Name |
Description |
Accounts: Limit local account use of blank passwords to console logon only |
This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. |
Audit: Audit the access of global system objects |
This security setting determines whether to audit the access of global system objects. If this policy is enabled, it causes system objects, such as mutexes, events, semaphores and DOS devices, to be created with a default system access control list (SACL). Only named objects are given a SACL; SACLs are not given to objects without names. If the Audit object access audit policy is also enabled, access to these system objects is audited. |
Audit: Audit the use of Backup and Restore privilege |
This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect. Enabling this option when the Audit privilege use policy is also enabled generates an audit event for every file that is backed up or restored.0 - Disabled, 1 - Enabled |
Audit: Force audit policy subcategory settings to override audit policy category settings |
Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category level, and existing group policy may override the subcategory settings of new machines as they are joined to the domain or upgraded to Windows Vista or later versions. To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. |
Audit: Shut down system immediately if unable to log security audits |
This security setting determines whether the system shuts down if it is unable to log security events. If this security setting is enabled, it causes the system to stop if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the retention method that is specified for the security log is either Do Not Overwrite Events or Overwrite Events by Days. |
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax |
This policy setting determines which users or groups can access DCOM application remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications. |
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax |
This policy setting determines which users or groups can launch or activate DCOM applications remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications |
Devices: Allow undock without having to log on |
This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. |
Devices: Allowed to format and eject removable media |
This security setting determines who is allowed to format and eject removable NTFS media. 0 - Only administrators of the computer, 1 - Only administrators and power users, 2 - Only administrators and the local current user. |
Devices: Prevent users from installing printer drivers |
For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. |
Devices: Restrict CD-ROM access to locally logged-on user only |
This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. 1- Enabled, 2 - Disabled. |
Devices: Restrict floppy access to locally logged-on user only |
This security setting determines whether removable floppy media are accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable floppy media. 1- Enabled, 2 - Disabled. |
Devices: Unsigned driver installation behavior |
This security setting determines what happens when an attempt is made to install a device driver (by means of Setup API) that has not been tested by the Windows Hardware Quality Lab (WHQL).The options are: 0 - Silently succeed, 1- Warn but allow installation, 2 - Do not allow installation |
Domain controller: Allow server operators to schedule tasks |
This security setting determines if Server Operators are allowed to submit jobs by means of the AT schedule facility. |
Domain controller: LDAP server signing requirements |
This security setting determines whether the LDAP server requires signing to be negotiated with LDAP clients. |
Domain controller: Refuse machine account password changes |
This security setting determines whether domain controllers will refuse requests from member computers to change computer account passwords. By default, member computers change their computer account passwords every 30 days. If enabled, the domain controller will refuse computer account password change requests. |
Domain member: Digitally encrypt or sign secure channel data (always) |
This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. |
Domain member: Digitally encrypt secure channel data (when possible) |
This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. |
Domain member: Digitally sign secure channel data (when possible) |
This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. |
Domain member: Disable machine account password changes |
Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days. |
Domain member: Require strong (Windows 2000 or later) session key |
This security setting determines whether 128-bit key strength is required for encrypted secure channel data. |
Interactive logon: Do not display last user name |
This security setting determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen. If this policy is enabled, the name of the last user to successfully log on is not displayed in the Logon Screen. |
Interactive Logon: Display user information when session is locked |
Interactive Logon: Display user information when session is locked. |
Interactive logon: Do not require CTRL+ALT+DEL |
This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. |
Interactive logon: Message text for users attempting to logon |
This security setting specifies a text message that is displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. |
Interactive logon: Message title for users attempting to logon |
This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. |
Interactive logon: Number of previous logons to cache (in case domain controller is not available) |
All previous users' logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they are able to log on. In this policy setting, a value of 0 disables logon caching. Any value above 50 only caches 50 logon attempts. |
Interactive logon: Prompt user to change password before expiration |
Determines how far in advance (in days) users are warned that their password is about to expire. With this advance warning, the user has time to construct a password that is sufficiently strong. |
Interactive logon: Require Domain Controller authentication to unlock workstation |
Logon information must be provided to unlock a locked computer. For domain accounts, this security setting determines whether a domain controller must be contacted to unlock a computer. If this setting is disabled, a user can unlock the computer using cached credentials. If this setting is enabled, a domain controller must authenticate the domain account that is being used to unlock the computer. |
Interactive logon: Require smart card |
This security setting requires users to log on to a computer using a smart card. |
Interactive logon: Smart card removal behavior |
This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. 0 - No Action, 1 - Lock workstation, 2 - Force logoff, 3 - Disconnect if a remote Remote Desktop Services session. |
Microsoft network client: Digitally sign communications (always) |
This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. |
Microsoft network client: Digitally sign communications (if server agrees) |
This security setting determines whether the SMB client attempts to negotiate SMB packet signing. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. |
Microsoft network client: Send unencrypted password to third-party SMB servers |
If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. |
Microsoft network server: Amount of idle time required before suspending session |
This security setting determines the amount of continuous idle time (in minutes) that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity. Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. |
Microsoft network server: Digitally sign communications (always) |
This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent "man-in-the-middle" attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. |
Microsoft network server: Digitally sign communications (if client agrees) |
This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. |
Microsoft network server: Disconnect clients when logon hours expire |
This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. |
Microsoft network server: Server SPN target name validation level |
The server message block (SMB) protocol provides the basis for file and printer sharing and many other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. |
Network access: Do not allow anonymous enumeration of SAM accounts |
This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. |
Network access: Do not allow anonymous enumeration of SAM accounts and shares |
This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. |
Network access: Do not allow storage of passwords and credentials for network authentication |
This security setting determines whether Stored User Names and Passwords saves passwords, credentials, or .NET Passports for later use when it gains domain authentication. If it is enabled, this setting prevents the Stored User Names and Passwords from storing passwords and credentials. |
Network access: Let Everyone permissions apply to anonymous users |
This security setting determines what additional permissions are granted for anonymous connections to the computer. |
Network access: Named Pipes that can be accessed anonymously |
This security setting determines which communication sessions (pipes) will have attributes and permissions that allow anonymous access. |
Network access: Remotely accessible registry paths |
This security setting determines which registry keys can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. |
Network access: Remotely accessible registry paths and sub-paths |
This security setting determines which registry paths and subpaths can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. |
Network access: Shares that can be accessed anonymously |
This security setting determines which network shares can accessed by anonymous users. |
Network access: Sharing and security model for local accounts |
This security setting determines how network logons that use local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. The Classic model allows fine control over access to resources. By using the Classic model, you can grant different types of access to different users for the same resource. |
Network security: Do not store LAN Manager hash value on next password change |
This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. |
Network security: LAN Manager authentication level |
This security setting determines which challenge/response authentication protocol is used for network logons. |
Network security: LDAP client signing requirements |
This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests. |
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients |
This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. |
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers |
This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. |
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers |
This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. |
Network security: Restrict NTLM: Incoming NTLM traffic |
This policy setting allows you to deny or allow incoming NTLM traffic. |
Network security: Restrict NTLM: Audit Incoming NTLM Traffic |
This policy setting allows you to audit incoming NTLM traffic. |
Network security: Restrict NTLM: NTLM authentication in this domain |
This policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy does not affect interactive logon to this domain controller. |
Network security: Restrict NTLM: Audit NTLM authentication in this domain |
This policy setting allows you to audit NTLM authentication in a domain from this domain controller. |
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication |
This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. |
Network security: Restrict NTLM: Add server exceptions in this domain |
This policy setting allows you to create an exception list of servers in this domain to which clients are allowed to use NTLM pass-through authentication if the "Network Security: Restrict NTLM: Deny NTLM authentication in this domain" is set. |
Network security: Allow LocalSystem NULL session fallback |
Allow NTLM to fall back to NULL session when used with LocalSystem. |
Network security: Allow PKU2U authentication requests to this computer to use online identities |
This policy will be turned off by default on domain joined machines. This would disallow the online identities to be able to authenticate to the domain joined machine in Windows 7. |
Network security: Configure encryption types allowed for Kerberos |
This policy setting allows you to set the encryption types that Kerberos is allowed to use. If not selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. |
Recovery console: Allow automatic administrative logon |
This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system. |
Recovery console: Allow floppy copy and access to all drives and all folders |
Enabling this security option makes the Recovery Console SET command available, which allows you to set the following Recovery Console environment variables. |
Shutdown: Allow system to be shut down without having to log on |
This security setting determines whether a computer can be shut down without having to log on to Windows. When this policy is enabled, the Shut Down command is available on the Windows logon screen. |
Shutdown: Clear virtual memory pagefile |
This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. |
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing |
For the Schannel Security Service Provider (SSP), this security setting disables the weaker Secure Sockets Layer (SSL) protocols and supports only the Transport Layer Security (TLS) protocols as a client and as a server (if applicable). If this setting is enabled, Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider uses only the FIPS 140 approved cryptographic algorithms: 3DES and AES for encryption, RSA or ECC public key cryptography for the TLS key exchange and authentication, and only the Secure Hashing Algorithm (SHA1, SHA256, SHA384, and SHA512) for the TLS hashing requirements. |
System cryptography: Force strong key protection for user keys stored on the computer |
This security setting determines if users' private keys require a password to be used. |
System objects: Default owner for objects created by members of the Administrators group |
This security setting determines which security principal (SID) will be assigned the OWNER of objects when the object is created by a member of the Administrators Group. |
System objects: Require case insensitivity for non-Windows subsystems |
This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX. |
System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links) |
This security setting determines the strength of the default discretionary access control list (DACL) for objects. |
System settings: Optional subsystems |
This security setting determines which subsystems can optionally be started up to support your applications. With this security setting, you can specify as many subsystems to support your applications as your environment demands. |
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies |
This security setting determines if digital certificates are processed when a user or process attempts to run software with an .exe file name extension. This security settings is used to enable or disable certificate rules, a type of software restriction policies rule. With software restriction policies, you can create a certificate rule that will allow or disallow software that is signed by Authenticode to run, based on the digital certificate that is associated with the software. In order for certificate rules to take effect, you must enable this security setting. |
User Account Control: Admin Approval Mode for the Built-in Administrator account |
This security setting determines the behavior of Admin Approval mode for the Built-in Administrator account. |
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode |
This security setting determines the behavior of the elevation prompt for administrators. |
User Account Control: Behavior of the elevation prompt for standard users |
This security setting determines the behavior of the elevation prompt for standard users. |
User Account Control: Detect application installations and prompt for elevation |
This security setting determines the behavior of application installation detection for the entire system. |
User Account Control: Only elevate executables that are signed and validated |
This security setting will enforce PKI signature checks on any interactive application that requests elevation of privilege. Enterprise administrators can control the admin application allowed list thru the population of certificates in the local computers Trusted Publisher Store. |
User Account Control: Only elevate UIAccess applications that are installed in secure locations |
This security setting will enforce the requirement that applications that request execution with a UIAccess integrity level (via a marking of UIAccess=true in their application manifest), must reside in a secure location on the file system. |
User Account Control: Run all administrators in Admin Approval Mode |
This security setting determines the behavior of all UAC policies for the entire system. |
User Account Control: Switch to the secure desktop when prompting for elevation |
This security setting determines whether the elevation request will prompt on the interactive users desktop or the Secure Desktop. |
User Account Control: Virtualize file and registry write failures to per-user locations |
This security setting enables the redirection of legacy application write failures to defined locations in both the registry and file system. This feature mitigates those applications that historically ran as administrator and wrote runtime application data back to either %ProgramFiles%, %Windir%; %Windir%\system32 or HKLM\Software\.... |
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop |
This security setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts being used by a standard user. If you enable this setting, UIA programs including Windows Remote Assistance can automatically disable the secure desktop for elevation prompts. Unless you have also disabled elevation prompts, the prompts will appear on the interactive user's desktop instead of the secure desktop. |