SBM powered by Microsoft Lync Administrator's Guide 2010-11

HP SBM Security Hardening
USGCB Recommendations That Must Not Be Implemented
policies for the settings shown in the table, and disable those policies for the
SBM.
The first column generally lists the registry path for the setting. A few settings
are not registry settings, so the first column lists other identifying information.
Table B-3. Settings that Must Not be Implemented
| Setting’s Registry Path or Policy Path | Windows 7 USGCB Recommended Setting |
|---|---|
| Services | Disable SQL Browser |
| Services | Disable SQL Writer |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableLocalMachineRunOnce | Enabled |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoAutorun | Enabled: Do not execute any autorun commands |
| HKLM\Software\Policies\Microsoft\Windows NT\Rpc!EnableAuthEpResolution | 1 |
| HKLM\Software\Policies\Microsoft\Windows NT\Rpc!RestrictRemoteClients | 1 |
| HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!AllowRemoteRPC | 0 |
| HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile!DisableUnicastResponsesToMulticastBroadcast; set in HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile!DisableUnicastResponsesToMulticastBroadcast | 0 |
| Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | Accounts: Administrator account status = Disabled |
| Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | Access this computer from the network = Administrators, Backup Operators |
| Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | Impersonate a client after authentication = Administrators, SERVICE, Local Service, and Network Service |
| Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | Replace a process level token = Network Service, Local Service |
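
The following read-only audit script is an added example, not part of the HP guide. It reports whether the registry and service rows of Table B-3 currently hold the USGCB value that must not be applied on the SBM. It assumes that policies shown as "Enabled" are stored as DWORD 1 and that the SQL services use the names SQLBrowser and SQLWriter; the Security Options and User Rights Assignment rows are not covered.

```powershell
# Added example (read-only): flag Table B-3 settings that are currently at the
# USGCB value that must not be applied on the SBM.
# Assumptions: "Enabled" policies are stored as DWORD 1; the SQL services use
# the short names SQLBrowser and SQLWriter.
$pol = 'HKLM:\Software\Policies\Microsoft'
$explorer = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$fwPolicy = 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy'
$mcast = 'DisableUnicastResponsesToMulticastBroadcast'
$registryChecks = @(
    @{ Path = $explorer; Name = 'DisableLocalMachineRunOnce'; Usgcb = 1 },
    @{ Path = $explorer; Name = 'NoAutorun'; Usgcb = 1 },
    @{ Path = "$pol\Windows NT\Rpc"; Name = 'EnableAuthEpResolution'; Usgcb = 1 },
    @{ Path = "$pol\Windows NT\Rpc"; Name = 'RestrictRemoteClients'; Usgcb = 1 },
    @{ Path = "$pol\Windows\DeviceInstall\Settings"; Name = 'AllowRemoteRPC'; Usgcb = 0 },
    @{ Path = "$pol\WindowsFirewall\DomainProfile"; Name = $mcast; Usgcb = 0 },
    @{ Path = "$fwPolicy\DomainProfile"; Name = $mcast; Usgcb = 0 }
)

function Get-UsgcbConflict {
    param([object[]]$Checks, [string[]]$Services)
    foreach ($c in $Checks) {
        # A missing key or value means the policy is not configured.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $current = $null
        if ($null -ne $item) { $current = $item.($c.Name) }
        New-Object PSObject -Property @{
            Setting  = "$($c.Path)!$($c.Name)"
            Current  = $(if ($null -eq $current) { '(not set)' } else { $current })
            Conflict = ($null -ne $current -and $current -eq $c.Usgcb)
        }
    }
    foreach ($name in $Services) {
        # USGCB disables these services; the table says that must not happen.
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        New-Object PSObject -Property @{
            Setting  = "Service $name"
            Current  = $(if ($svc) { $svc.StartMode } else { '(not installed)' })
            Conflict = ($null -ne $svc -and $svc.StartMode -eq 'Disabled')
        }
    }
}

Get-UsgcbConflict -Checks $registryChecks -Services 'SQLBrowser', 'SQLWriter' |
    Select-Object Setting, Current, Conflict |
    Format-Table -AutoSize -Wrap
```

Any row reported with Conflict = True is a setting from the table that is in effect and should be reviewed against the guidance above.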