| Policy | Security Setting |
|---|---|
| Accounts: Administrator account status | Not Applicable |
| Accounts: Guest account status | Not Applicable |
| Accounts: Limit local account use of blank passwords to console logon only | Enabled |
| Accounts: Rename administrator account | Administrator |
| Accounts: Rename guest account | Guest |
| Audit: Audit the access of global system objects | Enabled |
| Audit: Audit the use of Backup and Restore privilege | Disabled |
| Audit: Shut down system immediately if unable to log security audits | Disabled |
| DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax | Not defined |
| DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax | Not defined |
| Devices: Allow undock without having to log on | Enabled |
| Devices: Allowed to format and eject removable media | Administrators |
| Devices: Prevent users from installing printer drivers | Disabled |
| Devices: Restrict CD-ROM access to locally logged-on user only | Disabled |
| Devices: Restrict floppy access to locally logged-on user only | Disabled |
| Devices: Unsigned driver installation behavior | Warn but allow installation |
| Domain controller: Allow server operators to schedule tasks | Not defined |
| Domain controller: LDAP server signing requirements | Not defined |
| Domain controller: Refuse machine account password changes | Not defined |
| Domain member: Digitally encrypt or sign secure channel data (always) | Enabled |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled |
| Domain member: Digitally sign secure channel data (when possible) | Enabled |
| Domain member: Disable machine account password changes | Disabled |
| Domain member: Maximum machine account password age | 30 days |
| Domain member: Require strong (Windows 2000 or later) session key | Enabled |
| Interactive logon: Do not display last user name | Disabled |
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled |
| Interactive logon: Message text for users attempting to log on | |
| Interactive logon: Message title for users attempting to log on | |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 10 logons |
| Interactive logon: Prompt user to change password before expiration | 14 days |
| Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled |
| Interactive logon: Require smart card | Not defined |
| Interactive logon: Smart card removal behavior | No Action |
| Microsoft network client: Digitally sign communications (always) | Disabled |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled |
| Microsoft network server: Amount of idle time required before suspending session | 15 minutes |
| Microsoft network server: Digitally sign communications (always) | Disabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Disabled |
| Microsoft network server: Disconnect clients when logon hours expire | Enabled |
| Network access: Allow anonymous SID/Name translation | Disabled |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled |
| Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled |
| Network access: Let Everyone permissions apply to anonymous users | Disabled |
| Network access: Named Pipes that can be accessed anonymously | (If you are currently sharing files from your computer, do not change this field; if you do not want to share files from your computer, delete any entries that exist here) |
| Network access: Remotely accessible registry paths | |
| Network access: Shares that can be accessed anonymously | (If you are currently sharing files from your computer, do not change this field; if you do not want to share files from your computer, delete any entries that exist here) |
| Network access: Sharing and security model for local accounts | Classic: Local users authenticate as themselves |
| Network security: Do not store LAN Manager hash value on next password change | Enabled |
| Network security: Force logoff when logon hours expire | Disabled |
| Network security: LAN Manager authentication level | Send NTLMv2 response only\refuse LM & NTLM |
| Network security: LDAP client signing requirements | Negotiate signing |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) | Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) | Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption |
| Recovery console: Allow automatic administrative logon | Disabled |
| Recovery console: Allow floppy copy and access to all drives and all folders | Disabled |
| Shutdown: Allow system to be shut down without having to log on | Enabled |
| Shutdown: Clear virtual memory pagefile | Disabled |
| System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled |
| System objects: Default owner for objects created by members of the Administrators group | Object creator |
| System objects: Require case insensitivity for non-Windows subsystems | Enabled |
| System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled |
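One way to check a machine against the values in this table, as an added PowerShell audit script that is not part of the original page: it reads the registry values that back a subset of the Security Options above (the standard locations Windows stores these policies in) and reports every row whose live value differs from the table. Policies without a simple registry DWORD behind them (anonymous SID/Name translation, the cached-logons count, the logon message text, the NTLM minimum session security rows) are left out; a value that is absent is reported as drift because the OS default then applies.

```powershell
# Added audit script (not from the original page). Expected values encode the table's settings;
# registry paths and value names are the standard backing store for these Security Options.
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$nlog = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$wks  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wlog = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$mem  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Table row -> (registry key, value name, expected DWORD). Enabled = 1, Disabled = 0.
$checks = @(
  @{ Policy='Accounts: Limit local account use of blank passwords to console logon only'; Key=$lsa;  Name='LimitBlankPasswordUse';     Expect=1  },
  @{ Policy='Devices: Allow undock without having to log on';                             Key=$wlog; Name='UndockWithoutLogon';        Expect=1  },
  @{ Policy='Domain member: Digitally encrypt or sign secure channel data (always)';      Key=$nlog; Name='RequireSignOrSeal';         Expect=1  },
  @{ Policy='Domain member: Digitally encrypt secure channel data (when possible)';       Key=$nlog; Name='SealSecureChannel';         Expect=1  },
  @{ Policy='Domain member: Digitally sign secure channel data (when possible)';          Key=$nlog; Name='SignSecureChannel';         Expect=1  },
  @{ Policy='Domain member: Disable machine account password changes';                   Key=$nlog; Name='DisablePasswordChange';     Expect=0  },
  @{ Policy='Domain member: Maximum machine account password age';                       Key=$nlog; Name='MaximumPasswordAge';        Expect=30 },
  @{ Policy='Domain member: Require strong (Windows 2000 or later) session key';         Key=$nlog; Name='RequireStrongKey';          Expect=1  },
  @{ Policy='Interactive logon: Do not display last user name';                          Key=$wlog; Name='DontDisplayLastUserName';   Expect=0  },
  @{ Policy='Interactive logon: Do not require CTRL+ALT+DEL';                            Key=$wlog; Name='DisableCAD';                Expect=0  },
  @{ Policy='Microsoft network client: Digitally sign communications (always)';          Key=$wks;  Name='RequireSecuritySignature';  Expect=0  },
  @{ Policy='Microsoft network client: Digitally sign communications (if server agrees)';Key=$wks;  Name='EnableSecuritySignature';   Expect=1  },
  @{ Policy='Microsoft network client: Send unencrypted password to third-party SMB servers'; Key=$wks; Name='EnablePlainTextPassword'; Expect=0 },
  @{ Policy='Microsoft network server: Amount of idle time required before suspending session'; Key=$srv; Name='AutoDisconnect';     Expect=15 },
  @{ Policy='Microsoft network server: Digitally sign communications (always)';          Key=$srv;  Name='RequireSecuritySignature';  Expect=0  },
  @{ Policy='Microsoft network server: Digitally sign communications (if client agrees)';Key=$srv;  Name='EnableSecuritySignature';   Expect=0  },
  @{ Policy='Network access: Do not allow anonymous enumeration of SAM accounts';        Key=$lsa;  Name='RestrictAnonymousSAM';      Expect=1  },
  @{ Policy='Network access: Do not allow anonymous enumeration of SAM accounts and shares'; Key=$lsa; Name='RestrictAnonymous';      Expect=1  },
  @{ Policy='Network access: Let Everyone permissions apply to anonymous users';         Key=$lsa;  Name='EveryoneIncludesAnonymous'; Expect=0  },
  @{ Policy='Network security: Do not store LAN Manager hash value on next password change'; Key=$lsa; Name='NoLMHash';              Expect=1  },
  @{ Policy='Network security: LAN Manager authentication level';                        Key=$lsa;  Name='LmCompatibilityLevel';      Expect=5  },
  @{ Policy='Shutdown: Allow system to be shut down without having to log on';           Key=$wlog; Name='ShutdownWithoutLogon';      Expect=1  },
  @{ Policy='Shutdown: Clear virtual memory pagefile';                                   Key=$mem;  Name='ClearPageFileAtShutdown';   Expect=0  }
)

$results = foreach ($c in $checks) {
  # A missing value is reported as '(not set)' and counted as drift: the OS default then governs.
  $actual = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
  [pscustomobject]@{
    Policy   = $c.Policy
    Expected = $c.Expect
    Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
    Status   = if ($actual -eq $c.Expect) { 'OK' } else { 'DRIFT' }
  }
}
$results | Sort-Object Status | Format-Table Status, Expected, Actual, Policy -AutoSize -Wrap
```

Run it from an elevated prompt on the machine being checked; any DRIFT row is a setting that has moved away from the table, which is the starting point for deciding whether the table or the machine is right.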