Compute | Policy Path | Full Policy Name | Supported On | Registry Settings | Comments |
Machine | Computer Configuration\Windows S | Enforce password history | Windows XP SP2, Windows Server 2003 | Password Policy security settings are not registry keys. | Notes: For more information about Windows Server 2003 security settings, see the Windows Server 2003 Help on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=18174, and search for "Security Settings Descriptions." For more information about Windows XP security settings, see the Windows XP Help, and search for "Security Settings Descriptions." For information about security features in Windows XP Service Pack 2, see the "Managing Windows XP Service Pack 2 Features Using Group Policy" white paper on the Microsoft TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=31974. For information about the set of security technologies included in Windows XP Service Pack 2, see "Changes to Functionality in Microsoft Windows XP Service Pack 2" on the Microsoft TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=29126. |
Machine | Computer Configuration\Windows Settings\Account Policies\Password Policy | Maximum password age | Windows XP SP2, Windows Server 2003 | Password Policy security settings are not registry keys. | |
Machine | Computer Configuration\Windows Settings\Account Policies\Password Policy | Minimum password age | Windows XP SP2, Windows Server 2003 | Password Policy security settings are not registry keys. | |
Machine | Computer Configuration\Windows Settings\Account Policies\Password Policy | Minimum password length | Windows XP SP2, Windows Server 2003 | Password Policy security settings are not registry keys. | |
Machine | Computer Configuration\Windows Settings\Account Policies\Password Policy | Password must meet complexity requirement | Windows XP SP2, Windows Server 2003 | Password Policy security settings are not registry keys. | |
Machine | Computer Configuration\Windows Settings\Account Policies\Password Policy | Store passwords using reversible encryption for all users in the domain | Windows XP SP2, Windows Server 2003 | Password Policy security settings are not registry keys. | |
Machine | Computer Configuration\Windows S | Account lockout duration | Windows XP SP2, Windows Server 2003 | Account Lockout Policy security settings are not registry keys. | |
Machine | Computer Configuration\Windows Settings\Account Policies\Account Lockout Policy | Account lockout threshold | Windows XP SP2, Windows Server 2003 | Account Lockout Policy security settings are not registry keys. | |
Machine | Computer Configuration\Windows Settings\Account Policies\Account Lockout Policy | Reset lockout counter after | Windows XP SP2, Windows Server 2003 | Account Lockout Policy security settings are not registry keys. | |
Machine | Computer Configuration\Windows S | Enforce user logon restrictions | Windows XP SP2, Windows Server 2003 | Kerberos Policy security settings are not registry keys. | Important: Kerberos policies are used for domain user accounts. They determine Kerberos-related settings, such as ticket lifetimes and enforcement. Kerberos policies do not exist in Local Computer Policy. |
Machine | Computer Configuration\Windows Settings\Local Policies\Kerberos Policy | Maximum lifetime for service ticket | Windows XP SP2, Windows Server 2003 | Kerberos Policy security settings are not registry keys. | Important: Kerberos policies are used for domain user accounts. They determine Kerberos-related settings, such as ticket lifetimes and enforcement. Kerberos policies do not exist in Local Computer Policy. |
Machine | Computer Configuration\Windows Settings\Local Policies\Kerberos Policy | Maximum lifetime for user ticket | Windows XP SP2, Windows Server 2003 | Kerberos Policy security settings are not registry keys. | Important: Kerberos policies are used for domain user accounts. They determine Kerberos-related settings, such as ticket lifetimes and enforcement. Kerberos policies do not exist in Local Computer Policy. |
Machine | Computer Configuration\Windows Settings\Local Policies\Kerberos Policy | Maximum lifetime for user ticket renewal | Windows XP SP2, Windows Server 2003 | Kerberos Policy security settings are not registry keys. | Important: Kerberos policies are used for domain user accounts. They determine Kerberos-related settings, such as ticket lifetimes and enforcement. Kerberos policies do not exist in Local Computer Policy. |
Machine | Computer Configuration\Windows Settings\Local Policies\Kerberos Policy | Maximum tolerance for computer clock synchronization | Windows XP SP2, Windows Server 2003 | Kerberos Policy security settings are not registry keys. | Important: Kerberos policies are used for domain user accounts. They determine Kerberos-related settings, such as ticket lifetimes and enforcement. Kerberos policies do not exist in Local Computer Policy. |
Machine | Computer Configuration\Windows S | Audit account logon events | Windows XP SP2, Windows Server 2003 | Audit Policy security settings are not registry keys. | |
Machine | Computer Configuration\Windows Settings\Local Policies\Audit Policy | Audit account management | Windows XP SP2, Windows Server 2003 | Audit Policy security settings are not registry keys. | |
Machine | Computer Configuration\Windows Settings\Local Policies\Audit Policy | Audit directory service access | Windows XP SP2, Windows Server 2003 | Audit Policy security settings are not registry keys. | |
Machine | Computer Configuration\Windows Settings\Local Policies\Audit Policy | Audit logon events | Windows XP SP2, Windows Server 2003 | Audit Policy security settings are not registry keys. | |
Machine | Computer Configuration\Windows Settings\Local Policies\Audit Policy | Audit object access | Windows XP SP2, Windows Server 2003 | Audit Policy security settings are not registry keys. | |
Machine | Computer Configuration\Windows Settings\Local Policies\Audit Policy | Audit policy change | Windows XP SP2, Windows Server 2003 | Audit Policy security settings are not registry keys. | |
Machine | Computer Configuration\Windows Settings\Local Policies\Audit Policy | Audit privilege use | Windows XP SP2, Windows Server 2003 | Audit Policy security settings are not registry keys. | |
Machine | Computer Configuration\Windows Settings\Local Policies\Audit Policy | Audit process tracking | Windows XP SP2, Windows Server 2003 | Audit Policy security settings are not registry keys. | |
Machine | Computer Configuration\Windows Settings\Local Policies\Audit Policy | Audit system events | Windows XP SP2, Windows Server 2003 | Audit Policy security settings are not registry keys. | |
Machine | Computer Configuration\Windows S | Access this computer from the network | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Act as part of the operating system | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Add workstations to a domain | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Adjust memory quotas for a process | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Allow log on locally | Windows Server 2003 | User Rights security settings are not registry keys | See also the Log on locally policy setting in Windows XP SP2, described later in this worksheet. |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Allow log on through Terminal Services | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | Important: This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2. |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Backup files and directories | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Bypass traverse checking | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Change the system time | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Create a pagefile | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Create a token object | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Create global objects | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Create permanent shared objects | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Debug programs | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Deny access to this computer from the network | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Deny log on as a batch job | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Deny log on as a service | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Deny log on locally | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Deny log on through Terminal Services | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | Important: This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2. |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Enable computer and user accounts to be trusted for delegation | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | Note: Misuse of this privilege, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Force shutdown from a remote system | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Generate security audits | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Impersonate a client after authentication | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Increase scheduling authority | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Load and unload device drivers | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Lock pages in memory | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Log on as a batch job | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | Note: In Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family, the Task Scheduler automatically grants this right as necessary. |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Log on as a service | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Log on locally | Windows XP SP2 | User Rights security settings are not registry keys | Note: See also the corresponding Windows Server 2003 Allow log on locally policy setting, earlier in this worksheet. |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Manage auditing and security log | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Modify firmware environment values | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Perform volume maintenance tasks | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Profile single process | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Profile system performance | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Remove computer from docking station | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Replace a process level token | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Restore files and directories | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Shut down the system | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Synchronize directory service data | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows Settings\Local Policies\User Rights Assignment | Take ownership of files or other objects | Windows XP SP2, Windows Server 2003 | User Rights security settings are not registry keys | |
Machine | Computer Configuration\Windows S | Accounts: Administrator account status | Windows XP SP2, Windows Server 2003 | Not a registry key | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Accounts: Guest account status | Windows XP SP2, Windows Server 2003 | Not a registry key | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Accounts: Limit local account use of blank passwords to console logon o | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Accounts: Rename administrator account | Windows XP SP2, Windows Server 2003 | Not a registry key | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Accounts: Rename guest account | Windows XP SP2, Windows Server 2003 | Not a registry key | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Audit: Audit the access of global system objects | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Audit: Audit the use of Backup and Restore privilege | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Audit: Shut down system immediately if unable to log security audits | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | DCOM: Machine Access Restrictions in Security Descriptor Definition Lan | Windows XP SP2, Windows Server 2003 | MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineAccessRestriction | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | DCOM: Machine Launch Restrictions in Security Descriptor Definition Lan | Windows XP SP2, Windows Server 2003 | MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineLaunchRestriction | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Devices: Allow undock without having to log on | Windows XP SP2, Windows Server 2003 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Devices: Allowed to format and eject removable media | Windows XP SP2, Windows Server 2003 | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Devices: Prevent users from installing printer drivers | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Devices: Restrict CD-ROM access to locally logged-on user only | Windows XP SP2, Windows Server 2003 | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Devices: Restrict floppy access to locally logged-on user only | Windows XP SP2, Windows Server 2003 | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Devices: Unsigned driver installation behavior | Windows XP SP2, Windows Server 2003 | MACHINE\Software\Microsoft\Driver Signing\Policy | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Domain controller: Allow server operators to schedule tasks | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Domain controller: LDAP server signing requirements | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Domain controller: Refuse machine account password changes | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Domain member: Digitally encrypt or sign secure channel data (always) | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Services\Netlogon\Pa | Important: In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member’s domain must be running Windows NT 4.0 Service Pack 6 or higher. In order to take advantage of this policy on domain controllers, all domain controllers in the same domain, as well as all trusted domains, must be running Windows NT 4.0 Service Pack 6 or higher. |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Domain member: Digitally encrypt secure channel data (when possible) | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Domain member: Digitally sign secure channel data (when possible) | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Domain member: Disable machine account password changes | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Domain member: Maximum machine account password age | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Services\Netlogon\Pa | Important: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers. |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Domain member: Require strong (Windows 2000 or later) session key | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Interactive logon: Do not display last user name | Windows XP SP2, Windows Server 2003 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Interactive logon: Do not require CTRL+ALT+DELETE | Windows XP SP2, Windows Server 2003 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Interactive logon: Message text for users attempting to logon | Windows XP SP2, Windows Server 2003 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Interactive logon: Message title for users attempting to logon | Windows XP SP2, Windows Server 2003 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Interactive logon: Number of previous logons to cache (in case domain co | Windows XP SP2, Windows Server 2003 | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Interactive logon: Prompt user to change password before expiration | Windows XP SP2, Windows Server 2003 | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Interactive logon: Require Domain Controller authentication to unlock work | Windows XP SP2, Windows Server 2003 | MACHINE\Software\Microsoft\Windows NT\CurrentVersio | Important: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers. |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Interactive logon: Require smart card | Windows XP SP2, Windows Server 2003 | MACHINE\Software\Microsoft\Windows\CurrentVersion\P | Important: This setting will apply to any computers running Windows 2000 through changes in the registry, but the security setting is not viewable through the Security Configuration Manager tool set. |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Interactive logon: Smart card removal behavior | Windows XP SP2, Windows Server 2003 | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Microsoft network client: Digitally sign communications (always) | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Services\LanmanWor | Important: For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help. |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Microsoft network client: Digitally sign communications (if server agrees) | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Microsoft network client: Send unencrypted password to third-party SMB | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Microsoft network server: Amount of idle time required before suspendin | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect | |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Microsoft network server: Digitally sign communications (always) | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Services\LanManSer | Important: For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help. |
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Microsoft network server: Digitally sign communications (if client agrees) | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Microsoft network server: Disconnect clients when logon hours expire | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Network access: Allow anonymous SID/Name translation | Windows XP SP2, Windows Server 2003 | Not a registry key | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Network access: Do not allow anonymous enumeration of SAM accounts | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\Lsa\RestrictA | Important: This policy has no impact on domain controllers. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Network access: Do not allow anonymous enumeration of SAM accounts | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Network access: Do not allow storage of credentials or .NET Passports f | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Network access: Let Everyone permissions apply to anonymous users | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Network access: Named Pipes that can be accessed anonymously | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Network access: Remotely accessible registry paths | Windows XP SP2 | MACHINE\System\CurrentControlSet\Control\SecurePipeS | Important: The Network access: Remotely accessible registry paths security setting that appears on computers running Windows XP corresponds to the Network access: Remotely accessible registry paths and subpaths security policy setting on members of the Windows Server 2003 family. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Network access: Remotely accessible registry paths | Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\SecurePipeS | Important: This security setting is not available on earlier versions of Windows. The security setting that appears on computers running Windows XP, Network access: Remotely accessible registry paths corresponds to the Network access: Remotely accessible registry paths and subpaths security option on members of the Windows Server 2003 family. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Network access: Remotely accessible registry paths and subpaths | Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\SecurePipeS | Important: On Windows XP, this security setting was called "Network access: Remotely accessible registry paths." If you configure this setting on a member of the Windows Server 2003 family that is joined to a domain, this setting is inherited by computers running Windows XP, but will appear as the "Network access: Remotely accessible registry paths" security option. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Network access: Restrict anonymous access to Named Pipes and Share | Windows Server 2003 | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Network access: Shares that can be accessed anonymously | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Network access: Sharing and security model for local accounts | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\Lsa\ForceGu | Important: This setting only affects computers running Windows XP Professional which are not joined to a domain. This policy will have no impact on computers running Windows 2000. For more information, search for "Security Setting Descriptions" in the Windows Server 2003 Help. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Network security: Do not store LAN Manager hash value on next passw | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHas | Important: Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. For more information, search for "Security Setting Descriptions" in the Windows Server 2003 Help. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Network security: Force logoff when logon hours expire | Windows XP SP2, Windows Server 2003 | Not a registry key | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Network security: LAN Manager authentication level | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\Lsa\LmComp | Important: This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. For compatibility information about this setting, see Network security: Lan Manager authentication level (http://go.microsoft.com/fwlink/?LinkId=24278) at the Microsoft website. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Network security: LDAP client signing requirements | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Network security: Minimum session security for NTLM SSP based (includi | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\ | Warning: This setting will apply to any computers running Windows 2000 through changes in the registry but the security setting will not be viewable through the Security Configuration Manager tool set. For more information, search for "Security Setting Descriptions" in the Windows Server 2003 Help. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Network security: Minimum session security for NTLM SSP based (includi | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\ | Warning: This setting will apply to any computers running Windows 2000 through changes in the registry but the security setting will not be viewable through the Security Configuration Manager tool set. For more information, search for "Security Setting Descriptions" in the Windows Server 2003 Help. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Recovery console: Allow automatic administrative logon | Windows XP SP2, Windows Server 2003 | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Recovery console: Allow floppy copy and access to all drives and all fol | Windows XP SP2, Windows Server 2003 | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Shutdown: Allow system to be shut down without having to log on | Windows XP SP2, Windows Server 2003 | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | Shutdown: Clear virtual memory pagefile | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | System cryptography: Use FIPS compliant algorithms for encryption, hash | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | System Cryptography: Force strong key protection for user keys stored | Windows Server 2003 | MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | System objects: Default owner for objects created by members of the Ad | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | System objects: Require case insensitivity for non-Windows subsystems | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | System objects: Strengthen default permissions of internal system object | Windows XP SP2, Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | System settings: Optional subsystems | Windows Server 2003 | MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Local Policies\Security Options | System settings: Use Certificate Rules on Windows Executables for Soft | Windows Server 2003 | MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows S | Maximum application log size | Windows XP SP2, Windows Server 2003 | Event Log security settings are not registry keys. | Note: This setting does not appear in the Local Computer Policy object. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Event Log | Maximum security log size | Windows XP SP2, Windows Server 2003 | Event Log security settings are not registry keys. | Note: This setting does not appear in the Local Computer Policy object. Important: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see the "Event Log: Maximum security log size" section in KB 823659 "Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments" (http://go.microsoft.com/fwlink/?LinkId=35271) at the Microsoft website. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Event Log | Maximum system log size | Windows XP SP2, Windows Server 2003 | Event Log security settings are not registry keys. | Note: This setting does not appear in the Local Computer Policy object. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Event Log | Prevent local guests group from accessing application log | Windows XP SP2, Windows Server 2003 | Event Log security settings are not registry keys. | Notes: This setting does not appear in the Local Computer Policy object. This security setting affects only computers running Windows 2000, Windows Server 2003, and Windows XP. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Event Log | Prevent local guests group from accessing security log | Windows XP SP2, Windows Server 2003 | Event Log security settings are not registry keys. | Notes: This setting does not appear in the Local Computer Policy object. This security setting affects only computers running Windows 2000, Windows Server 2003, and Windows XP. A user must possess the Manage auditing and security log user right to access the security log. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Event Log | Prevent local guests group from accessing system log | Windows XP SP2, Windows Server 2003 | Event Log security settings are not registry keys. | Note: This setting does not appear in the Local Computer Policy object. This security setting affects only computers running Windows 2000, Windows Server 2003, and Windows XP. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Event Log | Retain application log | Windows XP SP2, Windows Server 2003 | Event Log security settings are not registry keys. | Notes: This setting does not appear in the Local Computer Policy object. A user must possess the Manage auditing and security log user right to access the security log. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Event Log | Retain security log | Windows XP SP2, Windows Server 2003 | Event Log security settings are not registry keys. | Notes: This setting does not appear in the Local Computer Policy object. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Event Log | Retain system log | Windows XP SP2, Windows Server 2003 | Event Log security settings are not registry keys. | Note: This setting does not appear in the Local Computer Policy object. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Event Log | Retention method for application log | Windows XP SP2, Windows Server 2003 | Event Log security settings are not registry keys. | Note: This setting does not appear in the Local Computer Policy object. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Event Log | Retention method for security log | Windows XP SP2, Windows Server 2003 | Event Log security settings are not registry keys. | Note: This setting does not appear in the Local Computer Policy object. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Event Log | Retention method for system log | Windows XP SP2, Windows Server 2003 | Event Log security settings are not registry keys. | Note: This setting does not appear in the Local Computer Policy object. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows S | Restricted Groups | Windows XP SP2, Windows Server 2003 | Restricted Groups policy settings are not registry keys. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows S | System Services | Windows XP SP2, Windows Server 2003 | System Services policy settings are not registry keys. | Note: This setting does not appear in the Local Computer Policy object. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows S | Registry | Windows XP SP2, Windows Server 2003 | Not a registry key | Note: This setting does not appear in the Local Computer Policy object. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows S | File System | Windows XP SP2, Windows Server 2003 | File System policy settings are not registry keys. | Note: This setting does not appear in the Local Computer Policy object. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows S | Wireless Network (IEEE 802.11) Policies | Windows Server 2003 | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\ {0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63} (Domain Controller and Target) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows S | Encrypting File System | Windows XP SP2, Windows Server 2003 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\S | Note: Group Policy sets a registry key which is checked by EFS during user operations. The key is: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration. In the case of local computers that are not members of a domain, local policy is not available for disabling EFS. However, a different registry key may be set to disable EFS. If the key is set to a DWORD value of 0x01, EFS will be disabled. Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Public Key Policies | Automatic Certificate Request Settings | Windows Server 2003 | HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates\ACRS | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Public Key Policies | Trusted Root Certification Authorities | Windows Server 2003 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\ | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Public Key Policies | Enterprise Trust | Windows Server 2003 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Trust\CTLs\ | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Public Key Policies | Autoenrollment Settings | Windows XP SP2, Windows Server 2003 | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies | After a software restriction policy is applied, software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer and HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Security Levels | Disallowed | Windows XP SP2, Windows Server 2003 | Software restriction policies use these registry keys to st | This setting is a default rule that, if ON, prevents software from running unless a more specific rule allows the software to run. For more information about software restriction policies, search for "Software Restriction Policies Technical Reference" in the Group Policy Collection of the Windows Server 2003 Technical Reference on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=38997. For more information about using software restriction policies, search for "Software Restriction Policies" in the Windows Server 2003 Help on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=18174. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Security Levels | Unrestricted | Windows XP SP2, Windows Server 2003 | Software restriction policies use these registry keys to st | A default rule that, when ON, allows all software to run unless a specific disallow rule overrides it. For more information about software restriction policies, search for "Software Restriction Policies Technical Reference" in the Group Policy Collection of the Windows Server 2003 Technical Reference on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=38997. For more information about using software restriction policies, search for "Software Restriction Policies" in the Windows Server 2003 Help on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=18174. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules | New Certificate Rule | Windows XP SP2, Windows Server 2003 | Certificate rules for computer software restriction policies are stored in this registry key: Allowed: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublishers\Certificates\ Disallowed: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\ | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules | New Hash Rule | Windows XP SP2, Windows Server 2003 | Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules | New Internet Zone Rule | Windows XP SP2, Windows Server 2003 | Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules | New Path Rule | Windows XP SP2, Windows Server 2003 | Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies | Enforcement | Windows XP SP2, Windows Server 2003 | Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies | Designated File Types | Windows XP SP2, Windows Server 2003 | Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies | Trusted Publishers | Windows XP SP2, Windows Server 2003 | Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows S | Client (Respond Only) | Windows XP SP2, Windows Server 2003 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\IP Security Policies | Secure Server (Require Security) | Windows XP SP2, Windows Server 2003 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Machine | Computer Configuration\Windows Settings\Security Settings\IP Security Policies | Server (Request Security) | Windows XP SP2, Windows Server 2003 |
User | User Configuration\Windows Setting | Enterprise Trust | Windows XP SP2, Windows Server 2003 | HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Trust\CTLs\ |
User | User Configuration\Windows Settings\Security Settings\Public Key Policies | Autoenrollment Settings | Windows XP SP2, Windows Server 2003 | HKEY_CURRENT_USER\Software\Policies\Microsoft\Cryptography\AutoEnrollment |
User | User Configuration\Windows Settings\Security Settings\Software Restriction Policies | After a software restriction policy is applied, software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer and HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows |
User | User Configuration\Windows Settings\Security Settings\Software Restriction Policies\Security Levels | Disallowed | Windows Server 2003 | Software restriction policies use these registry keys to st | This setting is a default rule that, if ON, prevents software from running unless a more specific rule allows the software to run. For more information about software restriction policies, search for "Software Restriction Policies Technical Reference" in the Group Policy Collection of the Windows Server 2003 Technical Reference on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=38997. For more information about using software restriction policies, search for "Software Restriction Policies" in the Windows Server 2003 Help on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=18174. |
User | User Configuration\Windows Settings\Security Settings\Software Restriction Policies\Security Levels | Unrestricted | Windows Server 2003 | Software restriction policies use these registry keys to st | A default rule that, when ON, allows all software to run unless a specific disallow rule overrides it. For more information about software restriction policies, search for "Software Restriction Policies Technical Reference" in the Group Policy Collection of the Windows Server 2003 Technical Reference on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=38997. For more information about using software restriction policies, search for "Software Restriction Policies" in the Windows Server 2003 Help on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=18174. |
User | User Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules | New Certificate Rule | Windows Server 2003 | Allowed Certificate rules use key: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublishers\Certificates\ Disallowed Certificate rules use key: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\ |
User | User Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules | New Hash Rule | Windows Server 2003 | Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows |
User | User Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules | New Internet Zone Rule | Windows Server 2003 | Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows |
User | User Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules | New Path Rule | Windows Server 2003 | Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows |
User | User Configuration\Windows Settings\Security Settings\Software Restriction Policies | Enforcement | Windows Server 2003 | Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows |
User | User Configuration\Windows Settings\Security Settings\Software Restriction Policies | Designated File Types | Windows Server 2003 | Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows |
User | User Configuration\Windows Settings\Security Settings\Software Restriction Policies | Trusted Publishers | Windows Server 2003 | Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows |