Tsig windows

The AD domain controller automatically creates a Kerberos account for this user with an accompanying keytab. Note the following:

You can generate and export the keytab file for the Kerberos account by using the Ktpass tool. The version of the Ktpass tool that you use must match the Windows version of the domain controller. You enter different commands for generating and exporting the keytab file, depending on whether you are generating the keytab file from a server running Microsoft Windows , Windows Server , Windows Server , or Windows Server R2.

COM -mapuser ns1 corpxyz.

To export the keytab file using a Microsoft Windows Resource Kit: This must be des-cbc-md5. Include this if you did not enable DES encryption for the account.

A Windows Server or Windows Server R2 domain controller allows you to generate a keytab file with multiple keys for one principal. To generate the keytab file using the Ktpass tool:

COM -mapuser ns1 corpxyz.

After you execute the command to generate the keytab file, the AD domain controller displays a series of messages similar to the following to confirm that it successfully generated the keytab file:

Targeting domain controller: qacert.

The keytab file contains highly sensitive data for the NIOS appliance account. Ensure that you store and transport its contents securely.

To import the keytab file: If a principal name and version number are listed, there is a keytab file loaded on the appliance. Compare this information with that for the NIOS appliance account on the Kerberos server to make sure that they match.

If there is no keytab file on the NIOS appliance or if the loaded keytab file does not match that on the Kerberos server, you must load the correct keytab file.

Such rights would allow the account to bypass or modify required security restrictions on that machine and

[High] The default autorun behavior must be configured to prevent autorun commands. Allowing autorun commands to execute may introduce malicious code to a system. Configuring this setting prevents autorun commands from executing.

Attackers are constantly looking for vulnerabilities in systems and applications. Data Execution Prevention (DEP) prevents harmful code from running in protected memory locations reserved for

Standard user accounts must not be granted elevated privileges. Enabling Windows Installer to elevate privileges when installing applications can allow malicious persons and applications to gain

[High] Administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. Using applications that access the Internet or have potential Internet sources using administrative privileges exposes a system to compromise. If a flaw in an application is exploited while

[High] The Debug programs user right must only be assigned to the Administrators group. Inappropriate granting of user rights can provide system, administrative, and other high-level capabilities. Accounts with the "Debug Programs" user right can attach a debugger to any process or

[High] The Create a token object user right must not be assigned to any groups or accounts. The "Create a token object" user right allows a process to create an access token

[High] Autoplay must be turned off for non-volume devices. Allowing autoplay to execute may introduce malicious code to a system. Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs or

[High] Reversible password encryption must be disabled. Storing passwords using reversible encryption is essentially the same as storing clear-text versions of the passwords. For this reason, this policy must never be enabled.

Basic authentication uses plain-text passwords that could be used to compromise a system.

[High] The Act as part of the operating system user right must not be assigned to any groups or accounts. Accounts with the "Act as part of the operating system" user right can assume the

[High] Credential Guard must be running on Windows 10 domain-joined systems. Credential Guard uses virtualization-based security to protect information that could be used in credential theft attacks if compromised. This authentication information, which was stored in the

Only authorized users must be able to perform such translations.

Anonymous enumeration of SAM accounts allows anonymous logon users (null session connections) to list all account names, thus providing a list of potential points to attack the system.

[High] Autoplay must be disabled for all drives.

[Medium] Alternate operating systems must not be permitted on the same system. Allowing other operating systems to run on a secure system may allow security to be circumvented.

[Medium] Enhanced anti-spoofing for facial recognition must be enabled on Window Enhanced anti-spoofing provides additional protections when using facial recognition with devices that support it.

Windows Defender SmartScreen helps protect systems from programs downloaded from the internet that may be malicious. Enabling Windows Defender SmartScreen will warn or prevent users from running

Data Execution Prevention (DEP) provides additional protection by performing checks on memory to help prevent malicious code from running. This setting will prevent Data Execution Prevention

[Medium] Windows Telemetry must not be configured to Full. Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Limiting this capability will prevent potentially sensitive information

[Medium] If Enhanced diagnostic data is enabled, it must be limited to the minimum required to support Windows Analytics.

[Medium] Windows 10 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where HBSS is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by a Computer Network Defense Service Provider (CNDSP). An approved tool for continuous network scanning must be installed and configured to run.

[Medium] Windows 10 information systems must use BitLocker to encrypt all disks to protect the confidentiality and integrity of all information at rest. If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly,

[Medium] The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized software decreases risk by limiting the number of

Restricting remote RPC connections to the SAM to Administrators helps protect those credentials.

[Medium] The system must be configured to prevent anonymous users from having the same rights as the Everyone group. Access by anonymous users must be restricted. If this setting is enabled, then anonymous users have the same rights and permissions as the built-in Everyone group. Anonymous users must not have

Certain encryption types are no longer considered secure. This setting configures a minimum encryption type for Kerberos, preventing the use of the DES and RC4 encryption suites.

PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. Authentication will be centrally managed with Windows user

NTLM sessions that are allowed to fall back to Null (unauthenticated) sessions may gain unauthorized access.

This setting controls the signing requirements for LDAP clients. This setting must be set to Negotiate signing or Require signing, depending on the environment and type of LDAP server in use.

[Medium] The password history must be configured to 24 passwords remembered. A system is more vulnerable to unauthorized access when system users recycle the same password several times without being required to change a password to a unique password on a regularly

Inadequate log size will cause the log to fill up quickly. This may prevent audit events from being recorded properly and require frequent attention by administrative personnel. Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks.

Some protocols and services do not support required security features, such as encrypting passwords or traffic.

[Medium] Users must be prompted for a password on resume from sleep on battery. Authentication must always be required when accessing a system. This setting ensures the user is prompted for a password on resume from sleep on battery.

[Medium] Local users on domain-joined computers must not be enumerated. The username is one part of logon credentials that could be used to gain access to a system. Preventing the enumeration of users limits this information to authorized personnel.

[Medium] The user must be prompted for a password on resume from sleep (plugged in). This setting ensures the user is prompted for a password on resume from sleep (plugged in).

[Medium] Only accounts responsible for the backup operations must be members of the Backup Operators group. Backup Operators are able to read and write to any file in the system, regardless of the rights assigned to it. Backup and restore rights permit users to circumvent the file access restrictions

[Medium] Non-system-created file shares on a system must limit access to groups that require it. Shares which provide network access should not typically exist on a workstation except for system-created administrative shares, and could potentially expose sensitive information. If a share is

[Medium] Permissions for system files and directories must conform to minimum requirements. Changing the system's file and directory permissions allows the possibility of unauthorized and anonymous modification to the operating system and installed applications.

[Medium] Only authorized user accounts must be allowed to create or run virtual machines on Windows 10 systems. Allowing other operating systems to run on a secure system may allow users to circumvent security.

The registry is integral to the function, security, and stability of the Windows system. Changing the system's registry permissions allows the possibility of unauthorized and anonymous

The ECA root certificates will

To ensure users do not experience denial of service when performing certificate-based authentication to DoD websites due to the system chaining to a root other than DoD Root CAs, the DoD

Drive-by DMA attacks can lead to disclosure

The DoD root certificates will ensure that the trust

[Medium] Exploit Protection mitigations in Windows 10 must be configured for wmplayer. Exploit protection in Windows 10 provides a means of enabling additional mitigations against potential threats at the system and application level. Without these additional application

[Medium] Exploit Protection mitigations in Windows 10 must be configured for wordpad.

[Medium] The built-in administrator account must be disabled. The built-in administrator account is a well-known account subject to attack. It also provides no accountability to individual administrators on a system. It must be disabled to prevent its use.

[Medium] The built-in guest account must be disabled. A system faces an increased vulnerability threat if the built-in guest account is not disabled. This account is a known account that exists on all Windows systems and cannot be deleted.

[Medium] The network selection user interface (UI) must not be displayed on the logon screen. Enabling interaction with the network selection UI allows users to change connections to available networks without signing into Windows.

[Medium] The Restore files and directories user right must only be assigned to the Administrators group. Accounts with the "Restore files and directories" user right can circumvent file and

[Medium] The Take ownership of files or other objects user right must only be assigned to the Administrators group. Accounts with the "Take ownership of files or other objects" user right can take

[Medium] The Perform volume maintenance tasks user right must only be assigned to the Administrators group. Accounts with the "Perform volume maintenance tasks" user right can manage volume and

[Medium] The Profile single process user right must only be assigned to the Administrators group. Accounts with the "Profile single process" user right can monitor non-system processes

[Medium] Windows 10 permissions for the Application event log must prevent access by non-privileged accounts.

[Medium] Windows 10 permissions for the Security event log must prevent access by non-privileged accounts.

[Medium] Windows 10 permissions for the System event log must prevent access by non-privileged accounts.

[Medium] File Explorer shell protocol must run in protected mode. The shell protocol will limit the set of folders applications can open when run in protected mode. Restricting the files an application can open to a limited set of folders increases the security

[Medium] The system must be configured to require a strong session key. A computer connecting to a domain controller will establish a secure channel. Requiring strong session keys enforces bit encryption between systems.

Windows PowerShell 5.

Disabling the Windows PowerShell 2.

MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks, as well as not being FIPS

[Medium] A host-based firewall must be installed and enabled on the system. A firewall provides a line of defense against attack, allowing or blocking inbound and outbound connections based on a set of rules.

[Medium] Inbound exceptions to the firewall on Windows 10 domain workstations must only allow authorized remote management hosts. Allowing inbound access to domain workstations from other systems may allow lateral movement across systems if credentials are compromised. Limiting inbound connections only from authorized

[Medium] Outgoing secure channel traffic must be encrypted when possible. Requests sent on the secure channel are authenticated, and sensitive information such as passwords is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure

[Medium] Outgoing secure channel traffic must be encrypted or signed.

[Medium] The Telnet Client must not be installed on the system.

[Medium] Remote Desktop Services must always prompt a client for passwords upon connection. This setting controls the ability of users to supply passwords automatically as part of their remote desktop connection. Disabling this setting would allow anyone to use the stored credentials in

Allowing unsecure RPC communication exposes the system to man-in-the-middle attacks and data disclosure attacks. A man-in-the-middle attack occurs when an intruder captures packets between a

[Medium] Remote Desktop Services must be configured with the client connection encryption set to the required level. Remote connections must be encrypted to prevent interception of data or sensitive information. Selecting "High Level" will ensure encryption of Remote Desktop Services sessions in both directions.

Attachments from RSS feeds may not be secure. This setting will prevent attachments from being downloaded from RSS feeds.

[Medium] Indexing of encrypted files must be turned off. Indexing of encrypted files may expose sensitive data. This setting prevents encrypted files from being indexed.

[Medium] Users must be prevented from changing installation options. Installation options for applications are typically controlled by administrators. This setting prevents users from changing installation options that may bypass security features.

[Medium] Users must be notified if a web-based program attempts to install software. Web-based programs may attempt to install malicious software on a system. Ensuring users are notified if a web-based program attempts to install software allows them to refuse the installation.

[Medium] Automatically signing in the last interactive user after a system-initiated restart must be disabled. Windows can be configured to automatically sign the user back in after a Windows Update restart. Some protections are in place to help ensure this is done in a secure fashion; however, disabling

[Medium] Bluetooth must be turned off unless approved by the organization. If not configured properly, Bluetooth may allow rogue devices to communicate with a system. If a rogue device is paired with a system, there is potential for sensitive information to be compromised.

Unencrypted remote access to a system can allow sensitive information to be compromised. Windows remote management connections must be encrypted to prevent this.

[Medium] Windows 10 must cover or disable the built-in or attached camera when not in use. It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often

[Medium] Camera access from the lock screen must be disabled. Enabling camera access from the lock screen could allow for unauthorized use. Requiring logon will ensure the device is only used by authorized personnel.

[Medium] The system must be configured to prevent IP source routing. Configuring the system to disable IP source routing protects against spoofing.

[Medium] IPv6 source routing must be configured to highest protection. Configuring the system to disable IPv6 source routing protects against spoofing.

[Medium] The display of slide shows on the lock screen must be disabled. Slide shows that are displayed on the lock screen could display sensitive information to unauthorized personnel. Turning off this feature will limit access to the information to a logged-on user.

[Medium] Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. A compromised local administrator account can provide means for an attacker to move laterally between domain systems. With User Account Control enabled, filtering the privileged token for

Accounts or groups given rights on a system may show up as unresolved SIDs for various reasons, including deletion of the accounts or groups. If the account or group objects are reanimated, there

The Secondary Logon service provides a means for entering alternate credentials, typically used to run commands with elevated privileges. Using privileged credentials in a standard user session

[Medium] Bluetooth must be turned off when not in use.

[Medium] The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. The "Deny log on as a batch job" right defines accounts that are prevented from

[Medium] The system must notify the user when a Bluetooth device attempts to connect. If a rogue device is paired with a system, there is potential for sensitive information to be compromised

[Medium] Windows 10 account lockout duration must be configured to 15 minutes or greater. The account lockout feature, when enabled, prevents brute-force password attacks on the system. This parameter specifies the amount of time that an account will remain locked after the specified

[Medium] Windows 10 non-persistent VM sessions should not exceed 24 hours. For virtual desktop implementations (VDIs) where the virtual desktop instance is deleted or refreshed upon logoff, the organization should enforce that sessions be terminated within 24 hours.

[Medium] The Create symbolic links user right must only be assigned to the Administrators group. Accounts with the "Create symbolic links" user right can create pointers to other

[Medium] The Back up files and directories user right must only be assigned to the Administrators group. Accounts with the "Back up files and directories" user right can circumvent file and

Accounts with the "Change the system time" user right can change the system time,

[Medium] The Create a pagefile user right must only be assigned to the Administrators group. Accounts with the "Create a pagefile" user right can change the size of a pagefile,

[Medium] The password manager function in the Edge browser must be disabled. Passwords saved locally for re-use when browsing may be subject to compromise. Disabling the Edge password manager will prevent this for the browser.

[Medium] Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge. Web security certificates provide an indication whether a site is legitimate.

The Windows Defender SmartScreen filter in Microsoft Edge provides warning messages and blocks potentially malicious websites and file downloads. If users are allowed to ignore warnings from the

[Medium] Windows 10 must be configured to require a minimum PIN length of six characters or greater. Windows allows the use of PINs as well as biometrics for authentication without sending a password to a network or website where it could be compromised. Longer minimum PIN lengths increase the

[Medium] The use of a hardware security device with Windows Hello for Business must be enabled. Keys stored in the TPM may only be used on that system, while keys stored

Windows Game Recording and Broadcasting is intended for use with games; however, it could potentially record screenshots of other applications and expose sensitive data. Disabling the feature

The Windows Defender SmartScreen filter in Microsoft Edge provides warning messages and blocks potentially malicious websites.

Preventing users from sharing the local drives on their client computers to Remote Session Hosts that they access helps reduce possible exposure of sensitive data.

Saving passwords in the Remote Desktop Client could allow an unauthorized user to establish a remote desktop session to another system.

Consult with the SA to determine which Rules meet the intent of the server-to-server authentication. If Rules exist, double-click on each Rule to verify the following: For the "Authentication:" tab, click on the "Customize On the Authentication tab, verify "Authentication mode:" is set to "Request authentication for inbound and outbound connections". Under "Method", ensure the "Advanced:" radio button is selected. Click on the "Customize" button. For "First authentication methods:", double-click on the entry.