Account Policies | | | |
Password Policy | | | |
Enforce password history | 0 passwords remembered | Not defined | 1 passwords remembered |
Maximum password age | 42 days | Not defined | 42 days |
Minimum password age | 0 days | Not defined | 0 days |
Minimum password length | 0 characters | Not defined | 0 characters |
Passwords must meet complexity requirements | Disabled | Not defined | Disabled |
Store passwords using reversible encryption for all users in the domain | Disabled | Not defined | Disabled |
Account Lockout Policy | | | |
Account lockout duration | Not defined | Not defined | Not defined |
Account lockout threshold | 0 invalid login attempts | Not defined | 0 invalid login attempts |
Reset account lockout counter after | Not defined | Not defined | Not defined |
Kerberos Policy | (Policy not available) | | |
Enforce user logon restrictions | (Not available) (Local default is Enabled) | Not defined | Enabled |
Maximum lifetime for service ticket | (Not available) (Local default is 60 minutes) | Not defined | 600 minutes |
Maximum lifetime for user ticket | (Not available) (Local default is 7 hours) | Not defined | 10 hours |
Maximum lifetime for user ticket renewal | (Not available) (Local default is 10 days) | Not defined | 7 days |
Maximum tolerance for computer clock synchronization | (Not available) (Local default is 60 minutes) | Not defined | 5 minutes |
Local Policies | | | |
Audit Policy | | | |
Audit account logon events | No auditing | No auditing | Not defined |
Audit account management | No auditing | No auditing | Not defined |
Audit directory service access | No auditing | No auditing | Not defined |
Audit logon events | No auditing | No auditing | Not defined |
Audit object access | No auditing | No auditing | Not defined |
Audit policy changes | No auditing | No auditing | Not defined |
Audit privilege use | No auditing | No auditing | Not defined |
Audit process tracking | No auditing | No auditing | Not defined |
Audit system events | No auditing | No auditing | Not defined |
User Rights Assignment | | | |
Access this computer from the network | Administrators Backup Operators Power Users Users Everyone | Administrators Authenticated Users Everyone IUSR_W2K-machinename IWAM_W2K-machinename | Not defined |
Act as part of the operating system | (Blank) | (Blank) | Not defined |
Add workstations to domain | (Blank) | Authenticated Users | Not defined |
Back up files and directories | Administrators Backup Operators | Administrators Backup Operators Server Operators | Not defined |
Bypass traverse checking | Administrators Backup Operators Power Users Users Everyone | Administrators Authenticated Users Everyone | Not defined |
Change the system time | Administrators Power Users | Administrators Server Operators | Not defined |
Create a pagefile | Administrators | Administrators | Not defined |
Create a token object | (Blank) | (Blank) | Not defined |
Create permanent shared objects | (Blank) | (Blank) | Not defined |
Debug programs | Administrators | Administrators | Not defined |
Deny access to this computer from the network | (Blank) | (Blank) | Not defined |
Deny logon as a batch job | (Blank) | (Blank) | Not defined |
Deny logon as a service | (Blank) | (Blank) | Not defined |
Deny logon locally | (Blank) | (Blank) | Not defined |
Enable computer and user accounts to be trusted for delegation | (Blank) | Administrators | Not defined |
Force shutdown from a remote system | Administrators | Administrators Server Operators | Not defined |
Generate security audits | (Blank) | (Blank) | Not defined |
Increase quotas | Administrators | Administrators | Not defined |
Increase security scheduling priority | Administrators | Administrators | Not defined |
Load and unload device drivers | Administrators | Administrators | Not defined |
Lock pages in memory | (Blank) | (Blank) | Not defined |
Log on as a batch job | (Blank) | IUSR_W2K-machinename IWAM_W2K-machinename | Not defined |
Log on as a service | (Blank) | (Blank) | Not defined |
Log on locally | Administrators Backup Operators Power Users Users Machinename/Guest Machinename/TsInternetUser (Server/Adv. Server only) | Administrators Authenticated Users Backup Operators IUSR_W2K-machinename Print Operators Server Operators TsInternetUser | Not defined |
Manage auditing and security log | Administrators | Administrators | Not defined |
Modify firmware environment values | Administrators | Administrators | Not defined |
Profile single process | Administrators Backup Operators | Administrators | Not defined |
Profile system performance | Administrators | Administrators | Not defined |
Remove computer from docking station | Administrators Backup Operators Users | Administrators | Not defined |
Replace process level token | (Blank) | (Blank) | Not defined |
Restore files and directories | Administrators Backup Operators | Administrators Backup Operators Server Operators | Not defined |
Shut down the computer | Administrators Backup Operators Power Users Users (Professional only) | Account Operators Administrators Backup Operators Print Operators Server Operators | Not defined |
Synchronize directory service data | (Blank) | (Blank) | Not defined |
Take ownership of files and other objects | Administrators | Administrators | Not defined |
Security Options | | | |
Additional restrictions for anonymous connections | None. Rely on default permissions. | Not defined | Not defined |
Allow server operators to schedule tasks (domain controllers only) | Not defined | Not defined | Not defined |
Allow system to be shut down without having to log on | Enabled (Professional only) Disabled (Server/Adv. Server only) | Not defined | Not defined |
Allowed to eject removable NTFS media | Administrators | Not defined | Not defined |
Amount of idle time required before disconnecting session | 15 minutes | Not defined | Not defined |
Audit the access of global system objects | Disabled | Not defined | Not defined |
Audit use of Backup and Restore privilege | Disabled | Not defined | Not defined |
Automatically log off users when logon time expires | (Option not available on standalone Professional, Server, or Advanced Server) | Not defined | Disabled |
Automatically log off users when logon time expires (local) | Enabled | Not defined | Not defined |
Clear virtual memory pagefile when system shuts down | Disabled | Not defined | Not defined |
Digitally sign client communications (always) | Disabled | Not defined | Not defined |
Digitally sign client communications (when possible) | Enabled | Not defined | Not defined |
Digitally sign server communications (always) | Disabled | Not defined | Not defined |
Digitally sign server communications (when possible) | Disabled | Enabled | Not defined |
Disable CTRL+ALT+DEL requirement for logon | Not defined (Professional only) Disabled (Server/Adv. Server only) | Not defined | Not defined |
Do not display user name in the logon screen | Disabled | Not defined | Not defined |
LAN Manager Authentication Level | Send LM & NTLM response | Not defined | Not defined |
Message text for users attempting to log on | (Blank) | Not defined | Not defined |
Message title for users attempting to log on | (Blank) | Not defined | Not defined |
Number of previous logons to cache (in case domain controller is not available) | 10 logons | Not defined | Not defined |
Prevent system maintenance of computer account passwords | Disabled | Not defined | Not defined |
Prevent users from installing print drivers | Disabled (Professional only) Enabled (Server/Adv. Server only) | Not defined | Not defined |
Prompt user to change password before expiration | 14 days | Not defined | Not defined |
Recovery Console: Allow automatic administrative logon | Disabled | Not defined | Not defined |
Recovery Console: Allow floppy copy and access to all drives and folders | Disabled | Not defined | Not defined |
Rename administrator account | Not defined | Not defined | Not defined |
Rename guest account | Not defined | Not defined | Not defined |
Restrict CD-ROM access to locally logged-on user only | Disabled | Not defined | Not defined |
Restrict floppy access to locally logged-on user only | Disabled | Not defined | Not defined |
Secure channel: Digitally encrypt or sign secure channel data (always) | Disabled | Not defined | Not defined |
Secure channel: Digitally encrypt secure channel data (when possible) | Enabled | Not defined | Not defined |
Secure channel: Digitally sign secure channel data (when possible) | Enabled | Not defined | Not defined |
Secure channel: Require strong (Windows 2000 or later) session key | Disabled | Not defined | Not defined |
Send unencrypted password to connect to third-party SMB servers | Disabled | Not defined | Not defined |
Shut down system immediately if unable to log security audits | Disabled | Not defined | Not defined |
Smart card removal behavior | No action | Not defined | Not defined |
Strengthen default permissions of global system objects (e.g. Symbolic Links) | Enabled | Not defined | Not defined |
Unsigned driver installation behavior | Not defined | Not defined | Not defined |
Unsigned non-driver installation behavior | Not defined | Not defined | Not defined |
Event Log | | | |
Settings for Event Logs | Set in Event Viewer log properties | | |
Maximum application log size | 512 Kb | Not defined | Not defined |
Maximum security log size | 512 Kb | Not defined | Not defined |
Maximum system log size | 512 Kb | Not defined | Not defined |
Restrict guest access to application log | (Not available) | Not defined | Not defined |
Restrict guest access to security log | (Not available) | Not defined | Not defined |
Restrict guest access to system log | (Not available) | Not defined | Not defined |
Retain application log | Overwrite events older than 7 days | Not defined | Not defined |
Retain security log | Overwrite events older than 7 days | Not defined | Not defined |
Retain system log | Overwrite events older than 7 days | Not defined | Not defined |
Retention method for application log | Overwrite events older than 7 days | Not defined | Not defined |
Retention method for security log | Overwrite events older than 7 days | Not defined | Not defined |
Retention method for system log | Overwrite events older than 7 days | Not defined | Not defined |
Shut down the computer when the security audit log is full | (Not available) | Not defined | Not defined |