
Windows Default Security and Services Configuration


Page 1: Windows Default Security and Services Configuration

Computer Configuration
Software Settings

Software installation
Windows Settings

Scripts (Startup/Shutdown)
Security Settings

Account Policies
Password Policy

Enforce password history

Maximum password age
Minimum password age
Minimum password length

Passwords must meet complexity requirements
Store password using reversible encryption for all users in the domain

Account Lockout Policy
Account lockout duration
Account lockout threshold

Reset account lockout counter after
Kerberos Policy

Enforce user logon restrictions
Maximum lifetime for service ticket
Maximum lifetime for user ticket
Maximum lifetime for user ticket renewal
Maximum tolerance for computer clock synchronization

Local Policies
Audit Policy

Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events

User Rights Assignment

Policy setting as it appears in the Group Policy Editor of Windows Server 2003

[Cell H37] Kurt Dillard: The user rights below are followed by the name used by many command line tools. This information was provided as a reference for your convenience.
Page 2: Windows Default Security and Services Configuration

Access this computer from the network (SeNetworkLogonRight)

Act as part of the operating system (SeTcbPrivilege)
Add workstations to domain (SeMachineAccountPrivilege)

Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

Allow logon locally (SeInteractiveLogonRight)

Allow logon Through Terminal Services (SeRemoteInteractiveLogonRight)

Back up files and directories (SeBackupPrivilege)

Bypass traverse checking (SeChangeNotifyPrivilege)

Change the system time (SeSystemTimePrivilege)

Create a pagefile (SeCreatePagefilePrivilege)

Create a token object (SeCreateTokenPrivilege)
Create global objects (SeCreateGlobalPrivilege)

Debug programs (SeDebugPrivilege)

Deny access to this computer from the network (SeDenyNetworkLogonRight)

Create permanent shared objects (SeCreatePermanentPrivilege)

[Cell H42] "Log on locally" in Windows XP
Page 3: Windows Default Security and Services Configuration

Deny logon as a batch job (SeDenyBatchLogonRight)
Deny logon as a service (SeDenyServiceLogonRight)
Deny logon locally (SeDenyInteractiveLogonRight)

Deny log on Through Terminal Services (SeDenyRemoteInteractiveLogonRight)

Force shutdown from a remote system (SeRemoteShutdownPrivilege)

Generate security audits (SeAuditPrivilege)

Impersonate a client after authentication (SeImpersonatePrivilege)

Increase scheduling priority (SeIncreaseBasePriorityPrivilege)
Load and unload device drivers (SeLoadDriverPrivilege)

Lock pages in memory (SeLockMemoryPrivilege)
Log on as a batch job (SeBatchLogonRight)

Log on as a service (SeServiceLogonRight)

Manage auditing and security log (SeSecurityPrivilege)
Modify firmware environment values (SeSystemEnvironmentPrivilege)
Perform Volume Maintenance Tasks (SeManageVolumePrivilege)
Profile single process (SeProfileSingleProcessPrivilege)

Profile system performance (SeSystemProfilePrivilege)
Remove computer from docking station (SeUndockPrivilege)

Replace a process level token (SeAssignPrimaryTokenPrivilege)

Restore files and directories (SeRestorePrivilege)

Shut down the system (SeShutdownPrivilege)

Synchronize directory service data (SeSynchAgentPrivilege)
Take ownership of files or other objects (SeTakeOwnershipPrivilege)

Security Options
Accounts: Administrator account status

Accounts: Guest account status

Accounts: Limit local account use of blank passwords to console logon only

Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege)

[Cell H60] Not available in Windows XP
Page 4: Windows Default Security and Services Configuration

Accounts: Rename administrator account

Accounts: Rename guest account

Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit: Shut down system immediately if unable to log security audits
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL)
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL)
Devices: Allow undock without having to log on
Devices: Allowed to format and eject removable media
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Devices: Unsigned driver installation behavior

Domain controller: Allow server operators to schedule tasks
Domain controller: LDAP server signing requirements
Domain controller: Refuse machine account password changes
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age
Domain member: Require strong (Windows 2000 or later) session key

Interactive logon: Display user information when the session is locked

Interactive logon: Do not display last user name

Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on

Interactive logon: Prompt user to change password before expiration
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Require smart card

Interactive logon: Smart card removal behavior

Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Digitally sign communications (always)

Interactive logon: Number of previous logons to cache (in case domain controller is not available)

[Cell H111] Not available in Windows XP
Page 5: Windows Default Security and Services Configuration

Microsoft network server: Digitally sign communications (if client agrees)

Microsoft network server: Disconnect clients when logon hours expire
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares

Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously

Network access: Remotely accessible registry paths

Network access: Do not allow storage of credentials or .NET Passports for network authentication

Page 6: Windows Default Security and Services Configuration

Network access: Remotely accessible registry paths and subpaths

Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts

Network security: Do not store LAN Manager hash value on next password change
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level

Network security: LDAP client signing requirements

Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Shutdown: Allow system to be shut down without having to log on

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

[Cell H128] Not available in Windows XP
Page 7: Windows Default Security and Services Configuration

Shutdown: Clear virtual memory pagefile

System cryptography: Force strong key protection for user keys stored on the computer
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

System objects: Default owner for objects created by members of the Administrators group

System objects: Require case insensitivity for non-Windows subsystems

System settings: Optional subsystems

MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)

MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes

MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended)
MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended)

MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)

MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)

System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)

System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies

MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments)
MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments)
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)

MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)

MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds (300,000 is recommended)

MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)

MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)

Page 8: Windows Default Security and Services Configuration

(ActiveX Signed Controls) RunInvalidSignatures

(RPC Endpoint Mapper) EnableAuthEpResolution

(RPC Endpoint Mapper) RestrictRemoteClients

(WebDAV Redirector) DisableBasicOverClearChannel

(WebDAV Redirector) UseBasicAuth

Event Log
Settings for Event Logs

Maximum application log size
Maximum security log size
Maximum system log size
Restrict guest access to application log
Restrict guest access to security log
Restrict guest access to system log
Retain application log
Retain security log
Retain system log
Retention method for application log

Retention method for security log

Retention method for system log

Restricted Groups
System Services - See next worksheet, System Services
Registry
File System
Public Key Policies

Encrypted Data Recovery Agents
Automatic Certificate Request Settings
Trusted Root Certification Authorities
Enterprise Trust

IP Security Policies on Active Directory
Client (Respond Only)
Secure Server (Require Security)
Server (Request Security)

MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged

MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning

[Cell H187] Kurt Dillard: All of the remaining group policy settings in this worksheet are not defined by default, however they are included as a convenience to you in case you would like to use this workbook as a template for documenting group policy designs and settings within your organization.
Page 9: Windows Default Security and Services Configuration

Administrative Templates
Windows Components

NetMeeting
Disable remote Desktop Sharing

Internet Explorer
Internet Control Panel

Security Zones: Use only machine settings
Security Zones: Do not allow users to change policies
Security Zones: Do not allow users to add/delete sites
Make proxy settings per-machine (rather than per-user)
Disable Automatic Install of Internet Explorer components
Disable Periodic Check for Internet Explorer software updates
Disable software update shell notifications on program launch
Turn off Crash Detection
Do not allow users to enable or disable add-ons
Allow software to run or install even if the signature is invalid
Allow active content from CDs to run on user machines
Allow third-party browser extensions (only under Windows 2003)
Check for server certificate revocation (only under Windows 2003)
Do not save encrypted pages to disk (only under Windows 2003)
Empty Temporary Internet Files folder when browser is closed (only under Windows 2003)

Security Features
Security Page
Advanced Page

Binary Behavior Security Restriction
Internet Explorer Processes
Process List
All Processes
Admin-approved behaviors

MK Protocol Security Restriction
Internet Explorer Processes
Process List
All Processes

Local Machine Zone Lockdown Security
Internet Explorer Processes
Process List
All Processes

Consistent MIME Handling
Internet Explorer Processes
Process List
All Processes

MIME Sniffing Safety Features
Internet Explorer Processes
Process List
All Processes

Protection From Zone Elevation
Internet Explorer Processes
Process List

Page 10: Windows Default Security and Services Configuration

All Processes
Restrict ActiveX Install

Internet Explorer Processes
Process List
All Processes

Restrict File Download
Internet Explorer Processes
Process List
All Processes

Add-on Management
Internet Explorer Processes
Process List
All Processes

Network Protocol Lockdown
Internet Explorer Processes
Process List
All Processes

Restricted Protocols per Security Zone
Internet Information Services

Prevent IIS installation
Terminal Services

Deny log off of an administrator logged in to the console session
Do not allow local administrators to customize permissions
Sets rules for remote control of Terminal Services user sessions

Client/Server data redirection
Allow Time Zone Redirection
Do not allow clipboard redirection
Allow audio redirection
Do not allow COM port redirection
Do not allow client printer redirection
Do not allow LPT port redirection
Do not allow drive redirection
Do not set default client printer to be default printer in a session

Encryption and Security
Always prompt client for password upon connection
Set client connection encryption level

RPC Security Policy
Secure Server (Require Security)

Sessions
Set time limit for disconnected sessions
Allow reconnection from original client only

Windows Explorer
Turn off shell protected mode

Windows Messenger
Do not allow Windows Messenger to be run

Windows Update
Configure Automatic Updates
Specify intranet Microsoft update service location

Page 11: Windows Default Security and Services Configuration

Reschedule Automatic Updates scheduled installations
No auto-restart for scheduled Automatic Updates installations

System
Display Shutdown Event Tracker
Specify Windows installation file location
Specify Windows Service Pack installation file location
Remove Boot / Shutdown / Logon / Logoff status messages
Verbose vs normal status messages
Restrict these programs from being launched from Help
Turn off Autoplay
Do not automatically encrypt files moved to encrypted folders
Download missing COM components

User Profiles
Do not check for user ownership of Roaming Profile Folders
Delete cached copies of roaming profiles
Do not detect slow network connections
Slow network connection timeout for user profiles
Wait for remote user profile
Prompt user when slow link is detected
Timeout for dialog boxes
Log users off when roaming profile fails
Maximum retries to unload and update user profile
Add the Administrators security group to roaming user profiles
Prevent Roaming Profile changes from propagating to the server
Only allow local user profiles

Scripts
Turn off autoplay

Logon
Don't display the Getting Started welcome screen at logon
Do not process the run once list
Do not process the legacy run list

Group Policy
Registry policy processing
Internet Explorer Maintenance policy processing
Security policy processing
IP Security policy processing

Remote Assistance
Solicited Remote Assistance
Offer Remote Assistance

Error Reporting
Display Error Notification
Report Errors

Distributed COM
Application Compatibility Settings

Allow local activation security check exemptions
Define Activation Security Check exemptions

User Configuration

Page 12: Windows Default Security and Services Configuration

Administrative Templates
Windows Components

Internet Explorer
Disable Changing Advanced page settings
Disable Internet Connection Wizard
Disable Changing Connection Settings
Disable Changing Proxy Settings
Disable Changing Automatic Configuration Se
Disable Changing Certificate Settings
Do not allow AutoComplete to save passwords
Configure Outlook Express

Internet Control Panel
Disable the Security Page
Disable the Advanced Page

Offline Pages
Disable adding channels
Disable removing channels
Disable adding schedules for offline pages
Disable editing schedules for offline pages
Disable removing schedules for offline pages
Disable offline page hit logging
Disable all scheduled offline pages
Disable channel user interface completely
Disable downloading of site subscription content
Disable editing and creating of schedule groups

Browser menus
Disable Save this program to disk option

Persistence Behavior
File size limits for the Local Machine zone
File size limits for the Intranet zone
File size limits for the Trusted Sites zone
File size limits for the Internet zone
File size limits for the Restricted Sites zone

Attachment Manager
Default risk level for file attachments
Inclusion list for high risk file types
Inclusion list for moderate risk file types
Inclusion list for low file types
Trust logic for file attachments
Do not preserve zone information in file attachments
Hide mechanisms to remove zone information
Notify antivirus programs when opening attachments

Windows Explorer
Remove Security tab
Remove CD Burning features

Control Panel
Display

Hide Screen Saver tab

Page 13: Windows Default Security and Services Configuration

Screen Saver
Screen Saver executable name
Password protect the screen saver
Screen Saver timeout

System
Prevent access to registry editing tools

Power Management
Prompt for password on resume from hibernate / suspend

Page 14: Windows Default Security and Services Configuration

Default values for Account Policies and Audit Policy, one row per setting; the columns are the five worksheet columns: Default Domain Policy, Default Domain Controller Policy, Stand-Alone Server Default Settings, DC Effective Default Settings, Member Server Effective Default Settings.

Setting | Default Domain Policy | Default Domain Controller Policy | Stand-Alone Server Default Settings | DC Effective Default Settings | Member Server Effective Default Settings
Enforce password history | 24 passwords remembered | Not defined | 0 passwords remembered | 24 passwords remembered | 24 passwords remembered
Maximum password age | 42 days | Not defined | 42 days | 42 days | 42 days
Minimum password age | 1 day | Not defined | 0 days | 1 day | 1 day
Minimum password length | 7 characters | Not defined | 0 characters | 7 characters | 7 characters
Passwords must meet complexity requirements | Enabled | Not defined | Disabled | Enabled | Enabled
Store password using reversible encryption for all users in the domain | Disabled | Not defined | Disabled | Disabled | Disabled
Account lockout duration | Not defined | Not defined | Not applicable | Not defined | Not defined
Account lockout threshold | 0 invalid login attempts | Not defined | 0 invalid login attempts | 0 invalid login attempts | 0 invalid login attempts
Reset account lockout counter after | Not defined | Not defined | Not applicable | Not defined | Not defined
Enforce user logon restrictions | Enabled | Not defined | Not applicable | Enabled | Not applicable
Maximum lifetime for service ticket | 600 minutes | Not defined | Not applicable | 600 minutes | Not applicable
Maximum lifetime for user ticket | 10 hours | Not defined | Not applicable | 10 hours | Not applicable
Maximum lifetime for user ticket renewal | 7 days | Not defined | Not applicable | 7 days | Not applicable
Maximum tolerance for computer clock synchronization | 5 minutes | Not defined | Not applicable | 5 minutes | Not applicable
Audit account logon events | Not defined | Success | Success | Success | Success
Audit account management | Not defined | Success | No auditing | Success | No auditing
Audit directory service access | Not defined | Success | No auditing | Success | No auditing
Audit logon events | Not defined | Success | Success | Success | Success
Audit object access | Not defined | No auditing | No auditing | No auditing | No auditing
Audit policy change | Not defined | Success | No auditing | Success | No auditing
Audit privilege use | Not defined | No auditing | No auditing | No auditing | No auditing
Audit process tracking | Not defined | No auditing | No auditing | No auditing | No auditing
Audit system events | Not defined | Success | No auditing | Success | No auditing

Page 15: Windows Default Security and Services Configuration

Not defined

Not defined No one Not defined No one Not defined
Not defined Not defined Not defined

Not defined

Not defined

Not defined Not defined Administrators

Not defined

Not defined

Not defined

Not defined Administrators Administrators Administrators Administrators

Not defined No one Not defined No one Not defined
Not defined Not defined

Not defined No one Not defined No one Not defined

Not defined Administrators Administrators Administrators Administrators

Not defined

Everyone, Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS, Pre-Windows 2000 Compatible Access

Everyone, Administrators, Users, Power Users, Backup Operators

Everyone, Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS, Pre-Windows 2000 Compatible Access

Backup Operators, Power Users, Users, Administrators, Everyone

Authenticated Users

Authenticated Users

LOCAL SERVICE, NETWORK SERVICE, Administrators

LOCAL SERVICE, NETWORK SERVICE, Administrators

LOCAL SERVICE, NETWORK SERVICE, Administrators

Administrators, NETWORK SERVICE, LOCAL SERVICE

Administrators, Backup Operators, Account Operators, Server Operators, Print Operators

Administrators, Users, Power Users, Backup Operators

Administrators, Backup Operators, Account Operators, Server Operators, Print Operators

Backup Operators, Power Users, Users, Administrators

Administrators, Remote Desktop Users

Remote Desktop Users, Administrators

Administrators, Backup Operators, Server Operators

Administrators, Backup Operators

Administrators, Backup Operators, Server Operators

Backup Operators, Administrators

Everyone, Administrators, Authenticated Users, Pre-Windows 2000 Compatible Access

Everyone, Administrators, Users, Power Users, Backup Operators

Everyone, Administrators, Authenticated Users, Pre-Windows 2000 Compatible Access

Backup Operators, Power Users, Users, Administrators, Everyone

Administrators, Server Operators

Administrators, Power Users

Administrators, Server Operators

Power Users, Administrators

Administrators, SERVICE

SERVICE, Administrators

SERVICE, Administrators

SUPPORT_388945a0

SUPPORT_388945a0

SUPPORT_388945a0

SUPPORT_388945a0

Page 16: Windows Default Security and Services Configuration

Not defined No one Not defined No one Not defined
Not defined No one Not defined No one Not defined
Not defined

Not defined Not defined Not defined Not defined Not defined
Not defined Administrators Not defined Administrators Not defined

Not defined Administrators Administrators

Not defined

Not defined

Not defined Administrators Administrators Administrators Administrators
Not defined Administrators Administrators

Not defined No one Not defined No one Not defined
Not defined

Not defined

Not defined Administrators Administrators Administrators Administrators
Not defined Administrators Administrators Administrators Administrators
Not defined Not defined Administrators Administrators Administrators
Not defined Administrators Administrators

Not defined Administrators Administrators Administrators Administrators
Not defined Administrators Administrators

Not defined

Not defined

Not defined

Not defined No one Not defined No one Not defined
Not defined Administrators Administrators Administrators Administrators

Not defined Not defined Enabled Enabled Enabled

Not defined Not defined Disabled Disabled Disabled

Not defined Not defined Enabled Enabled Enabled

SUPPORT_388945a0

SUPPORT_388945a0

SUPPORT_388945a0

SUPPORT_388945a0

Administrators, Server Operators

Administrators, Server Operators

LOCAL SERVICE, NETWORK SERVICE

LOCAL SERVICE, NETWORK SERVICE

LOCAL SERVICE, NETWORK SERVICE

NETWORK SERVICE, LOCAL SERVICE

Administrators, SERVICE

Administrators, SERVICE

SERVICE, Administrators

SERVICE, Administrators

Administrators, Print Operators

Administrators, Print Operators

LOCAL SERVICE, SUPPORT_388945a0

LOCAL SERVICE, SUPPORT_388945a0

LOCAL SERVICE, SUPPORT_388945a0

SUPPORT_388945a0, LOCAL SERVICE

NETWORK SERVICE

NETWORK SERVICE

NETWORK SERVICE

NETWORK SERVICE

Administrators, Power Users

Power Users, Administrators

Administrators, Power Users

Power Users, Administrators

LOCAL SERVICE, NETWORK SERVICE

LOCAL SERVICE, NETWORK SERVICE

LOCAL SERVICE, NETWORK SERVICE

NETWORK SERVICE, LOCAL SERVICE

Administrators, Backup Operators, Server Operators

Administrators, Backup Operators

Administrators, Backup Operators, Server Operators

Backup Operators, Administrators

Administrators, Backup Operators, Server Operators, Print Operators

Administrators, Power Users, Backup Operators, Users

Administrators, Backup Operators, Server Operators, Print Operators

Backup Operators, Power Users, Administrators, Users

Page 17: Windows Default Security and Services Configuration

Not defined Not defined Administrator Administrator Administrator

Not defined Not defined Guest Guest Guest

Not defined Not defined Disabled Disabled Disabled
Not defined Not defined Disabled Disabled Disabled
Not defined Not defined Disabled Disabled Disabled
Not defined Not defined Not defined Not defined Not defined
Not defined Not defined Not defined Not defined Not defined
Not defined Not defined Enabled Enabled Enabled
Not defined Not defined Administrators Administrators Administrators
Not defined Not defined Enabled Enabled Enabled
Not defined Not defined Disabled Disabled Disabled
Not defined Not defined Disabled Disabled Disabled
Not defined Not defined

Not defined Not defined Not defined Not defined Not defined
Not defined None Not defined None Not defined
Not defined Not defined Not defined Not defined Not defined
Not defined Enabled Enabled Enabled Enabled
Not defined Not defined Enabled Enabled Enabled
Not defined Not defined Enabled Enabled Enabled
Not defined Not defined Disabled Disabled Disabled
Not defined Not defined 30 days 30 days 30 days
Not defined Not defined Disabled Disabled Disabled

Not defined Not defined Not defined Not defined Not defined

Not defined Not defined Disabled Disabled Disabled

Not defined Not defined Disabled Disabled Disabled
Not defined Not defined Not defined Not defined Not defined
Not defined Not defined Not defined Not defined Not defined
Not defined Not defined 10 logons 10 logons 10 logons

Not defined Not defined 14 days 14 days 14 days
Not defined Not defined Disabled Disabled Disabled
Not defined Not defined Disabled Disabled Disabled

Not defined Not defined No Action No Action No Action

Not defined Not defined Disabled Disabled Disabled
Not defined Not defined Enabled Enabled Enabled
Not defined Not defined Disabled Disabled Disabled
Not defined Not defined 15 minutes 15 minutes 15 minutes
Not defined Enabled Enabled Enabled Enabled

Warn but allow installation

Warn but allow installation

Warn but allow installation

Page 18: Windows Default Security and Services Configuration

Not defined Enabled Enabled Enabled Enabled

Not defined Not defined Enabled Enabled Enabled
Not defined Not defined Disabled Enabled Disabled
Not defined Not defined Enabled Enabled Enabled
Not defined Not defined Disabled Disabled Disabled
Not defined Not defined Disabled Disabled Disabled

Not defined Not defined Disabled Disabled Disabled
Not defined Not defined

Not defined Not defined

COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, TrkSvr

COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, TrkSvr

COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, TrkSvr

System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\

System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\

System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\

Page 19: Windows Default Security and Services Configuration

Not defined Not defined

Not defined Not defined Enabled Enabled Enabled
Not defined Not defined COMCFG,DFS$ COMCFG,DFS$ COMCFG,DFS$
Not defined Not defined

Not defined Not defined Disabled Disabled Disabled
Disabled Not defined Disabled Disabled Disabled
Not defined

Not defined Not defined Negotiate signing Negotiate signing Negotiate signing
Not defined Not defined No minimum No minimum No minimum

Not defined Not defined No minimum No minimum No minimum

Not defined Not defined Disabled Disabled Disabled
Not defined Not defined Disabled Disabled Disabled
Not defined Not defined Disabled Disabled Disabled

System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib, System\CurrentControlSet\Services\SysmonLog

System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib, System\CurrentControlSet\Services\SysmonLog

System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib, System\CurrentControlSet\Services\SysmonLog

Classic - local users authenticate as themselves

Classic - local users authenticate as themselves

Classic - local users authenticate as themselves

Send NTLM response only

Send NTLM response only

Send NTLM response only

Send NTLM response only

Page 20: Windows Default Security and Services Configuration

Not defined Not defined Disabled Disabled Disabled

Not defined Not defined Not defined Not defined Not defined
Not defined Not defined Disabled Disabled Disabled

Not defined Not defined

Not defined Not defined Enabled Enabled Enabled
Not defined Not defined Enabled Enabled Enabled

Not defined Not defined Posix Posix Posix

Not defined Not defined Disabled Disabled Disabled

Not defined Not defined Disabled Disabled Disabled
Not defined Not defined Enabled Enabled Enabled

Not defined Not defined Enabled Enabled Enabled

Not defined Not defined

Not defined Not defined Disabled Disabled Disabled

Not defined Not defined Enabled Enabled Enabled

Not defined Not defined Enabled Enabled Enabled

Not defined Not defined Disabled Disabled Disabled

Not defined Not defined 7200000 7200000 7200000

Not defined Not defined Enabled Enabled Enabled
Not defined Not defined Disabled Disabled Disabled
Not defined Not defined Enabled Enabled Enabled

Not defined Not defined Disabled Disabled Disabled

Not defined Not defined

Not defined Not defined Enabled Enabled Enabled
Not defined Not defined 5 5 5

Not defined Not defined Enabled Enabled Enabled

Administrators group (same value in all three columns)

Medium, source routed packets are ignored when IP forwarding is enabled (same value in all three columns)

2 (enable only if DHCP sends the Perform Router Discovery option) (same value in all three columns)

Not defined | Not defined
Not defined | Not defined | 5 | 5 | 5
Not defined | Not defined | 0 (not configured) | 0 (not configured) | 0 (not configured)
Not defined | Not defined | Disabled | Disabled | Disabled
Not defined | Not defined | Disabled | Disabled | Disabled
Not defined | Not defined | 0 | 0 | 0
Not defined | Not defined | 0 (Disabled) | 0 (Disabled) | 0 (Disabled)
Not defined | Not defined | 0 (Disabled) | 0 (Disabled) | 0 (Disabled)
Not defined | Not defined | 16384 KB | 16384 KB | 16384 KB
Not defined | Not defined | 16384 KB | 131072 KB | 16384 KB
Not defined | Not defined | 16384 KB | 16384 KB | 16384 KB
Not defined | Not defined | Not defined | Enabled | Enabled
Not defined | Not defined | Not defined | Enabled | Enabled
Not defined | Not defined | Not defined | Enabled | Enabled
Not defined | Not defined | Not defined | Not defined | Not defined
Not defined | Not defined | Not defined | Not defined | Not defined
Not defined | Not defined | Not defined | Not defined | Not defined
Not defined | Not defined
Not defined | Not defined
Not defined | Not defined

2 (3 & 6 seconds, half-open connections dropped after 21 seconds) (same value in all three columns)

Overwrite as needed (same value in every column, nine cells)

Not configured (the same value is repeated for every remaining setting on these pages)

Full Service Name | Service Name | DC Startup Type | Member Server Startup Type | Stand-Alone Server Startup Type | Logon As
--- | --- | --- | --- | --- | ---
Alerter | Alerter | Disabled | Disabled | Disabled | Local Service
Application Experience Lookup Service | AELookupSvc | Automatic | Automatic | Automatic | Local System
Application Layer Gateway Service | ALG | Manual | Manual | Manual | Local Service
Application Management | AppMgmt | Manual | Manual | Manual | Local System
ASP .NET State Service | aspnet_state | Not installed | Not installed | Not installed |
Automatic Updates | wuauserv | Automatic | Automatic | Automatic | Local System
Background Intelligent Transfer Service | BITS | Manual | Manual | Manual | Local System
Certificate Services | CertSvc | Not installed | Not installed | Not installed |
Client Service for NetWare | NWCWorkstation | Not installed | Not installed | Not installed |
ClipBook | ClipSrv | Disabled | Disabled | Disabled | Local System
Cluster Service | ClusSvc | Not installed | Not installed | Not installed |
COM+ Event System | EventSystem | Manual | Manual | Manual | Local System
COM+ System Application | COMSysApp | Manual | Manual | Manual | Local System
Computer Browser | Browser | Automatic | Automatic | Automatic | Local System
Cryptographic Services | CryptSvc | Automatic | Automatic | Automatic | Local System
DCOM Server Process Launcher | DcomLaunch | Automatic | Automatic | Automatic | Local System
DHCP Client | Dhcp | Automatic | Automatic | Automatic | Network Service
DHCP Server | DHCPServer | Automatic | Not installed | Not installed | Local System
Distributed File System | Dfs | Automatic | Automatic | Automatic | Local System
Distributed Link Tracking Client | TrkWks | Automatic | Automatic | Automatic | Local System
Distributed Link Tracking Server | TrkSvr | Disabled | Disabled | Disabled | Network Service
Distributed Transaction Coordinator | MSDTC | Automatic | Automatic | Automatic | Network Service
DNS Client | Dnscache | Automatic | Automatic | Automatic | Local System
DNS Server | DNS | Automatic | Not installed | Not installed | Local System
Error Reporting Service | ERSvc | Automatic | Automatic | Automatic | Local System
Event Log | Eventlog | Automatic | Automatic | Automatic | Local System
Fax Service | Fax | Not installed | Not installed | Not installed |
File Replication | NtFrs | Automatic | Manual | Manual | Local System
File Server for Macintosh | MacFile | Not installed | Not installed | Not installed |
FTP Publishing Service | MSFtpsvc | Not installed | Not installed | Not installed |
Help and Support | helpsvc | Automatic | Automatic | Automatic | Local System
HTTP SSL | HTTPFilter | Manual | Manual | Manual | Local System
Human Interface Device Access | HidServ | Disabled | Disabled | Disabled | Local System
IAS Jet Database Access | IASJet | Not installed | Not installed | Not installed |
IIS Admin Service | IISADMIN | Not installed | Not installed | Not installed |
IMAPI CD-Burning COM Service | ImapiService | Disabled | Disabled | Disabled | Local System
Indexing Service | cisvc | Disabled | Disabled | Disabled | Local System
Infrared Monitor | Irmon | Not installed | Not installed | Not installed |
Internet Authentication Service | IAS | Not installed | Not installed | Not installed |
Intersite Messaging | IsmServ | Automatic | Disabled | Disabled | Local System
IP Version 6 Helper Service | 6to4 | Not installed | Not installed | Not installed |
IPSec Policy Agent (IPSec Service) | PolicyAgent | Automatic | Automatic | Automatic | Local System
Kerberos Key Distribution Center | Kdc | Automatic | Disabled | Disabled | Local System
License Logging Service | LicenseService | Disabled | Disabled | Disabled | Network Service
Logical Disk Manager | dmserver | Automatic | Automatic | Automatic | Local System
Logical Disk Manager Administrative Service | dmadmin | Manual | Manual | Manual | Local System
Machine Debug Manager | MDM | Not installed | Not installed | Not installed |
Message Queuing | msmq | Not installed | Not installed | Not installed |
Message Queuing Down Level Clients | mqds | Not installed | Not installed | Not installed |
Message Queuing Triggers | Mqtgsvc | Not installed | Not installed | Not installed |
Messenger | Messenger | Disabled | Disabled | Disabled | Local System
Microsoft POP3 Service | POP3SVC | Not installed | Not installed | Not installed |
Microsoft Software Shadow Copy Provider | SwPrv | Manual | Manual | Manual | Local System
MSSQL$UDDI | MSSQL$UDDI | Not installed | Not installed | Not installed |
MSSQLServerADHelper | MSSQLServerADHelper | Not installed | Not installed | Not installed |
.NET Framework Support Service | CORRTSvc | Not installed | Not installed | Not installed |
Netlogon | Netlogon | Automatic | Automatic | Manual | Local System
NetMeeting Remote Desktop Sharing | mnmsrvc | Disabled | Disabled | Disabled | Local System
Network Connections | Netman | Manual | Manual | Manual | Local System
Network DDE | NetDDE | Disabled | Disabled | Disabled | Local System
Network DDE DSDM | NetDDEdsdm | Disabled | Disabled | Disabled | Local System
Network Location Awareness (NLA) | NLA | Manual | Manual | Manual | Local System
Network Provisioning Service | xmlprov | Manual | Manual | Manual | Local System
Network News Transfer Protocol (NNTP) | NntpSvc | Not installed | Not installed | Not installed |
NTLM Security Support Provider | NtLmSsp | Manual | Manual | Manual | Local System
Performance Logs and Alerts | SysmonLog | Manual | Manual | Manual | Network Service
Plug and Play | PlugPlay | Automatic | Automatic | Automatic | Local System
Portable Media Serial Number | WmdmPmSN | Manual | Manual | Manual | Local System
Print Server for Macintosh | MacPrint | Not installed | Not installed | Not installed |
Print Spooler | Spooler | Automatic | Automatic | Automatic | Local System
Protected Storage | ProtectedStorage | Automatic | Automatic | Automatic | Local System
QoS RSVP Service | RSVP | Not installed | Not installed | Not installed |
Remote Access Auto Connection Manager | RasAuto | Manual | Manual | Manual | Local System
Remote Access Connection Manager | RasMan | Manual | Manual | Manual | Local System
Remote Administration Service | SrvcSurg | Not installed | Not installed | Not installed |
Remote Desktop Help Session Manager | RDSessMgr | Manual | Manual | Manual | Local System
Remote Installation | BINLSVC | Not installed | Not installed | Not installed |
Remote Procedure Call (RPC) | RpcSs | Automatic | Automatic | Automatic | Local System
Remote Procedure Call (RPC) Locator | RpcLocator | Automatic | Manual | Manual | Network Service
Remote Registry Service | RemoteRegistry | Automatic | Automatic | Automatic | Local Service
Remote Server Manager | AppMgr | Not installed | Not installed | Not installed |
Remote Server Monitor | Appmon | Not installed | Not installed | Not installed |
Remote Storage Notification | Remote_Storage_User_Link | Not installed | Not installed | Not installed |
Remote Storage Server | Remote_Storage_Server | Not installed | Not installed | Not installed |
Removable Storage | NtmsSvc | Manual | Manual | Manual | Local System
Resultant Set of Policy Provider | RSoPProv | Manual | Manual | Manual | Local System
Routing and Remote Access | RemoteAccess | Disabled | Disabled | Disabled | Local System
SAP Agent | nwsapagent | Not installed | Not installed | Not installed |
Secondary Logon | seclogon | Automatic | Automatic | Automatic | Local System
Security Accounts Manager | SamSs | Automatic | Automatic | Automatic | Local System
Server | lanmanserver | Automatic | Automatic | Automatic | Local System
Shell Hardware Detection | ShellHWDetection | Automatic | Automatic | Automatic | Local System
Simple Mail Transport Protocol (SMTP) | SMTPSVC | Not installed | Not installed | Not installed |
Simple TCP/IP Services | SimpTcp | Not installed | Not installed | Not installed |
Single Instance Storage Groveler | Groveler | Not installed | Not installed | Not installed |
Smart Card | SCardSvr | Manual | Manual | Manual | Local Service
SNMP Service | SNMP | Not installed | Not installed | Not installed |
SNMP Trap Service | SNMPTRAP | Not installed | Not installed | Not installed |
Special Administration Console Helper | Sacsvr | Manual | Manual | Manual | Local System
SQLAgent$* (* UDDI or WebDB) | SQLAgent$WEBDB | Not installed | Not installed | Not installed |
System Event Notification | SENS | Automatic | Automatic | Automatic | Local System
Task Scheduler | Schedule | Automatic | Automatic | Automatic | Local System
TCP/IP NetBIOS Helper Service | LMHosts | Automatic | Automatic | Automatic | Local Service
TCP/IP Print Server | LPDSVC | Not installed | Not installed | Not installed |
Telephony | TapiSrv | Manual | Manual | Manual | Local System
Telnet | TlntSvr | Disabled | Disabled | Disabled | Local System
Terminal Services | TermService | Manual | Manual | Manual | Local System
Terminal Services Licensing | TermServLicensing | Not installed | Not installed | Not installed |
Terminal Services Session Directory | Tssdis | Disabled | Disabled | Disabled | Local System
Themes | Themes | Disabled | Disabled | Disabled | Local System
Trivial FTP Daemon | tftpd | Not installed | Not installed | Not installed |
Uninterruptible Power Supply | UPS | Manual | Manual | Manual | Local Service
Upload Manager | Uploadmgr | Manual | Manual | Manual | Local System
Virtual Disk Service | VDS | Manual | Manual | Manual | Local System
Volume Shadow Copy | VSS | Manual | Manual | Manual | Local System
WebClient | WebClient | Disabled | Disabled | Disabled | Local Service
Web Element Manager | elementmgr | Not installed | Not installed | Not installed |
Windows Audio | AudioSrv | Disabled | Disabled | Disabled | Local System
Windows Firewall (WF)/Internet Connection Sharing (ICS) | SharedAccess | Disabled | Disabled | Disabled | Local System
Windows Image Acquisition (WIA) | StiSvc | Disabled | Disabled | Disabled | Local Service
Windows Installer | MSIServer | Manual | Manual | Manual | Local System
Windows Internet Name Service (WINS) | WINS | Not installed | Not installed | Not installed |
Windows Management Instrumentation | winmgmt | Automatic | Automatic | Automatic | Local System
Windows Management Instrumentation Driver Extensions | Wmi | Manual | Manual | Manual | Local System
Windows Media Services | WMServer | Not installed | Not installed | Not installed |
Windows System Resource Manager | WindowsSystemResourceManager | Not installed | Not installed | Not installed |
Windows Time | W32Time | Automatic | Automatic | Automatic | Local System
WinHTTP Web Proxy Auto-Discovery Service | WinHttpAutoProxySvc | Manual | Manual | Manual | Local Service
Wireless Configuration | WZCSVC | Automatic | Automatic | Automatic | Local System
WMI Performance Adapter | WmiApSrv | Manual | Manual | Manual | Local System
Workstation | lanmanworkstation | Automatic | Automatic | Automatic | Local System
World Wide Web Publishing Service | W3SVC | Not installed | Not installed | Not installed |
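The following PowerShell script is an added example and is not part of the original workbook. It queries the local machine's services through WMI and reports where the start mode or logon account differs from the Member Server Startup Type and Logon As columns of the table above. The expected values are copied from that table; the short list of services checked is my own selection, and Win32_Service's StartMode and StartName are the real WMI property names.

```powershell
# Added example: audit a host's services against the Member Server defaults tabulated above.
# Expected values come from the table; the services chosen for the sample baseline are mine.
$Baseline = @(
    @{ Name = 'Alerter';        Start = 'Disabled';  LogonAs = 'Local Service' },
    @{ Name = 'Browser';        Start = 'Automatic'; LogonAs = 'Local System'  },
    @{ Name = 'Messenger';      Start = 'Disabled';  LogonAs = 'Local System'  },
    @{ Name = 'RemoteRegistry'; Start = 'Automatic'; LogonAs = 'Local Service' },
    @{ Name = 'SharedAccess';   Start = 'Disabled';  LogonAs = 'Local System'  },
    @{ Name = 'Spooler';        Start = 'Automatic'; LogonAs = 'Local System'  },
    @{ Name = 'TlntSvr';        Start = 'Disabled';  LogonAs = 'Local System'  },
    @{ Name = 'WebClient';      Start = 'Disabled';  LogonAs = 'Local Service' }
)

# Map the workbook's wording onto the strings Win32_Service actually returns.
$StartMap = @{ 'Automatic' = 'Auto'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }
$LogonMap = @{
    'Local System'    = 'LocalSystem'
    'Local Service'   = 'NT AUTHORITY\LocalService'
    'Network Service' = 'NT AUTHORITY\NetworkService'
}

function Compare-ServiceBaseline {
    param([Parameter(Mandatory)][array]$Baseline)

    # One query for all services, indexed by short name (Get-WmiObject works the same on old hosts).
    $installed = @{}
    foreach ($s in Get-CimInstance -ClassName Win32_Service) { $installed[$s.Name] = $s }

    foreach ($row in $Baseline) {
        $svc = $installed[$row.Name]
        if (-not $svc) {
            # A service missing from the box is flagged for review rather than silently passed.
            [pscustomobject]@{
                Service = $row.Name; ExpectedStart = $row.Start; ActualStart = 'Not installed'
                ExpectedLogon = $row.LogonAs; ActualLogon = $null; Drift = $true
            }
            continue
        }
        # PowerShell's -ne is case-insensitive, which is what we want for account names.
        $drift = ($svc.StartMode -ne $StartMap[$row.Start]) -or ($svc.StartName -ne $LogonMap[$row.LogonAs])
        [pscustomobject]@{
            Service = $row.Name; ExpectedStart = $row.Start; ActualStart = $svc.StartMode
            ExpectedLogon = $row.LogonAs; ActualLogon = $svc.StartName; Drift = $drift
        }
    }
}

Compare-ServiceBaseline -Baseline $Baseline |
    Sort-Object Drift -Descending |
    Format-Table -AutoSize
```

On current Windows releases several of these services (Alerter, Messenger, Telnet) no longer exist and show up as Not installed; the point of the check is the remaining rows, in particular a service that was Disabled in the baseline now set to Auto, or one running as LocalSystem where the table says Local Service.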

Policy setting as it appears in the Group Policy Editor of Windows XP

Computer Configuration
Software Settings
Software installation
Windows Settings
Scripts (Startup/Shutdown)
Security Settings
Account Policies
Password Policy
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Passwords must meet complexity requirements
Store password using reversible encryption for all users in the domain
Account Lockout Policy
Account lockout duration
Account lockout threshold
Reset account lockout counter after
Kerberos Policy
Enforce user logon restrictions
Maximum lifetime for service ticket
Maximum lifetime for user ticket
Maximum lifetime for user ticket renewal
Maximum tolerance for computer clock synchronization
Local Policies
Audit Policy
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
User Rights Assignment
Access this computer from the network (SeNetworkLogonRight)
Act as part of the operating system (SeTcbPrivilege)
Add workstations to domain (SeMachineAccountPrivilege)

H37
Kurt Dillard: The user rights below are followed by the name used by many command line tools. This information was provided as a reference for your convenience.
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
Allow log on through Terminal Services (SeRemoteInteractiveLogonRight)
Back up files and directories (SeBackupPrivilege)
Bypass traverse checking (SeChangeNotifyPrivilege)
Change the system time (SeSystemTimePrivilege)
Create a pagefile (SeCreatePagefilePrivilege)
Create a token object (SeCreateTokenPrivilege)
Create global objects (SeCreateGlobalPrivilege)
Create permanent shared objects (SeCreatePermanentPrivilege)
Debug programs (SeDebugPrivilege)
Deny access to this computer from the network (SeDenyNetworkLogonRight)
Deny logon as a batch job (SeDenyBatchLogonRight)
Deny logon as a service (SeDenyServiceLogonRight)
Deny logon locally (SeDenyInteractiveLogonRight)
Deny log on through Terminal Services (SeDenyRemoteInteractiveLogonRight)
Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege)
Force shutdown from a remote system (SeRemoteShutdownPrivilege)
Generate security audits (SeAuditPrivilege)
Increase scheduling priority (SeIncreaseBasePriorityPrivilege)
Load and unload device drivers (SeLoadDriverPrivilege)
Lock pages in memory (SeLockMemoryPrivilege)
Log on as a batch job (SeBatchLogonRight)
Log on as a service (SeServiceLogonRight)
Log on locally (SeInteractiveLogonRight)
Manage auditing and security log (SeSecurityPrivilege)
Modify firmware environment values (SeSystemEnvironmentPrivilege)
Perform Volume Maintenance Tasks (SeManageVolumePrivilege)
Profile single process (SeProfileSingleProcessPrivilege)
Profile system performance (SeSystemProfilePrivilege)
Remove computer from docking station (SeUndockPrivilege)
Replace a process level token (SeAssignPrimaryTokenPrivilege)
Restore files and directories (SeRestorePrivilege)
Shut down the system (SeShutdownPrivilege)
Synchronize directory service data (SeSyncAgentPrivilege)
Take ownership of files or other objects (SeTakeOwnershipPrivilege)

Security Options
Accounts: Administrator account status
Accounts: Guest account status
Accounts: Limit local account use of blank passwords to console logon only
Accounts: Rename administrator account
Accounts: Rename guest account
Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit: Shut down system immediately if unable to log security audits
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL)
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL)
Devices: Allow undock without having to log on
Devices: Allowed to format and eject removable media
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Devices: Unsigned driver installation behavior
Domain controller: Allow server operators to schedule tasks
Domain controller: LDAP server signing requirements
Domain controller: Refuse machine account password changes
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Do not display last user name
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of credentials or .NET Passports for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network security: Do not store LAN Manager hash value on next password change
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level
Network security: LDAP client signing requirements
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Default owner for objects created by members of the Administrators group
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments)
MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments)
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended)
MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended)
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
(ActiveX Signed Controls) RunInvalidSignatures
(RPC Endpoint Mapper) EnableAuthEpResolution
(RPC Endpoint Mapper) Restrict Remote Clients
(Security Center) AntiVirusDisableNotify
(Security Center) FirewallDisableNotify
(Security Center) UpdatesDisableNotify
(StorageDevicePolicies) WriteProtect

Event Log
Settings for Event Logs
Maximum application log size
Maximum security log size
Maximum system log size
Restrict guest access to application log
Restrict guest access to security log
Restrict guest access to system log
Retain application log
Retain security log
Retain system log
Retention method for application log
Retention method for security log
Retention method for system log

Restricted Groups
System Services - See next worksheet, System Services
Registry
File System
Public Key Policies
Encrypted Data Recovery Agents
Automatic Certificate Request Settings
Trusted Root Certification Authorities
Enterprise Trust
IP Security Policies on Active Directory
Client (Respond Only)
Secure Server (Require Security)
Server (Request Security)

Administrative Templates
Windows Components
NetMeeting
Disable remote Desktop Sharing
Internet Explorer
Internet Control Panel
Security Zones: Use only machine settings
Security Zones: Do not allow users to change policies
Security Zones: Do not allow users to add/delete sites
Make proxy settings per-machine (rather than per-user)
Disable Automatic Install of Internet Explorer components
Disable Periodic Check for Internet Explorer software updates
Disable software update shell notifications on program launch
Turn off Crash Detection
Do not allow users to enable or disable add-ons
Allow software to run or install even if the signature is invalid
Allow active content from CDs to run on user machines
Security Features
Security Page
Advanced Page
Binary Behavior Security Restriction
Internet Explorer Processes
Process List
All Processes
Admin-approved behaviors
MK Protocol Security Restriction
Internet Explorer Processes
Process List
All Processes
Local Machine Zone Lockdown Security
Internet Explorer Processes
Process List

H183
Kurt Dillard: All of the remaining group policy settings in this worksheet are not defined by default, however they are included as a convenience to you in case you would like to use this workbook as a template for documenting group policy designs and settings within your organization.
All Processes
Consistent MIME Handling
Internet Explorer Processes
Process List
All Processes
MIME Sniffing Safety Features
Internet Explorer Processes
Process List
All Processes
Protection From Zone Elevation
Internet Explorer Processes
Process List
All Processes
Restrict ActiveX Install
Internet Explorer Processes
Process List
All Processes
Restrict File Download
Internet Explorer Processes
Process List
All Processes
Add-on Management
Internet Explorer Processes
Process List
All Processes
Network Protocol Lockdown
Internet Explorer Processes
Process List
All Processes
Restricted Protocols per Security Zone
Terminal Services
Deny log off of an administrator logged in to the console session
Do not allow local administrators to customize permissions
Sets rules for remote control of Terminal Services user sessions
Client/Server data redirection
Allow Time Zone Redirection
Do not allow clipboard redirection
Allow audio redirection
Do not allow COM port redirection
Do not allow client printer redirection
Do not allow LPT port redirection
Do not allow drive redirection
Do not set default client printer to be default printer in a session
Encryption and Security
Always prompt client for password upon connection
Set client connection encryption level
RPC Security Policy
Secure Server (Require Security)
Sessions
Set time limit for disconnected sessions
Allow reconnection from original client only
Windows Explorer
Turn off shell protected mode
Windows Messenger
Do not allow Windows Messenger to be run
Windows Update
Configure Automatic Updates
Specify intranet Microsoft update service location
Reschedule Automatic Updates scheduled installations
No auto-restart for scheduled Automatic Updates installations
System
Display Shutdown Event Tracker
Specify Windows installation file location
Specify Windows Service Pack installation file location
Remove Boot / Shutdown / Logon / Logoff status messages
Verbose vs normal status messages
Restrict these programs from being launched from Help
Turn off Autoplay
Do not automatically encrypt files moved to encrypted folders
Download missing COM components
User Profiles
Do not check for user ownership of Roaming Profile Folders
Delete cached copies of roaming profiles
Do not detect slow network connections
Slow network connection timeout for user profiles
Wait for remote user profile
Prompt user when slow link is detected
Timeout for dialog boxes
Log users off when roaming profile fails
Maximum retries to unload and update user profile
Add the Administrators security group to roaming user profiles
Prevent Roaming Profile changes from propagating to the server
Only allow local user profiles
Scripts
Turn off autoplay
Logon
Don't display the Getting Started welcome screen at logon
Do not process the run once list
Do not process the legacy run list
Group Policy
Registry policy processing
Internet Explorer Maintenance policy processing
Security policy processing
IP Security policy processing
Remote Assistance
Solicited Remote Assistance
Offer Remote Assistance
Error Reporting
Display Error Notification
Report Errors
Distributed COM
Application Compatibility Settings
Allow local activation security check exemptions
Define Activation Security Check exemptions

User Configuration
Administrative Templates
Windows Components
Internet Explorer
Disable Changing Advanced page settings
Disable Internet Connection Wizard
Disable Changing Connection Settings
Disable Changing Proxy Settings
Disable Changing Automatic Configuration Settings
Disable Changing Certificate Settings
Do not allow AutoComplete to save passwords
Configure Outlook Express
Internet Control Panel
Disable the Security Page
Disable the Advanced Page
Offline Pages
Disable adding channels
Disable removing channels
Disable adding schedules for offline pages
Disable editing schedules for offline pages
Disable removing schedules for offline pages
Disable offline page hit logging
Disable all scheduled offline pages
Disable channel user interface completely
Disable downloading of site subscription content
Disable editing and creating of schedule groups
Browser menus
Disable Save this program to disk option
Persistence Behavior
File size limits for the Local Machine zone
File size limits for the Intranet zone
File size limits for the Trusted Sites zone
File size limits for the Internet zone
File size limits for the Restricted Sites zone
Attachment Manager
Default risk level for file attachments
Inclusion list for high risk file types
Inclusion list for moderate risk file types
Inclusion list for low risk file types
Trust logic for file attachments
Do not preserve zone information in file attachments
Hide mechanisms to remove zone information
Notify antivirus programs when opening attachments
Windows Explorer
Remove Security tab
Remove CD Burning features
Control Panel
Display
Hide Screen Saver tab
Screen Saver
Screen Saver executable name
Password protect the screen saver
Screen Saver timeout
System
Prevent access to registry editing tools
Power Management
Prompt for password on resume from hibernate / suspend

Default values, by column: Default Domain Policy | Stand-Alone Windows XP Default Settings | Domain Member Windows XP Effective Default Settings

Account Policies / Password Policy
Enforce password history | 24 passwords remembered | 0 passwords remembered | 24 passwords remembered
Maximum password age | 42 days | 42 days | 42 days
Minimum password age | 1 days | 0 days | 1 days
Minimum password length | 7 characters | 0 characters | 7 characters
Passwords must meet complexity requirements | Enabled | Disabled | Enabled
Store password using reversible encryption for all users in the domain | Disabled | Disabled | Disabled

Account Policies / Account Lockout Policy
Account lockout duration | Not defined | Not applicable | Not defined
Account lockout threshold | 0 invalid login attempts | 0 invalid login attempts | 0 invalid login attempts
Reset account lockout counter after | Not defined | Not applicable | Not defined

Account Policies / Kerberos Policy
Enforce user logon restrictions | Enabled | Not applicable | Not applicable
Maximum lifetime for service ticket | 600 minutes | Not applicable | Not applicable
Maximum lifetime for user ticket | 10 hours | Not applicable | Not applicable
Maximum lifetime for user ticket renewal | 7 days | Not applicable | Not applicable
Maximum tolerance for computer clock synchronization | 5 minutes | Not applicable | Not applicable

Local Policies / Audit Policy
Audit account logon events | Not defined | No auditing | No auditing
Audit account management | Not defined | No auditing | No auditing
Audit directory service access | Not defined | No auditing | No auditing
Audit logon events | Not defined | No auditing | No auditing
Audit object access | Not defined | No auditing | No auditing
Audit policy change | Not defined | No auditing | No auditing
Audit privilege use | Not defined | No auditing | No auditing
Audit process tracking | Not defined | No auditing | No auditing
Audit system events | Not defined | No auditing | No auditing

Local Policies / User Rights Assignment (the Default Domain Policy defines no user rights; the stand-alone and domain-member defaults are identical)
Access this computer from the network | Not defined | Everyone, Administrators, Users, Power Users, Backup Operators | Everyone, Administrators, Users, Power Users, Backup Operators
Act as part of the operating system | Not defined | Not defined | Not defined
Add workstations to domain | Not defined | Not defined | Not defined
Adjust memory quotas for a process | Not defined | LOCAL SERVICE, NETWORK SERVICE, Administrators | LOCAL SERVICE, NETWORK SERVICE, Administrators
Allow logon locally | Not defined | Administrators, Users, Power Users, Backup Operators | Administrators, Users, Power Users, Backup Operators
Allow logon through Terminal Services | Not defined | Administrators, Remote Desktop Users | Administrators, Remote Desktop Users
Back up files and directories | Not defined | Administrators, Backup Operators | Administrators, Backup Operators
Bypass traverse checking | Not defined | Everyone, Administrators, Users, Power Users, Backup Operators | Everyone, Administrators, Users, Power Users, Backup Operators
Change the system time | Not defined | Administrators, Power Users | Administrators, Power Users
Create a pagefile | Not defined | Administrators | Administrators
Create a token object | Not defined | Not defined | Not defined
Create global objects | Not defined | Not Applicable | Not Applicable
Create permanent shared objects | Not defined | Not defined | Not defined
Debug programs | Not defined | Administrators | Administrators
Deny access to this computer from the network | Not defined | Support_xxxxxxxx, Guest | Support_xxxxxxxx, Guest
Deny logon as a batch job | Not defined | Not defined | Not defined
Deny logon as a service | Not defined | Not defined | Not defined
Deny logon locally | Not defined | Support_xxxxxxxx, Guest | Support_xxxxxxxx, Guest
Deny logon through Terminal Services | Not defined | Not defined | Not defined
Enable computer and user accounts to be trusted for delegation | Not defined | Not defined | Not defined
Force shutdown from a remote system | Not defined | Administrators | Administrators
Generate security audits | Not defined | LOCAL SERVICE, NETWORK SERVICE | LOCAL SERVICE, NETWORK SERVICE
Increase scheduling priority | Not defined | Administrators | Administrators
Load and unload device drivers | Not defined | Administrators | Administrators
Lock pages in memory | Not defined | Not defined | Not defined
Log on as a batch job | Not defined | Support_xxxxxxxx | Support_xxxxxxxx
Log on as a service | Not defined | NETWORK SERVICE | NETWORK SERVICE
Manage auditing and security log | Not defined | Administrators | Administrators
Modify firmware environment values | Not defined | Administrators | Administrators
Perform volume maintenance tasks | Not defined | Administrators | Administrators
Profile single process | Not defined | Administrators, Power Users | Administrators, Power Users
Profile system performance | Not defined | Administrators | Administrators
Remove computer from docking station | Not defined | Administrators, Power Users | Administrators, Power Users
Replace a process level token | Not defined | LOCAL SERVICE, NETWORK SERVICE | LOCAL SERVICE, NETWORK SERVICE
Restore files and directories | Not defined | Administrators, Backup Operators | Administrators, Backup Operators
Shut down the system | Not defined | Administrators, Power Users, Backup Operators, Users | Administrators, Power Users, Backup Operators, Users
Synchronize directory service data | Not defined | Not defined | Not defined
Take ownership of files or other objects | Not defined | Administrators | Administrators

Local Policies / Security Options
Accounts: Administrator account status | Not defined | Enabled | Enabled
Accounts: Guest account status | Not defined | Disabled | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Not defined | Enabled | Enabled
Accounts: Rename administrator account | Not defined | Administrator | Administrator
Accounts: Rename guest account | Not defined | Guest | Guest
Audit: Audit the access of global system objects | Not defined | Disabled | Disabled
Audit: Audit the use of Backup and Restore privilege | Not defined | Disabled | Disabled
Audit: Shut down system immediately if unable to log security audits | Not defined | Disabled | Disabled
DCOM: Machine Access Restrictions in SDDL syntax | Not defined | Not defined | Not defined
DCOM: Machine Launch Restrictions in SDDL syntax | Not defined | Not defined | Not defined
Devices: Allow undock without having to log on | Not defined | Enabled | Enabled
Devices: Allowed to format and eject removable media | Not defined | Administrators | Administrators
Devices: Prevent users from installing printer drivers | Not defined | Disabled | Disabled
Devices: Restrict CD-ROM access to locally logged-on user only | Not defined | Disabled | Disabled
Devices: Restrict floppy access to locally logged-on user only | Not defined | Disabled | Disabled
Devices: Unsigned driver installation behavior | Not defined | Warn but allow installation | Warn but allow installation
Domain controller: Allow server operators to schedule tasks | Not defined | Not defined | Not defined
Domain controller: LDAP server signing requirements | Not defined | Not defined | Not defined
Domain controller: Refuse machine account password changes | Not defined | Not defined | Not defined

Local Policies / Security Options (continued; columns: Default Domain Policy | Stand-Alone Windows XP Default Settings | Domain Member Windows XP Effective Default Settings)
Domain member: Digitally encrypt or sign secure channel data (always) | Not defined | Enabled | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Not defined | Enabled | Enabled
Domain member: Digitally sign secure channel data (when possible) | Not defined | Enabled | Enabled
Domain member: Disable machine account password changes | Not defined | Disabled | Disabled
Domain member: Maximum machine account password age | Not defined | 30 days | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Not defined | Disabled | Disabled
Interactive logon: Do not display last user name | Not defined | Disabled | Disabled
Interactive logon: Do not require CTRL+ALT+DEL | Not defined | Not defined | Not defined
Interactive logon: Message text for users attempting to log on | Not defined | Not defined | Not defined
Interactive logon: Message title for users attempting to log on | Not defined | Not defined | Not defined
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | Not defined | 10 logons | 10 logons
Interactive logon: Prompt user to change password before expiration | Not defined | 14 days | 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Not defined | Disabled | Disabled
Interactive logon: Require smart card | Not defined | Not defined | Not defined
Interactive logon: Smart card removal behavior | Not defined | No Action | No Action
Microsoft network client: Digitally sign communications (always) | Not defined | Disabled | Disabled
Microsoft network client: Digitally sign communications (if server agrees) | Not defined | Enabled | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Not defined | Disabled | Disabled
Microsoft network server: Amount of idle time required before suspending session | Not defined | 15 minutes | 15 minutes
Microsoft network server: Digitally sign communications (always) | Not defined | Disabled | Disabled
Microsoft network server: Digitally sign communications (if client agrees) | Not defined | Disabled | Disabled
Microsoft network server: Disconnect clients when logon hours expire | Not defined | Enabled | Enabled
Network access: Allow anonymous SID/Name translation | Not defined | Disabled | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Not defined | Enabled | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Not defined | Disabled | Disabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Not defined | Disabled | Disabled
Network access: Let Everyone permissions apply to anonymous users | Not defined | Disabled | Disabled
Network access: Named Pipes that can be accessed anonymously | Not defined | COMNAP,COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR,TrkWks,TrkSvr | COMNAP,COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR,TrkWks,TrkSvr
Network access: Remotely accessible registry paths | Not defined | System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib, System\CurrentControlSet\Services\SysmonLog | (same list as stand-alone)
Network access: Shares that can be accessed anonymously | Not defined | COMCFG,DFS$ | COMCFG,DFS$
Network access: Sharing and security model for local accounts | Not defined | Guest only - local users authenticate as Guest | Classic - local users authenticate as themselves
Network security: Do not store LAN Manager hash value on next password change | Not defined | Disabled | Disabled
Network security: Force logoff when logon hours expire | Disabled | Disabled | Disabled
Network security: LAN Manager authentication level | Not defined | Send LM & NTLM responses | Send LM & NTLM responses
Network security: LDAP client signing requirements | Not defined | Negotiate signing | Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Not defined | No minimum | No minimum
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Not defined | No minimum | No minimum
Recovery console: Allow automatic administrative logon | Not defined | Disabled | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Not defined | Disabled | Disabled
Shutdown: Allow system to be shut down without having to log on | Not defined | Enabled | Enabled
Shutdown: Clear virtual memory pagefile | Not defined | Disabled | Disabled
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Not defined | Disabled | Disabled
System objects: Default owner for objects created by members of the Administrators group | Not defined | Object creator | Object creator
System objects: Require case insensitivity for non-Windows subsystems | Not defined | Enabled | Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Not defined | Enabled | Enabled

Remaining Security Options rows (the MSS registry-value settings the Security Guide adds to the editor; the extraction dropped the setting names for this block). The rows whose option text identifies them:
MSS: (DisableIPSourceRouting) | Not defined | Medium, source routed packets are ignored when IP forwarding is enabled | Medium, source routed packets are ignored when IP forwarding is enabled
MSS: (KeepAliveTime) | Not defined | 7200000 | 7200000
MSS: (PerformRouterDiscovery) | Not defined | 2 (enable only if DHCP sends the Perform Router Discovery option) | 2 (enable only if DHCP sends the Perform Router Discovery option)
MSS: (TcpMaxConnectResponseRetransmissions) | Not defined | 2 (3 & 6 seconds, half-open connections dropped after 21 seconds) | 2 (3 & 6 seconds, half-open connections dropped after 21 seconds)
Unlabelled values in this block, in page order, each Not defined in the Default Domain Policy column and identical in both Windows XP columns: Disabled, Enabled, Enabled, Disabled, Enabled, Enabled, Disabled, Enabled, Disabled, Enabled, Disabled, Disabled, 5, Disabled, 5, 0 (not configured), Disabled, Disabled, 1, 0, 0, 0, 0

Event Log
Maximum application log size | Not defined | 512 KB | 512 KB
Maximum security log size | Not defined | 512 KB | 512 KB
Maximum system log size | Not defined | 512 KB | 512 KB
Prevent local guests group from accessing application log | Not defined | Enabled | Enabled
Prevent local guests group from accessing security log | Not defined | Enabled | Enabled
Prevent local guests group from accessing system log | Not defined | Enabled | Enabled
Retain application log | Not defined | 7 days | 7 days
Retain security log | Not defined | 7 days | 7 days
Retain system log | Not defined | 7 days | 7 days
Retention method for application log | Not defined | Overwrite events as needed | Overwrite events as needed
Retention method for security log | Not defined | Overwrite events as needed | Overwrite events as needed
Retention method for system log | Not defined | Overwrite events as needed | Overwrite events as needed
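The practical use of the Account Policies and Security Options tables above is as a baseline to diff a machine against. The script below is an added example, not part of the Microsoft workbook: it parses a local security policy export in the INF format that secedit writes and reports which settings still sit at the Windows XP domain-member default. The INF text embedded in it is a constructed sample so the script runs offline; the [System Access] key names and the [Registry Values] paths are the ones secedit itself uses for these settings. With -FromLiveSystem it exports the real policy instead, which needs an elevated prompt.

```powershell
# Added example, not from the appendix: audit a secedit policy export against
# the Windows XP domain-member defaults tabulated above.
param([switch]$FromLiveSystem)

# Defaults from the tables. [System Access] keys are secedit's names for the
# password and lockout policies; registry-backed Security Options are keyed by
# the path secedit writes under [Registry Values].
$Expected = [ordered]@{
    'PasswordHistorySize'       = '24'   # Enforce password history
    'MaximumPasswordAge'        = '42'   # Maximum password age (days)
    'MinimumPasswordAge'        = '1'
    'MinimumPasswordLength'     = '7'
    'PasswordComplexity'        = '1'    # Enabled
    'ClearTextPassword'         = '0'    # reversible encryption Disabled
    'LockoutBadCount'           = '0'    # Account lockout threshold
    'ForceLogoffWhenHourExpire' = '0'    # Network security: Force logoff ... Disabled
    'MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse'     = '1'
    'MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel'      = '0'   # Send LM & NTLM responses
    'MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash'                  = '0'
    'MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM'      = '1'
    'MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous'         = '0'
    'MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous' = '0'
    'MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest'                = '0'   # Classic (domain member)
    'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal'  = '1'
    'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge' = '30'
    'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount'  = '10'
    'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature'     = '0'
    'MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature' = '1'
}

# Constructed sample export (same layout as "secedit /export /cfg"); the
# ForceGuest line is deliberately the stand-alone value so one row differs.
$SampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
[Version]
signature="$CHICAGO$"
Revision=1
'@

function ConvertFrom-SeceditInf {
    # Returns a hashtable of key -> value for every "key = value" line.
    param([string[]]$Lines)
    $result  = @{}
    $section = ''
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        $eq = $t.IndexOf('=')
        if ($eq -lt 0) { continue }
        $key = $t.Substring(0, $eq).Trim()
        $val = $t.Substring($eq + 1).Trim()
        if ($section -eq 'Registry Values') {
            # Registry entries are written as <type>,<data>; keep only the data
            $comma = $val.IndexOf(',')
            if ($comma -ge 0) { $val = $val.Substring($comma + 1) }
        }
        $result[$key] = $val.Trim('"')
    }
    return $result
}

function Compare-WithDefaults {
    param([hashtable]$Actual, $Expected)
    foreach ($key in $Expected.Keys) {
        $have   = if ($Actual.ContainsKey($key)) { $Actual[$key] } else { '<not present>' }
        $status = if ($have -eq $Expected[$key]) { 'default' } else { 'DIFFERS' }
        [pscustomobject]@{ Setting = $key; Default = $Expected[$key]; Actual = $have; Status = $status }
    }
}

$lines = if ($FromLiveSystem) {
    $export = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $export | Out-Null
    Get-Content -Path $export -Encoding Unicode   # secedit writes UTF-16
} else {
    $SampleInf -split "`r?`n"
}
$actual = ConvertFrom-SeceditInf -Lines $lines
Compare-WithDefaults -Actual $actual -Expected $Expected | Format-Table -AutoSize
```

On the sample input every row reports "default" except ForceGuest, which shows the stand-alone value 1 against the domain-member default 0, and the keys the sample omits, which report "<not present>" rather than being silently treated as default. A "DIFFERS" row is not by itself a problem; it is what hardening is supposed to produce, but it is the row to account for.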

Administrative Templates (Computer Configuration and User Configuration)
Every Administrative Template setting listed in this workbook is Not configured in the Windows XP default configuration.

Services
Columns: Full Service Name | Service Name | Domain Member Windows XP Startup Type | Stand-Alone Windows XP Startup Type
Alerter | Alerter | Manual | Manual
Application Layer Gateway Service | ALG | Manual | Manual
Application Management | AppMgmt | Manual | Manual
Automatic Updates | wuauserv | Automatic | Automatic
Background Intelligent Transfer Service | BITS | Manual | Manual
ClipBook | ClipSrv | Manual | Manual
COM+ Event System | EventSystem | Manual | Manual
COM+ System Application | COMSysApp | Manual | Manual
Computer Browser | Browser | Automatic | Automatic
Cryptographic Services | CryptSvc | Automatic | Automatic
DCOM Server Process Launcher | DcomLaunch | Automatic | Automatic
DHCP Client | Dhcp | Automatic | Automatic
Distributed Link Tracking Client | TrkWks | Automatic | Automatic
Distributed Transaction Coordinator | MSDTC | Manual | Manual
DNS Client | Dnscache | Automatic | Automatic
Error Reporting Service | ERSvc | Automatic | Automatic
Event Log | Eventlog | Automatic | Automatic
Fast User Switching Compatibility | FastUserSwitchingCompatibility | Manual | Manual
Help and Support | helpsvc | Automatic | Automatic
Human Interface Device Access | HidServ | Disabled | Disabled
IMAPI CD-Burning COM Service | ImapiService | Manual | Manual
Indexing Service | cisvc | Manual | Manual
Infrared Monitor | Irmon | Not installed | Not installed
Internet Connection Sharing | (service name and startup types not present in the extraction)
IPSec Services | PolicyAgent | Automatic | Automatic
Logical Disk Manager | dmserver | Automatic | Automatic
Logical Disk Manager Administrative Service | dmadmin | Manual | Manual
Machine Debug Manager | MDM | Not installed | Not installed
Message Queuing | msmq | Not installed | Not installed
Message Queuing Down Level Clients | mqds | Not installed | Not installed
Message Queuing Triggers | Mqtgsvc | Not installed | Not installed
Messenger | Messenger | Automatic | Automatic
Microsoft Software Shadow Copy Provider | SwPrv | Manual | Manual
Netlogon | Netlogon | Automatic | Manual
NetMeeting Remote Desktop Sharing | mnmsrvc | Manual | Manual
Network Connections | Netman | Manual | Manual
Network DDE | NetDDE | Manual | Manual
Network DDE DSDM | NetDDEdsdm | Manual | Manual
Network Location Awareness (NLA) | NLA | Manual | Manual
Network Provisioning Service | xmlprov | Manual | Manual
NTLM Security Support Provider | NtLmSsp | Manual | Manual
Performance Logs and Alerts | SysmonLog | Manual | Manual
Plug and Play | PlugPlay | Automatic | Automatic
Portable Media Serial Number | WmdmPmSN | Automatic | Automatic
Print Spooler | Spooler | Automatic | Automatic
Protected Storage | ProtectedStorage | Automatic | Automatic
QoS RSVP | RSVP | Manual | Manual
Remote Access Auto Connection Manager | RasAuto | Manual | Manual
Remote Access Connection Manager | RasMan | Manual | Manual
Remote Desktop Help Session Manager | RDSessMgr | Manual | Manual
Remote Procedure Call (RPC) | RpcSs | Automatic | Automatic
Remote Procedure Call (RPC) Locator | RpcLocator | Manual | Manual
Remote Registry Service | RemoteRegistry | Automatic | Automatic
Removable Storage | NtmsSvc | Manual | Manual
Routing and Remote Access | RemoteAccess | Disabled | Disabled
Secondary Logon | seclogon | Automatic | Automatic
Security Accounts Manager | SamSs | Automatic | Automatic
Security Center | wscsvc | Automatic | Automatic
Server | lanmanserver | Automatic | Automatic
Shell Hardware Detection | ShellHWDetection | Automatic | Automatic
Smart Card | SCardSvr | Automatic | Automatic
SSDP Discovery Service | SSDPSRV | Manual | Manual
System Event Notification | SENS | Automatic | Automatic
System Restore Service | sr | Automatic | Automatic
Task Scheduler | Schedule | Automatic | Automatic
TCP/IP NetBIOS Helper Service | LMHosts | Automatic | Automatic
Telephony | TapiSrv | Manual | Manual
Telnet | TlntSvr | Disabled | Disabled
Terminal Services | TermService | Manual | Manual
Themes | Themes | Automatic | Automatic
Uninterruptible Power Supply | UPS | Manual | Manual
Upload Manager | Uploadmgr | Manual | Manual
Universal Plug and Play Device Host | upnphost | Manual | Manual
Volume Shadow Copy | VSS | Manual | Manual
WebClient | WebClient | Automatic | Automatic
Windows Audio | AudioSrv | Automatic | Automatic
Windows Connection Firewall (WF)/Internet Connection Sharing (ICS) | SharedAccess | Manual | Automatic
Windows Image Acquisition (WIA) | StiSvc | Manual | Manual
Windows Installer | MSIServer | Manual | Manual
Windows Management Instrumentation | winmgmt | Automatic | Automatic
Windows Management Instrumentation Driver Extensions | Wmi | Automatic | Manual
Windows Time | W32Time | Automatic | Automatic
Wireless Zero Configuration | WZCSVC | Automatic | Automatic
WMI Performance Adapter | WmiApSrv | Manual | Manual
Workstation | lanmanworkstation | Automatic | Automatic

Logon As
The account each service runs under: Local System, Local Service or Network Service. In this extraction the column was separated from the service names, so the per-service account cannot be read from it.
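The services table above gives the startup type for each service on a stand-alone and on a domain-joined Windows XP machine, and the Logon As column gives the account it runs under. The script below is an added example, not part of the Microsoft workbook: it compares the startup type of a chosen subset of those services against the table, picking the column that matches the machine's domain membership, and prints the StartName alongside so the Logon As value can be read from the live system. The sample records are constructed in the shape of Win32_Service so the script runs without WMI; -FromLiveSystem queries Win32_Service through Get-WmiObject, which exists on Windows XP's PowerShell.

```powershell
# Added example, not from the appendix: report local services whose startup
# type differs from the Windows XP defaults tabulated above.
param([switch]$FromLiveSystem, [switch]$DomainMember)

# Service name -> @(domain-member startup type, stand-alone startup type),
# copied from the table for the services most often changed during hardening.
$Defaults = @{
    'Alerter'        = @('Manual',    'Manual')
    'Messenger'      = @('Automatic', 'Automatic')
    'Netlogon'       = @('Automatic', 'Manual')
    'RemoteAccess'   = @('Disabled',  'Disabled')
    'RemoteRegistry' = @('Automatic', 'Automatic')
    'SharedAccess'   = @('Manual',    'Automatic')
    'SSDPSRV'        = @('Manual',    'Manual')
    'TermService'    = @('Manual',    'Manual')
    'TlntSvr'        = @('Disabled',  'Disabled')
    'upnphost'       = @('Manual',    'Manual')
    'WebClient'      = @('Automatic', 'Automatic')
    'Wmi'            = @('Automatic', 'Manual')
}

# Constructed sample records; Win32_Service reports StartMode as Auto/Manual/Disabled.
$SampleServices = @(
    [pscustomobject]@{ Name = 'Messenger';      StartMode = 'Disabled'; StartName = 'LocalSystem';               State = 'Stopped' }
    [pscustomobject]@{ Name = 'Netlogon';       StartMode = 'Auto';     StartName = 'LocalSystem';               State = 'Running' }
    [pscustomobject]@{ Name = 'RemoteRegistry'; StartMode = 'Auto';     StartName = 'NT AUTHORITY\LocalService'; State = 'Running' }
    [pscustomobject]@{ Name = 'TlntSvr';        StartMode = 'Manual';   StartName = 'LocalSystem';               State = 'Stopped' }
    [pscustomobject]@{ Name = 'TermService';    StartMode = 'Manual';   StartName = 'LocalSystem';               State = 'Stopped' }
)

function Get-StartupDrift {
    param($Services, [hashtable]$Defaults, [bool]$IsDomainMember)
    $column = if ($IsDomainMember) { 0 } else { 1 }
    foreach ($name in ($Defaults.Keys | Sort-Object)) {
        $expected = $Defaults[$name][$column]
        $svc = $Services | Where-Object { $_.Name -eq $name }
        if ($null -eq $svc) {
            $actual  = '<not installed>'
            $logonAs = ''
        } else {
            # WMI spells Automatic as 'Auto'; normalise to the table's wording
            $actual  = if ($svc.StartMode -eq 'Auto') { 'Automatic' } else { $svc.StartMode }
            $logonAs = $svc.StartName
        }
        $status = if ($actual -eq $expected) { 'default' } else { 'DIFFERS' }
        [pscustomobject]@{ Service = $name; Expected = $expected; Actual = $actual; LogonAs = $logonAs; Status = $status }
    }
}

if ($FromLiveSystem) {
    $services = Get-WmiObject -Class Win32_Service
    $isDomain = [bool](Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
} else {
    $services = $SampleServices
    $isDomain = [bool]$DomainMember
}
Get-StartupDrift -Services $services -Defaults $Defaults -IsDomainMember $isDomain | Format-Table -AutoSize
```

Run without switches, the sample is judged against the stand-alone column: Netlogon shows DIFFERS because its stand-alone default is Manual, and the same records pass with -DomainMember, which is why the column choice matters. Telnet set to Manual instead of Disabled, and Messenger set to Disabled instead of Automatic, both show DIFFERS; the second is a deliberate hardening change, the first is the kind of drift worth chasing.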