Hardening GPO

    Question

  • Hi all, 

    I would like to know what kind of impact do these policies have on applications?

    1) User Configuration\Administrative Templates\Windows Components\Attachment Manager\Hide mechanisms to remove zone information (set to 'Enabled')

    2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies

    3) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously

    4) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: NTLM authentication in this domain

    5) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares

    6) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status

    7) Computer Configuration\Administrative Templates\System\Group Policy\Registry policy processing

    8) Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Set client connection encryption level

    Thanks

    Ching An



    Thursday, January 19, 2017 7:23 AM

All replies

  • Hi,

    All the description of these policies could be found in the official articles:

    Hide mechanisms to remove zone information

    This policy setting lets you manage whether users can manually remove the zone information from saved file attachments by clicking Unblock on the file's Properties tab or by clicking to select a check box in the Security Warning dialog box. Removing the zone information lets users open potentially dangerous file attachments that Windows has blocked users from opening. If you enable this policy setting, Windows hides the check box and the Unblock button. If you disable this policy setting, Windows shows the check box and the Unblock button. If you do not configure this policy setting, Windows shows the check box and the Unblock button.

    System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies

    This policy setting determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. This security setting enables or disables certificate rules (which are a type of software restriction policy). With a software restriction policy, you can create a certificate rule that allows or disallows Microsoft Authenticode-signed software to run, based on the digital certificate that is associated with the software. For certificate rules to work in software restriction policies, you must enable this security setting.

    Network access: Named Pipes that can be accessed anonymously

    This policy setting determines which communication sessions, or pipes, have attributes and permissions that allow anonymous access.

    Restricting access over named pipes such as COMNAP and LOCATOR helps prevent unauthorized access to the network.

    Network Security: Restrict NTLM: NTLM authentication in this domain

    This policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy setting does not affect interactive logon to this domain controller.

    Network access: Do not allow anonymous enumeration of SAM accounts and shares

    This policy setting determines which additional permissions will be assigned for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to give access to users in a trusted domain that does not maintain a reciprocal trust. However, even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, ANONYMOUS LOGON.

    This policy setting has no impact on domain controllers.

    Misuse of this policy setting is a common error that can cause data loss or problems with data access or security.

    Registry policy processing

    Determines when registry policies are updated.

    This policy affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed.

    Set client connection encryption level

    Specifies whether to require the use of a specific encryption level to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, January 20, 2017 2:58 AM
    Moderator
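The descriptions above say what each policy does but not how to see what it has actually done to a given machine, which is the first thing to check when an application misbehaves after hardening. The following PowerShell script is an added example, not code from this thread or from Microsoft: it reads the registry values the eight policies write and compares them with an assumed baseline. The registry paths and value names are the ones the policies set; the "Expected" values, the baseline they represent, and the function names (Get-PolicyValue, Test-Policy, Test-BuiltinAdministrator) are my assumptions and should be adjusted to your own standard.

```powershell
# Added example (not from the thread, not Microsoft's code).
# Audits the effective state of the eight policies by reading the registry
# values they write and comparing them with an ASSUMED hardening baseline.
# Run elevated, as the user whose GPO you are testing, after 'gpupdate /force'.
# Requires Windows PowerShell 5.1 or later.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing key or value means the policy is "Not Configured".
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Expected values are assumptions typical of a hardening baseline.
$checks = @(
    @{ Policy='Hide mechanisms to remove zone information'
       Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'
       Name='HideZoneInfoFromProperties'; Expected=1 }
    @{ Policy='Use Certificate Rules on Windows Executables for SRP'
       Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
       Name='AuthenticodeEnabled'; Expected=1 }
    @{ Policy='Named Pipes that can be accessed anonymously'
       Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
       Name='NullSessionPipes'; Expected=@() }     # empty unless an app needs a pipe
    @{ Policy='Restrict NTLM: NTLM authentication in this domain'
       Path='HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name='RestrictNTLMInDomain'; Expected=7 }   # 7 = Deny all; only meaningful on a DC
    @{ Policy='Do not allow anonymous enumeration of SAM accounts and shares'
       Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name='RestrictAnonymous'; Expected=1 }
    @{ Policy='Registry policy processing: process even if GPOs have not changed'
       Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
       Name='NoGPOListChanges'; Expected=0 }       # 0 = re-apply on every refresh
    @{ Policy='Set client connection encryption level'
       Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
       Name='MinEncryptionLevel'; Expected=3 }     # 1 Low, 2 Client Compatible, 3 High, 4 FIPS
)

function Test-Policy {
    param([hashtable]$Check)
    $actual = Get-PolicyValue -Path $Check.Path -Name $Check.Name
    # Join sorted arrays so a MULTI_SZ (NullSessionPipes) compares like a scalar.
    $got  = (@($actual)         | Sort-Object) -join '|'
    $want = (@($Check.Expected) | Sort-Object) -join '|'
    $status = if ($null -eq $actual) { 'NOT CONFIGURED' }
              elseif ($got -eq $want) { 'OK' }
              else { 'DEVIATES' }
    [pscustomobject]@{
        Policy   = $Check.Policy
        Actual   = (@($actual) -join ', ')
        Expected = (@($Check.Expected) -join ', ')
        Status   = $status
    }
}

function Test-BuiltinAdministrator {
    # 'Accounts: Administrator account status' is not a registry value; it is the
    # enabled state of the built-in account with RID 500 (renaming does not change it).
    # On a domain controller drop the LocalAccount filter.
    $admin = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
             Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    $actual = if (-not $admin) { 'NOT FOUND' } elseif ($admin.Disabled) { 'Disabled' } else { 'Enabled' }
    [pscustomobject]@{
        Policy   = 'Accounts: Administrator account status'
        Actual   = $actual
        Expected = 'Disabled'   # assumption: baseline disables the built-in account
        Status   = if ($actual -eq 'Disabled') { 'OK' } else { 'DEVIATES' }
    }
}

$report = @($checks | ForEach-Object { Test-Policy $_ }) + @(Test-BuiltinAdministrator)
$report | Format-Table -AutoSize
```

Two caveats when reading the report. HideZoneInfoFromProperties lives under HKCU, so the check only reflects the logged-on user's policy; it also only hides the Unblock controls in Explorer and does not remove a file's Zone.Identifier stream, which scripts can still read with `Get-Item -Path <file> -Stream Zone.Identifier`. NullSessionPipes is the setting most likely to break an application: if a service depends on an anonymous pipe, add that pipe name to the list in the GPO rather than reverting the policy, and re-run the audit to confirm the list contains only what you intended.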
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang


    Monday, January 23, 2017 10:54 AM
    Moderator