Computer/User Node Policy Path Full Policy Name Supported On Registry Settings Comments
Machine Computer Configuration\Windows Settings\Account Policies\Password Policy Enforce password history Windows XP SP2, Windows Server 2003 Password Policy security settings are not registry keys. Notes: For more information about Windows Server 2003 security settings, see the Windows Server 2003 Help on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=18174, and search for "Security Settings Descriptions."
For more information about Windows XP security settings, see the Windows XP Help, and search for "Security Settings Descriptions."
For information about security features in Windows XP Service Pack 2, see the "Managing Windows XP Service Pack 2 Features Using Group Policy" white paper on the Microsoft TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=31974.
For information about the set of security technologies included in Windows XP Service Pack 2, see
"Changes to Functionality in Microsoft Windows XP Service Pack 2" on the Microsoft TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=29126.
Machine Computer Configuration\Windows Settings\Account Policies\Password Policy Maximum password age Windows XP SP2, Windows Server 2003 Password Policy security settings are not registry keys.
Machine Computer Configuration\Windows Settings\Account Policies\Password Policy Minimum password age Windows XP SP2, Windows Server 2003 Password Policy security settings are not registry keys.
Machine Computer Configuration\Windows Settings\Account Policies\Password Policy Minimum password length Windows XP SP2, Windows Server 2003 Password Policy security settings are not registry keys.
Machine Computer Configuration\Windows Settings\Account Policies\Password Policy Password must meet complexity requirement Windows XP SP2, Windows Server 2003 Password Policy security settings are not registry keys.
Machine Computer Configuration\Windows Settings\Account Policies\Password Policy Store passwords using reversible encryption for all users in the domain Windows XP SP2, Windows Server 2003 Password Policy security settings are not registry keys.
Machine Computer Configuration\Windows Settings\Account Policies\Account Lockout Policy Account lockout duration Windows XP SP2, Windows Server 2003 Account Lockout Policy security settings are not registry keys.
Machine Computer Configuration\Windows Settings\Account Policies\Account Lockout Policy Account lockout threshold Windows XP SP2, Windows Server 2003 Account Lockout Policy security settings are not registry keys.
Machine Computer Configuration\Windows Settings\Account Policies\Account Lockout Policy Reset lockout counter after Windows XP SP2, Windows Server 2003 Account Lockout Policy security settings are not registry keys.
Machine Computer Configuration\Windows Settings\Local Policies\Kerberos Policy Enforce user logon restrictions Windows XP SP2, Windows Server 2003 Kerberos Policy security settings are not registry keys. Important: Kerberos policies are used for domain user accounts. They determine Kerberos-related settings, such as ticket lifetimes and enforcement. Kerberos policies do not exist in Local Computer Policy.
Machine Computer Configuration\Windows Settings\Local Policies\Kerberos Policy Maximum lifetime for service ticket Windows XP SP2, Windows Server 2003 Kerberos Policy security settings are not registry keys. Important: Kerberos policies are used for domain user accounts. They determine Kerberos-related settings, such as ticket lifetimes and enforcement. Kerberos policies do not exist in Local Computer Policy.
Machine Computer Configuration\Windows Settings\Local Policies\Kerberos Policy Maximum lifetime for user ticket Windows XP SP2, Windows Server 2003 Kerberos Policy security settings are not registry keys. Important: Kerberos policies are used for domain user accounts. They determine Kerberos-related settings, such as ticket lifetimes and enforcement. Kerberos policies do not exist in Local Computer Policy.
Machine Computer Configuration\Windows Settings\Local Policies\Kerberos Policy Maximum lifetime for user ticket renewal Windows XP SP2, Windows Server 2003 Kerberos Policy security settings are not registry keys. Important: Kerberos policies are used for domain user accounts. They determine Kerberos-related settings, such as ticket lifetimes and enforcement. Kerberos policies do not exist in Local Computer Policy.
Machine Computer Configuration\Windows Settings\Local Policies\Kerberos Policy Maximum tolerance for computer clock synchronization Windows XP SP2, Windows Server 2003 Kerberos Policy security settings are not registry keys. Important: Kerberos policies are used for domain user accounts. They determine Kerberos-related settings, such as ticket lifetimes and enforcement. Kerberos policies do not exist in Local Computer Policy.
Machine Computer Configuration\Windows Settings\Local Policies\Audit Policy Audit account logon events Windows XP SP2, Windows Server 2003 Audit Policy security settings are not registry keys.
Machine Computer Configuration\Windows Settings\Local Policies\Audit Policy Audit account management Windows XP SP2, Windows Server 2003 Audit Policy security settings are not registry keys.
Machine Computer Configuration\Windows Settings\Local Policies\Audit Policy Audit directory service access Windows XP SP2, Windows Server 2003 Audit Policy security settings are not registry keys.
Machine Computer Configuration\Windows Settings\Local Policies\Audit Policy Audit logon events Windows XP SP2, Windows Server 2003 Audit Policy security settings are not registry keys.
Machine Computer Configuration\Windows Settings\Local Policies\Audit Policy Audit object access Windows XP SP2, Windows Server 2003 Audit Policy security settings are not registry keys.
Machine Computer Configuration\Windows Settings\Local Policies\Audit Policy Audit policy change Windows XP SP2, Windows Server 2003 Audit Policy security settings are not registry keys.
Machine Computer Configuration\Windows Settings\Local Policies\Audit Policy Audit privilege use Windows XP SP2, Windows Server 2003 Audit Policy security settings are not registry keys.
Machine Computer Configuration\Windows Settings\Local Policies\Audit Policy Audit process tracking Windows XP SP2, Windows Server 2003 Audit Policy security settings are not registry keys.
Machine Computer Configuration\Windows Settings\Local Policies\Audit Policy Audit system events Windows XP SP2, Windows Server 2003 Audit Policy security settings are not registry keys.
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Access this computer from the network Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Act as part of the operating system Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Add workstations to a domain Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Adjust memory quotas for a process Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Allow log on locally Windows Server 2003 User Rights security settings are not registry keys See also the Log on locally policy setting in Windows XP SP2, described later in this worksheet.
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Allow log on through Terminal Services Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys Important: This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2.
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Backup files and directories Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Bypass traverse checking Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Change the system time Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Create a pagefile Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Create a token object Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Create global objects Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Create permanent shared objects Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Debug programs Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Deny access to this computer from the network Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Deny log on as a batch job Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Deny log on as a service Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Deny log on locally Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Deny log on through Terminal Services Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys Important: This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2.
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Enable computer and user accounts to be trusted for delegation Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys Note: Misuse of this privilege, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Force shutdown from a remote system Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Generate security audits Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Impersonate a client after authentication Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Increase scheduling authority Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Load and unload device drivers Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Lock pages in memory Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Log on as a batch job Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys Note: In Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family, the Task Scheduler automatically grants this right as necessary.
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Log on as a service Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Log on locally Windows XP SP2 User Rights security settings are not registry keys Note: See also the corresponding Windows Server 2003 Allow log on locally policy setting, earlier in this worksheet.
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Manage auditing and security log Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Modify firmware environment values Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Perform volume maintenance tasks Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Profile single process Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Profile system performance Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Remove computer from docking station Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Replace a process level token Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Restore files and directories Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Shut down the system Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Synchronize directory service data Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\User Rights Assignment Take ownership of files or other objects Windows XP SP2, Windows Server 2003 User Rights security settings are not registry keys
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Accounts: Administrator account status Windows XP SP2, Windows Server 2003 Not a registry key
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Accounts: Guest account status Windows XP SP2, Windows Server 2003 Not a registry key
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Accounts: Limit local account use of blank passwords to console logon only Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Accounts: Rename administrator account Windows XP SP2, Windows Server 2003 Not a registry key
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Accounts: Rename guest account Windows XP SP2, Windows Server 2003 Not a registry key
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Audit: Audit the accesss of global system objects Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Audit: Audit the use of Backup and Restore privilege Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Audit: Shut down system immediately if unable to log security audits Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail
Machine Computer Configuration\Windows Settings\Local Policies\Security Options DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax Windows XP SP2, Windows Server 2003 MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineAccessRestriction
Machine Computer Configuration\Windows Settings\Local Policies\Security Options DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax Windows XP SP2, Windows Server 2003 MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineLaunchRestriction
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Devices: Allow undock without having to log on Windows XP SP2, Windows Server 2003 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Devices: Allowed to format and eject removable media Windows XP SP2, Windows Server 2003 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Devices: Prevent users from installing printer drivers Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Devices: Restrict CD-ROM access to locally logged-on user only Windows XP SP2, Windows Server 2003 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Devices: Restrict floppy access to locally logged-on user only Windows XP SP2, Windows Server 2003 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Devices: Unsigned driver installation behavior Windows XP SP2, Windows Server 2003 MACHINE\Software\Microsoft\Driver Signing\Policy
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Domain controller: Allow server operators to schedule tasks Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Domain controller: LDAP server signing requirements Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Domain controller: Refuse machine account password changes Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Domain member: Digitally encrypt or sign secure channel data (always) Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal Important: In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the memberís domain must be running Windows NT 4.0 Service Pack 6 or higher.
In order to take advantage of this policy on domain controllers, All domain controllers in the same domain, as well as all trusted domains, must be running Windows NT 4.0 Service Pack 6 or higher.
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Domain member: Digitally encrypt secure channel data (when possible) Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Domain member: Digitally sign secure channel data (when possible) Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Domain member: Disable machine account password changes Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Domain member: Maximum machine account password age Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge Important: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Domain member: Require strong (Windows 2000 or later) session key Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Interactive logon: Do not display last user name Windows XP SP2, Windows Server 2003 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Interactive logon: Do not require CTRL+ALT+DELETE Windows XP SP2, Windows Server 2003 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Interactive logon: Message text for users attempting to logon Windows XP SP2, Windows Server 2003 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Interactive logon: Message title for users attempting to logon Windows XP SP2, Windows Server 2003 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Interactive logon: Number of previous logons to cache (in case domain controller is not available) Windows XP SP2, Windows Server 2003 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Interactive logon: Prompt user to change password before expiration Windows XP SP2, Windows Server 2003 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Interactive logon: Require Domain Controller authentication to unlock workstation Windows XP SP2, Windows Server 2003 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon Important: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Interactive logon: Require smart card Windows XP SP2, Windows Server 2003 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption Important: This setting will apply to any computers running Windows 2000 through changes in the registry, but the security setting is not viewable through the Security Configuration Manager tool set.
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Interactive logon: Smart card removal behavior Windows XP SP2, Windows Server 2003 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Microsoft network client: Digitally sign communications (always) Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature Important: For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help.
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Microsoft network client: Digitally sign communications (if server agrees) Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Microsoft network client: Send unencrypted password to third-party SMB servers Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Microsoft network server: Amount of idle time required before suspending session Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Microsoft network server: Digitally sign communications (always) Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature Important: For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help.
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Microsoft network server: Digitally sign communications (if client agrees) Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Microsoft network server: Disconnect clients when logon hours expire Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Network access: Allow anonymous SID/Name translation Windows XP SP2, Windows Server 2003 Not a registry key
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Network access: Do not allow anonymous enumeration of SAM accounts Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM Important: This policy has no impact on domain controllers. For more information, search for "Security Settings Descriptions" in the Windows Server 2003 Help.
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Network access: Do not allow anonymous enumeration of SAM accounts and shares Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Network access: Do not allow storage of credentials or .NET Passports for network authentication Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Network access: Let Everyone permissions apply to anonymous users Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Network access: Named Pipes that can be accessed anonymously Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Network access: Remotely accessible registry paths Windows XP SP2 MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine Important: The Network access: Remotely accessible registry paths security setting that appears on computers running Windows XP corresponds to the Network access: Remotely accessible registry paths and subpaths security policy setting on members of the Windows Server 2003 family.
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Network access: Remotely accessible registry paths Windows Server 2003 MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine Important: This security setting is not available on earlier versions of Windows. The security setting that appears on computers running Windows XP, Network access: Remotely accessible registry paths corresponds to the Network access: Remotely accessible registry paths and subpaths security option on members of the Windows Server 2003 family.
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Network access: Remotely accessible registry paths and subpaths Windows Server 2003 MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine Important: On Windows XP, this security setting was called "Network access: Remotely accessible registry paths." If you configure this setting on a member of the Windows Server 2003 family that is joined to a domain, this setting is inherited by computers running Windows XP, but will appear as the "Network access: Remotely accessible registry paths" security option.
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Network access: Restrict anonymous access to Named Pipes and Shares Windows Server 2003 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Network access: Shares that can be accessed anonymously Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Network access: Sharing and security model for local accounts Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest Important: This setting only affects computers running Windows XP Professional which are not joined to a domain.
This policy will have no impact on computers running Windows 2000. For more information, search for "Security Setting Descriptions" in the Windows Server 2003 Help.
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Network security: Do not store LAN Manager hash value on next password change Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash Important: Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.
This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. For more information, search for "Security Setting Descriptions" in the Windows Server 2003 Help.
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Network security: Force logoff when logon hours expire Windows XP SP2, Windows Server 2003 Not a registry key
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Network security: LAN Manager authentication level Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel Important: This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. For compatibility information about this setting, see Network security: Lan Manager authentication level (http://go.microsoft.com/fwlink/?LinkId=24278) at the Microsoft website.
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Network security: LDAP client signing requirements Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec Warning: This setting will apply to any computers running Windows 2000 through changes in the registry but the security setting will not be viewable through the Security Configuration Manager tool set. For more information, search for "Security Setting Descriptions" in the Windows Server 2003 Help.
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec Warning: This setting will apply to any computers running Windows 2000 through changes in the registry but the security setting will not be viewable through the Security Configuration Manager tool set. For more information, search for "Security Setting Descriptions" in the Windows Server 2003 Help.
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Recovery console: Allow automatic administrative logon Windows XP SP2, Windows Server 2003 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Recovery console: Allow floppy copy and access to all drives and all folders Windows XP SP2, Windows Server 2003 MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Shutdown: Allow system to be shut down without having to log on Windows XP SP2, Windows Server 2003 MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon
Machine Computer Configuration\Windows Settings\Local Policies\Security Options Shutdown: Clear virtual memory pagefile Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
Machine Computer Configuration\Windows Settings\Local Policies\Security Options System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy
Machine Computer Configuration\Windows Settings\Local Policies\Security Options System Cryptography: Force strong key protection for user keys stored on the computer Windows Server 2003 MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection
Machine Computer Configuration\Windows Settings\Local Policies\Security Options System objects: Default owner for objects created by members of the Administrators group Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner
Machine Computer Configuration\Windows Settings\Local Policies\Security Options System objects: Require case insensitivity for non-Windows subsystems Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive
Machine Computer Configuration\Windows Settings\Local Policies\Security Options System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links) Windows XP SP2, Windows Server 2003 MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode
Machine Computer Configuration\Windows Settings\Local Policies\Security Options System settings: Optional subsystems Windows Server 2003 MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional
Machine Computer Configuration\Windows Settings\Local Policies\Security Options System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies Windows Server 2003 MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled
Machine Computer Configuration\Windows Settings\Security Settings\Event Log Maximum application log size Windows XP SP2, Windows Server 2003 Event Log security settings are not registry keys. Note: This setting does not appear in the Local Computer Policy object.
Machine Computer Configuration\Windows Settings\Security Settings\Event Log Maximum security log size Windows XP SP2, Windows Server 2003 Event Log security settings are not registry keys. Note: This setting does not appear in the Local Computer Policy object.
Important: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see the "Event Log: Maximum security log size" section in KB 823659 "Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments" (http://go.microsoft.com/fwlink/?LinkId=35271) at the Microsoft website.††
Machine Computer Configuration\Windows Settings\Security Settings\Event Log Maximum system log size Windows XP SP2, Windows Server 2003 Event Log security settings are not registry keys. Note: This setting does not appear in the Local Computer Policy object.
Machine Computer Configuration\Windows Settings\Security Settings\Event Log Prevent local guests group from accessing application log Windows XP SP2, Windows Server 2003 Event Log security settings are not registry keys. Notes: This setting does not appear in the Local Computer Policy object.
This security setting affects only computers running Windows 2000, Windows Server 2003, and Windows XP.
Machine Computer Configuration\Windows Settings\Security Settings\Event Log Prevent local guests group from accessing security log Windows XP SP2, Windows Server 2003 Event Log security settings are not registry keys. Notes: This setting does not appear in the Local Computer Policy object.
This security setting affects only computers running Windows 2000, Windows Server 2003, and Windows XP.
A user must possess the Manage auditing and security log user right to access the security log.
Machine Computer Configuration\Windows Settings\Security Settings\Event Log Prevent local guests group from accessing system log Windows XP SP2, Windows Server 2003 Event Log security settings are not registry keys. Note: This setting does not appear in the Local Computer Policy object.††††††††††††††††††††††††††††††††††††††††††
This security setting affects only computers running Windows 2000, Windows Server 2003, and Windows XP.
Machine Computer Configuration\Windows Settings\Security Settings\Event Log Retain application log Windows XP SP2, Windows Server 2003 Event Log security settings are not registry keys. Notes: This setting does not appear in the Local Computer Policy object.
A user must possess the
Manage auditing and security log user right to access the security log.
Machine Computer Configuration\Windows Settings\Security Settings\Event Log Retain security log Windows XP SP2, Windows Server 2003 Event Log security settings are not registry keys. Notes: This setting does not appear in the Local Computer Policy object.
Machine Computer Configuration\Windows Settings\Security Settings\Event Log Retain system log Windows XP SP2, Windows Server 2003 Event Log security settings are not registry keys. Note: This setting does not appear in the Local Computer Policy object.
Machine Computer Configuration\Windows Settings\Security Settings\Event Log Retention method for application log Windows XP SP2, Windows Server 2003 Event Log security settings are not registry keys. Note: This setting does not appear in the Local Computer Policy object.
Machine Computer Configuration\Windows Settings\Security Settings\Event Log Retention method for security log Windows XP SP2, Windows Server 2003 Event Log security settings are not registry keys. Note: This setting does not appear in the Local Computer Policy object.
Machine Computer Configuration\Windows Settings\Security Settings\Event Log Retention method for system log Windows XP SP2, Windows Server 2003 Event Log security settings are not registry keys. Note: This setting does not appear in the Local Computer Policy object.
Machine Computer Configuration\Windows Settings\Security Settings\Restricted Groups Restricted Groups Windows XP SP2, Windows Server 2003 Restricted Groups policy settings are not registry keys.
Machine Computer Configuration\Windows Settings\Security Settings\System Services System Services Windows XP SP2, Windows Server 2003 System Services policy settings are not registry keys. Note: This setting does not appear in the Local Computer Policy object.
Machine Computer Configuration\Windows Settings\Security Settings\Registry Registry Windows XP SP2, Windows Server 2003 not a registry key Note: This setting does not appear in the Local Computer Policy object.
Machine Computer Configuration\Windows Settings\Security Settings\File System File System Windows XP SP2, Windows Server 2003 File System policy settings are not registry keys. Note: This setting does not appear in the Local Computer Policy object.
Machine Computer Configuration\Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies Wireless Network (IEEE 802.11) Policies Windows Server 2003 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\ {0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63} (Domain Controller and Target)
Machine Computer Configuration\Windows Settings\Security Settings\Public Key Policies Encrypting File System Windows XP SP2, Windows Server 2003 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates\ for certificates added in a GPO. Note: Group Policy sets a registry key which is checked by EFS during user operations. The key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration
In the case of local computers that are not members of a domain, local policy is not available for disabling EFS. However, a different registry key may be set to disable EFS. If the key is set to a DWORD value of 0x01, EFS will be disabled. Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\EfsConfiguration
Machine Computer Configuration\Windows Settings\Security Settings\Public Key Policies Automatic Certificate Request Settings Windows Server 2003 HKEY_Local_Machine\Software\Policies\Microsoft\SystemCertificates\ACRS
Machine Computer Configuration\Windows Settings\Security Settings\Public Key Policies Trusted Root Certification Authorities Windows Server 2003 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\
Machine Computer Configuration\Windows Settings\Security Settings\Public Key Policies Enterprise Trust Windows Server 2003 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Trust\CTLs\
Machine Computer Configuration\Windows Settings\Security Settings\Public Key Policies Autoenrollment Settings Windows XP SP2, Windows Server 2003 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment
Machine Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies After a software restriction policy is applied, software restriction policies use these registry keys to store thesoftware restriction policy configuration: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer and HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows[1]
Machine Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Security Levels Disallowed Windows XP SP2, Windows Server 2003 Software restriction policies use these registry keys to store thesoftware restriction policy configuration: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer This setting is a default rule that, if ON, prevents software from running unless a more specific rule allows the software to run. For more information about software restriction policies, search for "Software Restriction Policies Technical Reference" in the Group Policy Collection of the Windows Server 2003 Technical Reference on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=38997. For more information about using software restriction policies, search for "Software Restriction Policies" in the Windows Server 2003 Help on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=18174.
Machine Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Security Levels Unrestricted Windows XP SP2, Windows Server 2003 Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer A default rule that, when ON, allows all software to run unless a specific disallow rule overrides it. For more information about software restriction policies, search for "Software Restriction Policies Technical Reference" in the Group Policy Collection of the Windows Server 2003 Technical Reference on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=38997. For more information about using software restriction policies, search for "Software Restriction Policies" in the Windows Server 2003 Help on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=18174.
Machine Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules New Certificate Rule Windows XP SP2, Windows Server 2003 Certificate rules for computer software restriction policies are stored in this registry key:
Allowed: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublishers\Certificates\
Disallowed: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\
Machine Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules New Hash Rule Windows XP SP2, Windows Server 2003 Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer
Machine Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules New Internet Zone Rule Windows XP SP2, Windows Server 2003 Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer
Machine Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules New Path Rule Windows XP SP2, Windows Server 2003 Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer
Machine Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies Enforcement Windows XP SP2, Windows Server 2003 Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer
Machine Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies Designated File Types Windows XP SP2, Windows Server 2003 Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer
Machine Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies Trusted Publishers Windows XP SP2, Windows Server 2003 Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer
Machine Computer Configuration\Windows Settings\Security Settings\IP Security Policies Client (Respond Only) Windows XP SP2, Windows Server 2003
Machine Computer Configuration\Windows Settings\Security Settings\IP Security Policies Secure Server (Require Security) Windows XP SP2, Windows Server 2003
Machine Computer Configuration\Windows Settings\Security Settings\IP Security Policies Server (Request Security) Windows XP SP2, Windows Server 2003
User User Configuration\Windows Settings\Security Settings\Public Key Policies Enterprise Trust Windows XP SP2, Windows Server 2003 HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Trust\CTLs\
User User Configuration\Windows Settings\Security Settings\Public Key Policies Autoenrollment Settings Windows XP SP2, Windows Server 2003 HKEY_CURRENT_USER\Software\Policies\Microsoft\Cryptography\AutoEnrollment
User User Configuration\Windows Settings\Security Settings\Software Restriction Policies After a software restriction policy is applied, software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer and HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows
User User Configuration\Windows Settings\Security Settings\Software Restriction Policies\Security Levels Disallowed Windows Server 2003 Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows This setting is a default rule that, if ON, prevents software from running unless a more specific rule allows the software to run. For more information about software restriction policies, search for "Software Restriction Policies Technical Reference" in the Group Policy Collection of the Windows Server 2003 Technical Reference on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=38997. For more information about using software restriction policies, search for "Software Restriction Policies" in the Windows Server 2003 Help on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=18174.
User User Configuration\Windows Settings\Security Settings\Software Restriction Policies\Security Levels Unrestricted Windows Server 2003 Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows A default rule that, when ON, allows all software to run unless a specific disallow rule overrides it. For more information about software restriction policies, search for "Software Restriction Policies Technical Reference" in the Group Policy Collection of the Windows Server 2003 Technical Reference on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=38997. For more information about using software restriction policies, search for "Software Restriction Policies" in the Windows Server 2003 Help on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=18174.
User User Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules New Certificate Rule Windows Server 2003 Allowed Certificate rules use key: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublishers\Certificates\
Disallowed Certificate rules use key: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates\
User User Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules New Hash Rule Windows Server 2003 Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows
User User Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules New Internet Zone Rule Windows Server 2003 Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows
User User Configuration\Windows Settings\Security Settings\Software Restriction Policies\Additional Rules New Path Rule Windows Server 2003 Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows
User User Configuration\Windows Settings\Security Settings\Software Restriction Policies Enforcement Windows Server 2003 Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows
User User Configuration\Windows Settings\Security Settings\Software Restriction Policies Designated File Types Windows Server 2003 Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows
User User Configuration\Windows Settings\Security Settings\Software Restriction Policies Trusted Publishers Windows Server 2003 Software restriction policies use these registry keys to store the software restriction policy configuration: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows