Appendix A - Windows 2000 Default Security Policy Settings
| Security Settings | Local Security Policy (Professional and Server/Adv. Server) | Domain Controller Security Policy | Domain Security Policy |
|---|---|---|---|
| Account Policies | | | |
| Password Policy | | | |
| Enforce password history | 0 passwords remembered | Not defined | 1 passwords remembered |
| Maximum password age | 42 days | Not defined | 42 days |
| Minimum password age | 0 days | Not defined | 0 days |
| Minimum password length | 0 characters | Not defined | 0 characters |
| Passwords must meet complexity requirements | Disabled | Not defined | Disabled |
| Store passwords using reversible encryption for all users in the domain | Disabled | Not defined | Disabled |
| Account Lockout Policy | | | |
| Account lockout duration | Not defined | Not defined | Not defined |
| Account lockout threshold | 0 invalid logon attempts | Not defined | 0 invalid logon attempts |
| Reset account lockout counter after | Not defined | Not defined | Not defined |
| Kerberos Policy | (Policy not available) | | |
| Enforce user logon restrictions | (Not available) (Local default is Enabled) | Not defined | Enabled |
| Maximum lifetime for service ticket | (Not available) (Local default is 60 minutes) | Not defined | 600 minutes |
| Maximum lifetime for user ticket | (Not available) (Local default is 7 hours) | Not defined | 10 hours |
| Maximum lifetime for user ticket renewal | (Not available) (Local default is 10 days) | Not defined | 7 days |
| Maximum tolerance for computer clock synchronization | (Not available) (Local default is 60 minutes) | Not defined | 5 minutes |
| Local Policies | | | |
| Audit Policy | | | |
| Audit account logon events | No auditing | No auditing | Not defined |
| Audit account management | No auditing | No auditing | Not defined |
| Audit directory service access | No auditing | No auditing | Not defined |
| Audit logon events | No auditing | No auditing | Not defined |
| Audit object access | No auditing | No auditing | Not defined |
| Audit policy change | No auditing | No auditing | Not defined |
| Audit privilege use | No auditing | No auditing | Not defined |
| Audit process tracking | No auditing | No auditing | Not defined |
| Audit system events | No auditing | No auditing | Not defined |
| User Rights Assignment | | | |
| Access this computer from the network | Administrators, Backup Operators, Power Users, Users, Everyone | Administrators, Authenticated Users, Everyone, IUSR_W2K-machinename, IWAM_W2K-machinename | Not defined |
| Act as part of the operating system | (Blank) | (Blank) | Not defined |
| Add workstations to domain | (Blank) | Authenticated Users | Not defined |
| Back up files and directories | Administrators, Backup Operators | Administrators, Backup Operators, Server Operators | Not defined |
| Bypass traverse checking | Administrators, Backup Operators, Power Users, Users, Everyone | Administrators, Authenticated Users, Everyone | Not defined |
| Change the system time | Administrators, Power Users | Administrators, Server Operators | Not defined |
| Create a pagefile | Administrators | Administrators | Not defined |
| Create a token object | (Blank) | (Blank) | Not defined |
| Create permanent shared objects | (Blank) | (Blank) | Not defined |
| Debug programs | Administrators | Administrators | Not defined |
| Deny access to this computer from the network | (Blank) | (Blank) | Not defined |
| Deny logon as a batch job | (Blank) | (Blank) | Not defined |
| Deny logon as a service | (Blank) | (Blank) | Not defined |
| Deny logon locally | (Blank) | (Blank) | Not defined |
| Enable computer and user accounts to be trusted for delegation | (Blank) | Administrators | Not defined |
| Force shutdown from a remote system | Administrators | Administrators, Server Operators | Not defined |
| Generate security audits | (Blank) | (Blank) | Not defined |
| Increase quotas | Administrators | Administrators | Not defined |
| Increase scheduling priority | Administrators | Administrators | Not defined |
| Load and unload device drivers | Administrators | Administrators | Not defined |
| Lock pages in memory | (Blank) | (Blank) | Not defined |
| Log on as a batch job | (Blank) | IUSR_W2K-machinename, IWAM_W2K-machinename | Not defined |
| Log on as a service | (Blank) | (Blank) | Not defined |
| Log on locally | Administrators, Backup Operators, Power Users, Users, Machinename\Guest, Machinename\TsInternetUser (Server/Adv. Server only) | Administrators, Authenticated Users, Backup Operators, IUSR_W2K-machinename, Print Operators, Server Operators, TsInternetUser | Not defined |
| Manage auditing and security log | Administrators | Administrators | Not defined |
| Modify firmware environment values | Administrators | Administrators | Not defined |
| Profile single process | Administrators, Backup Operators | Administrators | Not defined |
| Profile system performance | Administrators | Administrators | Not defined |
| Remove computer from docking station | Administrators, Backup Operators, Users | Administrators | Not defined |
| Replace a process level token | (Blank) | (Blank) | Not defined |
| Restore files and directories | Administrators, Backup Operators | Administrators, Backup Operators, Server Operators | Not defined |
| Shut down the system | Administrators, Backup Operators, Power Users, Users (Professional only) | Account Operators, Administrators, Backup Operators, Print Operators, Server Operators | Not defined |
| Synchronize directory service data | (Blank) | (Blank) | Not defined |
| Take ownership of files or other objects | Administrators | Administrators | Not defined |
| Security Options | | | |
| Additional restrictions for anonymous connections | None. Rely on default permissions. | Not defined | Not defined |
| Allow server operators to schedule tasks (domain controllers only) | Not defined | Not defined | Not defined |
| Allow system to be shut down without having to log on | Enabled (Professional only); Disabled (Server/Adv. Server only) | Not defined | Not defined |
| Allowed to eject removable NTFS media | Administrators | Not defined | Not defined |
| Amount of idle time required before disconnecting session | 15 minutes | Not defined | Not defined |
| Audit the access of global system objects | Disabled | Not defined | Not defined |
| Audit use of Backup and Restore privilege | Disabled | Not defined | Not defined |
| Automatically log off users when logon time expires | (Option not available on standalone Professional, Server, or Advanced Server) | Not defined | Disabled |
| Automatically log off users when logon time expires (local) | Enabled | Not defined | Not defined |
| Clear virtual memory pagefile when system shuts down | Disabled | Not defined | Not defined |
| Digitally sign client communications (always) | Disabled | Not defined | Not defined |
| Digitally sign client communications (when possible) | Enabled | Not defined | Not defined |
| Digitally sign server communications (always) | Disabled | Not defined | Not defined |
| Digitally sign server communications (when possible) | Disabled | Enabled | Not defined |
| Disable CTRL+ALT+DEL requirement for logon | Not defined (Professional only); Disabled (Server/Adv. Server only) | Not defined | Not defined |
| Do not display last user name in logon screen | Disabled | Not defined | Not defined |
| LAN Manager Authentication Level | Send LM & NTLM responses | Not defined | Not defined |
| Message text for users attempting to log on | (Blank) | Not defined | Not defined |
| Message title for users attempting to log on | (Blank) | Not defined | Not defined |
| Number of previous logons to cache (in case domain controller is not available) | 10 logons | Not defined | Not defined |
| Prevent system maintenance of computer account password | Disabled | Not defined | Not defined |
| Prevent users from installing printer drivers | Disabled (Professional only); Enabled (Server/Adv. Server only) | Not defined | Not defined |
| Prompt user to change password before expiration | 14 days | Not defined | Not defined |
| Recovery Console: Allow automatic administrative logon | Disabled | Not defined | Not defined |
| Recovery Console: Allow floppy copy and access to all drives and all folders | Disabled | Not defined | Not defined |
| Rename administrator account | Not defined | Not defined | Not defined |
| Rename guest account | Not defined | Not defined | Not defined |
| Restrict CD-ROM access to locally logged-on user only | Disabled | Not defined | Not defined |
| Restrict floppy access to locally logged-on user only | Disabled | Not defined | Not defined |
| Secure channel: Digitally encrypt or sign secure channel data (always) | Disabled | Not defined | Not defined |
| Secure channel: Digitally encrypt secure channel data (when possible) | Enabled | Not defined | Not defined |
| Secure channel: Digitally sign secure channel data (when possible) | Enabled | Not defined | Not defined |
| Secure channel: Require strong (Windows 2000 or later) session key | Disabled | Not defined | Not defined |
| Send unencrypted password to connect to third-party SMB servers | Disabled | Not defined | Not defined |
| Shut down system immediately if unable to log security audits | Disabled | Not defined | Not defined |
| Smart card removal behavior | No action | Not defined | Not defined |
| Strengthen default permissions of global system objects (e.g. Symbolic Links) | Enabled | Not defined | Not defined |
| Unsigned driver installation behavior | Not defined | Not defined | Not defined |
| Unsigned non-driver installation behavior | Not defined | Not defined | Not defined |
| Event Log | | | |
| Settings for Event Logs | Set in Event Viewer log properties | | |
| Maximum application log size | 512 KB | Not defined | Not defined |
| Maximum security log size | 512 KB | Not defined | Not defined |
| Maximum system log size | 512 KB | Not defined | Not defined |
| Restrict guest access to application log | (Not available) | Not defined | Not defined |
| Restrict guest access to security log | (Not available) | Not defined | Not defined |
| Restrict guest access to system log | (Not available) | Not defined | Not defined |
| Retain application log | Overwrite events older than 7 days | Not defined | Not defined |
| Retain security log | Overwrite events older than 7 days | Not defined | Not defined |
| Retain system log | Overwrite events older than 7 days | Not defined | Not defined |
| Retention method for application log | Overwrite events older than 7 days | Not defined | Not defined |
| Retention method for security log | Overwrite events older than 7 days | Not defined | Not defined |
| Retention method for system log | Overwrite events older than 7 days | Not defined | Not defined |
| Shut down the computer when the security audit log is full | (Not available) | Not defined | Not defined |
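Several of the local defaults in the table are weak by modern standards: no minimum password length, no complexity, no lockout, no auditing of any category, LM responses sent, anonymous connections unrestricted, SMB server signing not required, and "Access this computer from the network" granted to Everyone. The practical way to verify what a given Windows 2000 host actually runs is to export its effective local policy with `secedit /export /cfg C:\local.inf` and compare the result against a baseline. The following Python script is an added example, not part of the original appendix or of any Microsoft tool: it parses such an export (an INI-style file with `[System Access]`, `[Event Audit]`, `[Privilege Rights]` and `[Registry Values]` sections, registry entries written as `path=type,data` with type 4 meaning REG_DWORD) and flags the weak defaults listed above. The embedded `.inf` text is constructed to mirror the Professional column of the table and was not exported from a real machine; the thresholds used (8-character minimum length, LAN Manager level 2 or higher) are the example's own assumptions about a baseline.

```python
"""Flag weak Windows 2000 default security settings in a secedit export.

Usage on the target:  secedit /export /cfg C:\\local.inf
Then:                 python audit_inf.py C:\\local.inf
"""
import sys

# Constructed sample: mirrors the Windows 2000 Professional local defaults
# from the table above (not a real export). SIDs: S-1-1-0 Everyone,
# S-1-5-32-544 Administrators, -545 Users, -547 Power Users, -551 Backup Operators.
SAMPLE_DEFAULT_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0
SeDebugPrivilege = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
"""

LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"
SRV = "MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\"

# [Event Audit] keys mapped to the policy names used in the table.
AUDIT_NAMES = {
    "AuditAccountLogon": "account logon events", "AuditAccountManage": "account management",
    "AuditDSAccess": "directory service access", "AuditLogonEvents": "logon events",
    "AuditObjectAccess": "object access", "AuditPolicyChange": "policy change",
    "AuditPrivilegeUse": "privilege use", "AuditProcessTracking": "process tracking",
    "AuditSystemEvents": "system events",
}


def parse_inf(text):
    """Return {section: {key: value}} from the body of a security template."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def _int(section, key):
    """Integer value of a key, or None when absent ('Not defined')."""
    value = section.get(key)
    return int(value) if value is not None and value.lstrip("-").isdigit() else None


def reg_dword(sections, path):
    """REG_DWORD data for a [Registry Values] entry ('4,<data>'), else None."""
    entry = sections.get("Registry Values", {}).get(path)
    if entry is None:
        return None
    reg_type, data = entry.split(",", 1)
    return int(data) if reg_type.strip() == "4" else None


def audit_template(text):
    """Return a list of findings; an empty list means no weak default found."""
    s = parse_inf(text)
    acc, audit, rights = (s.get(n, {}) for n in ("System Access", "Event Audit", "Privilege Rights"))
    findings = []
    if (_int(acc, "MinimumPasswordLength") or 0) < 8:
        findings.append("Minimum password length below 8 (table default: 0 characters)")
    if _int(acc, "PasswordComplexity") != 1:
        findings.append("Password complexity requirements disabled")
    if (_int(acc, "PasswordHistorySize") or 0) < 1:
        findings.append("No password history enforced")
    if (_int(acc, "LockoutBadCount") or 0) == 0:
        findings.append("Account lockout threshold is 0 (no lockout)")
    if _int(acc, "ClearTextPassword") == 1:
        findings.append("Passwords stored using reversible encryption")
    for key, name in AUDIT_NAMES.items():
        if (_int(audit, key) or 0) == 0:  # 0 = no auditing, 1 success, 2 failure, 3 both
            findings.append(f"No auditing: {name}")
    lm = reg_dword(s, LSA + "LmCompatibilityLevel")
    if lm is None or lm < 2:  # levels 0 and 1 still send the LM response
        findings.append("LAN Manager authentication level sends LM responses")
    if (reg_dword(s, LSA + "RestrictAnonymous") or 0) == 0:
        findings.append("Anonymous connections rely on default permissions")
    if (reg_dword(s, SRV + "RequireSecuritySignature") or 0) == 0:
        findings.append("SMB server signing not required")
    network_logon = [x.strip() for x in rights.get("SeNetworkLogonRight", "").split(",")]
    if "*S-1-1-0" in network_logon:
        findings.append("'Access this computer from the network' granted to Everyone")
    return findings


if __name__ == "__main__":
    # A real secedit export is UTF-16 with a BOM; fall back to the sample without a path.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_DEFAULT_INF
    for finding in audit_template(text):
        print("WEAK:", finding)
```

Run against the embedded sample it reports seventeen findings, one per weak default above; run against a hardened export it should report none, which makes it usable as a quick regression check after applying a template with `secedit /configure`.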