Security Options

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Security options

This section covers:

• Accounts: Administrator account status

• Accounts: Guest account status

• Accounts: Limit local account use of blank passwords to console logon only

• Accounts: Rename administrator account

• Accounts: Rename guest account

• Audit: Audit the access of global system objects

• Audit: Audit the use of Backup and Restore privilege

• Audit: Shut down system immediately if unable to log security audits

• Devices: Allow undock without having to log on

• Devices: Allowed to format and eject removable media

• Devices: Prevent users from installing printer drivers

• Devices: Restrict CD-ROM access to locally logged-on user only

• Devices: Restrict floppy access to locally logged-on user only

• Devices: Unsigned driver installation behavior

• Domain controller: Allow server operators to schedule tasks

• Domain controller: LDAP server signing requirements

• Domain controller: Refuse machine account password changes

• Domain member: Digitally encrypt or sign secure channel data (always)

• Domain member: Digitally encrypt secure channel data (when possible)

• Domain member: Digitally sign secure channel data (when possible)

• Domain member: Maximum machine account password age

• Domain member: Require strong (Windows 2000 or later) session key

• Domain member: Disable machine account password changes

• Interactive logon: Do not display last user name

• Interactive logon: Do not require CTRL+ALT+DEL

• Interactive logon: Message text for users attempting to log on

• Interactive logon: Message title for users attempting to log on

• Interactive logon: Number of previous logons to cache (in case domain controller is not available)

• Interactive logon: Prompt user to change password before expiration

• Interactive logon: Require Domain Controller authentication to unlock

• Interactive logon: Require smart card

• Interactive logon: Smart card removal behavior

• Microsoft network client: Digitally sign communications (always)

• Microsoft network client: Digitally sign communications (if server agrees)

• Microsoft network client: Send unencrypted password to connect to third-party SMB servers

• Microsoft network server: Amount of idle time required before suspending session

• Microsoft network server: Digitally sign communications (always)

• Microsoft network server: Digitally sign communications (if client agrees)

• Microsoft network server: Disconnect clients when logon hours expire

• Network access: Allow anonymous SID/Name translation

• Network access: Do not allow anonymous enumeration of SAM accounts

• Network access: Do not allow anonymous enumeration of SAM accounts and shares

• Network access: Do not allow storage of credentials or .NET Passports for network authentication

• Network access: Let Everyone permissions apply to anonymous users

• Network access: Named pipes that can be accessed anonymously

• Network access: Remotely accessible registry paths

• Network access: Remotely accessible registry paths and subpaths

• Network access: Restrict anonymous access to Named Pipes and Shares

• Network access: Shares that can be accessed anonymously

• Network access: Sharing and security model for local accounts

• Network security: Do not store LAN Manager hash value on next password change

• Network security: Force logoff when logon hours expire

• Network security: LAN Manager authentication level

• Network security: LDAP client signing requirements

• Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

• Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

• Recovery console: Allow automatic administrative logon

• Recovery console: Allow floppy copy and access to all drives and all folders

• Shutdown: Allow system to be shut down without having to log on

• Shutdown: Clear virtual memory pagefile

• System cryptography: Force strong key protection for user keys stored on the computer

• System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

• System objects: Default owner for objects created by members of the Administrators group

• System objects: Require case insensitivity for non-Windows subsystems

• System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)

• System settings: Optional subsystems

• System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies