Cisco TMS Secure Server Configuration Guide 13.0
Securing Windows Server 2003 tasks

Table 8 Recommended security options

| Policy | Security Setting |
|---|---|
| Accounts: Administrator account status | Enabled |
| Accounts: Guest account status | Disabled |
| Accounts: Limit local account use of blank passwords to console logon only | Enabled |
| Accounts: Rename administrator account | (Rename to a unique name and delete description) |
| Accounts: Rename guest account | (Rename to a unique name) |
| Audit: Audit the access of global system objects | Disabled |
| Audit: Audit the use of Backup and Restore privilege | Disabled |
| Audit: Shut down system immediately if unable to log security audits | Enabled. Note: This setting creates some overhead. |
| DCOM: Machine Access Restrictions in Security Descriptor Definition Language | Not Defined |
| DCOM: Machine Launch Restrictions in Security Descriptor Definition Language | Not Defined |
| Devices: Allow undock without having to log on | Disabled |
| Devices: Allowed to format and eject removable media | Administrators |
| Devices: Prevent users from installing printer drivers | Enabled |
| Devices: Restrict CD-ROM access to locally logged-on user only | Disabled |
| Devices: Restrict floppy access to locally logged-on user only | Disabled |
| Devices: Unsigned driver installation behavior | Warn but allow installation |
| Domain controller: Allow server operators to schedule tasks | Not defined |
| Domain controller: LDAP server signing requirements | Not defined |
| Domain controller: Refuse machine account password changes | Not defined |
| Domain member: Digitally encrypt or sign secure channel data (always) | Enabled |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled |
| Domain member: Digitally sign secure channel data (when possible) | Enabled |
| Domain member: Disable machine account password changes | Disabled |
| Domain member: Maximum machine account password age | 30 Days |
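
The following is an added example, not part of the Cisco guide: it checks a security template exported with `secedit /export /cfg` against a subset of the Table 8 rows. The template key names are the standard Windows security-template names and are an assumption not stated in the guide; the sample export is constructed.

```python
# Added example: check a `secedit /export /cfg` template against part of Table 8.
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
NETLOGON = r"MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters"

# Table 8 policy -> (INF section, key, expected value). "4,n" means REG_DWORD n.
BASELINE = {
    "Accounts: Administrator account status": ("System Access", "EnableAdminAccount", "1"),
    "Accounts: Guest account status": ("System Access", "EnableGuestAccount", "0"),
    "Accounts: Limit local account use of blank passwords to console logon only":
        ("Registry Values", LSA + r"\LimitBlankPasswordUse", "4,1"),
    "Audit: Shut down system immediately if unable to log security audits":
        ("Registry Values", LSA + r"\CrashOnAuditFail", "4,1"),
    "Domain member: Digitally encrypt or sign secure channel data (always)":
        ("Registry Values", NETLOGON + r"\RequireSignOrSeal", "4,1"),
    "Domain member: Disable machine account password changes":
        ("Registry Values", NETLOGON + r"\DisablePasswordChange", "4,0"),
    "Domain member: Maximum machine account password age":
        ("Registry Values", NETLOGON + r"\MaximumPasswordAge", "4,30"),
}

def parse_inf(text):
    """Return {section: {key: value}} with lower-cased section and key names."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections

def audit(text):
    """List (policy, expected, found) for each deviation; found is None if absent."""
    cfg = parse_inf(text)
    return [(policy, want, cfg.get(sec.lower(), {}).get(key.lower()))
            for policy, (sec, key, want) in BASELINE.items()
            if cfg.get(sec.lower(), {}).get(key.lower()) != want]

# Constructed sample export (a real file is normally UTF-16; open with encoding="utf-16").
SAMPLE = r"""
[System Access]
EnableAdminAccount = 1
EnableGuestAccount = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
"""

if __name__ == "__main__":
    for policy, want, found in audit(SAMPLE):
        print(f"DEVIATION  {policy}: expected {want}, found {found}")
```

Rows the table leaves as "Not Defined" are not checked, and a key missing from the export is reported with a found value of None.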