Skip to content Skip to site navigation Skip to service navigation

SWDE Installation Requirements for Windows

The following settings will be changed on your computer when you run the SWDE installer.

Requirement Set Enforce

1.1 BigFix installed

BigFix is Stanford's patch management system and is used to enforce settings. For more information see Stanford's BigFix web site.

Yes Yes

1.2 Stanford Anti-Malware installed

The most current version of Stanford Anti-Malware must be installed. Download from Essential Stanford Software

Yes No

2.1 LAN Manager hash disabled

Restricted Data setting: Prevents Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases.

Yes Yes

2.2 NTLM 2 authentication required

Restricted Data setting: Sets the "LMCompatibilityLevel" registry value to 5, the Stanford University standard for computers that are members of the campus WIN domain or that contain High Risk Data. Level 5 requires clients and servers both to use only NTLM 2 authentication, and to use NTLM 2 session security if the server supports it. For more information see How to enable NTLM 2 authentication (KB239869).

Yes Yes

2.3 Require a password when waking from sleep, hibernation, or screen saver

You will be required to enter your password when the computer wakes from sleep, hibernation or from a screen saver.

Yes Yes

2.4 Screen Saver

The screen saver will be configured to lock the screen after 15 minutes of user inactivity. If the computer will never be used to access High Risk Data, this period may be increased to 1 hour.

Yes Yes

3.1 Blank passwords allowed for console logon only

This setting controls whether or not local accounts with blank passwords can log on from the network. After this setting is applied, local accounts with blank passwords cannot be used to connect to the machine from across the network, via Windows Networking or Terminal Services.

Yes Yes

3.2 Digitally sign communications when possible

This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a connection will be allowed without a signature. The SMB server service will digitally sign communications when possible.

Yes Yes

3.4 NTLM security support provider (SSP) client

Specifies the minimum required security setting of client-side network connections for applications using the NTLM security support provider (SSP). Require 128-bit encryption, NTLMv2 session security, message confidentiality, and message integrity. The connection will fail unless 128-bit encryption and NTLMv2 session security are negotiated.

Yes Yes

3.5 NTLM security support provider (SSP) server

Specifies the minimum required security setting of server-side network connections for applications using the NTLM security support provider (SSP). Require 128-bit encryption, NTLMv2 session security, message confidentiality, and message integrity. The connection will fail unless 128-bit encryption and NTLMv2 session security are negotiated.

Yes Yes

3.6 Remote Desktop disabled

Restricted Data setting: Due to security concerns, Remote Desktop will be disabled on all new and redeployed computers, as well as all computers identified as having access to High Risk Data. However, if users require this functionality, they will be able to turn it on. In such cases, special attention must be paid to security issues such as establishing robust passwords, etc.

Yes No

3.7 Restrict anonymous connections

Restricted Data setting: This setting controls whether or not an anonymous user can connect to your machine over the network, and get a complete list of all its user accounts. This information makes it much easier for a malicious hacker to breach a system.

Yes Yes

3.8 RPC client authentication restrictions

RPC Interface Restrictions provide increased network protection that will make systems less vulnerable to attacks over the network. Restricts access to all RPC interfaces. All anonymous remote calls are rejected by the RPC runtime.

Yes Yes

4.1 Automatic Update enabled and run daily

Enables Windows Automatic Update, so that critical security patches may be automatically acquired from the Windows Update service.

Yes Yes

4.2 Network file sharing disabled

All existing local network shares, excluding hidden administrative shares, will be disabled, and any future sharing of files over a network will be prevented.

Yes No

4.3 Stanford Windows Infrastructure

Reports whether or not the computer is joined to the Stanford Windows Infrastructure.

No No
Last modified November 20, 2016