Local Security Policy Settings

Source: Internet
Author: User

Server Security Settings: Local Security Policy Settings

To apply a changed policy immediately, run gpupdate /force (the updated Group Policy takes effect without a restart).

Choose Start > Administrative Tools > Local Security Policy

A. Local Policies --> Audit Policy

Audit policy change: Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit process tracking: No auditing
Audit directory service access: Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Failure

B. Local Policies --> User Rights Assignment

Shut down the system: keep only the Administrators group and remove all other entries.
Deny log on through Terminal Services: add the Guests and Users groups.
Allow log on through Terminal Services: keep only the Administrators group and remove all other entries.

C. Local Policies --> Security Options

Interactive logon: Do not display last user name: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Do not allow storage of credentials for network authentication: Enabled
Network access: Shares that can be accessed anonymously: remove all entries
Network access: Named Pipes that can be accessed anonymously: remove all entries
Network access: Remotely accessible registry paths: remove all entries
Network access: Remotely accessible registry paths and sub-paths: remove all entries
Accounts: Rename guest account: give it a different name
Accounts: Rename administrator account: give it a different name
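The following script is an added example and is not part of the original page: it exports the effective local security policy with secedit (which ships with Windows) and compares it with the values in sections A, B and C above. It is meant to be run from an elevated PowerShell prompt. Group membership is compared by well-known SID (Administrators S-1-5-32-544, Users S-1-5-32-545, Guests S-1-5-32-546); the temporary file name is this example's own choice.

```powershell
# Added example (not from the original page): compare the exported local
# security policy with the settings listed in sections A-C.
$inf = Join-Path $env:TEMP 'localpolicy-export.inf'
secedit /export /cfg $inf /quiet | Out-Null

# The export is a Unicode .ini file: [Section] headers followed by key = value lines.
$policy = @{}
$section = ''
foreach ($line in Get-Content -Path $inf -Encoding Unicode) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; $policy[$section] = @{}; continue }
    if ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $policy[$section][$Matches[1]] = $Matches[2] }
}

$findings = New-Object System.Collections.Generic.List[string]

# A. Audit policy. [Event Audit] values: 0 = none, 1 = Success, 2 = Failure, 3 = Success and Failure.
$expectedAudit = @{
    AuditPolicyChange = 2; AuditLogonEvents = 3; AuditObjectAccess = 2
    AuditProcessTracking = 0; AuditDSAccess = 2; AuditPrivilegeUse = 2
    AuditSystemEvents = 3; AuditAccountLogon = 3; AuditAccountManage = 2
}
foreach ($k in $expectedAudit.Keys) {
    $actual = $policy['Event Audit'][$k]
    if ("$actual" -ne "$($expectedAudit[$k])") { $findings.Add("Audit: $k is '$actual', expected $($expectedAudit[$k])") }
}

# B. User rights. [Privilege Rights] lists the holders as *SID (or a name), comma separated.
function Get-RightMembers([string]$right) {
    $raw = $policy['Privilege Rights'][$right]
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    return @($raw -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
}
$admins = 'S-1-5-32-544'; $users = 'S-1-5-32-545'; $guests = 'S-1-5-32-546'
foreach ($right in 'SeShutdownPrivilege', 'SeRemoteInteractiveLogonRight') {
    $members = Get-RightMembers $right
    $extra = @($members | Where-Object { $_ -ne $admins })
    if ($extra.Count -ne 0 -or $members -notcontains $admins) {
        $findings.Add("Right: $right should be Administrators only, is: $($members -join ',')")
    }
}
$deny = Get-RightMembers 'SeDenyRemoteInteractiveLogonRight'
foreach ($sid in $guests, $users) {
    if ($deny -notcontains $sid) { $findings.Add("Right: SeDenyRemoteInteractiveLogonRight is missing $sid") }
}

# C. Security options. [Registry Values] lines are path=type,data (4 = REG_DWORD, 7 = REG_MULTI_SZ);
# an empty list such as "7," means the remote-registry path or null-session list has no entries.
$expectedReg = @{
    'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName'    = '4,1'
    'MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous'                              = '4,1'
    'MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds'                             = '4,1'
    'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares'         = '7,'
    'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes'          = '7,'
    'MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine' = '7,'
    'MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine'      = '7,'
}
foreach ($path in $expectedReg.Keys) {
    $actual = $policy['Registry Values'][$path]
    if ("$actual" -ne $expectedReg[$path]) { $findings.Add("Option: $path is '$actual', expected '$($expectedReg[$path])'") }
}
# Renamed built-in accounts: [System Access] still holding the default names means the rename was not done.
foreach ($pair in @(@('NewAdministratorName', 'Administrator'), @('NewGuestName', 'Guest'))) {
    $name = "$($policy['System Access'][$pair[0]])".Trim('"')
    if ($name -eq $pair[1]) { $findings.Add("Account: $($pair[0]) is still '$($pair[1])'") }
}

Remove-Item -Path $inf -ErrorAction SilentlyContinue
if ($findings.Count -eq 0) { 'All checked settings match sections A-C.' } else { $findings }
```

On Windows Vista and later the nine legacy audit categories are superseded by auditpol subcategories; when "Audit: Force audit policy subcategory settings" is enabled, the [Event Audit] values in the export no longer describe the effective policy and auditpol /get /category:* is the place to look instead.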

Setting (as shown in the UI) | Enterprise Client desktop | Enterprise Client portable | High-security desktop | High-security portable
--- | --- | --- | --- | ---
Accounts: Limit local account use of blank passwords to console logon only | Enabled | Enabled | Enabled | Enabled
Accounts: Rename administrator account | Recommended | Recommended | Recommended | Recommended
Accounts: Rename guest account | Recommended | Recommended | Recommended | Recommended
Devices: Allow undock without having to log on | Disabled | Enabled | Disabled | Disabled
Devices: Allowed to format and eject removable media | Administrators, Interactive Users | Administrators, Interactive Users | Administrators | Administrators
Devices: Prevent users from installing printer drivers | Enabled | Disabled | Enabled | Disabled
Devices: Restrict CD-ROM access to locally logged-on user only | Disabled | Disabled | Enabled | Enabled
Devices: Restrict floppy access to locally logged-on user only | Enabled | Enabled | Enabled | Enabled
Devices: Unsigned driver installation behavior | Warn but allow installation | Warn but allow installation | Do not allow installation | Do not allow installation
Domain member: Require strong (Windows 2000 or later) session key | Enabled | Enabled | Enabled | Enabled
Interactive logon: Do not display last user name | Enabled | Enabled | Enabled | Enabled
Interactive logon: Do not require CTRL+ALT+DEL | Disabled | Disabled | Disabled | Disabled
Interactive logon: Message text for users attempting to log on | This system is limited to authorized users only. Individuals attempting unauthorized access will be prosecuted. | (same) | (same) | (same)
Interactive logon: Message title for users attempting to log on | It is illegal to continue using the service without proper authorization. | (same) | (same) | (same)
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 2 | 2 | 0 | 1
Interactive logon: Prompt user to change password before expiration | 14 days | 14 days | 14 days | 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled | Disabled | Enabled | Disabled
Interactive logon: Smart card removal behavior | Lock Workstation | Lock Workstation | Lock Workstation | Lock Workstation
Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Enabled | Enabled | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled | Disabled | Disabled
Microsoft network server: Amount of idle time required before suspending session | 15 minutes | 15 minutes | 15 minutes | 15 minutes
Microsoft network server: Digitally sign communications (always) | Enabled | Enabled | Enabled | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled | Enabled | Enabled | Enabled
Microsoft network server: Disconnect clients when logon hours expire | Enabled | Disabled | Enabled | Disabled
Network access: Allow anonymous SID/Name translation | Disabled | Disabled | Disabled | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled | Enabled | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Enabled | Enabled | Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled | Enabled | Enabled | Enabled
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | Enabled | Enabled | Enabled
Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves | (same) | (same) | (same)
Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled | Enabled | Enabled
Network security: Force logoff when logon hours expire | Enabled | Disabled | Enabled | Disabled
Network security: LAN Manager authentication level | Send NTLMv2 response only | Send NTLMv2 response only | Send NTLMv2 response only, refuse LM & NTLM | Send NTLMv2 response only, refuse LM & NTLM
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | No minimum | No minimum | Require NTLMv2 session security, require 128-bit encryption | Require NTLMv2 session security, require 128-bit encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | No minimum | No minimum | Require NTLMv2 session security, require 128-bit encryption | Require NTLMv2 session security, require 128-bit encryption
Recovery console: Allow automatic administrative logon | Disabled | Disabled | Disabled | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Enabled | Enabled | Disabled | Disabled
Shutdown: Allow system to be shut down without having to log on | Disabled | Disabled | Disabled | Disabled
Shutdown: Clear virtual memory pagefile | Disabled | Disabled | Enabled | Enabled
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled | Disabled | Disabled | Disabled
System objects: Default owner for objects created by members of the Administrators group | Object creator | Object creator | Object creator | Object creator
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Disabled | Disabled | Disabled | 
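As an added example, not from the original page, the script below turns one column of the table above into a secedit security template (.inf) covering the rows whose values differ between the four profiles, so the profile can be reviewed as a file and then applied with secedit /configure. The registry paths are the documented backing values of the corresponding security options; the profile labels (EC-Desktop, EC-Portable, HS-Desktop, HS-Portable) and the output path are this example's own choices. Rows that are identical in all four columns, and the unsigned-driver setting (a REG_BINARY value), are left to the checklist above.

```powershell
# Added example (not from the original page): build a secedit template for one
# profile column of the table, using the rows whose values differ between columns.
$columns = @{ 'EC-Desktop' = 0; 'EC-Portable' = 1; 'HS-Desktop' = 2; 'HS-Portable' = 3 }

# name, template registry path, data type (1 = REG_SZ, 4 = REG_DWORD), values in column order
$rows = @(
    @('Devices: Allow undock without having to log on',
      'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon', 4, @(0, 1, 0, 0)),
    @('Devices: Allowed to format and eject removable media (0 = Administrators, 2 = Administrators and Interactive Users)',
      'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD', 1, @('2', '2', '0', '0')),
    @('Devices: Prevent users from installing printer drivers',
      'MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers', 4, @(1, 0, 1, 0)),
    @('Devices: Restrict CD-ROM access to locally logged-on user only',
      'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms', 1, @('0', '0', '1', '1')),
    @('Interactive logon: Number of previous logons to cache',
      'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount', 1, @('2', '2', '0', '1')),
    @('Interactive logon: Require Domain Controller authentication to unlock workstation',
      'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon', 4, @(0, 0, 1, 0)),
    @('Microsoft network server: Disconnect clients when logon hours expire',
      'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff', 4, @(1, 0, 1, 0)),
    @('Network security: LAN Manager authentication level (3 = NTLMv2 only, 5 = NTLMv2 only and refuse LM & NTLM)',
      'MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel', 4, @(3, 3, 5, 5)),
    @('Network security: Minimum session security for NTLM SSP clients (537395200 = 0x20080000 = NTLMv2 + 128-bit)',
      'MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec', 4, @(0, 0, 537395200, 537395200)),
    @('Network security: Minimum session security for NTLM SSP servers',
      'MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec', 4, @(0, 0, 537395200, 537395200)),
    @('Recovery console: Allow floppy copy and access to all drives and all folders',
      'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand', 4, @(1, 1, 0, 0)),
    @('Shutdown: Clear virtual memory pagefile',
      'MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown', 4, @(0, 0, 1, 1))
)

function New-ProfileTemplate([string]$Column, [string]$Path) {
    $i = $columns[$Column]
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
               '[System Access]',
               # "Network security: Force logoff when logon hours expire" is a System Access key, not a registry value
               "ForceLogoffWhenHourExpire = $(@(1, 0, 1, 0)[$i])",
               '[Registry Values]')
    foreach ($row in $rows) {
        $value = $row[3][$i]
        # REG_SZ data is quoted in a template; REG_DWORD data is written as a plain decimal number
        $data = if ($row[2] -eq 1) { '"' + $value + '"' } else { "$value" }
        $lines += '; ' + $row[0]
        $lines += $row[1] + '=' + $row[2] + ',' + $data
    }
    Set-Content -Path $Path -Value $lines -Encoding Unicode   # secedit expects a Unicode .inf
    return $lines
}

$column = 'HS-Desktop'
$inf = Join-Path $env:TEMP "secpol-$column.inf"
New-ProfileTemplate -Column $column -Path $inf | Out-Null
Get-Content -Path $inf -Encoding Unicode
"Apply after review, from an elevated prompt: secedit /configure /db `"$env:TEMP\secpol.sdb`" /cfg `"$inf`" /areas SECURITYPOLICY"
```

Two of the generated values deserve a look before the template is applied to a real machine: a cached-logon count of 0 (the High-security desktop column) means no one can log on with domain credentials while the domain controller is unreachable, and raising LmCompatibilityLevel to 5 refuses LM and NTLM from any client that cannot speak NTLMv2.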
