
Security Compliance Management Toolkit Release Notes

February 2009

© 2009 Microsoft Corporation. All rights reserved.

Contents
1. Download and on-line locations for the Security Compliance Management Toolkit
2. Brief description of the Security Compliance Management Toolkit
3. Getting started
4. Contents of download package
5. Copyright and license agreement
6. Windows Vista Security Guide Release Notes
7. Windows XP Security Guide Release Notes
8. Windows Server 2008 Security Guide Release Notes
9. Windows Server 2003 Security Guide Release Notes
10. 2007 Microsoft Office Security Guide Release Notes
11. GPOAccelerator Release Notes
12. Security Compliance Management Release Notes

1. Download and on-line locations for the Security Compliance Management Toolkit
The Security Compliance Management Toolkit is free on Microsoft TechNet and the Microsoft Download Center.

2. Brief description of the Security Compliance Management Toolkit


The Solution Accelerators Security and Compliance (SA-SC) team developed the security guides included in this suite
to provide you with recommendations for hundreds of Group Policy security settings designed to assist customers in
making the environments of their organizations more secure.
In the past, deploying the prescribed security guidance was a long and tedious process that involved multiple manual
steps. Correctly deploying the security guidance, even in a test environment, could take hours. The updated guides
include tools and templates that take advantage of built-in features in Windows operating systems and Microsoft Office
applications to enable users to deploy all the prescribed settings efficiently.
This guide has been reviewed and tested by Microsoft engineering teams, consultants, support engineers, partners, and
customers in an effort to make it:

Proven: Based on field experience.
Authoritative: Offers the best advice available.
Accurate: Technically validated and tested.
Actionable: Provides the steps to success.
Relevant: Addresses real-world security concerns.

As in the previous releases of these security guides, each guide describes the following two environments:

Enterprise Client (EC): In this environment organizations seek to balance security and functionality. Typical
security-conscious enterprises, government departments, and other organizations should start with the EC setting
recommendations and customize them to meet their individual circumstances and requirements.

Specialized Security - Limited Functionality (SSLF): In this environment, organizations maintain very
stringent security standards. Concern for security is so great that a significant loss of functionality and
manageability is acceptable. SSLF setting recommendations are designed for organizations and departments with
national security responsibilities or that handle highly classified information.

Warning: The SSLF security settings are not intended for the majority of organizations. The configuration for
these settings has been developed for organizations where security is more important than functionality.

These guides include recommendations for Group Policy settings that are specific to each of these environments, as well
as recommendations for an organizational unit (OU) structure that is adequate for deploying the settings in either
environment.
The security guides in the download for this Solution Accelerator are intended to work with the GPOAccelerator. The
GPOAccelerator tool allows users to configure security settings for Microsoft operating systems and applications for either
the Enterprise Client (EC) baseline or the Specialized Security - Limited Functionality (SSLF) baseline. Organizations can
create and establish these baselines for testing in minutes before deploying them. The GPOAccelerator companion How-to
guide provides test and deployment guidance for these activities.

3. Getting started
To start using this Solution Accelerator, Microsoft recommends first reading the "Overview" section of each security guide
that is relevant to your environment. The Overview defines the purpose and scope of each guide, the intended audience
for each guide, and indicates how the guidance is organized to assist you in locating information both in the guides and
the resources that accompany them. The Overview section of each guide also describes the tools and templates, and the
user prerequisites for each guide.
To obtain the most value from this material, Microsoft recommends reading the entire guide of each Microsoft product that
is relevant to your organization. However, it is possible to read individual portions of the guides to achieve specific aims.
The "Chapter Summaries" section in the Overview of each guide briefly introduces each chapter. For more information
about security topics and settings related to these security guides, see the companion guide, Threats and
Countermeasures.
To best take advantage of the security guidance, templates, and tools, Microsoft recommends the following steps:
1. Read the Release Notes (this document).
2. Read the Overview and Chapter 1 of each security guide that is relevant to your environment.
3. Read additional portions of each security guide as appropriate.
4. Determine the risk posture for your environment: EC settings and recommendations are appropriate for most
   organizations; SSLF settings and recommendations are only suitable for organizations where concern for security is
   so great that a significant loss of functionality and manageability is acceptable.
5. Install the GPOAccelerator.
6. Use the GPOAccelerator to configure a security baseline for your organization.
7. Customize the security configuration.
8. Test and verify the security configuration.
9. Deploy the security configuration.
10. Read the Baseline Compliance Management Overview and the DCM Configuration Pack User Guide in the DCM
    Configuration Packs folder of the Security Compliance Management Toolkit for your security baseline.
11. Use the desired configuration management (DCM) feature of Microsoft System Center Configuration Manager 2007
    Service Pack 1 (SP1) with the Configuration Packs for the operating systems and Office applications in your
    environment to monitor your security baseline.
The 2007 Microsoft Office Security Guide, Windows XP Security Guide, Windows Vista Security Guide,
Windows Server 2003 Security Guide, and Windows Server 2008 Security Guide are also available on TechNet.

4. Contents of download package


The Security Compliance Management Toolkit download package for this Solution Accelerator enables you to download the
following files:
Release Notes.rtf
Security Compliance Management Toolkit - All.zip
Security Compliance Management Toolkit - FAQ.docx

Security Compliance Management Toolkit_2007 Office.zip
  Security Compliance Management Overview.docx
  2007 Microsoft Office Security Guide.docx
  2007 Microsoft Office Security Baseline Settings.xlsm
  2007 Microsoft Office Security Baseline.xml
  DCM Configuration Packs
    Baseline Compliance Management Overview.docx
    DCM Configuration Pack User Guide.docx
    OSG-EC.cab
    OSG-SSLF.cab
  GPOAccelerator
    GPOAccelerator.msi
    How to Use the GPOAccelerator.docx

Security Compliance Management Toolkit_Windows Server 2003
  Security Compliance Management Overview.docx
  Windows Server 2003 Security Guide.docx
  Windows Server 2003 Attack Surface Reference.xlsx
  Windows Server 2003 Security Baseline Settings.xlsm
  Windows Server 2003 Security Baseline.xml
  INF Files
    WS03-EC-Domain.inf
    WS03-EC-Domain-Controller.inf
    WS03-EC-Member-Server.inf
    WS03-SSLF-Domain.inf
    WS03-SSLF-Domain-Controller.inf
    WS03-SSLF-Member-Server.inf
  DCM Configuration Packs
    Baseline Compliance Management Overview.docx
    DCM Configuration Pack User Guide.docx
    WS03-EC-Domain.cab
    WS03-EC-Domain-Controller.cab
    WS03-EC-Member-Server.cab
    WS03-SSLF-Domain.cab
    WS03-SSLF-Domain-Controller.cab
    WS03-SSLF-Member-Server.cab
  GPOAccelerator
    GPOAccelerator.msi
    How to Use the GPOAccelerator.docx

Security Compliance Management Toolkit_Windows Server 2008
  Security Compliance Management Overview.docx
  Windows Server 2008 Security Guide.docx
  Windows Server 2008 Attack Surface Reference.xlsx
  Windows Server 2008 Security Baseline Settings.xlsm
  Windows Server 2008 Security Baseline.xml
  INF Files
    WS08-EC-Domain.inf
    WS08-EC-Domain-Controller.inf
    WS08-EC-Member-Server.inf
    WS08-SSLF-Domain.inf
    WS08-SSLF-Domain-Controller.inf
    WS08-SSLF-Member-Server.inf
  DCM Configuration Packs
    Baseline Compliance Management Overview.docx
    DCM Configuration Pack User Guide.docx
    WS08-EC-Domain.cab
    WS08-EC-Domain-Controller.cab
    WS08-EC-Member-Server.cab
    WS08-SSLF-Domain.cab
    WS08-SSLF-Domain-Controller.cab
    WS08-SSLF-Member-Server.cab
  GPOAccelerator
    GPOAccelerator.msi
    How to Use the GPOAccelerator.docx

Security Compliance Management Toolkit_Windows Vista
  Security Compliance Management Overview.docx
  Windows Vista Security Guide.docx
  Windows Vista Security Baseline Settings.xlsm
  Windows Vista Security Baseline.xml
  INF Files
    VSG-EC-Domain.inf
    VSG-EC-Desktop.inf
    VSG-EC-Laptop.inf
    VSG-SSLF-Domain.inf
    VSG-SSLF-Desktop.inf
    VSG-SSLF-Laptop.inf
  DCM Configuration Packs
    Baseline Compliance Management Overview.docx
    DCM Configuration Pack User Guide.docx
    VSG-EC-Domain.cab
    VSG-EC-Desktop.cab
    VSG-EC-Laptop.cab
    VSG-SSLF-Domain.cab
    VSG-SSLF-Desktop.cab
    VSG-SSLF-Laptop.cab
  GPOAccelerator
    GPOAccelerator.msi
    How to Use the GPOAccelerator.docx

Security Compliance Management Toolkit_Windows XP
  Security Compliance Management Overview.docx
  Windows XP Security Guide.docx
  Windows XP Security Baseline Settings.xlsm
  Windows XP Security Baseline.xml
  INF Files
    XPG-EC-Domain.inf
    XPG-EC-Desktop.inf
    XPG-EC-Laptop.inf
    XPG-SSLF-Domain.inf
    XPG-SSLF-Desktop.inf
    XPG-SSLF-Laptop.inf
  DCM Configuration Packs
    Baseline Compliance Management Overview.docx
    DCM Configuration Pack User Guide.docx
    XPG-EC-Domain.cab
    XPG-EC-Desktop.cab
    XPG-EC-Laptop.cab
    XPG-SSLF-Domain.cab
    XPG-SSLF-Desktop.cab
    XPG-SSLF-Laptop.cab
  GPOAccelerator
    GPOAccelerator.msi
    How to Use the GPOAccelerator.docx

5. Copyright and license agreement


Copyright © 2009 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility. By using or
providing feedback on this documentation, you agree to the license agreement below.

If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this
documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California
94105, USA.

This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS". Your use of the documentation
cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular
user based upon that user's particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND,
DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN
CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.
Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this
documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these
patents, trademarks or other intellectual property.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted,
the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are
fictitious.
Microsoft, Access, Active Directory, ActiveX, Excel, InfoPath, Internet Explorer, Outlook, PowerPoint, Visual Basic, Windows, Windows Server,
Windows Vista, and Windows XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other
countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if
you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your
Feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products,
technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will not
give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include
your Feedback in them.

6. Windows Vista Security Guide Release Notes


1) Windows Vista version used: This version of the Windows Vista Security Guide was developed and tested using the released
builds for Windows Vista Ultimate, Windows Vista Business, and Windows Vista Enterprise Edition.
2) Changes in this guide version: Version 3.0 of this guide reflects content changes to closely align the structure of this guide with
the other security guides included in these release notes. This version reflects the significant security enhancements in
Windows Vista SP1, and was developed and tested on computers running Windows Vista SP1 joined to a domain that uses Active
Directory, and on stand-alone computers.
3) Known issues. The following are known issues indicated by date for all releases of the Windows Vista Security Guide:

The GPOAccelerator tool had some files missing that resulted in the tool not functioning properly. The files were missing
from the 12-04-06 release only. (12-20-06)

Version 1.1 of the download file, Windows Vista Security Guide.msi, that was published 12-04-06 did not include all of the
GPOAccelerator Tool files. The file was replaced with version 1.0 on 12-14-06. (12-14-06)

The "Limited Services" section in Chapter 5, "Specialized Security Limited Functionality" was included in error. The GPOs
and .inf files that the guide includes do not modify the configuration of any default services on computers running
Windows Vista. (12-01-06)

Users may notice one or more additional Extra Registry Settings entries in the reports generated by the Group Policy
Results report in the Group Policy Management Console and the Resultant Set of Policy tools. This has no impact on the
expected behavior of the Group Policy settings detailed in this guide and is expected behavior for this release of Windows
Vista. (11-08-06)

Administrative installation of the .msi file is not supported. (11-08-06)

7. Windows XP Security Guide Release Notes


1) Windows XP version used: This version of the Windows XP Security Guide was developed and tested using the released builds
for Windows XP Professional Service Pack 3 (SP3).
2) Changes in this guide version: Version 3.0 of this guide reflects content changes to closely align the structure of this guide with
the other security guides included in these release notes. Version 2.2 of this guide corrected an error in the
Optional-File-Permissions.inf in the tools and templates which accompany this guide. Some links have been updated and some minor
typographical errors have been corrected.
3) Known issues. The following are known issues indicated by date for all releases of the Windows XP Security Guide:

None for this release.

8. Windows Server 2008 Security Guide Release Notes


1) Windows Server 2008 version used: This version of the Windows Server 2008 Security Guide was developed and tested using
client computers in the EC environment that can run either Windows XP Professional SP3 or later, or Windows Vista SP1.
However, the servers that manage these client computers on the network must run Windows Server 2008 or Windows Server 2003
SP2 or later. Client computers in the SSLF environment can only run Windows Vista SP1 and the servers that manage them can
only run Windows Server 2008.
2) Changes in this guide version: Version 3.0 of this guide reflects content changes to closely align the structure of this guide with
the other security guides included in these release notes.
3) Known issues. The following are known issues indicated by date for all releases of the Windows Server 2008 Security Guide:

None for this release.

9. Windows Server 2003 Security Guide Release Notes


1) Windows Server 2003 version used: This version of the Windows Server 2003 Security Guide was developed and tested using
servers running Windows Server 2003 SP2.
2) Changes in this guide version: Version 3.0 of this guide reflects content changes to closely align the structure of this guide with
the other security guides included in these release notes. Version 2.1 corrected some errors in the tools and templates which
accompany this guide and updated some links and minor typographical errors in the guide. The Optional-File-Permissions.inf in
the Security Template files was updated. Some registry settings and registry paths were updated in the Security Template .inf files.

In chapters 4 and 5, the Local Service account was granted the Change the System Time user right in some of the baseline policy
Security Templates. In Chapter 11, the default algorithm for EFS was updated in line with new product and service pack releases.
3) Known issues. The following are known issues indicated by date for all releases of the Windows Server 2003 Security Guide:

Managing Bastion Hosts After Lockdown. Ensure that the bastion hosts and the High Security - Bastion Host.inf Security
Template are configured to enable the functionality your environment requires before applying the security settings. The
recommended configuration included in this guide disables many system services, making it very difficult to manage or
reconfigure bastion hosts that have been locked down. For example, the Windows Installer service is disabled, making it
impossible to reconfigure a bastion host using the Add or Remove Programs applet in Control Panel. Administrators can
work around some of these limitations by temporarily enabling and restarting services as required. Restart the bastion host
after completing any management tasks to ensure the Bastion Host Local Policy (BHLP) takes effect. (4-03)

10. 2007 Microsoft Office Security Guide Release Notes


1) 2007 Microsoft Office version used: This version of the 2007 Microsoft Office Security Guide describes the security features
in the 2007 Office release and how they address issues of confidentiality, integrity, and availability. The guide also contains
prescriptive guidance for configuring your environment through Group Policy. The Security Settings for 2007 Office
Applications workbook lists Group Policy settings that relate to security and privacy for the 2007 versions of Microsoft
Office Access, Excel, InfoPath, Outlook, PowerPoint, and Word. The workbook provides the default, Enterprise
Client and Specialized Security Limited Functionality settings.
2) Changes in this guide version: Version 3.0 of this guide reflects content changes to align it with the other security guides
included in these release notes.
3) Known issues. The following are known issues indicated by date for all releases of the 2007 Microsoft Office Security Guide:
The following list contains Group Policy settings that were found in recent tests to be obsolete in the 2007 Microsoft Office
release, which will be visible in the Group Policy Management Console (GPMC). These Group Policy settings were found to be
obsolete in our tests and therefore were removed from the Security Settings for 2007 Office Applications workbook. For more
information, see this Knowledge Base article.

Allow in-place activation of embedded OLE objects (Outlook 2007)


Allow the use of ActiveX Custom Controls in InfoPath forms (InfoPath 2007)
Always use Rich Text formatting in S/MIME messages (Outlook 2007)
Assume structured storage format of workbook is intact when recovering data (Excel 2007)
Automatic Query Refresh (Excel 2007)
Automatically download enclosures (Outlook 2007)
Completely disable the Smart Documents feature in Word and Excel (Office 2007)
Control behavior when opening forms in the Local Machine security zone (InfoPath 2007)
Disable Password Caching (Office 2007)
Display a warning that a form is digitally signed (InfoPath 2007)
Display OLE package objects (Outlook 2007)
Do not allow users to upgrade Information Rights Management configuration (Office 2007)
Do not upload media files (Office 2007)
Download Office Controls (Office 2007)
Enable Cryptography Icons (Outlook 2007)
Hide Spotlight entry point (Office 2007)
Locally cache network file storages (Excel 2007)
Locally cache PivotTable reports (Excel 2007)
Microsoft Office Online (Office 2007)
OLAP PivotTable connect warning (Excel 2007)
OLAP PivotTable User Defined Function (UDF) security setting (Excel 2007)
PivotTable External Data Source connect warning (Excel 2007)
Prevent access to Web-based file storage (Office 2007)
Prevent Word and Excel from loading managed code extensions (Office 2007)
Refresh Alert Settings (Excel 2007)
Run forms in restricted mode if they do not specify a publish location and use only features introduced before InfoPath 2003
SP1 (InfoPath 2007)
Send copy of pictures with HTML messages instead of reference to Internet location (Outlook 2007)
Suppress High Security Macro alert for unsigned Macros (Excel 2007)
Windows Internet Explorer Feature (Office 2007)

11. GPOAccelerator Release Notes


1) GPOAccelerator version used: Version 3.5 of the GPOAccelerator was developed and tested using client computers in the EC
environment that can run either Windows XP Professional SP3 or later, or Windows Vista SP1. However, the servers that manage
these client computers on the network must run Windows Server 2008 or Windows Server 2003 SP2 or later. Client computers in
the SSLF environment can only run Windows Vista SP1 and the servers that manage them can only run Windows Server 2008.
2) Changes in this version: Version 3.5 of the GPOAccelerator and How to Use the GPOAccelerator reflect content changes to
align the structure of this guide with the other security guidance included in these release notes.
GPOAccelerator v3.5 was released in coordination with the Security Compliance Management Toolkit. This version adds the
following functionality:

Creates the GPOs described in the Windows Server 2003 Security Guide.
Includes functionality that enables users to apply Administrative Template settings to the local policy of a computer. The
previous version applied only .INF-based settings.
Includes functionality that enables users to apply the recommended settings from the 2007 Microsoft Office Security Guide to
the local policy of a computer.

GPOAccelerator v3 was released with the Windows Server 2008 Security Guide. This version adds the following functionality:

Includes the GPOAccelerator Tool Wizard to provide a graphical user interface (GUI) for the tool.
Creates the GPOs described in the Windows Server 2008 Security Guide.

GPOAccelerator v2 was released as a separate download in November 2007. Version 2 adds the following functionality:

Support for computers running Windows XP and Windows Server 2003.


Creates the GPOs described in the Windows XP Security Guide.
Creates the GPOs described in the 2007 Microsoft Office Security Guide.

GPOAccelerator v1 was first released with the Windows Vista Security Guide in November 2006. Version 1 includes the following
functionality:

Only supports computers running Windows Vista or later.


Tool works only from the command line.
Creates the GPOs described in the Windows Vista Security Guide.

3) Known issues. The following are known issues indicated by date for all releases of the GPOAccelerator:

Users may notice one or more additional "Extra Registry Settings" entries in the reports generated by the Group Policy
Results report in the Group Policy Management Console (GPMC) and the Resultant Set of Policy tools. This has no impact
on the expected behavior of the settings included in the GPOs created by the GPOAccelerator, and is expected behavior for
these tools. (11-08-06)
Administrative installation of the .msi file is not supported. (11-08-06)
The following Windows operating system settings appear in the GPOAccelerator templates, but they are not supported
in the security guides or any related output files (2-12-09):
Allow Install On Demand (Internet Explorer)
Audit Policy Other Privilege Use Events
Display Error Notification
Modify an object label
Report Errors
Specify intranet Microsoft update service location
The GPOAccelerator fails and then displays error code 0xC0000135 if Microsoft .NET 3.0 is not installed on the computer
where the tool is attempting to run. To avoid this error, ensure that .NET 3.0 or later is installed on the computer before
running the GPOAccelerator. (2-12-09)
On stand-alone computers, the GPOAccelerator may not set the ADM-based settings. This known issue applies mostly to
computers running Windows XP SP3. If this occurs, the likely cause is that the stand-alone computers do not contain the
correct VC++ runtime. To resolve this issue, download and install the Microsoft Visual C++ 2005 SP1 Redistributable
Package (x86). (2-12-09)

12. Security Compliance Management Release Notes

1) Security Compliance Management version used: This version of the Security Compliance Management Toolkit is intended to
work with the desired configuration management (DCM) feature of Microsoft System Center Configuration Manager 2007
Service Pack 1 (SP1). The toolkit is designed to help you plan, deploy, and monitor security baselines on computers running
Windows Vista SP1, Windows XP Professional SP3, Windows Server 2008, Windows Server 2003 SP2, and 2007 Microsoft
Office SP1.
2) Changes in this guide version: Version 2.0 of the Baseline Compliance Management Overview and the DCM Configuration
Pack User Guide includes updated DCM Configuration Pack information to align it with the Microsoft operating systems and
applications addressed in the earlier sections of these release notes.
3) Known issues. The following are known issues indicated by date for all releases of Security Compliance Management:
3.1) The guidance for the Security Compliance Management toolkit has not been tested on System Center Configuration Manager
2007 R2. (6-6-08)
3.2) The toolkit provides more than 700 security settings, including user rights assignment settings, such as Access this computer
from the network, backup files and directories, and so on. This Release Note includes a partial list of these settings. The
Resultant Set of Policy (RSoP) data in the Windows Management Instrumentation (WMI) repository may not represent the actual
state of the corresponding settings for the following two reasons:
Reason 1: One or more recent Group Policy changes have not yet taken effect on the particular system.
Group Policy is applied during system startup and at a predefined interval. By default, computers running Windows operating
systems apply Group Policy at 90 minute intervals. For domain controllers, the default interval is 5 minutes. If Group Policy has
been changed and the toolkit is run during the Group Policy refresh interval, the toolkit report data may differ from the actual
system state.
Reason 2: One or more settings have been configured using local policies.
The RSoP data of a system does not include local security policies, such as user rights, password policies, and so on. If any setting
has been configured using local policies, the toolkit report data may differ from the actual system state.
The following setting data is collected from the Windows Management Instrumentation (WMI) repository, but it may not be
synchronized with the data in the Local Security Authority of Windows. Please view the security compliance reports as
informational. (6-6-08)

Account lockout duration


Maximum password age
Minimum password age
Minimum password length
Passwords must meet complexity requirements
Reset account lockout counter after
Store passwords using reversible encryption
Access this computer from the network
Act as part of the operating system
Add workstations to domain
Adjust memory quotas for a process
Allow Logon locally
Allow Logon through Terminal Services
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
Back up files and directories
Bypass traverse checking
Change the system time
Change the time zone
Create a pagefile
Create a token object
Create global objects
Create permanent shared objects
Create symbolic links
Debug programs
Deny access to this computer from the network

Deny logon as a batch job


Deny logon as a service
Deny Logon locally
Deny Logon through Terminal Services
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system
Generate security audits (SeAuditPrivilege)
Impersonate a client after authentication
Increase a process working set
Increase scheduling priority
Load and unload device drivers
Lock pages in memory
Logon as a batch job
Logon as a service
Manage auditing and security log
Modify firmware environment values
Perform Volume Maintenance Tasks
Profile single process
Profile system performance
Remove computer from docking station
Replace a process level token
Restore files and directories
Shut down the system
Synchronize directory service data
Take ownership of files or other objects (SeTakeOwnershipPrivilege)
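
The gap described in item 3.2 between RSoP data in WMI and the state the computer actually enforces can be checked directly on one machine. The Windows PowerShell script below is an added example, not part of the toolkit or of these release notes. It assumes an elevated prompt, the RSOP_SecuritySettingNumeric class in the root\rsop\computer namespace, and secedit.exe for the export; the function names and status strings are hypothetical. It covers only the numeric account-policy settings from the list above.

```powershell
# Added example (not part of the toolkit). Run from an elevated Windows PowerShell prompt.
# Compares the RSoP data in WMI with the values the computer actually enforces for the
# numeric account-policy settings named in the list above.

# Key name (shared by RSoP and the secedit export) -> name used in these release notes
$AccountPolicyNames = @{
    MinimumPasswordAge    = 'Minimum password age'
    MaximumPasswordAge    = 'Maximum password age'
    MinimumPasswordLength = 'Minimum password length'
    LockoutDuration       = 'Account lockout duration'
    ResetLockoutCount     = 'Reset account lockout counter after'
}

function ConvertTo-SignedSetting([int64]$Value) {
    # Assumption: an unsigned 0xFFFFFFFF in RSoP is the same "-1" sentinel secedit writes.
    if ($Value -eq 4294967295) { return [int64]-1 }
    return $Value
}

function Get-RsopAccountPolicy {
    # Winning (precedence 1) values recorded by the last Group Policy processing run.
    $result = @{}
    Get-WmiObject -Namespace 'root\rsop\computer' -Class RSOP_SecuritySettingNumeric `
        -Filter 'precedence = 1' -ErrorAction SilentlyContinue |
        ForEach-Object { $result[$_.KeyName] = [int64]$_.Setting }
    return $result
}

function Get-EffectiveAccountPolicy {
    # Export the current system security settings and read the [System Access] section.
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "secedit export failed (exit code $LASTEXITCODE). Is the prompt elevated?"
        }
        $result = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\[(.+)\]$') {
                $inSection = ($Matches[1] -eq 'System Access')
                continue
            }
            # Numeric values only; string entries such as account names are skipped.
            if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
                $result[$Matches[1]] = [int64]$Matches[2]
            }
        }
        return $result
    }
    finally {
        # The export describes the machine's security configuration; do not leave it behind.
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Compare-AccountPolicy($Rsop, $Effective) {
    foreach ($key in ($AccountPolicyNames.Keys | Sort-Object)) {
        $rsopValue = $null
        $liveValue = $null
        if ($Rsop.ContainsKey($key))      { $rsopValue = ConvertTo-SignedSetting $Rsop[$key] }
        if ($Effective.ContainsKey($key)) { $liveValue = ConvertTo-SignedSetting $Effective[$key] }

        if ($null -eq $rsopValue) {
            # Reason 2 in item 3.2: RSoP does not include settings made through local policy.
            $status = 'Not in RSoP'
        }
        elseif ($null -eq $liveValue) {
            # For example, lockout timers are not exported while lockout is disabled.
            $status = 'Not in export'
        }
        elseif ($rsopValue -eq $liveValue) {
            $status = 'Match'
        }
        else {
            # Reason 1 in item 3.2 is the usual cause: the policy refresh has not run yet.
            $status = 'MISMATCH'
        }

        New-Object PSObject -Property @{
            Setting   = $AccountPolicyNames[$key]
            RSoP      = $rsopValue
            Effective = $liveValue
            Status    = $status
        } | Select-Object Setting, RSoP, Effective, Status
    }
}

Compare-AccountPolicy -Rsop (Get-RsopAccountPolicy) -Effective (Get-EffectiveAccountPolicy) |
    Format-Table -AutoSize
```

A MISMATCH row that clears after the next Group Policy refresh corresponds to Reason 1; a row that stays "Not in RSoP" corresponds to Reason 2.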

3.3) The compliance check results for the setting "Domain controller: LDAP server signing requirements" may not be correct
for computers running Windows Server 2003 SP2. (6-6-08)
3.4) Some of the prescriptive steps and figures in this release of the toolkit do not align with updated Configuration Pack file
names in the toolkit. (2-12-09)
3.5) Some settings may incorrectly display as noncompliant in DCM reports. These are known issues due to inconsistent policy
references between the Security Templates for the GPOAccelerator and the DCM Configuration Packs for this Beta release.
(2-12-09)
3.6) Windows Vista SP1 and Windows Server 2008 RTM share the same operating system version (6001). For this reason, the
DCM configuration packs for Windows Vista SP1 and Windows Server 2008 can be applied to each other, but this may not
provide you with correct monitoring results. Ensure that you carefully apply the correct DCM packs to each operating system
collection. (2-12-09)
3.7) The DCM feature does not work on computers running Server Core installations of Windows Server 2008. Server Core does
not support .NET Framework 2.0, which is required for the DCM agent (2-12-09).
3.8) The following settings are documented and used in the GPOAccelerator, but they are not collected in the SCM
Configuration Packs (6-6-08) and (2-12-09):

Administrator account status


Guest account status
Enforce user logon restrictions
Internet Explorer Processes (MK Protocol)
Maximum Media Log size.xlsm
MSS (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments)
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths and sub-paths
Network access: Remotely accessible registry paths
Network access: Shares that can be accessed anonymously
Network security: Force logoff when logon hours expire
Registry policy processing
Rename administrator account
Rename guest account
System settings: Optional subsystems

3.9) The baseline values of the settings listed in this release note item for the EC environment that the Configuration Packs
provide are not the same as those that the GPOAccelerator provides. This is because the values that the GPOAccelerator provides
for these settings allow for backward compatibility. These settings appear in the following locations (2-12-09):
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Audit account logon events


Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events

And:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Event Log

Maximum application log size


Maximum security log size
Maximum system log size

4.0) The setting MSS: (TCPMaxDataRetransmissions) IPv6 How many times unacknowledged data is retransmitted (3
recommended, 5 is default) is mentioned in the toolkits for Windows XP and Windows Server 2003. However, this setting does
not apply to the security baselines for these operating systems. (2-12-09)
