
Computer Configuration Security Policy

Windows 10
Version 1.0

PT xxxxxxxx

Document History

Version | Date | Description
V 1.0 | Xxxxx | Creation of the Windows 10 Computer Configuration Security Policy document

Prepared by

Xxxxxx

Xxxxxxxxx

Approved by

Xxxxxx

xxxxxxxxx
1.2.1) Password Policy: How To > Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

Enforce password history | 9 passwords remembered
Maximum password age | 90 days
Minimum password age | 1 day
Minimum password length | 10 characters
Password must meet complexity requirements | Enabled
Store passwords using reversible encryption | Disabled

1.2.2) Account Lockout Policy: How To > Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy

Account lockout duration | 30 minutes (Account is locked out until administrator unlocks it)
Account lockout threshold | 5 invalid logon attempts
Reset account lockout counter after | 30 minutes

1.2.3) Group list and members

Administrators | One active local administrator; built-in administrator disabled (password expired)
Users | Local user (password expired)
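The following PowerShell is an added example, not part of the policy document, that verifies sections 1.2.1 to 1.2.3 on a Windows 10 host. It assumes an elevated prompt, the documented `[System Access]` key names of a `secedit` export, and that the "until administrator unlocks" variant of the lockout duration would export as -1 rather than 30.

```powershell
# Added example (not from the policy document): compare the effective
# account policy and local Administrators membership with 1.2.1-1.2.3.
# Run in an elevated PowerShell prompt on the Windows 10 host being checked.

# secedit exports the effective security template as an INF file; the
# [System Access] key names below are the documented ones.
$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /quiet | Out-Null
$cfg = @{}
Get-Content $inf | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $cfg[$Matches[1]] = $Matches[2] }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Expected values from 1.2.1 and 1.2.2. PasswordComplexity 1 = enabled,
# ClearTextPassword 0 = reversible encryption disabled. LockoutDuration is
# 30 per the table; "locked until an administrator unlocks" exports as -1.
$baseline = [ordered]@{
    PasswordHistorySize   = 9
    MaximumPasswordAge    = 90
    MinimumPasswordAge    = 1
    MinimumPasswordLength = 10
    PasswordComplexity    = 1
    ClearTextPassword     = 0
    LockoutBadCount       = 5
    ResetLockoutCount     = 30
    LockoutDuration       = 30
}
foreach ($k in $baseline.Keys) {
    $actual = $cfg[$k]
    $state = if ("$actual" -eq "$($baseline[$k])") { 'OK  ' } else { 'FAIL' }
    '{0} {1,-22} expected {2,-4} actual {3}' -f $state, $k, $baseline[$k], $actual
}

# 1.2.3: the built-in Administrator (RID 500) must be disabled, and exactly
# one enabled local account may be a member of Administrators.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
$state = if (-not $builtin.Enabled) { 'OK  ' } else { 'FAIL' }
'{0} built-in administrator "{1}" enabled={2}' -f $state, $builtin.Name, $builtin.Enabled

$admins = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }
$activeAdmins = foreach ($m in $admins) {
    $u = Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue
    if ($u -and $u.Enabled) { $u.Name }
}
$state = if (@($activeAdmins).Count -eq 1) { 'OK  ' } else { 'FAIL' }
'{0} active local administrators: {1}' -f $state, (@($activeAdmins) -join ', ')
```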

1.3) System Operations and Administration

1.3.1) Audit Policy: How To > Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Advanced Audit Policy Configuration\System Audit Policies\Account Logon

Audit Credential Validation | Success, Failure

1.3.2) Audit Policy: How To > Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Advanced Audit Policy Configuration\System Audit Policies\Account Management

Audit Other Account Management Events | Success, Failure
Audit Security Group Management | Success, Failure
Audit User Account Management | Success, Failure

1.3.3) Audit Policy: How To > Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Advanced Audit Policy Configuration\System Audit Policies\Detailed Tracking

Audit PNP Activity | Success
Audit Process Creation | Success

1.3.4) Audit Policy: How To > Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff

Audit Account Lockout | Success, Failure
Audit Group Membership | Success
Audit Logoff | Success
Audit Logon | Success, Failure
Audit Special Logon | Success

1.3.5) Audit Policy: How To > Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Advanced Audit Policy Configuration\System Audit Policies\Object Access

Audit Removable Storage | Success, Failure
Audit File Share | Success, Failure
Audit Other Object Access Events | Success, Failure

1.3.6) Audit Policy: How To > Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Advanced Audit Policy Configuration\System Audit Policies\Policy Change

Audit Audit Policy Change | Success, Failure
Audit Authentication Policy Change | Success
Audit Authorization Policy Change | Success

1.3.7) Audit Policy: How To > Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Advanced Audit Policy Configuration\System Audit Policies\Privilege Use

Audit Sensitive Privilege Use | Success, Failure

1.3.8) Audit Policy: How To > Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Advanced Audit Policy Configuration\System Audit Policies\System

Audit IPSec Driver | Success, Failure
Audit Other System Events | Success, Failure
Audit Security State Change | Success
Audit Security System Extension | Success, Failure
Audit System Integrity | Success, Failure

1.4) Logging: Event Logs file size: How To > Computer Configuration\Administrative Templates\Windows Components\Event Log Service\{Application}{Security}{System}{Setup}

Application Log | Maximum log size: 32768 KB | When maximum log size is reached: Overwrite events as needed
Security Log | Maximum log size: 196608 KB | When maximum log size is reached: Overwrite events as needed
System Log | Maximum log size: 32768 KB | When maximum log size is reached: Overwrite events as needed
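Added example, not part of the policy document: a PowerShell check of the audit subcategories in 1.3.1 to 1.3.8 and the log sizes in 1.4. It assumes an elevated prompt and an English system locale, since `auditpol` reports subcategory names in the OS language; a log larger than the stated size is treated as compliant.

```powershell
# Added example (not from the policy document): verify the advanced audit
# subcategories of 1.3.1-1.3.8 and the event log sizes of 1.4.
# Run elevated; auditpol and Get-WinEvent ship with Windows 10.

# Expected settings taken from the tables above, keyed by the subcategory
# name auditpol prints (English locale assumed).
$auditBaseline = [ordered]@{
    'Credential Validation'           = 'Success and Failure'
    'Other Account Management Events' = 'Success and Failure'
    'Security Group Management'       = 'Success and Failure'
    'User Account Management'         = 'Success and Failure'
    'Plug and Play Events'            = 'Success'
    'Process Creation'                = 'Success'
    'Account Lockout'                 = 'Success and Failure'
    'Group Membership'                = 'Success'
    'Logoff'                          = 'Success'
    'Logon'                           = 'Success and Failure'
    'Special Logon'                   = 'Success'
    'Removable Storage'               = 'Success and Failure'
    'File Share'                      = 'Success and Failure'
    'Other Object Access Events'      = 'Success and Failure'
    'Audit Policy Change'             = 'Success and Failure'
    'Authentication Policy Change'    = 'Success'
    'Authorization Policy Change'     = 'Success'
    'Sensitive Privilege Use'         = 'Success and Failure'
    'IPsec Driver'                    = 'Success and Failure'
    'Other System Events'             = 'Success and Failure'
    'Security State Change'           = 'Success'
    'Security System Extension'       = 'Success and Failure'
    'System Integrity'                = 'Success and Failure'
}

# "auditpol /r" emits CSV with "Subcategory" and "Inclusion Setting" columns.
$effective = @{}
auditpol /get /category:* /r | ConvertFrom-Csv | ForEach-Object {
    $effective[$_.Subcategory] = $_.'Inclusion Setting'
}
foreach ($sub in $auditBaseline.Keys) {
    $actual = $effective[$sub]
    $state = if ($actual -eq $auditBaseline[$sub]) { 'OK  ' } else { 'FAIL' }
    '{0} {1,-32} expected "{2}" actual "{3}"' -f $state, $sub, $auditBaseline[$sub], $actual
}

# 1.4: minimum sizes in KB; all three logs must overwrite as needed, which
# the Event Log service reports as LogMode "Circular".
$logBaseline = @{ Application = 32768; Security = 196608; System = 32768 }
foreach ($name in $logBaseline.Keys) {
    $log = Get-WinEvent -ListLog $name
    $kb = [int]($log.MaximumSizeInBytes / 1KB)
    $ok = ($kb -ge $logBaseline[$name]) -and ($log.LogMode -eq 'Circular')
    $state = if ($ok) { 'OK  ' } else { 'FAIL' }
    '{0} {1,-11} max {2} KB (expected {3} KB), mode {4}' -f $state, $name, $kb, $logBaseline[$name], $log.LogMode
}
```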

1.5) Security Options: How To > Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Accounts: Administrator account status | Disabled
Accounts: Block Microsoft accounts | Users can't add Microsoft accounts
Accounts: Guest account status | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled
Accounts: Rename administrator account | dbsadmin
Accounts: Rename guest account | W01guest
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled
Domain member: Disable machine account password changes | Disabled
Domain member: Maximum machine account password age | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Enabled
Interactive logon: Machine inactivity limit | 900 seconds
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 10 logons
Interactive logon: Prompt user to change password before expiration | 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled
Interactive logon: Smart card removal behavior | Lock Workstation
Microsoft network server: Amount of idle time required before suspending session | 15 minutes
Microsoft network server: Disconnect clients when logon hours expire | Enabled
Microsoft network client: Digitally sign communications (always) | Enabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled
Microsoft network server: Digitally sign communications (always) | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled
Microsoft network server: Server SPN target name validation level | Accept if provided by client
Network access: Allow anonymous SID/Name translation | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled
Network access: Do not allow storage of passwords and credentials for network authentication | Enabled
Network access: Let Everyone permissions apply to anonymous users | Disabled
Network access: Named Pipes that can be accessed anonymously | (None)
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled
Network access: Shares that can be accessed anonymously | (None)
Network access: Sharing and security model for local accounts | Classic – Local users authenticate as themselves
Network security: Allow Local System to use computer identity for NTLM | Enabled
Network security: Allow LocalSystem NULL session fallback | Disabled
Network security: Allow PKU2U authentication requests to this computer to use online identities | Disabled
Network security: Configure encryption types allowed for Kerberos | Enabled: RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future Encryption Types
Network security: Do not store LAN Manager hash value on next password change | Enabled
Network security: Force logoff when logon hours expire | Enabled
Network security: LAN Manager authentication level | Send NTLMv2 Response only. Refuse LM and NTLM
Network security: LDAP client signing requirements | Negotiate Signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require NTLMv2 session security, Require 128-bit encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require NTLMv2 session security, Require 128-bit encryption
Recovery console: Allow automatic administrative logon | Disabled
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled
System objects: Require case insensitivity for non-Windows subsystems | Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled
User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop
User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials
User Account Control: Detect application installations and prompt for elevation | Enabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled
User Account Control: Run all administrators in Admin Approval Mode | Enabled
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled

1.6) User Rights: How To > Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Access Credential Manager as a trusted caller | Not Defined
Access this computer from the network | Administrators, Authenticated Users
Act as part of the operating system | (None)
Adjust memory quotas for a process | Administrators, Local Service, Network Service
Allow log on locally | Administrators, Users
Back up files and directories | Administrators
Change the system time | LOCAL SERVICE, Administrators
Create a pagefile | Administrators
Create a token object | (None)
Create global objects | Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE
Create permanent shared objects | (None)
Create symbolic links | Administrators
Debug programs | Administrators
Deny access to this computer from the network | Guests
Deny log on as a batch job | Guests
Deny log on as a service | Guest
Deny log on locally | Guests
Deny log on through Remote Desktop Services | Guests
Enable computer and user accounts to be trusted for delegation | (None)
Force shutdown from a remote system | Administrators
Generate security audits | Network Service, Local Service
Impersonate a client after authentication | Administrators, SERVICE, Local Service, Network Service
Increase scheduling priority | Administrators
Load and unload device drivers | Administrators
Lock pages in memory | (None)
Manage auditing and security log | Administrators
Modify an object label | (None)
Modify firmware environment values | Administrators
Perform volume maintenance tasks | Administrators
Profile single process | Administrators
Replace a process level token | Network Service, Local Service
Restore files and directories | Administrators
Take ownership of files or other objects | Administrators

1.7) Other settings

Each Group Policy path below is followed by the settings configured under it (Setting | Value).

Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings
Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services | Set to Disable

Computer Configuration\Administrative Templates\Network\Lanman Workstation
Enable insecure guest logons | Set to Disable

Computer Configuration\Administrative Templates\Network\Network Connections
Prohibit use of Internet Connection Sharing on your DNS domain network | Set to Enable

Computer Configuration\Administrative Templates\Network\Network Provider
Hardened UNC Paths | Set to Enable and show the following configured in Hardened UNC Paths:
    Value Name: \\*\SYSVOL   Value: RequireMutualAuthentication=1, RequireIntegrity=1
    Value Name: \\*\NETLOGON Value: RequireMutualAuthentication=1, RequireIntegrity=1

Computer Configuration\Administrative Templates\Network\SSL Configuration Settings
ECC Curve Order | Set to Enable with "ECC Curve Order": NistP384, NistP256

Computer Configuration\Administrative Templates\Network\Windows Connection Manager
Minimize the number of simultaneous connections to the Internet or a Windows Domain | Set to Enable
Prohibit connection to non-domain networks when connected to domain authenticated network | Set to Enable

Computer Configuration\Administrative Templates\System\Audit Process Creation
Include command line in process creation events | Set to Enable

Computer Configuration\Administrative Templates\System\Credentials Delegation
Remote host allows delegation of non-exportable credentials | Set to Enable

Computer Configuration\Administrative Templates\System\Group Policy
Configure registry policy processing | Set to Enable; select "Process even if the Group Policy objects have not changed"

Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
Turn off downloading of print drivers over HTTP | Set to Enable
Turn off Internet download for Web publishing and online ordering wizards | Set to Enable
Turn off printing over HTTP | Set to Enable

Computer Configuration\Administrative Templates\System\Remote Assistance
Configure Solicited Remote Assistance | Set to Disable

Computer Configuration\Administrative Templates\System\Logon
Enumerate local users on domain-joined computers | Set to Disable
Turn on convenience PIN sign-in | Set to Enable
Do not display network selection UI | Set to Enable

Computer Configuration\Administrative Templates\System\Mitigation Options
Untrusted Font Blocking | Set to Enable, block untrusted fonts and log events

Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings
Require a password when a computer wakes (on battery) | Set to Enable
Require a password when a computer wakes (plugged in) | Set to Enable

Computer Configuration\Administrative Templates\System\Remote Procedure Call
Enable RPC Endpoint Mapper Client Authentication | Set to Enable
Restrict Unauthenticated RPC clients | Set to Enable, Authenticated

Computer Configuration\Administrative Templates\Windows Components\App Runtime
Allow Microsoft accounts to be optional | Set to Enable

Computer Configuration\Administrative Templates\Windows Components\RSS Feeds
Prevent downloading of enclosures | Set to Enable
Turn on Basic feed authentication over HTTP | Set to Disable

Computer Configuration\Administrative Templates\Windows Components\Search
Allow indexing of encrypted files | Set to Disable

Computer Configuration\Administrative Templates\Windows Components\Windows Installer
Allow user control over installs | Set to Disable
Always install with elevated privileges | Set to Disable
Prevent Internet Explorer security prompt for Windows Installer scripts | Set to Disable

Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options
Sign-in last interactive user automatically after a system-initiated restart | Set to Disable

Computer Configuration\Administrative Templates\Windows Components\Application Compatibility
Turn off Inventory Collector | Set to Enable

Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies
Set the default behavior for AutoRun | Set to Enable / Do not execute any autorun commands
Turn off Autoplay | Set to Enable
Disallow Autoplay for non-volume devices | Set to Enable

User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications
Turn off toast notifications on the lock screen | Set to Enable

Computer Configuration\Administrative Templates\Windows Components\Cloud Content
Turn off Microsoft consumer experiences | Set to Enable

Computer Configuration\Administrative Templates\Windows Components\Credential User Interface
Enumerate administrator accounts on elevation | Set to Disable

Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization
Download Mode | Set to Not Configured

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client
Do not allow passwords to be saved | Set to Enable

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection
Do not allow drive redirection | Set to Enable

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
Always prompt for password upon connection | Set to Enable
Require secure RPC communication | Set to Enable
Set client connection encryption level | Set to Enable and High Level

User Configuration\Administrative Templates\Control Panel\Personalization
Enable screen saver | Set to Enable
Password protect the screen saver | Set to Enable
Screen Saver time out | Set to Enable (15 minutes)

Computer Configuration\Administrative Templates\Control Panel\Personalization
Prevent enabling lock screen camera | Set to Enable
Prevent enabling lock screen slide show | Set to Enable

Computer Configuration\Administrative Templates\Windows Components\File Explorer
Turn off Data Execution Prevention for Explorer | Set to Disable
Turn off heap termination on corruption | Set to Disable
Turn off shell protocol protected mode | Set to Disable

User Configuration\Administrative Templates\Windows Components\Attachment Manager
Do not preserve zone information in file attachments | Set to Disable

User Configuration\Administrative Templates\Windows Components\Microsoft Edge
Allow clearing browsing data on exit | Set to Disable
Allow InPrivate browsing | Set to Disable
Configure Password Manager | Set to Disable

Computer Configuration\Administrative Templates\Windows Components\Windows Game Recording and Broadcasting
Enables or disables Windows Game Recording and Broadcasting | Set to Disable

User Configuration\Administrative Templates\Windows Components\Windows PowerShell
Turn on PowerShell Script Block Logging | Set to Enable

Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client
Allow Basic authentication | Set to Disable
Allow unencrypted traffic | Set to Disable
Disallow Digest authentication | Set to Enable

Computer Configuration\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service
Allow Basic authentication | Set to Disable
Allow unencrypted traffic | Set to Disable
Disallow WinRM from storing RunAs credentials | Set to Enable
Removable storage settings

System Value/Parameter | Agreed Setting | How to Implement
All rows are implemented under Configuration/Administrative Template/System/Removable Storage Access.

All Removable Storage Classes: Deny All access | Enabled
Removable Storage Disks: Deny read access | Enabled
Removable Storage Disks: Deny write access | Enabled
CD and DVD: Deny read access | Enabled
CD and DVD: Deny write access | Enabled
Floppy Drives: Deny read access | Enabled
Floppy Drives: Deny write access | Enabled
Tape Drives: Deny read access | Enabled
Tape Drives: Deny write access | Enabled
WPD Devices: Deny read access | Enabled
WPD Devices: Deny write access | Enabled

USB storage

System Value/Parameter | DBS Agreed Setting | How to Implement
USB Storage must be set to Deny | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor: Set REG_DWORD: 4 (Dec)
 | %SystemRoot%\Inf\Usbstor.pnf and %SystemRoot%\Inf\Usbstor.inf: Grant only to Administrators; Deny to SYSTEM Group
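Added example, not part of the policy document, covering 1.5, 1.7 and the USB storage table: a PowerShell check of the registry values that back a representative subset of those Group Policy items. The value names and data are the well-known registry equivalents of the named policies, not taken from the document, and the USBSTOR `Start` value is assumed to be the REG_DWORD the USB table refers to; Script Block Logging is checked in the machine hive although the table places it under User Configuration. Run from an elevated prompt.

```powershell
# Added example (not from the policy document): verify registry-backed
# settings from 1.5, 1.7 and the USB storage table. Value names/data are the
# well-known registry equivalents of the policies (assumed), a representative
# subset rather than every row. Run elevated on the Windows 10 host.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'

$checks = @(
    # 1.5 Security Options
    @{ Path=$lsa; Name='LmCompatibilityLevel';      Expect=5; Item='LAN Manager auth level: NTLMv2 only, refuse LM and NTLM' },
    @{ Path=$lsa; Name='NoLMHash';                  Expect=1; Item='Do not store LAN Manager hash value' },
    @{ Path=$lsa; Name='RestrictAnonymous';         Expect=1; Item='No anonymous enumeration of SAM accounts and shares' },
    @{ Path=$lsa; Name='RestrictAnonymousSAM';      Expect=1; Item='No anonymous enumeration of SAM accounts' },
    @{ Path=$lsa; Name='EveryoneIncludesAnonymous'; Expect=0; Item='Everyone permissions do not apply to anonymous users' },
    @{ Path="$lsa\MSV1_0"; Name='NTLMMinClientSec'; Expect=0x20080000; Item='NTLM SSP clients: NTLMv2 session security, 128-bit' },
    @{ Path="$lsa\MSV1_0"; Name='NTLMMinServerSec'; Expect=0x20080000; Item='NTLM SSP servers: NTLMv2 session security, 128-bit' },
    @{ Path=$uac; Name='InactivityTimeoutSecs';      Expect=900; Item='Machine inactivity limit 900 seconds' },
    @{ Path=$uac; Name='EnableLUA';                  Expect=1;   Item='Run all administrators in Admin Approval Mode' },
    @{ Path=$uac; Name='FilterAdministratorToken';   Expect=1;   Item='Admin Approval Mode for built-in Administrator' },
    @{ Path=$uac; Name='ConsentPromptBehaviorAdmin'; Expect=2;   Item='Admins: prompt for consent on the secure desktop' },
    @{ Path=$uac; Name='ConsentPromptBehaviorUser';  Expect=3;   Item='Standard users: prompt for credentials' },
    # 1.7 Other settings (hardened path data is a REG_SZ as typed in the GPO editor)
    @{ Path="$pol\NetworkProvider\HardenedPaths"; Name='\\*\SYSVOL';   Expect='RequireMutualAuthentication=1, RequireIntegrity=1'; Item='Hardened UNC path \\*\SYSVOL' },
    @{ Path="$pol\NetworkProvider\HardenedPaths"; Name='\\*\NETLOGON'; Expect='RequireMutualAuthentication=1, RequireIntegrity=1'; Item='Hardened UNC path \\*\NETLOGON' },
    @{ Path="$uac\Audit"; Name='ProcessCreationIncludeCmdLine_Enabled'; Expect=1; Item='Include command line in process creation events' },
    @{ Path="$pol\PowerShell\ScriptBlockLogging"; Name='EnableScriptBlockLogging'; Expect=1; Item='PowerShell Script Block Logging (machine hive)' },
    @{ Path="$pol\WinRM\Client";  Name='AllowBasic';              Expect=0; Item='WinRM client: Basic authentication disabled' },
    @{ Path="$pol\WinRM\Client";  Name='AllowUnencryptedTraffic'; Expect=0; Item='WinRM client: unencrypted traffic disabled' },
    @{ Path="$pol\WinRM\Service"; Name='AllowBasic';              Expect=0; Item='WinRM service: Basic authentication disabled' },
    @{ Path="$pol\WinRM\Service"; Name='AllowUnencryptedTraffic'; Expect=0; Item='WinRM service: unencrypted traffic disabled' },
    @{ Path="$pol\WinRM\Service"; Name='DisableRunAs';            Expect=1; Item='WinRM service: RunAs credentials not stored' },
    # USB storage table: Start = 4 (disabled) on the USBSTOR driver service
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'; Name='Start'; Expect=4; Item='USB storage driver (USBSTOR) disabled' }
)

foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    # A missing value means the policy was never applied, so it is a FAIL too.
    $ok = ($null -ne $actual) -and ("$actual".Trim() -eq "$($c.Expect)".Trim())
    $state = if ($ok) { 'OK  ' } else { 'FAIL' }
    '{0} {1,-56} expected {2} actual {3}' -f $state, $c.Item, $c.Expect, $actual
}
```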

Additional settings for Health Check (twice a year)

Antivirus -> automatic update, scheduled automatic scan

Windows update and patches history -> automatic update

Web filtering -> block internet access to web mail (Hotmail, Yahoo, Gmail, and others), storage websites (Box, Mega, Dropbox, iCloud, and others), and social media (Facebook, Google+, and others)

Windows properties

Email settings

Example of sensitive data transfer (encrypted)

Screen saver lock duration

Shared folder -> IPC$

Software installed -> *xxxxxx replace according to the computer xxxxx*

Last password change date (net user in CMD)
