Computer/User Node |
Policy Path |
Full Policy Name |
Registry Settings |
Comments |
Machine |
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy |
Enforce password history |
Password Policy security settings are not registry keys. |
For more information about Windows 2000 Security Settings, see the Windows 2000 Group Policy Reference in the Windows 2000 Server Resource Kit on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=16196. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy |
Maximum password age |
Password Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy |
Minimum password age |
Password Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy |
Minimum password length |
Password Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy |
Passwords must meet complexity requirements of the installed password filter |
Password Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy |
Store password using reversible encryption for all users in the domain |
Password Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy |
Account lockout duration |
Account Lockout Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy |
Account lockout threshold |
Account Lockout Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy |
Reset account lockout counter after |
Account Lockout Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy |
Enforce user logon restrictions |
Kerberos Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy |
Maximum lifetime for service ticket |
Kerberos Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy |
Maximum lifetime for user ticket |
Kerberos Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy |
Maximum lifetime for user ticket renewal |
Kerberos Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy |
Maximum tolerance for computer clock synchronization |
Kerberos Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy |
Audit account logon events |
Audit Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy |
Audit account management |
Audit Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy |
Audit directory service access |
Audit Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy |
Audit logon events |
Audit Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy |
Audit object access |
Audit Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy |
Audit policy change |
Audit Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy |
Audit privilege use |
Audit Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy |
Audit process tracking |
Audit Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy |
Audit system events |
Audit Policy security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Access this computer from the network |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Act as part of the operating system |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Add workstations to domain |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Back up files and directories |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Bypass traverse checking |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Change the system time |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Create a pagefile |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Create a token object |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Create global objects |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Create permanent shared objects |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Debug programs |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Deny access to this computer from the network |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Deny logon as a batch job |
User Rights security settings are not registry keys |
For more information about User Rights policy settings, see Appendix B of the "Microsoft Windows 2000 Security Hardening Guide" at http://www.microsoft.com/technet/security/prodtech/windows2000/win2khg/appxb.mspx. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Deny logon as a service |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Deny logon locally |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Enable computer and user accounts to be trusted for delegation |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Force shutdown from a remote system |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Generate security audits |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Impersonate a client after authentication |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Increase quotas |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Increase scheduling priority |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Load and unload device drivers |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Lock pages in memory |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Log on as a batch job |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Log on as a service |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Log on locally |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Manage auditing and security log |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Modify firmware environment variables |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Profile single process |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Profile system performance |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Remove computer from docking station |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Replace a process level token |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Restore files and directories |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Shut down the system |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Synchronize directory service data |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
Take ownership of files or other objects |
User Rights security settings are not registry keys |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Additional restrictions for anonymous connections |
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous |
|
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Allow server operators to schedule tasks (domain controllers only) |
MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Allow system to be shut down without having to log on |
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Allowed to eject removable NTFS media |
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Amount of idle time required before disconnecting a session |
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Audit the access of global system objects |
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Audit use of Backup and Restore privilege |
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Automatically log off users when logon time expires |
|
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Automatically log off users when logon time expires (local) |
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Clear virtual memory pagefile when system shuts down |
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Digitally sign client communications (always) |
MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters\RequireSecuritySignature |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Digitally sign client communications (always) |
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Digitally sign client communications (when possible) |
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Digitally sign server communications (when possible) |
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Disable CTRL+ALT+DEL requirement for logon |
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Do not display last user name in logon screen |
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
LAN Manager authentication level |
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Message text for users attempting to log on |
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Message title for users attempting to log on |
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Number of previous logons to cache (in case domain controller is not available) |
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Prevent system maintenance of computer account password |
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Prevent users from installing printer drivers |
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Prompt user to change password before expiration |
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Recovery Console: Allow automatic administrative logon |
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Recovery Console: Allow floppy copy and access to all drives and folders |
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Rename administrator account |
Not a registry key |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Rename guest account |
Not a registry key |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Restrict CD-ROM access to locally logged-on user only |
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Secure channel: Digitally encrypt or sign secure channel data (always) |
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Secure channel: Digitally encrypt secure channel data (when possible) |
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Secure channel: Digitally sign secure channel data (when possible) |
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Secure channel: Require strong (Windows 2000 or later) session key |
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Secure system partition (for RISC platforms only) |
|
Important: This policy was used with Beta versions of Windows 2000 that ran on RISC platforms. However, the released versions of Windows 2000 do not run on RISC platforms; therefore, this setting has no effect on Windows 2000. |
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Send unencrypted password to connect to third-party SMB servers |
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Shut down system immediately if unable to log security audits |
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Smart card removal behavior |
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Strengthen default permissions of global system objects (e.g. Symbolic links) |
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Unsigned driver installation behavior |
MACHINE\Software\Microsoft\Driver Signing\Policy |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
Unsigned non-driver installation behavior |
MACHINE\Software\Microsoft\Non-Driver Signing\Policy |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Event Log\Settings for Event Logs |
Maximum application log size |
Event Log security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Event Log\Settings for Event Logs |
Maximum security log size |
Event Log security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Event Log\Settings for Event Logs |
Maximum system log size |
Event Log security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Event Log\Settings for Event Logs |
Restrict guest access to application log |
Event Log security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Event Log\Settings for Event Logs |
Restrict guest access to security log |
Event Log security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Event Log\Settings for Event Logs |
Restrict guest access to system log |
Event Log security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Event Log\Settings for Event Logs |
Retain application log |
Event Log security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Event Log\Settings for Event Logs |
Retain security log |
Event Log security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Event Log\Settings for Event Logs |
Retain system log |
Event Log security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Event Log\Settings for Event Logs |
Retention method for application log |
Event Log security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Event Log\Settings for Event Logs |
Retention method for security log |
Event Log security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Event Log\Settings for Event Logs |
Retention method for system log |
Event Log security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Event Log\Settings for Event Logs |
Shut down the computer when the security audit log is full |
Event Log security settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Restricted Groups |
Restricted Groups |
Restricted Groups policy settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\System Services |
System Services |
System Services policy settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Registry |
Registry |
Not a registry key |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\File System |
File System |
File System policy settings are not registry keys. |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Public Key Policies |
Encrypted Data Recovery Agents |
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\EFS\Certificates |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Public Key Policies |
Automatic Certificate Request Settings |
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ACRS |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Public Key Policies |
Trusted Root Certification Authorities |
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\ |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\Public Key Policies |
Enterprise Trust |
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Trust\CTLs\ |
|
Machine |
Computer Configuration\Windows Settings\Security Settings\IP Security Policies |
Client (Respond Only) |
|
|
Machine |
Computer Configuration\Windows Settings\Security Settings\IP Security Policies |
Secure Server (Require Security) |
|
|
Machine |
Computer Configuration\Windows Settings\Security Settings\IP Security Policies |
Server (Request Security) |
|
|
User |
User Configuration\Windows Settings\Security Settings\Public Key Policies |
Enterprise Trust |
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Trust\CTLs\ |
|