There are certain tweaks that you should not make. Nevertheless, you see them recommended in various sources. It is worth mentioning these and why you should not make them.
We discussed account lockout at length in Chapter 11, so we do not go into depth about it here. However, account lockout will almost certainly increase your help desk cost significantly. In addition, it only protects accounts that have bad passwords. You would be better off getting rid of guessable passwords.
FullPrivilegeAuditing, or "Audit: Audit the use of Backup and Restore privilege" in Group Policy, configures the system to audit all file access even when it is performed by a backup program. This setting is one of several "blow up my event logs" settings that will simply fill your event logs with a large amount of mostly useless information that you probably do not care about anyway.
CrashOnAuditFail, or "Audit: Shut down system immediately if unable to log security audits" in Group Policy, causes your system to crash if it cannot log security events. This setting is designed for military intelligence environments and should not be used on the vast majority of systems. Use the feature built into the OS to alert an administrator when the event logs reach a certain threshold and then go archive them instead. Better yet, get an event log collection system and use it to archive event logs. By the time you read this, Microsoft will hopefully have released its Audit Collection System (ACS), which provides this functionality.
Many of the security guides out there recommend disabling cached credentials on all machines. As explained in Chapter 11, you should consider this carefully, especially on laptops. There is no real problem with disabling them on servers and desktops. However, if you disable them on laptops, you will break domain logon while disconnected from a domain. That means users will have to log on with a local account instead. Not only will this make them irate because their resources no longer show up, but in most cases we have seen they will use the Administrator account, which will (hopefully) degrade security since their domain account is not a local administrator. (It isn't, is it?) Even if they use a local non-admin account, the chances they will use the same password as on their domain account are significant, which means the password is much more exposed than through cached credentials. Be careful where you turn this setting on.
Many administrators want to have the system clear the page file on shutdown to avoid attackers sniffing through it for interesting data in case the system is stolen. Although we have no problem in principle with this, you really have to ask yourself how likely it is that they will actually (a) steal the system, (b) find something interesting, and (c) actually be able to tell that it is interesting. OK, if you are up against a foreign intelligence service, the answers to these questions may dictate that you should clear the page file. If they do, you still need to consider shutdown times, however. It could take up to an additional 40 minutes to clear the page file at shutdown. Do you really want your laptop to take an additional 40 minutes to shut down after the flight attendants announce that "we have now reached an altitude where portable electronic devices may no longer be used"?
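As an added example that is not from the book: a PowerShell check that reports whether any of the tweaks discussed above are set on the local machine, applying the laptop-versus-desktop distinction for cached credentials. The registry locations and the chassis-type test for portable machines are assumptions from general Windows knowledge; the text names only the settings themselves.

```powershell
# Added example: report the "don't do this" tweaks from the text that are set locally.
# Registry paths and SMBIOS chassis codes are assumptions, not taken from the book.
# Run from an elevated PowerShell prompt.

$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$memMgmt  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: the OS default applies
}

# Portable form factors (assumed SMBIOS chassis types: laptop, notebook, sub-notebook, tablet, etc.)
$chassis  = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
$isLaptop = @($chassis | Where-Object { $_ -in 8,9,10,11,12,13,14,30,31,32 }).Count -gt 0

$findings = @()

# FullPrivilegeAuditing is REG_BINARY; a first byte of 1 means every backup/restore file access is audited.
$fpa = Get-RegValue $lsa 'FullPrivilegeAuditing'
if ($fpa -and $fpa[0] -eq 1) {
    $findings += 'FullPrivilegeAuditing is enabled: backup and restore activity will flood the Security log.'
}

# CrashOnAuditFail: 1 = halt when the Security log cannot be written; 2 = already halted once.
$coaf = Get-RegValue $lsa 'CrashOnAuditFail'
if ($coaf -ge 1) {
    $findings += "CrashOnAuditFail = $coaf: the system halts if security events cannot be logged."
}

# CachedLogonsCount is stored as REG_SZ (default 10). Zero only causes trouble on portable machines.
$cached = Get-RegValue $winlogon 'CachedLogonsCount'
if ($null -ne $cached -and [int]$cached -eq 0 -and $isLaptop) {
    $findings += 'CachedLogonsCount = 0 on a laptop: domain logon breaks while disconnected from the domain.'
}

# ClearPageFileAtShutdown = 1 adds a potentially very long wait to every shutdown.
$clearPf = Get-RegValue $memMgmt 'ClearPageFileAtShutdown'
if ($clearPf -eq 1) {
    $findings += 'ClearPageFileAtShutdown = 1: expect slow shutdowns; justify this against your threat model.'
}

if ($findings.Count -eq 0) { 'None of the tweaks discussed above are set on this machine.' }
else { $findings | ForEach-Object { "WARNING: $_" } }
```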