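REGEDIT4

; ==============================================================================
; NT_Security.reg
; Written / Updated by HB3^, Jan. 08, 2001
; (c) 2000 Node Solutions Inc. - http://node.bc.ca
;
; Registry hardening entries for Windows NT 4.0 (Workstation / Server); some
; entries also apply to Windows 2000. Review every entry before importing:
; several trade availability or compatibility for security, and the notes
; above each key call those trade-offs out. To skip an entry, prefix its
; lines with ';'.
;
; Back up the registry before importing. Not all entries are the author's
; own; several come from books, advisories, Microsoft KB articles and
; security tools.
;
; Review notes on this revision: duplicated keys were merged (regedit applies
; entries in file order, so a later duplicate silently overrides an earlier
; one), three value names were missing their closing quote (regedit rejects
; those lines), one dword had only 7 hex digits, one key path was missing
; "Services\", and a misspelled value name ("CachedLogonCount") wrote a dead
; value.
;
; Disclaimer: the author is not responsible for damage caused by applying
; this file. Questions: alazar@node.bc.ca
; ==============================================================================

; ------------------------------------------------------------------------------
; TCP/IP stack
; ------------------------------------------------------------------------------

; EnableSecurityFilters turns on the TCP/IP security filter switch. On its own
; it blocks nothing: the per-adapter allowed-port / allowed-protocol lists
; (Network control panel -> TCP/IP -> Advanced -> Enable Security) default to
; "permit all" and must be configured for the filter to have any effect.
;
; EnableICMPRedirect=0 stops a spoofed ICMP redirect from rewriting the route
; table. IPEnableRouter=0 keeps a multi-homed host from routing between its
; networks.
;
; DisableIPSourceRouting: 0 = forward source-routed packets, 1 = do not
; forward them, 2 = drop all incoming source-routed packets. The original file
; set 1 (with a malformed 7-digit dword), which only stops forwarding; 2 is the
; value that actually disables source routing on the host.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableSecurityFilters"=dword:00000001
"EnableICMPRedirect"=dword:00000000
"IPEnableRouter"=dword:00000000
"DisableIPSourceRouting"=dword:00000002

; IP filter driver: reject fragmented IP packets and do not forward fragments.
; Only takes effect where the IPFilterDriver service exists (Windows 2000, or
; NT 4.0 with RRAS); on a plain NT 4.0 install these values are inert.
; The original file omitted "Services\" from this path, so the values landed
; on a key nothing reads.
; NOTE(review): confirm both value names against the target build's
; documentation before relying on them.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPFilterDriver\Parameters]
"EnableFragmentChecking"=dword:00000001
"DefaultForwardFragments"=dword:00000000

; MS DNS: send zone transfers in the uncompressed format that BIND versions
; older than 4.9.4 understand. Only needed with such secondaries; left
; commented out.
;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters]
;"BindSecondaries"=dword:00000001

; ------------------------------------------------------------------------------
; Logon / Winlogon
; ------------------------------------------------------------------------------

; CachedLogonsCount (REG_SZ) is the number of domain logons cached locally for
; use when no domain controller is reachable. The original file wrote a
; misspelled DWORD "CachedLogonCount"=1 (ignored) and then "CachedLogonsCount"
; ="1", which still caches one credential. "0" disables caching entirely,
; which is what the original comment intended. Trade-off: with "0" a domain
; account cannot log on while the DC is unreachable (local accounts are
; unaffected), so keep "1" on laptops.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="0"
; Hide the name of the last logged-on user from the logon dialog (REG_SZ).
; The original file misspelled the value name ("DontDisplayLastUerName").
;"DontDisplayLastUserName"="1"
; Restrict floppy / CD-ROM access to the interactively logged-on user
; (REG_SZ). Left commented out: NTFS permissions and IDS monitoring cover it.
;"AllocateFloppies"="1"
;"AllocateCDRoms"="1"

; ------------------------------------------------------------------------------
; LSA / authentication
; ------------------------------------------------------------------------------

; CrashOnAuditFail=1: halt the system when an audit record cannot be written,
; e.g. because the Security log is full. This deliberately trades availability
; for accountability - anyone who can generate enough audit events can take
; the machine down - so size the Security log and its retention accordingly.
; After such a halt the value flips to 2 and only Administrators can log on
; until it is set back to 1.
;
; RestrictAnonymous=1: stop null-session enumeration of account names and
; shares. (Value 2, which is stricter, exists on Windows 2000 only.)
;
; LMCompatibilityLevel: the original file set this twice (4, then 2). Regedit
; applies entries in order, so 2 won and the pass-the-hash mitigation was
; silently lost. Single entry now. Levels:
;   0 - send LM and NTLM responses
;   1 - send LM and NTLM, use NTLMv2 session security if negotiated
;   2 - send NTLM only
;   3 - send NTLMv2 only (requires NT 4.0 SP4)
;   4 - send NTLMv2 only; domain controller refuses LM
;   5 - send NTLMv2 only; domain controller refuses LM and NTLM
; Why it matters ("pass the hash"): a modified SMB client can mount shares
; using a user name and the corresponding LanMan hash without ever recovering
; the clear-text password, so refusing LM on the server side matters as much
; as not sending it. Level 4 locks out clients that can only authenticate
; with LM. More info: http://www.securityfocus.com
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"CrashOnAuditFail"=dword:00000001
"RestrictAnonymous"=dword:00000001
"LMCompatibilityLevel"=dword:00000004

; Only Administrators and Print Operators may install printer drivers
; (a kernel-mode driver install is a code-execution path). The original file
; listed this entry twice; once is enough.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers]
"AddPrintDrivers"=dword:00000001

; ------------------------------------------------------------------------------
; RAS / PPP
; ------------------------------------------------------------------------------

; SecureVPN=1 enforces MS-CHAP v2 for VPN connections.
; ForceEncryptedPassword=2 requires PPP clients to authenticate with MS-CHAP;
; clear-text and CHAP authentication are refused.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP]
"SecureVPN"=dword:00000001
"ForceEncryptedPassword"=dword:00000002

; DisableSavePassword=1: never offer to save dial-up passwords.
; Logging=1: enable RAS device logging.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters]
"DisableSavePassword"=dword:00000001
"Logging"=dword:00000001

; ------------------------------------------------------------------------------
; Server service / SMB
; ------------------------------------------------------------------------------

; Do not create the administrative shares (C$, D$, ADMIN$ ...) at startup.
; AutoShareServer applies to NT Server, AutoShareWks to NT Workstation; only
; the one matching the product takes effect. IPC$ is still created. Remote
; administration tools that rely on ADMIN$ / C$ will stop working.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000

; SMB signing (NT 4.0 SP3 or later). Enable signing first; only require it
; once every peer supports it, because a side that requires signatures
; refuses unsigned peers. Server side:
;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
;"EnableSecuritySignature"=dword:00000001
;"RequireSecuritySignature"=dword:00000001
; Client (redirector) side. NT 4.0 uses Rdr; Windows 2000 uses
; LanmanWorkstation instead.
;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters]
;"EnableSecuritySignature"=dword:00000001
;"RequireSecuritySignature"=dword:00000001

; ------------------------------------------------------------------------------
; Miscellaneous system hardening
; ------------------------------------------------------------------------------

; Dr. Watson: Auto="0" (REG_SZ) makes a crashed process show a dialog instead
; of automatically attaching the debugger. Mitigates the NT LSA DoS
; ("Phantom") vulnerability. Side effect: on an unattended server that dialog
; waits for someone at the console.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="0"

; MDAC RDS DataFactory: 1 = safe mode (only registered handlers may be
; invoked), 0 = unsafe mode. Closes the remote command execution path
; through RDS described in the Microsoft RDS/DataFactory advisories.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataFactory\HandlerInfo]
"HandlerRequired"=dword:00000001

; DCOM: disable with DCOMCNFG.EXE (Default Properties -> untick "Enable
; Distributed COM on this computer") or with this REG_SZ value.
;[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
;"EnableDCOM"="N"

; Deny Guest and null-session users read access to the Application, Security
; and System event logs. The original file was missing the closing quote on
; all three value names, so regedit rejected the lines.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application]
"RestrictGuestAccess"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
"RestrictGuestAccess"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System]
"RestrictGuestAccess"=dword:00000001

; Stop NTFS from generating 8.3 short names (closes short-name path tricks).
; Only affects files created after the change; 16-bit applications that need
; short names will break.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisable8dot3NameGeneration"=dword:00000001

; Wipe the page file at shutdown so paged-out secrets are not left on disk.
; Slows shutdown noticeably. Left commented out.
;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
;"ClearPageFileAtShutdown"=dword:00000001

; Screen saver for the default profile (HKEY_USERS\.DEFAULT affects the
; logon desktop, not interactive users). Turning the saver on does not by
; itself lock the console; a password-protected saver and a timeout are also
; needed. The original path had a typo ("ControlPannel").
;[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
;"ScreenSaveActive"="1"

; CD-ROM Autorun: 1 = enabled, 0 = disabled. Stops autorun.inf on inserted
; media from launching code. Left commented out, as in the original.
;[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
;"Autorun"=dword:00000000

; ------------------------------------------------------------------------------
; IIS
; ------------------------------------------------------------------------------

; CreateProcessAsUser=1 runs CGI scripts in the context of the requesting
; user (IUSR_computername for anonymous requests) rather than the service
; account. The original comment said to "un-remark" this entry, but it was
; already active; comment it out if your CGIs need the service account.
; The two Log* values enable logging of successful and failed HTTP requests.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"CreateProcessAsUser"=dword:00000001
"LogSuccessfulRequests"=dword:00000001
"LogErrorRequests"=dword:00000001

; Disable the FTP PORT bounce attack (applies to IIS 2.0 / 3.0).
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Parameters]
"EnablePortAttack"=dword:00000000
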