Windows 2003 security options (DC policy)

Source: Internet; Published by: 股票技术分析知乎; Editor: 程序博客网; Time: 2024/05/17 23:02

| Policy | Security Setting |
| --- | --- |
| Accounts: Administrator account status | Enabled |
| Accounts: Guest account status | Disabled |
| Accounts: Limit local account use of blank passwords to console logon only | Enabled |
| Accounts: Rename administrator account | administrator |
| Accounts: Rename guest account | guest |
| Audit: Audit the access of global system objects | Disabled |
| Audit: Audit the use of Backup and Restore privilege | Disabled |
| Audit: Shut down system immediately if unable to log security audits | Disabled |
| DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax | Not Defined |
| DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax | Not Defined |
| Devices: Allow undock without having to log on | Enabled |
| Devices: Allowed to format and eject removable media | Administrators |
| Devices: Prevent users from installing printer drivers | Enabled |
| Devices: Restrict CD-ROM access to locally logged-on user only | Enabled |
| Devices: Restrict floppy access to locally logged-on user only | Enabled |
| Devices: Unsigned driver installation behavior | Do not allow installation |
| Domain controller: Allow server operators to schedule tasks | Disabled |
| Domain controller: LDAP server signing requirements | None |
| Domain controller: Refuse machine account password changes | Not Defined |
| Domain member: Digitally encrypt or sign secure channel data (always) | Disabled |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled |
| Domain member: Digitally sign secure channel data (when possible) | Enabled |
| Domain member: Disable machine account password changes | Disabled |
| Domain member: Maximum machine account password age | 30 days |
| Domain member: Require strong (Windows 2000 or later) session key | Disabled |
| Interactive logon: Display user information when the session is locked | Not Defined |
| Interactive logon: Do not display last user name | Disabled |
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled |
| Interactive logon: Message text for users attempting to log on | Lenovo internal systems can only be used for Lenovo business purposes or purposes approved by Lenovo management! |
| Interactive logon: Message title for users attempting to log on | Important Notice! |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 10 logons |
| Interactive logon: Prompt user to change password before expiration | 14 days |
| Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled |
| Interactive logon: Require smart card | Disabled |
| Interactive logon: Smart card removal behavior | Force Logoff |
| Microsoft network client: Digitally sign communications (always) | Disabled |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled |
| Microsoft network server: Amount of idle time required before suspending session | 15 minutes |
| Microsoft network server: Digitally sign communications (always) | Disabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Enabled |
| Microsoft network server: Disconnect clients when logon hours expire | Enabled |
| Network access: Allow anonymous SID/Name translation | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled |
| Network access: Do not allow storage of credentials or .NET Passports for network authentication | Disabled |
| Network access: Let Everyone permissions apply to anonymous users | Disabled |
| Network access: Named Pipes that can be accessed anonymously | COMNAP; COMNODE; SQL/QUERY; SPOOLSS; NETLOGON; LSARPC; SAMR; BROWSER; EPMAPPER; LOCATOR; TrkWks; TrkSvr; CERT |
| Network access: Remotely accessible registry paths | System/CurrentControlSet/Control/ProductOptions; System/CurrentControlSet/Control/Server Applications; Software/Microsoft/Windows NT/CurrentVersion |
| Network access: Remotely accessible registry paths and sub-paths | System/CurrentControlSet/Control/Print/Printers; System/CurrentControlSet/Services/Eventlog; Software/Microsoft/OLAP Server; Software/Microsoft/Windows NT/CurrentVersion/Print; Software/Microsoft/Windows NT/CurrentVersion/Windows; System/CurrentControlSet/Control/ContentIndex; System/CurrentControlSet/Control/Terminal Server; System/CurrentControlSet/Control/Terminal Server/UserConfig; System/CurrentControlSet/Control/Terminal Server/DefaultUserConfiguration; Software/Microsoft/Windows NT/CurrentVersion/Perflib; System/CurrentControlSet/Services/Sysmonlog; System/CurrentControlSet/Services/CertSvc |
| Network access: Restrict anonymous access to Named Pipes and shares | Enabled |
| Network access: Shares that can be accessed anonymously | COMCFG; DFS$ |
| Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves |
| Network security: Do not store LAN Manager hash value on next password change | Disabled |
| Network security: Force logoff when logon hours expire | Enabled |
| Network security: LAN Manager authentication level | Send NTLM response only |
| Network security: LDAP client signing requirements | Negotiate signing |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | No minimum |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | No minimum |
| Recovery console: Allow automatic administrative logon | Disabled |
| Recovery console: Allow floppy copy and access to all drives and all folders | Disabled |
| Shutdown: Allow system to be shut down without having to log on | Disabled |
| Shutdown: Clear virtual memory pagefile | Disabled |
| System cryptography: Force strong key protection for user keys stored on the computer | Not Defined |
| System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled |
| System objects: Default owner for objects created by members of the Administrators group | Administrators group |
| System objects: Require case insensitivity for non-Windows subsystems | Enabled |
| System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled |
| System settings: Optional subsystems | Posix |
| System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Disabled |