Security Options

Article
08/31/2016

Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8

This reference topic for the IT professional provides an introduction to the settings under Security Options of the local security policies and links to information about each setting.

The Security Options contain the following groupings of security policy settings that allow you to configure the behavior of the local computer. Some of these policies can be included in a Group Policy Object and distributed over your enterprise.

If you edit policy settings locally on a computer, you will affect the settings on only that one computer. If you configure the settings in a Group Policy Object (GPO) hosted in an Active Directory domain, the settings apply to all computers that are subject to that GPO. For more information about Group Policy in an Active Directory domain, see Group Policy(https://go.microsoft.com/fwlink/?LinkId=55625).

For information about how the security policy snap-in and related technologies work, see Security Policy Settings Technical Overview.

Open the Local Security Policy snap-in (secpol.msc) and navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

Local computer permissions: Membership in the local Administrators group, or equivalent, is the minimum required to modify these policy settings.

For information about setting security policies, see How to Configure Security Policy Settings.

Grouping	Security Policy setting
Accounts	Accounts: Administrator account status Accounts: Block Microsoft accounts Accounts: Guest account status Accounts: Limit local account use of blank passwords to console logon only Accounts: Rename administrator account Accounts: Rename guest account
Audit	Audit: Audit the access of global system objects Audit: Audit the use of Backup and Restore privilege Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings Audit: Shut down system immediately if unable to log security audits
DCOM	DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
Devices	Devices: Allow undock without having to log on Devices: Allowed to format and eject removable media Devices: Prevent users from installing printer drivers Devices: Restrict CD-ROM access to locally logged-on user only Devices: Restrict floppy access to locally logged-on user only
Domain controller	Domain controller: Allow server operators to schedule tasks Domain controller: LDAP server signing requirements Domain controller: Refuse machine account password changes
Domain member	Domain member: Digitally encrypt or sign secure channel data (always) Domain member: Digitally encrypt secure channel data (when possible) Domain member: Digitally sign secure channel data (when possible) Domain member: Disable machine account password changes Domain member: Maximum machine account password age Domain member: Require strong (Windows 2000 or later) session key
Interactive logon	Interactive logon: Display user information when the session is locked Interactive logon: Do not display last user name Interactive logon: Do not require CTRL+ALT+DEL Interactive logon: Machine account lockout threshold Interactive logon: Machine inactivity limit Interactive logon: Message text for users attempting to log on Interactive logon: Message title for users attempting to log on Interactive logon: Number of previous logons to cache (in case domain controller is not available) Interactive logon: Prompt user to change password before expiration Interactive logon: Require Domain Controller authentication to unlock workstation Interactive logon: Require smart card Interactive logon: Smart card removal behavior
Microsoft network client	Microsoft network client: Digitally sign communications (always) Microsoft network client: Digitally sign communications (if server agrees) Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server	Microsoft network server: Amount of idle time required before suspending session Microsoft network server: Attempt S4U2Self to obtain claim information Microsoft network server: Digitally sign communications (always) Microsoft network server: Digitally sign communications (if client agrees) Microsoft network server: Disconnect clients when logon hours expire Microsoft network server: Server SPN target name validation level
Network access	Network access: Allow anonymous SID-Name translation Network access: Do not allow anonymous enumeration of SAM accounts Network access: Do not allow anonymous enumeration of SAM accounts and shares Network access: Do not allow storage of passwords and credentials for network authentication Network access: Let Everyone permissions apply to anonymous users Network access: Named Pipes that can be accessed anonymously Network access: Remotely accessible registry paths Network access: Remotely accessible registry paths and subpaths Network access: Restrict anonymous access to Named Pipes and Shares Network access: Shares that can be accessed anonymously Network access: Sharing and security model for local accounts
Network security	Network security: Allow Local System to use computer identity for NTLM Network security: Allow LocalSystem NULL session fallback Network Security: Allow PKU2U authentication requests to this computer to use online identities Network security: Configure encryption types allowed for Kerberos Network security: Do not store LAN Manager hash value on next password change Network security: Force logoff when logon hours expire Network security: LAN Manager authentication level Network security: LDAP client signing requirements Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication Network security: Restrict NTLM: Add server exceptions in this domain Network Security: Restrict NTLM: Incoming NTLM Traffic Network Security: Restrict NTLM: NTLM authentication in this domain Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers Network Security: Restrict NTLM: Audit Incoming NTLM Traffic Network Security: Restrict NTLM: Audit NTLM authentication in this domain
Recovery console	Recovery console: Allow automatic administrative logon Recovery console: Allow floppy copy and access to all drives and folders
Shutdown	Shutdown: Allow system to be shut down without having to log on Shutdown: Clear virtual memory pagefile
System cryptography	System cryptography: Force strong key protection for user keys stored on the computer System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects	System objects: Require case insensitivity for non-Windows subsystems System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
System settings	System settings: Optional subsystems System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
User Account Control	User Account Control: Admin Approval Mode for the Built-in Administrator account User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode User Account Control: Behavior of the elevation prompt for standard users User Account Control: Detect application installations and prompt for elevation User Account Control: Only elevate executables that are signed and validated User Account Control: Only elevate UIAccess applications that are installed in secure locations User Account Control: Run all administrators in Admin Approval Mode User Account Control: Switch to the secure desktop when prompting for elevation User Account Control: Virtualize file and registry write failures to per-user locations

Security Options

Additional resources