Group Policy Management
body { font-size:68%;font-family:MS Shell Dlg; margin:0px,0px,0px,0px; border: 1px solid #666666; background:#F6F6F6; width:100%; word-break:normal; word-wrap:break-word; } .head { font-weight:bold; font-size:160%; font-family:MS Shell Dlg; width:100%; color:#6587DC; background:#E3EAF9; border:1px solid #5582D2; padding-left:8px; height:24px; } .path { margin-left: 10px; margin-top: 10px; margin-bottom:5px;width:100%; } .info { padding-left:10px;width:100%; } table { font-size:100%; width:100%; border:1px solid #999999; } th { border-bottom:1px solid #999999; text-align:left; padding-left:10px; height:24px; } td { background:#FFFFFF; padding-left:10px; padding-bottom:10px; padding-top:10px; } .btn { width:100%; text-align:right; margin-top:16px; } .hdr { font-weight:bold; border:1px solid #999999; text-align:left; padding-top: 4px; padding-left:10px; height:24px; margin-bottom:-1px; width:100%; } .bdy { width:100%; height:182px; display:block; overflow:scroll; z-index:2; background:#FFFFFF; padding-left:10px; padding-bottom:10px; padding-top:10px; border:1px solid #999999; } button { width:6.9em; height:2.1em; font-size:100%; font-family:MS Shell Dlg; margin-right:15px; } @media print { .bdy { display:block; overflow:visible; } button { display:none; } .head { color:#000000; background:#FFFFFF; border:1px solid #000000; } }
Setting Path:
Explanation
No explanation is available for this setting.
Supported On:
Not available
_OE-C-MSSCT-Domain-Controller-2004
Data collected on: 04.10.2021 18:20:30
General
Details
Domainkit.edu
OwnerKIT\Domain Admins
Created28.09.2021 13:41:10
Modified28.09.2021 13:41:10
User Revisions1 (AD), 1 (SYSVOL)
Computer Revisions1 (AD), 1 (SYSVOL)
Unique ID{1A72F89B-26EA-4F3E-8981-EE8674F34288}
GPO StatusUser settings disabled
Links
LocationEnforcedLink StatusPath
BSI-TestNoEnabledkit.edu/KIT/Staff/SCC/Betrieb/CMK/Rechnerkonten/BSI-Test
TCS_GPO_TestNoEnabledkit.edu/KIT/Staff/SCC/Dienste/FMC/Rechnerkonten/TCS_GPO_Test

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users
Delegation
These groups and users have the specified permission for this GPO
NameAllowed PermissionsInherited
KIT\Domain AdminsEdit settings, delete, modify securityNo
KIT\Domain ComputersReadNo
KIT\Enterprise AdminsEdit settings, delete, modify securityNo
NT AUTHORITY\Authenticated UsersRead (from Security Filtering)No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSReadNo
NT AUTHORITY\SYSTEMEdit settings, delete, modify securityNo
Computer Configuration (Enabled)
Policies
Windows Settings
Security Settings
Local Policies/User Rights Assignment
PolicySetting
Access Credential Manager as a trusted caller
Access this computer from the networkBUILTIN\Administrators, NT AUTHORITY\Authenticated Users, NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Act as part of the operating system
Allow log on locallyBUILTIN\Administrators
Allow log on through Terminal ServicesBUILTIN\Administrators
Back up files and directoriesBUILTIN\Administrators
Create a pagefileBUILTIN\Administrators
Create a token object
Create global objectsBUILTIN\Administrators, NT AUTHORITY\SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE
Create permanent shared objects
Debug programsBUILTIN\Administrators
Enable computer and user accounts to be trusted for delegationBUILTIN\Administrators
Force shutdown from a remote systemBUILTIN\Administrators
Impersonate a client after authenticationBUILTIN\Administrators, NT AUTHORITY\SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE
Load and unload device driversBUILTIN\Administrators
Lock pages in memory
Manage auditing and security logBUILTIN\Administrators
Modify firmware environment valuesBUILTIN\Administrators
Perform volume maintenance tasksBUILTIN\Administrators
Profile single processBUILTIN\Administrators
Restore files and directoriesBUILTIN\Administrators
Take ownership of files or other objectsBUILTIN\Administrators
Local Policies/Security Options
Accounts
PolicySetting
Accounts: Limit local account use of blank passwords to console logon onlyEnabled
Domain Controller
PolicySetting
Domain controller: LDAP server signing requirementsNone
Interactive Logon
PolicySetting
Interactive logon: Smart card removal behaviorLock Workstation
Microsoft Network Client
PolicySetting
Microsoft network client: Digitally sign communications (always)Enabled
Microsoft network client: Send unencrypted password to third-party SMB serversDisabled
Network Access
PolicySetting
Network access: Allow anonymous SID/Name translationDisabled
Network access: Do not allow anonymous enumeration of SAM accountsEnabled
Network access: Do not allow anonymous enumeration of SAM accounts and sharesEnabled
Network access: Restrict anonymous access to Named Pipes and SharesEnabled
Network Security
PolicySetting
Network security: Do not store LAN Manager hash value on next password changeEnabled
Network security: LAN Manager authentication levelSend NTLMv2 response only. Refuse LM & NTLM
Network security: LDAP client signing requirementsNegotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clientsEnabled
Require NTLMv2 session securityEnabled
Require 128-bit encryptionEnabled
Network security: Minimum session security for NTLM SSP based (including secure RPC) serversEnabled
Require NTLMv2 session securityEnabled
Require 128-bit encryptionEnabled
System Objects
PolicySetting
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)Enabled
User Account Control
PolicySetting
User Account Control: Admin Approval Mode for the Built-in Administrator accountEnabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval ModePrompt for consent on the secure desktop
User Account Control: Behavior of the elevation prompt for standard usersAutomatically deny elevation requests
User Account Control: Detect application installations and prompt for elevationEnabled
User Account Control: Only elevate UIAccess applications that are installed in secure locationsEnabled
User Account Control: Run all administrators in Admin Approval ModeEnabled
User Account Control: Virtualize file and registry write failures to per-user locationsEnabled
Other
PolicySetting
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settingsEnabled
Domain controller: LDAP server channel binding token requirementsAlways
Domain member: Digitally encrypt or sign secure channel data (always)Enabled
Domain member: Digitally encrypt secure channel data (when possible)Enabled
Domain member: Digitally sign secure channel data (when possible)Enabled
Domain member: Require strong (Windows 2000 or later) session keyEnabled
Interactive logon: Machine inactivity limit900 seconds
Microsoft network server: Digitally sign communications (always)Enabled
Network security: Allow LocalSystem NULL session fallbackDisabled
System Services
Application Identity (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Windows Firewall with Advanced Security
Global Settings
PolicySetting
Policy version2.26
Disable stateful FTPNot Configured
Disable stateful PPTPNot Configured
IPsec exemptNot Configured
IPsec through NATNot Configured
Preshared key encodingNot Configured
SA idle timeNot Configured
Strong CRL checkNot Configured
Domain Profile Settings
PolicySetting
Firewall stateOn
Inbound connectionsBlock
Outbound connectionsAllow
Apply local firewall rulesNot Configured
Apply local connection security rulesNot Configured
Display notificationsNot Configured
Allow unicast responsesNot Configured
Log dropped packetsNot Configured
Log successful connectionsNot Configured
Log file pathNot Configured
Log file maximum size (KB)Not Configured
Private Profile Settings
PolicySetting
Firewall stateOn
Inbound connectionsBlock
Outbound connectionsAllow
Apply local firewall rulesNot Configured
Apply local connection security rulesNot Configured
Display notificationsNot Configured
Allow unicast responsesNot Configured
Log dropped packetsNot Configured
Log successful connectionsNot Configured
Log file pathNot Configured
Log file maximum size (KB)Not Configured
Public Profile Settings
PolicySetting
Firewall stateOn
Inbound connectionsBlock
Outbound connectionsAllow
Apply local firewall rulesNot Configured
Apply local connection security rulesNot Configured
Display notificationsNot Configured
Allow unicast responsesNot Configured
Log dropped packetsNot Configured
Log successful connectionsNot Configured
Log file pathNot Configured
Log file maximum size (KB)Not Configured
Connection Security Settings
Advanced Audit Configuration
Account Logon
PolicySetting
Audit Credential ValidationFailure
Audit Kerberos Authentication ServiceSuccess, Failure
Audit Kerberos Service Ticket OperationsFailure
Account Management
PolicySetting
Audit Computer Account ManagementSuccess
Audit Other Account Management EventsSuccess
Audit Security Group ManagementSuccess
Audit User Account ManagementSuccess, Failure
Detailed Tracking
PolicySetting
Audit PNP ActivitySuccess
Audit Process CreationSuccess
DS Access
PolicySetting
Audit Directory Service AccessFailure
Audit Directory Service ChangesSuccess
Logon/Logoff
PolicySetting
Audit Account LockoutFailure
Audit Group MembershipSuccess
Audit LogonSuccess, Failure
Audit Other Logon/Logoff EventsSuccess, Failure
Audit Special LogonSuccess
Object Access
PolicySetting
Audit Detailed File ShareFailure
Audit File ShareSuccess, Failure
Audit Other Object Access EventsSuccess, Failure
Audit Removable StorageSuccess, Failure
Policy Change
PolicySetting
Audit Audit Policy ChangeSuccess
Audit Authentication Policy ChangeSuccess
Audit MPSSVC Rule-Level Policy ChangeSuccess, Failure
Audit Other Policy Change EventsFailure
Privilege Use
PolicySetting
Audit Sensitive Privilege UseSuccess, Failure
System
PolicySetting
Audit Other System EventsSuccess, Failure
Audit Security State ChangeSuccess
Audit Security System ExtensionSuccess
Audit System IntegritySuccess, Failure
Application Control Policies
Appx Rules
PolicySetting
Enforce rules of this typeTrue

ActionUserNameRule TypeExceptions
AllowEveryone(Default Rule) All signed packaged appsPublisherNo
Dll Rules
No rules of type 'Dll Rules' are defined.
Executable Rules
PolicySetting
Enforce rules of this typeTrue

ActionUserNameRule TypeExceptions
DenyEveryoneBlock Google ChromePublisherNo
DenyEveryoneBlock Mozilla FirefoxPublisherNo
DenyEveryoneBlock Internet ExplorerPublisherNo
AllowEveryone(Default Rule) All files located in the Program Files folderPathNo
AllowEveryone(Default Rule) All files located in the Windows folderPathNo
AllowBUILTIN\Administrators(Default Rule) All filesPathNo
Windows Installer Rules
No rules of type 'Windows Installer Rules' are defined.
Script Rules
No rules of type 'Script Rules' are defined.
Administrative Templates
Policy definitions (ADMX files) retrieved from the central store.
Control Panel/Personalization
PolicySettingComment
Prevent enabling lock screen cameraEnabled
Prevent enabling lock screen slide showEnabled
MS Security Guide
PolicySettingComment
Configure SMB v1 client driverEnabled
Configure MrxSmb10 driverDisable driver (recommended)
PolicySettingComment
Configure SMB v1 serverDisabled
Enable Structured Exception Handling Overwrite Protection (SEHOP)Enabled
NetBT NodeType configurationEnabledP-Node empfohlen. Net use * \\,,, vom Client nur noch möglich per FQDN oder wenn der Client das richtige DNS Suffix verwendet. Server anwortet nicht mehr auf NetBIOS. (Ping etc kein Problem). WINS wäre die Lösung ;-)
Configure NetBT NodeTypeH-node
MSS (Legacy)
PolicySettingComment
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)Enabled
DisableIPSourceRoutingIPv6Highest protection, source routing is completely disabled
PolicySettingComment
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)Enabled
DisableIPSourceRoutingHighest protection, source routing is completely disabled
PolicySettingComment
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routesDisabled
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS serversEnabled
Network/DNS Client
PolicySettingComment
Turn off multicast name resolutionEnabled
Network/Lanman Workstation
PolicySettingComment
Enable insecure guest logonsDisabled
Network/Network Connections/Windows Defender Firewall/Domain Profile
PolicySettingComment
Windows Defender Firewall: Protect all network connectionsEnabled
Network/Network Provider
PolicySettingComment
Hardened UNC PathsEnabled
Specify hardened network paths. In the name field, type a fully-qualified UNC path for each network resource. To secure all access to a share with a particular name, regardless of the server name, specify a server name of '*' (asterisk). For example, "\\*\NETLOGON". To secure all access to all shares hosted on a server, the share name portion of the UNC path may be omitted. For example, "\\SERVER". In the value field, specify one or more of the following options, separated by commas: 'RequireMutualAuthentication=1': Mutual authentication between the client and server is required to ensure the client connects to the correct server. 'RequireIntegrity=1': Communication between the client and server must employ an integrity mechanism to prevent data tampering. 'RequirePrivacy=1': Communication between the client and the server must be encrypted to prevent third parties from observing sensitive data.
Hardened UNC Paths: 
\\*\NETLOGONRequireMutualAuthentication=1,RequireIntegrity=1
\\*\SYSVOLRequireMutualAuthentication=1,RequireIntegrity=1
You should require both Integrity and Mutual Authentication for any UNC paths that host executable programs, script files, or files that control security policies. Consider hosting files that do not require Integrity or Privacy on separate shares from those that absolutely need such security for optimal performance. For additional details on configuring Windows computers to require additional security when accessing specific UNC paths, visit http://support.microsoft.com/kb/3000483.
SCM: Pass the Hash Mitigations
PolicySettingComment
WDigest Authentication (disabling may require KB2871997)Disabled
System/Credentials Delegation
PolicySettingComment
Encryption Oracle RemediationEnabled
Protection Level:Force Updated Clients
PolicySettingComment
Remote host allows delegation of non-exportable credentialsEnabled
System/Early Launch Antimalware
PolicySettingComment
Boot-Start Driver Initialization PolicyEnabled
Choose the boot-start drivers that can be initialized:Good, unknown and bad but critical
System/Group Policy
PolicySettingComment
Configure registry policy processingEnabled
Do not apply during periodic background processingDisabled
Process even if the Group Policy objects have not changedEnabled
System/Kernel DMA Protection
PolicySettingComment
Enumeration policy for external devices incompatible with Kernel DMA ProtectionEnabled
Enumeration policyBlock all
Windows Components/AutoPlay Policies
PolicySettingComment
Disallow Autoplay for non-volume devicesEnabled
Set the default behavior for AutoRunEnabled
Default AutoRun BehaviorDo not execute any autorun commands
PolicySettingComment
Turn off AutoplayEnabled
Turn off Autoplay on:All drives
Windows Components/Biometrics/Facial Features
PolicySettingComment
Configure enhanced anti-spoofingEnabled
Windows Components/Event Log Service/Application
PolicySettingComment
Specify the maximum log file size (KB)Enabled
Maximum Log Size (KB)32768
Windows Components/Event Log Service/Security
PolicySettingComment
Specify the maximum log file size (KB)Enabled
Maximum Log Size (KB)196608
Windows Components/Event Log Service/System
PolicySettingComment
Specify the maximum log file size (KB)Enabled
Maximum Log Size (KB)32768
Windows Components/Remote Desktop Services/Remote Desktop Connection Client
PolicySettingComment
Do not allow passwords to be savedEnabled
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection
PolicySettingComment
Do not allow drive redirectionNot ConfiguredUnterbindet copy&paste von Dateien - DC? Eventuell
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security
PolicySettingComment
Always prompt for password upon connectionEnabled
Require secure RPC communicationEnabled
Set client connection encryption levelEnabled
Encryption LevelHigh Level
Choose the encryption level from the drop-down list.
Windows Components/RSS Feeds
PolicySettingComment
Prevent downloading of enclosuresEnabled
Windows Components/Search
PolicySettingComment
Allow indexing of encrypted filesDisabled
Windows Components/Windows Defender SmartScreen/Explorer
PolicySettingComment
Configure Windows Defender SmartScreenEnabled
Pick one of the following settings:Warn and prevent bypass
Windows Components/Windows Ink Workspace
PolicySettingComment
Allow Windows Ink WorkspaceEnabled
Choose one of the following actions 
Windows Components/Windows Installer
PolicySettingComment
Allow user control over installsDisabled
Always install with elevated privilegesDisabled
Windows Components/Windows Logon Options
PolicySettingComment
Sign-in and lock last interactive user automatically after a restartDisabled
Windows Components/Windows PowerShell
PolicySettingComment
Turn on PowerShell Script Block LoggingEnabled
Log script block invocation start / stop events:Disabled
Windows Components/Windows Remote Management (WinRM)/WinRM Client
PolicySettingComment
Allow Basic authenticationDisabled
Allow unencrypted trafficDisabled
Disallow Digest authenticationEnabled
Windows Components/Windows Remote Management (WinRM)/WinRM Service
PolicySettingComment
Allow Basic authenticationDisabled
Allow unencrypted trafficDisabled
Disallow WinRM from storing RunAs credentialsEnabled
User Configuration (Disabled)
No settings defined.