Windows-Setup/Group Policies Objects/Default Domain Policy/Security Options.md

# Security Options

Documentation: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/settings-and-configuration?tabs=gpo

`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options`

(**Follow this guide to setup LDAPS if you do not have key server: https://www.dvolve.net/blog/2019/12/using-lets-encrypt-for-active-directory-domain-controller-certificates/**)

- Accounts: Block Microsoft accounts -> Users can't add or log on with Microsoft accounts
- Accounts: Guest account status -> Disabled
- Devices: Prevent users from installing printer drivers -> Enabled
- Domain controller: LDAP server signing requirements: Require signing
- Domain controller: LDAP server channel binding token requirements: Always
- Domain member: Digitally encrypt or sign secure channel data (always) -> Enabled
- Domain member: Require strong (Windows 2000 or later) session key -> Enabled
- Microsoft network client: Digitally sign communications (always) -> Enabled
- Microsoft network server: Digitally sign communications (always) -> Enabled
- Network access: Allow anonymous SID/Name translation -> Disabled
- Network security: Do not store LAN Manager hash value on next password change -> Enabled
- Network security: Force logoff when logon hours expire -> Disabled
- Network security: LDAP client signing requirements: Require signing
- Network security: Restrict NTLM: Incoming NTLM traffic -> Deny all accounts
- Network security: Restrict NTLM: NTLM authentication in this domain -> Deny all
- Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers -> Deny all
- Shutdown: Clear virtual memory pagefile -> Enabled
- User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop -> Disabled
- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode -> Prompt for credentials on the secure desktop
- User Account Control: Behavior of the elevation prompt for standard users -> Prompt for credentials on the secure desktop
- User Account Control: Only elevate executables that are signed and validated -> Enabled
- User Account Control: Only elevate UIAccess applications that are installed in secure locations -> Enabled
- User Account Control: Run all administrators in Admin Approval Mode
- User Account Control: Switch to the secure desktop when prompting for elevation -> Enabled
- User Account Control: Virtualize file and registry write failures to per-user locations -> Enabled
LDAPS Enforcement Signed-off-by: Tommy <contact@tommytran.io> 2024-01-06 06:29:12 -05:00			`# Security Options`
UAC Signed-off-by: Tommy <contact@tommytran.io> 2023-11-06 07:39:03 -05:00
			`Documentation: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/settings-and-configuration?tabs=gpo`

Fix policy path to match AD Signed-off-by: Tommy <contact@tommytran.io> 2024-01-06 06:43:40 -05:00			`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options`
UAC Signed-off-by: Tommy <contact@tommytran.io> 2023-11-06 07:39:03 -05:00
Move disclaimer up Signed-off-by: Tommy <contact@tommytran.io> 2024-04-18 05:42:03 -04:00			`(Follow this guide to setup LDAPS if you do not have key server: https://www.dvolve.net/blog/2019/12/using-lets-encrypt-for-active-directory-domain-controller-certificates/)`

Add additional security options Signed-off-by: Tommy <contact@tommytran.io> 2024-04-26 02:34:02 -04:00			`- Accounts: Block Microsoft accounts -> Users can't add or log on with Microsoft accounts`
			`- Accounts: Guest account status -> Disabled`
			`- Devices: Prevent users from installing printer drivers -> Enabled`
Move disclaimer up Signed-off-by: Tommy <contact@tommytran.io> 2024-04-18 05:42:03 -04:00			`- Domain controller: LDAP server signing requirements: Require signing`
Improvements to LDAPS policies Signed-off-by: Tommy <contact@tommytran.io> 2024-04-18 04:10:03 -04:00			`- Domain controller: LDAP server channel binding token requirements: Always`
Enforce SMB encryption Signed-off-by: Tommy <contact@tommytran.io> 2024-04-18 04:43:57 -04:00			`- Domain member: Digitally encrypt or sign secure channel data (always) -> Enabled`
Add additional security options Signed-off-by: Tommy <contact@tommytran.io> 2024-04-26 02:34:02 -04:00			`- Domain member: Require strong (Windows 2000 or later) session key -> Enabled`
Enforce SMB encryption Signed-off-by: Tommy <contact@tommytran.io> 2024-04-18 04:43:57 -04:00			`- Microsoft network client: Digitally sign communications (always) -> Enabled`
			`- Microsoft network server: Digitally sign communications (always) -> Enabled`
Add additional security options Signed-off-by: Tommy <contact@tommytran.io> 2024-04-26 02:34:02 -04:00			`- Network access: Allow anonymous SID/Name translation -> Disabled`
More security options Signed-off-by: Tommy <contact@tommytran.io> 2024-04-26 04:37:34 -04:00			`- Network security: Do not store LAN Manager hash value on next password change -> Enabled`
			`- Network security: Force logoff when logon hours expire -> Disabled`
Improvements to LDAPS policies Signed-off-by: Tommy <contact@tommytran.io> 2024-04-18 04:10:03 -04:00			`- Network security: LDAP client signing requirements: Require signing`
Disable NTLM Signed-off-by: Tommy <contact@tommytran.io> 2024-04-26 04:34:13 -04:00			`- Network security: Restrict NTLM: Incoming NTLM traffic -> Deny all accounts`
			`- Network security: Restrict NTLM: NTLM authentication in this domain -> Deny all`
			`- Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers -> Deny all`
More security improvements Signed-off-by: Tommy <contact@tommytran.io> 2024-04-18 04:29:42 -04:00			`- Shutdown: Clear virtual memory pagefile -> Enabled`
			`- User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop -> Disabled`
			`- User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode -> Prompt for credentials on the secure desktop`
			`- User Account Control: Behavior of the elevation prompt for standard users -> Prompt for credentials on the secure desktop`
Fix formatting Signed-off-by: Tommy <contact@tommytran.io> 2023-11-06 07:45:50 -05:00			`- User Account Control: Only elevate executables that are signed and validated -> Enabled`
More security improvements Signed-off-by: Tommy <contact@tommytran.io> 2024-04-18 04:29:42 -04:00			`- User Account Control: Only elevate UIAccess applications that are installed in secure locations -> Enabled`
			`- User Account Control: Run all administrators in Admin Approval Mode`
			`- User Account Control: Switch to the secure desktop when prompting for elevation -> Enabled`
			`- User Account Control: Virtualize file and registry write failures to per-user locations -> Enabled`