Computer Configuration / Software Settings / Windows Settings / Security Settings / Account Policies

Password Policy (Settings included in Domain Policies)

| Policy settings as they appear in the Group Policy Object Editor in Windows Vista | Windows Vista default | EC domain policy | SSLF domain policy |
|---|---|---|---|
| Enforce password history | 0 passwords remembered | 24 passwords remembered | 24 passwords remembered |
| Maximum password age | 42 days | 90 days | 90 days |
| Minimum password age | 0 days | 1 day | 1 day |
| Minimum password length | 0 characters | 8 characters | 12 characters |
| Passwords must meet complexity requirements | Disabled | Enabled | Enabled |
| Store passwords using reversible encryption | Disabled | Disabled | Disabled |

Account Lockout Policy (Settings included in Domain Policies)

| Policy settings as they appear in the Group Policy Object Editor in Windows Vista | Windows Vista default | EC domain policy | SSLF domain policy |
|---|---|---|---|
| Account lockout duration | Not applicable | 15 minutes | 15 minutes |
| Account lockout threshold | 0 invalid logon attempts | 50 invalid logon attempts | 10 invalid logon attempts |
| Reset account lockout counter after | Not applicable | 15 minutes | 15 minutes |

Computer Configuration / Windows Settings / Scripts

| Policy settings as they appear in the Group Policy Object Editor in Windows Vista | Windows Vista default | EC desktop GPO | EC laptop GPO | SSLF desktop GPO | SSLF laptop GPO | Registry Settings |
|---|---|---|---|---|---|---|
| Startup | None | \\%userdomain%\NETLOGON\ECVSGAuditPolicy.cmd | \\%userdomain%\NETLOGON\ECVSGAuditPolicy.cmd | \\%userdomain%\NETLOGON\SSLFVSGAuditPolicy.cmd | \\%userdomain%\NETLOGON\SSLFVSGAuditPolicy.cmd | |

Computer Configuration / Windows Settings / Security Settings / Local Policies / Audit Policy

| Policy settings as they appear in the Group Policy Object Editor in Windows Vista | Windows Vista default | EC desktop GPO | EC laptop GPO | SSLF desktop GPO | SSLF laptop GPO | Registry Settings |
|---|---|---|---|---|---|---|
| Audit account logon events | No auditing | Success | Success | Not defined | Not defined | Audit Policy security settings are not registry keys. |
| Audit account management | No auditing | Success | Success | Not defined | Not defined | Audit Policy security settings are not registry keys. |
| Audit directory service access | No auditing | Not defined | Not defined | Not defined | Not defined | Audit Policy security settings are not registry keys. |
| Audit logon events | No auditing | Success | Success | Not defined | Not defined | Audit Policy security settings are not registry keys. |
| Audit object access | No auditing | No Auditing | No Auditing | Not defined | Not defined | Audit Policy security settings are not registry keys. |
| Audit policy change | No auditing | Success | Success | Not defined | Not defined | Audit Policy security settings are not registry keys. |
| Audit privilege use | No auditing | No Auditing | No Auditing | Not defined | Not defined | Audit Policy security settings are not registry keys. |
| Audit process tracking | No auditing | No Auditing | No Auditing | Not defined | Not defined | Audit Policy security settings are not registry keys. |
| Audit system events | No auditing | Success | Success | Not defined | Not defined | Audit Policy security settings are not registry keys. |

User Rights Assignment

| Policy settings as they appear in the Group Policy Object Editor in Windows Vista | Windows Vista default | EC desktop GPO | EC laptop GPO | SSLF desktop GPO | SSLF laptop GPO | Registry Settings |
|---|---|---|---|---|---|---|
| Access this computer from the network (SeNetworkLogonRight) | Everyone, Administrators, Users, Backup Operators | Administrators, Users | Administrators, Users | Administrators | Administrators | User Rights security settings are not registry keys |
| Act as part of the operating system (SeTcbPrivilege) | No One | No One | No One | No One | No One | User Rights security settings are not registry keys |
| Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) | LOCAL SERVICE, NETWORK SERVICE, Administrators | Not defined | Not defined | Administrators, Local Service, Network Service | Administrators, Local Service, Network Service | User Rights security settings are not registry keys |
| Allow log on locally | Guest, Administrators, Users, Backup Operators | Administrators, Users | Administrators, Users | Administrators, Users | Administrators, Users | User Rights security settings are not registry keys |
| Allow log on through Terminal Services (SeRemoteInteractiveLogonRight) | Administrators, Remote Desktop Users | Not defined | Not defined | No One | No One | User Rights security settings are not registry keys |
| Back up files and directories (SeBackupPrivilege) | Administrators, Backup Operators | Not defined | Not defined | Administrators | Administrators | User Rights security settings are not registry keys |
| Bypass traverse checking (SeChangeNotifyPrivilege) | Everyone, Administrators, Users, Backup Operators, Local Service, Network Service | Not defined | Not defined | Administrators, Users, Local Service, Network Service | Administrators, Users, Local Service, Network Service | User Rights security settings are not registry keys |
| Change the system time (SeSystemTimePrivilege) | LOCAL SERVICE, Administrators | LOCAL SERVICE, Administrators | LOCAL SERVICE, Administrators | LOCAL SERVICE, Administrators | LOCAL SERVICE, Administrators | User Rights security settings are not registry keys |
| Change the time zone | LOCAL SERVICE, Administrators, Users | Not defined | Not defined | LOCAL SERVICE, Administrators, Users | LOCAL SERVICE, Administrators, Users | User Rights security settings are not registry keys |
| Create a pagefile (SeCreatePagefilePrivilege) | Administrators | Administrators | Administrators | Administrators | Administrators | User Rights security settings are not registry keys |
| Create a token object (SeCreateTokenPrivilege) | No One | Not defined | Not defined | No One | No One | User Rights security settings are not registry keys |
| Create global objects (SeCreateGlobalPrivilege) | Administrators, SERVICE, Local Service, Network Service | Not defined | Not defined | Administrators, SERVICE, Local Service, Network Service | Administrators, SERVICE, Local Service, Network Service | User Rights security settings are not registry keys |
| Create permanent shared objects | No One | Not defined | Not defined | No One | No One | User Rights security settings are not registry keys |
| Create symbolic links | Administrators | Not defined | Not defined | Administrators | Administrators | User Rights security settings are not registry keys |
| Debug programs (SeDebugPrivilege) | Administrators | Administrators | Administrators | No One | No One | User Rights security settings are not registry keys |
| Deny access to this computer from the network (SeDenyNetworkLogonRight) | Guest | Guests | Guests | Guests | Guests | User Rights security settings are not registry keys |
| Deny log on as a batch job (SeDenyBatchLogonRight) | No One | Not defined | Not defined | Guests | Guests | User Rights security settings are not registry keys |
| Deny log on locally (SeDenyInteractiveLogonRight) | Guest | Guests | Guests | Guests | Guests | User Rights security settings are not registry keys |
| Deny log on through Terminal Services (SeDenyRemoteInteractiveLogonRight) | No One | Not Defined | Not Defined | Everyone | Everyone | User Rights security settings are not registry keys |
| Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege) | No One | Not defined | Not defined | No One | No One | User Rights security settings are not registry keys |
| Force shutdown from a remote system (SeRemoteShutdownPrivilege) | Administrators | Administrators | Administrators | Administrators | Administrators | User Rights security settings are not registry keys |
| Generate security audits (SeAuditPrivilege) | LOCAL SERVICE, NETWORK SERVICE | Local Service, Network Service | Local Service, Network Service | Local Service, Network Service | Local Service, Network Service | User Rights security settings are not registry keys |
| Impersonate a client after authentication | Administrators, SERVICE, Local Service, Network Service | Not defined | Not defined | Administrators, SERVICE, Local Service, Network Service | Administrators, SERVICE, Local Service, Network Service | User Rights security settings are not registry keys |
| Increase a process working set | Users | Not defined | Not defined | Administrators | Administrators | User Rights security settings are not registry keys |
| Increase scheduling priority (SeIncreaseBasePriorityPrivilege) | Administrators | Administrators | Administrators | Administrators | Administrators | User Rights security settings are not registry keys |
| Load and unload device drivers (SeLoadDriverPrivilege) | Administrators | Administrators | Administrators | Administrators | Administrators | User Rights security settings are not registry keys |
| Lock pages in memory (SeLockMemoryPrivilege) | No One | No One | No One | No One | No One | User Rights security settings are not registry keys |
| Log on as a batch job (SeBatchLogonRight) | Administrators, Backup Operators | Not defined | Not defined | No One | No One | User Rights security settings are not registry keys |
| Log on as a service (SeServiceLogonRight) | No One | Not defined | Not defined | No One | No One | User Rights security settings are not registry keys |
| Manage auditing and security log (SeSecurityPrivilege) | Administrators | Administrators | Administrators | Administrators | Administrators | User Rights security settings are not registry keys |
| Modify firmware environment values (SeSystemEnvironmentPrivilege) | Administrators | Administrators | Administrators | Administrators | Administrators | User Rights security settings are not registry keys |
| Perform Volume Maintenance Tasks (SeManageVolumePrivilege) | Administrators | Administrators | Administrators | Administrators | Administrators | User Rights security settings are not registry keys |
| Profile single process (SeProfileSingleProcessPrivilege) | Administrators | Not defined | Not defined | Administrators | Administrators | User Rights security settings are not registry keys |
| Profile system performance (SeSystemProfilePrivilege) | Administrators | Administrators | Administrators | Administrators | Administrators | User Rights security settings are not registry keys |
| Remove computer from docking station (SeUndockPrivilege) | Administrators, Users | Administrators, Users | Administrators, Users | Administrators, Users | Administrators, Users | User Rights security settings are not registry keys |
| Replace a process level token (SeAssignPrimaryTokenPrivilege) | LOCAL SERVICE, NETWORK SERVICE | Local Service, Network Service | Local Service, Network Service | Local Service, Network Service | Local Service, Network Service | User Rights security settings are not registry keys |
| Restore files and directories (SeRestorePrivilege) | Administrators, Backup Operators | Not defined | Not defined | Administrators | Administrators | User Rights security settings are not registry keys |
| Shut down the system (SeShutdownPrivilege) | Administrators, Backup Operators, Users | Administrators, Users | Administrators, Users | Administrators, Users | Administrators, Users | User Rights security settings are not registry keys |
| Take ownership of files or other objects (SeTakeOwnershipPrivilege) | Administrators | Administrators | Administrators | Administrators | Administrators | User Rights security settings are not registry keys |

Security Options

| Policy settings as they appear in the Group Policy Object Editor in Windows Vista | Windows Vista default | EC desktop GPO | EC laptop GPO | SSLF desktop GPO | SSLF laptop GPO | Registry Settings |
|---|---|---|---|---|---|---|
| Accounts: Administrator account status | Disabled | Not defined | Not defined | Disabled | Disabled | Not a Registry Key |
| Accounts: Guest account status | Disabled | Disabled | Disabled | Disabled | Disabled | Not a Registry Key |
| Accounts: Limit local account use of blank passwords to console logon only | Enabled | Enabled | Enabled | Enabled | Enabled | MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse |
| Accounts: Rename administrator account | Administrator | Recommended | Recommended | Recommended | Recommended | Not a Registry Key |
| Accounts: Rename guest account | Guest | Recommended | Recommended | Recommended | Recommended | Not a Registry Key |
| Audit: Audit the access of global system objects | Disabled | Not defined | Not defined | Disabled | Disabled | MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects |
| Audit: Audit the use of Backup and Restore privilege | Disabled | Not defined | Not defined | Disabled | Disabled | MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing |
| Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Not Defined | Enabled | Enabled | Enabled | Enabled | MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy |
| Audit: Shut down system immediately if unable to log security audits | Disabled | Not defined | Not defined | Disabled | Disabled | MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail |
| Devices: Allow undock without having to log on | Enabled | Not defined | Not defined | Disabled | Disabled | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon |
| Devices: Allowed to format and eject removable media | Not defined (registry value doesn't exist by default) | Administrators and Interactive Users | Administrators and Interactive Users | Administrators | Administrators | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD |
| Devices: Prevent users from installing printer drivers | Disabled | Enabled | Disabled | Enabled | Disabled | MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers |
| Devices: Restrict CD-ROM access to locally logged-on user only | Not defined (registry value doesn't exist by default) | Not defined | Not defined | Disabled | Disabled | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms |
| Devices: Restrict floppy access to locally logged-on user only | Not defined (registry value doesn't exist by default) | Not defined | Not defined | Disabled | Disabled | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies |
| Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | Enabled | Enabled | Enabled | Enabled | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled | Enabled | Enabled | Enabled | Enabled | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel |
| Domain member: Digitally sign secure channel data (when possible) | Enabled | Enabled | Enabled | Enabled | Enabled | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel |
| Domain member: Disable machine account password changes | Disabled | Disabled | Disabled | Disabled | Disabled | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange |
| Domain member: Maximum machine account password age | 30 days | 30 days | 30 days | 30 days | 30 days | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge |
| Domain member: Require strong (Windows 2000 or later) session key | Disabled | Enabled | Enabled | Enabled | Enabled | MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey |
| Interactive logon: Do not display last user name | Disabled | Enabled | Enabled | Enabled | Enabled | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName |
| Interactive logon: Do not require CTRL+ALT+DEL | Not defined | Disabled | Disabled | Disabled | Disabled | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD |
| Interactive logon: Message text for users attempting to log on | Blank | Recommended | Recommended | Recommended | Recommended | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText |
| Interactive logon: Message title for users attempting to log on | Blank | Recommended | Recommended | Recommended | Recommended | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 10 logons | 2 logons | 2 logons | 0 logons | 2 logons | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount |
| Interactive logon: Prompt user to change password before expiration | 14 days | 14 days | 14 days | 14 days | 14 days | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning |
| Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled | Enabled | Disabled | Enabled | Disabled | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon |
| Interactive logon: Smart card removal behavior | No Action | Lock Workstation | Lock Workstation | Lock Workstation | Lock Workstation | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption |
| Microsoft network client: Digitally sign communications (always) | Disabled | Enabled | Enabled | Enabled | Enabled | MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Enabled | Enabled | Enabled | Enabled | MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled | Disabled | Disabled | Disabled | MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword |
| Microsoft network server: Amount of idle time required before suspending session | 15 minutes | 15 Minutes | 15 Minutes | 15 Minutes | 15 Minutes | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect |
| Microsoft network server: Digitally sign communications (always) | Disabled | Enabled | Enabled | Enabled | Enabled | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature |
| Microsoft network server: Digitally sign communications (if client agrees) | Disabled | Enabled | Enabled | Enabled | Enabled | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature |
| Microsoft network server: Disconnect clients when logon hours expire | Enabled | Enabled | Enabled | Enabled | Enabled | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff |
| MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) | N/A | Not defined | Not defined | Disabled | Disabled | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon |
| MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | N/A | Not defined | Not defined | Highest Protection, source routing is completely disabled. | Highest Protection, source routing is completely disabled. | MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting |
| MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) | N/A | Not defined | Not defined | Disabled | Disabled | MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect |
| MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | N/A | Not defined | Not defined | Disabled | Disabled | MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect |
| MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) | N/A | Not defined | Not defined | Enabled | Enabled | MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden |
| MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds | N/A | Not defined | Not defined | 30000 or 5 minutes (recommended) | 30000 or 5 minutes (recommended) | MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime |
| MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic. | N/A | Multicast, broadcast, and ISAKMP are exempt (Best for Windows XP) | Multicast, broadcast, and ISAKMP are exempt (Best for Windows XP) | Multicast, broadcast, and ISAKMP are exempt (Best for Windows XP) | Multicast, broadcast, and ISAKMP are exempt (Best for Windows XP) | MACHINE\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt |
| MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended) | N/A | 255, disable autorun for all drives | 255, disable autorun for all drives | 255, disable autorun for all drives | 255, disable autorun for all drives | MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun |
| MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | N/A | Not defined | Not defined | Enabled | Enabled | MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand |
| MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) | N/A | Not defined | Not defined | Enabled | Enabled | MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation |
| MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS) | N/A | Not defined | Not defined | Disabled | Disabled | MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery |
| MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) | N/A | Enabled | Enabled | Enabled | Enabled | MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode |
| MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) | N/A | 0 | 0 | 0 | 0 | MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod |
| MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) | N/A | Not defined | Not defined | Connections timeout sooner if SYN attack is detected | Connections timeout sooner if SYN attack is detected | MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect |
| MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged | N/A | Not defined | Not defined | 3 & 6 seconds, half-open connections dropped after 21 seconds | 3 & 6 seconds, half-open connections dropped after 21 seconds | MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions |
| MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) | N/A | Not defined | Not defined | 3 | 3 | MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions |
| MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning | N/A | Not defined | Not defined | 90 | 90 | MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel |

| Policy settings as they appear in the Group Policy Object Editor in Windows Vista | Windows Vista default | EC desktop GPO | EC laptop GPO | SSLF desktop GPO | SSLF laptop GPO | Registry Settings |
|---|---|---|---|---|---|---|
| Network access: Allow anonymous SID/Name translation | Disabled | Disabled | Disabled | Disabled | Disabled | Not a Registry Key |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled | Enabled | Enabled | Enabled | MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Disabled | Enabled | Enabled | Enabled | Enabled | MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous |
| Network access: Do not allow storage of credentials or .NET Passports for network authentication | Disabled | Enabled | Enabled | Enabled | Enabled | MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds |
| Network access: Let Everyone permissions apply to anonymous users | Disabled | Disabled | Disabled | Disabled | Disabled | MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous |
| Network access: Named Pipes that can be accessed anonymously | netlogon, lsarpc, samr, browser | Not defined | Not defined | netlogon, lsarpc, samr, browser | netlogon, lsarpc, samr, browser | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes |
| Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion | Not defined | Not defined | System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion | System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion | MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine |
| Network access: Remotely accessible registry paths and sub paths | System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\User Config, System\CurrentControlSet\Control\Terminal Server\Default User Config, Software\Microsoft\Windows NT\CurrentVersion\perflib, System\CurrentControlSet\Services\SysmonLog | Not defined | Not defined | System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\User Config, System\CurrentControlSet\Control\Terminal Server\Default User Config, Software\Microsoft\Windows NT\CurrentVersion\perflib, System\CurrentControlSet\Services\SysmonLog | System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\User Config, System\CurrentControlSet\Control\Terminal Server\Default User Config, Software\Microsoft\Windows NT\CurrentVersion\perflib, System\CurrentControlSet\Services\SysmonLog | MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine |
| Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | Not defined | Not defined | Enabled | Enabled | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares |
| Network access: Shares that can be accessed anonymously | None | Not defined | Not defined | None | None | MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares |
| Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves | Classic – local users authenticate as themselves | Classic – local users authenticate as themselves | Classic – local users authenticate as themselves | Classic – local users authenticate as themselves | MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest |
| Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled | Enabled | Enabled | Enabled | MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash |
| Network security: Force logoff when logon hours expire | Disabled | Not defined | Not defined | Not defined | Not defined | Not a Registry Key |
| Network security: LAN Manager authentication level | Send NTLMv2 response only | Send NTLMv2 responses only. Refuse LM | Send NTLMv2 responses only. Refuse LM | Send NTLMv2 response only. Refuse LM and NTLM | Send NTLMv2 response only. Refuse LM and NTLM | MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel |
| Network security: LDAP client signing requirements | Negotiate signing | Negotiate signing | Negotiate signing | Negotiate signing | Negotiate signing | MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | No minimum | Require NTLMv2 session security, Require 128 bit encryption | Require NTLMv2 session security, Require 128 bit encryption | Require NTLMv2 session security, Require 128 bit encryption | Require NTLMv2 session security, Require 128 bit encryption | MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | No minimum | Require NTLMv2 session security, Require 128 bit encryption | Require NTLMv2 session security, Require 128 bit encryption | Require NTLMv2 session security, Require 128 bit encryption | Require NTLMv2 session security, Require 128 bit encryption | MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec |
| Recovery console: Allow automatic administrative logon | Disabled | Disabled | Disabled | Disabled | Disabled | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel |
| Recovery console: Allow floppy copy and access to all drives and all folders | Disabled | Not defined | Not defined | Disabled | Disabled | MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand |
| Shutdown: Allow system to be shut down without having to log on | Enabled | Not defined | Not defined | Disabled | Disabled | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon |
| Shutdown: Clear virtual memory pagefile | Disabled | Disabled | Disabled | Disabled | Enabled | MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown |
| System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled | Not defined | Not defined | Disabled | Disabled | MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy |
| System objects: Require case insensitivity for non-Windows subsystems | Enabled | Not defined | Not defined | Enabled | Enabled | MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive |
| System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled | Enabled | Enabled | Enabled | Enabled | MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode |
| User Account Control: Admin Approval Mode for the Built-in Administrator account | Disabled | Enabled | Enabled | Enabled | Enabled | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent | Prompt for credentials | Prompt for credentials | Prompt for credentials | Prompt for credentials | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin |
| User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials | Automatically deny elevation requests | Automatically deny elevation requests | Automatically deny elevation requests | Automatically deny elevation requests | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser |
| User Account Control: Detect application installations and prompt for elevation | Enabled | Enabled | Enabled | Enabled | Enabled | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection |
| User Account Control: Only elevate executables that are signed and validated | Disabled | Disabled | Disabled | Disabled | Disabled | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures |
| User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled | Enabled | Enabled | Enabled | Enabled | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths |
| User Account Control: Run all administrators in Admin Approval Mode | Enabled | Enabled | Enabled | Enabled | Enabled | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA |
| User Account Control: Switch to the secure desktop when prompting for elevation | Enabled | Enabled | Enabled | Enabled | Enabled | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop |
| User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | Enabled | Enabled | Enabled | Enabled | MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization |

Maximum application log size

Not applicable (default = 32768 KB 20480)

32768 KB

32768 KB

32768 KB

Event Log security settings are not registry keys.

Maximum DFS log size Maximum Media Log size Maximum security log size

Not applicable Not applicable Not applicable Not applicable Not applicable (default = 81920 KB 20480)

Not applicable Not applicable 81920 KB

Not applicable Not applicable 81920 KB

Not applicable Not applicable 81920 KB

Event Log security settings are not registry keys. Event Log security settings are not registry keys. Event Log security settings are not registry keys.

Maximum system log size

Not applicable (default = 20480)

32768 KB

32768 KB

32768 KB

32768 KB

Event Log security settings are not registry keys.

Prevent local guests group from accessing application log

Not applicable

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Event Log security settings are not registry keys.

Prevent local guests group from accessing system log

Not applicable

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Event Log security settings are not registry keys.

Prevent local guests group from accessing security log

Not applicable

Not Applicable

Not Applicable

Not Applicable

Not Applicable

Event Log security settings are not registry keys.

Retain application log Retain security log Retain system log

Not applicable Not applicable Not applicable

Not Defined Not Defined Not Defined

Not Defined Not Defined Not Defined

Not Defined Not Defined Not Defined

Not Defined Not Defined Not Defined

Event Log security settings are not registry keys. Event Log security settings are not registry keys. Event Log security settings are not registry keys.

Event Log

Policy settings as they appear in the Group Policy Object Editor in Windows Vista

Windows Vista default

EC desktop GPO

EC laptop GPO

SSLF desktop GPO

SSLF laptop GPO

Registry Settings

Computer Configuration

Retention method for application log

Not applicable (default = Overwrite as needed)

As Needed

As Needed

As Needed

As Needed

Event Log security settings are not registry keys.

Retention method for security log

Not applicable (default = Overwrite as needed)

As Needed

As Needed

As Needed

As Needed

Event Log security settings are not registry keys.

Retention method for system log

Not applicable (default = Overwrite as needed)

As Needed

As Needed

As Needed

As Needed

Event Log security settings are not registry keys.

Windows Firewall with Advanced Security Windows Firewall with Advanced Security Windows Firewall Properties Domain Profile Tab Firewall state Inbound connections Outbound connections Customized Settings Display a notification Allow unicast response Apply local firewall rules Apply local connection security rules

Not configured Not configured Not configured

On (recommended) Block (default) Allow (default)

On (recommended) Block (default) Allow (default)

On (recommended) Block (default) Allow (default)

On (recommended) Block (default) Allow (default)

MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultInboundAction MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultOutboundAction

Not configured Not configured Not configured Not configured

Yes (default) No Yes (default) Yes (default)

Yes (default) No Yes (default) Yes (default)

No No No No

No No No No

MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DisableNotifications MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DisableUnicastResponsesToMulticastBroadcast MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalPolicyMerge MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalIPsecPolicyMerge

Not configured Not configured Not configured

On (recommended) Block (default) Allow (default)

On (recommended) Block (default) Allow (default)

On (recommended) Block (default) Allow (default)

On (recommended) Block (default) Allow (default)

MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultInboundAction MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultOutboundAction

Not configured Not configured Not configured Not configured

Yes (default) No Yes (default) Yes (default)

Yes (default) No Yes (default) Yes (default)

No No No No

No No No No

MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableNotifications MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableUnicastResponsesToMulticastBroadcast MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalPolicyMerge MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalIPsecPolicyMerge

Not configured Not configured Not configured

On (recommended) Block (default) Allow (default)

On (recommended) Block (default) Allow (default)

On (recommended) Block (default) Allow (default)

On (recommended) Block (default) Allow (default)

MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultInboundAction MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultOutboundAction

Not configured Not configured Not configured Not configured

No No No No

No No No No

No No No No

No No No No

MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableNotifications MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableUnicastResponsesToMulticastBroadcast MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalPolicyMerge MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalIPsecPolicyMerge

Not applicable

Not Recommended

Not Recommended

Not configured

Not configured

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowOutboundDestinationUnreachable, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowOutboundSourceQuench, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowRedirect, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowInboundEchoRequest, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowInboundRouterRequest, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowOutboundTimeExceeded, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowOutboundParameterProblem, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowInboundTimestampRequest, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowInboundMaskRequest, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowOutboundPacketTooBig

Windows Firewall: Allow inbound file and printer sharing exception

Not applicable

Disabled

Disabled

Not configured

Not configured

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint!RemoteAddresses

Windows Firewall: Allow inbound remote administration exception

Not applicable

Not Recommended

Not Recommended

Not configured

Not configured

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!RemoteAddresses

Windows Firewall: Allow inbound Remote Desktop exceptions

Not applicable

Enabled

Enabled

Not configured

Not configured

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop!RemoteAddresses

Windows Firewall: Allow inbound UPnP framework exceptions

Not applicable

Not Recommended

Not Recommended

Not configured

Not configured

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework!RemoteAddresses

Windows Firewall: Allow local port exceptions

Not applicable

Disabled

Disabled

Disabled

Disabled

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts!AllowUserPrefMerge

Windows Firewall: Allow local program exceptions

Not applicable

Not configured

Not configured

Disabled

Disabled

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications!AllowUserPrefMerge

Windows Firewall: Define inbound port exceptions

Not applicable

Not Recommended

Not Recommended

Not configured

Not configured

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts!Enabled

Windows Firewall: Define inbound program exceptions

Not applicable

Recommended

Recommended

Not configured

Not configured

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications!Enabled

Windows Firewall: Do not allow exceptions

Not applicable

Not Recommended

Not Recommended

Not configured

Not configured

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DoNotAllowExceptions

Windows Firewall: Prohibit notifications

Not applicable

Disabled

Disabled

Enabled

Enabled

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DisableNotifications

Windows Firewall: Prohibit unicast response to multicast or broadcast requests

Not applicable

Enabled

Enabled

Enabled

Enabled

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DisableUnicastResponsesToMulticastBroadcast

Windows Firewall: Protect all network connections

Not applicable

Enabled

Enabled

Enabled

Enabled

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall

Not applicable

Disabled

Disabled

Not configured

Not configured

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowOutboundDestinationUnreachable, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowOutboundSourceQuench, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowRedirect, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowInboundEchoRequest, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowInboundRouterRequest, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowOutboundTimeExceeded, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowOutboundParameterProblem, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowInboundTimestampRequest, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowInboundMaskRequest, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowOutboundPacketTooBig

Windows Firewall: Allow inbound file and printer sharing exception

Not applicable

Disabled

Disabled

Not configured

Not configured

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint!RemoteAddresses

Windows Firewall: Allow inbound remote administration exception

Not applicable

Disabled

Disabled

Not configured

Not configured

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings!RemoteAddresses

Windows Firewall: Allow inbound Remote Desktop exceptions

Not applicable

Enabled

Enabled

Not configured

Not configured

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop!RemoteAddresses

Windows Firewall: Allow inbound UPnP framework exceptions

Not applicable

Disabled

Disabled

Not configured

Not configured

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\UPnPFramework!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\UPnPFramework!RemoteAddresses

Windows Firewall: Allow local port exceptions

Not applicable

Disabled

Disabled

Not configured

Not configured

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts!AllowUserPrefMerge

Windows Firewall: Allow local program exceptions

Not applicable

Not Recommended

Not Recommended

Not configured

Not configured

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications!AllowUserPrefMerge

Windows Firewall: Define inbound port exceptions

Not applicable

Not Recommended

Not Recommended

Not configured

Not configured

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts!Enabled

Windows Firewall: Define inbound program exceptions

Not applicable

Recommended

Recommended

Not configured

Not configured

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications!Enabled

Windows Firewall: Do not allow exceptions

Not applicable

Recommended

Recommended

Not configured

Not configured

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\DoNotAllowExceptions

Windows Firewall: Prohibit notifications

Not applicable

Disabled

Disabled

Not configured

Not configured

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\DisableNotifications

Windows Firewall: Prohibit unicast response to multicast or broadcast requests

Not applicable

Enabled

Enabled

Not configured

Not configured

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\DisableUnicastResponsesToMulticastBroadcast

Windows Firewall: Protect all network connections

Not applicable

Enabled

Enabled

Not configured

Not configured

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall

Do not process the legacy run list

Not applicable

Not Configured

Not Configured

Enabled

Enabled

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableLocalMachineRun

Not applicable

Not Configured

Not Configured

Enabled

Enabled

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableLocalMachineRunOnce

Not applicable

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!NoBackgroundPolicy, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!NoGPOListChanges

Not applicable Not applicable

Not Configured Not Configured

Not Configured Not Configured

Disabled Disabled

Disabled Disabled

HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fAllowUnsolicited, HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fAllowUnsolicitedFullControl HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fAllowToGetHelp, HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fAllowFullControl, HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!MaxTicketExpiry, HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!MaxTicketExpiryUnits, HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fUseMailto

Not applicable

Enabled: Authenticated

Enabled: Authenticated

Enabled: Authenticated

Enabled: Authenticated

HKLM\Software\Policies\Microsoft\Windows NT\Rpc\RestrictRemoteClients

Not applicable

Disabled

Disabled

Enabled

Enabled

HKLM\Software\Policies\Microsoft\Windows NT\Rpc\EnableAuthEpResolution

Not applicable

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPublishingWizard

Not applicable

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices

Turn off the Windows Messenger Customer Experience Improvement Program

Not applicable

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Policies\Microsoft\Messenger\Client!CEIP

Turn off Search Companion content file updates

Not applicable

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Policies\Microsoft\SearchCompanion!DisableContentFileUpdates

Turn off printing over HTTP Turn off downloading of print drivers over HTTP

Not applicable Not applicable

Enabled Enabled

Enabled Enabled

Enabled Enabled

Enabled Enabled

HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload

Turn off Windows Update device driver searching

Not applicable

Disabled

Disabled

Enabled

Enabled

HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DontSearchWindowsUpdate

Not Configured

Not Configured

Not Configured

Enabled – All Drives

Enabled – All Drives

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDriveTypeAutoRun

Not Configured

Not Configured

Not Configured

Disabled

Disabled

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators

Not Configured

Not Configured

Not Configured

Enabled

Enabled

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnableSecureCredentialPrompting

Private Profile Tab Firewall state Inbound connections Outbound connections Customized Settings Display a notification Allow unicast response Apply local firewall rules Apply local connection security rules Public Profile Tab Firewall state Inbound connections Outbound connections Customized Settings Display a notification Allow unicast response Apply local firewall rules Apply local connection security rules Administrative Templates Network Network Connections Windows Firewall Domain Profile Windows Firewall: Allow ICMP exceptions

Standard Profile Windows Firewall: Allow ICMP exceptions

System Logon

Do not process the run once list Group Policy Registry policy processing Remote Assistance Offer Remote Assistance Solicited Remote Assistance Remote Procedure Call Restrictions for Unauthenticated RPC clients RPC Endpoint Mapper Client Authentication Internet Communication Management Internet Communication settings Turn off the "Publish to Web" task for files and folders Turn off Internet download for Web publishing and online ordering wizards

Windows Components Autoplay Policies Turn off Autoplay Credential User Interface Enumerate administrator accounts on elevation Require trusted path for credential entry

Internet Explorer Disable Automatic Install of Internet Explorer components

Not Configured

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoJITSetup

Disable Periodic Check for Internet Explorer software updates

Not Configured

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoUpdateCheck

Disable software update shell notifications on program launch

Not Configured

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoMSAppLogo5ChannelNotify

Do not allow users to enable or disable add-ons

Not Configured

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoExtensionManagement

Make proxy settings per-machine (rather than per-user)

Not Configured

Enabled

Disabled

Enabled

Disabled

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ProxySettingsPerUser

Security Zones: Do not allow users to add/delete sites

Not Configured

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!Security_zones_map_edit

Security Zones: Do not allow users to change policies

Not Configured

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!Security_options_edit

Security Zones: Use only machine settings

Not Configured

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!Security_HKLM_only

Not Configured

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoCrashDetection

Not Configured

Disabled

Disabled

Disabled

Disabled

HKLM\Software\Policies\Microsoft\Internet Explorer\Download!RunInvalidSignatures

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!explorer.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!iexplore.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!explorer.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!iexplore.exe

Turn off Crash Detection Internet Control Panel Advanced Page Allow software to run or install even if the signature is invalid

Security Features

MK Protocol Security Restriction

Internet Explorer Processes (MK Protocol)

Not Configured

Consistent MIME Handling Settings

Internet Explorer Processes (Consistent MIME Handling)

Not Configured

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!explorer.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!iexplore.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!explorer.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!iexplore.exe

MIME Sniffing Safety Features Internet Explorer Processes (MIME Sniffing)

Not Configured

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!explorer.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!iexplore.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!explorer.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!iexplore.exe

Scripted Window Security Restrictions Internet Explorer Processes (Scripted Window Security Restrictions)

Not Configured

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!explorer.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!iexplore.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!explorer.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!iexplore.exe

Protection From Zone Elevation Internet Explorer Processes (Zone Elevation Protection)

Not Configured

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!explorer.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!iexplore.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!explorer.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!iexplore.exe

Restrict ActiveX Install Internet Explorer Processes (Restrict ActiveX Install)

Not Configured

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL!explorer.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_AC

Restrict File Download Internet Explorer Processes (Restrict File Download)

Not Configured

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!explorer.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!iexplore.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!explorer.exe, HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!iexplore.exe

Add-on Management Deny all add-ons unless specifically allowed in the Addon List

Not Configured

Recommended

Recommended

Recommended

Recommended

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!RestrictToList

Not Configured

Recommended

Recommended

Recommended

Recommended

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!ListBox_Support_CLSID

Add-on List NetMeeting

Policy settings as they appear in the Group Policy Object Editor in Windows Vista

Windows Vista default

EC desktop GPO

EC laptop GPO

SSLF desktop GPO

SSLF laptop GPO

Registry Settings

Computer Configuration

Disable remote Desktop Sharing

Not Configured

Not Configured

Not Configured

Enabled

Enabled

HKLM\Software\Policies\Microsoft\Conferencing!NoRDS

Not Configured

Enabled

Enabled

Enabled

Enabled

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DisablePasswordSaving

Not Configured

Not Configured

Not Configured

Disabled

Disabled

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDenyTSConnections

Not Configured

Not Configured

Not Configured

Enabled

Enabled

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCdm

Not Configured

Enabled

Enabled

Enabled

Enabled

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fPromptForPassword

Not Configured

High

High

High

High

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MinEncryptionLevel

Windows Messenger Do not allow Windows Messenger to be run

Not Configured

Enabled

Enabled

Enabled

Enabled

HKCU\Software\Policies\Microsoft\Messenger\Client!PreventRun

Windows Update Do not display 'Install Updates and Shut Down' option in the Shut Down Windows dialog box

Not Configured

Disabled

Disabled

Disabled

Disabled

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAUShutdownOption

Do not adjust default option to ‘Install Updates and Shut Down’ in Shut Down Windows Dialog box

Not Configured

Disabled

Disabled

Disabled

Disabled

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAUAsDefaultShutdownOption

Configure Automatic Updates

Not Configured

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAutoUpdate, HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!AUOptions, HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!ScheduledInstallDay, HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!ScheduledInstallTime

No auto-restart for scheduled Automatic Updates installations

Not Configured

Disabled

Disabled

Disabled

Disabled

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAutoRebootWithLoggedOnUsers

Reschedule Automatic Updates scheduled installations

Not Configured

Enabled

Enabled

Enabled

Enabled

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!RescheduleWaitTimeEnabled, HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!RescheduleWaitTime

Terminal Services Remote Desktop Connection Client Do not allow passwords to be saved Terminal Server Connections Allow users to connect remotely using Terminal Services Device and Resource Redirection Do not allow drive redirection Security Always prompt client for password upon connection Set client connection encryption level

| Policy settings as they appear in the Group Policy Object Editor in Windows Vista | EC user GPO | SSLF user GPO |
|---|---|---|
| User Configuration | | |
| Administrative Templates | | |
| System | | |
| Prevent access to registry editing tools | Not Configured | Enabled |
| Power Management | | |
| Prompt for password on resume from hibernate/suspend | Enabled | Enabled |
| Windows Components | | |
| Attachment Manager | | |
| Do not preserve zone information in file attachments | Disabled | Disabled |
| Hide mechanisms to remove zone information | Enabled | Enabled |
| Notify antivirus programs when opening attachments | Enabled | Enabled |
| Internet Explorer | | |
| Configure Outlook Express | Enabled | Not Configured |
| Disable "Configuring History" | Not Configured | Enabled:40 |
| Disable AutoComplete for forms | Not Configured | Enabled |
| Disable changing Automatic Configuration settings | Not Configured | Enabled |
| Disable changing certificate settings | Not Configured | Enabled |
| Disable changing connection settings | Not Configured | Enabled |
| Disable changing proxy settings | Not Configured | Enabled |
| Do not allow users to enable or disable add-ons | Not Configured | Enabled |
| Prevent "fix settings" functionality | Not Configured | Disabled |
| Prevent deletion of "Temporary Internet Files and Cookies" | Not Configured | Enabled |
| Turn off "Delete Browsing History" functionality | Not Configured | Enabled |
| Turn off the Security Settings Check feature | Not Configured | Disabled |
| Turn on the auto-complete feature for user names and passwords on forms | Disabled | Disabled |
| Browser Menus | | |
| Disable Save this program to disk option | Not Configured | Enabled |
| Internet Control Panel | | |
| Disable the Advanced Page | Not Configured | Enabled |
| Disable the Security Page | Not Configured | Enabled |
| Prevent ignoring certificate errors | Not Configured | Enabled |
| Advanced Page | | |
| Allow Install On Demand (Internet Explorer) | Not Configured | Disabled |
| Allow software to run or install even if the signature is invalid | Not Configured | Disabled |
| Automatically check for Internet Explorer updates | Not Configured | Disabled |
| Check for server certificate revocation | Not Configured | Enabled |
| Security Page | | |
| Intranet Sites: Include all network paths (UNCs) | Not Configured | Disabled |
| Internet Zone | | |
| Access data sources across domains | Not Configured | Enabled:Disable |
| Allow cut, copy, or paste operations from the clipboard via script | Not Configured | Enabled:Disable |
| Allow drag and drop or copy and paste files | Not Configured | Enabled:Disable |
| Allow font downloads | Not Configured | Enabled:Disable |
| Allow installation of desktop items | Not Configured | Enabled:Disable |
| Allow script-initiated windows without size or position constraints | Not Configured | Enabled:Disable |
| Allow status bar updates via script | Not Configured | Disabled |
| Automatic prompting for file downloads | Not Configured | Enabled:Enable |
| Download signed ActiveX controls | Not Configured | Enabled:Disable |
| Download unsigned ActiveX controls | Not Configured | Enabled:Disable |
| Initialize and script ActiveX controls not marked as safe | Not Configured | Enabled:Disable |
| Java permissions | Not Configured | Enabled:Disable Java |
| Launching applications and files in an IFRAME | Not Configured | Enabled:Disable |
| Logon Options | Not Configured | Enabled:Prompt for user name and password |
| Navigate sub-frames across different domains | Not Configured | Disabled |
| Open file based on content, not file extension | Not Configured | Enabled:Disable |
| Software channel permissions | Not Configured | Enabled:High Safety |
| Use Pop-up Blocker | Not Configured | Enabled:Enable |
| Web sites in less privileged Web content zones can navigate into this zone | Not Configured | Enabled:Disable |
| Restricted Sites Zone | | |
| Access data sources across domains | Not Configured | Enabled:Disable |
| Allow active scripting | Not Configured | Enabled:Disable |

| Policy settings as they appear in the Group Policy Object Editor in Windows Vista | EC user GPO | SSLF user GPO |
|---|---|---|
| User Configuration | | |
| Allow binary and script behaviors | Not Configured | Enabled:Disable |
| Allow cut, copy, or paste operations from the clipboard via script | Not Configured | Enabled:Disable |
| Allow drag and drop or copy and paste files | Not Configured | Enabled:Disable |
| Allow file downloads | Not Configured | Enabled:Disable |
| Allow font downloads | Not Configured | Enabled:Disable |
| Allow installation of desktop items | Not Configured | Enabled:Disable |
| Allow META REFRESH | Not Configured | Enabled:Disable |
| Allow script-initiated windows without size or position constraints | Not Configured | Enabled:Disable |
| Allow status bar updates via script | Not Configured | Disabled |
| Automatic prompting for file downloads | Not Configured | Enabled:Enable |
| Download signed ActiveX controls | Not Configured | Enabled:Disable |
| Download unsigned ActiveX controls | Not Configured | Enabled:Disable |
| Initialize and script ActiveX controls not marked as safe | Not Configured | Enabled:Disable |
| Java permissions | Not Configured | Enabled:Disable Java |
| Launching applications and files in an IFRAME | Not Configured | Enabled:Disable |
| Logon Options | Not Configured | Enabled:Anonymous Logon |
| Navigate sub-frames across different domains | Not Configured | Enabled:Disable |
| Open file based on content, not file extension | Not Configured | Enabled:Disable |
| Run .NET Framework-reliant components not signed with Authenticode | Not Configured | Enabled:Disable |
| Run .NET Framework-reliant components signed with Authenticode | Not Configured | Enabled:Disable |
| Run ActiveX controls and plugins | Not Configured | Enabled:Disable |
| Script ActiveX controls marked safe for scripting | Not Configured | Enabled:Disable |
| Scripting of Java applets | Not Configured | Enabled:Disable |
| Software channel permissions | Not Configured | Enabled:High Safety |
| Use Pop-up Blocker | Not Configured | Enabled:Enable |
| Web sites in less privileged Web content zones can navigate into this zone | Not Configured | Enabled:Disable |
| Offline Pages | | |
| Disable adding channels | Enabled | Not Configured |
| Disable adding schedules for offline pages | Enabled | Not Configured |
| Disable all scheduled offline pages | Enabled | Not Configured |
| Disable channel user interface completely | Enabled | Not Configured |
| Disable downloading of site subscription content | Enabled | Not Configured |
| Disable editing and creating of schedule groups | Enabled | Not Configured |
| Disable editing schedules for offline pages | Enabled | Not Configured |
| Disable offline page hit logging | Enabled | Not Configured |
| Disable removing channels | Enabled | Not Configured |
| Disable removing schedules for offline pages | Enabled | Not Configured |
| Windows Explorer | | |
| Remove CD Burning features | Not Configured | Enabled |
| Remove Security Tab | Not Configured | Enabled |

| Audit policy category/subcategory | Vista default | EC computer GPOs | SSLF computer GPOs |
|---|---|---|---|
| System | | | |
| Security System Extension | No auditing | Success and Failure | Success and Failure |
| System Integrity | Success and Failure | Success and Failure | Success and Failure |
| IPsec Driver | No auditing | Success and Failure | Success and Failure |
| Other System Events | Success and Failure | No auditing | No auditing |
| Security State Change | Success | Success and Failure | Success and Failure |
| Logon/Logoff | | | |
| Logon | Success | Success | Success and Failure |
| Logoff | Success | Success | Success |
| Account Lockout | Success | No auditing | No auditing |
| IPsec Main Mode | No auditing | No auditing | No auditing |
| IPsec Quick Mode | No auditing | No auditing | No auditing |
| IPsec Extended Mode | No auditing | No auditing | No auditing |
| Special Logon | Success | Success | Success |
| Other Logon/Logoff Events | No auditing | No auditing | No auditing |
| Object Access | | | |
| File System | No auditing | No auditing | Failure |
| Registry | No auditing | No auditing | Failure |
| Kernel Object | No auditing | No auditing | No auditing |
| SAM | No auditing | No auditing | No auditing |
| Certification Services | No auditing | No auditing | No auditing |
| Application Generated | No auditing | No auditing | No auditing |
| Handle Manipulation | No auditing | No auditing | No auditing |
| File Share | No auditing | No auditing | No auditing |
| Filtering Platform Packet Drop | No auditing | No auditing | No auditing |
| Filtering Platform Connection | No auditing | No auditing | No auditing |
| Other Object Access Events | No auditing | No auditing | No auditing |
| Privilege Use | | | |
| Sensitive Privilege Use | No auditing | No auditing | Success and Failure |
| Non Sensitive Privilege Use | No auditing | No auditing | No auditing |
| Other Privilege Use Events | No auditing | No auditing | No auditing |
| Detailed Tracking | | | |
| Process Termination | No auditing | No auditing | No auditing |
| DPAPI Activity | No auditing | No auditing | No auditing |
| RPC Events | No auditing | No auditing | No auditing |
| Process Creation | No auditing | Success | Success |
| Policy Change | | | |
| Audit Policy Change | Success | Success and Failure | Success and Failure |
| Authentication Policy Change | Success | Success | Success |
| Authorization Policy Change | No auditing | No auditing | No auditing |
| MPSSVC Rule-Level Policy Change | No auditing | No auditing | No auditing |
| Filtering Platform Policy Change | No auditing | No auditing | No auditing |
| Other Policy Change Events | No auditing | No auditing | No auditing |
| Account Management | | | |
| User Account Management | Success | Success | Success and Failure |
| Computer Account Management | No auditing | Success | Success and Failure |
| Security Group Management | Success | Success | Success and Failure |
| Distribution Group Management | No auditing | No auditing | No auditing |
| Application Group Management | No auditing | No auditing | No auditing |
| Other Account Management Events | No auditing | Success | Success and Failure |
| DS Access [1] | | | |
| Directory Service Access | No auditing | No auditing | No auditing |
| Directory Service Changes | No auditing | No auditing | No auditing |

| Audit policy category/subcategory | Vista default | EC computer GPOs | SSLF computer GPOs |
|---|---|---|---|
| Directory Service Replication | No auditing | No auditing | No auditing |
| Detailed Directory Service Replication | No auditing | No auditing | No auditing |
| Account Logon | | | |
| Credential Validation | No auditing | Success | Success and Failure |
| Kerberos Ticket Events [2] | No auditing | No auditing | No auditing |
| Other Account Logon Events | No auditing | No auditing | No auditing |

© 2006 Microsoft Corporation. This work is licensed under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

[1] These events are only generated on DCs.
[2] These events are only generated on DCs.
