DoD Windows 7 Security Settings

Location
Local Computer Policy\Computer

Configuration\Windows Settings\Security
Settings\Account Policies\Password Policy

Settings\Account Policies\Account Lockout Policy

Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment
Configuration\Windows Settings\Security Settings\Local
Policies\Security Options
Settings\Windows Firewall with Advanced
Security\Windows Firewall with Advanced Security -
Local Group Policy Object\Domain Profile\State

Local Group Policy Object\Domain Profile\Settings

Local Group Policy Object\Domain Profile\Logging

Local Group Policy Object\Private Profile\State

Local Group Policy Object\Private Profile\Settings
Local Group Policy Object\Private Profile\Logging

Local Group Policy Object\Public Profile\State

Local Group Policy Object\Public Profile\Settings

Local Group Policy Object\Public Profile\Logging

Settings\Advanced Audit Policy Configuration\System
Audit Policies\Account Logon
Audit Policies\Account Management

Audit Policies\Detailed Tracking

Audit Policies\DS Access

Audit Policies\Logon/Logof
Audit Policies\Object Access

Audit Policies\Policy Change

Audit Policies\Privlege Use

Audit Policies\System
Audit Policies\Global Ojbect Access Auditing

Configuration\Administrative Templates\Network\Link-
Layer Topology Discovery

Configuration\Administrative
Templates\Network\Microsoft Peer-to-Peer Networking
Services
Templates\Network\Network Connections

Configuration\Administrative Templates\Network\TCPIP
Settings\IPv6 Transition Technologies

Templates\Network\Windows Connect Now

Configuration\Administrative Templates\Printers
Configuration\Administrative Templates\System\Device
Installation
Configuration\Administrative Templates\System\Driver
Installation
Configuration\Administrative Templates\System\Group
Policy

Templates\System\Internet Communications
Management\Internet Communication settings

Configuration\Administrative Templates\System\Logon

Configuration\Administrative Templates\System\Power
Management\Sleep Settings
Templates\System\Remote Assistance

Templates\System\Remote Procedure Call

Templates\System\Troubleshooting and
Diagnostics\Microsoft Support Diagnostic Tool

Diagnostics\Scripted Diagnostics

Diagnostics\Windows Performance PerfTrack

Templates\System\Windows Time Service\Time
Providers
Configuration\Administrative Templates\Windows
Components\Application Compatibility

Components\AutoPlay Policies

Components\Credential User Interface

Components\Desktop Gadgets
Components\Event Log Service\Application
Components\Event Log Service\Security
Components\Event Log Service\Setup
Components\Event Log Service\System

Components\Game Explorer

Components\HomeGroup

Components\Remote Desktop Services\Remote
Desktop Connection Client

Desktop Session Host\Connections

Desktop Session Host\Device and Resource Redirection

Desktop Session Host\Security
Desktop Session Host\Session Time Limits

Desktop Session Host\Temporary Folders

Components\RSS Feeds

Components\Search

Components\Windows Anytime Upgrade
Components\Windows Defender

Components\Windows Error Reporting

Components\Windows Explorer
Components\Windows Installer

Components\Windows Logon Options

Components\Windows Media Digital Rights
Management

Components\Windows Media Player

Components\Windows Update
Setting
Enforce password history
Maximum password age

Minimum password age
Minimum password length
Password must meet complexity requirements
Store passwords using reversible encryption
Account lockout duration
Account lockout threshold

Reset account lockout counter after
Access Credential Manager as a trusted caller
Access this computer from the network

Act as part of the operating system
Adjust memory quotas for a process
Allow log on locally
Allow log on through Remote Desktop Services

Back up files and directories
Bypass traverse checking
Change the system time

Change the time zone
Create a pagefile
Create a token object
Create global objects
Create permanent shared objects

Create symbolic links
Debug programs
Deny access to this copmuter from the network
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Deny log on through Remote Desktop Services
Enable computer and user accounts to be trusted for delegation

Force shutdown from a remote system
Generate security audits
Impersonate a client after authenication
Increase a process working set

Increase scheduling priority
Load and unload device drivers
Lock pages in memory
Log on as a batch job
Log on as a serice
Manage auditing and security log
Modify an object label
Modify firmware environment values
Perform volume maintenance tasks
Profile single process
Profile system preformance
Remove computer from docking station

Replace a process level token
Restore files and directories
Shut down the system
Take ownership of files or other objects
Accounts: Administrator account status
Accounts: Guest account status

Accounts: Limit local account use of blank passwords to console logon
only
Accounts: Rename administrator account
Accounts: Rename guest account
Audit: Audit the access of global system objects
Audit: Audit the use of backup and restore privilege
Audit: Force policy subcatagory settings (Windows Vista or later) to
override audit policy category settings
Audit: Shut down system immediately if unable to log secuirty audits
Devices: Allowed to format and eject removable media

Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on users only
Devices: Restrict floppy access to locally logged-on user only

Domain member: Digitally encrypt or sign secure channel data
(always)
Domain member: Digitally encrypt secure channel data (when
possible))
Domain mamber: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes

Domain member: Maximum machine account password age
Domain mamber: Require strong (Windows 2000 or later) session key
Interactive logon: Do not display last user name

Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Message text for users attenpting to log on
Interactive logon: Message title for users attenpting to log on
Interactive logon: Number of previous logons to cache (in case
domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Intactive logon: Requrie Domain Controller authentication to unlock

workstation
Interactive logon: Smart card removal behavior
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server

agrees)
Microsoft network client: Send unencrypted password to third-party
SMB servers
Microsoft network server: Amount of idle time required before
suspending session
Microsoft network server: Digitally communications (always)
Microsoft network server: Digitally sign communications (if client
agrees)
Microsoft network server: Disconnect clients when logon hours expire
Microsoft network server: Server SPN target name validation level
MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
MSS: (DisableIPSourceRouting) IP source routing protection level

(protects against packet spoofing)
MSS: (DisableIPSourceRoutingIPV6) IP source routing protection level
(protects against packet spoofing)
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF
generated routes
MSS: (Hidden) Hide Computer From the Browser List (not
recommended except for highly secure environments)
MSS: (KeepAliveTime) How often keep-alive packets are sent in
miliseconds
MSS: (NoDefaultExempt) Configure IPSec exemptions for various
types of network traffic
MSS: (NoNameReleaseOnDemand) Allow computer to ignore NetBIOS
name release requests except from WINS servers
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop
generating 8.3 style filenames (recommended)
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure
Default Gateway addresses (could lead to DoS)
MSS: (SafeDllSearchMode) Enable Safe DLL search mode
(recommended)
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen
saver grace period expires (0 recommended)
MSS: (TcpMaxDataRetransmissions) How many times
unacknowledged data is retransmitted (3 recommended, 5 is the
default)
MSS: (TcpMaxDataRetransmissionsIPv6) How many times

unacknowledged data is retransmitted (3 recommended, 5 is the
default)
MSS: (Warning Level) Percentage threshold for the security event log
at which the system will generate a warning
Network access: Allow anonymous SID\Name traslation
Network access: Do not allow anonymous enumeration of SAM
accounts
Network access: Do not allow anonymous enumeration of SAM
accounts and shares
Network access: Do not allow storage of passwords and credentials
for network authentication
Network access: Let Eveyone permission apply to anonymous user
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths and sub-paths
Network access: Restrict anonymous access to Named Pipes and

Shares
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network Security: Allow LocalSystem to use computer identity for
NTLM
Network Security: Allow LocalSystem NULL session fallback
Network Security: Allow PKU2U authentication requests to this
computer to use online identities
Network Security: Configure encryption types allowed for Kerberos
Network Security: Do not store LAN Manager hash value on next

password change
Network Security: Force logof when logon hours expire
Network Security: LAN Manager authentication level
Network Security: LDAP client signing requirements
Network Security: Minimum session security for NTLM SPP based
(including secure RPC) clients
Network Security: Minimum session security for NTLM SPP based
(including secure RPC) servers
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and
allfolders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile

System cryptography: Use FIPS compliant algorithms for encryption,
hashing, and signing
System objects: Require case insensitivity for non-Windows
subsystems
System objects: Strengthen default permissions of internal system
objects (e.g. Symbolic Links)
User Account Control: Admin Approval Mode for the Built-in
Administrator account
User Account Control: Behavior of the elevation prompt for
administrators in Admin Approval Mode
User Account Control: Behavior of the elevation prompt for standard
users
User Account Control: Detect application installation and prompt for
elevation
User Account Control: Only elevate executables that are signed and
validated
User Account Control: Only elevate UIAccess applications that are
installed in secure locations
User Account Control: Run all administators in Admin Approval Mode
User Account Control: Switch to the secure desktop when prompting

for elevation
User Account Control: Virtualize file and registry write failures to per-
user locations
Firewall State
Inbound connections
Outbound connections
Display a notification
Allow unicast response

Apply local firewall rules
Apply local connection security rules
Name
Size limits
Log dropped packets
Log successful connections
Firewall State
Inbound connections

Name
Size limits
Log dropped packets
Firewall State
Inbound connections

Name
Size limits
Log dropped packets
Credential Validation
Kerberos Authenication Service

Kerberos Service Ticket Operation
Other Account Logon Events
Application Group Management
Computer Account Management

Distribution Group Management
Other Account Management Events
Security Group Management
User Account Management
DPAPI Activity
Process Creation
Process Termination
RPC Events
Detailed Directory Service Replication
Directory Service Access

Directory Service Changes
Directory Service Replication
Audit Account Lockout
Ipsec Extended Mode

Ipsec Main Mode
Ipsec Quick Mode
Logof
Logon
Network Policy Server
Other Logon/Logof Events
Special Logon
Application Generated
Certification Services
Audit Detailed File Share
File Share
File System
Filtering Platform Connection
Filtering Platform Packet Drop
Handle Manipulation
Kernel Object
Other Object Access Events
Registry
SAM
Audit Policy Change
Authentication Policy Change

Authorization Policy Change
Filtering Platform Change
MPSSVR Rule-Level Policy Change
Other Policy Change Events
Non Sensitive Privilege Use
Other Privilege Use Events

Sensitive Privilege Use
Ipsec Driver
Other System Events

Security State Changes
Security System Extension
System Integrity
File System
Registry
Turn on Mapper I/O (LLTDIO) Driver
Turn on Responder (RSPNDR) Driver
Turn of Microsoft Peer-to-Peer Networking Services
Prohibit installation and configuration of Network Bridge on your DNS

domain network
Prohibit use of Internet Connection Sharing on your DNS domain

network
Require domain users to elevate when setting a network's location
Route all traffic through the internal network
6to4 State
ISATAP State
Teredo State
IP HTTPS
Configuration of wireless settings using Windows Connect Now
Prohibit Access of the Windows Connect Now wizards

Extend Point and Print connection to search Windows Update and use
alternate cooection if needed
Allow remote access to the PnP interface
Do not send a Windows Error Report when a generic driver is installed

on a device
Prevent creation of a system restore point during device activity that

would normally prompt creation of a restore point
Prevent device metadata retrieval from internet
Specify Search Order for device driver source locations
Turn of Windows Update device driver search prompt
Registry policy processing
Turn of Automatic Root Certificates Update

Turn of downloading of print drivers over HTTP
Turn of Event Viewer "Events.asp" links
Turn of handwriting personalization data sharing
Turn of handwriting recognition error reporting
Turn of Internet Connection Wizard if URL connection is referring to
Microsoft.com
Turn of Internet download for Web publishing and online ordering
wizards
Turn of Internet File Association service
Turn of printing over HTTP
Turn Of Registration if URL Connection is Referring to Microsoft.com

Turn of Search Companion content file updates
Turn of the "Order Prints" picture task
Turn of the "Publish to Web" task for files and folders
Turn of the Windows Messenger Customer Experience Improvement
Program
Turn of Windows Customer Experience Improvement Program

Turn of Windows Error Reporting
Turn of Windows Update device driver searching
Always use classic logon
Requrie a Password When a Computer Wakes (On Battery)

Requrie a Password When a Computer Wakes (Plugged In)
Ofer Remote Assistance
Solicited Remote Assistance
Turn on session logging
Restrictions for Unauthenticated RPC clients

RPC Endpoint Mapper Client Authenication
Microsoft Support Diagnostic Tool: Turn on MSDT interactive

communication with support provider
Troubleshooting: Allow user to access online troubleshooting content

on Microsoft servers from the Troubleshooting Control Panel (via
Windows Online Troubleshooting Service - WOTS)
Enable/Disable PerfTrack
Configure Windows NTP Client
Turn of Program Inventory
Default behavior for AutoRun

Turn of Autoplay
Turn of Autoplay for non-volume devices
Enumerate administrator accounts on elevation
Override the More Gadgets link
Restrict unpacking installation of gadgets that are not digitally signed

Turn Of user-installed desktop gadgets
Maximum Log Size (KB)
Turn of downloading of game information

Turn of game updates
Prevent the computer from joining a homegroup
Do not allow passwords to be saved
Allow users to connect remotely using Remote Desktop Services
Do not allow drive redirection
Always prompt for password upon connection

Set client connection encryption level
Set time limit for active but idle Remote Desktop Services sessions
Set time limit for disconnected sessions
Do not delete temp folder upon exit

Do not use tempoary foldders per session
Turn of downloading of enclosures

Turn on Basic feed authentication over HTTP
Allow indexing of encrypted files

Enable indexing uncached Exchange folders
Prevent Windows Anytime Upgrade from running
Configure Microsoft SpyNet Reporting
Disable Logging
Disable Windows Error Reporting
Display Error Notification
Do not send additional data
Turn of Data Excution Prevention for Explorer
Turn of heap termination on corruption

Turn of shell protocol protected mode
Disable IE security prompt for Windows Installer scripts

Enable user control over installs
Prohibit non-administrators from applying vender signed updates
Report when logon server was not available during user logon
Prevent Windows Media DRM Internet Access
Do Not Show First Use Dialog Boxes

Prevent Automatic Updates
Configure Automatic Updates

DoD Value
24
60
1
14
Enabled
Disabled
0
3, Not 0
60
No One
Administrators
No One
Administrators, Local Service, Network Service
Administrators, Users
No One
Administrators
Administrators, Users, Local Service, Network
Service
Local Service, Admistrators
Local Sevice, Administrators, Users
Administrators
No One
Administrators, SERVICE, Local Service, Network
Service
No One
Administrators
No One
Guests
Guests
No One
Guests
Everyone, Guests if RD is used.
No One
Adminstrators
Network Service, Local Service
Administrators, SERVICE, Local Service, Network
Service
Administrators, Local Service
Administrators
Administrators
No One (blank)
No One (blank)
No One (blank)
Auditor Group
No One (blank)
Administrators
Administrators
Administrators
Administrators
NT Service\WdiServiceHost
Network Service, Local Service
Administrators
Administrators
Disabled
Disabled
Enabled
ORGANIZATIONAL DEFINED NAME
ORGANIZATIONAL DEFINED NAME
Disabled
Disabled
Enabled
Disabled
Administrators
Enabled
Disabled
Disabled
Enabled
Enabled
Enabled
Disabled
30
Enabled
Enabled
Disabled
DoD Banner
DoD Banner
2 or less
14 days or more
Disabled
Lock workstation
Enabled
Enabled
Disabled
15 Minutes
Enabled
Enabled
Enabled
Accept if provided by client
Disabled
Highest protection, source routing is completely
disabled
Highest protection, source routing is completely
disabled
Disabled
Enabled
300000 or 5 minutes (recommended)
Multicast, broadcast and ISAKMP exempt (best for
Windows XP)
Enabled
Disabled
Disabled
Enabled
90
Disabled
Enabled
Enabled
Enabled
Disabled
None (Blank)
System\CurrentControlSet\Control\ProductOptions,
System\CurrentControlSet\Control\Server
Applications, Software\Microsoft\Windows
NT\CurrentVersion
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows
NT\CurrentVersion\Print
Software\Microsoft\Windows
NT\CurrentVersion\Windows
System\CurrentControlSet\Cont
Enabled
None (Blank)
Classic local users authenticate as themselves
Enabled
Disabled
Disabled
Enabled: RC4_HMAC_MD5 AES128_HMAC_SHA1

AES256_HMAC_SHA1 Future Encryption Types
Enabled
Enabled
Send NTLMv2 response only. Refuse LM and NTLM

Negotiate Signing
Require NTLMv2 session security,Require 128 bit
encryption
Require NTLMv2 session security,Require 128 bit
encryption
Disabled
Disabled
Enabled
Disabled
Enabled
Enabled
Enabled
Enabled
Prompt for consent on the secure desktop
Prompt for credentials on the secure desktop
Enabled
Disabled
Enabled
Enabled
Enabled
Enabled
On (recommended)
Block (default)
Allow (default)
Yes (default)
No
No
No
Specified
16384
Yes
Yes
On (recommended)
Block (default)
Allow (default)
Yes (default)
No
No
No
Specified
16384
Yes
Yes
On (recommended)
Block (default)
Allow (default)
Yes (default)
No
No
No
Specified
16384
Yes
Yes
Success and Failure

No Auditing
No Auditing
No Auditing
No Auditing
Success and Failure
No Auditing
Success and Failure
Success and Failure
Success and Failure
No Auditing
Success
No Auditing
No Auditing
No Auditing
No Auditing
No Auditing
No Auditing
No Auditing
No Auditing
No Auditing
No Auditing
Success
Success and Failure
No Auditing
No Auditing
Success
No Auditing
No Auditing
No Auditing
No Auditing
Failure
No Auditing
No Auditing
No Auditing
No Auditing
No Auditing
Failure
No Auditing
Success and Failure

Success
No Auditing
No Auditing
No Auditing
No Auditing
No Auditing
No Auditing
Success and Failure
Success and Failure

No Auditing
Success and Failure
Success and Failure
Success and Failure
No Auditing
No Auditing
Disabled
Disabled
Enabled
Enabled
Enabled
Enabled
Enabled: Enabled State
Enabled: Disabled State

Disabled
Enabled
Disabled
Disabled
Enabled
Disabled
Enabled
Enabled: Do not search Windows Update
Enabled
Enabled: Process even if the Group Policy objects

have not changed.
Enabled
Enabled
Disabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Disabled
Disabled
Enabled
Enabled: Authenticated
Enabled
Disabled
Disabled
Disabled
Local approved server, not "time.windows.com"
Enabled
Enabled: Do not execute any autorun commands

Enabled - All Drives
Enabled
Disabled
Enabled: About: Blank
Enabled
Enabled
32768
81920
32768
32768
Enabled
Enabled
Enabled
Enabled
Disabled
Enabled
Enabled
Enabled: High
Enabled: 15 minutes
Enabled: 1 minute
Disabled
Disabled
Enabled
Enabled
Disabled
Disabled
Enabled
Disabled
Disabled
Enabled
Disabled
Enabled
Disabled
Disabled
Disabled
Disabled
Disabled
Enabled
Enabled
Enabled
Enabled
Enabled
Disabled or set to local WSUS location

Location
Local ComputerPolicy\User
Configuration\Administrative Templates\Control
Panel\Personalization
Templates\System\Internet Communication
Management\Internet Communication settings
Templates\System\Power Management
Templates\Windows Components\Attachment
Manager
Local Computer Policy\User

Templates\Windows Components\Network
Sharing
Setting DoD Value
Enable screen saver Enabled

Password protect the screen saver Enabled
Screen saver timeout Enabled: 900
Turn of Help Experience Improvement Program Enabled

Turn of Help Ratings Enabled
Prompt for password on resume from hibernate /

suspend Enabled
Do not preserve zone information in the

attachments Disabled
Hide mechanisms to remove zone information Enabled
Notify antivirus programs when opening
attachments Enabled
Prevent users from sharing files within their profile Enabled

Name Description
The Bluetooth service supports discovery and association of remote
Bluetooth devices. Stopping or disabling this service may cause already
installed Bluetooth devices to fail to operate properly and prevent new
Bluetooth Support Service devices from being discovered or associated.
Enables you to send and receive faxes, utilizing fax resources available on
Fax this computer or on the network.
Makes local computer changes associated with configuration and

maintenance of the homegroup-joined computer. If this service is stopped
or disabled, your computer will not work properly in a homegroup and your
homegroup might not work properly. It is recommended that you keep this
HomeGroup Listener service running.
Performs networking tasks associated with configuration and maintenance

of homegroups. If this service is stopped or disabled, your computer will be
unable to detect other homegroups and your homegroup might not work
HomeGroup Provider properly. It is recommended that you keep this service running.
Media Center Extender Service Allows Media Center Extenders to locate and connect to the computer.
This service is a stub for Windows Parental Control functionality that
Parental Controls existed in Vista. It is provided for backward compatibility only.
SPP Notification Service Provides Software Licensing activation and notification
The Windows biometric service gives client applications the ability to

capture, compare, manipulate, and store biometric data without gaining
direct access to any biometric hardware or samples. The service is hosted in
Windows Biometic Service a privileged SVCHOST process.
This service manages mobile broadband (GSM & CDMA) data

card/embedded module adapters and connections by auto-configuring the
networks. It is strongly recommended that this service be kept running for
WWAN AutoConfig best user experience of mobile broadband devices.
Status Startup Type Log on as SSR Recommendation
Manual Local Service Disabled
Manual Network Service Disabled
Manual Local System Disabled
Started Manual Local Service Disabled
Disabled

Started Manual Local Service Not Configured *Test and get more information
Manual Local System Not Configured *Revisit in 6mos

Games 16006
SimpleTCP Services 16006
Telnet (Client or Server) 16006
TFTP Client 16006
Windows Media Center 16006
Internet Information Services 3347

DoD Windows 7 Security Settings

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

DoD Windows 7 Security Settings

Hochgeladen von

Copyright:

Verfügbare Formate

Location

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Local Computer Policy\Computer

Enforce password history

Maximum password age

Account lockout duration

Account lockout threshold

Access Credential Manager as a trusted caller

Access this computer from the network

Adjust memory quotas for a process

Allow log on locally

Allow log on through Remote Desktop Services

Bypass traverse checking

Change the system time

Create global objects

Create permanent shared objects