Windows security settings
Policy names may differ between Windows 2003 or 2008 and Windows 2000. When you audit Security Settings, BMC Server Automation displays the name that Windows 2003 and 2008 use for the policy, even though Windows 2000 may use a different name for the same policy or may not offer the policy at all. (One policy is not available in Windows 2003 and 2008; for that policy BMC Server Automation uses the Windows 2000 name.) An audit does not report an inconsistency merely because the policy name differs between Windows versions. When an audit includes a policy that is not available for a server's operating system, the local and effective settings for that policy are shown as Not defined.
Windows 2003 or 2008 Setting | Windows 2000 Setting |
---|---|
Accounts: Administrator account status | Not available |
Accounts: Guest account status | Not available |
Accounts: Limit local account use of blank passwords to console logon only | Not available |
Accounts: Rename administrator account | Rename administrator account |
Accounts: Rename guest account | Rename guest account |
Audit: Audit the access of global system objects | Audit the access of global system objects |
Audit: Audit the use of Backup and Restore privilege | Audit the use of Backup and Restore privilege |
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Not available |
Audit: Shut down system immediately if unable to log security audits | Shut down system immediately if unable to log security audits |
Devices: Allow undock without having to log on | Not available |
Devices: Allowed to format and eject removable media | Allowed to eject removable NTFS media |
Devices: Prevent users from installing printer drivers | Prevent users from installing printer drivers |
Devices: Restrict CD-ROM access to locally logged-on user only | Restrict CD-ROM access to locally logged-on user only |
Devices: Restrict floppy access to locally logged-on user only | Restrict floppy access to locally logged-on user only |
Devices: Unsigned driver installation behavior | Unsigned driver installation behavior |
Domain controller: Allow server operators to schedule tasks | Domain controller: Allow server operators to schedule tasks (Domain controllers only) |
Domain controller: LDAP server signing requirements | Not available |
Domain controller: Refuse machine account password changes | Not available |
Domain member: Digitally encrypt or sign secure channel data (always) | Secure channel: Digitally encrypt or sign secure channel data (always) |
Domain member: Digitally encrypt secure channel data (when possible) | Secure channel: Digitally encrypt secure channel data (when possible) |
Domain member: Digitally sign secure channel data (when possible) | Secure channel: Digitally sign secure channel data (when possible) |
Domain member: Disable machine account password changes | Prevent system maintenance of computer password |
Domain member: Maximum machine account password age | Not available |
Domain member: Require strong (Windows 2000 or later) session key | Secure channel: Require strong (Windows 2000 or later) session key |
Interactive logon: Display user information when the session is locked | Not available |
Interactive logon: Do not display last user name | Do not display last user name in logon screen |
Interactive logon: Do not require CTRL+ALT+DEL | Disable CTRL+ALT+DEL requirement for logon |
Interactive logon: Message text for users attempting to log on | Message text for users attempting to log on |
Interactive logon: Message title for users attempting to log on | Message title for users attempting to log on |
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | Number of previous logons to cache (in case domain controller is not available) |
Interactive logon: Prompt user to change password before expiration | Prompt user to change password before expiration |
Interactive logon: Require Domain Controller authentication to unlock workstation | Not available |
Interactive logon: Require smart card | Not available |
Interactive logon: Smart card removal behavior | Interactive logon: Smart card removal behavior |
Microsoft network client: Digitally sign communications (always) | Digitally sign client communication (always) |
Microsoft network client: Digitally sign communications (if server agrees) | Digitally sign client communication (when possible) |
Microsoft network client: Send unencrypted password to third-party SMB servers | Send unencrypted password to connect to third-party SMB servers |
Microsoft network server: Amount of idle time required before suspending session | Amount of idle time required before disconnecting session |
Microsoft network server: Digitally sign communications (always) | Digitally sign server communications |
Microsoft network server: Digitally sign communications (if client agrees) | Digitally sign server communication (when possible) |
Microsoft network server: Disconnect clients when logon hours expire | Automatically log off users when logon time expires (local) |
Network access: Allow anonymous SID/Name translation | Not available |
Network access: Do not allow anonymous enumeration of SAM accounts | Not available |
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Note: In Windows the following options are possible: |
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Not available |
Network access: Let Everyone permissions apply to anonymous users | Not available |
Network access: Named Pipes that can be accessed anonymously | Not available |
Network access: Remotely accessible registry paths and sub-paths | Not available |
Network access: Restrict anonymous access to Named Pipes and Shares | Not available |
Network access: Shares that can be accessed anonymously | Not available |
Network access: Sharing and security model for local accounts | Not available |
Network security: Do not store LAN Manager hash value on next password change | Not available |
Network security: Force logoff when logon hours expire | Automatically log off users when logon time expires |
Network security: LAN Manager authentication level | LAN Manager authentication level |
Network security: LDAP client signing requirements | Not available |
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Not available |
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Not available |
Recovery console: Allow automatic administrative logon | Recovery console: Allow automatic administrative logon |
Recovery console: Allow floppy copy and access to all drives and all folders | Recovery console: Allow floppy copy and access to all drives and all folders |
Shutdown: Allow system to be shut down without having to log on | Allow system to be shut down without having to log on |
Shutdown: Clear virtual memory page file | Clear virtual memory page file when system shuts down |
System cryptography: Force strong key protection for user keys stored on the computer | Not available |
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Not available |
System objects: Default owner for objects created by members of the Administrators group | Not available |
System objects: Require case insensitivity for non-Windows subsystems | Not available |
System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links) | Strengthen default permissions of global system objects (e.g. Symbolic Links) |
System settings: Optional subsystems | Not available |
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Not available |
User Account Control: Admin Approval Mode for the Built-in Administrator account | Not available |
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Not available |
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Not available |
User Account Control: Behavior of the elevation prompt for standard users | Not available |
User Account Control: Detect application installations and prompt for elevation | Not available |
User Account Control: Only elevate executables that are signed and validated | Not available |
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Not available |
User Account Control: Run all administrators in Admin Approval Mode | Not available |
User Account Control: Switch to the secure desktop when prompting for elevation | Not available |
User Account Control: Virtualize file and registry write failures to per-user locations | Not available |
User Rights Assignment: Access Credential Manager as a trusted caller | Not available |
User Rights Assignment: Change the time zone | Not available |
User Rights Assignment: Create symbolic links | Not available |
User Rights Assignment: Increase a process working set | Not available |
User Rights Assignment: Modify an object label | Not available |
Not available | Unsigned non-driver installation behavior |