(0) exportieren Drucken
Alle erweitern

Updated Security Policy Settings for Windows Vista

Letzte Aktualisierung: November 2007

Betrifft: Windows Vista

This section provides the locations of the security settings that have changed from Windows XP in the local Group Policy object (GPO), their default values, and a discussion of the setting.

Audit: Audit the use of Backup and Restore privilege

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy setting is enabled. Enabling this option when the Audit privilege use policy setting is also enabled generates an audit event for every file that is backed up or restored.

If you disable this policy, the use of the Backup or Restore privilege is not audited even when Audit privilege use is enabled.

noteHinweis
For Windows versions prior to Windows Vista, changes will not take effect until you restart the computer. Enabling this setting can cause a large number of events to be generated, sometimes hundreds per second, during a backup operation.

Default value

Disabled

Audit: Shut down system immediately if unable to log security audits

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

This security setting determines whether the system shuts down if it is unable to log security events.

If this security setting is enabled, it causes the system to stop if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the retention method that is specified for the security log is either Do Not Overwrite Events or Overwrite Events by Days.

If the security log is full and an existing entry cannot be overwritten, and this security option is enabled, the following Stop error appears:

STOP: C0000244 {Audit Failed}

An attempt to generate a security audit failed.

To recover, an administrator must log on, archive the log (optional), clear the log, and reset this option to the desired state. Until this security setting is reset, only a member of the Administrators group will be able to log on to the system, even if the security log is not full.

noteHinweis
For Windows versions prior to Windows Vista, changes will not take effect until you restart the computer.

Default value

Disabled

System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing

Location

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Discussion

This security setting determines if the Transport Layer Security/Secure Sockets Layer (TLS/SSL) security provider supports only the TLS protocol as a client and as a server (if applicable). If this setting is enabled, the TLS/SSL security provider uses only the Federal Information Processing Standard (FIPS) 140–approved cryptographic algorithms: Triple Data Encryption Standard (3DES) and Advanced Encryption Standard (AES) for encryption, RSA public key algorithm for the TLS key exchange and authentication, and only the Secure Hashing Algorithm (SHA1, SHA256, SHA384, and SHA512) for the TLS hashing requirements.

For Encrypting File System (EFS), this setting supports the 3DES and AES encryption algorithms for encrypting file data supported by the NTFS file system. By default, EFS uses the AES algorithm with a 256-bit key in Windows Server 2003 and Windows Vista and the DESX algorithm in Windows XP for encrypting file data. For information about EFS, see Verschlüsselndes Dateisystem.

For Terminal Services, this setting supports only the 3DES encryption algorithm for encrypting Terminal Services network communication. For information about Terminal Services, see Terminal Services Technical Reference (http://go.microsoft.com/fwlink/?LinkID=89673).

For Windows BitLocker Drive Encryption, this policy needs to be enabled before any encryption key is generated. When this policy is enabled, BitLocker will prevent the creation or use of recovery passwords; recovery keys should be used instead.

noteHinweis
FIPS 140-2 is a security implementation designed for certifying cryptographic software. FIPS 140-2 validated software is required by the U.S. government and requested by other prominent institutions.

Default value

Disabled

Additional resources

For more information about security policy settings, see the following resources:

Fanden Sie dies hilfreich?
(1500 verbleibende Zeichen)
Vielen Dank für Ihr Feedback.

Community-Beiträge

HINZUFÜGEN
Microsoft führt eine Onlineumfrage durch, um Ihre Meinung zur MSDN-Website zu erfahren. Wenn Sie sich zur Teilnahme entscheiden, wird Ihnen die Onlineumfrage angezeigt, sobald Sie die MSDN-Website verlassen.

Möchten Sie an der Umfrage teilnehmen?
Anzeigen:
© 2014 Microsoft