
Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

| Setting | DoD Value |
|---|---|
| Enforce password history | 24 |
| Maximum password age | 60 |
| Minimum password age | 1 |
| Minimum password length | 14 |
| Password must meet complexity requirements | Enabled |
| Store passwords using reversible encryption | Disabled |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy

| Setting | DoD Value |
|---|---|
| Account lockout duration | 0 |
| Account lockout threshold | 3, Not 0 |
| Reset account lockout counter after | 60 |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

| Setting | DoD Value |
|---|---|
| Access Credential Manager as a trusted caller | No One |
| Access this computer from the network | Administrators |
| Act as part of the operating system | No One |
| Adjust memory quotas for a process | Administrators, Local Service, Network Service |
| Allow log on locally | Administrators, Users |
| Allow log on through Remote Desktop Services | No One |
| Back up files and directories | Administrators |
| Bypass traverse checking | Administrators, Users, Local Service, Network Service |
| Change the system time | Local Service, Administrators |
| Change the time zone | Local Service, Administrators, Users |
| Create a pagefile | Administrators |
| Create a token object | No One |
| Create global objects | Administrators, SERVICE, Local Service, Network Service |
| Create permanent shared objects | No One |
| Create symbolic links | Administrators |
| Debug programs | No One |
| Deny access to this computer from the network | Guests |
| Deny log on as a batch job | Guests |
| Deny log on as a service | No One |
| Deny log on locally | Guests |
| Deny log on through Remote Desktop Services | Everyone, Guests if RD is used. |
| Enable computer and user accounts to be trusted for delegation | No One |
| Force shutdown from a remote system | Administrators |
| Generate security audits | Network Service, Local Service |
| Impersonate a client after authentication | Administrators, SERVICE, Local Service, Network Service |
| Increase a process working set | Administrators, Local Service |
| Increase scheduling priority | Administrators |
| Load and unload device drivers | Administrators |
| Lock pages in memory | No One (blank) |
| Log on as a batch job | No One (blank) |
| Log on as a service | No One (blank) |
| Manage auditing and security log | Auditor Group |
| Modify an object label | No One (blank) |
| Modify firmware environment values | Administrators |
| Perform volume maintenance tasks | Administrators |
| Profile single process | Administrators |
| Profile system performance | Administrators, NT Service\WdiServiceHost |
| Remove computer from docking station | Administrators, Users |
| Replace a process level token | Network Service, Local Service |
| Restore files and directories | Administrators |
| Shut down the system | Administrators, Users |
| Take ownership of files or other objects | Administrators |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

| Setting | DoD Value |
|---|---|
| Accounts: Administrator account status | Disabled |
| Accounts: Guest account status | Disabled |
| Accounts: Limit local account use of blank passwords to console logon only | Enabled |
| Accounts: Rename administrator account | ORGANIZATIONAL DEFINED NAME |
| Accounts: Rename guest account | ORGANIZATIONAL DEFINED NAME |
| Audit: Audit the access of global system objects | Disabled |
| Audit: Audit the use of backup and restore privilege | Disabled |
| Audit: Force policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled |
| Audit: Shut down system immediately if unable to log security audits | Disabled |
| Devices: Allowed to format and eject removable media | Administrators |
| Devices: Prevent users from installing printer drivers | Enabled |
| Devices: Restrict CD-ROM access to locally logged-on users only | Disabled |
| Devices: Restrict floppy access to locally logged-on user only | Disabled |
| Domain member: Digitally encrypt or sign secure channel data (always) | Enabled |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled |
| Domain member: Digitally sign secure channel data (when possible) | Enabled |
| Domain member: Disable machine account password changes | Disabled |
| Domain member: Maximum machine account password age | 30 |
| Domain member: Require strong (Windows 2000 or later) session key | Enabled |
| Interactive logon: Do not display last user name | Enabled |
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled |
| Interactive logon: Message text for users attempting to log on | DoD Banner |
| Interactive logon: Message title for users attempting to log on | DoD Banner |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 2 or less |
| Interactive logon: Prompt user to change password before expiration | 14 days or more |
| Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled |
| Interactive logon: Smart card removal behavior | Lock workstation |
| Microsoft network client: Digitally sign communications (always) | Enabled |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled |
| Microsoft network server: Amount of idle time required before suspending session | 15 Minutes |
| Microsoft network server: Digitally sign communications (always) | Enabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Enabled |
| Microsoft network server: Disconnect clients when logon hours expire | Enabled |
| Microsoft network server: Server SPN target name validation level | Accept if provided by client |
| MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) | Disabled |
| MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | Highest protection, source routing is completely disabled |
| MSS: (DisableIPSourceRoutingIPV6) IP source routing protection level (protects against packet spoofing) | Highest protection, source routing is completely disabled |
| MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Disabled |
| MSS: (Hidden) Hide Computer From the Browser List (not recommended except for highly secure environments) | Enabled |
| MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds | 300000 or 5 minutes (recommended) |
| MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic | Multicast, broadcast and ISAKMP exempt (best for Windows XP) |
| MSS: (NoNameReleaseOnDemand) Allow computer to ignore NetBIOS name release requests except from WINS servers | Enabled |
| MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) | Disabled |
| MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) | Disabled |
| MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) | Enabled |
| MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) | |
| MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is the default) | |
| MSS: (TcpMaxDataRetransmissionsIPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is the default) | |
| MSS: (Warning Level) Percentage threshold for the security event log at which the system will generate a warning | 90 |
| Network access: Allow anonymous SID\Name translation | Disabled |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled |
| Network access: Do not allow storage of passwords and credentials for network authentication | Enabled |
| Network access: Let Everyone permissions apply to anonymous users | Disabled |
| Network access: Named Pipes that can be accessed anonymously | None (Blank) |
| Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion |
| Network access: Remotely accessible registry paths and sub-paths | System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Cont |
| Network access: Restrict anonymous access to Named Pipes and Shares | Enabled |
| Network access: Shares that can be accessed anonymously | None (Blank) |
| Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves |
| Network Security: Allow LocalSystem to use computer identity for NTLM | Enabled |
| Network Security: Allow LocalSystem NULL session fallback | Disabled |
| Network Security: Allow PKU2U authentication requests to this computer to use online identities | Disabled |
| Network Security: Configure encryption types allowed for Kerberos | Enabled: RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future Encryption Types |
| Network Security: Do not store LAN Manager hash value on next password change | Enabled |
| Network Security: Force logoff when logon hours expire | Enabled |
| Network Security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM and NTLM |
| Network Security: LDAP client signing requirements | Negotiate Signing |
| Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require NTLMv2 session security, Require 128-bit encryption |
| Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require NTLMv2 session security, Require 128-bit encryption |
| Recovery console: Allow automatic administrative logon | Disabled |
| Recovery console: Allow floppy copy and access to all drives and all folders | Disabled |
| Shutdown: Allow system to be shut down without having to log on | Enabled |
| Shutdown: Clear virtual memory pagefile | Disabled |
| System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Enabled |
| System objects: Require case insensitivity for non-Windows subsystems | Enabled |
| System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled |
| User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop |
| User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials on the secure desktop |
| User Account Control: Detect application installation and prompt for elevation | Enabled |
| User Account Control: Only elevate executables that are signed and validated | Disabled |
| User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
| User Account Control: Run all administrators in Admin Approval Mode | Enabled |
| User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
| User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - Local Group Policy Object\Domain Profile\State

| Setting | DoD Value |
|---|---|
| Firewall State | On (recommended) |
| Inbound connections | Block (default) |
| Outbound connections | Allow (default) |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - Local Group Policy Object\Domain Profile\Settings

| Setting | DoD Value |
|---|---|
| Display a notification | Yes (default) |
| Allow unicast response | No |
| Apply local firewall rules | No |
| Apply local connection security rules | No |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - Local Group Policy Object\Domain Profile\Logging

| Setting | DoD Value |
|---|---|
| Name | Specified |
| Size limits | 16384 |
| Log dropped packets | Yes |
| Log successful connections | Yes |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - Local Group Policy Object\Private Profile\State

| Setting | DoD Value |
|---|---|
| Firewall State | On (recommended) |
| Inbound connections | Block (default) |
| Outbound connections | Allow (default) |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - Local Group Policy Object\Private Profile\Settings

| Setting | DoD Value |
|---|---|
| Display a notification | Yes (default) |
| Allow unicast response | No |
| Apply local firewall rules | No |
| Apply local connection security rules | No |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - Local Group Policy Object\Private Profile\Logging

| Setting | DoD Value |
|---|---|
| Name | Specified |
| Size limits | 16384 |
| Log dropped packets | Yes |
| Log successful connections | Yes |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - Local Group Policy Object\Public Profile\State

| Setting | DoD Value |
|---|---|
| Firewall State | On (recommended) |
| Inbound connections | Block (default) |
| Outbound connections | Allow (default) |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - Local Group Policy Object\Public Profile\Settings

| Setting | DoD Value |
|---|---|
| Display a notification | Yes (default) |
| Allow unicast response | No |
| Apply local firewall rules | No |
| Apply local connection security rules | No |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - Local Group Policy Object\Public Profile\Logging

| Setting | DoD Value |
|---|---|
| Name | Specified |
| Size limits | 16384 |
| Log dropped packets | Yes |
| Log successful connections | Yes |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Account Logon

| Setting | DoD Value |
|---|---|
| Credential Validation | Success and Failure |
| Kerberos Authentication Service | No Auditing |
| Kerberos Service Ticket Operation | No Auditing |
| Other Account Logon Events | No Auditing |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Account Management

| Setting | DoD Value |
|---|---|
| Application Group Management | No Auditing |
| Computer Account Management | Success and Failure |
| Distribution Group Management | No Auditing |
| Other Account Management Events | Success and Failure |
| Security Group Management | Success and Failure |
| User Account Management | Success and Failure |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Detailed Tracking

| Setting | DoD Value |
|---|---|
| DPAPI Activity | No Auditing |
| Process Creation | Success |
| Process Termination | No Auditing |
| RPC Events | No Auditing |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\DS Access

| Setting | DoD Value |
|---|---|
| Detailed Directory Service Replication | No Auditing |
| Directory Service Access | No Auditing |
| Directory Service Changes | No Auditing |
| Directory Service Replication | No Auditing |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff

| Setting | DoD Value |
|---|---|
| Audit Account Lockout | No Auditing |
| Ipsec Extended Mode | No Auditing |
| Ipsec Main Mode | No Auditing |
| Ipsec Quick Mode | No Auditing |
| Logoff | Success |
| Logon | Success and Failure |
| Network Policy Server | No Auditing |
| Other Logon/Logoff Events | No Auditing |
| Special Logon | Success |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access

| Setting | DoD Value |
|---|---|
| Application Generated | No Auditing |
| Certification Services | No Auditing |
| Audit Detailed File Share | No Auditing |
| File Share | No Auditing |
| File System | Failure |
| Filtering Platform Connection | No Auditing |
| Filtering Platform Packet Drop | No Auditing |
| Handle Manipulation | No Auditing |
| Kernel Object | No Auditing |
| Other Object Access Events | No Auditing |
| Registry | Failure |
| SAM | No Auditing |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Policy Change

| Setting | DoD Value |
|---|---|
| Audit Policy Change | Success and Failure |
| Authentication Policy Change | Success |
| Authorization Policy Change | No Auditing |
| Filtering Platform Change | No Auditing |
| MPSSVC Rule-Level Policy Change | No Auditing |
| Other Policy Change Events | No Auditing |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Privilege Use

| Setting | DoD Value |
|---|---|
| Non Sensitive Privilege Use | No Auditing |
| Other Privilege Use Events | No Auditing |
| Sensitive Privilege Use | Success and Failure |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\System

| Setting | DoD Value |
|---|---|
| Ipsec Driver | Success and Failure |
| Other System Events | No Auditing |
| Security State Changes | Success and Failure |
| Security System Extension | Success and Failure |
| System Integrity | Success and Failure |

Location: Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Global Object Access Auditing

| Setting | DoD Value |
|---|---|
| File System | No Auditing |
| Registry | No Auditing |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery

| Setting | DoD Value |
|---|---|
| Turn on Mapper I/O (LLTDIO) Driver | Disabled |
| Turn on Responder (RSPNDR) Driver | Disabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services

| Setting | DoD Value |
|---|---|
| Turn off Microsoft Peer-to-Peer Networking Services | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Network Connections

| Setting | DoD Value |
|---|---|
| Prohibit installation and configuration of Network Bridge on your DNS domain network | Enabled |
| Prohibit use of Internet Connection Sharing on your DNS domain network | Enabled |
| Require domain users to elevate when setting a network's location | Enabled |
| Route all traffic through the internal network | Enabled: Enabled State |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies

| Setting | DoD Value |
|---|---|
| 6to4 State | Enabled: Disabled State |
| ISATAP State | Enabled: Disabled State |
| Teredo State | Enabled: Disabled State |
| IP HTTPS | Enabled: Disabled State |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Windows Connect Now

| Setting | DoD Value |
|---|---|
| Configuration of wireless settings using Windows Connect Now | Disabled |
| Prohibit Access of the Windows Connect Now wizards | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Printers

| Setting | DoD Value |
|---|---|
| Extend Point and Print connection to search Windows Update and use alternate connection if needed | Disabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\System\Device Installation

| Setting | DoD Value |
|---|---|
| Allow remote access to the PnP interface | Disabled |
| Do not send a Windows Error Report when a generic driver is installed on a device | Enabled |
| Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point | Disabled |
| Prevent device metadata retrieval from internet | Enabled |
| Specify Search Order for device driver source locations | Enabled: Do not search Windows Update |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\System\Driver Installation

| Setting | DoD Value |
|---|---|
| Turn off Windows Update device driver search prompt | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\System\Group Policy

| Setting | DoD Value |
|---|---|
| Registry policy processing | Enabled: Process even if the Group Policy objects have not changed. |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings

| Setting | DoD Value |
|---|---|
| Turn off Automatic Root Certificates Update | Enabled |
| Turn off downloading of print drivers over HTTP | Enabled |
| Turn off Event Viewer "Events.asp" links | Disabled |
| Turn off handwriting personalization data sharing | Enabled |
| Turn off handwriting recognition error reporting | Enabled |
| Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com | Enabled |
| Turn off Internet download for Web publishing and online ordering wizards | Enabled |
| Turn off Internet File Association service | Enabled |
| Turn off printing over HTTP | Enabled |
| Turn off Registration if URL Connection is Referring to Microsoft.com | Enabled |
| Turn off Search Companion content file updates | Enabled |
| Turn off the "Order Prints" picture task | Enabled |
| Turn off the "Publish to Web" task for files and folders | Enabled |
| Turn off the Windows Messenger Customer Experience Improvement Program | Enabled |
| Turn off Windows Customer Experience Improvement Program | Enabled |
| Turn off Windows Error Reporting | Enabled |
| Turn off Windows Update device driver searching | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\System\Logon

| Setting | DoD Value |
|---|---|
| Always use classic logon | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings

| Setting | DoD Value |
|---|---|
| Require a Password When a Computer Wakes (On Battery) | Enabled |
| Require a Password When a Computer Wakes (Plugged In) | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\System\Remote Assistance

| Setting | DoD Value |
|---|---|
| Offer Remote Assistance | Disabled |
| Solicited Remote Assistance | Disabled |
| Turn on session logging | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\System\Remote Procedure Call

| Setting | DoD Value |
|---|---|
| Restrictions for Unauthenticated RPC clients | Enabled: Authenticated |
| RPC Endpoint Mapper Client Authentication | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool

| Setting | DoD Value |
|---|---|
| Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider | Disabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Scripted Diagnostics

| Setting | DoD Value |
|---|---|
| Troubleshooting: Allow user to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via Windows Online Troubleshooting Service - WOTS) | Disabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Windows Performance PerfTrack

| Setting | DoD Value |
|---|---|
| Enable/Disable PerfTrack | Disabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers

| Setting | DoD Value |
|---|---|
| Configure Windows NTP Client | Local approved server, not "time.windows.com" |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Application Compatibility

| Setting | DoD Value |
|---|---|
| Turn off Program Inventory | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies

| Setting | DoD Value |
|---|---|
| Default behavior for AutoRun | Enabled: Do not execute any autorun commands |
| Turn off Autoplay | Enabled - All Drives |
| Turn off Autoplay for non-volume devices | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Credential User Interface

| Setting | DoD Value |
|---|---|
| Enumerate administrator accounts on elevation | Disabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Desktop Gadgets

| Setting | DoD Value |
|---|---|
| Override the More Gadgets link | Enabled: About: Blank |
| Restrict unpacking installation of gadgets that are not digitally signed | Enabled |
| Turn Off user-installed desktop gadgets | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Application

| Setting | DoD Value |
|---|---|
| Maximum Log Size (KB) | 32768 |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security

| Setting | DoD Value |
|---|---|
| Maximum Log Size (KB) | 81920 |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Setup

| Setting | DoD Value |
|---|---|
| Maximum Log Size (KB) | 32768 |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Event Log Service\System

| Setting | DoD Value |
|---|---|
| Maximum Log Size (KB) | 32768 |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Game Explorer

| Setting | DoD Value |
|---|---|
| Turn off downloading of game information | Enabled |
| Turn off game updates | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\HomeGroup

| Setting | DoD Value |
|---|---|
| Prevent the computer from joining a homegroup | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client

| Setting | DoD Value |
|---|---|
| Do not allow passwords to be saved | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections

| Setting | DoD Value |
|---|---|
| Allow users to connect remotely using Remote Desktop Services | Disabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection

| Setting | DoD Value |
|---|---|
| Do not allow drive redirection | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security

| Setting | DoD Value |
|---|---|
| Always prompt for password upon connection | Enabled |
| Set client connection encryption level | Enabled: High |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits

| Setting | DoD Value |
|---|---|
| Set time limit for active but idle Remote Desktop Services sessions | Enabled: 15 minutes |
| Set time limit for disconnected sessions | Enabled: 1 minute |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary Folders

| Setting | DoD Value |
|---|---|
| Do not delete temp folder upon exit | Disabled |
| Do not use temporary folders per session | Disabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\RSS Feeds

| Setting | DoD Value |
|---|---|
| Turn off downloading of enclosures | Enabled |
| Turn on Basic feed authentication over HTTP | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Search

| Setting | DoD Value |
|---|---|
| Allow indexing of encrypted files | Disabled |
| Enable indexing uncached Exchange folders | Disabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Anytime Upgrade

| Setting | DoD Value |
|---|---|
| Prevent Windows Anytime Upgrade from running | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Defender

| Setting | DoD Value |
|---|---|
| Configure Microsoft SpyNet Reporting | Disabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting

| Setting | DoD Value |
|---|---|
| Disable Logging | Disabled |
| Disable Windows Error Reporting | Enabled |
| Display Error Notification | Disabled |
| Do not send additional data | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Explorer

| Setting | DoD Value |
|---|---|
| Turn off Data Execution Prevention for Explorer | Disabled |
| Turn off heap termination on corruption | Disabled |
| Turn off shell protocol protected mode | Disabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Installer

| Setting | DoD Value |
|---|---|
| Disable IE security prompt for Windows Installer scripts | Disabled |
| Enable user control over installs | Disabled |
| Prohibit non-administrators from applying vendor signed updates | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options

| Setting | DoD Value |
|---|---|
| Report when logon server was not available during user logon | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Media Digital Rights Management

| Setting | DoD Value |
|---|---|
| Prevent Windows Media DRM Internet Access | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Media Player

| Setting | DoD Value |
|---|---|
| Do Not Show First Use Dialog Boxes | Enabled |
| Prevent Automatic Updates | Enabled |

Location: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Update

| Setting | DoD Value |
|---|---|
| Configure Automatic Updates | Disabled or set to local WSUS location |


Location: Local Computer Policy\User Configuration\Administrative Templates\Control Panel\Personalization

| Setting | DoD Value |
|---|---|
| Enable screen saver | Enabled |
| Password protect the screen saver | Enabled |
| Screen saver timeout | Enabled: 900 |

Location: Local Computer Policy\User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings

| Setting | DoD Value |
|---|---|
| Turn off Help Experience Improvement Program | Enabled |
| Turn off Help Ratings | Enabled |

Location: Local Computer Policy\User Configuration\Administrative Templates\System\Power Management

| Setting | DoD Value |
|---|---|
| Prompt for password on resume from hibernate / suspend | Enabled |

Location: Local Computer Policy\User Configuration\Administrative Templates\Windows Components\Attachment Manager

| Setting | DoD Value |
|---|---|
| Do not preserve zone information in the attachments | Disabled |
| Hide mechanisms to remove zone information | Enabled |
| Notify antivirus programs when opening attachments | Enabled |

Location: Local Computer Policy\User Configuration\Administrative Templates\Windows Components\Network Sharing

| Setting | DoD Value |
|---|---|
| Prevent users from sharing files within their profile | Enabled |


| Name | Description | Status | Startup Type | Log on as | SSR Recommendation |
|---|---|---|---|---|---|
| Bluetooth Support Service | The Bluetooth service supports discovery and association of remote Bluetooth devices. Stopping or disabling this service may cause already installed Bluetooth devices to fail to operate properly and prevent new devices from being discovered or associated. | | Manual | Local Service | Disabled |
| Fax | Enables you to send and receive faxes, utilizing fax resources available on this computer or on the network. | | Manual | Network Service | Disabled |
| HomeGroup Listener | Makes local computer changes associated with configuration and maintenance of the homegroup-joined computer. If this service is stopped or disabled, your computer will not work properly in a homegroup and your homegroup might not work properly. It is recommended that you keep this service running. | | Manual | Local System | Disabled |
| HomeGroup Provider | Performs networking tasks associated with configuration and maintenance of homegroups. If this service is stopped or disabled, your computer will be unable to detect other homegroups and your homegroup might not work properly. It is recommended that you keep this service running. | Started | Manual | Local Service | Disabled |
| Media Center Extender Service | Allows Media Center Extenders to locate and connect to the computer. | | Disabled | | |
| Parental Controls | This service is a stub for Windows Parental Control functionality that existed in Vista. It is provided for backward compatibility only. | | Manual | Local Service | Disabled |
| SPP Notification Service | Provides Software Licensing activation and notification | Started | Manual | Local Service | Not Configured *Test and get more information |
| Windows Biometric Service | The Windows biometric service gives client applications the ability to capture, compare, manipulate, and store biometric data without gaining direct access to any biometric hardware or samples. The service is hosted in a privileged SVCHOST process. | | Manual | Local System | Not Configured *Revisit in 6mos |
| WWAN AutoConfig | This service manages mobile broadband (GSM & CDMA) data card/embedded module adapters and connections by auto-configuring the networks. It is strongly recommended that this service be kept running for best user experience of mobile broadband devices. | | Manual | Local Service | Disabled |


Games 16006
SimpleTCP Services 16006
Telnet (Client or Server) 16006
TFTP Client 16006
Windows Media Center 16006

Internet Information Services 3347