
| GPO setting | Values | Remark |
|---|---|---|
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options\ Accounts: Rename administrator account | | |
| Computer Configuration\ Administrative Templates\ System\ Internet Communication Management\ Internet Communication settings\ Turn off Windows Error Reporting | Not Configured - Enabled - Disabled | |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options\ Interactive logon: Require smart card | Define this policy - Enable - Disable | |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options\ Interactive logon: Smart card removal behavior | Define this policy - No Action - Lock Workstation - Force Logoff - Disconnect if a remote Terminal Services session | |
| Computer Configuration\ Windows Settings\ Security Settings\ Account Policies\ Password Policy\ Password must meet complexity requirements | Define this policy - Enable - Disable | |
| Computer Configuration\ Windows Settings\ Security Settings\ Account Policies\ Password Policy\ Minimum password length | Define this policy - x characters | |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ User Rights Assignment\ Deny access to this computer from the network | Define this policy - Add User or Group - Remove | Terminal Services are not affected by this user right |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options\ Accounts: Administrator account status | Define this policy - Enabled (default) - Disabled | To disable the local Administrator account. Under Safe Mode boot, the Administrator account is always enabled, regardless of this setting |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ User Rights Assignment\ Deny log on as a batch job | Define this policy - Add User or Group - Remove | e.g. prevent the Administrator account from being used in scheduled jobs |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ User Rights Assignment\ Deny log on through Terminal Services | Define this policy - Add User or Group - Remove | |
| Computer Configuration\ Windows Settings\ Security Settings\ System Services\ (All services) | Startup mode (manual, automatic, or disabled); permissions (start, stop or pause) | |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options\ Accounts: Rename guest account | | |
| Computer Configuration\ Windows Settings\ Security Settings\ Event Log\ Maximum log size, Retain, Retention method | | |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options\ Microsoft network client: Digitally sign communications (always) | Default disabled | SMB signing |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options\ Microsoft network client: Digitally sign communications (if server agrees) | Default enabled | SMB signing |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options\ Microsoft network server: Digitally sign communications (always) | Default: disabled for member servers, enabled for domain controllers | SMB signing |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options\ Microsoft network server: Digitally sign communications (if client agrees) | Default enabled on DCs | SMB signing |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options\ Domain controller: LDAP server signing requirements | None - Require signature | LDAP signing |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options\ Network security: LDAP client signing requirements | None - Negotiate signing - Require signature | LDAP signing |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Audit Policy\ Audit account logon events | | To log account authentication related events: on the DC when using a domain account, on the local computer when using a local account |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Audit Policy\ Audit logon events | | To audit each logon/logoff |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Audit Policy\ Audit account management | | e.g. a user/computer account or group is created/changed/deleted; a password is set/changed |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Audit Policy\ Audit policy change | | e.g. changes to user rights assignment policies, audit policies, or trust policies |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Audit Policy\ Audit privilege use | | Audit each instance of a user exercising a user right |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Audit Policy\ Audit process tracking | | Audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Audit Policy\ Audit system events | | Audit when a user restarts or shuts down the computer, or when an event occurs that affects either the system security or the security log |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Audit Policy\ Audit object access | | e.g. file, folder, registry key, printer access |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Audit Policy\ Audit directory service access | | AD objects, e.g. user/computer account, OU |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options\ Network security: LAN Manager authentication level | | |
| Computer Configuration\ Windows Settings\ Security Settings\ Local Policies\ Security Options\ Network security: Do not store LAN Manager hash value on next password change | | |
| User Configuration\ Windows Settings\ Internet Explorer Maintenance\ Security\ Security Zones and Content Ratings | | Manage security zones and content ratings for IE |
| User Configuration\ Windows Settings\ Internet Explorer Maintenance\ Security\ Authenticode Settings | | Manage trusted publishers when deciding if the code can be loaded |
| Computer Configuration\ Administrative Templates\ Windows Components\ Internet Explorer\ Pop-up allow list | | |
| User Configuration\ Administrative Templates\ Windows Components\ Internet Explorer\ Pop-up allow list | | |
| Computer Configuration\ Windows Settings\ Security Settings\ Software Restriction Policies | | |
| User Configuration\ Windows Settings\ Security Settings\ Software Restriction Policies | | |
| Computer Configuration\ Administrative Templates\ Network\ Offline Files\ Prohibit user configuration of Offline Files | | |
| Computer Configuration\ Administrative Templates\ Network\ Offline Files\ Encrypt the Offline Files cache | | |
| User Configuration\ Administrative Templates\ Network\ Offline Files\ Prohibit user configuration of Offline Files | | |
| Computer Configuration\ Windows Settings\ Security Settings\ Public Key Policies\ Encrypting File System -> Properties -> Allow users to encrypt files using EFS | | |
| Computer Configuration\ Administrative Templates\ Network\ Network Connections\ Windows Firewall | | |
| Computer Configuration\ Administrative Templates\ System\ Group Policy\ User Group Policy loopback processing mode | Replace - Merge | |
| Computer Configuration\ Administrative Templates\ Windows Components\ Windows Update\ Configure Automatic Updates | | |
| Computer Configuration\ Administrative Templates\ Windows Components\ Windows Update\ Specify intranet Microsoft update service location | | |
| Computer Configuration\ Administrative Templates\ Windows Components\ Windows Update\ Enable client-side targeting | | |
| Computer Configuration\ Windows Settings\ Security Settings\ IP Security Policies on Active Directory | | |
| Computer Configuration\ Windows Settings\ Security Settings\ Wireless Network (IEEE 802.11) Policies | | |
| Computer Configuration\ Windows Settings\ Security Settings\ Public Key Policies\ Autoenrollment Settings | | |
| User Configuration\ Windows Settings\ Security Settings\ Public Key Policies\ Autoenrollment Settings | | |

Other remarks from the same table (the row they belong to is not recoverable from this page):

- Only available in GPO, not available in local policy
- Account is sensitive and cannot be delegated
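The SMB signing, LDAP signing and LAN Manager rows above are the ones most often checked during a hardening review, and each of them is backed by a registry value that can be read without opening the policy editor. The script below is an added example, not part of the original reference table: it reads those values on the local machine and compares them with a hardened target, then lists the audit policy with the built-in auditpol tool and shows the built-in Administrator account status. The registry paths and value names are the standard ones behind these Security Options; the "Want" targets (signing required, LmCompatibilityLevel 5, NoLMHash 1) are this example's own hardening choice, not values stated by the document. It assumes an elevated Windows PowerShell 5.1 session.

```powershell
# Added example (not from the original table): report the registry state behind
# several Security Options rows and compare it with a hardened target value.
# A missing value means the setting has never been defined and the OS default
# from the table applies; it is reported here as "not set".

$checks = @(
    @{ Name  = 'Microsoft network client: Digitally sign communications (always)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Want = 1 },
    @{ Name  = 'Microsoft network client: Digitally sign communications (if server agrees)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'EnableSecuritySignature'; Want = 1 },
    @{ Name  = 'Microsoft network server: Digitally sign communications (always)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Want = 1 },
    @{ Name  = 'Microsoft network server: Digitally sign communications (if client agrees)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'EnableSecuritySignature'; Want = 1 },
    # Only present on domain controllers: 1 = None, 2 = Require signature
    @{ Name  = 'Domain controller: LDAP server signing requirements'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'LDAPServerIntegrity'; Want = 2 },
    # 0 = None, 1 = Negotiate signing, 2 = Require signature
    @{ Name  = 'Network security: LDAP client signing requirements'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
       Value = 'LDAPClientIntegrity'; Want = 2 },
    # 5 = Send NTLMv2 response only, refuse LM and NTLM
    @{ Name  = 'Network security: LAN Manager authentication level'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel'; Want = 5 },
    # 1 = do not store the LM hash on the next password change
    @{ Name  = 'Network security: Do not store LAN Manager hash value on next password change'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'NoLMHash'; Want = 1 }
)

function Get-SecurityOptionState {
    param([hashtable]$Check)
    # Get-ItemProperty returns $null when the key or the value does not exist.
    $item   = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
    $actual = if ($null -eq $item) { $null } else { $item.($Check.Value) }
    $shown  = if ($null -eq $actual) { 'not set (OS default)' } else { $actual }
    [pscustomobject]@{
        Setting = $Check.Name
        Actual  = $shown
        Wanted  = $Check.Want
        OK      = ($actual -eq $Check.Want)
    }
}

$results = foreach ($c in $checks) { Get-SecurityOptionState -Check $c }
$results | Format-Table -AutoSize

# The Audit Policy rows of the table have no single registry value; auditpol shows
# the effective audit settings per category and subcategory.
auditpol /get /category:*

# "Accounts: Administrator account status" on a workstation or member server:
# the built-in Administrator is the local account whose RID is 500.
Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' } | Select-Object Name, Enabled
```

Rows whose "OK" column is False are candidates for the corresponding GPO setting in the table. On a member server the LDAP server signing row will always show "not set", because that value exists only on domain controllers; the SMB server defaults differ between member servers and DCs exactly as the table's Values column describes.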
