????

Your IP : 216.73.216.152

Current Path : C:/Windows/System32/en-US/

Current File : C:/Windows/System32/en-US/wsecedit.dll.mui

MZ����@��� �!�L�!This program cannot be run in DOS mode.

$��<߱�R���R���R�U�����R�U�P���R�Rich��R�PEL�!�

���@ ��8.rdata�@@.rsrc� �@@�@l
T88�@l$��8.rdata8x.rdata$zzzdbg p,.rsrc$01pLh�.rsrc$02 �Ҭ��AM�$�o�~PtC.zb��m��"���@l��0�H�h�����Bj��k�����(��@��X��p���������������������0��H��`��x������������������� ��8��P��h����������������������(��@��X��p����������������� �� ��0 ��H ��` ��x ��� ��� ��� �� �� �
�
�8
�P
�h
��
��
� �
�
�
���
����
�G�(�@�X�p������� ��
���
�0�H�`�x�����������
�
�8
�P
�h
��
��
�#�
�,�
�-�
�/�
�0�1(�w@�xX�yp�z��{��|��}��~������0��H��`�x������������ �8� P�*h�0��1��h��i��j��k��l�m(�n@�oX�pp�q��r���� � � � 0 @ P ` p � � � � � � � � 0 @ P ` p � � � � � � � � 0 @ P ` p � � � � � � � � 0 @ P ` p � � � � � � � � 0 @ P ` p � � � � � � � � 0 @ P ` p � � � � � � � � 0 @ P ` p � � � � � � � � 0 @ P ` p � � � � � � � � 0 @ P ` p�:��H;f��=��l@�� C��G��J,�4M�8O���P^�$S��V� X���Y��Z���^���a��eF�di���k���o��`t��x��{t�t|��~t��������d�(���x��J�P�
�\�x�ԋ��h����R�<��D����������@��H���(��������d�$���Х��X�6�����$����b�P�l�����H�T���\���������L���Ծl�@���������������������h�p�����x�`�����`����������H�D���,���T��,�8�`��������\�������V�4�t��L��
�l�l��
�
���>�$����� .�$5�@;���<��t=L��@���AT�B���D��Eb �Df0u�t��`�<vD���PB����p��3,�����|��@ha���Jn�H�n��~�z����P�XJ�hL\��P���V���[�
�(fD�ljv��u� ���� �������X�8���
���p������d������^������z�<��L����R�,�������MUI�����X�n���Ng4���`u�_;��`iW����MUIen-US���Ȁ��Template Security Policy SettingMS Shell DlgP����������P(�����Configure privilege grant list$P#�
0���&Define these policy settings in the template: �P2�g���P�d����Add &User or Group...Po�2����&Remove@ ��)YSysLink@�������PA���Ȁ��Configure Membership for <group>MS Shell DlgP��������Members of this group: �P�F"����@�F����PZA$���A&dd Members...PSZA%���&RemovePp�����This group is a member of: �Pz�F ����@z�F����P�A����Add &Groups...PS�A����R&emove@0���@�������Ȁ��Analyzed Security Policy SettingMS Shell DlgP����������P'�����Rename administrator account$PF�
0���&Define this policy in the database:��PP�����Px�r���This setting affects the database only. It does not change current computer settings.P$�}���Computer setting:��P.��������Ȁ��Analyzed Security Policy SettingMS Shell DlgP����������P'�����Edit numeric attribute$PZ�
0���&Define this policy in the database:Pi�L���&Lock out account after:� �Ps-����4P8s
�msctls_updown32Spin1PEv�����failed attemptsP��r���This setting affects the database only. It does not change current computer settings.P)�}���Computer setting P8�K���Lock out account after:��PB�����P������Static���Ȁ��Analyzed Security Policy SettingMS Shell DlgP����������P'�����Secure systems objects PK�
0���&Define this policy in the database: $PZ�
����&Enabled $Pi�
����Di&sabledP��r���This setting affects the database only. It does not change current computer settings.P)�}���Computer setting:��P3��������Ȁ ��Analyzed Security Policy SettingMS Shell DlgP����������P'�����Audit file access$PK�
0���&Define this policy in the database:PZ�t���Audit these attempts:$Pi�
����&Success$Px�
����&FailureP��r���These settings affect the database only. They do not change current computer settings.P)�}���Computer setting:��P3�-������Ȑ�_MS Shell DlgP-J2���OKPcJ2���CancelP�J2���ApplyP�>������� P
s
����Accept current security settings P
"y
����Change to recommended settingsP�
2���&View...P�!2���View/&Edit...PA���Ȁ�Select Registry KeyMS Shell DlgP`���&Registry:�Px&SysTreeView32Tree1P�p���&Selected key:��P�S���P��2���OKP��2���Cancel���Ȁ��Template Security Policy SettingMS Shell DlgP����������P'�����Audit file access$P)�
0���&Define these policy settings in the templateP8� t���Audit these attempts:$PG�
���&Success$PV�
���&Failure@#x�)YSysLink@
x������PA���Ȁ
��Template Security Policy SettingMS Shell DlgP����������P'�����Edit numeric attribute$P$� 0���&Define this policy setting in the templateP3�<���&Lock out account after:� �P=-���4P7=�msctls_updown32Spin2PE@�����failed attemptsPP�
����Static@ Z�(YSysLink@\������PA���Ȁ��Template Security Policy SettingMS Shell DlgP����������P'�����Enable/disable attribute$P#�
0���&Define this policy setting in the template $P2�
����&Enabled $PA�
����Di&sabled@ Q�)YSysLink@ Q������PA���Ȁ�jTemplate Security Policy SettingMS Shell DlgP����������P'�����Rename administrator account$P)�
0���&Define this policy setting in the template��P3�������Ȑ�Save Security TemplatesMS Shell DlgP�a���&Select to save: �P�x'���P��2���YesP��2���No���Ȁ ��Analyzed Security Policy SettingMS Shell DlgP����������P'�����Retention method for security log$PF�
0���&Define this policy in the database: $PU�
.���&Overwrite events by days $Pd�
4���O&verwrite events as needed $Ps�5���Do &not overwrite events (clear log manually)P��r���This setting affects the database only. It does not change current computer settings.P$�}���Computer setting:��P.�-������Ȁ��Template Security Policy SettingMS Shell DlgP����������P'�����Retention method for security log$P)�
0���&Define this policy setting in the template P8�
.���&Overwrite events by days PG�
4���O&verwrite events as needed $PV�
5���Do &not overwrite events (clear log manually)@ d�(YSysLink@f������PA���Ȁ �Analysis Security Policy SettingMS Shell DlgP����������P'�����Access this computer from network$P)� 0���&Define this policy in the database:P?Sc���A&ssigned ToPx?? d���Database SettingP�??e���Computer setting�PJ�Z1CHECKLIST_SCECheckListP��r���These settings affect the database only. They do not change current computer settings.P�d����Add &User or Group...PA���Ȁ
��Analyzed Security Policy SettingMS Shell DlgP����������P'�����Directory replicatorP �}���Computer setting:P/�f���Service startup mode:��P9�����P�MP4���&View Security...$Pe�
0���&Define this policy in the database:Pt�/���Select service startup mode: $P��
����A&utomatic P��
����&Manual P��
����Di&sabledP�P3���&Edit Security...P��r���This setting affects the database only. It does not change current computer settings.PA���Ȁ��Template Security Policy SettingMS Shell DlgP����������P'�����Local disk manager$P)�
0���&Define this policy setting in the templateP8�/���Select service startup mode: $PG�
����A&utomatic $PV�
����&Manual $Pe�
����Di&sabledPyP3���&Edit Security...PA���Ȁ��Template Security Policy SettingMS Shell DlgP�����������P'����� $P$�
~���&Configure this file or folder then $Pg����Do &not allow permissions on this file or folder to be replaced $P8�����&Propagate inheritable permissions to all subfolders and files $PM�3���&Replace existing permissions on all subfolders and files with inheritable permissionsP�P7���&Edit Security...$@0������Ȁ��Analyzed Security Policy SettingMS Shell DlgP����������P'�����Directory replicatorPR��^���$P
Ry
0���&Define this policy in the database: $Pa�
~���&Configure this file or folder then $P�����Do &not allow permissions on this file or folder to be replaced $P&p�����&Propagate inheritable permissions to all subfolders and files $P&��3���&Replace existing permissions on all subfolders and files with inheritable permissionsP�P9���&Edit Security...P$�}���Computer setting:��P.�;���P�B<:���&View Security...PA������Analyzing System SecurityMS Shell DlgP�T���Analyzing:@B�����g@LJ���Account policies@*C�����g@)KK���Local policies@?D�����g@>KL���Restricted groups@TE�����g@SMM���Registry@cF�����g@mdN���File systems@c*G�����g@m)jO���System services@c?H�����f@m>kP���Directory service objects�Pj�Amsctls_progress32Progress1PA���Ȁ�zMS Shell DlgPe_���OKP,�0����Security Configuration & Analysis is an administrative tool to secure a computer and analyze security aspects. You can create or edit a security template, apply the security template, perform analysis based on a template, and display analysis results.P�����Security Configuration & Analysis
v1.0
PA���Ȁ�NConfigure SystemMS Shell Dlg��P�O���P�2P���&Browse ...P
'�R���P�2���&Error log file path:P�92���OKP�92���Cancel��@P��MS Shell DlgPX<���&Members of this groupPcDg���Database SettingP�9e���Computer Setting�P�f"CHECKLIST_SCECheckList�@�f����P�2����A&dd... P��q���D&efine this group in the database:PA���Ȁ�NPerform AnalysisMS Shell DlgP�����&Error log file path:��P�O���P�2P���&Browse ...P)�R���P�92���OKP�92���Cancel���Ȁ�OImport TemplateMS Shell Dlg��P�O���P�2P���&Browse ...P�1h���Error log file pathP%�
N���&Overwrite existing template in databaseP�:2���OKP�:2���Cancel��@D�MS Shell DlgP�N���&Clear this database before importingPA���Ȁ�aSecurity Template DescriptionMS Shell DlgP�i���&Description:D�P�0����P�L2���OKP�L2���Cancel���Ȁ��New Security TemplateMS Shell DlgP��������&Template name:��P�U���P*��������&Description:D�P4�0����P�p2���OKP�p2���Cancel���Ȁ��Local Security SettingMS Shell DlgP����������P'�����Audit file access$@)�
0���&Define these policy settings in the templateP8� t���Audit these attempts:$PG�
���&Success$PV�
���&Failure@#x�)YSysLink@
x������PA���Ȁ��Local Security SettingMS Shell DlgP����������P&�����Enable/disable attribute$@#�
0���&Define this policy setting in the template $P2�
����&Enabled $PA�
����Di&sabled@ Q�)YSysLink@ Q������PA���Ȁ�wLocal Security SettingMS Shell DlgP����������P'�����Edit numeric attribute$@)� 0���&Define this policy setting in the templateP8�<���&Lock out account after:� �PB-���4P7B�msctls_updown32Spin2PEE�����failed attemptsPU�����Static���Ȁ��Local Security SettingMS Shell DlgP����������P'�����Retention method for security log$@)�
0���&Define this policy setting in the template P8�
.���&Overwrite events by days PG�
4���O&verwrite events as needed $PV�
5���Do &not overwrite events (clear log manually)PA���Ȁ�jLocal Security SettingMS Shell DlgP����������P'�����Rename administrator account$@)�
0���&Define this policy setting in the template��P3�������Ȁ��Local Security SettingMS Shell DlgP����������P(�����Configure privilege grant list$@#�
0���&Define these policy settings in the template: �P8�g���P�d����Add &User or Group...Po�2����&Remove@ ��)YSysLink@�������PA�����gConfirm Setting ChangeMS Shell DlgPZR2���&YesP�R2���&NoP"�EYSysLink
P�������Ȁ�rLocal Security SettingMS Shell DlgP����������P&�����Dialog name$@)�
0���&Define this policy setting in the template!P3�=W���@ G�(YSysLink@I������PA���Ȁ�rTemplate Security Policy SettingMS Shell DlgP����������P&�����Dialog name$P)�
0���&Define this policy setting in the template!P3�=W���@ G�(YSysLink@I������PA���Ȁ��Analyzed Security Policy SettingMS Shell DlgP����������P'�����Dialog$PF�
0���&Define this policy in the database:!PP�PW���Pt�r���This setting affects the database only. It does not change current computer settings.P$�}���Computer setting:��P.��������ȀW�Suggested Value ChangesMS Shell DlgP5Y���Because the value of %s is now %s, the settings for the following items will be changed to the suggested values.�P$FPXSysListView32List1P�|2���OKP|2���&CancelPA���Ȁ��Security Policy SettingMS Shell DlgP����������P&�����Audit file access$P)�
0���&Define these policy settingsP8� t���Audit these attempts:$PG�
���&Success$PV�
���&Failure���Ȁ��Security Policy SettingMS Shell DlgP����������P'�����Enable/disable attribute$P#�
0���&Define this policy setting: $P2�
����&Enabled $PA�
����Di&sabled@ Q�)YSysLink@ Q������PA�������Configure Membership for <group>MS Shell DlgP��������&Members of this group: �P�H"����@�H����P�2$���&Add...P�#2%���&RemovePh�����&This group is a member of: �Pr�H ����@r�H����P�r2����A&dd...P��2����R&emove@0���@�������Ȁ�jSecurity Policy SettingMS Shell DlgP����������P&�����Rename administrator account$P)�
0���&Define this policy setting��P3�������Ȁ
��Security Policy SettingMS Shell DlgP����������P'�����Edit numeric attribute$P$� 0���&Define this policy settingP3�<���&Lock out account after:� �P=-���4P7=�msctls_updown32Spin2PE@�����failed attemptsPP�
����Static@ Z�(YSysLink@ \������PA���Ȁ��Security Policy SettingMS Shell DlgP�����������P'����� $P$�
~���&Configure this file or folder then $Pg����Do &not allow permissions on this file or folder to be replaced $P8�����&Propagate inheritable permissions to all subfolders and files $PM�3���&Replace existing permissions on all subfolders and files with inheritable permissionsP�P7���&Edit Security...$@0������Ȁ��Security Policy SettingMS Shell DlgP����������P(�����Configure privilege grant list$P#�
0���&Define these policy settings: �P2�g���P�d����Add &User or Group...Po�2����&Remove@ ��)YSysLink@�������PA���Ȁ�rSecurity Policy SettingMS Shell DlgP����������P'�����Dialog name$P)�
0���&Define this policy setting!P3�=W���@ G�(YSysLink@ I������PA���Ȁ��Security Policy SettingMS Shell DlgP����������P'�����Retention method for security log$P)�
0���&Define this policy setting P8�
.���&Overwrite events by days PG�
4���O&verwrite events as needed $PV�
5���Do &not overwrite events (clear log manually)@ d�(YSysLink@ f������PA���Ȁ��Security Policy SettingMS Shell DlgP����������P'�����Local disk manager$P)�
0���&Define this policy settingP8�/���Select service startup mode: $PG�
����A&utomatic $PV�
����&Manual $Pe�
����Di&sabledPyP3���&Edit Security...PA���Ȁ��Template Security Policy SettingMS Shell DlgP����������P'�����Multi SZ$P)�
0���&Define this policy setting in the template��P3�@������Ȁ��Analyzed Security Policy SettingMS Shell DlgP����������P'�����Multi SZ$PF�
0���&Define this policy in the database:��PP�9����P��r���This setting affects the database only. It does not change current computer settings.P$�}���Computer setting:��P.��������Ȁ��Local Policy SettingMS Shell DlgP����������P'�����Multi SZ$@)�
0���&Define this policy setting in the template��P3�@������Ȁ��Security Policy SettingMS Shell DlgP����������P'�����Multi SZ$P)�
0���&Define this policy setting in the template��P3�@������Ȁ��Template Security Policy SettingMS Shell DlgP����������P'�����Audit file access$P)�
0���&Define these policy settings in the templateP3�6�CHECKLIST_SCE���Ȁ��Analyzed Security Policy SettingMS Shell DlgP����������P'�����Audit file access$PK�
0���&Define this policy in the database:P��r���These settings affect the database only. They do not change current computer settings.P)�}���Computer setting:��P3�����PV�6�CHECKLIST_SCE���Ȁ��Local Security SettingMS Shell DlgP����������P'�����Audit file access$@)�
0���&Define these policy settings in the templateP3�6�CHECKLIST_SCE���Ȁ��Security Policy SettingMS Shell DlgP����������P'�����Audit file access$P)�
0���&Define these policy settingsP3�6�CHECKLIST_SCE���Ȁ
��Add ObjectMS Shell DlgP�����������P'����� $P$�
~���&Configure this file or folder then $Pg����Do &not allow permissions on this file or folder to be replaced $P8�����&Propagate inheritable permissions to all subfolders and files $PM�3���&Replace existing permissions on all subfolders and files with inheritable permissionsP�P7���&Edit Security...P��2���OKP��2���Cancel$@0�����@�H��PrecedenceMS Shell DlgP������P%�P�SysListView32Py������GPOs higher in the list have the highest priority.P�����P!��,����Pw�'�������Ȁ�wTemplate Security Policy SettingMS Shell DlgP����������P'�����$P)�
0���&Define this policy setting in the templateP8��������If the security descriptor is left blank after defining the policy setting in the template, the policy setting will not be enforced.PU��������&Security descriptor:��P^�����P�]FW���&Edit Security...PA���Ȁ�wTemplate Security Policy SettingMS Shell DlgP����������P'�����$@)�
0���&Define this policy setting in the templateP8��������If the security descriptor is left blank after defining the policy setting in the template, the policy setting will not be enforced.PU��������&Security descriptor:��P^�����P�]FW���&Edit Security...PA���Ȁ�wTemplate Security Policy SettingMS Shell DlgP����������P'�����$P)�
0���&Define this policy settingP8��������If the security descriptor is left blank after defining the policy setting in the template, the policy setting will not be enforced.PU��������&Security descriptor:��P^�����P�]FW���&Edit Security...PA���Ȁ��Analyzed Security Policy SettingMS Shell DlgP����������P'�����$PF�
0���&Define this policy in the database:��PR�����P�QFW���&Edit Security...Px�r���This setting affects the database only. It does not change current computer settings.P$�}���Computer setting:��P.��������Ȁ�ExplainMS Shell Dlg�P�������P�����SysLinkFor more information about security policy and related Windows features, <A>see the Microsoft website</A>.���Ȑ
|�Central Access Policies ConfigurationMS Shell DlgC �P�������P�H2�����&Add >S �P��������P�\2�����< &RemoveD�P�n�����P��������Available Central Access Policies:P���������Applicable Central Access Policies:P�d�������Description:P�2���OKPC�2���CancelWSecEdit Extension ClassNameDescriptionPolicyDatabase SettingComputer SettingSecurity Template TemplatesLast Configuration/Analysis>Security templates defined to configure or analyze a computer.Last Configuration/AnalysisSecurity PolicyUser Rights AssignmentRestricted GroupsSystem ServicesRegistryFile SystemUser rights assignmentsRestricted GroupsSystem service settingsRegistry security settingsFile system security settingsSecurity Templates(not saved)Security Settings%WSecEdit Security Configuration ClassWSecEdit Security Manager Class#Are you sure you want to delete %s?)Do you want to delete all selected items?m&Analyze Computer Now...
Compares the current computer settings against the security settings in the databaseF&Export Template...
Exports the base template for the current computer-Add Fi&les...
Adds new files to this templatep&New Template Search Path...
Adds a template location to the Security Templates' search path (.inf - INF format)'&New Template...
Creates a new template?&Remove Path
Removes the selected location from the search pathBRe&fresh
Updates this location to display recently added templatesUCon&figure Computer Now...
Configures the computer according to the selected template*Windows cannot import the template from %s.Save &As...
Saves the template with a new name?&Copy
Copies the selected template information to the Clipboard5&Paste
Pastes Clipboard information into the template
Source GPO&Refresh
Refreshes dataPA'Security is required to add this object+Windows cannot import the security templatePassword PolicyMaximum password age
daysMinimum password age
days"Minimum password length
characters-Enforce password history
passwords remembered*Password must meet complexity requirements'User must log on to change the passwordAccount Lockout Policy0Account lockout threshold
invalid logon attempts+Reset account lockout counter after
minutes Account lockout duration
minutes$Do you want to delete this template?The database is not loaded.6Network security: Force logoff when logon hours expirePA&Accounts: Rename administrator accountAccounts: Rename guest accountMReload
Reloads the local and effective policy tables from the policy database
Group Name Event Log!Maximum system log size
kilobytesRetention method for system logRetain system log
days#Maximum security log size
kilobytes!Retention method for security logRetain security log
days&Maximum application log size
kilobytes$Retention method for application logRetain application log
daysPA:Shut down the computer when the security audit log is fullAudit PolicyEvent Auditing ModeAudit system eventsAudit logon eventsAudit object accessAudit privilege useAudit policy changeAudit account managementAudit process trackingSecurity OptionsNot DefinedCannot add membersCannot display securityCannot add usersCannot add directory objectCannot add a folder -- MemberspThis file name contains some characters that can not be recognized by current system language. Please rename it.
PermissionAuditWindows cannot add a file.The template name is not valid.6An error occurred while exporting the stored template.!Windows cannot add a registry keyFull ControlModifyRead and ExecuteList Folder ContentsReadWriteTraverse Folder/Execute FileDeleteNoneFull ControlReadWriteQuery Value Set Value
Create SubkeyEnumerate SubkeysNotifyCreate LinkExecuteCannot create a thread2The following accounts could not be validated: %1

Log File NamePerform Security AnalysisSecurity policy settings(Security Configuration and Analysis
v1.0Security Configuration and Analysis is an administrative tool used to secure a computer and analyze security aspects. You can create or edit a security template, apply the security template, perform analyses based on a template, and display analysis results.Last analysis was performed on
)Base security configuration description:
RThe computer was configured by the following template.
Analysis was not performed.[The database has not been configured or analyzed using Security Configuration and Analysis.)About Security Configuration and AnalysisAbout Last Analysis-Add a Template Location to Security TemplatesObject NameInconsistent Values
Open Template Security Template (.inf)|*.inf||infOpen Error Log FilelogLog files (.log)|*.log||GSoftware\Microsoft\Windows NT\CurrentVersion\SecEdit\Template Locations"Windows cannot open template file.)Windows cannot read template information.{There is no analysis information in the selected database to display. Use the Analyze menu option to start using this tool.0 As neededBy daysManuallyEnabledDisabledOnOffNot DefinedPAMembers Member OfCLASSES_ROOTMACHINEUSERS SucceededPA
Unknown error\Security\Templates%Access this computer from the networkAllow log on locallyFailed to save &Save
Save the template4Software\Microsoft\Windows NT\CurrentVersion\SecEdit
Add Folder1Add &Folder...
Adds a new folder to this template+Add &Key...
Adds a new key to this template/Add &Group...
Adds a new group to this templateService NameStartupAnalyzed
Configured AutomaticManualOKInvestigatePADatabase Security for Last Analyzed Security for
Security for Full ControlReadWriteGroup MembershipMembers of this group Member OfMembersAccount Policies%Password and account lockout policiesLocal Policies3Auditing, user rights and security options policies Event Log#Event Log settings and Event ViewerAudit directory service accessAudit account logon events4Prevent local guests group from accessing system log6Prevent local guests group from accessing security log9Prevent local guests group from accessing application logAlwaysIgnoreReplaceLog on as a batch jobLog on as a serviceActive Directory Objects/Security management of Active Directory objectsFAdd Directory &Object
Adds an Active Directory object to this templateReadWriteList folder / Read dataRead attributesRead extended attributesCreate files / Write dataCreate folders / Append dataWrite attributesWrite extended attributesDelete subfolders and filesDeleteRead permissionsChange permissionsPATake ownershipSynchronizeRead, Write and ExecuteWrite and ExecuteTraverse / ExecuteThis folder only!This folder, subfolders and filesThis folder and subfoldersThis folder and filesSubfolders and files onlySubfolders only
Files only
This key onlyThis key and subkeysSubkeys onlyThis key and subkeysSubkeys onlyStart, stop and pauseQuery templateChange templateQuery statusEnumerate dependentsStartStopPause and continueInterrogateUser-defined controlFull controlReadWriteCreate childrenDelete children
List contentsAdd/remove selfRead propertiesWrite propertiesThis container only This container and subcontainersSubcontainers only([[Local Computer Policy Configuration ]]Account will not lock out.$Password can be changed immediately.No password required.Do not keep password history.Password will expire in:Password can be changed after:Password must be at least:PAKeep password history for:Account will lock out after:Account is locked out for:Overwrite events older than:Password will not expire.5Account is locked out until administrator unlocks it.+Store passwords using reversible encryptionKerberos PolicyEnforce user logon restrictions<Maximum tolerance for computer clock synchronization
minutes+Maximum lifetime for service ticket
minutes&Maximum lifetime for user ticket
hours-Maximum lifetime for user ticket renewal
days
Add MemberPA2There is not enough memory to display this section3No information is available about the last analysis&Windows cannot save changed templates.$Are you sure you want to delete %s ?#Security Configuration and AnalysisInvestigate8&Import Template...
Import a template into this database Windows cannot create or open %sLocate error log filesdb;Security Database Files (*.sdb)|*.sdb|All Files (*.*)|*.*||Apply Template to ComputerFError log file path to record the progress of configuring the computer&Security...Edit security for this itemPABSoftware\Microsoft\Windows NT\CurrentVersion\SecEdit\Configuration(&Security...
Edit security for this itemEnvironmentVariablesa%AppData%|%UserProfile%|%AllUsersProfile%|%ProgramFiles%|%SystemRoot%|%SystemDrive%|%Temp%|%Tmp%|2O&pen Database...
Open an existing or new database/&New Database...
Create and open a new databaseLSet Descri&ption...
Create a description for the templates in this directory
\help\sce.chmAll files (*.*)|*.*||Database: %s?An unknown error occurred when attempting to open the database.qBefore you can use the database, you must analyze it. On the Database menu, select the option to run an analysis.eThe database you are attempting to open does not exist. On the Database menu, click Import Template.PATThe database is corrupt. For information about fixing the database, see online Help.cThere is not enough memory available to load the database. Close some programs and then try again.�Access to the database is denied. Unless the permissions on the database have been changed, you must have administrative rights to use it.\Security\Database"Do you want to save changes to %s?�There is an existing imported template pending. To save, click Cancel, and then run an analysis or configuration before importing another template. To ignore the previous imported template, click OK.
All Selected FilesDeny log on locally-Deny access to this computer from the networkDeny log on as a serviceDeny log on as a batch job Add Group&Group:Not AnalyzedError AnalyzingNot DefinedSuggested SettingDLocal Policy ...
Create template file from the local policy settingsLEffective Policy ...
Create template file from the effective policy settings�<H2>Security Configuration and Analysis</H2> <H4>To Open an Existing Database</H4> <OL><LI ALIGN="LEFT" ID="OPEN_DATABASE_1">Right-click the <I>Security Configuration and Analysis</I> scope item <LI ALIGN="LEFT" ID="OPEN_DATABASE_2">Click <B>Open Database</B> <LI ALIGN="LEFT" ID="OPEN_DATABASE_3"> Select a database, and then click <b>Open</b></OL> <H4>To Create a New Database</H4><OL> <LI ALIGN="LEFT" ID="OPEN_DATABASE_4">Right-click the <I>Security Configuration and Analysis </I> scope item <LI ALIGN="LEFT" ID="OPEN_DATABASE_5"> Click <B>Open Database</B> <LI ALIGN="LEFT" ID="OPEN_DATABASE_6"> Type a new database name, and then click <b>Open</b> <LI ALIGN="LEFT" ID="OPEN_DATABASE_7">Select a security template to import, and then click <b>Open</b></OL>A<HTML DIR="ltr" ID="MAIN_HEADER"><BODY><FONT face="arial" size=2></FONT></BODY></HTML>7The database you are attempting to open does not exist.|You can create a new local policy database by choosing <B>Import Policy</B> from the <I>Security Settings</I> menu commands.#Access to database has been denied.vView Lo&g File
Toggle display of the log file or folder tree when Security Configuration and Analysis node is selected7<BR>You can now configure or analyze your computer by using the security settings in this database.<BR> <H4>To Configure Your Computer</H4><OL><LI ALIGN="LEFT" ID="NO_ANALYSIS_1">Right-click the <I>Security Configuration and Analysis</I> scope item<LI ALIGN="LEFT" ID="NO_ANALYSIS_2">Select <B>Configure Computer Now</B><LI ALIGN="LEFT" ID="NO_ANALYSIS_3">In the dialog, type the name of the log file you wish to view, and then click <B>OK</B></OL><B>NOTE:</B> After configuration is complete, you must perform an analysis to view the information in your database<BR><BR><H4>To Analyze Your Computer Security Settings</H4> <OL><LI ALIGN="LEFT" ID="NO_ANALYSIS_4">Right-click the <I>Security Configuration and Analysis</I> scope item<LI ALIGN="LEFT" ID="NO_ANALYSIS_5">Select <B>Analyze Computer Now</B><LI ALIGN="LEFT" ID="NO_ANALYSIS_6">In the dialog, type the log file path, and then click <B>OK</B></OL><BR><B>NOTE:</B> To view the log file created during a configuration or analysis, select <B>View Log File</B> on the <I>Security Configuration and Analysis</I> context menu. <h3> Error Reading Location</h3>Computer SettingPolicy Setting+Secure &Wizard...
Secure Server Role Wizard)Windows cannot import invalid template %sPA&Accounts: Administrator account statusAccounts: Guest account status Properties`The username is not valid. It is empty or it may not contain any of the following characters:
%1
No minimumHUser and group names may not contain any of the following characters:
%1.The system can not find the path specified:
%1=File name may not contain any of the following characters:
%1 A startup mode must be selected.�Object "%1" cannot be deleted because an open window is displaying its properties.
To delete this object, close that window and select "Delete" again.!Configure Membership for %.17s...#Reset account lockout counter after:Set Descri&ption...
Create a description for this template?Description may not contain any of the following characters:
%1Template SettingPolicy SettingPA=Make sure that you have the right permissions to this object."Make sure that this object exists.4The folder %1 cannot be used. Choose another folder.My ComputerThe file name is too long.Aspolsconcepts.chm::/html/2ff43721-e5fb-4e0c-b1a1-4ee3f414a3b7.htmPABFile name may not only contain any of the following characters:
%1A%1
This file name is a reserved device name.
Choose another name.The file type is not correct.TYou must be a member of the Administrators group to perform the requested operation.hThe file name %1 is not valid.
Reenter the file name in the correct format, such as c:\location\file.%2.:No mapping between account names and security IDs was doneQTo affect domain accounts, this setting must be defined in default domain policy.Local Security Policy%1%2%1%2
%3%1%2%1%2Special*Security Settings for Remote Access to SAM
Remote Access$Relax minimum password length limitsMinimum password length audit5Log audit events when new passwords are shorter than:.Security Settings for NETLOGON Secure ChannelsCreate Vulnerable ConnectionsCentral Access Policy2Central Access Policies applied to the file system!!Unknown policy!!:%1 %2PA#Allow Administrator account lockout5Security Settings for trusted computer account ownersTrusted Computer Account OwnersPA"Enforce password history

This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords.

This policy enables administrators to enhance security by ensuring that old passwords are not reused continually.

Default:

24 on domain controllers.

0 on stand-alone servers.

Note: By default, member computers follow the configuration of their domain controllers.

To maintain the effectiveness of the password history, do not allow passwords to be changed immediately after they were just changed by also enabling the Minimum password age security policy setting. For information about the minimum password age security policy setting, see Minimum password age..Maximum password age

This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.

Note: It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources.

Default: 42.�Minimum password age

This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0.

The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.

Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default.

Default:

1 on domain controllers.

0 on stand-alone servers.

Note: By default, member computers follow the configuration of their domain controllers.�Minimum password length

This security setting determines the least number of characters that a password for a user account may contain.

The maximum value for this setting is dependent on the value of the Relax minimum password length limits setting.

If the Relax minimum password length limits setting is not defined, this setting may be configured from 0 to 14.

If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14.

If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128.

Setting the required number of characters to 0 means that no password is required.

Note: By default, member computers follow the configuration of their domain controllers.

Default:

7 on domain controllers.

0 on stand-alone servers.

Configuring this setting than 14 may affect compatibility with clients, services, and applications. Microsoft recommends that you only configure this setting larger than 14 after using the Minimum password length audit setting to test for potential incompatibilities at the new setting.

For more information see https://go.microsoft.com/fwlink/?LinkId=2097191.

PAWPassword must meet complexity requirements

This security setting determines whether passwords must meet complexity requirements.

If this policy is enabled, passwords must meet the following minimum requirements:

Not contain the user's account name or parts of the user's full name that exceed two consecutive characters

Be at least six characters in length

Contain characters from three of the following four categories:

English uppercase characters (A through Z)

English lowercase characters (a through z)

Base 10 digits (0 through 9)

Non-alphabetic characters (for example, !, $, #, %)

Complexity requirements are enforced when passwords are changed or created.

Default:

Enabled on domain controllers.

Disabled on stand-alone servers.

Note: By default, member computers follow the configuration of their domain controllers.CStore passwords using reversible encryption

This security setting determines whether the operating system stores passwords using reversible encryption.

This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.

This policy is required when using Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS).

Default: Disabled.GAccount lockout duration

This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it.

If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time.

Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.ZAccount lockout threshold

This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out.

Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts.

Default: 0.�Reset account lockout counter after

This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes.

If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration.

Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.zEnforce user logon restrictions

This security setting determines whether the Kerberos V5 Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the user account. Validation of each request for a session ticket is optional, because the extra step takes time and it may slow network access to services.

Default: Enabled.xMaximum lifetime for service ticket

This security setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. The setting must be greater than 10 minutes and less than or equal to the setting for Maximum lifetime for user ticket.

If a client presents an expired session ticket when it requests a connection to a server, the server returns an error message. The client must request a new session ticket from the Kerberos V5 Key Distribution Center (KDC). Once a connection is authenticated, however, it no longer matters whether the session ticket remains valid. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket that is used to authenticate the connection expires during the connection.

Default: 600 minutes (10 hours).�Maximum lifetime for user ticket

This security setting determines the maximum amount of time (in hours) that a user's ticket-granting ticket (TGT) may be used.

Default: 10 hours.�Maximum lifetime for user ticket renewal

This security setting determines the period of time (in days) during which a user's ticket-granting ticket (TGT) may be renewed.

Default: 7 days.�Maximum tolerance for computer clock synchronization

This security setting determines the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the domain controller running Windows Server 2003 that provides Kerberos authentication.

To prevent "replay attacks," Kerberos V5 uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both computers must be set to the same time and date. Because the clocks of two computers are often out of sync, administrators can use this policy to establish the maximum acceptable difference to Kerberos V5 between a client clock and domain controller clock. If the difference between a client clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any time stamp that is used in a session between the two computers is considered to be authentic.

Important

This setting is not persistent on pre Vista platforms. If you configure this setting and then restart the computer, this setting reverts to the default value.

Default: 5 minutes.HAudit account logon events

This security setting determines whether the OS audits each time this computer validates an account s credentials.

Account logon events are generated whenever a computer validates the credentials of an account for which it is authoritative. Domain members and non-domain-joined machines are authoritative for their local accounts; domain controllers are all authoritative for accounts in the domain. Credential validation may be in support of a local logon, or, in the case of an Active Directory domain account on a domain controller, may be in support of a logon to another computer. Credential validation is stateless so there is no corresponding logoff event for account logon events.

If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures).

Default values on Client editions:

Credential Validation: No Auditing

Kerberos Service Ticket Operations: No Auditing

Other Account Logon Events: No Auditing

Kerberos Authentication Service: No Auditing

Default values on Server editions:

Credential Validation: Success

Kerberos Service Ticket Operations: Success

Other Account Logon Events: No Auditing

Kerberos Authentication Service: Success

Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see https://go.microsoft.com/fwlink/?LinkId=140969.TAudit account management

This security setting determines whether to audit each event of account management on a computer. Examples of account management events include:

A user account or group is created, changed, or deleted.

A user account is renamed, disabled, or enabled.

A password is set or changed.

If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.

Default values on Client editions:

User Account Management: Success

Computer Account Management: No Auditing

Security Group Management: Success

Distribution Group Management: No Auditing

Application Group Management: No Auditing

Other Account Management Events: No Auditing

Default values on Server editions:

User Account Management: Success

Computer Account Management: Success

Security Group Management: Success

Distribution Group Management: No Auditing

Application Group Management: No Auditing

Other Account Management Events: No Auditing

This security setting determines whether the OS audits user attempts to access Active Directory objects. Audit is only generated for objects that have system access control lists (SACL) specified, and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL.

The administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures).

If Success auditing is enabled, an audit entry is generated each time any account successfully accesses a Directory object that has a matching SACL specified.

If Failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a Directory object that has a matching SACL specified.

Default values on Client editions:

Directory Service Access: No Auditing

Directory Service Changes: No Auditing

Directory Service Replication: No Auditing

Detailed Directory Service Replication: No Auditing

Default values on Server editions:

Directory Service Access: Success

Directory Service Changes: No Auditing Directory

Service Replication: No Auditing

Detailed Directory Service Replication: No Auditing

This security setting determines whether the OS audits each instance of a user attempting to log on to or to log off to this computer.

Log off events are generated whenever a logged on user account's logon session is terminated. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures).

Default values on Client editions:

Logon: Success

Logoff: Success

Account Lockout: Success

IPsec Main Mode: No Auditing

IPsec Quick Mode: No Auditing

IPsec Extended Mode: No Auditing

Special Logon: Success

Other Logon/Logoff Events: No Auditing

Network Policy Server: Success, Failure

Default values on Server editions:

Logon: Success, Failure

Logoff: Success

Account Lockout: Success

IPsec Main Mode: No Auditing

IPsec Quick Mode: No Auditing

IPsec Extended Mode: No Auditing

Special Logon: Success

Other Logon/Logoff Events: No Auditing

Network Policy Server: Success, Failure

This security setting determines whether the OS audits user attempts to access non-Active Directory objects. Audit is only generated for objects that have system access control lists (SACL) specified, and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL.

The administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures).

If Success auditing is enabled, an audit entry is generated each time any account successfully accesses a non-Directory object that has a matching SACL specified.

If Failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a non-Directory object that has a matching SACL specified.

Note that you can set a SACL on a file system object using the Security tab in that object's Properties dialog box.

Default: No auditing.

This security setting determines whether the OS audits each instance of attempts to change user rights assignment policy, audit policy, account policy, or trust policy.

The administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures).

If Success auditing is enabled, an audit entry is generated when an attempted change to user rights assignment policy, audit policy, or trust policy is successful.

If Failure auditing is enabled, an audit entry is generated when an attempted change to user rights assignment policy, audit policy, or trust policy is attempted by an account that is not authorized to make the requested policy change.

Default:

Audit Policy Change: Success

Authentication Policy Change: Success

Authorization Policy Change: No Auditing

MPSSVC Rule-Level Policy Change: No Auditing

Filtering Platform Policy Change: No Auditing

Other Policy Change Events: No Auditing

This security setting determines whether to audit each instance of a user exercising a user right.

If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit this type of event at all. Success audits generate an audit entry when the exercise of a user right succeeds. Failure audits generate an audit entry when the exercise of a user right fails.

To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.

Default: No auditing.

Audits are not generated for use of the following user rights, even if success audits or failure audits are specified for Audit privilege use. Enabling auditing of these user rights tend to generate many events in the security log which may impede your computer's performance. To audit the following user rights, enable the FullPrivilegeAuditing registry key.

Bypass traverse checking

Debug programs

Create a token object

Replace process level token

Generate security audits

Back up files and directories

Restore files and directories

Caution

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

This security setting determines whether the OS audits process-related events such as process creation, process termination, handle duplication, and indirect object access.

If Success auditing is enabled, an audit entry is generated each time the OS performs one of these process-related activities.

If Failure auditing is enabled, an audit entry is generated each time the OS fails to perform one of these activities.

Default: No auditing\r

This security setting determines whether the OS audits any of the following events:

" Attempted system time change

" Attempted security system startup or shutdown

" Attempt to load extensible authentication components

" Loss of audited events due to auditing system failure

" Security log size exceeding a configurable warning threshold level.

If Success auditing is enabled, an audit entry is generated each time the OS performs one of these activities successfully.

If Failure auditing is enabled, an audit entry is generated each time the OS attempts and fails to perform one of these activities.

Default:

Security State Change Success

Security System Extension No Auditing

System Integrity Success, Failure

IPsec Driver No Auditing

Other System Events Success, Failure

This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.

Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.

Default on workstations and servers:

Administrators

Backup Operators

Users

Everyone

Default on domain controllers:

Administrators

Authenticated Users

Enterprise Domain Controllers

Everyone

Pre-Windows 2000 Compatible AccessUAct as part of the operating system

This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.

Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. If your organization only uses servers that are members of the Windows Server 2003 family, you do not need to assign this privilege to your users. However, if your organization uses servers running Windows 2000 or Windows NT 4.0, you might need to assign this privilege to use applications that exchange passwords in plaintext.

Caution

Assigning this user right can be a security risk. Only assign this user right to trusted users.

Default: None.cAdd workstations to domain

This security setting determines which groups or users can add workstations to a domain.

This security setting is valid only on domain controllers. By default, any authenticated user has this right and can create up to 10 computer accounts in the domain.

Adding a computer account to the domain allows the computer to participate in Active Directory-based networking. For example, adding a workstation to a domain enables that workstation to recognize accounts and groups that exist in Active Directory.

Default: Authenticated Users on domain controllers.

Note: Users who have the Create Computer Objects permission on the Active Directory computers container can also create computer accounts in the domain. The distinction is that users with permissions on the container are not restricted to the creation of only 10 computer accounts. In addition, computer accounts that are created by means of Add workstations to domain have Domain Administrators as the owner of the computer account, while computer accounts that are created by means of permissions on the computers container have the creator as the owner of the computer account. If a user has permissions on the container and also has the Add workstations to domain user right, the computer is added, based on the computer container permissions rather than on the user right.

�Adjust memory quotas for a process

This privilege determines who can change the maximum memory that can be consumed by a process.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Note: This privilege is useful for system tuning, but it can be misused, for example, in a denial-of-service attack.

Default: Administrators

Local Service

Network Service.

Log on locally

Determines which users can log on to the computer.

Important

Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website.

Default:

" On workstations and servers: Administrators, Backup Operators, Power Users, Users, and Guest.

" On domain controllers: Account Operators, Administrators, Backup Operators, and Print Operators. �Allow log on through Remote Desktop Services

This security setting determines which users or groups have permission to log on as a Remote Desktop Services client.

Default:

On workstation and servers: Administrators, Remote Desktop Users.

On domain controllers: Administrators.

Important

This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2.

UBack up files and directories

This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.

Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:

Traverse Folder/Execute File

List Folder/Read Data

Read Attributes

Read Extended Attributes

Read Permissions

Caution

Assigning this user right can be a security risk. Since there is no way to be sure that a user is backing up data, stealing data, or copying data to be distributed, only assign this user right to trusted users.

Default on workstations and servers: Administrators

Backup Operators.

Default on domain controllers:Administrators

Backup Operators

Server Operators

�Bypass traverse checking

This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Default on workstations and servers:

Administrators

Backup Operators

Users

Everyone

Local Service

Network Service

Default on domain controllers:

Administrators

Authenticated Users

Everyone

Local Service

Network Service

Pre-Windows 2000 Compatible Access

�Change the system time

This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Default on workstations and servers:

Administrators

Local Service

Default on domain controllers:

Administrators

Server Operators

Local Service

�Create a pagefile

This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users.

For information about how to specify a paging file size for a given drive, see To change the size of the virtual memory paging file.

Default: Administrators.

|Create a token object

This security setting determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token.

This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System.

Caution

Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.

Default: None

BCreate global objects

This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption.

Caution

Assigning this user right can be a security risk. Assign this user right only to trusted users.

Default:

Administrators

Local Service

Network Service

Service�Create permanent shared objects

This user right determines which accounts can be used by processes to create a directory object using the object manager.

This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it.

Default: None.PADebug programs

This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components.

Caution

Assigning this user right can be a security risk. Only assign this user right to trusted users.

Default: Administrators0Deny access to this computer from the network

This security setting determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.

Default: GuestDeny log on as a batch job

This security setting determines which accounts are prevented from being able to log on as a batch job. This policy setting supersedes the Log on as a batch job policy setting if a user account is subject to both policies.

Default: None.

vDeny log on as a service

This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies.

Note: This security setting does not apply to the System, Local Service, or Network Service accounts.

Default: None.fDeny log on locally

This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.

Important

If you apply this security policy to the Everyone group, no one will be able to log on locally.

Default: None.:Deny log on through Remote Desktop Services

This security setting determines which users and groups are prohibited from logging on as a Remote Desktop Services client.

Default: None.

Important

This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2.,Enable computer and user accounts to be trusted for delegation

This security setting determines which users can set the Trusted for Delegation setting on a user or computer object.

The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Caution

Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.

Default: Administrators on domain controllers.�Force shutdown from a remote system

This security setting determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Default:

On workstations and servers: Administrators.

On domain controllers: Administrators, Server Operators.XGenerate security audits

This security setting determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service if the Audit: Shut down system immediately if unable to log security audits security policy setting is enabled. For more information see Audit: Shut down system immediately if unable to log security audits

Default: Local Service

Network Service.�Impersonate a client after authentication

Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels.

Caution

Assigning this user right can be a security risk. Only assign this user right to trusted users.

Default:

Administrators

Local Service

Network Service

Service

Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started.

In addition, a user can also impersonate an access token if any of the following conditions exist.

The access token that is being impersonated is for this user.

The user, in this logon session, created the access token by logging on to the network with explicit credentials.

The requested level is less than Impersonate, such as Anonymous or Identify.

Because of these factors, users do not usually need this user right.

For more information, search for "SeImpersonatePrivilege" in the Microsoft Platform SDK.

Warning

If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.aIncrease scheduling priority

This security setting determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.

Default: Administrators.GLoad and unload device drivers

This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users.

Caution

Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.

Default on workstations and servers: Administrators.

Default on domain controllers:

Administrators

Print Operators`Lock pages in memory

This security setting determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).

Default: None.�Log on as a batch job

This security setting allows a user to be logged on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows.

For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user.

Default: Administrators

Backup Operators.dLog on as a service

This security setting allows a security principal to log on as a service. Services can be configured to run under the Local System, Local Service, or Network Service accounts, which have a built in right to log on as a service. Any service that runs under a separate user account must be assigned the right.

Default setting: None.�Manage auditing and security log

This security setting determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.

This security setting does not allow a user to enable file and object access auditing in general. For such auditing to be enabled, the Audit object access setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policies must be configured.

You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.

Default: Administrators.PASModify firmware environment values

This security setting determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.

On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system.

On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties.

On all computers, this user right is required to install or upgrade Windows.

Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. For information about how to modify these variables, see To add or change the values of environment variables.

Default: Administrators.�Perform volume maintenance tasks

This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation.

Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data.

Default: Administrators�Profile single process

This security setting determines which users can use performance monitoring tools to monitor the performance of non system processes.

Default: Administrators, Power users.�Profile system performance

This security setting determines which users can use performance monitoring tools to monitor the performance of system processes.

Default: Administrators.

�Remove computer from docking station

This security setting determines whether a user can undock a portable computer from its docking station without logging on.

If this policy is enabled, the user must log on before removing the portable computer from its docking station. If this policy is disabled, the user may remove the portable computer from its docking station without logging on.

Default: Administrators, Power Users, Users{Replace a process level token

This security setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another. An example of a process that uses this user right is Task Scheduler. For information about Task Scheduler, see Task Scheduler overview.

Default: Network Service, Local Service.^Restore files and directories

This security setting determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object.

Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:

Traverse Folder/Execute File

Write

Caution

Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users.

Default:

Workstations and servers: Administrators, Backup Operators.

Domain controllers: Administrators, Backup Operators, Server Operators.�Shut down the system

This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service.

Default on Workstations: Administrators, Backup Operators, Users.

Default on Servers: Administrators, Backup Operators.

Default on Domain controllers: Administrators, Backup Operators, Server Operators, Print Operators.�Synchronize directory service data

This security setting determines which users and groups have the authority to synchronize all directory service data. This is also known as Active Directory synchronization.

Defaults: None.�Take ownership of files or other objects

This security setting determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

Caution

Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users.

Default: Administrators.�Accounts: Administrator account status

This security setting determines whether the local Administrator account is enabled or disabled.

Notes

If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password.

Disabling the Administrator account can become a maintenance issue under certain circumstances.

Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled.

Default: Disabled.}Accounts: Guest account status

This security setting determines if the Guest account is enabled or disabled.

Default: Disabled.

Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail.BAccounts: Limit local account use of blank passwords to console logon only

This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard.

Default: Enabled.

Warning:

Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers.

If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services.

Notes

This setting does not affect logons that use domain accounts.

It is possible for applications that use remote interactive logons to bypass this setting.

Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.{Accounts: Rename administrator account

This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination.

Default: Administrator.VAccounts: Rename guest account

This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination.

Default: Guest.

nAudit: Audit the access of global system objects

This security setting determines whether to audit the access of global system objects.

If this policy is enabled, it causes system objects, such as mutexes, events, semaphores and DOS devices, to be created with a default system access control list (SACL). Only named objects are given a SACL; SACLs are not given to objects without names. If the Audit object access audit policy is also enabled, access to these system objects is audited.

Note: When configuring this security setting, changes will not take effect until you restart Windows.

Default: Disabled.Audit: Audit the use of Backup and Restore privilege

This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect. Enabling this option when the Audit privilege use policy is also enabled generates an audit event for every file that is backed up or restored.

If you disable this policy, then use of the Backup or Restore privilege is not audited even when Audit privilege use is enabled.

Note: On Windows versions prior to Windows Vista configuring this security setting, changes will not take effect until you restart Windows. Enabling this setting can cause a LOT of events, sometimes hundreds per second, during a backup operation.

Default: Disabled.

�Audit: Shut down system immediately if unable to log security audits

This security setting determines whether the system shuts down if it is unable to log security events.

If this security setting is enabled, it causes the system to stop if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the retention method that is specified for the security log is either Do Not Overwrite Events or Overwrite Events by Days.

If the security log is full and an existing entry cannot be overwritten, and this security option is enabled, the following Stop error appears:

STOP: C0000244 {Audit Failed}

An attempt to generate a security audit failed.

To recover, an administrator must log on, archive the log (optional), clear the log, and reset this option as desired. Until this security setting is reset, no users, other than a member of the Administrators group will be able to log on to the system, even if the security log is not full.

Note: On Windows versions prior to Windows Vista configuring this security setting, changes will not take effect until you restart Windows.

Default: Disabled.

�Devices: Allow undock without having to log on

This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer.

Default: Enabled.

Caution

Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable.

@Devices: Allowed to format and eject removable media

This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to:

Administrators

Administrators and Interactive Users

Default: This policy is not defined and only Administrators have this ability.

�Devices: Prevent users from installing printer drivers when connecting to shared printers

For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer.

Default on servers: Enabled.

Default on workstations: Disabled

Notes

This setting does not affect the ability to add a local printer.

This setting does not affect Administrators.

�Devices: Restrict CD-ROM access to locally logged-on user only

This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously.

If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network.

Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user.

Devices: Restrict floppy access to locally logged-on user only

This security setting determines whether removable floppy media are accessible to both local and remote users simultaneously.

If this policy is enabled, it allows only the interactively logged-on user to access removable floppy media. If this policy is enabled and no one is logged on interactively, the floppy can be accessed over the network.

Default: This policy is not defined and floppy disk drive access is not restricted to the locally logged-on user.

zDevices: Unsigned driver installation behavior

This security setting determines what happens when an attempt is made to install a device driver (by means of Setup API) that has not been tested by the Windows Hardware Quality Lab (WHQL).

The options are:

Silently succeed

Warn but allow installation

Do not allow installation

Default: Warn but allow installation.

�Domain controller: Allow server operators to schedule tasks

This security setting determines if Server Operators are allowed to submit jobs by means of the AT schedule facility.

Note: This security setting only affects the AT schedule facility; it does not affect the Task Scheduler facility.

Default: This policy is not defined, which means that the system treats it as disabled.

�Domain controller: LDAP server signing requirements

This security setting determines whether the LDAP server requires signing to be negotiated with LDAP clients, as follows:

None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.

Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.

Default: This policy is not defined, which has the same effect as None.

Caution

If you set the server to Require Signature, you must also set the client. Not setting the client results in loss of connection with the server.

Notes

This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL. No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a domain controller.

If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected. No Microsoft LDAP clients running Windows XP Professional or the Windows Server 2003 family use LDAP simple bind or LDAP simple bind through SSL to bind to directory service.

SDomain controller: Refuse machine account password changes

This security setting determines whether domain controllers will refuse requests from member computers to change computer account passwords. By default, member computers change their computer account passwords every 30 days. If enabled, the domain controller will refuse computer account password change requests.

If it is enabled, this setting does not allow a domain controller to accept any changes to a computer account's password.

Default: This policy is not defined, which means that the system treats it as Disabled.

1Domain member: Digitally encrypt or sign secure channel data (always)

This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.

When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.

This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:

Domain member: Digitally encrypt secure channel data (when possible)

Domain member: Digitally sign secure channel data (when possible)

Default: Enabled.

Notes:

If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.

Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.

sDomain member: Digitally encrypt secure channel data (when possible)

This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.

This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption.

Default: Enabled.

Important

There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.

Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.

"Domain member: Digitally sign secure channel data (when possible)

This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.

This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.

Default: Enabled.

Notes:

If the policy Domain member: Digitally encrypt or sign secure channel data (always) is enabled, then this policy is assumed to be enabled regardless of its current setting.

Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.

]Domain member: Maximum machine account password age

This security setting determines how often a domain member will attempt to change its computer account password.

Default: 30 days.

Important

This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.

lDomain member: Require strong (Windows 2000 or later) session key

This security setting determines whether 128-bit key strength is required for encrypted secure channel data.

When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup, and so on.

Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters:

Domain member: Digitally encrypt or sign secure channel data (always)

Domain member: Digitally encrypt secure channel data (when possible)

Some or all of the information that is transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that is encrypted.

If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed. If this setting is disabled, then the key strength is negotiated with the domain controller.

Default: Enabled.

Important

In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later.

In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.

qDomain member: Disable machine account password changes

Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.

Default: Disabled.

Notes

This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions.

This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.KInteractive logon: Don't display last signed-in

This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC.

If this policy is enabled, the username will not be shown.

If this policy is disabled, the username will be shown.

Default: Disabled.

�Interactive logon: Do not require CTRL+ALT+DEL

This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.

If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords.

If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows.

Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier.

Default on stand-alone computers: Enabled.

mInteractive logon: Message text for users attempting to log on

This security setting specifies a text message that is displayed to users when they log on.

This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.

Default: No message.

Interactive logon: Message title for users attempting to log on

This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on.

Default: No message.

�Interactive logon: Number of previous logons to cache (in case domain controller is not available)

Each unique user's logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they are able to log on. The cached logon information is stored from the previous logon session. If a domain controller is unavailable and a user's logon information is not cached, the user is prompted with this message:

There are currently no logon servers available to service the logon request.

In this policy setting, a value of 0 disables logon caching. Any value above 50 only caches 50 logon attempts. Windows supports a maximum of 50 cache entries and the number of entries consumed per user depends on the credential. For example, a maximum of 50 unique password user accounts can be cached on a Windows system, but only 25 smart card user accounts can be cached because both the password information and the smart card information are stored. When a user with cached logon information logs on again, the user s individual cached information is replaced.

Default:

Windows Server 2008: 25

All Other Versions: 10

!Interactive logon: Prompt user to change password before expiration

Determines how far in advance (in days) users are warned that their password is about to expire. With this advance warning, the user has time to construct a password that is sufficiently strong.

Default: 5 days.

�Interactive logon: Require Domain Controller authentication to unlock

Logon information must be provided to unlock a locked computer. For domain accounts, this security setting determines whether a domain controller must be contacted to unlock a computer. If this setting is disabled, a user can unlock the computer using cached credentials. If this setting is enabled, a domain controller must authenticate the domain account that is being used to unlock the computer.

Default: Enabled.

Important

This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.

�Interactive logon: Require Windows Hello for Business or smart card

This security setting requires users to sign-in to a device using Windows Hello for Business or a smart card.

The options are:

Enabled: Users can only sign-in to the device using Windows Hello for Business or a smart card.

Disabled or not configured: Users can sign-in to the device using any method.

Important

This setting applies to any computer running Windows 2000 through changes in the registry, but the security setting is not viewable through the Security Configuration Manager tool set.

Requiring Windows Hello for Business sign-in is not supported on Windows 10 v1607 or earlier.

`Interactive logon: Smart card removal behavior

This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.

The options are:

No Action

Lock Workstation

Force Logoff

Disconnect if a Remote Desktop Services session

If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.

If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed.

If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation.

Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.

Default: This policy is not defined, which means that the system treats it as No action.

On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started.

Microsoft network client: Digitally sign communications (always)

This security setting determines whether packet signing is required by the SMB client component.

The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.

If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.

Default: Disabled.

Important

For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees).

Notes

All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:

Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.

Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.

Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.

Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.

SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.

For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.

Microsoft network client: Digitally sign communications (if server agrees)

This security setting determines whether the SMB client attempts to negotiate SMB packet signing.

The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server.

If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.

Default: Enabled.

Notes

All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:

Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.

Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.

Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.

Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.

If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted.

SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.

For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.

yMicrosoft network client: Send unencrypted password to connect to third-party SMB servers

If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication.

Sending unencrypted passwords is a security risk.

Default: Disabled.Microsoft network server: Amount of idle time required before suspending a session

This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.

Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.

For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy.

Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.

�Microsoft network server: Digitally sign communications (always)

This security setting determines whether packet signing is required by the SMB server component.

The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent "man-in-the-middle" attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted.

If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server.

Default:

Disabled for member servers.

Enabled for domain controllers.

Notes

Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.

Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.

Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.

Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.

Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.

If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled.

SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.

Important

For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy:

Microsoft network server: Digitally sign communications (if server agrees)

For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server:

HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature

For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.

+
Microsoft network server: Digitally sign communications (if client agrees)

This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it.

The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it.

If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.

Default: Enabled on domain controllers only.

Important

For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature

Notes

All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:

Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.

Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.

Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.

Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.

If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted.

For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.

�Microsoft network server: Disconnect clients when logon hours expire

This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component.

When this policy is enabled, it causes client sessions with the SMB Service to be forcibly disconnected when the client's logon hours expire.

If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired.

Default on Windows Vista and above: Enabled.

Default on Windows XP: Disabled

ZNetwork access: Allow anonymous SID/name translation

This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user.

If this policy is enabled, an anonymous user can request the SID attribute for another user. An anonymous user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. This setting affects both the SID-to-name translation as well as the name-to-SID translation.

If this policy setting is disabled, an anonymous user cannot request the SID attribute for another user.

Default on workstations and member servers: Disabled.

Default on domain controllers running Windows Server 2008 or later: Disabled.

Default on domain controllers running Windows Server 2003 R2 or earlier: Enabled.�Network access: Do not allow anonymous enumeration of SAM accounts

This security setting determines what additional permissions will be granted for anonymous connections to the computer.

This security option allows additional restrictions to be placed on anonymous connections as follows:

Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.

Disabled: No additional restrictions. Rely on default permissions.

Default on workstations: Enabled.

Default on server:Enabled.

Important

This policy has no impact on domain controllers.

RNetwork access: Do not allow anonymous enumeration of SAM accounts and shares

This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed.

Default: Disabled.

�Network access: Do not allow storage of passwords and credentials for network authentication

This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication.

If you enable this setting, Credential Manager does not store passwords and credentials on the computer.

If you disable or do not configure this policy setting, Credential Manager will store passwords and credentials on this computer for later use for domain authentication.

Note: When configuring this security setting, changes will not take effect until you restart Windows.

Default: Disabled.

$Network access: Let Everyone permissions apply to anonymous users

This security setting determines what additional permissions are granted for anonymous connections to the computer.

Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. By Default, the Everyone security identifier (SID) is removed from the token created for anonymous connections. Therefore, permissions granted to the Everyone group do not apply to anonymous users. If this option is set, anonymous users can only access those resources for which the anonymous user has been explicitly given permission.

If this policy is enabled, the Everyone SID is added to the token that is created for anonymous connections. In this case, anonymous users are able to access any resource for which the Everyone group has been given permissions.

Default: Disabled.

�Network access: Named pipes that can be accessed anonymously

This security setting determines which communication sessions (pipes) will have attributes and permissions that allow anonymous access.

Default: None.

�Network access: Remotely accessible registry paths

This security setting determines which registry keys can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key.

Default:

System\CurrentControlSet\Control\ProductOptions

System\CurrentControlSet\Control\Server Applications

Software\Microsoft\Windows NT\CurrentVersion

Caution

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Note: This security setting is not available on earlier versions of Windows. The security setting that appears on computers running Windows XP, "Network access: Remotely accessible registry paths" corresponds to the "Network access: Remotely accessible registry paths and subpaths" security option on members of the Windows Server 2003 family. For more information, see Network access: Remotely accessible registry paths and subpaths.

Default:

System\CurrentControlSet\Control\ProductOptions

System\CurrentControlSet\Control\Server Applications

Software\Microsoft\Windows NT\CurrentVersionNetwork access: Remotely accessible registry paths and subpaths

This security setting determines which registry paths and subpaths can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key.

Default:

System\CurrentControlSet\Control\Print\Printers

System\CurrentControlSet\Services\Eventlog

Software\Microsoft\OLAP Server

Software\Microsoft\Windows NT\CurrentVersion\Print

Software\Microsoft\Windows NT\CurrentVersion\Windows

System\CurrentControlSet\Control\ContentIndex

System\CurrentControlSet\Control\Terminal Server

System\CurrentControlSet\Control\Terminal Server\UserConfig

System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration

Software\Microsoft\Windows NT\CurrentVersion\Perflib

System\CurrentControlSet\Services\SysmonLog

System\CurrentControlSet\Services\CertSvc

System\CurrentControlSet\Services\Wins

Caution

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Note: On Windows XP, this security setting was called "Network access: Remotely accessible registry paths." If you configure this setting on a member of the Windows Server 2003 family that is joined to a domain, this setting is inherited by computers running Windows XP, but will appear as the "Network access: Remotely accessible registry paths" security option. For more information, see Network access: Remotely accessible registry paths and subpaths.

>Network access: Restrict anonymous access to Named Pipes and Shares

When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:

Network access: Named pipes that can be accessed anonymously

Network access: Shares that can be accessed anonymously

Default: Enabled.

�Network access: Shares that can be accessed anonymously

This security setting determines which network shares can accessed by anonymous users.

Default: None specified.

&Network access: Sharing and security model for local accounts

This security setting determines how network logons that use local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. The Classic model allows fine control over access to resources. By using the Classic model, you can grant different types of access to different users for the same resource.

If this setting is set to Guest only, network logons that use local accounts are automatically mapped to the Guest account. By using the Guest model, you can have all users treated equally. All users authenticate as Guest, and they all receive the same level of access to a given resource, which can be either Read-only or Modify.

Default on domain computers: Classic.

Default on stand-alone computers: Guest only

Important

With the Guest only model, any user who can access your computer over the network (including anonymous Internet users) can access your shared resources. You must use the Windows Firewall or another similar device to protect your computer from unauthorized access. Similarly, with the Classic model, local accounts must be password protected; otherwise, those user accounts can be used by anyone to access shared system resources.

Note:

This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services

Remote Desktop Services was called Terminal Services in previous versions of Windows Server.

This policy will have no impact on computers running Windows 2000.

When the computer is not joined to a domain, this setting also modifies the Sharing and Security tabs in File Explorer to correspond to the sharing and security model that is being used.

�Network security: Do not store LAN Manager hash value on next password change

This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked.

Default on Windows Vista and above: Enabled

Default on Windows XP: Disabled.

Important

Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.

This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98.

�Network security: Force logoff when logon hours expire

When this policy is enabled, it causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire.

If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired.

Default: Enabled.

Note: This security setting behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy object (GPO), even if there is a different account policy applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member computers) also receive the same account policy for their local accounts. However, local account policies for member computers can be different from the domain account policy by defining an account policy for the organizational unit that contains the member computers. Kerberos settings are not applied to member computers.

�Network security: LAN Manager authentication level

This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:

Send LM & NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.

Send LM & NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).

Send NTLMv2 response only\refuse LM & NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).

Important

This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM.

Default:

Windows 2000 and windows XP: send LM & NTLM responses

Windows Server 2003: Send NTLM response only

Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only

Network security: LDAP client signing requirements

This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows:

None: The LDAP BIND request is issued with the options that are specified by the caller.

Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller.

Require signature: This is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is told that the LDAP BIND command request failed.

Caution

If you set the server to Require signature, you must also set the client. Not setting the client results in a loss of connection with the server.

Note: This setting does not have any impact on ldap_simple_bind or ldap_simple_bind_s. No Microsoft LDAP clients that are shipped with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to talk to a domain controller.

Default: Negotiate signing.

PA�Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:

Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated.

Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.

Default:

Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.

Windows 7 and Windows Server 2008 R2: Require 128-bit encryption

�Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:

Require NTLMv2 session security: The connection will fail if message integrity is not negotiated.

Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated.

Default:

Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.

Windows 7 and Windows Server 2008 R2: Require 128-bit encryption

�Recovery console: Allow automatic administrative logon

This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system.

Default: This policy is not defined and automatic administrative logon is not allowed.

�Recovery console: Allow floppy copy and access to all drives and all folders

Enabling this security option makes the Recovery Console SET command available, which allows you to set the following Recovery Console environment variables:

AllowWildCards: Enable wildcard support for some commands (such as the DEL command).

AllowAllPaths: Allow access to all files and folders on the computer.

AllowRemovableMedia: Allow files to be copied to removable media, such as a floppy disk.

NoCopyPrompt: Do not prompt when overwriting an existing file.

Default: This policy is not defined and the recover console SET command is not available.

gShutdown: Allow system to be shut down without having to log on

This security setting determines whether a computer can be shut down without having to log on to Windows.

When this policy is enabled, the Shut Down command is available on the Windows logon screen.

When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown.

Default on workstations: Enabled.

Default on servers: Disabled.

�Shutdown: Clear virtual memory pagefile

This security setting determines whether the virtual memory pagefile is cleared when the system is shut down.

Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile.

When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled.

Default: Disabled.

�System Cryptography: Force strong key protection for user keys stored on the computer

This security setting determines if users' private keys require a password to be used.

The options are:

User input is not required when new keys are stored and used

User is prompted when the key is first used

User must enter a password each time they use a key

For more information, see Public key infrastructure.

Default: This policy is not defined.

�System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms

For the Schannel Security Service Provider (SSP), this security setting disables the weaker Secure Sockets Layer (SSL) protocols and supports only the Transport Layer Security (TLS) protocols as a client and as a server (if applicable). If this setting is enabled, Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider uses only the FIPS 140 approved cryptographic algorithms: 3DES and AES for encryption, RSA or ECC public key cryptography for the TLS key exchange and authentication, and only the Secure Hashing Algorithm (SHA1, SHA256, SHA384, and SHA512) for the TLS hashing requirements.

For Encrypting File System Service (EFS), it supports the Triple Data Encryption Standard (DES) and Advanced Encryption Standard (AES) encryption algorithms for encrypting file data supported by the NTFS file system. By default, EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key in the Windows Server 2003 and Windows Vista family and DESX algorithm in Windows XP for encrypting file data. For information about EFS, see Encrypting File System.

For Remote Desktop Services, it supports only the Triple DES encryption algorithm for encrypting Remote Desktop Services network communication.

Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.

For BitLocker, this policy needs to be enabled before any encryption key is generated. Recovery passwords created when this policy is enabled are incompatible with BitLocker on Windows 8, Windows Server 2012, and earlier operating systems. If this policy is applied to computers running operating systems prior to Windows 8.1 and Windows Server 2012 R2, BitLocker will prevent the creation or use of recovery passwords; recovery keys should be used for those computers instead.

Default: Disabled.

Note: The Federal Information Processing Standard (FIPS) 140 is a security implementation designed for certifying cryptographic software. FIPS 140 validated software is required by the U.S. Government and requested by other prominent institutions.

XSystem objects: Default owner for objects created by members of the Administrators group

Description

This security setting determines which security principal (SID) will be assigned the OWNER of objects when the object is created by a member of the Administrators Group.

Default:

Windows XP: User SID

Windows 2003 : Administrators GroupSystem objects: Require case insensitivity for non-Windows subsystems

This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX.

If this setting is enabled, case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. Disabling this setting does not allow the Win32 subsystem to become case sensitive.

Default: Enabled.

�System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)

This security setting determines the strength of the default discretionary access control list (DACL) for objects.

Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted.

If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify shared objects that they did not create.

Default: Enabled.

$System settings: Optional subsystems

This security setting determines which subsystems can optionally be started up to support your applications. With this security setting, you can specify as many subsystems to support your applications as your environment demands.

Default: POSIX.

PSystem settings: Use Certificate Rules on Windows Executables for Software Restriction Policies

This security setting determines if digital certificates are processed when a user or process attempts to run software with an .exe file name extension. This security settings is used to enable or disable certificate rules, a type of software restriction policies rule. With software restriction policies, you can create a certificate rule that will allow or disallow software that is signed by Authenticode to run, based on the digital certificate that is associated with the software. In order for certificate rules to take effect, you must enable this security setting.

When certificate rules are enabled, software restriction policies will check a certificate revocation list (CRL) to make sure the software's certificate and signature are valid. This may decrease performance when start signed programs. You can disable this feature. On Trusted Publishers Properties, clear the Publisher and Timestamp check boxes. For more information, see Set trusted publisher options.

Default: Disabled.

vMaximum application log size

This security setting specifies the maximum size of the application event log, which has a theoretical maximum of 4 GB. Practically the limit is lower (~300MB).

Notes

Log file sizes must be a multiple of 64 KB. If you enter a value that is not a multiple of 64 KB, Event Viewer will round he log file size up to a multiple of 64 KB.

This setting does not appear in the Local Computer Policy object.

Event Log size and log wrapping should be defined to match the business and security requirements you determined when designing your enterprise security plan. Consider implementing these Event Log settings at the site, domain, or organizational unit level, to take advantage of Group Policy settings.

Default: For the Windows Server 2003 family, 16 MB; for Windows XP Professional Service Pack 1, 8 MB; for Windows XP Professional, 512 KB.

qMaximum security log size

This security setting specifies the maximum size of the security event log, which has a theoretical maximum of 4 GB. Practically the limit is lower (~300MB).

Notes

Log file sizes must be a multiple of 64 KB. If you enter a value that is not a multiple of 64 KB, Event Viewer will round he log file size up to a multiple of 64 KB.

This setting does not appear in the Local Computer Policy object.

Default: For the Windows Server 2003 family, 16 MB; for Windows XP Professional Service Pack 1, 8 MB; for Windows XP Professional, 512 KB.

mMaximum system log size

This security setting specifies the maximum size of the system event log, which has a theoretical maximum of 4 GB. Practically the limit is lower (~300MB).

Notes

Log file sizes must be a multiple of 64 KB. If you enter a value that is not a multiple of 64 KB, Event Viewer will round he log file size up to a multiple of 64 KB.

This setting does not appear in the Local Computer Policy object.

Default: For the Windows Server 2003 family, 16 MB; for Windows XP Professional Service Pack 1, 8 MB; for Windows XP Professional, 512 KB.

�Prevent local guests group and ANONYMOUS LOGIN users from accessing application log

This security setting determines if guests are prevented from accessing the application event log.

Notes

This setting does not appear in the Local Computer Policy object.

This security setting affects only computers running Windows 2000 and Windows XP.

Default: Enabled for Windows XP, Disabled for Windows 2000�Prevent local guests group and ANONYMOUS LOGIN users from accessing security log

This security setting determines if guests are prevented from accessing the application event log.

Notes

This setting does not appear in the Local Computer Policy object.

This security setting affects only computers running Windows 2000 and Windows XP.

Default: Enabled for Windows XP, Disabled for Windows 2000

�Prevent local guests group and ANONYMOUS LOGIN users from accessing system log

This security setting determines if guests are prevented from accessing the application event log.

Notes

This setting does not appear in the Local Computer Policy object.

This security setting affects only computers running Windows 2000 and Windows XP.

Default: Enabled for Windows XP, Disabled for Windows 2000

�Retain application log

This security setting determines the number of days' worth of events to be retained for the application log if the retention method for the application log is By Days.

Set this value only if you archive the log at scheduled intervals and you make sure that the Maximum application log size is large enough to accommodate the interval.

Note: This setting does not appear in the Local Computer Policy object.

Default: None.

Retain security log

This security setting determines the number of days' worth of events to be retained for the security log if the retention method for the security log is By Days.

Set this value only if you archive the log at scheduled intervals and you make sure that the Maximum security log size is large enough to accommodate the interval.

Notes

This setting does not appear in the Local Computer Policy object.

A user must possess the Manage auditing and security log user right to access the security log.

Default: None.

�Retain system log

This security setting determines the number of days' worth of events to be retained for the system log if the retention method for the system log is By Days.

Set this value only if you archive the log at scheduled intervals and you make sure that the Maximum system log size is large enough to accommodate the interval.

Note: This setting does not appear in the Local Computer Policy object.

Default: None.

JRetention method for application log

This security setting determines the "wrapping" method for the application log.

If you do not archive the application log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events as needed.

If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events by days and specify the appropriate number of days in the Retain application log setting. Make sure that the Maximum application log size is large enough to accommodate the interval.

If you must retain all the events in the log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Do not overwrite events (clear log manually). This option requires that the log be cleared manually. In this case, when the maximum log size is reached, new events are discarded.

Note: This setting does not appear in the Local Computer Policy object.

Default: None.

�Retention method for security log

This security setting determines the "wrapping" method for the security log.

If you do not archive the security log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events as needed.

If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events by days and specify the appropriate number of days in the retain security log setting. Make sure that the Maximum security log size is large enough to accommodate the interval.

Notes

This setting does not appear in the Local Computer Policy object.

A user must possess the Manage auditing and security log user right to access the security log.

Default: None.,Retention method for system log

This security setting determines the "wrapping" method for the system log.

If you do not archive the system log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events as needed.

If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events by days and specify the appropriate number of days in the Retain system log setting. Make sure that the Maximum system log size is large enough to accommodate the interval

.If you must retain all the events in the log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Do not overwrite events (clear log manually). This option requires that the log be cleared manually. In this case, when the maximum log size is reached, new events are discarded

Note: This setting does not appear in the Local Computer Policy object.

Default: None.
Restricted Groups

This security setting allows an administrator to define two properties for security-sensitive groups ("restricted" groups).

The two properties are Members and Member Of. The Members list defines who belongs and who does not belong to the restricted group. The Member Of list specifies which other groups the restricted group belongs to.

When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added.

You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. In addition, the reverse membership configuration option ensures that each Restricted Group is a member of only those groups that are specified in the Member Of column.

For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.

There are two ways to apply Restricted Groups policy:

Define the policy in a security template, which will be applied during configuration on your local computer.

Define the setting on a Group Policy object (GPO) directly, which means that the policy goes into effect with every refresh of policy. The security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller. The settings are also refreshed every 16 hours, whether or not there are any changes.

Default: None specified.

Caution

If a Restricted Groups policy is defined and Group Policy is refreshed, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators.

Notes

Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers.

An empty Members list means that the restricted group has no members; an empty Member Of list means that the groups to which the restricted group belongs are not specified.

System Services security settings

Allows an administrator to define the startup mode (manual, automatic, or disabled) as well as the access permissions (Start, Stop, or Pause) for all system services.

Default: Undefined.

Notes

This setting does not appear in the Local Computer Policy object.

If you choose to set system service startup to Automatic, perform adequate testing to verify that the services can start without user intervention.

For performance optimization, set unnecessary or unused services to Manual.

\Registry security settings

Allows an administrator to define access permissions (on discretionary access control lists (DACLs)) and audit settings (on system access control lists (SACLs)) for registry keys using Security Configuration Manager.

Default: Undefined.

Note: This setting does not appear in the Local Computer Policy object.

cFile System security settings

Allows an administrator to define access permissions (on discretionary access control lists (DACLs)) and audit settings (on system access control lists (SACLs)) for file system objects using Security Configuration Manager.

Default: Undefined.

Note: This setting does not appear in the Local Computer Policy object.

PAudit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.

Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category level, and existing group policy may override the subcategory settings of new machines as they are joined to the domain or upgraded to Windows Vista or later versions. To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool.

If the category level audit policy set here is not consistent with the events that are currently being generated, the cause might be that this registry key is set.

Default: EnabledUser Account Control: Use Admin Approval Mode for the built-in Administrator account

This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.

The options are:

" Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.

" Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege.

`DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax

This policy setting determines which users or groups can access DCOM application remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications.

You can use this policy setting to specify access permissions to all the computers to particular users for DCOM applications in the enterprise. When you specify the users or groups that are to be given permission, the security descriptor field is populated with the Security Descriptor Definition Language representation of those groups and privileges. If the security descriptor is left blank, the policy setting is defined in the template, but it is not enforced. Users and groups can be given explicit Allow or Deny privileges on both local access and remote access.

The registry settings that are created as a result of enabling the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting take precedence over (have higher priority) the previous registry settings in this area. Remote Procedure Call Services (RpcSs) checks the new registry keys in the Policies section for the computer restrictions, and these registry entries take precedence over the existing registry keys under OLE. This means that previously existing registry settings are no longer effective, and if you make changes to the existing settings, computer access permissions for users are not changed. Use care in configuring their list of users and groups.

The possible values for this policy setting are:

Blank: This represents the local security policy way of deleting the policy enforcement key. This value deletes the policy and then sets it as Not defined state. The Blank value is set by using the ACL editor and emptying the list, and then pressing OK.

SDDL: This is the Security Descriptor Definition Language representation of the groups and privileges you specify when you enable this policy.

Not Defined: This is the default value.

Note

If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in Windows, the administrator can use the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting to manage DCOM access to the computer. The administrator can specify which users and groups can access the DCOM application on the computer both locally and remotely by using this setting. This will restore control of the DCOM application to the administrator and users. To do this, open the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax setting, and click Edit Security. Specify the groups you want to include and the computer access permissions for those groups. This defines the setting and sets the appropriate SDDL value.

PA4
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax

This policy setting determines which users or groups can launch or activate DCOM applications remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications.

You can use this setting to grant access to all the computers to users of DCOM applications. When you define this setting, and specify the users or groups that are to be given permission, the security descriptor field is populated with the Security Descriptor Definition Language representation of those groups and privileges. If the security descriptor is left blank, the policy setting is defined in the template, but it is not enforced. Users and groups can be given explicit Allow or Deny privileges on local launch, remote launch, local activation, and remote activation.

The registry settings that are created as a result of this policy take precedence over the previous registry settings in this area. Remote Procedure Call Services (RpcSs) checks the new registry keys in the Policies section for the computer restrictions; these entries take precedence over the existing registry keys under OLE.

The possible values for this Group Policy setting are:

Blank: This represents the local security policy way of deleting the policy enforcement key. This value deletes the policy and then sets it to Not defined state. The Blank value is set by using the ACL editor and emptying the list, and then pressing OK.

SDDL: This is the Security Descriptor Definition Language representation of the groups and privileges you specify when you enable this policy.

Not Defined: This is the default value.

Note

If the administrator is denied access to activate and launch DCOM applications due to the changes made to DCOM in this version of Windows, this policy setting can be used for controlling the DCOM activation and launch to the computer. The administrator can specify which users and groups can launch and activate DCOM applications on the computer both locally and remotely by using the DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting. This restores control of the DCOM application to the administrator and specified users. To do this, open the DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax setting, and click Edit Security. Specify the groups you want to include and the computer launch permissions for those groups. This defines the setting and sets the appropriate SDDL value.

�User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

This policy setting controls the behavior of the elevation prompt for administrators.

The options are:

" Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments.

" Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.

" Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.

" Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.

" Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.

" Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.

�User Account Control: Behavior of the elevation prompt for standard users

This policy setting controls the behavior of the elevation prompt for standard users.

The options are:

" Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.

" Automatically deny elevation requests: When an operation requires elevation of privilege, an access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.

" Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.

FUser Account Control: Detect application installations and prompt for elevation

This policy setting controls the behavior of application installation detection for the computer.

The options are:

" Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.

" Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.

�User Account Control: Only elevate executable files that are signed and validated

This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.

The options are:

" Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run.

" Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.

�User Account Control: Only elevate UIAccess applications that are installed in secure locations

This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:

- & \Program Files\, including subfolders

- & \Windows\system32\

- & \Program Files (x86)\, including subfolders for 64-bit versions of Windows

Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.

The options are:

" Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.

" Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.

User Account Control: Turn on Admin Approval Mode

This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.

The options are:

" Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.

" Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.

+User Account Control: Switch to the secure desktop when prompting for elevation

This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.

The options are:

" Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.

" Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.

sUser Account Control: Virtualize file and registry write failures to per-user locations

This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.

The options are:

" Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.

" Disabled: Applications that write data to protected locations fail.

�Create Symbolic Links

This privilege determines if the user can create a symbolic link from the computer he is logged on to.

Default: Administrator

WARNING: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them.

Note

This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links.IModify an object label

This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.

Default: NoneZUser Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.

This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.

" Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.

" Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.

�This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users saved credentials might be compromised if this privilege is given to other entities.�Change the Time Zone

This user right determines which users and groups can change the time zone used by the computer for displaying the local time, which is the computer's system time plus the time zone offset. System time itself is absolute and is not affected by a change in the time zone.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of the workstations and servers.

Default: Administrators, Users_Increase a process working set

This privilege determines which user accounts can increase or decrease the size of a process s working set.

Default: Users

The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process.

Warning: Increasing the working set size for a process decreases the amount of physical memory available to the rest of the system.�Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers

This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server.

If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication.

If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer.

If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication.

This policy is supported on at least Windows 7 or Windows Server 2008 R2.

Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.

'Network security: Restrict NTLM: Incoming NTLM traffic

This policy setting allows you to deny or allow incoming NTLM traffic.

If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests.

If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon.

If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error.

This policy is supported on at least Windows 7 or Windows Server 2008 R2.

Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.

Network security: Restrict NTLM: NTLM authentication in this domain

This policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy does not affect interactive logon to this domain controller.

If you select "Disabled" or do not configure this policy setting, the domain controller will allow all NTLM pass-through authentication requests within the domain.

If you select "Deny for domain accounts to domain servers" the domain controller will deny all NTLM authentication logon attempts to all servers in the domain that are using domain accounts and return an NTLM blocked error unless the server name is on the exception list in the "Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain" policy setting.

If you select "Deny for domain account" the domain controller will deny all NTLM authentication logon attempts from domain accounts and return an NTLM blocked error unless the server name is on the exception list in the "Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain" policy setting.

If you select "Deny for domain servers" the domain controller will deny NTLM authentication requests to all servers in the domain and return an NTLM blocked error unless the server name is on the exception list in the "Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain" policy setting.

If you select "Deny all," the domain controller will deny all NTLM pass-through authentication requests from its servers and for its accounts and return an NTLM blocked error unless the server name is on the exception list in the "Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain" policy setting.

This policy is supported on at least Windows Server 2008 R2.

Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.

�Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication

This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured.

If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication.

If you do not configure this policy setting, no exceptions will be applied.

The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character.

0Network security: Restrict NTLM: Add server exceptions in this domain

This policy setting allows you to create an exception list of servers in this domain to which clients are allowed to use NTLM pass-through authentication if the "Network Security: Restrict NTLM: Deny NTLM authentication in this domain" is set.

If you configure this policy setting, you can define a list of servers in this domain to which clients are allowed to use NTLM authentication.

If you do not configure this policy setting, no exceptions will be applied.

The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the calling application listed one per line. A single asterisk (*) can be used at the beginning or end of the string as a wildcard character.

�Network security: Allow LocalSystem NULL session fallback

Allow NTLM to fall back to NULL session when used with LocalSystem.

The default is TRUE up to Windows Vista and FALSE in Windows 7.

�Network security: Configure encryption types allowed for Kerberos

This policy setting allows you to set the encryption types that Kerberos is allowed to use.

If not selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. Multiple selections are permitted.

This policy is supported on at least Windows 7 or Windows Server 2008 R2.

�Network security: Allow PKU2U authentication requests to this computer to use online identities.

This policy is disabled by default on Windows Server machines and always disabled on domain controllers. Disabling this policy prevents online identities from authenticating to these machines.

Prior to Windows 10 version 1607, this policy is disabled by default on domain joined machines. This policy is enabled by default on Windows versions beginning with Windows 10 1607.

Network security: Restrict NTLM: Audit Incoming NTLM Traffic

This policy setting allows you to audit incoming NTLM traffic.

If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic.

If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option.

If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option.

This policy is supported on at least Windows 7 or Windows Server 2008 R2.

Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.

TNetwork security: Restrict NTLM: Audit NTLM authentication in this domain

This policy setting allows you to audit NTLM authentication in a domain from this domain controller.

If you select "Disable" or do not configure this policy setting, the domain controller will not log events for NTLM authentication in this domain.

If you select "Enable for domain accounts to domain servers," the domain controller will log events for NTLM authentication logon attempts for domain accounts to domain servers when NTLM authentication would be denied because "Deny for domain accounts to domain servers" is selected in the "Network security: Restrict NTLM: NTLM authentication in this domain" policy setting.

If you select "Enable for domain accounts," the domain controller will log events for NTLM authentication logon attempts that use domain accounts when NTLM authentication would be denied because "Deny for domain accounts" is selected in the "Network security: Restrict NTLM: NTLM authentication in this domain" policy setting.

If you select "Enable for domain servers" the domain controller will log events for NTLM authentication requests to all servers in the domain when NTLM authentication would be denied because "Deny for domain servers" is selected in the "Network security: Restrict NTLM: NTLM authentication in this domain" policy setting.

If you select "Enable all" the domain controller will log events for NTLM pass-through authentication requests from its servers and for its accounts which would be denied because "Deny all" is selected in the "Network security: Restrict NTLM: NTLM authentication in this domain" policy setting.

This policy is supported on at least Windows Server 2008 R2.

Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.

xNetwork security: Allow Local System to use computer identity for NTLM

This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication.

If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.

If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.

By default, this policy is enabled on Windows 7 and above.

By default, this policy is disabled on Windows Vista.

This policy is supported on at least Windows Vista or Windows Server 2008.

Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy.

2Microsoft network server: Server SPN target name validation level

This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol.

The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2.

This security setting determines the level of validation a SMB server performs on the service principal name (SPN) provided by the SMB client when trying to establish a session to an SMB server.

The options are:

Off the SPN is not required or validated by the SMB server from a SMB client.

Accept if provided by client the SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server s list of SPN s for itself. If the SPN does NOT match, the session request for that SMB client will be denied.

Required from client - the SMB client MUST send a SPN name in session setup, and the SPN name provided MUST match the SMB server that is being requested to establish a connection. If no SPN is provided by client, or the SPN provided does not match, the session is denied.

Default: Off

All Windows operating systems support both a client-side SMB component and a server-side SMB component. This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities. Additional information on implementing and using this to secure your SMB servers can be found at the Microsoft website (https://go.microsoft.com/fwlink/?LinkId=144505).�Microsoft network server: Attempt S4U2Self to obtain claim information

This security setting is to support clients running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-For-User-To-Self (S4U2Self) functionality to obtain a network client principal s claims from the client s account domain. This setting should only be set to enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts may be in a domain which has client computers and domain controllers running a version of Windows prior to Windows 8.

This setting should be set to automatic (default) so that the file server can automatically evaluate whether claims are needed for the user. An administrator would want to set this setting explicitly to Enabled only if there are local file access policies that include user claims.

When enabled this security setting will cause the Windows file server to examine the access token of an authenticated network client principal and determine if claim information is present. If claims are not present the file server will then use the Kerberos S4U2Self feature to attempt to contact a Windows Server 2012 domain controller in the client s account domain, and obtain a claims-enabled access token for the client principal. A claims-enabled token may be needed to access files or folders which have claim-based access control policy applied.

If this setting is disabled, the Windows file server will not attempt to obtain a claim-enabled access token for the client principal.

Default: Automatic.Accounts: Block Microsoft accounts

This setting prevents using the Settings app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services.

There are two options if this setting is enabled:

" Users can t add Microsoft accounts means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the Settings app to add new connected accounts (or connect local accounts to Microsoft accounts).

" Users can t add or log on with Microsoft accounts means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through Settings.

This setting does not affect adding a Microsoft account for application authentication. For example, if this setting is enabled, a user can still provide a Microsoft account for authentication with an application such as Mail, but the user cannot use the Microsoft account for single sign-on authentication for other applications or services (in other words, the user will be prompted to authenticate for other applications or services).

By default, this setting is Not defined.�Interactive logon: Machine account threshold.

This security setting determines the number of failed logon attempts that causes the machine to reboot. Machines with Bitlocker enabled for protecting OS volumes will be locked out and can only be recovered by providing a recovery key at console. Please ensure that the appropriate recovery policies are enabled.

You can set the value between 1 and 999 failed logon attempts. If you set the value to 0, the machine will never be locked out. Values from 1 to 3 will be interpreted as 4.

Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password protected screen savers counts as failed logon attempts.

Default: 0.�Interactive logon: Machine inactivity limit.

Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.

Default: not enforced.�Obtain an impersonation token for another user in the same session.

Assigning this privilege to a user allows programs running on behalf of that user to obtain an impersonation token of other users who interactively logged on within the same session provided the caller has an impersonation token of the session user. Not applicable within desktop windows client/server where every user gets a separate session.Network access: Restrict clients allowed to make remote calls to SAM

This policy setting allows you to restrict remote rpc connections to SAM.

If not selected, the default security descriptor will be used.

This policy is supported on at least Windows Server 2016.

�Interactive logon: Don't display username at sign-in

This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown.

If this policy is enabled, the username will not be shown.

If this policy is disabled, the username will be shown.

Default: Disabled.

AInteractive logon: Display user information when the session is locked

This setting controls whether details such as email address or domain\username appear with the username on the sign-in screen. For clients that run Windows 10 version 1511 and 1507 (RTM), this setting works similarly to previous versions of Windows. Due to a new Privacy setting in Windows 10 version 1607, this setting affects those clients differently.

Changes in Windows 10 version 1607

Beginning with version 1607, new functionality was added to Windows 10 to hide username details such as email address by default, with the ability to change the default to show the details. This functionality is controlled by a new Privacy setting in Settings > Accounts > Sign-in options. The Privacy setting is off by default, which hides the details.

This Group Policy setting controls the same functionality.

This setting has these possible values:

- User display name, domain and user names: For a local logon, the user's full name is displayed. If the user signed in using a Microsoft Account, the user's email address is displayed. For a domain logon, the domain\username is displayed.

- User display name only: The full name of the user who locked the session is displayed.

- Domain and user names only: For a domain logon only, the domain\username is displayed. The privacy setting in Settings > Accounts > Sign-in options is automatically on and grayed out.

- Do not display user information: No names are displayed, but for all versions of Windows before Windows 10, the full names of users will be displayed on the Switch user desktop. Beginning with Windows 10 version 1607, this option is not supported. If this option is chosen, the full name of the user who locked the session is displayed instead. This change makes this setting consistent with the functionality of the new Privacy setting. To have no user information displayed, enable the Group Policy setting Interactive logon: Don't display last signed-in.

- Blank: Default setting. This translates to "Not defined" but it will display the user's full name in the same manner as the option User display name only.

Hotfix for Windows 10 version 1607

Clients that run Windows 10 version 1607 will not show details on the sign-in screen even if the User display name, domain and user names option is chosen because the Privacy setting is off. If the Privacy setting is turned on, details will show.

The Privacy setting cannot be changed for clients in bulk. Instead, apply KB 4013429 to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows.

Interaction with Block user from showing account details on sign-in

For all versions of Windows 10, only the user display name is shown by default.

If Block user from showing account details on sign-in is set, then only the user display name is shown regardless of any other Group Policy settings. Users will not be able to show details.

If Block user from showing account details on sign-in is not set, then you can set Interactive logon: Display user information when the session is locked to User display name, domain and user names to show additional details such as domain\username. In this case, clients that run Windows 10 version 1607 need KB 4013429 applied. Users will not be able to hide additional details.

Best practices

Your implementation of this policy depends on your security requirements for displayed logon information. If you run computers that store sensitive data, with monitors displayed in unsecured locations, or if you have computers with sensitive data that are remotely accessed, revealing logged on user's full names or domain account names might contradict your overall security policy.

Depending on your security policy, you might want to enable the Interactive logon: Don't display last signed-in policy.

!Relax minimum password length legacy limits

This setting controls whether the minimum password length setting can be increased beyond the legacy limit of 14.

If this setting is not defined, minimum password length may be configured to a maximum of 14.

If this setting is defined and disabled, minimum password length may be configured to a maximum of 14.

If this setting is defined and enabled, minimum password length may be configured higher than 14.

For more information see https://go.microsoft.com/fwlink/?LinkId=2097191.

@Minimum password length audit

This security setting determines the minimum password length for which password length audit warning events are issued. This setting may be configured from 1 to 128.

You should only enable and configure this setting when trying to determine the potential impact of increasing the minimum password length setting in your environment.

If this setting is not defined, audit events will not be issued.

If this setting is defined and is less than or equal to the minimum password length setting, audit events will not be issued.

If this setting is defined and is greater than the minimum password length setting, and the length of a new account password is less than this setting, an audit event will be issued.

For more information see https://go.microsoft.com/fwlink/?LinkId=2097191.

Domain controller: LDAP server channel binding token requirements

This security setting determines whether the LDAP server enforces validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections, as follows:

Never: No channel binding validation is performed. This is the behavior of all servers that have not been updated.

When supported: Clients that advertise support for Channel Binding Tokens must provide the correct token when authenticating over TLS/SSL connections; clients that do not advertise such support and/or do not use TLS/SSL connections are not impacted. This is an intermediate option that allows for application compatibility.

Always: All clients must provide channel binding information over LDAPS. The server rejects LDAPS authentication requests from clients that do not do so.

Default: This policy is not defined, which has the same effect as When Supported.

For more details and information on this configuration setting, please see https://go.microsoft.com/fwlink/?linkid=2102405.

Notes: The When Supported option only protects those clients that do support Extended Protection for Authentication; clients that do not may still be vulnerable until they are patched and/or configured. When this policy is set to Always, XP/2k3/Vista/Server 2008 systems will not be able to authenticate over TLS/SSL connections by default until Extended Protection for Authentication is enabled as per: https://docs.microsoft.com/en-us/security-updates/securityadvisories/2009/973811

Domain controller: Allow vulnerable Netlogon secure channel connections

This security setting determines whether the domain controller bypasses secure RPC for Netlogon secure channel connections for specified machine accounts.

This policy should be applied to all domain controllers in a forest by enabling the policy on the domain controllers OU.

When the Create Vulnerable Connections list (allow list) is configured:

- Given allow permission, the domain controller will allow accounts to use a Netlogon secure channel without secure RPC.

- Given deny permission, the domain controller will require accounts to use a Netlogon secure channel with secure RPC which is the same as the default (not necessary).

Warning! Enabling this policy will expose your domain-joined devices and can expose your Active Directory forest to risk. This policy should be used as a temporary measure for 3rd party devices as you deploy updates. Once a 3rd party device is updated to support using secure RPC with Netlogon secure channels, the account should be removed from the Create Vulnerable Connections list. To better understand the risk of configuring accounts to be allowed to use vulnerable Netlogon secure channel connections, please visit https://go.microsoft.com/fwlink/?linkid=2133485.

Default: This policy is not configured. No machines or trust accounts are explicitly exempt from secure RPC with Netlogon secure channel connections enforcement.

This policy is supported on at least Windows Server 2008 R2.

�Allow Administrator account lockout

This security setting determines whether the builtin Administrator account is subject to account lockout policy.�Domain controller: Allow computer account re-use during domain join

This security setting determines whether the domain controller will allow a client identity to attempt to re-use an existing computer account owned by a different identity during domain join.

By default, the following owners are trusted: Administrators and the user performing the domain join.

When this policy is configured with a list of trusted users or groups, the domain controller will allow a client to re-use a computer account that is owned by a member of the specified group or specified identity during domain join.

This policy should be applied to all domain controllers in a domain by enabling the policy on the Domain Controllers OU.

�You are about to change the security settings for this service. Changing the default security for the service could cause problems due to inconsistent configuration between this service and other services that rely on it.

Do you want to continue?PASecurity Templates�You are about to import new template information into the local computer policy for this computer. Doing so will change your computer security settings. Do you want to continue?Configuring Computer SecurityACurrent Security Configuration Database: Local Policy Database %s<Current Security Configuration Database: Private Database %sGenerating analysis information
Import FailedSubitems defined
Not AvailableNew ServiceConfiguring:7Add &File...
Adds a new file or folder to this template(Add this file or folder to the template:Add a file or folderMicrosoft Corporation10.0dSecurity Templates is an MMC snap-in that provides editing capabilities for security template files.�Security Configuration and Analysis is an MMC snap-in that provides security configuration and analysis for Windows computers using security template files.�The Security Settings Extension snap-in extends the Group Policy snap-in and helps you define security policies for computers in your domain.A&Import Policy...
Import a template file into this policy object.=E&xport policy...
Export template from this policy to a file.4File %s already exists.
Do you want to overwrite it?SuccessFailureNo auditing#Windows cannot update the policies.Windows cannot copy the sectionSelect File to Add
Open databaseCreate DatabaseExport Policy ToImport Policy FromImport TemplateExport Template ToSecurity Setting.Windows cannot open the local policy database.Local Policy Database�The local security settings database cannot be edited from the Security Configuration and Analysis snap-in. Use the Group Policy snap-in to edit the local security settings..\help\75393cf0-f17a-453d-98a9-592b009289c2.chm.\help\1da6be45-e97d-4584-bbf9-356d319f20c2.chm.\help\941b4573-563f-45fd-8a2f-0b8a197a5d2c.chm@\help\sceconcepts.chm::/75393cf0-f17a-453d-98a9-592b009289c2.htm@\help\scmconcepts.chm::/1da6be45-e97d-4584-bbf9-356d319f20c2.htmPAC\help\secsetconcepts.chm::/941b4573-563f-45fd-8a2f-0b8a197a5d2c.htmhThere are new policy settings on your computer. Do you want to update your view of the effective policy?Computer setting on %s%This database couldn't be created because no template file was selected.
<H4>To Open an Existing Database</H4><OL><LI ALIGN="LEFT" ID="NO_TEMPLATE_GIVEN_1">Right click on the <I>Security Configuration and Analysis</I> scope item. <LI ALIGN="LEFT" ID="NO_TEMPLATE_GIVEN_2">Choose <B>Open Database</B> <LI ALIGN="LEFT" ID="NO_TEMPLATE_GIVEN_3"> Choose a database and press OPEN</OL> <H4>To Create a New Database</H4><OL> <LI ALIGN="LEFT" ID="NO_TEMPLATE_GIVEN_4">Right click on the <I>Security Configuration and Analysis </I> scope item. <LI ALIGN="LEFT" ID="NO_TEMPLATE_GIVEN_5"> Choose <B>Open Database</B>. <LI ALIGN="LEFT" ID="NO_TEMPLATE_GIVEN_6"> Type in a new database name and press OPEN. <LI ALIGN="LEFT" ID="NO_TEMPLATE_GIVEN_7">Choose a security configuration file to import and press OPEN.</OL>I&Replace existing permissions on all subkeys with inheritable permissions1&Propagate inheritable permissions to all subkeys4&Do not allow permissions on this key to be replacedConfigure Membership for %sTicket expires in:Ticket doesn't expire.Ticket renewal expires in:Ticket renewal is disabled.Maximum tolerance:Maximum tolerance:Not Applicable&<This group should contain no members>?<The groups to which this group belongs should not be modified>User and group namesAdd User or GroupDo not disconnect clients:"Disconnect when idle time exceeds:Do not cache logons:Cache:7Begin prompting this many days before password expires:7Begin prompting this many days before password expires:&Configure this key then*Could not save global location description#Could not save location description!Reload
Reload the security policy'Save changes to %1 before reloading it?Local Security Settings WSecEdit Security Settings Class&WSecEdit Local Security Settings ClassC\help\secsetconcepts.chm::/941b4573-563f-45fd-8a2f-0b8a197a5d2c.htmC\help\secsetconcepts.chm::/941b4573-563f-45fd-8a2f-0b8a197a5d2c.htmRThe Local Security Settings snap-in helps you define security on the local system.C\help\secsetconcepts.chm::/941b4573-563f-45fd-8a2f-0b8a197a5d2c.htm%WSecEdit RSOP Security Settings Class�The RSOP Security Settings Extension snap-in extends the RSOP snap-in and helps you view resultant security policies for computers in your domain.&Apply�The Group Policy security settings that apply to this machine could not be determined.
The error returned when trying to retrieve these settings from the local security policy database (%%windir%%\security\database\secedit.sdb) was: %s
All local security settings will be displayed, but no indication will be given as to whether or not a given security setting is defined by Group Policy.
Any local security setting modified through this User Interface may subsequently be overridden by domain-level policies.{The Group Policy security settings that apply to this machine could not be determined.
The error received when trying to retrieve these settings from the local policy database (%%windir%%\security\database\secedit.sdb) was: %s
All local security settings will be displayed, but no indication will be given as to whether or not a given security setting is defined by Group Policy.
Log file: Policy NamePASetting$The policy %1 was correctly applied.�There was an error configuring a child of this object. (or The policy engine attempted and failed to configure the child of a specific policy setting.) For more information, see %windir%\security\logs\winlogon.log�The policy %1 resulted in the following error %2. For more information, see %windir%\security\logs\winlogon.log on the target machine.�The policy %1 resulted in an invalid status and was logged. See %%windir%%\security\logs\winlogon.log on the target machine for more information.�The policy engine did not attempt to configure the setting. For more information, see %windir%\security\logs\winlogon.log on the target machine.&View Security...:Couldn't export template to %1.
The error returned was: %2"Save changes to Security Database?+Deny log on through Remote Desktop Services,Allow log on through Remote Desktop Services!Couldn't add template search path\Security\LogsQThe security portion of this group policy may only be edited on the PDC Emulator.�This setting is not compatible with computers running Windows 2000 Service Pack 1 or earlier. Apply Group Policy objects containing this setting only to computers running a later version of the operating system.+Close all property pages before deleting %1Value must be between %d and %d4Network access: Allow anonymous SID/Name translation5Administrators must be granted the logon local right.FYou cannot deny all users or administrator(s) from logging on locally.#Some accounts cannot be translated.PTo apply your changes or close this property sheet, close all secondary windows.VThe window cannot be opened. Windows cannot create a UI thread for the property sheet.@\help\lpeconcepts.chm::/29a1325e-50b4-4963-a36e-979caa9ea094.htmWhat's this?sct.\help\29a1325e-50b4-4963-a36e-979caa9ea094.chm$Value must be between %d and %d or 0MThis setting affects only operating systems earlier than Windows Server 2003.\Modifying this setting may affect compatibility with clients, services, and applications.
%1.For more information, see <A>%1</A>. (Q%2!lu!)�You are about to change this setting to a value that may affect compatibility with clients, services, and applications.

Do you want to continue with the change?`Administrators and SERVICE must be granted the impersonate client after authentication privilegelThis setting might not be enforced if other policy is configured to override category level audit policy.
%1OFor more information, see <A>%1</A> in the Security Policy Technical Reference.No explain text for this actionMachine will be locked afterPAUManage Central Access Policies...
Add/Remove Central Access Policies to this template7This Access Policy includes the following Policy rules:Status<Downloading central access policies from active directory...6Error: Central access policies could not be downloadedReady...!!Unknown Policy!!:�This central access policy could not be found. It may have been deleted from Active Directory or have invalid settings. Restore this policy in Active Directory Administrative Center (AD AC) or remove it from the configuration.PAJAccounts: Limit local account use of blank passwords to console logon only0Audit: Audit the access of global system objects4Audit: Audit the use of Backup and Restore privilegeDAudit: Shut down system immediately if unable to log security audits6Devices: Prevent users from installing printer drivers.Devices: Allow undock without having to log on;Domain controller: Allow server operators to schedule tasks:Domain controller: Refuse machine account password changes3Domain controller: LDAP server signing requirementsNoneRequire signing7Domain member: Disable machine account password changes3Domain member: Maximum machine account password ageEDomain member: Digitally encrypt or sign secure channel data (always)DDomain member: Digitally encrypt secure channel data (when possible)ADomain member: Digitally sign secure channel data (when possible)ADomain member: Require strong (Windows 2000 or later) session key.Interactive logon: Do not require CTRL+ALT+DEL/Interactive logon: Don't display last signed-inPAFInteractive logon: Display user information when the session is locked(User display name, domain and user namesUser display name onlyDo not display user information>Interactive logon: Message text for users attempting to log on?Interactive logon: Message title for users attempting to log onbInteractive logon: Number of previous logons to cache (in case domain controller is not available)CInteractive logon: Prompt user to change password before expirationQInteractive logon: Require Domain Controller authentication to unlock workstationCInteractive logon: Require Windows Hello for Business or smart card.Interactive logon: Smart card removal behavior No ActionLock WorkstationForce Logoff6Disconnect if a remote Remote Desktop Services session@Microsoft network client: Digitally sign communications (always)JMicrosoft network client: Digitally sign communications (if server agrees)NMicrosoft network client: Send unencrypted password to third-party SMB serversPMicrosoft network server: Amount of idle time required before suspending session@Microsoft network server: Digitally sign communications (always)JMicrosoft network server: Digitally sign communications (if client agrees)DMicrosoft network server: Disconnect clients when logon hours expire\Network access: Do not allow storage of passwords and credentials for network authenticationBNetwork access: Do not allow anonymous enumeration of SAM accountsMNetwork access: Do not allow anonymous enumeration of SAM accounts and sharesANetwork access: Let Everyone permissions apply to anonymous usersCNetwork access: Restrict anonymous access to Named Pipes and Shares<Network access: Named Pipes that can be accessed anonymously7Network access: Shares that can be accessed anonymously@Network access: Remotely accessible registry paths and sub-paths2Network access: Remotely accessible registry paths=Network access: Sharing and security model for local accountsPA0Classic - local users authenticate as themselves.Guest only - local users authenticate as GuestMNetwork security: Do not store LAN Manager hash value on next password change2Network security: LAN Manager authentication levelSend LM & NTLM responses:Send LM & NTLM - use NTLMv2 session security if negotiatedSend NTLM response onlySend NTLMv2 response only$Send NTLMv2 response only. Refuse LM+Send NTLMv2 response only. Refuse LM & NTLM\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients\Network security: Minimum session security for NTLM SSP based (including secure RPC) serversRequire NTLMv2 session securityRequire 128-bit encryptionPA2Network security: LDAP client signing requirementsNoneNegotiate signingRequire signing6Recovery console: Allow automatic administrative logonLRecovery console: Allow floppy copy and access to all drives and all folders?Shutdown: Allow system to be shut down without having to log on'Shutdown: Clear virtual memory pagefile_System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)XSystem objects: Default owner for objects created by members of the Administrators groupAdministrators groupObject creatorESystem objects: Require case insensitivity for non-Windows subsystemsWSystem cryptography: Use FIPS compliant algorithms for encryption, hashing, and signingUSystem cryptography: Force strong key protection for user keys stored on the computer<User input is not required when new keys are stored and used+User is prompted when the key is first used3User must enter a password each time they use a key_System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies$System settings: Optional subsystemslogonsdaysminutessecondsZDCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntaxZDCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax>Devices: Restrict CD-ROM access to locally logged-on user only4Devices: Allowed to format and eject removable mediaAdministratorsAdministrators and Power Users$Administrators and Interactive Users>Devices: Restrict floppy access to locally logged-on user onlyPArAudit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settingsHNetwork security: Restrict NTLM: Outgoing NTLM traffic to remote servers Allow allDeny all6Network security: Restrict NTLM: Incoming NTLM traffic Allow allDeny all domain accountsDeny all accountsCNetwork security: Restrict NTLM: NTLM authentication in this domainDisable*Deny for domain accounts to domain serversDeny for domain accountsDeny for domain serversDeny allUNetwork security: Restrict NTLM: Add remote server exceptions for NTLM authenticationENetwork security: Restrict NTLM: Add server exceptions in this domain9Network security: Allow LocalSystem NULL session fallbackANetwork security: Configure encryption types allowed for KerberosDES_CBC_CRCDES_CBC_MD5RC4_HMAC_MD5AES128_HMAC_SHA1AES256_HMAC_SHA1Future encryption typesdNetwork security: Allow PKU2U authentication requests to this computer to use online identities.

Audit all<Network security: Restrict NTLM: Audit Incoming NTLM TrafficINetwork security: Restrict NTLM: Audit NTLM authentication in this domainFNetwork security: Allow Local System to use computer identity for NTLMDisable#Enable auditing for domain accountsPA Enable auditing for all accountsDisable,Enable for domain accounts to domain serversEnable for domain accountsEnable for domain servers
Enable allAMicrosoft network server: Server SPN target name validation levelOffAccept if provided by clientRequired from clientFMicrosoft network server: Attempt S4U2Self to obtain claim informationDefaultEnabledDisabled"Accounts: Block Microsoft accountsThis policy is disabledPA"Users can't add Microsoft accounts1Users can't add or log on with Microsoft accounts4Interactive logon: Machine account lockout threshold+Interactive logon: Machine inactivity limitinvalid logon attemptsDNetwork access: Restrict clients allowed to make remote calls to SAM4Interactive logon: Don't display username at sign-inDomain and user names only
charactersADomain controller: LDAP server channel binding token requirementsNeverWhen supportedAlwaysGDomain controller: Allow vulnerable Netlogon secure channel connectionsCDomain controller: Allow computer account re-use during domain join�4VS_VERSION_INFO��
!|O
!|O?StringFileInfo�040904B0LCompanyNameMicrosoft Corporationj!FileDescriptionSecurity Configuration UI Modulen'FileVersion10.0.20348.2849 (WinBuild.160101.0800)2 InternalNameWSECEDIT�.LegalCopyright� Microsoft Corporation. All rights reserved.JOriginalFilenameWSecEdit.dll.muij%ProductNameMicrosoft� Windows� Operating SystemDProductVersion10.0.20348.2849DVarFileInfo$Translation �PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING