Name | Allowed Permissions | Inherited
NT AUTHORITY\Authenticated Users | Read (from Security Filtering) | No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read | No
NT AUTHORITY\SYSTEM | Edit settings, delete, modify security | No
localdomain\Domain Admins | Edit settings, delete, modify security | No
localdomain\Domain Computers | Read (from Security Filtering) | No
localdomain\Domain Controllers | Read (from Security Filtering) | No
localdomain\Domain Users | Read (from Security Filtering) | No
localdomain\Enterprise Admins | Edit settings, delete, modify security | No
Computer Configuration (Enabled)
Windows Settings
Security Settings
Account Policies/Password Policy
Policy | Setting
Enforce password history | 24 passwords remembered
Maximum password age | 90 days
Minimum password age | 30 days
Minimum password length | 14 characters
Password must meet complexity requirements | Enabled
Store passwords using reversible encryption | Disabled
Account Policies/Account Lockout Policy
Policy | Setting
Account lockout duration | 30 minutes
Account lockout threshold | 5 invalid logon attempts
Reset account lockout counter after | 30 minutes
Account Policies/Kerberos Policy
Policy | Setting
Enforce user logon restrictions | Enabled
Maximum lifetime for service ticket | 600 minutes
Maximum lifetime for user ticket | 10 hours
Maximum lifetime for user ticket renewal | 34 days
Maximum tolerance for computer clock synchronization | 5 minutes
Local Policies/Audit Policy
Policy | Setting
Audit account logon events | Success, Failure
Audit account management | Failure
Audit directory service access | Failure
Audit logon events | Success, Failure
Audit object access | Failure
Audit policy change | Failure
Audit privilege use | Failure
Audit process tracking | Failure
Audit system events | Failure
Local Policies/User Rights Assignment
Policy | Setting
Add workstations to domain | BUILTIN\Administrators
Deny log on locally | time
Take ownership of files or other objects | BUILTIN\Administrators
Local Policies/Security Options
Accounts
Policy | Setting
Accounts: Administrator account status | Enabled
Accounts: Guest account status | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled
Accounts: Rename guest account | "NoGuests"
Audit
Policy | Setting
Audit: Audit the access of global system objects | Enabled
Audit: Audit the use of Backup and Restore privilege | Enabled
Audit: Shut down system immediately if unable to log security audits | Disabled
Devices
Policy | Setting
Devices: Allow undock without having to log on | Disabled
Devices: Allowed to format and eject removable media | Administrators
Devices: Prevent users from installing printer drivers | Disabled
Devices: Restrict CD-ROM access to locally logged-on user only | Enabled
Devices: Restrict floppy access to locally logged-on user only | Enabled
Devices: Unsigned driver installation behavior | Warn but allow installation
Domain Controller
Policy | Setting
Domain controller: Allow server operators to schedule tasks | Enabled
Domain controller: LDAP server signing requirements | None
Domain controller: Refuse machine account password changes | Disabled
Domain Member
Policy | Setting
Domain member: Digitally encrypt secure channel data (when possible) | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled
Domain member: Disable machine account password changes | Disabled
Domain member: Maximum machine account password age | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Enabled
Interactive Logon
Policy | Setting
Interactive logon: Do not display last user name | Enabled
Interactive logon: Do not require CTRL+ALT+DEL | Disabled
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 10 logons
Interactive logon: Prompt user to change password before expiration | 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Enabled
Interactive logon: Require smart card | Disabled
Interactive logon: Smart card removal behavior | No Action
Microsoft Network Client
Policy | Setting
Microsoft network client: Digitally sign communications (if server agrees) | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled
Microsoft Network Server
Policy | Setting
Microsoft network server: Amount of idle time required before suspending session | 30 minutes
Microsoft network server: Digitally sign communications (if client agrees) | Enabled
Microsoft network server: Disconnect clients when logon hours expire | Enabled
Network Access
Policy | Setting
Network access: Allow anonymous SID/Name translation | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled
Network access: Let Everyone permissions apply to anonymous users | Disabled
Network access: Named Pipes that can be accessed anonymously | COMNAP, COMNODE, SPOOLSS, LLSRPC, BROWSER, netlogon, lsarpc, samr
Network access: Shares that can be accessed anonymously | COMCFG, DFS$
Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves
Network Security
Policy | Setting
Network security: Do not store LAN Manager hash value on next password change | Enabled
Network security: Force logoff when logon hours expire | Enabled
Network security: LAN Manager authentication level | Send NTLMv2 response only
Network security: LDAP client signing requirements | Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Enabled
    Require message integrity | Disabled
    Require message confidentiality | Disabled
    Require NTLMv2 session security | Enabled
    Require 128-bit encryption | Disabled
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Enabled
    Require message integrity | Disabled
    Require message confidentiality | Disabled
    Require NTLMv2 session security | Enabled
    Require 128-bit encryption | Disabled
Recovery Console
Policy | Setting
Recovery console: Allow automatic administrative logon | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Disabled
Shutdown
Policy | Setting
Shutdown: Allow system to be shut down without having to log on | Disabled
Shutdown: Clear virtual memory pagefile | Enabled
System Cryptography
Policy | Setting
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled
System Objects
Policy | Setting
System objects: Default owner for objects created by members of the Administrators group | Administrators group
System objects: Require case insensitivity for non-Windows subsystems | Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled
Other
Policy | Setting
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax | "O:BAG:BAD:(A;;CCDC;;;AN)(A;;CCDCLC;;;S-1-5-32-562)(A;;CCDCLC;;;WD)"
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax | "O:BAG:BAD:(A;;CCDCLCSWRP;;;BA)(A;;CCDCSW;;;WD)(A;;CCDCLCSWRP;;;S-1-5-32-562)"
Interactive logon: Display user information when the session is locked | Do not display user information
Registry Values
Policy | Setting
MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection | 1
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine | System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional | Posix
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess | 1
Event Log
Policy | Setting
Prevent local guests group from accessing application log | Enabled
Prevent local guests group from accessing security log | Enabled
Prevent local guests group from accessing system log | Enabled
System Services
Abel (Startup Mode: Disabled)
    Permissions
        Type | Name | Permission
        Allow | NT AUTHORITY\INTERACTIVE | Read
        Allow | NT AUTHORITY\SYSTEM | Full Control
    Auditing
        Type | Name | Access
        Failure | Everyone | Full Control
Alerter (Startup Mode: Disabled)
    Permissions: No permissions specified
    Auditing: No auditing specified
ClipBook (Startup Mode: Disabled)
    Permissions: No permissions specified
    Auditing: No auditing specified
Messenger (Startup Mode: Disabled)
    Permissions: No permissions specified
    Auditing: No auditing specified
Telnet (Startup Mode: Disabled)
    Permissions: No permissions specified
    Auditing: No auditing specified
Public Key Policies/Autoenrollment Settings
Policy | Setting
Enroll certificates automatically | Enabled
Renew expired certificates, update pending certificates, and remove revoked certificates | Enabled
Update certificates that use certificate templates | Enabled
Public Key Policies/Encrypting File System
Properties
Policy | Setting
Allow users to encrypt files using Encrypting File System (EFS) | Enabled
Public Key Policies/Trusted Root Certification Authorities
Properties
Policy | Setting
Allow users to select new root certification authorities (CAs) to trust | Enabled
Client computers can trust the following certificate stores | Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria | Registered in Active Directory only
Administrative Templates
Network
Policy | Setting
Sets how often a DFS Client discovers DC's | Enabled
    Time in minutes: 15
Network/Background Intelligent Transfer Service
Policy | Setting
Maximum network bandwidth that BITS uses | Enabled
    Limit BITS transfer rate (Kbps) to: 25
    From 8 AM to 5 PM
    At all other times:
        Use all available unused bandwidth | Disabled
        OR
        Limit BITS transfer rate (Kbps) to: 50
Timeout (days) for inactive jobs | Enabled
    Inactive Job Timeout in Days: 10
Network/Offline Files
Policy | Setting
Allow or Disallow use of the Offline Files feature | Disabled
Remove 'Make Available Offline' | Enabled
Turn off reminder balloons | Enabled
System/Error Reporting
Policy | Setting
Configure Error Reporting | Enabled
    Do not display links to any Microsoft provided 'more information' web sites. | Enabled
    Do not collect additional files | Disabled
    Do not collect additional machine data | Disabled
    Force queue mode for application errors | Disabled
    Corporate upload file path:
    Replace instances of the word 'Microsoft' with:
Display Error Notification | Disabled
System/Error Reporting/Advanced Error Reporting settings
Policy | Setting
Default application reporting settings | Enabled
    Default: Report all application errors
    Report all errors in Microsoft applications. | Enabled
    Report all errors in Windows components. | Enabled
Report operating system errors | Enabled
System/Group Policy
Policy | Setting
Disallow Interactive Users from generating Resultant Set of Policy data | Disabled
Group Policy refresh interval for computers | Enabled
    This setting allows you to customize how often Group Policy is applied to computers. The range is 0 to 64800 minutes (45 days).
    Minutes: 90
    This is a random time added to the refresh interval to prevent all clients from requesting Group Policy at the same time. The range is 0 to 1440 minutes (24 hours).
    Minutes: 30
Group Policy refresh interval for domain controllers | Enabled
    This setting allows you to customize how often Group Policy is applied to domain controllers. The range is 0 to 64800 minutes (45 days).
    Minutes: 5
    This is a random time added to the refresh interval to prevent all clients from requesting Group Policy at the same time. The range is 0 to 1440 minutes (24 hours).
    Minutes: 0
Remove users' ability to invoke machine policy refresh | Disabled
Scripts policy processing | Enabled
    Allow processing across a slow network connection | Enabled
    Do not apply during periodic background processing | Disabled
    Process even if the Group Policy objects have not changed | Disabled
Security policy processing | Enabled
    Do not apply during periodic background processing | Disabled
    Process even if the Group Policy objects have not changed | Enabled
Turn off background refresh of Group Policy | Disabled
Turn off Resultant Set of Policy logging | Disabled
System/Logon
Policy | Setting
Always use classic logon | Enabled
Don't display the Getting Started welcome screen at logon | Enabled
System/Remote Assistance
Policy | Setting
Offer Remote Assistance | Disabled
Solicited Remote Assistance | Disabled
System/Scripts
Policy | Setting
Maximum wait time for Group Policy scripts | Enabled
    Seconds: 600
    Range is 0 to 32000, use 0 for infinite wait time
Run startup scripts asynchronously | Enabled
System/Windows Time Service
Policy | Setting
Global Configuration Settings | Enabled
    Clock Discipline Parameters
        FrequencyCorrectRate | 4
        HoldPeriod | 5
        LargePhaseOffset | 1280000
        MaxAllowedPhaseOffset | 300
        MaxNegPhaseCorrection | 54000
        MaxPosPhaseCorrection | 54000
        PhaseCorrectRate | 1
        PollAdjustFactor | 5
        SpikeWatchPeriod | 90
        UpdateInterval | 30000
    General Parameters
        AnnounceFlags | 10
        EventLogFlags | 2
        LocalClockDispersion | 10
        MaxPollInterval | 15
        MinPollInterval | 10
System/Windows Time Service/Time Providers
Policy | Setting
Configure Windows NTP Client | Enabled
    NtpServer | pool.ntp.org,0x1
    Type | NTP
    CrossSiteSyncFlags | 2
    ResolvePeerBackoffMinutes | 15
    ResolvePeerBackoffMaxTimes | 7
    SpecialPollInterval | 3600
    EventLogFlags | 0
Enable Windows NTP Client | Enabled
Enable Windows NTP Server | Enabled
Windows Components/Internet Explorer
Policy | Setting
Add a specific list of search providers to the user's search provider list | Enabled
Disable changing Automatic Configuration settings | Enabled
Disable changing proxy settings | Disabled
Disable Periodic Check for Internet Explorer software updates | Enabled
Disable showing the splash screen | Enabled
Disable software update shell notifications on program launch | Enabled
Prevent participation in the Customer Experience Improvement Program | Enabled
Prevent performance of First Run Customize settings | Enabled
    Select your choice | Go directly to home page
Restrict search providers to a specific list of providers | Enabled
Turn off Managing Phishing filter | Enabled
    Select phishing filter mode | Automatic
Windows Components/NetMeeting
Policy | Setting
Disable remote Desktop Sharing | Enabled
Windows Components/RSS Feeds
Policy | Setting
Turn off the feed list | Enabled
Windows Components/Terminal Services
Policy | Setting
Enforce Removal of Remote Desktop Wallpaper | Enabled
Windows Components/Terminal Services/Client/Server data redirection
Policy | Setting
Allow audio redirection | Enabled
Do not allow client printer redirection | Enabled
Do not allow COM port redirection | Enabled
Do not allow drive redirection | Enabled
Do not allow LPT port redirection | Enabled
Do not set default client printer to be default printer in a session | Enabled
Windows Components/Terminal Services/Encryption and Security/RPC Security Policy
Policy | Setting
Secure Server (Require Security) | Enabled
Windows Components/Terminal Services/Sessions
Policy | Setting
Set time limit for disconnected sessions | Enabled
    End a disconnected session | 2 days
Sets a time limit for active but idle Terminal Services sessions | Enabled
    Idle session limit: 2 days
Sets a time limit for active Terminal Services sessions | Enabled
    Active session limit: 2 days
Windows Components/Windows Messenger
Policy | Setting
Do not allow Windows Messenger to be run | Enabled
Do not automatically start Windows Messenger initially | Enabled
User Configuration (Enabled)
Windows Settings
Internet Explorer Maintenance
Browser User Interface/Customized Title Bar
Title Bar Text | Microsoft