Untitled

Audits
Windows Key + R > secpol.msc > Local Policies > Audit Policy
A.	Enable success/failure for “Account Logon” events
B.	Enable success/failure for “Account Management”
C.	Enable success/failure for “Logon Events”
D.	Enable success/failure for “Policy Change”
Password Policy
 Windows Key + R > secpol.msc > Account Policies
A.	Password Policy tab
a.	Enforce Password History:       10
b.	Max password age:                    60
c.	Min password age:                     1
d.	Min Password Length:               8
e.	Store passwords using reversible encryption: Disabled
f.	Complexity Requirements:      Enabled
1.	8 characters
2.	1x Number
3.	1x Special Character

B.	Account Lockout Policy
a.	   Account lockout threshold: 5
b.	   Other two should be 30 mins

User Right Assignment

a.	Access computer from the network – Make sure only allowed users are there.
b.	Act as part of the Operating System – No objects
c.	Allow logon through Remote Desktop Services – By readme
d.	Deny log on through Remote Desktop Services – By readme
e.	Deny log on locally/from the network – Guest object
f.	Shut down the system – Administrators if server
g.	Target everyone object

Security Options
a.	Autoconfig
i.	File hosted on my google drive
ii.	BEFORE YOU DO THIS, EXPORT PREVIOUS CONFIG.
1.	That way you can fix if you break anything.
2.	Write down any points you do get from the autoconfig, then go back and manually edit them in local
iii.	Local security policy (Top left) > Import > Navigate to .inf file
b.	Accounts
i.	Administrator account status – Disabled
ii.	Guest account status – Disabled
iii.	Limit local account use of blank passwords to console logon only – enabled
iv.	Rename Administrator account – Shrek
v.	Rename Guest account – Donkey
c.	Audit
i.	Shut down system immediately if unable to log security audits – enabled
d.	Devices
i.	Restrict CDROM access to locally logged-on users only – enabled
ii.	Restrict Floppy access to locally logged-on users only – enabled
iii.	Prevent users from installing printer drivers: enabled
e.	Interactive logon
i.	Display user information when the session is locked – Disabled
ii.	Do not display user last name – Enabled
iii.	Do not require CTRL-ALT-DEL – Disabled
iv.	Configure message title/ message text for users attempting to log on
v.	Prompt user to change password before expiration: 5 days
vi.	Machine Inactivity Limit: 60 seconds
f.	Network Client
i.	Digitally sign communications (if server agrees): Enabled
ii.	Send unencrypted password: Disabled
g.	Network Server
i.	Digitally sign communications (if client agrees): Enabled
ii.	Disconnect Clients when logon hours expire: Enabled
iii.	Send unencrypted password to clients: Disabled
iv.	Server SPN Target name validation: Accept if provided by client
h.	Network Access
i.	Do not allow anonymous enumeration of SAM accounts: Enabled
ii.	Do not allow anonymous enumeration of SAM accounts and shares: Enabled
iii.	Let Everyone permissions apply to anonymous users: Disabled
iv.	Named Pipes that can be accessed anonymously: Should be blank
v.	Remotely accessible registry paths: Should be blank
vi.	Remotely accessible registry paths and subpaths: Should be blank
vii.	Shares that can be accessed anonymously: Not defined
viii.	Restrict anonymous access to named pipes and shares: Enabled
ix.	Sharing and security model for local accounts: Classic
x.	Force logoff when logon hours expire: Enabled
i.	Recovery console
i.	Allow automatic administrative logon: disabled
ii.	Allow floppy copy: disabled
j.	Shutdown
i.	Allow system to be shut down without having to log on: Disabled
ii.	Clear virtual memory pagefile: Enabled
k.	User Account Control
i.	Admin Approval Mode for the built-in Administrator account: Enabled
ii.	Detect application installation and prompt for elevation: Enabled
iii.	Only elevate UIAccess applications that are installed in secure locations: Enabled
iv.	Run all administrators in admin approval mode: Enabled
v.	Switch to the secure desktop when prompting for elevation: Enabled