| Setting | Description | Options |
|---|---|---|
| Accounts: Administrator account status | Determines whether the local administrator account is enabled or disabled. | Enabled or Disabled |
| Accounts: Block Microsoft accounts | Prevents users from adding new Microsoft accounts to the computer; can also prevent signing in with a Microsoft account. | Disabled; Users can't add Microsoft accounts; Users can't add or sign in with Microsoft accounts |
| Accounts: Guest account status* | Determines whether the guest account is enabled or disabled. | Enabled or Disabled |
| Accounts: Limit local account use of blank password to console logon only | Determines whether local accounts without a configured password can sign in to the computer from remote computers. | Enabled or Disabled |
| Accounts: Rename administrator account | Changes the name of the local administrator account. | Enter a value (default: Administrator) |
| Accounts: Rename guest account | Changes the name of the local guest account. | Enter a value (default: Guest) |
| Audit: Audit the access of global system objects | Determines whether access to global system objects should be audited. | Enabled or Disabled |
| Audit: Audit the use of backup and restore privileges | Determines whether to audit the use of all privileges, including backup and restore. | Enabled or Disabled |
| Audit: Force audit policy subcategory settings to override policy category settings (Windows Vista or later) | Determines whether the more granular subcategory auditing should be used instead of the category settings. | Enabled or Disabled |
| Audit: Shut down system immediately if unable to log security audits** | Forces the computer to shut down if the security log is full and cannot be written to. | Enabled or Disabled |
| DCOM: Machine access restrictions in security descriptor definition language (SDDL) syntax | Determines which user accounts or groups can access DCOM applications locally or remotely; controls the attack surface of the computer for DCOM applications. | Apply security permissions, or leave blank |
| DCOM: Machine launch restrictions in security descriptor definition language (SDDL) syntax | Determines which user accounts or groups can launch DCOM applications on the computer. | Apply security permissions, or leave blank |
| Devices: Allow undock without having to log on | Determines whether a portable computer can be removed from a docking station without the user signing in. | Enabled or Disabled |
| Devices: Allowed to format and eject removable devices | Determines which groups of user accounts can eject and format removable devices. | Administrators; Administrators and Power Users; Administrators and Interactive Users |
| Devices: Prevent users from installing printer drivers | Determines whether user accounts can install printer drivers for remote printers; does not affect local printers or administrators. | Enabled or Disabled |
| Devices: Restrict CD-ROM access to locally logged on users only | Determines whether the CD-ROM device is available to local and remote users simultaneously. | Enabled or Disabled |
| Devices: Restrict floppy access to locally logged on users only | Determines whether removable floppy media is available for local and remote access simultaneously. | Enabled or Disabled |
| Domain controller: Allow server operators to schedule tasks | Determines whether the Server Operators group can submit tasks by using the AT scheduling utility. | Enabled or Disabled |
| Domain controller: LDAP server signing requirements | Determines whether the LDAP server requires LDAP clients to negotiate signing. | None or Require signing |
| Domain controller: Refuse machine account password changes | Determines whether domain controllers will refuse requests by domain member computers to change their computer account passwords. | Enabled or Disabled |
| Domain member: Digitally encrypt or sign secure channel data (always) | Determines whether secure channel traffic initiated by this computer must be encrypted or signed. | Enabled or Disabled |
| Domain member: Digitally encrypt secure channel data (when possible) | Determines whether this computer will attempt to negotiate encryption for all secure channel traffic it initiates. | Enabled or Disabled |
| Domain member: Digitally sign secure channel data (when possible) | Determines whether this computer will attempt to negotiate signing for all secure channel traffic it initiates. | Enabled or Disabled |
| Domain member: Disable machine account password changes | Determines whether domain member computers will periodically change their computer account passwords. | Enabled or Disabled |
| Domain member: Maximum machine account password age | Determines the maximum password age for computer accounts within a domain. | Enter a number of days (default: 30 days) |
| Domain member: Require strong session key (Windows 2000 or later) | Determines whether 128-bit key strength is required for secure channel data. | Enabled or Disabled |
| Interactive logon: Display user information when session is locked | Determines what user information is displayed when an account has locked the workstation. | User display name, domain and user names; User display name only; Do not display user information |
| Interactive logon: Do not display last user name | Determines whether the user name of the last user to sign in is displayed on the Windows sign-in screen. | Enabled or Disabled |
| Interactive logon: Do not require Ctrl+Alt+Delete | Determines whether pressing Ctrl+Alt+Delete is required when signing in. | Enabled or Disabled |
| Interactive logon: Machine account lockout threshold | Determines the number of failed sign-in attempts that cause the computer to be locked out; only enforced on computers that use BitLocker to encrypt system volumes. | Enter the number of attempts allowed before the machine account is locked out |
| Interactive logon: Machine inactivity limit | Determines the number of seconds of inactivity after which the computer is locked. | Enter the number of seconds of inactivity allowed before the computer is locked |
| Interactive logon: Message text for users attempting to log on | The text displayed to users signing in interactively. | Enter a value (default: empty) |
| Interactive logon: Message title for users attempting to log on | The title of the message box displayed to users signing in interactively. | Enter a value (default: empty) |
| Interactive logon: Number of previous logons to cache | Determines how many sign-ins are cached locally so that users can sign in when a domain controller is unavailable. | Enter a value (default: 10 logons) |
| Interactive logon: Prompt user to change password before expiration | Specifies the number of days in advance to alert the signed-in user that the account password will expire. | Enter a value (default: 6 days) |
| Interactive logon: Require domain controller authentication to unlock workstation | If enabled, sign-in information must be provided to unlock a computer; for domain accounts, determines whether a domain controller must be contacted to unlock the workstation. | Enabled or Disabled |
| Interactive logon: Require smart card | Determines whether interactive sign-ins require the use of a smart card. | Enabled or Disabled |
| Interactive logon: Smart card removal behavior | Specifies the action taken when a smart card is removed. | No action; Lock workstation; Force sign-out; Disconnect if a Remote Desktop Services session |
| Microsoft network client: Digitally sign communications (always) | Determines whether the SMB client component requires packet signing. | Enabled or Disabled |
| Microsoft network client: Digitally sign communications (if server agrees) | Determines whether the SMB client will attempt to negotiate packet signing. | Enabled or Disabled |
| Microsoft network client: Send unencrypted password to third-party SMB servers | If enabled, allows the SMB redirector to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. | Enabled or Disabled |
| Microsoft network server: Amount of idle time required before suspending session | Specifies the amount of continuous idle time that must pass before an SMB session is suspended for inactivity. | Enter a value (default: 15 minutes) |
| Microsoft network server: Attempt S4U2Self to obtain claim information | Determines whether clients running earlier versions of Windows are allowed to access file shares that require user claims. | Default; Enabled; Disabled |
| Microsoft network server: Digitally sign communications (always) | Determines whether the SMB server component requires packet signing. | Enabled or Disabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Determines whether the SMB server will negotiate packet signing if the client requests it. | Enabled or Disabled |
| Microsoft network server: Disconnect clients when logon hours expire | Determines whether SMB-connected clients should be disconnected outside their permitted sign-in hours. | Enabled or Disabled |
| Microsoft network server: Server SPN target name validation level | Controls the level of validation a computer sharing resources performs on the service principal name (SPN) provided by connecting client computers. | Off; Accept if provided by client; Required from client |
| Network access: Allow anonymous SID/Name translation | Determines whether an anonymous user can request security identifier (SID) attributes for another user account. | Enabled or Disabled |
| Network access: Do not allow anonymous enumeration of SAM accounts | Determines which additional permissions are granted to anonymous connections to the computer. | Enabled or Disabled |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Determines whether anonymous enumeration of SAM accounts and shares is allowed. | Enabled or Disabled |
| Network access: Do not allow storage of passwords and credentials for network authentication | Determines whether Credential Manager saves passwords and credentials for later use after it gains domain authentication. | Enabled or Disabled |
| Network access: Let Everyone permissions apply to anonymous users | If enabled, the Everyone SID and its permissions are added to the anonymous user's token at sign-in. | Enabled or Disabled |
| Network access: Named Pipes that can be accessed anonymously | Determines which communication sessions (named pipes) allow anonymous access. | Enter a value (default: none) |
| Network access: Remotely accessible registry paths | Determines which registry paths/keys can be accessed over the network. | \System\CurrentControlSet\Control\ProductOptions; \System\CurrentControlSet\Control\Server Applications; \Software\Microsoft\Windows NT\CurrentVersion |
| Network access: Remotely accessible registry paths and subpaths | Determines which registry paths and their subpaths can be accessed over the network. | \System\CurrentControlSet\Control\Print\Printers; \System\CurrentControlSet\Services\Eventlog; \Software\Microsoft\OLAP Server; \Software\Microsoft\Windows NT\CurrentVersion\Print; \Software\Microsoft\Windows NT\CurrentVersion\Windows; \System\CurrentControlSet\Control\ContentIndex; \System\CurrentControlSet\Control\Terminal Server; \System\CurrentControlSet\Control\Terminal Server\UserConfig; \System\CurrentControlSet\Control\Terminal Server\DefaultUserConfig; \Software\Microsoft\Windows NT\CurrentVersion\Perflib; \System\CurrentControlSet\Services\SysmonLog |
| Network access: Restrict anonymous access to Named Pipes and Shares | Restricts anonymous access to only the named pipes and shares listed in the "Named Pipes that can be accessed anonymously" and "Shares that can be accessed anonymously" settings. | Enabled or Disabled |
| Network access: Shares that can be accessed anonymously | Determines which network shares can be accessed by anonymous users. | Enter a value (default: none) |
| Network access: Sharing and security model for local accounts | Determines how network sign-ins that use local accounts are authenticated. | Classic - users authenticate as themselves; Guest only - local users authenticate as Guest |
| Network security: Allow Local System to use computer identity for NTLM | Allows Local System services that negotiate NTLM authentication to use the computer identity. | Enabled or Disabled |
| Network security: Allow LocalSystem NULL session fallback | Allows NTLM to fall back to a NULL session when used with the LocalSystem account. | Enabled or Disabled |
| Network security: Allow PKU2U authentication requests to this computer to use online identities | Prevents online identities from authenticating to domain-joined machines. | Enabled or Disabled |
| Network security: Configure encryption types allowed for Kerberos | Configures the encryption types that Kerberos is allowed to use. | None selected (default) |
| Network security: Do not store LAN Manager hash value on next password change | Determines whether the LAN Manager hash value for the new password is stored following a password change. | Enabled or Disabled |
| Network security: Force logoff when logon hours expire | Determines whether user accounts connected to SMB resources are disconnected outside their permitted sign-in hours. | Enabled or Disabled |
| Network security: LAN Manager authentication level | Determines which challenge/response authentication protocol is used for network sign-ins. | Send LM & NTLM responses; Send LM & NTLM - use NTLMv2 session security if negotiated; Send NTLM responses only; Send NTLMv2 responses only; Send NTLMv2 responses only - refuse LM; Send NTLMv2 responses only - refuse LM and NTLM |
| Network security: LDAP client signing requirements | Determines the level of data signing requested on behalf of clients issuing LDAP BIND requests. | None; Negotiate signing; Require signing |
| Network security: Minimum session security for NTLM SSP-based (including secure RPC) clients | Allows the client to require negotiation of 128-bit encryption and/or NTLMv2 session security. | Require NTLMv2 session security; Require 128-bit encryption |
| Network security: Minimum session security for NTLM SSP-based (including secure RPC) servers | Allows the server to require negotiation of 128-bit encryption and/or NTLMv2 session security. | Require NTLMv2 session security; Require 128-bit encryption |
| Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication | Creates an exception list of remote servers to which NTLM may still be used when the "Restrict NTLM: Outgoing NTLM traffic to remote servers" setting is enabled. | Enter values (default: none) |
| Network security: Restrict NTLM: Add server exceptions in this domain | Creates an exception list of servers within the domain to which NTLM may still be used. | Enter values (default: none) |
| Network security: Restrict NTLM: Audit incoming NTLM traffic | Enables auditing of incoming NTLM traffic to this computer. | Disable; Enable auditing for domain accounts; Enable auditing for all accounts |
| Network security: Restrict NTLM: Audit NTLM authentication in this domain | Enables auditing of NTLM authentication in the domain from this domain controller. | Disable; Enable for domain accounts to domain servers; Enable for domain accounts; Enable for domain servers; Enable all |
| Network security: Restrict NTLM: Incoming NTLM traffic | Determines whether incoming NTLM traffic to this computer is restricted. | Allow all; Deny all domain accounts; Deny all accounts |
| Network security: Restrict NTLM: NTLM authentication in this domain | Determines whether NTLM authentication in this domain is restricted. | Disable; Deny for domain accounts to domain servers; Deny for all domain accounts; Deny for all domain servers; Deny all |
| Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers | Allows you to deny or audit outgoing NTLM traffic from this computer to any remote Windows server. | Allow all; Audit all; Deny all |
| Recovery console: Allow automatic administrative logon | Determines whether the administrator password must be provided to access the Recovery Console. | Enabled or Disabled |
| Recovery console: Allow floppy copy and access to all drives and all folders | Determines whether the SET command is available in the Recovery Console. | Enabled or Disabled |
| Shutdown: Allow system to be shut down without having to log on | Determines whether the computer can be shut down without requiring someone to sign in. | Enabled or Disabled |
| Shutdown: Clear virtual memory page file | Determines whether the virtual memory page file is cleared when the computer shuts down. | Enabled or Disabled |
| System cryptography: Force strong key protection for user keys stored on the computer | Determines whether users' private keys require a password before they can be used. | User input is not required when new keys are stored and used; User is prompted when the key is first used; User must enter a password each time a key is used |
| System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing | Determines whether SSL should be disabled for SSP communication and whether Triple DES (3DES) and AES should be used. | Enabled or Disabled |
| System objects: Require case insensitivity for non-Windows subsystems | Determines whether case insensitivity is enforced for all subsystems. | Enabled or Disabled |
| System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links) | Determines the strength of the default discretionary access control list (DACL) for system objects. | Enabled or Disabled |
| System settings: Optional subsystems | Determines which optional subsystems can be started to support applications. | POSIX (default) |
| System settings: Use certificate rules on Windows executables for software restriction policies | Determines whether digital certificates are processed when applications with an .exe file name extension are run. | Enabled or Disabled |
| User Account Control: Admin Approval Mode for the built-in Administrator account | Controls the behavior of Admin Approval Mode for the built-in Administrator account. | Enabled or Disabled |
| User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Controls whether User Interface Accessibility (UIAccess) programs can automatically disable the secure desktop for elevation prompts shown to a standard user. | Enabled or Disabled |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Controls the behavior of the elevation prompt for administrators. | Elevate without prompting; Prompt for credentials on the secure desktop; Prompt for consent on the secure desktop; Prompt for credentials; Prompt for consent; Prompt for consent for non-Windows binaries |
| User Account Control: Behavior of the elevation prompt for standard users | Controls the behavior of the elevation prompt for standard users. | Automatically deny elevation requests; Prompt for credentials on the secure desktop; Prompt for credentials |
| User Account Control: Detect application installations and prompt for elevation | Controls the behavior of application installation detection for the computer. | Enabled or Disabled |
| User Account Control: Only elevate executables that are signed and validated | Enforces public key infrastructure (PKI) signature checks on any interactive application that requests elevation of privilege. | Enabled or Disabled |
| User Account Control: Only elevate UIAccess applications that are installed in secure locations | Controls whether applications requesting to run with a UIAccess integrity level must reside in a secure location. | Enabled or Disabled |
| User Account Control: Run all administrators in Admin Approval Mode | Controls the behavior of all UAC policy settings for the computer. | Enabled or Disabled |
| User Account Control: Switch to the secure desktop when prompting for elevation | Controls whether the elevation request prompt is displayed on the secure desktop or on the user's standard desktop. | Enabled or Disabled |
| User Account Control: Virtualize file and registry write failures to per-user locations | Controls whether application write failures are redirected to predetermined per-user registry and file system locations. | Enabled or Disabled |