Security Settings Inventory steps


This group of steps is concerned with establishing the Security Settings Inventory for your network. Restrictions that apply to a single step (for example, Windows-only or Unix-only steps) are noted with that step. The steps that collect Microsoft Windows security options also explain what each option does and, where relevant, what its default Windows value is.

Account Policy

This step collects the settings of the Account Policy and stores them in the security settings inventory.

Parameter

Description

Limit Local Account Use of Blank Passwords to Console Login Only

Determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts without a password are only able to log on at the computer's keyboard; attempts to use such an account over the network (for example, for an SMB share or a Remote Desktop session) are rejected. Does not apply to guest accounts.

Account Lockout Duration

The amount of time, in minutes, that account lockout is enforced. If you set the Account Lockout Duration registry value to 0, the account is permanently locked out until either an administrator or a user who has a delegated account resets the account.

Reset Account Lockout Counter After

You can use the Reset Account Lockout Counter After setting to help mitigate lockout issues that are initiated by users. When you set this value, the counter of bad password attempts is reset to 0 after the number of minutes that you set has passed since the last bad attempt.

Account Lockout Threshold

The number of times that the user, computer, service, or program can send a bad password during login authentication before the account is locked out. You can adjust the Account Lockout Threshold value to prevent both brute force and dictionary attacks, but a value that is too low also locks out accounts on ordinary user error and other non-attack failures. If you set the Account Lockout Threshold value to 0, no account lockouts occur on the domain.

Maximum Password Age

Determines the period of time (in days) that a user can use their password before the computer requires the user to change it. You can set passwords to expire in between 1 and 999 days, or you can specify that passwords never expire by setting the number of days to 0.

Minimum Password Age

Determines the period of time (in days) that a password must be used before the user can change it. You can set the value to between 1 and 999 days, or allow immediate changes by setting the number of days to 0. If you do not set a minimum password age, users can repeatedly cycle through passwords until they are able to use an old favorite password. This could allow users to circumvent established password policy.

Minimum Password Length

Defines the minimum number of characters a password must contain. The value can be set between 0 and 14 characters. Each additional character increases the number of possible passwords. If you set the value to 0, no password is required, that is, blank passwords are permitted.

Enforce Password History

Check this box to prevent users from repeatedly using the same password. When you use the password history feature, a user is prevented from using passwords that they used in the past, up to the number of passwords that you specify. You can configure Windows to retain between 0 and 24 passwords by using the Password History feature. Microsoft recommends that you set the password history to the maximum value to help ensure the least amount of password reuse by users.
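The following is an added example, not part of the product's own code: it exports the local security policy with secedit.exe, reads the Account Policy values this step records from the [System Access] section (plus the registry-backed blank-password restriction), and compares them with a baseline. The thresholds in Test-AccountPolicy are assumptions chosen for illustration, not product or Windows defaults; run it from an elevated PowerShell session.

```powershell
# Added example (not the product's own code). Run elevated; secedit.exe is built into Windows.
# Baseline thresholds in Test-AccountPolicy are assumptions for illustration only.

function Get-AccountPolicy {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    try {
        $values = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\[(.+)\]\s*$') {
                $inSection = ($Matches[1] -eq 'System Access')
                continue
            }
            # Lines look like:  LockoutBadCount = 5   (string values are quoted and skipped here)
            if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
                $values[$Matches[1]] = [int]$Matches[2]
            }
        }
    }
    finally {
        Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue
    }
    # "Limit local account use of blank passwords" is a registry value, not a [System Access] entry.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue
    $values['LimitBlankPasswordUse'] = if ($null -ne $lsa) { [int]$lsa.LimitBlankPasswordUse } else { 1 }  # OS default: enabled
    $values
}

function Test-AccountPolicy {
    param([hashtable]$Policy = (Get-AccountPolicy))
    # secedit exports "passwords never expire" as MaximumPasswordAge = -1, and omits
    # LockoutDuration / ResetLockoutCount entirely while LockoutBadCount is 0.
    $checks = @(
        @{ Name = 'MinimumPasswordLength'; Rule = { param($v) $v -ge 14 };                Want = '>= 14' }
        @{ Name = 'PasswordHistorySize';   Rule = { param($v) $v -ge 24 };                Want = '>= 24' }
        @{ Name = 'MinimumPasswordAge';    Rule = { param($v) $v -ge 1 };                 Want = '>= 1 day' }
        @{ Name = 'MaximumPasswordAge';    Rule = { param($v) $v -ge 1 -and $v -le 365 }; Want = '1..365 days' }
        @{ Name = 'LockoutBadCount';       Rule = { param($v) $v -ge 1 -and $v -le 10 };  Want = '1..10 attempts' }
        @{ Name = 'LockoutDuration';       Rule = { param($v) $v -ge 15 -or $v -eq 0 };   Want = '>= 15 min (0 = until an administrator unlocks)' }
        @{ Name = 'ResetLockoutCount';     Rule = { param($v) $v -ge 15 };                Want = '>= 15 min' }
        @{ Name = 'LimitBlankPasswordUse'; Rule = { param($v) $v -eq 1 };                 Want = '1 (console logon only)' }
    )
    foreach ($c in $checks) {
        $actual = $Policy[$c.Name]
        [pscustomobject]@{
            Setting   = $c.Name
            Actual    = if ($null -eq $actual) { '(not exported: lockout disabled)' } else { $actual }
            Expected  = $c.Want
            Compliant = ($null -ne $actual) -and (& $c.Rule $actual)
        }
    }
}

Test-AccountPolicy | Format-Table -AutoSize
```

Because secedit writes the export as UTF-16 with a byte-order mark, Get-Content decodes it correctly without an explicit -Encoding parameter. The parse deliberately ignores non-numeric entries such as NewAdministratorName so that the hashtable only ever holds integers.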

Audit Policy

This step collects the settings of the Audit Policy and stores them in the security settings inventory.

Parameter

Description

Audit Attempts to Modify Accounts and Change Passwords

Determines whether to audit each event of account management on a computer. Examples of account management events include: a user account or group is created, changed, or deleted; a user account is renamed, disabled, or enabled; a password is set or changed. If activated all successes and failures are audited. Success audits generate an audit entry when any account management event is successful. Failure audits generate an audit entry when any account management event fails.

Force Audit Policy Subcategory to Override Audit Policy Category settings (Vista and later)

Ensures that the more detailed audit policy subcategory settings (available on Windows Vista and later) are applied instead of being overwritten by the coarser category-level audit policy, including category-level policy delivered through domain Group Policy.

Shut Down System Immediately if Unable to Log Security Audits

Determines whether the system should shut down if it is unable to log security events. If the security log is full and an existing entry cannot be overwritten and this security option is enabled, the following blue screen error occurs: STOP: C0000244 {Audit Failed} An attempt to generate a security audit failed. To recover, an administrator must log on, archive the log (if desired), clear the log, and reset this option as desired.

Audit Specific Events

Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. If activated all successes and failures are audited. Success audits generate an audit entry when the process being tracked is a success. Failure audits generate an audit entry when the process being tracked fails.

Audit Access of Global System Objects

Determines whether access of global system objects is audited. When this policy is enabled, it causes system objects such as mutexes, events, semaphores, and DOS Devices to be created with a default system access control list (SACL). If the Audit object access audit policy is also enabled, then access to these system objects is audited.

Audit Attempts to Log On to or Log Off of System

Determines whether to audit each instance of a user logging on or logging off of another computer where this computer was used to validate the account. If activated all successes and failures are audited.

Audit Attempts to Access Defined Objects

Determines whether to audit the event of a user accessing an object (for example, file, folder, registry key, printer, and so forth) which has its own system access control list (SACL) specified.

Audit Attempts to Change Policy Object Rules

Determines whether to audit every incidence of a change to user rights assignment policies, audit policies, or trust policies.

Audit Attempts to Use Privileges

Determines whether to audit each instance of a user exercising a user right.

Audit Use of Backup and Restore Privileges

Determines whether the use of all user privileges, including Backup and Restore, is audited when the Audit privilege use policy is in effect. If enabled, every file that is backed up or restored generates an audit event, which can fill the security log very quickly during a backup run.

Audit Events that Affect System Security

Defines whether to audit when a user restarts or shuts down the computer; or an event has occurred that affects either the system security or the security log. If activated all successes and failures are audited. Success audits generate an audit entry when a system event is successfully executed. Failure audits generate an audit entry when a system event is unsuccessfully attempted.
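The following is an added example, not the product's own code: it reads the effective audit policy with auditpol.exe and the three registry-backed audit options this step records (subcategory override, shut down on audit failure, global system object auditing). The mapping of the parameters above to auditpol subcategory names and the Expected column are an assumed baseline for illustration, not product defaults. Run it elevated.

```powershell
# Added example (not the product's own code). Run elevated.
# The subcategory list and expected settings are an assumed baseline, not product defaults.

function Get-AuditPolicyInventory {
    # /r gives CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $rows = auditpol.exe /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    $expected = [ordered]@{
        'User Account Management' = 'Success and Failure'   # accounts created/changed, passwords set
        'Process Creation'        = 'Success'               # detailed tracking
        'Logon'                   = 'Success and Failure'
        'Logoff'                  = 'Success'
        'Credential Validation'   = 'Success and Failure'   # this computer validated the account
        'File System'             = 'Failure'               # objects that carry a SACL
        'Audit Policy Change'     = 'Success and Failure'
        'Sensitive Privilege Use' = 'Success and Failure'
        'Security State Change'   = 'Success and Failure'   # startup/shutdown, events affecting security
    }
    foreach ($sub in $expected.Keys) {
        $row = $rows | Where-Object Subcategory -eq $sub | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { '(unknown subcategory)' }
        [pscustomobject]@{
            Item      = "Audit: $sub"
            Actual    = $actual
            Expected  = $expected[$sub]
            # Auditing more than the baseline asks for is still compliant.
            Compliant = ($actual -eq $expected[$sub]) -or
                        ($expected[$sub] -ne 'Success and Failure' -and $actual -eq 'Success and Failure')
        }
    }
    # Registry-backed options under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
    # CrashOnAuditFail = 2 means the shutdown already happened and only administrators can log on.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $options = @(
        @{ Item = 'Force subcategory settings to override category settings'; Name = 'SCENoApplyLegacyAuditPolicy'; Expected = 1 }
        @{ Item = 'Shut down system if unable to log security audits';        Name = 'CrashOnAuditFail';            Expected = 0 }
        @{ Item = 'Audit access of global system objects';                    Name = 'AuditBaseObjects';            Expected = 0 }
    )
    foreach ($o in $options) {
        $actual = $lsa.($o.Name)
        [pscustomobject]@{
            Item      = $o.Item
            Actual    = if ($null -eq $actual) { '(not set: OS default)' } else { [int]$actual }
            Expected  = $o.Expected
            Compliant = ($null -eq $actual -and $o.Expected -eq 0) -or ([int]$actual -eq $o.Expected)
        }
    }
}

Get-AuditPolicyInventory | Format-Table -AutoSize
```

On a system with a non-English UI the subcategory names in the auditpol CSV are localized; match on the Subcategory GUID column instead of the name if you need the script to work across languages.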

Clean Security Settings Inventory

This step deletes entries from the security settings inventory. The values entered in the step's fields are matched against the OBJECT entries of the SecurityInventory.xml file on the device, so you need read access to that file on the device to be cleaned in order to know which object names and types exist there.

Parameter

Description

Delete All

Check this box if all entries of the specified name or type are to be deleted from the security settings inventory.

Object Name

The value <OBJECT name="<value>"> of the entry/entries to be deleted from the .xml file. As there may be several objects with the same name but different types, all entries of this name are deleted if you do not also specify the type in the Object Type field. You can use the wildcard characters ? for a single character and * for any number of characters.

Object Type

The value <OBJECT type="<value>"> of the entry/entries to be deleted from the .xml file. As there may be several objects of the same type but with different names, all entries of this type are deleted if you do not also specify the name in the Object Name field. You can use the wildcard characters ? for a single character and * for any number of characters.
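The following is an added example, not the product's own code, showing how the Object Name and Object Type wildcards select entries for deletion. The inventory file below is a constructed sample that only assumes the <OBJECT name="..." type="..."> form described above; the real SecurityInventory.xml may carry other elements, and whether "Delete All" unchecked removes only the first match is an assumption made for the -All switch.

```powershell
# Added example (not the product's own code). The XML is a constructed sample.
$sample = [xml]@'
<SecurityInventory>
  <OBJECT name="MinimumPasswordLength" type="AccountPolicy">7</OBJECT>
  <OBJECT name="MaximumPasswordAge" type="AccountPolicy">42</OBJECT>
  <OBJECT name="MaximumPasswordAge" type="DomainMemberPolicy">30</OBJECT>
  <OBJECT name="Instance0" type="OpenPorts">TCP 445</OBJECT>
  <OBJECT name="Instance1" type="OpenPorts">TCP 3389</OBJECT>
</SecurityInventory>
'@

function Remove-InventoryObject {
    param(
        [Parameter(Mandatory)][xml]$Inventory,
        [string]$Name = '*',   # ? = one character, * = any run of characters (PowerShell -like semantics)
        [string]$Type = '*',   # leaving either field at * matches every value, as described for the step
        [switch]$All           # assumption: without -All only the first matching entry is removed
    )
    $hits = @($Inventory.SelectNodes('//OBJECT') |
        Where-Object { $_.GetAttribute('name') -like $Name -and $_.GetAttribute('type') -like $Type })
    if (-not $All -and $hits.Count -gt 1) { $hits = @($hits[0]) }
    foreach ($node in $hits) { [void]$node.ParentNode.RemoveChild($node) }
    $hits.Count   # number of entries removed
}

# Name only: both MaximumPasswordAge entries are removed, whatever their type.
Remove-InventoryObject -Inventory $sample -Name 'MaximumPasswordAge' -All
# Name and type together narrow the selection; the ? wildcard covers Instance0 and Instance1.
Remove-InventoryObject -Inventory $sample -Name 'Instance?' -Type 'OpenPorts' -All
# What is left:
$sample.SecurityInventory.OBJECT | Select-Object name, type
```

To apply this to a real file, load it with `[xml](Get-Content -Raw $path)` and write it back with `$xml.Save($path)` after the removals.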

Domain Member Policy

This step collects the settings of the Domain Member Policy and stores them in the security settings inventory.

Parameter

Description

Disable Machine Account Password Changes

Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password.

Maximum Machine Account Password Age

Determines how often a domain member attempts to change its computer account password.

Digitally Encrypt or Sign Secure Channel Data (always)

Determines whether the computer always digitally encrypts or signs secure channel data. If this policy is enabled, all outgoing secure channel traffic must be either signed or encrypted. If this policy is disabled, signing and encryption are negotiated with the domain controller. This option should only be enabled if all of the domain controllers in all the trusted domains support signing and sealing.

Note: If this parameter is enabled, then the Secure channel: Digitally sign secure channel data (when possible) parameter is automatically enabled.

Digitally Encrypt Secure Channel Data (if possible)

Determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If this policy is enabled, the domain member requests encryption of all outgoing secure channel traffic and uses it if the domain controller supports it. If this policy is disabled, the domain member does not attempt to negotiate encryption and outgoing secure channel traffic is sent unencrypted.

Digitally Sign Secure Channel Data (if possible)

Determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. If this policy is enabled, the domain member requests signing of all outgoing secure channel traffic and uses it if the domain controller supports it. If this policy is disabled, the domain member does not attempt to negotiate signing and no outgoing secure channel traffic is signed.

Require Strong Session Key

Check this box if all outgoing secure channel traffic is to require a strong (Windows 2000 or later) encryption key. If this policy is disabled, the key strength is negotiated with the DC. This option should only be enabled if all of the DCs in all trusted domains support strong keys.

Find Service Status

This step uploads a list of status of specific services to the security settings inventory, which may be defined via the step's parameters. This step is only applicable to Windows devices.

Parameter

Description

Search in Service Path

Check this box if the string is to be looked for in the service directory path.

String to Find

Enter the string which is to identify the desired service(s). This string can be a pattern or a regular expression.

Search in Service Description

Check this box if the string is to be looked for in the description of the service.

Search the Display Name of the Service

Check this box if the string is to be looked for in the display name of the service.

Search in Service Name

Check this box if the string is to be looked for in the name of the service.

IPTables Parameters

This step collects the list of iptables Firewall filters which are configured on the device and saves those in the security settings inventory. This step is only applicable to Unix environments.

Parameter

Description

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.

Security Center Anti-Spyware

This step collects the WMI information concerning the Security Center anti-spyware products and stores it in the security settings inventory. This step is only applicable to Windows Vista and later.

Parameter

Description

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.

Security Center Antivirus

This step collects all WMI information concerning the Security Center antivirus software programs and saves it in the security settings inventory. This step is applicable only to Windows devices.

Parameter

Description

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.

Security Center Firewalls

This step collects all WMI information concerning the Security Center firewalls and saves it in the security settings inventory. This step is only applicable to Windows devices.

Parameter

Description

Collect Windows Firewall Information If Present

Check this box if the step is to collect and display any available information for the installed firewall. This retrieves information for both the Standard and the Domain profile.

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.
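The following is an added example, not the product's own code: the WMI query behind the three Security Center steps (anti-spyware, antivirus, firewalls), plus the Windows Firewall profile state. The root/SecurityCenter2 namespace exists on client editions (Windows Vista and later) only, so on Windows Server the product query returns nothing. The productState decoding is the commonly used interpretation of an undocumented bit field and is an assumption, not a documented contract.

```powershell
# Added example (not the product's own code). root/SecurityCenter2 is present on client
# editions only; the productState decoding below is a widely used assumption, not documented.

function Get-SecurityCenterProduct {
    foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $class -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hex = '{0:X6}' -f [int]$_.productState       # e.g. 0x061000 -> '061000'
            [pscustomobject]@{
                Category  = $class -replace 'Product$'
                Product   = $_.displayName
                Enabled   = $hex.Substring(2, 2) -eq '10'  # middle byte 0x10: real-time protection on
                UpToDate  = $hex.Substring(4, 2) -eq '00'  # low byte 0x00: signatures current
                Exe       = $_.pathToSignedProductExe
                Timestamp = $_.timestamp
            }
        }
    }
}

function Get-WindowsFirewallState {
    # Current profiles are Domain, Private and Public; "Standard" in the step text is the pre-Vista name.
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile         = $_.Name
            Enabled         = [string]$_.Enabled
            DefaultInbound  = [string]$_.DefaultInboundAction
            DefaultOutbound = [string]$_.DefaultOutboundAction
            LogBlocked      = [string]$_.LogBlocked
            LogFile         = $_.LogFileName
        }
    }
}

Get-SecurityCenterProduct | Format-Table -AutoSize
Get-WindowsFirewallState  | Format-Table -AutoSize
```

A machine that reports an antivirus product with Enabled = False or UpToDate = False, or a firewall profile with Enabled = False, is the case an inventory consumer usually wants to surface; the "NotConfigured" value for a profile means no Group Policy sets it and the local default (enabled) applies.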

Interactive Login Policy

This step collects the settings of the Interactive Login Policy and stores them in the security settings inventory.

Parameter

Description

Automatic Login

Determines whether the user is automatically logged on after the device is started.

Number of Previous Logins to Cache

Determines the number of times a user can log on to a Windows domain using cached account information when no domain controller is reachable. A value of 0 disables logon caching. Values above 50 are treated as 50.

Do Not Require Ctrl + Alt + Del

Determines whether pressing CTRL+ALT+DEL is required before a user can log on. If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL in order to log on. Not having to press CTRL+ALT+DEL leaves the user susceptible to attacks that attempt to intercept the user's password.

Prompt User to Change Password before Expiration

Defines how far in advance (in days) Windows warns users that their password is about to expire. By giving the user advance warning, the user has time to construct a sufficiently strong password.

Do Not Display Last User Name

Determines whether the name of the last user to login to the computer is displayed in the Windows login screen. If this policy is enabled, the name of the last user to successfully log on is not displayed in the Log On to Windows dialog box. If this policy is disabled, the name of the last user to login is displayed. This policy is defined by default in Local Computer Policy.

Smart Card Removal Behavior

Determines what should happen when the smart card for a logged-on user is removed from the smart card reader. If Lock Workstation is specified, then the workstation is locked when the smart card is removed allowing users to leave the area, take their smart card with them, and still maintain a protected session. If Force Logoff is specified, then the user is automatically logged off when the smart card is removed.

Message Title for Users Attempting to Log on

Allows the specification of a title to appear in the title bar of the window that contains the message text for users attempting to log on. For servers, this policy is enabled but there is no default text specified.

Message Text for Users Attempting to Log on

Specifies a text message that is displayed to users when they log on. This text is often used for legal reasons, such as to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. For servers, this policy is enabled but there is no default text specified.

Require Domain Controller Authentication to Unlock Workstation

Login information must be provided to unlock a locked computer. For domain accounts, determines whether a domain controller must be contacted to unlock a computer. If this setting is disabled, a user can unlock the computer using cached credentials. If this setting is enabled, a domain controller must authenticate the domain account that is being used to unlock the computer.

List of Connected USB Devices

This step collects the list of all USB devices that are connected to the target and saves it in the security settings inventory. This step is applicable only to Windows devices.

Parameter

Description

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.

List of Windows Services

This step collects the list of Windows services installed and running on the target and saves it in the security settings inventory. This step is applicable only to Windows devices.

Parameter

Description

Include Stopped Services

Check this box if not only running but also all stopped services installed on the device are to be included in the list.
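The following is an added example, not the product's own code, covering both the Find Service Status step above and this List of Windows Services step: the same search done directly against the Win32_Service CIM class. The pattern is a .NET regular expression, the four search switches correspond to the step's check boxes, and -IncludeStopped corresponds to the "Include Stopped Services" box; the OutsideWindowsDir flag is an addition of this example.

```powershell
# Added example (not the product's own code). Needs PowerShell 3.0 or later (Get-CimInstance).

function Find-ServiceStatus {
    param(
        [Parameter(Mandatory)][string]$Pattern,   # .NET regular expression
        [switch]$InName,
        [switch]$InDisplayName,
        [switch]$InDescription,
        [switch]$InPath,
        [switch]$IncludeStopped
    )
    if (-not ($InName -or $InDisplayName -or $InDescription -or $InPath)) {
        throw 'Select at least one field to search.'
    }
    Get-CimInstance -ClassName Win32_Service | Where-Object {
        ($IncludeStopped -or $_.State -eq 'Running') -and (
            ($InName        -and $_.Name        -match $Pattern) -or
            ($InDisplayName -and $_.DisplayName -match $Pattern) -or
            ($InDescription -and $_.Description -match $Pattern) -or
            ($InPath        -and $_.PathName    -match $Pattern)
        )
    } | ForEach-Object {
        $path = [string]$_.PathName -replace '^"', ''   # strip a leading quote before comparing
        [pscustomobject]@{
            Name        = $_.Name
            DisplayName = $_.DisplayName
            State       = $_.State
            StartMode   = $_.StartMode
            RunsAs      = $_.StartName
            Path        = $_.PathName
            # Service binaries outside %SystemRoot% are the ones worth a second look in an inventory.
            OutsideWindowsDir = -not ($path -like "$env:SystemRoot\*")
        }
    }
}

# Everything that mentions remote access, whether running or stopped:
Find-ServiceStatus -Pattern 'remote|rdp|vnc' -InDisplayName -InDescription -IncludeStopped |
    Format-Table Name, State, StartMode, RunsAs -AutoSize
# Running services whose binary lives in a location ordinary users can write to:
Find-ServiceStatus -Pattern '\\Users\\|\\ProgramData\\|\\Temp\\' -InPath |
    Format-Table Name, RunsAs, Path -AutoSize
```

Win32_Service lists services only; kernel drivers are in Win32_SystemDriver. Services with an empty PathName (some per-user or packaged services) are reported as OutsideWindowsDir = True and should be reviewed by hand.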

Log File Policy

This step collects the settings of the Log File Policy and stores them in the security settings inventory.

Parameter

Description

Prevent Local Guest Groups from Accessing Application Log File

Determines if guests are prevented from accessing the application event log, which contains program errors and missing data information. This security setting affects only computers running Windows 2000, Windows XP and Windows Server 2003.

Keep/Overwrite Application Log File

Determines the number of seconds' worth of events to be retained for the application log once the log arrives at its maximum size.

Maximum Application Log File Size

Specifies the maximum size of the application event log, which has a maximum of 4 GB. Log file sizes must be a multiple of 64 KB.

Prevent Local Guest Groups from Accessing Security Log File

Determines if guests are prevented from accessing the security event log. This security setting affects only computers running Windows 2000, Windows XP and Windows Server 2003. A user must possess the Manage auditing and security log user right to access the security log.

Keep/Overwrite Security Log File

Determines the number of seconds' worth of events to be retained for the security log once the log arrives at its maximum size.

Maximum Security Log File Size

Specifies the maximum size of the security event log, which has a maximum size of 4 GB. Log file sizes must be a multiple of 64 KB.

Prevent Local Guest Groups from Accessing System Log File

Determines if guests are prevented from accessing the system event log, which contains startup information, shutdown information, and driver information. This security setting affects only computers running Windows 2000, Windows XP and Windows Server 2003.

Keep/Overwrite of System Log File

Determines the number of seconds' worth of events to be retained for the system log once the log arrives at its maximum size.

Maximum System Log File Size

Specifies the maximum size of the system event log, which has a maximum size of 4 GB. Log file sizes must be a multiple of 64 KB.

Microsoft Network Client Policy

This step collects the settings of the Microsoft Network Client Policy and stores them in the security settings inventory.

Parameter

Description

Digitally Sign Communications (if server agrees)

Check this box to cause the Windows 2000 Server Message Block (SMB) client to perform SMB packet signing when communicating with an SMB server that is enabled or required to perform SMB packet signing.

Send Unencrypted Password to Third-party SMB Servers

Check this box if the Server Message Block (SMB) redirector is allowed to send clear-text passwords to non-Microsoft SMB servers which do not support password encryption during authentication.

Digitally Sign Communications (always)

Determines whether the computer always digitally signs client communications. The Windows 2000 Server Message Block (SMB) authentication protocol supports mutual authentication, which defeats man-in-the-middle attacks, and supports message authentication, which prevents active message tampering. If SMB signing is enabled on a server, then clients that are also enabled for SMB signing use the packet signing protocol during all subsequent sessions.

Microsoft Network Server Policy

This step collects the settings of the Microsoft Network Server Policy and stores them in the security settings inventory.

Parameter

Description

Digitally Sign Communications (if client agrees)

If this policy is enabled, it causes the Windows 2000 Server Message Block (SMB) server to perform SMB packet signing. This policy is disabled by default on workstation and server platforms in Local Computer Policy. This policy is enabled by default on domain controllers in the Default Domain Controllers Group Policy object (GPO).

Idle Time before Suspending Session

Determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is disconnected due to inactivity. For this policy setting, a value of 0 means to disconnect an idle session as quickly as reasonably possible. The maximum value is 0xFFFFFFFF, which means disabled.

Disconnect Clients When Login Hours Expire

Determines whether to disconnect users that are connected to the local machine outside of their user account's valid login hours. This setting affects the Server Message Block (SMB) component of a Windows 2000 server. When this policy is enabled, it causes client sessions with the SMB server to be forcibly disconnected when the client's login hours expire. If this policy is disabled, an established client session is allowed to be maintained after the client's login hours have expired.

Digitally Sign Communications (always)

Determines whether the SMB server component of the computer always digitally signs its communications. If SMB signing is required on a server, then a client is not able to establish a session unless it is at least enabled for SMB signing. If this policy is disabled, the server does not require clients to sign packets. This policy is defined by default in Local Computer Policy, where it is disabled by default.

Network Access Policy

This step collects the settings of the Network Access Policy and stores them in the security settings inventory.

Parameter

Description

Do Not Allow Storage of Credentials for Network Authentication

Determines whether Stored User Names and Passwords saves passwords, credentials, or .NET Passports for later use when it gains domain authentication. If it is enabled, this setting prevents the Stored User Names and Passwords from storing passwords and credentials. Note: When configuring this security setting, changes do not take effect until you restart Windows.

"Everyone" Permissions to be Applied to Anonymous Users

Determines what additional permissions are granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. By default, the Everyone security identifier is removed from the access token created for anonymous connections, so anonymous users only get what is granted explicitly to Anonymous Logon. If this setting is enabled, the Everyone SID is added to that token and anonymous users receive every permission granted to the Everyone group.

Sharing and Security Model for Local Accounts

Determines how network logins using local accounts are authenticated. If this setting is set to Classic , network logins that use local account credentials authenticate by using those credentials. If this setting is set to Guest only , network logins that use local accounts are automatically mapped to the Guest account. The Classic model allows fine control over access to resources. By using the Classic model, you can grant different types of access to different users for the same resource. By using the Guest only model, you can have all users treated equally.

Do Not Allow Anonymous Enumeration of SAM Accounts

Determines whether anonymous connections may enumerate the accounts in the Security Accounts Manager (SAM). Enable this policy to stop anonymous users from listing local account names, which an attacker would otherwise use to build a target list for password guessing.

Do Not Allow Anonymous Enumeration of SAM Accounts and Shares

Determines whether anonymous enumeration of SAM accounts and shares is allowed. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy.

Network Security Policy

This step collects the settings of the Network Security Policy and stores them in the security settings inventory.

Parameter

Description

LDAP Client Signing Requirements

Determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests.

LAN Manager Authentication Level

Determines which challenge/response authentication protocol (LAN Manager, NTLM or NTLMv2) the computer sends for network logons, and which of these protocols it accepts when acting as a server. Higher levels refuse the weaker LM and NTLM responses.

Do Not Store LAN Manager Hash Value on Next Password Change

Determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked.
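The following is an added example, not the product's own code, serving the Domain Member Policy, Microsoft Network Client Policy, Microsoft Network Server Policy, Network Access Policy and Network Security Policy steps above: the registry values behind those policies read directly and compared with a hardening baseline. The Expected column is an assumed baseline in line with common hardening guides, not a product default; a value that is absent from the registry means the Windows default applies.

```powershell
# Added example (not the product's own code). The Expected values are an assumed baseline.

function Get-NetworkAuthPolicyState {
    $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $wks      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $srv      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ldap     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
    $checks = @(
        @{ Policy='Domain Member';    Key=$netlogon; Name='RequireSignOrSeal';     Expected=1; Note='sign or encrypt secure channel data (always)' }
        @{ Policy='Domain Member';    Key=$netlogon; Name='SealSecureChannel';     Expected=1; Note='encrypt secure channel data (if possible)' }
        @{ Policy='Domain Member';    Key=$netlogon; Name='SignSecureChannel';     Expected=1; Note='sign secure channel data (if possible)' }
        @{ Policy='Domain Member';    Key=$netlogon; Name='RequireStrongKey';      Expected=1; Note='require strong session key' }
        @{ Policy='Domain Member';    Key=$netlogon; Name='DisablePasswordChange'; Expected=0; Note='machine account password changes allowed' }
        @{ Policy='Domain Member';    Key=$netlogon; Name='MaximumPasswordAge';    Expected={ param($v) $v -ge 1 -and $v -le 30 }; Note='machine account password age 1..30 days' }
        @{ Policy='SMB Client';       Key=$wks; Name='RequireSecuritySignature';   Expected=1; Note='digitally sign communications (always)' }
        @{ Policy='SMB Client';       Key=$wks; Name='EnableSecuritySignature';    Expected=1; Note='digitally sign communications (if server agrees)' }
        @{ Policy='SMB Client';       Key=$wks; Name='EnablePlainTextPassword';    Expected=0; Note='no unencrypted passwords to third-party SMB servers' }
        @{ Policy='SMB Server';       Key=$srv; Name='RequireSecuritySignature';   Expected=1; Note='digitally sign communications (always)' }
        @{ Policy='SMB Server';       Key=$srv; Name='EnableSecuritySignature';    Expected=1; Note='digitally sign communications (if client agrees)' }
        @{ Policy='SMB Server';       Key=$srv; Name='AutoDisconnect';             Expected={ param($v) $v -ge 1 -and $v -le 15 }; Note='idle minutes before suspending a session' }
        @{ Policy='SMB Server';       Key=$srv; Name='EnableForcedLogoff';         Expected=1; Note='disconnect clients when logon hours expire' }
        @{ Policy='Network Access';   Key=$lsa; Name='DisableDomainCreds';         Expected=1; Note='do not store credentials for network authentication' }
        @{ Policy='Network Access';   Key=$lsa; Name='EveryoneIncludesAnonymous';  Expected=0; Note='Everyone permissions not applied to anonymous users' }
        @{ Policy='Network Access';   Key=$lsa; Name='ForceGuest';                 Expected=0; Note='sharing model: 0 = Classic, 1 = Guest only' }
        @{ Policy='Network Access';   Key=$lsa; Name='RestrictAnonymousSAM';       Expected=1; Note='no anonymous enumeration of SAM accounts' }
        @{ Policy='Network Access';   Key=$lsa; Name='RestrictAnonymous';          Expected=1; Note='no anonymous enumeration of SAM accounts and shares' }
        @{ Policy='Network Security'; Key=$ldap; Name='LDAPClientIntegrity';       Expected={ param($v) $v -ge 1 }; Note='LDAP client signing: 0 none, 1 negotiate, 2 require' }
        @{ Policy='Network Security'; Key=$lsa; Name='LmCompatibilityLevel';       Expected=5; Note='send NTLMv2 only, refuse LM and NTLM' }
        @{ Policy='Network Security'; Key=$lsa; Name='NoLMHash';                   Expected=1; Note='do not store LM hash on next password change' }
    )
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $ok = if ($null -eq $actual) { $false }
        elseif ($c.Expected -is [scriptblock]) { & $c.Expected ([int]$actual) }
        else { [int]$actual -eq $c.Expected }
        [pscustomobject]@{
            Policy    = $c.Policy
            Setting   = $c.Name
            Actual    = if ($null -eq $actual) { '(not set)' } else { $actual }
            Compliant = $ok
            Meaning   = $c.Note
        }
    }
}

# Show only the deviations from the baseline:
Get-NetworkAuthPolicyState | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

"(not set)" is reported as non-compliant on purpose: it tells you the value is inherited from the OS default rather than enforced, which for settings such as RequireSecuritySignature differs between workstation and domain controller builds.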

Number of Administrator Accounts

This step finds all administrator accounts that exist on the target device and saves them in the security settings inventory.

Parameter

Description

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.

Number of Open Windows Sessions

This step collects the number of open Windows Sessions and saves it in the security settings inventory. This step is applicable only to Windows devices.

Parameter

Description

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.

Open Ports

This step collects the list of open TCP and/or UDP ports and saves it in the security settings inventory.

Parameter

Description

Protocol

Select the protocol, either TCP or UDP, for which all open ports are to be found.

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.
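The following is an added example, not the product's own code: the open port list this step collects, extended with the owning process and hosting service so that every listener can be attributed. It needs the NetTCPIP module (Windows 8 / Windows Server 2012 and later) and should run elevated so the owning process of every socket is visible; the AllInterfaces flag is an addition of this example.

```powershell
# Added example (not the product's own code). Requires NetTCPIP (Windows 8 / Server 2012+); run elevated.

function Get-OpenPortInventory {
    param([ValidateSet('TCP', 'UDP', 'Both')][string]$Protocol = 'Both')

    # Process and service lookups by PID, so each endpoint can be attributed.
    $procById = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object { $procById[[int]$_.ProcessId] = $_ }
    $svcByPid = @{}
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.ProcessId -gt 0 } |
        ForEach-Object { $svcByPid[[int]$_.ProcessId] += @($_.Name) }   # several services can share one svchost

    $endpoints = @()
    if ($Protocol -ne 'UDP') {
        $endpoints += Get-NetTCPConnection -State Listen |
            Select-Object @{ n = 'Protocol'; e = { 'TCP' } }, LocalAddress, LocalPort, OwningProcess
    }
    if ($Protocol -ne 'TCP') {
        $endpoints += Get-NetUDPEndpoint |
            Select-Object @{ n = 'Protocol'; e = { 'UDP' } }, LocalAddress, LocalPort, OwningProcess
    }
    $endpoints | ForEach-Object {
        $p = $procById[[int]$_.OwningProcess]
        [pscustomobject]@{
            Protocol      = $_.Protocol
            LocalAddress  = $_.LocalAddress
            Port          = $_.LocalPort
            # Bound to 0.0.0.0 or :: means reachable from every interface, not only loopback.
            AllInterfaces = $_.LocalAddress -in @('0.0.0.0', '::')
            PID           = $_.OwningProcess
            Process       = if ($p) { $p.Name } else { '(unknown)' }
            Services      = ($svcByPid[[int]$_.OwningProcess] -join ',')
            Path          = if ($p) { $p.ExecutablePath } else { $null }
        }
    } | Sort-Object Protocol, Port, LocalAddress -Unique
}

# The full inventory, and then the subset that deserves attention: externally reachable
# listeners that are not hosted by a registered service.
Get-OpenPortInventory | Format-Table -AutoSize
Get-OpenPortInventory | Where-Object { $_.AllInterfaces -and -not $_.Services } | Format-Table -AutoSize
```

UDP endpoints have no listen state, so every bound UDP socket is reported; a PID of 0 or 4 belongs to the System process (kernel-mode listeners such as SMB on TCP 445), which is why the process lookup may return "(unknown)" for them.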

Peripheral Device Policy

This step collects the settings of the Device Policy and stores them in the security settings inventory.

Parameter

Description

Restrict CD-ROM Access to Locally Logged-On User Only

Determines whether a CD-ROM is accessible to both local and remote users simultaneously. If enabled, this policy allows only the interactively logged-on user to access removable CD-ROM media. If no one is logged on interactively, the CD-ROM may be shared over the network. If this policy is disabled, then the local user and remote users can access the CD-ROM simultaneously.

Unsigned Driver Installation Behavior

Determines what should happen when an attempt is made to install a device driver (by means of the Windows 2000 device installer) that has not been certified by the Windows Hardware Quality Lab (WHQL).

Restrict Floppy Access to Locally Logged-On User Only

Determines whether removable floppy media is accessible to both local and remote users simultaneously. If enabled, this policy allows only the interactively logged-on user to access removable floppy media. If no one is logged on interactively, the floppy media may be shared over the network. If this policy is disabled, then the local user and remote users can access the floppy media simultaneously.

Unsigned Non-driver Installation Behavior

Defines what should happen when an attempt is made to install any non-device driver software that has not been certified.

Prevent Users from Installing Printer Drivers

Determines whether members of the Users group are prevented from installing print drivers. Note: This policy setting does not affect Power Users.

Allow to Format and Eject Removable Media

Determines who is allowed to eject removable NTFS media from the computer. This policy is defined by default in Local Computer Policy. This policy setting can be modified to provide any interactive user with the ability to eject removable NTFS media from the computer.

Allow to undock without Having to Log On

Determines whether a portable computer can be undocked without having to log on. If this policy is enabled, login is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer.

Process List

This step collects the list of active processes and saves it in the security settings inventory.

Parameter

Description

Process Path

Check this box if the path to the executable file of the process is to be added to the list.

Process User

Check this box if the name of the user who started the process is to be added to the list.

Recovery Console Policy

This step collects the settings of the Recovery Console Policy and stores them in the security settings inventory.

Parameter

Description

Allow Automatic Administrative Login

Check this box if the Recovery Console is not to require you to provide a password and automatically logs on to the system.

Allow Floppy Copy and Access to All Drives and All Folders

Enabling this option enables the Recovery Console SET command, which allows you to set the following Recovery Console environment variables:

  • AllowWildCards: Enable wildcard support for some commands (such as the DEL command).
  • AllowAllPaths: Allow access to all files and folders on the computer.
  • AllowRemovableMedia: Allow files to be copied to removable media, such as a floppy disk.
  • NoCopyPrompt: Do not prompt when overwriting an existing file.

Run Level Commands

This step collects the list of commands executed for a specific run level and saves it in the security settings inventory. It is only applicable to the Unix environment.

Parameter

Description

Command

Select from this drop-down box the command which is to be found for the run level.

Run Level

Select from this drop-down box the run level for which the commands are to be found.

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.

Shared Resources

This step collects the list of shared resources and saves it in the security settings inventory.

No parameters need to be defined for this step.

System Policy

This step collects the settings of the System Policy and stores them in the security settings inventory.

Parameter

Description

Default Owner for Objects Created by Members of the Administrator Groups

Determines which security principal becomes the default owner of objects (files, registry keys and so on) created by members of the Administrators group: either the Administrators group itself or the individual user who created the object. Assigning ownership to the individual creator keeps an audit trail of which administrator created an object.

Require Case-insensitivity for Non-Windows Subsystems

Determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX. If this setting is enabled, case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. Disabling this setting does not allow the Win32 subsystem to become case sensitive.

Use FIPS Compliant Algorithms for Encryption, Hashing, and Signing

Determines if the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. In effect, this means that the provider only supports the Transport Layer Security (TLS) protocol as a client and as a server (if applicable). It uses only the Triple DES encryption algorithm for the TLS traffic encryption, only the Rivest, Shamir, and Adleman (RSA) public key algorithm for the TLS key exchange and authentication, and only the Secure Hash Algorithm 1 (SHA-1) for the TLS hashing requirements. For the Encrypting File System (EFS), it supports only the Triple Data Encryption Standard (3DES) algorithm for encrypting file data on NTFS volumes. By default, EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key in the Windows Server 2003 family and the DESX algorithm in Windows XP for encrypting file data. For Terminal Services, it supports only the Triple DES encryption algorithm for encrypting Terminal Services network communication.

Strengthen Default Permissions of Internal System Objects

Determines the strength of the default discretionary access control list (DACL) for objects.

Clear Virtual Memory Pagefile

Determines whether the virtual memory pagefile should be cleared when the system is shut down. Enabling this security option also causes the hibernation file (hiberfil.sys) to be zeroed out when hibernation is disabled on a laptop system. When this policy is disabled, the virtual memory pagefile is not cleared during system shutdown.

Allow System to be Shut Down without Having to Log On

Determines whether a computer can be shut down without having to log on to Windows. When this policy is enabled, the Shut Down command is available on the Windows login screen. When this policy is disabled, the option to shut down the computer does not appear on the Windows login screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right in order to perform a system shutdown.
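The six System Policy settings above each map to a single registry value. The following PowerShell script is an added example (not BMC's code or part of this step) that reads those values and reports each setting as Enabled, Disabled or NotSet so the inventory can be reproduced or spot-checked by hand. The registry paths are the standard locations behind these Local Security Policy options; the FIPS location shown is the Windows Vista and later layout, and the helper and function names are this example's own.

```powershell
# Added example, not BMC's code: read the System Policy security options this
# step inventories straight from their registry locations and report each one.
# Paths are the standard locations for these Local Security Policy options.

function Get-RegDword {
    # Return a DWORD value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Setting name as it appears in the step, its registry location, and what each raw value means.
$systemPolicyMap = @(
    @{ Setting = 'Default owner for objects created by members of the Administrators group'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name    = 'NoDefaultAdminOwner'
       Meaning = @{ 0 = 'Administrators group'; 1 = 'Object creator' } }
    @{ Setting = 'Require case-insensitivity for non-Windows subsystems'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'
       Name    = 'ObCaseInsensitive'
       Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
    @{ Setting = 'Use FIPS compliant algorithms for encryption, hashing, and signing'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'   # Vista+ layout
       Name    = 'Enabled'
       Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
    @{ Setting = 'Strengthen default permissions of internal system objects'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
       Name    = 'ProtectionMode'
       Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
    @{ Setting = 'Clear virtual memory pagefile'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
       Name    = 'ClearPageFileAtShutdown'
       Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
    @{ Setting = 'Allow system to be shut down without having to log on'
       Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name    = 'ShutdownWithoutLogon'
       Meaning = @{ 0 = 'Disabled'; 1 = 'Enabled' } }
)

function Get-SystemPolicyInventory {
    foreach ($entry in $systemPolicyMap) {
        $raw = Get-RegDword -Path $entry.Path -Name $entry.Name
        $state = if ($null -eq $raw) { 'NotSet (Windows default applies)' }
                 elseif ($entry.Meaning.ContainsKey([int]$raw)) { $entry.Meaning[[int]$raw] }
                 else { "Unexpected value $raw" }
        [pscustomobject]@{
            Setting  = $entry.Setting
            Location = "$($entry.Path)\$($entry.Name)"
            Raw      = $raw
            State    = $state
        }
    }
}

# Usage: print the inventory as a table (run in an elevated prompt to read every key).
Get-SystemPolicyInventory | Format-Table -AutoSize -Wrap
```

A value that is absent is reported as NotSet rather than as Disabled, because for these options an absent value means the Windows default applies, which differs per setting; treating "absent" as "off" would misreport the FIPS and pagefile settings in particular.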

USB Drivers

This step finds the list of all installed USB drivers of any type and uploads this list to the security settings inventory. This step is only applicable to Windows devices.

Parameter

Description

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.

USB Storage Status

This step uploads the status of the USB storage to the security settings inventory. This step is only applicable to Windows devices.

Parameter

Description

Security Settings Inventory Instance Name

Enter the prefix for the instance name for the security settings inventory item, for example, entering Instance here labels the columns Instance0, Instance1, etc.
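The two USB steps above list installed USB drivers and report whether USB mass storage is enabled, labelling rows with the instance prefix given as a parameter. As an added example (not BMC's code), the PowerShell below reproduces both from the standard sources: driver records from the Win32_PnPSignedDriver WMI class, and the storage state from the Start value of the USBSTOR service key, which is the standard switch for disabling USB mass storage (4 = disabled, 3 = loads on demand). Function names and the Instance labelling are this example's own.

```powershell
# Added example, not BMC's code: inventory installed USB drivers and the USB
# mass-storage driver state. Requires PowerShell 3.0 or later for Get-CimInstance.

function Get-UsbStorageStatus {
    # USBSTOR Start: 3 = driver loads when a device is plugged in, 4 = disabled.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($null -eq $start) {
        $state = 'USBSTOR service key not present'
    } else {
        $state = switch ([int]$start) {
            3       { 'Enabled (driver starts on demand)' }
            4       { 'Disabled (driver will not load)' }
            default { "Unexpected Start value $start" }
        }
    }
    [pscustomobject]@{ Key = $key; Start = $start; State = $state }
}

function Get-UsbDriverInventory {
    # Rows are labelled InstancePrefix0, InstancePrefix1, ... as the step's parameter describes.
    param([string]$InstancePrefix = 'Instance')
    $drivers = Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceID -like 'USB\*' -or $_.DeviceID -like 'USBSTOR\*' }
    $i = 0
    foreach ($d in $drivers) {
        [pscustomobject]@{
            Instance = "$InstancePrefix$i"
            Device   = $d.DeviceName
            DeviceID = $d.DeviceID
            Provider = $d.DriverProviderName
            Version  = $d.DriverVersion
            Inf      = $d.InfName
            Signed   = $d.IsSigned     # unsigned USB drivers are worth a second look
        }
        $i++
    }
}

# Usage
Get-UsbStorageStatus
Get-UsbDriverInventory -InstancePrefix 'Instance' | Format-Table -AutoSize
```

Note that the Start value only controls whether the driver is loaded for newly attached devices; a device already mounted when the value is changed keeps working until it is removed, so an inventory run immediately after a policy change can still show storage devices present.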

Unix Service Status

This step collects the status of every service whose name matches the search string given as the parameter and saves it in the security settings inventory. It is only applicable to Unix environments.

Parameter

Description

String to Find

Enter the string which is to identify the desired service(s). This string can be a pattern or a regular expression.

User Account Control Policy

This step collects the settings of the User Account Control Policy (UAC) and stores them in the security settings inventory. This step is only applicable to Windows Vista editions.

Parameter

Description

Admin approval mode for the built-in administrator account

Defines the behavior of Admin Approval Mode for the built-in administrator account:

  • Enabled: The built-in administrator logs on in Admin Approval Mode. By default, the consent prompt is displayed for any operation that requires elevation of privilege.
  • Disabled: The built-in administrator logs on in XP-compatible mode and runs all applications by default with full administrative privilege.

Only elevate executables that are signed and validated

Enforces public key infrastructure (PKI) signature checks on any interactive application that requests elevation of privilege. Enterprise administrators can control which administrative applications are allowed through the certificates in the local computer's Trusted Publishers certificate

Behavior of elevation prompt for administrators in admin approval mode

Determines the behavior of the elevation prompt for administrators:

  • Prompt for consent: An operation that requires elevation of privilege prompts an administrator in Admin Approval Mode to click either Continue or Cancel. If the administrator clicks Continue, the operation continues with the administrator's highest available privilege. This option allows users to enter their user name and password to perform a privileged task.
  • Prompt for credentials: An operation that requires elevation of privilege prompts an administrator in Admin Approval Mode to enter a user name and password. If valid credentials are entered, the operation continues with the applicable privilege.
  • Elevate without prompting: This value allows an administrator in Admin Approval Mode to perform an operation that requires elevation without providing consent or credentials. This is the least secure option.

Behavior of the elevation prompt for standard users

Determines the behavior of the elevation prompt for standard users:

  • Prompt for credentials: An operation that requires elevation of privilege prompts the user to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
  • Automatically deny elevation requests: A standard user receives an access-denied error message when an operation that requires elevation of privilege is attempted. Most enterprises running workstations as standard user configure this policy to reduce help desk calls.

Detect application installations and prompt for elevation

Determines the behavior of application installation detection for the computer:

  • Enabled: Detects application installation packages that require an elevation of privilege to install and displays the configured elevation prompt.
  • Disabled: Enterprises running standard user workstations that use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) automatically disable this setting. In this case, installer detection is unnecessary and thus not required.

Run all administrators in admin approval mode

Determines the behavior of all UAC policies for the entire system:

  • Enabled: Admin Approval Mode and all other UAC policies are dependent on this option being enabled. Changing this setting requires that the computer be restarted.
  • Disabled: The Admin Approval Mode user type and all related UAC policies are disabled. If the Disabled value is selected, the Security Center provides notification that the overall security of the operating system has been reduced.

Switch to secure desktop when prompting for elevation

Determines whether the elevation prompt appears on the interactive user's desktop or the secure desktop:

  • Enabled: All elevation prompts appear on the secure desktop.
  • Disabled: All elevation prompts appear on the interactive user's desktop.

Only elevate UIAccess applications that are installed in secure locations

Enforces the requirement that applications requesting to be run with a UIAccess integrity level must reside in a secure location on the file system. Secure locations are limited to the following directories:

  • \Program Files (and subfolders)
  • \Windows\System32
  • \Program Files (x86) (and subfolders, in 64-bit versions of Windows only)

Virtualize file and registry write failures to per-user locations

Enables the redirection of application write failures to defined locations in both the registry and file system. This feature mitigates those applications that historically ran as administrator and wrote runtime application data to protected locations (%ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software...).
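Every UAC policy described above is stored as a DWORD under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. The PowerShell below is an added example (not BMC's code or this step's implementation) that reads those values and, beyond what the inventory itself does, flags the combinations the descriptions above call out as weak: UAC switched off entirely, "Elevate without prompting" for administrators, the built-in Administrator outside Admin Approval Mode, prompts on the interactive desktop, and UIAccess applications allowed from insecure paths. Value names are the standard UAC registry mappings; the prompt codes and defaults listed are the Windows Vista ones (later versions add codes 3 to 5 for administrators and 3 for standard users), and the check table and function names are this example's own.

```powershell
# Added example, not BMC's code: read the UAC policy values this step inventories
# and flag weak configurations. Defaults given are Windows Vista defaults, used
# when a value is absent from the key (absent means "Windows default applies").

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Weak is a script block over the effective value; entries without one are informational.
$uacChecks = @(
    @{ Name = 'EnableLUA'; Default = 1
       Setting = 'Run all administrators in Admin Approval Mode'
       Weak = { param($v) $v -eq 0 }
       Why  = 'UAC is off entirely; administrators always run with a full token' }
    @{ Name = 'ConsentPromptBehaviorAdmin'; Default = 2   # Vista: 0 = no prompt, 1 = credentials, 2 = consent
       Setting = 'Behavior of elevation prompt for administrators in Admin Approval Mode'
       Weak = { param($v) $v -eq 0 }
       Why  = 'Elevate without prompting: elevation happens silently in the admin session' }
    @{ Name = 'ConsentPromptBehaviorUser'; Default = 1   # 0 = deny automatically, 1 = prompt for credentials
       Setting = 'Behavior of the elevation prompt for standard users' }
    @{ Name = 'FilterAdministratorToken'; Default = 0
       Setting = 'Admin Approval Mode for the built-in Administrator account'
       Weak = { param($v) $v -ne 1 }
       Why  = 'Built-in Administrator logs on in XP-compatible mode with full privilege' }
    @{ Name = 'EnableInstallerDetection'; Default = 1
       Setting = 'Detect application installations and prompt for elevation' }
    @{ Name = 'ValidateAdminCodeSignatures'; Default = 0
       Setting = 'Only elevate executables that are signed and validated' }
    @{ Name = 'PromptOnSecureDesktop'; Default = 1
       Setting = 'Switch to the secure desktop when prompting for elevation'
       Weak = { param($v) $v -eq 0 }
       Why  = 'Prompts appear on the interactive desktop rather than the secure desktop' }
    @{ Name = 'EnableSecureUIAPaths'; Default = 1
       Setting = 'Only elevate UIAccess applications that are installed in secure locations'
       Weak = { param($v) $v -eq 0 }
       Why  = 'UIAccess applications may run from locations outside Program Files and System32' }
    @{ Name = 'EnableVirtualization'; Default = 1
       Setting = 'Virtualize file and registry write failures to per-user locations' }
)

function Get-UacInventory {
    foreach ($check in $uacChecks) {
        $raw = (Get-ItemProperty -Path $uacKey -Name $check.Name -ErrorAction SilentlyContinue).($check.Name)
        $effective = if ($null -eq $raw) { $check.Default } else { [int]$raw }
        $isWeak = $false
        if ($check.Weak) { $isWeak = [bool](& $check.Weak $effective) }
        [pscustomobject]@{
            Setting   = $check.Setting
            ValueName = $check.Name
            Raw       = if ($null -eq $raw) { 'NotSet' } else { $raw }
            Effective = $effective
            Finding   = if ($isWeak) { $check.Why } else { '' }
        }
    }
}

# Usage: full table, then one warning per weak setting.
$inventory = Get-UacInventory
$inventory | Format-Table -AutoSize -Wrap
$inventory | Where-Object { $_.Finding } | ForEach-Object { Write-Warning "$($_.Setting): $($_.Finding)" }
```

The checks are evaluated against the effective value (the stored value or, when absent, the default) because an absent FilterAdministratorToken means the built-in Administrator is not in Admin Approval Mode, which is exactly the case the first UAC setting above describes as Disabled.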

Windows Patches

This step collects the list of all Windows hotfixes and patches installed on the device and saves it in the security settings inventory. This step is only applicable to Windows devices.

No parameters need to be defined for this step.

Windows Registry Extracts

This step uploads the values of a given Windows registry key, together with its subkeys and their values, to the security settings inventory. This step is only applicable to Windows. Note that executing this step is very resource-intensive.

No parameters need to be defined for this step.

Windows Start-up Programs

This step collects the list of programs which are started at Windows start-up on the device and saves it in the security settings inventory. This step is applicable only to Windows devices.

No parameters need to be defined for this step.

Windows Update Status

This step verifies the status of Windows Update and uploads its configuration to the security settings inventory. This step is only applicable to Windows devices.

No parameters need to be defined for this step.
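The four Windows steps above (Windows Patches, Windows Registry Extracts, Windows Start-up Programs and Windows Update Status) each read a well-known source. As an added example that is not BMC's code, the PowerShell below collects the same four kinds of data: installed hotfixes via Get-HotFix, start-up entries from the standard Run keys and Startup folders, the Windows Update configuration from its policy and local Auto Update keys, and a registry extract. The depth and entry caps on Get-RegistryExtract are this example's own way of keeping the extract bounded, since the page notes that step is very resource-intensive; function names are this example's own.

```powershell
# Added example, not BMC's code: collectors for the patch, start-up, Windows Update
# and registry-extract steps. Requires PowerShell 3.0 or later.

function Get-PatchInventory {
    # Get-HotFix reads Win32_QuickFixEngineering; feature upgrades are not listed there.
    Get-HotFix | Select-Object HotFixID, Description, InstalledBy, InstalledOn | Sort-Object InstalledOn
}

function Get-StartupProgramInventory {
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider noise, not values
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }
            [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }
    $folders = @(
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
        (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup')
    )
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -File | ForEach-Object {
            [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-WindowsUpdateStatus {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $local  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $noAuto = (Get-ItemProperty -Path $policy -Name NoAutoUpdate -ErrorAction SilentlyContinue).NoAutoUpdate
    $polOpt = (Get-ItemProperty -Path $policy -Name AUOptions    -ErrorAction SilentlyContinue).AUOptions
    $locOpt = (Get-ItemProperty -Path $local  -Name AUOptions    -ErrorAction SilentlyContinue).AUOptions
    $option = if ($null -ne $polOpt) { $polOpt } else { $locOpt }   # Group Policy overrides the local value
    $meaning = if ($null -eq $option) { 'Not configured' } else {
        switch ([int]$option) {
            1 { 'Never check for updates' }
            2 { 'Notify before download' }
            3 { 'Download automatically, notify before install' }
            4 { 'Download and install on a schedule' }
            5 { 'Local administrator chooses' }
            default { "Unexpected AUOptions value $option" }
        }
    }
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
    [pscustomobject]@{
        DisabledByPolicy = ($noAuto -eq 1)
        AUOptions        = $option
        Meaning          = $meaning
        ServiceState     = $svc.State
        ServiceStartMode = $svc.StartMode
    }
}

function Get-RegistryExtract {
    # Breadth-limited walk: stops at MaxDepth levels below Path or MaxEntries values, whichever first.
    param([Parameter(Mandatory)][string]$Path, [int]$MaxDepth = 2, [int]$MaxEntries = 500)
    $out   = New-Object System.Collections.Generic.List[object]
    $stack = New-Object System.Collections.Generic.Stack[object]
    $stack.Push(@{ Path = $Path; Depth = 0 })
    while ($stack.Count -gt 0 -and $out.Count -lt $MaxEntries) {
        $cur = $stack.Pop()
        $key = Get-Item -Path $cur.Path -ErrorAction SilentlyContinue   # Microsoft.Win32.RegistryKey
        if ($null -eq $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $out.Add([pscustomobject]@{
                Key = $cur.Path; Name = $name; Type = $key.GetValueKind($name); Value = $key.GetValue($name)
            })
        }
        if ($cur.Depth -lt $MaxDepth) {
            foreach ($sub in $key.GetSubKeyNames()) {
                $stack.Push(@{ Path = (Join-Path $cur.Path $sub); Depth = $cur.Depth + 1 })
            }
        }
    }
    return $out
}

# Usage
Get-PatchInventory | Format-Table -AutoSize
Get-StartupProgramInventory | Format-Table -AutoSize -Wrap
Get-WindowsUpdateStatus
Get-RegistryExtract -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows' -MaxDepth 2 | Format-Table -AutoSize
```

The registry extract uses an explicit stack instead of recursion so the caps are enforced in one place; raising MaxDepth on a wide key such as HKLM:\SOFTWARE is what makes the unbounded version of this step as costly as the page warns.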

 


BMC Client Management 20.08