MSFT Windows 11 23H2 - Computer | |
Data collected on: 10/31/2023 5:42:54 AM |
Domain | security.local |
Owner | SECURITY\Domain Admins |
Created | 12/12/2019 5:55:34 AM |
Modified | 10/31/2023 5:28:16 AM |
User Revisions | 1 (AD), 1 (SYSVOL) |
Computer Revisions | 33 (AD), 33 (SYSVOL) |
Unique ID | {1B6AAB4D-20DC-4956-9439-DD15694E2B6A} |
GPO Status | User settings disabled |
Location | Enforced | Link Status | Path |
---|---|---|---|
MSFT Clients | No | Enabled | security.local/MSFT Clients |
SCT Windows 11 Client | No | Enabled | security.local/SCT Windows 11 Client |
Name |
---|
NT AUTHORITY\Authenticated Users |
Name | Allowed Permissions | Inherited |
---|---|---|
NT AUTHORITY\Authenticated Users | Read (from Security Filtering) | No |
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read | No |
NT AUTHORITY\SYSTEM | Edit settings, delete, modify security | No |
SECURITY\Domain Admins | Edit settings, delete, modify security | No |
SECURITY\Enterprise Admins | Edit settings, delete, modify security | No |
Policy | Setting |
---|---|
Access Credential Manager as a trusted caller | |
Access this computer from the network | BUILTIN\Administrators, BUILTIN\Remote Desktop Users |
Act as part of the operating system | |
Allow log on locally | BUILTIN\Administrators, BUILTIN\Users |
Back up files and directories | BUILTIN\Administrators |
Create a pagefile | BUILTIN\Administrators |
Create a token object | |
Create global objects | BUILTIN\Administrators, NT AUTHORITY\SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE |
Create permanent shared objects | |
Debug programs | BUILTIN\Administrators |
Deny access to this computer from the network | NT AUTHORITY\Local account |
Deny log on through Terminal Services | NT AUTHORITY\Local account |
Enable computer and user accounts to be trusted for delegation | |
Force shutdown from a remote system | BUILTIN\Administrators |
Impersonate a client after authentication | BUILTIN\Administrators, NT AUTHORITY\SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE |
Load and unload device drivers | BUILTIN\Administrators |
Lock pages in memory | |
Manage auditing and security log | BUILTIN\Administrators |
Modify firmware environment values | BUILTIN\Administrators |
Perform volume maintenance tasks | BUILTIN\Administrators |
Profile single process | BUILTIN\Administrators |
Restore files and directories | BUILTIN\Administrators |
Take ownership of files or other objects | BUILTIN\Administrators |
Policy | Setting |
---|---|
Accounts: Limit local account use of blank passwords to console logon only | Enabled |
Policy | Setting |
---|---|
Interactive logon: Smart card removal behavior | Lock Workstation |
Policy | Setting |
---|---|
Microsoft network client: Digitally sign communications (always) | Enabled |
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled |
Policy | Setting |
---|---|
Network access: Allow anonymous SID/Name translation | Disabled |
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled |
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled |
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled |
Policy | Setting | ||||
---|---|---|---|---|---|
Network security: Do not store LAN Manager hash value on next password change | Enabled | ||||
Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM | ||||
Network security: LDAP client signing requirements | Negotiate signing | ||||
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Enabled | ||||
| |||||
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Enabled | ||||
|
Policy | Setting |
---|---|
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled |
Policy | Setting |
---|---|
User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled |
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop |
User Account Control: Behavior of the elevation prompt for standard users | Automatically deny elevation requests |
User Account Control: Detect application installations and prompt for elevation | Enabled |
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
User Account Control: Run all administrators in Admin Approval Mode | Enabled |
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
Policy | Setting |
---|---|
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled |
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled |
Domain member: Digitally encrypt secure channel data (when possible) | Enabled |
Domain member: Digitally sign secure channel data (when possible) | Enabled |
Domain member: Require strong (Windows 2000 or later) session key | Enabled |
Interactive logon: Machine inactivity limit | 900 seconds |
Microsoft network server: Digitally sign communications (always) | Enabled |
Network access: Restrict clients allowed to make remote calls to SAM | "O:BAG:BAD:(A;;RC;;;BA)" |
Network security: Allow LocalSystem NULL session fallback | Disabled |
Policy | Setting |
---|---|
Policy version | 2.26 |
Disable stateful FTP | Not Configured |
Disable stateful PPTP | Not Configured |
IPsec exempt | Not Configured |
IPsec through NAT | Not Configured |
Preshared key encoding | Not Configured |
SA idle time | Not Configured |
Strong CRL check | Not Configured |
Policy | Setting |
---|---|
Firewall state | On |
Inbound connections | Block |
Outbound connections | Allow |
Apply local firewall rules | Not Configured |
Apply local connection security rules | Not Configured |
Display notifications | No |
Allow unicast responses | Not Configured |
Log dropped packets | Yes |
Log successful connections | Yes |
Log file path | Not Configured |
Log file maximum size (KB) | 16384 |
Policy | Setting |
---|---|
Firewall state | On |
Inbound connections | Block |
Outbound connections | Allow |
Apply local firewall rules | Not Configured |
Apply local connection security rules | Not Configured |
Display notifications | No |
Allow unicast responses | Not Configured |
Log dropped packets | Yes |
Log successful connections | Yes |
Log file path | Not Configured |
Log file maximum size (KB) | 16384 |
Policy | Setting |
---|---|
Firewall state | On |
Inbound connections | Block |
Outbound connections | Allow |
Apply local firewall rules | No |
Apply local connection security rules | No |
Display notifications | No |
Allow unicast responses | Not Configured |
Log dropped packets | Yes |
Log successful connections | Yes |
Log file path | Not Configured |
Log file maximum size (KB) | 16384 |
Policy | Setting |
---|---|
Audit Credential Validation | Success, Failure |
Policy | Setting |
---|---|
Audit Security Group Management | Success |
Audit User Account Management | Success, Failure |
Policy | Setting |
---|---|
Audit PNP Activity | Success |
Audit Process Creation | Success |
Policy | Setting |
---|---|
Audit Account Lockout | Failure |
Audit Group Membership | Success |
Audit Logon | Success, Failure |
Audit Other Logon/Logoff Events | Success, Failure |
Audit Special Logon | Success |
Policy | Setting |
---|---|
Audit Detailed File Share | Failure |
Audit File Share | Success, Failure |
Audit Other Object Access Events | Success, Failure |
Audit Removable Storage | Success, Failure |
Policy | Setting |
---|---|
Audit Audit Policy Change | Success |
Audit Authentication Policy Change | Success |
Audit MPSSVC Rule-Level Policy Change | Success, Failure |
Audit Other Policy Change Events | Failure |
Policy | Setting |
---|---|
Audit Sensitive Privilege Use | Success |
Policy | Setting |
---|---|
Audit Other System Events | Success, Failure |
Audit Security State Change | Success |
Audit Security System Extension | Success |
Audit System Integrity | Success, Failure |
Policy | Setting | Comment |
---|---|---|
Prevent enabling lock screen camera | Enabled | |
Prevent enabling lock screen slide show | Enabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Apply UAC restrictions to local accounts on network logons | Enabled | |||
Configure RPC packet level privacy setting for incoming connections | Enabled | |||
Configure SMB v1 client driver | Enabled | |||
| ||||
Policy | Setting | Comment | ||
Configure SMB v1 server | Disabled | |||
Enable Structured Exception Handling Overwrite Protection (SEHOP) | Enabled | |||
NetBT NodeType configuration | Enabled | |||
| ||||
Policy | Setting | Comment | ||
WDigest Authentication (disabling may require KB2871997) | Disabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) | Enabled | |||
| ||||
Policy | Setting | Comment | ||
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | Enabled | |||
| ||||
Policy | Setting | Comment | ||
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Disabled | |||
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Configure NetBIOS settings | Enabled | |||
| ||||
Policy | Setting | Comment | ||
Turn off multicast name resolution | Enabled |
Policy | Setting | Comment |
---|---|---|
Enable insecure guest logons | Disabled |
Policy | Setting | Comment |
---|---|---|
Prohibit use of Internet Connection Sharing on your DNS domain network | Enabled |
Policy | Setting | Comment | ||||||||
---|---|---|---|---|---|---|---|---|---|---|
Windows Defender Firewall: Allow logging | Enabled | |||||||||
| ||||||||||
Policy | Setting | Comment | ||||||||
Windows Defender Firewall: Prohibit notifications | Enabled | |||||||||
Windows Defender Firewall: Protect all network connections | Enabled |
Policy | Setting | Comment | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Hardened UNC Paths | Enabled | |||||||||||||||
|
Policy | Setting | Comment |
---|---|---|
Prohibit connection to non-domain networks when connected to domain authenticated network | Enabled |
Policy | Setting | Comment |
---|---|---|
Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services | Disabled |
Policy | Setting | Comment | ||||||
---|---|---|---|---|---|---|---|---|
Configure Redirection Guard | Enabled | |||||||
| ||||||||
Policy | Setting | Comment | ||||||
Configure RPC connection settings | Enabled | |||||||
| ||||||||
Policy | Setting | Comment | ||||||
Configure RPC listener settings | Enabled | |||||||
| ||||||||
Policy | Setting | Comment | ||||||
Configure RPC over TCP port | Enabled | |||||||
| ||||||||
Policy | Setting | Comment | ||||||
Limits print driver installation to Administrators | Enabled | |||||||
Manage processing of Queue-specific files | Enabled | |||||||
|
Policy | Setting | Comment | ||
---|---|---|---|---|
Encryption Oracle Remediation | Enabled | |||
| ||||
Policy | Setting | Comment | ||
Remote host allows delegation of non-exportable credentials | Enabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Boot-Start Driver Initialization Policy | Enabled | |||
|
Policy | Setting | Comment | ||||
---|---|---|---|---|---|---|
Configure registry policy processing | Enabled | |||||
|
Policy | Setting | Comment |
---|---|---|
Turn off downloading of print drivers over HTTP | Enabled | |
Turn off Internet download for Web publishing and online ordering wizards | Enabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Enumeration policy for external devices incompatible with Kernel DMA Protection | Enabled | |||
|
Policy | Setting | Comment | ||
---|---|---|---|---|
Configure password backup directory | Enabled | |||
| ||||
Policy | Setting | Comment | ||
Enable password backup for DSRM accounts | Enabled | |||
Enable password encryption | Enabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Allow Custom SSPs and APs to be loaded into LSASS | Disabled | |||
Configures LSASS to run as a protected process | Enabled | |||
|
Policy | Setting | Comment |
---|---|---|
Enumerate local users on domain-joined computers | Disabled | |
Turn on convenience PIN sign-in | Disabled |
Policy | Setting | Comment |
---|---|---|
Require a password when a computer wakes (on battery) | Enabled | |
Require a password when a computer wakes (plugged in) | Enabled |
Policy | Setting | Comment |
---|---|---|
Configure Solicited Remote Assistance | Disabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Restrict Unauthenticated RPC clients | Enabled | |||
|
Policy | Setting | Comment | ||
---|---|---|---|---|
Let Windows apps activate with voice while the system is locked | Enabled | |||
|
Policy | Setting | Comment |
---|---|---|
Allow Microsoft accounts to be optional | Enabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Disallow Autoplay for non-volume devices | Enabled | |||
Set the default behavior for AutoRun | Enabled | |||
| ||||
Policy | Setting | Comment | ||
Turn off Autoplay | Enabled | |||
|
Policy | Setting | Comment |
---|---|---|
Configure enhanced anti-spoofing | Enabled |
Policy | Setting | Comment |
---|---|---|
Turn off Microsoft consumer experiences | Enabled |
Policy | Setting | Comment |
---|---|---|
Enumerate administrator accounts on elevation | Disabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Specify the maximum log file size (KB) | Enabled | |||
|
Policy | Setting | Comment | ||
---|---|---|---|---|
Specify the maximum log file size (KB) | Enabled | |||
|
Policy | Setting | Comment | ||
---|---|---|---|---|
Specify the maximum log file size (KB) | Enabled | |||
|
Policy | Setting | Comment |
---|---|---|
Do not allow passwords to be saved | Enabled |
Policy | Setting | Comment |
---|---|---|
Do not allow drive redirection | Enabled |
Policy | Setting | Comment | ||||
---|---|---|---|---|---|---|
Always prompt for password upon connection | Enabled | |||||
Require secure RPC communication | Enabled | |||||
Set client connection encryption level | Enabled | |||||
|
Policy | Setting | Comment |
---|---|---|
Prevent downloading of enclosures | Enabled |
Policy | Setting | Comment |
---|---|---|
Allow indexing of encrypted files | Disabled |
Policy | Setting | Comment |
---|---|---|
Notify Malicious | Enabled | |
Notify Password Reuse | Enabled | |
Notify Unsafe App | Enabled | |
Service Enabled | Enabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Configure Windows Defender SmartScreen | Enabled | |||
|
Policy | Setting | Comment |
---|---|---|
Enables or disables Windows Game Recording and Broadcasting | Disabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Allow Windows Ink Workspace | Enabled | |||
|
Policy | Setting | Comment |
---|---|---|
Allow user control over installs | Disabled | |
Always install with elevated privileges | Disabled |
Policy | Setting | Comment |
---|---|---|
Enable MPR notifications for the system | Disabled | |
Sign-in and lock last interactive user automatically after a restart | Disabled |
Policy | Setting | Comment | ||
---|---|---|---|---|
Turn on PowerShell Script Block Logging | Enabled | |||
|
Policy | Setting | Comment |
---|---|---|
Allow Basic authentication | Disabled | |
Allow unencrypted traffic | Disabled | |
Disallow Digest authentication | Enabled |
Policy | Setting | Comment |
---|---|---|
Allow Basic authentication | Disabled | |
Allow unencrypted traffic | Disabled | |
Disallow WinRM from storing RunAs credentials | Enabled |