Windows 10
Windows Server 10
This spreadsheet lists the policy settings for computer and user configurations that are included in the Administrative template files (.admx an...
The policy settings included in this spreadsheet cover Windows 10, Windows Server 2012 R2, Windows Server 2012, Wi...
Windows 8.1, Windows 8, Windows 7, Windows Vista with SP1, Windows XP Professional with SP2 or earlier service packs, and Microsoft W...
These files are used to expose policy settings when you use the Group Policy Management Console (GPMC) to edit Group Policy Objects (G...
You can use the filtering capabilities that are included in this spreadsheet to view a specific subset of data, based on one value or a combinat...
in one or more of the columns. In addition, you can click Custom in the drop-down list of any of the column headings to add additional filtering...
To view a specific subset of data, click the drop-down arrow in the column heading of cells that contain the value or combination of values on...
and then click the desired value in the drop-down list. For example, to view policy settings that are available for Windows Server 2012 or Wind...
Administrative Template worksheet, click the drop-down arrow next to Supported On, and then click At least Microsoft Windows Server...
Legal Notice
This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change withou
Some examples depicted herein are provided for illustration only and are fictitious.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your inte
Active Directory, Hyper-V, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, Windows Server,
and Windows Vista are trademarks of the Microsoft group of companies.
Deny log on locally
This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting...
Important
If you apply this security policy to the Everyone group, no one will be able to log on locally.
Default: None.

Deny log on through Remote Desktop Services
This security setting determines which users and groups are prohibited from logging on as a Remote Desktop Services client.
Important
If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services.
Default: None.

Enable computer and user accounts to be trusted for delegation
This security setting determines which users can set the Trusted for Delegation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running ... flag set.
Caution
Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that im...
Default: Administrators on domain controllers.

Force shutdown from a remote system
This security setting determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a...
Default:
On workstations and servers: Administrators.
On domain controllers: Administrators, Server Operators.

Generate security audits
This security setting determines which accounts can be used by a process to add entries in the security log. The security log is used to trace unauthorized syste...
... setting is enabled. For more information, see Audit: Shut down system immediately if unable to log security audits.
Default: Local Service, Network Service.
This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Impersonate a client after authentication
Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation pr... permissions to administrative or system levels.
In addition, a user can also impersonate an access token if any of the following conditions exist:
The access token that is being impersonated is for this user.
The user, in this logon session, created the access token by logging on to the network with explicit credentials.
The requested level is less than Impersonate, such as Anonymous or Identify.
Because of these factors, users do not usually need this user right.
Warning
If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
Note: For more information, search for "SeImpersonatePrivilege" in the Microsoft Platform SDK.
This policy setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2.
This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.
Default: Administrators, Local Service, Network Service, Service.

Increase a process working set
This privilege determines which user accounts can increase or decrease the size of a process's working set.
The working set of a process is the set of memory pages currently visible to the process in physical RAM. These pages are resident and available for an...
Warning
Increasing the working set size for a process decreases the amount of physical memory available to the rest of the system.
Default: Users.

Increase scheduling priority
This security setting determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to...
Default: Administrators.

Load and unload device drivers
This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug an...
Caution
Assigning this user right can be a security risk. Only assign this user right to trusted users.
Default: Administrators.
Lock pages in memory
This security setting determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual m...
Default: None.

Log on as a batch job
This security setting allows a user to be logged on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows.
For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user.
Default: Administrators, Backup Operators, Performance Log Users.

Log on as a service
This security setting allows a security principal to log on as a service. Services can be configured to run under the Local System, Local Service, or Network Serv...
Default setting: None.
Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Mod...

Log on locally
Determines which users can log on to the computer.
Default:
On workstations and servers: Administrators, Backup Operators, Power Users, Users, and Guest.
On domain controllers: Account Operators, Administrators, Backup Operators, Print Operators, and Server Operators.
... Allow log on locally in ... (htt...

Manage auditing and security log
This security setting determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and regis...
This security setting does not allow a user to enable file and object access auditing in general. For such auditing to be enabled, the Audit object access setting...
You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.
Default: Administrators.

Modify an object label
This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processe...
Default: None.
Modify firmware environment values
This security setting determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non...
On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, w...
On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default...
On all computers, this user right is required to install or upgrade Windows.
Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced...
Default: Administrators.

Perform volume maintenance tasks
This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation.
Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extende...
Default: Administrators.

Profile single process
This security setting determines which users can use performance monitoring tools to monitor the performance of nonsystem processes.
Default: Administrators, Power Users.

Profile system performance
This security setting determines which users can use performance monitoring tools to monitor the performance of system processes.
Default: Administrators.

Remove computer from docking station
This security setting determines whether a user can undock a portable computer from its docking station without logging on.
If this policy is enabled, the user must log on before removing the portable computer from its docking station. If this policy is disabled, the user may remove the p...
Default: Administrators, Power Users, Users.

Replace a process level token
This security setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start...
Default: Network Service, Local Service.
Restore files and directories
This security setting determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and dire...
Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:
Traverse Folder/Execute File
Write
Caution
Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, o...
Default:
Workstations and servers: Administrators, Backup Operators.
Domain controllers: Administrators, Backup Operators, Server Operators.

Shut down the system
This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Mis...
Default:
Workstations: Administrators, Backup Operators, Users.
Servers: Administrators, Backup Operators.
Domain controllers: Administrators, Backup Operators, Server Operators, Print Operators.

Synchronize directory service data
This security setting determines which users and groups have the authority to synchronize all directory service data. This is also known as Active Directory sync...
Default: None.

Take ownership of files or other objects
This security setting determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, print...
Caution
Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users.
Default: Administrators.
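The user rights above are stored by the Local Security Authority under their constant names (SeImpersonatePrivilege, SeTakeOwnershipPrivilege, and so on), and secedit can export them as a [Privilege Rights] section. The following PowerShell script is an added example, not part of the Group Policy Settings Reference or of any Microsoft tool: it exports the local User Rights Assignment, parses the section, and lists every principal that holds one of the rights the reference flags as a security risk beyond an assumed baseline. The baseline table is an assumption built from the defaults listed above (workstation and member-server defaults, expressed as SIDs so the check is locale-independent); adjust it for domain controllers or your own build. Run it from an elevated prompt, since secedit /export requires administrative rights.

```powershell
# Added example (not from the Group Policy Settings Reference): audit User Rights
# Assignment for grants of high-impact rights outside an assumed baseline.
# Requires an elevated prompt; secedit writes a UTF-16 .inf that Get-Content reads.

# Assumed baseline: the workstation/member-server defaults named in the reference.
# Well-known SIDs: BA S-1-5-32-544 Administrators, BO S-1-5-32-551 Backup Operators,
# SU S-1-5-6 Service, LS S-1-5-19 Local Service, NS S-1-5-20 Network Service.
$baseline = [ordered]@{
  'SeEnableDelegationPrivitlege'  = @()                                                 # placeholder replaced below
}
$baseline = [ordered]@{
  'SeEnableDelegationPrivilege'   = @()                                                 # Enable ... trusted for delegation (DC only)
  'SeImpersonatePrivilege'        = @('S-1-5-32-544','S-1-5-6','S-1-5-19','S-1-5-20')   # Impersonate a client after authentication
  'SeLoadDriverPrivilege'         = @('S-1-5-32-544')                                   # Load and unload device drivers
  'SeTakeOwnershipPrivilege'      = @('S-1-5-32-544')                                   # Take ownership of files or other objects
  'SeRestorePrivilege'            = @('S-1-5-32-544','S-1-5-32-551')                    # Restore files and directories
  'SeManageVolumePrivilege'       = @('S-1-5-32-544')                                   # Perform volume maintenance tasks
  'SeAssignPrimaryTokenPrivilege' = @('S-1-5-19','S-1-5-20')                            # Replace a process level token
  'SeSecurityPrivilege'           = @('S-1-5-32-544')                                   # Manage auditing and security log
  'SeRemoteShutdownPrivilege'     = @('S-1-5-32-544')                                   # Force shutdown from a remote system
  'SeSyncAgentPrivilege'          = @()                                                 # Synchronize directory service data
}

function Get-PrivilegeRights {
  # Export only the USER_RIGHTS area and parse "SeXxx = *S-1-...,*S-1-..." lines.
  param([string]$InfPath)
  secedit /export /cfg $InfPath /areas USER_RIGHTS | Out-Null
  $rights = @{}
  $inSection = $false
  foreach ($line in Get-Content $InfPath) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
      # Entries are SIDs prefixed with '*'; unresolved accounts appear as bare names.
      $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
  }
  return $rights
}

function Resolve-Principal([string]$Sid) {
  try { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
  catch { $Sid }   # orphaned domain SID or a bare name: report it as-is
}

$inf = Join-Path $env:TEMP 'userrights.inf'
try {
  $rights = Get-PrivilegeRights -InfPath $inf
  foreach ($name in $baseline.Keys) {
    $granted = if ($rights.ContainsKey($name)) { $rights[$name] } else { @() }
    foreach ($sid in ($granted | Where-Object { $baseline[$name] -notcontains $_ })) {
      [pscustomobject]@{ Right = $name; Principal = (Resolve-Principal $sid); Note = 'not in baseline' }
    }
  }
} finally {
  Remove-Item $inf -ErrorAction SilentlyContinue
}
```

A right that is absent from the export has no holders at all, which is the "None" default the reference gives for Lock pages in memory, Modify an object label and Synchronize directory service data; the script treats that as an empty grant rather than an error. Output is a list of objects, so it can be piped to Format-Table or exported for a fleet-wide comparison.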
Accounts: Administrator account status
This security setting determines whether the local Administrator account is enabled or disabled.
Notes
If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, ...
Disabling the Administrator account can become a maintenance issue under certain circumstances.
Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administr...
Default: Disabled.

Accounts: Block Microsoft accounts
This policy setting prevents users from adding new Microsoft accounts on this computer.
If you select the "Users can't add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a...
If you select the "Users can't add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this...
If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.

Accounts: Guest account status
This security setting determines if the Guest account is enabled or disabled.
Default: Disabled.
Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logon...

Accounts: Limit local account use of blank passwords to console logon only
This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer c...
Default: Enabled.
Warning
Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physica...
This setting does not affect logons that use domain accounts.
It is possible for applications that use remote interactive logons to bypass this setting.

Accounts: Rename administrator account
This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the we...
Default: Administrator.

Accounts: Rename guest account
This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-kno...
Default: Guest.

Audit: Audit the access of global system objects
This security setting determines whether to audit the access of global system objects.
If this policy is enabled, it causes system objects, such as mutexes, events, semaphores and DOS devices, to be created with a default system access control lis...
Note: When configuring this security setting, changes will not take effect until you restart Windows.
Default: Disabled.

Audit: Audit the use of Backup and Restore privilege
This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect. Ena...
If you disable this policy, then use of the Backup or Restore privilege is not audited even when Audit privilege use is enabled.
Note: On Windows versions prior to Windows Vista configuring this security setting, changes will not take effect until you restart Windows. Enabling this setting c...
Default: Disabled.
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at th...
... the domain or upgraded to Windows Vista or later versions. To allow audit policy to be managed using subcategories without requiring a change to Group Policy...
If the category level audit policy set here is not consistent with the events that are currently being generated, the cause might be that this registry key is set.
Default: Enabled.

Audit: Shut down system immediately if unable to log security audits
This security setting determines whether the system shuts down if it is unable to log security events.
If this security setting is enabled, it causes the system to stop if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the...
If the security log is full and an existing entry cannot be overwritten, and this security option is enabled, the following Stop error appears:
STOP: C0000244 {Audit Failed}
An attempt to generate a security audit failed.
To recover, an administrator must log on, archive the log (optional), clear the log, and reset this option as desired. Until this security setting is reset, no users, oth...
Note: On Windows versions prior to Windows Vista configuring this security setting, changes will not take effect until you restart Windows.
Default: Disabled.

DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
This policy setting determines which users or groups can access DCOM applications remotely or locally. This setting is used to control the attack surface of the co...
You can use this policy setting to specify access permissions to all the computers to particular users for DCOM applications in the enterprise. When you specify...
... is defined in the template, but it is not enforced. Users and groups can be given explicit Allow or Deny privileges on both local access and remote access.
The registry settings that are created as a result of enabling the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting take precedence over the existing registry settings in this area. Remote Procedure Call Services ... entries take precedence over the existing registry keys under OLE. This means that previously existing registry settings are no longer effective, and if you make...
The possible values for this policy setting are:
Blank. This represents the local security policy way of deleting the policy enforcement key. This value deletes the policy and then sets it as Not defined state. T...
SDDL. This is the Security Descriptor Definition Language representation of the groups and privileges you specify when you enable this policy.
Not Defined. This is the default value.
Note: If the administrator is denied access to access DCOM applications due to the changes made to DCOM in Windows, the administrator can use the DCOM: M... This will restore control of the DCOM application to the administrator and users.
To do this, open the DCOM: Machine Access Restrictions setting ... permissions for those groups. This defines the setting and sets the appropriate SDDL value.
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
This policy setting determines which users or groups can launch or activate DCOM applications remotely or locally. This setting is used to control the attack surf...
You can use this setting to grant access to all the computers to users of DCOM applications. When you define this setting, and specify the users or groups that...
... is defined in the template, but it is not enforced. Users and groups can be given explicit Allow or Deny privileges on local launch, remote launch, local activation, and remote activation.
The registry settings that are created as a result of this policy take precedence over the previous registry settings in this area. Remote Procedure Call Services ...
The possible values for this Group Policy setting are:
Blank. This represents the local security policy way of deleting the policy enforcement key. This value deletes the policy and then sets it as Not defined state. T...
SDDL. This is the Security Descriptor Definition Language representation of the groups and privileges you specify when you enable this policy.
Not Defined. This is the default value.
Note: If the administrator is denied access to activate and launch DCOM applications due to the changes made to DCOM in this version of Windows, this policy setting ... the DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting. This restores control of the DCOM application to the admi...
... permissions for those groups. This defines the setting and sets the appropriate SDDL value.
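Both DCOM policies above store their value as an SDDL string whose access-mask bits are COM rights rather than file rights, so reading the raw string tells an auditor little. The following PowerShell script is an added example, not part of the Group Policy Settings Reference: it reads the MachineLaunchRestriction and MachineAccessRestriction values from the policy key, parses the SDDL with the .NET RawSecurityDescriptor class, and prints each ACE as a principal, an allow/deny type and the decoded COM rights (Local Launch, Remote Activation, Local Access, and so on). When the policy key is absent (the Not Defined default), it decodes a constructed sample string instead so the decoder can be tried on any machine; that sample and its principals are an assumption for illustration, not a Microsoft default.

```powershell
# Added example (not from the Group Policy Settings Reference): decode the SDDL
# behind DCOM: Machine Access/Launch Restrictions into readable COM rights.

# COM_RIGHTS_* bit values from the Windows SDK. The launch ACL and the access ACL
# use the same low bits with different meanings.
$launchBits = @{ 1 = 'Execute'; 2 = 'Local Launch'; 4 = 'Remote Launch'; 8 = 'Local Activation'; 16 = 'Remote Activation' }
$accessBits = @{ 1 = 'Execute'; 2 = 'Local Access'; 4 = 'Remote Access' }

function ConvertFrom-DcomSddl {
  param([string]$Sddl, [hashtable]$Bits)
  # RawSecurityDescriptor parses the string without touching any object.
  $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
  if ($null -eq $sd.DiscretionaryAcl) { return @() }
  foreach ($ace in $sd.DiscretionaryAcl) {
    $rights = foreach ($bit in ($Bits.Keys | Sort-Object)) { if ($ace.AccessMask -band $bit) { $Bits[$bit] } }
    $who = try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
           catch { $ace.SecurityIdentifier.Value }   # unresolvable SID: keep the raw form
    [pscustomobject]@{ Type = $ace.AceType; Principal = $who; Rights = ($rights -join ', ') }
  }
}

# Policy values land here as REG_SZ; the non-policy defaults the reference calls
# "the existing registry keys under OLE" are binary descriptors under HKLM\SOFTWARE\Microsoft\Ole.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM' -ErrorAction SilentlyContinue

# Constructed sample (assumption): Administrators (BA) get every right, Everyone (WD)
# may launch and activate locally only, Anonymous (AN) is explicitly denied.
# SDDL generic letters CC=1, DC=2, LC=4, SW=8, RP=16 map onto the COM bits above.
$sampleLaunch = 'O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)(D;;CCDCLCSWRP;;;AN)'

if ($policy -and $policy.MachineLaunchRestriction) {
  $launchSddl = $policy.MachineLaunchRestriction; $source = 'from policy'
} else {
  $launchSddl = $sampleLaunch; $source = 'constructed sample, policy not defined'
}
"Machine Launch Restrictions ($source):"
ConvertFrom-DcomSddl -Sddl $launchSddl -Bits $launchBits | Format-Table -AutoSize

if ($policy -and $policy.MachineAccessRestriction) {
  'Machine Access Restrictions (from policy):'
  ConvertFrom-DcomSddl -Sddl $policy.MachineAccessRestriction -Bits $accessBits | Format-Table -AutoSize
} else {
  'Machine Access Restrictions: not defined in policy, so the OLE defaults remain in force.'
}
```

The check worth making with this output is whether any Allow ACE grants Remote Launch or Remote Activation to Everyone, Authenticated Users or Anonymous; that is the remote attack surface these two policies exist to limit. A Deny ACE listed before an Allow for the same principal wins, so the order printed is the order that matters.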
Devices: Allow undock without having to log on
This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an exa...
Default: Enabled.
Caution
Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject butto...

Devices: Allowed to format and eject removable media
This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to:
Administrators
Administrators and Interactive Users
Default: This policy is not defined and only Administrators have this ability.

Devices: Prevent users from installing printer drivers when connecting to shared printers
For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allow...
... as part of connecting to a shared printer.
Default on servers: Enabled.
Default on workstations: Disabled.
Notes
This setting does not affect the ability to add a local printer.
This setting does not affect Administrators.
Devices: Restrict CD-ROM access to locally logged-on user only
This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously.
If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on inte...
Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user.

Devices: Restrict floppy access to locally logged-on user only
This security setting determines whether removable floppy media are accessible to both local and remote users simultaneously.
If this policy is enabled, it allows only the interactively logged-on user to access removable floppy media. If this policy is enabled and no one is logged on interac...
Default: This policy is not defined and floppy disk drive access is not restricted to the locally logged-on user.

Devices: Unsigned driver installation behavior
This security setting determines what happens when an attempt is made to install a device driver (by means of Setup API) that has not been tested by the Windo...
The options are:
Silently succeed
Warn but allow installation
Do not allow installation
Default: Warn but allow installation.
Domain controller: Allow server operators to schedule tasks
This security setting determines if Server Operators are allowed to submit jobs by means of the AT schedule facility.
Note: This security setting only affects the AT schedule facility; it does not affect the Task Scheduler facility.
Default: This policy is not defined, which means that the system treats it as disabled.

Domain controller: LDAP server signing requirements
This security setting determines whether the LDAP server requires signing to be negotiated with LDAP clients, as follows:
None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.
Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.
Default: This policy is not defined, which has the same effect as None.
Domain controller: Refuse machine account password changes
This security setting determines whether domain controllers will refuse requests from member computers to change computer account passwords. By default, m...
If it is enabled, this setting does not allow a domain controller to accept any changes to a computer account's password.
Default: This policy is not defined, which means that the system treats it as Disabled.

Domain member: Digitally encrypt or sign secure channel data (always)
This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure c...
This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determine...
If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of si... controller the domain member is communicating with and the settings of the parameters:
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Default: Enabled.
Notes
If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting.
Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.

Domain member: Digitally encrypt secure channel data (when possible)
This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure c...
This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain m...
... channel will be encrypted. If this setting is disabled, the domain member will not attempt to negotiate secure channel encryption.
Default: Enabled.
Important
There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting...
Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in t...

Domain member: Digitally sign secure channel data (when possible)
This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.
When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure c...
This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain mem...
Default: Enabled.
Note: If the Domain member: Digitally encrypt or sign secure channel data (always) policy is enabled, this policy is assumed to be enabled regardless of its current setting.

Domain member: Disable machine account password changes
Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to... the default is every 30 days.
Default: Disabled.
Notes
This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain...
This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that a...

Domain member: Maximum machine account password age
This security setting determines how often a domain member will attempt to change its computer account password.
Default: 30 days.
Important
This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.

Domain member: Require strong (Windows 2000 or later) session key
This security setting determines whether 128-bit key strength is required for encrypted secure channel data.
When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure c...
Some or all of the information that is transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength...
If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed. If this setting is disabled, then the key stren...
Default: Enabled.
Important
In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windo...
In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000...
Interactive logon: Do not display last user name
This security setting determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen.
If this policy is enabled, the name of the last user to successfully log on is not displayed in the Logon Screen.
If this policy is disabled, the name of the last user to log on is displayed.
Default: Disabled.

Interactive Logon: Display user information when session is locked

Interactive logon: Do not require CTRL+ALT+DEL
This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.
If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible...
If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows (unless they are using a smart card for Windows logon).
Default on domain-computers: Disabled.
Default on stand-alone computers: Enabled.

Interactive logon: Machine account lockout threshold
The machine lockout policy is enforced only on those machines that have Bitlocker enabled for protecting OS volumes. Please ensure that appropriate recovery...
This security setting determines the number of failed logon attempts that causes the machine to be locked out. A locked out machine can only be recovered by p...
Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password protected screen save...
Default: not enforced.

Interactive logon: Machine inactivity limit
Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
Default: not enforced.
Interactive logon: Message text for users attempting to log on
This security setting specifies a text message that is displayed to users when they log on.
This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions m...
Default: No message.

Interactive logon: Message title for users attempting to log on
This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting...
Default: No message.

Interactive logon: Number of previous logons to cache (in case domain controller is not available)
All previous users' logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they are abl...
Windows cannot connect to a server to confirm your logon settings. You have been logged on using previously stored account information. If you changed your...
If a domain controller is unavailable and a user's logon information is not cached, the user is prompted with this message:
The system cannot log you on now because the domain <DOMAIN_NAME> is not available.
In this policy setting, a value of 0 disables logon caching. Any value above 50 only caches 50 logon attempts.
Default: Windows Server 2008: 25. All other versions: 10.

Interactive logon: Prompt user to change password before expiration
Determines how far in advance (in days) users are warned that their password is about to expire. With this advance warning, the user has time to construct a pa...
Default: 14 days.
Interactive
Determines logon:
how far Require Domain
in advance Controller
(in days) authentication
users are thatunlock
to
Windows cannot connect to a server to confirm yourwarned
logon settings. theirYoupassword
have beenis about to expire.
logged With
on using this advance
previously warning,
stored accountthe user has time
information. to changed
If you constructyour
a paa
In order
Interactive to take advantage
logon: Require of this
smart cardto unlock a locked computer.and
policy on member workstations servers, all domain controllers that constitute the member's domain must be running Windo
Logon
In information must be provided For domain accounts, this security setting determines whether a domain controller must be co
If aorder
Default:
domainto take
14 days. advantage
controller of this policy
is unavailable and on domain
a user's controllers,
logon informationall domain controllers
is not cached, the in theissame
user domain
prompted withasthis
wellmessage:
as all trusted domains must run Windows 2000
Interactive
This logon:
security Smart card removal behavior
setting requires users to log on to a computer using a smart card.
Default: Disabled.
The system
Microsoft cannotclient:
network log you on now
Digitally because
sign the domain(always)
communications <DOMAIN_NAME> is not available.
This
The securityare:
options setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
Important
In
Thisthissecurity
Microsoft policy setting,
network
setting a value
client: of 0whether
Digitally
determines disables logon caching.
sign communications
packet signing(ifisAny
servervalue
required above
agrees)
by 50 only
the SMB caches
client 50 logon attempts.
component.
The options
Enabled: are:
Users can toonly log on to the computers,
computer using aissmart card. through the Security Configuration Manager tools on these computers.
This setting
Microsoft applies Windows 2000 but it not available
Default:
Disabled.
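As an added example (this is not part of the Microsoft spreadsheet), the following PowerShell reads the registry values behind the Domain member and Interactive logon settings above and compares them with a baseline. The registry locations are the Winlogon, Policies\System and Netlogon values these Security Options are stored in; the baseline numbers (Expect) are this example's own assumptions, not values from the page. It treats a missing value as "Not defined" rather than as a pass, and it handles the inactivity limit's edge case (a value of 0 means no limit, so a simple "less than or equal" test would pass it).

```powershell
# Added example, not from the spreadsheet: audit the Domain member / Interactive logon settings
# described above by reading the registry values they are stored in and comparing them with a
# baseline. The Expect values below are this example's own assumptions.

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$System   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Op: 'eq' exact match, 'le'/'ge' numeric bound, 'between' inclusive range @(min, max),
#     'set' the value must be a non-empty string.
$Checks = @(
    @{ Setting = 'Domain member: Require strong (Windows 2000 or later) session key'
       Path = $Netlogon; Name = 'RequireStrongKey';      Expect = 1;         Op = 'eq' },
    @{ Setting = 'Interactive logon: Do not require CTRL+ALT+DEL'
       Path = $System;   Name = 'DisableCAD';            Expect = 0;         Op = 'eq' },
    @{ Setting = 'Interactive logon: Machine inactivity limit (seconds; 0 = not enforced)'
       Path = $System;   Name = 'InactivityTimeoutSecs'; Expect = @(1, 900); Op = 'between' },
    @{ Setting = 'Interactive logon: Message text for users attempting to log on'
       Path = $System;   Name = 'LegalNoticeText';       Expect = $null;     Op = 'set' },
    @{ Setting = 'Interactive logon: Message title for users attempting to log on'
       Path = $System;   Name = 'LegalNoticeCaption';    Expect = $null;     Op = 'set' },
    @{ Setting = 'Interactive logon: Number of previous logons to cache'
       Path = $Winlogon; Name = 'CachedLogonsCount';     Expect = 4;         Op = 'le' },
    @{ Setting = 'Interactive logon: Prompt user to change password before expiration (days)'
       Path = $Winlogon; Name = 'PasswordExpiryWarning'; Expect = 5;         Op = 'ge' },
    @{ Setting = 'Interactive logon: Require Domain Controller authentication to unlock'
       Path = $Winlogon; Name = 'ForceUnlockLogon';      Expect = 1;         Op = 'eq' },
    @{ Setting = 'Interactive logon: Require smart card'
       Path = $System;   Name = 'scforceoption';         Expect = 1;         Op = 'eq' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null when the key or value does not exist, i.e. the setting is "Not defined"
    # and the built-in default (for example 10 cached logons) applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PolicyValue {
    param($Actual, $Expect, [string]$Op)
    if ($null -eq $Actual) { return 'NOT DEFINED' }
    $ok = switch ($Op) {
        'eq'      { [int]$Actual -eq $Expect }
        'le'      { [int]$Actual -le $Expect }   # CachedLogonsCount is REG_SZ; [int] copes with both
        'ge'      { [int]$Actual -ge $Expect }
        'between' { [int]$Actual -ge $Expect[0] -and [int]$Actual -le $Expect[1] }
        'set'     { -not [string]::IsNullOrWhiteSpace([string]$Actual) }
    }
    if ($ok) { 'OK' } else { 'DEVIATION' }
}

function Test-InteractiveLogonBaseline {
    foreach ($c in $Checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Setting  = $c.Setting
            Value    = $actual
            Baseline = (@($c.Expect) -join '..')
            Status   = Test-PolicyValue -Actual $actual -Expect $c.Expect -Op $c.Op
        }
    }
}

Test-InteractiveLogonBaseline | Format-Table -AutoSize -Wrap
```

Run it in an elevated session on the host being audited. A "NOT DEFINED" row means Group Policy has not written the value, so the operating system default described for that setting above is what is actually in force.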
Interactive logon: Smart card removal behavior

This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are:

- No Action
- Lock Workstation
- Force Logoff
- Disconnect if a Remote Desktop Services session

If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area and still maintain a protected session.

If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed.

If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later.

Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.

Default: This policy is not defined, which means that the system treats it as No action.

On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started.

Microsoft network client: Digitally sign communications (always)

This security setting determines whether packet signing is required by the SMB client component.

The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.

If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing.

Default: Disabled.

Important: For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees).

Notes

All Windows operating systems support both a client-side SMB component and a server-side SMB component. To take advantage of SMB packet signing, both the client-side SMB component and the server-side SMB component must have packet signing either enabled or required. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:

- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.

If server-side SMB signing is required, a client will not be able to establish a session with that server unless it has client-side SMB signing enabled. By default, client-side SMB signing is enabled on workstations, servers, and domain controllers.

Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.

If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled.

Using SMB packet signing can impose up to a 15 percent performance hit on file service transactions.

These notes apply equally to the other three "Digitally sign communications" settings below.

Microsoft network client: Digitally sign communications (if server agrees)

This security setting determines whether the SMB client attempts to negotiate SMB packet signing.

If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated.

Default: Enabled.

Microsoft network client: Send unencrypted password to third-party SMB servers

If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication.

Sending unencrypted passwords is a security risk.

Default: Disabled.

Microsoft network server: Amount of idle time required before suspending session

This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.

Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.

For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy.

Default: This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.

Microsoft network server: Attempt S4U2Self to obtain claim information

This security setting is to support clients running a version of Windows prior to Windows 8 Consumer Preview that are trying to access a file share that requires user claims. This setting should only be set to enabled if the file server is using user claims to control access to files, and the file server will support client principals whose accounts may be in a domain running a version of Windows prior to Windows 8 Consumer Preview.

This setting should be set to automatic (default) so that the file server can automatically evaluate whether claims are needed for the user. An administrator would want to set this setting explicitly to Enabled only if there are local file access policies that include user claims.

When enabled, this security setting will cause the Windows file server to examine the access token of an authenticated network client principal and determine if claim information is present. If it is not, the file server will attempt to obtain a claims-enabled access token for the client principal. A claims-enabled token may be needed to access files or folders which have claim-based access control policy applied.

If this setting is disabled, the Windows file server will not attempt to obtain a claim-enabled access token for the client principal.

Default: Automatic.

Microsoft network server: Digitally sign communications (always)

This security setting determines whether packet signing is required by the SMB server component.

If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing.

Default: Disabled for member servers. Enabled for domain controllers.

Important: For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set Microsoft network server: Digitally sign communications (if client agrees).

Server-side packet signing can be enabled on computers running Windows NT 4.0 Service Pack 3 and later by setting the following registry value to 1:

HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature

Microsoft network server: Digitally sign communications (if client agrees)

This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it.

If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated.

Default: Enabled on domain controllers only.

For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server:

HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature

Microsoft network server: Disconnect clients when logon hours expire

This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component.

When this policy is enabled, it causes client sessions with the SMB Service to be forcibly disconnected when the client's logon hours expire.

If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired.

Default on Windows Vista: Enabled.
Default on Windows XP: Disabled.
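The four "Digitally sign communications" settings only make sense as a pair of client/server negotiations, and the notes above describe the rules in prose. As an added example (not part of the Microsoft spreadsheet), the PowerShell below encodes exactly those rules in a function, prints the full 3x3 outcome matrix, and then reads this host's live client and server signing configuration to show what a session against a given peer would get. The negotiation model is the one the page describes (signing is negotiated only when the peer has it enabled); Get-SmbClientConfiguration and Get-SmbServerConfiguration are the shipped SmbShare cmdlets and expose the same RequireSecuritySignature / EnableSecuritySignature values the policies write to the LanmanWorkstation and LanManServer Parameters keys.

```powershell
# Added example, not from the spreadsheet. Encodes the SMB signing negotiation rules given in the
# notes above and checks them against the local configuration.

function Get-SmbSigningOutcome {
    param(
        [bool]$ClientRequires,  # Microsoft network client: Digitally sign communications (always)
        [bool]$ClientEnabled,   # Microsoft network client: Digitally sign communications (if server agrees)
        [bool]$ServerRequires,  # Microsoft network server: Digitally sign communications (always)
        [bool]$ServerEnabled    # Microsoft network server: Digitally sign communications (if client agrees)
    )
    # A side that requires signing is, by definition, able to sign.
    if ($ClientRequires) { $ClientEnabled = $true }
    if ($ServerRequires) { $ServerEnabled = $true }
    # A side that requires signing refuses a peer that does not have it enabled.
    if ($ServerRequires -and -not $ClientEnabled) { return 'NoSession (server requires, client disabled)' }
    if ($ClientRequires -and -not $ServerEnabled) { return 'NoSession (client requires, server disabled)' }
    # Otherwise signing is negotiated only when both sides have it enabled.
    if ($ClientEnabled -and $ServerEnabled) { return 'Signed' }
    return 'Unsigned'
}

# Each side has three possible states: Disabled, Enabled (if peer agrees), Required (always).
$States = @(
    @{ Label = 'Disabled'; Requires = $false; Enabled = $false },
    @{ Label = 'Enabled';  Requires = $false; Enabled = $true  },
    @{ Label = 'Required'; Requires = $true;  Enabled = $true  }
)

function Get-SmbSigningMatrix {
    foreach ($c in $States) {
        foreach ($s in $States) {
            [pscustomobject]@{
                Client  = $c.Label
                Server  = $s.Label
                Outcome = Get-SmbSigningOutcome -ClientRequires $c.Requires -ClientEnabled $c.Enabled -ServerRequires $s.Requires -ServerEnabled $s.Enabled
            }
        }
    }
}

Get-SmbSigningMatrix | Format-Table -AutoSize

# Live configuration of this host, read through the SmbShare module.
function Get-LocalSmbSigningState {
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        ClientRequires = [bool]$client.RequireSecuritySignature
        ClientEnabled  = [bool]$client.EnableSecuritySignature
        ServerRequires = [bool]$server.RequireSecuritySignature
        ServerEnabled  = [bool]$server.EnableSecuritySignature
    }
}

$local = Get-LocalSmbSigningState
$local
# What this host's client side gets against a member server at the page's defaults
# (server-side signing enabled only on domain controllers, so: not required, not enabled):
Get-SmbSigningOutcome -ClientRequires $local.ClientRequires -ClientEnabled $local.ClientEnabled -ServerRequires $false -ServerEnabled $false

# To require signing on the server side without waiting for Group Policy:
# Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
```

With the defaults stated in the notes (client-side signing enabled everywhere, server-side signing enabled and required only on domain controllers), the matrix shows why workstation-to-member-server traffic is unsigned out of the box while workstation-to-domain-controller traffic is signed: the client is only willing, and a member server is neither willing nor demanding. Requiring signing on one side is what turns "willing" into "signed" with every peer, at the cost of refusing peers that cannot sign.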
Network
Note:
If
Thethisserver
server-side
SMB
access:
Remote
setting message
SMB
client
Allow
isDesktop
enabled, requests
block
components
anonymous
Services
the(SMB) Microsoftwas SID/name
called
protocolnetwork translation
Terminal
server
provides theServices
will not
basis inpolicy
previous
communicate
for file and versions
with
printer of later
a Microsoft
sharing Windows
and
setting
network
many Server. Microsoft
client
other unless
networking
network
that client
operations, agrees Digitally
suchtoexpire.
perform
as
communications
remoteSMB Windows packetadminsigni
When
Server-sidethis policypacket is enabled,
signing can it is becontrolled
causes enabledclient by
on the
sessions following
computers with four
the
running SMB Windows settings:
Service to be
NT 4.0forcibly
Service disconnected
Pack 3 and when later by thesetting
client's thelogon hours
following registry value to 1:
setting
Microsoft will affect
network both
client: SMB1 Digitally and SMB2.
sign communications (always) -toControls awhether or notasthe client-side SMB component
If this
Network
This setting
access:
This
is
is
policy
disabled,
Do
enabled,
setting not
notthe
isdetermines
the Microsoft
allow
defined,
Windows
anonymous
if an
which
file server
network enumeration
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
If thissecurity
setting meansserver
anonymous will
user
that
not
will
thecanofattempt
SAM
negotiate
systemrequest obtain
accounts
SMB
security packet claim-enabled
signing
identifier access
requested
(SID) attributes token
for for
thethe
byanother client
client. That
user. is,requires
principal. if packetpacket signing signing.
has been enabled o
Default:
Microsoft
If this policy network
is disabled,client: Digitally
an established sign communications
client session is(ifallowed server treats agrees)
to
it as
be maintained
No
- Controls action. whether
after the client'sor not logon
the client-side
hours have SMB component has packet signing enabled.
expired.
This
Network security
Microsoft access:
networksetting Do determines
not
server: allow
Digitally the
anonymous
signlevel of validation
enumeration
communications a SMB
of SAM
(always) server
accounts performs
- Controls and on
shares
whether the service principal name (SPN) provided by the SMB client when trying to es
Default:
This
Server-side
Default:
If
On this
Windows
Automatic.
security
Enabled
policy issetting
packet
Vista on
enabled, determines
signing
domain
and a user
above: cannot what
controllers
with be
For signthis
additional
enabled
only. to
knowledge
setting ofpermissions
on computers
an
work, administrator's
the
will be
running granted
Windows
SID could forcontactor or
anonymous
95 not the
Windows
aservice
computer
server-side
connections
98. that has to SMB
this
component requires packet signing.
the computer.
policy enabled and use the SID to get the adminis
Disabled
Microsoft
Default on for member
network
Windows server:servers.
Vista: Digitally
Enabled. communications (if Smart Card
client agrees) Removal
- Controls Policy whether must
or not the beserver-side
started. SMB component has packet signing enabled.
Network
Enabled
The
This optionsaccess:
for
security domain
are:
setting Docontrollers.
not allow storage
determines whether of credentials
anonymous or .NET Passports for accounts
network authentication
If server-side
Default
Windows on WindowsSMB signing
XP:and is users
Disabled required, a client will notenumeration
be able tosuch of as
establishSAM a session and the shares
with that server is
of allowed.
unlessaccounts it has client-side SMB shares.signing This enabled. By default,for cl
Notes
Important
Default onallows
workstationsanonymous member to servers:
perform certain
Disabled. activities, enumerating names domain and network is convenient,
Similarly,
Network if client-side
access: Let SMB
Everyone signing is
permissions required, apply thatto client
anonymous will not be
users able to establish a session with servers that do not have packet signing enabled. By default
Default
Notes
No on
Thisvalidation
security domain
setting
-SMB controllers:
validationdeterminesofadditional
the Enabled.
whether
SPN towill Stored
not User activities,
becertain
performed Names by and Passwords saves passwords, credentials, or .NET and Passports forshares.
later use when it gains doma
Windows
If
Allserver-side
This
For security
Windows
Windows
allows anonymous
2000 signing
option
operating allows
serverssystems isto users
enabled,
support
negotiate
perform
SMBbothpacket
restrictions
signing to signing
with be
a client-side placed
Windows SMBwillthe
onbe
NT
SMB
such
anonymous
component
4.0
asserver.
negotiated enumerating
clients, and with
connections
thea following
the names
clients
server-side that
as have of
follows:
SMB
registry
domain
client-side
component.
value
accounts
must SMB be Tosetsigning
take
network
1 onenabled.
to advantage the server of SMB
This
runningpacket
is convenient,
signing,2000:
Windows
for
both tH
Network
Using
This
signing SMB access:
security packet
for client setting Named
and signing
determinespipes
server-side can that
degrade
what
SMB can be
additionalaccessed
performance anonymously
up
permissions to 15 are percent
granted on file
for service
anonymous transactions.
connections to the computer.
If
Allit Windows
is enabled,
Validate
Default: ifDoprovided
Disabled. this
operating setting systems
by enumeration
client prevents
- the support
SMB thecomponents
Stored
bothaccounts.
server User
awill isNames
client-side controlled
validate SMB
theand SPN
by the following
Passwords
component
provided from
andby athe
four
storingpolicy settings:
SMB passwords
server-side client SMB and credentials.
andcomponent.
allow a session Tothe
take beadvantage
tosecurityestablished of SMB packet
if it matches signing,
the SMBboth serve t
Enabled:
Microsoft
Notes
Network not allow
network
access: client:
Remotely Digitally
accessible sign of communications
SAM
registry paths This
(always)option replaces
- Controls Everyone
whether orwith
not Authenticated
the client-side Users SMB componentin requirespermissions for
packet signing. resources.
server-side
This security
Disabled: SMBsetting
Noconfiguring components
additional determines
restrictions. is controlled
which by
communicationthe followingsessions four policy
(pipes) settings:
will have attributes and permissions that allow anonymous access.
Windows
Microsoft allows
network anonymous
client: Digitally userssign toRely on default
perform
communicationscertain permissions.
activities,
(if server such as enumerating the Windows.
names of the
domain accounts and network shares. This signing
is convenient, for
Note:
Microsoft
Require When network
match from client:
client this security
Digitally
- the SMB signsetting, changes
communications
client MUST sendwill not
(always)
a SPN take -agrees)
name effect
Controls - Controls
until you
whether whether
restart
or not
andIfthe
orclient-side
not client-side
SMB SMB
component component
requires has
packet packetsigning. enabled.
Therefore,
Network
Microsoft
All
ForWindows
This more
security permissions
access:
network
operating
information
setting Remotely
server: granted
systems
about
determines accessible
Digitally
Stored to the
sign
support
whichUser Everyone
registry
both
Names
registry group
a paths
communicationsclient-side
and
keys anddo
Passwords,
can be not
subpaths
(always)
SMB apply
accessedcomponent
see toin
- Controls
session
anonymous
Stored
over whether
and
the User
setup,users.
or not
a server-side
Names
network,
the
and this
the
regardlessSMB
SPN
option name
server-side is set,
component.
Passwords.
of the
provided
SMB
users anonymous
To
or
MUSTusers
component
takecomponent
groups
match
advantage
listed can
requires
the
in the
SMB
ofonly
packet
SMB
access
serverthose
access signing.
packet
control
that is
signing,
list
being re
resources
bothot
(ACL)
Microsoft
Default:
Default network
None.
onnetwork
workstations: client: Digitally
Enabled. sign communications (if server agrees) - Controls whether or not the client-side SMB has packet signing enabled.
Microsoft
server-side
Microsoft SMB
network server:
components Digitally
server: anonymous
Digitally sign
is controlled
signaccesscommunications
by the following
communications (if client
four policy
(always) agrees)
- Shares
Controls - Controls
settings: whetherwhether or not the or server-side
not the server-side SMB component SMB component requireshas packetpacket signing enabled.
signing.
Default:
Network
Default
If this No
on
policy validation
access: Restrict
server:Disabled.
issetting
enabled, the Everyone SID towill
is added Named toand
the Pipes
tokento andthat is created for anonymous connections. In this ofcase, anonymous users are in able
This security
server-side
Microsoft
Default: network
Disabled. SMB determines
signing
client: is
Digitally which
required,
sign registry
a client
communications paths not be subpaths
able
(always) - can
establish
Controls be aaccessed
session
whether or over
with
not the server,
that network,
client-side regardless
unless SMB it has the users
client-side
component requires or groups
SMB signing
packet listed
enabled.
signing. thetoBy access
access con
default, anc
Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
default,
Microsoft
Network
If server-side
server-side network
access: SMB SMB
client:
Shares
signing signing
Digitally
thatis is
sign
cansupport enabled
berestricts
required, accessed
a clientonly
communications on domain
anonymously
will not be(if able controllers.
server to agrees)
establish - Controls
a session whether
with that or not
server the client-side
unless it has SMB component
client-side SMB has
signing packetenabled. signing By enabled.
default, cl
All
When Windows
Important enabled,
Disabled.operating
this systems
security setting both a client-side
anonymous SMB
access component
to shares andand a
pipes server-side
to the SMB
settings component.
for: This setting affects the server SMB behavior, and
Default:
If server-side SMBserver:signing issigning
enabled, SMB packet
Microsoft network
System\\CurrentControlSet\\Control\\ProductOptions
Similarly,
for if client-side
SMB servers". SMB Digitally sign communications
is required, that signing
client(always)willnot
will be-be negotiated
Controls
able to whether with clients
establish ora not that
session thehave withclient-side
server-side
servers SMB SMB
that dosigning
component
not have enabled.
requires packet signing.
packet signing enabled. By default
Using
Network
Microsoft SMB access:
packet
network Sharing
signing
server:
System\\CurrentControlSet\\Control\\Server
This
If security
server-side setting
SMB determines
signing and
can
Digitally
is security
impose signmodel
which
enabled, up topacket
network
SMB afor15
communications local
percent
Applications
shares accounts
can
signing (ifperformance
client
accessed
will be agrees) by
negotiated hit- on
anonymous file service
Controls
with whether
users.
clients transactions.
that orhave
not the server-side
client-side SMB SMB
signing component
enabled. has packet signing enabled.
Network
This policy access:
has noNamed
impact pipes
on
System\\CurrentControlSet\\Control\\Print\\Printers that can
domain be accessed anonymously
controllers.
If server-side SMB signing
Software\\Microsoft\\Windows
Using SMB packet signing can is required, aperformance
NT\\CurrentVersion
degrade client will notup beto able15 to establish
percent on file a session
service with that server unless it has client-side SMB signing enabled. By default, cl
transactions.
Network access:
security: Shares
Dodetermines
not that
store canLAN beManager
accessed hashanonymously
System\\CurrentControlSet\\Services\\Eventlog
This security
Similarly,
Default: setting
if client-side
None specified. SMB signing how isnetwork
required, thatvalue
logons that on
client willnext
use local
not passwordable to change
beaccounts are authenticated.
establish a session Ifwith thisservers
setting that is set dotonotClassic,
have packet networksigning logonsenabled. that useBy local acco
default
Default: Enabled.
Software\\Microsoft\\OLAP Server
If server-side
Caution
Network
Important security: SMBForce signing is
logoff enabled,
when SMBhours
logon packet signing will be negotiated with clients that have client-side SMB signing enabled.
expire
This security setting
Software\\Microsoft\\Windows
If this setting
Using SMB packet is set to determines
Guestcan
signing only, if, at the next
NT\\CurrentVersion\\Print
network
impose up logons password
to a 15 that percent change,
use performance
local accountsthe LAN Manager
hitareon automatically (LM) hash
file service transactions. value for the new password is
mapped to the Guest account. By using the Guest model, you can hastored. The LM hash is relatively we
Software\\Microsoft\\Windows
Network
Incorrectly security:
editing LAN Manager
thedetermines
registry NT\\CurrentVersion\\Windows
authentication level
This
For security
this policy setting
to take effect onmay severely
whether
computers damage
torunning
disconnect your
Windows users system.who are
2000, Before making
connected
server-side changes
to
packet localtocomputer
thesigning the
must registry,
alsooutsidebeyou should
their user
enabled. Toback up any
account's
enable valued
valid logon
server-side data
SMB onpacket
the This
hours. computer.
setting
signing,
System\\CurrentControlSet\\Control\\ContentIndex
Default
Note: This onnetwork
domain
securityserver:computers:
setting is not Classic.
available on earlier versions of Windows.
Microsoft
Default
Network on Windows
security: LDAP Vista: Digitally
Enabled
client signing signrequirements
communications (if server agrees) The security setting that appears on computers running Windows XP, "Network acces
System\\CurrentControlSet\\Control\\Terminal
Default
This
Remotely
When onaccessible
security
this stand-alone
setting computers:
determines
registry itpaths whichGuest
and only
subpaths. Server with the
challenge/response authentication
SMB serverprotocol is used for network when logons. theThis choice affects theexpire.
level of authentication proto
Default on policy
Windows is enabled,
XP:
System\\CurrentControlSet\\Control\\Terminal Disabled. causes client sessions
Server\\UserConfig
to be forcibly disconnected client's logon hours
Default:
For
NetworkWindows security: 2000 servers
Minimum to negotiate
session signing
security for with
NTLM Windows
SSP based NT 4.0 clients,
(including the
secure following
RPC) registry
clients value must be set to 1 on the Windows 2000 server:
This security setting determines
System\\CurrentControlSet\\Control\\Terminal
Important
Send the level of data signing that is requested
Server\\DefaultUserConfiguration onneverbehalfuse of clients issuing LDAP BIND domainrequests, as follows:
If this LMpolicy& NTLMis disabled,responses: an establishedClients use LM
client
HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature
Important
and
session NTLM authentication
is allowed and
to be maintained after NTLMv2
the client's session
logon hours security; have expired. controllers accept LM, NTLM, and NTL
Software\\Microsoft\\Windows
Sendsecurity
LMsecurity:
& NTLM - use NTLMv2 NT\\CurrentVersion\\Perflib
session security if negotiated: Clients use LM and NTLM authentication
Network
None: The LDAP
Minimum
System\CurrentControlSet\Control\ProductOptions
This setting BIND allowsrequest asession
client
is tosecurity
issued require
with
for
the
the
NTLM SSP based
negotiation
options that ofare (including
128-bit
specified encryption secure
the and/or
bynetwork
RPC)NTLMv2
caller.
servers sessionand use NTLMv2
security. These values sessionare security
dependent if the on server
the LANsupport
Ma
System\\CurrentControlSet\\Services\\SysmonLog
With
Send the
NTLM Guest only
response model,
only: any
Clients user who can access yourwith computer andover the (including anonymous Internet users)it;can access your shared resources.
System\CurrentControlSet\Control\Server
Default:
Computers
Windows
Negotiate Enabled.
2000that
signing: have
Service
If thisPack
Transport policy 2 set use
(SP2)
Layer will
and
NTLM
not above
Security/Secure
authentication
Applications
communicate
offer compatibility
Sockets
only
computers
Layer with
usethat NTLMv2dohas
authentication
(TLS\SSL) notsession
have
notto previous
been
security
client-side
started,
ifpacket
versions
the server
the of
LDAP signing supports
Windows,
BIND enabled.
such
request
domain
Client-side
asis
controllers
Microsoft
initiated packet
Windows
with the
accept
signing
LDAP NT
LM,
can
4.0.
data
NTL
be
sig e
System\\CurrentControlSet\\Services\\CertSvc
anyone
Send
This to
NTLMv2
security accesssetting shared
response allows system
only: resources.
Clients
a NT\CurrentVersion
server touse NTLMv2
require authentication
the negotiation onlyprotocol
of 128-bit and useisNTLMv2
encryption session security if the serverThesesupports it; domain controllers on accept
the LANLM,
Software\Microsoft\Windows
Require
This setting
Require NTLMv2 canresponse
signature: session
affect
Thisthe security:
ability
isonly\\refuse
the same of The as connection
computers
Negotiate running will
signing. failHowever,
Windows if NTLMv2 2000 Server,
if the LDAP notand/or
Windows
server's negotiated.
2000
NTLMv2 session
Professional,
intermediate
security.
Windows
saslBindInProgress XP, and
values
response
are dependent
the supports
Windows
does not Server
indicate 2003 thatfamily
LDAPto
M
System\\CurrentControlSet\\Services\\Wins
Send
Note: ThisNTLMv2 security setting behaves LM: Clients
as an account use NTLMv2 authentication only and use NTLMv2 session security if the server it; domain controllers
Require 128-bit encryption: The connection will failpolicy.
if strong Forencryption
domain accounts, (128-bit) there is not can be only one account policy. The account policy must be defined in the
negotiated.
Note:
Send
Require
policy NTLMv2
NTLMv2
applied toresponse
session
the only\\refuse
security: The
organizational unitLMthat & NTLM:
connection
contains Clients
willthefail use NTLMv2
if message
domain authentication
integrity
controller. only
is not negotiated.
By default, and use NTLMv2
workstations and servers session
that aresecurity
joinedif to thea server
domainsupports (for example, it; domainmemb co
Caution
Caution 128-bit
Require encryption. The connection will fail ifare strong encryption (128-bit)computers.
is not negotiated.
contains
Default: No therequirements.
member computers. Kerberos settings not applied to member
This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services. Remote Desktop Serv
Important
If you setNo
Incorrectly
Default: the server
editing
requirements.thetoregistry
Requiremay signature,
severely you must also
damage yourset the client.
system. Before Notmakingsetting changes
the clienttoresults in a loss
the registry, you of should
connection backwith up any the valued
server.data on the computer.
policy will
This setting canhave affect nothe impactabilityonofcomputerscomputersrunning runningWindowsWindows2000. 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Network security:
This policy settingRestrict NTLM:
allows you Incoming
to deny NTLM
or audit trafficNTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote ser
outgoing
Network
This security: Restrict NTLM: AuditorIncoming NTLM NTLM Traffic traffic.
If youpolicy selectsetting
"Allowallows all" or you do not to denyconfigure allowthis incoming
policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication.
Network
This policy security:
setting Restrict
allows NTLM:
you to auditNTLM authentication
incoming NTLM in
traffic. this domain
If
If youyou select
select "Allow
"Audit all," all" orthedoclient not configure
computerthis logspolicy an event setting, for each the server NTLMwill allow all NTLM
authentication request authentication
to a remote requests.
server. This allows you to identify those servers rece
Network
This policy security:
setting Restrict
allows NTLM:
you to deny AuditorNTLM allow authentication
NTLM authentication in this domain within anotdomain from this domain controller. This policy does not affect interactive logon to th
If
If you
you select "Disable", or do not configure this policy setting, the server will log events for incoming NTLM traffic.
If you select
Network select "Deny
"DenyRestrict
security:
all
all,"domain
theNTLM:client accounts,"
computer
Add remote
thecannotserverauthenticate
server
will deny NTLM
exceptions identities
for
authentication
NTLM toauthentication
a remote requests
server for domain
by using NTLM logonauthentication.
and display anYou NTLM canblocked
use the error,
"Network but allow
security:locaR
This
If you policy
select setting
"Disabled" allows or you
do to audit
not configure NTLMthis authentication
policy setting, in thea domaindomain from this domain
controller will controller.
allow all NTLM pass-through authentication requests within the domain.
If
If you select
youpolicy
select "Enable
"Deny allauditing
accounts," for domain
the server accounts",
will deny the NTLM server will log events
authentication for NTLM
requests from pass-through
incoming traffic authentication
and displayrequests an NTLM that woulderror.
blocked be blocked when the "N
This
Network
This policy is
security: supported
setting Restrict
allows on youat to
NTLM: least Add
create Windowsserver
an this 7exceptions
exception or Windows list of Server
inremote
this domain 2008 R2.
servers to whichwill clients areevents
allowed toNTLM
use NTLM authentication ifdomain.
the "Network Security: Res
If
If you
you select
select "Disable"
"Deny or
forauditingdo
domainfor not configure
accounts to domain policy setting,
servers" the
the domain controller not log for authentication in this
If
This youpolicy
select is "Enable
supported on at areleast all Windows
accounts", the
7this
or Windowsserver will logdomain
Server events
2008
controller
for all NTLM will authentication
deny all NTLMrequests authentication that would logonbe attempts
blockedtowhen all servers in the domain
the "Network Security: th
Network
Note:
This
If youyoupolicy
security:
Audit
configure and
setting this
Allow
blockallows
policy
LocalSystem
events you to
setting, recorded
create
you can
NULL on session
an exception
define
fallback
acomputer
listofofremote
list in theservers
servers in thisR2.
"NTLMBlock" domain
to which Log located
toclients
which under
clients
are are
allowed theallowed
to Applications
use NTLM and
to useauthentication.
NTLM Services
pass-throughLog/Microsoft/Windows/Securi
authentication if the "Ne
If
If select
youpolicy
select "Enable
"Deny for domain
for domain accounts
account" to domain servers," the domain controller will log events for NTLM authentication logon attempts for domain accounts
This
Network
Note: isevents
security:
Block supported
Allow
are on
Local
recordedat least
System on Windows
this totheuse domain
computer 7 or
computer controller
Windows identity will
Server fordeny 2008
NTLM allR2.NTLM authentication logon attempts from domain accounts and return an NTLM block
Allow
If
If you
you
NTLM
configure
do not
to fall
thisback
configure policy to setting,
this
NULL
policy
session
you
setting, can when
no define used
exceptions ainlist the
with "NTLMBlock"
ofwillLocalSystem.
servers
be in this
applied.
Log domainlocated to under
which the clientsApplications
are allowed andtoServices
use NTLM Log/Microsoft/Windows/Security-NTLM.
authentication.
If
If you
you
Network select
select "Enable
"Deny
security: for
Allow for domain
domain
PKU2U accounts,"
servers"
authentication the the
domain domain
requests controllercontroller
to this will will
deny
computer log NTLM events
to use for NTLM
authentication
online authentication
identities. requests to logon
all serversattempts in the that
domain use domain
and return accounts
an NTLM when NTLMea
blocked
Note:
This default
The Audit events
policy setting
isconfigure
TRUE are
allows recorded
toLocal
upthis Windows on
System this
Vista computer
services
and FALSE in
that use the "NTLMBlock"
inwill Log located under the
Negotiate7.to use the computer identity when reverting to NTLM authentication.
Windows Applications and Services Log/Microsoft/Windows/Security-NTLM.
If
The you do
naming not format forforservers policy setting,
onservers"
this exception no exceptionslist iscontroller
theKerberos be applied.
fully qualified domain name (FQDN) or NetBIOS server name used in bythe thedomain
application, listed one per li
Network security: Configure encryption types allowed for Kerberos
If you select "Deny all," the domain controller will deny all NTLM pass-through authentication requests from its servers and for its accounts and return an NTLM
If you select "Enable for domain servers," the domain controller will log events for NTLM authentication requests to all servers in the domain when NTLM authent
This policy will be turned off by default on domain joined machines. This would disallow the online identities to be able to authenticate to the domain joined mach
If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication reque
Recovery console: Allow automatic administrative logon
The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the calling application listed one
This policy setting allows you to set the encryption types that Kerberos is allowed to use.
If you select "Enable all," the domain controller will log events for NTLM pass-through authentication requests from its servers and for its accounts which would b
This policy is supported on at least Windows Server 2008 R2.
If you do not configure this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymo
Recovery console: Allow floppy copy and access to all drives and all folders
This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the
If not selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. Multiple selections
This policy is supported on at least Windows Server 2008 R2.
Note: Block events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Services Log/Microsoft/Windows/Security-NTLM.
Shutdown: Allow system to be shut down without having to log on
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Enabling this security option makes the Recovery Console SET command available, which allows you to set the following Recovery Console environment variab
Default: This policy is not defined and automatic administrative logon is not allowed.
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Note: Audit events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Services Log/Microsoft/Windows/Security-NTLM.
Shutdown: Clear virtual memory pagefile
This security setting determines whether a computer can be shut down without having to log on to Windows.
AllowWildCards: Enable wildcard support for some commands (such as the DEL command).
AllowAllPaths: Allow access to all files and folders on the computer.
AllowRemovableMedia: Allow files to be copied to removable media, such as a floppy disk.
System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms
This security setting determines whether the virtual memory pagefile is cleared when the system is shut down.
When this policy is enabled, the Shut Down command is available on the Windows logon screen.
System Cryptography: Force strong key protection for user keys stored on the computer
NoCopyPrompt: Do not prompt when overwriting an existing file.
For the Schannel Security Service Provider (SSP), this security setting disables the weaker Secure Sockets Layer (SSL) protocols and supports only the Transp
Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusive
When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to th
3DES and AES for RSA or ECC public key for the TLS key exchange and authentication, and only the Secure Hashing Algorithm (SHA
System objects: Default owner for objects created by members of the Administrators group
that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the page
Default: This policy is not defined and the recover console SET command is not available.
This security setting determines if users' private keys require a password to be used.
Default on workstations: Enabled.
System objects: Require case insensitivity for non-Windows subsystems
For Encrypting File System Service (EFS), it supports the Triple Data Encryption Standard (DES) and Advanced Encryption Standard (AES) encryption algorithm
Default on servers: Disabled.
The options are:
When this policy setting is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys)
for encrypting file data. For information about EFS, see Encrypting File System.
This security setting determines which security principal (SID) will be assigned the OWNER of objects when the object is created by a member of the Administra
Default: Windows XP: User SID
System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)
Default: Disabled.
This security setting determines whether case insensitivity is enforced for all subsystems. Win32 subsystem is case insensitive. However, the kernel suppor
User input is not required when new keys are stored and used
For Remote Desktop Services, it supports only the Triple DES encryption algorithm for encrypting Remote Desktop Services network communication.
Windows 2003: Administrators Group
System settings: Optional subsystems
User is prompted when the key is first used
If this security setting is enabled, case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. Disabling this setting does no
This security setting determines the strength of the default discretionary access control list (DACL) for objects.
User must enter a password each time they use a key
Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
For more information, see Public key infrastructure.
Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located
This setting determines which subsystems can optionally be started up to support your applications. With this security setting, you can specify as many
Default: Enabled.
User Account Control: Admin Approval Mode for the Built-in Administrator account
This security setting determines if digital certificates are processed when a user or process attempts to run software with an .exe file name extension. This secur
For BitLocker, this policy needs to be enabled before any encryption key is generated. Please note that when this policy is enabled, BitLocker will prevent the cre
Default: POSIX.
Default: This policy is not defined.
If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify sh
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
on the digital certificate that is associated with the software. In order for certificate rules to take effect, you must enable this security setting.
This security setting determines the behavior of Admin Approval mode for the Built-in Administrator account.
Default: Disabled.
Default: Enabled.
When certificate rules are enabled, software restriction policies will check a certificate revocation list (CRL) to make sure the software's certificate and signature
User Account Control: Behavior of the elevation prompt for standard users
This security setting determines the behavior of the elevation prompt for administrators.
The options are:
Note: The Federal Information Processing Standard (FIPS) 140 is a security implementation designed for certifying cryptographic software. FIPS 140 validated s
This security setting determines the behavior of the elevation prompt for standard users.
The options are:
User Account Control: Detect application installations and prompt for elevation
Default: Disabled.
The options are:
• Enabled: The Built-in Administrator will logon in Admin Approval Mode. By default any operation that requires elevation of privilege will prompt the Consent Ad
User Account Control: Only elevate executables that are signed and validated
This security setting determines the behavior of application installation detection for the entire system.
The options are:
• Disabled: The Built-in Administrator will logon in XP compatible mode and run all applications by default with full administrative privilege.
• Prompt for consent: An operation that requires elevation of privilege will prompt the Consent Admin to select either Permit or Deny. If the Consent Admin sele
User Account Control: Only elevate UIAccess applications that are installed in secure locations
• Prompt for credentials: An operation that requires elevation of privilege will prompt the user to enter an administrative user name and password. If the user ent
This security setting will enforce PKI signature checks on any interactive application that requests elevation of privilege. Enterprise administrators can control the
The options are:
The options are:
• Prompt for credentials: An operation that requires elevation of privilege will prompt the Consent Admin to enter their user name and password. If the user ente
Default: Disabled
User Account Control: Run all users, including administrators, as standard users.
• Automatically deny elevation requests: This option results in an access denied error message being returned to the standard user when they try to perform an
This security setting will enforce the requirement that applications that request execution with a UIAccess integrity level (via a marking of UIAccess=true in their
• Enabled: Application installation packages that require an elevation of privilege to install will be heuristically detected and trigger the configured elevation prom
• Elevate without prompting: This option allows the Consent Admin to perform an operation that requires elevation without consent or credentials. Note: this sce
User Account Control: Switch to the secure desktop when prompting for elevation
This security setting determines the behavior of all UAC policies for the entire system.
- ..\Program Files\, including subdirectories
Default: Prompt for credentials (home) / Automatically deny elevation requests (enterprise)
• Enabled: Enforces PKI certificate chain validation of a given executable before it is permitted to run.
• Disabled: Enterprises that are running standard user desktops and leverage delegated installation technologies like Group Policy Software Install (GPSI) or SMS will d
- ..\Windows\system32\
Default: Prompt for consent
User Account Control: Virtualizes file and registry write failures to per-user locations
This security setting determines whether the elevation request will prompt on the interactive users desktop or the Secure Desktop.
The options are:
- ..\Program Files (x86)\, including subdirectories for 64 bit versions of Windows
• Disabled: Does not enforce PKI certificate chain validation before a given executable is permitted to run.
Default: Enabled (home) / Disabled (enterprise)
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.
This security setting enables the redirection of legacy write failures to defined locations both the registry and file system. This feature mitigates tho
The options are:
• Enabled: Admin Approval Mode and all other UAC policies are dependent on this option being enabled. Changing this setting requires a system reboot.
Note: Windows enforces a PKI signature check on any interactive application that requests execution with UIAccess integrity level regardless of the state of this
Default: Disabled
Maximum application log size
This security setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation promp
Virtualization facilitates the running of pre-Vista (legacy) applications that historically failed to run as Standard User. An administrator running only Windows Vist
• Enabled: All elevation requests by default will go to the secure desktop
• Disabled: Admin Approval Mode user type and all related UAC policies will be disabled. Note: the Security Center will notify that the overall security of the ope
Maximum security log size
The options are:
This security setting specifies the maximum size of the application event log, which has a theoretical maximum of 4 GB. Practically the limit is lower (~300MB).
If you enable this setting, UIA programs including Windows Remote Assistance can automatically disable the secure desktop for elevation prompts. Unless you h
• Disabled: All elevation requests will go to the interactive users desktop
Default: Enabled
Maximum system log size
• Enabled: An application will only launch with UIAccess integrity if it resides in a secure location in the file system.
This security setting specifies the maximum size of the security event log, which has a theoretical maximum of 4 GB. Practically the limit is lower (~300MB).
Notes
If you disable or do not configure this setting, the secure desktop can only be disabled by the user of the interactive desktop or by disabling the "User Account Co
• Enabled: Facilitates the runtime redirection of application write failures to defined user locations for both the file system and registry.
Default: Enabled
Prevent local guests group and ANONYMOUS LOGIN users from accessing application log
• Disabled: An application will launch with UIAccess integrity even if it does not reside in a secure location in the file system.
Notes
This security setting specifies the maximum size of the system event log, which has a theoretical maximum of 4 GB. Practically the limit is lower (~300MB).
Log file sizes must be a multiple of 64 KB. If you enter a value that is not a multiple of 64 KB, Event Viewer will round the log file size up to a multiple of 64 KB.
UIA programs are designed to interact with Windows and application programs on behalf of a user. This setting allows UIA programs to bypass the secure deskt
• Disabled: Applications that write data to protected locations will simply fail as they did in previous versions of Windows.
Prevent local guests group and ANONYMOUS LOGIN users from accessing security log
This setting does not appear in the Local Computer Policy object.
This security setting determines if guests are prevented from accessing the application event log.
Notes
Default: Enabled
Event Log size and log wrapping should be defined to match the business and security requirements you determined when designing your enterprise security pla
Since UIA programs must be able to respond to prompts regarding security issues, such as the UAC elevation prompt, UIA programs must be highly trusted.
Prevent local guests group and ANONYMOUS LOGIN users from accessing system log
Default: For the Windows Server 2003 family, 16 MB; for Windows XP Professional Service Pack 1, 8 MB; for Windows XP Professional, 512 KB.
This setting does not appear in the Local Computer Policy object.
This security setting determines if guests are prevented from accessing the application event log.
o ..\Program Files\ (and subfolders)
Notes
Log file sizes must be a multiple of 64 KB. If you enter a value that is not a multiple of 64 KB, Event Viewer will round the log file size up to a multiple of 64 KB.
Event Log size and log wrapping should be defined to match the business and security requirements you determined when designing your enterprise security pla
Retain application log
o ..\Program Files (x86)\ (and subfolders, in 64-bit versions of Windows only)
This setting does not appear in the Local Computer Policy object.
This security setting determines if guests are prevented from accessing the application event log.
Default: For the Windows Server 2003 family, 16 MB; for Windows XP Professional Service Pack 1, 8 MB; for Windows XP Professional, 512 KB.
Notes
This setting does not appear in the Local Computer Policy object.
..\Windows\System32\
Event Log size and log wrapping should be defined to match the business and security requirements you determined when designing your enterprise security pla
Retain security log
This security setting determines the number of days' worth of events to be retained for the application log if the retention method for the application log is By Day
Default: For the Windows Server 2003 family, 16 MB; for Windows XP Professional Service Pack 1, 8 MB; for Windows XP Professional, 512 KB.
Notes
This setting does not appear in the Local Computer Policy object.
This security setting affects only computers running Windows 2000 and Windows XP.
The requirement to be in a protected path can be disabled by the "User Account Control: Only elevate UIAccess applications that are installed in secure location
Retain system log
Set this value only if you archive the log at scheduled intervals and you make sure that the Maximum application log size is large enough to accommodate the in
This security setting determines the number of days' worth of events to be retained for the security log if the retention method for the security log is By Days.
This setting does not appear in the Local Computer Policy object.
This security setting affects only computers running Windows 2000 and Windows XP.
Default: Enabled for Windows XP, Disabled for Windows 2000
Retention method for application log
While this setting applies to any UIA program, it will be used primarily in certain Windows Remote Assistance scenarios. The Windows Remote Assistance progr
This security setting determines the number of days' worth of events to be retained for the system log if the retention method for the system log is By Days.
Set this value only if you archive the log at scheduled intervals and you make sure that the Maximum security log size is large enough to accommodate the inter
Note: This setting does not appear in the Local Computer Policy object.
This security setting affects only computers running Windows 2000 and Windows XP.
Default: Enabled for Windows XP, Disabled for Windows 2000
Retention method for security log
Default: None.
This security setting determines the "wrapping" method for the application log.
Set this value only if you archive the log at scheduled intervals and you make sure that the Maximum system log size is large enough to accommodate the interv
If a user requests remote assistance from an administrator and the remote assistance session is established, any elevation prompts appear on the interactive us
box when setting up the remote assistance session. However, selecting this check box itself requires that the interactive user respond to an elevation prompt on
Notes
Default: Enabled for Windows XP, Disabled for Windows 2000
Retention method for system log
This security setting determines the "wrapping" method for the security log.
This setting does not appear in the Local Computer Policy object.
If you do not archive the application log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite event
Note: A user must possess the Manage auditing and security log user right to access the security log.
Restricted Groups
Default: None.
This security setting determines the "wrapping" method for the system log.
If you enable this setting ("User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop"), requests for elevation
appropriate credentials elevation.
Default: None.
If you do not archive the security log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events a
If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite e
This security setting allows an administrator to define two properties for security-sensitive groups ("restricted" groups).
If you do not archive the system log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events as
If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite e
If you must retain all the events in the log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Do not overwr
This setting does not change the behavior of the UAC elevation prompt for administrators.
The two properties are Members and Member Of. The Members list defines who belongs and who does not belong to the restricted group. The Member Of list s
Note: This setting does not appear in the Local Computer Policy object.
If you plan to enable this setting, you should also review the effect of the "User Account Control: Behavior of the elevation prompt for standard users" setting. If it
When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members lis
Notes
Default: None.
System Services security settings
Allows an administrator to define the startup mode (manual, automatic, or disabled) as well as the access permissions (Start, Stop, or Pause) for all system serv
Default: Undefined.
Notes
This setting does not appear in the Local Computer Policy object.
If you choose to set system service startup to Automatic, perform adequate testing to verify that the services can start without user intervention.
For performance optimization, set unnecessary or unused services to Manual.
Registry security settings
Allows an administrator to define access permissions (on discretionary access control lists (DACLs)) and audit settings (on system access control lists (SACLs))
Default: Undefined.
Note: This setting does not appear in the Local Computer Policy object.
File System security settings
Allows an administrator to define access permissions (on discretionary access control lists (DACLs)) and audit settings (on system access control lists (SACLs))
Default: Undefined.
Note: This setting does not appear in the Local Computer Policy object.
Reboot Required / Comments
Clients will get the new setting after a maximum of 8 hours but for DCs to assign these new settings a Gpupdate /force is required or waiting for the usual 5 minutes when the SCE engine assigns all modified settings.
Logoff required
Note: In Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family, the Task Scheduler automatically grants this right as necessary.
Note: See also the corresponding Windows Server 2003 Allow log on locally policy setting, earlier in this worksheet.
For the policy change to take effect, the spooler service needs to be stopped/restarted, but the system does not have to be rebooted.
Restart of service might be sufficient
Important: In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows NT 4.0 Service Pack 6 or higher. In order to take advantage of this policy on doma
Important: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
Important: This setting will apply to any computers running Windows 2000 through changes in the registry, but the security setting is not viewable through the Security Configuration Manager tool set.
Only LogOff is required for W2K, XP and W2K3. In Vista, start/restart scpolicysvc will work or LogOff
Important: For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help.
Important: For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help.
Important: This policy has no impact on domain controllers. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help.
Important: The Network access: Remotely accessible registry paths security setting that appears on computers running Windows XP corresponds to the Network access: Remotely accessible registry paths and subpaths security setting on members of the Wi
Important: On Windows XP, this security setting was called "Network access: Remotely accessible registry paths." If you configure this setting on a member of the Windows Server 2003 family that is joined to a domain, this policy setting is inherited by computers running Windows XP Professional, but will have no impact on computers running Windows 2000. For more information, search for "Security Setting Descriptions" in the Windows Server 2003 Help.
Important: This setting only affects computers running Windows XP Service Pack 2 (SP2) and above which are not joined to a domain.
offer compatibility with previous versions of Windows, such as Microsoft Windows NT 4.0.
Warning: This setting will apply to any computers running Windows 2000 through changes in the registry, but the security setting will not be viewable through the Security Configuration Manager tool set. For more information, search for "Security Setting Descriptions" in the Windows Server 2003 Help.
This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the netwo
Require restart of recovery console
Requires logoff
Vista does NOT require reboot
Requires reboot with CNG on Vista; Does not require reboot with CAPI on Vista; Does not require reboot on XP, 2003 with CAPI
This policy does not exist on Vista
Note: This setting does not appear in the Local Computer Policy object.
Important: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see the "Event Log: Maximum sec
This security setting affects only computers running Windows 2000, Windows Server 2003, and Windows XP.
A user must possess the Manage auditing and security log user right to access the security log.