Hi Guys,
The configuration below is a hardening baseline for the Security Options policy settings on a Windows server (Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options). The settings are grouped by their policy prefix as they appear in the Group Policy editor.
Group Policy - Security Options
Accounts: Administrator account status – Disabled
Accounts: Guest account status – Disabled
Accounts: Limit local account use of blank passwords to console logon only – Enabled
Accounts: Rename administrator account – Must be set to something other than Administrator
Accounts: Rename guest account – Must be set to something other than Guest
Audit: Audit the access of global system objects – Disabled
Audit: Audit the use of Backup and Restore privilege – Enabled (this logs an event for every file a backup or restore touches, so size the Security log, or forward it, accordingly)
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings – Enabled
Audit: Shut down system immediately if unable to log security audits – Enabled (caveat: with this set, a full Security log halts the server with a STOP error, and only an administrator can log on until the value is reset; the CIS benchmarks recommend Disabled for this reason, so keep it Enabled only where the log is forwarded or sized so that it cannot fill)
Devices: Allowed to format and eject removable media – Administrators
Devices: Prevent users from installing printer drivers – Enabled (a single policy; it applies when a user connects to a shared printer)
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax – Bespoke for each environment
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax – Bespoke for each environment
Domain controller: Allow server operators to schedule tasks – Disabled
Domain member: Digitally encrypt or sign secure channel data (always) – Enabled
Domain member: Digitally encrypt secure channel data (when possible) – Enabled
Domain member: Digitally sign secure channel data (when possible) – Enabled
Domain member: Disable machine account password changes – Disabled
Domain member: Maximum machine account password age – 30 days
Domain member: Require strong (Windows 2000 or later) session key – Enabled
Interactive logon: Display user information when the session is locked – Do not display user information (this setting has no Enabled/Disabled value; its options are "User display name, domain and user names", "User display name only" and "Do not display user information")
Interactive logon: Do not display last user name – Enabled
Interactive logon: Do not require CTRL+ALT+DEL – Disabled
Interactive logon: Message text for users attempting to log on – For example, ‘By using this computer system you are subject to the 'Computer Systems Policy' of New Net Technologies. The policy is available on the NNT Intranet and should be checked regularly for any updates’
Interactive logon: Message title for users attempting to log on – For example, ‘Warning – Authorized Users Only – Disconnect now if you are not authorized to use this system’
Interactive logon: Number of previous logons to cache (in case domain controller is not available) – 0 (caveat: with 0, nobody can log on interactively while no domain controller is reachable; this suits servers with a reliable link to a DC, not laptops or other machines that must work offline)
Interactive logon: Prompt user to change password before expiration – 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation – Enabled
Microsoft network client: Digitally sign communications (always) – Enabled
Microsoft network client: Digitally sign communications (if server agrees) – Enabled
Microsoft network server: Digitally sign communications (always) – Enabled
Microsoft network server: Digitally sign communications (if client agrees) – Enabled
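To check a server against the list above rather than trusting that the GPO applied, the following added audit script (not part of the original post) reads the registry value behind each Security Option and compares it with the recommended value, then checks the built-in Administrator (RID 500) and Guest (RID 501) accounts by SID so that renaming them does not hide them. The registry paths and value names are the ones Windows stores these policies in; the recommended values come from the list. The DCOM SDDL restrictions and the logon banner are site-specific, so the script prints them for review instead of judging them.

```powershell
# Added audit script (not from the original post). Read-only; run in an
# elevated PowerShell session so every key is readable.
$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$PolSys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$WksSmb   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$SrvSmb   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Print    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'
$Dcom     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'

# Policy name, where Windows stores it, and the value recommended in the list above.
$Expected = @(
    @{ Name = 'Accounts: Limit local account use of blank passwords to console logon only'; Path = $Lsa;      Value = 'LimitBlankPasswordUse';       Want = 1 }
    @{ Name = 'Audit: Audit the access of global system objects';                           Path = $Lsa;      Value = 'AuditBaseObjects';            Want = 0 }
    @{ Name = 'Audit: Audit the use of Backup and Restore privilege';                       Path = $Lsa;      Value = 'FullPrivilegeAuditing';       Want = 1 }
    @{ Name = 'Audit: Force audit policy subcategory settings';                             Path = $Lsa;      Value = 'SCENoApplyLegacyAuditPolicy'; Want = 1 }
    @{ Name = 'Audit: Shut down system immediately if unable to log security audits';       Path = $Lsa;      Value = 'CrashOnAuditFail';            Want = 1 }
    @{ Name = 'Devices: Allowed to format and eject removable media';                       Path = $Winlogon; Value = 'AllocateDASD';                Want = 0 }
    @{ Name = 'Devices: Prevent users from installing printer drivers';                     Path = $Print;    Value = 'AddPrinterDrivers';           Want = 1 }
    @{ Name = 'Domain controller: Allow server operators to schedule tasks';                Path = $Lsa;      Value = 'SubmitControl';               Want = 0 }
    @{ Name = 'Domain member: Digitally encrypt or sign secure channel data (always)';      Path = $Netlogon; Value = 'RequireSignOrSeal';           Want = 1 }
    @{ Name = 'Domain member: Digitally encrypt secure channel data (when possible)';       Path = $Netlogon; Value = 'SealSecureChannel';           Want = 1 }
    @{ Name = 'Domain member: Digitally sign secure channel data (when possible)';          Path = $Netlogon; Value = 'SignSecureChannel';           Want = 1 }
    @{ Name = 'Domain member: Disable machine account password changes';                    Path = $Netlogon; Value = 'DisablePasswordChange';       Want = 0 }
    @{ Name = 'Domain member: Maximum machine account password age';                        Path = $Netlogon; Value = 'MaximumPasswordAge';          Want = 30 }
    @{ Name = 'Domain member: Require strong (Windows 2000 or later) session key';          Path = $Netlogon; Value = 'RequireStrongKey';            Want = 1 }
    @{ Name = 'Interactive logon: Display user information when the session is locked';    Path = $PolSys;   Value = 'DontDisplayLockedUserId';     Want = 3 }
    @{ Name = 'Interactive logon: Do not display last user name';                           Path = $PolSys;   Value = 'DontDisplayLastUserName';     Want = 1 }
    @{ Name = 'Interactive logon: Do not require CTRL+ALT+DEL';                             Path = $PolSys;   Value = 'DisableCAD';                  Want = 0 }
    @{ Name = 'Interactive logon: Number of previous logons to cache';                      Path = $Winlogon; Value = 'CachedLogonsCount';           Want = 0 }
    @{ Name = 'Interactive logon: Prompt user to change password before expiration';        Path = $Winlogon; Value = 'PasswordExpiryWarning';       Want = 14 }
    @{ Name = 'Interactive logon: Require Domain Controller authentication to unlock';      Path = $Winlogon; Value = 'ForceUnlockLogon';            Want = 1 }
    @{ Name = 'Microsoft network client: Digitally sign communications (always)';           Path = $WksSmb;   Value = 'RequireSecuritySignature';    Want = 1 }
    @{ Name = 'Microsoft network client: Digitally sign communications (if server agrees)'; Path = $WksSmb;   Value = 'EnableSecuritySignature';     Want = 1 }
    @{ Name = 'Microsoft network server: Digitally sign communications (always)';           Path = $SrvSmb;   Value = 'RequireSecuritySignature';    Want = 1 }
    @{ Name = 'Microsoft network server: Digitally sign communications (if client agrees)'; Path = $SrvSmb;   Value = 'EnableSecuritySignature';     Want = 1 }
)

function Test-SecurityOption {
    param([hashtable]$Spec)
    $actual = $null
    $item = Get-ItemProperty -Path $Spec.Path -Name $Spec.Value -ErrorAction SilentlyContinue
    if ($null -ne $item) { $actual = $item.($Spec.Value) }
    # FullPrivilegeAuditing is REG_BINARY (one byte); AllocateDASD and CachedLogonsCount
    # are REG_SZ; the rest are REG_DWORD. Compare everything as a string.
    if ($actual -is [byte[]]) { $actual = [int]$actual[0] }
    $shown = if ($null -eq $actual) { '(not set)' } else { $actual }
    [pscustomobject]@{
        Setting  = $Spec.Name
        Expected = $Spec.Want
        Actual   = $shown
        Pass     = ($null -ne $actual) -and ("$actual" -eq "$($Spec.Want)")
    }
}

function Test-BuiltinAccount {
    param([string]$Rid, [string]$DefaultName)
    # Match on the RID so a renamed Administrator or Guest is still found.
    $acct = Get-LocalUser | Where-Object { $_.SID.Value -match "-$Rid$" }
    if (-not $acct) { throw "No local account with RID $Rid" }
    [pscustomobject]@{ Setting = "Accounts: $DefaultName account status"; Expected = 'Disabled'
                       Actual = $(if ($acct.Enabled) { 'Enabled' } else { 'Disabled' }); Pass = (-not $acct.Enabled) }
    [pscustomobject]@{ Setting = "Accounts: Rename $DefaultName account"; Expected = "not '$DefaultName'"
                       Actual = $acct.Name; Pass = ($acct.Name -ne $DefaultName) }
}

$report = @($Expected | ForEach-Object { Test-SecurityOption $_ })
try {
    $report += Test-BuiltinAccount -Rid 500 -DefaultName 'Administrator'
    $report += Test-BuiltinAccount -Rid 501 -DefaultName 'Guest'
} catch {
    # Domain controllers have no local SAM users; check the domain accounts with Get-ADUser there.
    Write-Warning "Local account check skipped: $($_.Exception.Message)"
}

$report | Format-Table Setting, Expected, Actual, Pass -AutoSize
$failed = @($report | Where-Object { -not $_.Pass }).Count
Write-Host "$failed of $($report.Count) settings differ from the baseline."

# Site-specific values are printed for review, not judged.
$Review = @(
    @{ Path = $PolSys; Value = 'LegalNoticeCaption' }
    @{ Path = $PolSys; Value = 'LegalNoticeText' }
    @{ Path = $Dcom;   Value = 'MachineAccessRestriction' }
    @{ Path = $Dcom;   Value = 'MachineLaunchRestriction' }
)
foreach ($r in $Review) {
    $val = (Get-ItemProperty -Path $r.Path -Name $r.Value -ErrorAction SilentlyContinue).($r.Value)
    if (-not $val) { $val = '(not set)' }
    Write-Host ("{0,-25} {1}" -f $r.Value, $val)
}
```

A value reported as "(not set)" means the policy is not enforced on that machine, which is how a GPO that never applied shows up; rerun `gpupdate /force` and check `gpresult /h` before assuming the baseline is in place. The script reads the effective registry state, so it also catches a local override of the GPO.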
Feel free to tune it the way you want.
Thank you,