LCZ-NT4-WS 1.1 16 May 2009 This document specifies generic technical security policy for implementations of Microsoft Windows NT4.0, and applies to workstation implementations that are part of a domain. 1.1 16 May 2009 FOD Revised for re-release 1.0 05 February 2003 LCZ Initial Draft for public release 2001200220032009 Frank O'Dwyer To specify a baseline configuration for implementations of <trademark>Microsoft</trademark> <trademark>Windows</trademark> NT4.0 workstations. To provide guidance to administators, developers and security personnel in securely implementing <trademark>Microsoft</trademark> <trademark>Windows</trademark> NT4.0 workstations. Controls specified in this document apply to workstation implementations of NT4.0 that are part of a domain. All of the organisation's NT4.0 information systems will be subject to the policies specified within this generic security standard. The policies will be applied to new and existing installations. Compliance with this standard will not provide in depth security architecture or intelligent security design guidance to projects. As a consequence, for high impact or safety-critical business applications, additional guidance will still need to be sought from the Information Security team consultancy function. This is a workstation standard. Controls specific to server or domain controller implementations are not defined here but will be the subject of additional standards. This document should also be read in conjunction with the NT 4 generic security standard, which specifies controls applicable to all NT4 implementations. Compliance with this standard does not negate the need for an overall security review of a proposed application. Contact the Information Security team if you are in doubt. An Information Asset equates to any computerised information system or component thereof and thus includes an application, an item of off the shelf software, hardware, media, a data item, a data item repository and associated communications networks. The specification of the Information Asset in question will usually be given so that this document is unambiguous, except where a control relates to any Information Asset. The use of must or will indicates what the author considers to be a mandatory control. However, whether the controls listed here are mandatory for your organisation is entirely at your organisation's discretion and thus they should be interpreted as representing the strongest recommendation of the author. The use of should or recommended or ought indicates that the author believe that the controls in question are worthwhile and should be implemented unless such an implementation is impossible, onerous or impractical. Again, the implementation of controls so recommended in this document is entirely at your organisation's discretion. The user right, access this computer from network should be available to everyone Is the user right, access this computer from network, available to everyone? Ensure that the everyone group holds the user access right, access this computer from the network. Business information and applications may be unavailable. Show common program groups Are common program groups shown? Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Disable run on the file menu Is run disabled on the file menu? The standard workstation image should be built with this option unavailable Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.