USGCB CCE-8513-4, CCE-8560-5, CCE-8562-1, CCE-8591-0, CCE-8654-6
Setting: MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Value: Disabled
Rationale: To minimize the risk of an attacker altering the computer's routing table by sending it spoofed ICMP redirect messages.
Impact: ICMP redirects will not override OSPF-generated routes. This should have little impact, since the computer is not supposed to be providing Routing and Remote Access services.
Controls (NIST SP 800-53): AC-3, CM-6, CM-7, SC-5
Registry: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect (REG_DWORD = 0)
Note: This can cause problems on machines running RAS, but most hosts should not see any issues. An ICMP redirect can be injected anywhere a packet passes through a server, but the stack only honours redirects that appear to come from the first-hop router; since an attacker on the same segment can spoof the gateway's address, that check alone is not enough, which is why the setting turns redirects off outright.
Setting: MSS: (Hidden) Hide computer from the browse list (not recommended except for highly secure environments)
Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Value: Enabled
Rationale: To make it harder for a malicious user to enumerate information about the computer over the network.
Impact: The computer will not appear on the browse list or in the Network Neighborhood of other computers on the network.
Controls (NIST SP 800-53): AC-4, SC-5
Registry: HKLM\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden (REG_DWORD = 1)
Note: When you open Network Neighborhood (Network on Windows 7), computers configured this way no longer appear there. Browsing is convenient but not necessary, and it gives users an easy way to look for resources they shouldn't be accessing. Bear in mind that this only stops the host announcing itself to the browser service; its shares are still reachable by UNC path or IP address, so it reduces casual discovery rather than access.
Setting: MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Value: Enabled
Rationale: To minimize the risk of spoofing attacks against the NetBIOS protocol, where a forged name-release request makes the computer give up its own name.
Impact: Problems may arise if two or more computers on the network share the same NetBIOS name, since the conflict can no longer be resolved by an on-demand release.
Controls (NIST SP 800-53): AC-4, SC-5
Registry: HKLM\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand (REG_DWORD = 1)
Setting: MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Value: 5
Rationale: To lower the risk of an unauthorized user gaining access to another user's logon session.
Impact: Once the screen saver activates, the user has only 5 seconds to move the mouse or press a key before the desktop session is locked. The grace period only matters when the screen saver is configured to require a password on resume; without that, the session never locks.
Controls (NIST SP 800-53): AC-3, AC-11, CM-6, CM-7
Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod (REG_SZ = 5)
Setting: Network access: Do not allow storage of passwords and credentials for network authentication
Path: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Value: Enabled
Rationale: To minimize the risk of malicious software gaining access to credentials cached in Credential Manager.
Impact: Users will always have to enter their username and password when accessing network resources that are not accessible with their domain account.
Controls (NIST SP 800-53): IA-4
Registry: HKLM\System\CurrentControlSet\Control\Lsa\DisableDomainCreds (REG_DWORD = 1)
Note: This is also a good defence against USB-based attack devices if an attacker gains physical access to a company computer. Many prebuilt packages circulating on the net will dump all the stored passwords from browsers, Windows and so on in a few seconds. Note that this setting only covers credentials stored in Windows Credential Manager; browser password stores are not affected by it and need their own controls.
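The five settings above are all backed by a single registry value, so the quickest way to check a host is to read those values directly. The following audit script is an added example, not part of the USGCB baseline or the original text; it assumes an elevated PowerShell session on the target host, takes the expected values and types from the rows above, and the -Remediate switch and function names are this example's own.

```powershell
<#
  Added example (not part of the baseline text): audit, and optionally set, the five
  registry-backed settings listed above. Run from an elevated PowerShell prompt on the
  target host. Expected values and REG_* types follow the baseline rows.
#>
[CmdletBinding()]
param(
    # Assumption of this example: write the expected values where drift is found.
    # On a domain-joined host Group Policy is the source of truth and will re-apply
    # its own values, so fix the GPO there rather than editing the registry locally.
    [switch]$Remediate
)

$Baseline = @(
    @{ Name = 'EnableICMPRedirect';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';        Expected = 0;   Kind = 'DWord'  }
    @{ Name = 'Hidden';                 Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Expected = 1;   Kind = 'DWord'  }
    @{ Name = 'NoNameReleaseOnDemand';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters';        Expected = 1;   Kind = 'DWord'  }
    # The grace period is stored as REG_SZ, not REG_DWORD, so the expected value is a string.
    @{ Name = 'ScreenSaverGracePeriod'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';    Expected = '5'; Kind = 'String' }
    @{ Name = 'DisableDomainCreds';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Expected = 1;   Kind = 'DWord'  }
)

function Test-BaselineSetting {
    param([Parameter(Mandatory)][hashtable]$Setting)

    # A missing value (or key) means the OS default governs. MSS values are usually
    # absent until the policy has been applied, so report that case explicitly.
    $item = Get-ItemProperty -Path $Setting.Path -Name $Setting.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $actual = $null
        $status = 'NOT SET'
    }
    else {
        $actual = $item.$($Setting.Name)
        # Compare as strings so the REG_SZ "5" and the DWORD values both compare cleanly.
        $status = if ("$actual" -eq "$($Setting.Expected)") { 'OK' } else { 'DRIFT' }
    }

    [pscustomobject]@{
        Setting  = $Setting.Name
        Expected = $Setting.Expected
        Actual   = $actual
        Status   = $status
        Key      = $Setting.Path
    }
}

function Set-BaselineSetting {
    param([Parameter(Mandatory)][hashtable]$Setting)

    if (-not (Test-Path $Setting.Path)) {
        New-Item -Path $Setting.Path -Force | Out-Null
    }
    # -Force overwrites an existing value; -PropertyType writes the correct REG_* type.
    New-ItemProperty -Path $Setting.Path -Name $Setting.Name -Value $Setting.Expected `
        -PropertyType $Setting.Kind -Force | Out-Null
}

$results = foreach ($s in $Baseline) { Test-BaselineSetting -Setting $s }
$results | Format-Table Setting, Expected, Actual, Status -AutoSize

$drift = @($results | Where-Object { $_.Status -ne 'OK' })
if ($drift.Count -gt 0 -and $Remediate) {
    foreach ($d in $drift) {
        $entry = $Baseline | Where-Object { $_.Name -eq $d.Setting }
        Set-BaselineSetting -Setting $entry
        Write-Host "Set $($d.Setting) -> $($d.Expected)"
    }
}
elseif ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) setting(s) do not match the baseline."
}
```

Reading the registry is also the practical check because the MSS: entries do not appear in the Security Options node of the Group Policy editor until the legacy MSS settings template has been added to it (the Microsoft Security Compliance Toolkit ships an MSS-legacy ADMX for this). Treat a NOT SET result as a finding to review rather than an automatic failure: it means the OS default applies, which for EnableICMPRedirect (redirects honoured) and DisableDomainCreds (storage allowed) is the weaker state.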