Comparison of the Local Policy in STACKIT Windows Server
Last updated on
Some settings of the STACKIT Local Policy (LGPO) for Windows Server 2016 and Windows Server 2019 differ from the default Microsoft Local Policy. The following table lists all differences in detail; a dash (-) marks a setting that is not configured in that policy.
| Policy type | Policy group / registry key | Policy setting | Default LGPO | STACKIT W2k16 LGPO | STACKIT W2k19 LGPO |
|---|---|---|---|---|---|
| Audit Policy | Account Logon | Credential Validation | Success | Success and Failure | Success and Failure |
| Audit Policy | Account Management | Other Account Management Events | No Auditing | Success and Failure | Success and Failure |
| Audit Policy | Account Management | Security Group Management | Success | Success and Failure | Success and Failure |
| Audit Policy | Account Management | User Account Management | Success | Success and Failure | Success and Failure |
| Audit Policy | Detailed Tracking | PNP Activity | No Auditing | Success | Success |
| Audit Policy | Detailed Tracking | Process Creation | No Auditing | Success | Success |
| Audit Policy | Logon/Logoff | Account Lockout | Success | Success and Failure | Success and Failure |
| Audit Policy | Logon/Logoff | Group Membership | No Auditing | Success | Success |
| Audit Policy | Policy Change | Audit Policy Change | Success | Success and Failure | Success and Failure |
| Audit Policy | Policy Change | Authorization Policy Change | No Auditing | Success | Success |
| Audit Policy | Privilege Use | Sensitive Privilege Use | No Auditing | Success and Failure | Success and Failure |
| Audit Policy | System | IPsec Driver | No Auditing | Success and Failure | Success and Failure |
| Audit Policy | System | Security State Change | Success | Success and Failure | Success and Failure |
| Audit Policy | System | Security System Extension | No Auditing | Success and Failure | Success and Failure |
| HKLM | Software\Microsoft\Windows NT\CurrentVersion\Winlogon | AllocateDASD | - | 0 | 0 |
| HKLM | Software\Microsoft\Windows NT\CurrentVersion\Winlogon | CachedLogonsCount | 10 | 0 | 0 |
| HKLM | Software\Microsoft\Windows NT\CurrentVersion\Winlogon | PasswordExpiryWarning | 5 | 14 | 14 |
| HKLM | Software\Microsoft\Windows NT\CurrentVersion\Winlogon | ScRemoveOption | 0 | 1 | 1 |
| HKLM | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoAutorun | - | 1 | 1 |
| HKLM | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoDriveTypeAutoRun | - | 255 | 255 |
| HKLM | Software\Microsoft\Windows\CurrentVersion\Policies\System | DontDisplayLastUserName | 0 | 1 | 1 |
| HKLM | Software\Microsoft\Windows\CurrentVersion\Policies\System | FilterAdministratorToken | - | - | 0 |
| HKLM | Software\Microsoft\Windows\CurrentVersion\Policies\System | InactivityTimeoutSecs | - | 900 | 900 |
| HKLM | Software\Microsoft\Windows\CurrentVersion\Policies\System | MaxDevicePasswordFailedAttempts | - | 10 | 10 |
| HKLM | Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit | ProcessCreationIncludeCmdLine_Enabled | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Internet Explorer\Feeds | DisableEnclosureDownload | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode | Enable | - |  |  |
| HKLM | Software\Policies\Microsoft\SystemCertificates\AuthRoot | DisableRootAutoUpdate | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows NT\MitigationOptions | MitigationOptions_FontBocking | - | 1E+12 | 1E+12 |
| HKLM | Software\Policies\Microsoft\Windows NT\Printers | DisableWebPnPDownload | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows NT\Rpc | RestrictRemoteClients | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows NT\Terminal Services | AuthenticationLevel | - | 2 | 2 |
| HKLM | Software\Policies\Microsoft\Windows NT\Terminal Services | DisablePasswordSaving | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows NT\Terminal Services | fDisableCpm | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows NT\Terminal Services | fEncryptRPCTraffic | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows NT\Terminal Services | fPromptForPassword | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows NT\Terminal Services | MinEncryptionLevel | - | 3 | 3 |
| HKLM | Software\Policies\Microsoft\Windows NT\Terminal Services | SecurityLayer | - | 2 | 2 |
| HKLM | Software\Policies\Microsoft\Windows NT\Terminal Services | UserAuthentication | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows\AppCompat | DisableInventory | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows\DataCollection | AllowTelemetry | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows\EventLog\Application | AutoBackupLogFiles | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\EventLog\Application | MaxSize | - | 32768 | 32768 |
| HKLM | Software\Policies\Microsoft\Windows\EventLog\Application | Retention | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\EventLog\Security | AutoBackupLogFiles | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\EventLog\Security | MaxSize | - | 196608 | 196608 |
| HKLM | Software\Policies\Microsoft\Windows\EventLog\Security | Retention | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\EventLog\Setup | AutoBackupLogFiles | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\EventLog\System | AutoBackupLogFiles | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\EventLog\System | MaxSize | - | 32768 | 32768 |
| HKLM | Software\Policies\Microsoft\Windows\EventLog\System | Retention | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\Explorer | NoAutoplayfornonVolume | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows\Explorer | NoHeapTerminationOnCorruption | - | 0 | 0 |
| HKLM | `Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}` | NoBackgroundPolicy | - | 0 | 0 |
| HKLM | `Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}` | NoGPOListChanges | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\Installer | AlwaysInstallElevated | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\Installer | EnableUserControl | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\LanmanWorkstation | AllowInsecureGuestAuth | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths | `\\*\NETLOGON` | - | RequireIntegrity=1, RequireMutualAuthentication=1 | RequireIntegrity=1, RequireMutualAuthentication=1 |
| HKLM | Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths | `\\*\SYSVOL` | - | RequireIntegrity=1, RequireMutualAuthentication=1 | RequireIntegrity=1, RequireMutualAuthentication=1 |
| HKLM | Software\Policies\Microsoft\Windows\Personalization | NoLockScreenSlideshow | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows\PowerShell | EnableScripts | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows\PowerShell | ExecutionPolicy | - | Unrestricted | Unrestricted |
| HKLM | Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging | EnableScriptBlockLogging | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows\SettingSync | DisableSettingSync | - | 2 | 2 |
| HKLM | Software\Policies\Microsoft\Windows\SettingSync | DisableSettingSyncUserOverride | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows\System | DontDisplayNetworkSelectionUI | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows\System | EnableSmartScreen | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\System | EnumerateLocalUsers | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | 6to4_State | - | Disabled | Disabled |
| HKLM | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | ISATAP_State | - | Disabled | Disabled |
| HKLM | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | Teredo_State | - | Disabled | Disabled |
| HKLM | Software\Policies\Microsoft\Windows\Windows Search | AllowCortana | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\Windows Search | AllowIndexingEncryptedStoresOrItems | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\WinRM\Client | AllowUnencryptedTraffic | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\WinRM\Service | DisableRunAs | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall | PolicyVersion | - | 541 | 541 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\DomainProfile | AllowLocalIPsecPolicyMerge | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\DomainProfile | AllowLocalPolicyMerge | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\DomainProfile | DefaultInboundAction | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\DomainProfile | DefaultOutboundAction | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\DomainProfile | DisableNotifications | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\DomainProfile | DisableUnicastResponsesToMulticastBroadcast | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\DomainProfile | EnableFirewall | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging | LogDroppedPackets | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging | LogFileSize | - | 4096 | 4096 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\FirewallRules | FPS-ICMP4-ERQ-In | - | `v2.20\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=1\|ICMP4=8:*\|Name=@FirewallAPI.dll,-28543\|Desc=@FirewallAPI.dll,-28547\|EmbedCtxt=@FirewallAPI.dll,-28502\|` | `v2.20\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=1\|ICMP4=8:*\|Name=@FirewallAPI.dll,-28543\|Desc=@FirewallAPI.dll,-28547\|EmbedCtxt=@FirewallAPI.dll,-28502\|` |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\FirewallRules | FPS-ICMP6-ERQ-In | - | `v2.20\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=58\|ICMP6=128:*\|Name=@FirewallAPI.dll,-28545\|Desc=@FirewallAPI.dll,-28547\|EmbedCtxt=@FirewallAPI.dll,-28502\|` | `v2.20\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=58\|ICMP6=128:*\|Name=@FirewallAPI.dll,-28545\|Desc=@FirewallAPI.dll,-28547\|EmbedCtxt=@FirewallAPI.dll,-28502\|` |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\FirewallRules | RemoteDesktop-Shadow-In-TCP | - | `v2.20\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=6\|App=%SystemRoot%\system32\RdpSa.exe\|Name=@FirewallAPI.dll,-28778\|Desc=@FirewallAPI.dll,-28779\|EmbedCtxt=@FirewallAPI.dll,-28752\|Edge=TRUE\|Defer=App\|` | `v2.20\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=6\|App=%SystemRoot%\system32\RdpSa.exe\|Name=@FirewallAPI.dll,-28778\|Desc=@FirewallAPI.dll,-28779\|EmbedCtxt=@FirewallAPI.dll,-28752\|Edge=TRUE\|Defer=App\|` |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\FirewallRules | RemoteDesktop-UserMode-In-TCP | - | `v2.20\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=6\|LPort=3389\|App=%SystemRoot%\system32\svchost.exe\|Svc=termservice\|Name=@FirewallAPI.dll,-28775\|Desc=@FirewallAPI.dll,-28756\|EmbedCtxt=@FirewallAPI.dll,-28752\|` | `v2.20\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=6\|LPort=3389\|App=%SystemRoot%\system32\svchost.exe\|Svc=termservice\|Name=@FirewallAPI.dll,-28775\|Desc=@FirewallAPI.dll,-28756\|EmbedCtxt=@FirewallAPI.dll,-28752\|` |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\FirewallRules | RemoteDesktop-UserMode-In-UDP | - | `v2.20\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=17\|LPort=3389\|App=%SystemRoot%\system32\svchost.exe\|Svc=termservice\|Name=@FirewallAPI.dll,-28776\|Desc=@FirewallAPI.dll,-28777\|EmbedCtxt=@FirewallAPI.dll,-28752\|` | `v2.20\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=17\|LPort=3389\|App=%SystemRoot%\system32\svchost.exe\|Svc=termservice\|Name=@FirewallAPI.dll,-28776\|Desc=@FirewallAPI.dll,-28777\|EmbedCtxt=@FirewallAPI.dll,-28752\|` |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PrivateProfile | AllowLocalIPsecPolicyMerge | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PrivateProfile | AllowLocalPolicyMerge | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PrivateProfile | DefaultInboundAction | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PrivateProfile | DefaultOutboundAction | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PrivateProfile | DisableNotifications | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PrivateProfile | DisableUnicastResponsesToMulticastBroadcast | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PrivateProfile | EnableFirewall | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging | LogDroppedPackets | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging | LogFileSize | - | 4096 | 4096 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PublicProfile | AllowLocalIPsecPolicyMerge | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PublicProfile | AllowLocalPolicyMerge | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PublicProfile | DefaultInboundAction | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PublicProfile | DefaultOutboundAction | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PublicProfile | DisableNotifications | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PublicProfile | DisableUnicastResponsesToMulticastBroadcast | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PublicProfile | EnableFirewall | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging | LogDroppedPackets | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging | LogFileSize | - | 4096 | 4096 |
| HKLM | System\CurrentControlSet\Control\Lsa | FullPrivilegeAuditing | 00 | 0 | 0 |
| HKLM | System\CurrentControlSet\Control\Lsa | LmCompatibilityLevel | - | 5 | 5 |
| HKLM | System\CurrentControlSet\Control\Lsa | RestrictAnonymous | 0 | 1 | 1 |
| HKLM | System\CurrentControlSet\Control\Lsa | SCENoApplyLegacyAuditPolicy | - | 1 | 1 |
| HKLM | System\CurrentControlSet\Control\Lsa | UseMachineId | - | 1 | 1 |
| HKLM | System\CurrentControlSet\Control\Lsa\MSV1_0 | allownullsessionfallback | - | 0 | 0 |
| HKLM | System\CurrentControlSet\Control\Lsa\MSV1_0 | NTLMMinClientSec | 536870912 | 537395200 | 537395200 |
| HKLM | SYSTEM\CurrentControlSet\Control\Print\Providers | EventLog | 3 | - | 1 |
| HKLM | SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest | UseLogonCredential | - | 1 | 1 |
| HKLM | SYSTEM\CurrentControlSet\Policies\EarlyLaunch | DriverLoadPolicy | - | 1 | 1 |
| HKLM | System\CurrentControlSet\Services\LanManServer\Parameters | enablesecuritysignature | 0 | 1 | 1 |
| HKLM | System\CurrentControlSet\Services\LanManServer\Parameters | NullSessionPipes | - | - | |
| HKLM | System\CurrentControlSet\Services\LanManServer\Parameters | requiresecuritysignature | 0 | 1 | 1 |
| HKLM | System\CurrentControlSet\Services\LanmanWorkstation\Parameters | RequireSecuritySignature | 0 | 1 | 1 |
| HKLM | SYSTEM\CurrentControlSet\Services\Netbt\Parameters | NoNameReleaseOnDemand | - | 1 | 1 |
| HKLM | SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | DisableIPSourceRouting | - | 2 | 2 |
| HKLM | SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | EnableICMPRedirect | 1 | 0 | 0 |
| HKLM | SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters | DisableIPSourceRouting | - | 2 | 2 |
| Security Template | Event Audit | AuditSystemEvents | 0 | 3 | 3 |
| Security Template | Privilege Rights | SeBackupPrivilege | *S-1-5-32-544, *S-1-5-32-551 | *S-1-5-32-544 | *S-1-5-32-544 |
| Security Template | Privilege Rights | SeChangeNotifyPrivilege | *S-1-1-0, *S-1-5-19, *S-1-5-20, *S-1-5-32-544, *S-1-5-32-545, *S-1-5-32-551 | *S-1-5-11, *S-1-5-19, *S-1-5-20, *S-1-5-32-544, *S-1-5-32-551 | *S-1-5-11, *S-1-5-19, *S-1-5-20, *S-1-5-32-544, *S-1-5-32-551 |
| Security Template | Privilege Rights | SeDenyBatchLogonRight | (empty) | *S-1-5-32-546 | *S-1-5-32-546 |
| Security Template | Privilege Rights | SeDenyInteractiveLogonRight | (empty) | *S-1-5-32-546 | *S-1-5-32-546 |
| Security Template | Privilege Rights | SeDenyNetworkLogonRight | (empty) | *S-1-5-32-546 | *S-1-5-32-546 |
| Security Template | Privilege Rights | SeDenyRemoteInteractiveLogonRight | (empty) | *S-1-5-32-546 | *S-1-5-32-546 |
| Security Template | Privilege Rights | SeIncreaseBasePriorityPrivilege | *S-1-5-32-544, *S-1-5-90-0 | - | *S-1-5-32-544 |
| Security Template | Privilege Rights | SeIncreaseWorkingSetPrivilege | *S-1-5-32-545 | *S-1-5-19, *S-1-5-32-544 | *S-1-5-19, *S-1-5-32-544 |
| Security Template | Privilege Rights | SeInteractiveLogonRight | *S-1-5-32-544, *S-1-5-32-545, *S-1-5-32-551 | *S-1-5-32-544 | *S-1-5-32-544 |
| Security Template | Privilege Rights | SeNetworkLogonRight | *S-1-1-0, *S-1-5-32-544, *S-1-5-32-545, *S-1-5-32-551 | *S-1-5-11, *S-1-5-32-544 | *S-1-5-11, *S-1-5-32-544 |
| Security Template | Privilege Rights | SeRestorePrivilege | *S-1-5-32-544, *S-1-5-32-551 | *S-1-5-32-544 | *S-1-5-32-544 |
| Security Template | Privilege Rights | SeShutdownPrivilege | *S-1-5-32-544, *S-1-5-32-551 | *S-1-5-32-544 | *S-1-5-32-544 |
| Security Template | Privilege Rights | SeSystemTimePrivilege | - | *S-1-5-19, *S-1-5-32-544 | *S-1-5-19, *S-1-5-32-544 |
| Security Template | System Access | ForceLogoffWhenHourExpire | 0 | 1 | 1 |
| Security Template | System Access | LockoutBadCount | 0 | 5 | 5 |
| Security Template | System Access | LockoutDuration | - | 5 | 5 |
| Security Template | System Access | MinimumPasswordLength | 0 | 14 | 14 |
| Security Template | System Access | ResetLockoutCount | - | 5 | 5 |
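To verify that a server still carries the STACKIT values from the table (for example after a rebuild or a manual change), the following drift check can be run on the machine. It is an added example and not part of the STACKIT documentation or tooling; the function name `Test-StackitPolicyDrift` and the selection of keys in `$Expected` are the author's own choices, and it covers only a representative subset of the HKLM rows above.

```powershell
# Added example: compare a subset of the STACKIT LGPO registry values from the
# table above with the live registry and report MISSING or DRIFT entries.
# Run in an elevated PowerShell session on the Windows Server being checked.
# $Expected holds (path under HKLM, value name, expected STACKIT value).
$Expected = @(
    @{ Path = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';            Name = 'CachedLogonsCount';                      Value = '0' },
    @{ Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';         Name = 'DontDisplayLastUserName';                Value = '1' },
    @{ Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';         Name = 'InactivityTimeoutSecs';                  Value = '900' },
    @{ Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit';   Name = 'ProcessCreationIncludeCmdLine_Enabled';  Value = '1' },
    @{ Path = 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';          Name = 'UserAuthentication';                     Value = '1' },
    @{ Path = 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';          Name = 'MinEncryptionLevel';                     Value = '3' },
    @{ Path = 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';          Name = 'SecurityLayer';                          Value = '2' },
    @{ Path = 'SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'; Name = 'EnableScriptBlockLogging';               Value = '1' },
    @{ Path = 'SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation';             Name = 'AllowInsecureGuestAuth';                 Value = '0' },
    @{ Path = 'SOFTWARE\Policies\Microsoft\Windows\WinRM\Client';                  Name = 'AllowUnencryptedTraffic';                Value = '0' },
    @{ Path = 'SOFTWARE\Policies\Microsoft\Windows\WinRM\Service';                 Name = 'DisableRunAs';                           Value = '1' },
    @{ Path = 'SOFTWARE\Policies\Microsoft\Windows\EventLog\Security';             Name = 'MaxSize';                                Value = '196608' },
    @{ Path = 'SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';         Name = 'EnableFirewall';                         Value = '1' },
    @{ Path = 'SYSTEM\CurrentControlSet\Control\Lsa';                              Name = 'LmCompatibilityLevel';                   Value = '5' },
    @{ Path = 'SYSTEM\CurrentControlSet\Control\Lsa';                              Name = 'RestrictAnonymous';                      Value = '1' },
    @{ Path = 'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters';         Name = 'requiresecuritysignature';               Value = '1' },
    @{ Path = 'SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters';    Name = 'RequireSecuritySignature';               Value = '1' },
    @{ Path = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';                Name = 'DisableIPSourceRouting';                 Value = '2' },
    @{ Path = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';                Name = 'EnableICMPRedirect';                     Value = '0' }
)

function Test-StackitPolicyDrift {
    param([hashtable[]]$Checks = $Expected)
    foreach ($c in $Checks) {
        $regPath = "HKLM:\$($c.Path)"
        # A missing key or value name yields $null rather than an error.
        $item   = Get-ItemProperty -Path $regPath -Name $c.Name -ErrorAction SilentlyContinue
        $actual = $null
        if ($null -ne $item) { $actual = $item.($c.Name) }
        # Compare as strings so REG_SZ ("0") and REG_DWORD (0) values are treated alike.
        $status = 'OK'
        if ($null -eq $actual)                          { $status = 'MISSING' }
        elseif ([string]$actual -ne [string]$c.Value)   { $status = 'DRIFT' }
        [pscustomobject]@{
            Status = $status; Key = $c.Path; Name = $c.Name
            Expected = $c.Value; Actual = $actual
        }
    }
}

# Show only the entries that deviate from the STACKIT baseline.
Test-StackitPolicyDrift | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

Values that the table marks with a dash are intentionally left out of `$Expected`, since there is no baseline value to compare against; the Audit Policy and Security Template rows are not registry values and would need `auditpol /get` and `secedit /export` instead.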