specified |
SNMP Trap (Startup Mode: Disabled) | No permissions specified | No auditing specified |
Telephony (Startup Mode: Disabled) | No permissions specified | No auditing specified |
Windows Error Reporting Service (Startup Mode: Disabled) | No permissions specified | No auditing specified |
WinHTTP Web Proxy Auto-Discovery Service (Startup Mode: Disabled) | No permissions specified | No auditing specified |
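A quick way to confirm the startup mode of the services in the table is to query Win32_Service and match on the display names as written above. This is an added example (not part of the Indeed PAM documentation); it assumes an English installation, since display names are localized, and it reports a service that is not found rather than silently passing it.

```powershell
# Added example, not part of the Indeed PAM documentation: confirm that the
# services the table above sets to Disabled are in fact disabled on the
# gateway. Services are matched by display name as written in the table, so
# this assumes an English installation.

$DisabledByBaseline = @(
    'Routing and Remote Access'
    'Special Administration Console Helper'
    'SNMP Trap'
    'Telephony'
    'Windows Error Reporting Service'
    'WinHTTP Web Proxy Auto-Discovery Service'
)

function Test-ServiceBaseline {
    $services = Get-CimInstance -ClassName Win32_Service
    foreach ($display in $DisabledByBaseline) {
        $svc = $services | Where-Object { $_.DisplayName -eq $display }
        if ($null -eq $svc) {
            # Not installed, or a localized display name: surface it as a
            # finding to verify by hand instead of silently passing.
            [pscustomobject]@{ Display = $display; Name = $null; StartMode = 'not found'; State = $null; Compliant = $false }
            continue
        }
        [pscustomobject]@{
            Display   = $display
            Name      = $svc.Name
            StartMode = $svc.StartMode      # Boot, System, Auto, Manual or Disabled
            State     = $svc.State
            Compliant = ($svc.StartMode -eq 'Disabled')
        }
    }
}

Test-ServiceBaseline | Format-Table -AutoSize
```

A service that is Disabled but still Running was disabled after it started; the State column makes that case visible so the host can be restarted or the service stopped.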
File System
%SystemRoot%\System32\config
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files | |||
Permissions | |||
Type | Name | Permission | Apply To |
Allow | APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES | Read and Execute | This folder, subfolders and files |
Allow | CREATOR OWNER | Full Control | Subfolders and files only |
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files |
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files |
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled | ||
Auditing | |||
Type | Name | Access | Apply To |
Failure | Everyone | Traverse Folder/Execute File, List folder / Read data, Read attributes, Read extended attributes | This folder, subfolders and files |
All | Everyone | Write | This folder, subfolders and files |
All | Everyone | Delete subfolders and files, Delete, Change permissions, Take ownership | This folder, subfolders and files |
Allow inheritable auditing entries from the parent to propagate to this object and all child objects | Enabled |
%SystemRoot%\System32\config\RegBack
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files | |||
Permissions | |||
Type | Name | Permission | Apply To |
Allow | APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES | Read and Execute | This folder, subfolders and files |
Allow | CREATOR OWNER | Full Control | Subfolders and files only |
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files |
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files |
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled | ||
Auditing | |||
Type | Name | Access | Apply To |
Failure | Everyone | Traverse Folder/Execute File, List folder / Read data, Read attributes, Read extended attributes | This folder, subfolders and files |
All | Everyone | Write | This folder, subfolders and files |
All | Everyone | Delete subfolders and files, Delete, Change permissions, Take ownership | This folder, subfolders and files |
Allow inheritable auditing entries from the parent to propagate to this object and all child objects | Enabled |
Registry
MACHINE\SOFTWARE
Configure this key then: Propagate inheritable permissions to all subkeys | |||
Permissions | |||
Type | Name | Permission | Apply To |
Allow | BUILTIN\Administrators | Full control | This key and subkeys |
Allow | CREATOR OWNER | Full control | Subkeys only |
Allow | NT AUTHORITY\SYSTEM | Full control | This key and subkeys |
Allow | BUILTIN\Users | Read | This key and subkeys |
Allow | APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES | Read | This key and subkeys |
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled | ||
Auditing | |||
Type | Name | Access | Apply To |
All | Everyone | Create Subkey, Create Link, Delete, Read permissions, Change permissions | This key and subkeys |
Success | Everyone | Set Value | This key and subkeys |
Allow inheritable auditing entries from the parent to propagate to this object and all child objects | Enabled |
MACHINE\SYSTEM
Configure this key then: Propagate inheritable permissions to all subkeys | |||
Permissions | |||
Type | Name | Permission | Apply To |
Allow | BUILTIN\Administrators | Full control | This key and subkeys |
Allow | CREATOR OWNER | Full control | Subkeys only |
Allow | NT AUTHORITY\SYSTEM | Full control | This key and subkeys |
Allow | BUILTIN\Users | Read | This key and subkeys |
Allow | APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES | Read | This key and subkeys |
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled | ||
Auditing | |||
Type | Name | Access | Apply To |
All | Everyone | Create Subkey, Create Link, Delete, Read permissions, Change permissions | This key and subkeys |
Success | Everyone | Set Value | This key and subkeys |
Allow inheritable auditing entries from the parent to propagate to this object and all child objects | Enabled |
MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
Configure this key then: Propagate inheritable permissions to all subkeys | |||
Permissions | |||
Type | Name | Permission | Apply To |
Allow | BUILTIN\Administrators | Full control | This key and subkeys |
Allow | CREATOR OWNER | Full control | Subkeys only |
Allow | NT AUTHORITY\SYSTEM | Full control | This key and subkeys |
Allow | BUILTIN\Users | Read | This key and subkeys |
Allow | APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES | Read | This key and subkeys |
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled | ||
Auditing | |||
No auditing specified |
Advanced Audit Configuration
Account Logon
Policy | Setting |
Audit Credential Validation | Success, Failure |
Audit Other Account Logon Events | Success, Failure |
Account Management
Policy | Setting |
Audit Application Group Management | Success, Failure |
Audit Computer Account Management | Success, Failure |
Audit Distribution Group Management | Success, Failure |
Audit Other Account Management Events | Success, Failure |
Audit Security Group Management | Success, Failure |
Audit User Account Management | Success, Failure |
Logon/Logoff
Policy | Setting |
Audit Account Lockout | Success, Failure |
Audit Logoff | Success, Failure |
Audit Logon | Success, Failure |
Audit Network Policy Server | Success, Failure |
Audit Other Logon/Logoff Events | Success, Failure |
Audit Special Logon | Success, Failure |
Object Access
Policy | Setting |
Audit Application Generated | Success, Failure |
Audit Certification Services | Success, Failure |
Audit Detailed File Share | Failure |
Audit File Share | Success, Failure |
Audit File System | Success, Failure |
Audit Kernel Object | Success, Failure |
Audit Registry | Success, Failure |
Audit Removable Storage | Success |
Audit SAM | Success, Failure |
Policy Change
Policy | Setting |
Audit Audit Policy Change | Success, Failure |
Audit Authentication Policy Change | Success, Failure |
Audit Authorization Policy Change | Success, Failure |
Audit Filtering Platform Policy Change | Success, Failure |
Audit MPSSVC Rule-Level Policy Change | Success, Failure |
Privilege Use
Policy | Setting |
Audit Non Sensitive Privilege Use | Success, Failure |
Audit Sensitive Privilege Use | Failure |
System
Policy | Setting |
Audit Other System Events | Success, Failure |
Audit Security State Change | Success, Failure |
Audit Security System Extension | Success, Failure |
Audit System Integrity | Success, Failure |
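The effective advanced audit policy can be read back with auditpol in CSV form and compared with the tables above; the same script also checks the Event Log sizes and retention mode from the Event Log section earlier on this page. This is an added example (not part of the Indeed PAM documentation). It assumes an English system, because auditpol prints localized subcategory names, and it expresses "Success, Failure" from the tables as "Success and Failure", which is the string auditpol reports.

```powershell
# Added example, not part of the Indeed PAM documentation: compare the
# effective advanced audit policy with the tables above using auditpol's CSV
# output, then check the Event Log sizes and retention mode listed earlier on
# this page. Run elevated. auditpol prints localized subcategory names, so the
# name matching below assumes an English system.

# Expected subcategories, taken from the Advanced Audit Configuration tables;
# "Success, Failure" on the page is reported by auditpol as "Success and Failure".
$AuditBaseline = @'
Credential Validation=Success and Failure
Other Account Logon Events=Success and Failure
Application Group Management=Success and Failure
Computer Account Management=Success and Failure
Distribution Group Management=Success and Failure
Other Account Management Events=Success and Failure
Security Group Management=Success and Failure
User Account Management=Success and Failure
Account Lockout=Success and Failure
Logoff=Success and Failure
Logon=Success and Failure
Network Policy Server=Success and Failure
Other Logon/Logoff Events=Success and Failure
Special Logon=Success and Failure
Application Generated=Success and Failure
Certification Services=Success and Failure
Detailed File Share=Failure
File Share=Success and Failure
File System=Success and Failure
Kernel Object=Success and Failure
Registry=Success and Failure
Removable Storage=Success
SAM=Success and Failure
Audit Policy Change=Success and Failure
Authentication Policy Change=Success and Failure
Authorization Policy Change=Success and Failure
Filtering Platform Policy Change=Success and Failure
MPSSVC Rule-Level Policy Change=Success and Failure
Non Sensitive Privilege Use=Success and Failure
Sensitive Privilege Use=Failure
Other System Events=Success and Failure
Security State Change=Success and Failure
Security System Extension=Success and Failure
System Integrity=Success and Failure
'@ -split "`r?`n" | Where-Object { $_ } | ForEach-Object {
    $k, $v = $_ -split '=', 2
    @{ Subcategory = $k; Expected = $v }
}

function Get-EffectiveAuditPolicy {
    # auditpol /r emits CSV with the columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $csv   = & auditpol.exe /get /category:* /r | Where-Object { $_.Trim() }
    $table = @{}
    foreach ($row in ($csv | ConvertFrom-Csv)) {
        $table[$row.Subcategory] = $row.'Inclusion Setting'
    }
    return $table
}

function Test-AuditPolicyBaseline {
    $effective = Get-EffectiveAuditPolicy
    foreach ($b in $AuditBaseline) {
        $actual = $effective[$b.Subcategory]
        [pscustomobject]@{
            Subcategory = $b.Subcategory
            Expected    = $b.Expected
            Actual      = $actual
            Compliant   = ($actual -eq $b.Expected)
        }
    }
}

function Test-EventLogBaseline {
    $expectedBytes = 100032 * 1024   # "100032 kilobytes" in the Event Log table
    foreach ($log in Get-WinEvent -ListLog Application, Security, System) {
        [pscustomobject]@{
            Log       = $log.LogName
            MaxSizeKB = $log.MaximumSizeInBytes / 1024
            LogMode   = $log.LogMode         # Circular = overwrite events as needed
            Compliant = ($log.MaximumSizeInBytes -ge $expectedBytes -and $log.LogMode -eq 'Circular')
        }
    }
}

Test-AuditPolicyBaseline | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
Test-EventLogBaseline | Format-Table -AutoSize
```

Subcategories with Actual empty are ones auditpol did not list under that name; on a non-English server that is the localization caveat from the lead-in, not a missing policy. The "Audit: Force audit policy subcategory settings" option from the Security Options section must be Enabled for these subcategory settings to take precedence over the legacy category settings.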
Section Administrative Templates
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections
Policy | Setting |
Automatic reconnection | Disabled |
Configure keep-alive connection interval | Enabled; Keep-Alive interval: 1 |
Set rules for remote control of Remote Desktop Services user sessions | Enabled; Options: Full Control without user's permission |
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection
Policy | Setting |
Do not allow COM port redirection | Enabled |
Do not allow LPT port redirection | Enabled |
Do not allow supported Plug and Play device redirection | Enabled |
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Remote Session Environment
Policy | Setting |
Remove "Disconnect" option from Shut Down dialog | Enabled |
Remove Windows Security item from Start menu | Enabled |
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security
Policy | Setting |
Require secure RPC communication | Enabled |
Set client connection encryption level | Enabled; Encryption Level: High Level |
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Session Time Limits
Policy | Setting |
End session when time limits are reached | Enabled |
Set time limit for disconnected sessions | Enabled; End a disconnected session: 1 minute |
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Temporary folders
Policy | Setting |
Do not delete temp folders upon exit | Disabled |
Do not use temporary folders per session | Disabled |
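Group Policy writes the Remote Desktop Session Host settings above as values under the Policies hive, which makes them easy to verify on the gateway after the GPO has applied. The script below is an added example (not part of the Indeed PAM documentation) covering the Connections, Device and Resource Redirection, Security, Session Time Limits and Temporary folders tables; it assumes the GPO has already been applied (gpupdate /force, or check with gpresult /h report.html), and it reports a missing value as non-compliant. The two Remote Session Environment items are not included.

```powershell
# Added example, not part of the Indeed PAM documentation: verify the Remote
# Desktop Session Host policies above through the registry values that Group
# Policy writes under the Policies hive. These values exist only after the GPO
# has applied (gpupdate /force, or check with gpresult /h report.html); a
# missing value is reported as non-compliant. The two Remote Session
# Environment items (Start menu and Shut Down dialog) are not included.

$rds = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$RdsBaseline = @(
    @{ Policy = 'Automatic reconnection (Disabled)';                        Name = 'fDisableAutoReconnect'; Expected = 1 }
    @{ Policy = 'Configure keep-alive connection interval (Enabled)';       Name = 'KeepAliveEnable';       Expected = 1 }
    @{ Policy = 'Keep-Alive interval: 1';                                   Name = 'KeepAliveInterval';     Expected = 1 }
    @{ Policy = 'Remote control: Full Control without user''s permission';  Name = 'Shadow';                Expected = 2 }
    @{ Policy = 'Do not allow COM port redirection';                        Name = 'fDisableCcm';           Expected = 1 }
    @{ Policy = 'Do not allow LPT port redirection';                        Name = 'fDisableLPT';           Expected = 1 }
    @{ Policy = 'Do not allow supported Plug and Play device redirection';  Name = 'fDisablePNPRedir';      Expected = 1 }
    @{ Policy = 'Require secure RPC communication';                         Name = 'fEncryptRPCTraffic';    Expected = 1 }
    @{ Policy = 'Set client connection encryption level: High Level';       Name = 'MinEncryptionLevel';    Expected = 3 }
    @{ Policy = 'End session when time limits are reached';                 Name = 'fResetBroken';          Expected = 1 }
    @{ Policy = 'Set time limit for disconnected sessions: 1 minute';       Name = 'MaxDisconnectionTime';  Expected = 60000 }  # stored in milliseconds
    @{ Policy = 'Do not delete temp folders upon exit (Disabled)';          Name = 'DeleteTempDirsOnExit';  Expected = 1 }
    @{ Policy = 'Do not use temporary folders per session (Disabled)';      Name = 'PerSessionTempDir';     Expected = 1 }
)

function Test-RdsBaseline {
    # One read of the key; a missing key or value surfaces as $null below.
    $props = Get-ItemProperty -Path $rds -ErrorAction SilentlyContinue
    foreach ($b in $RdsBaseline) {
        $actual = if ($null -ne $props) { $props.($b.Name) } else { $null }
        [pscustomobject]@{
            Policy    = $b.Policy
            Value     = $b.Name
            Expected  = $b.Expected
            Actual    = $actual
            Compliant = ($null -ne $actual -and $actual -eq $b.Expected)
        }
    }
}

Test-RdsBaseline | Format-Table -AutoSize
```

The redirection and encryption rows are the ones with the most security weight on a PAM gateway: COM, LPT and Plug and Play redirection give a session a path to move data through the jump host, and the High encryption level with secure RPC keeps the session transport from negotiating down.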