Windows 10
This spreadsheet lists the policy settings for computer and user configurations that are included in the Administrative template files (.admx an
Windows 10, version 1803. The policy settings included in this spreadsheet also cover Windows Server 2016, Windows 10, Windows Server
Windows 8.1, Windows 8, Windows 7, Windows Vista with SP1, Windows XP Professional with SP2 or earlier service packs, and Microsoft W
These files are used to expose policy settings when you use the Group Policy Management Console (GPMC) to edit Group Policy Objects (G
You can use the filtering capabilities that are included in this spreadsheet to view a specific subset of data, based on one value or a combinat
in one or more of the columns. In addition, you can click Custom in the drop-down list of any of the column headings to add additional filtering
To view a specific subset of data, click the drop-down arrow in the column heading of cells that contain the value or combination of values on
and then click the desired value in the drop-down list. For example, to view policy settings that are available for Windows Server 2012 or Wind
Administrative Template worksheet, click the drop-down arrow next to Supported On, and then click At least Microsoft Windows Server
Legal Notice
This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change withou
Some examples depicted herein are provided for illustration only and are fictitious.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your inte
Active Directory, Hyper-V, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, Windows Server,
and Windows Vista are trademarks of the Microsoft group of companies.
Default: None.
Deny log on locally
This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting
Important
If you apply this security policy to the Everyone group, no one will be able to log on locally.
Default: None.

Deny log on through Remote Desktop Services
This security setting determines which users and groups are prohibited from logging on as a Remote Desktop Services client.
Important
Default: None.

Enable computer and user accounts to be trusted for delegation
This security setting determines which users can set the Trusted for Delegation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on

Force shutdown from a remote system
This security setting determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a

Generate security audits
This security setting determines which accounts can be used by a process to add entries in the security log. The security log is used to trace unauthorized syste
This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.
Default: Local Service, Network Service.

Impersonate a client after authentication
Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation pr
This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.
This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2.
Caution
Assigning this user right can be a security risk. Only assign this user right to trusted users.
Default: Local Service, Network Service.

Caution
Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that im
Default: Administrators on domain controllers.

On workstations and servers: Administrators.
On domain controllers: Administrators, Server Operators.

Increase a process working set
This privilege determines which user accounts can increase or decrease the size of a process’s working set.
The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an
Default: Users.

Increase scheduling priority
This security setting determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to
Default: Administrators.

Load and unload device drivers
This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug an
Default: Administrators.

Lock pages in memory
This security setting determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual m
Caution
Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
Default: None.

Log on as a batch job
This security setting allows a user to be logged on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows.

Log on as a service

Log on locally
Warning:
Increasing the working set size for a process decreases the amount of physical memory available to the rest of the system.

For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user.
Default on workstations and servers: Administrators.
Default on domain controllers: Administrators, Backup Operators, Print Operators.

This security setting allows a security principal to log on as a service. Services can be configured to run under the Local System, Local Service, or Network Serv
Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Mod
Default setting: None.

Determines which users can log on to the computer.

Manage auditing and security log
This security setting determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and regis
Important
Default: Administrators

In addition, a user can also impersonate an access token if any of the following conditions exist.

Modify an object label

Modify firmware environment values
This security setting does not allow a user to enable file and object access auditing in general. For such auditing to be enabled, the Audit object access setting in
You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.

This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processe
Modifying this security setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (htt
Default: None

This security setting determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non
On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, w
On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default
Default: Administrators.

The access token that is being impersonated is for this user.
This user, in this logon session, created the access token by logging on to the network with explicit credentials.
The requested level is less than Impersonate, such as Anonymous or Identify.
• Because of these factors, users do not usually need this user right.

Perform volume maintenance tasks
This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation.

Profile single process

On workstations and servers: Administrators, Backup Operators, Power Users, Users, and Guest.
Profile system performance
This security setting determines which users can use performance monitoring tools to monitor the performance of system processes.
Default: Administrators

This security setting determines which users can use performance monitoring tools to monitor the performance of nonsystem processes.
Default: Administrators, Power users.

On domain controllers: Account Operators, Administrators, Backup Operators, and Print Operators.

• On all computers, this user right is required to install or upgrade Windows.
Note:
Warning
This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced

Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extende

For more information, search for "SeImpersonatePrivilege" in the Microsoft Platform SDK.

Remove computer from docking station
This security setting determines whether a user can undock a portable computer from its docking station without logging on.
If this policy is enabled, the user must log on before removing the portable computer from its docking station. If this policy is disabled, the user may remove the p
Default: Administrators, Power Users, Users.

Replace a process level token
This security setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start
Default: Network Service, Local Service.

If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
Default: Administrators.

Restore files and directories
This security setting determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and dire
Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:
Traverse Folder/Execute File
Write

Shut down the system
This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Mis
Default on Workstations: Administrators, Backup Operators, Users.
Default on Servers: Administrators, Backup Operators.
Default on Domain controllers: Administrators, Backup Operators, Server Operators, Print Operators.

Synchronize directory service data
This security setting determines which users and groups have the authority to synchronize all directory service data. This is also known as Active Directory sync
Default: None.

Take ownership of files or other objects
This security setting determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, print
Caution

Accounts: Administrator account status
This security setting determines whether the local Administrator account is enabled or disabled.
Caution

Accounts: Block Microsoft accounts
Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users.
Default: Administrators.

Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, o
Notes
Default: Workstations and servers: Administrators, Backup Operators.

This policy setting prevents users from adding new Microsoft accounts on this computer.
If you select the “Users can’t add Microsoft accounts” option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a
If you select the “Users can’t add or log on with Microsoft accounts” option, existing Microsoft account users will not be able to log on to Windows. Selecting this
Default: Disabled.

Accounts: Guest account status
This security setting determines if the Guest account is enabled or disabled.

If you try to reenable the Administrator account after it has been disabled, if the current Administrator password does not meet the password requirements,
Disabling the Administrator account can become a maintenance issue under certain circumstances.

Accounts: Limit local account use of blank passwords to console logon only
This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer c

Accounts: Rename administrator account
Domain controllers: Administrators, Backup Operators, Server Operators.

Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administr

Note: If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.

If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logon
Default: Disabled.

Default: Enabled.
Warning:
Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physica

This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the we
Default: Administrator.

Accounts: Rename guest account
This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-kno
Default: Guest.

Audit: Audit the access of global system objects
This security setting determines whether to audit the access of global system objects.
If this policy is enabled, it causes system objects, such as mutexes, events, semaphores and DOS devices, to be created with a default system access control lis

Audit: Audit the use of Backup and Restore privilege
This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect. Ena

Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.

If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services.
Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at th
If the category level audit policy set here is not consistent with the events that are currently being generated, the cause might be that this registry key is set.
Enabling this setting c
Notes

If you disable this policy, then use of the Backup or Restore privilege is not audited even when Audit privilege use is enabled.
Note: When configuring this security setting, changes will not take effect until you restart Windows.
Default: Disabled.

Default: Disabled.

Audit: Shut down system immediately if unable to log security audits
This security setting determines whether the system shuts down if it is unable to log security events.
If this security setting is enabled, it causes the system to stop if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the
If the security log is full and an existing entry cannot be overwritten, and this option is enabled, the following Stop error appears:
Note: On versions of Windows prior to Windows Vista configuring this security setting, changes will not take effect until you restart Windows.
Default: Disabled.

DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
This policy setting determines which users or groups can access DCOM application remotely or locally. This setting is used to control the attack surface of the
You can use this policy setting to specify access permissions to all the computers of particular users for DCOM applications in the enterprise. When specify

DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
This policy setting determines which users or groups can launch or activate DCOM applications remotely or locally. This setting is used to control the attack surf

This setting does not affect logons that use domain accounts.
It is possible for applications that use remote interactive logons to bypass this security setting.

Note: Remote Desktop Services was called Terminal Services in previous versions Windows Server.

Devices: Allow undock without having to log on
This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an exa
Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject butto
Note: On Windows versions prior to Windows Vista configuring this setting, changes will not take effect until you restart Windows.
Default: Enabled.

STOP: C0000244 {Audit Failed}
An attempt to generate a security audit failed.
To recover, an administrator must log on, archive the log (optional), clear the log, and reset this option as desired. Until this security setting is reset, no users, oth

The registry settings that are created as a result of enabling the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
The possible values for this policy setting are:
• Blank. This represents the local security policy way of deleting the policy enforcement key. This value deletes the policy and then sets it as Not defined state. T
• SDDL. This is the Security Descriptor Definition Language representation of the groups and privileges you specify when you enable this policy.

You can use this setting to grant access to all the computers to the users of DCOM applications. When you define this setting, and specify users or groups that
The registry settings that are created as a result of this policy take precedence over the previous registry settings in this area. Remote Procedure Call Services (
The possible values for this Group Policy setting are:
• Blank. This represents the local security policy way of deleting the policy enforcement key. This value deletes the policy and then sets it to Not defined state. T

Devices: Allowed to format and eject removable media
This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to:
Administrators
Administrators and Interactive Users
Default: Administrators

Devices: Prevent users from installing printer drivers when connecting to shared printers
For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allow
Caution
Default on servers: Enabled.
Default on workstations: Disabled.

Devices: Restrict CD-ROM access to locally logged-on user only
This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously.

Devices: Restrict floppy access to locally logged-on user only

Domain controller: Allow server operators to schedule tasks
Default: Disabled.
This policy is not defined and only Administrators have this ability.
If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on inte
Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user.

This security setting determines whether removable floppy media are accessible to both local and remote users simultaneously.
If this policy is enabled, it allows only the interactively logged-on user to access removable floppy media. If this policy is enabled and no one is logged on interac
Default: This policy is not defined and floppy drive access is not restricted to the locally logged-on user.

• SDDL. This is the Security Descriptor Definition Language representation of the groups and privileges you specify when you enable this policy.
• Not Defined. This is the default value.

• Not Defined. This is the default value.

This security setting determines if Server Operators are allowed to submit jobs by means of the AT schedule facility.
Note:
This security setting only affects the AT schedule facility; it does not affect the Task Scheduler facility.
Default: This policy is not defined, which means that the system treats it as disabled.

Note
This setting does not affect the ability to add a local printer.
This setting does not affect Administrators.

Notes
If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in Windows, the administrator can use the DCOM: M
If the administrator is denied access to activate and launch DCOM applications due to the changes made to DCOM in this version of Windows, this policy setting
Domain controller: LDAP server signing requirements
This security setting determines whether the LDAP server requires signing to be negotiated with LDAP clients, as follows:
None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.
Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.
Default: This policy is not defined, which has the same effect as None.

Domain controller: Refuse machine account password changes
This security setting determines whether domain controllers will refuse requests from member computers to change computer account passwords. By default, m
If it is enabled, this setting does not allow a domain controller to accept any changes to a computer account's password.
Default: This policy is not defined, which means that the system treats it as Disabled.

Domain member: Digitally encrypt or sign secure channel data (always)
This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.

Domain member: Digitally encrypt secure channel data (when possible)
This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure c

Domain member: Digitally sign secure channel data (when possible)
This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.
When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure c
This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determine

Domain member: Disable machine account password changes
Caution
Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to c
When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure c

If you set the server to Require Signature, you must also set the client. Not setting the client results in loss of connection with the server.

This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain m

Domain member: Maximum machine account password age
Domain member: Digitally encrypt data (when possible)
This security setting determines how often a domain member will attempt to change its computer account password.
Default: 30 days.

Domain member: Digitally sign secure channel data (when possible)
This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain mem
Default: Enabled.

Domain member: Require strong (Windows 2000 or later) session key
This security setting determines whether 128-bit key strength is required for encrypted secure channel data.
Notes
Default: Disabled.

Notes
This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL. No Microsoft LDAP clients that are shipped with Windows XP Pro
Important
If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected. No Microsoft LDAP clients running Windows XP Profess
Default: Enabled.

Notes:
This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain
There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting
This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that a
When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure c
Default: Enabled.

Interactive Logon: Display user information when session is locked

Interactive logon: Do not require CTRL+ALT+DEL
This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.

Interactive logon: Don't display last signed in
This policy setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible

Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters:
If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting
Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controlle

If the policy Domain member: Digitally encrypt or sign secure channel data (always) is enabled, then this policy is assumed to be enabled regardless of its curren
If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting
Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in t
Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or

Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Some or all of the information that is transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is
If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed. If this setting is disabled, then the key stren

If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows (unless they are using a smart card for Windows logon).
Default on domain-computers: Disabled.

Interactive logon: Machine account lockout threshold.
This security setting determines the number of failed logon attempts that causes the machine to be locked out. A locked out machine can only be recovered by p
The machine lockout policy is enforced only on those machines that have Bitlocker enabled for protecting OS volumes. Please ensure that appropriate recovery

Interactive logon: Machine inactivity limit.

Interactive logon: Message text for users attempting to log on
Default on stand-alone computers: Enabled.

Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
Default: not enforced.

Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password protected screen save
The machine lockout policy is enforced only on those machines that have Bitlocker enabled for protecting OS volumes. Please ensure that the appropriate recov
Default: Disabled.

This security setting specifies a text message that is displayed to users when they log on.
This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions m
Default: No message.

Interactive logon: Message title for users attempting to log on
This security setting allows specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting
Default: No message.

Interactive logon: Number of previous logons to cache (in case domain controller is not available)
All previous users' logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they are abl

Important
In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windo
In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000

Interactive logon: Prompt user to change password before expiration
If a domain controller is unavailable and a user's logon information is not cached, the user is prompted with this message:
The system cannot log you on now because the domain <DOMAIN_NAME> is not available.
Important
In this policy setting, a value of 0 disables logon caching. Any value above 50 only caches 50 logon attempts.
This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
Default: 25

Determines how far in advance (in days) users are warned that their password is about to expire. With this advance warning, the user has time to construct a pa
Default: 14 days.

Interactive logon: Require Domain Controller authentication to unlock
Logon information must be provided to unlock a locked computer. For domain accounts, this security setting determines whether a domain controller must be co
Windows cannot connect to a server to confirm your logon settings. You have been logged on using previously stored account information. If you changed your a
Default: Disabled.

Interactive logon: Require smart card
This security setting requires users to log on to a computer using a smart card.
The options are:
Enabled: Users can only log on to the computer using a smart card.
Disabled: Users can log on to the computer using any method.
Default: Disabled.

Interactive logon: Smart card removal behavior
This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
The options are:
• No Action
• Lock Workstation

Microsoft network client: Digitally sign communications (always)
This security setting determines whether packet signing is required by the SMB client component.
The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Window

Microsoft network client: Digitally sign communications (if server agrees)
This security setting determines whether the SMB client attempts to negotiate SMB packet signing.

Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft
If thisserverWorkstation
network
security server:
setting block Amount
is enabled, of
the idle time
Serverprovides required
Message before
Block suspending
(SMB) redirector a session
isand
allowed to send and plaintext
The
If this setting message (SMB) protocol the
is enabled, the Microsoft network client will not communicate with a Microsoft basis for Microsoft file print sharing
network server manypasswords
other
unlessnetworking
to non-Microsoft SMB
that serveroperations,
agrees to perform such servers
asSMB
remotethat do not s
Window
packet sign
ò Force
Important Logoff
Microsoft
ò Disconnect
This security networksetting server:
if a Remote determinesAttempt
Desktop the S4U2Self
Services
amount to obtain
session
ofrisk. claim information
continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended d
Sending
If this settingunencrypted passwords is a security
is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled o
Default: Disabled.
This setting
Microsoft will apply
network server: to any computers
Digitally running Windows(always)
sign communications 2000 through changes in the registry, but the security setting is not viewable through the Security Con
This
If you security
click
Administrators Locksetting
can is to
Workstation
use thissupport in the
policy clients
toProperties
control running a aversion
dialog
when box for
computer ofthis
Windowspolicy,prior
suspends the to Windows
an workstation
inactive SMB is8session.
Consumer
locked when Preview
If clienttheactivity
smart thatcard
are is
resumes,trying to access
removed,
the allowing
session aisfile sharetothat
users
automatically leaverequires
the ar
reestabl
Default:
Default: Disabled.
Enabled.
Important
Microsoft
This security networksetting server:
determinesDigitally sign
whether communications
packet signing (if client
is required agrees)
bycanthe SMB server component.
This
If you
For setting
click
this policy should
Force setting, be
Logoff set
a into
valuethe automatic
Properties
of 0 means (default)
dialog so
box
to disconnect that
for thean file
this server
policy,
idle the
session asautomatically
user is automatically
quickly evaluate
as is reasonably logged whether
off when
possible. claims
the are
Thesmart needed
maximum card is for the
is user.
removed.
value 99999, Anwhich
administrator
is 208 days; would in
Notes
For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, se
Microsoft
This security networksetting server:
determinesDisconnect whether clients
the when
SMB logon
server hours
will expire
negotiate SMB packet signing with clients that request it.
The server
Computers message
that have block
this (SMB)
policy set protocol
willcause
not provides
be able tothe basis
communicate for Microsoft
with file
computers and print
that sharing and many other networking operations, such as remote Window
When
If enabled
you click
Default:This this
Disconnect
policy security
is setting
if adefined,
not Remote will
Desktop
which means the
Services Windows
that thesession,
system file removal
server
treats to
it of
asexamine
the
15 smart thecard
minutes fordo
access not
disconnects
servers have
token andofserver-side
an
the sessionpacket
authenticated
undefined without
for signing
network
logging
workstations. enabled.
client
the user By
principaloff.default,
This server-side
and allows
determine if c
the use
All Windows
Server-side
Microsoft operating
packet
network systems
signing
server: can be
Server support
SPNenabled both
target onacomputers
nameclient-side
validation SMB
running component
level Windows and
2000a to server-side
and later SMB
bycomputer
setting component.
Microsoft To take server:
network advantage of SMB
Digitally sign packet signing, both
communications (if t
This
The security
server
Microsoft networksetting
message determines
client:block (SMB)
Digitally whether
protocol
sign to disconnect
provides
communications the users
basis
(always) who
for are
Microsoftconnected
-toControls file
whetherand the
print local
sharing
or not the and
client-sidemanyoutside
SMB other their user
networking
component account's
operations,
requires valid
packet logon
such ashours.
signing. remote This setting
Window
If
If this
this setting
Server-side
setting is
packet
is enabled,
signing
disabled, the
the canMicrosoft
be
Windows enablednetwork
file on
server server
computers
will
Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. will
not not
running
attempt communicate
Windows
obtain a with
NT a
4.0 Microsoft
Service
claim-enabled network
Pack
access 3 andclient
token later
forunless
by
the that
setting
client client
the agrees
following
principal. to perform
registry SMB
value to packet
1: signi
Microsoft
Network
The server network
access:
message client:
Allow Digitally
anonymous
block (SMB) sign communications
SID/name
protocol translation
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
provides the(if server
basis agrees) - Controls whether or not the client-side SMB component hasaspacket signing enabled.
When
If thisnetwork
this setting
Microsoft policy isserver:
is enabled, enabled, the it causes
Microsoft
Digitally signclient
network sessions
server with
communications the for
will(always) SMB
negotiate
fileService
and printer
SMB packet
- Controls to besharing
whether forcibly
signingor not
and
as
many
disconnected
requested
the
other
server-side by
networking
whentheSMB client.
operations,
thecomponent
client's
That logon
such
hours
is, ifrequires
packet expire.
signing
packet
remote Windows
has been enabled o
signing.
admin
Default:
Default: Automatic.
This policy is not defined, which means that the system treats it as No action.
Network
Microsoft
This access:
security
Server-side networksetting
packet Do not
server: allow
determines
signing Digitally
cannotanonymous
if sign
an anonymous enumeration
communications user of
can(if SAM
client
request accounts
agrees)
security - Controls
identifier whether
(SID) or not
attributes theforserver-side
another SMB
user. component has packet signing enabled.
This
thissecurity
If server-side
policy issetting
disabled, determines
an is thebelevel
established enabled on computers
of validation SMBrunning
a allowed Windows
serverbeperforms 95the
on or Windows
service 98. logon
principal name (SPN) provided
expired. by the SMB client when trying to es
Default:
If
Disabled Enabled SMB
for member onsigning
domain
servers. required, aclient
controllers clientsession
only. will not is be able to to establishmaintained
a session afterwiththethatclient's
server unless hours have
it has client-side SMB signing enabled. By default, cl
On
This Windows
Network access:
security Vista
settingDo andnot above:
allow
determines For
anonymous
what thisadditional
setting topermissions
work, the
enumeration of Smart
SAM will Card
accounts
be Removal
granted and for Policy service
shares
anonymous must be started.
connections to the computer.
Similarly,
Enabled
If thisoptions
Notes
The policy if client-side
for domain
is enabled,
are: SMB
controllers.
a user signing is required,of
with knowledge that
anclient will not beSID
administrator's ablecouldto establish
contactaasession computer withthatservers
has this that do not
policy have packet
enabled and use signing
the SID enabled.
to get the By default
adminis
Default
Important on Windows
If server-side SMB signing Vista: Enabled.
is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled.
Network
Default
This onaccess:
security Windows
settingDo determines
not allow
XP: Disabled storage
whether of credentials
anonymous orenumeration
.NET Passports of SAM for accounts
network authentication
and shares is allowed.
Windows
Using onallows
SMB packet anonymous
signing users to servers:
perform certain activities, such asonenumerating the names of component.
domain accounts andadvantage
network shares.of SMBThis is convenient, fort
Notes
Default
All Windows
No validation workstations
operating
- validation andofcan
systems member
the degrade
support
SPN performance
will both
not be aDisabled.
client-side
performed up toSMB
by15the percent
component
SMB server. fileandservice transactions.
a server-side SMB To take packet signing, both
For
Default
NetworkWindows
Microsoft on domain
access:
network 2000 Let servers
controllers:
Everyone
client: to negotiate
Digitally Enabled.
permissions
sign signing
apply
communications withto Windows
anonymous
(always) NT-users
4.0 clients,
Controls the following
whether or not registry
the value SMB
client-side must component
be set to 1 on the server
requires packet running
signing. Windows 2000: H
This
Windows security allows setting determines
anonymous users whether Stored
to restrictions
perform User Names and Passwords saves passwords, credentials, or .NET Passports for later use when it gains doma
This
All security
Windows
Microsoft
Validate ifnetwork
option
operating
provided
allows
client: systems
by client
additional
Digitally
- the support
sign both acertain
SMBcommunications
server will
to beactivities,
client-side
validate
placedSMB
(if server
the SPN
such
oncomponent
agrees)
as enumerating
anonymous
provided and connections
by athe
- Controls
the names
server-side
whether
SMB client
asor of component.
follows:
SMBnot
andthe
domain accounts
client-side
allow a session ToSMBtakeandadvantage
to be
network shares.
component
established of SMB
has if packet
This
packet
it matches
is convenient,
signing,
signing
the SMB
fort
both
enabled.serve
Notes
Network
Microsoft
This access:
security networksettingNamed
client: pipes
Digitally
determines
server: Digitally thatsign
what can
sign be accessed
communications
additional
communications anonymously
permissions (always)
(always) are - Controls
granted
- Controls for whether
anonymous
whether oror not
not the client-side
connections
the server-sideto SMB
the component
computer.
SMB component requires
requires packet
packet signing.
signing.
If it is enabled,
Default: Disabled. this setting prevents the Stored User Names and Passwords from storing passwords and credentials.
Enabled:
Microsoft Do not allow
network client: enumeration of communications
SAM accounts. This optionagrees)
replaces Everyonewhether with Authenticated Users in SMB the security permissions for resources.
Require
Network match
access: from clientDigitally
server:
Remotely
Digitally
- accessible
the SMB sign
sign communications
client
registryMUST pathssend (if server
a(ifSPN
client name in session - Controls setup, and the or SPN
not the nameclient-side
server-side
providedSMB MUST component
component
match the has
hasSMBpacket
packet
serversigning
that enabled.
signing isenabled.
being re
All
This Windows
Disabled:
Windows security
Microsoft
If server-side No
allowsoperating
network additional
setting
SMB server:
anonymous
signingsystems
restrictions.
determinesDigitally
users
issecuritysupport
which
required, toRely
sign a both acertain
on default
communication client-side
communications
perform
client will permissions.
not be SMBtocomponent
sessions
(always)
activities,
able (pipes) as will
- effect
such Controls
establish aand
have
whether
enumerating a attributes
session server-side
or
the
with not and
the
names
that SMB of component.
permissions
server-side
server, unlessSMB
domain that To
accounts
it has take
allow
component
and advantage
anonymous
client-side requires
network of
SMBshares. SMBThis
access.
packet
signing packet
signing.signing,
is convenient,
enabled. both
By default, forct
Note:
Microsoft When configuring
network client: this
Digitally sign setting, changes
communications will not
(always) take - Controls until you
whether restart
or not Windows.
the client-side SMB component requires packet signing.
Microsoft
If server-side
Default:
For more No network SMB
validation
information server:
signing
about Digitally
is enabled,
Stored sign
User communications
SMB Names packet and signing (if client
Passwords, will beagrees)
negotiated
see Stored - Controls
with
User whether
clients
Names that
and orhave
not the server-side
client-side
Passwords. SMB SMB
signing component
enabled. has packet signing enabled.
Network
This access:
security settingRemotely
determines accessiblewhich registry
registry paths
keys and
can subpaths
(ifbe accessed over the network,
Microsoft
Default
Default:
If this
Using on
server-side
policy
SMB network
None.workstations:
isSMB client:
enabled,
packet signing Digitally
Enabled.
the isEveryone
can sign SID
required,
impose communications
a
upclient
is a will
to added not be
to the
15 percent server
able
token agrees)
tothat
performance establish hit- a
is created Controls
on session
forservice
file withregardless
whether
anonymous thatorserver
not theofunless
connections.
transactions.
the users
client-sideit has
In
or client-side
thisSMB
groups listed
case,component SMB
anonymous
in the
has access
signing packet
users
controlBylist
aresigning
enabled. (ACL) cl
able to enabled.
default,
access
o
an
Microsoft
Default
Similarly,
Network on network
if
access: server:
server:Disabled.
client-side
Restrict SMB Digitally
signing
anonymous sign
is communications
required,
access to that
Named client (always)
will
Pipes not
and -beControls
able
Shares to whether
establish ora not
sessionthe server-side
with servers SMB that component
do not have requires
packet packet signing.
signing enabled. By default
All Windows
Default:
This
Default: Disabled.
security operating
setting systems support
determines which both a paths
registry client-side SMB component
and(ifsubpaths and a server-side
can be- Controls
accessed over theorSMB network, component.
regardless This of setting affects
the component
users the server
or groups listedSMBin thebehavior,
access con and
Microsoft
If server-side
Default: network
Disabled. SMBserver:signingDigitally
is enabled, signSMB communications
packet signing client
will beagrees)
negotiated whether
with clients that have not the server-side
client-side SMBSMB signing enabled.has packet signing enabled.
If server-side
Important
Network
Using SMB access: SMB
packet signing
Shares
signing thatis
can required,
can be
degrade a
accessedclient
performancewill not
anonymously be
up
When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: able
to 15 to establish
percent on a
file session
service with that
transactions. server unless it has client-side SMB signing enabled. By default, cl
Default:
System\\CurrentControlSet\\Control\\ProductOptions
Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default
System\\CurrentControlSet\\Control\\Server
Network
If server-side
This policy access:
security
Important has SMB noSharing
setting signing
impact
determinesand
on security
is domain
enabled,
which model
SMB
controllers.
network Applications
forshares
packet local accounts
signing will be negotiated
can accessed by anonymous with clients users. that have client-side SMB signing enabled.
Network access: Named pipes
System\\CurrentControlSet\\Control\\Print\\Printers that can be accessed anonymously
Software\\Microsoft\\Windows
Using SMB packet signing can NT\\CurrentVersion
impose up to a 15 percent performance hit on file service transactions.
Network security:
access: Shares Do not that
System\\CurrentControlSet\\Services\\Eventlog
Network storecan LAN be accessedhash anonymously
This
Default:
For security
this None
policy setting
to takedetermines
specified. effectServer howManager
on computers network logons
running
value
that on
Windows usenext local
2000,
password
accountschange
server-side are authenticated.
packet signing must If this setting
also is set toTo
be enabled. Classic,
enablenetwork
server-side logons SMB thatpacket
use local acco
signing,
Default: Enabled.
Software\\Microsoft\\OLAP
Caution
Microsoft network server: Digitally sign communications (if server agrees)
Network security:
Software\\Microsoft\\Windows
This Force logoff when logon hours
NT\\CurrentVersion\\Print expire
If thissecurity
setting is setting
set todetermines
Guest only, if,network
at the next logonspassword
that use change, the LAN are
local accounts Manager (LM) hash
automatically mappedvalue to forthe theGuest
new password
account. By is stored.
using the The LM hash
Guest model,is relatively
you can ha we
Software\\Microsoft\\Windows
Incorrectly editing the registry NT\\CurrentVersion\\Windows
may severely damage your system. Before making changes registry to the registry, you should back uptheany valued data on the computer.
For
This Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following value must be set to 1 on Windows 2000 server:
Note:security settingsettingdetermines
System\\CurrentControlSet\\Control\\ContentIndex
Default This security
on domain computers: is not whether
availabletoon
Classic.
disconnect
earlier versions
HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature
users who are connected
of Windows. to the local
The security setting computer
that appears outside ontheir user account's
computers running validWindows logonXP, hours.
"NetworkThis setting
acces
System\\CurrentControlSet\\Control\\Terminal
Default
Default:on
Default on Windows
stand-alone Vista: EnabledGuest only Server
computers:
When this policy is enabled,
System\\CurrentControlSet\\Control\\Terminal
Default on Windows XP: Disabled. it causes client sessions with
Server\\UserConfig the SMB server to be forcibly disconnected when the client's logon hours expire.
Computers that have this policy set will not communicate
System\\CurrentControlSet\\Control\\Terminal with computers that do not have client-side packet signing enabled. Client-side packet signing can be e
Server\\DefaultUserConfiguration
System\CurrentControlSet\Control\ProductOptions
Important
If this policy is disabled, an established
Software\\Microsoft\\Windows
Important
System\CurrentControlSet\Control\Server client
NT\\CurrentVersion\\Perflibsession is allowed to be maintained after the client's logon hours have expired.
Applications
System\\CurrentControlSet\\Services\\SysmonLog
Software\Microsoft\Windows
With the Guest only model, any NT\CurrentVersion
user who can access your computer over the network (including anonymous Internet users) can access your shared resources.
Network security: LAN Manager authentication level
Network security:
This security LDAP
setting client signing
determines whichrequirements
challenge/response authentication protocol is used for network logons. This choice affects the level of authentication proto
Network
This security: Minimum session the security for NTLM SSP based (including secure RPC) clients
Sendsecurity
LM & NTLM setting determines
responses: Clients level
useof LM dataandsigningNTLM that is requested
authentication and onnever
behalfuse of clients
NTLMv2 issuing
session LDAP BIND domain
security; requests, as follows:
controllers accept LM, NTLM, and NTL
Send
Network LM & NTLM
security: - use
Minimum NTLMv2 session session
security security
for NTLM if negotiated:
SSP based Clients
(including use LM and
secure NTLM
RPC)NTLMv2 authentication and use NTLMv2
servers session security. These values are session security if the server support
This
None: security
The LDAP setting allows
BINDonly: requesta client to
is issued require the
with the negotiation
options thatonly of 128-bit
are specified encryption and/or
by the caller. dependent on the LAN Ma
Send NTLM response Clients use NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTL
Negotiate
Sendsecurity
NTLMv2 signing: If
response Transport
only: Layer
Clients Security/Secure Sockets Layer (TLS\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data sig
Network
This security:
Require signature:
NTLMv2 setting Restrict
allows
session
NTLM:
a server
security: touse
Outgoing NTLMv2
require NTLM authentication
traffic
the negotiation to remote only
of 128-bitservers and use NTLMv2
encryption notand/or
session
NTLMv2 security
session if the serverThese
security. supportsvalues it; domain controllers
are dependent on accept
the LANLM, M
Require
Send NTLMv2 response the sameThe
This isonly\\refuse asLM:
connection
Negotiate
Clients use
will failHowever,
signing. if NTLMv2
NTLMv2 authentication if protocol
the LDAP is server's
only
negotiated.
and use intermediate
NTLMv2 session saslBindInProgress
security if the responseserver supports does not indicate controllers
it; domain that LDAP
Require
Network 128-bit
security: encryption:
Restrict The
NTLM: connection
Incoming will
NTLM fail if
trafficstrong encryption (128-bit) is not negotiated.
Send
This
Require NTLMv2
policy setting
NTLMv2 response
allows only\\refuse
session you to deny
security: The LM & NTLM:
orconnection
audit outgoing Clients
will fail NTLM use NTLMv2
traffic
if message from authentication
this Windows
integrity only
7 orand
is not negotiated. this use NTLMv2
Windows Serversession 2008security
R2 computerif the server
to anysupports
Windowsit;remote domainser co
Caution
Require
Default:
Network 128-bit
No encryption.
requirements.
security: Restrict The
NTLM: connection
AuditorIncoming will fail if
NTLM NTLM strong encryption
Traffic traffic. (128-bit) is not negotiated.
This youpolicy
Important
If selectsetting
"Allowallows all" or you do not to denyconfigure allow
this incoming
policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication.
If you set the server to Require signature, you must also set the client. Not setting the client results in a loss of connection with the server.
Default:
Network
This policyNo requirements.
security:
setting Restrict
allows NTLM:
you to auditNTLM authentication
incoming NTLM in this domain
traffic.
If
This
If you select
yousetting
select can "Allow
"Audit affectall"the
all," or
thedo not configure
ability
client of computers
computer this policy
logsrunning
an event setting,
Windows
for eachthe 2000server
NTLM will
Server, allow
Windows
authentication all NTLM 2000
request authentication
Professional,
to a remote requests.
Windows
server. This XP allows
Professional, and thethose
you to identify Windows Server
servers rece
Note:
Network This setting Restrict
security: does notNTLM: have any Audit impact
NTLM onauthentication
ldap_simple_bind in thisordomain ldap_simple_bind_s. No Microsoft LDAP clients that are shipped with Windows XP Professi
This
If you policy setting
you select "Deny allows
"Disable",domain you
or do not to deny
configuretheor allow NTLM
thisserver
policywill authentication
setting, within a domain from this domain controller. This policy does not affect interactive logon to th
If
If you select
Default: select "Deny all all," the client accounts,"
computer cannot authenticatedeny the NTLM server
identities
will not log events
authentication
to a remote requests
server for
for incoming
domain
by using
NTLM
NTLM
traffic.
logonauthentication.
and display anYou NTLM canblocked
use the error,"Network but allow locaR
security:
Default:
Network
This policyNegotiate
security:
setting signing.
Restrict
allows NTLM: Add remote server exceptions for NTLM authentication
If
If you
you select
select "Disabled"
"Enable oryou
auditing do notto auditconfigure
for "send
domain
NTLMthis authentication
accounts", policythe setting,
server
in the
a domain
will domain
log events
from this domain
controller
for NTLM will allow controller.
pass-throughall NTLMauthentication
pass-through requests authentication
that would requests within the
be blocked whendomain.
the "N
If
This youpolicy
Windows select is"Deny
2000 and all
supported accounts,"
windows on atXP least the server
Windows LM &will
NTLM
7 or deny NTLM
responses
Windows authentication
Server 2008 R2.requests from incoming traffic and display an NTLM blocked error.
on server"
Network
This
Windows policy security:
setting
Server Restrict
allows
2003: Send NTLM:
younotNTLM Add
to configure
create server
an this
response exceptions
exception
only in
list of remotethis domain
servers to whichwill clients areevents
allowed toNTLM
use NTLM authentication ifdomain.
the "Network Security: Res
If
If you
you select
select "Disable"
"Deny or
forauditingdo
domainfor accounts to domain policy setting,
servers" the
the domain controller not log for authentication in this
If
This youpolicy
Windows select is
Vista"Enable
supported
and Windows on at are least
Server all Windows
accounts",
2008: the
7this
Send or NTLMv2server
Windows will logdomain
Server
response eventsonlyfor
2008
controller
R2.all NTLM
will authentication
deny all NTLMrequests authentication that would logonbe attempts
blockedtowhen all servers in the domain
the "Network Security:th
Note:
Network Audit and
security: block
Allow events
LocalSystem recorded NULL on session computer
fallback in the "NTLMBlock" Log located under the Applications and Services Log/Microsoft/Windows/Securi
This
If you policy
configuresetting this allows
policy you to create
setting, you an exception
can define a listofofremote
list serversservers in this domainto which toclients
whichare clients
allowed are allowed
to use to useauthentication.
NTLM NTLM pass-through authentication if the "Ne
If you
If you select
select "Deny
"Enableforfordomain domainaccount" accounts thetodomain
domaincontroller servers," will the domain controller will log events for attempts
NTLM authentication
from domainlogon attempts for domain accounts
This
Note: policy
Block isevents
supported on at least
are recorded onWindows
this 7 or Windows Serverdeny 2008 allR2.
NTLM authentication logon accounts and return an NTLM block
Network
Allow NTLM security:
to fall Allow
back Local
to setting,
NULL System session tocomputer
use
when computer
used
in theidentity
with
"NTLMBlock" for NTLM
LocalSystem.
Log located under the Applications and Services Log/Microsoft/Windows/Security-NTLM.
If
If you
you configure
do not "Enable this
configure policy
this you
policyaccounts," can
setting, nothe define
exceptions a list of servers
will be applied. in this domain to which clients are allowed to use NTLM authentication.
If
If you select
you Audit
selectevents
"Deny are forfordomain
domain servers" domain controller will log events for NTLM authentication logon attempts that use domain accounts when NTLMea
Note:
Network security: Allow recorded
PKU2U on this the
authentication
domain
computer incontroller
requests the "NTLMBlock" will deny
toNegotiate
this computer
NTLM
Log authentication
located under the requests
Applications to all servers
and Services in the domain and return an NTLM
Log/Microsoft/Windows/Security-NTLM. blocked
This
The policy
default setting
is TRUE allows
up to Local
Windows System Vista services
and FALSEthat use in Windows 7.to usetothe usecomputer
online identities.
identity when reverting to NTLM authentication.
If younaming
The do not format
configure this policy
forforservers setting,
onservers"
this exception no exceptionslist iscontroller
the will be qualified
fully applied. domain name (FQDN) or NetBIOS server name used by the application, listed one per li
If
If you
you select
select "Enable
"DenyConfigure
all," domain
the domain controller the domain
will denyfor NTLMwill
all Kerberos log events for
pass-through NTLM authentication
authentication requests from requests to all servers
its servers and forinitsthe domainand
accounts when NTLM
return an authent
NTLM b
Network
This security: encryption types allowed
If youpolicy
enable willthis
bepolicy
turnedsetting,off by default
services on domain
running asjoined
Localmachines.
System that This usewould disallow
Negotiate willthe use online identities identity.
the computer to be able to might
This authenticate
cause some to the authentication
domain joined reque mach
The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the calling application listed one
If
This youpolicy
Recovery select is"Enable
supported
console: all" on
Allow the atdomain
least
automatic controllerServer
Windows
administrative will logon
log2008 events R2. for NTLM pass-through authentication requests from its servers and for its accounts which would b
This policy setting allows you to set the encryption types that Kerberos is allowed to use.
If you do not configure this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymo
This
Recovery
Note:
This policy
Block isevents
supported
console: Allow
are on
recordedat least
floppy copy
ifon Windows
and
this access
computer Server tointhe2008
all
the drivesR2.and all folders
"NTLMBlock" Log located under the Applications and Services Log/Microsoft/Windows/Security-NTLM.
If notsecurity
selected, setting determines
the encryption type the
will password
not be allowed. for Administrator
This setting may account
affect must be given
compatibility before
with clientaccess
computersto the orsystem
services is granted. If this option
and applications. is enabled,
Multiple the
selections
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Note: Audit events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Services Log/Microsoft/Windows/Security-NTLM.
This policy is supported on at least Windows 7 or Windows Server 2008 R2.

Default: This policy is not defined and automatic administrative logon is not allowed.

Enabling this security option makes the Recovery Console SET command available, which allows you to set the following Recovery Console environment variab
AllowWildCards: Enable wildcard support for some commands (such as the DEL command).
AllowAllPaths: Allow access to all files and folders on the computer.
AllowRemovableMedia: Allow files to be copied to removable media, such as a floppy disk.
NoCopyPrompt: Do not prompt when overwriting an existing file.
Default: This policy is not defined and the recovery console SET command is not available.

Shutdown: Allow system to be shut down without having to log on
This security setting determines whether a computer can be shut down without having to log on to Windows.
When this policy is enabled, the Shut Down command is available on the Windows logon screen.
When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to th
Default on workstations: Enabled.
Default on servers: Disabled.

Shutdown: Clear virtual memory pagefile
This security setting determines whether the virtual memory pagefile is cleared when the system is shut down.
Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusive
When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys)
Default: Disabled.

System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms
For the Schannel Security Service Provider (SSP), this security setting disables the weaker Secure Sockets Layer (SSL) protocols and supports only the Transp
For Encrypting File System Service (EFS), it supports the Triple Data Encryption Standard (DES) and Advanced Encryption Standard (AES) encryption algorithm
For Remote Desktop Services, it supports only the Triple DES encryption algorithm for encrypting Remote Desktop Services network communication.
Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
For BitLocker, this policy needs to be enabled before any encryption key is generated. Please note that when this policy is enabled, BitLocker will prevent the cre
Note: The Federal Information Processing Standard (FIPS) 140 is a security implementation designed for certifying cryptographic software. FIPS 140 validated s
Default: Disabled.

System Cryptography: Force strong key protection for user keys stored on the computer
This security setting determines if users' private keys require a password to be used.
Windows XP: User input is not required when new keys are stored and used
Windows 2003: User is prompted when the key is first used
User must enter a password each time they use a key
For more information, see Public key infrastructure.
Default: This policy is not defined.

System objects: Default owner for objects created by members of the Administrators group
This security setting determines which security principal (SID) will be assigned the OWNER of objects when the object is created by a member of the Administra
Administrators Group

System objects: Require case insensitivity for non-Windows subsystems
This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel suppor
If this setting is enabled, case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. Disabling this setting does no
Default: Enabled.

System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)
This security setting determines the strength of the default discretionary access control list (DACL) for objects.
Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located
If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify sh
Default: Enabled.

System settings: Optional subsystems
This security setting determines which subsystems can optionally be started up to support your applications. With this security setting, you can specify as many
Default: POSIX.

System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
This security setting determines if digital certificates are processed when a user or process attempts to run software with an .exe file name extension. This secur
When certificate rules are enabled, software restriction policies will check a certificate revocation list (CRL) to make sure the software's certificate and signature

User Account Control: Admin Approval Mode for the Built-in Administrator account
This security setting determines the behavior of Admin Approval mode for the Built-in Administrator account.
The options are:
• Enabled: The Built-in Administrator will logon in Admin Approval Mode. By default any operation that requires elevation of privilege will prompt the Consent Ad
• Disabled: The Built-in Administrator will logon in XP compatible mode and run all applications by default with full administrative privilege.
Default: Disabled.

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
This security setting determines the behavior of the elevation prompt for administrators
The options are:
• Elevate without prompting: This option allows the Consent Admin to perform an operation that requires elevation without consent or credentials. Note: this sce
• Prompt for credentials: An operation that requires elevation of privilege will prompt the Consent Admin to enter their user name and password. If the user ente
• Prompt for consent: An operation that requires elevation of privilege will prompt the Consent Admin to select either Permit or Deny. If the Consent Admin sele

User Account Control: Behavior of the elevation prompt for standard users
This security setting determines the behavior of the elevation prompt for standard users
The options are:
• Automatically deny elevation requests: This option results in an access denied error message being returned to the standard user when they try to perform an
• Prompt for credentials: An operation that requires elevation of privilege will prompt the user to enter an administrative user name and password. If the user ent

User Account Control: Detect application installations and prompt for elevation
This security setting determines the behavior of application installation detection for the entire system.
The options are:
• Enabled: Application installation packages that require an elevation of privilege to install will be heuristically detected and trigger the configured elevation prom

User Account Control: Run all users, including administrators, as standard users.

User Account Control: Only elevate executables that are signed and validated
This security setting will enforce PKI signature checks on any interactive application that requests elevation of privilege. Enterprise administrators can control the
The options are:

User Account Control: Only elevate UIAccess applications that are installed in secure locations
This security setting will enforce the requirement that applications that request execution with a UIAccess integrity level (via a marking of UIAccess=true in their
The options are:
• Enabled: An application will only launch with UIAccess integrity if it resides in a secure location in the file system.
• Disabled: An application will launch with UIAccess integrity even if it does not reside in a secure location in the file system.
Note: Windows enforces a PKI signature check on any interactive application that requests execution with UIAccess integrity level regardless of the state of this
- ..\Program Files\, including subdirectories
- ..\Windows\system32\
- ..\Program Files (x86)\, including subdirectories for 64 bit versions of Windows
Default: Enabled

• Enabled: Enforces the PKI certificate chain validation of a given executable before it is permitted to run.
• Disabled: Does not enforce PKI certificate chain validation before a given executable is permitted to run.

• Disabled: Enterprises running standard users desktops that leverage delegated installation technologies like Group Policy Software Install (GPSI) or SMS will d
Default: Enabled (home) / Disabled (enterprise)

Default: Prompt for consent
Default: Prompt for credentials (home) / Automatically deny elevation requests (enterprise)

This security setting determines the behavior of all UAC policies for the entire system.
The options are:
• Enabled: Admin Approval Mode and all other UAC policies are dependent on this option being enabled. Changing this setting requires a system reboot.
• Disabled: Admin Approval Mode user type and all related UAC policies will be disabled. Note: the Security Center will notify that the overall security of the ope
Default: Enabled

User Account Control: Switch to the secure desktop when prompting for elevation
This security setting determines whether the elevation request will prompt on the interactive users desktop or the Secure Desktop.
The options are:
• Enabled: All elevation requests by default will go to the secure desktop
• Disabled: All elevation requests will go to the interactive users desktop
Default: Enabled

User Account Control: Virtualize file and registry write failures to per-user locations
This security setting enables the redirection of legacy application write failures to defined locations in both the registry and file system. This feature mitigates tho
Virtualization facilitates the running of pre-Vista (legacy) applications that historically failed to run as Standard User. An administrator running only Windows Vist
The options are:
• Enabled: Facilitates the runtime redirection of application write failures to defined user locations for both the file system and registry.
• Disabled: Applications that write data to protected locations will simply fail as they did in previous versions of Windows.
Default: Enabled

User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.
This security setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation promp
The options are:
If you enable this setting, UIA programs including Remote Assistance can automatically disable the secure desktop for elevation prompts. Unless you h
If you disable or do not configure this setting, the secure desktop can only be disabled by the user of the interactive desktop or by disabling the "User Account Co
UIA programs are designed to interact with Windows and application programs on behalf of a user. This setting allows UIA programs to bypass the secure deskt
Since UIA programs must be able to respond to prompts regarding security issues, such as the UAC elevation prompt, UIA programs must be highly trusted. In o
..\Program Files\ (and subfolders)
..\Program Files (x86)\ (and subfolders, in 64-bit versions of Windows only)
..\Windows\System32\
The requirement to be in a protected path can be disabled by the "User Account Control: Only elevate UIAccess applications that are installed in secure location
While this setting applies to any UIA program, it will be used primarily in certain Windows Remote Assistance scenarios. The Windows Remote Assistance progr
Note: If a user requests remote assistance from an administrator and the remote assistance session is established, any elevation prompts appear on the interactive us
Default: Disabled

Maximum application log size
This security setting specifies the maximum size of the application event log, which has a theoretical maximum of 4 GB. Practically the limit is lower (~300MB).
Notes
Log file sizes must be a multiple of 64 KB. If you enter a value that is not a multiple of 64 KB, Event Viewer will round the log file size up to a multiple of 64 KB.
Event Log size and log wrapping should be defined to match the business and security requirements you determined when designing your enterprise security pla
This setting does not appear in the Local Computer Policy object.
Default: For the Windows Server 2003 family, 16 MB; for Windows XP Professional Service Pack 1, 8 MB; for Windows XP Professional, 512 KB.

Maximum security log size
This security setting specifies the maximum size of the security event log, which has a theoretical maximum of 4 GB. Practically the limit is lower (~300MB).
Notes
Log file sizes must be a multiple of 64 KB. If you enter a value that is not a multiple of 64 KB, Event Viewer will round the log file size up to a multiple of 64 KB.
Event Log size and log wrapping should be defined to match the business and security requirements you determined when designing your enterprise security pla
This setting does not appear in the Local Computer Policy object.
Default: For the Windows Server 2003 family, 16 MB; for Windows XP Professional Service Pack 1, 8 MB; for Windows XP Professional, 512 KB.

Maximum system log size
This security setting specifies the maximum size of the system event log, which has a theoretical maximum of 4 GB. Practically the limit is lower (~300MB).
Notes
Log file sizes must be a multiple of 64 KB. If you enter a value that is not a multiple of 64 KB, Event Viewer will round the log file size up to a multiple of 64 KB.
Event Log size and log wrapping should be defined to match the business and security requirements you determined when designing your enterprise security pla
This setting does not appear in the Local Computer Policy object.
Default: For the Windows Server 2003 family, 16 MB; for Windows XP Professional Service Pack 1, 8 MB; for Windows XP Professional, 512 KB.

Prevent local guests group and ANONYMOUS LOGIN users from accessing application log
This security setting determines if guests are prevented from accessing the application event log.
This security setting affects only computers running Windows 2000 and Windows XP.
This setting does not appear in the Local Computer Policy object.
Default: Enabled for Windows XP, Disabled for Windows 2000

Prevent local guests group and ANONYMOUS LOGIN users from accessing security log
This security setting determines if guests are prevented from accessing the application log.
This security setting affects only computers running Windows 2000 and Windows XP.
This setting does not appear in the Local Computer Policy object.
Default: Enabled for Windows XP, Disabled for Windows 2000

Prevent local guests group and ANONYMOUS LOGIN users from accessing system log
This security setting determines if guests are prevented from accessing the application log.
This security setting affects only computers running Windows 2000 and Windows XP.
This setting does not appear in the Local Computer Policy object.

Retain application log
This security setting determines the number of days' worth of events to be retained for the application log if the retention method for the application log is By Day
Set this value only if you archive the log at scheduled intervals and you make sure that the Maximum application log size is large enough to accommodate the in
This setting does not appear in the Local Computer Policy object.
Default: None.

Retain security log
This security setting determines the number of days' worth of events to be retained for the security log if the retention method for the security log is By Days.
Set this value only if you archive the log at scheduled intervals and you make sure that the Maximum security log size is large enough to accommodate the inter
Notes
This security setting does not appear in the Local Computer Policy object.
A user must possess the Manage auditing and security log user right to access the security log.
Default: None.

Retain system log
This security setting determines the number of days' worth of events to be retained for the system log if the retention method for the system log is By Days.
Set this value only if you archive the log at scheduled intervals and you make sure that the Maximum system log size is large enough to accommodate the interv
This setting does not appear in the Local Computer Policy object.
Default: None.

Retention method for application log
This security setting determines the "wrapping" method for the application log.
If you do not archive the application log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite event
If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite e
If you must retain all the events in the log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Do not overwr
Note: This setting does not appear in the Local Computer Policy object.
Default: None.

Retention method for security log
This security setting determines the "wrapping" method for the security log.
If you do not archive the security log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events a
If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite e
If you must retain all the events in the log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Do not overwr
Note: This setting does not appear in the Local Computer Policy object.
A user must possess the Manage auditing and security log user right to access the security log.
Default: None.

Retention method for system log
This security setting determines the "wrapping" method for the system log.
If you do not archive the system log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events as
If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite
If you must retain all the events in the log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Do not overw
Note: This setting does not appear in the Local Computer Policy object.
Default: None.

Restricted Groups
This security setting allows an administrator to define two properties for security-sensitive groups ("restricted" groups).
The two properties are Members and Member Of. The Members list box defines who belongs and who does not belong to the restricted group. The Member Of list se
When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members lis
Notes
You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are
For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. W
There are two ways to apply Restricted Groups policy:
Define the policy in a security template, which will be applied during configuration on your local computer.
Define the setting on a Group Policy object (GPO) directly, which means that the policy goes into effect with every refresh of policy. The security settings are refr
Caution
If a Restricted Groups policy is defined and Group Policy is refreshed, any current member not on the Restricted Groups policy members list is removed. This ca
Notes
Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers.
An empty Members list means that the restricted group has no members; an empty Member Of list means that the groups to which the restricted group belongs
Note: This setting does not appear in the Local Computer Policy object.
Default: None specified.

System Services security settings
Allows an administrator to define the startup mode (manual, automatic, or disabled) as well as the access permissions (Start, Stop, or Pause) for all system serv
If you choose to set system service startup to Automatic, perform adequate testing to verify that the services can start without user intervention.
For performance optimization, set unnecessary or unused services to Manual.
Note: This setting does not appear in the Local Computer Policy object.
Default: Undefined.

Registry security settings
Allows an administrator to define access permissions (on discretionary access control lists (DACLs)) and audit settings (on system access control lists (SACLs))
Note: This setting does not appear in the Local Computer Policy object.
Default: Undefined.

File System security settings
Allows an administrator to define access permissions (on discretionary access control lists (DACLs)) and audit settings (on system access control lists (SACLs))
Note: This setting does not appear in the Local Computer Policy object.
Default: Undefined.
Reboot Required / Comments
No clients will get the new setting after a maximum of 8 hours but for DCs to assign these new settings a Gpupdate /force is required or waiting for the usual 5 minutes when the SCE engine assigns all modified settings.
No Logoff required
No Note: In Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family, the Task Scheduler automatically grants this right as necessary.
No Note: See also the corresponding Windows Server 2003 Allow log on locally policy setting, earlier in this worksheet.
he preferred option if you need to limit the use of Microsoft accounts in your enterprise.
log on and manage the system.
No For the policy change to take effect, the spooler service needs to be stopped/restarted, but the system does not have to be rebooted.
Yes Restart of service might be sufficient
No Important: In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member’s doma
In order to take advantage of this policy on doma
No Important: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these comp
No Important: This setting will apply to any computers running Windows 2000 through changes in the registry, but the security setting is not viewable t
No Only LogOff is required for W2K, XP and W2K3 computers. In Vista, start/restart the scpolicysvc will work or LogOff
Yes Important: For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help.
Yes Important: For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help.
No Important: This policy has no impact on domain controllers. For more information, search for "Security Settings Descriptions" in the Windows Serv
No Important: The Network access: Remotely accessible registry paths security setting that appears on computers running Windows XP corresponds to the Network access: Remotely accessible registry paths and subpaths security policy setting on members of the Wi
No Important: On Windows XP, this security setting was called "Network access: Remotely accessible registry paths." If you configure this setting on a member of the Windows Server 2003 family that is joined to a domain, this setting is inherited by computers
No Important: This setting only affects computers running Windows XP Professional which are not joined to a domain.
This policy will have no impact on computers running Windows 2000. For more information, search for "Security Setting Descriptions" in the Win
No Important: Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.
This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the netwo
No Important: This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the netwo
No Warning: This setting will apply to any computers running Windows 2000 through changes in the registry but the security setting will not be viewable through the Security Configuration Manager tool set. For more information, search for "Security Setting De
No Require restart of recovery console
No Requires logoff
Yes Vista does NOT require reboot
Yes Requires reboot with CNG on Vista; Does not require reboot with CAPI on Vista; Does not require reboot on XP, 2003 with CAPI
No This policy does not exist on Vista
No Note: This setting does not appear in the Local Computer Policy object.
Important: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see the "Event Log: Maximum sec
No Notes: This setting does not appear in the Local Computer Policy object.
This security setting affects only computers running Windows 2000, Windows Server 2003, and Windows XP.
No Note: This setting does not appear in the Local Computer Policy object.
A user must possess the Manage auditing and security log user right to access the security log.
n, the reverse membership configuration option ensures that each Restricted Group is a member of only those groups that are specified in the Member Of column.
ministrators group.
main controller. The settings are also refreshed every 16 hours, whether or not there are any changes.