Group Policy Management
body { font-size:68%;font-family:MS Shell Dlg; margin:0px,0px,0px,0px; border: 1px solid #666666; background:#F6F6F6; width:100%; word-break:normal; word-wrap:break-word; } .head { font-weight:bold; font-size:160%; font-family:MS Shell Dlg; width:100%; color:#6587DC; background:#E3EAF9; border:1px solid #5582D2; padding-left:8px; height:24px; } .path { margin-left: 10px; margin-top: 10px; margin-bottom:5px;width:100%; } .info { padding-left:10px;width:100%; } table { font-size:100%; width:100%; border:1px solid #999999; } th { border-bottom:1px solid #999999; text-align:left; padding-left:10px; height:24px; } td { background:#FFFFFF; padding-left:10px; padding-bottom:10px; padding-top:10px; } .btn { width:100%; text-align:right; margin-top:16px; } .hdr { font-weight:bold; border:1px solid #999999; text-align:left; padding-top: 4px; padding-left:10px; height:24px; margin-bottom:-1px; width:100%; } .bdy { width:100%; height:182px; display:block; overflow:scroll; z-index:2; background:#FFFFFF; padding-left:10px; padding-bottom:10px; padding-top:10px; border:1px solid #999999; } button { width:6.9em; height:2.1em; font-size:100%; font-family:MS Shell Dlg; margin-right:15px; } @media print { .bdy { display:block; overflow:visible; } button { display:none; } .head { color:#000000; background:#FFFFFF; border:1px solid #000000; } }
Setting Path:
Explanation
No explanation is available for this setting.
Supported On:
Not available
DoD Windows Server 2008 R2 Member Server STIG Computer v1r29
Data collected on: 4/24/2019 10:53:17 AM
General
Details
Domainsecurity.local
OwnerSECURITY\Domain Admins
Created4/24/2019 10:04:46 AM
Modified4/24/2019 10:05:26 AM
User Revisions1 (AD), 1 (sysvol)
Computer Revisions1 (AD), 1 (sysvol)
Unique ID{C422A4F4-273E-475D-BE71-634ACEF76660}
GPO StatusUser settings disabled
Links
LocationEnforcedLink StatusPath
None

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users
Delegation
These groups and users have the specified permission for this GPO
NameAllowed PermissionsInherited
NT AUTHORITY\Authenticated UsersRead (from Security Filtering)No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSReadNo
NT AUTHORITY\SYSTEMEdit settings, delete, modify securityNo
SECURITY\Domain AdminsEdit settings, delete, modify securityNo
SECURITY\Enterprise AdminsEdit settings, delete, modify securityNo
Computer Configuration (Enabled)
Policies
Windows Settings
Security Settings
Account Policies/Password Policy
PolicySetting
Enforce password history24 passwords remembered
Maximum password age60 days
Minimum password age1 days
Minimum password length14 characters
Password must meet complexity requirementsEnabled
Store passwords using reversible encryptionDisabled
Account Policies/Account Lockout Policy
PolicySetting
Account lockout duration15 minutes
Account lockout threshold3 invalid logon attempts
Reset account lockout counter after15 minutes
Local Policies/User Rights Assignment
PolicySetting
Access Credential Manager as a trusted caller
Access this computer from the networkBUILTIN\Administrators, NT AUTHORITY\Authenticated Users
Act as part of the operating system
Allow log on locallyBUILTIN\Administrators
Allow log on through Terminal ServicesBUILTIN\Administrators
Back up files and directoriesBUILTIN\Administrators
Change the system timeNT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create a pagefileBUILTIN\Administrators
Create a token object
Create global objectsBUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\SERVICE
Create permanent shared objects
Create symbolic linksBUILTIN\Administrators
Debug programsBUILTIN\Administrators
Deny access to this computer from the networkADD YOUR DOMAIN ADMINS, ADD YOUR ENTERPRISE ADMINS, BUILTIN\Guests, NT AUTHORITY\Local account
Deny log on as a batch jobBUILTIN\Guests, ADD YOUR ENTERPRISE ADMINS, ADD YOUR DOMAIN ADMINS
Deny log on as a serviceADD YOUR ENTERPRISE ADMINS, ADD YOUR DOMAIN ADMINS
Deny log on locallyBUILTIN\Guests, ADD YOUR ENTERPRISE ADMINS, ADD YOUR DOMAIN ADMINS
Deny log on through Terminal ServicesADD YOUR DOMAIN ADMINS, ADD YOUR ENTERPRISE ADMINS, BUILTIN\Guests, NT AUTHORITY\Local account
Enable computer and user accounts to be trusted for delegationBUILTIN\Administrators
Force shutdown from a remote systemBUILTIN\Administrators
Generate security auditsNT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE
Impersonate a client after authenticationBUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\SERVICE
Increase scheduling priorityBUILTIN\Administrators
Load and unload device driversBUILTIN\Administrators
Lock pages in memory
Manage auditing and security logBUILTIN\Administrators
Modify an object label
Modify firmware environment valuesBUILTIN\Administrators
Perform volume maintenance tasksBUILTIN\Administrators
Profile single processBUILTIN\Administrators
Profile system performanceBUILTIN\Administrators, NT SERVICE\WdiServiceHost
Replace a process level tokenNT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE
Restore files and directoriesBUILTIN\Administrators
Take ownership of files or other objectsBUILTIN\Administrators
Local Policies/Security Options
Accounts
PolicySetting
Accounts: Guest account statusDisabled
Accounts: Rename administrator account"X_Admin"
Accounts: Rename guest account"Visitor"
Devices
PolicySetting
Devices: Allow undock without having to log onDisabled
Network Access
PolicySetting
Network access: Allow anonymous SID/Name translationDisabled
Network Security
PolicySetting
Network security: Force logoff when logon hours expireEnabled
Shutdown
PolicySetting
Shutdown: Allow system to be shut down without having to log onDisabled
System Cryptography
PolicySetting
System cryptography: Force strong key protection for user keys stored on the computerUser must enter a password each time they use a key
System Settings
PolicySetting
System settings: Optional subsystems
User Account Control
PolicySetting
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktopDisabled
User Account Control: Only elevate executables that are signed and validatedDisabled
Other
PolicySetting
Accounts: Limit local account use of blank passwords to console logon onlyEnabled
Audit: Audit the access of global system objectsDisabled
Audit: Audit the use of Backup and Restore privilegeDisabled
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settingsEnabled
Devices: Allowed to format and eject removable mediaAdministrators
Devices: Prevent users from installing printer driversEnabled
Domain member: Digitally encrypt or sign secure channel data (always)Enabled
Domain member: Digitally encrypt secure channel data (when possible)Enabled
Domain member: Digitally sign secure channel data (when possible)Enabled
Domain member: Disable machine account password changesDisabled
Domain member: Maximum machine account password age30 days
Domain member: Require strong (Windows 2000 or later) session keyEnabled
Interactive logon: Do not display last user nameEnabled
Interactive logon: Do not require CTRL+ALT+DELDisabled
Interactive logon: Message text for users attempting to log onYou are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only., By using this IS (which includes any device attached to this IS), you consent to the following conditions:, -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
Interactive logon: Message title for users attempting to log on"DoD Notice and Consent Banner"
Interactive logon: Number of previous logons to cache (in case domain controller is not available)2 logons
Interactive logon: Prompt user to change password before expiration14 days
Interactive logon: Smart card removal behaviorLock Workstation
Microsoft network client: Digitally sign communications (always)Enabled
Microsoft network client: Digitally sign communications (if server agrees)Enabled
Microsoft network client: Send unencrypted password to third-party SMB serversDisabled
Microsoft network server: Amount of idle time required before suspending session15 minutes
Microsoft network server: Digitally sign communications (always)Enabled
Microsoft network server: Digitally sign communications (if client agrees)Enabled
Microsoft network server: Disconnect clients when logon hours expireEnabled
Microsoft network server: Server SPN target name validation levelOff
Network access: Do not allow anonymous enumeration of SAM accountsEnabled
Network access: Do not allow anonymous enumeration of SAM accounts and sharesEnabled
Network access: Do not allow storage of passwords and credentials for network authenticationEnabled
Network access: Let Everyone permissions apply to anonymous usersDisabled
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry pathsSystem\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion
Network access: Remotely accessible registry paths and sub-pathsSystem\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib, System\CurrentControlSet\Services\SysmonLog
Network access: Restrict anonymous access to Named Pipes and SharesEnabled
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accountsClassic - local users authenticate as themselves
Network security: Allow Local System to use computer identity for NTLMEnabled
Network security: Allow LocalSystem NULL session fallbackDisabled
Network Security: Allow PKU2U authentication requests to this computer to use online identitiesDisabled
Network security: Configure encryption types allowed for KerberosEnabled
DES_CBC_CRCDisabled
DES_CBC_MD5Disabled
RC4_HMAC_MD5Enabled
AES128_HMAC_SHA1Enabled
AES256_HMAC_SHA1Enabled
Future encryption typesEnabled
Network security: Do not store LAN Manager hash value on next password changeEnabled
Network security: LAN Manager authentication levelSend NTLMv2 response only. Refuse LM & NTLM
Network security: LDAP client signing requirementsNegotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clientsEnabled
Require NTLMv2 session securityEnabled
Require 128-bit encryptionEnabled
Network security: Minimum session security for NTLM SSP based (including secure RPC) serversEnabled
Require NTLMv2 session securityEnabled
Require 128-bit encryptionEnabled
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signingEnabled
System objects: Require case insensitivity for non-Windows subsystemsEnabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)Enabled
User Account Control: Admin Approval Mode for the Built-in Administrator accountEnabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval ModePrompt for consent
User Account Control: Behavior of the elevation prompt for standard usersAutomatically deny elevation requests
User Account Control: Detect application installations and prompt for elevationEnabled
User Account Control: Only elevate UIAccess applications that are installed in secure locationsEnabled
User Account Control: Run all administrators in Admin Approval ModeEnabled
User Account Control: Switch to the secure desktop when prompting for elevationEnabled
User Account Control: Virtualize file and registry write failures to per-user locationsEnabled
Public Key Policies/Trusted Root Certification Authorities
Properties
PolicySetting
Allow users to select new root certification authorities (CAs) to trustEnabled
Client computers can trust the following certificate storesThird-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteriaRegistered in Active Directory only
Advanced Audit Configuration
Account Logon
PolicySetting
Audit Credential ValidationSuccess, Failure
Account Management
PolicySetting
Audit Other Account Management EventsSuccess
Audit Security Group ManagementSuccess
Audit User Account ManagementSuccess, Failure
Detailed Tracking
PolicySetting
Audit Process CreationSuccess
Logon/Logoff
PolicySetting
Audit Account LockoutSuccess, Failure
Audit LogoffSuccess
Audit LogonSuccess, Failure
Audit Special LogonSuccess
Policy Change
PolicySetting
Audit Audit Policy ChangeSuccess, Failure
Audit Authentication Policy ChangeSuccess
Audit Authorization Policy ChangeSuccess
Privilege Use
PolicySetting
Audit Sensitive Privilege UseSuccess, Failure
System
PolicySetting
Audit IPsec DriverSuccess, Failure
Audit Other System EventsSuccess, Failure
Audit Security State ChangeSuccess
Audit Security System ExtensionSuccess
Audit System IntegritySuccess, Failure
Administrative Templates
Policy definitions (ADMX files) retrieved from the local machine.
MS Security Guide
PolicySettingComment
Apply UAC restrictions to local accounts on network logonsEnabled
Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2)Enabled
Configure LanmanWorkstation dependenciesBowser
MRxSmb20
NSI
PolicySettingComment
Configure SMB v1 client driverEnabled
Configure MrxSmb10 driverDisable driver (recommended)
PolicySettingComment
Configure SMB v1 serverDisabled
WDigest Authentication (disabling may require KB2871997)Disabled
MSS (Legacy)
PolicySettingComment
MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)Disabled
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)Enabled
DisableIPSourceRoutingIPv6Highest protection, source routing is completely disabled
PolicySettingComment
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)Enabled
DisableIPSourceRoutingHighest protection, source routing is completely disabled
PolicySettingComment
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routesDisabled
MSS: (KeepAliveTime) How often keep-alive packets are sent in millisecondsEnabled
KeepAliveTime300000 or 5 minutes (recommended)
PolicySettingComment
MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic. Enabled
NoDefaultExemptOnly ISAKMP is exempt (recommended for Windows Server 2003).
PolicySettingComment
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS serversEnabled
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)Disabled
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)Enabled
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)Enabled
ScreenSaverGracePeriod5
PolicySettingComment
MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)Enabled
TcpMaxDataRetransmissions3
PolicySettingComment
MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)Enabled
TcpMaxDataRetransmissions3
PolicySettingComment
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warningEnabled
WarningLevel90%
Network/Link-Layer Topology Discovery
PolicySettingComment
Turn on Mapper I/O (LLTDIO) driverDisabled
Turn on Responder (RSPNDR) driverDisabled
Network/Microsoft Peer-to-Peer Networking Services
PolicySettingComment
Turn off Microsoft Peer-to-Peer Networking ServicesEnabled
Network/Network Connections
PolicySettingComment
Prohibit installation and configuration of Network Bridge on your DNS domain networkEnabled
Require domain users to elevate when setting a network's locationEnabled
Route all traffic through the internal networkEnabled
Select from the following states:Enabled State
Network/TCPIP Settings/IPv6 Transition Technologies
PolicySettingComment
6to4 StateEnabled
Select from the following states:Disabled State
PolicySettingComment
IP-HTTPS StateEnabled
Enter the IPHTTPS Url:about:blank
Select Interface state from the following options:Disabled State
PolicySettingComment
ISATAP StateEnabled
Select from the following states:Disabled State
PolicySettingComment
Teredo StateEnabled
Select from the following states:Disabled State
Network/Windows Connect Now
PolicySettingComment
Configuration of wireless settings using Windows Connect NowDisabled
Prohibit Access of the Windows Connect Now wizardsEnabled
Printers
PolicySettingComment
Extend Point and Print connection to search Windows UpdateDisabled
System/Device Installation
PolicySettingComment
Allow remote access to the Plug and Play interfaceDisabled
Do not send a Windows error report when a generic driver is installed on a deviceEnabled
Prevent creation of a system restore point during device activity that would normally prompt creation of a restore pointDisabled
Prevent device metadata retrieval from the InternetEnabled
Prevent Windows from sending an error report when a device driver requests additional software during installationEnabled
Specify search order for device driver source locationsEnabled
Select search order:Do not search Windows Update
System/Driver Installation
PolicySettingComment
Turn off Windows Update device driver search promptEnabled
System/Group Policy
PolicySettingComment
Registry policy processingEnabled
Do not apply during periodic background processingDisabled
Process even if the Group Policy objects have not changedEnabled
PolicySettingComment
Turn off background refresh of Group PolicyDisabled
System/Internet Communication Management/Internet Communication settings
PolicySettingComment
Turn off downloading of print drivers over HTTPEnabled
Turn off Event Viewer "Events.asp" linksEnabled
Turn off handwriting recognition error reportingEnabled
Turn off Internet download for Web publishing and online ordering wizardsEnabled
Turn off Internet File Association serviceEnabled
Turn off printing over HTTPEnabled
Turn off the "Order Prints" picture taskEnabled
Turn off Windows Customer Experience Improvement ProgramEnabled
Turn off Windows Error ReportingEnabled
Turn off Windows Update device driver searchingEnabled
System/Logon
PolicySettingComment
Always use classic logonEnabled
System/Power Management/Sleep Settings
PolicySettingComment
Require a Password When a Computer Wakes (On Battery)Enabled
Require a Password When a Computer Wakes (Plugged In)Enabled
System/Remote Assistance
PolicySettingComment
Offer Remote AssistanceDisabled
Solicited Remote AssistanceDisabled
Turn on session loggingEnabled
System/Remote Procedure Call
PolicySettingComment
Restrictions for Unauthenticated RPC clientsEnabled
RPC Runtime Unauthenticated Client Restriction to Apply:Authenticated
System/Troubleshooting and Diagnostics/Microsoft Support Diagnostic Tool
PolicySettingComment
Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with Support ProviderDisabled
System/Troubleshooting and Diagnostics/Scripted Diagnostics
PolicySettingComment
Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS)Disabled
System/Troubleshooting and Diagnostics/Windows Performance PerfTrack
PolicySettingComment
Enable/Disable PerfTrackDisabled
Windows Components/Application Compatibility
PolicySettingComment
Turn off Program InventoryEnabled
Windows Components/AutoPlay Policies
PolicySettingComment
Default behavior for AutoRunEnabled
Default AutoRun BehaviorDo not execute any autorun commands
PolicySettingComment
Turn off AutoplayEnabled
Turn off Autoplay on:All drives
PolicySettingComment
Turn off Autoplay for non-volume devicesEnabled
Windows Components/Credential User Interface
PolicySettingComment
Enumerate administrator accounts on elevationDisabled
Windows Components/Event Log Service/Application
PolicySettingComment
Maximum Log Size (KB)Enabled
Maximum Log Size (KB)32768
Windows Components/Event Log Service/Security
PolicySettingComment
Maximum Log Size (KB)Enabled
Maximum Log Size (KB)196608
Windows Components/Event Log Service/Setup
PolicySettingComment
Maximum Log Size (KB)Enabled
Maximum Log Size (KB)32768
Windows Components/Event Log Service/System
PolicySettingComment
Maximum Log Size (KB)Enabled
Maximum Log Size (KB)32768
Windows Components/Game Explorer
PolicySettingComment
Turn off downloading of game informationEnabled
Turn off game updatesEnabled
Windows Components/HomeGroup
PolicySettingComment
Prevent the computer from joining a homegroupEnabled
Windows Components/Remote Desktop Services/Remote Desktop Connection Client
PolicySettingComment
Do not allow passwords to be savedEnabled
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections
PolicySettingComment
Restrict Remote Desktop Services users to a single Remote Desktop Services sessionEnabled
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection
PolicySettingComment
Do not allow COM port redirectionEnabled
Do not allow drive redirectionEnabled
Do not allow LPT port redirectionEnabled
Do not allow smart card device redirectionDisabled
Do not allow supported Plug and Play device redirectionEnabled
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Printer Redirection
PolicySettingComment
Redirect only the default client printerEnabled
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security
PolicySettingComment
Always prompt for password upon connectionEnabled
Require secure RPC communicationEnabled
Set client connection encryption levelEnabled
Encryption LevelHigh Level
Choose the encryption level from the drop-down list.
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Temporary folders
PolicySettingComment
Do not delete temp folder upon exitDisabled
Do not use temporary folders per sessionDisabled
Windows Components/RSS Feeds
PolicySettingComment
Prevent downloading of enclosuresEnabled
Windows Components/Windows Anytime Upgrade
PolicySettingComment
Prevent Windows Anytime Upgrade from running.Enabled
Windows Components/Windows Explorer
PolicySettingComment
Turn off Data Execution Prevention for ExplorerDisabled
Turn off heap termination on corruptionDisabled
Turn off shell protocol protected modeDisabled
Windows Components/Windows Installer
PolicySettingComment
Always install with elevated privilegesDisabled
Disable IE security prompt for Windows Installer scriptsDisabled
Enable user control over installsDisabled
Prohibit non-administrators from applying vendor signed updatesEnabled
Windows Components/Windows Media Digital Rights Management
PolicySettingComment
Prevent Windows Media DRM Internet AccessEnabled
Windows Components/Windows Media Player
PolicySettingComment
Do Not Show First Use Dialog BoxesEnabled
Prevent Automatic UpdatesEnabled
Extra Registry Settings
Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.

SettingState
Software\policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging1
User Configuration (Disabled)
No settings defined.