Policy setting as it appears in the Group Policy Editor of Windows Server 2003                        Default Domain Policy      Default Domain Controller Policy
Computer Configuration
 Software Settings
             Software installation
 Windows Settings
   Scripts (Startup/Shutdown)
   Security Settings
     Account Policies
       Password Policy
             Enforce password history                                   24 passwords remembered    Not defined
             Maximum password age                                       42 days                    Not defined
             Minimum password age                                       1 day                      Not defined
             Minimum password length                                    7 characters               Not defined
             Passwords must meet complexity requirements                Enabled                    Not defined
             Store password using reversible encryption for all users in the domain   Disabled   Not defined
       Account Lockout Policy
             Account lockout duration                                   Not defined                Not defined
             Account lockout threshold                                  0 invalid logon attempts   Not defined
             Reset account lockout counter after                        Not defined                Not defined
       Kerberos Policy
             Enforce user logon restrictions                            Enabled                    Not defined
             Maximum lifetime for service ticket                        600 minutes                Not defined
             Maximum lifetime for user ticket                           10 hours                   Not defined
             Maximum lifetime for user ticket renewal                   7 days                     Not defined
             Maximum tolerance for computer clock synchronization       5 minutes                  Not defined
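The Account Policies rows above are the domain-wide defaults; the one that bites in practice is the lockout threshold of 0, which leaves account lockout switched off. The following is an added example, not part of the original sheet: it reads a domain's effective password and lockout policy with Get-ADDefaultDomainPasswordPolicy and reports every value weaker than the Default Domain Policy column. The baseline numbers are the ones in the table; the RSAT ActiveDirectory module, the domain-joined session and the constructed $defaults2003 object are assumptions of the example.

```powershell
# Added example: compare a domain's password and account lockout policy with
# the Default Domain Policy column of the sheet above.
# Assumptions: RSAT's ActiveDirectory module for the live call at the end;
# $defaults2003 is constructed here so the check also runs offline.

$Baseline = @{                 # values taken from the Default Domain Policy column
    PasswordHistoryCount = 24
    MaxPasswordAgeDays   = 42
    MinPasswordAgeDays   = 1
    MinPasswordLength    = 7
}

function Get-PasswordPolicyFindings {
    # $Policy is what Get-ADDefaultDomainPasswordPolicy returns, or any object
    # exposing the same property names. Returns one string per weakness found.
    param([Parameter(Mandatory)] $Policy)
    $findings = @()

    if ($Policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings += "Enforce password history: $($Policy.PasswordHistoryCount) remembered, baseline $($Baseline.PasswordHistoryCount)"
    }

    # MaxPasswordAge of 00:00:00 means passwords never expire, so treat
    # "zero or less" as weaker than any finite baseline.
    $maxDays = $Policy.MaxPasswordAge.TotalDays
    if ($maxDays -le 0 -or $maxDays -gt $Baseline.MaxPasswordAgeDays) {
        $findings += "Maximum password age: $maxDays days, baseline $($Baseline.MaxPasswordAgeDays)"
    }

    # Without a minimum age a user can cycle through the whole history list
    # in one sitting and land back on the old password.
    if ($Policy.MinPasswordAge.TotalDays -lt $Baseline.MinPasswordAgeDays) {
        $findings += "Minimum password age: $($Policy.MinPasswordAge.TotalDays) days, baseline $($Baseline.MinPasswordAgeDays)"
    }

    if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "Minimum password length: $($Policy.MinPasswordLength), baseline $($Baseline.MinPasswordLength)"
    }

    if (-not $Policy.ComplexityEnabled) {
        $findings += 'Passwords must meet complexity requirements: Disabled'
    }

    # Reversible encryption stores the clear-text password; a DC compromise
    # (or a copy of ntds.dit) then yields passwords, not hashes.
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += 'Store password using reversible encryption: Enabled'
    }

    # The sheet's Default Domain Policy value is 0, which disables lockout
    # entirely: online password guessing is never throttled by the DC.
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += 'Account lockout threshold: 0 (lockout disabled)'
    }

    return $findings
}

# Constructed object mirroring the Default Domain Policy column above.
$defaults2003 = [pscustomobject]@{
    PasswordHistoryCount        = 24
    MaxPasswordAge              = [timespan]::FromDays(42)
    MinPasswordAge              = [timespan]::FromDays(1)
    MinPasswordLength           = 7
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 0
}
Get-PasswordPolicyFindings -Policy $defaults2003

# Against the live domain (needs RSAT and a domain-joined session):
# Import-Module ActiveDirectory
# Get-PasswordPolicyFindings -Policy (Get-ADDefaultDomainPasswordPolicy)
```

Get-ADDefaultDomainPasswordPolicy returns only the domain-wide default. Fine-grained password policies (PSOs, Get-ADFineGrainedPasswordPolicy and Get-ADUserResultantPasswordPolicy) override it for the users and groups they target, so privileged accounts need a separate check. The Kerberos Policy rows are not exposed by this cmdlet; they live in the GPO's security template.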
     Local Policies
       Audit Policy
             Audit account logon events                      Not defined       Success
             Audit account management                        Not defined       Success
             Audit directory service access                  Not defined       Success
             Audit logon events                              Not defined       Success
             Audit object access                             Not defined       No auditing
             Audit policy change                             Not defined       Success
             Audit privilege use                             Not defined       No auditing
             Audit process tracking                          Not defined       No auditing
             Audit system events                             Not defined       Success
       User Rights Assignment
             Access this computer from the network (SeNetworkLogonRight)                        Not defined   Everyone, Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS, Pre-Windows 2000 Compatible Access
             Act as part of the operating system (SeTcbPrivilege)                               Not defined   Not defined
             Add workstations to domain (SeMachineAccountPrivilege)                             Not defined   Authenticated Users
             Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)                      Not defined   LOCAL SERVICE, NETWORK SERVICE, Administrators
             Allow logon locally (SeInteractiveLogonRight)                                      Not defined   Administrators, Backup Operators, Account Operators, Server Operators, Print Operators
             Allow logon through Terminal Services (SeRemoteInteractiveLogonRight)              Not defined   Not defined
             Back up files and directories (SeBackupPrivilege)                                  Not defined   Administrators, Backup Operators, Server Operators
             Bypass traverse checking (SeChangeNotifyPrivilege)                                 Not defined   Everyone, Administrators, Authenticated Users, Pre-Windows 2000 Compatible Access
             Change the system time (SeSystemTimePrivilege)                                     Not defined   Administrators, Server Operators
             Create a pagefile (SeCreatePagefilePrivilege)                                      Not defined   Administrators
             Create a token object (SeCreateTokenPrivilege)                                     Not defined   Not defined
             Create global objects (SeCreateGlobalPrivilege)                                    Not defined   Not defined
             Create permanent shared objects (SeCreatePermanentPrivilege)                       Not defined   Not defined
             Debug programs (SeDebugPrivilege)                                                  Not defined   Administrators
             Deny access to this computer from the network (SeDenyNetworkLogonRight)            Not defined   SUPPORT_388945a0
             Deny logon as a batch job (SeDenyBatchLogonRight)                                  Not defined   Not defined
             Deny logon as a service (SeDenyServiceLogonRight)                                  Not defined   Not defined
             Deny logon locally (SeDenyInteractiveLogonRight)                                   Not defined   SUPPORT_388945a0
             Deny logon through Terminal Services (SeDenyRemoteInteractiveLogonRight)           Not defined   Not defined
             Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege)   Not defined   Administrators
             Force shutdown from a remote system (SeRemoteShutdownPrivilege)                    Not defined   Administrators, Server Operators
             Generate security audits (SeAuditPrivilege)                                        Not defined   LOCAL SERVICE, NETWORK SERVICE
             Impersonate a client after authentication (SeImpersonatePrivilege)                 Not defined   Not defined
             Increase scheduling priority (SeIncreaseBasePriorityPrivilege)                     Not defined   Administrators
             Load and unload device drivers (SeLoadDriverPrivilege)                             Not defined   Administrators, Print Operators
             Lock pages in memory (SeLockMemoryPrivilege)                                       Not defined   Not defined
             Log on as a batch job (SeBatchLogonRight)                                          Not defined   LOCAL SERVICE, SUPPORT_388945a0
             Log on as a service (SeServiceLogonRight)                                          Not defined   NETWORK SERVICE
             Manage auditing and security log (SeSecurityPrivilege)                             Not defined   Administrators
             Modify firmware environment values (SeSystemEnvironmentPrivilege)                  Not defined   Administrators
             Perform volume maintenance tasks (SeManageVolumePrivilege)                         Not defined   Not defined
             Profile single process (SeProfileSingleProcessPrivilege)                           Not defined   Administrators
             Profile system performance (SeSystemProfilePrivilege)                              Not defined   Administrators
             Remove computer from docking station (SeUndockPrivilege)                           Not defined   Administrators
             Replace a process level token (SeAssignPrimaryTokenPrivilege)                      Not defined   LOCAL SERVICE, NETWORK SERVICE
             Restore files and directories (SeRestorePrivilege)                                 Not defined   Administrators, Backup Operators, Server Operators
             Shut down the system (SeShutdownPrivilege)                                         Not defined   Administrators, Backup Operators, Server Operators, Print Operators
             Synchronize directory service data (SeSyncAgentPrivilege)                          Not defined   Not defined
             Take ownership of files or other objects (SeTakeOwnershipPrivilege)                Not defined   Administrators
       Security Options
             Accounts: Administrator account status                                             Not defined   Not defined
             Accounts: Guest account status                                                     Not defined   Not defined
             Accounts: Limit local account use of blank passwords to console logon only         Not defined   Not defined
             Accounts: Rename administrator account                                             Not defined   Not defined
             Accounts: Rename guest account                                                     Not defined   Not defined
             Audit: Audit the access of global system objects                                   Not defined   Not defined
             Audit: Audit the use of Backup and Restore privilege                               Not defined   Not defined
             Audit: Shut down system immediately if unable to log security audits               Not defined   Not defined
             Devices: Allow undock without having to log on                                     Not defined   Not defined
             Devices: Allowed to format and eject removable media                               Not defined   Not defined
             Devices: Prevent users from installing printer drivers                             Not defined   Not defined
             Devices: Restrict CD-ROM access to locally logged-on user only                     Not defined   Not defined
             Devices: Restrict floppy access to locally logged-on user only                     Not defined   Not defined
             Devices: Unsigned driver installation behavior                                     Not defined   Not defined
             Domain controller: Allow server operators to schedule tasks                        Not defined   Not defined
             Domain controller: LDAP server signing requirements                                Not defined   None
             Domain controller: Refuse machine account password changes                         Not defined   Not defined
             Domain member: Digitally encrypt or sign secure channel data (always)              Not defined   Enabled
             Domain member: Digitally encrypt secure channel data (when possible)               Not defined   Not defined
             Domain member: Digitally sign secure channel data (when possible)                  Not defined   Not defined
             Domain member: Disable machine account password changes                            Not defined   Not defined
             Domain member: Maximum machine account password age                                Not defined   Not defined
             Domain member: Require strong (Windows 2000 or later) session key                  Not defined   Not defined
             Interactive logon: Do not display last user name                                   Not defined   Not defined
             Interactive logon: Do not require CTRL+ALT+DEL                                     Not defined   Not defined
             Interactive logon: Message text for users attempting to log on                     Not defined   Not defined
             Interactive logon: Message title for users attempting to log on                    Not defined   Not defined
             Interactive logon: Number of previous logons to cache (in case domain controller is not available)   Not defined   Not defined
             Interactive logon: Prompt user to change password before expiration                Not defined   Not defined
             Interactive logon: Require Domain Controller authentication to unlock workstation   Not defined   Not defined
             Interactive logon: Require smart card                                              Not defined   Not defined
             Interactive logon: Smart card removal behavior                                     Not defined   Not defined
             Microsoft network client: Digitally sign communications (always)                   Not defined   Not defined
             Microsoft network client: Digitally sign communications (if server agrees)         Not defined   Not defined
             Microsoft network client: Send unencrypted password to third-party SMB servers     Not defined   Not defined
             Microsoft network server: Amount of idle time required before suspending session   Not defined   Not defined
             Microsoft network server: Digitally sign communications (always)                   Not defined   Enabled
             Microsoft network server: Digitally sign communications (if client agrees)         Not defined   Enabled
             Microsoft network server: Disconnect clients when logon hours expire               Not defined   Not defined
             MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended)   Not defined   Not defined
             MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended)   Not defined   Not defined
             MSS: (AFD MaximumDynamicBacklog) Maximum number of 'quasi-free' connections for Winsock applications   Not defined   Not defined
             MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for systems under attack, 10 otherwise)   Not defined   Not defined
             MSS: Allow automatic detection of dead network gateways (could lead to DoS)         Not defined   Not defined
             MSS: Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU)   Not defined   Not defined
             MSS: Allow ICMP redirects to override OSPF generated routes                        Not defined   Not defined
             MSS: Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)   Not defined   Not defined
             MSS: Allow the computer to ignore NetBIOS name release requests except from WINS servers   Not defined   Not defined
             MSS: Disable Autorun for all drives                                                Not defined   Not defined
             MSS: Enable the computer to stop generating 8.3 style filenames                    Not defined   Not defined
             MSS: How many dropped connect requests to initiate SYN attack protection (5 is recommended)   Not defined   Not defined
             MSS: How many times unacknowledged data is retransmitted (3 recommended, 5 is default)   Not defined   Not defined
             MSS: How often keep-alive packets are sent in milliseconds (300,000 is recommended)   Not defined   Not defined
             MSS: IP source routing protection level (protects against packet spoofing)         Not defined   Not defined
             MSS: Percentage threshold for the security event log at which the system will generate a warning   Not defined   Not defined
             MSS: SYN attack protection level (protects against DoS)                            Not defined   Not defined
             MSS: SYN-ACK retransmissions when a connection request is not acknowledged         Not defined   Not defined
             MSS: The time in seconds before the screen saver grace period expires (0 recommended)   Not defined   Not defined
             MSS: Enable Safe DLL search mode (recommended)                                     Not defined   Not defined
             Network access: Allow anonymous SID/Name translation                               Not defined   Not defined
             Network access: Do not allow anonymous enumeration of SAM accounts                 Not defined   Not defined
             Network access: Do not allow anonymous enumeration of SAM accounts and shares      Not defined   Not defined
             Network access: Do not allow storage of credentials or .NET Passports for network authentication   Not defined   Not defined
             Network access: Let Everyone permissions apply to anonymous users                  Not defined   Not defined
             Network access: Named Pipes that can be accessed anonymously                       Not defined   Not defined
             Network access: Remotely accessible registry paths                                 Not defined   Not defined
             Network access: Remotely accessible registry paths and subpaths                    Not defined   Not defined
             Network access: Restrict anonymous access to Named Pipes and Shares                Not defined   Not defined
             Network access: Shares that can be accessed anonymously                            Not defined   Not defined
             Network access: Sharing and security model for local accounts                      Not defined   Not defined
             Network security: Do not store LAN Manager hash value on next password change      Not defined   Not defined
             Network security: Force logoff when logon hours expire                             Disabled      Not defined
             Network security: LAN Manager authentication level                                 Not defined   Send NTLM response only
             Network security: LDAP client signing requirements                                 Not defined   Not defined
             Network security: Minimum session security for NTLM SSP based (including secure RPC) clients   Not defined   Not defined
             Network security: Minimum session security for NTLM SSP based (including secure RPC) servers   Not defined   Not defined
             Recovery console: Allow automatic administrative logon                             Not defined   Not defined
             Recovery console: Allow floppy copy and access to all drives and all folders       Not defined   Not defined
             Shutdown: Allow system to be shut down without having to log on                    Not defined   Not defined
             Shutdown: Clear virtual memory pagefile                                            Not defined   Not defined
             System cryptography: Force strong key protection for user keys stored on the computer   Not defined   Not defined
             System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing   Not defined   Not defined
             System objects: Default owner for objects created by members of the Administrators group   Not defined   Not defined
             System objects: Require case insensitivity for non-Windows subsystems              Not defined   Not defined
             System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)   Not defined   Not defined
             System settings: Optional subsystems                                               Not defined   Not defined
             System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies   Not defined   Not defined
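The Audit Policy, User Rights Assignment and Security Options columns above are stored in each GPO's security template, GptTmpl.inf under SYSVOL, which uses the same INF layout that `secedit /export /cfg` writes for the local effective policy: [Event Audit] values 0 to 3 (none, success, failure, both), [Privilege Rights] as comma-separated SIDs prefixed with `*`, and Security Options under [Registry Values] as `path=type,data`. The following is an added example, not part of the original sheet: a parser for that layout plus a check for the three Default Domain Controller Policy values above that a hardening review normally changes, namely Success-only auditing, Everyone and Pre-Windows 2000 Compatible Access holding "Access this computer from the network", and LAN Manager authentication level "Send NTLM response only" next to LDAP server signing "None". The INF text in $sampleInf is constructed to mirror that column; the SYSVOL path in the closing comment uses the well-known Default Domain Controllers Policy GUID and a placeholder domain name.

```powershell
# Added example: parse a security template (GptTmpl.inf from SYSVOL or a
# "secedit /export /cfg" dump; both share this INF layout) and flag the
# Default Domain Controller Policy values above that a hardening review
# usually changes. $sampleInf is constructed to mirror that column.
$sampleInf = @'
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 1
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 1
AuditAccountManage = 1
AuditProcessTracking = 0
AuditDSAccess = 1
AuditAccountLogon = 1
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-11,*S-1-5-9,*S-1-5-32-554
SeDebugPrivilege = *S-1-5-32-544
SeEnableDelegationPrivilege = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
'@

function ConvertFrom-SecurityTemplate {
    # Returns section name -> hashtable of key -> raw value string.
    param([string[]]$Lines)
    $result  = [ordered]@{}
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            $result[$section] = @{}
            continue
        }
        # Lazy match: split on the first '=' only, registry paths contain none.
        if ($section -and $line -match '^(.+?)\s*=\s*(.*)$') {
            $result[$section][$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Test-SecurityTemplate {
    param($Template)
    $findings = @()

    # Audit Policy: 0 = none, 1 = success, 2 = failure, 3 = both. The DC
    # defaults log Success only, so failed logons never reach the Security log.
    $audit = $Template['Event Audit']
    if ($audit) {
        foreach ($key in $audit.Keys) {
            if ([int]$audit[$key] -ne 3) {
                $findings += "Audit: $key = $($audit[$key]) (3 = Success and Failure expected)"
            }
        }
    }

    # User Rights: well-known SIDs too broad for network logon to a DC.
    $broadSids = @{
        '*S-1-1-0'      = 'Everyone'
        '*S-1-5-32-554' = 'Pre-Windows 2000 Compatible Access'
    }
    $rights = $Template['Privilege Rights']
    if ($rights -and $rights.ContainsKey('SeNetworkLogonRight')) {
        foreach ($sid in $rights['SeNetworkLogonRight'] -split ',') {
            $sid = $sid.Trim()
            if ($broadSids.ContainsKey($sid)) {
                $findings += "Rights: SeNetworkLogonRight granted to $($broadSids[$sid])"
            }
        }
    }

    # Security Options arrive as path=type,data (type 4 = REG_DWORD).
    # LmCompatibilityLevel 5 = NTLMv2 only, refuse LM and NTLM;
    # LDAPServerIntegrity 2 = require signing; RequireSecuritySignature 1 = always.
    $minimums = @{
        'MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel'                          = @{ Min = 5; Name = 'LAN Manager authentication level' }
        'MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity'              = @{ Min = 2; Name = 'LDAP server signing requirements' }
        'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature' = @{ Min = 1; Name = 'SMB server: digitally sign communications (always)' }
    }
    $reg = $Template['Registry Values']
    foreach ($path in $minimums.Keys) {
        if (-not $reg -or -not $reg.ContainsKey($path)) {
            $findings += "Option: $($minimums[$path].Name) not defined"
            continue
        }
        $type, $data = $reg[$path] -split ',', 2
        if ([int]$type -eq 4 -and [int]$data -lt $minimums[$path].Min) {
            $findings += "Option: $($minimums[$path].Name) = $data (minimum $($minimums[$path].Min))"
        }
    }
    return $findings
}

# Constructed sample, mirrors the Default Domain Controller Policy column above.
Test-SecurityTemplate -Template (ConvertFrom-SecurityTemplate -Lines ($sampleInf -split "`r?`n"))

# Live template: the Default Domain Controllers Policy in SYSVOL (well-known
# GUID; replace the placeholder domain name). Get-Content handles the UTF-16 BOM.
# $gpt = '\\contoso.example\SYSVOL\contoso.example\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
# Test-SecurityTemplate -Template (ConvertFrom-SecurityTemplate -Lines (Get-Content -LiteralPath $gpt))
```

Run against a `secedit /export /cfg out.inf` dump instead of the SYSVOL file when the question is what a particular DC actually enforces after all linked GPOs are merged. The audit check treats anything short of Success and Failure as a finding; tune the expected value per category (Object Access and Process Tracking are usually left narrower) rather than dropping the check.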
     Event Log
       Settings for Event Logs
             Maximum application log size                                  Not defined   Not defined
             Maximum security log size                                     Not defined   Not defined
             Maximum system log size                                       Not defined   Not defined
             Restrict guest access to application log                      Not defined   Not defined
             Restrict guest access to security log                         Not defined   Not defined
             Restrict guest access to system log                           Not defined   Not defined
             Retain application log                                        Not defined   Not defined
             Retain security log                                           Not defined   Not defined
             Retain system log                                             Not defined   Not defined
             Retention method for application log                          Not defined   Not defined
             Retention method for security log                             Not defined   Not defined
             Retention method for system log                               Not defined   Not defined
   Restricted Groups
   System Services - See next worksheet, System Services
   Registry
   File System
   Public Key Policies
     Encrypted Data Recovery Agents
     Automatic Certificate Request Settings
     Trusted Root Certification Authorities
     Enterprise Trust
   IP Security Policies on Active Directory
            Client (Respond Only)
            Secure Server (Require Security)
            Server (Request Security)
Administrative Templates
 Windows Components
   NetMeeting
            Disable remote Desktop Sharing
   Internet Explorer
            Security Zones: Use only machine settings
            Security Zones: Do not allow users to change
            policies
            Security Zones: Do not allow users to add/delete
            sites
            Make proxy settings per-machine (rather than
            per-user)
            Disable Automatic Install of Internet Explorer
            components
            Disable Periodic Check for Internet Explorer
            software updates
            Disable software update shell notifications on
            program launch
            Disable showing the splash screen
   Application Compatibility
            Turn Off Application Compatibility Engine
            Turn Off Program Compatibility Wizard
            Remove Program Compatibility Property Page
            Turn On Application Help Log Events
            Prevent access to 16-bit applications
   Internet Information Server
            Prevent IIS installation
   Task Scheduler
             Hide Property Pages
             Prevent Task Run or End
             Disable Drag-and-Drop
             Disable New Task Creation
             Disable Task Deletion
             Disable Advanced Menu
             Prohibit Browse
   Terminal Services
             Keep-Alive Messages
             Automatic reconnection
             Restrict Terminal Services users to a single remote session
             Enforce Removal of Remote Desktop Wallpaper
             Deny log off an administrator logged in to the console session
             Limit number of connections
             Limit maximum color depth
             Allow users to connect remotely using Terminal Services
             Do not allow local administrators to customize permissions
             Remove Windows Security item from Start menu
             Remove Disconnect item from Shut Down dialog
             Set path for TS Roaming Profiles
             TS User Home Directory
             Sets rules for remote control of Terminal Services user sessions
             Start a program on connection
     Client/Server data redirection
             Allow Time Zone Redirection
             Do not allow clipboard redirection
             Do not allow smart card device redirection
             Allow audio redirection
             Do not allow COM port redirection
             Do not allow client printer redirection
             Do not allow LPT port redirection
             Do not allow drive redirection
             Do not set default client printer to be default printer in a session
     Encryption and Security
             Always prompt client for password upon connection
             Set client connection encryption level
       RPC Security Policy
             Secure Server (Require Security)
     Licensing
             License Server Security Group
             Prevent license upgrade
     Temporary folders
             Do not use temp folders per session
             Do not delete temp folder upon exit
     Session Directory
             Terminal Server IP Address Redirection
             Join Session Directory
             Session Directory Server
             Session Directory Cluster Name
     Sessions
             Set time limit for disconnected sessions
             Set time limit for active sessions
             Set time limit for idle sessions
             Allow reconnection from original client only
             Terminate session when time limits are reached
   Windows Installer
             Disable Windows Installer
             Always install with elevated privileges
             Prohibit rollback
             Remove browse dialog box for new source
             Prohibit patching
             Disable IE security prompt for Windows Installer scripts
             Enable user control over installs
             Enable user to browse for source while elevated
             Enable user to use media source while elevated
             Enable user to patch elevated products
             Allow admin to install from Terminal Services session
             Cache transforms in secure location on workstation
             Logging
             Prohibit User Installs
             Turn off creation of System Restore Checkpoints
   Windows Messenger
             Do not allow Windows Messenger to be run
             Do not automatically start Windows Messenger initially
   Windows Media Digital Rights Management
             Prevent Windows Media DRM Internet Access
   Windows Media Player
             Do Not Show First Use Dialog Boxes
             Prevent Desktop Shortcut Creation
             Prevent Quick Launch Toolbar Shortcut Creation
             Prevent Automatic Updates
             Prevent Video Smoothing
   Windows Update
             Configure Automatic Updates
             Specify intranet Microsoft update service location
             Reschedule Automatic Updates scheduled installations
             No auto-restart for scheduled Automatic Updates installations
System
        Restrict potentially unsafe HTML Help functions
        to specified folders
        Do not display Manage Your Server page at
        logon
        Display Shutdown Event Tracker
        Activate Shutdown Event Tracker System State
        Data feature
        Enable Persistent Time Stamp
        Specify Windows installation file location
        Specify Windows Service Pack installation file
        location
        Remove Boot / Shutdown / Logon / Logoff status
        messages
        Verbose vs normal status messages
        Restrict these programs from being launched
        from Help
        Turn off Autoplay
        Do not automatically encrypt files moved to
        encrypted folders
        Download missing COM components
        Allow Distributed Link Tracking clients to use
        domain resources
 User Profiles
        Do not check for user ownership of Roaming
        Profile Folders
        Delete cached copies of roaming profiles
        Do not detect slow network connections
        Slow network connection timeout for user
        profiles
        Wait for remote user profile
        Prompt user when slow link is detected
        Timeout for dialog boxes
        Log users off when roaming profile fails
        Maximum retries to unload and update user
        profile
        Add the Administrators security group to roaming
        user profiles
        Prevent Roaming Profile changes from
        propagating to the server
        Only allow local user profiles
Scripts
          Run logon scripts synchronously
          Run startup scripts asynchronously
          Run startup scripts visible
          Run shutdown scripts visible
          Maximum wait time for Group Policy scripts
Logon
       Don't display the Getting Started welcome
       screen at logon
       Always use classic logon
       Run these programs at user logon
       Do not process the run once list
       Do not process the legacy run list
       Always wait for the network at computer startup
       and logon
Disk Quotas
       Enforce disk quotas
       Enforce disk quota limit
       Default quota limit and warning level
       Log event when quota limit exceeded
       Log event when quota warning level exceeded
       Apply policy to removable media
Net Logon
       Expected dial-up delay on logon
       Site Name
       Negative DC Discovery Cache Setting
       Initial DC Discovery Retry Setting for
       Background Callers
       Maximum DC Discovery Retry Interval Setting
       for Background Callers
       Final DC Discovery Retry Setting for Background
       Callers
       Positive Periodic DC Cache Refresh for
       Background Callers
       Positive Periodic DC Cache Refresh for Non-
       Background Callers
       Scavenge Interval
       Contact PDC on logon failure
       Log File Debug Output Level
       Maximum Log File Size
       Sysvol share compatibility
       Netlogon share compatibility
   DC Locator DNS Records
        Dynamic Registration of the DC Locator DNS Records
        DC Locator DNS records not registered by the DCs
        Refresh Interval of the DC Locator DNS Records
        Weight Set in the DC Locator DNS SRV Records
        Priority Set in the DC Locator DNS SRV Records
        TTL Set in the DC Locator DNS Records
        Automated Site Coverage by the DC Locator DNS SRV Records
        Sites Covered by the DC Locator DNS SRV Records
        Sites Covered by the GC Locator DNS SRV Records
        Sites Covered by the Application Directory Partition Locator DNS SRV Records
        Location of the DCs hosting a domain with single label DNS name
Group Policy
       Turn off background refresh of Group Policy
       Group Policy refresh interval for computers
       Group Policy refresh interval for domain
       controllers
       User Group Policy loopback processing mode
       Allow Cross-Forest User Policy and Roaming
       User Profiles
       Group Policy slow link detection
       Turn off Resultant Set of Policy logging
       Remove users ability to invoke machine policy
       refresh
       Disallow Interactive Users from generating
       Resultant Set of Policy data
        Registry policy processing
        Internet Explorer Maintenance policy processing
        Software Installation policy processing
        Folder Redirection policy processing
        Scripts policy processing
        Security policy processing
        IP Security policy processing
        Wireless policy processing
        EFS recovery policy processing
        Disk Quota policy processing
        Always use local ADM files for Group Policy Object Editor
Remote Assistance
        Solicited Remote Assistance
        Offer Remote Assistance
System Restore
        Turn off System Restore
        Turn off Configuration
Error Reporting
        Display Error Notification
        Report Errors
   Advanced Error Reporting settings
        Default application reporting settings
        List of applications to always report errors for
        List of applications to never report errors for
        Report operating system errors
        Report unplanned shutdown events
  Windows File Protection
        Set Windows File Protection scanning
        Hide the file scan progress window
        Limit Windows File Protection cache size
        Specify Windows File Protection cache location

 Remote Procedure Call
          RPC Troubleshooting State Information
          Propagation of extended error information
          Ignore Delegation Failure
          Minimum Idle Connection Timeout for
          RPC/HTTP connections
 Windows Time Service
          Global Configuration Settings
   Time Providers
          Enable Windows NTP Client
          Configure Windows NTP Client
          Enable Windows NTP Server
Network
          Background Intelligent Transfer Service (BITS)
          inactive job timeout
          Sets how often a DFS Client discovers DCs
 DNS Client
          Primary DNS Suffix
          Dynamic Update
          DNS Suffix Search List
          Primary DNS Suffix Devolution
          Register PTR Records
          Registration Refresh Interval
          Replace Addresses In Conflicts
          DNS Servers
          Connection-Specific DNS Suffix
          Register DNS records with connection-specific
          DNS suffix
          TTL Set in the A and PTR records
          Update Security Level
          Update Top Level Domain Zones
 Offline Files
          Allow or Disallow use of the Offline Files feature

           Prohibit user configuration of Offline Files
           Synchronize all offline files when logging on
        Synchronize all offline files before logging off
        Synchronize offline files before suspend
        Default cache size
        Action on server disconnect
        Non-default server disconnect actions
        Remove 'Make Available Offline'
        Prevent use of Offline Files folder
        Files not cached
        Administratively assigned offline files
        Turn off reminder balloons
        Reminder balloon frequency
        Initial reminder balloon lifetime
        Reminder balloon lifetime
        At logoff, delete local copy of user’s offline files

       Event logging level
       Subfolders always available offline
       Encrypt the Offline Files cache
        Prohibit 'Make Available Offline' for these files and folders
       Configure Slow link speed
Network Connections
        Prohibit use of Internet Connection Sharing on your DNS domain network
        Prohibit use of Internet Connection Firewall on your DNS domain network
        Prohibit installation and configuration of Network Bridge on your DNS domain network
        IEEE 802.1x Certificate Authority for Machine Authentication
QoS Packet Scheduler
       Limit reservable bandwidth
       Limit outstanding packets
       Set timer resolution
 DSCP value of conforming packets
       Best effort service type
       Controlled load service type
       Guaranteed service type
       Network control service type
       Qualitative service type
 DSCP value of non-conforming packets
       Best effort service type
       Controlled load service type
       Guaranteed service type
       Network control service type
       Qualitative service type
 Layer-2 priority value
       Non-conforming packets
       Best effort service type
               Controlled load service type
               Guaranteed service type
               Network control service type
               Qualitative service type
      SNMP
               Communities
               Permitted Managers
               Traps for Public community
    Printers
              Allow printers to be published
              Allow pruning of published printers
               Automatically publish new printers in Active Directory
              Check published state
              Computer location
               Custom support URL in the Printers folder's left pane
              Directory pruning interval
              Directory pruning priority
              Directory pruning retry
               Disallow installation of printers using kernel-mode drivers
              Log directory pruning retry events
              Pre-populate printer search location text
              Printer browsing
               Prune printers that are not automatically republished
              Web-based printing
User Configuration
 Software Settings
              Software installation
 Windows Settings
      Programs
   Scripts (Logon/Logoff)
   Security Settings
      Public Key Policies
        Enterprise Trust
   Internet Explorer Maintenance
      Browser User Interface
              Browser Title
              Custom Logo
              Browser Toolbar Buttons
      Connection
              Connection Settings
              Automatic Browser Configuration
              Proxy Settings
              User Agent String
      URLs
              Favorites and Links
              Important URLs
   Security
            Security Zones and Content Ratings
            Authenticode Settings
 Remote Installation Services
 Folder Redirection
   Application Data
   Desktop
   My Documents
     My Pictures
   Start Menu
Administrative Templates
 Windows Components
   NetMeeting
            Enable Automatic Configuration
            Disable Directory services
            Prevent adding Directory servers
            Prevent viewing Web directory
            Set the intranet support Web page
            Set Call Security options
            Prevent changing Call placement method
            Prevent automatic acceptance of Calls
            Allow persisting automatic acceptance of Calls

            Prevent sending files
            Prevent receiving files
            Limit the size of sent files
            Disable Whiteboard
            Disable NetMeeting 2.x Whiteboard
            Disable Chat
      Application Sharing
            Disable application Sharing
            Prevent Sharing
            Prevent Desktop Sharing
            Prevent Sharing Command Prompts
            Prevent Sharing Explorer windows
            Prevent Control
            Prevent Application Sharing in true color
      Audio & Video
            Limit the bandwidth of Audio and Video
            Disable Audio
            Disable full duplex Audio
            Prevent changing DirectSound Audio setting
            Prevent sending Video
            Prevent receiving Video
      Options Page
            Hide the General page
            Disable the Advanced Calling button
            Hide the Security page
            Hide the Audio page
            Hide the Video page
Internet Explorer
        Search: Disable Search Customization
        Search: Disable Find Files via F3 within the browser
        Disable external branding of Internet Explorer
        Disable importing and exporting of favorites
        Disable changing Advanced page settings
        Disable changing home page settings
        Use Automatic Detection for dial-up connections
        Disable caching of Auto-Proxy scripts
        Display error message on proxy script download failure
        Disable changing Temporary Internet files settings
        Disable changing history settings
        Disable changing color settings
        Disable changing link color settings
        Disable changing font settings
        Disable changing language settings
        Disable changing accessibility settings
        Disable Internet Connection wizard
        Disable changing connection settings
        Disable changing proxy settings
        Disable changing Automatic Configuration settings
        Disable changing ratings settings
        Disable changing certificate settings
        Disable changing Profile Assistant settings
        Disable AutoComplete for forms
        Do not allow AutoComplete to save passwords
        Disable changing Messaging settings
        Disable changing Calendar and Contact settings
        Disable the Reset Web Settings feature
        Disable changing default browser check
        Identity Manager: Prevent users from using Identities
        Configure Outlook Express
        Configure Media Explorer Bar
  Internet Control Panel
        Disable the General page
        Disable the Security page
        Disable the Content page
        Disable the Connections page
        Disable the Programs page
        Disable the Privacy page
        Disable the Advanced page
Offline Pages
      Disable adding channels
      Disable removing channels
      Disable adding schedules for offline pages
      Disable editing schedules for offline pages
      Disable removing schedules for offline pages
      Disable offline page hit logging
      Disable all scheduled offline pages
      Disable channel user interface completely
      Disable downloading of site subscription content

      Disable editing and creating of schedule groups

      Subscription Limits
Browser menus
      File menu: Disable Save As... menu option
      File menu: Disable New menu option
      File menu: Disable Open menu option
      File menu: Disable Save As Web Page Complete
      File menu: Disable closing the browser and Explorer windows
      View menu: Disable Source menu option
      View menu: Disable Full Screen menu option
      Hide Favorites menu
      Tools menu: Disable Internet Options... menu option
      Help menu: Remove 'Tip of the Day' menu option
      Help menu: Remove 'For Netscape Users' menu option
      Help menu: Remove 'Send Feedback' menu option
      Disable Context menu
      Disable Open in New Window menu option
      Disable Save this program to disk option
Toolbars
      Disable customizing browser toolbar buttons
      Disable customizing browser toolbars
      Configure Toolbar Buttons
Persistence Behavior
      File size limits for Local Machine zone
      File size limits for Intranet zone
      File size limits for Trusted Sites zone
      File size limits for Internet zone
      File size limits for Restricted Sites zone
Administrator Approved Controls
      Media Player
      Menu Controls
        Microsoft Agent
        Microsoft Chat
        Microsoft Survey Control
        Shockwave Flash
        NetShow File Transfer Control
        DHTML Edit Control
        Microsoft Scriptlet Component
        Carpoint
        Investor
        MSNBC
Application Compatibility
        Prevent access to 16-bit applications
Help and Support Center
        Do not allow "Did you know" content to appear

Windows Explorer
      Turn on Classic Shell
      Removes the Folder Options menu item from the Tools menu
      Remove File menu from Windows Explorer
      Remove "Map Network Drive" and "Disconnect Network Drive"
      Remove Search button from Windows Explorer
      Remove Windows Explorer's default context menu
      Hides the Manage item on the Windows Explorer context menu
      Allow only per user or approved shell extensions

        Do not track Shell shortcuts during roaming
        Hide these specified drives in My Computer
        Prevent access to drives from My Computer
        Remove Hardware tab
        Remove DFS tab
        Remove Security tab
        Remove UI to change menu animation setting
        Remove UI to change keyboard navigation indicator setting
        No "Computers Near Me" in My Network Places

        No "Entire Network" in My Network Places
        Maximum number of recent documents
        Do not request alternate credentials
        Request credentials for network installations
        Remove CD Burning features
        Do not move deleted files to the Recycle Bin
        Display confirmation dialog when deleting files
        Maximum allowed Recycle Bin size
        Remove Shared Documents from My Computer

       Turn off caching of thumbnail pictures
       Turn off Windows+X hotkeys
       Remove Publish to Web from File and Folder Tasks
       Prevent Internet download for Web Publishing and Online Ordering wizards
       Remove Order Prints from Picture Tasks
 Common Open File Dialog
       Items displayed in Places Bar
       Hide the common dialog places bar
       Hide the common dialog back button
       Hide the dropdown list of recent files
Microsoft Management Console
       Restrict the user from entering author mode
       Restrict users to the explicitly permitted list of snap-ins
 Restricted/Permitted snap-ins
       Active Directory Users and Computers
       Active Directory Domains and Trusts
       Active Directory Sites and Services
       ADSI Edit
       ActiveX Control
       Certificates
       Certification Authority
       Certificate Templates
       Wireless Monitor
       Component Services
       Computer Management
       Device Manager
       Disk Management
       Disk Defragmenter
       Distributed File System
       Event Viewer
       FAX Service
       FrontPage Server Extensions
       Indexing Service
       .Net Framework Configuration
       Internet Authentication Service (IAS)
       Internet Information Services
       IP Security
       IP Security Policy Management
       IP Security Monitor
       Link to Web Address
       Local Users and Groups
       Performance Logs and Alerts
       QoS Admission Control
       Remote Desktops
    Removable Storage Management
    Routing and Remote Access
    Security Configuration and Analysis
    Security Templates
    Services
    Shared Folders
    System Information
    Telephony
    Terminal Services Configuration
    WMI Control
Extension snap-ins
    AppleTalk Routing
    Authorization Manager
    Certification Authority Policy Settings
    Connection Sharing (NAT)
    DCOM Configuration Extension
    Device Manager
    DHCP Relay Management
    Event Viewer
    Extended View (Web View)
    IAS Logging
    IGMP Routing
    IP Routing
    IPX RIP Routing
    IPX Routing
    IPX SAP Routing
    Logical and Mapped Drives
    OSPF Routing
    Public Key Policies
    RAS Dialin - User Node
    Remote Access
    Removable Storage
    RIP Routing
    Routing
    Shared Folders Ext
    Send Console Message
    Service Dependencies
    SMTP Protocol
    SNMP
    System Properties
Group Policy
    Group Policy Management
    Group Policy Object Editor
    Group Policy Tab for Active Directory Tools
    Resultant Set of Policy snap-in
  Group Policy snap-in extensions
    Administrative Templates (Computers)
    Administrative Templates (Users)
    Folder Redirection
       Internet Explorer Maintenance
       Remote Installation Services
       Scripts (Logon/Logoff)
       Scripts (Startup/Shutdown)
       Security Settings
       Software Installation (Computers)
       Software Installation (Users)
       Wireless network (IEEE 802.11) Policies
     Resultant Set of Policy snap-in
       Administrative Templates (Computers)
       Administrative Templates (Users)
       Folder Redirection
       Internet Explorer Maintenance
       Scripts (Logon/Logoff)
       Scripts (Startup/Shutdown)
       Security Settings
       Software Installation (Computers)
       Software Installation (Users)
Task Scheduler
       Hide Property Pages
       Prevent Task Run or End
       Prohibit Drag-and-Drop
       Prohibit New Task Creation
       Prohibit Task Deletion
       Hide Advanced Properties in Add Scheduled Task Wizard
       Prohibit Browse
Terminal Services
       Start a program on connection
       Remote control settings
  Sessions
       Set time limit for disconnected sessions
       Set time limit for active sessions
       Set time limit for idle sessions
       Allow reconnection from original client only
       Terminate session when time limits are reached

Windows Installer
      Always install with elevated privileges
      Search order
      Prohibit rollback
      Prevent removable media source for any install

Windows Messenger
      Do not allow Windows Messenger to be run
      Do not automatically start Windows Messenger initially
Windows Update
       Remove access to use all Windows Update features
 Windows Media Player
       Prevent CD and DVD Media Information Retrieval
       Prevent Music File Media Information Retrieval

    User Interface
          Hide Privacy Tab
          Hide Security Tab
          Set and Lock Skin
          Do Not Show Anchor
    Playback
          Prevent Codec Download
          Allow Screen Saver
    Networking
          Hide Network Tab
          Streaming Media Protocols
          Configure HTTP Proxy
          Configure MMS Proxy
          Configure RTSP Proxy
          Configure Network Buffering
Start Menu & Taskbar
          Remove user's folders from the Start Menu
          Remove links and access to Windows Update
          Remove common program groups from Start Menu
          Remove My Documents icon from Start Menu
          Remove Documents menu from Start Menu
          Remove programs on Settings menu
          Remove Network Connections from Start Menu

         Remove Favorites menu from Start Menu
         Remove Search menu from Start Menu
         Remove Help menu from Start Menu
         Remove Run menu from Start Menu
         Remove My Pictures icon from Start Menu
         Remove My Music icon from Start Menu
          Remove My Network Places icon from Start Menu
         Add Logoff to the Start Menu
         Remove Logoff on the Start Menu
          Remove and prevent access to the Shut Down command
          Remove Drag-and-drop context menus on the Start Menu
          Prevent changes to Taskbar and Start Menu Settings
          Remove access to the context menus for the taskbar
          Do not keep history of recently opened documents
          Clear history of recently opened documents on exit
          Turn off personalized menus
          Turn off user tracking
           Add "Run in Separate Memory Space" check box to Run dialog box
           Do not use the search-based method when resolving shell shortcuts
           Do not use the tracking-based method when resolving shell shortcuts
           Gray unavailable Windows Installer programs Start Menu shortcuts
          Prevent grouping of taskbar items
          Turn off notification area cleanup
          Lock the Taskbar
          Force classic Start Menu
          Remove Balloon Tips on Start Menu items
           Remove pinned programs list from the Start Menu
           Remove frequent programs list from the Start Menu
           Remove All Programs list from the Start menu
           Remove the "Undock PC" button from the Start Menu
          Remove user name from Start Menu
          Remove Clock from the system notification area

          Hide the notification area
           Do not display any custom toolbars in the taskbar
           Remove Set Program Access and Defaults from Start menu
Desktop
          Hide and disable all items on the desktop
          Remove My Documents icon on the desktop
          Remove My Computer icon on the desktop
          Remove Recycle Bin icon from desktop
           Remove Properties from the My Documents context menu
           Remove Properties from the My Computer context menu
           Remove Properties from the Recycle Bin context menu
           Hide My Network Places icon on desktop
           Hide Internet Explorer icon on desktop
           Do not add shares of recently opened documents to My Network Places
           Prohibit user from changing My Documents path
           Prevent adding, dragging, dropping and closing the Taskbar's toolbars
         Prohibit adjusting desktop toolbars
         Don't save settings at exit
         Remove the Desktop Cleanup Wizard
 Active Desktop
         Enable Active Desktop
         Disable Active Desktop
         Disable all items
         Prohibit changes
         Prohibit adding items
         Prohibit deleting items
         Prohibit editing items
         Prohibit closing items
         Add/Delete items
         Active Desktop Wallpaper
         Allow only bitmapped wallpaper
 Active Directory
         Maximum size of Active Directory searches
         Enable filter in Find dialog box
         Hide Active Directory folder
Control Panel
         Prohibit access to the Control Panel
         Hide specified Control Panel applets
         Show only specified Control Panel applets
         Force classic Control Panel Style
 Add/Remove Programs
         Remove Add/Remove Programs
         Hide Change or Remove Programs page
         Hide Add New Programs page
         Hide Add/Remove Windows Components page
         Hide the "Add a program from CD-ROM or floppy disk" option
         Hide the "Add programs from Microsoft" option
         Hide the "Add programs from your network" option
         Go directly to Components Wizard
         Remove Support Information
         Specify default category for Add New Programs

  Display
            Remove Display in Control Panel
            Hide Desktop tab
            Prevent changing wallpaper
            Hide Appearance and Themes tab
         Hide Settings tab
         Hide Screen Saver tab
         Screen Saver
         Screen Saver executable name
         Password protect the screen saver
         Screen Saver timeout
    Desktop Themes
         Remove Theme option
          Prevent selection of windows and buttons styles
          Prohibit selection of font size
          Prohibit Theme color selection
          Load a specific visual style file or force Windows Classic
  Printers
          Browse a common web site to find printers
          Browse the network to find printers
          Default Active Directory path when searching for printers
          Point and Print Restrictions
          Prevent addition of printers
          Prevent deletion of printers
 Regional Options
          Restrict selection of Windows menus and dialogs language
Shared Folders
          Allow shared folders to be published
          Allow DFS roots to be published
Network
 Offline Files
          Prohibit user configuration of Offline Files
          Synchronize all offline files when logging on
          Synchronize all offline files before logging off
          Synchronize offline files before suspend
          Action on server disconnect
          Non-default server disconnect actions
          Remove 'Make Available Offline'
          Prevent use of Offline Files folder
          Administratively assigned offline files
          Turn off reminder balloons
          Reminder balloon frequency
          Initial reminder balloon lifetime
          Reminder balloon lifetime
          Event logging level
          Prohibit 'Make Available Offline' for these files and folders
          Do not automatically make redirected folders available offline
 Network Connections
         Ability to rename LAN connections or remote access connections available to all users
         Prohibit access to properties of components of a LAN connection
         Prohibit access to properties of components of a remote access connection
         Prohibit TCP/IP advanced configuration
         Prohibit access to the Advanced Settings item on the Advanced menu
         Prohibit adding and removing components for a LAN or remote access connection
         Prohibit access to properties of a LAN connection
         Prohibit Enabling/Disabling components of a LAN connection
         Ability to change properties of an all user remote access connection
         Prohibit changing properties of a private remote access connection
         Prohibit deletion of remote access connections
         Ability to delete all user remote access connections
         Prohibit connecting and disconnecting a remote access connection
         Ability to Enable/Disable a LAN connection
         Prohibit access to the New Connection Wizard
         Ability to rename LAN connections
         Ability to rename all user remote access
         Prohibit renaming private remote access
         Prohibit access to the Dial-up Preferences item
         Prohibit viewing of status for an active
         Enable Windows 2000 Network Connections settings for Administrators
System
         Don't display the Getting Started welcome screen at logon
         Century interpretation for Year 2000
         Configure driver search locations
         Code signing for device drivers
         Custom user interface
         Prevent access to the command prompt
         Prevent access to registry editing tools
         Run only allowed Windows applications
         Don't run specified Windows applications
         Turn off Autoplay
         Restrict these programs from being launched from Help
         Download missing COM components
        Windows Automatic Updates
User Profiles
        Connect home directory to root of the share
        Limit profile size
        Exclude directories in roaming profile
Scripts
        Run logon scripts synchronously
        Run legacy logon scripts hidden
        Run logon scripts visible
        Run logoff scripts visible
Ctrl+Alt+Del Options
        Remove Task Manager
        Remove Lock Computer
        Remove Change Password
        Remove Logoff
Logon
        Run these programs at user logon
        Do not process the run once list
        Do not process the legacy run list
Group Policy
        Group Policy refresh interval for users
        Group Policy slow link detection
        Group Policy domain controller selection
        Create new Group Policy object links disabled by default
        Default name for new Group Policy objects
        Enforce Show Policies Only
        Turn off automatic update of ADM files
        Disallow Interactive Users from generating Resultant Set of Policy data
Power Management
        Prompt for password on resume from hibernate / suspend
Stand-Alone       DC Effective       Member Server
Server Default    Default Settings   Effective Default
Settings                             Settings




0 passwords       24 passwords       24 passwords
remembered        remembered         remembered
42 days           42 days            42 days
0 days            1 days             1 days
0 characters      7 characters       7 characters
Disabled          Enabled            Enabled

Disabled          Disabled           Disabled


Not applicable    Not defined        Not defined
0 invalid login   0 invalid login    0 invalid login
attempts          attempts           attempts
Not applicable    Not defined        Not defined

Not applicable    Enabled            Not applicable
Not applicable    600 minutes        Not applicable
Not applicable    10 hours           Not applicable
Not applicable    7 days             Not applicable
Not applicable    5 minutes          Not applicable




Success           Success            Success
No auditing       Success            No auditing
No auditing       Success            No auditing
Success           Success            Success
No auditing       No auditing        No auditing
No auditing       Success            No auditing
No auditing       No auditing        No auditing
No auditing       No auditing        No auditing
No auditing       Success            No auditing
Everyone,          Everyone,            Backup Operators,
Administrators,    Administrators,      Power Users,
Users, Power       Authenticated        Users,
Users, Backup      Users,               Administrators,
Operators          ENTERPRISE           Everyone
                   DOMAIN
                   CONTROLLERS,
                   Pre-Windows 2000
                   Compatible Access

Not defined        Not defined          Not defined

Not defined        Authenticated        Not defined
                   Users
LOCAL SERVICE,     LOCAL SERVICE,       Administrators,
NETWORK            NETWORK              NETWORK
SERVICE,           SERVICE,             SERVICE, LOCAL
Administrators     Administrators       SERVICE
Administrators,    Administrators,      Backup Operators,
Users, Power       Backup Operators,    Power Users,
Users, Backup      Account Operators,   Users,
Operators          Server Operators,    Administrators
                   Print Operators

Administrators,    Not defined       Remote Desktop
Remote Desktop                       Users,
Users                                Administrators
Administrators,    Administrators,   Backup Operators,
Backup Operators   Backup Operators, Administrators
                   Server Operators
Everyone,          Everyone,         Backup Operators,
Administrators,    Administrators,   Power Users,
Users, Power       Authenticated     Users,
Users, Backup      Users, Pre-       Administrators,
Operators          Windows 2000      Everyone
                   Compatible Access

Administrators,    Administrators,      Power Users,
Power Users        Server Operators     Administrators
Administrators     Administrators       Administrators
Not defined        Not defined          Not defined

Administrators,    Not defined          SERVICE,
SERVICE                                 Administrators
Not defined        Not defined          Not defined


Administrators     Administrators     Administrators
SUPPORT_388945a0   SUPPORT_388945a0   SUPPORT_388945a0
Not defined        Not defined        Not defined

Not defined        Not defined        Not defined

SUPPORT_388945a0   SUPPORT_388945a0   SUPPORT_388945a0
Not defined    Not defined    Not defined

Not defined        Administrators     Not defined


Administrators     Administrators,    Administrators
                   Server Operators
LOCAL SERVICE,     LOCAL SERVICE,     NETWORK
NETWORK            NETWORK            SERVICE, LOCAL
SERVICE            SERVICE            SERVICE
Administrators,    Not defined        SERVICE,
SERVICE                               Administrators
Administrators     Administrators     Administrators

Administrators     Administrators,    Administrators
                   Print Operators
Not defined        Not defined        Not defined

LOCAL SERVICE,     LOCAL SERVICE,     SUPPORT_388945a0,
SUPPORT_388945a0   SUPPORT_388945a0   LOCAL SERVICE
NETWORK            NETWORK            NETWORK
SERVICE            SERVICE            SERVICE
Administrators     Administrators     Administrators

Administrators     Administrators     Administrators

Administrators     Not defined        Administrators

Administrators,    Administrators     Power Users,
Power Users                           Administrators
Administrators     Administrators     Administrators

Administrators,    Administrators    Power Users,
Power Users                          Administrators
LOCAL SERVICE,     LOCAL SERVICE, NETWORK
NETWORK            NETWORK           SERVICE, LOCAL
SERVICE            SERVICE           SERVICE
Administrators,    Administrators,   Backup Operators,
Backup Operators   Backup Operators, Administrators
                   Server Operators
Administrators,    Administrators,   Backup Operators,
Power Users,       Backup Operators, Power Users,
Backup Operators   Server Operators, Administrators
                   Print Operators
Not defined      Not defined      Not defined

Administrators   Administrators   Administrators


Enabled          Enabled          Enabled
Disabled         Disabled         Disabled
Enabled          Enabled          Enabled

Administrator    Administrator    Administrator
Guest            Guest            Guest
Disabled         Disabled         Disabled

Disabled         Disabled         Disabled

Disabled         Disabled         Disabled

Enabled          Enabled          Enabled

Administrators   Administrators   Administrators

Enabled          Enabled          Enabled

Disabled         Disabled         Disabled

Disabled         Disabled         Disabled

Warn but allow   Warn but allow   Warn but allow
installation     installation     installation
Not defined      Not defined      Not defined

Not defined      None             Not defined

Not defined      Not defined      Not defined

Enabled          Enabled          Enabled

Enabled          Enabled          Enabled

Enabled          Enabled          Enabled

Disabled         Disabled         Disabled

30 days          30 days          30 days

Disabled         Disabled         Disabled

Disabled         Disabled         Disabled
Disabled      Disabled      Disabled

Not defined   Not defined   Not defined

Not defined   Not defined   Not defined

10 logons     10 logons     10 logons


14 days       14 days       14 days

Disabled      Disabled      Disabled

Disabled      Disabled      Disabled
No Action     No Action     No Action
Disabled      Disabled      Disabled

Enabled       Enabled       Enabled

Disabled      Disabled      Disabled

15 minutes    15 minutes    15 minutes

Disabled      Enabled       Disabled

Disabled      Enabled       Disabled

Enabled       Enabled       Enabled

0             0             0




Disabled      Disabled      Disabled


0             0             0


0             0             0




Disabled      Disabled      Disabled

Enabled       Enabled       Enabled


Enabled       Enabled       Enabled
Disabled               Disabled               Disabled


Enabled                Enabled                Enabled


Disabled               Disabled               Disabled
Disabled               Disabled               Disabled

5                      5                      5


5                      5                      5

7200000                7200000                7200000

No additional          No additional          No additional
protection, source     protection, source     protection, source
routed packets are     routed packets are     routed packets are
allowed                allowed                allowed
0 (not configured)     0 (not configured)     0 (not configured)


No additional          No additional          No additional
protection, use        protection, use        protection, use
default settings       default settings       default settings
3 & 6 seconds, half-   3 & 6 seconds, half-   3 & 6 seconds, half-
open connections       open connections       open connections
dropped after 21       dropped after 21       dropped after 21
seconds                seconds                seconds

5                      5                      5

Disabled               Disabled               Disabled

Disabled               Enabled                Disabled

Enabled                Enabled                Enabled

Disabled               Disabled               Disabled

Disabled               Disabled               Disabled


Disabled               Disabled               Disabled
COMNAP,COMNODE,         COMNAP,COMNODE,         COMNAP,COMNODE,
SQL\QUERY,SPOOLSS,      SQL\QUERY,SPOOLSS,      SQL\QUERY,SPOOLSS,
EPMAPPER,LOCATOR,       EPMAPPER,LOCATOR,       EPMAPPER,LOCATOR,
TrkWks,TrkSvr           TrkWks,TrkSvr           TrkWks,TrkSvr

System\CurrentControlSet\     System\CurrentControlSet\     System\CurrentControlSet\
Control\ProductOptions,       Control\ProductOptions,       Control\ProductOptions,
System\CurrentControlSet\     System\CurrentControlSet\     System\CurrentControlSet\
Control\Server Applications,  Control\Server Applications,  Control\Server Applications,
Software\Microsoft\Windows    Software\Microsoft\Windows    Software\Microsoft\Windows
NT\CurrentVersion             NT\CurrentVersion             NT\CurrentVersion
System\CurrentControlSet\     System\CurrentControlSet\     System\CurrentControlSet\
Control\Print\Printers,       Control\Print\Printers,       Control\Print\Printers,
System\CurrentControlSet\     System\CurrentControlSet\     System\CurrentControlSet\
Services\Eventlog,            Services\Eventlog,            Services\Eventlog,
Software\Microsoft\           Software\Microsoft\           Software\Microsoft\
OLAP Server,                  OLAP Server,                  OLAP Server,
Software\Microsoft\Windows    Software\Microsoft\Windows    Software\Microsoft\Windows
NT\CurrentVersion\Print,      NT\CurrentVersion\Print,      NT\CurrentVersion\Print,
Software\Microsoft\Windows    Software\Microsoft\Windows    Software\Microsoft\Windows
NT\CurrentVersion\Windows,    NT\CurrentVersion\Windows,    NT\CurrentVersion\Windows,
System\CurrentControlSet\     System\CurrentControlSet\     System\CurrentControlSet\
Control\ContentIndex,         Control\ContentIndex,         Control\ContentIndex,
System\CurrentControlSet\     System\CurrentControlSet\     System\CurrentControlSet\
Control\Terminal Server,      Control\Terminal Server,      Control\Terminal Server,
System\CurrentControlSet\     System\CurrentControlSet\     System\CurrentControlSet\
Control\Terminal Server\      Control\Terminal Server\      Control\Terminal Server\
UserConfig,                   UserConfig,                   UserConfig,
System\CurrentControlSet\     System\CurrentControlSet\     System\CurrentControlSet\
Control\Terminal Server\      Control\Terminal Server\      Control\Terminal Server\
DefaultUserConfiguration,     DefaultUserConfiguration,     DefaultUserConfiguration,
Software\Microsoft\Windows    Software\Microsoft\Windows    Software\Microsoft\Windows
Enabled                       Enabled                       Enabled
COMCFG,DFS$             COMCFG,DFS$             COMCFG,DFS$

Classic - local users   Classic - local users   Classic - local users
authenticate as         authenticate as         authenticate as
themselves              themselves              themselves
Disabled                Disabled                Disabled

Disabled                Disabled                Disabled

Send NTLM               Send NTLM               Send NTLM
response only           response only           response only
Negotiate signing       Negotiate signing       Negotiate signing

No minimum              No minimum              No minimum


No minimum              No minimum              No minimum


Disabled                Disabled                Disabled

Disabled                Disabled                Disabled

Disabled                Disabled                Disabled

Disabled                Disabled                Disabled
Not defined


Disabled                Disabled                Disabled


Administrators          Administrators          Administrators
group                   group                   group

Enabled                 Enabled                 Enabled

Enabled                 Enabled                 Enabled


Posix                   Posix                   Posix
Disabled                Disabled                Disabled




16384 KB                16384 KB                16384 KB
16384 KB                131072 KB               16384 KB
16384 KB                16384 KB                16384 KB
Not defined             Enabled                 Enabled
Not defined   Enabled       Enabled
Not defined   Enabled       Enabled
Not defined   Not defined   Not defined
Not defined   Not defined   Not defined
Not defined   Not defined   Not defined
As needed     As needed     As needed
As needed     As needed     As needed
As needed     As needed     As needed
Full Service Name                                     Service Name                  DC Startup      Member Server   Stand-Alone     Logon As
                                                                                    Type            Startup Type    Server Startup
                                                                                                                    Type

Alerter                                               Alerter                       Disabled        Disabled        Disabled        Local Service
Application Layer Gateway Service                     ALG                           Manual          Manual          Manual          Local Service
Application Management                                AppMgmt                       Manual          Manual          Manual          Local System
ASP .NET State Service                                aspnet_state                  Not installed   Not installed   Not installed
Automatic Updates                                     wuauserv                      Automatic       Automatic       Automatic       Local System
Background Intelligent Transfer Service               BITS                          Manual          Manual          Manual          Local System
Certificate Services                                  CertSvc                       Not installed   Not installed   Not installed
Client Service for NetWare                            NWCWorkstation                Not installed   Not installed   Not installed
ClipBook                                              ClipSrv                       Disabled        Disabled        Disabled        Local System
Cluster Service                                       ClusSvc                       Not installed   Not installed   Not installed
COM+ Event System                                     EventSystem                   Manual          Manual          Manual          Local System
COM+ System Application                               COMSysApp                     Manual          Manual          Manual          Local System
Computer Browser                                      Browser                       Automatic       Automatic       Automatic       Local System
Cryptographic Services                                CryptSvc                      Automatic       Automatic       Automatic       Local System
DHCP Client                                           Dhcp                          Automatic       Automatic       Automatic       Network Service
DHCP Server                                           DHCPServer                    Automatic       Not installed   Not installed   Local System
Distributed File System                               Dfs                           Automatic       Automatic       Automatic       Local System
Distributed Link Tracking Client                      TrkWks                        Automatic       Automatic       Automatic       Local System
Distributed Link Tracking Server                      TrkSvr                        Disabled        Disabled        Disabled        Network Service
Distributed Transaction Coordinator                   MSDTC                         Automatic       Automatic       Automatic       Network Service
DNS Client                                            Dnscache                      Automatic       Automatic       Automatic       Local System
DNS Server                                            DNS                           Automatic       Not installed   Not installed   Local System
Error Reporting Service                               ERSvc                         Automatic       Automatic       Automatic       Local System
Event Log                                             Eventlog                      Automatic       Automatic       Automatic       Local System
Fax Service                                           Fax                           Not installed   Not installed   Not installed
File Replication                                      NtFrs                         Automatic       Manual          Manual          Local System
File Server for Macintosh                             MacFile                       Not installed   Not installed   Not installed
FTP Publishing Service                                MSFtpsvc                      Not installed   Not installed   Not installed
Help and Support                                      helpsvc                       Automatic       Automatic       Automatic       Local System
HTTP SSL                                              HTTPFilter                    Manual          Manual          Manual          Local System
Human Interface Device Access                         HidServ                       Disabled        Disabled        Disabled        Local System
IAS Jet Database Access                               IASJet                        Not installed   Not installed   Not installed
IIS Admin Service                                     IISADMIN                      Not installed   Not installed   Not installed
IMAPI CD-Burning COM Service                          ImapiService                  Disabled        Disabled        Disabled        Local System
Indexing Service                                      cisvc                         Disabled        Disabled        Disabled        Local System
Infrared Monitor                                      Irmon                         Not installed   Not installed   Not installed
Internet Authentication Service                       IAS                           Not installed   Not installed   Not installed
Internet Connection Firewall (ICF)/                   SharedAccess                  Disabled        Disabled        Disabled        Local System
Internet Connection Sharing (ICS)
Intersite Messaging                                   IsmServ                       Automatic       Disabled        Disabled        Local System
IP Version 6 Helper Service                           6to4                          Not installed   Not installed   Not installed
IPSec Policy Agent (IPSec Service)                    PolicyAgent                   Automatic       Automatic       Automatic       Local System
Kerberos Key Distribution Center                      Kdc                           Automatic       Disabled        Disabled        Local System
License Logging Service                               LicenseService                Disabled        Disabled        Disabled        Network Service
Logical Disk Manager                                  dmserver                      Automatic       Automatic       Automatic       Local System
Logical Disk Manager Administrative Service           dmadmin                       Manual          Manual          Manual          Local System
Message Queuing                                       msmq                          Not installed   Not installed   Not installed
Message Queuing Down Level Clients                    mqds                          Not installed   Not installed   Not installed
Message Queuing Triggers                              Mqtgsvc                       Not installed   Not installed   Not installed
Messenger                                             Messenger                     Disabled        Disabled        Disabled        Local System
Microsoft POP3 Service                                POP3SVC                       Not installed   Not installed   Not installed
MS Software Shadow Copy Provider                      SwPrv                         Manual          Manual          Manual          Local System
MSSQL$UDDI                                            MSSQL$UDDI                    Not installed   Not installed   Not installed
MSSQLServerADHelper                                   MSSQLServerADHelper           Not installed   Not installed   Not installed
.NET Framework Support Service                        CORRTSvc                      Not installed   Not installed   Not installed
Netlogon                                              Netlogon                      Automatic       Automatic       Manual          Local System
NetMeeting Remote Desktop Sharing                     mnmsrvc                       Disabled        Disabled        Disabled        Local System
Network Connections                                   Netman                        Manual          Manual          Manual          Local System
Network DDE                                           NetDDE                        Disabled        Disabled        Disabled        Local System
Network DDE DSDM                                      NetDDEdsdm                    Disabled        Disabled        Disabled        Local System
Network Location Awareness (NLA)                      NLA                           Manual          Manual          Manual          Local System
Network News Transport Protocol (NNTP)                NntpSvc                       Not installed   Not installed   Not installed
NTLM Security Support Provider                        NtLmSsp                       Manual          Manual          Manual          Local System
Performance Logs and Alerts                           SysmonLog                     Manual          Manual          Manual          Network Service
Plug and Play                                         PlugPlay                      Automatic       Automatic       Automatic       Local System
Portable Media Serial Number                          WmdmPmSN                      Manual          Manual          Manual          Local System
Print Server for Macintosh                            MacPrint                      Not installed   Not installed   Not installed
Print Spooler                                         Spooler                       Automatic       Automatic       Automatic       Local System
Protected Storage                                     ProtectedStorage              Automatic       Automatic       Automatic       Local System
Remote Access Auto Connection Manager                 RasAuto                       Manual          Manual          Manual          Local System
Remote Access Connection Manager                      RasMan                        Manual          Manual          Manual          Local System
Remote Administration Service                         SrvcSurg                      Not installed   Not installed   Not installed
Remote Desktop Help Session Manager                   RDSessMgr                     Manual          Manual          Manual          Local System
Remote Installation                                   BINLSVC                       Not installed   Not installed   Not installed
Remote Procedure Call (RPC)                           RpcSs                         Automatic       Automatic       Automatic       Local System
Remote Procedure Call (RPC) Locator                   RpcLocator                    Automatic       Manual          Manual          Network Service
Remote Registry Service                               RemoteRegistry                Automatic       Automatic       Automatic       Local Service
Remote Server Manager                                 AppMgr                        Not installed   Not installed   Not installed
Remote Server Monitor                                 Appmon                        Not installed   Not installed   Not installed
Remote Storage Notification                           Remote_Storage_User_Link      Not installed   Not installed   Not installed
Remote Storage Server                                 Remote_Storage_Server         Not installed   Not installed   Not installed
Removable Storage                                     NtmsSvc                       Manual          Manual          Manual          Local System
Resultant Set of Policy Provider                      RSoPProv                      Manual          Manual          Manual          Local System
Routing and Remote Access                             RemoteAccess                  Disabled        Disabled        Disabled        Local System
SAP Agent                                             nwsapagent                    Not installed   Not installed   Not installed
Secondary Logon                                       seclogon                      Automatic       Automatic       Automatic       Local System
Security Accounts Manager                             SamSs                         Automatic       Automatic       Automatic       Local System
Server                                                lanmanserver                  Automatic       Automatic       Automatic       Local System
Shell Hardware Detection                              ShellHWDetection              Automatic       Automatic       Automatic       Local System
Simple Mail Transport Protocol (SMTP)                 SMTPSVC                       Not installed   Not installed   Not installed
Simple TCP/IP Services                                SimpTcp                       Not installed   Not installed   Not installed
Single Instance Storage Groveler                      Groveler                      Not installed   Not installed   Not installed
Smart Card                                            SCardSvr                      Manual          Manual          Manual          Local Service
SNMP Service                                          SNMP                          Not installed   Not installed   Not installed
SNMP Trap Service                                     SNMPTRAP                      Not installed   Not installed   Not installed
Special Administration Console Helper                 Sacsvr                        Manual          Manual          Manual          Local System
SQLAgent$* (* UDDI or WebDB)                          SQLAgent$WEBDB                Not installed   Not installed   Not installed
System Event Notification                             SENS                          Automatic       Automatic       Automatic       Local System
Task Scheduler                                        Schedule                      Automatic       Automatic       Automatic       Local System
TCP/IP NetBIOS Helper Service                         LMHosts                       Automatic       Automatic       Automatic       Local Service
TCP/IP Print Server                                   LPDSVC                        Not installed   Not installed   Not installed
Telephony                                             TapiSrv                       Manual          Manual          Manual          Local System
Telnet                                                TlntSvr                       Disabled        Disabled        Disabled        Local System
Terminal Services                                     TermService                   Manual          Manual          Manual          Local System
Terminal Services Licensing                           TermServLicensing             Not installed   Not installed   Not installed
Terminal Services Session Directory                   Tssdis                        Disabled        Disabled        Disabled        Local System
Themes                                                Themes                        Disabled        Disabled        Disabled        Local System
Trivial FTP Daemon                                    tftpd                         Not installed   Not installed   Not installed
Uninterruptible Power Supply                          UPS                           Manual          Manual          Manual          Local Service
Upload Manager                                        Uploadmgr                     Manual          Manual          Manual          Local System
Virtual Disk Service                                  VDS                           Manual          Manual          Manual          Local System
Volume Shadow Copy                                    VSS                           Manual          Manual          Manual          Local System
WebClient                                             WebClient                     Disabled        Disabled        Disabled        Local Service
Web Element Manager                                   elementmgr                    Not installed   Not installed   Not installed
Windows Audio                                         AudioSrv                      Disabled        Disabled        Disabled        Local System
Windows Image Acquisition (WIA)                       StiSvc                        Disabled        Disabled        Disabled        Local Service
Windows Installer                                     MSIServer                     Manual          Manual          Manual          Local System
Windows Internet Name Service (WINS)                  WINS                          Not installed   Not installed   Not installed
Windows Management Instrumentation                    winmgmt                       Automatic       Automatic       Automatic       Local System
Windows Management Instrumentation Driver Extensions  Wmi                           Manual          Manual          Manual          Local System
Windows Media Services                                WMServer                      Not installed   Not installed   Not installed
Windows System Resource Manager                       WindowsSystemResourceManager  Not installed   Not installed   Not installed
Windows Time                                          W32Time                       Automatic       Automatic       Automatic       Local System
WinHTTP Web Proxy Auto-Discovery Service              WinHttpAutoProxySvc           Manual          Manual          Manual          Local Service
Wireless Configuration                                WZCSVC                        Automatic       Automatic       Automatic       Local System
WMI Performance Adapter                               WmiApSrv                      Manual          Manual          Manual          Local System
Workstation                                           lanmanworkstation             Automatic       Automatic       Automatic       Local System
World Wide Web Publishing Service                     W3SVC                         Not installed   Not installed   Not installed
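The service table above is a baseline; the check a practitioner actually wants is a diff of a live host against it, because a service the baseline disables (Messenger, Telnet, ICF/ICS) that someone has switched back on, or a service running as LocalSystem where the table says Network Service, is attack surface the role should not carry. The following PowerShell is an added example, not part of the original spreadsheet: it embeds a hand-copied subset of the rows as $Baseline, compares Win32_Service start modes and logon accounts for a chosen role, and reports drift. $Baseline, Compare-ServiceBaseline, the role labels 'DC'/'MemberServer'/'StandAlone', the $sample records and the host name SRV01 are this example's own; the Win32_Service class, its StartMode values ('Auto', 'Manual', 'Disabled') and its StartName account strings are what Windows PowerShell's Get-WmiObject returns.

```powershell
# Added example, not part of the original spreadsheet. Compares a host's
# service start modes and logon accounts against the table above for one
# role. $Baseline is a hand-copied subset of the table rows; 'DC',
# 'MemberServer' and 'StandAlone' are this script's own labels for the three
# startup-type columns. Rows marked "Not installed" in the table are left out
# here because they need a presence check rather than a start-mode check.
# Win32_Service (via Get-WmiObject, Windows PowerShell) reports StartMode as
# 'Auto', 'Manual' or 'Disabled' and the logon account in StartName.

$Baseline = @(
    #  Service          DC           MemberServer  StandAlone   LogonAs
    @('Netlogon',       'Automatic', 'Automatic',  'Manual',    'Local System'),
    @('Kdc',            'Automatic', 'Disabled',   'Disabled',  'Local System'),
    @('IsmServ',        'Automatic', 'Disabled',   'Disabled',  'Local System'),
    @('NtFrs',          'Automatic', 'Manual',     'Manual',    'Local System'),
    @('RpcLocator',     'Automatic', 'Manual',     'Manual',    'Network Service'),
    @('RemoteRegistry', 'Automatic', 'Automatic',  'Automatic', 'Local Service'),
    @('Messenger',      'Disabled',  'Disabled',   'Disabled',  'Local System'),
    @('TlntSvr',        'Disabled',  'Disabled',   'Disabled',  'Local System'),
    @('SharedAccess',   'Disabled',  'Disabled',   'Disabled',  'Local System'),
    @('Spooler',        'Automatic', 'Automatic',  'Automatic', 'Local System')
) | ForEach-Object {
    New-Object PSObject -Property @{
        Name = $_[0]; DC = $_[1]; MemberServer = $_[2]; StandAlone = $_[3]; LogonAs = $_[4]
    }
}

# Table vocabulary -> Win32_Service vocabulary.
$StartModeMap = @{ 'Automatic' = 'Auto'; 'Manual' = 'Manual'; 'Disabled' = 'Disabled' }
$LogonMap = @{
    'Local System'    = 'LocalSystem'
    'Local Service'   = 'NT AUTHORITY\LocalService'
    'Network Service' = 'NT AUTHORITY\NetworkService'
}

function Compare-ServiceBaseline {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('DC', 'MemberServer', 'StandAlone')]
        [string] $Role,

        [string] $ComputerName = '.',

        # Optional pre-collected objects with Name, StartMode and StartName,
        # so exported inventory can be checked offline.
        [object[]] $Services
    )

    if (-not $Services) {
        $Services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName
    }

    # Win32_Service.Name is the short service name used in the table.
    $byName = @{}
    foreach ($svc in $Services) { $byName[$svc.Name.ToLower()] = $svc }

    foreach ($row in $Baseline) {
        $expectedMode  = $StartModeMap[$row.$Role]
        $expectedLogon = $LogonMap[$row.LogonAs]
        $actual        = $byName[$row.Name.ToLower()]

        if ($actual -eq $null) {
            New-Object PSObject -Property @{
                Service = $row.Name; Check = 'StartMode'; Expected = $expectedMode
                Actual = '(not present)'; Status = 'MISSING'
            }
            continue
        }

        # A service the baseline disables but the host has enabled is the
        # finding that matters most: attack surface the role should not carry.
        $modeStatus = 'DRIFT'
        if ($actual.StartMode -ieq $expectedMode) { $modeStatus = 'OK' }
        elseif ($expectedMode -eq 'Disabled')      { $modeStatus = 'DRIFT-ENABLED' }
        New-Object PSObject -Property @{
            Service = $row.Name; Check = 'StartMode'; Expected = $expectedMode
            Actual = $actual.StartMode; Status = $modeStatus
        }

        # Logon-account drift (LocalSystem where the table says Network Service)
        # widens what a compromised service can do; StartName casing varies
        # between builds, so compare case-insensitively.
        $logonStatus = 'DRIFT'
        if ($actual.StartName -ieq $expectedLogon) { $logonStatus = 'OK' }
        New-Object PSObject -Property @{
            Service = $row.Name; Check = 'LogonAs'; Expected = $expectedLogon
            Actual = $actual.StartName; Status = $logonStatus
        }
    }
}

# Constructed sample standing in for Win32_Service output from a stand-alone
# server: Messenger re-enabled, RPC Locator switched to LocalSystem.
$sample = @(
    (New-Object PSObject -Property @{ Name = 'Messenger';  StartMode = 'Auto';   StartName = 'LocalSystem' }),
    (New-Object PSObject -Property @{ Name = 'RpcLocator'; StartMode = 'Manual'; StartName = 'LocalSystem' }),
    (New-Object PSObject -Property @{ Name = 'Spooler';    StartMode = 'Auto';   StartName = 'LocalSystem' })
)

Compare-ServiceBaseline -Role StandAlone -Services $sample |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table Service, Check, Expected, Actual, Status -AutoSize

# Against a live host (Windows PowerShell with WMI access to the target; SRV01 is a placeholder):
#   Compare-ServiceBaseline -Role MemberServer -ComputerName SRV01 |
#       Where-Object { $_.Status -ne 'OK' }
```

On the constructed sample the run reports Messenger as DRIFT-ENABLED (baseline Disabled, host Auto), RpcLocator's logon account as DRIFT (baseline NT AUTHORITY\NetworkService, host LocalSystem), and the other baseline rows as MISSING; Spooler passes both checks. Extend $Baseline with the remaining rows before using it as a real audit, and treat the "Not installed" rows separately: for those the interesting finding is that the service exists at all.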
                                                             Default Domain    Stand-Alone
Policy setting as it appears in the                          Policy            Windows XP
Group Policy Editor of Windows XP                                              Default Settings


Computer Configuration
 Software Settings
             Software installation
 Windows Settings
   Scripts (Startup/Shutdown)
   Security Settings
     Account Policies
       Password Policy
             Enforce password history                        24 passwords      0 passwords
                                                             remembered        remembered
             Maximum password age                            42 days           42 days
             Minimum password age                            1 days            0 days
             Minimum password length                         7 characters      0 characters
             Passwords must meet complexity requirements     Enabled           Disabled

            Store password using reversible encryption for   Disabled          Disabled
            all users in the domain
       Account Lockout Policy
            Account lockout duration                         Not defined       Not applicable
            Account lockout threshold                        0 invalid login   0 invalid login
                                                             attempts          attempts
             Reset account lockout counter after             Not defined       Not applicable
       Kerberos Policy
             Enforce user logon restrictions                 Enabled           Not applicable
             Maximum lifetime for service ticket             600 minutes       Not applicable
             Maximum lifetime for user ticket                10 hours          Not applicable
             Maximum lifetime for user ticket renewal        7 days            Not applicable
             Maximum tolerance for computer clock            5 minutes         Not applicable
             synchronization
     Local Policies
       Audit Policy
             Audit account logon events                      Not defined       No auditing
             Audit account management                        Not defined       No auditing
             Audit directory service access                  Not defined       No auditing
             Audit logon events                              Not defined       No auditing
             Audit object access                             Not defined       No auditing
             Audit policy change                             Not defined       No auditing
             Audit privilege use                             Not defined       No auditing
             Audit process tracking                          Not defined       No auditing
             Audit system events                             Not defined       No auditing
       User Rights Assignment
      Access this computer from the network             Not defined   Everyone,
      (SeNetworkLogonRight)                                           Administrators,
                                                                      Users, Power
                                                                      Users, Backup
                                                                      Operators
      Act as part of the operating system               Not defined   Not defined
      (SeTcbPrivilege)
      Add workstations to domain                        Not defined   Not defined
      (SeMachineAccountPrivilege)
      Adjust memory quotas for a process                Not defined   LOCAL SERVICE,
      (SeIncreaseQuotaPrivilege)                                      NETWORK
                                                                      SERVICE,
                                                                      Administrators
      Allow log on through Terminal Services            Not defined   Administrators,
      (SeRemoteInteractiveLogonRight)                                 Remote Desktop
                                                                      Users
      Back up files and directories                     Not defined   Administrators,
      (SeBackupPrivilege)                                             Backup Operators
      Bypass traverse checking                          Not defined   Everyone,
      (SeChangeNotifyPrivilege)                                       Administrators,
                                                                      Users, Power
                                                                      Users, Backup
                                                                      Operators
      Change the system time                            Not defined   Administrators,
      (SeSystemTimePrivilege)                                         Power Users
      Create a pagefile (SeCreatePagefilePrivilege)     Not defined   Administrators
      Create a token object (SeCreateTokenPrivilege)    Not defined   Not defined

      Create global objects (SeCreateGlobalPrivilege)   Not defined   Not defined

      Create permanent shared objects                   Not defined   Not defined
      (SeCreatePermanentPrivilege)

      Debug programs (SeDebugPrivilege)                 Not defined   Administrators
      Deny access to this computer from the network     Not defined   Support_xxxxxxxx,
      (SeDenyNetworkLogonRight)                                       Guest
      Deny logon as a batch job                         Not defined   Not defined
      (SeDenyBatchLogonRight)
      Deny logon as a service                           Not defined   Not defined
      (SeDenyServiceLogonRight)
      Deny logon locally                                Not defined   Support_xxxxxxxx,
      (SeDenyInteractiveLogonRight)                                   Guest
      Deny log on through Terminal Services             Not defined   Not defined
      (SeDenyRemoteInteractiveLogonRight)
      Enable computer and user accounts to be           Not defined   Not defined
      trusted for delegation
      (SeEnableDelegationPrivilege)
      Force shutdown from a remote system               Not defined   Administrators
      (SeRemoteShutdownPrivilege)
      Generate security audits (SeAuditPrivilege)       Not defined   LOCAL SERVICE,
                                                                      NETWORK
                                                                      SERVICE
      Increase scheduling priority                      Not defined   Administrators
      (SeIncreaseBasePriorityPrivilege)
      Load and unload device drivers                    Not defined   Administrators
      (SeLoadDriverPrivilege)
      Lock pages in memory                              Not defined   Not defined
      (SeLockMemoryPrivilege)
      Log on as a batch job (SeBatchLogonRight)         Not defined   Support_xxxxxxxx
      Log on as a service (SeServiceLogonRight)         Not defined   NETWORK
                                                                      SERVICE
      Log on locally (SeInteractiveLogonRight)          Not defined   Administrators,
                                                                      Users, Power
                                                                      Users, Backup
                                                                      Operators
      Manage auditing and security log                  Not defined   Administrators
      (SeSecurityPrivilege)
      Modify firmware environment values                Not defined   Administrators
      (SeSystemEnvironmentPrivilege)
      Perform volume maintenance tasks                  Not defined   Administrators
      (SeManageVolumePrivilege)
      Profile single process                            Not defined   Administrators,
      (SeProfileSingleProcessPrivilege)                               Power Users
      Profile system performance                        Not defined   Administrators
      (SeSystemProfilePrivilege)
      Remove computer from docking station              Not defined   Administrators,
      (SeUndockPrivilege)                                             Power Users
      Replace a process level token                     Not defined   LOCAL SERVICE,
      (SeAssignPrimaryTokenPrivilege)                                 NETWORK
                                                                      SERVICE
      Restore files and directories                     Not defined   Administrators,
      (SeRestorePrivilege)                                            Backup Operators
      Shut down the system (SeShutdownPrivilege)        Not defined   Administrators,
                                                                      Power Users,
                                                                      Backup Operators
     Synchronize directory service data                 Not defined   Not defined
     (SeSynchAgentPrivilege)
     Take ownership of files or other objects           Not defined   Administrators
     (SeTakeOwnershipPrivilege)
       Security Options
     Accounts: Administrator account status             Not defined   Enabled
     Accounts: Guest account status                     Not defined   Disabled
     Accounts: Limit local account use of blank         Not defined   Enabled
     passwords to console logon only
     Accounts: Rename administrator account             Not defined   Administrator
     Accounts: Rename guest account                     Not defined   Guest
     Audit: Audit the access of global system objects   Not defined   Disabled
     Audit: Audit the use of Backup and Restore           Not defined   Disabled
     privilege
     Audit: Shut down system immediately if unable to     Not defined   Disabled
     log security audits
     Devices: Allow undock without having to log on       Not defined   Enabled

     Devices: Allowed to format and eject removable       Not defined   Administrators
     media
     Devices: Prevent users from installing printer       Not defined   Disabled
     drivers
     Devices: Restrict CD-ROM access to locally           Not defined   Disabled
     logged-on user only
     Devices: Restrict floppy access to locally           Not defined   Disabled
     logged-on user only
     Devices: Unsigned driver installation behavior       Not defined   Warn but allow
                                                                        installation
     Domain controller: Allow server operators to         Not defined   Not defined
     schedule tasks
     Domain controller: LDAP server signing               Not defined   Not defined
     requirements
     Domain controller: Refuse machine account            Not defined   Not defined
     password changes
     Domain member: Digitally encrypt or sign secure      Not defined   Enabled
     channel data (always)
     Domain member: Digitally encrypt secure              Not defined   Enabled
     channel data (when possible)
     Domain member: Digitally sign secure channel         Not defined   Enabled
     data (when possible)
     Domain member: Disable machine account               Not defined   Disabled
     password changes
     Domain member: Maximum machine account               Not defined   30 days
     password age
     Domain member: Require strong (Windows               Not defined   Disabled
     2000 or later) session key
     Interactive logon: Do not display last user name     Not defined   Disabled

     Interactive logon: Do not require                    Not defined   Not defined
     CTRL+ALT+DEL
     Interactive logon: Message text for users            Not defined   Not defined
     attempting to log on
     Interactive logon: Message title for users           Not defined   Not defined
     attempting to log on
     Interactive logon: Number of previous logons to      Not defined   10 logons
     cache (in case domain controller is not available)

     Interactive logon: Prompt user to change             Not defined   14 days
     password before expiration
     Interactive logon: Require Domain Controller         Not defined   Disabled
     authentication to unlock workstation
     Interactive logon: Smart card removal behavior       Not defined   No Action
     Microsoft network client: Digitally sign          Not defined   Disabled
     communications (always)
     Microsoft network client: Digitally sign          Not defined   Enabled
     communications (if server agrees)
     Microsoft network client: Send unencrypted        Not defined   Disabled
     password to third-party SMB servers
     Microsoft network server: Amount of idle time     Not defined   15 minutes
     required before suspending session
     Microsoft network server: Digitally sign          Not defined   Disabled
     communications (always)
     Microsoft network server: Digitally sign          Not defined   Disabled
     communications (if client agrees)
     Microsoft network server: Disconnect clients      Not defined   Enabled
     when logon hours expire
     MSS:(AFD DynamicBacklogGrowthDelta)               Not defined   0
     Number of connections to create when additional
     connections are necessary for Winsock
     applications (10 recommended)
     MSS:(AFD EnableDynamicBacklog) Enable             Not defined   Disabled
     dynamic backlog for Winsock applications
     (recommended)
     MSS:(AFD MaximumDynamicBacklog)                   Not defined   0
     Maximum number of 'quasi-free' connections for
     Winsock applications
     MSS:(AFD MinimumDynamicBacklog) Minimum           Not defined   0
     number of free connections for Winsock
     applications (20 recommended for systems
     under attack, 10 otherwise)
     MSS:Allow automatic detection of dead network     Not defined   Disabled
     gateways (could lead to DoS)
     MSS:Allow automatic detection of MTU size         Not defined   Enabled
(possible DoS by an attacker using a small MTU)

MSS:Allow ICMP redirects to override OSPF         Not defined   Enabled
generated routes
MSS:Allow IRDP to detect and configure Default    Not defined   Disabled
Gateway addresses (could lead to DoS)

MSS:Allow the computer to ignore NetBIOS          Not defined   Enabled
name release requests except from WINS
servers
MSS:Disable Autorun for all drives                Not defined   Disabled
MSS:Enable the computer to stop generating 8.3    Not defined   Disabled
style filenames
MSS:How many dropped connect requests to          Not defined   5
initiate SYN attack protection (5 is
recommended)
MSS:How many times unacknowledged data            Not defined   5
is retransmitted (3 recommended, 5 is default)
MSS:How often keep-alive packets are sent in      Not defined   7200000
milliseconds (300,000 is recommended)
MSS:IP source routing protection level (protects   Not defined   No additional protection, source routed packets are allowed
against packet spoofing)
MSS:Percentage threshold for the security event    Not defined   0 (not configured)
log at which the system will generate a warning

MSS:Syn attack protection level (protects          Not defined   No additional protection, use default settings
against DoS)
MSS:SYN-ACK retransmissions when a                 Not defined   3 & 6 seconds, half-open connections dropped after 21 seconds
connection request is not acknowledged

MSS:The time in seconds before the screen          Not defined   5
saver grace period expires (0 recommended)
MSS:Enable Safe DLL search mode                    Not defined   Disabled
(recommended)
Network access: Allow anonymous SID/Name           Not defined   Disabled
translation
Network access: Do not allow anonymous             Not defined   Enabled
enumeration of SAM accounts
Network access: Do not allow anonymous             Not defined   Disabled
enumeration of SAM accounts and shares
Network access: Do not allow storage of            Not defined   Disabled
credentials or .NET Passports for network
authentication
Network access: Let Everyone permissions           Not defined   Disabled
apply to anonymous users
Network access: Named Pipes that can be            Not defined   COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, TrkSvr
accessed anonymously
Network access: Remotely accessible registry      Not defined   System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows
paths
Network access: Shares that can be accessed       Not defined   COMCFG, DFS$
anonymously
Network access: Sharing and security model for    Not defined   Guest only - local users authenticate as Guest
local accounts
Network security: Do not store LAN Manager        Not defined   Disabled
hash value on next password change
Network security: Force logoff when logon hours   Disabled      Disabled
expire
Network security: LAN Manager authentication      Not defined   Send LM & NTLM
level                                                           responses
Network security: LDAP client signing             Not defined   Negotiate signing
requirements
Network security: Minimum session security for    Not defined   No minimum
NTLM SSP based (including secure RPC) clients

Network security: Minimum session security for    Not defined   No minimum
NTLM SSP based (including secure RPC)
servers
           Recovery console: Allow automatic                  Not defined   Disabled
           administrative logon
           Recovery console: Allow floppy copy and access     Not defined   Disabled
           to all drives and all folders
           Shutdown: Allow system to be shut down without     Not defined   Enabled
           having to log on
           Shutdown: Clear virtual memory pagefile            Not defined   Disabled
           System cryptography: Use FIPS compliant            Not defined   Disabled
           algorithms for encryption, hashing, and signing

           System objects: Default owner for objects          Not defined   Object creator
           created by members of the Administrators group

           System objects: Require case insensitivity for     Not defined   Enabled
           non-Windows subsystems
           System objects: Strengthen default permissions     Not defined   Enabled
           of internal system objects (e.g. Symbolic Links)

   Event Log
     Settings for Event Logs
           Maximum application log size                       Not defined   512 KB
           Maximum security log size                          Not defined   512 KB
           Maximum system log size                            Not defined   512 KB
           Restrict guest access to application log           Not defined   Enabled
           Restrict guest access to security log              Not defined   Enabled
           Restrict guest access to system log                Not defined   Enabled
           Retain application log                             Not defined   7 days
           Retain security log                                Not defined   7 days
           Retain system log                                  Not defined   7 days
           Retention method for application log               Not defined   Overwrite events
                                                                            older than
           Retention method for security log                  Not defined   Overwrite events
                                                                            older than
           Retention method for system log                    Not defined   Overwrite events
                                                                            older than
   Restricted Groups
   System Services - See next worksheet, System Services
   Registry
   File System
   Public Key Policies
     Encrypted Data Recovery Agents
     Automatic Certificate Request Settings
     Trusted Root Certification Authorities
     Enterprise Trust
   IP Security Policies on Active Directory
            Client (Respond Only)
            Secure Server (Require Security)
            Server (Request Security)
Administrative Templates
 Windows Components
   NetMeeting
        Disable remote Desktop Sharing
Internet Explorer
        Security Zones: Use only machine settings
        Security Zones: Do not allow users to change
        policies
        Security Zones: Do not allow users to add/delete
        sites
        Make proxy settings per-machine (rather than
        per-user)
        Disable Automatic Install of Internet Explorer
        components
        Disable Periodic Check for Internet Explorer
        software updates
        Disable software update shell notifications on
        program launch
        Disable showing the splash screen
Task Scheduler
        Hide Property Pages
        Prevent Task Run or End
        Disable Drag-and-Drop
        Disable New Task Creation
        Disable Task Deletion
        Disable Advanced Menu
        Prohibit Browse
Terminal Services
        Keep-Alive Messages
        Limit users to one remote session
        Enforce Removal of Remote Desktop Wallpaper

        Limit number of connections
        Limit maximum color depth
        Do not allow new client connections
        Do not allow local administrators to customize
        permissions
        Remove Windows Security item from Start menu

        Remove Disconnect item from Shut Down dialog

        Set path for TS Roaming Profiles
        TS User Home Directory
        Remote control settings
        Start a program on connection
  Client/Server data redirection
        Do not allow clipboard redirection
        Do not allow smart card device redirection
        Allow audio redirection
        Do not allow COM port redirection
        Do not allow client printer redirection
        Do not allow LPT port redirection
        Do not allow drive redirection
       Do not set default client printer to be default
       printer in a session
  Encryption and Security
       Always prompt client for password upon
       connection
       Set client connection encryption level
  Licensing
       Prevent license upgrade
  Temporary folders
       Do not use temp folders per session
       Do not delete temp folder upon exit
  Session Directory
       Join Session Directory Active
       Session Directory Server
       Session Directory Cluster Name
  Sessions
       Set time limit for disconnected sessions
       Set time limit for active sessions
       Set time limit for idle sessions
       Allow reconnection from original client only
       Terminate session when time limits are reached

Windows Installer
      Disable Windows Installer
      Always install with elevated privileges
      Prohibit rollback
      Remove browse dialog box for new source
      Prohibit patching
      Disable IE security prompt for Windows Installer
      scripts
      Enable user control over installs
      Enable user to browse for source while elevated

        Enable user to use media source while elevated

        Enable user to patch elevated products
        Allow admin to install from Terminal Services
        session
        Cache transforms in secure location on
        workstation
        Logging
        Prohibit User Installs
        Turn off creation of System Restore Checkpoints

Windows Messenger
      Do not allow Windows Messenger to be run
      Do not automatically start Windows Messenger
      initially
Windows Media
      Do Not Show First Use Dialog Boxes
         Prevent Desktop Shortcut Creation
         Prevent Quick Launch Toolbar Shortcut Creation

       Prevent Automatic Updates
       Prevent Video Smoothing
 Windows Update
       Configure Automatic Updates
       Specify intranet Microsoft update service location

System
         Display Shutdown Event Tracker
         Specify Windows installation file location
         Specify Windows Service Pack installation file
         location
         Remove Boot / Shutdown / Logon / Logoff status
         messages
         Verbose vs normal status messages
         Restrict these programs from being launched
         from Help
         Turn off Autoplay
         Do not automatically encrypt files moved to
         encrypted folders
         Download missing COM components
 User Profiles
         Do not check for user ownership of Roaming
         Profile Folders
         Delete cached copies of roaming profiles
         Do not detect slow network connections
         Slow network connection timeout for user
         profiles
         Wait for remote user profile
         Prompt user when slow link is detected
         Timeout for dialog boxes
         Log users off when roaming profile fails
         Maximum retries to unload and update user
         profile
         Add the Administrators security group to roaming
         user profiles
         Prevent Roaming Profile changes from
         propagating to the server
         Only allow local user profiles
 Scripts
         Run logon scripts synchronously
         Run startup scripts asynchronously
         Run startup scripts visible
         Run shutdown scripts visible
         Maximum wait time for Group Policy scripts
 Logon
         Don't display the Getting Started welcome
         screen at logon
       Always use classic logon
       Run these programs at user logon
       Do not process the run once list
       Do not process the legacy run list
       Always wait for the network at computer startup
       and logon
Disk Quotas
       Enforce disk quotas
       Enforce disk quota limit
       Default quota limit and warning level
       Log event when quota limit exceeded
       Log event when quota warning level exceeded
       Apply policy to removable media
Net Logon
       Expected dial-up delay on logon
       Site Name
       Negative DC Discovery Cache Setting
       Initial DC Discovery Retry Setting for
       Background Callers
       Maximum DC Discovery Retry Interval Setting
       for Background Callers
       Final DC Discovery Retry Setting for Background
       Callers
       Positive Periodic DC Cache Refresh for
       Background Callers
       Positive Periodic DC Cache Refresh for Non-
       Background Callers
       Scavenge Interval
       Contact PDC on logon failure
       Log File Debug Output Level
       Maximum Log File Size
       Sysvol share compatibility
       Netlogon share compatibility
  DC Locator DNS Records
       Dynamic Registration of the DC Locator DNS
       Records
       DC Locator DNS records not registered by the
       DCs
       Refresh Interval of the DC Locator DNS Records

        Weight Set in the DC Locator DNS SRV Records

        Priority Set in the DC Locator DNS SRV Records

        TTL Set in the DC Locator DNS Records
        Automated Site Coverage by the DC Locator
        DNS SRV Records
        Sites Covered by the DC Locator DNS SRV
        Records
       Sites Covered by the GC Locator DNS SRV
       Records
       Sites Covered by the Application Directory
       Partition Locator DNS SRV Records
       Location of the DCs hosting a domain with single
       label DNS name
Group Policy
       Turn off background refresh of Group Policy
       Group Policy refresh interval for computers
       Group Policy refresh interval for domain
       controllers
       User Group Policy loopback processing mode
       Group Policy slow link detection
       Turn off Resultant Set of Policy logging
       Remove users ability to invoke machine policy
       refresh
       Disallow Interactive Users from generating
       Resultant Set of Policy data
       Registry policy processing
       Internet Explorer Maintenance policy processing

        Software Installation policy processing
        Folder Redirection policy processing
        Scripts policy processing
        Security policy processing
        IP Security policy processing
        EFS recovery policy processing
        Disk Quota policy processing
Remote Assistance
        Solicited Remote Assistance
        Offer Remote Assistance
System Restore
        Turn off System Restore
        Turn off Configuration
Error Reporting
        Display Error Notification
        Report Errors
  Advanced Error Reporting settings
        Default application reporting settings
        List of applications to always report errors for
        List of applications to never report errors for
        Report operating system errors
        Report unplanned shutdown events
Windows File Protection
        Set Windows File Protection scanning
        Hide the file scan progress window
        Limit Windows File Protection cache size
        Specify Windows File Protection cache location
 Remote Procedure Call
          RPC Troubleshooting State Information
          Propagation of extended error information
 Windows Time Service
          Global Configuration Settings
   Time Providers
          Enable Windows NTP Client
          Configure Windows NTP Client
          Enable Windows NTP Server
Network
          Background Intelligent Transfer Service (BITS)
          inactive job timeout
          Sets how often a DFS Client discovers DC's
 DNS Client
          Primary DNS Suffix
          Dynamic Update
          DNS Suffix Search List
          Primary DNS Suffix Devolution
          Register PTR Records
          Registration Refresh Interval
          Replace Addresses In Conflicts
          DNS Servers
          Connection-Specific DNS Suffix
          Register DNS records with connection-specific
          DNS suffix
          TTL Set in the A and PTR records
          Update Security Level
          Update Top Level Domain Zones
 Offline Files
          Allow or Disallow use of the Offline Files feature

           Prohibit user configuration of Offline Files
           Synchronize all offline files when logging on
           Synchronize all offline files before logging off
           Synchronize offline files before suspend
           Default cache size
           Action on server disconnect
           Non-default server disconnect actions
           Remove 'Make Available Offline'
           Prevent use of Offline Files folder
           Files not cached
           Administratively assigned offline files
           Turn off reminder balloons
           Reminder balloon frequency
           Initial reminder balloon lifetime
           Reminder balloon lifetime
           At logoff, delete local copy of user’s offline files

           Event logging level
          Subfolders always available offline
          Encrypt the Offline Files cache
          Prohibit 'Make Available Offline' for these file and
          folders
          Configure Slow link speed
  Network Connections
          Prohibit use of Internet Connection Sharing on
          your DNS domain network
          Prohibit use of Internet Connection Firewall on
          your DNS domain network
          Prohibit installation and configuration of Network
          Bridge on your DNS domain network
          IEEE 802.1x Certificate Authority for Machine
          Authentication
  QoS Packet Scheduler
          Limit reservable bandwidth
          Limit outstanding packets
          Set timer resolution
    DSCP value of conforming packets
          Best effort service type
          Controlled load service type
          Guaranteed service type
          Network control service type
          Qualitative service type
    DSCP value of non-conforming packets
          Best effort service type
          Controlled load service type
          Guaranteed service type
          Network control service type
          Qualitative service type
    Layer-2 priority value
          Non-conforming packets
          Best effort service type
          Controlled load service type
          Guaranteed service type
          Network control service type
          Qualitative service type
  SNMP
          Communities
          Permitted Managers
          Traps for Public community
Printers
          Allow printers to be published
          Allow pruning of published printers
          Automatically publish new printers in Active
          Directory
          Check published state
          Computer location
              Custom support URL in the Printers folder's left
              pane
              Directory pruning interval
              Directory pruning priority
              Directory pruning retry
              Disallow installation of printers using kernel-
              mode drivers
              Log directory pruning retry events
              Pre-populate printer search location text
              Printer browsing
              Prune printers that are not automatically
              republished
              Web-based printing
User Configuration
 Software Settings
              Software installation
 Windows Settings
      Programs
   Scripts (Logon/Logoff)
   Security Settings
      Public Key Policies
        Enterprise Trust
   Internet Explorer Maintenance
      Browser User Interface
              Browser Title
              Custom Logo
              Browser Toolbar Buttons
      Connection
              Connection Settings
              Automatic Browser Configuration
              Proxy Settings
              User Agent String
      URLs
              Favorites and Links
              Important URLs
      Security
              Security Zones and Content Ratings
              Authenticode Settings
   Remote Installation Services
   Folder Redirection
      Application Data
      Desktop
      My Documents
        My Pictures
      Start Menu
 Administrative Templates
   Windows Components
      NetMeeting
              Enable Automatic Configuration
              Disable Directory services
        Prevent adding Directory servers
        Prevent viewing Web directory
        Set the intranet support Web page
        Set Call Security options
        Prevent changing Call placement method
        Prevent automatic acceptance of Calls
        Prevent sending files
        Prevent receiving files
        Limit the size of sent files
        Disable Whiteboard
        Disable NetMeeting 2.x Whiteboard
        Disable Chat
  Application Sharing
        Disable application Sharing
        Prevent Sharing
        Prevent Desktop Sharing
        Prevent Sharing Command Prompts
        Prevent Sharing Explorer windows
        Prevent Control
        Prevent Application Sharing in true color
  Audio & Video
        Limit the bandwidth of Audio and Video
        Disable Audio
        Disable full duplex Audio
        Prevent changing DirectSound Audio setting
        Prevent sending Video
        Prevent receiving Video
  Options Page
        Hide the General page
        Disable the Advanced Calling button
        Hide the Security page
        Hide the Audio page
        Hide the Video page
Internet Explorer
        Search: Disable Search Customization
        Search: Disable Find Files via F3 within the
        browser
        Disable external branding of Internet Explorer
        Disable importing and exporting of favorites
        Disable changing Advanced page settings
        Disable changing home page settings
        Use Automatic Detection for dial-up connections

        Disable caching of Auto-Proxy scripts
        Display error message on proxy script download
        failure
        Disable changing Temporary Internet files
        settings
        Disable changing history settings
      Disable changing color settings
      Disable changing link color settings
      Disable changing font settings
      Disable changing language settings
      Disable changing accessibility settings
      Disable Internet Connection wizard
      Disable changing connection settings
      Disable changing proxy settings
      Disable changing Automatic Configuration
      settings
      Disable changing ratings settings
      Disable changing certificate settings
      Disable changing Profile Assistant settings
      Disable AutoComplete for forms
      Do not allow AutoComplete to save passwords

      Disable changing Messaging settings
      Disable changing Calendar and Contact settings

      Disable the Reset Web Settings feature
      Disable changing default browser check
      Identity Manager: Prevent users from using
      Identities
      Configure Outlook Express
      Configure Media Explorer Bar
Internet Control Panel
      Disable the General page
      Disable the Security page
      Disable the Content page
      Disable the Connections page
      Disable the Programs page
      Disable the Privacy page
      Disable the Advanced page
Offline Pages
      Disable adding channels
      Disable removing channels
      Disable adding schedules for offline pages
      Disable editing schedules for offline pages
      Disable removing schedules for offline pages
      Disable offline page hit logging
      Disable all scheduled offline pages
      Disable channel user interface completely
      Disable downloading of site subscription content

      Disable editing and creating of schedule groups

     Subscription Limits
Browser menus
     File menu: Disable Save As... menu option
        File menu: Disable New menu option
        File menu: Disable Open menu option
        File menu: Disable Save As Web Page
        Complete
        File menu: Disable closing the browser and
        Explorer windows
        View menu: Disable Source menu option
        View menu: Disable Full Screen menu option
        Hide Favorites menu
        Tools menu: Disable Internet Options... menu
        option
        Help menu: Remove 'Tip of the Day' menu
        option
        Help menu: Remove 'For Netscape Users' menu
        option
        Help menu: Remove 'Send Feedback' menu
        option
        Disable Context menu
        Disable Open in New Window menu option
        Disable Save this program to disk option
 Toolbars
        Disable customizing browser toolbar buttons
        Disable customizing browser toolbars
        Configure Toolbar Buttons
 Persistence Behavior
        File size limits for Local Machine zone
        File size limits for Intranet zone
        File size limits for Trusted Sites zone
        File size limits for Internet zone
        File size limits for Restricted Sites zone
 Administrator Approved Controls
        Media Player
        Menu Controls
        Microsoft Agent
        Microsoft Chat
        Microsoft Survey Control
        Shockwave Flash
        NetShow File Transfer Control
        DHTML Edit Control
        Microsoft Scriptlet Component
        Carpoint
        Investor
        MSNBC
Application Compatibility
        Prevent access to 16-bit applications
Help and Support Center
        Do not allow "Did you know" content to appear

Windows Explorer
        Turn on Classic Shell
        Removes the Folder Options menu item from the Tools menu
        Remove File menu from Windows Explorer
        Remove "Map Network Drive" and "Disconnect Network Drive"
        Remove Search button from Windows Explorer
        Remove Windows Explorer's default context menu
        Hides the Manage item on the Windows Explorer context menu
        Allow only per user or approved shell extensions
        Do not track Shell shortcuts during roaming
        Hide these specified drives in My Computer
        Prevent access to drives from My Computer
        Remove Hardware tab
        Remove DFS tab
        Remove Security tab
        Remove UI to change menu animation setting
        Remove UI to change keyboard navigation indicator setting
        No "Computers Near Me" in My Network Places
        No "Entire Network" in My Network Places
        Maximum number of recent documents
        Do not request alternate credentials
        Request credentials for network installations
        Remove CD Burning features
        Do not move deleted files to the Recycle Bin
        Display confirmation dialog when deleting files
        Maximum allowed Recycle Bin size
        Remove Shared Documents from My Computer
        Turn off caching of thumbnail pictures
        Turn off Windows+X hotkeys
        Remove Publish to Web from File and Folder Tasks
        Prevent Internet download for Web Publishing and Online Ordering wizards
        Remove Order Prints from Picture Tasks
  Common Open File Dialog
        Items displayed in Places Bar
        Hide the common dialog places bar
        Hide the common dialog back button
        Hide the dropdown list of recent files
Microsoft Management Console
        Restrict the user from entering author mode
        Restrict users to the explicitly permitted list of snap-ins
  Restricted/Permitted snap-ins
      Active Directory Users and Computers
      Active Directory Domains and Trusts
      Active Directory Sites and Services
      ADSI Edit
      ActiveX Control
      Certificates
      Component Services
      Computer Management
      Device Manager
      Disk Management
      Disk Defragmenter
      Distributed File System
      Event Viewer
      FAX Service
      FrontPage Server Extensions
      Indexing Service
      Internet Authentication Service (IAS)
      Internet Information Services
      IP Security
      IP Security Policy Management
      IP Security Monitor
      Link to Web Address
      Local Users and Groups
      Performance Logs and Alerts
      QoS Admission Control
      Remote Desktops
      Removable Storage Management
      Routing and Remote Access
      Security Configuration and Analysis
      Security Templates
      Services
      Shared Folders
      System Information
      Telephony
      Terminal Services Configuration
      WMI Control
 Extension snap-ins
      AppleTalk Routing
      Certification Authority Policy Settings
      Connection Sharing (NAT)
      DCOM Configuration Extension
      Device Manager
      DHCP Relay Management
      Event Viewer
      Extended View (Web View)
      IAS Logging
       IGMP Routing
       IP Routing
       IPX RIP Routing
       IPX Routing
       IPX SAP Routing
       Logical and Mapped Drives
       OSPF Routing
       Public Key Policies
       RAS Dialin - User Node
       Remote Access
       Removable Storage
       RIP Routing
       Routing
       Shared Folders Ext
       Send Console Message
       Service Dependencies
       SMTP Protocol
       SNMP
       System Properties
   Group Policy
       Group Policy Management
       Group Policy Tab for Active Directory Tools
       Resultant Set of Policy snap-in
     Group Policy snap-in extensions
       Administrative Templates (Computers)
       Administrative Templates (Users)
       Folder Redirection
       Internet Explorer Maintenance
       Remote Installation Services
       Scripts (Logon/Logoff)
       Scripts (Startup/Shutdown)
       Security Settings
       Software Installation (Computers)
       Software Installation (Users)
     Resultant Set of Policy snap-in
       Administrative Templates (Computers)
       Administrative Templates (Users)
       Folder Redirection
       Internet Explorer Maintenance
       Scripts (Logon/Logoff)
       Scripts (Startup/Shutdown)
       Security Settings
       Software Installation (Computers)
       Software Installation (Users)
Task Scheduler
       Hide Property Pages
       Prevent Task Run or End
       Prohibit Drag-and-Drop
       Prohibit New Task Creation
        Prohibit Task Deletion
        Remove Advanced Menu
        Prohibit Browse
Terminal Services
        Start a program on connection
        Remote control settings
  Sessions
        Set time limit for disconnected sessions
        Set time limit for active sessions
        Set time limit for idle sessions
        Allow reconnection from original client only
        Terminate session when time limits are reached
Windows Installer
        Always install with elevated privileges
        Search order
        Prohibit rollback
        Prevent removable media source for any install
Windows Messenger
        Do not allow Windows Messenger to be run
        Do not automatically start Windows Messenger initially
Windows Update
        Remove access to use all Windows Update features
Windows Media Player
        Prevent CD and DVD Media Information Retrieval
        Prevent Music File Media Information Retrieval
  User Interface
        Hide Privacy Tab
        Hide Security Tab
        Set and Lock Skin
        Do Not Show Anchor
  Playback
        Prevent Codec Download
        Allow Screen Saver
  Networking
        Hide Network Tab
        Streaming Media Protocols
        Configure HTTP Proxy
        Configure MMS Proxy
        Configure RTSP Proxy
        Configure Network Buffering
Start Menu & Taskbar
        Remove user's folders from the Start Menu
        Remove links and access to Windows Update
        Remove common program groups from Start Menu
        Remove My Documents icon from Start Menu
        Remove Documents menu from Start Menu
        Remove programs on Settings menu
        Remove Network Connections from Start Menu
        Remove Favorites menu from Start Menu
        Remove Search menu from Start Menu
        Remove Help menu from Start Menu
        Remove Run menu from Start Menu
        Remove My Pictures icon from Start Menu
        Remove My Music icon from Start Menu
        Remove My Network Places icon from Start Menu
        Add Logoff to the Start Menu
        Remove Logoff on the Start Menu
        Remove and prevent access to the Shut Down command
        Remove Drag-and-drop context menus on the Start Menu
        Prevent changes to Taskbar and Start Menu Settings
        Remove access to the context menus for the taskbar
        Do not keep history of recently opened documents
        Clear history of recently opened documents on exit
        Turn off personalized menus
        Turn off user tracking
        Add "Run in Separate Memory Space" check box to Run dialog box
        Do not use the search-based method when resolving shell shortcuts
        Do not use the tracking-based method when resolving shell shortcuts
        Gray unavailable Windows Installer programs Start Menu shortcuts
        Prevent grouping of taskbar items
        Turn off notification area cleanup
        Lock the Taskbar
        Force classic Start Menu
        Remove Balloon Tips on Start Menu items
        Remove pinned programs list from the Start Menu
        Remove frequent programs list from the Start Menu
        Remove All Programs list from the Start menu
        Remove and disable the Turn Off Computer button
        Remove the "Undock PC" button from the Start Menu
        Remove user name from Start Menu
        Remove Clock from the system notification area
        Hide the notification area
        Do not display any custom toolbars in the taskbar
Desktop
        Hide and disable all items on the desktop
        Remove My Documents icon on the desktop
        Remove My Computer icon on the desktop
        Remove Recycle Bin icon from desktop
        Remove Properties from the My Documents context menu
        Remove Properties from the My Computer context menu
        Remove Properties from the Recycle Bin context menu
        Hide My Network Places icon on desktop
        Hide Internet Explorer icon on desktop
        Do not add shares of recently opened documents to My Network Places
        Prohibit user from changing My Documents path
        Prevent adding, dragging, dropping and closing the Taskbar's toolbars
        Prohibit adjusting desktop toolbars
        Don't save settings at exit
        Remove the Desktop Cleanup Wizard
  Active Desktop
        Enable Active Desktop
        Disable Active Desktop
        Disable all items
        Prohibit changes
        Prohibit adding items
        Prohibit deleting items
        Prohibit editing items
        Prohibit closing items
        Add/Delete items
        Active Desktop Wallpaper
        Allow only bitmapped wallpaper
  Active Directory
        Maximum size of Active Directory searches
        Enable filter in Find dialog box
        Hide Active Directory folder
Control Panel
        Prohibit access to the Control Panel
        Hide specified Control Panel applets
        Show only specified Control Panel applets
        Force classic Control Panel Style
  Add/Remove Programs
        Remove Add/Remove Programs
        Hide Change or Remove Programs page
        Hide Add New Programs page
        Hide Add/Remove Windows Components page
        Hide the "Add a program from CD-ROM or floppy disk" option
        Hide the "Add programs from Microsoft" option
        Hide the "Add programs from your network" option
        Go directly to Components Wizard
        Remove Support Information
        Specify default category for Add New Programs
  Display
        Remove Display in Control Panel
        Hide Desktop tab
        Prevent changing wallpaper
        Hide Appearance and Themes tab
        Hide Settings tab
        Hide Screen Saver tab
        Screen Saver
        Screen Saver executable name
        Password protect the screen saver
        Screen Saver timeout
    Desktop Themes
        Remove Theme option
        Prevent selection of windows and buttons styles
        Prohibit selection of font size
        Prohibit Theme color selection
        Load a specific visual style file or force Windows Classic
  Printers
        Browse a common web site to find printers
        Browse the network to find printers
        Default Active Directory path when searching for printers
        Point and Print Restrictions
        Prevent addition of printers
        Prevent deletion of printers
  Regional Options
        Restrict selection of Windows menus and dialogs language
Shared Folders
        Allow shared folders to be published
        Allow DFS roots to be published
Network
  Offline Files
        Prohibit user configuration of Offline Files
        Synchronize all offline files when logging on
        Synchronize all offline files before logging off
        Synchronize offline files before suspend
        Action on server disconnect
        Non-default server disconnect actions
        Remove 'Make Available Offline'
        Prevent use of Offline Files folder
        Administratively assigned offline files
        Turn off reminder balloons
        Reminder balloon frequency
        Initial reminder balloon lifetime
        Reminder balloon lifetime
        Event logging level
        Prohibit 'Make Available Offline' for these file and folders
        Do not automatically make redirected folders available offline
  Network Connections
        Ability to rename LAN connections or remote access connections available to all users
        Prohibit access to properties of components of a LAN connection
        Prohibit access to properties of components of a remote access connection
        Prohibit TCP/IP advanced configuration
        Prohibit access to the Advanced Settings item on the Advanced menu
        Prohibit adding and removing components for a LAN or remote access connection
        Prohibit access to properties of a LAN connection
        Prohibit Enabling/Disabling components of a LAN connection
        Ability to change properties of an all user remote access connection
        Prohibit changing properties of a private remote access connection
        Prohibit deletion of remote access connections
        Ability to delete all user remote access connections
        Prohibit connecting and disconnecting a remote access connection
        Ability to Enable/Disable a LAN connection
        Prohibit access to the New Connection Wizard
        Ability to rename LAN connections
        Ability to rename all user remote access
        Prohibit renaming private remote access
        Prohibit access to the Dial-up Preferences item
        Prohibit viewing of status for an active
        Enable Windows 2000 Network Connections settings for Administrators
System
        Don't display the Getting Started welcome screen at logon
        Century interpretation for Year 2000
        Configure driver search locations
        Code signing for device drivers
        Custom user interface
        Prevent access to the command prompt
        Prevent access to registry editing tools
        Run only allowed Windows applications
        Don't run specified Windows applications
        Turn off Autoplay
        Restrict these programs from being launched from Help
        Download missing COM components
        Windows Automatic Updates
  User Profiles
        Connect home directory to root of the share
        Limit profile size
        Exclude directories in roaming profile
  Scripts
        Run logon scripts synchronously
        Run legacy logon scripts hidden
        Run logon scripts visible
        Run logoff scripts visible
  Ctrl+Alt+Del Options
        Remove Task Manager
        Remove Lock Computer
        Remove Change Password
        Remove Logoff
  Logon
        Run these programs at user logon
        Do not process the run once list
        Do not process the legacy run list
  Group Policy
        Group Policy refresh interval for users
        Group Policy slow link detection
        Group Policy domain controller selection
        Create new Group Policy object links disabled by default
        Default name for new Group Policy objects
        Enforce Show Policies Only
        Turn off automatic update of ADM files
        Disallow Interactive Users from generating Resultant Set of Policy data
  Power Management
        Prompt for password on resume from hibernate / suspend
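The System, Ctrl+Alt+Del Options and Windows Explorer policies listed above (Prevent access to the command prompt, Prevent access to registry editing tools, Run only allowed Windows applications, Don't run specified Windows applications, Turn off Autoplay, Remove Task Manager, the drive-hiding settings) are the user-lockdown settings an auditor or a tester most often has to verify on a client. The PowerShell below is an added example, not part of the original spreadsheet: it reads the HKCU Policies registry values those User Configuration settings are stored under and reports which ones are enforced for the current user. The registry value names are the well-known ones for each policy and are not taken from this document; the function names are mine. It targets PowerShell 2.0, the last version supported on Windows XP SP3.

```powershell
# Added example (not from the original spreadsheet): report which of the
# user-lockdown policies above are enforced for the current user.
# Group Policy stores these User Configuration settings under the HKCU
# Policies key; the value names below are the well-known ones for each
# policy and are an assumption of this example, not taken from the document.
# Written for PowerShell 2.0 (Windows XP SP3).

$PolicyBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

# Policy name as shown in the Group Policy Editor -> registry location.
# A missing value or 0 means the policy is not enforced.
$LockdownPolicies = @(
    @{ Policy = 'Prevent access to registry editing tools';    Key = 'System';   Value = 'DisableRegistryTools' },
    @{ Policy = 'Prevent access to the command prompt';        Key = 'System';   Value = 'DisableCMD' },
    @{ Policy = 'Remove Task Manager';                         Key = 'System';   Value = 'DisableTaskMgr' },
    @{ Policy = 'Remove Lock Computer';                        Key = 'System';   Value = 'DisableLockWorkstation' },
    @{ Policy = 'Remove Change Password';                      Key = 'System';   Value = 'DisableChangePassword' },
    @{ Policy = 'Remove Run menu from Start Menu';             Key = 'Explorer'; Value = 'NoRun' },
    @{ Policy = 'Hide these specified drives in My Computer';  Key = 'Explorer'; Value = 'NoDrives' },
    @{ Policy = 'Prevent access to drives from My Computer';   Key = 'Explorer'; Value = 'NoViewOnDrive' },
    @{ Policy = 'Turn off Autoplay';                           Key = 'Explorer'; Value = 'NoDriveTypeAutoRun' },
    @{ Policy = 'Run only allowed Windows applications';       Key = 'Explorer'; Value = 'RestrictRun' },
    @{ Policy = "Don't run specified Windows applications";    Key = 'Explorer'; Value = 'DisallowRun' }
)

# Read one policy value; $null when the key or value does not exist.
function Get-PolicyValue([string]$Key, [string]$Value) {
    $props = Get-ItemProperty -Path (Join-Path $PolicyBase $Key) -ErrorAction SilentlyContinue
    if ($props -eq $null) { return $null }
    return $props.$Value
}

# RestrictRun / DisallowRun keep their program lists in a subkey of the
# same name whose values are named "1", "2", ... and hold bare exe names.
function Get-PolicyProgramList([string]$SubKey) {
    $k = Get-Item -Path (Join-Path "$PolicyBase\Explorer" $SubKey) -ErrorAction SilentlyContinue
    if ($k -eq $null) { return @() }
    return @($k.GetValueNames() | ForEach-Object { $k.GetValue($_) })
}

# NoDrives / NoViewOnDrive are bitmasks: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:.
function ConvertFrom-DriveMask([int]$Mask) {
    $letters = 0..25 | Where-Object { $Mask -band [int][math]::Pow(2, $_) } |
        ForEach-Object { ([string][char](65 + $_)) + ':' }
    return ($letters -join ' ')
}

function Get-UserLockdownPolicy {
    foreach ($p in $LockdownPolicies) {
        $v = Get-PolicyValue $p.Key $p.Value
        $detail = ''
        if ($p.Value -eq 'RestrictRun' -or $p.Value -eq 'DisallowRun') {
            $detail = (Get-PolicyProgramList $p.Value) -join ', '
        } elseif ($p.Value -eq 'NoDrives' -or $p.Value -eq 'NoViewOnDrive') {
            if ($v) { $detail = ConvertFrom-DriveMask $v }
        } elseif ($p.Value -eq 'NoDriveTypeAutoRun' -and $v -eq 0xFF) {
            $detail = 'all drive types'
        }
        New-Object PSObject -Property @{
            Policy   = $p.Policy
            Registry = "$PolicyBase\$($p.Key)\$($p.Value)"
            Value    = $v
            Enforced = [bool]$v
            Detail   = $detail
        }
    }
}

Get-UserLockdownPolicy | Format-Table Policy, Enforced, Value, Detail -AutoSize
```

Two caveats a reviewer should keep in mind. RestrictRun and DisallowRun match on the bare file name and are enforced by Explorer when it launches a program, so they are a usability control rather than a security boundary: a renamed copy of cmd.exe, or a program started by anything other than the shell, is not blocked, and Prevent access to registry editing tools is likewise honoured by regedit itself, not by the registry. Enforcement belongs to Software Restriction Policies and NTFS permissions. Second, check the corresponding HKLM Policies key too: the Computer Configuration versions of several of these settings live there, and machine policy takes precedence over user policy where both are set.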
Domain Member Windows XP Effective Default Settings (column values, one per row, in row order)
24 passwords remembered
42 days
1 days
7 characters
Enabled
Disabled
Not defined
0 invalid login attempts
Not defined
Not applicable
Not applicable
Not applicable
Not applicable
Not applicable
No auditing
No auditing
No auditing
No auditing
No auditing
No auditing
No auditing
No auditing
No auditing
Backup Operators, Power Users, Users, Administrators, Everyone
Not defined
Not defined
LOCAL SERVICE, NETWORK SERVICE, Administrators
Administrators, Remote Desktop Users
Administrators, Backup Operators
Everyone, Administrators, Users, Power Users, Backup Operators
Administrators, Power Users
Administrators
Not defined
Not defined
Not defined
Administrators
Support_xxxxxxxx, Guest
Not defined
Not defined
Support_xxxxxxxx, Guest
Not defined
Not defined
Administrators
LOCAL SERVICE, NETWORK SERVICE
Administrators
Administrators
Not defined
Support_xxxxxxxx
NETWORK SERVICE
Administrators, Users, Power Users, Backup Operators
Administrators
Administrators
Administrators
Administrators, Power Users
Administrators
Administrators, Power Users
LOCAL SERVICE, NETWORK SERVICE
Administrators, Backup Operators
Administrators, Power Users, Backup Operators
Not defined
Administrators
Enabled
Disabled
Enabled
Administrator
Guest
Disabled
Disabled
Disabled
Enabled
Administrators
Disabled
Disabled
Disabled
Warn but allow installation
Not defined
Not defined
Not defined
Enabled
Enabled
Enabled
Disabled
30 days
Disabled
Disabled
Not defined
Not defined
Not defined
10 logons
14 days
Disabled
No Action
Disabled
Enabled
Disabled
15 minutes
Disabled
Disabled
Enabled
0
Disabled
0
0
Disabled
Enabled
Enabled
Disabled
Enabled
Disabled
Disabled
5
5
7200000
No additional protection, source routed packets are allowed
0 (not configured)
No additional protection, use default settings
3 & 6 seconds, half-open connections dropped after 21 seconds
5
Disabled
Disabled
Enabled
Disabled
Disabled
Disabled
COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, TrkSvr
System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows
COMCFG, DFS$
Guest only - local users authenticate as Guest
Disabled
Disabled
Send LM & NTLM responses
Negotiate signing
No minimum
No minimum
Disabled
Disabled
Enabled
Disabled
Disabled
Object creator
Enabled
Enabled
512 KB
512 KB
512 KB
Enabled
Enabled
Enabled
7 days
7 days
7 days
Overwrite events older than
Overwrite events older than
Overwrite events older than
Full Service Name | Service Name | Domain Member Windows XP Startup Type | Stand-Alone Windows XP Startup Type
Alerter | Alerter | Manual | Manual
Application Layer Gateway Service | ALG | Manual | Manual
Application Management | AppMgmt | Manual | Manual
Automatic Updates | wuauserv | Automatic | Automatic
Background Intelligent Transfer Service | BITS | Manual | Manual
ClipBook | ClipSrv | Manual | Manual
COM+ Event System | EventSystem | Manual | Manual
COM+ System Application | COMSysApp | Manual | Manual
Computer Browser | Browser | Automatic | Automatic
Cryptographic Services | CryptSvc | Automatic | Automatic
DHCP Client | Dhcp | Automatic | Automatic
Distributed Link Tracking Client | TrkWks | Automatic | Automatic
Distributed Transaction Coordinator | MSDTC | Manual | Manual
DNS Client | Dnscache | Automatic | Automatic
Error Reporting Service | ERSvc | Automatic | Automatic
Event Log | Eventlog | Automatic | Automatic
Fast User Switching Compatibility | FastUserSwitchingCompatibility | Manual | Manual
Help and Support | helpsvc | Automatic | Automatic
Human Interface Device Access | HidServ | Disabled | Disabled
IMAPI CD-Burning COM Service | ImapiService | Manual | Manual
Indexing Service | cisvc | Manual | Manual
Infrared Monitor | Irmon | | 
Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) | SharedAccess | Manual | Automatic
Internet Connection Sharing | | Not installed | Not installed
IPSec Services | PolicyAgent | Automatic | Automatic
Logical Disk Manager | dmserver | Automatic | Automatic
Logical Disk Manager Administrative Service | dmadmin | Manual | Manual
Messenger | Messenger | Automatic | Automatic
MS Software Shadow Copy Provider | SwPrv | Manual | Manual
Netlogon | Netlogon | Automatic | Manual
NetMeeting Remote Desktop Sharing | mnmsrvc | Manual | Manual
Network Connections | Netman | Manual | Manual
Network DDE | NetDDE | Manual | Manual
Network DDE DSDM | NetDDEdsdm | Manual | Manual
Network Location Awareness (NLA) | NLA | Manual | Manual
NTLM Security Support Provider | NtLmSsp | Manual | Manual
Performance Logs and Alerts | SysmonLog | Manual | Manual
Plug and Play | PlugPlay | Automatic | Automatic
Portable Media Serial Number | WmdmPmSN | Automatic | Automatic
Print Spooler | Spooler | Automatic | Automatic
Protected Storage | ProtectedStorage | Automatic | Automatic
QoS RSVP | | Manual | Manual
Remote Access Auto Connection Manager | RasAuto | Manual | Manual
Remote Access Connection Manager | RasMan | Manual | Manual
Remote Desktop Help Session Manager | RDSessMgr | Manual | Manual
Remote Procedure Call (RPC) | RpcSs | Automatic | Automatic
Remote Procedure Call (RPC) Locator | RpcLocator | Manual | Manual
Remote Registry Service | RemoteRegistry | Automatic | Automatic
Removable Storage | NtmsSvc | Manual | Manual
Routing and Remote Access | RemoteAccess | Disabled | Disabled
Secondary Logon | seclogon | Automatic | Automatic
Security Accounts Manager | SamSs | Automatic | Automatic
Server | lanmanserver | Automatic | Automatic
Shell Hardware Detection | ShellHWDetection | Automatic | Automatic
Smart Card | SCardSvr | Automatic | Automatic
Smart Card Helper | | Manual | Manual
SSDP Discovery Service | | Manual | Manual
System Event Notification | SENS | Automatic | Automatic
System Restore Service | | Automatic | Automatic
Task Scheduler | Schedule | Automatic | Automatic
TCP/IP NetBIOS Helper Service | LMHosts | Automatic | Automatic
Telephony | TapiSrv | Manual | Manual
Telnet | TlntSvr | Disabled | Disabled
Terminal Services | TermService | Manual | Manual
Themes | Themes | Automatic | Automatic
Uninterruptible Power Supply | UPS | Manual | Manual
Upload Manager | Uploadmgr | Manual | Manual
Universal Plug and Play Device Host | | Manual | Manual
Volume Shadow Copy | VSS | Manual | Manual
WebClient | WebClient | Automatic | Automatic
Windows Audio | AudioSrv | Automatic | Automatic
Windows Image Acquisition (WIA) | StiSvc | Manual | Manual
Windows Installer | MSIServer | Manual | Manual
Windows Management Instrumentation | winmgmt | Automatic | Automatic
Windows Management Instrumentation Driver Extensions | Wmi | Automatic | Manual
Windows Time | W32Time | Automatic | Automatic
Wireless Configuration | WZCSVC | Automatic | Automatic
WMI Performance Adapter | WmiApSrv | Manual | Manual
Workstation | lanmanworkstation | Automatic | Automatic
Logon As (account each service logs on as; column values listed in the row order of the table above)
Local Service
Local Service

Local System

Local System
Network Service


Local System
Local System

Local System

Local System
Local System

Network Service
Local System

Network Service


Network Service
Local System

Local System
Local System

Local System
Local System

Local System

Local System

Local System




Local System

Local System
Local System
Local System




Local System
Local System


Local System
Local System

Local System

Local System
Local System
Local System

Local System

Network Service

Local System
Local System

Local System
Local System
Local System
Local System


Local System

Local System


Local System

Network Service

Local Service

Local System
Local System

Local System
Local System

Local System
Local System
Local Service
Local Service
Local Service

Local System

Local System

Local System
Local Service

Local System
Local System
Local System
Local System
Local Service

Local System
Local System

Local System

Local Service
Local System
Local Service

Local System
Local System


Local System




Local System
Local System

Local System

Local System
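The two startup-type columns in the services table are a baseline that a hardening review or an incident responder can compare a machine against. The PowerShell below is an added example, not part of the original spreadsheet: it embeds a representative subset of the table (service short names and both startup-type columns, copied from the rows above; extend the hashtable from the full table as needed), queries the live service configuration through WMI, and flags any service whose start type is less restrictive than the baseline. The profile names DomainMember and StandAlone and the function names are mine; PowerShell 2.0, the last version supported on Windows XP SP3, is assumed.

```powershell
# Added example (not from the original spreadsheet): compare a live
# Windows XP machine's service start types against the defaults tabulated
# above. Service short names and the Domain Member / Stand-Alone start
# types are copied from the table; only a subset is embedded here.
# Profile names and function names are this example's own.
# Written for PowerShell 2.0 (Windows XP SP3).

# Service short name -> expected start type per column of the table.
$Baseline = @{
    'Alerter'        = @{ DomainMember = 'Manual';    StandAlone = 'Manual' }
    'wuauserv'       = @{ DomainMember = 'Automatic'; StandAlone = 'Automatic' }
    'Browser'        = @{ DomainMember = 'Automatic'; StandAlone = 'Automatic' }
    'HidServ'        = @{ DomainMember = 'Disabled';  StandAlone = 'Disabled' }
    'SharedAccess'   = @{ DomainMember = 'Manual';    StandAlone = 'Automatic' }
    'Messenger'      = @{ DomainMember = 'Automatic'; StandAlone = 'Automatic' }
    'Netlogon'       = @{ DomainMember = 'Automatic'; StandAlone = 'Manual' }
    'RemoteRegistry' = @{ DomainMember = 'Automatic'; StandAlone = 'Automatic' }
    'RemoteAccess'   = @{ DomainMember = 'Disabled';  StandAlone = 'Disabled' }
    'TlntSvr'        = @{ DomainMember = 'Disabled';  StandAlone = 'Disabled' }
    'TermService'    = @{ DomainMember = 'Manual';    StandAlone = 'Manual' }
    'WebClient'      = @{ DomainMember = 'Automatic'; StandAlone = 'Automatic' }
    'Wmi'            = @{ DomainMember = 'Automatic'; StandAlone = 'Manual' }
}

# WMI reports 'Auto' where the table says 'Automatic'; normalise to the table's wording.
function ConvertTo-TableStartType([string]$WmiStartMode) {
    switch ($WmiStartMode) {
        'Auto'  { 'Automatic' }
        default { $WmiStartMode }
    }
}

# Rank start types so "less restrictive than baseline" can be detected.
$Rank = @{ 'Disabled' = 0; 'Manual' = 1; 'Automatic' = 2 }

function Test-ServiceBaseline {
    param(
        [ValidateSet('DomainMember', 'StandAlone')]
        [string]$Profile = 'DomainMember',
        # Win32_Service instances; defaults to the local machine, but a saved
        # export can be passed in for offline review of an image.
        [object[]]$Services = (Get-WmiObject -Class Win32_Service)
    )
    foreach ($svc in $Services) {
        if (-not $Baseline.ContainsKey($svc.Name)) { continue }
        $expected = $Baseline[$svc.Name][$Profile]
        $actual   = ConvertTo-TableStartType $svc.StartMode
        $status   = 'OK'
        if ($actual -ne $expected) {
            if ($Rank[$actual] -gt $Rank[$expected]) { $status = 'LESS RESTRICTIVE' }
            else { $status = 'DIFFERS' }
        }
        New-Object PSObject -Property @{
            Service  = $svc.Name
            Expected = $expected
            Actual   = $actual
            LogonAs  = $svc.StartName
            State    = $svc.State
            Status   = $status
        }
    }
}

# Usage: show only drift, with the weakening changes first.
Test-ServiceBaseline -Profile DomainMember |
    Where-Object { $_.Status -ne 'OK' } |
    Sort-Object Status |
    Format-Table Service, Expected, Actual, LogonAs, State, Status -AutoSize
```

Services the table ships as Disabled (Telnet, Routing and Remote Access, Human Interface Device Access) that come back as Manual or Automatic are the findings to chase first. Note also what the baseline itself permits: Messenger and Remote Registry Service start automatically on a stock XP client, so a machine that matches this table is at the Windows default, not in a hardened state, and most hardening guides set both to Disabled. The LogonAs column is reported for context only; the script checks start types, not logon accounts.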

				