Local Security Policy (secpol.msc) Chart

Here is a list of local security policies that should be set. You will definitely have to modify this list depending on your image. For example, you might have a remote server, or you might need to configure specialized privileges.

Please understand why each setting is being set.

I suggest you mess around with secpol.msc so you have at least a general understanding of each setting and when it can be useful.

To get here just do WinKey + R and enter "secpol.msc". Or just search it.

Some stuff you are definitely going to want to configure no matter what:

Password Policy
Account Lockout Policy
Audit Policy

Deny access to computer from the network (Guests)
Deny log on as batch job, service, locally, RDS (Guests, Guests, Guests, Guest & Everyone - depends if standalone or not)
Access this computer from the network (Administrators)
Act as part of the operating system (blank)

Accounts: Block Microsoft accounts (Users can't add or log on with Microsoft accounts)
Network access: Let Everyone permissions apply to anonymous users (Disabled)
Network access: Do not allow anonymous enumeration of SAM accounts and shares (Enabled)
Network access: Allow anonymous SID/Name translation (Disabled)
Interactive logon: Do not require CTRL+ALT+DEL (Disabled)

Note: The templates will have "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" set to prompt for consent. (Because it is super annoying)

Account Policies > Password Policy

| Policy | Security Setting |
| --- | --- |
| Enforce password history | 24 passwords remembered |
| Maximum password age | 90 days |
| Minimum password age | 15 days |
| Minimum password length | 8 characters |
| Password must meet complexity requirements | Enabled |
| Store passwords using reversible encryption | Disabled |

Account Policies > Account Lockout Policy

| Policy | Security Setting |
| --- | --- |
| Account lockout duration | 30 minutes |
| Account lockout threshold | 5 invalid logon attempts |
| Reset account lockout counter after | 30 minutes |

Local Policies > Audit Policy

| Policy | Security Setting (non-server) | Security Setting (server) |
| --- | --- | --- |
| Account logon events | Successes and Failures | Successes and Failures |
| Account management | Successes and Failures | Successes and Failures |
| Directory service access | No auditing | Successes and Failures |
| Logon events | Successes and Failures | Successes and Failures |
| Object access | No auditing | Successes and Failures |
| Policy change | Successes and Failures | Successes and Failures |
| Privilege use | No auditing | Successes and Failures |
| Process tracking | Successes and Failures | Successes and Failures |
| System events | Successes and Failures | Successes and Failures |

Local Policies > User Rights Assignment

| Policy | Security Setting |
| --- | --- |
| Access Credential Manager as a trusted caller | (blank) |
| Access this computer from the network | Administrators, Authenticated Users (, Remote Desktop Users) |
| Act as part of the operating system | (blank) |
| Add workstations to domain | Administrators |
| Adjust memory quotas for a process | Administrators (LOCAL SERVICE, NETWORK SERVICE) |
| Allow log on locally | Administrators |
| Allow log on through Remote Desktop Services | (blank) (Administrators, Remote Desktop Users) |
| Back up files and directories | Administrators |
| Bypass traverse checking | Administrators |
| Change the system time | LOCAL SERVICE, Administrators |
| Change the time zone | LOCAL SERVICE, Administrators |
| Create a pagefile | Administrators |
| Create a token object | (blank) |
| Create global objects | SERVICE, NETWORK SERVICE, LOCAL SERVICE, Administrators |
| Create permanent shared objects | (blank) |
| Create symbolic links | Administrators |
| Debug programs | (blank) |
| Deny access to this computer from the network | Guests, Guest |
| Deny log on as a batch job | Guests, Guest |
| Deny log on as a service | Guests, Guest |
| Deny log on locally | Guests, Guest |
| Deny log on through Remote Desktop Services | Guests, Everyone |
| Enable computer and user accounts to be trusted for delegation | (blank) |
| Force shutdown from a remote system | (blank) |
| Generate security audits | NETWORK SERVICE, LOCAL SERVICE, Administrators |
| Impersonate a client after authentication | LOCAL SERVICE, NETWORK SERVICE, Administrators, SERVICE |
| Increase a process working set | (blank) |
| Increase scheduling priority | Administrators |
| Load and unload device drivers | Administrators |
| Lock pages in memory | (blank) |
| Log on as a batch job | (blank) |
| Log on as a service | (blank) |
| Manage auditing and security log | Administrators |
| Modify an object label | (blank) |
| Modify firmware environment values | Administrators |
| Perform volume maintenance tasks | Administrators |
| Profile single process | Administrators |
| Profile system performance | Administrators |
| Remove computer from docking station | Administrators |
| Replace a process level token | LOCAL SERVICE, NETWORK SERVICE |
| Restore files and directories | Administrators, Backup Operators |
| Shut down the system | Administrators |
| Synchronize directory service data | (blank) |
| Take ownership of files or other objects | Administrators |

Local Policies > Security Options

| Policy | Security Setting |
| --- | --- |
| Accounts: Administrator account status | Disabled |
| Accounts: Block Microsoft accounts | Users can't add or log on with Microsoft accounts |
| Accounts: Guest account status | Disabled |
| Accounts: Limit local account use of blank passwords to console logon only | Enabled |
| Accounts: Rename administrator account | QUENTIN |
| Accounts: Rename guest account | NOOB (you) |
| Audit: Audit the access of global system objects | Disabled |
| Audit: Audit the use of Backup and Restore privilege | Disabled |
| Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Disabled |
| Audit: Shut down system immediately if unable to log security audits | Disabled |
| DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax | (blank) |
| DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax | (blank) |
| Devices: Allow undock without having to log on | Disabled |
| Devices: Allowed to format and eject removable media | Administrators |
| Devices: Prevent users from installing printer drivers | Enabled |
| Devices: Restrict CD-ROM access to locally logged-on user only | Enabled |
| Devices: Restrict floppy access to locally logged-on user only | Enabled |
| Domain controller: Allow server operators to schedule tasks | Disabled |
| Domain controller: LDAP server signing requirements | Require signing |
| Domain controller: Refuse machine account password changes | Disabled |
| Domain member: Digitally encrypt or sign secure channel data (always) | Enabled |
| Domain member: Digitally encrypt secure channel data (when possible) | Enabled |
| Domain member: Digitally sign secure channel data (when possible) | Enabled |
| Domain member: Disable machine account password changes | Disabled |
| Domain member: Maximum machine account password age | 90 days |
| Domain member: Require strong (Windows 2000 or later) session key | Enabled |
| Interactive logon: Display user information when the session is locked | User display name only |
| Interactive logon: Do not display last user name | Enabled (Note: this one can be annoying if you don't know the username of the account you are accessing, so if you enable this policy, write down the main CyPat user now, the one you log on as) |
| Interactive logon: Do not require CTRL+ALT+DEL | Disabled |
| Interactive logon: Machine account lockout threshold | 5 invalid logon attempts |
| Interactive logon: Machine inactivity limit | 300 seconds (this is annoying; set it, see if you get points, turn it off if you don't) |
| Interactive logon: Message text for users attempting to log on | I’ll have you know I graduated top of my class in the Navy Seals, and I’ve been involved in numerous secret raids on Al-Quaeda, and I have over 300 confirmed kills. I am trained in gorilla warfare and I’m the top sniper in the entire US armed forces. You are nothing to me but just another target. I will wipe you the fuck out with precision the likes of which has never been seen before on this Earth, mark my fucking words. You think you can get away with saying that shit to me over the Internet? Think again, fucker. As we speak I am contacting my secret network of spies across the USA and your IP is being traced right now so you better prepare for the storm, maggot. The storm that wipes out the pathetic little thing you call your life. You’re fucking dead, kid. I can be anywhere, anytime, and I can kill you in over seven hundred ways, and that’s just with my bare hands. Not only am I extensively trained in unarmed combat, but I have access to the entire arsenal of the United States Marine Corps and I will use it to its full extent to wipe your miserable ass off the face of the continent, you little shit. If only you could have known what unholy retribution your little “clever” comment was about to bring down upon you, maybe you would have held your fucking tongue. But you couldn’t, you didn’t, and now you’re paying the price, you goddamn idiot. I will shit fury all over you and you will drown in it. You’re fucking dead, kiddo. |
| Interactive logon: Message title for users attempting to log on | What the fuck did you just fucking say about me, you little bitch? |
| Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 1 logons (2 at most) |
| Interactive logon: Prompt user to change password before expiration | 14 days |
| Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled |
| Interactive logon: Require smart card | Disabled |
| Interactive logon: Smart card removal behavior | No Action |
| Microsoft network client: Digitally sign communications (always) | Enabled |
| Microsoft network client: Digitally sign communications (if server agrees) | Enabled |
| Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled |
| Microsoft network server: Amount of idle time required before suspending session | 15 minutes |
| Microsoft network server: Attempt S4U2Self to obtain claim information | Default |
| Microsoft network server: Digitally sign communications (always) | Enabled |
| Microsoft network server: Digitally sign communications (if client agrees) | Enabled |
| Microsoft network server: Disconnect clients when logon hours expire | Enabled |
| Microsoft network server: Server SPN target name validation level | Accept if provided by client |
| Network access: Allow anonymous SID/Name translation | Disabled |
| Network access: Do not allow anonymous enumeration of SAM accounts | Enabled |
| Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled |
| Network access: Do not allow storage of passwords and credentials for network authentication | Enabled |
| Network access: Let Everyone permissions apply to anonymous users | Disabled |
| Network access: Named Pipes that can be accessed anonymously | (blank) |
| Network access: Remotely accessible registry paths | (blank) if standalone; System\CurrentControlSet\Control\ProductOptions if remote |
| Network access: Remotely accessible registry paths and sub-paths | (blank) if standalone; System\CurrentControlSet\Control\Print\Printers if remote |
| Network access: Restrict anonymous access to Named Pipes and Shares | Enabled |
| Network access: Shares that can be accessed anonymously | (blank) |
| Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves |
| Network security: Allow Local System to use computer identity for NTLM | Enabled |
| Network security: Allow LocalSystem NULL session fallback | Disabled |
| Network security: Allow PKU2U authentication requests to this computer to use online identities | Disabled |
| Network security: Configure encryption types allowed for Kerberos | RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types |
| Network security: Do not store LAN Manager hash value on next password change | Enabled |
| Network security: Force logoff when logon hours expire | Enabled |
| Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM |
| Network security: LDAP client signing requirements | Negotiate signing |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require NTLMv2 session security, Require 128-bit encryption |
| Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require NTLMv2 session security, Require 128-bit encryption |
| Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication | (blank) |
| Network security: Restrict NTLM: Add server exceptions in this domain | (blank) |
| Network security: Restrict NTLM: Audit Incoming NTLM Traffic | Enable auditing for all accounts |
| Network security: Restrict NTLM: Audit NTLM authentication in this domain | Enable all |
| Network security: Restrict NTLM: Incoming NTLM traffic | Deny all accounts |
| Network security: Restrict NTLM: NTLM authentication in this domain | Deny all |
| Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers | Deny all |
| Recovery console: Allow automatic administrative logon | Disabled |
| Recovery console: Allow floppy copy and access to all drives and all folders | Disabled |
| Shutdown: Allow system to be shut down without having to log on | Enabled |
| Shutdown: Clear virtual memory pagefile | Enabled |
| System cryptography: Force strong key protection for user keys stored on the computer | Prompt for credentials on the secure desktop |
| System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Enabled |
| System objects: Require case insensitivity for non-Windows subsystems | Enabled |
| System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled |
| System settings: Optional subsystems | (blank) |
| System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies | Enabled |
| User Account Control: Admin Approval Mode for the Built-in Administrator account | Disabled |
| User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled |
| User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for credentials on the secure desktop (Note: this is super annoying, so set it first and see if you get points, or set it last. If you don't get points for it, just put it to Prompt for consent) |
| User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials on the secure desktop |
| User Account Control: Detect application installations and prompt for elevation | Enabled |
| User Account Control: Only elevate executables that are signed and validated | Enabled |
| User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled |
| User Account Control: Run all administrators in Admin Approval Mode | Enabled |
| User Account Control: Switch to the secure desktop when prompting for elevation | Enabled |
| User Account Control: Virtualize file and registry write failures to per-user locations | Enabled |
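
One way to check an image against the Password Policy and Account Lockout Policy tables, the non-server column of the Audit Policy table, and the account-status and anonymous SID/Name rows of Security Options: an added PowerShell example, not part of the original chart. It exports the local policy with secedit, whose INF section and key names are real; the export path under $env:TEMP is an arbitrary choice.

```powershell
# Added example (not from the original chart): export the effective local policy
# with secedit, then compare its [System Access] and [Event Audit] sections with
# the chart. Run from an elevated PowerShell prompt. The INF key names are the
# ones secedit itself writes; the export location is an arbitrary choice.
$ExportPath = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $ExportPath /quiet | Out-Null

# The export is an INI-style file: [Section] headers followed by key = value.
# Flatten it into a "Section\Key" -> value lookup (Get-Content honours the
# UTF-16 byte-order mark secedit writes).
$policy = @{}
$section = ''
foreach ($line in Get-Content -Path $ExportPath) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($line -match '^\s*([^=]+?)\s*=\s*(.*)$') {
        $policy["$section\$($Matches[1])"] = $Matches[2].Trim()
    }
}

# Chart values as secedit stores them. Event Audit categories use
# 0 = No auditing, 1 = Success, 2 = Failure, 3 = Success and Failure;
# the audit values below follow the non-server column of the Audit Policy table.
$expected = [ordered]@{
    'System Access\PasswordHistorySize'    = '24'  # Enforce password history
    'System Access\MaximumPasswordAge'     = '90'  # days
    'System Access\MinimumPasswordAge'     = '15'  # days
    'System Access\MinimumPasswordLength'  = '8'
    'System Access\PasswordComplexity'     = '1'   # Enabled
    'System Access\ClearTextPassword'      = '0'   # reversible encryption Disabled
    'System Access\LockoutBadCount'        = '5'   # Account lockout threshold
    'System Access\LockoutDuration'        = '30'  # minutes
    'System Access\ResetLockoutCount'      = '30'  # minutes
    'System Access\EnableAdminAccount'     = '0'   # Administrator account status Disabled
    'System Access\EnableGuestAccount'     = '0'   # Guest account status Disabled
    'System Access\LSAAnonymousNameLookup' = '0'   # Allow anonymous SID/Name translation Disabled
    'Event Audit\AuditAccountLogon'        = '3'
    'Event Audit\AuditAccountManage'       = '3'
    'Event Audit\AuditLogonEvents'         = '3'
    'Event Audit\AuditPolicyChange'        = '3'
    'Event Audit\AuditProcessTracking'     = '3'
    'Event Audit\AuditSystemEvents'        = '3'
    'Event Audit\AuditDSAccess'            = '0'
    'Event Audit\AuditObjectAccess'        = '0'
    'Event Audit\AuditPrivilegeUse'        = '0'
}

# Report every key, flagging the ones that differ. A key that is absent from the
# export is at its default (e.g. the lockout timers are not written while
# LockoutBadCount is 0), which still counts as a mismatch here.
$mismatches = 0
foreach ($key in $expected.Keys) {
    $actual = if ($policy.ContainsKey($key)) { $policy[$key] } else { '<not set>' }
    if ($actual -eq $expected[$key]) { $status = 'OK  ' } else { $status = 'DIFF'; $mismatches++ }
    '{0} {1,-40} expected={2,-4} actual={3}' -f $status, $key, $expected[$key], $actual
}
"$mismatches setting(s) differ from the chart."
Remove-Item -Path $ExportPath -ErrorAction SilentlyContinue
```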

APPLY TO ALL PROFILES (DOMAIN, PRIVATE AND PUBLIC) FOR BELOW FIREWALL SETTINGS

Windows Firewall with Advanced Security > Firewall State

| Policy | Security Setting |
| --- | --- |
| Firewall State | On (recommended) |
| Inbound connections | Block (default) |
| Outbound connections | Allow (default) |

Windows Firewall with Advanced Security > Settings

| Policy | Security Setting |
| --- | --- |
| Display a notification | Yes |
| Allow unicast response | No |
| Apply local firewall rules | Yes |
| Apply local connection security rules | Yes |

Windows Firewall with Advanced Security > Logging

| Policy | Security Setting |
| --- | --- |
| Name | Just use the default path and name (it is filled in automatically when you uncheck "not enabled") |
| Size limits | 16384 (or just leave the default if you like) |
| Log dropped packets | Yes |
| Log successful connections | Yes |
Advanced Audit Policies > Local Group Policy Object > Account Logon
204
205
Audit Credential ValidationSuccess and Failure
206
Audit Kerberos Authentication ServiceNo Auditing
207
Audit Kerberos Service Ticket OperationsNo Auditing
208
Audit Other Account Logon EventsNo Auditing
209
210
Advanced Audit Policies > Local Group Policy Object > Account Management
211
212
Audit Application Group ManagementNo Auditing
213
Audit Computer Account ManagementSuccess and Failure
214
Audit Distribution Group ManagementNo Auditing
215
Audit Other Account Management EventsSuccess and Failure
216
Audit Security Group ManagementSuccess and Failure
217
Audit User Account ManagementSuccess and Failure
218
219
Advanced Audit Policies > Local Group Policy Object > Detailed Tracking
220
221
Audit DPAPI ActivityNo Auditing
222
Audit PNP ActivitySuccess and Failure
223
Audit Process CreationSuccess
224
Audit Process TerminationNo Auditing
225
Audit RPC EventsSuccess
226
227
Advanced Audit Policies > Local Group Policy Object > DS Access
228
229
Audit Detailed Directory Service ReplicationNo Auditing
230
Audit Directory Service AccessNo Auditing
231
Audit Directory Service ChangesNo Auditing
232
Audit Directory Service ReplicationNo Auditing
233
234
Advanced Audit Policies > Local Group Policy Object > Logon/Logoff
235
236
Audit Account LockoutFailure
237
Audit User / Device ClaimsSuccess
238
Audit Group MembershipSuccess
239
Audit IPsec Extended ModeNo Auditing
240
Audit IPsec Main ModeNo Auditing
241
Audit IPsec Quick ModeNo Auditing
242
Audit LogoffSuccess
243
Audit LogonSuccess and Failure
244
Audit Network Policy ServerNo Auditing
245
Audit Other Logon/Logoff EventsNo Auditing
246
Audit Special LogonSuccess
247
248
Advanced Audit Policies > Local Group Policy Object > Object Access
249
250
Audit Application GeneratedNo Auditing
251
Audit Certification ServicesNo Auditing
252
Audit Detailed File ShareNo Auditing
253
Audit File ShareNo Auditing
254
Audit File SystemFailure
255
Audit Filtering Platform ConnectionNo Auditing
256
Audit Filtering Platform Packet DropNo Auditing
257
Audit Handle ManipulationNo Auditing
258
Audit Kernel ObjectFailure
259
Audit Other Object Access EventsNo Auditing
260
Audit RegistryFailure
261
Audit Removable StorageSuccess and Failure
262
Audit SAMSuccess and Failure
263
Audit Central Access Policy StagingFailure
264
265
Advanced Audit Policies > Local Group Policy Object > Policy Change
266
267
Audit Audit Policy ChangeSuccess and Failure
268
Audit Authentication Policy ChangeSuccess
269
Audit Authorization Policy ChangeSuccess
270
Audit Filtering Platform Policy ChangeNo Auditing
271
Audit MPSSVC Rule-Level Policy ChangeNo Auditing
272
Audit Other Policy Change EventsSuccess and Failure
273
274
Advanced Audit Policies > Local Group Policy Object > Privilege Use
275
276
Audit Non Sensitive Privilege UseFailure
277
Audit Other Privilege Use EventsNo Auditing
278
Audit Sensitive Privilege UseSuccess and Failure
279
280
Advanced Audit Policies > Local Group Policy Object > System
281
282
Audit IPsec DriverSuccess and Failure
283
Audit Other System EventsNo Auditing
284
Audit Security State ChangeSuccess and Failure
285
Audit Security System ExtensionSuccess and Failure
286
Audit System IntegritySuccess and Failure
287
288
Advanced Audit Policies > Local Group Policy Object > Global Object Access Auditing
289
290
File SystemPrinicipal: Everyone Permissions: All Audit: All
291
RegistryPrinicipal: Everyone Permissions: All Audit: All
292
293
294
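
To check the Advanced Audit Policies tables against what the machine actually enforces, an added PowerShell example, not part of the chart: it parses the CSV form of auditpol /get and, for each listed subcategory that differs, prints the auditpol /set line that would correct it without running it. The subcategory list is a subset of the tables above, spelled the way auditpol reports the names.

```powershell
# Added example (not from the original chart): read the effective advanced audit
# policy as CSV with "auditpol /get /category:* /r", compare the subcategories
# below with the Advanced Audit Policies tables, and print the auditpol /set
# command that would fix each mismatch. Nothing is changed; run elevated.

# Subcategory names exactly as auditpol reports them, values as in the tables.
$expected = [ordered]@{
    'Credential Validation'       = 'Success and Failure'
    'User Account Management'     = 'Success and Failure'
    'Security Group Management'   = 'Success and Failure'
    'Process Creation'            = 'Success'
    'Process Termination'         = 'No Auditing'
    'Logon'                       = 'Success and Failure'
    'Logoff'                      = 'Success'
    'Account Lockout'             = 'Failure'
    'Special Logon'               = 'Success'
    'File System'                 = 'Failure'
    'Registry'                    = 'Failure'
    'Kernel Object'               = 'Failure'
    'Removable Storage'           = 'Success and Failure'
    'SAM'                         = 'Success and Failure'
    'Audit Policy Change'         = 'Success and Failure'
    'Sensitive Privilege Use'     = 'Success and Failure'
    'Non Sensitive Privilege Use' = 'Failure'
    'Security State Change'       = 'Success and Failure'
    'Security System Extension'   = 'Success and Failure'
    'System Integrity'            = 'Success and Failure'
    'IPsec Driver'                = 'Success and Failure'
    'Other System Events'         = 'No Auditing'
}

# /r output has the columns Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting. Drop blank lines
# before parsing so the header is the first record ConvertFrom-Csv sees.
$current = @{}
auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv |
    ForEach-Object { $current[$_.Subcategory.Trim()] = $_.'Inclusion Setting'.Trim() }

# auditpol /set takes success and failure as separate enable/disable switches.
function Get-AuditpolFix([string]$Subcategory, [string]$Setting) {
    $success = if ($Setting -match 'Success') { 'enable' } else { 'disable' }
    $failure = if ($Setting -match 'Failure') { 'enable' } else { 'disable' }
    'auditpol /set /subcategory:"{0}" /success:{1} /failure:{2}' -f $Subcategory, $success, $failure
}

$mismatches = 0
foreach ($sub in $expected.Keys) {
    $actual = if ($current.ContainsKey($sub)) { $current[$sub] } else { '<not reported>' }
    if ($actual -ne $expected[$sub]) {
        $mismatches++
        'DIFF {0,-28} expected="{1}" actual="{2}"' -f $sub, $expected[$sub], $actual
        '     ' + (Get-AuditpolFix -Subcategory $sub -Setting $expected[$sub])
    }
}
"$mismatches subcategory setting(s) differ from the chart."
```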