Comparison of Local Policy Settings in STACKIT Windows Server
Some settings of the STACKIT Local Policy (LGPO) for STACKIT Windows Server 2016 and STACKIT Windows Server 2019 deviate from the default Microsoft Local Policy. The following table lists all differences in detail.
| Policy Type | Policy Group / Registry Key | Policy Setting | Default LGPO | STACKIT W2k16 LGPO | STACKIT W2k19 LGPO |
|---|---|---|---|---|---|
| Audit Policy | Account Logon | Credential Validation | Success | Success and Failure | Success and Failure |
| Audit Policy | Account Management | Other Account Management Events | No Auditing | Success and Failure | Success and Failure |
| Audit Policy | Account Management | Security Group Management | Success | Success and Failure | Success and Failure |
| Audit Policy | Account Management | User Account Management | Success | Success and Failure | Success and Failure |
| Audit Policy | Detailed Tracking | PNP Activity | No Auditing | Success | Success |
| Audit Policy | Detailed Tracking | Process Creation | No Auditing | Success | Success |
| Audit Policy | Logon/Logoff | Account Lockout | Success | Success and Failure | Success and Failure |
| Audit Policy | Logon/Logoff | Group Membership | No Auditing | Success | Success |
| Audit Policy | Policy Change | Audit Policy Change | Success | Success and Failure | Success and Failure |
| Audit Policy | Policy Change | Authorization Policy Change | No Auditing | Success | Success |
| Audit Policy | Privilege Use | Sensitive Privilege Use | No Auditing | Success and Failure | Success and Failure |
| Audit Policy | System | IPsec Driver | No Auditing | Success and Failure | Success and Failure |
| Audit Policy | System | Security State Change | Success | Success and Failure | Success and Failure |
| Audit Policy | System | Security System Extension | No Auditing | Success and Failure | Success and Failure |
| HKLM | Software\Microsoft\Windows NT\CurrentVersion\Winlogon | AllocateDASD | - | 0 | 0 |
| HKLM | Software\Microsoft\Windows NT\CurrentVersion\Winlogon | CachedLogonsCount | 10 | 0 | 0 |
| HKLM | Software\Microsoft\Windows NT\CurrentVersion\Winlogon | PasswordExpiryWarning | 5 | 14 | 14 |
| HKLM | Software\Microsoft\Windows NT\CurrentVersion\Winlogon | ScRemoveOption | 0 | 1 | 1 |
| HKLM | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoAutorun | - | 1 | 1 |
| HKLM | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoDriveTypeAutoRun | - | 255 | 255 |
| HKLM | Software\Microsoft\Windows\CurrentVersion\Policies\System | DontDisplayLastUserName | 0 | 1 | 1 |
| HKLM | Software\Microsoft\Windows\CurrentVersion\Policies\System | FilterAdministratorToken | - | - | 0 |
| HKLM | Software\Microsoft\Windows\CurrentVersion\Policies\System | InactivityTimeoutSecs | - | 900 | 900 |
| HKLM | Software\Microsoft\Windows\CurrentVersion\Policies\System | MaxDevicePasswordFailedAttempts | - | 10 | 10 |
| HKLM | Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit | ProcessCreationIncludeCmdLine_Enabled | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Internet Explorer\Feeds | DisableEnclosureDownload | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode | Enable | - | | |
| HKLM | Software\Policies\Microsoft\SystemCertificates\AuthRoot | DisableRootAutoUpdate | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows NT\MitigationOptions | MitigationOptions_FontBocking | - | 1E+12 | 1E+12 |
| HKLM | Software\Policies\Microsoft\Windows NT\Printers | DisableWebPnPDownload | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows NT\Rpc | RestrictRemoteClients | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows NT\Terminal Services | AuthenticationLevel | - | 2 | 2 |
| HKLM | Software\Policies\Microsoft\Windows NT\Terminal Services | DisablePasswordSaving | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows NT\Terminal Services | fDisableCpm | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows NT\Terminal Services | fEncryptRPCTraffic | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows NT\Terminal Services | fPromptForPassword | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows NT\Terminal Services | MinEncryptionLevel | - | 3 | 3 |
| HKLM | Software\Policies\Microsoft\Windows NT\Terminal Services | SecurityLayer | - | 2 | 2 |
| HKLM | Software\Policies\Microsoft\Windows NT\Terminal Services | UserAuthentication | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows\AppCompat | DisableInventory | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows\DataCollection | AllowTelemetry | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows\EventLog\Application | AutoBackupLogFiles | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\EventLog\Application | MaxSize | - | 32768 | 32768 |
| HKLM | Software\Policies\Microsoft\Windows\EventLog\Application | Retention | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\EventLog\Security | AutoBackupLogFiles | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\EventLog\Security | MaxSize | - | 196608 | 196608 |
| HKLM | Software\Policies\Microsoft\Windows\EventLog\Security | Retention | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\EventLog\Setup | AutoBackupLogFiles | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\EventLog\System | AutoBackupLogFiles | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\EventLog\System | MaxSize | - | 32768 | 32768 |
| HKLM | Software\Policies\Microsoft\Windows\EventLog\System | Retention | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\Explorer | NoAutoplayfornonVolume | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows\Explorer | NoHeapTerminationOnCorruption | - | 0 | 0 |
| HKLM | `Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}` | NoBackgroundPolicy | - | 0 | 0 |
| HKLM | `Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}` | NoGPOListChanges | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\Installer | AlwaysInstallElevated | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\Installer | EnableUserControl | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\LanmanWorkstation | AllowInsecureGuestAuth | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths | `\\*\NETLOGON` | - | RequireIntegrity=1, RequireMutualAuthentication=1 | RequireIntegrity=1, RequireMutualAuthentication=1 |
| HKLM | Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths | `\\*\SYSVOL` | - | RequireIntegrity=1, RequireMutualAuthentication=1 | RequireIntegrity=1, RequireMutualAuthentication=1 |
| HKLM | Software\Policies\Microsoft\Windows\Personalization | NoLockScreenSlideshow | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows\PowerShell | EnableScripts | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows\PowerShell | ExecutionPolicy | - | Unrestricted | Unrestricted |
| HKLM | Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging | EnableScriptBlockLogging | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows\SettingSync | DisableSettingSync | - | 2 | 2 |
| HKLM | Software\Policies\Microsoft\Windows\SettingSync | DisableSettingSyncUserOverride | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows\System | DontDisplayNetworkSelectionUI | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\Windows\System | EnableSmartScreen | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\System | EnumerateLocalUsers | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | 6to4_State | - | Disabled | Disabled |
| HKLM | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | ISATAP_State | - | Disabled | Disabled |
| HKLM | Software\Policies\Microsoft\Windows\TCPIP\v6Transition | Teredo_State | - | Disabled | Disabled |
| HKLM | Software\Policies\Microsoft\Windows\Windows Search | AllowCortana | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\Windows Search | AllowIndexingEncryptedStoresOrItems | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\WinRM\Client | AllowUnencryptedTraffic | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\Windows\WinRM\Service | DisableRunAs | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall | PolicyVersion | - | 541 | 541 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\DomainProfile | AllowLocalIPsecPolicyMerge | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\DomainProfile | AllowLocalPolicyMerge | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\DomainProfile | DefaultInboundAction | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\DomainProfile | DefaultOutboundAction | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\DomainProfile | DisableNotifications | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\DomainProfile | DisableUnicastResponsesToMulticastBroadcast | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\DomainProfile | EnableFirewall | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging | LogDroppedPackets | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging | LogFileSize | - | 4096 | 4096 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\FirewallRules | FPS-ICMP4-ERQ-In | - | `v2.20\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=1\|ICMP4=8:*\|Name=@FirewallAPI.dll,-28543\|Desc=@FirewallAPI.dll,-28547\|EmbedCtxt=@FirewallAPI.dll,-28502\|` | `v2.20\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=1\|ICMP4=8:*\|Name=@FirewallAPI.dll,-28543\|Desc=@FirewallAPI.dll,-28547\|EmbedCtxt=@FirewallAPI.dll,-28502\|` |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\FirewallRules | FPS-ICMP6-ERQ-In | - | `v2.20\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=58\|ICMP6=128:*\|Name=@FirewallAPI.dll,-28545\|Desc=@FirewallAPI.dll,-28547\|EmbedCtxt=@FirewallAPI.dll,-28502\|` | `v2.20\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=58\|ICMP6=128:*\|Name=@FirewallAPI.dll,-28545\|Desc=@FirewallAPI.dll,-28547\|EmbedCtxt=@FirewallAPI.dll,-28502\|` |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\FirewallRules | RemoteDesktop-Shadow-In-TCP | - | `v2.20\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=6\|App=%SystemRoot%\system32\RdpSa.exe\|Name=@FirewallAPI.dll,-28778\|Desc=@FirewallAPI.dll,-28779\|EmbedCtxt=@FirewallAPI.dll,-28752\|Edge=TRUE\|Defer=App\|` | `v2.20\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=6\|App=%SystemRoot%\system32\RdpSa.exe\|Name=@FirewallAPI.dll,-28778\|Desc=@FirewallAPI.dll,-28779\|EmbedCtxt=@FirewallAPI.dll,-28752\|Edge=TRUE\|Defer=App\|` |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\FirewallRules | RemoteDesktop-UserMode-In-TCP | - | `v2.20\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=6\|LPort=3389\|App=%SystemRoot%\system32\svchost.exe\|Svc=termservice\|Name=@FirewallAPI.dll,-28775\|Desc=@FirewallAPI.dll,-28756\|EmbedCtxt=@FirewallAPI.dll,-28752\|` | `v2.20\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=6\|LPort=3389\|App=%SystemRoot%\system32\svchost.exe\|Svc=termservice\|Name=@FirewallAPI.dll,-28775\|Desc=@FirewallAPI.dll,-28756\|EmbedCtxt=@FirewallAPI.dll,-28752\|` |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\FirewallRules | RemoteDesktop-UserMode-In-UDP | - | `v2.20\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=17\|LPort=3389\|App=%SystemRoot%\system32\svchost.exe\|Svc=termservice\|Name=@FirewallAPI.dll,-28776\|Desc=@FirewallAPI.dll,-28777\|EmbedCtxt=@FirewallAPI.dll,-28752\|` | `v2.20\|Action=Allow\|Active=TRUE\|Dir=In\|Protocol=17\|LPort=3389\|App=%SystemRoot%\system32\svchost.exe\|Svc=termservice\|Name=@FirewallAPI.dll,-28776\|Desc=@FirewallAPI.dll,-28777\|EmbedCtxt=@FirewallAPI.dll,-28752\|` |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PrivateProfile | AllowLocalIPsecPolicyMerge | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PrivateProfile | AllowLocalPolicyMerge | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PrivateProfile | DefaultInboundAction | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PrivateProfile | DefaultOutboundAction | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PrivateProfile | DisableNotifications | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PrivateProfile | DisableUnicastResponsesToMulticastBroadcast | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PrivateProfile | EnableFirewall | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging | LogDroppedPackets | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging | LogFileSize | - | 4096 | 4096 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PublicProfile | AllowLocalIPsecPolicyMerge | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PublicProfile | AllowLocalPolicyMerge | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PublicProfile | DefaultInboundAction | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PublicProfile | DefaultOutboundAction | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PublicProfile | DisableNotifications | - | 0 | 0 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PublicProfile | DisableUnicastResponsesToMulticastBroadcast | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PublicProfile | EnableFirewall | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging | LogDroppedPackets | - | 1 | 1 |
| HKLM | Software\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging | LogFileSize | - | 4096 | 4096 |
| HKLM | System\CurrentControlSet\Control\Lsa | FullPrivilegeAuditing | 00 | 0 | 0 |
| HKLM | System\CurrentControlSet\Control\Lsa | LmCompatibilityLevel | - | 5 | 5 |
| HKLM | System\CurrentControlSet\Control\Lsa | RestrictAnonymous | 0 | 1 | 1 |
| HKLM | System\CurrentControlSet\Control\Lsa | SCENoApplyLegacyAuditPolicy | - | 1 | 1 |
| HKLM | System\CurrentControlSet\Control\Lsa | UseMachineId | - | 1 | 1 |
| HKLM | System\CurrentControlSet\Control\Lsa\MSV1_0 | allownullsessionfallback | - | 0 | 0 |
| HKLM | System\CurrentControlSet\Control\Lsa\MSV1_0 | NTLMMinClientSec | 536870912 | 537395200 | 537395200 |
| HKLM | SYSTEM\CurrentControlSet\Control\Print\Providers | EventLog | 3 | - | 1 |
| HKLM | SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest | UseLogonCredential | - | 1 | 1 |
| HKLM | SYSTEM\CurrentControlSet\Policies\EarlyLaunch | DriverLoadPolicy | - | 1 | 1 |
| HKLM | System\CurrentControlSet\Services\LanManServer\Parameters | enablesecuritysignature | 0 | 1 | 1 |
| HKLM | System\CurrentControlSet\Services\LanManServer\Parameters | NullSessionPipes | - | - | |
| HKLM | System\CurrentControlSet\Services\LanManServer\Parameters | requiresecuritysignature | 0 | 1 | 1 |
| HKLM | System\CurrentControlSet\Services\LanmanWorkstation\Parameters | RequireSecuritySignature | 0 | 1 | 1 |
| HKLM | SYSTEM\CurrentControlSet\Services\Netbt\Parameters | NoNameReleaseOnDemand | - | 1 | 1 |
| HKLM | SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | DisableIPSourceRouting | - | 2 | 2 |
| HKLM | SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | EnableICMPRedirect | 1 | 0 | 0 |
| HKLM | SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters | DisableIPSourceRouting | - | 2 | 2 |
| Security Template | Event Audit | AuditSystemEvents | 0 | 3 | 3 |
| Security Template | Privilege Rights | SeBackupPrivilege | *S-1-5-32-544, *S-1-5-32-551 | *S-1-5-32-544 | *S-1-5-32-544 |
| Security Template | Privilege Rights | SeChangeNotifyPrivilege | *S-1-1-0, *S-1-5-19, *S-1-5-20, *S-1-5-32-544, *S-1-5-32-545, *S-1-5-32-551 | *S-1-5-11, *S-1-5-19, *S-1-5-20, *S-1-5-32-544, *S-1-5-32-551 | *S-1-5-11, *S-1-5-19, *S-1-5-20, *S-1-5-32-544, *S-1-5-32-551 |
| Security Template | Privilege Rights | SeDenyBatchLogonRight | (empty) | *S-1-5-32-546 | *S-1-5-32-546 |
| Security Template | Privilege Rights | SeDenyInteractiveLogonRight | (empty) | *S-1-5-32-546 | *S-1-5-32-546 |
| Security Template | Privilege Rights | SeDenyNetworkLogonRight | (empty) | *S-1-5-32-546 | *S-1-5-32-546 |
| Security Template | Privilege Rights | SeDenyRemoteInteractiveLogonRight | (empty) | *S-1-5-32-546 | *S-1-5-32-546 |
| Security Template | Privilege Rights | SeIncreaseBasePriorityPrivilege | *S-1-5-32-544, *S-1-5-90-0 | - | *S-1-5-32-544 |
| Security Template | Privilege Rights | SeIncreaseWorkingSetPrivilege | *S-1-5-32-545 | *S-1-5-19, *S-1-5-32-544 | *S-1-5-19, *S-1-5-32-544 |
| Security Template | Privilege Rights | SeInteractiveLogonRight | *S-1-5-32-544, *S-1-5-32-545, *S-1-5-32-551 | *S-1-5-32-544 | *S-1-5-32-544 |
| Security Template | Privilege Rights | SeNetworkLogonRight | *S-1-1-0, *S-1-5-32-544, *S-1-5-32-545, *S-1-5-32-551 | *S-1-5-11, *S-1-5-32-544 | *S-1-5-11, *S-1-5-32-544 |
| Security Template | Privilege Rights | SeRestorePrivilege | *S-1-5-32-544, *S-1-5-32-551 | *S-1-5-32-544 | *S-1-5-32-544 |
| Security Template | Privilege Rights | SeShutdownPrivilege | *S-1-5-32-544, *S-1-5-32-551 | *S-1-5-32-544 | *S-1-5-32-544 |
| Security Template | Privilege Rights | SeSystemTimePrivilege | - | *S-1-5-19, *S-1-5-32-544 | *S-1-5-19, *S-1-5-32-544 |
| Security Template | System Access | ForceLogoffWhenHourExpire | 0 | 1 | 1 |
| Security Template | System Access | LockoutBadCount | 0 | 5 | 5 |
| Security Template | System Access | LockoutDuration | - | 5 | 5 |
| Security Template | System Access | MinimumPasswordLength | 0 | 14 | 14 |
| Security Template | System Access | ResetLockoutCount | - | 5 | 5 |