Level II Assessment Forms
The following forms, as shown in Tables B.5, B.6, and B.7, can be used when assessing servers and during system demonstrations.

Password Action | Recommended Value | Actual Value |
---|---|---|
Enforce password history | 10 days | |
Maximum password age | 30 days | |
Minimum password age | 1 day | |
Minimum password length | 7 characters | |
Passwords must meet complexity | Enabled | |
Account lockout threshold | After 3 attempts | |

Auditing | Recommended Value | Actual Value |
---|---|---|
Audit system events | Success and failure | |
Audit process tracking | None | |
Audit privilege use | Failure | |
Audit account logon events | Failure | |
Audit account management | Success and failure | |
Audit directory service access | None | |
Audit logon events | Failure | |
Audit object access | Success | |
Audit policy change | Failure | |

Access Options | Recommended Value | Actual Value |
---|---|---|
Rename administrator account | Rename | |
Audit the use of backup and restore privilege | Enabled | |
Shut down system immediately if unable to log security audits | Enabled | |
Do not display last username | Enabled | |
Display message text for users attempting to log on | Enabled | |
Message title for users attempting to log on | Enabled | |
Prompt user to change password before expiration | 1 week | |
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | |
Can shares be accessed anonymously | No | |
Force logoff when logon hours expire | Enabled | |
Suspend session time | 30 minutes | |
Do not display last username | Enabled | |
Restrict floppy, CD-ROM, and USB ports | Enabled | |