Service pack and hotfixes
  Current service pack installed
  Software patches

Account and audit policies
  Account policies
    Minimum password length
    Maximum password age
    Minimum password age
    Password complexity
    Password history
    Store passwords using reversible encryption
  Audit policy
  Account lockout policy
  Event log settings
    Application log settings
    Security log settings
    System log settings

Security settings
  Allow anonymous SID/Name translation
  Do not allow anonymous enumeration of SAM accounts
  Do not allow anonymous enumeration of SAM accounts and shares
  Administrator account status
  Guest account status
  Limit local account use of blank passwords to console only
  Rename administrator account
  Rename guest account
  Audit the access of global system objects
  Audit the use of back-up and restore privileges
  Shut down system immediately if unable to log security events
  Allowed to format and eject removable media
  Prevent users from installing print drivers
  Restrict CD-ROM access to locally logged-on users only
  Restrict floppy disk access to locally logged-on users only
  Unsigned device driver behavior
  Allow server operators to schedule tasks
  LDAP server signing requirements
  Refuse Machine account password changes
  Digitally encrypt or sign secure channel data (always)
  Digitally encrypt secure channel data
  Digitally sign secure channel data
  Disable Machine account password changes
  Maximum Machine account password age
  Require strong (Windows® 2000 or later) session key
  Do not display last user name for interactive logon
  Do not require Ctrl+Alt+Del
  Message text for users attempting to log on
  Message title for users attempting to log on
  Number of previous logons to cache
  Require domain controller authentication to unlock workstation
  Require smart cards
  Smart card removal behavior
  Amount of idle time required before disconnecting session for Microsoft® Network Server
  Digitally sign communications for Microsoft® Network Server (always)
  Digitally sign communications for Microsoft® Network Server (if client agrees)
  Do not allow storage of credentials or .NET passports for network authentication
  Let Everyone permissions apply to anonymous users
  Named pipes that can be accessed anonymously
  Remotely accessible registry paths
  Restrict anonymous access to named shares and pipes
  Shares that can be accessed anonymously
  Sharing and security model for local accounts
  Do not store LAN Manager hash value on next password change
  LAN Manager authentication level
  LDAP client signing requirements
  Minimum session security for NTLM SSP-based (including secure RPC) clients
  Allow automatic administrative logon as part of recovery console
  Allow floppy copy and access to all drives and all folders for recovery console
  Allow system to be shut down without having to log on
  Clear virtual memory page file
  Default owner for objects created by members of the Administrators group
  Require case insensitivity for non-Windows® subsystems
  Strengthen default permissions of internal system objects
  Optional subsystems
  Use certificate rules on Windows® executables for software restriction policies
  (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended)
  (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended)
  (AFD MaximumDynamicBacklog) Maximum number of ‘quasi-free’ connections for Winsock applications
  (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for systems under attack, 10 otherwise)
  (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
  (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to denial of service)
  (EnableICMPRedirect) Allow ICMP redirects to override OSPF-generated routes
  (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible denial of service by an attacker using a small MTU)
  (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name-release requests except from WINS servers
  (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to denial of service)
  (SynAttackProtect) Syn attack protection level (protects against denial of service)
  (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged
  (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (three recommended, five is default)
  (TCPMaxPortsExhausted) How many dropped connect requests to initiate SYN attack protection (five is recommended)
  Disable autorun for all drives
  Enable safe DLL search mode
  Enable the server to stop generating 8.3 file names
  How often keep-alive packets are sent in milliseconds
  Percentage threshold at which the security event log will generate an alert
  The time in seconds before the screensaver grace period expires

Service settings
  Permissions on services
  Alerter
  Clipbook
  Fax service
  File replication
  FTP publishing service
  Help and support
  HTTP SSL
  IIS admin service
  Indexing service
  License logging server
  Messenger
  Microsoft® POP3 service
  NetMeeting remote desktop management service
  Network connections
  Network news transport protocol (NNTP)
  Print spooler
  Remote access connection manager
  Remote access auto-connection manager
  Remote administration service
  Remote desktop help session manager
  Remote installation
  Remote procedure call (RPC) locator
  Remote registry service
  Remote server manager
  Remote server monitor
  Remote storage notification
  Remote storage server
  Simple mail transfer protocol
  Simple network management protocol (SNMP) service
  Simple network management protocol (SNMP) traps
  Telephony
  Telnet
  Terminal services
  Trivial FTP service
  Wireless configuration
  World Wide Web publishing rights

User rights
  Access this computer from the network
  Act as part of the operating system
  Add workstations to the domain
  Adjust memory quota for a process
  Allow to log on locally
  Allow to log on through terminal services
  Back up files and directories
  Bypass traverse tracking
  Change the system time
  Create a pagefile
  Create a token object
  Create global objects
  Create permanent shared objects
  Debug programs
  Deny access to this computer from the network (minimum)
  Deny logon as a batch job
  Deny logon as a service
  Deny logon locally
  Deny logon through terminal services (minimum)
  Enable computer and user accounts to be trusted for delegation
  Force shutdown from a remote system
  Generate security audits
  Impersonate client after authentication
  Increase scheduling priority
  Load and unload device drivers
  Lock pages in memory
  Log on as a batch job
  Log on as a service
  Manage audit and security logs
  Modify firmware environment values
  Perform volume maintenance tasks
  Profile system performance
  Replace a process level token
  Restore files and directories
  Shut down the system
  Synchronise directory service data
  Take ownership of file or other object

File system permissions

Registry permissions

File and registry auditing