Keeping up to date on patches and security updates isn’t always enough to make Windows as secure an environment as you’d like. Three steps you can take to make your desktops more secure are clearing the pagefile on shutdown, disabling guest access to event logs, and preventing users from changing their passwords until prompted. Not every organization will want to take these steps, but, depending on your situation and the type of business you do, these can be good security options.
Clearing the pagefile
When Windows writes memory data to the pagefile, it can contain sensitive information that you don’t want to be accessible on the disk, including passwords. If anyone in your organization works with sensitive information, clearing the pagefile on that desktop is an important step to take to ensure that data isn’t accessible to unauthorized users.
By modifying a registry setting, you can have Windows clear the pagefile on shutdown. This will wipe data written to disk and prevent sensitive files from being accessible. However, the system may take longer to shut down because the computer must write to each page in the pagefile to erase the data contained in it.
To clear the pagefile each time Windows is shut down, perform the following steps:
- Run Regedit.
- Locate the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management.
- Set the value for ClearPageFileAtShutdown to 1.
If the value doesn't exist, add the following:
- Value Name: ClearPageFileAtShutdown
- Value Type: REG_DWORD
- Value: 1
You must restart the computer for the setting to take effect.
Because this may lengthen the shutdown time, you may want to give the setting a trial period to see how it works out. If shutdown takes an excessively long time, you may want to change the value for the setting back to 0. But if securing sensitive data is critical to your organization, slow shutdowns may be something you’re willing to live with. For additional information, see Microsoft Knowledge Base article 182086.
Restricting event log access
The default access setting for Windows event logs allows guest and anonymous users to view them. This can make sensitive data openly accessible to users who should not be able to view it. A simple tweak of the registry, however, can rectify the possible security opening. You can block guest and anonymous users from viewing event logs by performing the following steps:
- Run Regedit.
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog.
- Select the Application folder under EventLog.
- On the menu bar, choose Edit | New | DWORD Value.
- Type RestrictGuestAccess and press [Enter].
- Double-click the new RestrictGuestAccess entry.
- In the Edit DWORD Value dialog box, type 1.
- Repeat the previous steps to create the same DWORD entry in the Security and System subkey folders.
This will prevent unauthorized users from having access to sensitive information stored in event logs, information that might be used to gain access to other locations or files that should be secure.
Locking down password changes
Another step you can take to improve security and also cut down on help desk calls is to prevent users from changing their passwords until prompted to do so when the password expires. This may not seem like a necessary security measure, but consider what could happen if a user’s password were stolen or hacked. The unauthorized user could then immediately change the user’s password and effectively lock that person out of the network. By preventing such password changes, you can thwart hackers or others from hijacking user accounts and you can also cut down on the number of calls the help desk receives from users who have changed their passwords and forgotten the new one.
There are two different ways you can lock down users from changing their passwords unless prompted by Windows—individually via a registry setting or globally via a Group Policy setting.
Perform the following steps to require a system prompt for password changes for a group of users:
- Start the Microsoft Management Console (MMC) by choosing Start | Run, typing mmc, and clicking OK.
- On the File menu, choose Add/Remove Snap-in | Add | Active Directory Users and Computers | Add.
- Click Close and then OK. The left pane will display the new snap-in.
- Expand the snap-in, select the group to which the policy applies, right-click, and choose Properties.
- On the Group Policy tab, select the Group Policy Object and click Edit. If no policies are listed, click New to create a new policy and then click Edit.
- Expand the policy folder and then expand the subfolders down to System.
- Select Logon/Logoff.
- Right-click the Disable Change Password policy and then choose Properties.
- On the Policy tab, select the Enabled option and then click OK.
- Close the Group Policy window and then close the console.
- At the command prompt, type the following:
Secedit /refreshpolicy user_policy /enforce
- Press [Enter].
To enforce the same password policy for individual users, perform the following procedures to configure the option in the registry:
- Run the Registry Editor.
- Navigate to the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies.
- Click the System key. If the System key does not exist, create it by choosing Edit | New and then selecting Key. This will create a new folder called New Key #1. Rename the key to System.
- Select the System and then choose Edit | New | DWORD Value.
- Type DisableChangePassword.
- Press [Enter].
- Double-click the new key.
- Change the value setting to 1.
- Click OK.
- Close Regedit.
For additional details on setting this password policy, see Microsoft Knowledge Base article 309799.
These tips are simple steps you can take to restrict access to sensitive data and better secure your network. They take little time and effort to implement and can protect your organization’s data.