Security options

This section covers:

•	Accounts: Administrator account status
•	Accounts: Guest account status
•	Accounts: Limit local account use of blank passwords to console logon only
•	Accounts: Rename administrator account
•	Accounts: Rename guest account

•	Audit: Audit the access of global system objects
•	Audit: Audit use of Backup and Restore privilege
•	Audit: Shut down system immediately if unable to log security audits

•	Devices: Allowed to format and eject removable media
•	Devices: Allow undock without having to logon
•	Devices: Prevent users from installing printer drivers
•	Devices: Restrict CD-ROM access to locally logged-on user only
•	Devices: Restrict floppy access to locally logged-on user only
•	Devices: Unassigned driver installation behavior

•	Domain controller: Allow server operators to schedule tasks (domain controllers only)
•	Domain controller: Refuse machine account password changes

•	Domain member: Digitally encrypt or sign secure channel data (always)
•	Domain member: Digitally encrypt secure channel data (when possible)
•	Domain member: Digitally sign secure channel data (when possible)
•	Domain member: Maximum age for machine account password
•	Domain member: Require strong (Windows 2000 or later) session key
•	Domain member: Disable machine account password changes

•	Interactive logon: Do not display last user name
•	Interactive logon: Do not require CTRL+ALT+DEL
•	Interactive logon: Message text for users attempting to log on
•	Interactive logon: Message title for users attempting to log on
•	Interactive logon: Number of previous logons to cache (in case domain controller is not available)
•	Interactive logon: Prompt user to change password before expiration
•	Interactive logon: Require domain controller authentication to unlock
•	Interactive logon: Smart card removal behavior

•	Microsoft network client: Digitally sign communications (always)
•	Microsoft network client: Digitally sign communications (if server agrees)
•	Microsoft network client: Send unencrypted password to connect to third-party SMB servers

•	Microsoft network server: Amount of idle time required before suspending a session
•	Microsoft network server: Digitally sign communications (always)
•	Microsoft network server: Digitally sign communications (if client agrees)
•	Microsoft network server: Disconnect clients when logon time expires

•	Network access: Allow anonymous SID/name translation
•	Network access: Do not allow anonymous enumeration of SAM accounts
•	Network access: Do not allow anonymous enumeration of SAM accounts and shares
•	Network access: Do not allow Stored User Names and Passwords to save passwords or credentials for domain authentication
•	Network access: Let Everyone permissions apply to anonymous users
•	Network access: Named pipes that can be accessed anonymously
•	Network access: Remote Remotely accessible registry paths
•	Network access: Shares that can be accessed anonymously
•	Network access: Sharing and security model for local accounts

•	Network security: Do not store Lan Manager level hash values on next password change
•	Network security: Force logoff when logon hours expire
•	Network security: LAN Manager Authentication Level
•	Network security: Minimum session security for NTLM SSP based (including RPC) clients
•	Network security: Minimum session security for NTLM SSP based (including RPC) servers

•	Recovery console: Allow automatic administrative logon
•	Recovery console: Allow floppy copy and access to all drives and all folders

•	Shutdown: Allow system to be shut down without having to log on
•	Shutdown: Clear virtual memory pagefile

•	System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

•	System objects: Default owner for objects created by members of the administrators group
•	System objects: Require case insensitivity for non-Windows subsystems
•	System objects: Strengthen default permissions of global system objects (e.g., Symbolic links)