
    csrss.exe       Client Server Subsystem
    winlogon.exe    The logon process
    services.exe    The main service handler process
    pstores.exe     Protected storage
    lsass.exe       Local Security Authority
    rpcss.exe       The RPC end-point mapper
    explorer.exe    The Explorer GUI
    loadwc.exe      Explorer related
    nddeagnt.exe    Explorer related

Encrypt the system accounts database

Run the syskey.exe utility (with the key on disk option). This will provide protection against password cracking tools like L0pht Crack (http://www.l0pht.com/).

Apply policies and ACLs

Run the Microsoft Security Configuration Editor (SCE) in command line mode. This tool is included in the same archive as this document. This tool is a part of the service pack 4 CD. Our configuration file is called bastion.inf. This file is an ASCII text file. You can take a look at it in your favorite editor, but it’s best viewed with the SCE Microsoft Management Console snap-in.

    C:> secedit /configure /cfg bastion.inf /db %TEMP%\secedit.sdb /verbose /log %TEMP%\scelog.txt

This will make a number of changes to your configuration. Here is a summary of the most significant changes:

Account policies

  Password policy

    Enforce password uniqueness by remembering last passwords    6
    Minimum password age                                         2
    Maximum password age                                         42
    Minimum password length                                      10
    Complex passwords (passfilt.dll)                             Enabled
    User must logon to change password                           Enabled

  Account lockout policy

    Account lockout count                                        5
    Lockout account time                                         Forever
    Reset lockout count after                                    720 mins

Local policies

  Audit policy

    Audit account management                                     Success, Failure
    Audit logon events                                           Success, Failure
    Audit object access                                          Failure
    Audit policy change                                          Success, Failure
    Audit privilege use                                          Failure
    Audit process tracking                                       No auditing
    Audit system events                                          Success, Failure

  User rights assignment

    SeAssignPrimaryTokenPrivilege                                No one
    SeAuditPrivilege                                             No one
    SeBackupPrivilege                                            Administrators
    SeCreatePagefilePrivilege                                    Administrators
    SeCreatePermanentPrivilege                                   No one
    SeCreateTokenPrivilege                                       No one
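
To confirm that a template or an exported configuration still carries the account and audit policy values summarised above, the settings can be compared key by key. The following is an added example, not part of the original document or of bastion.inf; the INF key names, the value encodings and the names BASELINE_INF, audit_template and SAMPLE are assumptions made for illustration.

```python
import configparser

# Constructed template fragment holding the account and audit policy values
# summarised above; it is not the original bastion.inf. Key names and
# encodings are assumed template conventions: audit 0=none, 1=success,
# 2=failure, 3=both; LockoutDuration -1 = until an administrator unlocks.
BASELINE_INF = """\
[System Access]
PasswordHistorySize = 6
MinimumPasswordAge = 2
MaximumPasswordAge = 42
MinimumPasswordLength = 10
PasswordComplexity = 1
RequireLogonToChangePassword = 1
LockoutBadCount = 5
LockoutDuration = -1
ResetLockoutCount = 720
[Event Audit]
AuditAccountManage = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditProcessTracking = 0
AuditSystemEvents = 3
"""

def parse(inf_text):
    """Parse template text; only '=' separates a key from its value."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(inf_text)
    return cp

def audit_template(inf_text, baseline=BASELINE_INF):
    """Return (section, key, expected, found) per deviation; found is None if absent."""
    want, have = parse(baseline), parse(inf_text)
    findings = []
    for section in want.sections():
        for key, expected in want.items(section):
            found = have.get(section, key, fallback=None)
            if found != expected:
                findings.append((section, key, expected, found))
    return findings

# Constructed export with three deliberate deviations (one setting missing).
SAMPLE = (BASELINE_INF.replace("MinimumPasswordLength = 10", "MinimumPasswordLength = 6")
          .replace("AuditObjectAccess = 2", "AuditObjectAccess = 0")
          .replace("LockoutDuration = -1\n", ""))
```

Calling audit_template(SAMPLE) returns one tuple per setting that differs from the baseline, so an empty list means the checked values match.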