Security Settings Inventory steps

Limit Local Account Use of Blank Passwords to Console Login Only

Determines whether local accounts that are not password protected can be used to login from locations other than the physical computer console. If enabled, then local accounts that are not password protected is only able to log on at the computer's keyboard. Does not apply to guest accounts.

Account Lockout Duration

The amount of time, in minutes, that account lockout is enforced. If you set the Account Lockout Duration registry value to 0, the account is permanently locked out until either an administrator or a user who has a delegated account resets the account.

Reset Account Lockout Counter After

You can use the Reset Account Lockout Counter After setting to help mitigate lockout issues that are initiated by users. When you enable this setting, the bad password attempt is removed from the server after the number of minutes that you set.

Account Lockout Threshold

The number of times that the user, computer, service, or program can send a bad password during login authentication before the account is locked out. You can adjust the Account Lockout Threshold value to prevent both brute force and dictionary attacks, but you can set the value too low to capture user error and other non-attack errors. If you set the Account Lockout Threshold value to 0, no account lockouts occur on the domain.

Maximum Password Age

Determines the period of time (in days) that a user can use their password before the computer requires the user to change it. You can set passwords to expire in between 1 and 999 days, or you can specify that passwords never expire by setting the number of days to 0.

Minimum Password Age

Determines the period of time (in days) that a password must be used before the user can change it. You can set the value to between 1 and 999 days, or allow immediate changes by setting the number of days to 0. If you do not set a minimum password age, users can repeatedly cycle through passwords until they are able to use an old favorite password. This could allow users to circumvent established password policy.

Minimum Password Length

Defines the number of characters a password must at least consist of. The value can be set between 0 and 14 characters. Each additional character increases the total possible password permutations. However, if you set the value to 0, blank passwords are not permitted.

Enforce Password History

Check this box to prevent users from repeatedly using the same password. When you use the password history feature, a user is prevented from using passwords that they used in the past, up to the number of passwords that you specify. You can configure Windows to retain between 0 and 24 passwords by using the Password History feature. Microsoft recommends that you set the password history to the maximum value to help ensure the least amount of password reuse by users.

Audit Attempts to Modify Accounts and Change Passwords

Determines whether to audit each event of account management on a computer. Examples of account management events include: a user account or group is created, changed, or deleted; a user account is renamed, disabled, or enabled; a password is set or changed. If activated all successes and failures are audited. Success audits generate an audit entry when any account management event is successful. Failure audits generate an audit entry when any account management event fails.

Force Audit Policy Subcategory to Override Audit Policy Category settings (Vista and later)

Prevents domain-based audit policy from overwriting the more detailed audit policy settings on Windows Vista client computers.

Shut Down System Immediately if Unable to Log Security Audits

Determines whether the system should shut down if it is unable to log security events. If the security log is full and an existing entry cannot be overwritten and this security option is enabled, the following blue screen error occurs: STOP: C0000244 {Audit Failed} An attempt to generate a security audit failed. To recover, an administrator must log on, archive the log (if desired), clear the log, and reset this option as desired.

Audit Specific Events

Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. If activated all successes and failures are audited. Success audits generate an audit entry when the process being tracked is a success. Failure audits generate an audit entry when the process being tracked fails.

Audit Access of Global System Objects

Determines whether access of global system objects is audited. When this policy is enabled, it causes system objects such as mutexes, events, semaphores, and DOS Devices to be created with a default system access control list (SACL). If the Audit object access audit policy is also enabled, then access to these system objects is audited.

Audit Attempts to Log On to or Log Off of System

Determines whether to audit each instance of a user logging on or logging off of another computer where this computer was used to validate the account. If activated all successes and failures are audited.

Audit Attempts to Access Defined Objects

Determines whether to audit the event of a user accessing an object (for example, file, folder, registry key, printer, and so forth) which has its own system access control list (SACL) specified.

Audit Attempts to Change Policy Object Rules

Determines whether to audit every incidence of a change to user rights assignment policies, audit policies, or trust policies.

Audit Attempts to Use Privileges

Determines whether to audit each instance of a user exercising a user right.

Audit Use of Backup and Restore Privileges

Determines whether to audit every use of user rights including Backup and Restore.

Audit Events that Affect System Security

Defines whether to audit when a user restarts or shuts down the computer; or an event has occurred that affects either the system security or the security log. If activated all successes and failures are audited. Success audits generate an audit entry when a system event is successfully executed. Failure audits generate an audit entry when a system event is unsuccessfully attempted.

Delete All

Check this box if all entries of a specific name or type in the security settings inventory are to be deleted.

Object Name

The value <OBJECT name=”<value>”> of the entry/entries to be deleted from the .xml file. As there may be several objects with the same name of different types all entries of this name will be deleted if you do not specify the respective type in the field above. It is possible to use the wildcard characters ? for a single letter and * for several letters.

Object Type

The value <OBJECT type=”<value>”> of the entry/entries to be deleted from the .xml file. As there may be several objects of the same type with different names all entries of this type will be deleted if you do not specify the respective name in the field below. It is possible to use the wildcard characters ? for a single letter and * for several letters.

Disable Machine Account Password Changes

Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password.

Maximum Machine Account Password Age

Determines how often a domain member attempts to change its computer account password.

Digitally Encrypt or Sign Secure Channel Data (always)

Determines whether the computer always digitally encrypts or signs secure channel data. If this policy is enabled, all outgoing secure channel traffic must be either signed or encrypted. If this policy is disabled, signing and encryption are negotiated with the domain controller. This option should only be enabled if all of the domain controllers in all the trusted domains support signing and sealing.

Note: If this parameter is enabled, then the Secure channel: Digitally sign secure channel data (when possible) parameter is automatically enabled.

Digitally Encrypt Secure Channel Data (if possible)

Determines whether the computer always digitally encrypts or signs secure channel data. If this policy is enabled, all outgoing secure channel traffic should be encrypted. If this policy is disabled, outgoing secure channel traffic is not encrypted.

Digitally Sign Secure Channel Data (if possible)

Determines whether the computer always digitally encrypts or signs secure channel data. If this policy is enabled, all outgoing secure channel traffic should be signed. If this policy is disabled, no outgoing secure channel traffic is signed.

Require Strong Session Key

Check this box if all outgoing secure channel traffic are to require a strong (Windows 2000 or later) encryption key. If this policy is disabled, the key strength is negotiated with the DC. This option should only be enabled if all of the DCs in all trusted domains support strong keys.

Search in Service Path

Check this box if the string is to be looked for in the service directory path.

String to Find

Enter the string which is to identify the desired service(s). This string can be a pattern or a regular expression.

Search in Service Description

Check this box if the string is to be looked for in the service directory path.

Search the Display Name of the Service

Check this box if the string is to be looked for in the description of the service.

Search in Service Name

Check this box if the string is to be looked for in the name of the service.

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.

Collect Windows Firewall Information If Present

Check this box if the step is to collect and display any available information for the installed firewall. This retrieves information for both the Standard and the Domain profile.

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.

Automatic Login

Determines whether the user is automatically logged on after the device is started.

Number of Previous Logins to Cache

Determines the number of times a user can log on to a Windows domain using cached account information. In this policy setting, a value of 0 disables login caching. Any value above 50 only caches 50 login attempts.

Do Not Require Ctrl + Alt + Del

Determines whether pressing CTRL+ALT+DEL is required before a user can log on. If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL in order to log on. Not having to press CTRL+ALT+DEL leaves the user susceptible to attacks that attempt to intercept the user's password.

Prompt User to Change Password before Expiration

Defines how far in advance Windows 2000 should warn users that their password is about to expire. By giving the user advanced warning, the user has time to construct a sufficiently strong password.

Do Not Display Last User Name

Determines whether the name of the last user to login to the computer is displayed in the Windows login screen. If this policy is enabled, the name of the last user to successfully log on is not displayed in the Log On to Windows dialog box. If this policy is disabled, the name of the last user to login is displayed. This policy is defined by default in Local Computer Policy.

Smart Card Removal Behavior

Determines what should happen when the smart card for a logged-on user is removed from the smart card reader. If Lock Workstation is specified, then the workstation is locked when the smart card is removed allowing users to leave the area, take their smart card with them, and still maintain a protected session. If Force Logoff is specified, then the user is automatically logged off when the smart card is removed.

Message Title for Users Attempting to Log on

Allows the specification of a title to appear in the title bar of the window that contains the message text for users attempting to log on. For servers, this policy is enabled but there is no default text specified.

Message Text for Users Attempting to Log on

Specifies a text message that is displayed to users when they log on. This text is often used for legal reasons, such as to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. For servers, this policy is enabled but there is no default text specified.

Require Domain Controller Authentication to Unlock Workstation

Login information must be provided to unlock a locked computer. For domain accounts, determines whether a domain controller must be contacted to unlock a computer. If this setting is disabled, a user can unlock the computer using cached credentials. If this setting is enabled, a domain controller must authenticate the domain account that is being used to unlock the computer.

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.

Include Stopped Services

Check this box if not only running but also all stopped services installed on the device are to be included in the list.

Prevent Local Guest Groups from Accessing Application Log File

Determines if guests are prevented from accessing the application event log, which contains program errors and missing data information. This security setting affects only computers running Windows 2000, Windows XP and Windows Server 2003.

Keep/Overwrite Application Log File

Determines the number of seconds' worth of events to be retained for the application log once the log arrives at its maximum size.

Maximum Application Log File Size

Specifies the maximum size of the application event log, which has a maximum of 4 GB. Log file sizes must be a multiple of 64 KB.

Prevent Local Guest Groups from Accessing Security Log File

Determines if guests are prevented from accessing the security event log. This security setting affects only computers running Windows 2000, Windows XP and Windows Server 2003. A user must possess the Manage auditing and security log user right to access the security log.

Keep/Overwrite Security Log File

Determines the number of seconds' worth of events to be retained for the security log once the log arrives at its maximum size.

Maximum Security Log File Size

Specifies the maximum size of the security event log, which has a maximum size of 4 GB. Log file sizes must be a multiple of 64 KB.

Prevent Local Guest Groups from Accessing System Log File

Determines if guests are prevented from accessing the system event log, which contains startup information, shutdown information, and driver information. This security setting affects only computers running Windows 2000, Windows XP and Windows Server 2003. A user must possess the Manage auditing and security log user right to access the security log.

Keep/Overwrite of System Log File

Determines the number of seconds' worth of events to be retained for the system log once the log arrives at its maximum size.

Maximum System Log File Size

Specifies the maximum size of the system event log, which has a maximum size of 4 GB. Log file sizes must be a multiple of 64 KB.

Digitally Sign Communications (if server agrees)

Check this box to cause the Windows 2000 Server Message Block (SMB) client to perform SMB packet signing when communicating with an SMB server that is enabled or required to perform SMB packet signing.

Send Unencrypted Password to Third-party SMB Servers

Check this box if the Server Message Block (SMB) redirector is allowed to send clear-text passwords to non-Microsoft SMB servers which do not support password encryption during authentication.

Digitally Sign Communications (always)

Determines whether the computer always digitally signs client communications. The Windows 2000 Server Message Block (SMB) authentication protocol supports mutual authentication, which closes a man-in-the-middle attack, and supports message authentication, which prevents active message attacks. If SMB signing is enabled on a server, then clients that are also enabled for SMB signing use the packet signing protocol during all subsequent sessions.

Digitally Sign Communications (if client agrees)

If this policy is enabled, it causes the Windows 2000 Server Message Block (SMB) server to perform SMB packet signing. This policy is disabled by default on workstation and server platforms in Local Computer Policy. This policy is enabled by default on domain controllers in the Default Domain Controllers Group Policy object (GPO).

Idle Time before Suspending Session

Determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is disconnected due to inactivity. For this policy setting, a value of 0 means to disconnect an idle session as quickly as reasonably possible. The maximum value is 0xFFFFFFFF, which means disabled.

Disconnect Clients When Login Hours Expire

Determines whether to disconnect users that are connected to the local machine outside of their user account's valid login hours. This setting affects the Server Message Block (SMB) component of a Windows 2000 server. When this policy is enabled, it causes client sessions with the SMB server to be forcibly disconnected when the client's login hours expire. If this policy is disabled, an established client session is allowed to be maintained after the client's login hours have expired.

Digitally Sign Communications (always)

Determines whether the computer always digitally signs client communications. If SMB signing is required on a server, then a client is not able to establish a session unless it is at least enabled for SMB signing. If this policy is disabled, it does not require the SMB client to sign packets. This policy is defined by default in Local Computer Policy , where it is disabled by default.

Do Not Allow Storage of Credentials for Network Authentication

Determines whether Stored User Names and Passwords saves passwords, credentials, or .NET Passports for later use when it gains domain authentication. If it is enabled, this setting prevents the Stored User Names and Passwords from storing passwords and credentials. Note: When configuring this security setting, changes do not take effect until you restart Windows.

"Everyone" Permissions to be Applied to Anonymous Users

Determines how network logins using local accounts are authenticated. If this setting is set to Classic , network logins that use local account credentials authenticate by using those credentials. If this setting is set to Guest only , network logins that use local accounts are automatically mapped to the Guest account. The Classic model allows fine control over access to resources. By using the Classic model, you can grant different types of access to different users for the same resource. By using the Guest only model, you can have all users treated equally.

Sharing and Security Model for Local Accounts

Determines how network logins using local accounts are authenticated. If this setting is set to Classic , network logins that use local account credentials authenticate by using those credentials. If this setting is set to Guest only , network logins that use local accounts are automatically mapped to the Guest account. The Classic model allows fine control over access to resources. By using the Classic model, you can grant different types of access to different users for the same resource. By using the Guest only model, you can have all users treated equally.

Do Not Allow Anonymous Enumeration of SAM Accounts

Determines what additional permissions is granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.

Do Not Allow Anonymous Enumeration of SAM Accounts and Shares

Determines whether anonymous enumeration of SAM accounts and shares is allowed. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy.

LDAP Client Signing Requirements

Determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests.

LAN Manager Authentication Level

Determines which challenge/response authentication protocol is used for network logins.

Do Not Store LAN Manager Hash Value on Next Password Change

Determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked.

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.

Protocol

Select the protocol, either TCP or UDP, for which all open ports are to be found.

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.

Restrict CD-ROM Access to Locally Logged-On User Only

Determines whether a CD-ROM is accessible to both local and remote users simultaneously. If enabled, this policy allows only the interactively logged-on user to access removable CD-ROM media. If no one is logged on interactively, the CD-ROM may be shared over the network. If this policy is disabled, then the local user and remote users can access the CD-ROM simultaneously.

Unsigned Driver Installation Behavior

Determines what should happen when an attempt is made to install a device driver (by means of the Windows 2000 device installer) that has not been certified by the Windows Hardware Quality Lab (WHQL).

Restrict Floppy Access to Locally Logged-On User Only

Determines whether removable floppy media is accessible to both local and remote users simultaneously. If enabled, this policy allows only the interactively logged-on user to access removable floppy media. If no one is logged on interactively, the floppy media may be shared over the network. If this policy is disabled, then the local user and remote users can access the floppy media simultaneously.

Unsigned Non-driver Installation Behavior

Defines what should happen when an attempt is made to install any non-device driver software that has not been certified.

Prevent Users from Installing Printer Drivers

Determines whether members of the Users group are prevented from installing print drivers. Note: This policy setting does not affect Power Users.

Allow to Format and Eject Removable Media

Determines who is allowed to eject removable NTFS media from the computer. This policy is defined by default in Local Computer Policy. This policy setting can be modified to provide any interactive user with the ability to eject removable NTFS media from the computer.

Allow to undock without Having to Log On

Determines whether a portable computer can be undocked without having to log on. If this policy is enabled, login is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer.

Process Path

Check this box if the path to the executable file of the process is to be added to the list.

Process User

Check this box if the name of the user who started the process is to be added to the list.

Allow Automatic Administrative Login

Check this box if the Recovery Console is not to require you to provide a password and automatically logs on to the system.

Allow Floppy Copy and Access to All Drives and All Folders

Command

Select from this drop-down box the command which is to be found for the run level.

Run Level

Select the command which is to be found for the run level.

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.

Default Owner for Objects Created by Members of the Administrator Groups

Determines which users and groups have the authority to run volume maintenance tasks, such as Disk Cleanup and Disk Defragmenter .

Require Case-insensitivity for Non-Windows Subsystems

Determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX. If this setting is enabled, case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. Disabling this setting does not allow the Win32 subsystem to become case sensitive.

Use FIPS Compliant Algorithms for Encryption, Hashing, and Signing

Determines if the Transport Layer Security/Secure Sockets Layer (TL/SS) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. In effect, this means that the provider only supports the Transport Layer Security (TLS) protocol as a client and as a server (if applicable). It uses only the Triple DES encryption algorithm for the TLS traffic encryption, only the Rivest, Shamir, and Adleman (RSA) public key algorithm for the TLS key exchange and authentication, and only the Secure Hashing Algorithm 1 (SHA-1) for the TLS hashing requirements. For Encrypting File System Service (EFS), it supports only the Triple Data Encryption Standard (DES) encryption algorithm for encrypting file data supported by the NTFS file system. By default, EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key in the Windows Server 2003 family and DESX algorithm in Windows XP for encrypting file data. For Terminal Services, it supports only the Triple DES encryption algorithm for encrypting terminal services network communication.

Strengthen Default Permissions of Internal System Objects

Determines the strength of the default discretionary access control list (DACL) for objects.

Clear Virtual Memory Pagefile

Determines whether the virtual memory pagefile should be cleared when the system is shut down. Enabling this security option also causes the hibernation file (hiberfil.sys) to be zeroed out when hibernation is disabled on a laptop system. When this policy is disabled, the virtual memory pagefile is not cleared during system shutdown.

Allow System to be Shut Down without Having to Log On

Determines whether a computer can be shut down without having to log on to Windows. When this policy is enabled, the Shut Down command is available on the Windows login screen. When this policy is disabled, the option to shut down the computer does not appear on the Windows login screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right in order to perform a system shutdown.

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.

String to Find

Enter the string which is to identify the desired service(s). This string can be a pattern or a regular expression.

Admin approval mode for the built-in administrator account

Only elevate executables that are signed and validated

Enforces public key infrastructure (PKI) signature checks on any interactive application that requests elevation of privilege. Enterprise administrators can control which administrative applications are allowed through the certificates in the local computer's Trusted Publishers certificate

Behavior of elevation prompt for administrators in admin approval mode

Behavior of the elevation prompt for standard users

Detect application installations and prompt for elevation

Run all administrators in admin approval mode

Switch to secure desktop when prompting for elevation

Only elevate UIAccess applications that are installed in secure locations

Enforces the requirement that applications requesting to be run with a UIAccess integrity level must reside in a secure location on the file system. Secure locations are limited to the following directories: ?Program Files (and subfolders) ?WindowsSystem32r- ?Program Files (x86) (and subfolders, in 64-bit versions of Windows only).

Virtualize file and registry write failures to per-user locations

Enables the redirection of application write failures to defined locations in both the registry and file system. This feature mitigates those applications that historically ran as administrator and wrote runtime application data to protected locations ( %ProgramFiles%, %Windir%, %Windir%system32, or HKLMSoftware... ).