Accounts: Limit local account use of blank passwords to console logon only |
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse |
Audit: Audit the use of Backup and Restore privilege |
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing |
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings |
MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy |
Audit: Shut down system immediately if unable to log security audits |
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail |
Devices: Allow undock without having to log on |
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon |
Devices: Prevent users from installing printer drivers |
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers |
Devices: Restrict CD-ROM access to locally logged-on user only |
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms |
Devices: Restrict floppy access to locally logged-on user only |
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies |
Domain member: Digitally encrypt or sign secure channel data (always) |
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal |
Domain member: Digitally encrypt secure channel data (when possible) |
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel |
Domain member: Digitally sign secure channel data (when possible) |
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel |
Domain member: Disable machine account password changes |
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange |
Domain member: Require strong (Windows 2000 or later) session key |
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey |
Interactive logon: Do not display last user name |
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName |
Interactive logon: Do not require CTRL+ALT+DEL |
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD |
Interactive logon: Message text for users attempting to log on |
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText |
Interactive logon: Message title for users attempting to log on |
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption |
Interactive logon: Require Domain Controller authentication to unlock workstation |
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon |
Microsoft network client: Digitally sign communications (always) |
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature |
Microsoft network client: Digitally sign communications (if server agrees) |
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature |
Microsoft network client: Send unencrypted password to third-party SMB servers |
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword |
Microsoft network server: Digitally sign communications (always) |
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature |
Microsoft network server: Digitally sign communications (if client agrees) |
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature |
Microsoft network server: Disconnect clients when logon hours expire |
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff |
MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) |
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon |
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) |
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting |
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) |
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect |
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes |
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect |
MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) |
MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden |
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds - 30000 or 5 minutes (recommended) |
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime |
MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic. |
MACHINE\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt |
compiled by krkosska - feb 2007
MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended) |
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun |
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers |
MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand |
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) |
MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation |
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS) |
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery |
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) |
MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode |
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) |
MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod |
MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) |
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect |
MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged |
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions |
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) |
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions |
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning |
MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel |
Network access: Do not allow anonymous enumeration of SAM accounts |
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM |
Network access: Do not allow anonymous enumeration of SAM accounts and shares |
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous |
Network access: Do not allow storage of credentials or .NET Passports for network authentication |
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds |
Network access: Let Everyone permissions apply to anonymous users |
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous |
Network access: Restrict anonymous access to Named Pipes and Shares |
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares |
Network access: Shares that can be accessed anonymously |
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares |
Network access: Sharing and security model for local accounts |
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest |
Network security: Do not store LAN Manager hash value on next password change |
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash |
Recovery console: Allow automatic administrative logon |
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel |
Recovery console: Allow floppy copy and access to all drives and all folders |
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand |
Shutdown: Allow system to be shut down without having to log on |
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon |
Shutdown: Clear virtual memory pagefile |
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown |
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing |
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy |
System objects: Require case insensitivity for non-Windows subsystems |
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive |
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) |
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode |
User Account Control: Admin Approval Mode for the Built-in Administrator account |
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken |
User Account Control: Detect application installations and prompt for elevation |
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection |
User Account Control: Only elevate executables that are signed and validated |
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures |
User Account Control: Only elevate UIAccess applications that are installed in secure locations |
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths |
User Account Control: Run all administrators in Admin Approval Mode |
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA |
User Account Control: Switch to the secure desktop when prompting for elevation |
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop |
User Account Control: Virtualize file and registry write failures to per-user locations |
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization |
Do not process the legacy run list |
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableLocalMachineRun |
Do not process the run once list |
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableLocalMachineRunOnce |
Turn off the "Publish to Web" task for files and folders |
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPublishingWizard |
Turn off Internet download for Web publishing and online ordering wizards |
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices |
Turn off the Windows Messenger Customer Experience Improvement Program |
HKLM\Software\Policies\Microsoft\Messenger\Client!CEIP |
Turn off Search Companion content file updates |
HKLM\Software\Policies\Microsoft\SearchCompanion!DisableContentFileUpdates |
Turn off printing over HTTP |
HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting |
Turn off downloading of print drivers over HTTP |
HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload |
Turn off Windows Update device driver searching |
HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DontSearchWindowsUpdate |
Do not allow passwords to be saved |
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DisablePasswordSaving |