Windows Installation Requirements

The following settings will be changed on your computer when you run the SWDE installer.

Requirement | Set | Enforce

1.1 BigFix installed (Min OS: Win 2000, Platform: All)

BigFix is Stanford's patch management system, and is used by the DCM system to enforce settings. For more information see Stanford's BigFix web site.

Set: Yes | Enforce: Yes

1.2 Sophos Anti-Virus installed (Min OS: Win 2000, Platform: All)

The most current version of Sophos Anti-Virus must be installed. Download Sophos Anti-Virus from Essential Stanford Software.

Set: Yes | Enforce: No

2.1 Fast User Switching disabled (Min OS: Win 2000, Max OS: Win XP, Platform: All)

Fast User Switching allows you to have more than one user logged on to a computer at the same time with the ability to switch among them quickly. Although this may be convenient in some cases, it prevents the computer from joining a domain, and is not considered as secure as single-user logon.

Set: Yes | Enforce: Yes

2.2 LAN Manager hash disabled (Min OS: Win 2000, Platform: All)

Restricted Data setting: Prevents Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases.

Set: Yes | Enforce: Yes

2.3 NTLM 2 authentication required (Min OS: Win 2000, Platform: All)

Restricted Data setting: Sets the "LMCompatibilityLevel" registry value to 5, the Stanford University standard for computers that are members of the campus WIN domain or that contain Prohibited or Restricted Data. Level 5 requires clients and servers both to use only NTLM 2 authentication, and to use NTLM 2 session security if the server supports it. For more information see How to enable NTLM 2 authentication (KB239869).

Set: Yes | Enforce: Yes

2.4 Require a password when waking from sleep, hibernation, or screen saver. (Min OS: Win 2000, Platform: All)

You will be required to enter your password when the computer wakes from sleep, hibernation or from a screen saver.

Set: Yes | Enforce: Yes

2.5 Screen Saver (Min OS: Win 2000, Platform: All)

The screen saver will be configured to lock the screen after 15 minutes of user inactivity.

Set: Yes | Enforce: Yes

3.1 Blank passwords allowed for console logon only (Min OS: Win 2000, Platform: All)

This setting controls whether or not local accounts with blank passwords can log on from the network. After this setting is applied, local accounts with blank passwords cannot be used to connect to the machine from across the network, via Windows Networking or Terminal Services.

Set: Yes | Enforce: Yes

3.2 Digitally sign communications when possible (Min OS: Win Vista, Platform: All)

This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a connection will be allowed without a signature. The SMB server service will digitally sign communications when possible.

Set: Yes | Enforce: Yes

3.4 Firewall exceptions for Stanford services (Min OS: Win XP SP2, Max OS: Win XP, Platform: All)

The following Stanford University-specific ports will be opened: BigFix (UDP 52311). Incoming ICMP echo requests will be allowed. For more information about BigFix see the BigFix web site.

Set: Yes | Enforce: Yes

3.5 NTLM security support provider (SSP) client (Min OS: Win Vista, Platform: All)

Specifies the minimum required security setting of client-side network connections for applications using the NTLM security support provider (SSP). Require 128-bit encryption, NTLMv2 session security, message confidentiality, and message integrity. The connection will fail unless 128-bit encryption and NTLMv2 session security are negotiated.

Set: Yes | Enforce: Yes

3.6 NTLM security support provider (SSP) server (Min OS: Win Vista, Platform: All)

Specifies the minimum required security setting of server-side network connections for applications using the NTLM security support provider (SSP). Require 128-bit encryption, NTLMv2 session security, message confidentiality, and message integrity. The connection will fail unless 128-bit encryption and NTLMv2 session security are negotiated.

Set: Yes | Enforce: Yes

3.7 Remote Desktop disabled (Min OS: Win 2000, Platform: All)

Restricted Data setting: Due to security concerns, Remote Desktop will be disabled on all new and redeployed computers, as well as all computers identified as having access to Prohibited or Restricted Data. However, if users require this functionality, they will be able to turn it on. In such cases, special attention must be paid to security issues such as establishing robust passwords, etc.

Set: Yes | Enforce: No

3.8 Restrict anonymous connections (Min OS: Win 2000, Platform: All)

Restricted Data setting: This setting controls whether or not an anonymous user can connect to your machine over the network, and get a complete list of all its user accounts. This information makes it much easier for a malicious hacker to breach a system.

Set: Yes | Enforce: Yes

3.9 RPC client authentication restrictions (Min OS: Win Vista, Platform: All)

RPC Interface Restrictions provide increased network protection that will make systems less vulnerable to attacks over the network. Restricts access to all RPC interfaces. All anonymous remote calls are rejected by the RPC runtime.

Set: Yes | Enforce: Yes

4.1 Automatic Update enabled and run daily (Min OS: Win 2000, Platform: All)

Enables Windows Automatic Update, so that critical security patches may be automatically acquired from the Windows Update service.

Set: Yes | Enforce: Yes

4.2 Network file sharing disabled (Min OS: Win 2000, Platform: All)

All existing local network shares, excluding hidden administrative shares, will be disabled, and any future sharing of files over a network will be prevented.

Set: Yes | Enforce: Yes

4.3 Simple File Sharing disabled (Min OS: Win 2000, Max OS: Win XP, Platform: All)

Restricted Data setting: Disables Windows XP's Simple File Sharing, which is enabled by default, for existing as well as new or redeployed computers having access to Prohibited or Restricted Data.

Set: Yes | Enforce: Yes

4.4 Stanford Windows Infrastructure (Min OS: Win 2000, Platform: All)

Reports whether or not the computer is joined to the Stanford Windows Infrastructure.

Set: No | Enforce: No
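
To confirm that the registry-backed settings in items 2.2, 2.3, 3.1, 3.2, 3.5, 3.6 and 3.7 are in effect, a read-only audit can compare each value with what the list above describes. The script below is an added example, not part of the SWDE installer or the DCM system. Apart from "LMCompatibilityLevel", the registry paths, value names, and the NTLM SSP flag values (0x10 integrity, 0x20 confidentiality, 0x80000 NTLMv2 session security, 0x20000000 128-bit encryption) are assumptions based on the standard Windows locations, and the function name is hypothetical.

```powershell
# Added audit example (read-only). Value names other than LMCompatibilityLevel
# are assumed standard Windows registry locations, not taken from the SWDE docs.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$smb = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 128-bit (0x20000000) + NTLMv2 session security (0x80000)
# + confidentiality (0x20) + integrity (0x10)
$ntlmMin = 0x20080030

$checks = @(
    @{ Id = '2.2'; Path = $lsa;          Name = 'NoLMHash';                Want = 1;        Mode = 'eq' }
    @{ Id = '2.3'; Path = $lsa;          Name = 'LmCompatibilityLevel';    Want = 5;        Mode = 'eq' }
    @{ Id = '3.1'; Path = $lsa;          Name = 'LimitBlankPasswordUse';   Want = 1;        Mode = 'eq' }
    @{ Id = '3.2'; Path = $smb;          Name = 'EnableSecuritySignature'; Want = 1;        Mode = 'eq' }
    @{ Id = '3.5'; Path = "$lsa\MSV1_0"; Name = 'NtlmMinClientSec';        Want = $ntlmMin; Mode = 'mask' }
    @{ Id = '3.6'; Path = "$lsa\MSV1_0"; Name = 'NtlmMinServerSec';        Want = $ntlmMin; Mode = 'mask' }
    @{ Id = '3.7'; Path = $ts;           Name = 'fDenyTSConnections';      Want = 1;        Mode = 'eq' }
)

function Test-SecuritySetting {
    param([hashtable]$Check)

    # A missing value is reported as non-compliant: the OS default then applies,
    # and that default differs between Windows versions.
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($Check.Name) } else { $null }

    if ($null -eq $actual) {
        $ok = $false
    } elseif ($Check.Mode -eq 'mask') {
        # Every required flag bit must be present; extra bits are acceptable.
        $ok = ($actual -band $Check.Want) -eq $Check.Want
    } else {
        $ok = $actual -eq $Check.Want
    }

    [pscustomobject]@{
        Item      = $Check.Id
        Value     = $Check.Name
        Expected  = '0x{0:X}' -f $Check.Want
        Actual    = if ($null -eq $actual) { 'not set' } else { '0x{0:X}' -f $actual }
        Compliant = $ok
    }
}

$results = $checks | ForEach-Object { Test-SecuritySetting $_ }
$results | Format-Table -AutoSize
```

Item 3.7 is set but not enforced, so a non-compliant result there can reflect a user who has deliberately turned Remote Desktop back on.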