SBM powered by Microsoft Lync Administrator's Guide 2010-11

HP SBM Security Hardening
Security Hardening at the SBM Factory Default Settings
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD
Policy setting: Devices: Allowed to format and eject removable media
Administrators and Interactive Users (only Administrators for the SBM)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies
Policy setting: Devices: Restrict floppy access to locally logged-on user only
Disabled

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
Policy setting: Interactive logon: Number of previous logons to cache (in case domain controller is not available)
2

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning
Policy setting: Interactive logon: Prompt user to change password before expiration
14 days

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption
Policy setting: Interactive logon: Smart card removal behavior
Lock Workstation

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName
Policy setting: Interactive logon: Do not display last user name
Enabled

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes
Policy setting: Network Security: Configure encryption types allowed for Kerberos
Enabled: RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future Encryption Types

HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
Policy setting: Network security: LAN Manager authentication level
Send NTLMv2 Response only. Refuse LM and NTLM

set as part of local security policy;
HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback
Policy setting: Network security: Allow LocalSystem NULL session fallback
Disabled