Windows Infrastructure GPOs

Group Policy Management

body { font-size:68%;font-family:Tahoma; margin:0px,0px,0px,0px; border: 1px solid #666666; background:#F6F6F6; width:100%; word-break:normal; word-wrap:break-word; } .head { font-weight:bold; font-size:160%; font-family:Tahoma; width:100%; color:#6587DC; background:#E3EAF9; border:1px solid #5582D2; padding-left:8px; height:24px; } .path { margin-left: 10px; margin-top: 10px; margin-bottom:5px;width:100%; } .info { padding-left:10px;width:100%; } table { font-size:100%; width:100%; border:1px solid #999999; } th { border-bottom:1px solid #999999; text-align:left; padding-left:10px; height:24px; } td { background:#FFFFFF; padding-left:10px; padding-bottom:10px; padding-top:10px; } .btn { width:100%; text-align:right; margin-top:16px; } .hdr { font-weight:bold; border:1px solid #999999; text-align:left; padding-top: 4px; padding-left:10px; height:24px; margin-bottom:-1px; width:100%; } .bdy { width:100%; height:182px; display:block; overflow:scroll; z-index:2; background:#FFFFFF; padding-left:10px; padding-bottom:10px; padding-top:10px; border:1px solid #999999; } button { width:6.9em; height:2.1em; font-size:100%; font-family:tahoma; margin-right:15px; } @media print { .bdy { display:block; overflow:visible; } button { display:none; } .head { color:#000000; background:#FFFFFF; border:1px solid #000000; } }

Setting Path:

Explanation

No explanation is available for this setting.

Supported On:

Not available

Windows Settings

Security Settings

Local Policies/Security Options

Interactive Logon

Policy	Setting
Interactive logon: Message text for users attempting to log on	Only authorized Stanford users are permitted to use and access this computer and the computer networks and systems of Stanford University. If you are not an authorized user, do not login to this system. Authorized users are advised that files and transmissions on this system may be intercepted, monitored, recorded, copied, reviewed, inspected and disclosed as set forth in Administrative Guide Memorandum 62 (http://adminguide.stanford.edu/62.pdf), ., All use of this system is also subject to Stanford University's rules and regulations, including without limitation the Stanford University Administrative Guide, which is available for your review at http://adminguide.stanford.edu/. You agree not to use this system for any illegal purpose, any purpose that would violate Stanford University rules and regulations, or to make unauthorized use of another party's intellectual property., ., By logging on to this computer, you acknowledge and agree to comply with the above terms., ., Windows administrators will use their administrative accounts to accomplish their responsibilities, respecting the policies noted in http://windows.stanford.edu/Public/Infrastructure/WinPolicyGuide.htm
Interactive logon: Message title for users attempting to log on	"Computer and Network Policy Notice"

Policy

Setting

Interactive logon: Message text for users attempting to log on

Only authorized Stanford users are permitted to use and access this computer and the computer networks and systems of Stanford University. If you are not an authorized user, do not login to this system. Authorized users are advised that files and transmissions on this system may be intercepted, monitored, recorded, copied, reviewed, inspected and disclosed as set forth in Administrative Guide Memorandum 62 (http://adminguide.stanford.edu/62.pdf), ., All use of this system is also subject to Stanford University's rules and regulations, including without limitation the Stanford University Administrative Guide, which is available for your review at http://adminguide.stanford.edu/. You agree not to use this system for any illegal purpose, any purpose that would violate Stanford University rules and regulations, or to make unauthorized use of another party's intellectual property., ., By logging on to this computer, you acknowledge and agree to comply with the above terms., ., Windows administrators will use their administrative accounts to accomplish their responsibilities, respecting the policies noted in http://windows.stanford.edu/Public/Infrastructure/WinPolicyGuide.htm

Interactive logon: Message title for users attempting to log on

"Computer and Network Policy Notice"

Microsoft Network Client

Policy	Setting
Microsoft network client: Send unencrypted password to third-party SMB servers	Disabled

Windows Settings

Security Settings

Account Policies/Password Policy

Policy	Setting
Enforce password history	1 passwords remembered
Maximum password age	0 days
Minimum password age	0 days
Minimum password length	6 characters
Password must meet complexity requirements	Disabled
Store passwords using reversible encryption	Disabled

Account Policies/Account Lockout Policy

Policy	Setting
Account lockout threshold	0 invalid logon attempts

Account Policies/Kerberos Policy

Policy	Setting
Enforce user logon restrictions	Enabled
Maximum lifetime for service ticket	1500 minutes
Maximum lifetime for user ticket	25 hours
Maximum lifetime for user ticket renewal	7 days
Maximum tolerance for computer clock synchronization	5 minutes

Windows Settings

Security Settings

Local Policies/Audit Policy

Policy	Setting
Audit account logon events	Success, Failure
Audit account management	Success, Failure
Audit directory service access	Success, Failure
Audit logon events	Success, Failure
Audit object access	Success, Failure
Audit policy change	Success, Failure
Audit privilege use	Success, Failure
Audit system events	Success, Failure

Local Policies/Security Options

Accounts

Policy	Setting
Accounts: Limit local account use of blank passwords to console logon only	Enabled

Audit

Policy	Setting
Audit: Audit the use of Backup and Restore privilege	Enabled

Domain Member

Policy	Setting
Domain member: Digitally encrypt secure channel data (when possible)	Enabled
Domain member: Digitally sign secure channel data (when possible)	Enabled

Interactive Logon

Policy	Setting
Interactive logon: Do not require CTRL+ALT+DEL	Disabled

Microsoft Network Client

Policy	Setting
Microsoft network client: Digitally sign communications (if server agrees)	Enabled

Microsoft Network Server

Policy	Setting
Microsoft network server: Digitally sign communications (if client agrees)	Enabled

Network Access

Policy	Setting
Network access: Allow anonymous SID/Name translation	Disabled
Network access: Do not allow anonymous enumeration of SAM accounts	Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares	Enabled

Network Security

Policy

Setting

Network security: LAN Manager authentication level

Send NTLMv2 response only. Refuse LM & NTLM

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

Enabled

Require NTLMv2 session security	Enabled
Require 128-bit encryption	Enabled

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

Enabled

Require NTLMv2 session security	Enabled
Require 128-bit encryption	Enabled

Shutdown

Policy	Setting
Shutdown: Allow system to be shut down without having to log on	Disabled

System Objects

Policy	Setting
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)	Enabled

Other

Policy

Setting

Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings

Enabled

Network security: Configure encryption types allowed for Kerberos

Enabled

DES_CBC_CRC	Enabled
DES_CBC_MD5	Enabled
RC4_HMAC_MD5	Enabled
AES128_HMAC_SHA1	Enabled
AES256_HMAC_SHA1	Enabled
Future encryption types	Enabled

Event Log

Policy	Setting
Maximum application log size	20480 kilobytes
Maximum security log size	102400 kilobytes
Maximum system log size	20480 kilobytes
Prevent local guests group from accessing application log	Enabled
Prevent local guests group from accessing security log	Enabled
Prevent local guests group from accessing system log	Enabled
Retain application log	7 days
Retain system log	7 days
Retention method for application log	By days
Retention method for security log	As needed
Retention method for system log	By days

Public Key Policies/Certificate Services Client - Auto-Enrollment Settings

Policy

Setting

Automatic certificate management

Enabled

Option	Setting
Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates	Enabled
Update and manage certificates that use certificate templates from Active Directory	Enabled

Public Key Policies/Certificate Path Validation Settings/Stores

Policy	Setting
Allow user trusted root Certificate Authorities (CAs) to be used to validate certificates	Enabled
Allow users to trust peer trust certificates	Enabled
Peer trust certificate purposes:	Client Authentication; Secure Email; Encrypting File System
Root CAs that client computers can trust:	Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
For certificate-based authentication of users and computers, along with CAs that are registered in Active Directory, the client computer must use should also use user principal name (UPN) constraint compliant CAs	Disabled

Public Key Policies/Encrypting File System

Properties

Policy	Setting
Allow users to encrypt files using Encrypting File System (EFS)	Enabled
Encrypt the contents of the user's Documents folder	Disabled
Require a smart card for EFS	Disabled
Create caching-capable user key from smart card	Enabled
Enable pagefile encryption	Disabled
Display key backup notifications when user key is created or changed	Disabled
Allow EFS to generate self-signed certificates when a certification authority is not available	Disabled
Key size for self-signed certificates	Disabled
EFS template for automatic certificate requests	EFS
Cache timeout	480
Clear cache when user locks workstation	Disabled

Certificates

Issued To	Issued By	Expiration Date	Intended Purposes
*	*	*	File Recovery

For additional information about individual settings, launch Group Policy Object Editor.

Public Key Policies/Trusted Root Certification Authorities

Properties

Policy	Setting
Allow users to select new root certification authorities (CAs) to trust	Enabled
Client computers can trust the following certificate stores	Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria	Registered in Active Directory only

Administrative Templates

Network/DNS Client

Policy

Setting

DNS Suffix Search List

Enabled

DNS Suffixes:

stanford.edu,*.stanford.edu (child domain),*.stanford.edu (root domain)

Policy

Setting

Comment

Dynamic Update

Disabled

Primary DNS Suffix

Enabled

Enter a primary DNS suffix:

stanford.edu

Windows Components/BitLocker Drive Encryption

Policy

Setting

Comment

Control Panel Setup: Enable advanced startup options

Enabled

Allow BitLocker without a compatible TPM	Disabled
(requires a startup key on a USB flash drive)

Settings for computers with a TPM:

Configure TPM startup key option:	Allow user to create or skip
Configure TPM startup PIN option:	Allow user to create or skip
IMPORTANT: If you require the startup key,
you must disallow the startup PIN.
If you require the startup PIN,
you must disallow the startup key.
Otherwise, a policy error occurs.

Note: Disallow both startup key and startup key
options to hide the advanced page on computers
with a TPM.

Policy

Setting

Comment

Turn on BitLocker backup to Active Directory Domain Services

Enabled

Require BitLocker backup to AD DS	Enabled

If selected, cannot turn on BitLocker if backup fails
(recommended default).

If not selected, can turn on BitLocker even if backup
fails. Backup is not automatically retried.

Select BitLocker recovery information to store:	Recovery passwords and key packages

A recovery password is a 48-digit number that unlocks
access to a BitLocker-protected volume.
A key package contains a volume's BitLocker encryption
key secured by one or more recovery passwords

Key packages may help perform specialized recovery
when the disk is damaged or corrupted.

Windows Settings

Security Settings

Account Policies/Account Lockout Policy

Policy	Setting
Account lockout duration	0 minutes
Account lockout threshold	5 invalid logon attempts
Reset account lockout counter after	20 minutes

Windows Settings

Security Settings

Local Policies/Audit Policy

Policy	Setting
Audit account logon events	Success, Failure
Audit account management	Success, Failure
Audit directory service access	Success, Failure
Audit logon events	Success, Failure
Audit object access	Success, Failure
Audit policy change	Success, Failure
Audit privilege use	Success, Failure
Audit process tracking	No auditing
Audit system events	Success, Failure

Local Policies/User Rights Assignment

Policy	Setting
Access this computer from the network	Everyone, NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators
Act as part of the operating system
Allow log on locally	BUILTIN\Administrators
Change the system time	BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE
Create a pagefile	BUILTIN\Administrators
Debug programs	BUILTIN\Administrators
Enable computer and user accounts to be trusted for delegation	BUILTIN\Administrators
Force shutdown from a remote system	BUILTIN\Administrators
Load and unload device drivers	BUILTIN\Administrators
Log on as a batch job	BUILTIN\Administrators
Manage auditing and security log	WIN\Exchange Servers, <DOMAIN>\Exchange Enterprise Servers, BUILTIN\Administrators
Modify firmware environment values	BUILTIN\Administrators
Profile single process	BUILTIN\Administrators
Profile system performance	BUILTIN\Administrators
Remove computer from docking station	BUILTIN\Administrators
Restore files and directories	BUILTIN\Backup Operators, BUILTIN\Administrators
Shut down the system	BUILTIN\Administrators
Take ownership of files or other objects	BUILTIN\Administrators

Local Policies/Security Options

Accounts

Policy	Setting
Accounts: Guest account status	Disabled

Audit

Policy	Setting
Audit: Audit the access of global system objects	Disabled
Audit: Audit the use of Backup and Restore privilege	Enabled

Devices

Policy	Setting
Devices: Restrict CD-ROM access to locally logged-on user only	Enabled
Devices: Restrict floppy access to locally logged-on user only	Enabled

Domain Controller

Policy	Setting
Domain controller: Allow server operators to schedule tasks	Disabled
Domain controller: LDAP server signing requirements	None

Domain Member

Policy	Setting
Domain member: Digitally encrypt or sign secure channel data (always)	Enabled
Domain member: Digitally encrypt secure channel data (when possible)	Enabled
Domain member: Digitally sign secure channel data (when possible)	Enabled

Interactive Logon

Policy	Setting
Interactive logon: Do not require CTRL+ALT+DEL	Disabled

Microsoft Network Client

Policy	Setting
Microsoft network client: Digitally sign communications (always)	Enabled
Microsoft network client: Digitally sign communications (if server agrees)	Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers	Disabled

Microsoft Network Server

Policy	Setting
Microsoft network server: Digitally sign communications (always)	Enabled
Microsoft network server: Digitally sign communications (if client agrees)	Enabled

Network Access

Policy	Setting
Network access: Allow anonymous SID/Name translation	Disabled
Network access: Do not allow anonymous enumeration of SAM accounts	Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares	Enabled

Network Security

Policy	Setting
Network security: Do not store LAN Manager hash value on next password change	Enabled
Network security: LAN Manager authentication level	Send NTLMv2 response only. Refuse LM & NTLM

Shutdown

Policy	Setting
Shutdown: Allow system to be shut down without having to log on	Disabled

Event Log

Policy	Setting
Maximum application log size	51200 kilobytes
Maximum security log size	1048576 kilobytes
Maximum system log size	51200 kilobytes
Prevent local guests group from accessing application log	Enabled
Prevent local guests group from accessing security log	Enabled
Prevent local guests group from accessing system log	Enabled
Retain application log	10 days
Retain security log	1 days
Retain system log	10 days
Retention method for application log	By days
Retention method for security log	By days
Retention method for system log	By days

Restricted Groups

Group	Members	Member of
BUILTIN\Administrators	...
<DOMAIN>\Domain Admins	...

Public Key Policies/Certificate Services Client - Auto-Enrollment Settings

Policy

Setting

Automatic certificate management

Enabled

Option	Setting
Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates	Enabled
Update and manage certificates that use certificate templates from Active Directory	Enabled

Public Key Policies/Automatic Certificate Request Settings

Automatic Certificate Request
Domain Controller

For additional information about individual settings, launch Group Policy Object Editor.

Public Key Policies/Trusted Root Certification Authorities

Properties

Policy	Setting
Allow users to select new root certification authorities (CAs) to trust	Enabled
Client computers can trust the following certificate stores	Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria	Registered in Active Directory only

Administrative Templates

Network/DNS Client

Policy

Setting

Comment

Dynamic Update

Enabled

Primary DNS Suffix

Enabled

Enter a primary DNS suffix:

*.stanford.edu (domain DNS name)