
B.1 Windows Settings

Computer Configuration\Windows Settings

B.1.1 Security Settings

Computer Configuration\Windows Settings\Security Settings

There are seven areas of security settings: Account Policies, Local Policies, Event Log Settings, Restricted Groups, System Services, Registry, and File System. You can add security to any of these areas by defining security settings in a Group Policy object (GPO) that is associated with a domain or an organizational unit (OU).

B.1.1.1 Restricted Groups
Computer Configuration\Windows Settings\Security Settings\Restricted Groups

This is where administrators can define properties for restricted groups (security-sensitive groups). Administrators can define two properties:

Members

Defines who belongs to the restricted group.

Member Of

Defines which other groups the restricted group belongs to.

When a restricted Group Policy is applied, members of a restricted group that are not on the Members list are deleted. Users on the Members list who aren't currently members of the restricted group are added.

B.1.1.2 System Services
Computer Configuration\Windows Settings\Security Settings\System Services

Enabling this policy allows administrators to specify a start-up mode (the choices are manual, automatic, or disabled).

Enabling this policy also allows administrators to specify access permissions for system services (the ability to start, stop, or pause).

B.1.1.3 Registry
Computer Configuration\Windows Settings\Security Settings\Registry

Enabling this policy allows administrators to define access permissions (DACLs) and audit settings (SACLs) for their systems' registry keys. Note that only Group Policy objects associated with domains, OUs, and sites have an available Registry folder.

B.1.1.4 File System
Computer Configuration\Windows Settings\Security Settings\File system

Allows an administrator to define access permissions (DACLs) and audit settings (SACLs) for filesystem objects. Note that only Group Policy objects associated with domains, OUs, and sites have an available File System folder.

B.1.1.5 Account Policies
Computer Configuration\Windows Settings\Security Settings\Account Policies
B.1.1.5.1 Password Policies
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
Enforce password history

Enabling this policy allows you to specify the number of unique passwords a user must utilize before a password can be repeated.

Maximum password age

Enabling this policy allows you to specify how long a password can be used on your system before it must be changed by the user. Note that you can set the number of days to 0, which allows users to use passwords indefinitely.

Minimum password age

Enabling this policy allows you to specify the minimum amount of time a password can be used on your system before it must be changed by the user. Note that you can set the number of days to 0, which allows users to change passwords immediately. The number used for the minimum password age must be less than that used for the maximum password age.

Minimum password length

Enabling this policy allows you to specify the minimum number of characters a user's password must contain. Setting the number to 0 establishes that no password is required. You can set this length to any number between 1 and 14.

Passwords must meet complexity requirements of the installed password filter

If you enable this policy, all system passwords must meet the requirements of the default password filter (passfilt.dll) included with Windows 2000. These requirements include using passwords that are at least six characters long and barring the use of the user's account name in the password. Note that the .dll supplied by Microsoft can't be modified, but you can write or install your own rules in your own passfilt.dll file.

Store password using reversible encryption for all users in the domain

Controls whether or not Windows 2000 stores passwords using reversible encryption. Most administrators don't choose to enable this policy, as storing passwords using reversible encryption closely resembles clear-text versions of the passwords. Enable this policy only if your application requirements surpass the need for protected password information.

User must log on to change password

Enabling this policy requires users to log on before they can change their password. As a result, users whose password has expired can't log on to change it; system administrators then have to make the password change for these users. This policy is disabled by default.

B.1.1.5.2 Account Lockout Policy
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
Account lockout threshold

Enabling this policy allows you to set up the number of failed logons a user must make to be locked out of an account. You can choose a number between 1 and 999. This setting is disabled by default.

Account lockout duration

Enabling this policy allows you to set the number of minutes that an account stays locked out. You can choose a number between 1 and 99999, or you can set the value to 0 to keep the account locked until an administrator unlocks it. This setting isn't defined by default, as it only pertains to systems that have an Account lockout threshold policy set up.

Reset account lockout counter after

Enabling this policy allows you to set the number of minutes that must pass before the bad logon attempt counter is reset to zero. You can choose a number between 1 and 99999. This setting isn't defined by default, as it pertains only to systems that have an Account lockout threshold policy set up.

B.1.1.5.3 Kerberos Policy
Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy
Enforce user logon restrictions

Enabling this policy ensures that the Kerberos Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the target computer. You may choose not to enable this policy because it can slow down network access to services.

Maximum lifetime for service ticket

Enabling this policy allows you to set the maximum number of minutes a user can utilize a granted session ticket to access a particular service. Note that this number must be higher than ten and must be less than or equal to the setting for Maximum lifetime for user ticket.

Maximum lifetime for user ticket

Enabling this policy allows you to set the maximum number of hours a user's ticket-granting ticket (TGT) may be utilized. A new user's ticket can be requested or the ticket can be renewed in the event that it expires. The default for this setting is ten hours.

Maximum lifetime for user ticket renewal

Enabling this policy allows you to set the number of days a user's ticket-granting ticket (TGT) may be renewed. The default for this setting is seven days.

Maximum tolerance for computer clock synchronization

Enabling this policy allows you to set the maximum number of minutes Kerberos allows between a client's clock and the server's clock while still considering the two clocks synchronized. This setting is important because Kerberos uses timestamps that require both clocks to be in sync to work properly.

B.1.1.6 Local Policies
Computer Configuration\Windows Settings\Security Settings\Local Policies
B.1.1.6.1 Audit Policy
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
Audit account logon events

Controls a computer's ability to audit each instance of a user logging on or off another computer when the primary computer was used to validate the account. If you choose to define this policy, you have a choice of specifying whether to audit successes, failures, or not to audit the event type at all.

Audit account management

Controls a computer's ability to audit each event of account management. An example of an account management event is setting or changing a password. This value is set to No auditing by default.

Audit directory service access

Controls whether or not the system audits the event of a user accessing an Active Directory object that has specified its own system access control list (SACL). This value is set to No auditing by default.

Audit logon events

Controls whether or not the system audits each instance of a user logging on, logging off, or making a network connection to this computer. If you choose to define this policy, you have a choice of specifying whether to audit successes, failures, or not to audit the event type at all. This value is set to No auditing by default.

Audit object access

Controls whether or not the system audits each instance of a user accessing an object -- a file or folder, for instance -- that has specified its own system access control list (SACL). If you choose to define this policy, you have a choice of specifying whether to audit successes, failures, or not to audit the event type at all. This value is set to No auditing by default.

Audit policy change

Controls whether or not the system audits every incidence of a change to user rights assignment policies, audit policies, or trust policies. If you choose to define this policy, you have a choice of specifying whether to audit successes, failures, or not to audit the event type at all. This value is set to No auditing by default.

Audit privilege use

Controls whether or not the system audits each instance of a user exercising a user right. If you choose to define this policy, you have a choice of specifying whether to audit successes, failures, or not to audit the event type at all. This value is set to No auditing by default.

Audit process tracking

Controls whether or not the system audits detailed tracking information for events such as program activation, handle duplication, and indirect object access. If you choose to define this policy, you have a choice of specifying whether to audit successes, failures, or not to audit the event type at all. This value is set to No auditing by default.

Audit system events

Controls whether or not the system audits when a user restarts or shuts down the computer, or an event has occurred that affects either the system security or the security log. If you choose to define this policy, you have a choice of specifying whether to audit successes, failures, or not to audit the event type at all. This value is set to No auditing by default.
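The Account Policies, Kerberos Policy and Audit Policy entries above state constraints (minimum password age below maximum, service ticket lifetime above ten minutes and no longer than the user ticket, every audit category defaulting to No auditing). The following checker is an added example, not code from the book: it parses a security template in the INF layout that `secedit /export /cfg` writes and flags values that break those constraints or keep the weak defaults. The key names are the ones secedit uses for these settings; the sample template is constructed, not captured from a real system.

```python
import configparser
from typing import Dict, List, Tuple

# Constructed sample in the INF layout `secedit /export /cfg file.inf` writes.
# Real exports are UTF-16LE: read them with open(path, encoding="utf-16").
SAMPLE_INF = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 4
PasswordComplexity = 1
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 1
[Kerberos Policy]
MaxTicketAge = 10
MaxServiceAge = 600
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
"""

# secedit key -> policy name in this appendix. Values: 0 = No auditing,
# 1 = success, 2 = failure, 3 = success and failure.
AUDIT_CATEGORIES = {
    "AuditAccountLogon": "Audit account logon events",
    "AuditAccountManage": "Audit account management",
    "AuditDSAccess": "Audit directory service access",
    "AuditLogonEvents": "Audit logon events",
    "AuditObjectAccess": "Audit object access",
    "AuditPolicyChange": "Audit policy change",
    "AuditPrivilegeUse": "Audit privilege use",
    "AuditProcessTracking": "Audit process tracking",
    "AuditSystemEvents": "Audit system events",
}


def parse_template(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INF into {section: {key: value}}; it is close enough to INI."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so MinimumPasswordLength stays readable
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def check_template(text: str) -> List[Tuple[str, str]]:
    """Return (secedit key, reason) pairs for values that violate the rules above."""
    tpl = parse_template(text)
    access = tpl.get("System Access", {})
    audit = tpl.get("Event Audit", {})
    kerb = tpl.get("Kerberos Policy", {})
    findings: List[Tuple[str, str]] = []

    def num(key: str, default: int = 0) -> int:
        return int(access.get(key, default))

    # Password policy: min age < max age, max age 0 = never expires,
    # length 0 = no password, passfilt.dll enforces at least 6 characters.
    if num("MaximumPasswordAge") == 0:
        findings.append(("MaximumPasswordAge", "0 lets passwords be used indefinitely"))
    elif num("MinimumPasswordAge") >= num("MaximumPasswordAge"):
        findings.append(("MinimumPasswordAge", "must be less than MaximumPasswordAge"))
    length = num("MinimumPasswordLength")
    if length == 0:
        findings.append(("MinimumPasswordLength", "0 means no password is required"))
    elif length < 6:
        findings.append(("MinimumPasswordLength", f"{length} is below the 6 passfilt.dll requires"))
    if num("ClearTextPassword") == 1:
        findings.append(("ClearTextPassword", "passwords stored with reversible encryption"))

    # Lockout policy: threshold 0 = lockout off; duration 0 = locked until an admin unlocks.
    if num("LockoutBadCount") == 0:
        findings.append(("LockoutBadCount", "0 leaves account lockout disabled"))
    elif num("LockoutDuration") == 0:
        findings.append(("LockoutDuration", "0 keeps accounts locked until an administrator unlocks them"))

    # Kerberos: service ticket lifetime (minutes) > 10 and <= user ticket lifetime (hours).
    if kerb:
        service_minutes = int(kerb.get("MaxServiceAge", 600))
        user_minutes = int(kerb.get("MaxTicketAge", 10)) * 60
        if service_minutes <= 10 or service_minutes > user_minutes:
            findings.append(("MaxServiceAge", "must exceed 10 minutes and not exceed MaxTicketAge"))

    # Audit policy: any category still at the default "No auditing".
    for key, name in AUDIT_CATEGORIES.items():
        if int(audit.get(key, 0)) == 0:
            findings.append((key, f"{name} is set to No auditing"))
    return findings
```

Run `check_template` over a real export to get the same list for a live machine; the sample yields the short password length, reversible encryption, and four unaudited categories.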

B.1.1.6.2 User Rights Assignment
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Access this computer from the network

Controls which users and groups have permissions to connect to the computer over the network. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Act as part of the operating system

If you enable this policy, a process can authenticate as any user, which allows the process to gain access to the same resources as any user. The LocalSystem account includes this privilege.

Add workstations to domain

Controls the groups or users who can add workstations to a domain. Note that this policy is valid only on domain controllers. By default, all authenticated users have this right.

Back up files and directories

This policy allows you to specify which users can back up the system by circumventing file and directory permissions. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Bypass traverse checking

Controls which users can traverse directory trees, even if users don't have permissions on the traversed directory. Note that users can't list the contents of a directory as a result of this privilege. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Change the system time

This policy allows you to specify which users and groups can change the time and date on the internal clock of the computer. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Create a pagefile

This policy allows you to specify which users and groups can create and change the size of a pagefile. The default setting allows administrators to create pagefiles. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Create a token object

Controls which accounts can be used by processes to create a token that can then be used to gain access to any local resources when the process uses NtCreateToken() or other token-creation APIs. Using the LocalSystem account is recommended for processes that require this privilege. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Create permanent shared objects

If you enable this policy, you can specify which accounts can be used by processes to create a directory object in the Windows 2000 object manager. Only the LocalSystem account has this right by default. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Debug programs

If you enable this policy, you can specify which users can attach a debugger to any process. Note that users with this capability will have powerful access to sensitive and critical operating system components. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Deny access to this computer from the network

If you enable this policy, you can specify which users can't access a computer over the network. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Deny logon as a batch job

If you enable this policy, you can specify which accounts can't log on as a batch job. No users are denied logon as a batch job by default. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Deny logon as a service

Enabling this policy allows you to specify which service accounts can't register a process as a service. No accounts are denied logon as a service by default. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Deny logon locally

Enabling this policy allows you to specify which users can't log on at the computer. No accounts are denied the ability to log on locally by default. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Enable computer and user accounts to be trusted for delegation

Enabling this policy allows you to specify which users can set the Trusted for Delegation setting on a user or computer object. Note that users or objects must have write access to the account control flags on the user or computer object to utilize this privilege. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Force shutdown from a remote system

Enabling this policy allows you to specify which users can shut down a computer from a remote location on the network. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Generate security audits

Enabling this policy allows you to specify the accounts that can be used by a process to add entries to the security log. You can use the security log to trace unauthorized access on your system. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Increase quotas

Enabling this policy allows you to specify which accounts can use a process with write property access to another process to increase the processor quota assigned to the other process. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Increase scheduling priority

Enabling this policy allows you to specify which accounts can use a process with write property access to another process in order to increase the execution priority assigned to the other process. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Load and unload device drivers

Enabling this policy allows you to specify which users can dynamically load and unload device drivers, which is necessary for installing drivers for plug and play devices. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Lock pages in memory

Controls the accounts that can use a process to keep data in physical memory. Enabling this policy can adversely affect your system's performance. This policy is obsolete.

Log on as a batch job

If you enable this policy, a user can be logged on through a batch-queue facility. The LocalSystem account is the only account that has this privilege by default. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Log on as a service

Enabling this policy allows you to specify which service accounts can register a process as a service. No accounts have this privilege by default. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Log on locally

Enabling this policy allows you to specify which users can log on at the computer. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Manage auditing and security log

Enabling this policy allows you to specify which users can specify object access auditing options for individual resources such as files and Active Directory objects. Only administrators can manage auditing by default. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Modify firmware environment variables

If you enable this policy, you can specify which users can modify systemwide environment variables. Administrators and LocalSystem accounts have this privilege by default. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Profile single process

Controls which users can use Windows NT and Windows 2000 performance monitoring tools to monitor the performance of nonsystem processes. Administrators and LocalSystem accounts have this privilege by default. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Profile system performance

Controls which users can use Windows NT and Windows 2000 performance monitoring tools to monitor the performance of system processes. Administrators and LocalSystem accounts have this privilege by default. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Remove computer from docking station

Enabling this policy allows you to specify which users can undock a laptop computer from its docking station. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Replace a process level token

Enabling this policy allows you to specify which user accounts can initiate a process to replace the default token associated with a launched subprocess. LocalSystem accounts have this privilege by default. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Restore files and directories

Enabling this policy allows you to specify two settings: which users can restore backed up files and directories by circumventing file and directory permissions, and which users can set any valid security principal as the owner of an object. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Shut down the system

Enabling this policy allows you to specify which users who are logged on locally to the computer can use the Shut Down command to shut down the operating system. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Synchronize directory service data

The initial release of Windows 2000 doesn't use this policy setting.

Take ownership of files or other objects

Enabling this policy allows you to specify which users can take ownership of any securable object in the system. These objects include Active Directory objects, files and folders, printers, Registry keys, processes, and threads. You can define this user right in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

B.1.1.6.3 Security Options
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Additional restrictions for anonymous access

If you enable this policy, you can set additional restrictions for anonymous users. Anonymous users have the same privileges as the Everyone group for a given resource by default.

Allow server operators to schedule tasks (domain controllers only)

If you enable this policy, members of the Server Operators group can submit AT schedule jobs on Domain Controllers. The default setting requires Administrator status to submit AT schedule jobs on Domain Controllers.

Allow system to be shut down without having to log on

If you enable this policy, users don't have to log on to Windows to shut down the computer. This policy puts the Shut Down command on the Windows logon screen.

Allowed to eject removable NTFS media

If you enable this policy, any interactive user can eject removable NTFS media from the computer. The default setting requires Administrator status to eject removable NTFS media from the computer.

Amount of idle time required before disconnecting a session

Enabling this policy allows administrators to define when a computer disconnects an inactive Server Message Block session. The default time is 15 minutes before disconnecting.

Audit the access of global system objects

Controls auditing of global system objects. System objects are created with a default system access control list (SACL) if this policy is enabled. Access to these system objects is audited when the Audit object access policy is also enabled.

Audit use of Backup and Restore Privilege

Controls whether every use of a user right, including Backup and Restore, is audited. Any instance of a user right being exercised is recorded in the security log when the Audit object access policy is also enabled.

Automatically log off users when logon time expires

Enabling this policy causes a client session with an SMB server to be forcibly disconnected when the client's logon hours have expired. Note that this policy is applied to all computers on the domain.

Automatically log off users when logon time expires (local)

Enabling this policy ensures that users are restricted to their valid logon hours. If they try to access or continue accessing the system outside their valid logon hours, they are forcibly disconnected.

Clear virtual memory pagefile when system shuts down

Controls whether or not your system clears the virtual memory pagefile when it shuts down. This policy may be useful to your organization if your system is configured to allow booting to other operating systems.

Digitally sign client communications (always)

Controls the computer's ability to digitally sign client communications. Enabling this policy ensures that client communications are always signed. This policy requires the Windows 2000 Server Message Block (SMB) client to perform SMB packet signing.

Digitally sign client communications (when possible)

Enabling this policy ensures that the Windows 2000 Server Message Block (SMB) client performs SMB packet signing when communicating with an SMB server that is enabled or required to perform SMB packet signing. This policy is enabled by default. You can find more information about using digital signatures in client/server communications by looking at the Digitally sign client communications (always) policy.

Digitally sign server communications (always)

The Windows 2000 Server Message Block (SMB) server must perform SMB packet signing if this policy is enabled. This policy is disabled by default. You can find more information about using digital signatures in client/server communications by looking at the Digitally sign client communications (when possible) policy.

Digitally sign server communications (when possible)

Enabling this policy causes the Windows 2000 Server Message Block (SMB) server to perform SMB packet signing when communicating with a client that is enabled or required to perform SMB packet signing. This policy is disabled by default. You can find more information about using digital signatures in client/server communications by looking at the Digitally sign client communications (always) policy.

Disable CTRL+ALT+DEL requirement for logon

Controls whether or not users must press CTRL+ALT+DEL to log on. Enabling this policy allows users to log on without pressing CTRL+ALT+DEL but creates a situation where the user's password can be intercepted by hackers.

Do not display last user name in logon screen

Enabling this policy ensures that the last user name accessed will not appear in the logon screen. This policy is disabled by default.

LAN Manager authentication level

Enabling this policy allows you to choose the challenge/response authentication protocol that is used for network logons on your system. You need to review your options carefully, as the protocol you choose affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows.

Message text for users attempting to log on

Enabling this policy allows you to specify a text message that is displayed to users when they log on.

Message title for users attempting to log on

Enabling this policy lets you add the specification of a title that appears in the title bar of the window that contains the Message text for users attempting to log on.

Number of previous logons to cache (in case domain controller is not available)

If you enable this policy, you can specify the number of times a user can log on to a system utilizing cached information. Cached information is used if a domain controller isn't available to provide the information. The default setting is 10.

Prevent system maintenance of computer account password

Windows 2000 generates a new password for the computer account once a week by default. If you enable this policy, this functionality is suppressed; new passwords aren't generated automatically.

Prevent users from installing printer drivers

Enabling this policy ensures that users can't install printer drivers. As a result, users can't add printers that don't use printer drivers that are already installed.

Prompt user to change password before expiration

Enabling this policy allows you to specify how far in advance users should be warned to change their password. The default setting is seven days.

Recovery Console: Allow automatic administrative logon

Enabling this policy allows users to log on to the Recovery Console without providing a password. This policy is disabled by default.

Recovery Console: Allow floppy copy and access to all drives and folders

If you enable this policy, the Recovery Console SET command is enabled. This allows you to choose to enable or ignore four Recovery Console environment variables: AllowWildCards, AllowAllPaths, AllowRemovableMedia, and NoCopyPrompt.

Rename administrator account

If you enable this policy, you can associate a different account name with the security identifier (SID) for the account "Administrator." Enabling this policy guards against hackers, who often search for Administrator accounts when damaging systems.

Rename guest account

If you enable this policy, you can associate a different account name with the security identifier (SID) for the account "Guest." Enabling this policy guards against hackers, who often search for Guest accounts when damaging systems.

Restrict CD-ROM access to locally logged-on user only

Enabling this policy makes CD-ROMs accessible first to an interactively logged-on user. If there is no interactively logged-on user, the CD-ROM can be shared across the network. If this policy is disabled, local and remote users can both access the CD-ROM at the same time.

Restrict floppy access to locally logged-on user only

Enabling this policy makes floppy media accessible first to an interactively logged-on user. If there is no interactively logged-on user, the floppy media can be shared across the network. If this policy is disabled, local and remote users can both access the floppy media at the same time.

Secure channel: Digitally encrypt or sign secure channel data (always)

Enabling this policy ensures that the system digitally encrypts or signs all outgoing secure channel traffic. Signing and encryption are negotiated if this policy is disabled, which it is by default.

Secure channel: Digitally encrypt secure channel data (when possible)

Enabling this policy ensures that the system digitally encrypts all outgoing secure channel traffic whenever possible. No encryption takes place if this policy is disabled. This policy is enabled by default.

Secure channel: Digitally sign secure channel data (when possible)

Enabling this policy ensures that the system signs all outgoing secure channel traffic whenever possible. No signing takes place if this policy is disabled. This policy is enabled by default.

Secure channel: Require strong (Windows 2000 or later) session key

Enabling this policy ensures that a strong encryption key is required for all outgoing secure channel traffic. The key strength is negotiated if this policy is disabled. This policy is disabled by default.

Secure system partition (for RISC platforms only)

Enabling this policy ensures that administrative access is required to access a RISC-based system partition (which must be FAT) while the operating system is running.

Send unencrypted password to connect to third-party SMB servers

Enabling this policy allows the Server Message Block (SMB) redirector to send clear-text passwords to non-Microsoft SMB servers. These servers don't support password encryption during authentication.

Shut down system immediately if unable to log security audits

Enabling this policy ensures that your system will shut down if a security audit can't be logged. Only an administrator can restart the system when this policy is enabled and such a shutdown occurs.

Smart card removal behavior

Enabling this policy allows you to define what happens when the smart card for a logged-on user is removed from the smart-card reader. You can choose from three options: No Action, Lock Workstation, or Force Logoff.

Strengthen default permissions of global system objects (e.g., symbolic links)

Controls the strength of the default discretionary access control list (DACL) for objects. If you enable this policy, non-admin users can read shared objects (they can't modify shared objects they didn't create) because the default DACL is stronger. This policy is enabled by default.

Unsigned driver installation behavior

Enabling this policy allows you to specify how your system reacts when an attempt is made to install a device driver (by means of the Windows 2000 device installer) that isn't certified by the Windows Hardware Quality Lab (WHQL). You can choose from three options: Silently succeed, Warn but allow installation, and Do not allow installation. Warn but allow installation is the default setting.

Unsigned non-driver installation behavior

Enabling this policy allows you to specify what should happen when an attempt is made to install any nondevice driver software that isn't certified. You can choose from three options: Silently succeed, Warn but allow installation, and Do not allow installation. Silently succeed is the default setting.

B.1.1.7 Event Log
Computer Configuration\Windows Settings\Security Settings\Event Log
B.1.1.7.1 Settings for Event Logs
Computer Configuration\Windows Settings\Security Settings\Event Log\Settings for Event Logs

Maximum application log size

Enabling this policy allows you to define the maximum size for the application event log. The maximum size is 4 GB, and the default setting is 512 KB. The policy can be enabled only in Group Policy objects associated with domains, OUs, and sites, because only these objects contain the necessary Event Log folder.

Maximum security log size

Enabling this policy allows you to define the maximum size for the security event log. The maximum size is 4 GB, and the default setting is 512 KB. The policy can be enabled only in Group Policy objects associated with domains, OUs, and sites because only these objects contain the necessary Event Log folder.

Maximum system log size

Enabling this policy allows you to define the maximum size for the system event log. The maximum size is 4 GB, and the default setting is 512 KB. The policy can be enabled only in Group Policy objects associated with domains, OUs, and sites because only these objects contain the necessary Event Log folder.

Restrict guest access to application log

If you enable this policy, guests can't view the application event log. This policy is disabled by default. The policy can be enabled only in Group Policy objects associated with domains, OUs, and sites because only these objects contain the necessary Event Log folder.

Restrict guest access to security log

If you enable this policy, guests can't view the security event log. This policy is disabled by default. The policy can be enabled only in Group Policy objects associated with domains, OUs, and sites because only these objects contain the necessary Event Log folder.

Restrict guest access to system log

If you enable this policy, guests can't view the system event log. This policy is disabled by default. The policy can be enabled only in Group Policy objects associated with domains, OUs, and sites because only these objects contain the necessary Event Log folder.

Retain application log

Enabling this policy allows you to specify how many days of events should be retained for the application log, if the retention method for the application log is "By Days." The policy can be enabled only in Group Policy objects associated with domains, OUs, and sites because only these objects contain the necessary Event Log folder.

Retain security log

Enabling this policy allows you to specify how many days of events should be retained for the security log, if the retention method for the security log is "By Days." The policy can be enabled only in Group Policy objects associated with domains, OUs, and sites because only these objects contain the necessary Event Log folder.

Retain system log

Enabling this policy allows you to specify how many days of events should be retained for the system log, if the retention method for the system log is "By Days." The policy can be enabled only in Group Policy objects associated with domains, OUs, and sites because only these objects contain the necessary Event Log folder.

Retention method for application log

Enabling this policy allows you to specify which "wrapping" method you use for the application log -- either Overwrite events as needed, Overwrite events by days, or Do not overwrite events. The policy can be enabled only in Group Policy objects associated with domains, OUs, and sites because only these objects contain the necessary Event Log folder.

Retention method for security log

Enabling this policy allows you to specify which "wrapping" method you will use for the security log -- either Overwrite events as needed, Overwrite events by days, or Do not overwrite events. The policy can be enabled only in Group Policy objects associated with domains, OUs, and sites because only these objects contain the necessary Event Log folder.

Retention method for system log

Enabling this policy allows you to specify which "wrapping" method you will use for the system log -- either Overwrite events as needed, Overwrite events by days, or Do not overwrite events. The policy can be enabled only in Group Policy objects associated with domains, OUs, and sites because only these objects contain the necessary Event Log folder.

Shut down the computer when the security audit log is full

The earlier "Shut down system immediately if unable to log security audits" policy should be used instead of this policy.
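As an added example (not from the book), the following Python check reads a security template in the INF layout that Group Policy security settings are stored in (GptTmpl.inf) and reports where the secure channel policies listed earlier and the security log settings above are left at their weak values; the Netlogon and Lsa registry value names, the [Security Log] keys, and their mapping to the policy names are this example's assumptions, not something the page states.

```python
NETLOGON = r"MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters"
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
SECURE_CHANNEL = {  # Netlogon value name -> policy as listed above (assumed mapping)
    "RequireSignOrSeal": "Digitally encrypt or sign secure channel data (always)",
    "SealSecureChannel": "Digitally encrypt secure channel data (when possible)",
    "SignSecureChannel": "Digitally sign secure channel data (when possible)",
    "RequireStrongKey": "Require strong (Windows 2000 or later) session key",
}
def parse_template(text):
    """Parse INI-style [Section] / key=value lines into nested dicts."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections
def reg_dword(sections, path):
    """Decode a 'type,value' entry under [Registry Values]; type 4 is REG_DWORD."""
    rtype, _, value = sections.get("Registry Values", {}).get(path, "").partition(",")
    return int(value) if rtype.strip() == "4" else None

def find_gaps(text):
    """Return findings for a template text; an empty list means it passes."""
    s = parse_template(text)
    gaps = [f"Secure channel: {name} is not enabled"
            for value, name in SECURE_CHANNEL.items()
            if reg_dword(s, NETLOGON + "\\" + value) != 1]
    log = s.get("Security Log", {})
    if log.get("RestrictGuestAccess") != "1":
        gaps.append("Restrict guest access to security log is not enabled")
    # Retention 2 is "Do not overwrite events"; with CrashOnAuditFail (shut down
    # if unable to log security audits) a full security log halts the host.
    if (log.get("AuditLogRetentionPeriod") == "2"
            and reg_dword(s, LSA + r"\CrashOnAuditFail") == 1):
        gaps.append("Do not overwrite events plus shut down on audit failure: a full log halts the host")
    return gaps

# Constructed sample: the defaults described above plus the shutdown-on-full-log caveat.
SAMPLE = f"""[Registry Values]
{NETLOGON}\\RequireSignOrSeal=4,0
{NETLOGON}\\SealSecureChannel=4,1
{NETLOGON}\\SignSecureChannel=4,1
{NETLOGON}\\RequireStrongKey=4,0
{LSA}\\CrashOnAuditFail=4,1
[Security Log]
AuditLogRetentionPeriod=2
RestrictGuestAccess=0
"""
```

Running `find_gaps(SAMPLE)` lists the two secure channel policies still off, the missing guest restriction, and the retention/shutdown combination; a template with those four values corrected returns an empty list.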
