Need help configuring GPO settings manually.


#1 out4knowledge
Hello,

I am trying to find the best and most secure Local Security Policy settings to use for Windows Media Center Edition 2005 with SP3. The last time I tried to touch this section by myself was about 3 to 4 years ago, and at the time I knew very little about it. I took a chance one time in changing some settings, and ended up blocking myself from the internet, which eventually resulted in reinstalling my OS completely fresh. This time I am asking anyone on here who has changed these settings before, and knows a lot about them. Below I listed the way the computer is used, which can probably determine the best settings to have.


This computer only has 1 user (Out4Knowledge) with administrator privileges.

This computer has Fast User Switching Compatibility Service disabled.

This computer has Secondary Logon Service disabled.

This computer has ASP.NET State Service disabled.

This computer has Remote Assistance Service disabled.

This computer has Help & Support Service disabled.

This computer has Terminal Service disabled.



Now that I explained some settings about the computer, below you will see the local group policy settings that I have currently set.



Local Security Setting->User Rights Assignments:

Access this computer from the network.................Everyone,ASPNET,Administrators,Users,Power Users,Backup Operators
Act as part of the operating system
Add workstations to domain
Adjust memory quotas for a process.....................LOCAL SERVICE,NETWORK SERVICE,Administrators
Allow logon through Terminal Services...................Administrators,Remote Desktop Users
Back up files and directories.................................Administrators,Backup Operators
Bypass traverse checking....................................Everyone,Administrators,Users,Power Users,Backup Operators
Change the system time......................................Administrators,Power Users
Create a pagefile.................................................Administrators
Create a token object
Create global objects...........................................Administrators,INTERACTIVE,SERVICE
Create permanent shared objects
Debug programs..................................................Administrators
Deny access to this computer from the network.....SUPPORT_388945a0
Deny logon as a batch job
Deny logon as a service
Deny logon locally...............................................SUPPORT_388945a0,ASPNET,Guest
Deny logon through Terminal Services...................ASPNET
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system...................Administrators
Generate security audits.......................................LOCAL SERVICE,NETWORK SERVICE
Impersonate a client after authentication.................ASPNET,Administrators,SERVICE
Increase scheduling priority...................................Administrators
Load and unload device drivers..............................Administrators
Lock pages in memory
Log on as a batch job...........................................SUPPORT_388945a0,ASPNET,Out4Knowledge
Log on as a service..............................................NETWORK SERVICE,ASPNET
Log on locally......................................................Guest,Administrators,Users,Power Users,Backup Operators
Manage auditing and security log..........................Administrators
Modify firmware environment values.......................Administrators
Perform volume maintenance tasks.......................Administrators
Profile single process...........................................Administrators,Power Users
Profile system performance..................................Administrators
Remove computer from docking station..................Administrators,Users,Power Users
Replace a process level token...............................LOCAL SERVICE,NETWORK SERVICE
Restore files and directories..................................Administrators,Backup Operators
Shut down the system..........................................Administrators,Users,Power Users,Backup Operators
Synchronize directory service data
Take ownership of files or other objects..................Administrators




Local Security Setting->Security Options:

Accounts: Administrator account status...........................................................................Enabled
Accounts: Guest account status......................................................................................Enabled
Accounts: Limit local account use of blank passwords to console logon only.......................Enabled
Accounts: Rename administrator account........................................................................Administrator
Accounts: Rename guest account...................................................................................Guest
Audit: Audit the access of global system objects..............................................................Disabled
Audit: Audit the use of Backup and Restore privilege.........................................................Disabled
Audit: Shut down system immediately if unable to log security audits.................................Disabled
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax..................Not defined
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax..................Not defined
Devices: Allow undock without having to log on.................................................................Enabled
Devices: Allowed to format and eject removable media.......................................................Administrators
Devices: Prevent users from installing printer drivers..........................................................Disabled
Devices: Restrict CD-ROM access to locally logged-on user only.......................................Disabled
Devices: Restrict floppy access to locally logged-on user only............................................Enabled
Devices: Unsigned driver installation behavior....................................................................Warn but allow installation
Domain controller: Allow server operators to schedule tasks...............................................Not defined
Domain controller: LDAP server signing requirements.........................................................Not defined
Domain controller: Refuse machine account password changes..........................................Not defined
Domain member: Digitally encrypt or sign secure channel data (always)..............................Not defined
Domain member: Digitally encrypt secure channel data (when possible)..............................Not defined
Domain member: Digitally sign secure channel data (when possible)...................................Not defined
Domain member: Disable machine account password changes...........................................Not defined
Domain member: Maximum machine account password age...............................................Not defined
Domain member: Require strong (Windows 2000 or later) session key.................................Not defined
Interactive logon: Display user information when the session is locked.................................Not defined
Interactive logon: Do not display last user name.................................................................Disabled
Interactive logon: Do not require CTRL+ALT+DEL...............................................................Not defined
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on..............................................Not defined
Interactive logon: Number of previous logons to cache
(in case domain controller is not available).........................................................................10 logons
Interactive logon: Prompt user to change password before expiration....................................14 days
Interactive logon: Require Domain Controller authentication to unlock workstation..................Disabled
Interactive logon: Require smart card.................................................................................Not defined
Interactive logon: Smart card removal behavior....................................................................No Action
Microsoft network client: Digitally sign communications (always)..........................................Not defined
Microsoft network client: Digitally sign communications (if server agrees)..............................Not defined
Microsoft network client: Send unencrypted password to third-party SMB servers..................Not defined
Microsoft network server: Amount of idle time required before suspending session.................15 minutes
Microsoft network server: Digitally sign communications (always).........................................Disabled
Microsoft network server: Digitally sign communications (if client agrees)..............................Disabled
Microsoft network server: Disconnect clients when logon hours expire...................................Enabled
Network access: Allow anonymous SID/Name translation....................................................Disabled
Network access: Do not allow anonymous enumeration of SAM accounts.............................Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares............Disabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication.....Disabled
Network access: Let Everyone permissions apply to anonymous users.................................Disabled
Network access: Named Pipes that can be accessed anonymously.....................................COMNAP,COMNODE,SQL\QUERY,SPOOLSS,LLSRPC,browser
Network access: Remotely accessible registry paths...................................................System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Control\Server Applications,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Network access: Shares that can be accessed anonymously................................................COMCFG,DFS$
Network access: Sharing and security model for local accounts............................................Classic - local users authenticate as themselves
Network security: Do not store LAN Manager hash value on next password change.................Disabled
Network security: Force logoff when logon hours expire.........................................................Disabled
Network security: LAN Manager authentication level.............................................................Send LM & NTLM responses
Network security: LDAP client signing requirements.............................................................Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients..............No minimum
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers.............No minimum
Recovery console: Allow automatic administrative logon........................................................Disabled
Recovery console: Allow floppy copy and access to all drives and all folders...........................Disabled
Shutdown: Allow system to be shut down without having to log on.........................................Enabled
Shutdown: Clear virtual memory pagefile..............................................................................Enabled
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing......Disabled
System objects: Default owner for objects created by members of the Administrators group.....Object creator
System objects: Require case insensitivity for non-Windows subsystems...............................Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)..........Enabled




If anyone has changed these settings before, and knows more about them than I do, please feel free to post. I would like to know if these are safe to use, or even needed at all. I know a little bit about some settings from my last setup, and haven't touched anything on this PC yet. Please post back if you can help out.



Thanks,


- out4knowledge -
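As an added example, not part of the poster's thread or of any Microsoft tooling: a Python script that parses a secedit-style policy export (the INF layout `secedit /export /cfg` writes on XP) and flags the items in the list above that a reviewer would question first: LM & NTLM responses allowed, LM hash storage allowed, no minimum NTLM session security, the Guest account enabled, and Everyone holding "Access this computer from the network". The sample INF is constructed to mirror the posted values (registry paths and well-known SIDs are the standard ones); on a real machine you would feed the exported file to `audit()` instead.

```python
# Constructed sample in secedit /export INF layout; values mirror what the post
# lists. Not a real export; SIDs: S-1-1-0 Everyone, -544 Administrators, -545 Users.
SAMPLE_INF = r"""
[System Access]
EnableGuestAccount = 1
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,0
"""
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"

def parse_inf(text):
    """Return {section: {key: value}} from secedit-style INF text."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None and not line.startswith(";"):
            key, val = (s.strip() for s in line.split("=", 1))
            current[key] = val
    return sections

def reg_value(sections, path):
    """Registry Values entries are 'type,data'; type 4 is REG_DWORD -> int."""
    entry = sections.get("Registry Values", {}).get(path)
    if entry is None:
        return None
    rtype, data = entry.split(",", 1)
    return int(data) if rtype == "4" else data

def audit(text):
    """Return the settings a reviewer would flag (empty list = nothing flagged)."""
    s, findings = parse_inf(text), []
    # LmCompatibilityLevel 0-2 still send LM and/or NTLMv1; 3+ is NTLMv2 only
    if (reg_value(s, LSA + r"\LmCompatibilityLevel") or 0) < 3:
        findings.append("LM/NTLMv1 responses allowed; use 'Send NTLMv2 response only' (level 3+)")
    if reg_value(s, LSA + r"\NoLMHash") != 1:
        findings.append("LM hashes stored; enable 'Do not store LAN Manager hash value'")
    if not reg_value(s, LSA + r"\MSV1_0\NTLMMinClientSec"):
        findings.append("No minimum session security for NTLM SSP clients")
    if s.get("System Access", {}).get("EnableGuestAccount") == "1":
        findings.append("Guest account enabled")
    if "*S-1-1-0" in s.get("Privilege Rights", {}).get("SeNetworkLogonRight", "").split(","):
        findings.append("Everyone holds 'Access this computer from the network'")
    return findings
```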
