
SWDE Installation Requirements for Windows

The following settings will be changed on your computer when you run the SWDE installer.

Requirement Set Enforce

1.1 BigFix installed

BigFix is Stanford's patch management system and is used to enforce settings. For more information see Stanford's BigFix web site.

Set: Yes; Enforce: Yes

1.2 Stanford Anti-Malware installed

The most current version of Stanford Anti-Malware must be installed. Download from Essential Stanford Software.

Set: Yes; Enforce: No

2.1 LAN Manager hash disabled

Restricted Data setting: Prevents Windows from storing a LAN Manager hash of your password in Active Directory and local SAM databases.

Set: Yes; Enforce: Yes

2.2 NTLM 2 authentication required

Restricted Data setting: Sets the "LMCompatibilityLevel" registry value to 5, the Stanford University standard for computers that are members of the campus WIN domain or that contain High Risk Data. Level 5 requires clients and servers both to use only NTLM 2 authentication, and to use NTLM 2 session security if the server supports it. For more information see How to enable NTLM 2 authentication (KB239869).

Set: Yes; Enforce: Yes

2.3 Require a password when waking from sleep, hibernation, or screen saver

You will be required to enter your password when the computer wakes from sleep, hibernation or from a screen saver.

Set: Yes; Enforce: Yes

2.4 Screen Saver

The screen saver will be configured to lock the screen after 15 minutes of user inactivity. If the computer will never be used to access High Risk Data, this period may be increased to 1 hour.

Set: Yes; Enforce: Yes

3.1 Blank passwords allowed for console logon only

This setting controls whether or not local accounts with blank passwords can log on from the network. After this setting is applied, local accounts with blank passwords cannot be used to connect to the machine from across the network, via Windows Networking or Terminal Services.

Set: Yes; Enforce: Yes

3.2 Digitally sign communications when possible

This policy setting determines whether the server-side SMB service signs SMB packets when a client that attempts to establish a connection requests it. If no signing request comes from the client, a connection will be allowed without a signature. The SMB server service will digitally sign communications when possible.

Set: Yes; Enforce: Yes

3.4 NTLM security support provider (SSP) client

Specifies the minimum required security setting of client-side network connections for applications using the NTLM security support provider (SSP). The setting requires 128-bit encryption, NTLMv2 session security, message confidentiality, and message integrity. The connection will fail unless 128-bit encryption and NTLMv2 session security are negotiated.

Set: Yes; Enforce: Yes

3.5 NTLM security support provider (SSP) server

Specifies the minimum required security setting of server-side network connections for applications using the NTLM security support provider (SSP). The setting requires 128-bit encryption, NTLMv2 session security, message confidentiality, and message integrity. The connection will fail unless 128-bit encryption and NTLMv2 session security are negotiated.

Set: Yes; Enforce: Yes

3.6 Remote Desktop disabled

Restricted Data setting: Due to security concerns, Remote Desktop will be disabled on all new and redeployed computers, as well as all computers identified as having access to High Risk Data. However, if users require this functionality, they will be able to turn it on. In such cases, special attention must be paid to security issues such as establishing robust passwords, etc.

Set: Yes; Enforce: No

3.7 Restrict anonymous connections

Restricted Data setting: This setting controls whether or not an anonymous user can connect to your machine over the network and get a complete list of all its user accounts. This information makes it much easier for a malicious hacker to breach a system.

Set: Yes; Enforce: Yes

3.8 RPC client authentication restrictions

RPC Interface Restrictions provide increased network protection that makes systems less vulnerable to attacks over the network. This setting restricts access to all RPC interfaces: all anonymous remote calls are rejected by the RPC runtime.

Set: Yes; Enforce: Yes

4.1 Automatic Update enabled and run daily

Enables Windows Automatic Update, so that critical security patches may be automatically acquired from the Windows Update service.

Set: Yes; Enforce: Yes

4.2 Network file sharing disabled

All existing local network shares, excluding hidden administrative shares, will be disabled, and any future sharing of files over a network will be prevented.

Set: Yes; Enforce: No

4.3 Stanford Windows Infrastructure

Reports whether or not the computer is joined to the Stanford Windows Infrastructure.

Set: No; Enforce: No
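
The following PowerShell check is an added example, not part of SWDE or of this page's original content. It reads the registry values that correspond to settings 2.1, 2.2, 3.1, 3.2, 3.4, 3.5 and 3.6 and decodes the NTLM SSP bitmask. Apart from LMCompatibilityLevel = 5, which is stated above, the value names and expected data are the standard Windows locations for these policies and are assumed to be what the installer sets.

```powershell
# Added audit example, not SWDE's own code. Registry locations are the standard
# Windows ones for these policies; that SWDE writes exactly these values is an
# assumption, except LmCompatibilityLevel = 5, which the page states.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$smb = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# NtlmMinClientSec / NtlmMinServerSec are bitmasks; 3.4 and 3.5 need all four bits.
$ntlmFlags = [ordered]@{
    'message integrity'       = 0x00000010
    'message confidentiality' = 0x00000020
    'NTLMv2 session security' = 0x00080000
    '128-bit encryption'      = 0x20000000
}

$checks = @(
    @{ Id = '2.1'; Path = $lsa;          Name = 'NoLMHash';                Expected = 1 }
    @{ Id = '2.2'; Path = $lsa;          Name = 'LmCompatibilityLevel';    Expected = 5 }
    @{ Id = '3.1'; Path = $lsa;          Name = 'LimitBlankPasswordUse';   Expected = 1 }
    @{ Id = '3.2'; Path = $smb;          Name = 'EnableSecuritySignature'; Expected = 1 }
    @{ Id = '3.4'; Path = "$lsa\MSV1_0"; Name = 'NtlmMinClientSec';        Mask = $true }
    @{ Id = '3.5'; Path = "$lsa\MSV1_0"; Name = 'NtlmMinServerSec';        Mask = $true }
    @{ Id = '3.6'; Path = $ts;           Name = 'fDenyTSConnections';      Expected = 1 }
)

$report = foreach ($c in $checks) {
    $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($c.Name) } else { $null }
    if ($null -eq $value) {
        # Absent values are flagged for manual review rather than guessed at.
        $ok = $false; $detail = 'value not set'
    } elseif ($c.Mask) {
        # List every required flag whose bit is not set in the stored DWORD.
        $missing = @($ntlmFlags.GetEnumerator() |
            Where-Object { ([long]$value -band $_.Value) -ne $_.Value } |
            ForEach-Object { $_.Key })
        $ok = $missing.Count -eq 0
        $detail = if ($ok) { 'all required flags set' } else { 'missing: ' + ($missing -join ', ') }
    } else {
        $ok = $value -eq $c.Expected
        $detail = "expected $($c.Expected)"
    }
    [pscustomobject]@{
        Requirement = $c.Id; Name = $c.Name; Value = $value; Compliant = $ok; Detail = $detail
    }
}
$report | Format-Table -AutoSize
```

The script only reads HKLM values and changes nothing; a row with Compliant = False shows which requirement to review on that machine.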
Last modified March 26, 2021