CSU Windows Security Group
Securing Windows Server Tasks
Draft 6
May 20, 2005

This is a draft prepared by the campus Windows Security Group, which is a subgroup of the campus Windows group. It is a cut and paste of separate documents, so the formatting is not yet consistent. It is intended to give an overview of the direction the group is taking and to solicit feedback.

The intent of this document is to outline basic security steps that the average IT administrator can quickly take to increase the security of their Windows servers. The Windows Security Group plans to host brown bag training sessions throughout Spring 2005 to help administrators master the skills needed to implement these recommendations.

Windows Security Tasks

- Auditing
- Physical Security
- Setup and Patching
- Account Management*
- Restrict Anonymous Access & NTLM Authentication

* One item under Account Management, strong passwords, is now a mandatory requirement under CSU's Campus IT Security Policy.

I. Auditing

If no auditing is configured, it will be difficult or impossible to determine what took place during a security incident. However, if auditing is configured so that too many authorized activities generate events, the security event log will fill up with useless data.

Audit events A-E below typically do not generate large amounts of logs and should be set as recommended by all IT administrators. Audit events F-I will generate large amounts of information and will often fill up the logs; it is therefore recommended that these only be set when detailed logging is required (i.e., under attack, etc.).

The following values can be configured in the Domain Group Policy section of Windows Server 2000/2003 at the following location:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

A. Audit login = Success, Failure (Recommended settings)

The Audit account logon events setting determines whether to audit each instance of a user logging on to or off another computer that validates the account. Authenticating a domain user account on a domain controller generates an account logon event. The event is logged in the domain controller's security log. Authenticating a local user on a local computer generates a logon event. The event is logged in the local security log. There are no Account logoff events logged.

Can be implemented with GPOs: YES

B. Audit account management = Success, Failure (Recommended settings)

The Audit account management setting determines whether to audit each account management event on a computer. Examples of account management events include:

- A user account or group is created, changed, or deleted.
- A user account is renamed, disabled, or enabled.
- A password is set or changed.

Organizations need to be able to determine who has created, modified, or deleted both domain and local accounts. Unauthorized changes could indicate mistaken changes made by an administrator who does not understand how to follow corporate policies or a deliberate attack.

Can be implemented with GPOs: YES

C. Audit logon events = Success, Failure (Recommended settings)

The Audit logon events setting determines whether to audit each instance of a user logging on to or off of a computer. Records are generated from the Account logon events setting on domain controllers to monitor domain account activity and on local computers to monitor local account activity.

Configuring the Audit logon events setting to No auditing makes it difficult or impossible to determine which user has either logged on or attempted to log on to computers in the enterprise. Enabling the Success value for the Auditing logon events setting on a domain member will generate an event each time that someone logs on to the system regardless of where the accounts reside on the system.
If the user logs on to a local account, and the Audit account logon events setting is Enabled, the user logon will generate two events. There will be no audit record evidence available for analysis after a security incident takes place if the values for this setting are not configured to Success and Failure.

Can be implemented with GPOs: YES

D. Audit policy change = Failure (Recommended settings)

The Audit policy change setting determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies. This includes making changes to the audit policy itself.

Configuring this setting to Success generates an audit entry for each successful change to user rights assignment policies, audit policies, or trust policies. Configuring this setting to Failure generates an audit entry for each failed change to user rights assignment policies, audit policies, or trust policies.

Can be implemented with GPOs: YES

E. Audit system events = Success, Failure (Recommended settings)

The Audit system events setting determines whether to audit when a user restarts or shuts down a computer or when an event occurs that affects either the system security or the security log. Configuring this setting to Success generates an audit entry when a system event is executed successfully.

Can be implemented with GPOs: YES

Recommendations marked with an * identify settings that will generate a significant number of log entries. Audit events F-I will generate large amounts of information and will often fill up the logs; it is therefore recommended that these only be set when detailed logging is required (i.e., under attack, etc.).

F. Audit directory service access = Failure* (Recommended settings)

The Audit directory service access setting determines whether to audit the event of a user accessing a Microsoft Active Directory service object that has its own system access control list (SACL) specified.
Setting Audit directory service access to No Auditing makes it difficult or impossible to determine what Active Directory objects may have been compromised during a security incident. There will be no audit record evidence available for analysis after a security incident if the values for this setting are not set to Success and Failure.

Can be implemented with GPOs: YES

G. Audit object access = Failure* (Recommended settings)

By itself, this setting will not cause any events to be audited. The Audit object access setting determines whether to audit the event of a user accessing an object (for example, a file, folder, registry key, printer, and so forth) that has a specified SACL.

A SACL is comprised of access control entries (ACEs). Each ACE contains three pieces

- The security principal (user, computer, or group) to be audited.
- The specific access type to be audited, called an access mask.
- A flag to indicate whether to audit failed access events, successful access events,

Configuring this setting to Success generates an audit entry each time that a user successfully accesses an object with a specified SACL. Configuring this setting to Failure generates an audit entry each time that a user unsuccessfully attempts to access an object with a specified SACL.

Corporations should define only the actions they want enabled when configuring SACLs. For example, you might want to enable the Write and Append Data auditing setting on executable files to track the replacement or changes to those files, which computer viruses, worms, and Trojan horses will commonly cause. Similarly, you might want to track changes to or even the reading of sensitive documents.

Can be implemented with GPOs: YES

H. Audit privilege use = Failure* (Recommended settings)

The Audit privilege use setting determines whether to audit each instance of a user exercising a user right. Configuring this value to Success generates an audit entry each time that a user right is exercised successfully.
Configuring this value to Failure generates an audit entry each time that a user right is exercised unsuccessfully.

Can be implemented with GPOs: YES

I. Audit process tracking = No auditing* (Recommended settings)

The Audit process tracking setting determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Configuring this setting to Success generates an audit entry each time the process being tracked succeeds. Configuring this setting to Failure generates an audit entry each time the process being tracked fails.

Enabling Audit process tracking will generate a large number of events, so typically it is set to No Auditing. However, these settings can provide a great benefit during an incident response from the detailed log of the processes started and the time when they were launched.

Can be implemented with GPOs: YES

J. Maximum application log size = 16384 kilobytes
   Restrict guest access to application log = enabled
   Retention method for application log = As Needed

K. Maximum security log size = 81920 kilobytes
   Restrict guest access to security log = enabled
   Retention method for security log = As Needed

L. Maximum system log size = 16384 kilobytes
   Restrict guest access to system log = enabled
   Retention method for system log = As Needed

The log size is a Microsoft recommendation; this value can certainly be changed. The retention method is set to overwrite events as needed. This will keep the logs from filling up and displaying error messages on servers.

Can be implemented with GPOs: YES

II. Physical Security

Per CSU's IT Security Policy (General IT Security Policies and Guidelines), servers shall be housed in a physically secure facility where access is limited to only those individuals requiring access to perform routine or emergency maintenance on the system.

III. Setup and Patching

Following these guidelines will allow you to build and maintain a Windows server that is relatively secure. Windows 2003 server should be installed unless there is a compatibility issue. In-place upgrades are discouraged. We recommend adding BIOS password protection and turning off unnecessary ports such as USB, serial, and parallel unless needed. We also recommend that the boot order be modified on Domain Controllers to boot from the operating system volume first and disable booting from PXE and USB.

Automate the install process to ensure consistent, complete security.
Create a process document to outline the installation process to ensure consistency of server builds. Use Ghost or other imaging techniques, if possible, to have a consistent build process.
Can be implemented with GPOs: NO

Format all partitions as NTFS volumes.
Security is better on an NTFS volume than a FAT volume. Recommended boot drive size is 15-20 GB.
Can be implemented with GPOs: NO

Install operating system while the server is disconnected from the network.
Obtain a CD with the latest operating system version and service packs from Software Cellar. This will mean less patching after the initial install.
Can be implemented with GPOs: NO

Only install TCP/IP for the network transport.
This follows with only installing necessary services.
Can be implemented with GPOs: NO

Do not install SMTP unless necessary.
This follows with only installing necessary services.
Can be implemented with GPOs: NO

Do not install IIS on Domain Controllers.
We recommend that you do not install IIS on anything that isn't a web server. This follows with only installing necessary services.
Can be implemented with GPOs: YES

Only enable required services.
See Appendix A (Windows 2003 Server Baseline Services Settings) for a list of services and how Microsoft recommends they should be set for baseline servers. You should test any changes in your environment to be sure they work for you.
Save a list of the original service states: you can export the existing state of the services list before making changes. Use this list as a reference to get back your original configuration in the event of a conflict. Right-click on Services in the MMC and choose Export List.
Can be implemented with GPOs: YES

The following is a list of additional services which may need to be enabled for various server roles beyond the baseline table in Appendix A. Services can be managed with GPOs with an appropriate OU structure. For example, an Exchange server placed in its own OU can then have Exchange-specific GPOs applied.

Citrix
  - Terminal Services Licensing

DHCP Server
  - DHCP Server

Exchange
  - HTTP SSL
  - IIS Admin Service
  - Microsoft POP3 Service
  - Network News Transfer Protocol (NNTP)
  - Simple Mail Transport Protocol (SMTP)
  - World Wide Web Publishing Service

Internet Authentication Server
  - Internet Authentication Service

Internet Information Server (IIS)
  - ASP .NET State Service
  - Distributed Transaction Coordinator
  - FTP Publishing Service
  - HTTP SSL
  - IIS Admin Service
  - Indexing Service
  - Simple Mail Transport Protocol (SMTP)
  - World Wide Web Publishing Service

Remote Installation Server (RIS)
  - Single Instance Storage Groveler
  - Trivial FTP Daemon

SQL
  - Distributed Transaction Coordinator
  - MSSQLServer
  - MSSQLServerADHelper
  - SQLSERVERAGENT

OTHER
  Many 3rd party applications require additional services, such as Dell OpenManage, Symantec System Center, Symantec Ghost, Webroot SpySweeper, etc.

Run anti-virus on all servers.
We recommend this unless you have a known conflict. Test the anti-virus software thoroughly before putting the server into a production environment.
Can be implemented with GPOs: NO

Apply all current service packs and hot fixes and keep up to date.
Connect the server to a firewall before trying to download service packs and hotfixes. This will protect your server from being compromised while obtaining the critical updates.
Installing from the most current version of Windows media will cut down on the number of critical updates you will need to download.
Can be implemented with GPOs: NO

Automate and audit service pack and hot fix levels.
We recommend that you subscribe to Microsoft security bulletins and other popular IT security bulletins. Test service packs and critical updates prior to deploying in a production environment. Hotfixes have a high priority and should be applied no later than when ACNS releases them to their Security Update Server (SUS). Consider building your own SUS server or use the ACNS SUS server for automated critical hotfix updates. Do not lag behind the ACNS SUS server. ACNS maintains a listserv for SUS administrators. To join the list go to http://www.colostate.edu/Services/ACNS/listserv/subother.html and select the SUSADMINS list.
Can be implemented with GPOs: NO

Prevent local guests from accessing application and system logs.
Local guest accounts should not have access to the application and system logs.
Can be implemented with GPOs: YES
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Event log: Application log SDDL
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Event log: System log SDDL

Prevent local guests from accessing security logs.
Local guest accounts should not have access to the security log.
Can be implemented with GPOs: YES
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignments\Manage auditing and security log

IV. Account Management

A. Limit the Number of Local Administrator Accounts

There should be no more than two (2) local administrator accounts on Windows servers. There should be no more than two (2) local administrator accounts on Windows workstations (i.e., Windows XP).
Minimize the number of user accounts that are members of the Local Administrators Group and Domain Admins Group.

WHY: If an administrative account is compromised, this can help reduce the spread and severity of unauthorized access.

Can be implemented with GPOs: NO (In a tightly restricted homogenous lab environment there are Restricted Groups GPO settings that can control local group membership.)

B. Enforce the Least Privilege Principle

Under the least privilege principle a user is granted the lowest level of local permissions needed to perform their job. Most standard software runs fine for accounts set as User. For those programs that do not run correctly with a User account, administrators can use applications such as Filemon and Regmon to help identify which specific files and registry keys need permissions adjusted. These utilities are available for free from http://www.sysinternals.com/. It is likely that other people on campus have already determined the necessary permissions changes for common applications; send an inquiry to the subnet managers listserv (subnet-managers@yuma.colostate.edu).

WHY: Users can perform the majority of their daily tasks without requiring elevated privileges. These measures can reduce the amount of installed spyware and rogue applications.

Can be implemented with GPOs: NO

C. Use Separate Administrative and User Accounts for Administrative Users

Viruses and spyware can do far greater damage to a computer and network resources if they strike while an administrative user is logged in. Network administrators should log onto workstations with a User account for non-administrative daily activity. When an administrative task must be performed, use the Run As feature or Remote Desktop Connection. Administrators should not use the same password for both the administrative account and the user account.
WHY: These measures can help minimize potential damage caused by malware, carelessness and mistakes.

Can be implemented with GPOs: NO

D. Rename the Default Local Accounts and Create Decoy Accounts

Renaming the local Administrator and Guest accounts may help prevent common attacks on Windows systems.

1. Right-click on the default local Administrator account and select Rename. Give the account a name that can be remembered and tracked when reviewing login attempts in the log files.
2. Right-click, Properties on the renamed local Administrator account and cut the Description field text. Type in an innocuous description, something that doesn't imply administrative permissions.
3. Create a new account named Administrator (use a capital A). Paste the description from the original Administrator account into the Description field of this new Administrator account.
4. Go back into the Properties of the decoy Administrator account and clear out the Full Name field.
5. Create a strong and complex password for both the renamed Administrator account and the decoy Administrator account. Change this password periodically!
6. Do not add the decoy Administrator account to the local Administrators group. Instead, remove the decoy Administrator account from all groups on the Member Of tab.
7. Repeat steps 1-6 above for the default Guest account (making name changes where appropriate). Be sure to disable the renamed Guest account.
8. Prevent the local Guests group from accessing logs!

WHY: Default accounts are often targets for attack; these measures can help thwart common attacks.

Can be implemented with GPOs: YES (only the Rename portion)
Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options
Computer Configuration / Windows Settings / Security Settings / Event Log

E. Use Strong Password Complexity

Under the mandatory section of CSU's Campus IT Security Policy, item 5 states: "Strong passwords shall be implemented on all systems."

1. General System Passwords
   a. Passwords for general systems shall be at least eight (8) characters in length. Passwords for server administrative access on Windows operating systems shall be a minimum of 15 characters.
   b. Passwords shall not be derived from a user's name or login ID.
   c. Passwords shall not be derived from system-specific information such as hostname, aliases or entries in users' files.
   d. Commonly used words or words appearing in either English or foreign language dictionaries shall not be used.

2. In addition, passwords should follow a minimum rule set for complexity. One such set of rules for password complexity that should be considered (there are others) is that passwords shall conform to at least three (3) of the following conditions:
   - Contain one or more upper case characters
   - Contain one or more lower case characters
   - Contain one or more numerals (0, 1, 2 ... 9)
   - Contain one or more special characters (non-alphabetic and non-numeric, e.g., punctuation symbols or any of #, $, %, ^, &, *)

Finally, use of the same administrative or root password across administrative boundaries is prohibited. For example, system administrators should select an administrative password for configuring network hardware in their area, another password for administering their Windows servers, and yet another unique root password for UNIX servers. Separate and distinct passwords shall also be used for units managing more than one Windows domain.

Note: If you plan to eliminate the local storage of LM hashes (as described in V. section J), your users will need to change their passwords. You may want to coordinate your password complexity implementation with the elimination of the storage of LM hashes so that your users will only have to change their passwords once.

WHY: Complex and longer passwords are harder to crack.

Can be implemented with GPOs: YES (must be set in Default Domain Policy)
Computer Configuration / Windows Settings / Security Settings / Account Policies / Password Policy

F. User Password Management

Microsoft Windows provides several parameters for controlling user passwords.

Password Policy (must be set at the Domain level)
- History: Windows can keep track of previous passwords used and prevent a user from using the same password repeatedly.
- Ageing: users can be required to change passwords after a specified number of days.
- Length: users can be required to use passwords that have a minimum number of characters.
- Complexity: see Section E.

Account Lockout Policy: user accounts can be locked for a certain amount of time after a specified number of unsuccessful logon attempts.

Note: If you configure an Account Lockout Policy, a network-based Denial of Service attack can potentially cause a lockout on many or all of your accounts.

- Account lockout duration: 30 minutes (Determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked.)
- Account lockout threshold: 10 invalid logon attempts (Determines the number of failed logon attempts that causes a user account to be locked out.)
- Reset account lockout counter after (Observation Window): 30 minutes (Determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts.)

WHY: Enforcing various parameters of passwords can help strengthen security (i.e., preventing blank passwords, enforcing complex passwords). Enforcing lockout policies can help thwart brute force hack attempts.

Can be implemented with GPOs: YES
Computer Configuration / Windows Settings / Security Settings / Account Policies / Account Lockout Policy

G. Disable Terminated Employee Accounts

Employees who have left the university should have their access to network resources disabled immediately. Consider network accounts, email accounts, eID, etc. Each department should devise a procedure that notifies IT administrators that an employee has been terminated.
WHY: Terminated employees should not have access to CSU systems; disabling accounts can help prevent unauthorized access.

Can be implemented with GPOs: NO

V. Restrict Anonymous Access & NTLM Authentication

A. Restrict Anonymous on Windows XP and 2003 Systems

There are multiple places to configure anonymous access on XP and 2003 systems.

Note: These settings will break connectivity with Windows NT 4 systems. Per CSU's Campus IT Security Policy, "Only operating systems that are secure according to current best practices and require strong authentication shall be used. In particular, only Windows 2000 or later Windows operating systems shall be used."

Note: Microsoft Outlook clients older than the 2003 version that are doing a MAPI connection to an Exchange server require anonymous access to global catalog servers. If you have these clients in your environment then you should not turn on restrict anonymous on your global catalog servers.

1.) Restrict Anonymous

Registry Settings:
  Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
  Value Name: RestrictAnonymous
  Data Type: REG_DWORD
  Valid Range: 0,1
  Preferred: 1
  Default: 0
  Description:
    0 - None. Rely on default permissions
    1 - Do not allow enumeration of SAM accounts and names

GPO/Security Policy Settings:
  Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
  Network: Do not allow anonymous enumeration of SAM accounts and shares.
  Preferred Setting: Enabled

B. Restrict Anonymous SAM

Microsoft states that this setting has no effect on DCs. This setting is not entirely clear at this point but it may be used in conjunction with RestrictAnonymous on XP boxes to give the equivalent of RestrictAnonymous Level 2 on Windows 2000 machines. Further research is required.

Registry Settings:
  Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
  Value Name: RestrictAnonymousSAM
  Data Type: REG_DWORD
  Valid Range: 0,1
  Preferred: 1
  Default: 0
  Description:
    0 - None. Rely on default permissions
    1 - No access without explicit anonymous permissions

GPO/Security Policy Settings:
  Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
  Network: Do not allow anonymous enumeration of SAM accounts
  Preferred Setting: Enabled

Can be implemented with GPOs: YES

C. Restrict Anonymous SID/Name translation

This setting determines whether an anonymous user can request Security Identification Number (SID) attributes for another user.

Registry Settings: N/A

GPO/Security Policy Settings:
  Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
  Network: Allow anonymous SID/Name translation.
  Preferred Setting: Disabled

Can be implemented with GPOs: YES

D. Let Everyone permissions apply to anonymous users

This is already disabled in Windows 2003 by default but is not defined in Windows 2000.

Registry Settings:
  Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
  Value Name: everyoneincludesanonymous
  Data Type: REG_DWORD
  Valid Range: 0,1
  Preferred: 0
  Default: 0
  Description:
    0 - None. Rely on default permissions
    1 - No access without explicit anonymous permissions

GPO/Security Policy Settings:
  Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
  Network access: Let Everyone permissions apply to anonymous users
  Preferred Setting: Disabled

Can be implemented with GPOs: YES

E. Restrict Anonymous on Windows 2000 Systems

Microsoft states that setting this option to level 2 should only be done in a purely Windows 2000 environment.

Q 246261: How to Use the RestrictAnonymous Registry Value in Windows 2000 (http://support.microsoft.com/kb/246261/EN-US/)

Note: Exchange 2000 will not function correctly with restrict anonymous set to level 2.
Registry Settings:
  Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
  Value Name: RestrictAnonymous
  Data Type: REG_DWORD
  Valid Range: 0-2
  Preferred: 2
  Default: 0
  Description:
    0 - None. Rely on default permissions
    1 - Do not allow enumeration of SAM accounts and names
    2 - No access without explicit anonymous permissions

GPO/Security Policy Settings:
  Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Additional restrictions for anonymous connections
  Preferred Setting: No access without explicit anonymous permissions

Can be implemented with GPOs: YES

F. Restrict Anonymous on Windows NT 4.0 Systems

Microsoft notes that although this setting prevents the provided tools from enumerating users and shares, there are other API calls that support anonymous individual user lookup. This may mean that some hacking utilities can still enumerate user lists on Windows NT 4.0 anonymously with this setting in place.

Q143474: Restricting information available to anonymous logon users (http://support.microsoft.com/kb/143474/EN-US/)

Registry Settings:
  Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
  Value Name: RestrictAnonymous
  Data Type: REG_DWORD
  Valid Range: 0-1
  Preferred: 1
  Default: 0
  Description:
    0 - None. Rely on default permissions
    1 - Do not allow enumeration of SAM accounts and names

Can be implemented with GPOs: NO

G. Implementing NTLM Authentication Security Settings

Restricting which LANMAN encryption method your network uses can be a difficult and potentially disruptive exercise. The best way to minimize impact to network users is to plan and proceed carefully and slowly. The process begins with determining what operating systems and applications you have in your network. Once you have identified the various configurations, you then test the settings you wish to use in a non-production environment to see if it is possible and what steps you may need to make it so.
Finally, determine what order of implementation will minimize impact on your network users. This may mean installing additional drivers on legacy systems to allow them to use higher encryption standards and preparing other resources to allow alternatives to services that may no longer be available under the higher encryption standards.

You may determine that it is not currently feasible to move to NTLMv2 only. In that case, you should at least prohibit the use of LM, which is by far the weakest encryption method.

Once LM compatibility is set, it is relatively easy to set LM hash storage settings with minimal impact on the network.

Password complexity rules can be implemented at any time, but you may want to wait until LM hash storage is disabled. The last calculated LM hash stays on the system until the next password change, so it makes sense to implement password complexity last and then force a password change afterward. You may feel, however, that you cannot wait for the length of time necessary for the LM compatibility implementation process before requiring strong passwords.

Step 1. Inventory your network

Determine how many different operating systems are on your network. Windows 2000 and XP are ready for NTLMv2 out of the box but Win9x/ME and WinNT 4.0 are not. Also, new versions of Mac operating systems (X and higher?) support NTLMv2 but older versions require a little help.

Also, note any software that uses or provides resources over the network. If a program provides an interface remotely or gathers remote data or uses any other remote resources, it may be impacted by a change in NTLM authentication.

Step 2. Testing

Once you have a list of all the legacy operating systems and network applications on your network, you should test any whose behavior you are uncertain of. Windows 2000 and XP work fine with NTLMv2; Windows 9X/ME and NT4.0 require the Directory Services Client from Microsoft to operate properly.
Since this behavior is known, you may not need to test this ahead of time. Any Mac OS prior to X will probably require the latest Microsoft User Authentication Module (UAM) installed. We are not aware exactly which versions started natively supporting NTLMv2 so, when in doubt, test ahead of time. This could be done by setting a test box to use NTLMv2 only (refuse LM and NTLM), sharing out a directory and attempting to connect to it with the Mac.

All critical applications should be tested in a non-production environment before implementing the change on your network. A typical test environment would include a DC (using the same OS as your production network), a client system and one or more server systems running the software in question. In networks with mixed DS operating systems, you should either use the lowest level OS or match your production environment by running multiple DSs in the test network. See Application Compatibility for more information on applications and situations to watch out for.

Step 3. Workstation Implementation

Once testing is done, start implementing LM Compatibility settings with the workstations in your domain. First, install any additional software necessary for the OS to use NTLMv2.

- Directory Services Client (NT4.0 and Win9X/ME): http://support.microsoft.com/default.aspx?scid=kb;en-us;288358
- Microsoft User Authentication Module (Mac): http://www.microsoft.com/mac/otherproducts/otherproducts.aspx?pid=windows2000sfm

Take any steps necessary to allow other applications to run using NTLMv2 as discovered in your testing. We did not encounter anything that required special settings on workstations in our implementation.
Also, keep in mind that any workstation that shares out resources (file or printer shares, for example) needs to be set to NTLMv2 after (or at the same time as) other machines that use those resources.

LM Compatibility settings can be implemented via registry changes, the local security settings console (Win2k and up) or Group Policy Objects (Win2k and up). GPOs offer the greatest ease of implementation and management. Instead of making this change in the Default Domain Policy, you should create an Organizational Unit structure to isolate workstation accounts from other machine accounts that you do not want to set NTLMv2 on right away and create an authentication security policy for them. You have to use registry settings on legacy operating systems (Win9x/ME, WinNT4.0).

H. NTLMv2 on Windows NT4.0, XP, 2000 and 2003 Systems:

Note: If you use the Symantec Ghost drive mapping boot disk option, it uses LM authentication and it does not support NTLM authentication.

Note: If you use University Relations RamCopy Xerox printers with network scanning, this feature uses LM authentication and it does not support NTLM authentication.

GPO/Security Policy Settings:

Windows 2003, XP:
Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: LAN Manager Authentication Level
Preferred Setting: Send NTLMv2 response only\refuse LM & NTLM

Windows 2000:
Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\LAN Manager Authentication Level
Preferred Setting: Send NTLMv2 response only\refuse LM & NTLM

Registry Settings:
Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
Value: LMCompatibilityLevel
Value Type: REG_DWORD - Number
Valid Range: 0-5
Preferred: 5
Default: 0
Description: This parameter specifies the type of authentication to be used.
Level 0 - Send LM response and NTLM response; never use NTLMv2 session security
Level 1 - Use NTLMv2 session security if negotiated
Level 2 - Send NTLM authentication only
Level 3 - Send NTLMv2 authentication only
Level 4 - DC refuses LM authentication
Level 5 - DC refuses LM and NTLM authentication (accepts only NTLMv2)

I. NTLMv2 on Windows 9x Systems:

Registry Settings:
Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
Value Name: LMCompatibility
Data Type: REG_DWORD
Valid Range: 0,3
Preferred: 3
Default: 0
Description: This parameter specifies the mode of authentication and session security to be used for network logons. It does not affect interactive logons.
Level 0 - Send LM and NTLM response; never use NTLM 2 session security
Level 3 - Send NTLM 2 response only. Clients will use NTLM 2 authentication and use NTLM 2 session security if the server supports it;

Step 4. Member Server Implementation

After the workstations on your network have been set to NTLMv2 only for a few days (and you've worked out any problems), configure the member servers (non-domain controllers). This might include Exchange, IIS, SQL Servers, etc. Again, the best way to implement this is via GPO. Put all of your member servers beneath an OU and create a GPO specifically to control LM Compatibility for them.

Step 5. Domain Controller Implementation

Once member servers are using NTLMv2 only and you've had time to work out any issues this caused, you can move your Domain Controllers.

Step 6. Implement No LM Hash Storage for all systems

Once your network is operating without LM, you can tell your systems never to store the LM hash for passwords. Once this is done, all users need to change their passwords once to get rid of the existing calculated LM hash. There is no way to prevent LM hash storage on legacy systems (Windows 9x/ME). You could create new GPOs for this or use the same ones created earlier for LM compatibility.
At this point it is safe to implement this domain wide, so you could create a single GPO setting either at the domain level or on each OU used to store computer objects.

J. No LM hash storage on Windows XP, 2000 and 2003 Systems:

GPO/Security Policy Settings:

Windows 2003, XP:
Location: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Do not store LAN Manager hash value on next password change
Preferred Setting: Enabled

Windows 2000: N/A. Not available when using a Windows 2000 client to edit GPOs.

Registry Settings:
Location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
Value: NoLMHash
Value Type: REG_DWORD - Number
Valid Range: 0-1
Preferred: 1
Default: 0
Description: This parameter specifies the type of authentication to be used.
Level 0 - Store LM hash for password locally.
Level 1 - Do not store LM hash for passwords locally.

Step 7. Implement Password Complexity Rules

Finally, you can configure password complexity rules for your domain. This must be done at the domain level (where the Default Domain Policy resides). As a best practice, you should not modify the Default Domain Policy. Instead, create a new policy at this level and move it higher than the default policy in precedence to be sure it works properly. These rules can only be implemented domain wide, not on an individual OU (even though it looks like it is possible in the interface). The following settings closely mimic the Campus Security Committee recommendations. Further settings affecting account lockout, password aging and history are also available in the same GPO section.

K. Password Complexity Settings on Windows XP, 2000 and 2003 Systems:

GPO/Security Policy Settings:

Location:
1. Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length
   Preferred Setting: 8 characters
2. Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements
   Preferred Setting: Enabled

L. Troubleshooting:

After implementing these security settings you will likely run into problems that may be related. A good example is running Outlook with an Exchange account on a system you just joined to the domain. The default location where new computers are added to the domain is the Computers container at the AD root. Unless you use a single GPO to set LM compatibility at the root of the domain, new computer accounts will not be set to use NTLMv2 initially. You will be able to log on to the machine because that uses Kerberos, but you probably won't be able to set up Outlook properly. When you try to open Outlook with an Exchange MAPI profile, you keep getting authentication dialog boxes that do not seem to work. You cannot apply a GPO directly to the Computers container, but there are a few solutions to this problem:

1. Set LM compatibility at the root of the domain (same place as the Default Domain Policy). This will apply to computers in the default Computers container, but you may not want or be able to use the same settings for all systems in your domain.
2. Pre-create computer accounts in the correct OU as an administrator, then join to the domain. This allows you to put the account in a location to receive the GPO settings immediately.
3. Move the account from the Computers container to the correct OU before setting up Outlook. This requires no special settings but you need to remember to periodically move machine accounts to an OU.
4. Change the default location of new computer objects created in the domain. If you have all Windows 2003 DCs you can change the default location where new computer objects are created.
This is described in the following KB article: http://support.microsoft.com/default.aspx?scid=kb;en-us;324949

If you have a system that just doesn't seem to authenticate properly, make sure that it is receiving the proper LM compatibility setting. For legacy clients, you need to check the registry setting and be sure the DSClient is installed. For newer systems (W2K, XP, W2K3), you can check this either in the registry or in the local security settings console under Administrative Tools. If the system is not getting the GPO, try to refresh the policy at a command prompt as follows:

Windows 2000: Secedit.exe /refreshpolicy machine_policy
Windows XP/2003: Gpupdate.exe

Check the setting again and look in the Application Event Log for errors receiving the policy (source = SceCli). If the system still does not get the GPO setting, double check the GPO structure to make sure the computer account should be getting the setting. The account may be in a location in AD that does not have the setting applied to it, or there may be a conflicting GPO with higher precedence. If all else fails, try setting the level manually in the local security policy console or the registry.

M. Application Compatibility

The following is a list of applications to watch out for and what is known about their behavior when using NTLMv2 only:

1). Database Servers (SQL Server, Oracle, MySQL, etc.): We do not have information on database servers at this time. Make sure that management tools, development tools and client applications can authenticate using whatever mode you have selected (integrated vs. non-integrated authentication, database accounts vs. machine or network accounts, etc.).

2). Web Servers (IIS, Apache, etc.): IIS appears to work fine with NTLMv2 but you probably want to make sure that all workstations are set to NTLMv2 before moving the server, particularly if using IE integrated authentication on protected sites.
You will probably need to use basic authentication with SSL encryption to allow authentication on password protected sites. Anonymous sites should not be impacted. We have no data on other web servers at this point. The thing to watch for in particular is proper operation of restricted sites.

3). Windows Compatible File Sharing (SAMBA, NAS/SNAP servers, etc.): As of Version 3.0, SAMBA should be capable of supporting NTLMv2 but we have no experience with this yet. We do not have any data on other NAS/SNAP or other file sharing boxes, but any existing in your environment should be researched and tested with a client set to NTLMv2 only.

4). Mail Servers and Clients (Exchange, Outlook, IMAP clients, etc.): Exchange 2003 server running on Windows 2003 works properly with NTLMv2 but it must be rolled out in the proper order to work correctly. With the DCs set to NTLMv2 Only and the Exchange server set to accept all authentication methods, IMAP authentication would not work properly. We had to scale back the DCs to accept NTLMv2 and NTLM until we were ready to move the Exchange server to NTLMv2 only. As with most scenarios, you need to make sure all client systems using a MAPI client like Outlook are set to send NTLMv2 before moving the server. That includes any systems not in your domain, like home systems or machines in other domains. Once all the client machines are using NTLMv2, you can safely set the DCs and Exchange servers to NTLMv2 Only. While we have not tested Exchange 2000, it is likely to behave similarly. The Outlook versions tested were Office XP and 2003; older versions should be tested before putting these settings into production. As long as the DCs and Exchange servers are at a similar level, IMAP clients should work properly with Exchange. We currently have no data on other mail servers. If they use Windows user accounts, then they will likely be impacted by this setting and should definitely be researched and tested.

5). Cisco VPN: ACNS runs a Cisco VPN Concentrator used predominately by campus wireless users and off-campus machines. There are two ways in which authentication can occur: Radius or Windows. The default VPN group set up by ACNS uses Radius authentication with users entering their eID and password, and this is not impacted by NTLMv2 settings. A few departments have asked to have a special VPN group configured to authenticate against their Windows domain. The Cisco equipment/OS in use does not support NTLMv2, so Windows domain authentication is not possible at this time with these settings. Keep in mind that home machines must be configured to send NTLMv2 regardless of VPN use.

6). Off Campus and Off Domain Machines: All machines connecting to your domain need to be configured to send NTLMv2 to use shared resources. If they are also sharing resources, they need to be able to accept NTLMv2 as well. These systems can be configured with a registry change or the Local Security Policy console (Win2K or up). If the machines are in another domain and LM Compatibility level is set in a GPO, the setting needs to be corrected in the GPO.
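The registry checks from sections H, J and L, and the rollout order from Steps 3 through 5, can be applied to "reg query" output collected from each machine. The Python script below is an added example, not part of the original guide: the host names, role labels and captured output are constructed, and a missing value is assumed to mean the default of 0 that the guide lists.

```python
import re

# Preferred values from sections H and J of the guide.
PREFERRED_LM_LEVEL = 5
PREFERRED_NO_LM_HASH = 1

# One REG_DWORD line of "reg query" output, e.g.
#     LMCompatibilityLevel    REG_DWORD    0x5
VALUE_RE = re.compile(r"^\s*(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

# Constructed sample data: (host name, role, captured "reg query" output).
# Role labels are chosen for this example: workstation, member, dc.
LSA_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA"
SAMPLE_HOSTS = [
    ("WS01", "workstation",
     LSA_KEY + "\n    LMCompatibilityLevel    REG_DWORD    0x5\n"
               "    NoLMHash    REG_DWORD    0x1\n"),
    # Neither LMCompatibilityLevel nor NoLMHash is present on this machine.
    ("WS02", "workstation",
     LSA_KEY + "\n    LimitBlankPasswordUse    REG_DWORD    0x1\n"),
    ("EXCH01", "member",
     LSA_KEY + "\n    LMCompatibilityLevel    REG_DWORD    0x3\n"
               "    NoLMHash    REG_DWORD    0x1\n"),
    ("DC01", "dc",
     LSA_KEY + "\n    LMCompatibilityLevel    REG_DWORD    0x5\n"
               "    NoLMHash    REG_DWORD    0x1\n"),
]


def parse_lsa_values(reg_output):
    """Return {lowercased value name: int} for every REG_DWORD line."""
    values = {}
    for line in reg_output.splitlines():
        match = VALUE_RE.match(line)
        if match:
            values[match.group(1).lower()] = int(match.group(2), 16)
    return values


def audit_host(name, role, reg_output):
    """Compare one host's LSA values with the guide's preferred settings."""
    values = parse_lsa_values(reg_output)
    # Assumption: an absent value means the default the guide lists (0).
    level = values.get("lmcompatibilitylevel", 0)
    no_lm_hash = values.get("nolmhash", 0)
    findings = []
    if not 0 <= level <= 5:
        findings.append("LMCompatibilityLevel %d is outside the valid range 0-5" % level)
    elif level < PREFERRED_LM_LEVEL:
        findings.append("LMCompatibilityLevel is %d, preferred %d"
                        % (level, PREFERRED_LM_LEVEL))
    if no_lm_hash != PREFERRED_NO_LM_HASH:
        findings.append("NoLMHash is %d, preferred %d"
                        % (no_lm_hash, PREFERRED_NO_LM_HASH))
    return {"name": name, "role": role, "level": level,
            "no_lm_hash": no_lm_hash, "findings": findings}


def rollout_order_problems(hosts):
    """Flag the ordering mistake the guide warns about: a DC that accepts
    only NTLMv2 (level 5) while another machine is still below level 3 and
    therefore never sends an NTLMv2 response."""
    strict_dcs = [h["name"] for h in hosts if h["role"] == "dc" and h["level"] == 5]
    if not strict_dcs:
        return []
    return ["%s is at level %d and does not send NTLMv2, but %s accepts only NTLMv2"
            % (h["name"], h["level"], ", ".join(strict_dcs))
            for h in hosts if h["role"] != "dc" and h["level"] < 3]


def audit_all(samples):
    """Audit every sample host and return (per-host results, order problems)."""
    hosts = [audit_host(name, role, output) for name, role, output in samples]
    return hosts, rollout_order_problems(hosts)


if __name__ == "__main__":
    results, problems = audit_all(SAMPLE_HOSTS)
    for host in results:
        status = "; ".join(host["findings"]) or "matches preferred settings"
        print("%-7s %-11s %s" % (host["name"], host["role"], status))
    for problem in problems:
        print("ORDER: " + problem)
```
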
APPENDIX A

Windows 2003 Server Baseline Services Settings

Service Name | Service Application Name | Default Setting | Member Server | Domain Controller
Alerter | Alerter | Disabled | Disabled | Disabled
Application Layer Gateway Service | ALG | Disabled | Disabled | Disabled
Application Management | AppMgmt | Disabled | Disabled | Disabled
ASP .NET State Service | aspnet_state | Disabled | Disabled | Disabled
Automatic Updates | wuauserv | Automatic | Automatic | Automatic
Background Intelligent Transfer Service | BITS | Manual | Manual | Manual
Certificate Services | CertSvc | Disabled | Disabled | Disabled
Client Service for NetWare | NWCWorkstation | Disabled | Disabled | Disabled
ClipBook | ClipSrv | Disabled | Disabled | Disabled
Cluster Service | ClusSvc | Disabled | If Needed | If Needed
COM+ Event Services | EventSystem | Manual | Manual | Manual
COM+ System Application | COMSysApp | Disabled | Disabled | Disabled
Computer Browser | Browser | Automatic | Automatic | Automatic
Cryptographic Services | CryptSvc | Automatic | Automatic | Automatic
DHCP Client | Dhcp | Automatic | Automatic | Automatic
DHCP Server | DHCPServer | Disabled | If Needed | Disabled
Distributed File System (typically DCs only) | Dfs | Disabled | Disabled | Automatic
Distributed Link Tracking Client | TrkWks | Disabled | Disabled | Disabled
Distributed Link Tracking Server | TrkSvr | Disabled | Disabled | Disabled
Distributed Transaction Coordinator | MSDTC | Disabled | Disabled | Disabled
DNS Client | Dnscache | Automatic | Automatic | Automatic
DNS Server (ACNS only) | DNS | Disabled | Disabled | Disabled
Error Reporting Service | ERSvc | Disabled | Disabled | Disabled
Event Log | Eventlog | Automatic | Automatic | Automatic
Fax Service | Fax | Disabled | Disabled | Disabled
File Replication (typically DCs only) | NtFrs | Disabled | Disabled | Automatic
File Server for Macintosh | MacFile | Disabled | If Needed | If Needed
FTP Publishing Service | MSFtpsvc | Disabled | Disabled | Disabled
Help and Support | helpsvc | Disabled | Disabled | Disabled
HTTP SSL | HTTPFilter | Disabled | Disabled | Disabled
Human Interface Device Access | HidServ | Disabled | Disabled | Disabled
IAS Jet Database Access | IASJet | Disabled | Disabled | Disabled
IIS Admin Service | IISADMIN | Disabled | If Needed | Disabled
IMAPI CD-Burning COM Service | ImapiService | Disabled | Disabled | Disabled
Indexing Service | cisvc | Disabled | Disabled | Disabled
Infrared Monitor | Irmon | Disabled | Disabled | Disabled
Internet Authentication Service | IAS | Disabled | Disabled | Disabled
Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) | SharedAccess | Disabled | Disabled | Disabled
Intersite Messaging | IsmServ | Automatic | Automatic | Automatic
IP Version 6 Helper Service | 6to4 | Disabled | Disabled | Disabled
IPSec Policy Agent (IPSec Service) | PolicyAgent | Automatic | Automatic | Automatic
Kerberos Key Distribution Center | Kdc | Automatic | Automatic | Automatic
License Logging Service | LicenseService | Disabled | Disabled | Disabled
Logical Disk Manager | dmserver | Manual | Manual | Manual
Logical Disk Manager Administrative Service | dmadmin | Manual | Manual | Manual
Message Queuing | msmq | Disabled | Disabled | Disabled
Message Queuing Down Level Clients | mqds | Disabled | Disabled | Disabled
Message Queuing Triggers | Mqtgsvc | Disabled | Disabled | Disabled
Messenger | Messenger | Disabled | Disabled | Disabled
Microsoft POP3 Service | POP3SVC | Disabled | Disabled | Disabled
MS Software Shadow Copy Provider | SwPrv | Manual | Manual | Manual
MSSQL$UDDI | MSSQL$UDDI | Disabled | Disabled | Disabled
MSSQLServerADHelper | MSSQLServerADHelper | Disabled | Disabled | Disabled
.NET Framework Support Service | CORRTSvc | Disabled | Disabled | Disabled
Netlogon | Netlogon | Automatic | Automatic | Automatic
NetMeeting Remote Desktop Sharing | mnmsrvc | Disabled | Disabled | Disabled
Network Connections | Netman | Manual | Manual | Manual
Network DDE | NetDDE | Disabled | Disabled | Disabled
Network DDE DSDM | NetDDEdsdm | Disabled | Disabled | Disabled
Network Location Awareness (NLA) | NLA | Manual | Manual | Manual
Network News Transfer Protocol (NNTP) | NntpSvc | Disabled | Disabled | Disabled
NTLM Security Support Provider | NtLmSsp | Automatic | Automatic | Automatic
Performance Logs and Alerts | SysmonLog | Manual | Manual | Manual
Plug and Play | PlugPlay | Automatic | Automatic | Automatic
Portable Media Serial Number | WmdmPmSN | Disabled | Disabled | Disabled
Print Server for Macintosh | MacPrint | Disabled | Disabled | Disabled
Print Spooler | Spooler | Disabled | If Needed | If Needed
Protected Storage | ProtectedStorage | Automatic | Automatic | Automatic
Remote Access Auto Connection Manager | RasAuto | Disabled | Disabled | Disabled
Remote Access Connection Manager | RasMan | Disabled | Disabled | Disabled
Remote Administration Service | SrvcSurg | Manual | Manual | Manual
Remote Desktop Help Session Manager | RDSessMgr | Disabled | Disabled | Disabled
Remote Installation | BINLSVC | Disabled | Disabled | Disabled
Remote Procedure Call (RPC) | RpcSs | Automatic | Automatic | Automatic
Remote Procedure Call (RPC) Locator | RpcLocator | Automatic | Automatic | Automatic
Remote Registry Service | RemoteRegistry | Automatic | Automatic | Automatic
Remote Server Manager | AppMgr | Disabled | Disabled | Disabled
Remote Server Monitor | Appmon | Disabled | Disabled | Disabled
Remote Storage Notification | Remote_Storage_User_Link | Disabled | Disabled | Disabled
Remote Storage Server | Remote_Storage_Server | Disabled | Disabled | Disabled
Removable Storage | NtmsSvc | Manual | Manual | Manual
Resultant Set of Policy Provider | RSoPProv | Disabled | Disabled | Disabled
Routing and Remote Access | RemoteAccess | Disabled | Disabled | Disabled
SAP Agent | nwsapagent | Disabled | Disabled | Disabled
Secondary Logon | seclogon | Disabled | Disabled | Disabled
Security Accounts Manager | SamSs | Automatic | Automatic | Automatic
Server | lanmanserver | Automatic | Automatic | Automatic
Shell Hardware Detection | ShellHWDetection | Disabled | Disabled | Disabled
Simple Mail Transport Protocol (SMTP) | SMTPSVC | Disabled | If Needed | Disabled
Simple TCP/IP Services | SimpTcp | Disabled | Disabled | Disabled
Single Instance Storage Groveler | Groveler | Disabled | Disabled | Disabled
Smart Card | SCardSvr | Disabled | Disabled | Disabled
SNMP Service | SNMP | Disabled | Disabled | Disabled
SNMP Trap Service | SNMPTRAP | Disabled | Disabled | Disabled
Special Administration Console Helper | Sacsvr | Disabled | Disabled | Disabled
SQLAgent$* (* UDDI or WebDB) | SQLAgent$WEBDB | Not Defined | Not Defined | Not Defined
System Event Notification | SENS | Automatic | Automatic | Automatic
Task Scheduler | Schedule | Disabled | Disabled | Disabled
TCP/IP NetBIOS Helper Service | LMHosts | Automatic | Automatic | Automatic
TCP/IP Print Server | LPDSVC | Disabled | Disabled | Disabled
Telephony | TapiSrv | Disabled | Disabled | Disabled
Telnet | TlntSvr | Disabled | Disabled | Disabled
Terminal Services | TermService | Automatic | Automatic | Automatic
Terminal Services Licensing | TermServLicensing | Disabled | If Needed | If Needed
Terminal Services Session Directory | Tssdis | Disabled | Disabled | Disabled
Themes | Themes | Disabled | Disabled | Disabled
Trivial FTP Daemon | tftpd | Disabled | Disabled | Disabled
Uninterruptible Power Supply | UPS | Disabled | If Needed | If Needed
Upload Manager | Uploadmgr | Disabled | Disabled | Disabled
Virtual Disk Service | VDS | Disabled | Disabled | Disabled
Volume Shadow Copy | VSS | Manual | Manual | Manual
WebClient | WebClient | Disabled | Disabled | Disabled
Web Element Manager | elementmgr | Disabled | Disabled | Disabled
Windows Audio | AudioSrv | Disabled | Disabled | Disabled
Windows Image Acquisition (WIA) | StiSvc | Disabled | Disabled | Disabled
Windows Installer | MSIServer | Automatic | Automatic | Automatic
Windows Internet Name Service (WINS) | WINS | Disabled | Disabled | If Needed
Windows Management Instrumentation | winmgmt | Automatic | Automatic | Automatic
Windows Management Instrumentation Driver Extensions | Wmi | Manual | Manual | Manual
Windows Media Services | WMServer | Disabled | Disabled | Disabled
Windows System Resource Manager | WindowsSystemResourceManager | Disabled | Disabled | Disabled
Windows Time | W32Time | Automatic | Automatic | Automatic
WinHTTP Web Proxy Auto-Discovery Service | WinHttpAutoProxySvc | Disabled | Disabled | Disabled
Wireless Configuration | WZCSVC | Disabled | Disabled | Disabled
WMI Performance Adapter | WmiApSrv | Manual | Manual | Manual
Workstation | lanmanworkstation | Automatic | Automatic | Automatic
World Wide Web Publishing Service | W3SVC | Disabled | If Needed | Disabled

APPENDIX B

Resource Links

Securing Windows 2000 Server
http://www.microsoft.com/downloads/details.aspx?FamilyID=9964cf42-e236-4d73-aef4-7b4fdc0a25f6&displaylang=en

Windows 2000 Security Hardening Guide
http://www.microsoft.com/downloads/details.aspx?familyid=15E83186-A2C8-4C8F-A9D0-A0201F639A56&displaylang=en

Windows Server 2003 Security Guide
http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en

Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
http://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=en

Windows Deployment and Resource Kits
http://www.microsoft.com/windows/reskits/default.asp

Exchange Server 2003 Security Hardening Guide
http://www.microsoft.com/downloads/details.aspx?familyid=6A80711F-E5C9-4AEF-9A44-504DB09B9065&displaylang=en

National Security Agency Operating Systems Security Guides
http://www.nsa.gov/snac/downloads_os.cfm?MenuID=scg10.3.1.1

Port Requirements for the Microsoft Windows Server System
http://support.microsoft.com/default.aspx?scid=kb;en-us;832017

How To Harden the TCP Stack
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod109.asp

How To Disable NetBIOS on Windows 2000 Servers in Untrusted Networks
http://www.microsoft.com/technet/security/guidance/secmod153.mspx

Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
http://support.microsoft.com/default.aspx?scid=kb;en-us;823659

Additional Security & Hardening-related Registry Settings
http://www.microsoft.com/technet/security/guidance/secmod57.mspx
5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2 $$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5F/ a]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V 
l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 
5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 
5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l0#(,5S 5 5T5Fa]p2$$If]!vh5S 5 5T5F5F#vS #v #vT#vF:V l 0#(,5S 5 5T5Fa]p2)DyK mhttp://www.microsoft.com/downloads/details.aspx?familyid=6A80711F-E5C9-4AEF-9A44-504DB09B9065&displaylang=enyK http://www.microsoft.com/downloads/details.aspx?familyid=6A80711F-E5C9-4AEF-9A44-504DB09B9065&displaylang=en@@@ %NormalCJ_HaJmH sH tH P@P % Heading 1$ & F@&5CJOJQJaJDA@D Default Paragraph FontRi@R  Table Normal4 l4a (k@(No List6U@6 % Hyperlink >*B*ph4 @4 1vFooter  !.)@. 1v Page Number4O"4 9"N+ & F^aJH@2H  Balloon TextCJOJQJ^JaJ4@B4 5,Header  !FV@QF T;FollowedHyperlink >*B* phkfl0=TU 0abcMN%&`a= > b c H   G H m 34Xi  78\]^678rsxyNSTxyz -./pq!!""@"A"B"u"""" #:#h#i#####$$$%%&&&-&.&)(*(1)2)T)U)V)))***** +++w+x++++++,,,,,,,.//A/B/|0}000000000001A1c1d11111122!232D2j22222222 33+3:3;3<3B3333444441626T6U6V6U9V9x9y9z9::2::!;";#;;;;@<A<B<Z<[<<==>>?>d>>>?/B0BBBC CTCE EEEEEEEUFVFGGHHHI3JJJJVKWKKKBLCLfLLL MM NNNNOPEPoPPPRRSS,T-TyTTTTHUzUUGVVVVLWMWWWXXXXYY^YYYZZZ_[`[[\\]]@]A]B]v]w]]]]<_=_f`g`~````aa#a.ax?z@zPzE}F}`a KOQRp0\]kv12E‰Ӊ:8~'8EP4pq#$YϒВ ϓݓ!"#$7yƔєMdef˘֘LMmn)bc^_ҠӠbcIJYZĥť=>RS״ش#<LZlmu}ȵѵڵ۵ -:CLUVhq{Ķ˶ҶӶ '6?HQR[clu~ȷԷ۷ '(9AKU_`wĸθϸ۸15>GQRszǹйٹڹ  +4>HRSjnwúĺκ׺!"IOXaklû̻ջ޻ &1:CLMks|ɼʼܼ*:HZ[xʽӽԽ'+4=FGɾѾ۾ #,-P\fpz{׿ '.56bjqx(12<FOXaby 4=FOPox &-4;<HOXajk| '(GOYcmn",67T]foxy$./U]foxy(1:CDX`ir{| #2<FPQgnw *@IR[\nv} *3<EFV_hqz{ )23Yajt}~ %./<AJS\]ox!34Q`lx'1;<PW`irs} %7@JTUy%/9:IS\eno )2;<JS\eno )34W_is}~ )FOXabow ()AJQX_`l~QIJvwtufgOPijEGHJKMNPQZ[\ghil000000000 0 0 0 0 0000000000000000000000 0 0 
00000000000000000000000000000000000000000000 0 0 000000000000000000000000000000000000000000000000 00000 00000 00000 00000 00000 0000 0+ 000000000000000000000000000000000000000000000000 00000 00000 0 0000 0 000000 0 000000000000000000000000000000000 0 0 0 0 0 0 0 0 000000000000000000, 0, 0, 0, 00000000000000 0 0 0 000000* 000* 0000 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 00 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 000000000000000000000000000000000000000@00y00@00y00@00y00@00y00@01@0@0@0@0@0y00=TU 0abcMN%&`a= > c H  G H m 34i  78\^78rsxyNSTyz ./pq!""A"B"u"""" #:#h#i#####$$$%%-&.&)(*(1)2)U)V)))****++w+x+++++,,,,,,./A/|0}000000000001A1c1d11111122!232D2j22222222 33+3:3;3B333444441626U6V6U9x9z9::2::";#;;;@<Z<[<<>>>>?/BC CTCEEEUFVFGGHH3JJKBLfL NPPyTTTTHUzUVVVLWMWWWXX^YYZ\]@]B]v]w]]]]<_=_f`g`~````a.adaaabccd4dIdrdddddeeee fffffYgugvggg=hhhhiOimixijj2j3jXjYjjCkkk llalllll+mamm\n]nnno'pkpppp q?qwqxqF}`a KOQE8~'8P4pϒВ!"7yƔєMMҠӠĥ=>S״ش#<LZlmu}ȵѵڵ۵ -:CLUVhq{Ķ˶ҶӶ '6?HQR[clu~ȷԷ۷ '(9AKU_`wĸθϸ۸15>GQRszǹйٹڹ  +4>HRSjnwúĺκ׺!"IOXaklû̻ջ޻ &1:CLMks|ɼʼܼ*:HZ[xʽӽԽ'+4=FGɾѾ۾ #,-P\fpz{׿ '.56bjqx(12<FOXaby 4=FOPox &-4;<HOXajk| '(GOYcmn",67T]foxy$./U]foxy(1:CDX`ir{| #2<FPQgnw *@IR[\nv} *3<EFV_hqz{ )23Yajt}~ %./<AJS\]ox!34Q`lx'1;<PW`irs} %7@JTUy%/9:IS\eno )2;<JS\eno )34W_is}~ )FOXabow ()AJQX_`l~QIJufgPjl000000000 0 0 0 0 000000@000000000000000 0 0 00000000000000000000000000000000000000 0 0 00000000000000000000000000000000000000000 0000 0000 0000 0000 0000 0000 0+ 00000000000000000000000000000000000000000000 00000 00000 0 0{00{00 0 {00@00{00 1{00 @0@0@0@0@0{00{00@0@0@0@0@0@0@0@0@0@0@ 0@ 0@ 0@ 0@ 0@ 0@0@0@0{00{00{00{000{000{030 {030 {040{040 {002{01{01{00{00{01{040 {040{040{000{040@0{03 {03@0@0{00 4}{00@0K0<0K0<0K0<0K0<0K0<0K0<0@0@0@0@0K00BK00>K0E0K0F0@0@0K0J0I@0@0@0K00BK00>K0E0K00?K0O0P@0@0@0K0Q0RK0V0(@0@0@0@0@0K0\03]@0K0Q0@0@0@0@0K00BK00>K0E0K0O0@0@0K0h0%K0h0%i@0K0Q0@0@0@0K0<0{081{081@0@0@0@0K00BK00>K0E0K0F0K00?@0@0@0K0b0 @0K0<0K0<0@0@0@0K00BK00>K0E0K0F0@0K00K00K00K00K000yK00K00K00K00{0_1m`p>{0_1l{0_1kK0<0K0<0K0<0K0<0K00K00?@0K00?K00>K00<@0@0K00GK00K00K00B@0K00BK00>K00@K00?K00?K0 0!K0 
0K0"0K00K00K00@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0K0809K080K0800yK00K000yK00{0h1i>q{0h1{0h1@0K00@0@0 @0 @0 @0 @0 @0 @0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0  @0 @0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0 @0 @0 @0 @0 @0 @0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0 @0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 
@0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0@0 @0 @0 @0 @0 @0{04{00{00{00{00{00{00{00{00{00{00{00{00{00{00{00{00{00{00{040{050{05{050{0 50{0 50 $$$' %F*R16:@CIRK_BemsPEkvy{|~)X6 p', 3|8j:1>CM Uz]ailor+vy‘)ŭl}ڽ:UqҾ 6Qc~Կ 'A_5Qz4Rn!Ok1LsZ+F,\z 5j1Fa 4Ox &;Oj 'Om6]x.]x(C`{ 2Pn@[v*E_z2a}.A\x3`;Wr7T9Sn ;Sn3_}Faw (J_~tgkwz}      !"#$%&'(*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~jx8849@AAA B,BDkkkހKӠ!`0NOQFlDW>s!]2qc L'fBkXXXXXXXXXXXXXXXXXXXXXXXX  '!!Ob$ ˁo^.b$f~9mJe׹b$y:6%(Wb$>՝aB{=!uO@0(  B S  ?k OLE_LINK1 OLE_LINK2 RANGE!A1:E128LLlPP"lBf4rCf4Df읐EfD$Ff<Gfl4HfIf JfܐKf$Lf #MfNfܤOf>PflƓQfNRf̿11113333{{l     11113333$$l    =*urn:schemas-microsoft-com:office:smarttags PlaceType=*urn:schemas-microsoft-com:office:smarttags PlaceName9*urn:schemas-microsoft-com:office:smarttagsplace }׿biow%HN| GNT\U\'#1gm*?nu)V^ 4<JOQ_}%6yIRJRW^)EAIl}EEGGHHJKMNPQilEEGGHHJKMNPQil>>AACCEEBLBLVVKWWXXYYddІֆPQQ::Γϓ""ͯQuDEEGGHHJKMNPQilEEGGHHJKMNPQil0&Pq.mT!+7Q"v7Hp- gU-ؿ? 
,Lj La1jr @LG$CXbBY!<#\hV&x )&B ';,rrb{,P @ZY-Tb'/0$*b9sS<*(b2CҫnfF.pbF>lxeIGJҞN ZK>dGX9P~SFS$dgYTj aT٪G Z I4lKZxBm[(ɴ%{dt9{Ie&f%ePf4A?1Wh`nK%yi$ukT"x,[lLaIlV{wczd{*;2qqm~8ސ~ 'h88^8`OJQJo(hHh^`OJQJ^Jo(hHoh  ^ `OJQJo(hHh  ^ `OJQJo(hHhxx^x`OJQJ^Jo(hHohHH^H`OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHoh^`OJQJo(hH ^`OJQJo("  ^`OJQJo("  pp^p`OJQJo("  @ @ ^@ `OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  PP^P`OJQJo(" h ^`o(hH.h^`OJQJ^Jo(hHohpp^p`OJQJo(hHh@ @ ^@ `OJQJo(hHh^`OJQJ^Jo(hHoh^`OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHohPP^P`OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHohpp^p`OJQJo(hHh@ @ ^@ `OJQJo(hHh^`OJQJ^Jo(hHoh^`OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHohPP^P`OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHohpp^p`OJQJo(hHh@ @ ^@ `OJQJo(hHh^`OJQJ^Jo(hHoh^`OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHohPP^P`OJQJo(hH^`o(.h^`OJQJo(hHh^`OJQJo(hHh^`OJQJo(hHh^`OJQJo(hH L^`LhH. ^`hH. ^`hH. PLP^P`LhH. hh^h`56o(. 88^8`hH. L^`LhH.   ^ `hH.   ^ `hH. xLx^x`LhH. HH^H`hH. ^`hH. L^`LhH.h   ^ `hH.h ^`hH.h L^`LhH.h | | ^| `hH.h LL^L`hH.h L^`LhH.h ^`hH.h ^`hH.h L^`LhH.h^`OJQJo(hH 88^8`hH. L^`LhH.   ^ `hH.   ^ `hH. xLx^x`LhH. HH^H`hH. ^`hH. L^`LhH.h^`OJQJo(hHh^`OJQJ^Jo(hHohpp^p`OJQJo(hHh@ @ ^@ `OJQJo(hHh^`OJQJ^Jo(hHoh^`OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHohPP^P`OJQJo(hH^`o(. ^`hH. pLp^p`LhH. @ @ ^@ `hH. ^`hH. L^`LhH. ^`hH. ^`hH. PLP^P`LhH. ^`OJQJo("  ^`OJQJo("  pp^p`OJQJo("  @ @ ^@ `OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  PP^P`OJQJo(" YY^Y`o(. ))^)`hH. L^`LhH.   ^ `hH.   ^ `hH. iLi^i`LhH. 99^9`hH.   ^ `hH. L^`LhH. ^`OJQJo("  ^`OJQJo("  pp^p`OJQJo("  @ @ ^@ `OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  PP^P`OJQJo(" 808^8`0o(. ^`hH. pLp^p`LhH. @ @ ^@ `hH. ^`hH. L^`LhH. ^`hH. ^`hH. PLP^P`LhH. ^`o(. ^`hH. L^`LhH.   ^ `hH. \ \ ^\ `hH. ,L,^,`LhH. ^`hH. ^`hH. L^`LhH. ^`OJQJo("  ^`OJQJo("  pp^p`OJQJo("  @ @ ^@ `OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  PP^P`OJQJo(" hh^h`o(. 88^8`hH. L^`LhH.   ^ `hH.   ^ `hH. xLx^x`LhH. HH^H`hH. ^`hH. L^`LhH.hh^h`o(.pp^p`.@ L@ ^@ `L.^`.^`.L^`L.^`.PP^P`. 
L ^ `L.hhh^h`.^`o(.hpLp^p`L.h@ @ ^@ `.h^`.hL^`L.h^`.h^`.hPLP^P`L. ^`OJQJo("  ^`OJQJo("  pp^p`OJQJo("  @ @ ^@ `OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  PP^P`OJQJo(" h^`o(.h^`.h L ^ `L.h@ @ ^@ `.h^`.hL^`L.h^`.h^`.hPLP^P`L.h  ^ `OJQJo(hHh^`OJQJ^Jo(hHoh^`OJQJo(hHh| | ^| `OJQJo(hHhLL^L`OJQJ^Jo(hHoh^`OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHoh^`OJQJo(hHh   ^ `hH.h ^`hH.h L^`LhH.h | | ^| `hH.h LL^L`hH.h L^`LhH.h ^`hH.h ^`hH.h L^`LhH. ^`OJQJo("  ^`OJQJo("  pp^p`OJQJo("  @ @ ^@ `OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  PP^P`OJQJo("  ^`OJQJo("  ^`OJQJo("  pp^p`OJQJo("  @ @ ^@ `OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  PP^P`OJQJo("  ^`OJQJo("  ^`OJQJo("  pp^p`OJQJo("  @ @ ^@ `OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  PP^P`OJQJo("  ^`OJQJo("  ^`OJQJo("  pp^p`OJQJo("  @ @ ^@ `OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  PP^P`OJQJo(" h   ^ `hH.h ^`hH.h L^`LhH.h | | ^| `hH.h LL^L`hH.h L^`LhH.h ^`hH.h ^`hH.h L^`LhH.::^:`o(.   ^ `hH. L^`LhH.   ^ `hH. z z ^z `hH. JLJ^J`LhH. ^`hH. ^`hH. L^`LhH. ^`OJQJo("  ^`OJQJo("  pp^p`OJQJo("  @ @ ^@ `OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  PP^P`OJQJo("  ^`OJQJo("  ^`OJQJo("  pp^p`OJQJo("  @ @ ^@ `OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  PP^P`OJQJo("  ^`OJQJo("  ^`OJQJo("  pp^p`OJQJo("  @ @ ^@ `OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  PP^P`OJQJo("  ^`OJQJo("  ^`OJQJo("  pp^p`OJQJo("  @ @ ^@ `OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  PP^P`OJQJo(" hh^h`5o(. 88^8`hH. L^`LhH.   ^ `hH.   ^ `hH. xLx^x`LhH. HH^H`hH. ^`hH. L^`LhH. ^`OJQJo("  ^`OJQJo("  pp^p`OJQJo("  @ @ ^@ `OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  PP^P`OJQJo(" h ^`hH.h ^`hH.h pLp^p`LhH.h @ @ ^@ `hH.h ^`hH.h L^`LhH.h ^`hH.h ^`hH.h PLP^P`LhH. 
p^ `pOJQJo(hH  ^ `OJQJ^Jo(hHo  ^ `OJQJo(hHxx^x`OJQJo(hHHH^H`OJQJ^Jo(hHo^`OJQJo(hH^`OJQJo(hH^`OJQJ^Jo(hHo^`OJQJo(hH ^`OJQJo("  ^`OJQJo("  pp^p`OJQJo("  @ @ ^@ `OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  PP^P`OJQJo("  ^`OJQJo("  ^`OJQJo("  pp^p`OJQJo("  @ @ ^@ `OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  PP^P`OJQJo(" 88^8`o(.p0p^p`0o(.  L ^ `LhH.   ^ `hH. xx^x`hH. HLH^H`LhH. ^`hH. ^`hH. L^`LhH. hh^h`56o(. 88^8`hH. L^`LhH.   ^ `hH.   ^ `hH. xLx^x`LhH. HH^H`hH. ^`hH. L^`LhH. ^`OJQJo("  ^`OJQJo("  pp^p`OJQJo("  @ @ ^@ `OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  PP^P`OJQJo("  ^`OJQJo("  ^`OJQJo("  pp^p`OJQJo("  @ @ ^@ `OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  PP^P`OJQJo(" h88^8`OJQJo(hHh^`OJQJ^Jo(hHoh  ^ `OJQJo(hHh  ^ `OJQJo(hHhxx^x`OJQJ^Jo(hHohHH^H`OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHoh^`OJQJo(hHYY^Y`o(. ))^)`hH. L^`LhH.   ^ `hH.   ^ `hH. iLi^i`LhH. 99^9`hH.   ^ `hH. L^`LhH. ^`OJQJo("  ^`OJQJo("  pp^p`OJQJo("  @ @ ^@ `OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  ^`OJQJo("  PP^P`OJQJo(" ^`OJQJo(hH^`OJQJ^Jo(hHopp^p`OJQJo(hH@ @ ^@ `OJQJo(hH^`OJQJ^Jo(hHo^`OJQJo(hH^`OJQJo(hH^`OJQJ^Jo(hHoPP^P`OJQJo(hH0nfF><#$qqm~,[l+7b9$uk&PqgU-7H e)&CX;,b'/1SFSbFYTlKZaTIlX9P[mT?1WhGJY!9{Ie~eIsS<b{,K%yihV& ZN ZK{w zd{LG2CZY-{d f00         u:@jV bpʁ`\MTĀw                                                                        u"b0kM$Gjnz@>A||U4D~6        C­[<Ă\uοXM< N        |>        .;~chFn2`OD,fz|        V#X       p&.?Ԩh:Ժ|.vvػ8,A+                          xB*Fh9B0Xk΢`'v~4,F1V6@Fqu*0QTFfH$ʭnkԄFkd*lfvKNHNC,J~                  :J"PΞx<f˾_B>rPH?Fe,v-QJ%hZZvjz\/6?j:`/zx6p42pը@l<,t\aHBhqI^9<&V0uZ8         Xs@         ,>d{"^ F0En&nVޚ>nddB^T"=J~P¬Β8{SzE0T=       x:        ^:N H8X2$2HF`JpOdTB}RY:V]dd:,(ڔ          W        (RJ,:2[ˬ9 RB,0^         Kt[N?'wY$'?.|oQQ^O_Q-.|oN[C0 Rc .|o .|o tbfb.|oycc.|oY.|o-R.|oTwY$'M\.|o.2&.|o>!wY$'6D".|ob"wY$'S["wY$'$N[B&.|owY$'Z0;$U'.|o{(wY$'/).|o-<"r-.|oh..|oC0Oj5K=Pz$6.|oWo7wY$'S8.|oZ0;jO <A>wY$'[N?R?.|o++C.|o 
LFK=Pzm[M.|o'9uM-EVMN[Z8N'9uM;^NwY$'Q^OK=PjO <T6QQbS.|oIUK=P05Wk]VZ.|o.p].|o- _.|o^_wY$'B`.|opXb.|o#\i.|o~k.|o}+l.|o,JlwY$'l.|o.|o05WOq.|olrt+,s.|o@ovK=Py.|oINz.|ofz.|o.G{.|o>l}.|o'9uM$:W  K S  I ? /D J^AKq@0H`F!v! "9"%#-#R#6%H%&$'h(0c(w(4t)@,>/W/T2L3 25*?58 88Z9A:T;BG;<uOA BBeCFD#&HYILzL=Q~_QR[,U1USU6 VWY\K^`\`<a50c d-geilBp`8rit5vtxf4yX{!|1v \{`eT64% mu||3-_P{93h2LBBi Fo<Hhoi?o~ W=~d, <4< C*0 ge*r3-V"VJKk?k(5,|rJ bn/k2t867Vr6NnA? #<LZlmu}ȵѵڵ۵ -:CLUVhq{Ķ˶ҶӶ '6?HQR[clu~ȷԷ۷ '(9AKU_`wĸθϸ۸15>GQRszǹйٹڹ  +4>HRSjnwúĺκ׺!"IOXaklû̻ջ޻ &1:CLMks|ɼʼܼ*:HZ[xʽӽԽ'+4=FGɾѾ۾ #,-P\fpz{׿ '.56bjqx(12<FOXaby 4=FOPox &-4;<HOXajk| '(GOYcmn",67T]foxy$./U]foxy(1:CDX`ir{| #2<FPQgnw *@IR[\nv} *3<EFV_hqz{ )23Yajt}~ %./<AJS\]ox!34Q`lx'1;<PW`irs} %7@JTUy%/9:IS\eno )2;<JS\eno )34W_is}~ )FOXabow ()AJQX_`l~l@ kp@UnknownGz Times New Roman5Symbol3& z Arial5& zaTahoma?5 z Courier New;Wingdings"1h࢕࢕{#!Zt!Zt!4d 2QHX ?%21CSU Windows Group  Securing Windows Server TasksACNSACNS0                           ! " # $ % & ' ( ) * + , - . 
/ Oh+'0$ 4@ ` l x 4CSU Windows Group Securing Windows Server TasksACNS Normal.dotACNS2Microsoft Office Word@F#@S @ha]@ha]!Z՜.+,D՜.+,t0 hp  Colorado State Universityt 2CSU Windows Group Securing Windows Server Tasks Title 8@ _PID_HLINKSAEAhttp://www.microsoft.com/technet/security/guidance/secmod57.mspx= B?http://support.microsoft.com/default.aspx?scid=kb;en-us;823659P?Bhttp://www.microsoft.com/technet/security/guidance/secmod153.mspxgl<[http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod109.asp8)9?http://support.microsoft.com/default.aspx?scid=kb;en-us;832017g 6<http://www.nsa.gov/snac/downloads_os.cfm?MenuID=scg10.3.1.1LE3http://nsa2.www.conxion.com/Y0mhttp://www.microsoft.com/downloads/details.aspx?familyid=6A80711F-E5C9-4AEF-9A44-504DB09B9065&displaylang=enS-5http://www.microsoft.com/windows/reskits/default.aspVP*mhttp://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=enVP'mhttp://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=en]]$mhttp://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en]]!mhttp://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=enmhttp://www.microsoft.com/downloads/details.aspx?familyid=15E83186-A2C8-4C8F-A9D0-A0201F639A56&displaylang=enmhttp://www.microsoft.com/downloads/details.aspx?familyid=15E83186-A2C8-4C8F-A9D0-A0201F639A56&displaylang=enPmhttp://www.microsoft.com/downloads/details.aspx?FamilyID=9964cf42-e236-4d73-aef4-7b4fdc0a25f6&displaylang=enPmhttp://www.microsoft.com/downloads/details.aspx?FamilyID=9964cf42-e236-4d73-aef4-7b4fdc0a25f6&displaylang=en0/?http://support.microsoft.com/default.aspx?scid=kb;en-us;324949MQhttp://www.microsoft.com/mac/otherproducts/otherproducts.aspx?pid=windows2000sfm<. 
?http://support.microsoft.com/default.aspx?scid=kb;en-us;288358T .http://support.microsoft.com/kb/246261/EN-US/z]*mailto:subnet-managers@yuma.colostate.eduZLhttp://www.sysinternals.com/BE>http://www.colostate.edu/Services/ACNS/listserv/subother.html  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~    %Root Entry FBa]'Data 1Table_WordDocument4fSummaryInformation( DocumentSummaryInformation8HCompObjq  FMicrosoft Office Word Document MSWordDocWord.Document.89qRoot Entry FKeV'Data 1Table_WordDocument4f    5+,-./01234՜.+,D՜.+,t0 hp  Colorado State Universityt 2CSU Windows Group Securing Windows Server Tasks Title 8@ _PID_HLINKSAEAhttp://www.microsoft.com/technet/security/guidance/secmod57.mspx= B?http://support.microsoft.com/default.aspx?scid=kb;en-us;823659P?Bhttp://www.microsoft.com/technet/security/guidance/secmod153.mspxgl<[http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod109.asp8)9?http://support.microsoft.com/default.aspx?scid=kb;en-us;832017g 
6<http://www.nsa.gov/snac/downloads_os.cfm?MenuID=scg10.3.1.1LE3http://nsa2.www.conxion.com/Y0mhttp://www.microsoft.com/downloads/details.aspx?familyid=6A80711F-E5C9-4AEF-9A44-504DB09B9065&displaylang=enS-5http://www.microsoft.com/windows/reskits/default.aspVP*mhttp://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=enVP'mhttp://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=en]]$mhttp://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=en]]!mhttp://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4db&displaylang=enmhttp://www.microsoft.com/downloads/details.aspx?familyid=15E83186-A2C8-4C8F-A9D0-A0201F639A56&displaylang=enmhttp://www.microsoft.com/downloads/details.aspx?familyid=15E83186-A2C8-4C8F-A9D0-A0201F639A56&displaylang=enPmhttp://www.microsoft.com/downloads/details.aspx?FamilyID=9964cf42-e236-4d73-aef4-7b4fdc0a25f6&displaylang=enPmhttp://www.microsoft.com/downloads/details.aspx?FamilyID=9964cf42-e236-4d73-aef4-7b4fdc0a25f6&displaylang=en0/?http://support.microsoft.com/default.aspx?scid=kb;en-us;324949MQhttp://www.microsoft.com/mac/otherproducts/otherproducts.aspx?pid=windows2000sfm<. ?http://support.microsoft.com/default.aspx?scid=kb;en-us;288358T .http://support.microsoft.com/kb/246261/EN-US/z]*mailto:subnet-managers@yuma.colostate.eduZLhttp://www.sysinternals.com/BE>http://www.colostate.edu/Services/ACNS/listserv/subother.htmlSummaryInformation( DocumentSummaryInformation8*HCompObjq