Updated Security Policy Settings for Windows Vista
This section provides the locations of the security settings that have changed from Windows XP in the local Group Policy object (GPO), their default values, and a discussion of the setting.
Audit: Audit the use of Backup and Restore privilege
Location
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
Discussion
This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy setting is enabled. Enabling this option when the Audit privilege use policy setting is also enabled generates an audit event for every file that is backed up or restored.
If you disable this policy, the use of the Backup or Restore privilege is not audited even when Audit privilege use is enabled.
Note
For Windows versions prior to Windows Vista, changes will not take effect until you restart the computer. Enabling this setting can cause a large number of events to be generated, sometimes hundreds per second, during a backup operation.
Default value
Disabled
Audit: Shut down system immediately if unable to log security audits
Location
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
Discussion
This security setting determines whether the system shuts down if it is unable to log security events.
If this security setting is enabled, it causes the system to stop if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the retention method that is specified for the security log is either Do Not Overwrite Events or Overwrite Events by Days.
If the security log is full and an existing entry cannot be overwritten, and this security option is enabled, the following Stop error appears:
STOP: C0000244 {Audit Failed}
An attempt to generate a security audit failed.
To recover, an administrator must log on, archive the log (optional), clear the log, and reset this option to the desired state. Until this security setting is reset, only a member of the Administrators group will be able to log on to the system, even if the security log is not full.
Note
For Windows versions prior to Windows Vista, changes will not take effect until you restart the computer.
Default value
Disabled
System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing
Location
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
Discussion
This security setting determines if the Transport Layer Security/Secure Sockets Layer (TLS/SSL) security provider supports only the TLS protocol as a client and as a server (if applicable). If this setting is enabled, the TLS/SSL security provider uses only the Federal Information Processing Standard (FIPS) 140–approved cryptographic algorithms: Triple Data Encryption Standard (3DES) and Advanced Encryption Standard (AES) for encryption, RSA public key algorithm for the TLS key exchange and authentication, and only the Secure Hashing Algorithm (SHA1, SHA256, SHA384, and SHA512) for the TLS hashing requirements.
For Encrypting File System (EFS), this setting supports the 3DES and AES encryption algorithms for encrypting file data supported by the NTFS file system. By default, EFS uses the AES algorithm with a 256-bit key in Windows Server 2003 and Windows Vista and the DESX algorithm in Windows XP for encrypting file data. For information about EFS, see Encrypting File System.
For Terminal Services, this setting supports only the 3DES encryption algorithm for encrypting Terminal Services network communication. For information about Terminal Services, see Terminal Services Technical Reference (https://go.microsoft.com/fwlink/?LinkID=89673).
For Windows BitLocker Drive Encryption, this policy needs to be enabled before any encryption key is generated. When this policy is enabled, BitLocker will prevent the creation or use of recovery passwords; recovery keys should be used instead.
Note
FIPS 140-2 is a security implementation designed for certifying cryptographic software. FIPS 140-2 validated software is required by the U.S. government and requested by other prominent institutions.
Default value
Disabled
Additional resources
For more information about security policy settings, see the following resources:
- Security Policy Settings (https://go.microsoft.com/fwlink/?LinkId=77873)
- Group Policy Collection (https://go.microsoft.com/fwlink/?LinkID=29907)
- Security Configuration and Analysis (https://go.microsoft.com/fwlink/?LinkId=77876)
- Security Templates (https://go.microsoft.com/fwlink/?LinkID=20482)