| Policy | Security Setting |
|---|---|
| Accounts: Administrator account status | Not Applicable |
| Accounts: Guest account status | Not Applicable |
| Accounts: Limit local account use of blank passwords to console logon only | Enabled |
| Accounts: Rename administrator account | Administrator |
| Accounts: Rename guest account | Guest |
| Audit: Audit the access of global system objects | Enabled |
| Audit: Audit the use of Backup and Restore privilege | Disabled |
| Audit: Shut down system immediately if unable to log security audits | Disabled |
| DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax | Not defined |
| DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax | Not defined |
| Devices: Allow undock without having to log on | Enabled |
| Devices: Allowed to format and eject removable media | Administrators |
| Devices: Prevent users from installing printer drivers | Disabled |
| Devices: Restrict CD-ROM access to locally logged-on user only | Disabled |
| Devices: Restrict floppy access to locally logged-on user only | Disabled |
| Devices: Unsigned driver installation behavior | Warn but allow installation |
| Domain controller: Allow server operators to schedule tasks | Not defined |
| Domain controller: LDAP server signing requirements | Not defined |
| Domain controller: Refuse machine account password changes | Not defined |
| Domain member: Digitally encrypt or sign secure channel data (always) | Enabled |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled |
| Domain member: Digitally sign secure channel data (when possible) | Enabled |
| Domain member: Disable machine account password changes | Disabled |
| Domain member: Maximum machine account password age | 30 days |
| Domain member: Require strong (Windows 2000 or later) session key | Enabled |
| Interactive logon: Do not display last user name | Disabled |
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled |
| Interactive logon: Message text for users attempting to log on | |
| Interactive logon: Message title for users attempting to log on | |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 10 logons |
| Interactive logon: Prompt user to change password before expiration | 14 days |
| Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled |
| Interactive logon: Require smart card | Not defined |
| Interactive logon: Smart card removal behavior | No Action |
| Microsoft network client: Digitally sign communications (always) | Disabled |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled |
| Microsoft network server: Amount of idle time required before suspending session | 15 minutes |
| Microsoft network server: Digitally sign communications (always) | Disabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Disabled |
| Microsoft network server: Disconnect clients when logon hours expire | Enabled |
| Network access: Allow anonymous SID/Name translation | Disabled |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled |
| Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled |
| Network access: Let Everyone permissions apply to anonymous users | Disabled |
| Network access: Named Pipes that can be accessed anonymously | (If you are currently sharing files from your computer, do not change this field; if you do not want to share files on your computer, delete any entries that exist here) |
| Network access: Remotely accessible registry paths | |
| Network access: Shares that can be accessed anonymously | (If you are currently sharing files from your computer, do not change this field; if you do not want to share files on your computer, delete any entries that exist here) |
| Network access: Sharing and security model for local accounts | Classic: Local users authenticate as themselves |
| Network security: Do not store LAN Manager hash value on next password change | Enabled |
| Network security: Force logoff when logon hours expire | Disabled |
| Network security: LAN Manager authentication level | Send NTLMv2 response only\refuse LM & NTLM |
| Network security: LDAP client signing requirements | Negotiate signing |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) | Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) | Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption |
| Recovery console: Allow automatic administrative logon | Disabled |
| Recovery console: Allow floppy copy and access to all drives and all folders | Disabled |
| Shutdown: Allow system to be shut down without having to log on | Enabled |
| Shutdown: Clear virtual memory pagefile | Disabled |
| System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled |
| System objects: Default owner for objects created by members of the Administrators group | Object creator |
| System objects: Require case insensitivity for non-Windows subsystems | Enabled |
| System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled |
| System settings: Optional subsystems | |
| System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Disabled |
| User Account Control: Admin Approval Mode for the Built-in Administrator account | Default is Disabled. ASG recommends you test your computer with this Enabled; if you have no issues, continue to use this feature Enabled. If you find you have issues, set this to Disabled so that you get full compatibility with Windows XP version programs. |
| User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent |
| User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials |
| User Account Control: Detect application installations and prompt for elevation | Enabled |
| User Account Control: Only elevate executables that are signed and validated | Disabled |
| User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
| User Account Control: Run all users, including administrators, as standard users | Disabled |
| User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
| User Account Control: Virtualizes file and registry write failures to per-user locations | Enabled |
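A practitioner applying this baseline usually wants a way to verify that a machine actually matches it. The following PowerShell script is an added audit example, not part of the original baseline page, and it is written from a defender's standpoint: it reads the registry values that back the registry-based rows of the table above and reports OK, MISMATCH, or Missing for each. The registry paths and value names are the standard backing locations for these security options; the expected numeric values are the encodings of the settings listed above (for example, LmCompatibilityLevel 5 for "Send NTLMv2 response only\refuse LM & NTLM", and 0x20080030 for all four NTLM SSP session-security flags). Rows with no registry backing (account status, renamed accounts, SDDL restrictions, anonymous pipes and shares, the logon banner) are deliberately left out; those would need a secedit export for comparison. The function name Test-SecurityBaseline and the $Baseline variable are my own choices.

```powershell
# Added audit script (not from the original baseline page).
# Only registry-backed settings are checked; see the lead-in for what is omitted.
# Run in an elevated PowerShell session so every HKLM key is readable.

$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv      = "$Lsa\MSV1_0"
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Wks      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$Srv      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Uac      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Ldap     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$MemMgmt  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Expected values encode the settings in the table above.
$Baseline = @(
    @{ Policy = 'Accounts: Limit local account use of blank passwords to console logon only'; Path = $Lsa;      Name = 'LimitBlankPasswordUse';       Expected = 1 }
    @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)';       Path = $Netlogon; Name = 'RequireSignOrSeal';           Expected = 1 }
    @{ Policy = 'Domain member: Digitally encrypt secure channel data (when possible)';        Path = $Netlogon; Name = 'SealSecureChannel';           Expected = 1 }
    @{ Policy = 'Domain member: Digitally sign secure channel data (when possible)';           Path = $Netlogon; Name = 'SignSecureChannel';           Expected = 1 }
    @{ Policy = 'Domain member: Disable machine account password changes';                     Path = $Netlogon; Name = 'DisablePasswordChange';       Expected = 0 }
    @{ Policy = 'Domain member: Maximum machine account password age (days)';                  Path = $Netlogon; Name = 'MaximumPasswordAge';          Expected = 30 }
    @{ Policy = 'Domain member: Require strong session key';                                   Path = $Netlogon; Name = 'RequireStrongKey';            Expected = 1 }
    @{ Policy = 'Interactive logon: Number of previous logons to cache';                       Path = $Winlogon; Name = 'CachedLogonsCount';           Expected = '10' }
    @{ Policy = 'Interactive logon: Prompt user to change password before expiration (days)';  Path = $Winlogon; Name = 'PasswordExpiryWarning';       Expected = 14 }
    @{ Policy = 'Microsoft network client: Digitally sign communications (always)';            Path = $Wks;      Name = 'RequireSecuritySignature';    Expected = 0 }
    @{ Policy = 'Microsoft network client: Digitally sign communications (if server agrees)';  Path = $Wks;      Name = 'EnableSecuritySignature';     Expected = 1 }
    @{ Policy = 'Microsoft network client: Send unencrypted password to third-party SMB servers'; Path = $Wks;   Name = 'EnablePlainTextPassword';     Expected = 0 }
    @{ Policy = 'Microsoft network server: Idle time before suspending session (minutes)';     Path = $Srv;      Name = 'AutoDisconnect';              Expected = 15 }
    @{ Policy = 'Microsoft network server: Digitally sign communications (always)';            Path = $Srv;      Name = 'RequireSecuritySignature';    Expected = 0 }
    @{ Policy = 'Microsoft network server: Digitally sign communications (if client agrees)';  Path = $Srv;      Name = 'EnableSecuritySignature';     Expected = 0 }
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts';          Path = $Lsa;      Name = 'RestrictAnonymousSAM';        Expected = 1 }
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'; Path = $Lsa;    Name = 'RestrictAnonymous';           Expected = 1 }
    @{ Policy = 'Network access: Do not allow storage of credentials for network authentication'; Path = $Lsa;   Name = 'DisableDomainCreds';          Expected = 1 }
    @{ Policy = 'Network access: Let Everyone permissions apply to anonymous users';           Path = $Lsa;      Name = 'EveryoneIncludesAnonymous';   Expected = 0 }
    @{ Policy = 'Network access: Sharing and security model for local accounts (Classic)';     Path = $Lsa;      Name = 'ForceGuest';                  Expected = 0 }
    @{ Policy = 'Network security: Do not store LAN Manager hash value';                       Path = $Lsa;      Name = 'NoLMHash';                    Expected = 1 }
    @{ Policy = 'Network security: LAN Manager authentication level (NTLMv2 only, refuse LM & NTLM)'; Path = $Lsa; Name = 'LmCompatibilityLevel';      Expected = 5 }
    @{ Policy = 'Network security: LDAP client signing requirements (Negotiate signing)';      Path = $Ldap;     Name = 'LDAPClientIntegrity';         Expected = 1 }
    @{ Policy = 'Network security: Minimum session security for NTLM SSP clients';             Path = $Msv;      Name = 'NTLMMinClientSec';            Expected = 0x20080030 }
    @{ Policy = 'Network security: Minimum session security for NTLM SSP servers';             Path = $Msv;      Name = 'NTLMMinServerSec';            Expected = 0x20080030 }
    @{ Policy = 'Shutdown: Clear virtual memory pagefile';                                     Path = $MemMgmt;  Name = 'ClearPageFileAtShutdown';     Expected = 0 }
    @{ Policy = 'UAC: Allow UIAccess applications to prompt without the secure desktop';       Path = $Uac;      Name = 'EnableUIADesktopToggle';      Expected = 0 }
    @{ Policy = 'UAC: Elevation prompt for administrators (Prompt for consent)';               Path = $Uac;      Name = 'ConsentPromptBehaviorAdmin';  Expected = 2 }
    @{ Policy = 'UAC: Elevation prompt for standard users (Prompt for credentials)';           Path = $Uac;      Name = 'ConsentPromptBehaviorUser';   Expected = 1 }
    @{ Policy = 'UAC: Detect application installations and prompt for elevation';             Path = $Uac;      Name = 'EnableInstallerDetection';    Expected = 1 }
    @{ Policy = 'UAC: Only elevate executables that are signed and validated';                 Path = $Uac;      Name = 'ValidateAdminCodeSignatures'; Expected = 0 }
    @{ Policy = 'UAC: Only elevate UIAccess applications installed in secure locations';      Path = $Uac;      Name = 'EnableSecureUIAPaths';        Expected = 1 }
    @{ Policy = 'UAC: Switch to the secure desktop when prompting for elevation';              Path = $Uac;      Name = 'PromptOnSecureDesktop';       Expected = 1 }
    @{ Policy = 'UAC: Virtualize file and registry write failures to per-user locations';      Path = $Uac;      Name = 'EnableVirtualization';        Expected = 1 }
)

function Test-SecurityBaseline {
    param([array]$Checks = $Baseline)
    foreach ($c in $Checks) {
        # A missing value means the OS default applies, which may or may not match the baseline.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $actual = $null
            $status = 'Missing'
        } else {
            $actual = $item.$($c.Name)
            # Compare as strings so REG_SZ values such as CachedLogonsCount work the same as DWORDs.
            $status = if ("$actual" -eq "$($c.Expected)") { 'OK' } else { 'MISMATCH' }
        }
        [pscustomobject]@{
            Status   = $status
            Policy   = $c.Policy
            Expected = $c.Expected
            Actual   = $actual
            Key      = "$($c.Path)\$($c.Name)"
        }
    }
}

# Mismatches and missing values sort ahead of OK rows so drift is visible at the top.
Test-SecurityBaseline | Sort-Object Status | Format-Table -AutoSize -Wrap
```

The script only reads the registry, so it is safe to run on a production host; remediation is still done through Local Security Policy or Group Policy so the change is tracked there rather than written directly to the registry. One row per policy lets the output be piped to Export-Csv for a fleet-wide comparison.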