7. Server security settings - Local Security Policy settings
Command to apply the updated security policy immediately: gpupdate /force (the group policy takes effect without a restart)
Start Menu -> Administrative Tools -> Local Security Policy
A. Local Policies -> Audit Policy
Audit policy change: Success, Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit process tracking: No auditing
Audit directory service access: Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Success, Failure
B. Local Policies -> User Rights Assignment
Shut down the system: Administrators group only; remove all other entries.
Deny log on through Terminal Services: add the Guests and Users groups.
Allow log on through Terminal Services: Administrators group only; remove all other entries.
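The Audit Policy and User Rights Assignment values in sections A and B can be verified on a machine without clicking through the MMC snap-in. The following PowerShell script is an added example, not part of the original checklist: it exports the effective local policy with `secedit /export`, parses the INI-style output, and reports every audit category or user right that differs from the baseline above. The export file name and the `$auditBaseline`/`$rightsBaseline` tables are this script's own assumptions; the SIDs are the well-known ones for Administrators (S-1-5-32-544), Users (S-1-5-32-545) and Guests (S-1-5-32-546). Run it from an elevated prompt.

```powershell
# Added example: compare the local Audit Policy and User Rights Assignment
# against the baseline in sections A and B. Requires an elevated prompt.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'   # temporary export file (assumed name)
secedit /export /cfg $cfg /quiet | Out-Null

# Parse the export (UTF-16 INI) into section -> name -> value
$policy = @{}
$section = ''
foreach ($line in Get-Content -Path $cfg -Encoding Unicode) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $policy[$section] = @{}; continue }
    if ($line -match '^\s*([^=]+?)\s*=\s*(.*)$') { $policy[$section][$Matches[1]] = $Matches[2] }
}

# [Event Audit] values: 0 = No auditing, 1 = Success, 2 = Failure, 3 = Success and Failure
$auditBaseline = @{
    AuditPolicyChange    = 3   # Audit policy change: Success, Failure
    AuditLogonEvents     = 3   # Audit logon events: Success, Failure
    AuditObjectAccess    = 2   # Audit object access: Failure
    AuditProcessTracking = 0   # Audit process tracking: No auditing
    AuditDSAccess        = 2   # Audit directory service access: Failure
    AuditPrivilegeUse    = 2   # Audit privilege use: Failure
    AuditSystemEvents    = 3   # Audit system events: Success, Failure
    AuditAccountLogon    = 3   # Audit account logon events: Success, Failure
    AuditAccountManage   = 3   # Audit account management: Success, Failure
}
# [Privilege Rights] entries, expressed as well-known SIDs
$rightsBaseline = @{
    SeShutdownPrivilege               = @('*S-1-5-32-544')                  # Administrators only
    SeRemoteInteractiveLogonRight     = @('*S-1-5-32-544')                  # Administrators only
    SeDenyRemoteInteractiveLogonRight = @('*S-1-5-32-545', '*S-1-5-32-546') # Users, Guests
}

$findings = @()
foreach ($name in $auditBaseline.Keys) {
    $actual = $policy['Event Audit'][$name]
    if ("$actual" -ne "$($auditBaseline[$name])") {
        $findings += [pscustomobject]@{ Area = 'Audit Policy'; Setting = $name
                                        Expected = $auditBaseline[$name]; Actual = $actual }
    }
}
foreach ($name in $rightsBaseline.Keys) {
    $actual = @()
    if ($policy['Privilege Rights'][$name]) {
        $actual = $policy['Privilege Rights'][$name] -split ',' | ForEach-Object { $_.Trim() }
    }
    # Order-insensitive comparison of the SID lists
    $expectedText = ($rightsBaseline[$name] | Sort-Object) -join ','
    $actualText   = ($actual | Sort-Object) -join ','
    if ($expectedText -ne $actualText) {
        $findings += [pscustomobject]@{ Area = 'User Rights'; Setting = $name
                                        Expected = $expectedText; Actual = $actualText }
    }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

if ($findings) { $findings | Format-Table -AutoSize }
else { 'All audit policy and user rights entries match the baseline.' }
```

Two caveats when reading the output: on Windows Vista and later, the nine legacy audit categories are overridden by Advanced Audit Policy subcategories when those are configured, so `auditpol /get /category:*` shows the effective state; and the user-rights check reports any extra principal, including built-in ones such as Backup Operators, because the baseline says "remove all other entries".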
C. Local Policies -> Security Options
Interactive logon: Do not display last user name: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication: Enabled
Network access: Shares that can be accessed anonymously: remove all entries
Network access: Named Pipes that can be accessed anonymously: remove all entries
Network access: Remotely accessible registry paths: remove all entries
Network access: Remotely accessible registry paths and sub-paths: remove all entries
Accounts: Rename guest account: rename to a different account name
Accounts: Rename administrator account: rename to a different account name
Setting name in UI | Enterprise Client desktop | Enterprise Client laptop | High Security desktop | High Security laptop
---|---|---|---|---
Accounts: Limit local account use of blank passwords to console logon only | Enabled | Enabled | Enabled | Enabled
Accounts: Rename administrator account | Recommended | Recommended | Recommended | Recommended
Accounts: Rename guest account | Recommended | Recommended | Recommended | Recommended
Devices: Allow undock without having to log on | Disabled | Enabled | Disabled | Disabled
Devices: Allowed to format and eject removable media | Administrators, Interactive Users | Administrators, Interactive Users | Administrators | Administrators
Devices: Prevent users from installing printer drivers | Enabled | Disabled | Enabled | Disabled
Devices: Restrict CD-ROM access to locally logged-on user only | Disabled | Disabled | Enabled | Enabled
Devices: Restrict floppy access to locally logged-on user only | Enabled | Enabled | Enabled | Enabled
Devices: Unsigned driver installation behavior | Warn but allow installation | Warn but allow installation | Do not allow installation | Do not allow installation
Domain member: Require strong (Windows 2000 or later) session key | Enabled | Enabled | Enabled | Enabled
Interactive logon: Do not display last user name | Enabled | Enabled | Enabled | Enabled
Interactive logon: Do not require CTRL+ALT+DEL | Disabled | Disabled | Disabled | Disabled
Interactive logon: Message text for users attempting to log on | This system is limited to authorized users only. Individuals who attempt unauthorized access will be prosecuted. | (same) | (same) | (same)
Interactive logon: Message title for users attempting to log on | Continuing to use this system without proper authorization is illegal. | (same) | (same) | (same)
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 2 | 2 | 0 | 1
Interactive logon: Prompt user to change password before expiration | 14 days | 14 days | 14 days | 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled | Disabled | Enabled | Disabled
Interactive logon: Smart card removal behavior | Lock Workstation | Lock Workstation | Lock Workstation | Lock Workstation
Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Enabled | Enabled | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled | Disabled | Disabled
Microsoft network server: Amount of idle time required before suspending session | 15 minutes | 15 minutes | 15 minutes | 15 minutes
Microsoft network server: Digitally sign communications (always) | Enabled | Enabled | Enabled | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled | Enabled | Enabled | Enabled
Microsoft network server: Disconnect clients when logon hours expire | Enabled | Disabled | Enabled | Disabled
Network access: Allow anonymous SID/Name translation | Disabled | Disabled | Disabled | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled | Enabled | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Enabled | Enabled | Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication | Enabled | Enabled | Enabled | Enabled
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | Enabled | Enabled | Enabled
Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves | Classic - local users authenticate as themselves
Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled | Enabled | Enabled
Network security: Force logoff when logon hours expire | Enabled | Disabled | Enabled | Disabled
Network security: LAN Manager authentication level | Send NTLMv2 response only | Send NTLMv2 response only | Send NTLMv2 response only\refuse LM & NTLM | Send NTLMv2 response only\refuse LM & NTLM
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | No minimum | No minimum | Require NTLMv2 session security, Require 128-bit encryption | Require NTLMv2 session security, Require 128-bit encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | No minimum | No minimum | Require NTLMv2 session security, Require 128-bit encryption | Require NTLMv2 session security, Require 128-bit encryption
Recovery console: Allow automatic administrative logon | Disabled | Disabled | Disabled | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Enabled | Enabled | Disabled | Disabled
Shutdown: Allow system to be shut down without having to log on | Disabled | Disabled | Disabled | Disabled
Shutdown: Clear virtual memory pagefile | Disabled | Disabled | Enabled | Enabled
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled | Disabled | Disabled | Disabled
System objects: Default owner for objects created by members of the Administrators group | Object creator | Object creator | Object creator | Object creator
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Disabled | Disabled | Disabled | Disabled
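Most of the Security Options in the table are stored as registry values, and that is what a quick compliance check can read. The PowerShell script below is an added example, not part of the original guide: it maps a selection of the table's rows to the registry value each policy writes and compares the machine against one of the four profile columns. The profile names, the `$Profile` parameter and the shortened setting labels are this script's own; the registry paths and value names are the ones the Security Options policies write. Run it from an elevated prompt, for example `.\Check-SecurityOptions.ps1 -Profile HighSecurityDesktop`.

```powershell
# Added example: audit Security Options against one profile column of the table.
param(
    [ValidateSet('EnterpriseDesktop','EnterpriseLaptop','HighSecurityDesktop','HighSecurityLaptop')]
    [string]$Profile = 'HighSecurityDesktop'   # profile names are this script's own
)
$columns = @{ EnterpriseDesktop = 0; EnterpriseLaptop = 1; HighSecurityDesktop = 2; HighSecurityLaptop = 3 }
$col = $columns[$Profile]

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$mm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Rows: label, registry key, value name, expected values in table column order
# (Enterprise desktop, Enterprise laptop, High Security desktop, High Security laptop).
# LmCompatibilityLevel 3 = Send NTLMv2 only, 5 = Send NTLMv2 only\refuse LM & NTLM.
# NTLMMin*Sec 0x20080000 = NTLMv2 session security (0x80000) + 128-bit encryption (0x20000000).
$baseline = @(
  @('Interactive logon: Do not display last user name',        $sys, 'DontDisplayLastUserName',  @(1,1,1,1)),
  @('Interactive logon: Do not require CTRL+ALT+DEL',          $sys, 'DisableCAD',               @(0,0,0,0)),
  @('Shutdown: Allow shutdown without logon',                  $sys, 'ShutdownWithoutLogon',     @(0,0,0,0)),
  @('Devices: Allow undock without logon',                     $sys, 'UndockWithoutLogon',       @(0,1,0,0)),
  @('Interactive logon: Previous logons to cache',             $wl,  'CachedLogonsCount',        @('2','2','0','1')),
  @('Interactive logon: Password expiry warning (days)',       $wl,  'PasswordExpiryWarning',    @(14,14,14,14)),
  @('Interactive logon: Require DC auth to unlock',            $wl,  'ForceUnlockLogon',         @(0,0,1,0)),
  @('Interactive logon: Smart card removal (1 = lock)',        $wl,  'ScRemoveOption',           @('1','1','1','1')),
  @('Devices: Restrict CD-ROM to local user',                  $wl,  'AllocateCDRoms',           @('0','0','1','1')),
  @('Devices: Restrict floppy to local user',                  $wl,  'AllocateFloppies',         @('1','1','1','1')),
  @('Network security: LAN Manager authentication level',      $lsa, 'LmCompatibilityLevel',     @(3,3,5,5)),
  @('Network security: Do not store LM hash',                  $lsa, 'NoLMHash',                 @(1,1,1,1)),
  @('Network access: No anonymous enumeration of SAM',         $lsa, 'RestrictAnonymousSAM',     @(1,1,1,1)),
  @('Network access: No anonymous enumeration of SAM, shares', $lsa, 'RestrictAnonymous',        @(1,1,1,1)),
  @('Network access: Do not store credentials',                $lsa, 'DisableDomainCreds',       @(1,1,1,1)),
  @('Network access: Sharing model (0 = Classic)',             $lsa, 'ForceGuest',               @(0,0,0,0)),
  @('Network security: Min session security, NTLM clients',    $msv, 'NTLMMinClientSec',         @(0,0,0x20080000,0x20080000)),
  @('Network security: Min session security, NTLM servers',    $msv, 'NTLMMinServerSec',         @(0,0,0x20080000,0x20080000)),
  @('Network server: Digitally sign communications (always)',  $srv, 'RequireSecuritySignature', @(1,1,1,1)),
  @('Network server: Idle minutes before suspending session',  $srv, 'AutoDisconnect',           @(15,15,15,15)),
  @('Network server: Disconnect clients when hours expire',    $srv, 'EnableForcedLogOff',       @(1,0,1,0)),
  @('Network client: Send unencrypted password to SMB',        $wks, 'EnablePlainTextPassword',  @(0,0,0,0)),
  @('Shutdown: Clear virtual memory pagefile',                 $mm,  'ClearPageFileAtShutdown',  @(0,0,1,1))
)

$report = foreach ($row in $baseline) {
    $label = $row[0]; $key = $row[1]; $valueName = $row[2]; $expected = $row[3][$col]
    $actual = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
    # A missing value means the OS default applies; report it rather than treating it as compliant
    $actualText = if ($null -eq $actual) { '(not set)' } else { "$actual" }
    [pscustomobject]@{
        Setting  = $label
        Expected = "$expected"
        Actual   = $actualText
        Status   = if ($actualText -eq "$expected") { 'OK' } else { 'MISMATCH' }
    }
}
$report | Format-Table -AutoSize
```

The comparison is done on the string form of each value because some settings (cached logons, CD-ROM and floppy allocation, smart card removal) are REG_SZ while the rest are REG_DWORD. Settings stored outside the registry or with OS-version-specific locations (the recovery console entries, the logon banner, the FIPS flag, the "remove all entries" lists for shares, named pipes and remote registry paths) are left out; `secedit /export` covers those.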