| AE-PO-WIN-SEC-C-CIS_Security_Options | |
| Data collected on: 2-9-2025 09:01:35 | |
| Domain | emea.tpg.ads |
| Owner | EMEA\ygalal.5 |
| Created | 12-2-2017 16:00:42 |
| Modified | 9-2-2023 14:45:58 |
| User Revisions | 3 (AD), 3 (SYSVOL) |
| Computer Revisions | 79 (AD), 79 (SYSVOL) |
| Unique ID | {2025ba8f-993b-4243-8f2d-fe0e45aa26a4} |
| GPO Status | Enabled |
| Location | Enforced | Link Status | Path |
|---|---|---|---|
| DXB | No | Enabled | emea.tpg.ads/AE/Systems/Servers/DXB |
| Name |
|---|
| NT AUTHORITY\Authenticated Users |
| Name | Allowed Permissions | Inherited |
|---|---|---|
| EMEA\Domain Admins | Edit settings, delete, modify security | No |
| EMEA\ygalal.5 | Edit settings, delete, modify security | No |
| NT AUTHORITY\Authenticated Users | Read (from Security Filtering) | No |
| NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read | No |
| NT AUTHORITY\SYSTEM | Edit settings, delete, modify security | No |
| ROOT\Enterprise Admins | Edit settings, delete, modify security | No |
| S-1-5-21-513466819-3096973226-347852806-367117 | Edit settings, delete, modify security | No |
| Policy | Setting |
|---|---|
| Enforce password history | 24 passwords remembered |
| Maximum password age | 30 days |
| Minimum password age | 1 days |
| Minimum password length | 12 characters |
| Password must meet complexity requirements | Enabled |
| Store passwords using reversible encryption | Disabled |
| Policy | Setting |
|---|---|
| Account lockout duration | 60 minutes |
| Account lockout threshold | 5 invalid logon attempts |
| Reset account lockout counter after | 60 minutes |
| Policy | Setting |
|---|---|
| Enforce user logon restrictions | Enabled |
| Maximum lifetime for service ticket | 600 minutes |
| Maximum lifetime for user ticket | 10 hours |
| Maximum lifetime for user ticket renewal | 7 days |
| Maximum tolerance for computer clock synchronization | 5 minutes |
| Policy | Setting |
|---|---|
| Accounts: Guest account status | Disabled |
| Accounts: Limit local account use of blank passwords to console logon only | Enabled |
| Accounts: Rename administrator account | "TPLAdmin" |
| Accounts: Rename guest account | "TPUser" |
| Policy | Setting |
|---|---|
| Audit: Shut down system immediately if unable to log security audits | Disabled |
| Policy | Setting |
|---|---|
| Devices: Allowed to format and eject removable media | Administrators |
| Devices: Prevent users from installing printer drivers | Enabled |
| Policy | Setting |
|---|---|
| Domain controller: LDAP server signing requirements | Require signing |
| Domain controller: Refuse machine account password changes | Disabled |
| Policy | Setting |
|---|---|
| Domain member: Digitally encrypt or sign secure channel data (always) | Enabled |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled |
| Domain member: Digitally sign secure channel data (when possible) | Enabled |
| Domain member: Disable machine account password changes | Disabled |
| Domain member: Maximum machine account password age | 30 days |
| Domain member: Require strong (Windows 2000 or later) session key | Enabled |
| Policy | Setting |
|---|---|
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled |
| Interactive logon: Don't display last signed-in | Enabled |
| Interactive logon: Message text for users attempting to log on | This computer system (including all hardware, software, and peripheral equipment) is the property of Teleperformance. Use of this computer system is restricted to official Teleperformance business. Teleperformance reserves the right to monitor use of the computer system at any time. Use of this system constitutes consent to such monitoring. Any unauthorized access, use, or modification of the computer system can result in civil liability and/or criminal penalties |
| Interactive logon: Message title for users attempting to log on | "Warning Banner" |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 0 logons |
| Interactive logon: Prompt user to change password before expiration | 5 days |
| Interactive logon: Smart card removal behavior | Lock Workstation |
| Policy | Setting |
|---|---|
| Microsoft network client: Digitally sign communications (always) | Enabled |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled |
| Policy | Setting |
|---|---|
| Microsoft network server: Amount of idle time required before suspending session | 15 minutes |
| Microsoft network server: Digitally sign communications (always) | Enabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Enabled |
| Policy | Setting |
|---|---|
| Network access: Allow anonymous SID/Name translation | Disabled |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled |
| Network access: Let Everyone permissions apply to anonymous users | Disabled |
| Network access: Named Pipes that can be accessed anonymously | |
| Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion |
| Network access: Remotely accessible registry paths and sub-paths | Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib, System\CurrentControlSet\Services\SysmonLog |
| Network access: Restrict anonymous access to Named Pipes and Shares | Enabled |
| Network access: Shares that can be accessed anonymously | |
| Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves |
| Policy | Setting |
|---|---|
| Network security: Do not store LAN Manager hash value on next password change | Enabled |
| Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM |
| Network security: LDAP client signing requirements | Negotiate signing |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Enabled |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Enabled |
| Policy | Setting |
|---|---|
| Recovery console: Allow automatic administrative logon | Disabled |
| Recovery console: Allow floppy copy and access to all drives and all folders | Disabled |
| Policy | Setting |
|---|---|
| Shutdown: Allow system to be shut down without having to log on | Disabled |
| Policy | Setting |
|---|---|
| System objects: Require case insensitivity for non-Windows subsystems | Enabled |
| System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled |
| Policy | Setting |
|---|---|
| User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled |
| User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop |
| User Account Control: Behavior of the elevation prompt for standard users | Automatically deny elevation requests |
| User Account Control: Detect application installations and prompt for elevation | Enabled |
| User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
| User Account Control: Run all administrators in Admin Approval Mode | Enabled |
| User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
| User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
| Policy | Setting |
|---|---|
| Accounts: Block Microsoft accounts | Users can't add or log on with Microsoft accounts |
| Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled |
| Interactive logon: Machine inactivity limit | 300 seconds |
| Network security: Allow Local System to use computer identity for NTLM | Enabled |
| Network security: Allow LocalSystem NULL session fallback | Disabled |
| Network security: Allow PKU2U authentication requests to this computer to use online identities. | Disabled |
| Network security: Configure encryption types allowed for Kerberos | Enabled |