SECURITY AUDIT CHECKLIST FOR WINDOWS ACTIVE DIRECTORY

Transcription

1

2 SL.NO POLICY NAME AUDIT STEPS DEFAULT VALUE OBSERVED VALUE 1 Password Policy 24 passwords Settings\Account Policies\Password Policy\Enforce remembered password hisry 2 Set 'Maximum password age' 60 or fewer days, but not 0 3 Set 'Minimum password age' '1 or more day Type gpedit.msc in run terminal (Shortcut) Settings\Account Policies\Password Policy\Maximum password age Settings\Account Policies\Password Policy\Minimum password age RECOMMENDED Set the following 24 or more password(s). 42 days Set the following 60 or fewer days, but not 0. 0 days Set the following 1 or more day(s). 4 Set 'Minimum password length' '14 or more character 5 Set 'Password must meet complexity requirements' '' 6 Set 'Sre passwords using reversible encryption' Settings\Account Policies\Password Policy\Minimum password length Settings\Account Policies\Password Policy\Password must meet complexity requirements Settings\Account Policies\Password Policy\Sre 0 Characters Set the following 14 or more character(s). Set the following. Set the following Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 1

3 '' passwords using reversible encryption. 7 Set 'Account lockout duration' '15 or more minutes 8 Set 'Account lockout threshold' 10 or fewer invalid logon attempt(s), but not 0 9 Set 'Reset account lockout counter after' '15 or more minute 10 Set 'Access Credential Manager as a trusted caller' 'No One' 11 Set 'Access this computer from the network' 12 Set 'Act as part of the operating system' 'No Settings\Account Policies\Account Lockout Policy\Account lockout duration Settings\Account Policies\Account Lockout Policy\Account lockout threshold Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after Assignment\Access Credential Manager as a trusted caller Assignment\Access this computer from the network Not Defined Set the following 15 or more minute(s). 0 invalid logon attempts Setting this policy 0 does not conform with the benchmark as doing so disables the account lockout threshold 0 Set the following 15 or more minute(s). No one Set the following No One. Everyone, Administrars, Users, Backup Operars No one Set the following Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 2

4 One' Assignment\Act as part of the operating system No One. 13 Set 'Add workstations domain' 'Administrars' Assignment\Add workstations domain Not defined (Authenticated Users for domain controllers) Set the following Administrars. 14 Set 'Adjust memory quotas for a process' 'Administrars, LOCAL SERVICE, NETWORK SERVICE' 15 Set 'Allow log on locally' 'Administrars' Assignment\Adjust memory quotas for a process Assignment\Allow log on locally Administrars, LOCAL SERVICE, NETWORK SERVICE Administrars, Users, Backup Operars Set the following Administrars, LOCAL SERVICE, NETWORK SERVICE Set the following Administrars. 16 Configure 'Allow log on through Remote Deskp Services' Assignment\Allow log on through Remote Deskp Services Administrars, Remote Deskp Users Set the following as described in the description. 17 Set 'Back up files and direcries' 'Administrars' Assignment\Back up files and direcries Administrars, Backup Operars Set the following Administrars. 18 Set 'Change the system time' 'Administrars, LOCAL SERVICE' Assignment\Change the system time Administrars, LOCAL SERVICE Set the following Administrars, LOCAL SERVICE. 19 Set 'Change the time zone' Administrars, LOCAL Set the following Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 3

5 'Administrars, LOCAL SERVICE' Assignment\Change the time zone SERVICE Administrars, LOCAL SERVICE. 20 Set 'Create a pagefile' 'Administrars' 21 Set 'Create a ken object' 'No One' Assignment\Create a pagefile Assignment\Create a ken object Administrars Set the following Administrars. No one Set the following No One. 22 Set 'Create global objects' 'Administrars, LOCAL SERVICE, NETWORK SERVICE, SERVICE' Assignment\Create global objects Administrars, LOCAL SERVICE, NETWORK SERVICE, SERVICE Administrars, LOCAL SERVICE, NETWORK SERVICE, SERVICE. 23 Set 'Create permanent shared objects' 'No One' 24 Set 'Create symbolic links' 'Administrars' Assignment\Create permanent shared objects Assignment\Create symbolic links No one No One. Administrars Set the following Administrars. Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 4

6 25 Set 'Debug programs' 'Administrars' Assignment\Debug programs Administrars Administrars. 26 Set 'Deny access this computer from the network' Assignment\Deny access this computer from the network Guests 27 Set 'Deny log on as a batch job' include 'Guests' Assignment\Deny log on as a batch job Guests No one 28 Set 'Deny log on as a service' include 'Guests' Assignment\Deny log on as a service No one Guests 29 Set 'Deny log on locally' include 'Guests' Assignment\Deny log on locally Guests Set the following include: Guests. 30 Set 'Deny log on through Remote Deskp Services' include 'Guests, Local account' Assignment\Deny log on through Remote Deskp Services No one Set the following UI path include Guests, Local account. 31 Set 'Enable computer and user accounts be trusted for delegation Assignment\Enable computer and user accounts No one Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 5

7 be trusted for delegation 32 Set 'Force shutdown from a remote system' 'Administrars' Assignment\Force shutdown from a remote system Administrars Administrars 33 Set 'Generate security audits' 'LOCAL SERVICE, NETWORK SERVICE' Assignment\Generate security audits LOCAL SERVICE, NETWORK SERVICE 34 Set 'Impersonate a client after authentication' 'Administrars, LOCAL SERVICE, NETWORK SERVICE, SERVICE Assignment\Impersonate a client after authentication Administrars, LOCAL SERVICE, NETWORK SERVICE, SERVICE LOCAL SERVICE, NETWORK SERVICE. Set the following Administrars, LOCAL SERVICE, NETWORK SERVICE, SERVICE. 35 Set 'Increase scheduling priority' 'Administrars' Assignment\Increase scheduling priority Administrars Administrars 36 Set 'Load and unload device drivers' 'Administrars' Assignment\Load and unload device drivers Administrars Administrars Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 6

8 37 Set 'Lock pages in memory' 'No One' Assignment\Lock pages in memory No one No one 38 'Manage auditing and security log' 'Administrars' 39 Set 'Modify firmware environment values' 'Administrars' Assignment\Manage auditing and security log Assignment\Modify firmware environment values Administrars Administrars Administrars Administrars. 40 Set 'Perform volume maintenance tasks' 'Administrars' Assignment\Perform volume maintenance tasks Administrars configuration state, set the following Group Policy setting Administrars. Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 7

9 41 Set 'Resre files and direcries' 'Administrars' Assignment\Resre files and direcries Administrars, Backup Operars configuration state, set the following Group Policy setting Administrars. 42 Set 'Shut down the system' 'Administrars' Assignment\Shut down the system Administrars, Backup Operars configuration state, set the following Group Policy setting Administrars. 43 Set 'Synchronize direcry service data' 'No One' Assignment\Synchronize direcry service data Not defined configuration state, set the following Group Policy setting No One. 44 Set 'Take ownership of files or other objects' Administrars Administrars Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 8

10 'Administrars' Assignment\Take ownership of files or other objects 45 Set 'Accounts: Guest account status' '' Settings\Local Policies\Security Options\Accounts: Guest account status 46 Configure 'Accounts: Rename administrar account' Settings\Local Policies\Security Options\Accounts: Rename administrar account Administrar Administrar 47 Configure 'Accounts: Rename guest account' Settings\Local Policies\Security Options\Accounts: Rename guest account Guest Guest 48 Set 'Audit: Shut down system immediately if unable log security audits' '' This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\ Control\Lsa\crashonauditfail Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable log security audits 49 Set 'Devices: Allowed format and eject removable media' 'Administrars' This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windo wsnt\currentversion\winlogon\allocatedasd Administrars Administrars Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 9

11 50 Set 'Domain controller: LDAP server signing requirements' 'Require signing' This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\ Services\NTDS\Parameters\ldapserverintegrity Not defined Not defined Settings\Local Policies\Security Options\Domain controller: LDAP server signing requirements 51 Set 'Domain controller: Refuse machine account password changes' '' This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\System\CurrentCont rolset\services\netlogon\parameters\refuse PasswordChange Not Defined configuration state, set the following Group Policy setting. 52 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' '' This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\System\CurrentCont rolset\services\netlogon\parameters\requir esignorsea l Configuration\Windows Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 10

12 Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always) 53 Set 'Domain member: Maximum machine account password age' 30 or fewer days, but not 0 Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age 30 Days 30 Days or fewer 54 Set 'Domain member: Require strong (Windows 2000 or later) session key' '' HKEY_LOCAL_MACHINE\System\CurrentCont rolset\services\netlogon\parameters\requir estrongkey Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Require strong (Windows 2000 or later) session key 55 Set 'Interactive logon: Do not require CTRL+ALT+DEL' '' HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows\CurrentVersion\Policies\System\Di sablecad Settings\Security Policies\Security Configuration\Windows Settings\Local Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 11

13 Options\Interactive logon: Do not require CTRL+ALT+DEL 56 Set 'Interactive logon: Machine inactivity limit' 900 or fewer second(s), but not 0 HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows\CurrentVersion\Policies\System\In activitytimeoutsecs Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine inactivity limit Not Defined 900 Seconds 57 Set 'Interactive logon: Prompt user change password before expiration' 'between 5 and 14 days' HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows NT\CurrentVersion\Winlogon\scremoveoptio n Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior No Action configuration state, set the following Group Policy setting Lock Workstation. 58 Set 'Microsoft network client: Send unencrypted password third- party SMB servers' '' HKEY_LOCAL_MACHINE\System\CurrentCont rolset\services\lanmanworkstation\parame ters\enableplaintextpassword Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 12

14 Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password third-party SMB servers 59 Enable Aumatic Logon '' HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows NT\CurrentVersion\Winlogon\AuAdminLog on Not Defined Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (AuAdminLogon) Enable Aumatic Logon (not ) 60 IP source routing protection level HKEY_LOCAL_MACHINE\System\CurrentCont rolset\services\tcpip6\parameters\disableip SourceRouting Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against Not Defined Set the following UI path Highest protection, source routing is Completely disabled Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 13

15 packet spoofing) 61 The time in seconds before the screen saver grace period expires HKEY_LOCAL_MACHINE\Software\Microsoft\ WindowsNT\CurrentVersion\Winlogon\Scree nsavergraceperiod Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 ) 5 Seconds 5 Seconds 62 Set 'Network access: Do not allow anonymous enumeration of SAM accounts' '' HKEY_LOCAL_MACHINE\System\CurrentControlSe t\control\lsa\restrictanonymoussam Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts 63 Set 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' '' HKEY_LOCAL_MACHINE\System\CurrentControlSet\ Control\Lsa\RestrictAnonymous Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 14

16 64 Set 'Network access: Let Everyone permissions apply anonymous users' '' HKEY_LOCAL_MACHINE\System\CurrentControlSet\ Control\Lsa\EveryoneIncludesAnonymous Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply anonymous users 65 Set 'Network access: Shares that can be accessed anonymously' 'None' 66 Set 'Network Security: Configure encryption types allowed for Kerberos' 'RC4\AES128\AES256\Futur e types' Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously Settings\Local Policies\Security Options\Network Security: Configure encryption types allowed for Kerberos Not Defined To establish the configuration via GP, set the following UI path :None Not Defined To establish the configuration via GP, set the following UI path RC4\AES128\AES25 6\Future types. 67 Set 'Network security: Do not sre LAN Manager hash value on next password change' Settings\Local Policies\Security Options\Network security: Do not sre LAN Manager hash value on next password change Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 15

17 '' 68 Set 'Network security: Force logoff when logon hours expire' '' Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire 69 Set 'Recovery console: Allow aumatic administrative logon' '' Settings\Local Policies\Security Options\Recovery console: Allow aumatic administrative logon 70 Set 'Recovery console: Allow floppy copy and access all drives and all folders' '' Settings\Local Policies\Security Options\Recovery console: Allow floppy copy and access all drives and all folders 71 Set 'Shutdown: Allow system be shut down without having log on' '' 72 Set 'User Account Control: Switch the secure deskp when prompting for elevation' '' Settings\Local Policies\Security Options\Shutdown: Allow system be shut down without having log on Settings\Local Policies\Security Options\User Account Control: Switch the secure deskp when prompting for elevation 73 Set 'Windows Firewall: Domain: Firewall state' 'On Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Firewall state ON ON Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 16

18 74 Set 'Windows Firewall: Domain: Inbound connections' 'Block (default)' Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Inbound connections Block Block 75 Set 'Windows Firewall: Domain: Outbound connections' 'Allow (default)' Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Outbound connections Allow Allow 76 Set 'Windows Firewall: Domain: Display a notification' 'Yes (default)' Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Display a notification Yes Yes 77 Set 'Windows Firewall: Domain: Allow unicast response' 'No' Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Allow unicast response Yes NO 78 Set 'Windows Firewall: Yes Yes Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 17

19 Domain: Apply local firewall rules' 'Yes 79 Set 'Windows Firewall: Domain: Logging: Size limit (KB)' '16,384 KB or greater ' 80 Set 'Windows Firewall: Domain: Logging: Log dropped packets' 'Yes' 81 Set 'Windows Firewall: Domain: Logging: Log successful connections' 'Yes' Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Apply local firewall rules Security\Windows Firewall Properties\Domain Profile\Logging\Windows Firewall: Domain: Logging: Size limit (KB) Security\Windows Firewall Properties\Domain Profile\Logging\Windows Firewall: Domain: Logging: Log dropped packets Security\Windows Firewall Properties\Domain Profile\Logging\Windows Firewall: Domain: Logging: Log successful connections Not Configured To 16,384 KB or greater Not Configured To establish the configuration via GP, set the following UI path Yes. Not Configured To establish the configuration via GP, set the following UI path Yes. 82 Set 'Windows Firewall: On To establish the Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 18

20 Private: Firewall state' 'On 83 Set 'Windows Firewall: Private: Inbound connections' 'Block 84 Set 'Windows Firewall: Private: Logging: Size limit (KB)' '16,384 KB or greater' 85 Set 'Windows Firewall: Public: Firewall state' 'On Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Firewall state Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Inbound connections Security\Windows Firewall Properties\Private Profile\Logging\Windows Firewall: Private: Logging: Size limit (KB) Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Firewall state configuration via GP, set the following UI path On () Block To establish the configuration via GP, set the following UI path Block (default). Not configured To establish the configuration via GP, set the following UI path 16,384 KB or greater ON To establish the configuration via GP, set the following UI path On Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 19

21 86 Set 'Windows Firewall: Public: Inbound connections' 'Block (default)' 87 Set 'Windows Firewall: Public: Outbound connections' 'Allow 88 Set 'Windows Firewall: Public: Logging: Size limit (KB)' '16,384 KB or greater' 89 Set 'Audit Credential Validation' 'Success and Failure' Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Inbound connections Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Outbound connections Security\Windows Firewall Properties\Public Profile\Logging\Windows Firewall: Public: Logging: Size limit (KB) Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon\Audit Policy: Account (Recommended). Block To establish the configuration via GP, set the following UI path Block (Default). Allow To establish the configuration via GP, set the following UI path Allow (default). Not Configured To establish the configuration via GP, set the following UI path 16,384 KB or greater No Auditing Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 20

22 Logon: Credential Validation Success and Failure. 90 Set 'Audit Account Management' 'Success and Failure' 91 Set 'Audit Other Account Management Events' 'Success and Failure' 92 Set 'Audit Security Group Management' 'Success and Failure' 93 Set 'Audit Process Creation' 'Success' Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit Policy: Account Management: Account Management Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit Policy: Account Management: Other Account Management Events Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit Policy: Account Management: Security Group Management Settings\Advanced Audit Policy Configuration\Audit Policies\Detailed Tracking\Audit Policy: Detailed Tracking: Process Creation Success No Auditing Success No Auditing Success and Failure Success and Failure. Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 21

23 94 Set 'Audit Direcry Service Access' 'Success and Failure' Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Policy: DS Access: Direcry Service Access No Auditing Success 95 Set 'Audit Direcry Service Changes' 'Success and Failure' Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Policy: DS Access: Direcry Service Changes No Auditing Success and Failure 96 Set 'Audit Account Lockout' 'Success' Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: Account Lockout Success Success and Failure Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 22

24 97 Set 'Audit Logoff' 'Success' 98 Set 'Audit Logon' 'Success and Failure' Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: Logoff Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: Logon Success Success Success Success. 99 Set 'Audit Other Logon/Logoff Events' 'Success and Failure' Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: Other Logon/Logoff Events No Auditing Success and Failure Success Failure and Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 23

25 100 Set 'Audit Special Logon' 'Success' Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Policy: Logon-Logoff: Special Logon Success 101 Set 'Audit Removable Srage' 'Success and Failure' Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Policy: Object Access: Removable Srage No Auditing Success 102 Set 'Audit Sensitive Privilege Use' 'Success and Failure' Settings\Advanced Audit Policy Configuration\Audit Policies\Privilege Use\Audit Policy: Privilege Use: Sensitive Privilege Use No Auditing Success and Failure Success and Failure 103 Set 'Audit IPSec Driver' No Auditing Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 24

26 'Success and Failure' Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Policy: System: IPSec Driver configuration state, set the following Group Policy setting 104 Set 'Turn off Auplay' ':All drives' Templates\Windows Components\AuPlay Policies\Turn off Auplay\Turn off Auplay Not Configured Success and Failure. configuration state, set the following Group Policy setting. 105 Set 'Default Protections for Internet Explorer' '' 106 Set 'Default Protections for Popular Software' '' 107 Set 'Application: Control Event Log behavior when the log file reaches its maximum size' '' 108 Set 'Security: Maximum Log Size (KB)' ':196,608 or greater' Templates\Windows Components\EMET\Default Protections for Internet Explorer Templates\Windows Components\EMET\Default Protections for Popular Explorer Templates\Windows Components\Event Log Service\Application\Control Event Log behavior when the log file reaches its maximum size Templates\Windows Components\Event Log Service\Security\Specify the maximum log file size 20,480 KB Set the Maximum Log Size (KB) option 196,608 Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 25

27 (KB)\Specify the maximum log file size (KB) or greater. 109 'Do not allow passwords be saved' '' 110 'Always prompt for password upon connection' '' 111 Set 'Allow unencrypted traffic' '' 112 Set 'Configure Aumatic Updates' '' 113 Set 'Configure Aumatic Updates: Scheduled install day' '0 - Every day' Templates\Windows Components\Remote Deskp Services\Remote Deskp Connection Client\Do not allow passwords be saved Templates\Windows Components\Remote Deskp Services\Remote Deskp Session Host\Security\Always prompt for password upon connection Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client\Allow unencrypted traffic Templates\Windows Components\Windows Update\Configure Aumatic Updates Templates\Windows Components\Windows Update\Configure Aumatic Updates: Scheduled install day Not Configured Not Configured Download the updates aumatically and notify when they are ready be installed Not Defined Disbaled To establish the configuration via GP, set the following UI path 0 - Every day. Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 26

28 114 Set 'No au-restart with logged on users for scheduled aumatic updates installations' '' 115 Set 'Reschedule Aumatic Updates scheduled installations' ':1 minute' 116 Set 'Enable screen saver' '' 117 Set 'Password protect the screen saver' '' 118 'Screen saver timeout' ':900 seconds or fewer ', but not Set 'Notify antivirus programs when opening attachments' '' Templates\Windows Components\Windows Update\No au-restart with logged on users for scheduled aumatic updates installations Templates\Windows Components\Windows Update\Reschedule Aumatic Updates scheduled installations User Templates\Control Panel\Personalization\Enable screen saver User Templates\Control Panel\Personalization\Password protect the screen saver User Templates\Control Panel\Personalization\Screen saver timeout User Templates\Windows Components\Attachment Manager\Notify antivirus programs when opening attachments Not Configured Not Configured Not Configured To establish the configuration via GP, set the following UI path :1 minute Copyright 2017, Centre For Development of Advanced Computing, Hyderabad Page 27

29