msc files.Įnabled (recommended): Keeps "Run As Different User" from appearing in the context menu when the user holds Shift while right-clicking on a. This setting controls whether "Run As Different User" appears on the Shift+RightClick context menu for. Remove "Run As Different User" from context menus For more information, see Įnable LSA protection. For this setting to work on Windows 7, Windows 8, Windows Server 2008 R2 or Windows Server 2012, KB2871997 must first be installed.Įnable auditing of Lsass.exe to evaluate feasibility of enabling LSA protection.
#Windows server 2008 security guide update
Update KB2871997 must first be installed to disable WDigest authentication using this setting in Windows 7, Windows 8, Windows Server 2008 R2 and Windows Server 2012.ĭisabled (recommended): Disables WDigest authentication. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2 it is enabled by default in earlier versions of Windows and Windows Server. Microsoft recommends disabling WDigest authentication unless it is needed. When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. WDigest Authentication (disabling may require KB2871997) įor more information about LocalAccountTokenFilterPolicy, see.
#Windows server 2008 security guide full
This is the default behavior for Windows.ĭisabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1.įor more information about local accounts and credential theft, see "Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques". For each credential, Microsoft recommends students possess a good understanding of network fundamentals and knowledge of server hardware before beginning their studies. This configures the LocalAccountTokenFilterPolicy registry value to 0. There’s also an MCSA: Windows Server 2008, but most professionals will aim to achieve certifications aligning to more modern versions of Windows Server. Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. Enabling this policy significantly reduces that risk.Įnabled (recommended): Applies UAC token-filtering to local accounts on network logons. Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.).
Apply UAC restrictions to local accounts on network logons
0 kommentar(er)
