MSFT Windows Server 1903 - Member Server | |
Data collected on: 9/19/2019 11:30:25 PM |
Domain | contoso.lab |
Owner | CONTOSO\Domain Admins |
Created | 9/19/2019 10:00:24 PM |
Modified | 9/19/2019 11:24:50 PM |
User Revisions | 4 (AD), 4 (SYSVOL) |
Computer Revisions | 7 (AD), 7 (SYSVOL) |
Unique ID | {FC991569-408F-4E4D-9A38-EF7F68159DB8} |
GPO Status | User settings disabled |
Location | Enforced | Link Status | Path |
---|---|---|---|
None |
Name |
---|
NT AUTHORITY\Authenticated Users |
Name | Allowed Permissions | Inherited |
---|---|---|
CONTOSO\Domain Admins | Edit settings, delete, modify security | No |
CONTOSO\Enterprise Admins | Edit settings, delete, modify security | No |
NT AUTHORITY\Authenticated Users | Read (from Security Filtering) | No |
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read | No |
NT AUTHORITY\SYSTEM | Edit settings, delete, modify security | No |
Policy | Setting |
---|---|
Access Credential Manager as a trusted caller | |
Access this computer from the network | NT AUTHORITY\Authenticated Users, BUILTIN\Administrators |
Act as part of the operating system | |
Allow log on locally | BUILTIN\Administrators |
Back up files and directories | BUILTIN\Administrators |
Create a pagefile | BUILTIN\Administrators |
Create a token object | |
Create global objects | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\SERVICE, BUILTIN\Administrators |
Create permanent shared objects | |
Debug programs | BUILTIN\Administrators |
Deny access to this computer from the network | NT AUTHORITY\Local account and member of Administrators group |
Deny log on through Terminal Services | NT AUTHORITY\Local account |
Enable computer and user accounts to be trusted for delegation | |
Force shutdown from a remote system | BUILTIN\Administrators |
Impersonate a client after authentication | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\SERVICE, BUILTIN\Administrators |
Load and unload device drivers | BUILTIN\Administrators |
Lock pages in memory | |
Manage auditing and security log | BUILTIN\Administrators |
Modify firmware environment values | BUILTIN\Administrators |
Perform volume maintenance tasks | BUILTIN\Administrators |
Profile single process | BUILTIN\Administrators |
Restore files and directories | BUILTIN\Administrators |
Take ownership of files or other objects | BUILTIN\Administrators |
Policy | Setting |
---|---|
Accounts: Limit local account use of blank passwords to console logon only | Enabled |
Policy | Setting |
---|---|
Interactive logon: Smart card removal behavior | Lock Workstation |
Policy | Setting |
---|---|
Microsoft network client: Digitally sign communications (always) | Enabled |
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled |
Policy | Setting |
---|---|
Network access: Allow anonymous SID/Name translation | Disabled |
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled |
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled |
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled |
Policy | Setting | ||||
---|---|---|---|---|---|
Network security: Do not store LAN Manager hash value on next password change | Enabled | ||||
Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM | ||||
Network security: LDAP client signing requirements | Negotiate signing | ||||
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Enabled | ||||
| |||||
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Enabled | ||||
|
Policy | Setting |
---|---|
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled |
Policy | Setting |
---|---|
User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled |
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop |
User Account Control: Behavior of the elevation prompt for standard users | Automatically deny elevation requests |
User Account Control: Detect application installations and prompt for elevation | Enabled |
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
User Account Control: Run all administrators in Admin Approval Mode | Enabled |
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
Policy | Setting |
---|---|
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled |
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled |
Domain member: Digitally encrypt secure channel data (when possible) | Enabled |
Domain member: Digitally sign secure channel data (when possible) | Enabled |
Domain member: Disable machine account password changes | Disabled |
Domain member: Maximum machine account password age | 30 days |
Domain member: Require strong (Windows 2000 or later) session key | Enabled |
Interactive logon: Machine inactivity limit | 900 seconds |
Microsoft network server: Digitally sign communications (always) | Enabled |
Network access: Restrict clients allowed to make remote calls to SAM | "O:BAG:BAD:(A;;RC;;;BA)" |
Network security: Allow LocalSystem NULL session fallback | Disabled |
Policy | Setting |
---|---|
Policy version | 2.26 |
Disable stateful FTP | Not Configured |
Disable stateful PPTP | Not Configured |
IPsec exempt | Not Configured |
IPsec through NAT | Not Configured |
Preshared key encoding | Not Configured |
SA idle time | Not Configured |
Strong CRL check | Not Configured |
Policy | Setting |
---|---|
Firewall state | On |
Inbound connections | Block |
Outbound connections | Allow |
Apply local firewall rules | Not Configured |
Apply local connection security rules | Not Configured |
Display notifications | Not Configured |
Allow unicast responses | Not Configured |
Log dropped packets | Not Configured |
Log successful connections | Not Configured |
Log file path | Not Configured |
Log file maximum size (KB) | Not Configured |
Policy | Setting |
---|---|
Firewall state | On |
Inbound connections | Block |
Outbound connections | Allow |
Apply local firewall rules | Not Configured |
Apply local connection security rules | Not Configured |
Display notifications | Not Configured |
Allow unicast responses | Not Configured |
Log dropped packets | Not Configured |
Log successful connections | Not Configured |
Log file path | Not Configured |
Log file maximum size (KB) | Not Configured |
Policy | Setting |
---|---|
Firewall state | On |
Inbound connections | Block |
Outbound connections | Allow |
Apply local firewall rules | Not Configured |
Apply local connection security rules | Not Configured |
Display notifications | Not Configured |
Allow unicast responses | Not Configured |
Log dropped packets | Not Configured |
Log successful connections | Not Configured |
Log file path | Not Configured |
Log file maximum size (KB) | Not Configured |
Policy | Setting |
---|---|
Audit Credential Validation | Success, Failure |
Policy | Setting |
---|---|
Audit Security Group Management | Success |
Audit User Account Management | Success, Failure |
Policy | Setting |
---|---|
Audit PNP Activity | Success |
Audit Process Creation | Success |
Policy | Setting |
---|---|
Audit Account Lockout | Failure |
Audit Group Membership | Success |
Audit Logon | Success, Failure |
Audit Other Logon/Logoff Events | Success, Failure |
Audit Special Logon | Success |
Policy | Setting |
---|---|
Audit Detailed File Share | Failure |
Audit File Share | Success, Failure |
Audit Other Object Access Events | Success, Failure |
Audit Removable Storage | Success, Failure |
Policy | Setting |
---|---|
Audit Audit Policy Change | Success |
Audit Authentication Policy Change | Success |
Audit MPSSVC Rule-Level Policy Change | Success, Failure |
Audit Other Policy Change Events | Failure |
Policy | Setting |
---|---|
Audit Sensitive Privilege Use | Success, Failure |
Policy | Setting |
---|---|
Audit Other System Events | Success, Failure |
Audit Security State Change | Success |
Audit Security System Extension | Success |
Audit System Integrity | Success, Failure |
Policy | Setting | Comment |
---|---|---|
Prevent enabling lock screen camera | Enabled | |
Prevent enabling lock screen slide show | Enabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Apply UAC restrictions to local accounts on network logons | Enabled | |||
Configure SMB v1 client driver | Enabled | |||
| ||||
Policy | Setting | Comment | ||
Configure SMB v1 server | Disabled | |||
Enable Structured Exception Handling Overwrite Protection (SEHOP) | Enabled | |||
NetBT NodeType configuration | Enabled | |||
| ||||
Policy | Setting | Comment | ||
WDigest Authentication (disabling may require KB2871997) | Disabled |
Policy | Setting | Comment |
---|---|---|
Turn off multicast name resolution | Enabled |
Policy | Setting | Comment |
---|---|---|
Enable insecure guest logons | Disabled |
Policy | Setting | Comment |
---|---|---|
Windows Defender Firewall: Protect all network connections | Enabled |
Policy | Setting | Comment | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Hardened UNC Paths | Enabled | |||||||||||||||
|
Policy | Setting | Comment | ||
---|---|---|---|---|
Encryption Oracle Remediation | Enabled | |||
| ||||
Policy | Setting | Comment | ||
Remote host allows delegation of non-exportable credentials | Enabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Boot-Start Driver Initialization Policy | Enabled | |||
|
Policy | Setting | Comment | ||||
---|---|---|---|---|---|---|
Configure registry policy processing | Enabled | |||||
|
Policy | Setting | Comment | ||
---|---|---|---|---|
Enumeration policy for external devices incompatible with Kernel DMA Protection | Enabled | |||
|
Policy | Setting | Comment |
---|---|---|
Enumerate local users on domain-joined computers | Disabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Restrict Unauthenticated RPC clients | Enabled | |||
|
Policy | Setting | Comment | ||
---|---|---|---|---|
Disallow Autoplay for non-volume devices | Enabled | |||
Set the default behavior for AutoRun | Enabled | |||
| ||||
Policy | Setting | Comment | ||
Turn off Autoplay | Enabled | |||
|
Policy | Setting | Comment |
---|---|---|
Configure enhanced anti-spoofing | Enabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Specify the maximum log file size (KB) | Enabled | |||
|
Policy | Setting | Comment | ||
---|---|---|---|---|
Specify the maximum log file size (KB) | Enabled | |||
|
Policy | Setting | Comment | ||
---|---|---|---|---|
Specify the maximum log file size (KB) | Enabled | |||
|
Policy | Setting | Comment |
---|---|---|
Do not allow passwords to be saved | Enabled |
Policy | Setting | Comment |
---|---|---|
Do not allow drive redirection | Enabled |
Policy | Setting | Comment | ||||
---|---|---|---|---|---|---|
Always prompt for password upon connection | Enabled | |||||
Require secure RPC communication | Enabled | |||||
Set client connection encryption level | Enabled | |||||
|
Policy | Setting | Comment |
---|---|---|
Prevent downloading of enclosures | Enabled |
Policy | Setting | Comment |
---|---|---|
Allow indexing of encrypted files | Disabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Configure Windows Defender SmartScreen | Enabled | |||
|
Policy | Setting | Comment | ||
---|---|---|---|---|
Allow Windows Ink Workspace | Enabled | |||
|
Policy | Setting | Comment |
---|---|---|
Allow user control over installs | Disabled | |
Always install with elevated privileges | Disabled |
Policy | Setting | Comment |
---|---|---|
Sign-in last interactive user automatically after a system-initiated restart | Disabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Turn on PowerShell Script Block Logging | Enabled | |||
|
Policy | Setting | Comment |
---|---|---|
Allow Basic authentication | Disabled | |
Allow unencrypted traffic | Disabled | |
Disallow Digest authentication | Enabled |
Policy | Setting | Comment |
---|---|---|
Allow Basic authentication | Disabled | |
Allow unencrypted traffic | Disabled | |
Disallow WinRM from storing RunAs credentials | Enabled |
Setting | State |
---|---|
Software\Policies\Microsoft Services\AdmPwd\AdmPwdEnabled | 1 |
SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand | 1 |
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting | 2 |
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect | 0 |
SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting | 2 |