Windows Server 2012 and Windows 8 Group Policy Settings
This spreadsheet lists the policy settings for computer and user configurations that are included in the Administrative template files (.admx and
Windows Server 2012. The policy settings included in this spreadsheet cover Windows Server 2012, Windows Server 2008 R2, Windows Ser
Windows 8, Windows 7, Windows Vista with SP1, Windows XP Professional with SP2 or earlier service packs, and Microsoft Windows 2000 w
These files are used to expose policy settings when you use the Group Policy Management Console (GPMC) to edit Group Policy Objects (GP
You can use the filtering capabilities that are included in this spreadsheet to view a specific subset of data, based on one value or a combinati
in one or more of the columns. In addition, you can click Custom in the drop-down list of any of the column headings to add additional filtering
To view a specific subset of data, click the drop-down arrow in the column heading of cells that contain the value or combination of values on w
and then click the desired value in the drop-down list. For example, to view policy settings that are available for Windows Server 2012 or Wind
Administrative Template worksheet, click the drop-down arrow next to Supported On, and then click At least Microsoft Windows Server 2
What's New
The Administrative Template spreadsheet contains three columns that provide more information about each policy setting's behavior related to
These columns are the following:
Reboot Required: A "Yes" in this column means that the Windows operating system requires a restart before it applies the described po
Logoff Required: A "Yes" in this column means that the Windows operating system requires the user to log off and log on again before it
Active Directory Schema or Domain Requirements: A "Yes" in this column means that you must extend the Active Directory schema b
Status: A "New" in this column means that the setting did not exist prior to Windows Server 2012 and Windows 8. It does not mean that t
and Windows 8. Refer to the column entitled "supported on" to determine to which operating system the policy setting applies.
Legal Notice
This document is provided as-is. Information and views expressed in this document, including URL and other Internet Web site references, may change witho
Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your in
Active Directory, Hyper-V, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, Windows NT, Windows Server,
and Windows Vista are trademarks of the Microsoft group of companies.
Default: None.

Deny log on locally
This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy settin
Important
If you apply this security policy to the Everyone group, no one will be able to log on locally.
Default: None.

Deny log on through Remote Desktop Services
This security setting determines which users and groups are prohibited from logging on as a Remote Desktop Services client.
Default: None.

Enable computer and user accounts to be trusted for delegation
This security setting determines which users can set the Trusted for Delegation setting on a user or computer object.
The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on
This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Force shutdown from a remote system
This security setting determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in

Generate security audits
This security setting determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized syst
This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Impersonate a client after authentication
This security setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2.
Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation
Default: Local Service, Network Service.
Default: Administrators on domain controllers.
Caution
Misuse of this user right, or the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that
Default on workstations and servers: Administrators.
Default on domain controllers: Administrators, Server Operators.

Increase a process working set
This privilege determines which user accounts can increase or decrease the size of a process's working set.
Default: Users
Caution
The working set of a process is the set of memory pages currently visible to the process in physical RAM. These pages are resident and available for
Warning: Increasing the working set size for a process decreases the amount of physical memory available to the rest of the system.

Increase scheduling priority
This security setting determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to
Assigning this user right can be a security risk. Only assign this user right to trusted users.
Default: Administrators.

Load and unload device drivers
This user right determines which users can dynamically load and unload device drivers or other code in kernel mode. This user right does not apply to Plug
Default: Administrators.

Lock pages in memory
This security setting determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual
Default: None.

Log on as a batch job
This security setting allows a user to be logged on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows.
For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive
Default: Administrators

Log on as a service
This security setting allows a security principal to log on as a service. Services can be configured to run under the Local System, Local Service, or Network Se
Caution
Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
Default: Local Service, Network Service

Log on locally
Determines which users can log on to the computer.
Default on workstations and servers: Administrators.
Default setting: None.

Manage auditing and security log
Default on domain controllers: Administrators
This security setting determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and reg
This security setting does not allow a user to enable file and object access auditing in general. For such auditing to be enabled, the Audit object access setting
Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Mo
In addition, a user can also impersonate an access token if any of the following conditions exist.
Important
Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (h
Administrators, Backup Operators.
Print Operators

Modify an object label
This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Proces

Modify firmware environment values
This security setting determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of n
On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting,
Default: None
You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.
The access token that is being impersonated is for this user.
The user in this logon session created the access token by logging on to the network with explicit credentials.
The requested level is less than Impersonate, such as Anonymous or Identify.
Default: Administrators.

Perform volume maintenance tasks
This security setting determines which users and groups can run maintenance tasks on a volume, such as defragmentation.

Profile single process
This security setting determines which users can use performance monitoring tools to monitor the performance of nonsystem processes.
Because of these performance factors, users do not usually need this user right.
On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Defa
On all computers, this user right is required to install or upgrade Windows.
Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the exten
On workstations and servers: Administrators, Backup Operators, Power Users, Users, and Guest.
On domain controllers: Account Operators, Administrators, Backup Operators, Print Operators.

Profile system performance
This security setting determines which users can use performance monitoring tools to monitor the performance of system processes.
Default: Administrators, Power users.
For more information, search "SeImpersonatePrivilege" in the Microsoft Platform SDK.
Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanc

Remove computer from docking station
This security setting determines whether a user can undock a portable computer from its docking station without logging on.
If this policy is enabled, the user must log on before removing the portable computer from its docking station. If this policy is disabled, the user may remove the
Warning
Default: Administrators.

Replace a process level token
This security setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can star
If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
Default: Local Service, Network Service.

Restore files and directories
This security setting determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and di
Default: Administrators.
Default: Administrators, Power Users

Shut down the system
This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. M
Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:
Traverse Folder/Execute File
Write

Synchronize directory service data
This security setting determines which users and groups have the authority to synchronize all directory service data. This is also known as Active Directory syn
Default: None.

Take ownership of files or other objects
This security setting determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, prin
Caution
Defaults:
Default on Workstations: Administrators, Backup Operators, Users.
Default on Servers: Administrators, Backup Operators.
Default on Domain controllers: Administrators, Backup Operators, Server Operators, Print Operators.

Accounts: Administrator account status
This security setting determines whether the local Administrator account is enabled or disabled.

Accounts: Block Microsoft accounts

Accounts: Guest account status
This policy setting prevents users from adding new Microsoft accounts on this computer.
Notes
Assigning this user right can be a security risk. Since owners of objects have full control over them, only assign this user right to trusted users.
Users with this user right can overwrite registry settings, hide data, and gain ownership of system objects,
If you select the Users can't add Microsoft accounts option, users will not be able to create new Microsoft accounts on this computer, switch a local account to
If you try to reenable the Administrator account after it has been disabled, if the current Administrator password does not meet the password requirements
Disabling the Administrator account can become a maintenance issue under certain circumstances.
Default: Administrators.

Accounts: Limit local account use of blank passwords to console logon only
This security setting determines if the Guest account is enabled or disabled.
Default: Disabled.

Accounts: Rename administrator account
This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer
If you select the Users can't add or log on with Microsoft accounts option, existing Microsoft account users will not be able to log on to Windows. Selecting thi
This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the w
Workstations and servers: Administrators, Backup Operators.
Domain controllers: Administrators, Backup Operators, Server Operators.
Default: Enabled.
Note: Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other active local adminis
If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logo
Default: Administrator.

Accounts: Rename guest account
This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-kn
Default: Disabled.

Audit: Audit the access of global system objects
This security setting determines whether to audit the access of global system objects.
If this policy is enabled, it causes system objects, such as mutexes, events, semaphores and DOS devices, to be created with a default system access control
Warning: Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physi
Default: Guest.

Audit: Audit the use of Backup and Restore privilege
This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect.

Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services.
If you disable this policy, then use of the Backup or Restore privilege is not audited even when Audit privilege use is enabled.
Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at
When using subcategories without requiring a change in Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPo
Note: For this security setting, changes will not take effect until you restart Windows.

Audit: Shut down system immediately if unable to log security audits
This security setting determines whether the system shuts down if it is unable to log security events.
Notes
Default: Disabled.
Note: On Windows versions prior to Windows Vista configuring this security setting, changes will not take effect until you restart Windows. Enabling this setting

DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
If the category level audit policy set here is not consistent with the events that are currently being generated, the cause might be that this registry key is set.
If this policy setting is enabled, it causes the system to stop if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the
This security setting does not affect logons that use domain accounts.
This security setting determines which users or groups can access a DCOM application remotely or locally. This setting is used to control the attack surface of the
Default: Disabled.
It is possible for applications that use remote interactive logons to bypass this setting.
You can use this policy setting to specify access permissions to all the computers to particular users for DCOM applications in the enterprise. When you specif

DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
This policy setting determines which users or groups can launch or activate DCOM applications remotely or locally. This setting is used to control the attack su
Default: Disabled
If the security log is full and an existing entry cannot be overwritten, and this security option is enabled, the following Stop error appears:

Devices: Allow undock without having to log on
This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an e
Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
Deny privileges on both local and remote access.
You can use this setting to grant access to all the computers to users of DCOM applications. When you define this setting, and specify the users or groups that are
launch, remote launch, activation, and remote activation.
STOP: C0000244 {Audit Failed}

Devices: Allowed to format and eject removable media

Devices: Prevent users from installing printer drivers when connecting to shared printers
The registry settings that are created as a result of enabling the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) synta
The registry settings that are created as a result of this policy take precedence over the previous registry settings in this area. Remote Procedure Call Services
existing registry settings are no longer effective, and if you make changes to the existing settings, computer access permissions for users are not changed. Uso
An attempt to generate a security audit failed.
To recover, an administrator must log on, archive the log (optional), clear the log, and reset this option as desired. Until this security setting is reset, no users,
This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to:
Administrators
For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allo
Default: Enabled.
Caution

Devices: Restrict CD-ROM access to locally logged-on user only
The possible values for this policy setting are:
Administrators
Administrators and Interactive Users
This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously.
Note: On Windows versions prior to Windows Vista configuring this security setting, changes will not take effect until you restart Windows.
Default on servers: Enabled.
Default on workstations: Disabled
The possible values for this Group Policy setting are:
Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject but

Devices: Restrict floppy access to locally logged-on user only

Devices: Unsigned driver installation behavior
This security setting determines whether removable floppy media are accessible to both local and remote users simultaneously.
If this policy is not defined, only Administrators have this ability.
Blank. This represents the local security policy way of deleting the policy enforcement key. This value deletes the policy and then sets it as Not defined state.
Default: Disabled.
If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on in
Blank. This represents the local security policy way of deleting the policy enforcement key. This value deletes the policy and then sets it to Not defined state.
This security setting determines what happens when an attempt is made to install a device driver (by means of Setup API) that has not been tested by the Win
If this policy is enabled, it allows only the interactively logged-on user to access removable floppy media. If this policy is enabled and no one is logged on intera
SDDL. This is the Security Descriptor Definition Language representation of the groups and privileges you specify when you enable this policy.
Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user.
Notes
SDDL. This is the Security Descriptor Definition Language representation of the groups and privileges you specify when you enable this policy.

Domain controller: Allow server operators to schedule tasks
This security setting determines if Server Operators are allowed to submit jobs by means of the AT schedule facility.
The options are:
Not Defined. This is the default value.
Default: This policy is not defined and floppy disk drive access is not restricted to the locally logged-on user.

Domain controller: LDAP server signing requirements
This security setting determines whether the LDAP server requires signing to be negotiated with LDAP clients, as follows:
This setting does not affect the ability to add a local printer.
Not Defined. This is the default value.
Note: This security setting does not affect Administrators.
This setting only affects the AT schedule facility; it does not affect the Task Scheduler facility.
Silently succeed
Note
Default: This policy is not defined, which means that the system treats it as disabled.
Warn but allow installation
None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.
If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in Windows, the administrator can use the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setti
Do not allow installation
Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.
If the administrator is denied access to activate and launch DCOM applications due to the changes made to DCOM in this version of Windows, this policy setti
Default: Warn but allow installation.
This restores control of the DCOM application to the administrator and specified users. To do this, open the DCOM: Machine Launch Restrictions in Security D
Default: This policy is not defined, which has the same effect as None.
Domain controller: Refuse machine account password changes
This security setting determines whether domain controllers will refuse requests from member computers to change computer account passwords. By default,
If it is enabled, this setting does not allow a domain controller to accept any changes to a computer account's password.
Default: This policy is not defined, which means that the system treats it as Disabled.

Domain member: Digitally encrypt or sign secure channel data (always)
This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure
This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determin

Domain member: Digitally encrypt secure channel data (when possible)
This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure

Domain member: Digitally sign secure channel data (when possible)
This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.

Domain member: Disable machine account password changes
Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to
the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two p
When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure
This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain
negotiate secure channel encryption.

Domain member: Maximum machine account password age
This security setting determines how often a domain member will attempt to change its computer account password.
Default: Disabled.

Domain member: Require strong (Windows 2000 or later) session key

Domain member: Digitally encrypt secure channel data (when possible)
This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain me
Domain member: Digitally sign secure channel data (when possible)
This security setting determines whether 128-bit key strength is required for encrypted secure channel data.
Default: 30 days.
Notes

Interactive logon: Do not display last user name
This security setting determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen.
If this policy is enabled, the name of the last user to successfully log on is not displayed in the Logon Screen.
If this policy is disabled, the name of the last user to log on is displayed.
Default: Enabled.
Default: Enabled.
Default: Enabled.

Interactive Logon: Display user information when session is locked
When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure
Important
This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and doma
Notes:
This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations tha
Depending on what version of Windows is running on the domain controller that the domain member is communicating with, the parameters
There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this settin
This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.

Interactive logon: Do not require CTRL+ALT+DEL
Notes:
This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.
If the Domain member: Digitally encrypt or sign secure channel data (always) policy is enabled, then this policy is assumed to be enabled regardless of its curr
Default: Disabled.

Interactive logon: Machine account lockout threshold.
The machine lockout policy is enforced only on those machines that have Bitlocker enabled for protecting OS volumes. Please ensure that appropriate recove
If this policy is enabled, the policy Domain member: Digitally sign secure channel
data (when possible) is assumed to be enabled regardless of its current settin
Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in
Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in
Domain member: Digitally encrypt or sign secure channel data (always)
If this policy is enabled, the policy Domain member: Digitally encrypt secure channel data (when possible) is assumed to be enabled regardless of its current settin
Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current settin

Interactive logon: Machine inactivity limit.
If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptibl
This security setting determines the number of failed logon attempts that causes the machine to be locked out. A locked out machine can only be recovered by o
Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or
Some or all of the information that is transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength i
Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.
If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows (unless they are using a smart card for Windows logon).

Interactive logon: Message text for users attempting to log on
This security setting specifies a text message that is displayed to users when they log on.
Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password protected screen sav
If this security setting is enabled, then a secure channel will not be established unless 128-bit encryption can be performed. If this setting is disabled, then the key str
Default: not enforced.
Default on domain-computers: Disabled.

Interactive logon: Message title for users attempting to log on

Interactive logon: Number of previous logons to cache (in case domain controller is not available)
This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempt
This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions
The machine lockout policy is enforced only on those machines that have Bitlocker enabled for protecting OS volumes. Please ensure that the appropriate rec
Default on stand-alone computers: Enabled.
Default: Disabled.
All previous users' logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they are a
Default: No message.
Default: No message.

Interactive logon: Prompt user to change password before expiration
Important
Determines how far in advance (in days) users are warned that their password is about to expire. With this advance warning, the user has time to construct a p
Windows cannot connect to a server to confirm your logon settings. You have been logged on using previously stored account information. If you changed you
In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Win
In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 200
If a domain controller is unavailable and a user's logon information is not cached, the user is prompted with this message:
Default: 14 days.

Interactive logon: Require Domain Controller authentication to unlock
Logon information must be provided to unlock a locked computer. For domain accounts, this security setting determines whether a domain controller must be c

Interactive logon: Require smart card
This security setting requires users to log on to a computer using a smart card.
Default: Disabled.

Interactive logon: Smart card removal behavior
The system cannot log you on now because the domain <DOMAIN_NAME> is not available.

Microsoft network client: Digitally sign communications (always)

This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.

The options are:

Important
In this policy setting, a value of 0 disables logon caching. Any value above 50 only caches 50 logon attempts.

Microsoft network client: Digitally sign communications (if server agrees)

This security setting determines whether packet signing is required by the SMB client component.

The options are:

Enabled: Users can only log on to the computer using a smart card.

This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.

Microsoft network client: Send unencrypted password to third-party SMB servers

Default: 25

The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windo

Default: Disabled.

This security setting determines whether the SMB client attempts to negotiate SMB packet signing.

Disabled: Users can log on to the computer using any method.

No Action

Default: Disabled.
Microsoft network server: Amount of idle time required before suspending a session

If this security setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet sig

The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windo

Lock Workstation

If this setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not

Force Logoff

Microsoft network server: Attempt S4U2Self to obtain claim information

This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended

Sending unencrypted passwords is a security risk.

Disconnect if a Remote Desktop Services session

Default: Disabled.

If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled

Microsoft network server: Digitally sign communications (always)

This security setting is to support clients running a version of Windows prior to Windows 8 Consumer Preview that are trying to access a file share that require

Important
This setting will apply to any computers running Windows 2000 through changes in the registry, but the security setting is not viewable through the Security Co

Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reesta

Default: Disabled.

If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the a

Default: Enabled.

Microsoft network server: Digitally sign communications (if client agrees)

will support client principals whose accounts may be in a domain which has client computers and domain controllers running a version of Windows prior

This security setting determines whether packet signing is required by the SMB server component.
If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed.

For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days;

Microsoft network server: Disconnect clients when logon hours expire

This setting should be set to automatic (default) so that file server automatically evaluate whether claims are needed for the user. An administrator wou

Notes

This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it.

For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side packet signing,

The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windo

Default: This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.

Computers that have this policy set will not be able to communicate with computers that do not have server-side packet signing enabled. By default, server-sid
If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the u

This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setti

When enabled this security setting will cause the Windows file server to examine the access token of an authenticated network client principal and determine
which have claim-based access control policy applied.

All Windows operating systems support both a client-side SMB component and a server-side SMB component. To take advantage of SMB packet signing, both

Microsoft network server: Server SPN target name validation level

If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet sig

Server-side packet signing can be enabled on computers running Windows 2000 and later by setting Microsoft network server: Digitally sign communications

The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windo

Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
Network access: Allow anonymous SID/name translation

Server-side packet signing can be enabled on computers running Windows NT 4.0 Service Pack 3 and later by setting the following registry value to 1:
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature

Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.

When this policy is enabled, it causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire.

If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled

The server message block (SMB) protocol provides the basis for Microsoft file and printer sharing and many other networking operations, such as remote Windows adm

Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.

Default: Enabled.
Network access: Do not allow anonymous enumeration of SAM accounts

If this setting is disabled, the Windows file server will not attempt to obtain a claim-enabled access token for the client principal.

Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.

This setting determines if an anonymous user can request security identifier (SID) attributes for another user.

Default: Enabled on domain controllers only.

If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired.

This security setting determines the level of validation a SMB server performs on the service principal name (SPN) provided by the SMB client when trying to e

Default: This policy is not defined, which means that the system treats it as No action.

Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not server-side SMB component has packet signing enabled

95 or 98.
Network access: Do not allow anonymous enumeration of SAM accounts and shares

Disabled for member servers.

This security setting determines what additional permissions will be granted for anonymous connections to the computer.

If server-side SMB signing is required, a client will not be able to establish a session with that server unless it has client-side SMB signing enabled. By default,

If this policy is enabled, a user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the admi

The options are:

Enabled for domain controllers.

On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started.

Default on Windows Vista: Enabled.

Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By defau

Network access: Do not allow storage of credentials or .NET Passports for network authentication

Important

Notes
This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed.

Default on Windows XP: Disabled.

If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled.

Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, fo

Default on workstations: Disabled.

No validation - validation of the SPN will not be performed by

Notes

Network access: Let Everyone permissions apply to anonymous users

Using SMB packet signing can degrade performance up to 15 percent on file service transactions.

Default on domain controllers: Enabled.

For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000

This security setting determines whether Stored User Names and Passwords saves passwords, credentials, or .NET Passports for later use when it gains dom

All Windows operating systems support both a client-side SMB component and a server-side SMB component. To take advantage of SMB packet signing, both

This security option allows additional restrictions to be placed on anonymous connections as follows:

Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and shares. This is convenient, fo
Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.

Network access: Named pipes that can be accessed anonymously

All Windows operating systems support both a client-side SMB component and a server-side SMB component. To take advantage of SMB packet signing, both

Validate if provided by client - the SMB server will validate the SPN provided by the client and allow a session to be established if it matches the SMB ser

This security setting determines what additional permissions are granted for anonymous connections to the computer.

If it is enabled, this setting prevents the Stored User Names and Passwords from storing passwords and credentials.

Notes

Default: Disabled.

Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone

Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.

Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
Network access: Remotely accessible registry paths

This security setting determines which communication sessions (pipes) will have attributes and permissions that allow anonymous access.

Require match from client - the SMB client MUST send a SPN name in session setup, and the SPN name provided MUST match the SMB server that is being fo

with Authenticated Users in the security permissions for resources.

Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.

Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.

Disabled: No additional restrictions. Rely on default permissions.

Note: When configuring this security setting, changes will not take effect until you restart Windows.

Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient,

All Windows operating systems support both a client-side SMB component and a server-side SMB component.
Network access: Remotely accessible registry paths and subpaths

set, anonymous users can only access those resources for which the anonymous user has been explicitly given permission.

Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled

Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.

To take advantage of SMB packet signing, both
This security setting determines which registry keys can be accessed over the network, regardless of the users or groups listed in the access control list (ACL)

For more information about Stored User Names and Passwords, see Stored User Names and Passwords.

If server-side SMB signing is required, a client will not be able to establish a session with that server unless it has client-side SMB signing enabled. By default,

Default: None.

Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.

Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.

Default on workstations: Enabled.

If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled.

Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
Network access: Restrict anonymous access to Named Pipes and Shares

If this policy is enabled, the Everyone SID is added to the token that is created for anonymous connections. In this case, anonymous users are able to access co

This security setting determines which registry paths and subpaths can be accessed over the network, regardless of the users or groups listed in the access co

If server-side SMB signing is required, a client will not be able to establish a session with that server unless it has client-side SMB signing enabled. By default,

Default: Disabled.

Default: Disabled.

Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.

Using SMB packet signing can impose up to a 15 percent performance hit on file service transactions.

All Windows operating systems support both a client-side SMB component and a server-side SMB component. This setting affects the server SMB behavior, a

Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By defau
Network access: Shares that can be accessed anonymously

When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:

Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled

If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled

Default: Disabled.

Important

System\\CurrentControlSet\\Control\\ProductOptions
System\\CurrentControlSet\\Control\\Server Applications
Software\\Microsoft\\Windows NT\\CurrentVersion

If server-side SMB signing is required, a client will not be able to establish a session with that server unless it has client-side SMB signing enabled. By default,

Using SMB packet signing can degrade performance up to 15 percent on file service transactions.

Network access: Sharing and security model for local accounts

This security setting determines which network shares can be accessed by anonymous users.

Network access: Named pipes that can be accessed anonymously

Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By defau

System\\CurrentControlSet\\Control\\Print\\Printers

This policy has no impact on domain controllers.

If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled.
Network access: Shares that can be accessed anonymously

Network security: Do not store LAN Manager hash value on next password change

Important

This security setting determines how network logons that use local accounts are authenticated. If this setting is set to Classic, network logons that use local acc

System\\CurrentControlSet\\Services\\Eventlog

Default: None specified.

Default: Enabled.

Using SMB packet signing can impose up to a 15 percent performance hit on file service transactions.

Software\\Microsoft\\OLAP Server

Network security: Force logoff when logon hours expire

For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing,

Software\\Microsoft\\Windows NT\\CurrentVersion\\Print

If this policy setting is set to Guest only, network logons that use local accounts are automatically mapped to the Guest account. By using the Guest model, you can h

This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively w

Network security: LAN Manager authentication level

Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows

Microsoft network server: Digitally sign communications (if server agrees)

This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setti

Caution
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer

Default on domain computers: Classic.

System\\CurrentControlSet\\Control\\ContentIndex

Note: This setting is not available on earlier versions of Windows.
Network security: LDAP client signing requirements

Default on Windows Vista: Enabled

For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server:
HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature

This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication pro

The security setting that appears on computers running Windows XP, "Network acc

System\\CurrentControlSet\\Control\\Terminal Server

Default on Windows XP: Disabled.

Default on stand-alone computers: Guest only

When this policy is enabled, it causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire.

System\\CurrentControlSet\\Control\\Terminal Server\\UserConfig

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows:

Send LM & NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NT

Important

System\\CurrentControlSet\\Control\\Terminal Server\\DefaultUserConfiguration

If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired.

System\CurrentControlSet\Control\ProductOptions

Important

Computers that have this policy set will not communicate with computers that do not have client-side packet signing enabled. Client-side packet signing can be

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

Send LM & NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server suppo

Software\\Microsoft\\Windows NT\\CurrentVersion\\Perflib

System\CurrentControlSet\Control\Server Applications

This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN M
None: The LDAP BIND request is issued with the options that are specified by the caller.

Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NT

With the Guest only model, any user who can access your computer over the network (including anonymous Internet users) can access your shared resources

System\\CurrentControlSet\\Services\\SysmonLog

Default: Enabled.

Software\Microsoft\Windows NT\CurrentVersion

Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data si

Windows 2000 Service Pack 2 (SP2) and above offer compatibility with previous versions of Windows, such as Microsoft Windows NT 4.0.

Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM

System\\CurrentControlSet\\Services\\CertSvc

This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN M
Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated.

Note: This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family

Require signature: This is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDA

Note: This security setting behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in th

Send NTLMv2 response only\\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controller

System\\CurrentControlSet\\Services\\Wins

Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.

Require NTLMv2 session security: The connection will fail if message integrity is not negotiated.

Send NTLMv2 response only\\refuse LM & NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain

servers that are joined to a domain (for example, member computers) also receive the same account policy for their local accounts. However, local account po

Caution

Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated.

This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services. Remote Desktop Se

Default: No requirements.

Important
If you set the server to Require signature, you must also set the client. Not setting the client results in a loss of connection with the server.

Default: No requirements.

This policy will have no impact on computers running Windows 2000.

Caution
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers

This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote s

Network security: Restrict NTLM: Incoming NTLM traffic

This policy setting allows you to deny or allow incoming NTLM traffic.

Network security: Restrict NTLM: Audit Incoming NTLM Traffic

This policy setting allows you to audit incoming NTLM traffic.

If you select "Allow all" or you do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication.

Network security: Restrict NTLM: Audit NTLM authentication in this domain

If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests.

If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers re
Network security: Restrict NTLM: NTLM authentication in this domain

This policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy does not affect interactive logon to

If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic.

If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow loc

Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication

If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security:

This policy setting allows you to audit NTLM authentication in a domain from this domain controller.

If you select "Disabled" or you do not configure this policy setting, the domain controller will allow all NTLM pass-through authentication requests within the domain

If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "

If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error.

Network security: Restrict NTLM: Add server exceptions in this domain

This policy is supported on at least Windows 7 or Windows Server 2008 R2.

This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Re
If you select "Disable" or do not configure this policy setting, the domain controller will not log events for NTLM authentication in this domain.

Network security: Allow LocalSystem NULL session fallback

This policy is supported on at least Windows 7 or Windows Server 2008 R2.

If you select "Deny for domain accounts to domain servers" the domain controller will deny all NTLM authentication logon attempts to all servers in the domain

If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Securit

This policy setting allows you to create an exception list of servers in this domain to which clients are allowed to use NTLM pass-through authentication if the "

Note: Audit and block events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Services Log/Microsoft/Windows/Secu

If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication.

If you select "Deny for domain accounts" the domain controller will deny all NTLM authentication logon attempts from domain accounts and return an NTLM blo

If you select "Enable for domain accounts to domain servers," the domain controller will log events for NTLM authentication logon attempts for domain account
Network security: Allow Local System to use computer identity for NTLM

This policy is supported on at least Windows 7 or Windows Server 2008 R2.

Allow NTLM to fall back to NULL session when used with LocalSystem.

Note: Block events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Services Log/Microsoft/Windows/Security-NTLM

If you do not configure this policy setting, no exceptions will be applied.

If you configure this policy setting, you can define a list of servers in this domain to which clients are allowed to use NTLM authentication.

Network security: Allow PKU2U authentication requests to this computer to use online identities.

If you select "Deny for domain servers" the domain controller will deny NTLM authentication requests to all servers in the domain and return an NTLM blocked

If you select "Enable for domain accounts," the domain controller will log events for NTLM authentication logon attempts that use domain accounts when NTLM

This setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication.

The default is TRUE up to Windows Vista and FALSE in Windows 7.

Note: Audit events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Services Log/Microsoft/Windows/Security-NTLM

If you do not configure this policy setting, no exceptions will be applied.
Network security: Configure encryption types allowed for Kerberos

If you select "Enable for domain servers" the domain controller will log events for NTLM authentication requests to all servers in the domain when NTLM an authe

The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per

If you select "Deny all," the domain controller will deny all NTLM pass-through authentication requests from its servers and for its accounts and return an NTLM

If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requ

This policy will be turned off by default on domain joined machines. This would disallow online identities to be able to authenticate to the domain joined ma

Recovery console: Allow automatic administrative logon

The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the calling application listed o

This policy setting allows you to set the encryption types that Kerberos is allowed to use.

If you select "Enable all" the domain controller will log events for NTLM pass-through authentication requests from its servers and for its accounts which would

This policy is supported on at least Windows Server 2008 R2.

If you do not configure this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonym
Recovery console: Allow floppy copy and access to all drives and all folders
If not selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. Multiple selection th
This policy is supported on at least Windows Server 2008 R2.
This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled,
Shutdown: Allow system to be shut down without having to log on
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Services Log/Microsoft/Windows/Security-NTLM
Enabling this security option makes the Recovery Console SET command available, which allows you to set the following Recovery Console environment varia
Default: This policy is not defined and automatic administrative logon is not allowed.
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Note: Audit events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Services Log/Microsoft/Windows/Security-NTLM
Shutdown: Clear virtual memory pagefile
This security setting determines whether a computer can be shut down without having to log on to Windows.
AllowWildCards: Enable wildcard support for some commands (such as the DEL command).
System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms
AllowAllPaths: Allow access to all files and folders on the computer.
This security setting determines whether the virtual memory pagefile is cleared when the system is shut down.
When this policy is enabled, the Shut Down command is available on the Windows logon screen.
AllowRemovableMedia: Allow files to be copied to removable media, such as a floppy disk.
System Cryptography: Force strong key protection for user keys stored on the computer
NoCopyPrompt: Do not prompt when overwriting an existing file.
For the Schannel Security Service Provider (SSP), this security setting disables the weaker Secure Sockets Layer (SSL) protocols and supports only the Trans
Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusi
When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to
authentication, and only the Secure Hashing Algorithm (SHA1, SHA256, SHA384, and SHA512) for the TLS hashing requirements.
System objects: Default owner for objects created by members of the Administrators group
unauthorized user who manages to directly access the pagefile.
This security setting determines if users' private keys require a password to be used.
Default: This policy is not defined and the recover console SET command is not available.
Description
Default on workstations: Enabled.
System objects: Require case insensitivity for non-Windows subsystems
For Encrypting File System Service (EFS), it supports the Triple Data Encryption Standard (DES) and Advanced Encryption Standard (AES) encryption algorith
When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys
This security setting determines which security principal (SID) will be assigned the OWNER of objects when the object is created by a member of the Administr
The options are:
Default on servers: Disabled.
Default: For Windows XP: User SID. Windows 2003: Administrators Group
System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)
Default: Disabled.
For Remote Desktop Services, it supports only the Triple DES encryption algorithm for encrypting Remote Desktop Services network communication.
This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel suppo
User input is not required when new keys are stored and used
System settings: Optional subsystems
If this security setting is enabled, the case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. Disabling this setting does n
Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
User is prompted when the key was first used
This security setting determines the strength of the default discretionary access control list (DACL) for objects.
User must enter a password each time they use a key
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
This security setting determines which subsystems can optionally be started up to support your applications. With this security setting, you can specify as many
For more information, see Public key infrastructure.
Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located
For BitLocker, this policy needs to be enabled before any encryption key is generated. Please note that when this policy is enabled, BitLocker will prevent the c
Default: Enabled.
User Account Control: Admin Approval Mode for the Built-in Administrator account
This security setting determines if digital certificates are processed when a user or process attempts to run software with an .exe file name extension. This sec
Default: This policy is not defined.
If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify s
Default: POSIX.
Default: Disabled.
effect, you must enable this security setting.
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
This security setting determines the behavior of Admin Approval mode for the Built-in Administrator account.
Default: Enabled.
User Account Control: Behavior of the elevation prompt for standard users
When certificate rules are enabled, the software restriction policies will check a certificate revocation list (CRL) to make sure the software's certificate and signatur
Note: The Federal Information Processing Standard (FIPS) 140 is a security implementation designed for certifying cryptographic software. FIPS 140 validated
The options are:
This security setting determines the behavior of the elevation prompt for administrators.
This securityare: setting determines the behavior of the elevation prompt for standard users
Default: Disabled.
User Account Control: Detect application installations and prompt for elevation
The options are:
Enabled: The Built-in Administrator will logon in Admin Approval Mode. By default any operation that requires elevation of privilege will prompt the Consent A
The options are:
User Account Control: Only elevate executables that are signed and validated
This security setting determines the behavior of application installation detection for the entire system.
Prompt for consent: An operation that requires elevation of privilege will prompt the Consent Admin to select either Permit or Deny. If the Consent Admin sel
Disabled: The Built-in Administrator will logon in XP compatible mode and run all applications by default with full administrative privilege.
User Account Control: Only elevate UIAccess applications that are installed in secure locations
Prompt for credentials: An operation that requires elevation of privilege will prompt the user to enter an administrative user name and password. If the user et
This security setting will enforce PKI signature checks on any interactive application that requests elevation of privilege. Enterprise administrators can control
The options are:
User Account Control: Run all users, including administrators, as standard users
Prompt for credentials: An operation that requires elevation of privilege will prompt the Consent Admin to enter their user name and password. If the user en
Default: Disabled
This security setting will enforce the requirement that applications that request execution with a UIAccess integrity level (via a marking of UIAccess=true in thei
The options are:
Automatically deny elevation requests: This option results in an access denied error message being returned to the standard user when they try to perform a
Enabled: Application installation packages that require an elevation of privilege to install will be heuristically detected and trigger the configured elevation pro
User Account Control: Switch to the secure desktop when prompting for elevation
This security setting determines the behavior of all UAC policies for the entire system.
Elevate without prompting: This option allows the Consent Admin to perform an operation that requires elevation without consent or credentials. Note: this sc
- \Program Files\, including subdirectories
Default: Enabled (home) / Disabled (enterprise)
Prompt for credentials
Enabled: Enforces PKI certificate chain validation of a given executable before it is permitted to run.
Automatically deny elevation requests
Disabled: Enterprises running standard user desktops that leverage delegated installation technologies like Group Policy Software Install (GPSI) or SMS wil
- \Windows\system32\
User Account Control: Virtualizes file and registry write failures to per-user locations
This security setting determines whether elevation will prompt on the interactive users desktop or the Secure Desktop.
The options are:
Prompt for consent
- \Program Files (x86)\, including subdirectories for 64 bit versions of Windows
Disabled: Does not enforce PKI certificate chain validation before a given executable is permitted to run.
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.
Default: Enabled (home) / Disabled (enterprise)
This security setting enables the redirection of legacy application write failures to defined locations in both the registry and file system. This feature mitigates th
The options are:
Enabled: Admin Approval Mode and all other UAC policies are dependent on this option being enabled. Changing this setting requires a system reboot.
Note: Windows enforces a PKI signature check on any interactive application that requests execution with UIAccess integrity level regardless of the state of thi
Maximum application log size
Default: Disabled
This security setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prom
Virtualization facilitates the running of pre-Vista (legacy) applications that historically failed to run as Standard User. An administrator running only Windows Vi
Enabled: All elevation requests by default will go to the secure desktop
Disabled: Admin Approval Mode user type and all related UAC policies will be disabled. Note: the Security Center will notify that the overall security of the op
Maximum security log size
This security setting specifies the maximum size of the application event log, which has a theoretical maximum of 4 GB. Practically the limit is lower (~300MB).
The options are:
If you enable this setting, UIA programs including Windows Remote Assistance can automatically disable the secure desktop for elevation prompts. Unless you
Disabled: All elevation requests will go to the interactive users desktop
Maximum system log size
Default: Enabled
This security setting specifies the maximum size of the security event log, which has a theoretical maximum of 4 GB. Practically the limit is lower (~300MB).
Notes
Enabled: An application will only launch with UIAccess integrity if it resides in a secure location in the file system.
If you disable or do not configure this setting, the secure desktop can only be disabled by the user of the interactive desktop or by disabling the "User Account
Enabled: Facilitates the runtime redirection of application write failures to defined user locations for both the file system and registry.
Prevent local guests group and the ANONYMOUS LOGIN users from accessing application log
Default: Enabled
This security setting specifies the maximum size of the system event log, which has a theoretical maximum of 4 GB. Practically the limit is lower (~300MB).
Notes
Disabled: An application will launch with UIAccess integrity even if it does not reside in a secure location in the file system.
Log file sizes must be a multiple of 64 KB. If you enter a value that is not a multiple of 64 KB, Event Viewer will round the log file size up to a multiple of 64 KB.
Prevent local guests group and ANONYMOUS LOGIN users from accessing security log
Disabled: Applications that write data to protected locations will simply fail as they did in previous versions of Windows.
UIA programs are designed to interact with Windows and application programs on behalf of a user. This setting allows UIA programs to bypass the secure desk
This security setting determines if guests are prevented from accessing the application event log.
Notes
This setting does not appear in the Local Computer Policy object.
Default: Enabled
Log file sizes must be a multiple of 64 KB. If you enter a value that is not a multiple of 64 KB, Event Viewer will round the log file size up to a multiple of 64 KB.
Event Log size and log wrapping should be defined to match the business and security requirements you determined
Prevent local guests group and ANONYMOUS LOGIN users from accessing system log
Since UIA programs must be able to respond to prompts regarding security issues, such as the UAC elevation prompt, UIA programs must be highly trusted. In p
This security setting determines if guests are prevented from accessing the security event log.
Default: Enabled
This setting does not appear in the Local Computer Policy object.
when designing your enterprise security p
Notes
Default: For the Windows Server 2003 family, 16 MB; for Windows XP Professional Service Pack 1, 8 MB; for Windows XP Professional, 512 KB.
Log file sizes must be a multiple of 64 KB. If you enter a value that is not a multiple of 64 KB, Event Viewer will round the log file size up to a multiple of 64 KB.
..\Program Files\ (and subfolders)
Retain application log
Event Log size and log wrapping should be defined to match the business and security requirements you determined when designing your enterprise security p
This security setting determines if guests are prevented from accessing the system event log.
Notes
Default: For the Windows Server 2003 family, 16 MB; for Windows XP Professional Service Pack 1, 8 MB; for Windows XP Professional, 512 KB.
This setting does not appear in the Local Computer Policy object.
..\Program Files (x86)\ (and subfolders, in 64-bit versions of Windows only)
..\Windows\System32\
Event Log size and log wrapping should be defined to match the business and security requirements you determined when designing your enterprise security p
Retain security log
This security setting determines the number of days' worth of events to be retained for the application log if the retention method for the application log is By D
Notes
Default: For the Windows Server 2003 family, 16 MB; for Windows XP Professional Service Pack 1, 8 MB; for Windows XP Professional, 512 KB.
This setting does not appear in the Local Computer Policy object.
This setting affects only computers running Windows 2000 and Windows XP.
Retain system log
The requirement to be in a protected path can be disabled by the "User Account Control: Only elevate UIAccess applications that are installed in secure locatio
This security setting determines the number of days' worth of events to be retained for the security log if the retention method for the security log is By Days.
Set this value only if you archive the log at scheduled intervals and you make sure that the Maximum application log size is large enough to accommodate the
This setting does not appear in the Local Computer Policy object.
This setting affects only computers running Windows 2000 and Windows XP.
Retention method for application log
Default: Enabled for Windows XP, Disabled for Windows 2000
This security setting determines the number of days' worth of events to be retained for the system log if the retention method for the system log is By Days.
While this setting applies to any UIA program, it will be used primarily in certain Windows Remote Assistance scenarios. The Windows Remote Assistance pro
Set this value only if you archive the log at scheduled intervals and you make sure that the Maximum log size is large enough to accommodate the inte
Note: This setting does not appear in the Local Computer Policy object.
Retention method for security log
Default: Enabled for Windows XP, Disabled for Windows 2000
This security setting affects only computers running Windows 2000 and Windows XP.
This security setting determines the "wrapping" method for the application log.
Default: None.
Set this value only if you archive the log at scheduled intervals and you make sure that the Maximum system log size is large enough to acc*ommodate the inte
If a user requests remote assistance from an administrator and the remote assistance session is established, any elevation prompts appear on the interactive
Notes
Retention method for system log
Default: Enabled for Windows XP, Disabled for Windows 2000
requires that the interactive user respond to an elevation prompt on the secure desktop. If the interactive user is a standard user, the user does not have the r
This security setting determines the "wrapping" method for the security log.
This setting does not appear in the Local Computer Policy object.
If you do not archive the application log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite eve
Note: A user must possess the Manage auditing and security log user right to access the security log.
Restricted Groups Policy
This security setting determines the "wrapping" method for the system log.
Default: None.
Default: None.
If you enable this setting ("User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop), requests for elevatio
If you do not archive the security log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events
If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events
This setting does not change the behavior of the UAC elevation prompt for administrators.
If you do not archive the system log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events
This security setting allows an administrator to define two properties for security-sensitive groups ("restricted" groups).
If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite
If you must retain all the events in the log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Do not overw
If you plan to enable this setting, you should also review the effect of the "User Account Control: Behavior of the elevation prompt for standard users" setting. If
The two properties are Members and Member Of. The Members list defines who belongs and who does not belong to the restricted group. The Member Of list
If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite
If you must retain all the events in the log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Do not overw
Note: This setting does not appear in the Local Computer Policy object.
When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members
If you must retain all the events in the log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Do not overl
Notes
Default: None.
System Services security settings
Registry security settings
Allows an administrator to define the startup mode (manual, automatic, or disabled) as well as the access permissions (Start, Stop, or Pause) for all system se
File System security settings
Allows an administrator to define access permissions (on discretionary access control lists (DACLs)) and audit settings (on system access control lists (SACLs
Default: Undefined.
Allows an administrator to define access permissions (on discretionary access control lists (DACLs)) and audit settings (on system access control lists (SACLs
Notes
Default: Undefined.
Default: Undefined.
Note: This setting does not appear in the Local Computer Policy object.
Note: This setting does not appear in the Local Computer Policy object.
Note: This setting does not appear in the Local Computer Policy object.
If you choose to set system service startup to Automatic, perform adequate testing to verify that the services can start without user intervention.
For performance optimization, set unnecessary or unused services to Manual.
Reboot Required    Comments
No
No
No
No
No
No
No
No
No
No    clients will get the new setting after a maximum of 8 hours but for DCs to assign these new settings a Gpupdate /force is required or waiting for the usual 5 minutes when the SCE engine assigns all modified settings.
No    clients will get the new setting after a maximum of 8 hours but for DCs to assign these new settings a Gpupdate /force is required or waiting for the usual 5 minutes when the SCE engine assigns all modified settings.
No    clients will get the new setting after a maximum of 8 hours but for DCs to assign these new settings a Gpupdate /force is required or waiting for the usual 5 minutes when the SCE engine assigns all modified settings.
No    clients will get the new setting after a maximum of 8 hours but for DCs to assign these new settings a Gpupdate /force is required or waiting for the usual 5 minutes when the SCE engine assigns all modified settings.
No    clients will get the new setting after a maximum of 8 hours but for DCs to assign these new settings a Gpupdate /force is required or waiting for the usual 5 minutes when the SCE engine assigns all modified settings.
No
No
No
No
No
No
No
No
No
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Note: In Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family, the Task Scheduler automatically grants this right as necessary.
No    Logoff required
No    Note: See also the corresponding Allow log on locally policy setting, earlier in this worksheet.
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No    Logoff required
No
No
No
No
No
Yes
Yes
No
Yes
No
No
No
No
No    For the policy change to take effect, the spooler service needs to be stopped/restarted, but the system does not have to be rebooted.
No
No
No
Yes   Restart of service might be sufficient
No
No
No    Important: In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the members domain must be running Windows NT 4.0 Service Pack 6 or higher.
No
No
No
No    Important: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
No    In order to take advantage of this policy on doma
No
No
No
No
No
No
No
No
No    Important: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
No    Important: This setting will apply to any computers running Windows 2000 through changes in the registry, but the security setting is not viewable through the Security Configuration Manager tool set.
No    Only LogOff is required for W2K, XP and W2K3. On Vista, start/restart scpolicysvc will work or LogOff
Yes   Important: For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help.
Yes
Yes
Yes
No
Yes   Important: For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help.
No
No
No
No
No    Important: This policy has no impact on domain controllers. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help.
No
No
No
Yes
No    Important: The Network access: Remotely accessible registry paths security setting that appears on computers running Windows XP corresponds to the Network access: Remotely accessible registry paths and subpaths security setting on members of the Wi
No    Important: On Windows XP, this security setting was called "Network access: Remotely accessible registry paths." If you configure this setting on a member of the Windows Server 2003 family that is joined to a domain, this setting is inherited by computers running Windows 2000 Pr
Yes
Yes
No    Important: This setting only affects computers running Windows XP Professional Service Pack 2 (SP2) and above which are not joined to a domain.
No    Important: offer authentication compatibility with computers running previous versions of Windows, such as Microsoft Windows NT 4.0.
No
No    This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the netwo
Yes   Important: This policy will have no impact on computers running Windows 2000. For more information, search for "Security Setting Descriptions" in the Win
No    Warning: This setting will apply to any computers running Windows 2000 through changes in the registry but the security setting will not be viewable through the Security Configuration Manager tool set. For more information, search for "Security Setting De
No    Warning: This setting will apply to any computers running Windows 2000 through changes in the registry but the security setting will not be viewable through the Security Configuration Manager tool set. For more
No
No
No
No
No
No
No
No
No
No
No
No    Require restart of recovery console
No    Require restart of recovery console
No    Requires logoff
Yes   Vista does NOT require reboot
No
Yes   Requires reboot with CNG on Vista; Does not require reboot with CAPI on Vista; Does not require reboot on XP, 2003 with CAPI
No    This policy does not exist on Vista
Yes
Yes
Yes
No
No
No
No
No
No
No
Yes
No
No
No
No    Note: This setting does not appear in the Local Computer Policy object.
No    Note: This setting does not appear in the Local Computer Policy object.
No    Note: This setting does not appear in the Local Computer Policy object. Important: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see the "Event Log: Maximum sec
No    Notes: This setting does not appear in the Local Computer Policy object.
No    Notes: This setting does not appear in the Local Computer Policy object. This security setting affects only computers running Windows 2000, Windows Server 2003, and Windows XP.
No    Note: This setting does not appear in the Local Computer Policy object.
No    Notes: This setting does not appear in the Local Computer Policy object. This security setting affects only computers running Windows 2000, Windows Server 2003, and Windows XP.
No    Notes: This setting does not appear in the Local Computer Policy object. This security setting affects only computers running Windows 2000, Windows Server 2003, and Windows XP.
No    Note: This setting does not appear in the Local Computer Policy object. A user must possess the Manage auditing and security log user right to access the security log.
No    Note: This setting does not appear in the Local Computer Policy object. A user must possess the Manage auditing and security log user right to acces
No    Note: This setting does not appear in the Local Computer Policy object.
No    Note: This setting does not appear in the Local Computer Policy object.
Note: This setting does not appear in the Local Computer Policy object.
Note: This setting does not appear in the Local Computer Policy object.
Note: This setting does not appear in the Local Computer Policy object.