SBM powered by Microsoft Lync™ Administrator's Guide 2011-11
B-12
HP SBM Security Hardening
USGCB Recommendations That Must Not Be Implemented
In addition, there are several settings recommended by USGCB that you must
not implement because they will interfere with the installation process or
cause the module to malfunction.
Table B-3 displays the recommended settings that must not be implemented.
The correct setting is configured by default unless a domain policy changes it
when the SBM joins the domain. Therefore, you should check your domain
policies for the settings shown in the table, and disable those policies for the
SBM.
The first column generally lists the registry path for the setting. A few settings
are not registry settings, so the first column lists other identifying information.
Table B-3. Settings that Must Not be Implemented
Setting’s Registry Path or Policy Path | Windows 7 USGCB Recommended Setting
Services | Disable SQL Browser
Services | Disable SQL Writer
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableLocalMachineRunOnce | Enabled
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoAutorun | Enabled: Do not execute any autorun commands
HKLM\Software\Policies\Microsoft\Windows NT\Rpc!EnableAuthEpResolution | 1
HKLM\Software\Policies\Microsoft\Windows NT\Rpc!RestrictRemoteClients | 1
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!AllowRemoteRPC | 0
HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile!DisableUnicastResponsesToMulticastBroadcast; set in HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile!DisableUnicastResponsesToMulticastBroadcast | 0
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options | Accounts: Administrator account status = Disabled
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment | Access this computer from the network = Administrators, Backup Operators
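
One way to check whether a domain policy has pushed any of these values onto the SBM is to read the registry locations from Table B-3 directly. The script below is an added example, not part of the HP guide; it covers only the rows for which the table gives a numeric registry value, and it treats a missing key or value as "not configured" (an assumption about how an unset policy appears in the registry). The variable names and the exit code convention are illustrative.

```powershell
# Added example (not from the HP guide): report Table B-3 registry values
# that are currently set to the USGCB value the SBM must NOT use.
# Written to run on Windows PowerShell 2.0, the version shipped with Windows 7.

# Paths, value names and USGCB values are copied from Table B-3.
$mustNotBeSet = @(
    @{ Key = 'HKLM:\Software\Policies\Microsoft\Windows NT\Rpc';
       Name = 'EnableAuthEpResolution'; Usgcb = 1 },
    @{ Key = 'HKLM:\Software\Policies\Microsoft\Windows NT\Rpc';
       Name = 'RestrictRemoteClients'; Usgcb = 1 },
    @{ Key = 'HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Settings';
       Name = 'AllowRemoteRPC'; Usgcb = 0 },
    @{ Key = 'HKLM:\Software\Policies\Microsoft\WindowsFirewall\DomainProfile';
       Name = 'DisableUnicastResponsesToMulticastBroadcast'; Usgcb = 0 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile';
       Name = 'DisableUnicastResponsesToMulticastBroadcast'; Usgcb = 0 }
)

$findings = foreach ($s in $mustNotBeSet) {
    # Returns nothing (no error shown) when the key or the value is absent.
    $item = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        $actual = $null
        $state  = 'Not configured'
    } else {
        $actual = $item.($s.Name)
        $state  = if ($actual -eq $s.Usgcb) { 'USGCB value applied' }
                  else { 'Configured, other value' }
    }

    New-Object PSObject -Property @{
        Key = $s.Key; Name = $s.Name; Actual = $actual; State = $state
    }
}

$findings | Select-Object State, Name, Actual, Key | Format-Table -AutoSize -Wrap

# A non-zero exit code lets a scheduled task or monitoring job flag the host.
$applied = @($findings | Where-Object { $_.State -eq 'USGCB value applied' })
if ($applied.Count -gt 0) { exit 1 }
```

Any row reported as "USGCB value applied" points to a domain policy that should be disabled for the SBM; running gpresult on the SBM shows which Group Policy objects are being applied.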