Default Group Policy settings as they appear in the Group Policy Editor of Windows Server 2003

Columns used in the tables below:
DDP = Default Domain Policy; DDC = Default Domain Controller Policy; SA = Stand-Alone Server Default Settings; DC = DC Effective Default Settings; MS = Member Server Effective Default Settings.

Computer Configuration
- Software Settings: Software installation
- Windows Settings: Scripts (Startup/Shutdown); Security Settings

Security Settings > Account Policies > Password Policy

| Policy setting | DDP | DDC | SA | DC | MS |
|---|---|---|---|---|---|
| Enforce password history | 24 passwords remembered | Not defined | 0 passwords remembered | 24 passwords remembered | 24 passwords remembered |
| Maximum password age | 42 days | Not defined | 42 days | 42 days | 42 days |
| Minimum password age | 1 day | Not defined | 0 days | 1 day | 1 day |
| Minimum password length | 7 characters | Not defined | 0 characters | 7 characters | 7 characters |
| Passwords must meet complexity requirements | Enabled | Not defined | Disabled | Enabled | Enabled |
| Store password using reversible encryption for all users in the domain | Disabled | Not defined | Disabled | Disabled | Disabled |

Security Settings > Account Policies > Account Lockout Policy

| Policy setting | DDP | DDC | SA | DC | MS |
|---|---|---|---|---|---|
| Account lockout duration | Not defined | Not defined | Not applicable | Not defined | Not defined |
| Account lockout threshold | 0 invalid login attempts | Not defined | 0 invalid login attempts | 0 invalid login attempts | 0 invalid login attempts |
| Reset account lockout counter after | Not defined | Not defined | Not applicable | Not defined | Not defined |

Security Settings > Account Policies > Kerberos Policy

| Policy setting | DDP | DDC | SA | DC | MS |
|---|---|---|---|---|---|
| Enforce user logon restrictions | Enabled | Not defined | Not applicable | Enabled | Not applicable |
| Maximum lifetime for service ticket | 600 minutes | Not defined | Not applicable | 600 minutes | Not applicable |
| Maximum lifetime for user ticket | 10 hours | Not defined | Not applicable | 10 hours | Not applicable |
| Maximum lifetime for user ticket renewal | 7 days | Not defined | Not applicable | 7 days | Not applicable |
| Maximum tolerance for computer clock synchronization | 5 minutes | Not defined | Not applicable | 5 minutes | Not applicable |

Security Settings > Local Policies > Audit Policy

| Policy setting | DDP | DDC | SA | DC | MS |
|---|---|---|---|---|---|
| Audit account logon events | Not defined | Success | Success | Success | Success |
| Audit account management | Not defined | Success | No auditing | Success | No auditing |
| Audit directory service access | Not defined | Success | No auditing | Success | No auditing |
| Audit logon events | Not defined | Success | Success | Success | Success |
| Audit object access | Not defined | No auditing | No auditing | No auditing | No auditing |
| Audit policy change | Not defined | Success | No auditing | Success | No auditing |
| Audit privilege use | Not defined | No auditing | No auditing | No auditing | No auditing |
| Audit process tracking | Not defined | No auditing | No auditing | No auditing | No auditing |
| Audit system events | Not defined | Success | No auditing | Success | No auditing |

Security Settings > Local Policies > User Rights Assignment

| Policy setting (privilege constant) | DDP | DDC | SA | DC | MS |
|---|---|---|---|---|---|
| Access this computer from the network (SeNetworkLogonRight) | Not defined | Everyone, Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS, Pre-Windows 2000 Compatible Access | Everyone, Administrators, Users, Power Users, Backup Operators | Everyone, Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS, Pre-Windows 2000 Compatible Access | Backup Operators, Power Users, Users, Administrators, Everyone |
| Act as part of the operating system (SeTcbPrivilege) | Not defined | No one | Not defined | No one | Not defined |
| Add workstations to domain (SeMachineAccountPrivilege) | Not defined | Authenticated Users | Not defined | Authenticated Users | Not defined |
| Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) | Not defined | LOCAL SERVICE, NETWORK SERVICE, Administrators | LOCAL SERVICE, NETWORK SERVICE, Administrators | LOCAL SERVICE, NETWORK SERVICE, Administrators | Administrators, NETWORK SERVICE, LOCAL SERVICE |
| Allow log on locally (SeInteractiveLogonRight) | Not defined | Administrators, Backup Operators, Account Operators, Server Operators, Print Operators | Administrators, Users, Power Users, Backup Operators | Administrators, Backup Operators, Account Operators, Server Operators, Print Operators | Backup Operators, Power Users, Users, Administrators |
| Allow log on through Terminal Services (SeRemoteInteractiveLogonRight) | Not defined | Not defined | Administrators, Remote Desktop Users | Administrators | Remote Desktop Users, Administrators |
| Back up files and directories (SeBackupPrivilege) | Not defined | Administrators, Backup Operators, Server Operators | Administrators, Backup Operators | Administrators, Backup Operators, Server Operators | Backup Operators, Administrators |
| Bypass traverse checking (SeChangeNotifyPrivilege) | Not defined | Everyone, Administrators, Authenticated Users, Pre-Windows 2000 Compatible Access | Everyone, Administrators, Users, Power Users, Backup Operators | Everyone, Administrators, Authenticated Users, Pre-Windows 2000 Compatible Access | Backup Operators, Power Users, Users, Administrators, Everyone |
| Change the system time (SeSystemTimePrivilege) | Not defined | Administrators, Server Operators | Administrators, Power Users | Administrators, Server Operators | Power Users, Administrators |
| Create a pagefile (SeCreatePagefilePrivilege) | Not defined | Administrators | Administrators | Administrators | Administrators |
| Create a token object (SeCreateTokenPrivilege) | Not defined | No one | Not defined | No one | Not defined |
| Create global objects (SeCreateGlobalPrivilege) | Not defined | Not defined | Administrators, SERVICE | SERVICE, Administrators | SERVICE, Administrators |
| Create permanent shared objects (SeCreatePermanentPrivilege) | Not defined | No one | Not defined | No one | Not defined |
| Debug programs (SeDebugPrivilege) | Not defined | Administrators | Administrators | Administrators | Administrators |
| Deny access to this computer from the network (SeDenyNetworkLogonRight) | Not defined | SUPPORT_388945a0 | SUPPORT_388945a0 | SUPPORT_388945a0 | SUPPORT_388945a0 |
| Deny log on as a batch job (SeDenyBatchLogonRight) | Not defined | No one | Not defined | No one | Not defined |
| Deny log on as a service (SeDenyServiceLogonRight) | Not defined | No one | Not defined | No one | Not defined |
| Deny log on locally (SeDenyInteractiveLogonRight) | Not defined | SUPPORT_388945a0 | SUPPORT_388945a0 | SUPPORT_388945a0 | SUPPORT_388945a0 |
| Deny log on through Terminal Services (SeDenyRemoteInteractiveLogonRight) | Not defined | Not defined | Not defined | Not defined | Not defined |
| Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege) | Not defined | Administrators | Not defined | Administrators | Not defined |
| Force shutdown from a remote system (SeRemoteShutdownPrivilege) | Not defined | Administrators, Server Operators | Administrators | Administrators, Server Operators | Administrators |
| Generate security audits (SeAuditPrivilege) | Not defined | LOCAL SERVICE, NETWORK SERVICE | LOCAL SERVICE, NETWORK SERVICE | LOCAL SERVICE, NETWORK SERVICE | NETWORK SERVICE, LOCAL SERVICE |
| Impersonate a client after authentication (SeImpersonatePrivilege) | Not defined | Administrators, SERVICE | Administrators, SERVICE | SERVICE, Administrators | SERVICE, Administrators |
| Increase scheduling priority (SeIncreaseBasePriorityPrivilege) | Not defined | Administrators | Administrators | Administrators | Administrators |
| Load and unload device drivers (SeLoadDriverPrivilege) | Not defined | Administrators, Print Operators | Administrators | Administrators, Print Operators | Administrators |
| Lock pages in memory (SeLockMemoryPrivilege) | Not defined | No one | Not defined | No one | Not defined |
| Log on as a batch job (SeBatchLogonRight) | Not defined | LOCAL SERVICE, SUPPORT_388945a0 | LOCAL SERVICE, SUPPORT_388945a0 | LOCAL SERVICE, SUPPORT_388945a0 | SUPPORT_388945a0, LOCAL SERVICE |
| Log on as a service (SeServiceLogonRight) | Not defined | NETWORK SERVICE | NETWORK SERVICE | NETWORK SERVICE | NETWORK SERVICE |
| Manage auditing and security log (SeSecurityPrivilege) | Not defined | Administrators | Administrators | Administrators | Administrators |
| Modify firmware environment values (SeSystemEnvironmentPrivilege) | Not defined | Administrators | Administrators | Administrators | Administrators |
| Perform volume maintenance tasks (SeManageVolumePrivilege) | Not defined | Not defined | Administrators | Administrators | Administrators |
| Profile single process (SeProfileSingleProcessPrivilege) | Not defined | Administrators | Administrators, Power Users | Administrators | Power Users, Administrators |
| Profile system performance (SeSystemProfilePrivilege) | Not defined | Administrators | Administrators | Administrators | Administrators |
| Remove computer from docking station (SeUndockPrivilege) | Not defined | Administrators | Administrators, Power Users | Administrators | Power Users, Administrators |
| Replace a process level token (SeAssignPrimaryTokenPrivilege) | Not defined | LOCAL SERVICE, NETWORK SERVICE | LOCAL SERVICE, NETWORK SERVICE | LOCAL SERVICE, NETWORK SERVICE | NETWORK SERVICE, LOCAL SERVICE |
| Restore files and directories (SeRestorePrivilege) | Not defined | Administrators, Backup Operators, Server Operators | Administrators, Backup Operators | Administrators, Backup Operators, Server Operators | Backup Operators, Administrators |
| Shut down the system (SeShutdownPrivilege) | Not defined | Administrators, Backup Operators, Server Operators, Print Operators | Administrators, Power Users, Backup Operators, Users | Administrators, Backup Operators, Server Operators, Print Operators | Backup Operators, Power Users, Administrators, Users |
| Synchronize directory service data (SeSynchAgentPrivilege) | Not defined | No one | Not defined | No one | Not defined |
| Take ownership of files or other objects (SeTakeOwnershipPrivilege) | Not defined | Administrators | Administrators | Administrators | Administrators |

Security Settings > Local Policies > Security Options

| Policy setting | DDP | DDC | SA | DC | MS |
|---|---|---|---|---|---|
| Accounts: Administrator account status | Not defined | Not defined | Enabled | Enabled | Enabled |
| Accounts: Guest account status | Not defined | Not defined | Disabled | Disabled | Disabled |
| Accounts: Limit local account use of blank passwords to console logon only | Not defined | Not defined | Enabled | Enabled | Enabled |
| Accounts: Rename administrator account | Not defined | Not defined | Administrator | Administrator | Administrator |
| Accounts: Rename guest account | Not defined | Not defined | Guest | Guest | Guest |
| Audit: Audit the access of global system objects | Not defined | Not defined | Disabled | Disabled | Disabled |
| Audit: Audit the use of Backup and Restore privilege | Not defined | Not defined | Disabled | Disabled | Disabled |
| Audit: Shut down system immediately if unable to log security audits | Not defined | Not defined | Disabled | Disabled | Disabled |
| DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) | Not defined | Not defined | Not defined | Not defined | Not defined |
| DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) | Not defined | Not defined | Not defined | Not defined | Not defined |
| Devices: Allow undock without having to log on | Not defined | Not defined | Enabled | Enabled | Enabled |
| Devices: Allowed to format and eject removable media | Not defined | Not defined | Administrators | Administrators | Administrators |
| Devices: Prevent users from installing printer drivers | Not defined | Not defined | Enabled | Enabled | Enabled |
| Devices: Restrict CD-ROM access to locally logged-on user only | Not defined | Not defined | Disabled | Disabled | Disabled |
| Devices: Restrict floppy access to locally logged-on user only | Not defined | Not defined | Disabled | Disabled | Disabled |
| Devices: Unsigned driver installation behavior | Not defined | Not defined | Warn but allow installation | Warn but allow installation | Warn but allow installation |
| Domain controller: Allow server operators to schedule tasks | Not defined | Not defined | Not defined | Not defined | Not defined |
| Domain controller: LDAP server signing requirements | Not defined | None | Not defined | None | Not defined |
| Domain controller: Refuse machine account password changes | Not defined | Not defined | Not defined | Not defined | Not defined |
| Domain member: Digitally encrypt or sign secure channel data (always) | Not defined | Enabled | Enabled | Enabled | Enabled |
| Domain member: Digitally encrypt secure channel data (when possible) | Not defined | Not defined | Enabled | Enabled | Enabled |
| Domain member: Digitally sign secure channel data (when possible) | Not defined | Not defined | Enabled | Enabled | Enabled |
| Domain member: Disable machine account password changes | Not defined | Not defined | Disabled | Disabled | Disabled |
| Domain member: Maximum machine account password age | Not defined | Not defined | 30 days | 30 days | 30 days |
| Domain member: Require strong (Windows 2000 or later) session key | Not defined | Not defined | Disabled | Disabled | Disabled |
| Interactive logon: Display user information when the session is locked | Not defined | Not defined | Not defined | Not defined | Not defined |
| Interactive logon: Do not display last user name | Not defined | Not defined | Disabled | Disabled | Disabled |
| Interactive logon: Do not require CTRL+ALT+DEL | Not defined | Not defined | Disabled | Disabled | Disabled |
| Interactive logon: Message text for users attempting to log on | Not defined | Not defined | Not defined | Not defined | Not defined |
| Interactive logon: Message title for users attempting to log on | Not defined | Not defined | Not defined | Not defined | Not defined |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | Not defined | Not defined | 10 logons | 10 logons | 10 logons |
| Interactive logon: Prompt user to change password before expiration | Not defined | Not defined | 14 days | 14 days | 14 days |
| Interactive logon: Require Domain Controller authentication to unlock workstation | Not defined | Not defined | Disabled | Disabled | Disabled |
| Interactive logon: Require smart card | Not defined | Not defined | Disabled | Disabled | Disabled |
| Interactive logon: Smart card removal behavior | Not defined | Not defined | No Action | No Action | No Action |
| Microsoft network client: Digitally sign communications (always) | Not defined | Not defined | Disabled | Disabled | Disabled |
| Microsoft network client: Digitally sign communications (if server agrees) | Not defined | Not defined | Enabled | Enabled | Enabled |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Not defined | Not defined | Disabled | Disabled | Disabled |
| Microsoft network server: Amount of idle time required before suspending session | Not defined | Not defined | 15 minutes | 15 minutes | 15 minutes |
| Microsoft network server: Digitally sign communications (always) | Not defined | Enabled | Enabled | Enabled | Enabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Not defined | Enabled | Enabled | Enabled | Enabled |
| Microsoft network server: Disconnect clients when logon hours expire | Not defined | Not defined | Enabled | Enabled | Enabled |
| Network access: Allow anonymous SID/Name translation | Not defined | Not defined | Disabled | Enabled | Disabled |
| Network access: Do not allow anonymous enumeration of SAM accounts | Not defined | Not defined | Enabled | Enabled | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Not defined | Not defined | Disabled | Disabled | Disabled |
| Network access: Do not allow storage of credentials or .NET Passports for network authentication | Not defined | Not defined | Disabled | Disabled | Disabled |
| Network access: Let Everyone permissions apply to anonymous users | Not defined | Not defined | Disabled | Disabled | Disabled |
| Network access: Named Pipes that can be accessed anonymously | Not defined | Not defined | COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, TrkSvr | COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, TrkSvr | COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, TrkSvr |
| Network access: Remotely accessible registry paths | Not defined | Not defined | System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\ | (same as SA) | (same as SA) |
| Network access: Remotely accessible registry paths and subpaths | Not defined | Not defined | System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib, System\CurrentControlSet\Services\SysmonLog | (same as SA) | (same as SA) |
| Network access: Restrict anonymous access to Named Pipes and Shares | Not defined | Not defined | Enabled | Enabled | Enabled |
| Network access: Shares that can be accessed anonymously | Not defined | Not defined | COMCFG, DFS$ | COMCFG, DFS$ | COMCFG, DFS$ |
| Network access: Sharing and security model for local accounts | Not defined | Not defined | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves |
| Network security: Do not store LAN Manager hash value on next password change | Not defined | Not defined | Disabled | Disabled | Disabled |
| Network security: Force logoff when logon hours expire | Disabled | Not defined | Disabled | Disabled | Disabled |
| Network security: LAN Manager authentication level | Not defined | Send NTLM response only | Send NTLM response only | Send NTLM response only | Send NTLM response only |
| Network security: LDAP client signing requirements | Not defined | Not defined | Negotiate signing | Negotiate signing | Negotiate signing |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Not defined | Not defined | No minimum | No minimum | No minimum |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Not defined | Not defined | No minimum | No minimum | No minimum |
| Recovery console: Allow automatic administrative logon | Not defined | Not defined | Disabled | Disabled | Disabled |
| Recovery console: Allow floppy copy and access to all drives and all folders | Not defined | Not defined | Disabled | Disabled | Disabled |
| Shutdown: Allow system to be shut down without having to log on | Not defined | Not defined | Disabled | Disabled | Disabled |
| Shutdown: Clear virtual memory pagefile | Not defined | Not defined | Disabled | Disabled | Disabled |
| System cryptography: Force strong key protection for user keys stored on the computer | Not defined | Not defined | Not defined | Not defined | Not defined |
| System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Not defined | Not defined | Disabled | Disabled | Disabled |
| System objects: Default owner for objects created by members of the Administrators group | Not defined | Not defined | Administrators group | Administrators group | Administrators group |
| System objects: Require case insensitivity for non-Windows subsystems | Not defined | Not defined | Enabled | Enabled | Enabled |
| System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Not defined | Not defined | Enabled | Enabled | Enabled |
| System settings: Optional subsystems | Not defined | Not defined | Posix | Posix | Posix |
| System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Not defined | Not defined | Disabled | Disabled | Disabled |
| MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) | Not defined | Not defined | Disabled | Disabled | Disabled |
| MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) | Not defined | Not defined | Enabled | Enabled | Enabled |
| MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments) | Not defined | Not defined | Enabled | Enabled | Enabled |
| MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | Not defined | Not defined | Medium, source routed packets are ignored when IP forwarding is enabled | Medium, source routed packets are ignored when IP forwarding is enabled | Medium, source routed packets are ignored when IP forwarding is enabled |
| MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended) | Not defined | Not defined | Disabled | Disabled | Disabled |
| MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) | Not defined | Not defined | Enabled | Enabled | Enabled |
| MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Not defined | Not defined | Enabled | Enabled | Enabled |
| MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) | Not defined | Not defined | Disabled | Disabled | Disabled |
| MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds (300,000 is recommended) | Not defined | Not defined | 7200000 | 7200000 | 7200000 |
| MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended) | Not defined | Not defined | Enabled | Enabled | Enabled |
| MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended) | Not defined | Not defined | Disabled | Disabled | Disabled |
| MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Not defined | Not defined | Enabled | Enabled | Enabled |
| MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) | Not defined | Not defined | Disabled | Disabled | Disabled |
| MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) | Not defined | Not defined | 2 (enable only if DHCP sends the Perform Router Discovery option) | 2 (enable only if DHCP sends the Perform Router Discovery option) | 2 (enable only if DHCP sends the Perform Router Discovery option) |
| MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) | Not defined | Not defined | Enabled | Enabled | Enabled |
| MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) | Not defined | Not defined | 5 | 5 | 5 |
| MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) | Not defined | Not defined | Enabled | Enabled | Enabled |
| MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged | Not defined | Not defined | 2 (3 & 6 seconds, half-open connections dropped after 21 seconds) | 2 (3 & 6 seconds, half-open connections dropped after 21 seconds) | 2 (3 & 6 seconds, half-open connections dropped after 21 seconds) |
| MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) | Not defined | Not defined | 5 | 5 | 5 |
| MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning | Not defined | Not defined | 0 (not configured) | 0 (not configured) | 0 (not configured) |
| (ActiveX Signed Controls) RunInvalidSignatures | Not defined | Not defined | Disabled | Disabled | Disabled |
| (RPC Endpoint Mapper) EnableAuthEpResolution | Not defined | Not defined | Disabled | Disabled | Disabled |
| (RPC Endpoint Mapper) RestrictRemoteClients | Not defined | Not defined | 0 | 0 | 0 |
| (WebDAV Redirector) DisableBasicOverClearChannel | Not defined | Not defined | 0 (Disabled) | 0 (Disabled) | 0 (Disabled) |
| (WebDAV Redirector) UseBasicAuth | Not defined | Not defined | 0 (Disabled) | 0 (Disabled) | 0 (Disabled) |

Security Settings > Event Log > Settings for Event Logs

| Policy setting | DDP | DDC | SA | DC | MS |
|---|---|---|---|---|---|
| Maximum application log size | Not defined | Not defined | 16384 KB | 16384 KB | 16384 KB |
| Maximum security log size | Not defined | Not defined | 16384 KB | 131072 KB | 16384 KB |
| Maximum system log size | Not defined | Not defined | 16384 KB | 16384 KB | 16384 KB |
| Restrict guest access to application log | Not defined | Not defined | Not defined | Enabled | Enabled |
| Restrict guest access to security log | Not defined | Not defined | Not defined | Enabled | Enabled |
| Restrict guest access to system log | Not defined | Not defined | Not defined | Enabled | Enabled |
| Retain application log | Not defined | Not defined | Not defined | Not defined | Not defined |
| Retain security log | Not defined | Not defined | Not defined | Not defined | Not defined |
| Retain system log | Not defined | Not defined | Not defined | Not defined | Not defined |
| Retention method for application log | Not defined | Not defined | Overwrite as needed | Overwrite as needed | Overwrite as needed |
| Retention method for security log | Not defined | Not defined | Overwrite as needed | Overwrite as needed | Overwrite as needed |
| Retention method for system log | Not defined | Not defined | Overwrite as needed | Overwrite as needed | Overwrite as needed |

Remaining Security Settings nodes (no default values are listed on this worksheet):
- Restricted Groups
- System Services (see the System Services worksheet)
- Registry
- File System
- Public Key Policies: Encrypted Data Recovery Agents; Automatic Certificate Request Settings; Trusted Root Certification Authorities; Enterprise Trust
- IP Security Policies on Active Directory: Client (Respond Only); Secure Server (Require Security); Server (Request Security)

Computer Configuration > Administrative Templates (every setting below: Not configured)

Windows Components
- NetMeeting: Disable remote Desktop Sharing
- Internet Explorer: Security Zones: Use only machine settings; Security Zones: Do not allow users to change policies; Security Zones: Do not allow users to add/delete sites; Make proxy settings per-machine (rather than per-user); Disable Automatic Install of Internet Explorer components; Disable Periodic Check for Internet Explorer software updates; Disable software update shell notifications on program launch; Turn off Crash Detection; Do not allow users to enable or disable add-ons; Allow software to run or install even if the signature is invalid; Allow active content from CDs to run on user machines; Allow third-party browser extensions (only under Windows 2003); Check for server certificate revocation (only under Windows 2003); Do not save encrypted pages to disk (only under Windows 2003); Empty Temporary Internet Files folder when browser is closed (only under Windows 2003)
  - Internet Control Panel: Security Page; Advanced Page
  - Security Features
    - Binary Behavior Security Restriction: Internet Explorer Processes; Process List; All Processes; Admin-approved behaviors
    - MK Protocol Security Restriction: Internet Explorer Processes; Process List; All Processes
    - Local Machine Zone Lockdown Security: Internet Explorer Processes; Process List; All Processes
    - Consistent MIME Handling: Internet Explorer Processes; Process List; All Processes
    - MIME Sniffing Safety Feature: Internet Explorer Processes; Process List; All Processes
    - Protection From Zone Elevation: Internet Explorer Processes; Process List; All Processes
    - Restrict ActiveX Install: Internet Explorer Processes; Process List; All Processes
    - Restrict File Download: Internet Explorer Processes; Process List; All Processes
    - Add-on Management: Internet Explorer Processes; Process List; All Processes
    - Network Protocol Lockdown: Internet Explorer Processes; Process List; All Processes; Restricted Protocols per Security Zone
- Internet Information Services: Prevent IIS installation
- Terminal Services: Deny log off of an administrator logged in to the console session; Do not allow local administrators to customize permissions; Sets rules for remote control of Terminal Services user sessions
  - Client/Server data redirection: Allow Time Zone Redirection; Do not allow clipboard redirection; Allow audio redirection; Do not allow COM port redirection; Do not allow client printer redirection; Do not allow LPT port redirection; Do not allow drive redirection; Do not set default client printer to be default printer in a session
  - Encryption and Security: Always prompt client for password upon connection; Set client connection encryption level
    - RPC Security Policy: Secure Server (Require Security)
  - Sessions: Set time limit for disconnected sessions; Allow reconnection from original client only
- Windows Explorer: Turn off shell protected mode
- Windows Messenger: Do not allow Windows Messenger to be run
- Windows Update: Configure Automatic Updates; Specify intranet Microsoft update service location; Reschedule Automatic Updates scheduled installations; No auto-restart for scheduled Automatic Updates installations

System
- Display Shutdown Event Tracker; Specify Windows installation file location; Specify Windows Service Pack installation file location; Remove Boot / Shutdown / Logon / Logoff status messages; Verbose vs normal status messages; Restrict these programs from being launched from Help; Turn off Autoplay; Do not automatically encrypt files moved to encrypted folders; Download missing COM components
- User Profiles: Do not check for user ownership of Roaming Profile Folders; Delete cached copies of roaming profiles; Do not detect slow network connections; Slow network connection timeout for user profiles; Wait for remote user profile; Prompt user when slow link is detected; Timeout for dialog boxes; Log users off when roaming profile fails; Maximum retries to unload and update user profile; Add the Administrators security group to roaming user profiles; Prevent Roaming Profile changes from propagating to the server; Only allow local user profiles
- Scripts: Turn off autoplay
- Logon: Don't display the Getting Started welcome screen at logon; Do not process the run once list; Do not process the legacy run list
- Group Policy: Registry policy processing; Internet Explorer Maintenance policy processing; Security policy processing; IP Security policy processing
- Remote Assistance: Solicited Remote Assistance; Offer Remote Assistance
- Error Reporting: Display Error Notification; Report Errors
- Distributed COM > Application Compatibility Settings: Allow local activation security check exemptions; Define Activation Security Check exemptions

User Configuration > Administrative Templates (every setting below: Not configured)

Windows Components
- Internet Explorer: Disable Changing Advanced page settings; Disable Internet Connection Wizard; Disable Changing Connection Settings; Disable Changing Proxy Settings; Disable Changing Automatic Configuration Se; Disable Changing Certificate Settings; Do not allow AutoComplete to save passwords; Configure Outlook Express
  - Internet Control Panel: Disable the Security Page; Disable the Advanced Page
  - Offline Pages: Disable adding channels; Disable removing channels; Disable adding schedules for offline pages; Disable editing schedules for offline pages; Disable removing schedules for offline pages; Disable offline page hit logging; Disable all scheduled offline pages; Disable channel user interface completely; Disable downloading of site subscription content; Disable editing and creating of schedule groups
  - Browser menus: Disable Save this program to disk option
  - Persistence Behavior: File size limits for the Local Machine zone; File size limits for the Intranet zone; File size limits for the Trusted Sites zone; File size limits for the Internet zone; File size limits for the Restricted Sites zone
- Attachment Manager: Default risk level for file attachments; Inclusion list for high risk file types; Inclusion list for moderate risk file types; Inclusion list for low risk file types; Trust logic for file attachments; Do not preserve zone information in file attachments; Hide mechanisms to remove zone information; Notify antivirus programs when opening attachments
- Windows Explorer: Remove Security tab; Remove CD Burning features

Control Panel
- Display: Hide Screen Saver tab; Screen Saver; Screen Saver executable name; Password protect the screen saver; Screen Saver timeout

System
- Prevent access to registry editing tools
- Power Management: Prompt for password on resume from hibernate / suspend
Full Service Name | Service Name | DC Startup Type | Member Server Startup Type | Stand-Alone Server Startup Type | Logon As
Alerter | Alerter | Disabled | Disabled | Disabled | Local Service
Application Experience Lookup Service | AELookupSvc | Automatic | Automatic | Automatic | Local System
Application Layer Gateway Service | ALG | Manual | Manual | Manual | Local Service
Application Management | AppMgmt | Manual | Manual | Manual | Local System
ASP .NET State Service | aspnet_state | Not installed | Not installed | Not installed |
Automatic Updates | wuauserv | Automatic | Automatic | Automatic | Local System
Background Intelligent Transfer Service | BITS | Manual | Manual | Manual | Local System
Certificate Services | CertSvc | Not installed | Not installed | Not installed |
Client Service for NetWare | NWCWorkstation | Not installed | Not installed | Not installed |
ClipBook | ClipSrv | Disabled | Disabled | Disabled | Local System
Cluster Service | ClusSvc | Not installed | Not installed | Not installed |
COM+ Event System | EventSystem | Manual | Manual | Manual | Local System
COM+ System Application | COMSysApp | Manual | Manual | Manual | Local System
Computer Browser | Browser | Automatic | Automatic | Automatic | Local System
Cryptographic Services | CryptSvc | Automatic | Automatic | Automatic | Local System
DCOM Server Process Launcher | DcomLaunch | Automatic | Automatic | Automatic | Local System
DHCP Client | Dhcp | Automatic | Automatic | Automatic | Network Service
DHCP Server | DHCPServer | Automatic | Not installed | Not installed | Local System
Distributed File System | Dfs | Automatic | Automatic | Automatic | Local System
Distributed Link Tracking Client | TrkWks | Automatic | Automatic | Automatic | Local System
Distributed Link Tracking Server | TrkSvr | Disabled | Disabled | Disabled | Network Service
Distributed Transaction Coordinator | MSDTC | Automatic | Automatic | Automatic | Network Service
DNS Client | Dnscache | Automatic | Automatic | Automatic | Local System
DNS Server | DNS | Automatic | Not installed | Not installed | Local System
Error Reporting Service | ERSvc | Automatic | Automatic | Automatic | Local System
Event Log | Eventlog | Automatic | Automatic | Automatic | Local System
Fax Service | Fax | Not installed | Not installed | Not installed |
File Replication | NtFrs | Automatic | Manual | Manual | Local System
File Server for Macintosh | MacFile | Not installed | Not installed | Not installed |
FTP Publishing Service | MSFtpsvc | Not installed | Not installed | Not installed |
Help and Support | helpsvc | Automatic | Automatic | Automatic | Local System
HTTP SSL | HTTPFilter | Manual | Manual | Manual | Local System
Human Interface Device Access | HidServ | Disabled | Disabled | Disabled | Local System
IAS Jet Database Access | IASJet | Not installed | Not installed | Not installed |
IIS Admin Service | IISADMIN | Not installed | Not installed | Not installed |
IMAPI CD-Burning COM Service | ImapiService | Disabled | Disabled | Disabled | Local System
Indexing Service | cisvc | Disabled | Disabled | Disabled | Local System
Infrared Monitor | Irmon | Not installed | Not installed | Not installed |
Internet Authentication Service | IAS | Not installed | Not installed | Not installed |
Intersite Messaging | IsmServ | Automatic | Disabled | Disabled | Local System
IP Version 6 Helper Service | 6to4 | Not installed | Not installed | Not installed |
IPSec Policy Agent (IPSec Service) | PolicyAgent | Automatic | Automatic | Automatic | Local System
Kerberos Key Distribution Center | Kdc | Automatic | Disabled | Disabled | Local System
License Logging Service | LicenseService | Disabled | Disabled | Disabled | Network Service
Logical Disk Manager | dmserver | Automatic | Automatic | Automatic | Local System
Logical Disk Manager Administrative Service | dmadmin | Manual | Manual | Manual | Local System
Machine Debug Manager | MDM | Not installed | Not installed | Not installed |
Message Queuing | msmq | Not installed | Not installed | Not installed |
Message Queuing Down Level Clients | mqds | Not installed | Not installed | Not installed |
Message Queuing Triggers | Mqtgsvc | Not installed | Not installed | Not installed |
Messenger | Messenger | Disabled | Disabled | Disabled | Local System
Microsoft POP3 Service | POP3SVC | Not installed | Not installed | Not installed |
Microsoft Software Shadow Copy Provider | SwPrv | Manual | Manual | Manual | Local System
MSSQL$UDDI | MSSQL$UDDI | Not installed | Not installed | Not installed |
MSSQLServerADHelper | MSSQLServerADHelper | Not installed | Not installed | Not installed |
.NET Framework Support Service | CORRTSvc | Not installed | Not installed | Not installed |
Netlogon | Netlogon | Automatic | Automatic | Manual | Local System
NetMeeting Remote Desktop Sharing | mnmsrvc | Disabled | Disabled | Disabled | Local System
Network Connections | Netman | Manual | Manual | Manual | Local System
Network DDE | NetDDE | Disabled | Disabled | Disabled | Local System
Network DDE DSDM | NetDDEdsdm | Disabled | Disabled | Disabled | Local System
Network Location Awareness (NLA) | NLA | Manual | Manual | Manual | Local System
Network Provisioning Service | xmlprov | Manual | Manual | Manual | Local System
Network News Transfer Protocol (NNTP) | NntpSvc | Not installed | Not installed | Not installed |
NTLM Security Support Provider | NtLmSsp | Manual | Manual | Manual | Local System
Performance Logs and Alerts | SysmonLog | Manual | Manual | Manual | Network Service
Plug and Play | PlugPlay | Automatic | Automatic | Automatic | Local System
Portable Media Serial Number | WmdmPmSN | Manual | Manual | Manual | Local System
Print Server for Macintosh | MacPrint | Not installed | Not installed | Not installed |
Print Spooler | Spooler | Automatic | Automatic | Automatic | Local System
Protected Storage | ProtectedStorage | Automatic | Automatic | Automatic | Local System
QoS RSVP Service | RSVP | Not installed | Not installed | Not installed |
Remote Access Auto Connection Manager | RasAuto | Manual | Manual | Manual | Local System
Remote Access Connection Manager | RasMan | Manual | Manual | Manual | Local System
Remote Administration Service | SrvcSurg | Not installed | Not installed | Not installed |
Remote Desktop Help Session Manager | RDSessMgr | Manual | Manual | Manual | Local System
Remote Installation | BINLSVC | Not installed | Not installed | Not installed |
Remote Procedure Call (RPC) | RpcSs | Automatic | Automatic | Automatic | Local System
Remote Procedure Call (RPC) Locator | RpcLocator | Automatic | Manual | Manual | Network Service
Remote Registry Service | RemoteRegistry | Automatic | Automatic | Automatic | Local Service
Remote Server Manager | AppMgr | Not installed | Not installed | Not installed |
Remote Server Monitor | Appmon | Not installed | Not installed | Not installed |
Remote Storage Notification | Remote_Storage_User_Link | Not installed | Not installed | Not installed |
Remote Storage Server | Remote_Storage_Server | Not installed | Not installed | Not installed |
Removable Storage | NtmsSvc | Manual | Manual | Manual | Local System
Resultant Set of Policy Provider | RSoPProv | Manual | Manual | Manual | Local System
Routing and Remote Access | RemoteAccess | Disabled | Disabled | Disabled | Local System
SAP Agent | nwsapagent | Not installed | Not installed | Not installed |
Secondary Logon | seclogon | Automatic | Automatic | Automatic | Local System
Security Accounts Manager | SamSs | Automatic | Automatic | Automatic | Local System
Server | lanmanserver | Automatic | Automatic | Automatic | Local System
Shell Hardware Detection | ShellHWDetection | Automatic | Automatic | Automatic | Local System
Simple Mail Transport Protocol (SMTP) | SMTPSVC | Not installed | Not installed | Not installed |
Simple TCP/IP Services | SimpTcp | Not installed | Not installed | Not installed |
Single Instance Storage Groveler | Groveler | Not installed | Not installed | Not installed |
Smart Card | SCardSvr | Manual | Manual | Manual | Local Service
SNMP Service | SNMP | Not installed | Not installed | Not installed |
SNMP Trap Service | SNMPTRAP | Not installed | Not installed | Not installed |
Special Administration Console Helper | Sacsvr | Manual | Manual | Manual | Local System
SQLAgent$* (* UDDI or WebDB) | SQLAgent$WEBDB | Not installed | Not installed | Not installed |
System Event Notification | SENS | Automatic | Automatic | Automatic | Local System
Task Scheduler | Schedule | Automatic | Automatic | Automatic | Local System
TCP/IP NetBIOS Helper Service | LMHosts | Automatic | Automatic | Automatic | Local Service
TCP/IP Print Server | LPDSVC | Not installed | Not installed | Not installed |
Telephony | TapiSrv | Manual | Manual | Manual | Local System
Telnet | TlntSvr | Disabled | Disabled | Disabled | Local System
Terminal Services | TermService | Manual | Manual | Manual | Local System
Terminal Services Licensing | TermServLicensing | Not installed | Not installed | Not installed |
Terminal Services Session Directory | Tssdis | Disabled | Disabled | Disabled | Local System
Themes | Themes | Disabled | Disabled | Disabled | Local System
Trivial FTP Daemon | tftpd | Not installed | Not installed | Not installed |
Uninterruptible Power Supply | UPS | Manual | Manual | Manual | Local Service
Upload Manager | Uploadmgr | Manual | Manual | Manual | Local System
Virtual Disk Service | VDS | Manual | Manual | Manual | Local System
Volume Shadow Copy | VSS | Manual | Manual | Manual | Local System
WebClient | WebClient | Disabled | Disabled | Disabled | Local Service
Web Element Manager | elementmgr | Not installed | Not installed | Not installed |
Windows Audio | AudioSrv | Disabled | Disabled | Disabled | Local System
Windows Firewall (WF)/Internet Connection Sharing (ICS) | SharedAccess | Disabled | Disabled | Disabled | Local System
Windows Image Acquisition (WIA) | StiSvc | Disabled | Disabled | Disabled | Local Service
Windows Installer | MSIServer | Manual | Manual | Manual | Local System
Windows Internet Name Service (WINS) | WINS | Not installed | Not installed | Not installed |
Windows Management Instrumentation | winmgmt | Automatic | Automatic | Automatic | Local System
Windows Management Instrumentation Driver Extensions | Wmi | Manual | Manual | Manual | Local System
Windows Media Services | WMServer | Not installed | Not installed | Not installed |
Windows System Resource Manager | WindowsSystemResourceManager | Not installed | Not installed | Not installed |
Windows Time | W32Time | Automatic | Automatic | Automatic | Local System
WinHTTP Web Proxy Auto-Discovery Service | WinHttpAutoProxySvc | Manual | Manual | Manual | Local Service
Wireless Configuration | WZCSVC | Automatic | Automatic | Automatic | Local System
WMI Performance Adapter | WmiApSrv | Manual | Manual | Manual | Local System
Workstation | lanmanworkstation | Automatic | Automatic | Automatic | Local System
World Wide Web Publishing Service | W3SVC | Not installed | Not installed | Not installed |
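The security-relevant reading of the System Services table is the pair of columns on the right: which services stay Disabled, and which built-in account each one logs on as (Local Service, then Network Service, then Local System, in increasing privilege). The following script is an added example, not part of the worksheet: it compares a PowerShell export of Win32_Service (Get-WmiObject Win32_Service | Select-Object Name,StartMode,StartName | Export-Csv svc.csv) against a subset of the Stand-Alone Server column and reports drift in both directions. The CSV is constructed for the example; the BackupAgent service and the .\svc_* accounts in it are invented.

```python
"""Service baseline drift check (added example; not part of the worksheet)."""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Short service name -> (startup type, logon account): a subset of the
# Stand-Alone Server column of the System Services table above.
BASELINE: Dict[str, Tuple[str, str]] = {
    "Alerter":        ("Disabled",      "Local Service"),
    "Dhcp":           ("Automatic",     "Network Service"),
    "Messenger":      ("Disabled",      "Local System"),
    "MSDTC":          ("Automatic",     "Network Service"),
    "Netlogon":       ("Manual",        "Local System"),
    "RemoteAccess":   ("Disabled",      "Local System"),
    "RemoteRegistry": ("Automatic",     "Local Service"),
    "RpcLocator":     ("Manual",        "Network Service"),
    "Schedule":       ("Automatic",     "Local System"),
    "SharedAccess":   ("Disabled",      "Local System"),
    "SNMP":           ("Not installed", ""),
    "Spooler":        ("Automatic",     "Local System"),
    "TlntSvr":        ("Disabled",      "Local System"),
    "WebClient":      ("Disabled",      "Local Service"),
}

# Built-in service accounts in order of privilege; anything else is a named account.
PRIV_RANK = {"Local Service": 0, "Network Service": 1, "Local System": 2}

# Win32_Service spellings of the same values.
_MODES = {"Auto": "Automatic", "Manual": "Manual", "Disabled": "Disabled"}
_ACCOUNTS = {
    "localsystem": "Local System",
    "nt authority\\localsystem": "Local System",
    "nt authority\\localservice": "Local Service",
    "nt authority\\networkservice": "Network Service",
}

# Constructed sample in Export-Csv's shape (Export-Csv prepends the #TYPE line).
# "BackupAgent" and the ".\svc_*" accounts are invented for this example.
SAMPLE_EXPORT = """\
#TYPE Selected.System.Management.ManagementObject
"Name","StartMode","StartName"
"Alerter","Disabled","NT AUTHORITY\\LocalService"
"Dhcp","Auto","NT AUTHORITY\\NetworkService"
"Messenger","Auto","LocalSystem"
"MSDTC","Auto","LocalSystem"
"Netlogon","Manual","LocalSystem"
"RemoteAccess","Disabled","LocalSystem"
"RemoteRegistry","Auto","LocalSystem"
"RpcLocator","Manual","NT AUTHORITY\\NetworkService"
"Schedule","Auto",".\\svc_sched"
"SharedAccess","Disabled","LocalSystem"
"SNMP","Auto","LocalSystem"
"Spooler","Auto","LocalSystem"
"TlntSvr","Manual","LocalSystem"
"WebClient","Disabled","NT AUTHORITY\\LocalService"
"BackupAgent","Auto",".\\svc_backup"
"""


@dataclass(frozen=True)
class Drift:
    service: str
    kind: str       # reenabled | escalated | named_account | unexpected | not_in_baseline
    expected: str
    actual: str


def parse_export_csv(text: str) -> List[Dict[str, str]]:
    """Read Export-Csv output, dropping the '#TYPE' header line PowerShell writes."""
    body = "\n".join(ln for ln in text.splitlines() if not ln.startswith("#TYPE"))
    return list(csv.DictReader(io.StringIO(body)))


def normalize_account(start_name: str) -> str:
    """Map the Win32_Service StartName spelling onto the table's Logon As wording."""
    return _ACCOUNTS.get(start_name.strip().lower(), start_name.strip())


def audit_services(export_csv: str,
                   baseline: Dict[str, Tuple[str, str]] = BASELINE) -> List[Drift]:
    """Return every deviation from the baseline, sorted by service name."""
    index = {name.lower(): (name, expect) for name, expect in baseline.items()}
    drifts: List[Drift] = []
    for row in parse_export_csv(export_csv):
        mode = _MODES.get(row["StartMode"], row["StartMode"])
        account = normalize_account(row["StartName"])
        hit = index.get(row["Name"].lower())
        if hit is None:
            drifts.append(Drift(row["Name"], "not_in_baseline", "", f"{mode} / {account}"))
            continue
        name, (exp_mode, exp_account) = hit
        if exp_mode == "Not installed":
            drifts.append(Drift(name, "unexpected", "Not installed", f"{mode} / {account}"))
            continue
        if exp_mode == "Disabled" and mode != "Disabled":
            drifts.append(Drift(name, "reenabled", exp_mode, mode))
        if account not in PRIV_RANK:           # cannot rank a named account: report it
            drifts.append(Drift(name, "named_account", exp_account, account))
        elif PRIV_RANK[account] > PRIV_RANK[exp_account]:
            drifts.append(Drift(name, "escalated", exp_account, account))
    return sorted(drifts, key=lambda d: (d.service.lower(), d.kind))


if __name__ == "__main__":
    for d in audit_services(SAMPLE_EXPORT):
        print(f"{d.service:15} {d.kind:16} expected={d.expected!r:18} actual={d.actual!r}")
```

A baseline service that shows up under a named account is reported rather than ranked: a domain or local user account may hold more or fewer rights than the built-ins, and that has to be checked against the User Rights Assignment table rather than guessed here.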
Computer Configuration
Software Settings
Software installation
Windows Settings
Scripts (Startup/Shutdown)
Security Settings
Account Policies
Password Policy
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Passwords must meet complexity requirements
Store password using reversible encryption for all users in the domain
Account Lockout Policy
Account lockout duration
Account lockout threshold
Reset account lockout counter after
Kerberos Policy
Enforce user logon restrictions
Maximum lifetime for service ticket
Maximum lifetime for user ticket
Maximum lifetime for user ticket renewal
Maximum tolerance for computer clock synchronization
Local Policies
Audit Policy
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
User Rights Assignment
Access this computer from the network (SeNetworkLogonRight)
Act as part of the operating system (SeTcbPrivilege)
Add workstations to domain (SeMachineAccountPrivilege)
Policy setting as it appears in the Group Policy Editor of Windows XP
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
Allow logon Through Terminal Services (SeRemoteInteractiveLogonRight)
Back up files and directories (SeBackupPrivilege)
Bypass traverse checking (SeChangeNotifyPrivilege)
Change the system time (SeSystemTimePrivilege)
Create a pagefile (SeCreatePagefilePrivilege)
Create a token object (SeCreateTokenPrivilege)
Create global objects (SeCreateGlobalPrivilege)
Debug programs (SeDebugPrivilege)
Deny access to this computer from the network (SeDenyNetworkLogonRight)
Deny logon as a batch job (SeDenyBatchLogonRight)
Deny logon as a service (SeDenyServiceLogonRight)
Deny logon locally (SeDenyInteractiveLogonRight)
Deny log on Through Terminal Services (SeDenyRemoteInteractiveLogonRight)
Force shutdown from a remote system (SeRemoteShutdownPrivilege)
Generate security audits (SeAuditPrivilege)
Increase scheduling priority (SeIncreaseBasePriorityPrivilege)
Load and unload device drivers (SeLoadDriverPrivilege)
Lock pages in memory (SeLockMemoryPrivilege)
Log on as a batch job (SeBatchLogonRight)
Log on as a service (SeServiceLogonRight)
Log on locally (SeInteractiveLogonRight)
Manage auditing and security log (SeSecurityPrivilege)
Modify firmware environment values (SeSystemEnvironmentPrivilege)
Perform Volume Maintenance Tasks (SeManageVolumePrivilege)
Profile single process (SeProfileSingleProcessPrivilege)
Profile system performance (SeSystemProfilePrivilege)
Remove computer from docking station (SeUndockPrivilege)
Create permanent shared objects (SeCreatePermanentPrivilege)
Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege)
Replace a process level token (SeAssignPrimaryTokenPrivilege)
Restore files and directories (SeRestorePrivilege)
Shut down the system (SeShutdownPrivilege)
Synchronize directory service data (SeSynchAgentPrivilege)
Take ownership of files or other objects (SeTakeOwnershipPrivilege)
Security OptionsAccounts: Administrator account status
Accounts: Guest account status
Accounts: Limit local account use of blank passwords to console logon only
Accounts: Rename administrator account
Accounts: Rename guest account
Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit: Shut down system immediately if unable to log security audits
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL)
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL)
Devices: Allow undock without having to log on
Devices: Allowed to format and eject removable media
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Devices: Unsigned driver installation behavior
Domain controller: Allow server operators to schedule tasks
Domain controller: LDAP server signing requirements
Domain controller: Refuse machine account password changes
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Do not display last user name
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network security: Do not store LAN Manager hash value on next password change
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level
Network access: Do not allow storage of credentials or .NET Passports for network authentication
Network security: LDAP client signing requirements
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Default owner for objects created by members of the Administrators group
System objects: Require case insensitivity for non-Windows subsystems
MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
MSS: (KeepAliveTime)How often keep-alive packets are sent in milliseconds
MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended)
MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended)
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments)
MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments)
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)
MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
(ActiveX Signed Controls) RunInvalidSignatures
(RPC Endpoint Mapper) EnableAuthEpResolution
(RPC Endpoint Mapper) Restrict Remote Clients
(Security Center) AntiVirusDisableNotify
(Security Center) FirewallDisableNotify
(Security Center) UpdatesDisableNotify
(StorageDevicePolicies) WriteProtect
Event Log
Settings for Event Logs
Maximum application log size
Maximum security log size
Maximum system log size
Restrict guest access to application log
Restrict guest access to security log
Restrict guest access to system log
Retain application log
Retain security log
Retain system log
Retention method for application log
Retention method for security log
Retention method for system log
Restricted Groups
System Services - See next worksheet, System Services
Registry
File System
Public Key Policies
Encrypted Data Recovery Agents
Automatic Certificate Request Settings
Trusted Root Certification Authorities
Enterprise Trust
IP Security Policies on Active Directory
Client (Respond Only)
Secure Server (Require Security)
Server (Request Security)
Administrative Templates
Windows Components
NetMeeting
Disable remote Desktop Sharing
Internet Explorer
Internet Control Panel
Security Zones: Use only machine settings
Security Zones: Do not allow users to change policies
Security Zones: Do not allow users to add/delete sites
Make proxy settings per-machine (rather than per-user)
Disable Automatic Install of Internet Explorer components
Disable Periodic Check for Internet Explorer software updates
Disable software update shell notifications on program launch
Turn off Crash Detection
Do not allow users to enable or disable add-ons
Allow software to run or install even if the signature is invalid
Allow active content from CDs to run on user machines
Security Features
Security Page
Advanced Page
Binary Behavior Security Restriction
Internet Explorer Processes
Process List
All Processes
Admin-approved behaviors
MK Protocol Security Restriction
Internet Explorer Processes
Process List
All Processes
Local Machine Zone Lockdown Security
Internet Explorer Processes
Process List
All Processes
Consistent MIME Handling
Internet Explorer Processes
Process List
All Processes
MIME Sniffing Safety Features
Internet Explorer Processes
Process List
All Processes
Protection From Zone Elevation
Internet Explorer Processes
Process List
All Processes
Restrict ActiveX Install
Internet Explorer Processes
Process List
All Processes
Restrict File Download
Internet Explorer Processes
Process List
All Processes
Add-on Management
Internet Explorer Processes
Process List
All Processes
Network Protocol Lockdown
Internet Explorer Processes
Process List
All Processes
Restricted Protocols per Security Zone
Terminal Services
Deny log off of an administrator logged in to the console session
Do not allow local administrators to customize permissions
Sets rules for remote control of Terminal Services user sessions
Client/Server data redirection
Allow Time Zone Redirection
Do not allow clipboard redirection
Allow audio redirection
Do not allow COM port redirection
Do not allow client printer redirection
Do not allow LPT port redirection
Do not allow drive redirection
Do not set default client printer to be default printer in a session
Encryption and Security
Always prompt client for password upon connection
Set client connection encryption level
RPC Security Policy
Secure Server (Require Security)
Sessions
Set time limit for disconnected sessions
Allow reconnection from original client only
Windows Explorer
Turn off shell protected mode
Windows Messenger
Do not allow Windows Messenger to be run
Windows Update
Configure Automatic Updates
Specify intranet Microsoft update service location
Reschedule Automatic Updates scheduled installations
No auto-restart for scheduled Automatic Updates installations
System
Display Shutdown Event Tracker
Specify Windows installation file location
Specify Windows Service Pack installation file location
Remove Boot / Shutdown / Logon / Logoff status messages
Verbose vs normal status messages
Restrict these programs from being launched from Help
Turn off Autoplay
Do not automatically encrypt files moved to encrypted folders
Download missing COM components
User Profiles
Do not check for user ownership of Roaming Profile Folders
Delete cached copies of roaming profiles
Do not detect slow network connections
Slow network connection timeout for user profiles
Wait for remote user profile
Prompt user when slow link is detected
Timeout for dialog boxes
Log users off when roaming profile fails
Maximum retries to unload and update user profile
Add the Administrators security group to roaming user profiles
Prevent Roaming Profile changes from propagating to the server
Only allow local user profiles
Scripts
Turn off autoplay
Logon
Don't display the Getting Started welcome screen at logon
Do not process the run once list
Do not process the legacy run list
Group Policy
Registry policy processing
Internet Explorer Maintenance policy processing
Security policy processing
IP Security policy processing
Remote Assistance
Solicited Remote Assistance
Offer Remote Assistance
Error Reporting
Display Error Notification
Report Errors
Distributed COM
Application Compatibility Settings
Allow local activation security check exemptions
Define Activation Security Check exemptions
User Configuration
Administrative Templates
Windows Components
Internet Explorer
Disable Changing Advanced page settings
Disable Internet Connection Wizard
Disable Changing Connection Settings
Disable Changing Proxy Settings
Disable Changing Automatic Configuration Settings
Disable Changing Certificate Settings
Do not allow AutoComplete to save passwords
Configure Outlook Express
Internet Control Panel
Disable the Security Page
Disable the Advanced Page
Offline Pages
Disable adding channels
Disable removing channels
Disable adding schedules for offline pages
Disable editing schedules for offline pages
Disable removing schedules for offline pages
Disable offline page hit logging
Disable all scheduled offline pages
Disable channel user interface completely
Disable downloading of site subscription content
Disable editing and creating of schedule groups
Browser menus
Disable Save this program to disk option
Persistence Behavior
File size limits for the Local Machine zone
File size limits for the Intranet zone
File size limits for the Trusted Sites zone
File size limits for the Internet zone
File size limits for the Restricted Sites zone
Attachment Manager
Default risk level for file attachments
Inclusion list for high risk file types
Inclusion list for moderate risk file types
Inclusion list for low risk file types
Trust logic for file attachments
Do not preserve zone information in file attachments
Hide mechanisms to remove zone information
Notify antivirus programs when opening attachments
Windows Explorer
Remove Security tab
Remove CD Burning features
Control Panel
Display
Hide Screen Saver tab
Screen Saver
Screen Saver executable name
Password protect the screen saver
Screen Saver timeout
System
Prevent access to registry editing tools
Power Management
Prompt for password on resume from hibernate / suspend
Policy setting | Default Domain Policy | Stand-Alone Windows XP Default Settings | Domain Member Windows XP Effective Default Settings
Enforce password history | 24 passwords remembered | 0 passwords remembered | 24 passwords remembered
Maximum password age | 42 days | 42 days | 42 days
Minimum password age | 1 days | 0 days | 1 days
Minimum password length | 7 characters | 0 characters | 7 characters
Passwords must meet complexity requirements | Enabled | Disabled | Enabled
Store password using reversible encryption for all users in the domain | Disabled | Disabled | Disabled
Account lockout duration | Not defined | Not applicable | Not defined
Account lockout threshold | 0 invalid login attempts | 0 invalid login attempts | 0 invalid login attempts
Reset account lockout counter after | Not defined | Not applicable | Not defined
Enforce user logon restrictions | Enabled | Not applicable | Not applicable
Maximum lifetime for service ticket | 600 minutes | Not applicable | Not applicable
Maximum lifetime for user ticket | 10 hours | Not applicable | Not applicable
Maximum lifetime for user ticket renewal | 7 days | Not applicable | Not applicable
Maximum tolerance for computer clock synchronization | 5 minutes | Not applicable | Not applicable
Audit account logon events | Not defined | No auditing | No auditing
Audit account management | Not defined | No auditing | No auditing
Audit directory service access | Not defined | No auditing | No auditing
Audit logon events | Not defined | No auditing | No auditing
Audit object access | Not defined | No auditing | No auditing
Audit policy change | Not defined | No auditing | No auditing
Audit privilege use | Not defined | No auditing | No auditing
Audit process tracking | Not defined | No auditing | No auditing
Audit system events | Not defined | No auditing | No auditing
Access this computer from the network (SeNetworkLogonRight) | Not defined | Everyone, Administrators, Users, Power Users, Backup Operators | Backup Operators, Power Users, Users, Administrators, Everyone
Act as part of the operating system (SeTcbPrivilege) | Not defined | Not defined | Not defined
Add workstations to domain (SeMachineAccountPrivilege) | Not defined | Not defined | Not defined
Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) | Not defined | LOCAL SERVICE, NETWORK SERVICE, Administrators | LOCAL SERVICE, NETWORK SERVICE, Administrators
Allow logon Through Terminal Services (SeRemoteInteractiveLogonRight) | Not defined | Administrators, Remote Desktop Users | Administrators, Remote Desktop Users
Back up files and directories (SeBackupPrivilege) | Not defined | Administrators, Backup Operators | Administrators, Backup Operators
Bypass traverse checking (SeChangeNotifyPrivilege) | Not defined | Everyone, Administrators, Users, Power Users, Backup Operators | Everyone, Administrators, Users, Power Users, Backup Operators
Change the system time (SeSystemTimePrivilege) | Not defined | Administrators, Power Users | Administrators, Power Users
Create a pagefile (SeCreatePagefilePrivilege) | Not defined | Administrators | Administrators
Create a token object (SeCreateTokenPrivilege) | Not defined | Not defined | Not defined
Create global objects (SeCreateGlobalPrivilege) | Not defined | Not Applicable | Not Applicable
Create permanent shared objects (SeCreatePermanentPrivilege) | Not defined | Not defined | Not defined
Debug programs (SeDebugPrivilege) | Not defined | Administrators | Administrators
Deny access to this computer from the network (SeDenyNetworkLogonRight) | Not defined | Support_xxxxxxxx, Guest | Support_xxxxxxxx, Guest
Deny logon as a batch job (SeDenyBatchLogonRight) | Not defined | Not defined | Not defined
Deny logon as a service (SeDenyServiceLogonRight) | Not defined | Not defined | Not defined
Deny logon locally (SeDenyInteractiveLogonRight) | Not defined | Support_xxxxxxxx, Guest | Support_xxxxxxxx, Guest
Deny log on Through Terminal Services (SeDenyRemoteInteractiveLogonRight) | Not defined | Not defined | Not defined
Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege) | Not defined | Not defined | Not defined
Force shutdown from a remote system (SeRemoteShutdownPrivilege) | Not defined | Administrators | Administrators
Generate security audits (SeAuditPrivilege) | Not defined | LOCAL SERVICE, NETWORK SERVICE | LOCAL SERVICE, NETWORK SERVICE
Increase scheduling priority (SeIncreaseBasePriorityPrivilege) | Not defined | Administrators | Administrators
Load and unload device drivers (SeLoadDriverPrivilege) | Not defined | Administrators | Administrators
Lock pages in memory (SeLockMemoryPrivilege) | Not defined | Not defined | Not defined
Log on as a batch job (SeBatchLogonRight) | Not defined | Support_xxxxxxxx | Support_xxxxxxxx
Log on as a service (SeServiceLogonRight) | Not defined | NETWORK SERVICE | NETWORK SERVICE
Log on locally (SeInteractiveLogonRight) | Not defined | Administrators, Users, Power Users, Backup Operators | Administrators, Users, Power Users, Backup Operators
Manage auditing and security log (SeSecurityPrivilege) | Not defined | Administrators | Administrators
Modify firmware environment values (SeSystemEnvironmentPrivilege) | Not defined | Administrators | Administrators
Perform Volume Maintenance Tasks (SeManageVolumePrivilege) | Not defined | Administrators | Administrators
Profile single process (SeProfileSingleProcessPrivilege) | Not defined | Administrators, Power Users | Administrators, Power Users
Profile system performance (SeSystemProfilePrivilege) | Not defined | Administrators | Administrators
Remove computer from docking station (SeUndockPrivilege) | Not defined | Administrators, Power Users | Administrators, Power Users
Replace a process level token (SeAssignPrimaryTokenPrivilege) | Not defined | LOCAL SERVICE, NETWORK SERVICE | LOCAL SERVICE, NETWORK SERVICE
Restore files and directories (SeRestorePrivilege) | Not defined | Administrators, Backup Operators | Administrators, Backup Operators
Shut down the system (SeShutdownPrivilege) | Not defined | Administrators, Power Users, Backup Operators, Users | Administrators, Power Users, Backup Operators, Users
Synchronize directory service data (SeSynchAgentPrivilege) | Not defined | Not defined | Not defined
Take ownership of files or other objects (SeTakeOwnershipPrivilege) | Not defined | Administrators | Administrators
Accounts: Administrator account status | Not defined | Enabled | Enabled
Accounts: Guest account status | Not defined | Disabled | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Not defined | Enabled | Enabled
Accounts: Rename administrator account | Not defined | Administrator | Administrator
Accounts: Rename guest account | Not defined | Guest | Guest
Audit: Audit the access of global system objects | Not defined | Disabled | Disabled
Audit: Audit the use of Backup and Restore privilege | Not defined | Disabled | Disabled
Audit: Shut down system immediately if unable to log security audits | Not defined | Disabled | Disabled
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) | Not defined | Not defined | Not defined
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) | Not defined | Not defined | Not defined
Devices: Allow undock without having to log on | Not defined | Enabled | Enabled
Devices: Allowed to format and eject removable media | Not defined | Administrators | Administrators
Devices: Prevent users from installing printer drivers | Not defined | Disabled | Disabled
Devices: Restrict CD-ROM access to locally logged-on user only | Not defined | Disabled | Disabled
Devices: Restrict floppy access to locally logged-on user only | Not defined | Disabled | Disabled
Devices: Unsigned driver installation behavior | Not defined | Warn but allow installation | Warn but allow installation
Domain controller: Allow server operators to schedule tasks | Not defined | Not defined | Not defined
Domain controller: LDAP server signing requirements | Not defined | Not defined | Not defined
Domain controller: Refuse machine account password changes | Not defined | Not defined | Not defined
Domain member: Digitally encrypt or sign secure channel data (always) | Not defined | Enabled | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Not defined | Enabled | Enabled
Domain member: Digitally sign secure channel data (when possible) | Not defined | Enabled | Enabled
Domain member: Disable machine account password changes | Not defined | Disabled | Disabled
Domain member: Maximum machine account password age | Not defined | 30 days | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Not defined | Disabled | Disabled
Interactive logon: Do not display last user name | Not defined | Disabled | Disabled
Interactive logon: Do not require CTRL+ALT+DEL | Not defined | Not defined | Not defined
Interactive logon: Message text for users attempting to log on | Not defined | Not defined | Not defined
Interactive logon: Message title for users attempting to log on | Not defined | Not defined | Not defined
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | Not defined | 10 logons | 10 logons
Interactive logon: Prompt user to change password before expiration | Not defined | 14 days | 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Not defined | Disabled | Disabled
Interactive logon: Require smart card | Not defined | Not defined | Not defined
Interactive logon: Smart card removal behavior | Not defined | No Action | No Action
Microsoft network client: Digitally sign communications (always) | Not defined | Disabled | Disabled
Microsoft network client: Digitally sign communications (if server agrees) | Not defined | Enabled | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Not defined | Disabled | Disabled
Microsoft network server: Amount of idle time required before suspending session | Not defined | 15 minutes | 15 minutes
Microsoft network server: Digitally sign communications (always) | Not defined | Disabled | Disabled
Microsoft network server: Digitally sign communications (if client agrees) | Not defined | Disabled | Disabled
Microsoft network server: Disconnect clients when logon hours expire | Not defined | Enabled | Enabled
Network access: Allow anonymous SID/Name translation | Not defined | Disabled | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Not defined | Enabled | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Not defined | Disabled | Disabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Not defined | Disabled | Disabled
Network access: Let Everyone permissions apply to anonymous users | Not defined | Disabled | Disabled
Network access: Named Pipes that can be accessed anonymously | Not defined | COMNAP,COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR,TrkWks,TrkSvr | COMNAP,COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR,TrkWks,TrkSvr
Network access: Remotely accessible registry paths | Not defined | System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib, System\CurrentControlSet\Services\SysmonLog | same list as the stand-alone column
Network access: Shares that can be accessed anonymously | Not defined | COMCFG,DFS$ | COMCFG,DFS$
Network access: Sharing and security model for local accounts | Not defined | Guest only - local users authenticate as Guest | Classic - local users authenticate as themselves
Network security: Do not store LAN Manager hash value on next password change | Not defined | Disabled | Disabled
Network security: Force logoff when logon hours expire | Disabled | Disabled | Disabled
Network security: LAN Manager authentication level | Not defined | Send LM & NTLM responses | Send LM & NTLM responses
Network security: LDAP client signing requirements | Not defined | Negotiate signing | Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Not defined | No minimum | No minimum
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Not defined | No minimum | No minimum
Recovery console: Allow automatic administrative logon | Not defined | Disabled | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Not defined | Disabled | Disabled
Shutdown: Allow system to be shut down without having to log on | Not defined | Enabled | Enabled
Shutdown: Clear virtual memory pagefile | Not defined | Disabled | Disabled
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Not defined | Disabled | Disabled
System objects: Default owner for objects created by members of the Administrators group | Not defined | Object creator | Object creator
System objects: Require case insensitivity for non-Windows subsystems | Not defined | Enabled | Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Not defined | Enabled | Enabled
MSS: (AutoAdminLogon) Enable Automatic Logon | Not defined | Disabled | Disabled
MSS: (AutoReboot) Allow Windows to automatically restart after a system crash | Not defined | Enabled | Enabled
MSS: (AutoShareWks) Enable Administrative Shares | Not defined | Enabled | Enabled
MSS: (DisableIPSourceRouting) IP source routing protection level | Not defined | |
MSS: (DisableSavePassword) Prevent the dial-up password from being saved | Not defined | Disabled | Disabled
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways | Not defined | Enabled | Enabled
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Not defined | Enabled | Enabled
MSS: (Hidden) Hide Computer From the Browse List | Not defined | Disabled | Disabled
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds | Not defined | 7200000 | 7200000
Not defined Enabled Enabled
Not defined Disabled Disabled
Not defined Enabled Enabled
Medium, source routed packets are ignored when IP forwarding is enabled
Medium, source routed packets are ignored when IP forwarding is enabled
Not defined Disabled Disabled
Not defined
Not defined Disabled Disabled
Not defined 5 5
Not defined Disabled Disabled
Not defined
Not defined 5 5
Not defined 0 (not configured) 0 (not configured)
Not defined Disabled Disabled
Not defined Disabled Disabled
Not defined 1 1
Not defined 0 0
Not defined 0 0
Not defined 0 0
Not defined 0 0
Not defined 512 KB 512 KB
Not defined 512 KB 512 KB
Not defined 512 KB 512 KB
Not defined Enabled Enabled
Not defined Enabled Enabled
Not defined Enabled Enabled
Not defined 7 days 7 days
Not defined 7 days 7 days
Not defined 7 days 7 days
Not defined Overwrite events as needed Overwrite events as needed
2 (enable only if DHCP sends the Perform Router Discovery option)
2 (enable only if DHCP sends the Perform Router Discovery option)
2 (3 & 6 seconds, half-open connections dropped after 21 seconds)
2 (3 & 6 seconds, half-open connections dropped after 21 seconds)
Not defined Overwrite events as needed Overwrite events as needed
Not defined Overwrite events as needed Overwrite events as needed
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Not configured
Full Service Name | Service Name | Domain Member Windows XP Startup Type | Stand-Alone Windows XP Startup Type | Logon As
Alerter | Alerter | Manual | Manual | Local Service
Application Layer Gateway Service | ALG | Manual | Manual | Local Service
Application Management | AppMgmt | Manual | Manual | Local System
Automatic Updates | wuauserv | Automatic | Automatic | Local System
Background Intelligent Transfer Service | BITS | Manual | Manual | Network Service
ClipBook | ClipSrv | Manual | Manual | Local System
COM+ Event System | EventSystem | Manual | Manual | Local System
COM+ System Application | COMSysApp | Manual | Manual | Local System
Computer Browser | Browser | Automatic | Automatic | Local System
Cryptographic Services | CryptSvc | Automatic | Automatic | Local System
DCOM Server Process Launcher | DcomLaunch | Automatic | Automatic | Local System
DHCP Client | Dhcp | Automatic | Automatic | Network Service
Distributed Link Tracking Client | TrkWks | Automatic | Automatic | Local System
Distributed Transaction Coordinator | MSDTC | Manual | Manual | Network Service
DNS Client | Dnscache | Automatic | Automatic | Network Service
Error Reporting Service | ERSvc | Automatic | Automatic | Local System
Event Log | Eventlog | Automatic | Automatic | Local System
Fast User Switching Compatibility | FastUserSwitchingCompatibility | Manual | Manual | Local System
Help and Support | helpsvc | Automatic | Automatic | Local System
Human Interface Device Access | HidServ | Disabled | Disabled | Local System
IMAPI CD-Burning COM Service | ImapiService | Manual | Manual | Local System
Indexing Service | cisvc | Manual | Manual | Local System
Infrared Monitor | Irmon | Not installed | Not installed |
Internet Connection Sharing | | | | Local System
IPSec Services | PolicyAgent | Automatic | Automatic | Local System
Logical Disk Manager | dmserver | Automatic | Automatic | Local System
Logical Disk Manager Administrative Service | dmadmin | Manual | Manual | Local System
Machine Debug Manager | MDM | Not installed | Not installed |
Message Queuing | msmq | Not installed | Not installed |
Message Queuing Down Level Clients | mqds | Not installed | Not installed |
Message Queuing Triggers | Mqtgsvc | Not installed | Not installed |
Messenger | Messenger | Automatic | Automatic | Local System
Microsoft Software Shadow Copy Provider | SwPrv | Manual | Manual | Local System
Netlogon | Netlogon | Automatic | Manual | Local System
NetMeeting Remote Desktop Sharing | mnmsrvc | Manual | Manual | Local System
Network Connections | Netman | Manual | Manual | Local System
Network DDE | NetDDE | Manual | Manual | Local System
Network DDE DSDM | NetDDEdsdm | Manual | Manual | Local System
Network Location Awareness (NLA) | NLA | Manual | Manual | Local System
Network Provisioning Service | xmlprov | Manual | Manual | Local System
NTLM Security Support Provider | NtLmSsp | Manual | Manual | Local System
Performance Logs and Alerts | SysmonLog | Manual | Manual | Network Service
Plug and Play | PlugPlay | Automatic | Automatic | Local System
Portable Media Serial Number | WmdmPmSN | Automatic | Automatic | Local System
Print Spooler | Spooler | Automatic | Automatic | Local System
Protected Storage | ProtectedStorage | Automatic | Automatic | Local System
QoS RSVP | RSVP | Manual | Manual | Local System
Remote Access Auto Connection Manager | RasAuto | Manual | Manual | Local System
Remote Access Connection Manager | RasMan | Manual | Manual | Local System
Remote Desktop Help Session Manager | RDSessMgr | Manual | Manual | Local System
Remote Procedure Call (RPC) | RpcSs | Automatic | Automatic | Local System
Remote Procedure Call (RPC) Locator | RpcLocator | Manual | Manual | Network Service
Remote Registry Service | RemoteRegistry | Automatic | Automatic | Local Service
Removable Storage | NtmsSvc | Manual | Manual | Local System
Routing and Remote Access | RemoteAccess | Disabled | Disabled | Local System
Secondary Logon | seclogon | Automatic | Automatic | Local System
Security Accounts Manager | SamSs | Automatic | Automatic | Local System
Security Center | wscsvc | Automatic | Automatic | Local System
Server | lanmanserver | Automatic | Automatic | Local System
Shell Hardware Detection | ShellHWDetection | Automatic | Automatic | Local System
Smart Card | SCardSvr | Automatic | Automatic | Local Service
SSDP Discovery Service | SSDPSRV | Manual | Manual | Local Service
System Event Notification | SENS | Automatic | Automatic | Local System
System Restore Service | sr | Automatic | Automatic | Local System
Task Scheduler | Schedule | Automatic | Automatic | Local System
TCP/IP NetBIOS Helper Service | LMHosts | Automatic | Automatic | Local Service
Telephony | TapiSrv | Manual | Manual | Local System
Telnet | TlntSvr | Disabled | Disabled | Local System
Terminal Services | TermService | Manual | Manual | Local System
Themes | Themes | Automatic | Automatic | Local System
Uninterruptible Power Supply | UPS | Manual | Manual | Local Service
Upload Manager | Uploadmgr | Manual | Manual | Local System
Universal Plug and Play Device Host | upnphost | Manual | Manual | Local System
Volume Shadow Copy | VSS | Manual | Manual | Local System
WebClient | WebClient | Automatic | Automatic | Local Service
Windows Audio | AudioSrv | Automatic | Automatic | Local System
Windows Connection Firewall (WF)/Internet Connection Sharing (ICS) | SharedAccess | Manual | Automatic | Local System
Windows Image Acquisition (WIA) | StiSvc | Manual | Manual | Local Service
Windows Installer | MSIServer | Manual | Manual | Local System
Windows Management Instrumentation | winmgmt | Automatic | Automatic | Local System
Windows Management Instrumentation Driver Extensions | Wmi | Automatic | Manual | Local System
Windows Time | W32Time | Automatic | Automatic | Local System
Wireless Zero Configuration | WZCSVC | Automatic | Automatic | Local System
WMI Performance Adapter | WmiApSrv | Manual | Manual | Local System
Workstation | lanmanworkstation | Automatic | Automatic | Local System