Security configuration guidance support

Article ID: 885409

Summary

Microsoft, the Center for Internet Security (CIS), the National Security Agency (NSA), the Defense Information Systems Agency (DISA), and the National Institute of Standards and Technology (NIST) have published "security configuration guidance" for Microsoft Windows.

The high security levels that are specified in some of these guides may significantly restrict the functionality of a system. Therefore, you should perform significant testing before you deploy these recommendations. We recommend that you take additional precautions when you do the following:
  • Edit access control lists (ACLs) for files and registry keys
  • Enable Microsoft network client: Digitally sign communications (always)
  • Enable Network security: Do not store LAN Manager hash value on next password change
  • Enable System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
  • Disable the Automatic Updates service or the Background Intelligent Transfer Service (BITS)
  • Disable the Netlogon service
  • Enable NoNameReleaseOnDemand
Microsoft strongly supports industry efforts to provide security guidance for deployments in high security areas. However, you must thoroughly test the guidance in the target environment. If you need additional security settings beyond the default settings, we highly recommend that you start from the guides that Microsoft issues. These guides can serve as a starting point for your organization's requirements. For support or for questions about third-party guides, contact the organization that issued the guidance.

Over the past few years, a number of organizations, including Microsoft, the Center for Internet Security (CIS), the National Security Agency (NSA), the Defense Information Systems Agency (DISA), and the National Institute of Standards and Technology (NIST), have published "security configuration guidance" for Windows. As with any security guidance, the additional security that is required frequently has an adverse effect on usability.

Several of these guides, including the guides from Microsoft, from CIS, and from NIST, contain multiple levels of security settings. These guides may include levels that are designed for the following:
  • Interoperability with older operating systems
  • Enterprise environments
  • Enhanced security that provides limited functionality

    Note: This level is frequently known as the Specialized Security - Limited Functionality level or the High Security level.
The High Security, or Specialized Security - Limited Functionality, level is designed specifically for very hostile environments under significant risk of attack. This level guards information of the highest possible value, such as certain information that some government systems must protect. The High Security level of most of this public guidance is inappropriate for most systems that run Windows. We recommend that you do not use the High Security level on general-purpose workstations. Use the High Security level only on systems where a compromise would cause loss of life, loss of very valuable information, or loss of large amounts of money.

Several groups worked with Microsoft to produce these security guides. In many cases, the guides all address similar threats. However, each guide differs slightly because of legal requirements, local policy, and functional requirements. Because of this, the settings may vary from one set of recommendations to the next. The "Organizations that produce publicly available security guidance" section contains a summary of each security guide.

Organizations that produce publicly available security guidance

Microsoft Corporation

Microsoft provides guidance about how to help secure its own operating systems. Microsoft has developed the following three levels of security settings:
  • Enterprise Client (EC)
  • Stand-Alone (SA)
  • Specialized Security - Limited Functionality (SSLF)
This guidance has been thoroughly tested for use in many customer scenarios. It is appropriate for any organization that wants to help secure its Windows-based computers.

Microsoft fully supports its guides because of the extensive testing that has been done on them in Microsoft's Application Compatibility laboratories. The guides can be downloaded from the Microsoft website. If you experience issues or have comments after you implement the Microsoft Security Guides, you can provide feedback by sending an email message to secwish@microsoft.com.

Security configuration guidance for the Windows operating system, for Internet Explorer, and for the Office productivity suite is provided in the Microsoft Security Compliance Manager: http://technet.microsoft.com/en-us/library/cc677002.aspx.


The Center for Internet Security

CIS has developed benchmarks to provide information that helps organizations make informed decisions about certain available security choices. CIS provides three levels of security benchmarks:
  • Legacy
  • Enterprise
  • High Security
If you experience issues or have comments after you implement the CIS Benchmark settings, contact CIS by sending an email message to win2k-feedback@cisecurity.org.

Note: CIS's guidance has changed since this article was originally published (November 3, 2004). CIS's current guidance resembles the guidance that Microsoft provides. For more information about the guidance that Microsoft provides, read the "Microsoft Corporation" section earlier in this article.

The National Institute of Standards and Technology

NIST is responsible for creating security guidance for the United States federal government. NIST has created four levels of security guidance that are used by United States federal agencies, private organizations, and public organizations:
  • SoHo
  • Legacy
  • Enterprise
  • Specialized Security - Limited Functionality
If you experience issues or have comments after you implement the NIST security templates, contact NIST by sending an email message to itsec@nist.gov.

˵:NIST's guidance has changed since we originally published this article (November 3, 2004). NIST's current guidance resembles the guidance that Microsoft provides. For more information about the guidance that Microsoft provides, read the "Microsoft Corporation" section earlier in this article.

The Defense Information Systems Agency

DISA creates guidance specifically for use in the United States Department of Defense (DOD). United States DOD users who experience issues or have comments after they implement the DISA configuration guidance can provide feedback by sending an email message to fso_spt@ritchie.disa.mil.

˵:DISA's guidance has changed since we originally published this article (November 3, 2004). DISA's current guidance is similar or identical to the guidance that Microsoft provides. For more information about the guidance that Microsoft provides, read the "Microsoft Corporation" section earlier in this article.

The National Security Agency (NSA)

NSA has produced guidance to help secure high-risk computers in the United States Department of Defense (DOD). NSA has developed a single level of guidance that corresponds approximately with the High Security level that is produced by other organizations.

If you experience issues or have comments after you implement the NSA Security Guides for Windows XP, you can provide feedback by sending an email message to XPGuides@nsa.gov. To provide feedback on the Windows 2000 guides, send an email message to w2kguides@nsa.gov.

˵:NSA's guidance has changed since we originally published this article (November 3, 2004). NSA's current guidance is similar or identical to the guidance that Microsoft provides. For more information about the guidance that Microsoft provides, read the "Microsoft Corporation" section earlier in this article.

Security guidance issues

As mentioned earlier in this article, the high security levels that are described in some of these guides were designed to significantly restrict the functionality of a system. Because of this restriction, you should thoroughly test a system before you deploy these recommendations.

Note: Security guidance for the SoHo, Legacy, and Enterprise levels has generally not been reported to severely affect system functionality. This article focuses primarily on the guidance that is associated with the highest security level.

Microsoft strongly supports industry efforts to provide security guidance for deployments in high security areas, and continues to work with security standards groups to develop useful hardening guidance that is fully tested. Security guidelines from third parties are always issued with strong warnings to fully test the guidelines in the target high security environment. However, these warnings are not always heeded. Make sure that you thoroughly test all security configurations in your target environment. Security settings that differ from the ones that Microsoft recommends may invalidate the application compatibility testing that is performed as part of the operating system testing process. Additionally, Microsoft and third parties specifically discourage applying draft guidance to a live production environment instead of to a test environment.

The high levels of these security guides include several settings that you should carefully evaluate before you implement them. Although these settings may provide additional security benefits, they may have an adverse effect on the usability of the system.

File system and registry access control list modifications

Windows XP and later versions of Windows have significantly tightened permissions throughout the system. Therefore, extensive changes to the default permissions should not be necessary.

Additional discretionary access control list (DACL) changes may invalidate all or most of the application compatibility testing that Microsoft performs. Frequently, such changes have not undergone the thorough testing that Microsoft has performed on other settings. Support cases and field experience have shown that DACL edits change the fundamental behavior of the operating system, frequently in unintended ways. These changes affect application compatibility and stability and reduce functionality, in terms of both performance and capability.

Because of these effects, we do not recommend that you modify file system DACLs on files that are included with the operating system on production systems. We recommend that you evaluate any additional ACL change against a known threat to understand any potential advantage that the change may lend to a specific configuration. For these reasons, the Microsoft guides make only very minimal DACL changes, and only for Windows 2000. For Windows 2000, several minor changes are required. These changes are described in the Windows 2000 Security Hardening Guide.

Extensive permission changes that are propagated throughout the registry and the file system cannot be undone. New folders, such as user profile folders that were not present in the original installation of the operating system, may be affected. Therefore, if you remove a Group Policy setting that performs DACL changes, or if you apply the system defaults, you cannot roll back the original DACLs.

Changes to the DACL in the %SystemDrive% folder may cause the following scenarios:
  • The Recycle Bin no longer functions as designed, and files cannot be recovered.
  • A reduction of security that lets a non-administrator view the contents of the administrator's Recycle Bin.
  • The failure of user profiles to function as expected.
  • A reduction of security that gives interactive users read access to some or all user profiles on the system.
  • Performance problems when many DACL edits are loaded into a Group Policy object, including long logon times or repeated restarts of the target system.
  • Performance problems, including system slowdowns, every 16 hours or so as the Group Policy settings are reapplied.
  • Application compatibility problems or application crashes.
To help you remove the worst results of such file and registry permission changes, Microsoft will provide commercially reasonable efforts in line with your support contract. However, you currently cannot roll back these changes. Microsoft can guarantee only that you can return to the recommended out-of-the-box settings by reformatting the hard disk drive and reinstalling the operating system.

For example, modifications to registry DACLs affect large parts of the registry hives and may cause systems to stop functioning as expected. Modifying the DACLs on single registry keys poses less of a problem to many systems. However, we recommend that you carefully consider and test these changes before you implement them. Again, Microsoft can guarantee only that you can return to the recommended out-of-the-box settings if you reformat and reinstall the operating system.

Microsoft network client: Digitally sign communications (always)

When you enable this setting, clients must sign Server Message Block (SMB) traffic even when they contact servers that do not require SMB signing. This makes clients less vulnerable to session hijacking attacks and provides significant value. However, the server side must be able to sign as well: unless Microsoft network server: Digitally sign communications (always) or Microsoft network server: Digitally sign communications (if client agrees) is enabled on the server, the client will be unable to communicate successfully with the server.

Network security: Do not store LAN Manager hash value on next password change

When you enable this setting, the LAN Manager (LM) hash value for a new password will not be stored when the password is changed. The LM hash is relatively weak and prone to attack compared with the cryptographically stronger Microsoft Windows NT hash. Although this setting provides extensive additional security to a system by preventing many common password-cracking utilities, the setting can prevent some applications from starting or running correctly.

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

When you enable this setting, Internet Information Services (IIS) and Microsoft Internet Explorer use only the Transport Layer Security (TLS) 1.0 protocol. If this setting is enabled on a server that is running IIS, only web browsers that support TLS 1.0 can connect. If this setting is enabled on a web client, the client can connect only to servers that support the TLS 1.0 protocol. This requirement may affect a client's ability to visit websites that use Secure Sockets Layer (SSL). For more information, click the following article number to view the article in the Microsoft Knowledge Base:
811834 Cannot visit SSL sites after you enable FIPS compliant cryptography

Additionally, when you enable this setting on a server that uses Terminal Services, clients are forced to use the RDP client 5.2 or later versions to connect.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
811833The effects of enabling the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting in Windows XP and in later versions of Windows

Automatic Update service or Background Intelligent Transfer Service (BITS) is disabled

One of the key pillars of the Microsoft security strategy is to make sure that systems are kept current on updates. A key component in this strategy is the Automatic Updates service. Both Windows Update and Software Update services use the Automatic Updates service. The Automatic Updates service relies on the Background Intelligent Transfer Service (BITS). If these services are disabled, the computers will no longer be able to receive updates from Windows Update through Automatic Updates, from Software Update services (SUS), or from some Microsoft Systems Management Server (SMS) installations. These services should be disabled only on systems that have an effective update-distribution system that does not rely on BITS.

NetLogon service is disabled

If you disable the NetLogon service, a workstation no longer functions reliably as a domain member. This setting may be appropriate for some computers that do not participate in domains. However, it should be carefully evaluated before deployment.

NoNameReleaseOnDemand

This setting prevents a server from relinquishing its NetBIOS name if it conflicts with another computer on the network. This setting is a good preventive measure for denial of service attacks against name servers and other very important server roles.

If you enable this setting on a workstation, the workstation refuses to relinquish its NetBIOS name even if the name conflicts with the name of a more important system, such as a domain controller. This scenario can disable important domain functionality. Microsoft strongly supports industry efforts to provide security guidance for deployments in high security areas. However, this guidance must be thoroughly tested in the target environment. System administrators who require additional security settings beyond the default settings should use the guides that Microsoft issues as a starting point for their organization's requirements. For support or for questions about third-party guides, contact the organization that issued the guidance.
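The settings listed in the Summary and discussed in the sections above can be checked mechanically in a security template before it reaches a test machine, let alone production. The following Python script is an added example and is not part of KB 885409 or of any Microsoft guide: it parses a secedit-style template (the .inf format that secedit /export writes) and flags each setting the article singles out, so that every finding gets the testing the article calls for. The registry paths used for the policies (LanmanWorkstation\Parameters\RequireSecuritySignature, Control\Lsa\NoLMHash, Control\Lsa\FipsAlgorithmPolicy with the Vista-and-later Enabled value, Netbt\Parameters\NoNameReleaseOnDemand), the service names wuauserv, BITS and Netlogon, the secedit start-type codes, and the embedded sample template are the author's assumptions and constructed data, not taken from the article.

```python
"""Pre-deployment audit of a secedit-style security template (.inf).

Added example, not code from KB 885409. It reads the [Registry Values],
[Service General Setting], [File Security] and [Registry Keys] sections
that secedit /export produces and flags the settings the article says need
extra testing. The registry paths, service names and the sample template
below are assumptions / constructed data.
"""
from dataclasses import dataclass

# Constructed sample template: every high-impact setting from the article is present.
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled=4,1
MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"
[Service General Setting]
Netlogon,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;BA)"
BITS,4,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;BA)"
wuauserv,2,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;BA)"
[File Security]
"%SystemDrive%\",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
[Registry Keys]
"MACHINE\SOFTWARE",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"""

LSA = "machine\\system\\currentcontrolset\\control\\lsa\\"
WKS = "machine\\system\\currentcontrolset\\services\\lanmanworkstation\\parameters\\"
NETBT = "machine\\system\\currentcontrolset\\services\\netbt\\parameters\\"
DISABLED = 4  # secedit service start types: 2=Automatic, 3=Manual, 4=Disabled (assumed)


@dataclass(frozen=True)
class Finding:
    setting: str  # short identifier, stable for tooling
    impact: str   # the side effect the article warns about


def parse_template(text):
    """Split an INF into {section: [raw lines]}; comments (;) and blank lines dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def dword_values(sections):
    """Return {lowercased registry path: int} for REG_DWORD entries (type code 4)."""
    values = {}
    for line in sections.get("Registry Values", []):
        path, _, rest = line.partition("=")
        kind, _, data = rest.partition(",")
        if kind.strip() == "4":
            values[path.strip().lower()] = int(data.strip())
    return values


def service_start_types(sections):
    """Return {lowercased service name: start type} from [Service General Setting]."""
    starts = {}
    for line in sections.get("Service General Setting", []):
        parts = line.split(",", 2)  # name, start type, SDDL
        starts[parts[0].strip().lower()] = int(parts[1])
    return starts


def audit(text):
    """Return the Findings for one template; an empty list means nothing to flag."""
    sections = parse_template(text)
    reg = dword_values(sections)
    svc = service_start_types(sections)
    findings = []

    dacl_edits = len(sections.get("File Security", [])) + len(sections.get("Registry Keys", []))
    if dacl_edits:
        findings.append(Finding("dacl-edits", f"{dacl_edits} file/registry DACL entries; "
                                "propagated DACL changes cannot be rolled back"))
    if reg.get(WKS + "requiresecuritysignature") == 1:
        findings.append(Finding("smb-client-sign-always", "client cannot talk to servers "
                                "that have SMB signing neither required nor enabled"))
    if reg.get(LSA + "nolmhash") == 1:
        findings.append(Finding("nolmhash", "LM hash no longer stored; applications that "
                                "depend on LM authentication may fail"))
    if reg.get(LSA + "fipsalgorithmpolicy") == 1 or reg.get(LSA + "fipsalgorithmpolicy\\enabled") == 1:
        findings.append(Finding("fips-only", "IIS/IE limited to TLS; Terminal Services needs RDP 5.2+"))
    for name, label in (("wuauserv", "Automatic Updates"), ("bits", "BITS"), ("netlogon", "Netlogon")):
        if svc.get(name) == DISABLED:
            findings.append(Finding(f"service-disabled:{name}", f"{label} service disabled"))
    if reg.get(NETBT + "nonamereleaseondemand") == 1:
        findings.append(Finding("nonamereleaseondemand", "host ignores NetBIOS name releases; "
                                "on a workstation this can collide with a domain controller's name"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_TEMPLATE):
        print(f"{f.setting:28} {f.impact}")
```

Run it against the output of secedit /export /cfg template.inf; that file is written as UTF-16 on disk, so decode it before passing the text to audit(). A finding is a prompt to test the setting in the target environment, as the article advises, not a verdict that the setting is wrong.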

References

For more information about security settings, see Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP. To download this guide, visit the following Microsoft website:
http://go.microsoft.com/fwlink/?LinkId=15159
For more information about the effects of some additional key security settings, click the following article number to view the article in the Microsoft Knowledge Base:
823659 Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
For more information about the effects of requiring FIPS compliant algorithms, click the following article number to view the article in the Microsoft Knowledge Base:
811833 The effects of enabling the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting in Windows XP and later versions
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

For information about your hardware manufacturer, visit the following Microsoft website:
http://support.microsoft.com/gp/vendors/en-us

Properties

Article ID: 885409 - Last Review: 15 (month not recoverable from the source) 2011 - Revision: 3.0
Applies to
  • Windows 7 Enterprise
  • Windows 7 Home Basic
  • Windows 7 Home Premium
  • Windows 7 Professional
  • Windows 7 Ultimate
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Web Server 2008
  • Windows Vista Ultimate
  • Windows Vista Business
  • Windows Vista Enterprise
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows XP Professional Edition
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Advanced Server
Keywords:
kbsectools kbhowto kbsecurity kbmt KB885409 KbMtth
Machine translation
Important: This article was translated by Microsoft machine-translation software rather than by a human translator. Microsoft offers both human-translated and machine-translated articles so that Knowledge Base content can be read in your own language. However, a machine-translated article is not always perfect and may contain errors in vocabulary, syntax, or grammar, much as a non-native speaker might make. Microsoft is not responsible for inaccuracies, errors, or damage that result from mistranslation of the content or from customers' use of it. Microsoft updates the machine-translation software regularly.
The English version of this article is: 885409
