MSFT Windows Server 1903 - Domain Controller | |
Data collected on: 9/19/2019 11:30:25 PM |
Domain | contoso.lab |
Owner | CONTOSO\Domain Admins |
Created | 9/19/2019 10:00:22 PM |
Modified | 9/19/2019 11:23:20 PM |
User Revisions | 4 (AD), 4 (SYSVOL) |
Computer Revisions | 11 (AD), 11 (SYSVOL) |
Unique ID | {F1A77A55-EF7C-4A70-BEEC-20C5277A63C2} |
GPO Status | User settings disabled |
Location | Enforced | Link Status | Path |
---|---|---|---|
None |
Name |
---|
NT AUTHORITY\Authenticated Users |
Name | Allowed Permissions | Inherited |
---|---|---|
CONTOSO\Domain Admins | Edit settings, delete, modify security | No |
CONTOSO\Enterprise Admins | Edit settings, delete, modify security | No |
NT AUTHORITY\Authenticated Users | Read (from Security Filtering) | No |
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read | No |
NT AUTHORITY\SYSTEM | Edit settings, delete, modify security | No |
Policy | Setting |
---|---|
Access Credential Manager as a trusted caller | |
Access this computer from the network | BUILTIN\Administrators, NT AUTHORITY\Authenticated Users, NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS |
Act as part of the operating system | |
Allow log on locally | BUILTIN\Administrators |
Allow log on through Terminal Services | BUILTIN\Administrators |
Back up files and directories | BUILTIN\Administrators |
Create a pagefile | BUILTIN\Administrators |
Create a token object | |
Create global objects | BUILTIN\Administrators, NT AUTHORITY\SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE |
Create permanent shared objects | |
Debug programs | BUILTIN\Administrators |
Enable computer and user accounts to be trusted for delegation | BUILTIN\Administrators |
Force shutdown from a remote system | BUILTIN\Administrators |
Impersonate a client after authentication | BUILTIN\Administrators, NT AUTHORITY\SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE |
Load and unload device drivers | BUILTIN\Administrators |
Lock pages in memory | |
Manage auditing and security log | BUILTIN\Administrators |
Modify firmware environment values | BUILTIN\Administrators |
Perform volume maintenance tasks | BUILTIN\Administrators |
Profile single process | BUILTIN\Administrators |
Restore files and directories | BUILTIN\Administrators |
Take ownership of files or other objects | BUILTIN\Administrators |
Policy | Setting |
---|---|
Accounts: Limit local account use of blank passwords to console logon only | Enabled |
Policy | Setting |
---|---|
Domain controller: LDAP server signing requirements | Require signing |
Domain controller: Refuse machine account password changes | Disabled |
Policy | Setting |
---|---|
Interactive logon: Smart card removal behavior | Lock Workstation |
Policy | Setting |
---|---|
Microsoft network client: Digitally sign communications (always) | Enabled |
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled |
Policy | Setting |
---|---|
Network access: Allow anonymous SID/Name translation | Disabled |
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled |
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled |
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled |
Policy | Setting | ||||
---|---|---|---|---|---|
Network security: Do not store LAN Manager hash value on next password change | Enabled | ||||
Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM | ||||
Network security: LDAP client signing requirements | Negotiate signing | ||||
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Enabled | ||||
| |||||
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Enabled | ||||
|
Policy | Setting |
---|---|
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled |
Policy | Setting |
---|---|
User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled |
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop |
User Account Control: Behavior of the elevation prompt for standard users | Automatically deny elevation requests |
User Account Control: Detect application installations and prompt for elevation | Enabled |
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
User Account Control: Run all administrators in Admin Approval Mode | Enabled |
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
Policy | Setting |
---|---|
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled |
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled |
Domain member: Digitally encrypt secure channel data (when possible) | Enabled |
Domain member: Digitally sign secure channel data (when possible) | Enabled |
Domain member: Disable machine account password changes | Disabled |
Domain member: Maximum machine account password age | 30 days |
Domain member: Require strong (Windows 2000 or later) session key | Enabled |
Interactive logon: Machine inactivity limit | 900 seconds |
Microsoft network server: Digitally sign communications (always) | Enabled |
Network security: Allow LocalSystem NULL session fallback | Disabled |
Policy | Setting |
---|---|
Policy version | 2.26 |
Disable stateful FTP | Not Configured |
Disable stateful PPTP | Not Configured |
IPsec exempt | Not Configured |
IPsec through NAT | Not Configured |
Preshared key encoding | Not Configured |
SA idle time | Not Configured |
Strong CRL check | Not Configured |
Policy | Setting |
---|---|
Firewall state | On |
Inbound connections | Block |
Outbound connections | Allow |
Apply local firewall rules | Not Configured |
Apply local connection security rules | Not Configured |
Display notifications | Not Configured |
Allow unicast responses | Not Configured |
Log dropped packets | Not Configured |
Log successful connections | Not Configured |
Log file path | Not Configured |
Log file maximum size (KB) | Not Configured |
Policy | Setting |
---|---|
Firewall state | On |
Inbound connections | Block |
Outbound connections | Allow |
Apply local firewall rules | Not Configured |
Apply local connection security rules | Not Configured |
Display notifications | Not Configured |
Allow unicast responses | Not Configured |
Log dropped packets | Not Configured |
Log successful connections | Not Configured |
Log file path | Not Configured |
Log file maximum size (KB) | Not Configured |
Policy | Setting |
---|---|
Firewall state | On |
Inbound connections | Block |
Outbound connections | Allow |
Apply local firewall rules | Not Configured |
Apply local connection security rules | Not Configured |
Display notifications | Not Configured |
Allow unicast responses | Not Configured |
Log dropped packets | Not Configured |
Log successful connections | Not Configured |
Log file path | Not Configured |
Log file maximum size (KB) | Not Configured |
Policy | Setting |
---|---|
Audit Credential Validation | Failure |
Audit Kerberos Authentication Service | Success, Failure |
Audit Kerberos Service Ticket Operations | Failure |
Policy | Setting |
---|---|
Audit Computer Account Management | Success |
Audit Other Account Management Events | Success |
Audit Security Group Management | Success |
Audit User Account Management | Success, Failure |
Policy | Setting |
---|---|
Audit PNP Activity | Success |
Audit Process Creation | Success |
Policy | Setting |
---|---|
Audit Directory Service Access | Failure |
Audit Directory Service Changes | Success |
Policy | Setting |
---|---|
Audit Account Lockout | Failure |
Audit Group Membership | Success |
Audit Logon | Success, Failure |
Audit Other Logon/Logoff Events | Success, Failure |
Audit Special Logon | Success |
Policy | Setting |
---|---|
Audit Detailed File Share | Failure |
Audit File Share | Success, Failure |
Audit Other Object Access Events | Success, Failure |
Audit Removable Storage | Success, Failure |
Policy | Setting |
---|---|
Audit Audit Policy Change | Success |
Audit Authentication Policy Change | Success |
Audit MPSSVC Rule-Level Policy Change | Success, Failure |
Audit Other Policy Change Events | Failure |
Policy | Setting |
---|---|
Audit Sensitive Privilege Use | Success, Failure |
Policy | Setting |
---|---|
Audit Other System Events | Success, Failure |
Audit Security State Change | Success |
Audit Security System Extension | Success |
Audit System Integrity | Success, Failure |
Policy | Setting |
---|---|
Enforce rules of this type | True |
Action | User | Name | Rule Type | Exceptions |
---|---|---|---|---|
Allow | Everyone | (Default Rule) All signed packaged apps | Publisher | No |
Policy | Setting |
---|---|
Enforce rules of this type | True |
Action | User | Name | Rule Type | Exceptions |
---|---|---|---|---|
Deny | Everyone | Block Google Chrome | Publisher | No |
Deny | Everyone | Block Mozilla Firefox | Publisher | No |
Deny | Everyone | Block Internet Explorer | Publisher | No |
Allow | Everyone | (Default Rule) All files located in the Program Files folder | Path | No |
Allow | Everyone | (Default Rule) All files located in the Windows folder | Path | No |
Allow | BUILTIN\Administrators | (Default Rule) All files | Path | No |
Policy | Setting | Comment |
---|---|---|
Prevent enabling lock screen camera | Enabled | |
Prevent enabling lock screen slide show | Enabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Configure SMB v1 client driver | Enabled | |||
| ||||
Policy | Setting | Comment | ||
Configure SMB v1 server | Disabled | |||
Enable Structured Exception Handling Overwrite Protection (SEHOP) | Enabled | |||
Extended Protection for LDAP Authentication (Domain Controllers only) | Enabled | |||
| ||||
Policy | Setting | Comment | ||
NetBT NodeType configuration | Enabled | |||
| ||||
Policy | Setting | Comment | ||
WDigest Authentication (disabling may require KB2871997) | Disabled |
Policy | Setting | Comment |
---|---|---|
Turn off multicast name resolution | Enabled |
Policy | Setting | Comment |
---|---|---|
Enable insecure guest logons | Disabled |
Policy | Setting | Comment |
---|---|---|
Windows Defender Firewall: Protect all network connections | Enabled |
Policy | Setting | Comment | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Hardened UNC Paths | Enabled | |||||||||||||||
|
Policy | Setting | Comment | ||
---|---|---|---|---|
Encryption Oracle Remediation | Enabled | |||
| ||||
Policy | Setting | Comment | ||
Remote host allows delegation of non-exportable credentials | Enabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Boot-Start Driver Initialization Policy | Enabled | |||
|
Policy | Setting | Comment | ||||
---|---|---|---|---|---|---|
Configure registry policy processing | Enabled | |||||
|
Policy | Setting | Comment | ||
---|---|---|---|---|
Enumeration policy for external devices incompatible with Kernel DMA Protection | Enabled | |||
|
Policy | Setting | Comment | ||
---|---|---|---|---|
Disallow Autoplay for non-volume devices | Enabled | |||
Set the default behavior for AutoRun | Enabled | |||
| ||||
Policy | Setting | Comment | ||
Turn off Autoplay | Enabled | |||
|
Policy | Setting | Comment |
---|---|---|
Configure enhanced anti-spoofing | Enabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Specify the maximum log file size (KB) | Enabled | |||
|
Policy | Setting | Comment | ||
---|---|---|---|---|
Specify the maximum log file size (KB) | Enabled | |||
|
Policy | Setting | Comment | ||
---|---|---|---|---|
Specify the maximum log file size (KB) | Enabled | |||
|
Policy | Setting | Comment |
---|---|---|
Do not allow passwords to be saved | Enabled |
Policy | Setting | Comment |
---|---|---|
Do not allow drive redirection | Enabled |
Policy | Setting | Comment | ||||
---|---|---|---|---|---|---|
Always prompt for password upon connection | Enabled | |||||
Require secure RPC communication | Enabled | |||||
Set client connection encryption level | Enabled | |||||
|
Policy | Setting | Comment |
---|---|---|
Prevent downloading of enclosures | Enabled |
Policy | Setting | Comment |
---|---|---|
Allow indexing of encrypted files | Disabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Configure Windows Defender SmartScreen | Enabled | |||
|
Policy | Setting | Comment | ||
---|---|---|---|---|
Allow Windows Ink Workspace | Enabled | |||
|
Policy | Setting | Comment |
---|---|---|
Allow user control over installs | Disabled | |
Always install with elevated privileges | Disabled |
Policy | Setting | Comment |
---|---|---|
Sign-in last interactive user automatically after a system-initiated restart | Disabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Turn on PowerShell Script Block Logging | Enabled | |||
|
Policy | Setting | Comment |
---|---|---|
Allow Basic authentication | Disabled | |
Allow unencrypted traffic | Disabled | |
Disallow Digest authentication | Enabled |
Policy | Setting | Comment |
---|---|---|
Allow Basic authentication | Disabled | |
Allow unencrypted traffic | Disabled | |
Disallow WinRM from storing RunAs credentials | Enabled |
Setting | State |
---|---|
SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand | 1 |
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting | 2 |
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect | 0 |
SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting | 2 |