Some of that stuff is good, notably most of the stuff in the first section.
Although, on a physically secure stand-alone machine, having no password is
often more secure than having one.
Renaming the admin account is meaningless. Leaving it with the default name
makes it no easier at all to break into an insecure system, but it can break
apps if you rename it.
Replacing Everyone with Authenticated Users not only has absolutely no
impact on Security, it also will almost certainly break your system and
render it unsupported and unsupportable (see KB 885409
http://support.microsoft.com/kb/885409). Everyone and Users include the Guest
account, since INTERACTIVE is a member of Users. Authenticated Users do not
include guests, but as the Guest account is disabled by default, and the
vast majority of systems have no members of Guests, there is no functional
difference between Everyone and Authenticated Users on the vast majority of
systems, and hence no reason to make that change.
Preventing the last logged in user name from being displayed provides
security if your username is the primary secret stopping bad guys. Take a
moment and look at your business card. I bet it shows your username, with an
@-sign right after it. And, if you take your first initial and last name,
there are most usernames. In other words, hiding the last logged on username
doesn't help.
Disabling remote desktop breaks remote assistance and is generally
inadvisable unless you have no options other than to have extremely weak
passwords.
The firewall should be on if you have a network connection. Period.
Regardless of whether it is permanent or not.
Encrypting the local offline files cache in XP is totally meaningless. In
Vista it is not.
Encrypting the %temp% folder is not only not supported, it can't be done.
Clearing the pagefile at shutdown is a valid countermeasure if the attacker
you are worried about is the Chinese/North Korean/U.S./U.K./Russian/SomeOther
Intelligence agency. It is highly, no, make that entirely, unlikely that a
run-of-the-mill attacker that has stolen your machine is going to wade
through a 2 billion byte binary file with a hex editor on the off chance that
there (a) is anything interesting in there, (b) Windows or the other app that
put it there did not encrypt it, and (c) he actually manages to recognize it.
On the other hand, if you like shutdowns to take 15-30 minutes, then clearing
the pagefile at shutdown is a good way to ensure they do.
The auditing settings are not only broken in that there are no failed system
events (uh, dude, I tried to shut down but failed because it took too long to
clear the pagefile); if you set the audit settings in this guide you will
generate somewhere around 1,000 events per _second_ on a default system. Go
ahead. Tell me when you find any interesting ones. It is somewhat comical
(tragicomical really) that this checklist has absolutely nothing about
actually _looking_ at your logs. Generate thousands of events, but have no
log management system in place. That doesn't sound like it makes anyone any
more secure.
Disabling the default shares is totally, utterly, completely, entirely
meaningless. An attacker that has an admin account already can turn them back
on in half a second. An attacker that doesn't have an admin account can't use
them anyway. Why take the app compat hit from turning them off to get
absolutely no gain, not to mention that if you took the advice above and
turned on the firewall, they are impervious anyway? Defense in Depth is a
reasoned strategy by which you protect a system against meaningful and
realistic threats on multiple levels. It is not a phrase to justify dangerous
tweaks that you can't justify any other way.
The part about disabling boot from floppy or CDROM just made me laugh. The
author first of all has missed the crucial point that if the bad guy has
physical access to your system, it ain't your system any longer. Second, he
(she?) does not understand what the "restrict floppy access..." security
settings do. If you (a) enable those settings, AND (b) there is a floppy/CD
in the drive, AND (c) you have manually created a share for that drive (there
is none by default), AND (d) the share permits the attacker to map it, AND
(e) there is someone currently logged on locally, THEN, and only then, can
remote users not use the shares across the network. As soon as you log off,
the shares are remotely accessible again.
Please do yourselves a favor: don't implement security guides from third
parties, at least not without a complete understanding of the impact of the
changes they recommend. The vast majority of third party security guides will
render your system unstable in one or more respects. I have seen some that
will prevent users from logging on, and one that caused the system to
self-destruct if it was turned off for seven days. There is plenty of
trustworthy documentation from Microsoft. Use that. And, before you do,
analyze who you are trying to protect yourself from.
If your objective is to secure your home computer, turn on the firewall,
install an anti-malware program, create a separate account to administer your
system, make sure your day-to-day account is a non-admin, and enable Windows
Update to auto-install patches. You're done.
If the enemy is some foreign intelligence service, hire folks that are true
experts in system hardening and don't trust random documents on the web,
written by people who do not have an obvious interest in your system being
secure, nor an obvious skillset to bring to bear on a risk management
problem, not to mention absolutely no idea what risks you are facing and the
threats that are meaningful to you. If there were a "one-size-fits-all"
security configuration, don't you think Microsoft would have shipped the
system that way in the first place?
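Two of the claims above (that Everyone and Authenticated Users differ only when Guest is enabled or Guests has members, and that an audit policy should be judged by the event volume it actually produces) can be checked directly on a Windows host. This is an added PowerShell example, not code from the comment's author; it assumes PowerShell 5.1 or later with the built-in LocalAccounts module, an elevated session, and an arbitrary $Minutes measurement window chosen for the example.

```powershell
# Added example (not part of the original comment). Run elevated.
# Check 1: would swapping Everyone for Authenticated Users change anything here?
# Check 2: how many Security events per second does the current audit policy produce?
param([int]$Minutes = 5, [int]$Top = 10)   # assumed window and list size

# --- Check 1: Guest account, Guests group, and INTERACTIVE in Users ---
# Guest has RID 501; Builtin\Guests is S-1-5-32-546; Builtin\Users is S-1-5-32-545.
$guest         = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
$guestsMembers = @(Get-LocalGroupMember -SID 'S-1-5-32-546' -ErrorAction SilentlyContinue)
$usersMembers  = @(Get-LocalGroupMember -SID 'S-1-5-32-545' -ErrorAction SilentlyContinue)
$interactiveInUsers = ($usersMembers.Name -contains 'NT AUTHORITY\INTERACTIVE')

Write-Output ("Guest enabled: {0}; members of Guests: {1}; INTERACTIVE in Users: {2}" -f
    $guest.Enabled, $guestsMembers.Count, $interactiveInUsers)
if (-not $guest.Enabled -and $guestsMembers.Count -eq 0) {
    Write-Output 'Everyone and Authenticated Users are functionally equivalent on this host.'
}

# --- Check 2: Security log event rate and dominant event IDs ---
$since  = (Get-Date).AddMinutes(-$Minutes)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } `
              -ErrorAction SilentlyContinue)   # SilentlyContinue: no events is not an error here
$rate = [math]::Round($events.Count / ($Minutes * 60), 2)
Write-Output ("{0} Security events in {1} min = {2} events/sec" -f $events.Count, $Minutes, $rate)

# Top event IDs, marking Audit Failure vs Audit Success from the event keywords.
$events | Group-Object Id | Sort-Object Count -Descending | Select-Object -First $Top |
    ForEach-Object {
        $sample  = $_.Group[0]
        $outcome = 'Success'
        if ($sample.KeywordsDisplayNames -contains 'Audit Failure') { $outcome = 'Failure' }
        [pscustomobject]@{
            EventId = $_.Name
            Count   = $_.Count
            Outcome = $outcome
            Task    = $sample.TaskDisplayName
        }
    } | Format-Table -AutoSize

# Effective audit policy, so the observed rate can be tied back to the settings.
auditpol /get /category:*
```

Run it once before and once after applying any audit-policy change; if the per-second rate climbs but nothing consumes the log, the change added noise, not detection.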