Using Security Template Settings
Security templates offer seven categories of security settings. Additionally, two more categories exist in the Security Settings section of the Computer Configuration portion of Group Policy. You use each category to apply specific computer-based security settings. The categories of security settings are as follows:
Account Policies: Define password policies, account lockout policies, and Kerberos policies.
Account policy settings applied at the OU level affect the local Security Accounts Manager (SAM) databases but not the user accounts in Active Directory. The account policies for domain accounts can be configured only in domain-level Group Policy.
Local Policies: Define audit policy, user rights assignment, and security option settings for computers.
Event Log: Defines the properties of the application, security, and system logs.
Restricted Groups: Define and enforce membership in security groups.
System Services: Define settings for services installed on a computer.
Registry: Defines security and auditing permissions for registry keys and their subtrees.
File System: Defines NTFS file system security and auditing settings for any files and folders included within this policy.
Public Key Policies: Define settings for enterprise Certification Authority (CA) trust lists, Encrypting File System (EFS) data recovery agents, trusted root CAs, and automatic certificate renewal settings.
IP Security Policies: Define the IP Security (IPSec) policy that is assigned to the computer.
Account Policies
Account policies define security on domain and local accounts. Account policy settings for domain accounts must be configured at the domain level. When you define individual account policy settings for a specific OU, the account policies apply to local accounts on the computers that are affected by the group policy. Account policies contain three subcategories of configuration:
Password Policy
Account Lockout Policy
Kerberos Policy
Table 11-1 describes the policy settings for each category.
Setting | Subcategory | Description |
Enforce Password History | Password Policy | Determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be set to a number of passwords between 0 and 24. |
Maximum Password Age | Password Policy | Determines the number of days that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. |
Minimum Password Age | Password Policy | Determines the number of days that a password must be used before the user can change it. You can set values to a number of days between 1 and 999, or you can allow changes immediately by setting the number of days to 0. |
Minimum Password Length | Password Policy | Determines the least number of characters a user account's password can contain. You can set values to a number of characters between 1 and 14. Setting this value to 0 will allow users to use a blank password. |
Password Must Meet Complexity Requirements | Password Policy | Determines whether passwords must meet complexity requirements, which require a password to have at least six characters drawn from three of the four defined character sets. |
Store Password Using Reversible Encryption For All Users In The Domain | Password Policy | Determines whether Windows 2000 will store passwords by using reversible encryption in the account database. |
Account Lockout Threshold | Account Lockout Policy | Determines the number of failed logon attempts that will cause a user account to be locked out. You can set values to a number of failed logon attempts between 1 and 999, or you can specify that the account will never be locked out by setting the value to 0. |
Account Lockout Duration | Account Lockout Policy | Determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The range is 1 to 99,999 minutes. You can specify that the account will be locked out until an administrator explicitly unlocks it by setting the value to 0. |
Reset Account Lockout After | Account Lockout Policy | Determines the number of minutes that must elapse after a failed logon attempt before the bad logon attempt counter is reset to 0. The range is 1 to 99,999 minutes. |
Enforce User Logon Restrictions | Kerberos Policy | Determines whether the key distribution center (KDC) validates that the user possesses the Log On Locally or Access The Computer From The Network user rights for every session ticket request. |
Maximum Lifetime For Service Ticket | Kerberos Policy | Determines the maximum number of minutes that a granted session ticket can be used. The setting must be greater than 10 minutes. |
Maximum Lifetime For User Ticket | Kerberos Policy | Determines the maximum number of hours that a user's ticket-granting ticket (TGT) can be used before it is renewed or a new one is requested. |
Maximum Lifetime For User Ticket Renewal | Kerberos Policy | Determines the number of days during which a user's TGT can be renewed. |
Maximum Tolerance For Computer Clock Synchronization | Kerberos Policy | Determines the maximum number of minutes that Kerberos will tolerate between the time on a client's system clock and the time on a server's system clock when issuing and using Kerberos tickets. This is to prevent replay attacks on authentication packets. |
Account policies are discussed in depth in Chapter 3, Securing User Accounts and Passwords, of this book.
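The following Python script is an added example, not code from the book, that applies the ranges in Table 11-1 to a security template file. Security templates are INI-style .inf text files, so the script parses the [System Access] and [Kerberos Policy] sections of a constructed sample with the standard library's configparser. The section and key names it reads (PasswordHistorySize, MaximumPasswordAge, LockoutDuration, MaxServiceAge, and so on) are the ones the Security Templates snap-in writes; the function names, the rule table, and the sample values are the example's own. It goes slightly beyond the table by also applying two relationships Windows enforces when the policy is applied: the lockout reset interval cannot exceed the lockout duration, and the minimum password age must be less than the maximum.

```python
"""Check the Account Policies in a security template (.inf) against Table 11-1.

Added example, not code from the book; template key names are the ones the
Security Templates snap-in writes, everything else here is the example's own.
"""
import configparser

# Constructed sample template (a real one is saved as UTF-16 text; open it
# with encoding="utf-16" before passing its text to load_template).
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 42
MinimumPasswordAge = 1
MinimumPasswordLength = 8
PasswordComplexity = 1
ClearTextPassword = 0
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# (section, key) -> (Table 11-1 setting, lowest allowed, highest allowed or None,
# special values). The console shows 0 for "passwords never expire" and for
# "locked out until an administrator unlocks"; the .inf file stores that choice
# as -1, so both forms are accepted for those two settings.
RULES = {
    ("System Access", "PasswordHistorySize"): ("Enforce Password History", 0, 24, ()),
    ("System Access", "MaximumPasswordAge"): ("Maximum Password Age", 1, 999, (0, -1)),
    ("System Access", "MinimumPasswordAge"): ("Minimum Password Age", 0, 999, ()),
    ("System Access", "MinimumPasswordLength"): ("Minimum Password Length", 0, 14, ()),
    ("System Access", "PasswordComplexity"): ("Password Must Meet Complexity Requirements", 0, 1, ()),
    ("System Access", "ClearTextPassword"): ("Store Password Using Reversible Encryption", 0, 1, ()),
    ("System Access", "LockoutBadCount"): ("Account Lockout Threshold", 0, 999, ()),
    ("System Access", "LockoutDuration"): ("Account Lockout Duration", 1, 99999, (0, -1)),
    ("System Access", "ResetLockoutCount"): ("Reset Account Lockout After", 1, 99999, ()),
    # Table 11-1: the service ticket lifetime must be greater than 10 minutes.
    ("Kerberos Policy", "MaxServiceAge"): ("Maximum Lifetime For Service Ticket", 11, None, ()),
    ("Kerberos Policy", "TicketValidateClient"): ("Enforce User Logon Restrictions", 0, 1, ()),
}


def load_template(text):
    """Parse template text; key case is preserved and '%' is not interpolated."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_account_policy(cp):
    """Return findings for out-of-range or inconsistent values ([] means clean)."""
    findings = []
    values = {}
    for (section, key), (name, low, high, special) in RULES.items():
        if not cp.has_option(section, key):
            continue  # the template leaves this setting "Not Defined"
        raw = cp.get(section, key).strip()
        try:
            value = int(raw)
        except ValueError:
            findings.append(f"{name}: non-numeric value {raw!r}")
            continue
        values[key] = value
        if value in special:
            continue
        if value < low:
            findings.append(f"{name}: {value} is below the minimum of {low}")
        elif high is not None and value > high:
            findings.append(f"{name}: {value} exceeds the maximum of {high}")

    # Relationships Windows enforces when the policy is applied: the bad-logon
    # counter cannot reset after the lockout itself ends, and the minimum
    # password age must be shorter than the maximum password age.
    duration, reset = values.get("LockoutDuration"), values.get("ResetLockoutCount")
    if duration not in (None, 0, -1) and reset is not None and reset > duration:
        findings.append(
            f"Reset Account Lockout After ({reset}) is longer than Account Lockout Duration ({duration})")
    min_age, max_age = values.get("MinimumPasswordAge"), values.get("MaximumPasswordAge")
    if max_age not in (None, 0, -1) and min_age is not None and min_age >= max_age:
        findings.append(
            f"Minimum Password Age ({min_age}) must be less than Maximum Password Age ({max_age})")
    return findings


if __name__ == "__main__":
    for line in check_account_policy(load_template(SAMPLE_TEMPLATE)) or ["no findings"]:
        print(line)
```

A setting that the template leaves undefined is skipped rather than reported, which matches how an undefined template setting leaves the current policy on the computer unchanged.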
Local Policies
Local policies determine security settings on the local computer. These policies are separated into three subcategories:
Audit Policy
User Rights Assignment
Security Options
Table 11-2 describes the policy settings for each category.
Setting | Subcategory | Description |
Audit Account Logon Events | Audit Policy | Determines whether to audit each instance of a user logging on or logging off of another computer that was used to validate the account. |
Audit Account Management Events | Audit Policy | Determines whether to audit each event in which an account is created, modified, or deleted on a computer. |
Audit Directory Service Access | Audit Policy | Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified. |
Audit Logon Events | Audit Policy | Determines whether to audit each instance of a user logging on, logging off, or making a network connection to this computer. |
Audit Object Access | Audit Policy | Determines whether to audit the event of a user accessing a file, folder, registry key, or printer object that has its own SACL specified. |
Audit Policy Change | Audit Policy | Determines whether to audit every instance of a change to user rights assignment policies, audit policies, or trust policies. |
Audit Privilege Use | Audit Policy | Determines whether to audit each instance of a user exercising a user right with the exception of the Bypass Traverse Checking, Debug Programs, Create A Token Object, Replace Process Level Token, Generate Security Audits, Backup Files And Directories, and Restore Files And Directories user rights. |
Audit Process Tracking | Audit Policy | Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect access of system objects. |
Audit System Events | Audit Policy | Determines whether to audit when a user restarts or shuts down the computer, or when an event occurs that affects either the system security or the security log. |
Access This Computer From The Network | User Rights Assignment | Determines which users and groups are allowed to connect to the computer over the network. |
Act As Part Of The Operating System | User Rights Assignment | Allows a process to authenticate as any user and therefore gain access to the same resources under the security context of that user. Only low-level authentication services should require this privilege. |
Add Workstations To Domain | User Rights Assignment | Determines which groups or users can add workstations to a domain. This policy is valid only on domain controllers. By default, any authenticated user has this right and can create up to 10 computer accounts in the domain with this right. |
Allow Logon Through Terminal Services | User Rights Assignment | Determines which groups or users can log on using Remote Desktop Services. This right applies to Windows XP computers only. |
Back Up Files And Directories | User Rights Assignment | Determines which groups and users can run processes to back up files and folders without regard to NTFS permissions. |
Bypass Traverse Checking | User Rights Assignment | Determines which groups and users can traverse directory trees even though the user might not have permissions on the traversed directory. |
Change The System Time | User Rights Assignment | Determines which groups and users can change the time and date on the system clock of the computer. |
Create A Pagefile | User Rights Assignment | Determines which users and groups can create and change the size of a pagefile. |
Create A Token Object | User Rights Assignment | Determines which accounts can be used by processes to create a token that can then be used to gain access to any local resources when the process uses NtCreateToken() or other token-creation APIs. |
Create Permanent Shared Objects | User Rights Assignment | Determines which accounts can be used by processes to create a directory object in the Windows 2000 Object Manager. By default, only kernel-mode components, which run under the security context of LocalSystem, possess this right. |
Debug Programs | User Rights Assignment | Determines which users can attach a debugger to any process. This privilege provides powerful access to sensitive and critical OS components. |
Deny Access To This Computer From The Network | User Rights Assignment | Determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access This Computer From The Network policy setting if a user account is subject to both policies. |
Deny Logon As A Batch Job | User Rights Assignment | Determines which accounts are prevented from logging on as a batch job. This policy setting supersedes the Log On As A Batch Job policy setting if a user account is subject to both policies. |
Deny Logon As A Service | User Rights Assignment | Determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log On As A Service policy setting if an account is subject to both policies. |
Deny Logon Locally | User Rights Assignment | Determines which users are prevented from logging on at the computer. This policy setting supersedes the Log On Locally policy setting if an account is subject to both policies. |
Deny Logon Through Terminal Services | User Rights Assignment | Determines which groups or users cannot log on using Remote Desktop Services. This right applies to Windows XP computers only. |
Enable Computer And User Accounts To Be Trusted For Delegation | User Rights Assignment | Determines which users can set the Trusted For Delegation setting on a user or computer object. |
Force Shutdown From A Remote System | User Rights Assignment | Determines which users are allowed to shut down a computer from a remote location on the network. |
Generate Security Audits | User Rights Assignment | Determines which accounts a process can use to add entries to the security log. By default, only LocalSystem has this right. |
Increase Quotas | User Rights Assignment | Determines which users or groups can use a process with Write access to another process to increase the processor quota assigned to the other process. This setting has nothing to do with disk quotas. In Windows XP, this setting has been renamed to Adjust Memory Quotas. |
Increase Scheduling Priority | User Rights Assignment | Determines which accounts can use a process with Write access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process by using the Task Manager. |
Load And Unload Device Drivers | User Rights Assignment | Determines which users can dynamically load and unload device drivers. This right is necessary for installing drivers for Plug and Play devices. |
Lock Pages In Memory | User Rights Assignment | This right is obsolete and therefore is never checked. |
Log On As A Batch Job | User Rights Assignment | Determines which groups or users can log on using a batch-queue application such as the Task Scheduler. |
Log On As A Service | User Rights Assignment | Determines which service accounts can register a process as a service. |
Log On Locally | User Rights Assignment | Determines which users can log on at the computer interactively by using the Windows Logon dialog box, Terminal Services, or Internet Information Services (IIS). |
Manage Auditing And Security Log | User Rights Assignment | Determines which users can specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. |
Modify Firmware Environment Values | User Rights Assignment | Determines which groups or users can modify systemwide environment variables. |
Perform Volume Maintenance Tasks | User Rights Assignment | Determines which users and groups have the authority to run volume maintenance tools, such as Disk Cleanup and Disk Defragmenter. This right applies to Windows XP computers only. |
Profile Single Process | User Rights Assignment | Determines which users can use performance monitoring tools to monitor the performance of nonsystem processes. |
Profile System Performance | User Rights Assignment | Determines which users can use performance monitoring tools to monitor the performance of system processes. |
Remove Computer From Docking Station | User Rights Assignment | Determines which users can undock a laptop computer from its docking station. This right applies only to computers that have been upgraded from Microsoft Windows NT. |
Replace A Process Level Token | User Rights Assignment | Determines which user accounts can initiate a process to replace the default token associated with a launched subprocess. Only LocalSystem possesses this right. |
Restore Files And Directories | User Rights Assignment | Determines which groups and users can run processes to restore files and folders without regard to NTFS permissions. Users with this permission can also reassign ownership of files and folders. |
Shut Down The System | User Rights Assignment | Determines which users logged on locally to the computer can shut down the OS. |
Synchronize Directory Service Data | User Rights Assignment | This right is not used in Windows 2000 or Windows XP. |
Take Ownership Of Files Or Other Objects | User Rights Assignment | Determines which users can take ownership of system objects, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. |
Additional Restrictions For Anonymous Connections | Security Options | Determines the security level for anonymous NetBIOS enumeration by configuring the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous registry value; each of the available options corresponds to a RestrictAnonymous level. |
Allow Server Operators To Schedule Tasks (Domain Controllers Only) | Security Options | Determines whether Server Operators are allowed to submit scheduled tasks using the Task Scheduler on domain controllers. |
Allow System To Be Shut Down Without Having To Log On | Security Options | Determines whether a computer can be shut down without the user having to log on to the OS. Unless you have a specific reason for allowing anyone with physical access to the computer to shut down the computer, you should not enable this option. |
Allowed To Eject Removable NTFS Media | Security Options | Determines who is allowed to eject removable NTFS media from the computer. |
Amount Of Idle Time Required Before Disconnecting Session | Security Options | Determines the number of minutes that must pass in a Server Message Block (SMB) session before the session is disconnected because of inactivity. After an SMB connection is disconnected, the user or computer account must be reauthenticated. The default value for this setting is 15 minutes. |
Audit The Access Of Global System Objects | Security Options | Determines whether access of global system objects that have SACLs configured (for example, mutexes and semaphores) will be audited. You should enable this option only if you are troubleshooting OS internal operations. |
Audit Use Of Backup And Restore Privilege | Security Options | Determines whether the Audit Privileged Use audit policy should include use of the Backup/Restore privilege. |
Automatically Log Off Users When Logon Time Expires | Security Options | Determines whether to disconnect users from SMB resources that are connected to the local machine outside the user account's valid logon hours for all computers in the domain. You should enable this setting if you have users whose logon times are restricted. |
Automatically Log Off Users When Logon Time Expires (Local) | Security Options | Determines whether to disconnect users from SMB resources that are connected to the local machine outside the user account's valid logon hours. |
Clear Virtual Memory Pagefile When System Shuts Down | Security Options | Determines whether the virtual memory data stored in the pagefile should be cleared before the computer is shut down. On servers with large amounts of RAM, enabling this setting could result in lengthy shutdown and restart times. |
Digitally Sign Client Communications (Always) | Security Options | Determines whether the computer will always digitally sign SMB communications by using SMB signing when connecting to SMB resources on other computers. |
Digitally Sign Client Communications (When Possible) | Security Options | Determines whether the computer will, when requested, digitally sign SMB communications by using SMB signing. Otherwise, the computer will communicate normally when connecting to SMB resources. |
Digitally Sign Server Communications (Always) | Security Options | Determines whether the computer will require digital signing for connections to local SMB resources from remote computers. Computers that do not digitally sign client communications will not be able to connect to computers with this setting enabled. Enabling this setting on heavily used computers, such as domain controllers, file servers, or print servers, can cause CPU performance degradation. |
Digitally Sign Server Communications (When Possible) | Security Options | Determines whether the computer will request digital signing for connections to local SMB resources from remote computers that digitally sign SMB communications. |
Disable Ctrl+Alt+Del Requirement For Logon | Security Options | Determines whether a user must press Ctrl+Alt+Del to invoke the Windows Logon dialog box. You should enable this setting only if you have users with special accessibility requirements. |
Do Not Display Last User Name In Logon Screen | Security Options | Determines whether the user name of the last logged-on user appears in the Windows Logon dialog box when the next user attempts to log on. Consider enabling this setting on computers in public areas to prevent user account names and their home domain name from being disclosed. |
LAN Manager Authentication Level | Security Options | Determines the value of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMCompatibility registry key, which controls how the LAN Manager (LM), NT LAN Manager (NTLM), and NT LAN Manager version 2 (NTLMv2) authentication protocols are used. See Chapter 3 for more information on LM compatibility levels. |
Message Text For Users Attempting To Log On | Security Options | Determines the text in the message box that a user must agree to before the Windows Logon dialog box appears. You must also configure the message title for this option to take effect. You should consult your organization's legal department about what text should be used in this warning. |
Message Title For Users Attempting To Log On | Security Options | Determines the title of the message box that a user must agree to before the Windows Logon dialog box appears. You must also configure the message text for this option to take effect. |
Number Of Previous Logons To Cache (In Case Domain Controller Is Not Available) | Security Options | Determines the number of previous logon sessions to cache as cached credentials. Cached credentials can be used on the computer to log on when no domain controllers are reachable. You can set this to a value between 0 and 50. If you set this option to 0, users will not be able to log on unless a domain controller is available to validate their credentials. Setting the value to 10, which is the default, will cache the logon credentials from the last 10 users to log on to the computer. |
Prevent System Maintenance Of Computer Account Password | Security Options | Determines whether the computer account password should be prevented from being reset every 30 days automatically. Do not enable this setting unless you have a specific technical reason. |
Prevent Users From Installing Printer Drivers | Security Options | Determines whether members of the Users group are prevented from installing print drivers. This setting is enabled by default. |
Prompt User To Change Password Before Expiration | Security Options | Determines how far in advance to warn users that their password will expire. This setting is 14 days by default. |
Recovery Console: Allow Automatic Administrative Logon | Security Options | Determines whether the Recovery Console will require a password or whether it will log on automatically. You should enable this setting only on computers that have strong physical security. |
Recovery Console: Allow Floppy Copy And Access To All Drives And All Folders | Security Options | Determines the behavior of copying files when operating in the Recovery Console. |
Rename Administrator Account | Security Options | Determines whether a different account name will be associated with the security identifier (SID) for the built-in Administrator account. After changing the display name of the Administrator account, you can monitor audit logs to look for attackers attempting to use the new name for this account. If an attacker attempts to use the renamed account, you will know that he has some level of knowledge and skill in compromising networks. In addition to configuring this option, you must also manually change the description of this account. Otherwise, the default description will still be displayed. |
Rename Guest Account | Security Options | Determines whether a different account name will be associated with the SID for the built-in Guest account. In addition to configuring this option, you must also manually change the description of this account. Otherwise, the default description will still be displayed. |
Restrict CD-ROM Access To Locally Logged-On User Only | Security Options | Determines whether users not logged on interactively can access CD-ROM drives on the local computer when an interactive user is using the CD-ROM. |
Restrict Floppy Access To Locally Logged-On User Only | Security Options | Determines whether users not logged on interactively can access floppy drives on the local computer when an interactive user is using the floppy drive. |
Secure Channel: Digitally Encrypt Or Sign Secure Channel Data (Always) | Security Options | Determines whether secure channels require encryption or signing. Secure channels are used by the Netlogon service during authentication. |
Secure Channel: Digitally Encrypt Secure Channel Data (When Possible) | Security Options | Determines whether secure channels will be encrypted if requested. Secure channels are used by the Netlogon service during authentication. |
Secure Channel: Digitally Sign Secure Channel Data (When Possible) | Security Options | Determines whether secure channels will be signed when requested. Secure channels are used by the Netlogon service during authentication. |
Secure Channel: Require Strong (Windows 2000 Or Later) Session Key | Security Options | Determines whether strong (128-bit) session keys are used for encrypting or signing secure channel traffic. |
Send Unencrypted Password To Connect To Third-Party SMB Servers | Security Options | Determines whether the computer is allowed to send passwords in plaintext to SMB servers that do not support encryption. |
Shut Down System Immediately If Unable To Log Security Audits | Security Options | Determines whether the system will stop if security events cannot be logged. If this setting is enabled and security events cannot be logged, the computer will display a stop error (blue screen) and only the built-in Administrator account can log on to reset the CrashOnAuditFail registry value to 1. |
Smart Card Removal Behavior | Security Options | Determines what should happen when the smart card for a logged-on user is removed from the smart card reader. You can set this to No Action, Lock Workstation, or Force Logoff. |
Strengthen Default Permissions Of Global System Objects (e.g. Symbolic Links) | Security Options | Determines the strength of the default discretionary access control lists (DACLs) on system objects such as mutexes and semaphores. |
Unsigned Driver Installation Behavior | Security Options | Determines what should happen when an attempt is made to install a device driver that has not been certified by the Windows Hardware Quality Lab (WHQL). You can set this to Silently Succeed, Warn But Allow Installation, or Do Not Allow Installation. |
Unsigned Non Driver Installation Behavior | Security Options | Determines what should happen when an attempt is made to install any nondevice driver software that has not been certified. You can set this to Silently Succeed, Warn But Allow Installation, or Do Not Allow Installation. |
Accounts: Administrator Account Status | Security Options | Determines whether the built-in Administrator account is enabled or disabled in Windows XP. |
Accounts: Guest Account Status | Security Options | Determines whether the built-in Guest account is enabled or disabled in Windows XP. |
Accounts: Limit Local Account Use Of Blank Passwords To Console Logon Only | Security Options | Determines whether accounts with blank passwords are restricted to console interactive logons in Windows XP. |
Devices: Allow Undock Without Having To Log On | Security Options | Determines whether a laptop computer can be removed from the docking station that has a mechanical release by a Windows XP user who has not logged on. |
Domain Controller: LDAP Server Signing Requirements | Security Options | Determines whether a domain controller will request or require Lightweight Directory Access Protocol (LDAP) packets to be digitally signed. By default, domain controllers do not request LDAP signing. |
Domain Controller: Refuse Machine Account Password Changes | Security Options | Determines whether the computer account password will be changed according to the computer account expiration interval, which is 30 days by default. You might enable this setting if a computer will be disconnected from the network for more than 30 days. |
Interactive Logon: Require Domain Controller Authentication To Unlock Workstation | Security Options | Determines whether accounts are revalidated by a domain controller, rather than by using cached credentials, when a computer running Windows XP is unlocked. |
Network Access: Allow Anonymous SID/Name Translation | Security Options | Determines whether an anonymous user can request SID attributes for another user. |
Network Access: Do not Allow Storage Of Credentials Or .NET Passports For Network Authentication | Security Options | Determines whether the passwords or credentials are stored for later use in Windows XP. |
Network Access: Let Everyone Permissions Apply To Anonymous Users | Security Options | Determines which anonymous connections receive rights and permissions assigned to the Everyone group on the computer. |
Network Access: Named Pipes That Can Be Accessed Anonymously | Security Options | Determines which communication sessions (pipes) will have attributes and permissions that allow anonymous access. |
Network Access: Remotely Accessible Registry Paths | Security Options | Determines which registry paths will be accessible remotely. |
Network Access: Shares That Can Be Accessed Anonymously | Security Options | Determines which network shares can be accessed by anonymous users. |
Network Access: Sharing And Security Model For Local Accounts | Security Options | Determines how network logons that use local accounts are authenticated. If this option is set to Classic, network logons that use local account credentials authenticate by using those credentials. If this option is set to Guest Only, network logons that use local accounts are automatically mapped to the Guest account. The Classic model allows fine control over access to resources. By using the Classic model, you can grant different types of access to different users for the same resource. When you use the Guest Only model, all users will be treated equally. All users authenticate as Guest and receive the same level of access to a given resource, which can be either Read Only or Modify. |
Network Security: Do Not Store LAN Manager Hash Values For Passwords | Security Options | Determines whether LM password hashes are created for user accounts. This setting does not take effect until the next time the user changes her password. |
Network Security: Minimum Session Security For NTLM SSP Based (Including Secure RPC) Clients | Security Options | Determines the minimum security standards for NTLM authentication of client connections. |
Network Security: Minimum Session Security For NTLM SSP Based (Including Secure RPC) Servers | Security Options | Determines the minimum security standards for NTLM authentication of server connections. |
Network Security: LDAP Client Signing Requirements | Security Options | Determines whether your computer's communications with an LDAP server must be digitally signed. |
System Cryptography: Use FIPS Compliant Algorithms For Encryption, Signing, and Hashing | Security Options | Determines whether 3DES is used for EFS and Transport Layer Security (TLS) in Windows XP. |
System Objects: Default Owner For Objects Created By Members Of The Administrators Group | Security Options | Determines whether the Administrators group or the object creator is the default owner of any system objects that are created. |
System Objects: Require Case Insensitivity For Non-Windows Subsystems | Security Options | Determines whether the POSIX and OS/2 subsystems require case insensitivity for file names. |
System Objects: Strengthen Default Permissions Of Internal System Objects (e.g. Symbolic Links) | Security Options | Determines the strength of the default DACL for objects. If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify shared objects that they did not create. |
Audit policies are discussed in depth in Chapter 12, Auditing Microsoft Windows Security Events, of this book, and user rights assignments are discussed in depth in Chapter 3.
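As an added example (not the book's code), the Python script below reads the two parts of Table 11-2 that a template stores as plain values: the [Event Audit] section, where each audit policy is a small integer whose bits mean success (1) and failure (2), and the [Privilege Rights] section, where each user right lists its holders as comma-separated well-known SIDs (prefixed with an asterisk) or account names. The key names (AuditLogonEvents, SeDebugPrivilege, and so on) are the ones the Security Templates snap-in writes; the function names, the sample values, and the choice of which rights to treat as sensitive (those the table describes as reserved for LocalSystem or low-level OS components: Act As Part Of The Operating System, Debug Programs, Create A Token Object, Replace A Process Level Token, Generate Security Audits) are the example's own.

```python
"""Decode the audit policy and flag sensitive user rights in a security template.

Added example, not the book's code; template key names and the '*SID' value
syntax are those the Security Templates snap-in writes, the rest is the example's own.
"""
import configparser

# Constructed sample template. In [Privilege Rights] an empty value means the
# right is granted to no one; well-known SIDs carry a leading '*', names do not.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 2
AuditAccountLogon = 3
[Privilege Rights]
SeTcbPrivilege =
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeCreateTokenPrivilege =
SeAssignPrimaryTokenPrivilege =
SeAuditPrivilege =
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeRemoteShutdownPrivilege = *S-1-5-32-544,helpdesk
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Template key -> Table 11-2 audit setting. Values are bit flags: 1 = success, 2 = failure.
AUDIT_KEYS = {
    "AuditAccountLogon": "Audit Account Logon Events",
    "AuditAccountManage": "Audit Account Management Events",
    "AuditDSAccess": "Audit Directory Service Access",
    "AuditLogonEvents": "Audit Logon Events",
    "AuditObjectAccess": "Audit Object Access",
    "AuditPolicyChange": "Audit Policy Change",
    "AuditPrivilegeUse": "Audit Privilege Use",
    "AuditProcessTracking": "Audit Process Tracking",
    "AuditSystemEvents": "Audit System Events",
}
AUDIT_SUCCESS, AUDIT_FAILURE = 1, 2

# Rights Table 11-2 describes as belonging to LocalSystem or low-level OS components.
SENSITIVE_RIGHTS = {
    "SeTcbPrivilege": "Act As Part Of The Operating System",
    "SeDebugPrivilege": "Debug Programs",
    "SeCreateTokenPrivilege": "Create A Token Object",
    "SeAssignPrimaryTokenPrivilege": "Replace A Process Level Token",
    "SeAuditPrivilege": "Generate Security Audits",
}
# Holders that do not raise a finding: Administrators and LocalSystem (well-known SIDs).
ALLOWED_HOLDERS = {"S-1-5-32-544", "S-1-5-18"}


def load_template(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (SeDebugPrivilege, not sedebugprivilege)
    cp.read_string(text)
    return cp


def decode_audit_policy(cp):
    """Map each Table 11-2 audit setting present to (audit_success, audit_failure)."""
    policy = {}
    for key, name in AUDIT_KEYS.items():
        if cp.has_option("Event Audit", key):
            value = int(cp.get("Event Audit", key))
            policy[name] = (bool(value & AUDIT_SUCCESS), bool(value & AUDIT_FAILURE))
    return policy


def parse_holders(raw):
    """Split a [Privilege Rights] value into holder SIDs/names without the '*' prefix."""
    return [h.strip().lstrip("*") for h in raw.split(",") if h.strip()]


def sensitive_right_findings(cp):
    """List each sensitive right granted to anyone other than Administrators or LocalSystem."""
    findings = []
    for key, name in SENSITIVE_RIGHTS.items():
        if not cp.has_option("Privilege Rights", key):
            continue
        for holder in parse_holders(cp.get("Privilege Rights", key)):
            if holder not in ALLOWED_HOLDERS:
                findings.append(f"{name} ({key}) is granted to {holder}")
    return findings


if __name__ == "__main__":
    cp = load_template(SAMPLE_TEMPLATE)
    for name, (success, failure) in decode_audit_policy(cp).items():
        print(f"{name}: success={success} failure={failure}")
    for line in sensitive_right_findings(cp):
        print(line)
```

In the sample, Debug Programs is granted to the Users group (S-1-5-32-545) as well as Administrators, which is the one finding the script reports; an audit category with value 0 decodes to (False, False), meaning the template turns that category off entirely.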
Event Log
You can control the behavior of Windows 2000 and Windows XP event logs by using security templates. Table 11-3 describes the event log policy settings.
Setting | Description |
Maximum Application Log Size | Determines maximum size of the application log before the retention policy setting takes effect. |
Maximum Security Log Size | Determines maximum size of the security log before the retention policy setting takes effect. |
Maximum System Log Size | Determines maximum size of the system log before the retention policy setting takes effect. |
Prevent Local Guests Group From Accessing Application Log | Determines whether guests can read the application log. |
Prevent Local Guests Group From Accessing Security Log | Determines whether guests can read the security log. |
Prevent Local Guests Group From Accessing System Log | Determines whether guests can read the system log. |
Retain Application Log | Determines the number of days worth of events that should be retained for the application log if this log is set to retain events by an age. |
Retain Security Log | Determines the number of days worth of events that should be retained for the security log if this log is set to retain events by an age. |
Retain System Log | Determines the number of days worth of events that should be retained for the system log if this log is set to retain events by an age. |
Retention Method For Application Log | Determines the retention method for the application log. You can set this to Overwrite Events As Needed, Overwrite Events By Days, or Do Not Overwrite Events. If you choose Do Not Overwrite Events, the log must be cleared manually; once the maximum log size is reached, new events are discarded. |
Retention Method For Security Log | Determines the retention method for the security log. You can set this to Overwrite Events As Needed, Overwrite Events By Days, or Do Not Overwrite Events. If you choose Do Not Overwrite Events, the log must be cleared manually; once the maximum log size is reached, new events are discarded. |
Retention Method For System Log | Determines the retention method for the system log. You can set this to Overwrite Events As Needed, Overwrite Events By Days, or Do Not Overwrite Events. If you choose Do Not Overwrite Events, the log must be cleared manually; once the maximum log size is reached, new events are discarded. |
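As an added example, not code from the book, the following Python reads the three event log sections of a template in the form that secedit /export produces and flags settings that fall below a simple baseline. It assumes the key names and encodings found in exported Windows 2000/XP templates (MaximumLogSize in KB; AuditLogRetentionPeriod 0, 1 and 2 for the three retention methods in the order listed in Table 11-3; RetentionDays; RestrictGuestAccess); check these against an export from your own system. The template text and the baseline of 10 MB are constructed for the example.

```python
"""Check the event log sections of an exported security template against a
minimum baseline.  Assumption: key names and encodings are those secedit /export
writes on Windows 2000/XP (MaximumLogSize in KB; AuditLogRetentionPeriod 0 =
Overwrite Events As Needed, 1 = Overwrite Events By Days, 2 = Do Not Overwrite
Events; RestrictGuestAccess 1 = Local Guests may not read the log)."""

LOG_SECTIONS = ("Application Log", "Security Log", "System Log")
RETENTION = {"0": "Overwrite Events As Needed",
             "1": "Overwrite Events By Days",
             "2": "Do Not Overwrite Events"}


def parse_template(text):
    """Minimal INF reader: {section: {key: value}} for 'key = value' lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def audit_event_logs(text, min_size_kb=10240):
    """Return (section, finding) pairs for settings below the baseline."""
    sections = parse_template(text)
    findings = []
    for section in LOG_SECTIONS:
        settings = sections.get(section)
        if settings is None:
            findings.append((section, "not configured by this template"))
            continue
        size_kb = int(settings.get("MaximumLogSize", "0"))
        if size_kb < min_size_kb:
            findings.append((section, f"MaximumLogSize {size_kb} KB is below {min_size_kb} KB"))
        if settings.get("RestrictGuestAccess") != "1":
            findings.append((section, "Local Guests group can read this log"))
        retention = settings.get("AuditLogRetentionPeriod", "0")
        method = RETENTION.get(retention, f"unknown retention code {retention}")
        if retention == "1" and "RetentionDays" not in settings:
            findings.append((section, f"{method} selected but RetentionDays is not set"))
        if retention == "0" and section == "Security Log":
            # Overwrite-as-needed lets a burst of noisy events push out the evidence you wanted.
            findings.append((section, f"{method}: a burst of events can age out earlier security events"))
        if retention == "2":
            findings.append((section, f"{method}: once the log is full new events are discarded until it is cleared"))
    return findings


# Constructed template text (not an export from a real system).
SAMPLE_TEMPLATE = """
[Application Log]
MaximumLogSize = 512
AuditLogRetentionPeriod = 1
RetentionDays = 7
RestrictGuestAccess = 1
[Security Log]
MaximumLogSize = 81920
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 0
[System Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 2
RestrictGuestAccess = 1
"""

if __name__ == "__main__":
    for section, finding in audit_event_logs(SAMPLE_TEMPLATE):
        print(f"{section}: {finding}")
```

Run it against the output of `secedit /export /cfg <file>` on a machine that already has the template applied, or against the template .inf itself, to see which of the Table 11-3 settings a template leaves at values you would not accept on a production system.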
Restricted Groups
Restricted groups enable you to control the Members and Member Of properties of security groups. You control which accounts belong to a group by defining the Members list, and you control which groups the restricted group itself belongs to by defining the Member Of list. When the security template is enforced by Group Policy, any current member of a restricted security group that is not on the Members list is removed from the group, and any account on the Members list that is not currently a member is added. An empty Members list therefore removes every member. The Member Of list only adds the restricted group to the groups it names; it does not remove the group from groups that are not listed.
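To make the add-and-remove semantics concrete, here is an added Python example (not from the book) that parses a [Group Membership] section in the form secedit writes, where each line is `<group>__Members = ...` or `<group>__Memberof = ...` and a leading `*` marks a SID rather than a name, and works out what enforcing it would do to a machine's current memberships. The template fragment, the account names and the S-1-5-21-111-222-333-512 SID are constructed; S-1-5-32-544 and S-1-5-32-547 are the well-known SIDs of the local Administrators and Power Users groups.

```python
"""Work out what enforcing a template's [Group Membership] section would do to
a machine's current group memberships.  Assumption: entries use the form secedit
writes, '<group>__Members = a,b' and '<group>__Memberof = x,y', where a leading
* marks a SID instead of an account name."""


def parse_group_membership(text):
    """Return {group: {"Members": set, "Memberof": set}} from [Group Membership]."""
    groups, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[Group Membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, prop = key.strip().rpartition("__")
        entries = {e.strip() for e in value.split(",") if e.strip()}
        groups.setdefault(group, {"Members": set(), "Memberof": set()})[prop] = entries
    return groups


def reconcile(groups, current_members, current_memberof):
    """For each restricted group return the accounts Group Policy would add and
    remove, and the parent groups it would join.  An empty Members list is not
    "leave alone": it removes every current member.  Memberof is additive only,
    so membership in parents the template does not list is left untouched."""
    plan = {}
    for group, props in groups.items():
        have = set(current_members.get(group, ()))
        want = props["Members"]
        parents = set(current_memberof.get(group, ()))
        plan[group] = {
            "add": want - have,
            "remove": have - want,
            "join": props["Memberof"] - parents,
        }
    return plan


# Constructed template fragment and constructed current state (not a real domain).
# *S-1-5-32-544 is local Administrators, *S-1-5-32-547 is local Power Users.
SAMPLE_TEMPLATE = """
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,*S-1-5-21-111-222-333-512
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members =
"""
CURRENT_MEMBERS = {
    "*S-1-5-32-544": {"Administrator", "*S-1-5-21-111-222-333-512", "helpdesk", "svc_backup"},
    "*S-1-5-32-547": {"alice"},
}
CURRENT_MEMBEROF = {"*S-1-5-32-544": set(), "*S-1-5-32-547": set()}

if __name__ == "__main__":
    plan = reconcile(parse_group_membership(SAMPLE_TEMPLATE), CURRENT_MEMBERS, CURRENT_MEMBEROF)
    for group, actions in plan.items():
        print(group, actions)
```

The output for the constructed state shows the two accounts that would be dropped from Administrators and that Power Users would be emptied entirely, which is exactly the kind of consequence to review before linking a template that restricts a group to an OU.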
System Services
You can use system services policies to configure the startup type of services and the permissions on those services. By using system services policies, you can prevent users and power users from stopping or starting services that they would otherwise have the right to control, and you can disable services that are not used on your network so that they do not start.
Registry
You can use registry policies to control the DACL and SACL of registry keys. By using registry policies, you can increase security on registry keys, or you can decrease the security, which is sometimes needed to run applications under user security contexts.
File System
You can use file system policies to control the DACL and SACL of NTFS files and folders. By using file system policies, you can increase the security of files and folders, or you can decrease their security, which is sometimes needed to run applications under user security contexts.
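The System Services, Registry and File System sections above all store their permissions as Security Descriptor Definition Language (SDDL) strings in the template, so the check a practitioner wants is the same for all three: which ACEs grant modify-class rights to broad principals such as Everyone, Users or Authenticated Users, since "decreasing the security" to make an application run is where mistakes hide. The following added Python example (not code from the book) parses the [Service General Setting], [Registry Keys] and [File Security] lines in the form secedit writes and reports such ACEs. The mapping of the SDDL generic-rights letters to object-specific rights (CC=0x1, DC=0x2, LC=0x4, SW=0x8, RP=0x10, WP=0x20, DT=0x40, LO=0x80, CR=0x100) follows the SDDL definition; the choice of which of those count as "modify" for each object type is the example's own heuristic, and the template fragment is constructed.

```python
"""Audit the SDDL strings in a security template's [Service General Setting],
[Registry Keys] and [File Security] sections for allow ACEs that give broad
principals modify-class rights.  Line formats (as secedit writes them):
  service:  Name,StartupType,"SDDL"          (2 automatic, 3 manual, 4 disabled)
  registry: "Path",InheritanceMode,"SDDL"
  file:     "Path",InheritanceMode,"SDDL"
"""
import csv
import re

# SDDL well-known aliases for "everybody or nearly everybody".
BROAD_SIDS = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
              "IU": "Interactive", "BG": "Guests", "AN": "Anonymous"}

# The generic letters are the same bits for every object type (CC=0x1, DC=0x2,
# LC=0x4, SW=0x8, RP=0x10, WP=0x20, DT=0x40, LO=0x80, CR=0x100) but mean
# different things, so "can modify" is decided per object type (heuristic).
MODIFY_RIGHTS = {
    # service: DC=CHANGE_CONFIG, RP=START, WP=STOP, DT=PAUSE_CONTINUE
    "service":  {"DC", "RP", "WP", "DT", "SD", "WD", "WO", "GA", "GW"},
    # registry: DC=SET_VALUE, LC=CREATE_SUB_KEY, WP=CREATE_LINK
    "registry": {"DC", "LC", "WP", "KA", "KW", "SD", "WD", "WO", "GA", "GW"},
    # file: DC=WRITE_DATA, LC=APPEND_DATA, RP=WRITE_EA, DT=DELETE_CHILD, CR=WRITE_ATTRIBUTES
    "file":     {"DC", "LC", "RP", "DT", "CR", "FA", "FW", "SD", "WD", "WO", "GA", "GW"},
}
MODIFY_MASK = {  # same idea for ACEs that spell the rights as a hex mask
    "service":  0x2 | 0x10 | 0x20 | 0x40,
    "registry": 0x2 | 0x4 | 0x20,
    "file":     0x2 | 0x4 | 0x10 | 0x40 | 0x100,
}
# DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE
STANDARD_MODIFY_MASK = 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000

SECTION_TYPE = {"Service General Setting": "service",
                "Registry Keys": "registry",
                "File Security": "file"}
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return the DACL's ACEs as (type, flags, rights, sid); the SACL is ignored."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) >= 6:
            aces.append((fields[0], fields[1], fields[2], fields[5]))
    return aces


def rights_modify(rights, obj_type):
    """True if an SDDL rights field carries a modify-class right for obj_type."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (STANDARD_MODIFY_MASK | MODIFY_MASK[obj_type]))
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(tokens & MODIFY_RIGHTS[obj_type])


def parse_template(text):
    """Minimal INF reader: {section: [raw lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None:
            current.append(line)
    return sections


def audit_dacls(text):
    """Return (section, object, principal, rights) for each allow ACE that gives
    a broad principal a modify-class right on a service, key or path."""
    findings = []
    sections = parse_template(text)
    for section, obj_type in SECTION_TYPE.items():
        for line in sections.get(section, []):
            fields = next(csv.reader([line], skipinitialspace=True))
            if len(fields) < 3:
                continue
            name, sddl = fields[0], fields[2]
            for ace_type, _flags, rights, sid in parse_dacl(sddl):
                if ace_type == "A" and sid in BROAD_SIDS and rights_modify(rights, obj_type):
                    findings.append((section, name, BROAD_SIDS[sid], rights))
    return findings


# Constructed template fragment (not from a real system).  Telnet is disabled and
# locked down; Spooler lets interactive users start and stop it; the Winlogon key
# gives Users read only; the repair folder grants Users a Modify-class mask.
SAMPLE_TEMPLATE = r'''
[Service General Setting]
Telnet,4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"
Spooler,2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;IU)"
[Registry Keys]
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",2,"D:AR(A;CI;KA;;;BA)(A;CI;KR;;;BU)"
[File Security]
"%SystemRoot%\repair",2,"D:AR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;BU)"
'''

if __name__ == "__main__":
    for section, name, who, rights in audit_dacls(SAMPLE_TEMPLATE):
        print(f"{section}: {name}: {who} has {rights}")
```

Deny ACEs and the SACL are deliberately skipped: a deny ACE for a broad group narrows access rather than widening it, and the SACL governs auditing, not access. Extend BROAD_SIDS with your own domain SIDs (for example a large "all staff" group) if those are the principals you do not want holding write rights.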
Public Key Policies
Public key policies are available only in the computer-related section of Group Policy. You can use public key policies to define settings for the following:
You can specify automatic enrollment and renewal for computer certificates. When auto-enrollment is configured, the specified certificate types are issued automatically to all computers within the scope of the public-key Group Policy. Computer certificates that are issued by auto-enrollment are renewed automatically from the issuing CA. Auto-enrollment does not function unless at least one enterprise CA is online to process certificate requests.
When you install an enterprise root CA or a stand-alone root CA, the certificate of the CA is added automatically to the Trusted Root Certification Authority Group Policy for the domain. You also can add certificates for other root CAs to Trusted Root Certification Authority Group Policy. The root CA certificates that you add become trusted root CAs for computers within the scope of the Group Policy. For example, if you want to use a third-party CA as a root CA in a certification hierarchy, you must add the certificate for the third-party CA to the Trusted Root Certification Authority Group Policy.
You can create CTLs to trust specific CAs and to restrict the uses of certificates issued by the CAs. For example, you might use a CTL to trust certificates that are issued by a commercial CA and restrict the permitted uses for those certificates. You might also use CTLs to control trust on an extranet for certificates that are issued by CAs that are managed by your business partners. You can configure CTLs for computers and for users. Before you can create CTLs, you must have a valid trust list signing certificate, such as the Administrator certificate or the Trust List Signing certificate, that has been issued by an enterprise CA.
You can use the Group Policy console to designate alternative EFS recovery agents by adding the EFS recovery agent certificates into public-key Group Policy, which means you must first issue EFS recovery agent certificates to designated recovery agent user accounts on local computers. When you are configuring the EFS recovery settings, you have two choices: You can add recovery agent certificates that are published in Active Directory, or you can add recovery agent certificates from a file located on a disk or in a shared folder that is available on the computer from which you are configuring public-key settings. If you add recovery agent certificates from files, you must first export the appropriate certificates to the disk or shared folder that will be used to add the files during the EFS recovery Group Policy configuration process.
IP Security Policies
You can assign IPSec policy to computers that are members of the domain by using the security settings. By assigning IPSec policies through Group Policy, you can ensure the integrity and confidentiality of data transmission.