
Policy setting as it appears in the Group Policy Editor of Windows Server 2003

Computer Configuration
    Software Settings
        Software installation
    Windows Settings
        Scripts (Startup/Shutdown)
        Security Settings
            Account Policies
                Password Policy
                    Enforce password history
                    Maximum password age
                    Minimum password age
                    Minimum password length
                    Passwords must meet complexity requirements
                    Store password using reversible encryption for all users in the domain
                Account Lockout Policy
                    Account lockout duration
                    Account lockout threshold
                    Reset account lockout counter after
                Kerberos Policy
                    Enforce user logon restrictions
                    Maximum lifetime for service ticket
                    Maximum lifetime for user ticket
                    Maximum lifetime for user ticket renewal
                    Maximum tolerance for computer clock synchronization
            Local Policies
                Audit Policy
                    Audit account logon events
                    Audit account management
                    Audit directory service access
                    Audit logon events
                    Audit object access
                    Audit policy change
                    Audit privilege use
                    Audit process tracking
                    Audit system events
                User Rights Assignment
                    Access this computer from the network (SeNetworkLogonRight)
                    Act as part of the operating system (SeTcbPrivilege)
                    Add workstations to domain (SeMachineAccountPrivilege)
                    Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
                    Allow logon locally (SeInteractiveLogonRight)
                    Allow logon through Terminal Services (SeRemoteInteractiveLogonRight)
                    Back up files and directories (SeBackupPrivilege)
                    Bypass traverse checking (SeChangeNotifyPrivilege)
                    Change the system time (SeSystemTimePrivilege)
                    Create a pagefile (SeCreatePagefilePrivilege)
                    Create a token object (SeCreateTokenPrivilege)
                    Create global objects (SeCreateGlobalPrivilege)
                    Create permanent shared objects (SeCreatePermanentPrivilege)
                    Debug programs (SeDebugPrivilege)
                    Deny access to this computer from the network (SeDenyNetworkLogonRight)
                    Deny logon as a batch job (SeDenyBatchLogonRight)
                    Deny logon as a service (SeDenyServiceLogonRight)
                    Deny logon locally (SeDenyInteractiveLogonRight)
                    Deny logon through Terminal Services (SeDenyRemoteInteractiveLogonRight)
                    Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege)
                    Force shutdown from a remote system (SeRemoteShutdownPrivilege)
                    Generate security audits (SeAuditPrivilege)
                    Impersonate a client after authentication (SeImpersonatePrivilege)
                    Increase scheduling priority (SeIncreaseBasePriorityPrivilege)
                    Load and unload device drivers (SeLoadDriverPrivilege)
                    Lock pages in memory (SeLockMemoryPrivilege)
                    Log on as a batch job (SeBatchLogonRight)
                    Log on as a service (SeServiceLogonRight)
                    Manage auditing and security log (SeSecurityPrivilege)
                    Modify firmware environment values (SeSystemEnvironmentPrivilege)
                    Perform volume maintenance tasks (SeManageVolumePrivilege)
                    Profile single process (SeProfileSingleProcessPrivilege)
                    Profile system performance (SeSystemProfilePrivilege)
                    Remove computer from docking station (SeUndockPrivilege)
                    Replace a process level token (SeAssignPrimaryTokenPrivilege)
                    Restore files and directories (SeRestorePrivilege)
                    Shut down the system (SeShutdownPrivilege)
                    Synchronize directory service data (SeSynchAgentPrivilege)
                    Take ownership of files or other objects (SeTakeOwnershipPrivilege)
                Security Options
                    Accounts: Administrator account status
                    Accounts: Guest account status
                    Accounts: Limit local account use of blank passwords to console logon only
                    Accounts: Rename administrator account
                    Accounts: Rename guest account
                    Audit: Audit the access of global system objects
                    Audit: Audit the use of Backup and Restore privilege
                    Audit: Shut down system immediately if unable to log security audits
                    DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL)
                    DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL)
                    Devices: Allow undock without having to log on
                    Devices: Allowed to format and eject removable media
                    Devices: Prevent users from installing printer drivers
                    Devices: Restrict CD-ROM access to locally logged-on user only
                    Devices: Restrict floppy access to locally logged-on user only
                    Devices: Unsigned driver installation behavior
                    Domain controller: Allow server operators to schedule tasks
                    Domain controller: LDAP server signing requirements
                    Domain controller: Refuse machine account password changes
                    Domain member: Digitally encrypt or sign secure channel data (always)
                    Domain member: Digitally encrypt secure channel data (when possible)
                    Domain member: Digitally sign secure channel data (when possible)
                    Domain member: Disable machine account password changes
                    Domain member: Maximum machine account password age
                    Domain member: Require strong (Windows 2000 or later) session key
                    Interactive logon: Display user information when the session is locked
                    Interactive logon: Do not display last user name
                    Interactive logon: Do not require CTRL+ALT+DEL
                    Interactive logon: Message text for users attempting to log on
                    Interactive logon: Message title for users attempting to log on
                    Interactive logon: Number of previous logons to cache (in case domain controller is not available)
                    Interactive logon: Prompt user to change password before expiration
                    Interactive logon: Require Domain Controller authentication to unlock workstation
                    Interactive logon: Require smart card
                    Interactive logon: Smart card removal behavior
                    Microsoft network client: Digitally sign communications (always)
                    Microsoft network client: Digitally sign communications (if server agrees)
                    Microsoft network client: Send unencrypted password to third-party SMB servers
                    Microsoft network server: Amount of idle time required before suspending session
                    Microsoft network server: Digitally sign communications (always)
                    Microsoft network server: Digitally sign communications (if client agrees)
                    Microsoft network server: Disconnect clients when logon hours expire
                    Network access: Allow anonymous SID/Name translation
                    Network access: Do not allow anonymous enumeration of SAM accounts
                    Network access: Do not allow anonymous enumeration of SAM accounts and shares
                    Network access: Do not allow storage of credentials or .NET Passports for network authentication
                    Network access: Let Everyone permissions apply to anonymous users
                    Network access: Named Pipes that can be accessed anonymously
                    Network access: Remotely accessible registry paths
                    Network access: Remotely accessible registry paths and subpaths
                    Network access: Restrict anonymous access to Named Pipes and Shares
                    Network access: Shares that can be accessed anonymously
                    Network access: Sharing and security model for local accounts
                    Network security: Do not store LAN Manager hash value on next password change
                    Network security: Force logoff when logon hours expire
                    Network security: LAN Manager authentication level
                    Network security: LDAP client signing requirements
                    Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
                    Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
                    Recovery console: Allow automatic administrative logon
                    Recovery console: Allow floppy copy and access to all drives and all folders
                    Shutdown: Allow system to be shut down without having to log on
                    Shutdown: Clear virtual memory pagefile
                    System cryptography: Force strong key protection for user keys stored on the computer
                    System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
                    System objects: Default owner for objects created by members of the Administrators group
                    System objects: Require case insensitivity for non-Windows subsystems
                    System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
                    System settings: Optional subsystems
                    System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
                    MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
                    MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments)
                    MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments)
                    MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
                    MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)
                    MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)
                    MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
                    MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)
                    MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds (300,000 is recommended)
                    MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended)
                    MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended)
                    MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
                    MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)
                    MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)
                    MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
                    MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
                    MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
                    MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged
                    MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
                    MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
                    (ActiveX Signed Controls) RunInvalidSignatures
                    (RPC Endpoint Mapper) EnableAuthEpResolution
                    (RPC Endpoint Mapper) RestrictRemoteClients
                    (WebDAV Redirector) DisableBasicOverClearChannel
                    (WebDAV Redirector) UseBasicAuth
            Event Log
                Settings for Event Logs
                    Maximum application log size
                    Maximum security log size
                    Maximum system log size
                    Restrict guest access to application log
                    Restrict guest access to security log
                    Restrict guest access to system log
                    Retain application log
                    Retain security log
                    Retain system log
                    Retention method for application log
                    Retention method for security log
                    Retention method for system log
            Restricted Groups
            System Services - See next worksheet, System Services
            Registry
            File System
            Public Key Policies
                Encrypted Data Recovery Agents
                Automatic Certificate Request Settings
                Trusted Root Certification Authorities
                Enterprise Trust
            IP Security Policies on Active Directory
                Client (Respond Only)
                Secure Server (Require Security)
                Server (Request Security)
    Administrative Templates
        Windows Components
            NetMeeting
                Disable remote Desktop Sharing
            Internet Explorer
                Security Zones: Use only machine settings
                Security Zones: Do not allow users to change policies
                Security Zones: Do not allow users to add/delete sites
                Make proxy settings per-machine (rather than per-user)
                Disable Automatic Install of Internet Explorer components
                Disable Periodic Check for Internet Explorer software updates
                Disable software update shell notifications on program launch
                Turn off Crash Detection
                Do not allow users to enable or disable add-ons
                Allow software to run or install even if the signature is invalid
                Allow active content from CDs to run on user machines
                Allow third-party browser extensions (only under Windows 2003)
                Check for server certificate revocation (only under Windows 2003)
                Do not save encrypted pages to disk (only under Windows 2003)
                Empty Temporary Internet Files folder when browser is closed (only under Windows 2003)
                Internet Control Panel
                    Security Page
                    Advanced Page
                Security Features
                    Binary Behavior Security Restriction
                        Internet Explorer Processes
                        Process List
                        All Processes
                        Admin-approved behaviors
                    MK Protocol Security Restriction
                        Internet Explorer Processes
                        Process List
                        All Processes
                    Local Machine Zone Lockdown Security
                        Internet Explorer Processes
                        Process List
                        All Processes
                    Consistent MIME Handling
                        Internet Explorer Processes
                        Process List
                        All Processes
                    MIME Sniffing Safety Features
                        Internet Explorer Processes
                        Process List
                        All Processes
                    Protection From Zone Elevation
                        Internet Explorer Processes
                        Process List
                        All Processes
                    Restrict ActiveX Install
                        Internet Explorer Processes
                        Process List
                        All Processes
                    Restrict File Download
                        Internet Explorer Processes
                        Process List
                        All Processes
                    Add-on Management
                        Internet Explorer Processes
                        Process List
                        All Processes
                    Network Protocol Lockdown
                        Internet Explorer Processes
                        Process List
                        All Processes
                        Restricted Protocols per Security Zone
            Internet Information Services
                Prevent IIS installation
            Terminal Services
                Deny log off of an administrator logged in to the console session
                Do not allow local administrators to customize permissions
                Sets rules for remote control of Terminal Services user sessions
                Client/Server data redirection
                    Allow Time Zone Redirection
                    Do not allow clipboard redirection
                    Allow audio redirection
                    Do not allow COM port redirection
                    Do not allow client printer redirection
                    Do not allow LPT port redirection
                    Do not allow drive redirection
                    Do not set default client printer to be default printer in a session
                Encryption and Security
                    Always prompt client for password upon connection
                    Set client connection encryption level
                    RPC Security Policy
                        Secure Server (Require Security)
                Sessions
                    Set time limit for disconnected sessions
                    Allow reconnection from original client only
            Windows Explorer
                Turn off shell protected mode
            Windows Messenger
                Do not allow Windows Messenger to be run
            Windows Update
                Configure Automatic Updates
                Specify intranet Microsoft update service location
                Reschedule Automatic Updates scheduled installations
                No auto-restart for scheduled Automatic Updates installations
        System
            Display Shutdown Event Tracker
            Specify Windows installation file location
            Specify Windows Service Pack installation file location
            Remove Boot / Shutdown / Logon / Logoff status messages
            Verbose vs normal status messages
            Restrict these programs from being launched from Help
            Turn off Autoplay
            Do not automatically encrypt files moved to encrypted folders
            Download missing COM components
            User Profiles
                Do not check for user ownership of Roaming Profile Folders
                Delete cached copies of roaming profiles
                Do not detect slow network connections
                Slow network connection timeout for user profiles
                Wait for remote user profile
                Prompt user when slow link is detected
                Timeout for dialog boxes
                Log users off when roaming profile fails
                Maximum retries to unload and update user profile
                Add the Administrators security group to roaming user profiles
                Prevent Roaming Profile changes from propagating to the server
                Only allow local user profiles
            Scripts
                Turn off autoplay
            Logon
                Don't display the Getting Started welcome screen at logon
                Do not process the run once list
                Do not process the legacy run list
            Group Policy
                Registry policy processing
                Internet Explorer Maintenance policy processing
                Security policy processing
                IP Security policy processing
            Remote Assistance
                Solicited Remote Assistance
                Offer Remote Assistance
            Error Reporting
                Display Error Notification
                Report Errors
            Distributed COM
                Application Compatibility Settings
                    Allow local activation security check exemptions
                    Define Activation Security Check exemptions

User Configuration
    Administrative Templates
        Windows Components
            Internet Explorer
                Disable Changing Advanced page settings
                Disable Internet Connection Wizard
                Disable Changing Connection Settings
                Disable Changing Proxy Settings
                Disable Changing Automatic Configuration Se
                Disable Changing Certificate Settings
                Do not allow AutoComplete to save passwords
                Configure Outlook Express
                Internet Control Panel
                    Disable the Security Page
                    Disable the Advanced Page
                Offline Pages
                    Disable adding channels
                    Disable removing channels
                    Disable adding schedules for offline pages
                    Disable editing schedules for offline pages
                    Disable removing schedules for offline pages
                    Disable offline page hit logging
                    Disable all scheduled offline pages
                    Disable channel user interface completely
                    Disable downloading of site subscription content
                    Disable editing and creating of schedule groups
                Browser menus
                    Disable Save this program to disk option
                Persistence Behavior
                    File size limits for the Local Machine zone
                    File size limits for the Intranet zone
                    File size limits for the Trusted Sites zone
                    File size limits for the Internet zone
                    File size limits for the Restricted Sites zone
            Attachment Manager
                Default risk level for file attachments
                Inclusion list for high risk file types
                Inclusion list for moderate risk file types
                Inclusion list for low risk file types
                Trust logic for file attachments
                Do not preserve zone information in file attachments
                Hide mechanisms to remove zone information
                Notify antivirus programs when opening attachments
            Windows Explorer
                Remove Security tab
                Remove CD Burning features
        Control Panel
            Display
                Hide Screen Saver tab
                Screen Saver
                Screen Saver executable name
                Password protect the screen saver
                Screen Saver timeout
        System
            Prevent access to registry editing tools
            Power Management
                Prompt for password on resume from hibernate / suspend

Value columns, left to right: Default Domain Policy | Default Domain Controller Policy | Stand-Alone Server Default Settings | DC Effective Default Settings | Member Server Effective Default Settings

Account Policies

| Setting | Default Domain Policy | Default Domain Controller Policy | Stand-Alone Server Default Settings | DC Effective Default Settings | Member Server Effective Default Settings |
|---|---|---|---|---|---|
| Enforce password history | 24 passwords remembered | Not defined | 0 passwords remembered | 24 passwords remembered | 24 passwords remembered |
| Maximum password age | 42 days | Not defined | 42 days | 42 days | 42 days |
| Minimum password age | 1 day | Not defined | 0 days | 1 day | 1 day |
| Minimum password length | 7 characters | Not defined | 0 characters | 7 characters | 7 characters |
| Passwords must meet complexity requirements | Enabled | Not defined | Disabled | Enabled | Enabled |
| Store password using reversible encryption for all users in the domain | Disabled | Not defined | Disabled | Disabled | Disabled |
| Account lockout duration | Not defined | Not defined | Not applicable | Not defined | Not defined |
| Account lockout threshold | 0 invalid login attempts | Not defined | 0 invalid login attempts | 0 invalid login attempts | 0 invalid login attempts |
| Reset account lockout counter after | Not defined | Not defined | Not applicable | Not defined | Not defined |
| Enforce user logon restrictions | Enabled | Not defined | Not applicable | Enabled | Not applicable |
| Maximum lifetime for service ticket | 600 minutes | Not defined | Not applicable | 600 minutes | Not applicable |
| Maximum lifetime for user ticket | 10 hours | Not defined | Not applicable | 10 hours | Not applicable |
| Maximum lifetime for user ticket renewal | 7 days | Not defined | Not applicable | 7 days | Not applicable |
| Maximum tolerance for computer clock synchronization | 5 minutes | Not defined | Not applicable | 5 minutes | Not applicable |

Audit Policy

| Setting | Default Domain Policy | Default Domain Controller Policy | Stand-Alone Server Default Settings | DC Effective Default Settings | Member Server Effective Default Settings |
|---|---|---|---|---|---|
| Audit account logon events | Not defined | Success | Success | Success | Success |
| Audit account management | Not defined | Success | No auditing | Success | No auditing |
| Audit directory service access | Not defined | Success | No auditing | Success | No auditing |
| Audit logon events | Not defined | Success | Success | Success | Success |
| Audit object access | Not defined | No auditing | No auditing | No auditing | No auditing |
| Audit policy change | Not defined | Success | No auditing | Success | No auditing |
| Audit privilege use | Not defined | No auditing | No auditing | No auditing | No auditing |
| Audit process tracking | Not defined | No auditing | No auditing | No auditing | No auditing |
| Audit system events | Not defined | Success | No auditing | Success | No auditing |

Not defined

Everyone, Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS, Pre-Windows 2000 Compatible Access No one Authenticated Users LOCAL SERVICE, NETWORK SERVICE, Administrators Administrators, Backup Operators, Account Operators, Server Operators, Print Operators Not defined

Everyone, Administrators, Users, Power Users, Backup Operators

Everyone, Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS, Pre-Windows 2000 Compatible Access No one Authenticated Users LOCAL SERVICE, NETWORK SERVICE, Administrators Administrators, Backup Operators, Account Operators, Server Operators, Print Operators Administrators

Backup Operators, Power Users, Users, Administrators, Everyone

Not defined Not defined Not defined

Not defined Not defined LOCAL SERVICE, NETWORK SERVICE, Administrators Administrators, Users, Power Users, Backup Operators

Not defined Not defined Administrators, NETWORK SERVICE, LOCAL SERVICE Backup Operators, Power Users, Users, Administrators

Not defined

Not defined

Not defined

Not defined

Administrators, Remote Desktop Users Administrators, Administrators, Backup Operators, Backup Operators Server Operators Everyone, Everyone, Administrators, Administrators, Authenticated Users, Power Users, PreUsers, Backup Windows 2000 Operators Compatible Access Administrators, Server Operators Administrators No one Not defined No one Administrators, Power Users Administrators Not defined Administrators, SERVICE Not defined

Remote Desktop Users, Administrators Administrators, Backup Operators, Backup Operators, Administrators Server Operators Everyone, Backup Operators, Administrators, Power Users, Authenticated Users, Users, PreAdministrators, Windows 2000 Everyone Compatible Access Administrators, Server Operators Administrators No one SERVICE, Administrators No one Power Users, Administrators Administrators Not defined SERVICE, Administrators Not defined

Not defined Not defined Not defined Not defined Not defined

Not defined Not defined Not defined

Administrators

Administrators

Administrators

Administrators

SUPPORT_388945 SUPPORT_388945 SUPPORT_388945 SUPPORT_388945 a0 a0 a0 a0 No one Not defined No one Not defined

Not defined Not defined Not defined Not defined Not defined Not defined

No one SUPPORT_388945 a0 Not defined Administrators Administrators, Server Operators LOCAL SERVICE, NETWORK SERVICE Administrators, SERVICE Administrators Administrators, Print Operators No one LOCAL SERVICE, SUPPORT_388945 a0 NETWORK SERVICE Administrators Administrators Not defined Administrators

Not defined SUPPORT_388945 a0 Not defined Not defined Administrators

No one SUPPORT_388945 a0 Not defined Administrators

Not defined SUPPORT_388945 a0 Not defined Not defined Administrators NETWORK SERVICE, LOCAL SERVICE SERVICE, Administrators Administrators Administrators Not defined SUPPORT_388945 a0 , LOCAL SERVICE NETWORK SERVICE Administrators Administrators Administrators Power Users, Administrators Administrators Power Users, Administrators NETWORK SERVICE, LOCAL SERVICE Backup Operators, Administrators Backup Operators, Power Users, Administrators, Users Not defined Administrators Enabled Disabled Enabled Administrator

Not defined Not defined Not defined Not defined Not defined

Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined

Not defined

Not defined

Not defined Not defined Not defined Not defined Not defined Not defined

Administrators, Server Operators LOCAL SERVICE, LOCAL SERVICE, NETWORK NETWORK SERVICE SERVICE Administrators, SERVICE, SERVICE Administrators Administrators Administrators Administrators Administrators, Print Operators Not defined No one LOCAL SERVICE, LOCAL SERVICE, SUPPORT_388945 SUPPORT_388945 a0 a0 NETWORK NETWORK SERVICE SERVICE Administrators Administrators Administrators Administrators Administrators Administrators Administrators, Administrators Power Users Administrators Administrators Administrators Administrators Administrators, Administrators Power Users LOCAL SERVICE, LOCAL SERVICE, LOCAL SERVICE, NETWORK NETWORK NETWORK SERVICE SERVICE SERVICE Administrators, Administrators, Administrators, Backup Operators, Backup Operators Backup Operators, Server Operators Server Operators Administrators, Administrators, Administrators, Backup Operators, Power Users, Backup Operators, Server Operators, Backup Operators, Server Operators, Print Operators Users Print Operators No one Not defined No one Administrators Administrators Administrators Not defined Not defined Not defined Not defined Enabled Disabled Enabled Administrator Enabled Disabled Enabled Administrator

Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined

Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined None Not defined Enabled Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Enabled Enabled Not defined Not defined

Guest Disabled Disabled Disabled Not defined Not defined Enabled Administrators Enabled Disabled Disabled Warn but allow installation Not defined Not defined Not defined Enabled Enabled Enabled Disabled 30 days Disabled Not defined Disabled Disabled Not defined Not defined 10 logons 14 days Disabled Disabled No Action Disabled Enabled Disabled 15 minutes Enabled Enabled Enabled Disabled

Guest Disabled Disabled Disabled Not defined Not defined Enabled Administrators Enabled Disabled Disabled Warn but allow installation Not defined None Not defined Enabled Enabled Enabled Disabled 30 days Disabled Not defined Disabled Disabled Not defined Not defined 10 logons 14 days Disabled Disabled No Action Disabled Enabled Disabled 15 minutes Enabled Enabled Enabled Enabled

Guest Disabled Disabled Disabled Not defined Not defined Enabled Administrators Enabled Disabled Disabled Warn but allow installation Not defined Not defined Not defined Enabled Enabled Enabled Disabled 30 days Disabled Not defined Disabled Disabled Not defined Not defined 10 logons 14 days Disabled Disabled No Action Disabled Enabled Disabled 15 minutes Enabled Enabled Enabled Disabled

Not defined Not defined Not defined Not defined Not defined

Not defined Not defined Not defined Not defined Not defined

Enabled Disabled Disabled Disabled COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, TrkSvr System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion

Enabled Disabled Disabled Disabled COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, TrkSvr System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion

Enabled Disabled Disabled Disabled COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, TrkSvr System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion

Not defined

Not defined

Not defined

Not defined

Not defined Not defined Not defined

Not defined Not defined Not defined

System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows Enabled COMCFG, DFS$ Classic - local users authenticate as themselves Disabled Disabled Send NTLM response only Negotiate signing No minimum No minimum Disabled Disabled Disabled

System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows Enabled COMCFG, DFS$ Classic - local users authenticate as themselves Disabled Disabled Send NTLM response only Negotiate signing No minimum No minimum Disabled Disabled Disabled

System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows Enabled COMCFG, DFS$ Classic - local users authenticate as themselves Disabled Disabled Send NTLM response only Negotiate signing No minimum No minimum Disabled Disabled Disabled

Not defined Disabled Not defined Not defined Not defined Not defined Not defined Not defined Not defined

Not defined Not defined Send NTLM response only Not defined Not defined Not defined Not defined Not defined Not defined

Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined

Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined

Disabled Not defined Disabled Administrators group Enabled Enabled Posix Disabled Disabled Enabled Enabled Medium, source routed packets are ignored when IP forwarding is enabled Disabled Enabled Enabled Disabled 7200000 Enabled Disabled Enabled Disabled 2 (enable only if DHCP sends the Perform Router Discovery option) Enabled 5 Enabled

Disabled Not defined Disabled Administrators group Enabled Enabled Posix Disabled Disabled Enabled Enabled Medium, source routed packets are ignored when IP forwarding is enabled Disabled Enabled Enabled Disabled 7200000 Enabled Disabled Enabled Disabled 2 (enable only if DHCP sends the Perform Router Discovery option) Enabled 5 Enabled

Disabled Not defined Disabled Administrators group Enabled Enabled Posix Disabled Disabled Enabled Enabled Medium, source routed packets are ignored when IP forwarding is enabled Disabled Enabled Enabled Disabled 7200000 Enabled Disabled Enabled Disabled 2 (enable only if DHCP sends the Perform Router Discovery option) Enabled 5 Enabled

Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined

Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined

Not defined Not defined Not defined

Not defined Not defined Not defined

Not defined

Not defined

Not defined Not defined Not defined Not defined Not defined Not defined Not defined

Not defined Not defined Not defined Not defined Not defined Not defined Not defined

2 (3 & 6 seconds, half-open connections dropped after 21 seconds) 5 0 (not configured) Disabled Disabled 0 0 (Disabled) 0 (Disabled)

2 (3 & 6 seconds, half-open connections dropped after 21 seconds) 5 0 (not configured) Disabled Disabled 0 0 (Disabled) 0 (Disabled)

2 (3 & 6 seconds, half-open connections dropped after 21 seconds) 5 0 (not configured) Disabled Disabled 0 0 (Disabled) 0 (Disabled)

Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined

Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined

16384 KB 16384 KB 16384 KB Not defined Not defined Not defined Not defined Not defined Not defined Overwrite as needed Overwrite as needed Overwrite as needed

16384 KB 131072 KB 16384 KB Enabled Enabled Enabled Not defined Not defined Not defined Overwrite as needed Overwrite as needed Overwrite as needed

16384 KB 16384 KB 16384 KB Enabled Enabled Enabled Not defined Not defined Not defined Overwrite as needed Overwrite as needed Overwrite as needed

Not configured

Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured

Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured

Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured

Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured

Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured

Not configured Not configured

Not configured

Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured

Not configured Not configured Not configured Not configured Not configured

Not configured Not configured

System Services worksheet (Windows Server 2003). Columns: Full Service Name | Service Name | DC Startup Type | Member Server Startup Type | Stand-Alone Server Startup Type | Logon As. The Logon As cell is blank where the worksheet leaves it blank, which is the case for services that are not installed by default.

| Full Service Name | Service Name | DC Startup Type | Member Server Startup Type | Stand-Alone Server Startup Type | Logon As |
|---|---|---|---|---|---|
| Alerter | Alerter | Disabled | Disabled | Disabled | Local Service |
| Application Experience Lookup Service | AELookupSvc | Automatic | Automatic | Automatic | Local System |
| Application Layer Gateway Service | ALG | Manual | Manual | Manual | Local Service |
| Application Management | AppMgmt | Manual | Manual | Manual | Local System |
| ASP .NET State Service | aspnet_state | Not installed | Not installed | Not installed | |
| Automatic Updates | wuauserv | Automatic | Automatic | Automatic | Local System |
| Background Intelligent Transfer Service | BITS | Manual | Manual | Manual | Local System |
| Certificate Services | CertSvc | Not installed | Not installed | Not installed | |
| Client Service for NetWare | NWCWorkstation | Not installed | Not installed | Not installed | |
| ClipBook | ClipSrv | Disabled | Disabled | Disabled | Local System |
| Cluster Service | ClusSvc | Not installed | Not installed | Not installed | |
| COM+ Event System | EventSystem | Manual | Manual | Manual | Local System |
| COM+ System Application | COMSysApp | Manual | Manual | Manual | Local System |
| Computer Browser | Browser | Automatic | Automatic | Automatic | Local System |
| Cryptographic Services | CryptSvc | Automatic | Automatic | Automatic | Local System |
| DCOM Server Process Launcher | DcomLaunch | Automatic | Automatic | Automatic | Local System |
| DHCP Client | Dhcp | Automatic | Automatic | Automatic | Network Service |
| DHCP Server | DHCPServer | Automatic | Not installed | Not installed | |
| Distributed File System | Dfs | Automatic | Automatic | Automatic | Local System |
| Distributed Link Tracking Client | TrkWks | Automatic | Automatic | Automatic | Local System |
| Distributed Link Tracking Server | TrkSvr | Disabled | Disabled | Disabled | Local System |
| Distributed Transaction Coordinator | MSDTC | Automatic | Automatic | Automatic | Network Service |
| DNS Client | Dnscache | Automatic | Automatic | Automatic | Network Service |
| DNS Server | DNS | Automatic | Not installed | Not installed | |
| Error Reporting Service | ERSvc | Automatic | Automatic | Automatic | Local System |
| Event Log | Eventlog | Automatic | Automatic | Automatic | Local System |
| Fax Service | Fax | Not installed | Not installed | Not installed | |
| File Replication | NtFrs | Automatic | Manual | Manual | Local System |
| File Server for Macintosh | MacFile | Not installed | Not installed | Not installed | |
| FTP Publishing Service | MSFtpsvc | Not installed | Not installed | Not installed | |
| Help and Support | helpsvc | Automatic | Automatic | Automatic | Local System |
| HTTP SSL | HTTPFilter | Manual | Manual | Manual | Local System |
| Human Interface Device Access | HidServ | Disabled | Disabled | Disabled | Local System |
| IAS Jet Database Access | IASJet | Not installed | Not installed | Not installed | |
| IIS Admin Service | IISADMIN | Not installed | Not installed | Not installed | |
| IMAPI CD-Burning COM Service | ImapiService | Disabled | Disabled | Disabled | Local System |
| Indexing Service | cisvc | Disabled | Disabled | Disabled | Local System |
| Infrared Monitor | Irmon | Not installed | Not installed | Not installed | |
| Internet Authentication Service | IAS | Not installed | Not installed | Not installed | |
| Intersite Messaging | IsmServ | Automatic | Disabled | Disabled | Local System |
| IP Version 6 Helper Service | 6to4 | Not installed | Not installed | Not installed | |
| IPSec Policy Agent (IPSec Service) | PolicyAgent | Automatic | Automatic | Automatic | Local System |
| Kerberos Key Distribution Center | Kdc | Automatic | Disabled | Disabled | Local System |
| License Logging Service | LicenseService | Disabled | Disabled | Disabled | Network Service |
| Logical Disk Manager | dmserver | Automatic | Automatic | Automatic | Local System |
| Logical Disk Manager Administrative Service | dmadmin | Manual | Manual | Manual | Local System |
| Machine Debug Manager | MDM | Not installed | Not installed | Not installed | |
| Message Queuing | msmq | Not installed | Not installed | Not installed | |
| Message Queuing Down Level Clients | mqds | Not installed | Not installed | Not installed | |
| Message Queuing Triggers | Mqtgsvc | Not installed | Not installed | Not installed | |
| Messenger | Messenger | Disabled | Disabled | Disabled | Local System |
| Microsoft POP3 Service | POP3SVC | Not installed | Not installed | Not installed | |
| Microsoft Software Shadow Copy Provider | SwPrv | Manual | Manual | Manual | Local System |
| MSSQL$UDDI | MSSQL$UDDI | Not installed | Not installed | Not installed | |
| MSSQLServerADHelper | MSSQLServerADHelper | Not installed | Not installed | Not installed | |
| .NET Framework Support Service | CORRTSvc | Not installed | Not installed | Not installed | |
| Netlogon | Netlogon | Automatic | Automatic | Manual | Local System |
| NetMeeting Remote Desktop Sharing | mnmsrvc | Disabled | Disabled | Disabled | Local System |
| Network Connections | Netman | Manual | Manual | Manual | Local System |
| Network DDE | NetDDE | Disabled | Disabled | Disabled | Local System |
| Network DDE DSDM | NetDDEdsdm | Disabled | Disabled | Disabled | Local System |
| Network Location Awareness (NLA) | NLA | Manual | Manual | Manual | Local System |
| Network Provisioning Service | xmlprov | Manual | Manual | Manual | Local System |
| Network News Transfer Protocol (NNTP) | NntpSvc | Not installed | Not installed | Not installed | |
| NTLM Security Support Provider | NtLmSsp | Manual | Manual | Manual | Local System |
| Performance Logs and Alerts | SysmonLog | Manual | Manual | Manual | Network Service |
| Plug and Play | PlugPlay | Automatic | Automatic | Automatic | Local System |
| Portable Media Serial Number | WmdmPmSN | Manual | Manual | Manual | Local System |
| Print Server for Macintosh | MacPrint | Not installed | Not installed | Not installed | |
| Print Spooler | Spooler | Automatic | Automatic | Automatic | Local System |
| Protected Storage | ProtectedStorage | Automatic | Automatic | Automatic | Local System |
| QoS RSVP Service | RSVP | Not installed | Not installed | Not installed | |
| Remote Access Auto Connection Manager | RasAuto | Manual | Manual | Manual | Local System |
| Remote Access Connection Manager | RasMan | Manual | Manual | Manual | Local System |
| Remote Administration Service | SrvcSurg | Not installed | Not installed | Not installed | |
| Remote Desktop Help Session Manager | RDSessMgr | Manual | Manual | Manual | Local System |
| Remote Installation | BINLSVC | Not installed | Not installed | Not installed | |
| Remote Procedure Call (RPC) | RpcSs | Automatic | Automatic | Automatic | Local System |
| Remote Procedure Call (RPC) Locator | RpcLocator | Automatic | Manual | Manual | Network Service |
| Remote Registry Service | RemoteRegistry | Automatic | Automatic | Automatic | Local Service |
| Remote Server Manager | AppMgr | Not installed | Not installed | Not installed | |
| Remote Server Monitor | Appmon | Not installed | Not installed | Not installed | |
| Remote Storage Notification | Remote_Storage_User_Link | Not installed | Not installed | Not installed | |
| Remote Storage Server | Remote_Storage_Server | Not installed | Not installed | Not installed | |
| Removable Storage | NtmsSvc | Manual | Manual | Manual | Local System |
| Resultant Set of Policy Provider | RSoPProv | Manual | Manual | Manual | Local System |
| Routing and Remote Access | RemoteAccess | Disabled | Disabled | Disabled | Local System |
| SAP Agent | nwsapagent | Not installed | Not installed | Not installed | |
| Secondary Logon | seclogon | Automatic | Automatic | Automatic | Local System |
| Security Accounts Manager | SamSs | Automatic | Automatic | Automatic | Local System |
| Server | lanmanserver | Automatic | Automatic | Automatic | Local System |
| Shell Hardware Detection | ShellHWDetection | Automatic | Automatic | Automatic | Local System |
| Simple Mail Transport Protocol (SMTP) | SMTPSVC | Not installed | Not installed | Not installed | |
| Simple TCP/IP Services | SimpTcp | Not installed | Not installed | Not installed | |
| Single Instance Storage Groveler | Groveler | Not installed | Not installed | Not installed | |
| Smart Card | SCardSvr | Manual | Manual | Manual | Local Service |
| SNMP Service | SNMP | Not installed | Not installed | Not installed | |
| SNMP Trap Service | SNMPTRAP | Not installed | Not installed | Not installed | |
| Special Administration Console Helper | Sacsvr | Manual | Manual | Manual | Local System |
| SQLAgent$* (* UDDI or WebDB) | SQLAgent$WEBDB | Not installed | Not installed | Not installed | |
| System Event Notification | SENS | Automatic | Automatic | Automatic | Local System |
| Task Scheduler | Schedule | Automatic | Automatic | Automatic | Local System |
| TCP/IP NetBIOS Helper Service | LMHosts | Automatic | Automatic | Automatic | Local Service |
| TCP/IP Print Server | LPDSVC | Not installed | Not installed | Not installed | |
| Telephony | TapiSrv | Manual | Manual | Manual | Local System |
| Telnet | TlntSvr | Disabled | Disabled | Disabled | Local System |
| Terminal Services | TermService | Manual | Manual | Manual | Local System |
| Terminal Services Licensing | TermServLicensing | Not installed | Not installed | Not installed | |
| Terminal Services Session Directory | Tssdis | Disabled | Disabled | Disabled | Local System |
| Themes | Themes | Disabled | Disabled | Disabled | Local System |
| Trivial FTP Daemon | tftpd | Not installed | Not installed | Not installed | |
| Uninterruptible Power Supply | UPS | Manual | Manual | Manual | Local Service |
| Upload Manager | Uploadmgr | Manual | Manual | Manual | Local System |
| Virtual Disk Service | VDS | Manual | Manual | Manual | Local System |
| Volume Shadow Copy | VSS | Manual | Manual | Manual | Local System |
| WebClient | WebClient | Disabled | Disabled | Disabled | Local Service |
| Web Element Manager | elementmgr | Not installed | Not installed | Not installed | |
| Windows Audio | AudioSrv | Disabled | Disabled | Disabled | Local System |
| Windows Firewall (WF)/Internet Connection Sharing (ICS) | SharedAccess | Disabled | Disabled | Disabled | Local System |
| Windows Image Acquisition (WIA) | StiSvc | Disabled | Disabled | Disabled | Local Service |
| Windows Installer | MSIServer | Manual | Manual | Manual | Local System |
| Windows Internet Name Service (WINS) | WINS | Not installed | Not installed | Not installed | |
| Windows Management Instrumentation | winmgmt | Automatic | Automatic | Automatic | Local System |
| Windows Management Instrumentation Driver Extensions | Wmi | Manual | Manual | Manual | Local System |
| Windows Media Services | WMServer | Not installed | Not installed | Not installed | |
| Windows System Resource Manager | WindowsSystemResourceManager | Not installed | Not installed | Not installed | |
| Windows Time | W32Time | Automatic | Automatic | Automatic | Local System |
| WinHTTP Web Proxy Auto-Discovery Service | WinHttpAutoProxySvc | Manual | Manual | Manual | Local Service |
| Wireless Configuration | WZCSVC | Automatic | Automatic | Automatic | Local System |
| WMI Performance Adapter | WmiApSrv | Manual | Manual | Manual | Local System |
| Workstation | lanmanworkstation | Automatic | Automatic | Automatic | Local System |
| World Wide Web Publishing Service | W3SVC | Not installed | Not installed | Not installed | |
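The table above is only useful as a baseline if something compares a live host against it. The script below is an added example, not part of the original worksheet: it queries Win32_Service on a host and reports every service whose startup type or logon account differs from the Member Server column, plus any service that the worksheet marks "Not installed" but that is present. The $Baseline and $NotInstalledByDefault tables are hand-copied subsets of the worksheet rows (extend them as needed); the two converter functions and all variable names are this example's own. It assumes WMI/DCOM access to the target from Windows PowerShell 5.1, which is how older hosts such as Windows Server 2003 are reachable; it changes nothing on the target.

```powershell
<#
Added example (not from the original worksheet): compare a host's services with
the Member Server defaults above. Read-only. Requires Windows PowerShell 5.1
(Get-WmiObject) and DCOM access to the target.
#>
param([string]$ComputerName = $env:COMPUTERNAME)

# Worksheet wording is kept here; the converters below translate it to the
# values Win32_Service actually reports in StartMode and StartName.
$Baseline = @(
    @{ Name = 'Alerter';        Start = 'Disabled';  Logon = 'Local Service' },
    @{ Name = 'Messenger';      Start = 'Disabled';  Logon = 'Local System' },
    @{ Name = 'TlntSvr';        Start = 'Disabled';  Logon = 'Local System' },
    @{ Name = 'WebClient';      Start = 'Disabled';  Logon = 'Local Service' },
    @{ Name = 'RemoteAccess';   Start = 'Disabled';  Logon = 'Local System' },
    @{ Name = 'ClipSrv';        Start = 'Disabled';  Logon = 'Local System' },
    @{ Name = 'NetDDE';         Start = 'Disabled';  Logon = 'Local System' },
    @{ Name = 'RemoteRegistry'; Start = 'Automatic'; Logon = 'Local Service' },
    @{ Name = 'Schedule';       Start = 'Automatic'; Logon = 'Local System' },
    @{ Name = 'Spooler';        Start = 'Automatic'; Logon = 'Local System' },
    @{ Name = 'SysmonLog';      Start = 'Manual';    Logon = 'Network Service' },
    @{ Name = 'TermService';    Start = 'Manual';    Logon = 'Local System' },
    @{ Name = 'W32Time';        Start = 'Automatic'; Logon = 'Local System' },
    @{ Name = 'lanmanserver';   Start = 'Automatic'; Logon = 'Local System' }
)
# Rows whose Member Server startup type is "Not installed" (subset).
$NotInstalledByDefault = @('MSFtpsvc', 'W3SVC', 'SMTPSVC', 'NntpSvc', 'IISADMIN',
                           'tftpd', 'SimpTcp', 'SNMP', 'SNMPTRAP', 'POP3SVC', 'LPDSVC')

function ConvertTo-StartMode([string]$SheetValue) {
    if ($SheetValue -eq 'Automatic') { 'Auto' } else { $SheetValue }
}
function ConvertTo-StartName([string]$SheetValue) {
    switch ($SheetValue) {
        'Local System'    { 'LocalSystem' }
        'Local Service'   { 'NT AUTHORITY\LocalService' }
        'Network Service' { 'NT AUTHORITY\NetworkService' }
        default           { $SheetValue }
    }
}

# One WMI query, indexed by short service name.
$byName = @{}
foreach ($svc in Get-WmiObject -Class Win32_Service -ComputerName $ComputerName) {
    $byName[$svc.Name] = $svc
}

$findings = @()
foreach ($row in $Baseline) {
    $svc = $byName[$row.Name]
    if (-not $svc) { continue }          # absent on this host: nothing to compare
    $wantStart = ConvertTo-StartMode $row.Start
    $wantLogon = ConvertTo-StartName $row.Logon
    if ($svc.StartMode -ne $wantStart) {
        $findings += [pscustomobject]@{ Service = $row.Name; Check = 'StartMode';
            Expected = $wantStart; Actual = $svc.StartMode; State = $svc.State }
    }
    if ($svc.StartName -ne $wantLogon) {
        # A service moved onto a domain account, or from a restricted account
        # up to LocalSystem, is a privilege change worth a second look.
        $findings += [pscustomobject]@{ Service = $row.Name; Check = 'LogonAs';
            Expected = $wantLogon; Actual = $svc.StartName; State = $svc.State }
    }
}
foreach ($name in $NotInstalledByDefault) {
    if ($byName.ContainsKey($name)) {
        # Present at all means an optional component (IIS, SNMP, TFTP, ...) was
        # added; confirm the role is intended and the service is hardened.
        $findings += [pscustomobject]@{ Service = $name; Check = 'Installed';
            Expected = 'Not installed'; Actual = $byName[$name].StartMode; State = $byName[$name].State }
    }
}
if ($findings.Count -eq 0) { 'No deviations from the Member Server defaults.' }
else { $findings | Sort-Object Service, Check | Format-Table -AutoSize }
```

Run it as `.\Compare-ServiceBaseline.ps1 -ComputerName SRV01` from an account with administrative WMI rights on the target. The StartMode check catches the common hardening regressions (Telnet or Messenger switched back to Automatic); the LogonAs check catches the quieter ones, where a service keeps its startup type but now runs under a higher-privileged account.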

Policy setting as it appears in the Group Policy Editor of Windows XP

Computer Configuration
  Software Settings
    Software installation
  Windows Settings
    Scripts (Startup/Shutdown)
    Security Settings
      Account Policies
        Password Policy
          Enforce password history
          Maximum password age
          Minimum password age
          Minimum password length
          Passwords must meet complexity requirements
          Store password using reversible encryption for all users in the domain
        Account Lockout Policy
          Account lockout duration
          Account lockout threshold
          Reset account lockout counter after
        Kerberos Policy
          Enforce user logon restrictions
          Maximum lifetime for service ticket
          Maximum lifetime for user ticket
          Maximum lifetime for user ticket renewal
          Maximum tolerance for computer clock synchronization
      Local Policies
        Audit Policy
          Audit account logon events
          Audit account management
          Audit directory service access
          Audit logon events
          Audit object access
          Audit policy change
          Audit privilege use
          Audit process tracking
          Audit system events
        User Rights Assignment
          Access this computer from the network (SeNetworkLogonRight)
          Act as part of the operating system (SeTcbPrivilege)
          Add workstations to domain (SeMachineAccountPrivilege)
          Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
          Allow logon through Terminal Services (SeRemoteInteractiveLogonRight)
          Back up files and directories (SeBackupPrivilege)
          Bypass traverse checking (SeChangeNotifyPrivilege)
          Change the system time (SeSystemTimePrivilege)
          Create a pagefile (SeCreatePagefilePrivilege)
          Create a token object (SeCreateTokenPrivilege)
          Create global objects (SeCreateGlobalPrivilege)
          Create permanent shared objects (SeCreatePermanentPrivilege)
          Debug programs (SeDebugPrivilege)
          Deny access to this computer from the network (SeDenyNetworkLogonRight)
          Deny logon as a batch job (SeDenyBatchLogonRight)
          Deny logon as a service (SeDenyServiceLogonRight)
          Deny logon locally (SeDenyInteractiveLogonRight)
          Deny logon through Terminal Services (SeDenyRemoteInteractiveLogonRight)
          Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege)
          Force shutdown from a remote system (SeRemoteShutdownPrivilege)
          Generate security audits (SeAuditPrivilege)
          Increase scheduling priority (SeIncreaseBasePriorityPrivilege)
          Load and unload device drivers (SeLoadDriverPrivilege)
          Lock pages in memory (SeLockMemoryPrivilege)
          Log on as a batch job (SeBatchLogonRight)
          Log on as a service (SeServiceLogonRight)
          Log on locally (SeInteractiveLogonRight)
          Manage auditing and security log (SeSecurityPrivilege)
          Modify firmware environment values (SeSystemEnvironmentPrivilege)
          Perform volume maintenance tasks (SeManageVolumePrivilege)
          Profile single process (SeProfileSingleProcessPrivilege)
          Profile system performance (SeSystemProfilePrivilege)
          Remove computer from docking station (SeUndockPrivilege)
          Replace a process level token (SeAssignPrimaryTokenPrivilege)
          Restore files and directories (SeRestorePrivilege)
          Shut down the system (SeShutdownPrivilege)
          Synchronize directory service data (SeSyncAgentPrivilege)
          Take ownership of files or other objects (SeTakeOwnershipPrivilege)
        Security Options
          Accounts: Administrator account status
          Accounts: Guest account status
          Accounts: Limit local account use of blank passwords to console logon only
          Accounts: Rename administrator account
          Accounts: Rename guest account
          Audit: Audit the access of global system objects
          Audit: Audit the use of Backup and Restore privilege
          Audit: Shut down system immediately if unable to log security audits
          DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL)
          DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL)
          Devices: Allow undock without having to log on
          Devices: Allowed to format and eject removable media
          Devices: Prevent users from installing printer drivers
          Devices: Restrict CD-ROM access to locally logged-on user only
          Devices: Restrict floppy access to locally logged-on user only
          Devices: Unsigned driver installation behavior
          Domain controller: Allow server operators to schedule tasks
          Domain controller: LDAP server signing requirements
          Domain controller: Refuse machine account password changes
          Domain member: Digitally encrypt or sign secure channel data (always)
          Domain member: Digitally encrypt secure channel data (when possible)
          Domain member: Digitally sign secure channel data (when possible)
          Domain member: Disable machine account password changes
          Domain member: Maximum machine account password age
          Domain member: Require strong (Windows 2000 or later) session key
          Interactive logon: Do not display last user name
          Interactive logon: Do not require CTRL+ALT+DEL
          Interactive logon: Message text for users attempting to log on
          Interactive logon: Message title for users attempting to log on
          Interactive logon: Number of previous logons to cache (in case domain controller is not available)
          Interactive logon: Prompt user to change password before expiration
          Interactive logon: Require Domain Controller authentication to unlock workstation
          Interactive logon: Require smart card
          Interactive logon: Smart card removal behavior
          Microsoft network client: Digitally sign communications (always)
          Microsoft network client: Digitally sign communications (if server agrees)
          Microsoft network client: Send unencrypted password to third-party SMB servers
          Microsoft network server: Amount of idle time required before suspending session
          Microsoft network server: Digitally sign communications (always)
          Microsoft network server: Digitally sign communications (if client agrees)
          Microsoft network server: Disconnect clients when logon hours expire
          Network access: Allow anonymous SID/Name translation
          Network access: Do not allow anonymous enumeration of SAM accounts
          Network access: Do not allow anonymous enumeration of SAM accounts and shares
          Network access: Do not allow storage of credentials or .NET Passports for network authentication
          Network access: Let Everyone permissions apply to anonymous users
          Network access: Named Pipes that can be accessed anonymously
          Network access: Remotely accessible registry paths
          Network access: Shares that can be accessed anonymously
          Network access: Sharing and security model for local accounts
          Network security: Do not store LAN Manager hash value on next password change
          Network security: Force logoff when logon hours expire
          Network security: LAN Manager authentication level
          Network security: LDAP client signing requirements
          Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
          Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
          Recovery console: Allow automatic administrative logon
          Recovery console: Allow floppy copy and access to all drives and all folders
          Shutdown: Allow system to be shut down without having to log on
          Shutdown: Clear virtual memory pagefile
          System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
          System objects: Default owner for objects created by members of the Administrators group
          System objects: Require case insensitivity for non-Windows subsystems
          System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
          MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
          MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments)
          MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments)
          MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
          MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)
          MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)
          MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
          MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)
          MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
          MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended)
          MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended)
          MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
          MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)
          MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)
          MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
          MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
          MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
          MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged
          MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
          MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
          (ActiveX Signed Controls) RunInvalidSignatures
          (RPC Endpoint Mapper) EnableAuthEpResolution
          (RPC Endpoint Mapper) Restrict Remote Clients
          (Security Center) AntiVirusDisableNotify
          (Security Center) FirewallDisableNotify
          (Security Center) UpdatesDisableNotify
          (StorageDevicePolicies) WriteProtect
      Event Log
        Settings for Event Logs
          Maximum application log size
          Maximum security log size
          Maximum system log size
          Restrict guest access to application log
          Restrict guest access to security log
          Restrict guest access to system log
          Retain application log
          Retain security log
          Retain system log
          Retention method for application log
          Retention method for security log
          Retention method for system log
      Restricted Groups
      System Services (see the System Services worksheet)
      Registry
      File System
      Public Key Policies
        Encrypted Data Recovery Agents
        Automatic Certificate Request Settings
        Trusted Root Certification Authorities
        Enterprise Trust
      IP Security Policies on Active Directory
        Client (Respond Only)
        Secure Server (Require Security)
        Server (Request Security)
  Administrative Templates
    Windows Components
      NetMeeting
        Disable remote Desktop Sharing
      Internet Explorer
        Internet Control Panel
        Security Zones: Use only machine settings
        Security Zones: Do not allow users to change policies
        Security Zones: Do not allow users to add/delete sites
        Make proxy settings per-machine (rather than per-user)
        Disable Automatic Install of Internet Explorer components
        Disable Periodic Check for Internet Explorer software updates
        Disable software update shell notifications on program launch
        Turn off Crash Detection
        Do not allow users to enable or disable add-ons
        Allow software to run or install even if the signature is invalid
        Allow active content from CDs to run on user machines
        Security Features
        Security Page
        Advanced Page
        Binary Behavior Security Restriction: Internet Explorer Processes, Process List, All Processes, Admin-approved behaviors
        MK Protocol Security Restriction: Internet Explorer Processes, Process List, All Processes
        Local Machine Zone Lockdown Security: Internet Explorer Processes, Process List, All Processes
        Consistent MIME Handling: Internet Explorer Processes, Process List, All Processes
        MIME Sniffing Safety Features: Internet Explorer Processes, Process List, All Processes
        Protection From Zone Elevation: Internet Explorer Processes, Process List, All Processes
        Restrict ActiveX Install: Internet Explorer Processes, Process List, All Processes
        Restrict File Download: Internet Explorer Processes, Process List, All Processes
        Add-on Management: Internet Explorer Processes, Process List, All Processes
        Network Protocol Lockdown: Internet Explorer Processes, Process List, All Processes, Restricted Protocols per Security Zone
      Terminal Services
        Deny log off of an administrator logged in to the console session
        Do not allow local administrators to customize permissions
        Sets rules for remote control of Terminal Services user sessions
        Client/Server data redirection
          Allow Time Zone Redirection
          Do not allow clipboard redirection
          Allow audio redirection
          Do not allow COM port redirection
          Do not allow client printer redirection
          Do not allow LPT port redirection
          Do not allow drive redirection
          Do not set default client printer to be default printer in a session
        Encryption and Security
          Always prompt client for password upon connection
          Set client connection encryption level
          RPC Security Policy
            Secure Server (Require Security)
        Sessions
          Set time limit for disconnected sessions
          Allow reconnection from original client only
      Windows Explorer
        Turn off shell protected mode
      Windows Messenger
        Do not allow Windows Messenger to be run
      Windows Update
        Configure Automatic Updates
        Specify intranet Microsoft update service location
        Reschedule Automatic Updates scheduled installations
        No auto-restart for scheduled Automatic Updates installations
    System
      Display Shutdown Event Tracker
      Specify Windows installation file location
      Specify Windows Service Pack installation file location
      Remove Boot / Shutdown / Logon / Logoff status messages
      Verbose vs normal status messages
      Restrict these programs from being launched from Help
      Turn off Autoplay
      Do not automatically encrypt files moved to encrypted folders
      Download missing COM components
      User Profiles
        Do not check for user ownership of Roaming Profile Folders
        Delete cached copies of roaming profiles
        Do not detect slow network connections
        Slow network connection timeout for user profiles
        Wait for remote user profile
        Prompt user when slow link is detected
        Timeout for dialog boxes
        Log users off when roaming profile fails
        Maximum retries to unload and update user profile
        Add the Administrators security group to roaming user profiles
        Prevent Roaming Profile changes from propagating to the server
        Only allow local user profiles
      Scripts
      Turn off autoplay
      Logon
        Don't display the Getting Started welcome screen at logon
        Do not process the run once list
        Do not process the legacy run list
      Group Policy
        Registry policy processing
        Internet Explorer Maintenance policy processing
        Security policy processing
        IP Security policy processing
      Remote Assistance
        Solicited Remote Assistance
        Offer Remote Assistance
      Error Reporting
        Display Error Notification
        Report Errors
      Distributed COM
        Application Compatibility Settings
          Allow local activation security check exemptions
          Define Activation Security Check exemptions

User Configuration
  Administrative Templates
    Windows Components
      Internet Explorer
        Disable Changing Advanced page settings
        Disable Internet Connection Wizard
        Disable Changing Connection Settings
        Disable Changing Proxy Settings
        Disable Changing Automatic Configuration Se
        Disable Changing Certificate Settings
        Do not allow AutoComplete to save passwords
        Configure Outlook Express
        Internet Control Panel
          Disable the Security Page
          Disable the Advanced Page
        Offline Pages
          Disable adding channels
          Disable removing channels
          Disable adding schedules for offline pages
          Disable editing schedules for offline pages
          Disable removing schedules for offline pages
          Disable offline page hit logging
          Disable all scheduled offline pages
          Disable channel user interface completely
          Disable downloading of site subscription content
          Disable editing and creating of schedule groups
        Browser menus
          Disable Save this program to disk option
        Persistence Behavior
          File size limits for the Local Machine zone
          File size limits for the Intranet zone
          File size limits for the Trusted Sites zone
          File size limits for the Internet zone
          File size limits for the Restricted Sites zone
      Attachment Manager
        Default risk level for file attachments
        Inclusion list for high risk file types
        Inclusion list for moderate risk file types
        Inclusion list for low risk file types
        Trust logic for file attachments
        Do not preserve zone information in file attachments
        Hide mechanisms to remove zone information
        Notify antivirus programs when opening attachments
      Windows Explorer
        Remove Security tab
        Remove CD Burning features
    Control Panel
      Display
        Hide Screen Saver tab
        Screen Saver
        Screen Saver executable name
        Password protect the screen saver
        Screen Saver timeout
    System
      Prevent access to registry editing tools
      Power Management
        Prompt for password on resume from hibernate / suspend

Default Domain Policy

Stand-Alone Windows XP Default Settings

Domain Member Windows XP Effective Default Settings

24 passwords remembered 42 days 1 days 7 characters Enabled Disabled Not defined 0 invalid login attempts Not defined Enabled 600 minutes 10 hours 7 days 5 minutes

0 passwords remembered 42 days 0 days 0 characters Disabled Disabled Not applicable 0 invalid login attempts Not applicable Not applicable Not applicable Not applicable Not applicable Not applicable

24 passwords remembered 42 days 1 days 7 characters Enabled Disabled Not defined 0 invalid login attempts Not defined Not applicable Not applicable Not applicable Not applicable Not applicable

Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined

No auditing No auditing No auditing No auditing No auditing No auditing No auditing No auditing No auditing Everyone, Administrators, Users, Power Users, Backup Operators Not defined Not defined LOCAL SERVICE, NETWORK SERVICE, Administrators

No auditing No auditing No auditing No auditing No auditing No auditing No auditing No auditing No auditing Backup Operators, Power Users, Users, Administrators, Everyone Not defined Not defined LOCAL SERVICE, NETWORK SERVICE, Administrators

Not defined Not defined Not defined

Not defined Not defined Not defined

Not defined Not defined Not defined Not defined Not defined

Administrators, Remote Desktop Users Administrators, Backup Operators Everyone, Administrators, Users, Power Users, Backup Operators Administrators, Power Users Administrators Not defined Not Applicable Not defined

Administrators, Remote Desktop Users Administrators, Backup Operators Everyone, Administrators, Users, Power Users, Backup Operators Administrators, Power Users Administrators Not defined Not Applicable Not defined

Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined

Administrators Support_xxxxxxxx, Guest Not defined Not defined Support_xxxxxxxx, Guest Not defined Not defined Administrators LOCAL SERVICE, NETWORK SERVICE Administrators Administrators Not defined Support_xxxxxxxx NETWORK SERVICE Administrators, Users, Power Users, Backup Operators Administrators Administrators Administrators Administrators, Power Users

Administrators Support_xxxxxxxx, Guest Not defined Not defined Support_xxxxxxxx, Guest Not defined Not defined Administrators LOCAL SERVICE, NETWORK SERVICE Administrators Administrators Not defined Support_xxxxxxxx NETWORK SERVICE Administrators, Users, Power Users, Backup Operators Administrators Administrators Administrators Administrators, Power Users

Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined

Administrators Administrators Administrators, Power Users Administrators, Power Users LOCAL SERVICE, NETWORK SERVICE Administrators, Backup Operators LOCAL SERVICE, NETWORK SERVICE Administrators, Backup Operators

Not defined

Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined

Administrators, Power Users, Backup Operators, Users Not defined Administrators Enabled Disabled Enabled Administrator Guest Disabled Disabled Disabled Not defined Not defined Enabled Administrators Disabled Disabled Disabled Warn but allow installation Not defined Not defined Not defined Enabled Enabled

Administrators, Power Users, Backup Operators, Users Not defined Administrators Enabled Disabled Enabled Administrator Guest Disabled Disabled Disabled Not defined Not defined Enabled Administrators Disabled Disabled Disabled Warn but allow installation Not defined Not defined Not defined Enabled Enabled

Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined

Enabled Disabled 30 days Disabled Disabled Not defined Not defined Not defined 10 logons 14 days Disabled Not defined No Action Disabled Enabled Disabled 15 minutes Disabled Disabled Enabled Disabled Enabled Disabled Disabled

Enabled Disabled 30 days Disabled Disabled Not defined Not defined Not defined 10 logons 14 days Disabled Not defined No Action Disabled Enabled Disabled 15 minutes Disabled Disabled Enabled Disabled Enabled Disabled Disabled

Not defined Not defined

Disabled COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, TrkSvr System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib, System\CurrentControlSet\Services\SysmonLog

Disabled COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, TrkSvr System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib, System\CurrentControlSet\Services\SysmonLog

Not defined

Not defined Not defined Not defined Disabled Not defined Not defined Not defined Not defined

COMCFG,DFS$ Guest only - local users authenticate as Guest Disabled Disabled

COMCFG,DFS$ Classic - local users authenticate as themselves Disabled Disabled

Send LM & NTLM responses Send LM & NTLM responses Negotiate signing Negotiate signing No minimum No minimum No minimum No minimum

Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined

Disabled Disabled Enabled Disabled Disabled Object creator Enabled Enabled Disabled Enabled Enabled Medium, source routed packets are ignored when IP forwarding is enabled Disabled Enabled Enabled Disabled 7200000 Enabled Disabled Enabled Disabled 2 (enable only if DHCP sends the Perform Router Discovery option) Disabled

Disabled Disabled Enabled Disabled Disabled Object creator Enabled Enabled Disabled Enabled Enabled Medium, source routed packets are ignored when IP forwarding is enabled Disabled Enabled Enabled Disabled 7200000 Enabled Disabled Enabled Disabled 2 (enable only if DHCP sends the Perform Router Discovery option) Disabled

Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined

Not defined

Not defined Not defined Not defined

5 Disabled 2 (3 & 6 seconds, half-open connections dropped after 21 seconds) 5 0 (not configured) Disabled Disabled 1 0 0 0 0

5 Disabled 2 (3 & 6 seconds, half-open connections dropped after 21 seconds) 5 0 (not configured) Disabled Disabled 1 0 0 0 0

Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined

Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined Not defined

512 KB 512 KB 512 KB Enabled Enabled Enabled 7 days 7 days 7 days Overwrite events as needed

512 KB 512 KB 512 KB Enabled Enabled Enabled 7 days 7 days 7 days Overwrite events as needed

Overwrite events as needed Overwrite events as needed Overwrite events as needed Overwrite events as needed

Not configured

Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured

Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured

Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured

Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured

Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured

Not configured Not configured

Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured Not configured

Not configured Not configured Not configured Not configured Not configured

Not configured Not configured

Full Service Name

Service Name

Alerter Application Layer Gateway Service Application Management Automatic Updates Background Intelligent Transfer Service ClipBook COM+ Event System COM+ System Application Computer Browser Cryptographic Services DCOM Server Process Launcher DHCP Client Distributed Link Tracking Client Distributed Transaction Coordinator DNS Client Error Reporting Service Event Log Fast User Switching Compatibility Help and Support Human Interface Device Access IMAPI CD-Burning COM Service Indexing Service Infrared Monitor Internet Connection Sharing IPSec Services Logical Disk Manager

Alerter ALG AppMgmt wuauserv BITS

Domain Member Windows XP Startup Type Manual Manual Manual Automatic Manual

Stand-Alone Windows XP Startup Type Manual Manual Manual Automatic Manual

ClipSrv EventSystem COMSysApp Browser CryptSvc DcomLaunch Dhcp TrkWks MSDTC

Manual Manual Manual Automatic Automatic Automatic Automatic Automatic Manual

Manual Manual Manual Automatic Automatic Automatic Automatic Automatic Manual

Dnscache ERSvc Eventlog FastUserSwitchingCompatibility helpsvc HidServ ImapiService cisvc Irmon

Automatic Automatic Automatic Manual Automatic Disabled Manual Manual Not installed

Automatic Automatic Automatic Manual Automatic Disabled Manual Manual Not installed Automatic Automatic Manual

PolicyAgent dmserver

Automatic Automatic Manual

Logical Disk Manager Administrative Service dmadmin

Machine Debug Manager Message Queuing Message Queuing Down Level Clients Message Queuing Triggers Messenger Microsoft Software Shadow Copy Provider Netlogon NetMeeting Remote Desktop Sharing Network Connections Network DDE Network DDE DSDM Network Location Awareness (NLA) Network Provisioning Service NTLM Security Support Provider Performance Logs and Alerts Plug and Play Portable Media Serial Number Print Spooler Protected Storage QoS RSVP Remote Access Auto Connection Manager

MDM msmq mqds Mqtgsvc Messenger SwPrv

Not installed Not installed Not installed Not installed Automatic Manual

Not installed Not installed Not installed Not installed Automatic Manual

Netlogon mnmsrvc Netman NetDDE NetDDEdsdm NLA xmlprov NtLmSsp SysmonLog PlugPlay WmdmPmSN Spooler ProtectedStorage RSVP RasAuto

Automatic Manual Manual Manual Manual Manual Manual Manual Manual Automatic Automatic Automatic Automatic Manual Manual

Manual Manual Manual Manual Manual Manual Manual Manual Manual Automatic Automatic Automatic Automatic Manual Manual

Remote Access Connection Manager Remote Desktop Help Session Manager Remote Procedure Call (RPC) Remote Procedure Call (RPC) Locator Remote Registry Service Removable Storage Routing and Remote Access Secondary Logon

RasMan RDSessMgr RpcSs RpcLocator RemoteRegistry NtmsSvc RemoteAccess seclogon

Manual Manual

Manual Manual

Automatic Manual Automatic Manual Disabled Automatic

Automatic Manual Automatic Manual Disabled Automatic

Security Accounts Manager Security Center Server Shell Hardware Detection Smart Card SSDP Discovery Service System Event Notification System Restore Service Task Scheduler TCP/IP NetBIOS Helper Service Telephony Telnet Terminal Services Themes Uninterruptible Power Supply Upload Manager Universal Plug and Play Device Host Volume Shadow Copy

SamSs wscsvc lanmanserver ShellHWDetection SCardSvr SSDPSRV SENS sr Schedule LMHosts TapiSrv TlntSvr TermService Themes UPS Uploadmgr upnphost VSS

Automatic Automatic Automatic Automatic Automatic Manual Automatic Automatic Automatic Automatic Manual Disabled Manual Automatic Manual Manual Manual Manual Automatic Automatic Manual

Automatic Automatic Automatic Automatic Automatic Manual Automatic Automatic Automatic Automatic Manual Disabled Manual Automatic Manual Manual Manual Manual Automatic Automatic Automatic

WebClient Windows Audio Windows Firewall (WF)/Internet Connection Sharing (ICS) Windows Image Acquisition (WIA) Windows Installer Windows Management Instrumentation Windows Management Instrumentation Driver Extensions Windows Time Wireless Zero Configuration WMI Performance Adapter Workstation

WebClient AudioSrv SharedAccess StiSvc MSIServer winmgmt

Manual Manual Automatic

Manual Manual Automatic

Wmi

Automatic

Manual

W32Time WZCSVC WmiApSrv lanmanworkstation

Automatic Automatic Manual Automatic

Automatic Automatic Manual Automatic

Logon As

Local Service Local Service Local System Local System Network Service

Local System Local System Local System Local System Local System Local System Network Service Local System Network Service

Network Service Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System Local System

Local System Local System

Local System Local System Local System Local System Local System Local System Local System Local System Network Service Local System Local System Local System Local System Local System Local System

Local System Local System

Local System Network Service Local Service Local System Local System Local System

Local System Local System Local System Local System Local Service Local Service Local System Local System Local System Local Service Local System Local System Local System Local System Local Service Local System Local System Local System Local Service Local System Local System

Local Service Local System Local System

Local System

Local System Local System Local System Local System
