This article contains information on the security hardening of Cloud Server standard template images.

  1. Account Policies
    • Enforce password history: Disabled
    • Maximum password age: 90 days
    • Minimum password age: Disabled
    • Minimum password length: 9 characters
    • Password must meet complexity requirements: Enabled
    • Account lockout duration: 30 minutes
    • Account lockout threshold: Set to 6 attempts
    • Reset account lockout counter after: 15 minutes
  2. Detailed Security Auditing
    • Logon-Logoff: Logoff: Success
    • Privilege Use: Sensitive Privilege Use: No auditing
    • Policy Change: Audit Policy Change: Success and failure
    • Account Management: Other Account Management Events: Success
  3. Event Log
    • Application: Maximum Log Size (KB): Set to 350MB
    • Security: Maximum Log Size (KB): Set to 350MB
    • System: Maximum Log Size (KB): Set to 350MB
  4. Windows Firewall
    • Apply local connection security rules (Domain): Not configured
    • Apply local connection security rules (Private): Not configured
    • Apply local firewall rules (Domain): Not configured
    • Apply local firewall rules (Private): Not configured
    • Apply local firewall rules (Public): Not configured
    • Display a notification (Domain): Not defined
    • Display a notification (Private): Not defined
    • Display a notification (Public): Not configured
    • Protect all network connections (Domain): Enabled
    • Protect all network connections (Standard): Enabled
  5. Windows Update
  6. User Account Control
    • Admin Approval Mode for the Built-in Administrator account: Enabled
    • Behavior of the elevation prompt for administrators in Admin Approval Mode: Prompt for consent
    • Behavior of the elevation prompt for standard users: Automatically deny elevation requests
    • Detect application installations and prompt for elevation: Enabled
  7. User Rights
    • Access this computer from the network: Administrators, Authenticated Users
    • Shut down the system: Administrators
    • Deny log on through Terminal Services: Guests
  8. Security Options
    • Network security: Minimum session security for NTLM SSP based servers: Require NTLMv2 session security, Require 128-bit encryption
    • Network access: Remotely accessible registry paths and sub-paths: Not defined
    • Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
    • Network access: Named Pipes that can be accessed anonymously: Not defined
    • Accounts: Rename administrator account: "administratus"
    • Accounts: Rename guest account: "cirrus"
    • Devices: Restrict CD-ROM access to locally logged-on user only: Disabled
    • Devices: Restrict floppy access to locally logged-on user only: Disabled
    • Domain member: Require strong (Windows 2000 or later) session key: Enabled
    • Interactive logon: Do not display last user name: Enabled
    • Interactive logon: Do not require CTRL+ALT+DEL: Disabled
    • Interactive logon: Number of previous logons to cache: 0 logons
    • Interactive logon: Require Domain Controller authentication to unlock workstation: Enabled
    • Interactive logon: Message text for users attempting to log on: "This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials". 
    • Interactive logon: Message title for users attempting to log on: "Attention"
    • Microsoft network client: Digitally sign communications (always): Disabled
    • Microsoft network server: Digitally sign communications (always): Enabled
    • Microsoft network server: Digitally sign communications (if client agrees): Enabled
  9. Terminal Services
    • Always prompt client for password upon connection: Enabled
    • Set client connection encryption level: Enabled: High Level
  10. Internet Communication
    • Turn off the Windows Messenger Customer Experience Improvement Program: Enabled
  11. Additional Security Settings
    • Turn off Autoplay: Not configured
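
To check a server built from these templates against the Account Policies values and the renamed administrator and guest accounts listed above, the following added example (not part of the original article) parses the [System Access] section of a file produced by `secedit /export /cfg` and reports deviations. It assumes that "Disabled" for password history and minimum password age is exported as 0; the sample export is constructed.

```python
import re

# Expected values from "Account Policies" and the renamed accounts under
# "Security Options". Assumption: the two "Disabled" settings export as 0.
BASELINE = {
    "PasswordHistorySize": "0", "MinimumPasswordAge": "0",
    "MaximumPasswordAge": "90", "MinimumPasswordLength": "9",
    "PasswordComplexity": "1", "LockoutDuration": "30",
    "LockoutBadCount": "6", "ResetLockoutCount": "15",
    "NewAdministratorName": "administratus", "NewGuestName": "cirrus",
}

def parse_system_access(inf_text):
    """Return key -> value for the [System Access] section of a secedit export."""
    values, section = {}, None
    for raw in inf_text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and INF comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
        elif section == "System Access" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip().strip('"')
    return values

def check_baseline(inf_text):
    """Return sorted (setting, expected, found) tuples; found is None if absent."""
    found = parse_system_access(inf_text)
    return sorted((k, want, found.get(k)) for k, want in BASELINE.items()
                  if found.get(k) != want)

# Constructed sample export (not taken from a real server). A real export is
# UTF-16, so read it with open(path, encoding="utf-16").read().
SAMPLE = """[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 9
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 6
ResetLockoutCount = 15
LockoutDuration = 30
NewAdministratorName = "administratus"
NewGuestName = "Guest"
[Event Audit]
AuditPolicyChange = 3
"""
```

Calling `check_baseline(SAMPLE)` reports the two settings in the constructed sample that differ from the list above; a setting missing from the export is reported with a found value of `None`.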