| CZ-PO-WIN-C-WINSRV Hardening FS | |
| Data collected on: 2-9-2025 09:59:04 | |
| Domain | emea.tpg.ads |
| Owner | S-1-5-21-513466819-3096973226-347852806-532605 |
| Created | 29-6-2021 22:20:04 |
| Modified | 4-4-2023 23:02:00 |
| User Revisions | 1 (AD), 1 (SYSVOL) |
| Computer Revisions | 13 (AD), 13 (SYSVOL) |
| Unique ID | {c9289681-2909-401f-a560-c26d96c06d5f} |
| GPO Status | Enabled |
| Location | Enforced | Link Status | Path |
|---|---|---|---|
| Servers | No | Enabled | emea.tpg.ads/CZ/Systems/Servers |
| Name |
|---|
| EMEA\CZ-G-ORG-Servers Hardening FS |
| Name | Allowed Permissions | Inherited |
|---|---|---|
| EMEA\CZ-G-ORG-OU Admins | Edit settings, delete, modify security | No |
| EMEA\CZ-G-ORG-Servers Hardening FS | Read (from Security Filtering) | No |
| EMEA\Domain Admins | Edit settings, delete, modify security | No |
| NT AUTHORITY\Authenticated Users | Read | No |
| NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read | No |
| NT AUTHORITY\SYSTEM | Edit settings, delete, modify security | No |
| ROOT\Enterprise Admins | Edit settings, delete, modify security | No |
| S-1-5-21-513466819-3096973226-347852806-532605 | Edit settings, delete, modify security | No |
| Policy | Setting |
|---|---|
| Audit account logon events | Success, Failure |
| Audit account management | Success, Failure |
| Audit directory service access | Success, Failure |
| Audit logon events | Success, Failure |
| Audit object access | Success, Failure |
| Audit policy change | Success, Failure |
| Audit privilege use | Success, Failure |
| Audit process tracking | Success, Failure |
| Audit system events | Success, Failure |
| Policy | Setting |
|---|---|
| Access this computer from the network | BUILTIN\Administrators, NT AUTHORITY\Authenticated Users |
| Adjust memory quotas for a process | BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE |
| Allow log on locally | BUILTIN\Administrators |
| Allow log on through Terminal Services | BUILTIN\Administrators |
| Change the system time | BUILTIN\Administrators |
| Create a pagefile | BUILTIN\Administrators |
| Deny access to this computer from the network | NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests |
| Force shutdown from a remote system | BUILTIN\Administrators |
| Generate security audits | NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE |
| Increase scheduling priority | BUILTIN\Administrators |
| Load and unload device drivers | BUILTIN\Administrators |
| Lock pages in memory | BUILTIN\Administrators |
| Manage auditing and security log | BUILTIN\Administrators |
| Modify firmware environment values | BUILTIN\Administrators |
| Perform volume maintenance tasks | BUILTIN\Administrators |
| Profile single process | BUILTIN\Administrators |
| Profile system performance | BUILTIN\Administrators |
| Remove computer from docking station | BUILTIN\Administrators |
| Restore files and directories | BUILTIN\Administrators |
| Shut down the system | BUILTIN\Administrators |
| Take ownership of files or other objects | BUILTIN\Administrators |
| Policy | Setting |
|---|---|
| Accounts: Limit local account use of blank passwords to console logon only | Enabled |
| Policy | Setting |
|---|---|
| Devices: Allowed to format and eject removable media | Administrators |
| Devices: Prevent users from installing printer drivers | Enabled |
| Policy | Setting |
|---|---|
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled |
| Domain member: Disable machine account password changes | Disabled |
| Domain member: Require strong (Windows 2000 or later) session key | Enabled |
| Policy | Setting |
|---|---|
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled |
| Interactive logon: Don't display last signed-in | Enabled |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 0 logons |
| Interactive logon: Require Domain Controller authentication to unlock workstation | Enabled |
| Policy | Setting |
|---|---|
| Microsoft network client: Digitally sign communications (always) | Enabled |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled |
| Policy | Setting |
|---|---|
| Microsoft network server: Digitally sign communications (always) | Enabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Enabled |
| Policy | Setting |
|---|---|
| Network access: Allow anonymous SID/Name translation | Disabled |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled |
| Network access: Let Everyone permissions apply to anonymous users | Disabled |
| Policy | Setting | ||||
|---|---|---|---|---|---|
| Network security: Do not store LAN Manager hash value on next password change | Enabled | ||||
| Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM | ||||
| Network security: LDAP client signing requirements | Require signing | ||||
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Enabled | ||||
| |||||
| Policy | Setting |
|---|---|
| System cryptography: Force strong key protection for user keys stored on the computer | User is prompted when the key is first used |
| Action | Update |
| Hive | HKEY_LOCAL_MACHINE |
| Key path | SYSTEM\CurrentControlSet\Control\Lsa |
| Value name | restrictanonymous |
| Value type | REG_DWORD |
| Value data | 0x1 (1) |
| Stop processing items on this extension if an error occurs on this item | No |
| Remove this item when it is no longer applied | No |
| Apply once and do not reapply | No |