Threats and Countermeasures Guide: Security Settings in Windows Server 2008 R2 and Windows 7

This guide is a reference to the security settings in Windows Server® 2008 R2 and Windows® 7 that provide countermeasures for specific threats against the current versions of the operating systems.

Note: For a downloadable version of this document, see Threats and Countermeasures Guide in the Microsoft Download Center.

Many of the countermeasures that are described in this guide are not intended for specific computer roles in the companion guides, or in some cases, for any roles at all. These countermeasures help ensure compatibility, usability, manageability, availability, or performance.

Generally, as security increases, functionality decreases, and vice versa. However, there are exceptions, and some security countermeasures actually help improve functionality.

Each section begins with a brief explanation of what is in the section, followed by a list of subsection headings, each of which corresponds to a setting or group of settings. Each subsection includes a brief explanation of what the countermeasure does and the following subsections:

  • Vulnerability: Explains how an attacker might exploit a feature or its configuration.

  • Countermeasure: Explains how to implement the countermeasure.

  • Potential impact: Explains the possible negative consequences of countermeasure implementation.

For example, the section Domain Level Account Policies begins with the following subsections:

Account Policies

  • Enforce password history

    • Vulnerability

    • Countermeasure

    • Potential impact

  • Maximum password age

    • Vulnerability

    • Countermeasure

    • Potential impact

This pattern is repeated throughout this guide. Settings that are closely related are presented in a single subsection. For example, in the Security Options section, four related settings are placed into the same subsection as follows:

Microsoft network client and server: Digitally sign communications

  • Microsoft network client: Digitally sign communications (always)

  • Microsoft network server: Digitally sign communications (always)

  • Microsoft network client: Digitally sign communications (if server agrees)

  • Microsoft network server: Digitally sign communications (if client agrees)

This guide focuses on Group Policy settings that are considered security settings; settings that are intended to help organizations manage their environments are not documented. This guide examines only the settings and features in Windows Server 2008 R2 and Windows 7 that can help organizations secure their enterprises against specific threats. Settings and features that were added in service packs after the release of Windows 7 and Windows Server 2008 R2, or functionality that may have been added by software released after those service packs, may not be discussed in this guide. Also, management features and security features that are not configurable by administrators are not described in this guide.

The information that is provided within this guide should help you and members of your organization understand the countermeasures that are available in the current versions of the operating systems.

Section overviews

This guide consists of the following sections, which provide a reference to the settings that you should consider when planning the security policy for your organization.

Threats and Countermeasures Guide: Account Policies

This section discusses the Group Policy settings that are applied at the domain level: password policies, account lockout policies, and Kerberos protocol authentication policies.

Threats and Countermeasures Guide: Advanced Security Audit Policy

This section discusses the use of advanced audit policy settings, which are now integrated with Group Policy to monitor and enforce your security measures. It describes the various settings, and it provides examples of how audit information is modified when the settings are changed.

Threats and Countermeasures Guide: User Rights

This section discusses the various logon rights and privileges that are provided by the Windows 7 and Windows Server 2008 R2 operating systems, and it provides guidance about which accounts should be assigned these rights.

Threats and Countermeasures Guide: Security Options

This section provides guidance about security settings for digital data signatures, Administrator and Guest account names, drive access, driver installation behavior, and logon prompts.

Threats and Countermeasures Guide: Event Log

This section provides guidance about how to configure the settings that relate to the various event logs on computers running Windows Server 2008 R2 or Windows 7.

Threats and Countermeasures Guide: System Services

Windows Server 2008 R2 and Windows 7 include a variety of system services. Many of these services are configured to run by default, but others are not present unless you install specific components. This section describes the various services included with the operating systems so that you can best decide which ones to leave enabled and which ones can be safely disabled.

Threats and Countermeasures Guide: Software Restriction Policies

This section provides a brief overview of the Software Restriction Policy feature that is available in Windows Server 2008 R2 and Windows 7. It provides links to additional resources about how to design and use policy settings to control which applications can be used in your organization.

Threats and Countermeasures Guide: Application Control Policies

This section provides a brief overview of the AppLocker™ feature that is available in Windows Server 2008 R2 and Windows 7. It provides links to additional resources about how to design and use policy settings to control which applications can be used in your organization.

Threats and Countermeasures Guide: External Storage Devices

This section describes Group Policy settings that can be used to limit, prevent, or allow the use of external storage devices in networked computers.

Threats and Countermeasures Guide: Additional Resources

This section provides links to additional information sources about Windows security topics from Microsoft that you may find useful.