Appendix A - Windows 2000 Default Security Policy Settings

Each security setting below is listed with its default value in three policies: the Local Security Policy (Professional and Server/Adv. Server), the Domain Controller Security Policy, and the Domain Security Policy.

Account Policies

Password Policy

| Setting | Local Security Policy (Professional and Server/Adv. Server) | Domain Controller Security Policy | Domain Security Policy |
| --- | --- | --- | --- |
| Enforce password history | 0 passwords remembered | Not defined | 1 passwords remembered |
| Maximum password age | 42 days | Not defined | 42 days |
| Minimum password age | 0 days | Not defined | 0 days |
| Minimum password length | 0 characters | Not defined | 0 characters |
| Passwords must meet complexity requirements | Disabled | Not defined | Disabled |
| Store passwords using reversible encryption for all users in the domain | Disabled | Not defined | Disabled |

Account Lockout Policy

| Setting | Local Security Policy (Professional and Server/Adv. Server) | Domain Controller Security Policy | Domain Security Policy |
| --- | --- | --- | --- |
| Account lockout duration | Not defined | Not defined | Not defined |
| Account lockout threshold | 0 invalid login attempts | Not defined | 0 invalid login attempts |
| Reset account lockout counter after | Not defined | Not defined | Not defined |

Kerberos Policy (policy not available in the Local Security Policy; the local default that applies is shown in parentheses)

| Setting | Local Security Policy (Professional and Server/Adv. Server) | Domain Controller Security Policy | Domain Security Policy |
| --- | --- | --- | --- |
| Enforce user logon restrictions | (Not available; local default is Enabled) | Not defined | Enabled |
| Maximum lifetime for service ticket | (Not available; local default is 60 minutes) | Not defined | 600 minutes |
| Maximum lifetime for user ticket | (Not available; local default is 7 hours) | Not defined | 10 hours |
| Maximum lifetime for user ticket renewal | (Not available; local default is 10 days) | Not defined | 7 days |
| Maximum tolerance for computer clock synchronization | (Not available; local default is 60 minutes) | Not defined | 5 minutes |

Local Policies

Audit Policy

| Setting | Local Security Policy (Professional and Server/Adv. Server) | Domain Controller Security Policy | Domain Security Policy |
| --- | --- | --- | --- |
| Audit account logon events | No auditing | No auditing | Not defined |
| Audit account management | No auditing | No auditing | Not defined |
| Audit directory service access | No auditing | No auditing | Not defined |
| Audit logon events | No auditing | No auditing | Not defined |
| Audit object access | No auditing | No auditing | Not defined |
| Audit policy changes | No auditing | No auditing | Not defined |
| Audit privilege use | No auditing | No auditing | Not defined |
| Audit process tracking | No auditing | No auditing | Not defined |
| Audit system events | No auditing | No auditing | Not defined |

User Rights Assignment

| Setting | Local Security Policy (Professional and Server/Adv. Server) | Domain Controller Security Policy | Domain Security Policy |
| --- | --- | --- | --- |
| Access this computer from the network | Administrators, Backup Operators, Power Users, Users, Everyone | Administrators, Authenticated Users, Everyone, IUSR_W2K-machinename, IWAM_W2K-machinename | Not defined |
| Act as part of the operating system | (Blank) | (Blank) | Not defined |
| Add workstations to domain | (Blank) | Authenticated Users | Not defined |
| Back up files and directories | Administrators, Backup Operators | Administrators, Backup Operators, Server Operators | Not defined |
| Bypass traverse checking | Administrators, Backup Operators, Power Users, Users, Everyone | Administrators, Authenticated Users, Everyone | Not defined |
| Change the system time | Administrators, Power Users | Administrators, Server Operators | Not defined |
| Create a pagefile | Administrators | Administrators | Not defined |
| Create a token object | (Blank) | (Blank) | Not defined |
| Create permanent shared objects | (Blank) | (Blank) | Not defined |
| Debug programs | Administrators | Administrators | Not defined |
| Deny access to this computer from the network | (Blank) | (Blank) | Not defined |
| Deny logon as a batch job | (Blank) | (Blank) | Not defined |
| Deny logon as a service | (Blank) | (Blank) | Not defined |
| Deny logon locally | (Blank) | (Blank) | Not defined |
| Enable computer and user accounts to be trusted for delegation | (Blank) | Administrators | Not defined |
| Force shutdown from a remote system | Administrators | Administrators, Server Operators | Not defined |
| Generate security audits | (Blank) | (Blank) | Not defined |
| Increase quotas | Administrators | Administrators | Not defined |
| Increase security scheduling priority | Administrators | Administrators | Not defined |
| Load and unload device drivers | Administrators | Administrators | Not defined |
| Lock pages in memory | (Blank) | (Blank) | Not defined |
| Logon as a batch job | (Blank) | IUSR_W2K-machinename, IWAM_W2K-machinename | Not defined |
| Logon as a service | (Blank) | (Blank) | Not defined |
| Log on locally | Administrators, Backup Operators, Power Users, Users, Machinename/Guest, Machinename/TsInternetUser (Server/Adv. Server only) | Administrators, Authenticated Users, Backup Operators, IUSR_W2K-machinename, Print Operators, Server Operators, TsInternetUser | Not defined |
| Manage auditing and security log | Administrators | Administrators | Not defined |
| Modify firmware environment values | Administrators | Administrators | Not defined |
| Profile single process | Administrators, Backup Operators | Administrators | Not defined |
| Profile system performance | Administrators | Administrators | Not defined |
| Remove computer from docking station | Administrators, Backup Operators, Users | Administrators | Not defined |
| Replace process level token | (Blank) | (Blank) | Not defined |
| Restore files and directories | Administrators, Backup Operators | Administrators, Backup Operators, Server Operators | Not defined |
| Shut down the computer | Administrators, Backup Operators, Power Users, Users (Professional only) | Account Operators, Administrators, Backup Operators, Print Operators, Server Operators | Not defined |
| Synchronize directory service data | (Blank) | (Blank) | Not defined |
| Take ownership of files and other objects | Administrators | Administrators | Not defined |

Security Options

| Setting | Local Security Policy (Professional and Server/Adv. Server) | Domain Controller Security Policy | Domain Security Policy |
| --- | --- | --- | --- |
| Additional restrictions for anonymous connections | None. Rely on default permissions. | Not defined | Not defined |
| Allow server operators to schedule tasks (domain controllers only) | Not defined | Not defined | Not defined |
| Allow system to be shut down without having to log on | Enabled (Professional only); Disabled (Server/Adv. Server only) | Not defined | Not defined |
| Allowed to eject removable NTFS media | Administrators | Not defined | Not defined |
| Amount of idle time required before disconnecting session | 15 minutes | Not defined | Not defined |
| Audit the access of global system objects | Disabled | Not defined | Not defined |
| Audit use of Backup and Restore privilege | Disabled | Not defined | Not defined |
| Automatically log off users when logon time expires | (Option not available on standalone Professional, Server, or Advanced Server) | Not defined | Disabled |
| Automatically log off users when logon time expires (local) | Enabled | Not defined | Not defined |
| Clear virtual memory pagefile when system shuts down | Disabled | Not defined | Not defined |
| Digitally sign client communications (always) | Disabled | Not defined | Not defined |
| Digitally sign client communications (when possible) | Enabled | Not defined | Not defined |
| Digitally sign server communications (always) | Disabled | Not defined | Not defined |
| Digitally sign server communications (when possible) | Disabled | Enabled | Not defined |
| Disable CTRL+ALT+DEL requirement for logon | Not defined (Professional only); Disabled (Server/Adv. Server only) | Not defined | Not defined |
| Do not display user name in the logon screen | Disabled | Not defined | Not defined |
| LAN Manager Authentication Level | Send LM & NTLM response | Not defined | Not defined |
| Message text for users attempting to log on | (Blank) | Not defined | Not defined |
| Message title for users attempting to log on | (Blank) | Not defined | Not defined |
| Number of previous logons to cache (in case domain controller is not available) | 10 logons | Not defined | Not defined |
| Prevent system maintenance of computer account passwords | Disabled | Not defined | Not defined |
| Prevent users from installing print drivers | Disabled (Professional only); Enabled (Server/Adv. Server only) | Not defined | Not defined |
| Prompt user to change password before expiration | 14 days | Not defined | Not defined |
| Recovery Console: Allow automatic administrative logon | Disabled | Not defined | Not defined |
| Recovery Console: Allow floppy copy and access to all drives and folders | Disabled | Not defined | Not defined |
| Rename administrator account | Not defined | Not defined | Not defined |
| Rename guest account | Not defined | Not defined | Not defined |
| Restrict CD-ROM access to locally logged-on user only | Disabled | Not defined | Not defined |
| Restrict floppy access to locally logged-on user only | Disabled | Not defined | Not defined |
| Secure channel: Digitally encrypt or sign secure channel data (always) | Disabled | Not defined | Not defined |
| Secure channel: Digitally encrypt secure channel data (when possible) | Enabled | Not defined | Not defined |
| Secure channel: Digitally sign secure channel data (when possible) | Enabled | Not defined | Not defined |
| Secure channel: Require strong (Windows 2000 or later) session key | Disabled | Not defined | Not defined |
| Secure system partition (for RISC platforms only) | (Option not available on standalone Professional, Server, or Advanced Server) | Not defined | Not defined |
| Send unencrypted password to connect to third-party SMB servers | Disabled | Not defined | Not defined |
| Shut down system immediately if unable to log security audits | Disabled | Not defined | Not defined |
| Smart card removal behavior | No action | Not defined | Not defined |
| Strengthen default permissions of global system objects (e.g. Symbolic Links) | Enabled | Not defined | Not defined |
| Unsigned driver installation behavior | Not defined | Not defined | Not defined |
| Unsigned non-driver installation behavior | Not defined | Not defined | Not defined |

Event Log

Settings for Event Logs (local values are set in the Event Viewer log properties)

| Setting | Local Security Policy (Professional and Server/Adv. Server) | Domain Controller Security Policy | Domain Security Policy |
| --- | --- | --- | --- |
| Maximum application log size | 512 KB | Not defined | Not defined |
| Maximum security log size | 512 KB | Not defined | Not defined |
| Maximum system log size | 512 KB | Not defined | Not defined |
| Restrict guest access to application log | (Not available) | Not defined | Not defined |
| Restrict guest access to security log | (Not available) | Not defined | Not defined |
| Restrict guest access to system log | (Not available) | Not defined | Not defined |
| Retain application log | Overwrite events older than 7 days | Not defined | Not defined |
| Retain security log | Overwrite events older than 7 days | Not defined | Not defined |
| Retain system log | Overwrite events older than 7 days | Not defined | Not defined |
| Retention method for application log | Overwrite events older than 7 days | Not defined | Not defined |
| Retention method for security log | Overwrite events older than 7 days | Not defined | Not defined |
| Retention method for system log | Overwrite events older than 7 days | Not defined | Not defined |
| Shut down the computer when the security audit log is full | (Not available) | Not defined | Not defined |