Created Secure Root ACL.
Stronger ACL to stop access to root directory (c:\).
Changed default share ACL from Everyone:F to Everyone:R.
Changed DLL Search Order to start in system directory.
Hardened Internet Explorer.
Increased restrictions on Anonymous users.
Anonymous users are no longer members of “Everyone” by default.
Disabled Anonymous SID\Name translation on servers; this is NOT the default on Domain Controllers.
Put limits on blank passwords.
Local accounts that have blank passwords cannot be used to remotely connect to a machine.
Set LanManCompatibilityLevel=2 on Servers\DCs by default.
By default, Windows Server 2003 will not emit insecure LanMan responses.
Required SMB Packet signing on DCs.
Provides integrity checking for client-DC SMB communications.
Required that secure channel communications be signed or encrypted.
Modified LDAP Signing.
Affects the wldap32.dll LDAP bind initialization sequence so that signing is requested even if the client doesn’t ask for it. This doesn’t kick in if TLS\SSL is used.
Object Case Insensitivity
Protects against canonicalization type attacks.
Stopped allowed paths leakage.
Eliminates unnecessary information disclosure pertaining to system config.
Restricted remote execution of console apps to admins only.
Defense in depth.
Improved auditing for Domain Controllers.
Improved convert story.
Proper coverage for profile directory and optional components.
Fixed Profile Directory issues.
Services that run under “Local Service”
Alerter
Application Layer Gateway Service
Remote Registry
Smart Card
Smart Card Helper
SSDP Discovery Service
TCP/IP NetBIOS Helper
Telnet
UPS
Universal Plug and Play
Web Client
Windows Image Acquisition
WinHTTP Web Proxy Auto-Discovery Service
Services that run under “Network Service”
DHCP Client
Distributed Transaction Coordinator
DNS Client
License Logging
Performance Logs and Alerts
RPC Locator
IIS not installed by default
Alerter
Clipbook
Distributed Link Tracking Server
Human Interface Device Access
Imapi CDROM Burning Service
ICF\ICS
Intersite Messaging
License Logging
Messenger
NetMeeting Remote Desktop Sharing
Network DDE
Network DDE DSDM
Routing and Remote Access
Telnet
Terminal Service Session Discovery
Themes
WebClient
Windows Image Acquisition (WIA)
The Kerberos KDC is also disabled by default, and then automatically enabled upon DCPromo.
Estudio del Open/Free (GNU/Linux) como plataforma de servicios de red en entornos empresariales
Daniel Caraballo - Mario Madera - Marcelo Odin
Tutor: Ariel Sabiguero Yawelak
2004 - 2005.