Набор стандартных групповых политик домена Active Directory, рекомендуемых к применению на сервер, выполняющий роль Indeed PAM Gateway, для обеспечения безопасности.
Раздел Computer Configuration -> Policies -> Windows Settings -> Security Settings
(Конфигурация компьютера -> Политики -> Конфигурация Windows -> Параметры безопасности)
Local Policies/User Rights Assignment
(Локальные политики/Назначение прав пользователя)
Policy | Setting |
Access Credential Manager as a trusted caller | |
Act as part of the operating system | |
Adjust memory quotas for a process (Настройка квот памяти для процесса) | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators |
Allow log on locally | BUILTIN\Administrators |
Allow log on through Remote Desktop Services | BUILTIN\Administrators, группа пользователей PAM |
Back up files and directories | BUILTIN\Administrators |
Bypass traverse checking (Обход перекрестной проверки) | BUILTIN\Administrators, NT AUTHORITY\Authenticated Users, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE |
Change the system time (Изменение системного времени) | BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE |
Change the time zone (Изменение часового пояса) | BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE |
Create a token object (Создание маркерного объекта) | |
Create global objects (Создание глобальных объектов) | BUILTIN\Administrators, NT AUTHORITY\SERVICE |
Create permanent shared objects (Создание постоянных общих объектов) | |
Create symbolic links (Создание символических ссылок) | BUILTIN\Administrators |
Debug programs (Отладка программ) | BUILTIN\Administrators |
Deny access to this computer from the network (Отказать в доступе к этому компьютеру из сети) | BUILTIN\Guests |
Deny log on as a batch job (Отказать во входе в качестве пакетного задания) | BUILTIN\Guests |
Deny log on as a service (Отказать во входе в качестве службы) | BUILTIN\Guests |
Deny log on locally (Запретить локальный вход) | BUILTIN\Guests |
Deny log on through Terminal Services (Запретить вход в систему через службы удаленных рабочих столов) | BUILTIN\Guests |
Enable computer and user accounts to be trusted for delegation (Разрешение доверия к учетным записям компьютеров и пользователей при делегировании) | BUILTIN\Administrators |
Force shutdown from a remote system (Принудительное удаленное завершение работы) | BUILTIN\Administrators |
Generate security audits (Создание аудитов безопасности) | NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE |
Impersonate a client after authentication (Имитация клиента после проверки подлинности) | BUILTIN\Administrators, NT AUTHORITY\SERVICE |
Increase scheduling priority (Увеличение приоритета выполнения) | BUILTIN\Administrators |
Load and unload device drivers (Загрузка и выгрузка драйверов устройств) | BUILTIN\Administrators |
Lock pages in memory (Блокировка страниц в памяти) | |
Log on as a batch job (Вход в качестве пакетного задания) | BUILTIN\Administrators |
Manage auditing and security log (Управлять аудитом и журналом безопасности) | BUILTIN\Administrators |
Modify an object label (Изменение метки объекта) | |
Modify firmware environment values (Изменение параметров среды изготовителя) | BUILTIN\Administrators |
Perform volume maintenance tasks (Выполнение задач по обслуживанию томов) | BUILTIN\Administrators |
Profile single process (Профилирование одного процесса) | BUILTIN\Administrators |
Profile system performance (Профилирование производительности системы) | BUILTIN\Administrators |
Replace a process level token (Замена маркеров уровня процесса) | NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE |
Restore files and directories (Восстановление файлов и каталогов) | BUILTIN\Administrators |
Shut down the system (Завершение работы системы) | BUILTIN\Administrators |
Take ownership of files or other objects (Смена владельцев файлов и других объектов) | BUILTIN\Administrators |
Local Policies/Security Options
Accounts
Policy | Setting |
Accounts: Administrator account status | Enabled |
Accounts: Guest account status | Disabled |
Accounts: Limit local account use of blank passwords to console logon only | Enabled |
Audit
Policy | Setting |
Audit: Audit the use of Backup and Restore privilege | Enabled |
Devices
Policy | Setting |
Devices: Allowed to format and eject removable media | Administrators |
Devices: Prevent users from installing printer drivers | Enabled |
Devices: Restrict CD-ROM access to locally logged-on user only | Enabled |
Devices: Restrict floppy access to locally logged-on user only | Enabled |
Interactive Logon
Policy | Setting |
Interactive logon: Do not display last user name | Enabled |
Interactive logon: Do not require CTRL+ALT+DEL | Disabled |
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 0 logons |
Interactive logon: Require Domain Controller authentication to unlock workstation | Enabled |
Microsoft Network Client
Policy | Setting |
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled |
Network Access
Policy | Setting |
Network access: Allow anonymous SID/Name translation | Disabled |
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled |
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled |
Network access: Do not allow storage of passwords and credentials for network authentication | Enabled |
Network access: Let Everyone permissions apply to anonymous users | Disabled |
Network access: Named Pipes that can be accessed anonymously | |
Network access: Remotely accessible registry paths | |
Network access: Remotely accessible registry paths and sub-paths | |
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled |
Network access: Shares that can be accessed anonymously | |
Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves |
Network Security
| Policy | Setting |
| Network security: Do not store LAN Manager hash value on next password change | Enabled |
| Network security: Force logoff when logon hours expire | Enabled |
| Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Enabled |
| Require NTLMv2 session security | Enabled |
| Require 128-bit encryption | Enabled |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Enabled |
| Require NTLMv2 session security | Enabled |
| Require 128-bit encryption | Enabled |
Shutdown
Policy | Setting |
Shutdown: Allow system to be shut down without having to log on | Disabled |
Shutdown: Clear virtual memory pagefile | Enabled |
System Settings
Policy | Setting |
System settings: Optional subsystems | |
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Enabled |
User Account Control
Policy | Setting |
User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled |
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled |
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent for non-Windows binaries |
User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials on the secure desktop |
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
User Account Control: Run all administrators in Admin Approval Mode | Enabled |
User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
Other
Policy | Setting |
Accounts: Block Microsoft accounts | Users can't add Microsoft accounts |
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled |
Domain member: Disable machine account password changes | Disabled |
Domain member: Maximum machine account password age | 30 days |
Domain member: Require strong (Windows 2000 or later) session key | Enabled |
Interactive logon: Display user information when the session is locked | User display name only |
Interactive logon: Machine account lockout threshold | 5 invalid logon attempts |
Microsoft network server: Amount of idle time required before suspending session | 15 minutes |
Microsoft network server: Attempt S4U2Self to obtain claim information | Disabled |
Microsoft network server: Disconnect clients when logon hours expire | Enabled |
Microsoft network server: Server SPN target name validation level | Off |
Recovery console: Allow automatic administrative logon | Disabled |
Recovery console: Allow floppy copy and access to all drives and all folders | Disabled |
Event Log
Policy | Setting |
Maximum application log size | 100032 kilobytes |
Maximum security log size | 100032 kilobytes |
Maximum system log size | 100032 kilobytes |
Prevent local guests group from accessing application log | Enabled |
Prevent local guests group from accessing security log | Enabled |
Prevent local guests group from accessing system log | Enabled |
Retention method for application log | As needed |
Retention method for security log | As needed |
Retention method for system log | As needed |
System Services
Service Name (Startup mode) | Permissions | Auditing |
Routing and Remote Access (Startup Mode: Disabled) | No permissions specified | No auditing specified |
| Special Administration Console Helper (Startup Mode: Disabled) | No permissions specified | No auditing specified |
| SNMP Trap (Startup Mode: Disabled) | No permissions specified | No auditing specified |
| Telephony (Startup Mode: Disabled) | No permissions specified | No auditing specified |
Windows Error Reporting Service (Startup Mode: Disabled) | No permissions specified | No auditing specified |
| WinHTTP Web Proxy Auto-Discovery Service (Startup Mode: Disabled) | No permissions specified | No auditing specified |
File System
%SystemRoot%\System32\config
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files | |||
Permissions | |||
Type | Name | Permission | Apply To |
Allow | APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES | Read and Execute | This folder, subfolders and files |
Allow | CREATOR OWNER | Full Control | Subfolders and files only |
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files |
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files |
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled | ||
Auditing | |||
Type | Name | Access | Apply To |
Failure | Everyone | Traverse Folder/Execute File, List folder / Read data, Read attributes, Read extended attributes | This folder, subfolders and files |
All | Everyone | Write | This folder, subfolders and files |
All | Everyone | Delete subfolders and files, Delete, Change permissions, Take ownership | This folder, subfolders and files |
Allow inheritable auditing entries from the parent to propagate to this object and all child objects | Enabled | ||
%SystemRoot%\System32\config\RegBack
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files | |||
Permissions | |||
Type | Name | Permission | Apply To |
Allow | APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES | Read and Execute | This folder, subfolders and files |
Allow | CREATOR OWNER | Full Control | Subfolders and files only |
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files |
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files |
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled | ||
Auditing | |||
Type | Name | Access | Apply To |
Failure | Everyone | Traverse Folder/Execute File, List folder / Read data, Read attributes, Read extended attributes | This folder, subfolders and files |
All | Everyone | Write | This folder, subfolders and files |
All | Everyone | Delete subfolders and files, Delete, Change permissions, Take ownership | This folder, subfolders and files |
Allow inheritable auditing entries from the parent to propagate to this object and all child objects | Enabled | ||
Registry
MACHINE\SOFTWARE
Configure this key then: Propagate inheritable permissions to all subkeys | |||
Permissions | |||
Type | Name | Permission | Apply To |
Allow | BUILTIN\Administrators | Full control | This key and subkeys |
Allow | CREATOR OWNER | Full control | Subkeys only |
Allow | NT AUTHORITY\SYSTEM | Full control | This key and subkeys |
Allow | BUILTIN\Users | Read | This key and subkeys |
Allow | APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES | Read | This key and subkeys |
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled | ||
Auditing | |||
Type | Name | Access | Apply To |
All | Everyone | Create Subkey, Create Link, Delete, Read permissions, Change permissions | This key and subkeys |
Success | Everyone | Set Value | This key and subkeys |
Allow inheritable auditing entries from the parent to propagate to this object and all child objects | Enabled | ||
MACHINE\SYSTEM
Configure this key then: Propagate inheritable permissions to all subkeys | |||
Permissions | |||
Type | Name | Permission | Apply To |
Allow | BUILTIN\Administrators | Full control | This key and subkeys |
Allow | CREATOR OWNER | Full control | Subkeys only |
Allow | NT AUTHORITY\SYSTEM | Full control | This key and subkeys |
Allow | BUILTIN\Users | Read | This key and subkeys |
Allow | APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES | Read | This key and subkeys |
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled | ||
Auditing | |||
Type | Name | Access | Apply To |
All | Everyone | Create Subkey, Create Link, Delete, Read permissions, Change permissions | This key and subkeys |
Success | Everyone | Set Value | This key and subkeys |
Allow inheritable auditing entries from the parent to propagate to this object and all child objects | Enabled | ||
MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
Configure this key then: Propagate inheritable permissions to all subkeys | |||
Permissions | |||
Type | Name | Permission | Apply To |
Allow | BUILTIN\Administrators | Full control | This key and subkeys |
Allow | CREATOR OWNER | Full control | Subkeys only |
Allow | NT AUTHORITY\SYSTEM | Full control | This key and subkeys |
Allow | BUILTIN\Users | Read | This key and subkeys |
Allow | APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES | Read | This key and subkeys |
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled | ||
Auditing | |||
No auditing specified | |||
Advanced Audit Configuration
Account Logon
Policy | Setting |
Audit Credential Validation | Success, Failure |
Audit Other Account Logon Events | Success, Failure |
Account Management
Policy | Setting |
Audit Application Group Management | Success, Failure |
Audit Computer Account Management | Success, Failure |
Audit Distribution Group Management | Success, Failure |
Audit Other Account Management Events | Success, Failure |
Audit Security Group Management | Success, Failure |
Audit User Account Management | Success, Failure |
Logon/Logoff
Policy | Setting |
Audit Account Lockout | Success, Failure |
Audit Logoff | Success, Failure |
Audit Logon | Success, Failure |
Audit Network Policy Server | Success, Failure |
Audit Other Logon/Logoff Events | Success, Failure |
Audit Special Logon | Success, Failure |
Object Access
Policy | Setting |
Audit Application Generated | Success, Failure |
Audit Certification Services | Success, Failure |
Audit Detailed File Share | Failure |
Audit File Share | Success, Failure |
Audit File System | Success, Failure |
Audit Kernel Object | Success, Failure |
Audit Registry | Success, Failure |
Audit Removable Storage | Success |
Audit SAM | Success, Failure |
Policy Change
Policy | Setting |
Audit Audit Policy Change | Success, Failure |
Audit Authentication Policy Change | Success, Failure |
Audit Authorization Policy Change | Success, Failure |
Audit Filtering Platform Policy Change | Success, Failure |
Audit MPSSVC Rule-Level Policy Change | Success, Failure |
Privilege Use
Policy | Setting |
Audit Non Sensitive Privilege Use | Success, Failure |
Audit Sensitive Privilege Use | Failure |
System
Policy | Setting |
Audit Other System Events | Success, Failure |
Audit Security State Change | Success, Failure |
Audit Security System Extension | Success, Failure |
Audit System Integrity | Success, Failure |
Раздел Administrative Templates
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections
Policy | Setting |
Automatic reconnection | Disabled |
Configure keep-alive connection interval | Enabled Keep-Alive interval: 1 |
Set rules for remote control of Remote Desktop Services user sessions | Enabled Options: Full Control without user's permission |
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection
Policy | Setting |
Do not allow COM port redirection | Enabled |
Do not allow LPT port redirection | Enabled |
Do not allow supported Plug and Play device redirection | Enabled |
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Remote Session Environment
Policy | Setting |
Remove "Disconnect" option from Shut Down dialog | Enabled |
Remove Windows Security item from Start menu | Enabled |
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security
Policy | Setting |
Require secure RPC communication | Enabled |
Set client connection encryption level | Enabled Encryption Level: High Level |
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Session Time Limits
Policy | Setting |
End session when time limits are reached | Enabled |
Set time limit for disconnected sessions | Enabled End a disconnected session: 1 minute |
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Temporary folders
Policy | Setting |
Do not delete temp folders upon exit | Disabled |
Do not use temporary folders per session | Disabled |
