Windows-Setup/Group Policies Objects/Default Domain Policy/Security Options.md

# Security Options

Documentation: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/settings-and-configuration?tabs=gpo

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options`

- Domain controller: LDAP server signing requirements: Require signing (**Follow this guide to setup LDAPS if you do not have key server: https://www.dvolve.net/blog/2019/12/using-lets-encrypt-for-active-directory-domain-controller-certificates/**)
- Domain controller: LDAP server channel binding token requirements: Always
- Network security: LDAP client signing requirements: Require signing
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode -> Prompt for credentials
- User Account Control: Only elevate executables that are signed and validated -> Enabled
- User Account Control: Switch to the secure desktop when prompting for elevation -> Enabled (Docs says it is enabled by default, but it is off on my Parallels VM somehow)
LDAPS Enforcement Signed-off-by: Tommy <contact@tommytran.io> 2024-01-06 06:29:12 -05:00			`# Security Options`
UAC Signed-off-by: Tommy <contact@tommytran.io> 2023-11-06 07:39:03 -05:00
			`Documentation: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/settings-and-configuration?tabs=gpo`

Fix policy path to match AD Signed-off-by: Tommy <contact@tommytran.io> 2024-01-06 06:43:40 -05:00			`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options`
UAC Signed-off-by: Tommy <contact@tommytran.io> 2023-11-06 07:39:03 -05:00
Improvements to LDAPS policies Signed-off-by: Tommy <contact@tommytran.io> 2024-04-18 04:10:03 -04:00			`- Domain controller: LDAP server signing requirements: Require signing (Follow this guide to setup LDAPS if you do not have key server: https://www.dvolve.net/blog/2019/12/using-lets-encrypt-for-active-directory-domain-controller-certificates/)`
			`- Domain controller: LDAP server channel binding token requirements: Always`
			`- Network security: LDAP client signing requirements: Require signing`
Fix formatting Signed-off-by: Tommy <contact@tommytran.io> 2023-11-06 07:45:50 -05:00			`- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode -> Prompt for credentials`
			`- User Account Control: Only elevate executables that are signed and validated -> Enabled`
Improvements to LDAPS policies Signed-off-by: Tommy <contact@tommytran.io> 2024-04-18 04:10:03 -04:00			`- User Account Control: Switch to the secure desktop when prompting for elevation -> Enabled (Docs says it is enabled by default, but it is off on my Parallels VM somehow)`