Keeping up to date on patches and security updates isn't always enough to make Windows as secure an environment as you'd like. Three steps you can take to make your desktops more secure are clearing the pagefile on shutdown, disabling guest access to event logs, and preventing users from changing their passwords until prompted.
Not every organisation will want to take these steps, but, depending on your situation and the type of business you do, these can be good security options.
Clearing the pagefile
When Windows writes memory contents to the pagefile, that data can include sensitive information, such as passwords, that you don't want left accessible on the disk.
If anyone in your organisation works with sensitive information, clearing the pagefile on that desktop is an important step to take to ensure that data isn't accessible to unauthorised users.
By modifying a registry setting, you can have Windows clear the pagefile on shutdown. This will wipe data written to disk and prevent sensitive files from being accessible. However, the system may take longer to shut down because the computer must write to each page in the pagefile to erase the data contained in it.
To clear the pagefile each time Windows is shut down, perform the following steps:
- Run Regedit.
- Locate the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management.
- Set the value for ClearPageFileAtShutdown to 1.
If the value doesn't exist, add the following:
- Value Name: ClearPageFileAtShutdown
- Value Type: REG_DWORD
- Value: 1
You must restart the computer for the setting to take effect.
Because this may lengthen the shutdown time, you may want to give the setting a trial period to see how it works out. If shutdown takes an excessively long time, you may want to change the value for the setting back to 0. But if securing sensitive data is critical to your organisation, slow shutdowns may be something you're willing to live with. For additional information, see Microsoft Knowledge Base article 182086.
Restricting event log access
The default access setting for Windows event logs allows guest and anonymous users to view them. This can make sensitive data openly accessible to users who should not be able to view it.
A simple tweak of the registry, however, can rectify the possible security opening. You can block guest and anonymous users from viewing event logs by performing the following steps:
- Run Regedit.
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog.
- Select the Application folder under EventLog.
- On the menu bar, choose Edit | New | DWORD Value.
- Type RestrictGuestAccess and press [Enter].
- Double-click the new RestrictGuestAccess entry.
- In the Edit DWORD Value dialog box, type 1.
- Repeat the previous steps to create the same DWORD entry in the Security and System subkey folders.
This will prevent unauthorised users from having access to sensitive information stored in event logs, information that might be used to gain access to other locations or files that should be secure.
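The two registry procedures above (clearing the pagefile and restricting event log access), scripted as an added PowerShell example that is not part of the original article. It uses only the keys and value names given in the steps; the `-Apply` switch and the report column names are choices made for this example.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell prompt.
# Without -Apply the script only reports; with -Apply it writes the values.
param([switch]$Apply)

# Keys and value names exactly as given in the steps above; the desired data is 1.
$targets = @(
    [pscustomobject]@{
        Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
        Name = 'ClearPageFileAtShutdown'
    }
)
foreach ($log in 'Application', 'Security', 'System') {
    $targets += [pscustomobject]@{
        Path = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log"
        Name = 'RestrictGuestAccess'
    }
}

$report = foreach ($t in $targets) {
    # A missing value is not an error here: it simply means "not configured".
    $item   = Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue
    $before = if ($item) { $item.($t.Name) } else { $null }

    if ($Apply -and $before -ne 1) {
        # -Force overwrites an existing value (for example 0) as well as creating a new one.
        New-ItemProperty -Path $t.Path -Name $t.Name -PropertyType DWord -Value 1 -Force | Out-Null
        $item = Get-ItemProperty -Path $t.Path -Name $t.Name
    }
    $after = if ($item) { $item.($t.Name) } else { $null }

    [pscustomobject]@{
        Key    = $t.Path -replace '^HKLM:\\SYSTEM\\CurrentControlSet\\', ''
        Value  = $t.Name
        Before = if ($null -eq $before) { '(not set)' } else { $before }
        After  = if ($null -eq $after)  { '(not set)' } else { $after }
        Status = if ($after -eq 1) { 'OK' } else { 'NEEDS CHANGE' }
    }
}

$report | Format-Table -AutoSize

# The article notes that the pagefile setting needs a restart to take effect.
if ($Apply -and ($report | Where-Object { $_.Value -eq 'ClearPageFileAtShutdown' -and $_.Before -ne $_.After })) {
    Write-Warning 'ClearPageFileAtShutdown changed: restart the computer for it to take effect.'
}
```

Running it without `-Apply` first gives a before-state report you can keep, which also makes it easy to set ClearPageFileAtShutdown back to 0 if the trial period shows shutdowns are too slow.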









