Windows 8 : Managing authorization and access rights (part 2) - Local Security Policy console

7/21/2014 9:17:37 PM

Local Security Policy console

In addition to user rights assignments, a set of security options can be configured in the Local Security Policy console. Table 2 lists and defines the security options available in Windows 8. To reach them, expand the Local Policies section of the Local Security Policy console and select the Security Options node. In the table, the default configuration option is shown in bold type; for settings that are not configured by default, all options appear in regular type.

Note

SECURITY OPTIONS ASSIGNED TO ITEMS

The security options available here are not assigned specifically to user accounts or groups, but they do control access to certain items on the computer.

Here are some terms that appear in the table and that you should know:

  • Service principal name (SPN): The name a client uses to uniquely identify an instance of a service

  • NT LAN Manager (NTLM): A suite of protocols that provide authentication, integrity, and confidentiality to computer users

  • Lightweight Directory Access Protocol (LDAP): An application-level protocol for accessing directory service information over an Internet Protocol (IP) network

  • Symbolic link: A special file that contains a reference to another file by using an absolute or a relative path

  • BitLocker: An encryption method that encrypts entire volumes of information

  • Secure desktop: An isolated environment displayed during User Account Control (UAC) elevation requests in which only certain applications are allowed to run

  • PKU2U: A public key authentication mechanism for peer-to-peer authentication between two user accounts

Note

SECURITY ALERT UNINTENDED CONSEQUENCES

Items in Table 2 marked with an asterisk (*) can have unintended consequences if disabled. Items marked with a double asterisk (**) can have unintended consequences, including inaccessible accounts or computers, if enabled. Read the explanations and your organization’s policies thoroughly before modifying these settings.

Table 2. Local security options

Each entry gives the policy name, its description, and its configuration options.

Accounts: Administrator account status
  Description: Determines whether the local Administrator account is enabled or disabled.
  Options: Enabled or Disabled

Accounts: Block Microsoft accounts
  Description: Prevents users from adding new Microsoft accounts to the computer; can also prevent signing in with a Microsoft account.
  Options: Disabled; Users can’t add Microsoft accounts; Users can’t add or sign in with Microsoft accounts

Accounts: Guest account status*
  Description: Determines whether the Guest account is enabled or disabled.
  Options: Enabled or Disabled

Accounts: Limit local account use of blank password to console logon only
  Description: Determines whether local accounts that have no password configured can sign in to the computer from remote computers.
  Options: Enabled or Disabled

Accounts: Rename administrator account
  Description: Changes the name of the local Administrator account.
  Options: Enter a value or Administrator

Accounts: Rename guest account
  Description: Changes the name of the local Guest account.
  Options: Enter a value or Guest

Audit: Audit the access of global system objects
  Description: Determines whether access to global system objects is audited.
  Options: Enabled or Disabled

Audit: Audit the use of backup and restore privileges
  Description: Determines whether the use of all user privileges, including backup and restore, is audited.
  Options: Enabled or Disabled

Audit: Force audit policy subcategory settings to override audit policy category settings (Windows Vista or later)
  Description: Determines whether the more granular audit policy subcategories are used instead of the audit policy categories.
  Options: Enabled or Disabled

Audit: Shut down system immediately if unable to log security audits**
  Description: Forces the computer to shut down if the security log is full and events cannot be written to it.
  Options: Enabled or Disabled

DCOM: Machine access restrictions in Security Descriptor Definition Language (SDDL) syntax
  Description: Determines which user accounts or groups can access DCOM applications locally or remotely; controls the DCOM attack surface of the computer.
  Options: Apply security permissions or leave blank

DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax
  Description: Determines which user accounts or groups can launch DCOM applications on the computer.
  Options: Apply security permissions or leave blank

Devices: Allow undock without having to log on
  Description: Determines whether a portable computer can be removed from a docking station without the user having to sign in.
  Options: Enabled or Disabled

Devices: Allowed to format and eject removable devices
  Description: Determines which groups of user accounts can format and eject removable devices.
  Options: Administrators; Administrators and Power Users; Administrators and Interactive Users

Devices: Prevent users from installing printer drivers
  Description: Determines whether users can install printer drivers for remote (network) printers; does not affect local printers or administrators.
  Options: Enabled or Disabled

Devices: Restrict CD-ROM access to locally logged on users only
  Description: Determines whether the CD-ROM drive can be used by local and remote users at the same time.
  Options: Enabled or Disabled

Devices: Restrict floppy access to locally logged on users only
  Description: Determines whether removable floppy media can be accessed locally and remotely at the same time.
  Options: Enabled or Disabled

Domain controller: Allow server operators to schedule tasks
  Description: Determines whether members of the Server Operators group can submit jobs by using the AT scheduling utility.
  Options: Enabled or Disabled

Domain controller: LDAP server signing requirements
  Description: Determines whether the LDAP server requires LDAP clients to negotiate data signing.
  Options: None or Require signing

Domain controller: Refuse machine account password changes
  Description: Determines whether domain controllers refuse requests from domain member computers to change their computer account passwords.
  Options: Enabled or Disabled

Domain member: Digitally encrypt or sign secure channel data (always)
  Description: Determines whether all secure channel traffic initiated by this computer must be encrypted or signed.
  Options: Enabled or Disabled

Domain member: Digitally encrypt secure channel data (when possible)
  Description: Determines whether this computer attempts to negotiate encryption for all secure channel traffic it initiates.
  Options: Enabled or Disabled

Domain member: Digitally sign secure channel data (when possible)
  Description: Determines whether this computer attempts to negotiate signing for all secure channel traffic it initiates.
  Options: Enabled or Disabled

Domain member: Disable machine account password changes
  Description: Determines whether a domain member computer periodically changes its computer account password.
  Options: Enabled or Disabled

Domain member: Maximum machine account password age
  Description: Determines the maximum password age for computer accounts in a domain.
  Options: Enter number of days or 30 days

Domain member: Require strong session key (Windows 2000 or later)
  Description: Determines whether 128-bit key strength is required for encrypted secure channel data.
  Options: Enabled or Disabled

Interactive logon: Display user information when session is locked
  Description: Determines what account information is displayed when the workstation is locked.
  Options: User display name, domain and user names; User display name only; Do not display any user information

Interactive logon: Do not display last user name
  Description: Determines whether the user name of the last user to sign in is displayed on the Windows sign-in screen.
  Options: Enabled or Disabled

Interactive logon: Do not require Ctrl+Alt+Delete
  Description: Determines whether pressing Ctrl+Alt+Delete is required before signing in.
  Options: Enabled or Disabled

Interactive logon: Machine account lockout threshold
  Description: Determines the number of failed sign-in attempts that cause the computer to be locked out; enforced only on computers that use BitLocker to encrypt the system volume.
  Options: Enter the number of attempts allowed before the machine account is locked out

Interactive logon: Machine inactivity limit
  Description: Determines the number of seconds of inactivity after which the computer is locked.
  Options: Enter the number of seconds of inactivity allowed before the computer is locked

Interactive logon: Message text for users attempting to log on
  Description: Specifies the text displayed to users signing in interactively.
  Options: Enter a value or Empty

Interactive logon: Message title for users attempting to log on
  Description: Specifies the title of the message box displayed to users signing in interactively.
  Options: Enter a value or Empty

Interactive logon: Number of previous logons to cache
  Description: Determines how many domain sign-ins are cached locally so that users can still sign in when no domain controller is available.
  Options: Enter a value or 10 logons

Interactive logon: Prompt user to change password before expiration
  Description: Specifies how many days in advance the signed-in user is warned that the account password is about to expire.
  Options: Enter a value or 6 days

Interactive logon: Require domain controller authentication to unlock workstation
  Description: Sign-in information must be provided to unlock a locked computer; for domain accounts, determines whether a domain controller must be contacted to perform the unlock.
  Options: Enabled or Disabled

Interactive logon: Require smart card
  Description: Determines whether interactive sign-ins require a smart card.
  Options: Enabled or Disabled

Interactive logon: Smart card removal behavior
  Description: Specifies the action taken when a signed-in user’s smart card is removed.
  Options: No action; Lock workstation; Force sign-out; Disconnect if a Remote Desktop Services session

Microsoft network client: Digitally sign communications (always)
  Description: Determines whether the SMB client component requires packet signing.
  Options: Enabled or Disabled

Microsoft network client: Digitally sign communications (if server agrees)
  Description: Determines whether the SMB client attempts to negotiate packet signing.
  Options: Enabled or Disabled

Microsoft network client: Send unencrypted password to third-party SMB servers
  Description: If enabled, allows the SMB redirector to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication.
  Options: Enabled or Disabled

Microsoft network server: Amount of idle time required before suspending session
  Description: Specifies the amount of continuous idle time that must pass before an SMB session is suspended for inactivity.
  Options: Enter a value or 15 minutes

Microsoft network server: Attempt S4U2Self to obtain claim information
  Description: Determines whether clients running earlier versions of Windows are allowed to access file shares that require user claims.
  Options: Default; Enabled; Disabled

Microsoft network server: Digitally sign communications (always)
  Description: Determines whether the SMB server component requires packet signing.
  Options: Enabled or Disabled

Microsoft network server: Digitally sign communications (if client agrees)
  Description: Determines whether the SMB server negotiates packet signing if the client requests it.
  Options: Enabled or Disabled

Microsoft network server: Disconnect clients when logon hours expire
  Description: Determines whether clients connected over SMB are disconnected when they are outside their permitted sign-in hours.
  Options: Enabled or Disabled

Microsoft network server: Server SPN target name validation level
  Description: Controls how strictly a computer that shares resources validates the SPN supplied by connecting client computers.
  Options: Off; Accept if provided by client; Required from client

Network access: Allow anonymous SID/Name translation
  Description: Determines whether an anonymous user can request the security identifier (SID) attributes of another user account.
  Options: Enabled or Disabled

Network access: Do not allow anonymous enumeration of SAM accounts
  Description: Determines what additional permissions are granted to anonymous connections to the computer.
  Options: Enabled or Disabled

Network access: Do not allow anonymous enumeration of SAM accounts and shares
  Description: Determines whether anonymous enumeration of SAM accounts and shares is allowed.
  Options: Enabled or Disabled

Network access: Do not allow storage of passwords and credentials for network authentication
  Description: Determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication.
  Options: Enabled or Disabled

Network access: Let Everyone permissions apply to anonymous users
  Description: If enabled, the Everyone SID and its permissions are added to the anonymous user’s token at sign-in.
  Options: Enabled or Disabled

Network access: Named Pipes that can be accessed anonymously
  Description: Determines which named pipes (communication sessions) allow anonymous access.
  Options: Enter a value or None

Network access: Remotely accessible registry paths
  Description: Determines which registry paths can be accessed over the network.
  Options:
    \System\CurrentControlSet\Control\ProductOptions
    \System\CurrentControlSet\Control\Server Applications
    \Software\Microsoft\Windows NT\CurrentVersion

Network access: Remotely accessible registry paths and subpaths
  Description: Determines which registry paths and subpaths can be accessed over the network.
  Options:
    \System\CurrentControlSet\Control\Print\Printers
    \System\CurrentControlSet\Services\Eventlog
    \Software\Microsoft\OLAP Server
    \Software\Microsoft\Windows NT\CurrentVersion\Print
    \Software\Microsoft\Windows NT\CurrentVersion\Windows
    \System\CurrentControlSet\Control\ContentIndex
    \System\CurrentControlSet\Control\Terminal Server
    \System\CurrentControlSet\Control\Terminal Server\UserConfig
    \System\CurrentControlSet\Control\Terminal Server\DefaultUserConfig
    \Software\Microsoft\Windows NT\CurrentVersion\Perflib
    \System\CurrentControlSet\Services\SysmonLog

Network access: Restrict anonymous access to Named Pipes and Shares
  Description: Restricts anonymous access to shares and pipes to those listed in the Named Pipes that can be accessed anonymously and Shares that can be accessed anonymously settings.
  Options: Enabled or Disabled

Network access: Shares that can be accessed anonymously
  Description: Determines which network shares can be accessed by anonymous users.
  Options: Enter a value or None

Network access: Sharing and security model for local accounts
  Description: Determines how network sign-ins that use local accounts are authenticated.
  Options: Classic - local users authenticate as themselves; Guest only - local users authenticate as Guest

Network security: Allow local system to use computer identity for NTLM
  Description: Allows Local System services that use Negotiate to use the computer identity when they fall back to NTLM authentication.
  Options: Enabled or Disabled

Network security: Allow LocalSystem NULL session fallback
  Description: Allows NTLM to fall back to a NULL session when used with the LocalSystem account.
  Options: Enabled or Disabled

Network security: Allow PKU2U authentication requests to this computer to use online identities
  Description: When disabled (the default on domain-joined computers), prevents online identities from authenticating to the computer.
  Options: Enabled or Disabled

Network security: Configure encryption types allowed for Kerberos
  Description: Configures the encryption types that Kerberos is allowed to use.
  Options: None selected

Network security: Do not store LAN Manager hash value on next password change
  Description: Determines whether the LAN Manager hash value for the new password is stored when the password is changed.
  Options: Enabled or Disabled

Network security: Force logoff when logon hours expire
  Description: Determines whether users connected to SMB resources are disconnected when they are outside their permitted sign-in hours.
  Options: Enabled or Disabled

Network security: LAN Manager authentication level
  Description: Determines which challenge/response authentication protocol is used for network sign-ins.
  Options: Send LM & NTLM responses; Send LM & NTLM - use NTLMv2 session security if negotiated; Send NTLM responses only; Send NTLMv2 responses only; Send NTLMv2 responses - refuse LM; Send NTLMv2 responses only - refuse LM and NTLM

Network security: LDAP client signing requirements
  Description: Determines the level of data signing requested on behalf of clients that issue LDAP BIND requests.
  Options: None; Negotiate signing; Require signing

Network security: Minimum session security for NTLM Security Support Provider–based (including secure Remote Procedure Call) clients
  Description: Allows the client to require negotiation of 128-bit encryption, NTLMv2 session security, or both.
  Options: Require NTLMv2 session security; Require 128-bit encryption

Network security: Minimum session security for NTLM SSP–based (including secure RPC) servers
  Description: Allows the server to require negotiation of 128-bit encryption, NTLMv2 session security, or both.
  Options: Require NTLMv2 session security; Require 128-bit encryption

Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
  Description: Lets you create an exception list of remote servers to which NTLM authentication is still allowed when the Restrict NTLM: Outgoing NTLM traffic to remote servers setting is enabled.
  Options: Enter values or None

Network security: Restrict NTLM: Add server exceptions in this domain
  Description: Lets you create an exception list of servers in this domain for which NTLM authentication is still allowed.
  Options: Enter values or None

Network security: Restrict NTLM: Audit incoming NTLM traffic
  Description: Lets you audit incoming NTLM traffic to this computer.
  Options: Disable; Enable auditing for domain accounts; Enable auditing for all accounts

Network security: Restrict NTLM: Audit NTLM authentication in this domain
  Description: Lets you audit NTLM authentication in the domain from this domain controller.
  Options: Disable; Enable for domain accounts to domain servers; Enable for domain accounts; Enable for domain servers; Enable all

Network security: Restrict NTLM: Incoming NTLM traffic
  Description: Determines whether incoming NTLM traffic to this computer is restricted.
  Options: Allow all; Deny all domain accounts; Deny all accounts

Network security: Restrict NTLM: NTLM authentication in this domain
  Description: Determines whether NTLM authentication in this domain is restricted.
  Options: Disable; Deny for domain accounts to domain servers; Deny for all domain accounts; Deny for all domain servers; Deny all

Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
  Description: Lets you allow, audit, or deny outgoing NTLM traffic from this computer to any remote Windows server.
  Options: Allow all; Audit all; Deny all

Recovery console: Allow automatic administrative logon
  Description: Determines whether the Administrator password must be provided before the Recovery Console can be used.
  Options: Enabled or Disabled

Recovery console: Allow floppy copy and access to all drives and all folders
  Description: Determines whether the SET command is available in the Recovery Console.
  Options: Enabled or Disabled

Shutdown: Allow system to be shut down without having to log on
  Description: Determines whether the computer can be shut down without anyone having to sign in.
  Options: Enabled or Disabled

Shutdown: Clear virtual memory page file
  Description: Determines whether the virtual memory page file is cleared when the computer shuts down.
  Options: Enabled or Disabled

System cryptography: Force strong key protection for user keys stored on the computer
  Description: Determines whether users’ private keys require a password before they can be used.
  Options: User input is not required when new keys are stored and used; User is prompted when the key is first used; User must enter a password each time a key is used

System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing
  Description: Determines whether SSL is disabled for the Schannel security support provider and whether only FIPS-approved algorithms such as Triple Data Encryption Standard (3DES) and Advanced Encryption Standard (AES) are used.
  Options: Enabled or Disabled

System objects: Require case sensitivity for non-Windows subsystems
  Description: Determines whether case sensitivity is enforced for all subsystems.
  Options: Enabled or Disabled

System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links)
  Description: Determines the strength of the default discretionary access control list (DACL) applied to shared system objects.
  Options: Enabled or Disabled

System settings: Optional subsystems
  Description: Determines which optional subsystems can be started to support applications.
  Options: POSIX

System settings: Use certificate rules on Windows executables for software restriction policies
  Description: Determines whether digital certificates are processed when software restriction policies are applied to applications with an .exe file name extension.
  Options: Enabled or Disabled

User account control: Admin Approval Mode for the built-in Administrator account
  Description: Controls the behavior of Admin Approval Mode for the built-in Administrator account.
  Options: Enabled or Disabled

User account control: Allow UIAccess applications to prompt for elevation without using the secure desktop
  Description: Controls whether User Interface Accessibility (UIAccess) programs can automatically disable the secure desktop for elevation prompts issued to a standard user.
  Options: Enabled or Disabled

User account control: Behavior of the elevation prompt for administrators in Admin Approval Mode
  Description: Controls the behavior of the elevation prompt for administrators.
  Options: Elevate without prompting; Prompt for credentials on the secure desktop; Prompt for consent on the secure desktop; Prompt for credentials; Prompt for consent; Prompt for consent for non-Windows binaries

User account control: Behavior of the elevation prompt for standard users
  Description: Controls the behavior of the elevation prompt for standard users.
  Options: Automatically deny elevation requests; Prompt for credentials on the secure desktop; Prompt for credentials

User account control: Detect application installations and prompt for elevation
  Description: Controls the behavior of application installation detection for the computer.
  Options: Enabled or Disabled

User account control: Only elevate executables that are signed and validated
  Description: Enforces public key infrastructure (PKI) signature checks on any interactive application that requests elevation of privilege.
  Options: Enabled or Disabled

User account control: Only elevate UIAccess applications that are installed in secure locations
  Description: Controls whether applications that request to run with a UIAccess integrity level must reside in a secure location in the file system.
  Options: Enabled or Disabled

User account control: Run all administrators in Admin Approval Mode
  Description: Controls the behavior of all UAC policy settings for the computer.
  Options: Enabled or Disabled

User account control: Switch to the secure desktop when prompting for elevation
  Description: Controls whether the elevation prompt is displayed on the secure desktop or on the interactive user’s desktop.
  Options: Enabled or Disabled

User account control: Virtualize file and registry write failures to per-user locations
  Description: Controls whether application write failures are redirected to defined registry and file system locations.
  Options: Enabled or Disabled

Note

NOT ALL OPTIONS NEED TO BE CONFIGURED

Some of the options available for configuration in Security Options might not need to be configured. For example, if you leave the Guest account disabled, there is no reason to rename it.
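The security options in Table 2 are stored as registry values, which makes them easy to audit across a fleet without opening the console on each computer. The following PowerShell script is an added example, not code from the book or from Microsoft: it reads the registry values behind a handful of the options in the table (the paths and value names are the documented storage locations for those policies) and reports whether each matches an expected value. The Expected values are an assumed hardened baseline for a workstation and are not the book's recommendations; a value that is absent from the registry corresponds to "Not Defined" in Local Security Policy, in which case the operating system default applies.

```powershell
# Added example (not from the book): audit a subset of the Table 2 Security Options
# by reading the registry values that back them. Expected values are an ASSUMED
# hardened workstation baseline, not Windows defaults and not the book's advice.

$checks = @(
    @{ Policy   = 'Accounts: Limit local account use of blank password to console logon only'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name     = 'LimitBlankPasswordUse'
       Expected = 1 },   # 1 = Enabled
    @{ Policy   = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name     = 'RestrictAnonymous'
       Expected = 1 },
    @{ Policy   = 'Network security: Do not store LAN Manager hash value on next password change'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name     = 'NoLMHash'
       Expected = 1 },
    @{ Policy   = 'Network security: LAN Manager authentication level'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name     = 'LmCompatibilityLevel'
       Expected = 5 },   # 5 = Send NTLMv2 responses only - refuse LM and NTLM
    @{ Policy   = 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Name     = 'RestrictSendingNTLMTraffic'
       Expected = 1 },   # 0 = Allow all, 1 = Audit all, 2 = Deny all
    @{ Policy   = 'Microsoft network client: Digitally sign communications (always)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Name     = 'RequireSecuritySignature'
       Expected = 1 },
    @{ Policy   = 'Microsoft network server: Digitally sign communications (always)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name     = 'RequireSecuritySignature'
       Expected = 1 },
    @{ Policy   = 'User account control: Run all administrators in Admin Approval Mode'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name     = 'EnableLUA'
       Expected = 1 },
    @{ Policy   = 'User account control: Switch to the secure desktop when prompting for elevation'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name     = 'PromptOnSecureDesktop'
       Expected = 1 }
)

function Test-SecurityOption {
    param([hashtable]$Check)

    # A missing value means the option is Not Defined in Local Security Policy,
    # so the operating-system default applies. That is reported as REVIEW rather
    # than OK, because the default is not necessarily the expected value.
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Name) } else { $null }

    [pscustomobject]@{
        Policy   = $Check.Policy
        Expected = $Check.Expected
        Actual   = if ($null -eq $actual) { 'Not configured (OS default)' } else { $actual }
        Status   = if ($actual -eq $Check.Expected) { 'OK' } else { 'REVIEW' }
    }
}

# Run every check and show the result as a table; REVIEW rows are the ones to
# compare against the explanations in Table 2 and your organization's policy.
$results = $checks | ForEach-Object { Test-SecurityOption -Check $_ }
$results | Format-Table -AutoSize -Wrap
```

Reading HKLM does not require an elevated console. Because Group Policy writes these same registry values when a domain GPO configures a security option, the script reports the effective setting on the computer, not only what was set locally. For a complete export of every option rather than a chosen subset, `secedit /export /cfg <file>` writes the current local security policy to a text file that can be diffed against a known-good baseline.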
