Update administer-security-policy-settings.md

Updates markdown for Notes. Created markdown tables in stead of HTML tables. General tidying up.
2025-06-20 12:53:38 +00:00 · 2020-03-11 22:25:16 +01:00
parent 5d664f00d1
commit eb11740d61
1 changed files with 117 additions and 211 deletions
--- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md
@ -20,6 +20,7 @@ ms.date: 04/19/2017
 # Administer security policy settings
 **Applies to**
 - Windows 10
 This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.
@ -32,74 +33,30 @@ Security settings can control:
 - User authentication to a network or device.
 - The resources that users are permitted to access.
-   Whether to record a user’s or group’s actions in the event log.
+- Whether to record a user's or group's actions in the event log.
 - Membership in a group.
 For info about each setting, including descriptions, default settings, and management and security considerations, see [Security policy settings reference](security-policy-settings-reference.md).
 To manage security configurations for multiple computers, you can use one of the following options:
 - Edit specific security settings in a GPO.
 - Use the Security Templates snap-in to create a security template that contains the security policies you want to apply, and then import the security template into a Group Policy Object. A security template is a file that represents a security configuration, and it can be imported to a GPO, or applied to a local device, or it can be used to analyze security.
-## <a href="" id="what-s-changed-in-how-settings-are-administered-"></a>What’s changed in how settings are administered?
+## <a href="" id="what-s-changed-in-how-settings-are-administered-"></a>What's changed in how settings are administered
 Over time, new ways to manage security policy settings have been introduced, which include new operating system features and the addition of new settings. The following table lists different means by which security policy settings can be administered.
 <table>
 <colgroup>
 <col width="50%" />
 <col width="50%" />
 </colgroup>
 <thead>
 <tr class="header">
 <th align="left">Tool or feature</th>
 <th align="left">Description and use</th>
 </tr>
 </thead>
 <tbody>
 <tr class="odd">
 <td align="left"><p><a href="#bkmk-secpol" data-raw-source="[Security Policy snap-in](#bkmk-secpol)">Security Policy snap-in</a></p></td>
 <td align="left"><p>Secpol.msc</p>
 <p>MMC snap-in designed to manage only security policy settings.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p><a href="#bkmk-secedit" data-raw-source="[Security editor command line tool](#bkmk-secedit)">Security editor command line tool</a></p></td>
 <td align="left"><p>Secedit.exe</p>
 <p>Configures and analyzes system security by comparing your current configuration to specified security templates.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p><a href="#bkmk-scm" data-raw-source="[Security Compliance Manager](#bkmk-scm)">Security Compliance Manager</a></p></td>
 <td align="left"><p>Tool download</p>
 <p>A Solution Accelerator that helps you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and Microsoft applications.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p><a href="#bkmk-scw" data-raw-source="[Security Configuration Wizard](#bkmk-scw)">Security Configuration Wizard</a></p></td>
 <td align="left"><p>Scw.exe</p>
 <p>SCW is a role-based tool available on servers only: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p><a href="#bkmk-scmtool" data-raw-source="[Security Configuration Manager tool](#bkmk-scmtool)">Security Configuration Manager tool</a></p></td>
 <td align="left"><p>This tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p><a href="#bkmk-grouppolicy" data-raw-source="[Group Policy](#bkmk-grouppolicy)">Group Policy</a></p></td>
 <td align="left"><p>Gpmc.msc and Gpedit.msc</p>
 <p>The Group Policy Management Console uses the Group Policy Object editor to expose the local Security options, which can then be incorporated into Group Policy Objects for distribution throughout the domain. The Local Group Policy Editor performs similar functions on the local device.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>Software Restriction Policies</p>
 <p>See <a href="https://technet.microsoft.com/library/hh994606.aspx" data-raw-source="[Administer Software Restriction Policies](https://technet.microsoft.com/library/hh994606.aspx)">Administer Software Restriction Policies</a>.</p></td>
 <td align="left"><p>Gpedit.msc</p>
 <p>Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and it controls the ability of those programs to run.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>AppLocker</p>
 <p>See <a href="/windows/device-security/applocker/administer-applocker" data-raw-source="[Administer AppLocker](/windows/device-security/applocker/administer-applocker)">Administer AppLocker</a>.</p></td>
 <td align="left"><p>Gpedit.msc</p>
 <p>Prevents malicious software (malware) and unsupported applications from affecting computers in your environment, and it prevents users in your organization from installing and using unauthorized applications.</p></td>
 </tr>
 </tbody>
 </table>
 |Tool or feature |Description and use |
 |---------|---------|
 |[Security Policy snap-in](#using-the-local-security-policy-snap-in)|Secpol.msc <br> MMC snap-in designed to manage only security policy settings.|
 |[Security editor command line tool](#using-the-secedit-command-line-tool) |Secedit.exe <br> Configures and analyzes system security by comparing your current configuration to specified security templates.|
 |[Security Compliance Manager](#using-the-security-compliance-manager)|Tool download <br> A Solution Accelerator that helps you plan, deploy, operate, and manage your security baselines for Windows client and server operating systems, and Microsoft applications.|
 |[Security Configuration Wizard](#using-the-security-configuration-wizard)|Scw.exe <br> SCW is a role-based tool available on servers only: You can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles.|
 |[Security Configuration Manager tool](#working-with-the-security-configuration-manager)|This tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain.|
 |[Group Policy](#working-with-group-policy-tools)|Gpmc.msc and Gpedit.msc <br> The Group Policy Management Console uses the Group Policy Object editor to expose the local Security options, which can then be incorporated into Group Policy Objects for distribution throughout the domain. The Local Group Policy Editor performs similar functions on the local device.|
 |Software Restriction Policies <br> See [Administer Software Restriction Policies](https://docs.microsoft.com/en-us/windows-server/identity/software-restriction-policies/administer-software-restriction-policies)|Gpedit.msc <br> Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and it controls the ability of those programs to run.|
 |Administer AppLocker <br> See [Administer AppLocker](/windows/device-security/applocker/administer-applocker)|Gpedit.msc <br> Prevents malicious software (malware) and unsupported applications from affecting computers in your environment, and it prevents users in your organization from installing and using unauthorized applications.|
 ## <a href="" id="bkmk-secpol"></a>Using the Local Security Policy snap-in
@ -124,11 +81,11 @@ The Local Security Policy snap-in is part of the Security Configuration Manager
 The secedit command-line tool works with security templates and provides six primary functions:
 - The **Configure** parameter helps you resolve security discrepancies between devices by applying the correct security template to the errant server.
-   The **Analyze** parameter compares the server’s security configuration with the selected template.
+- The **Analyze** parameter compares the server's security configuration with the selected template.
 - The **Import** parameter allows you to create a database from an existing template. The Security Configuration and Analysis tool does this also.
 - The **Export** parameter allows you to export the settings from a database into a security settings template.
 - The **Validate** parameter allows you to validate the syntax of each or any lines of text that you created or added to a security template. This ensures that if the template fails to apply syntax, the template will not be the issue.
-   The **Generate Rollback** parameter saves the server’s current security settings into a security template so it can be used to restore most of the server’s security settings to a known state. The exceptions are that, when applied, the rollback template will not change access control list entries on files or registry entries that were changed by the most recently applied template.
+- The **Generate Rollback** parameter saves the server's current security settings into a security template so it can be used to restore most of the server's security settings to a known state. The exceptions are that, when applied, the rollback template will not change access control list entries on files or registry entries that were changed by the most recently applied template.
 ## <a href="" id="bkmk-scm"></a>Using the Security Compliance Manager
@ -137,9 +94,9 @@ The Security Compliance Manager is a downloadable tool that helps you plan, depl
 **To administer security policies by using the Security Compliance Manager**
 1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](https://blogs.technet.com/b/secguide/) blog.
-2.  Read the relevant security baseline documentation that is included in this tool.
+1. Read the relevant security baseline documentation that is included in this tool.
-3.  Download and import the relevant security baselines. The installation process steps you through baseline selection.
+1. Download and import the relevant security baselines. The installation process steps you through baseline selection.
-4.  Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines.
+1. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines.
 ## <a href="" id="bkmk-scw"></a>Using the Security Configuration Wizard
@ -155,7 +112,8 @@ The following are considerations for using SCW:
 - SCW detects server role dependencies. If you select a server role, it automatically selects dependent server roles.
 - All apps that use the IP protocol and ports must be running on the server when you run SCW.
 - In some cases, you must be connected to the Internet to use the links in the SCW help.
-  > **Note**  The SCW is available only on Windows Server and only applicable to server installations.
+  > [!NOTE]
  > The SCW is available only on Windows Server and only applicable to server installations.
 The SCW can be accessed through Server Manager or by running scw.exe. The wizard steps you through server security configuration to:
@ -164,52 +122,25 @@ The SCW can be accessed through Server Manager or by running scw.exe. The wizard
 - Apply an existing security policy.
 - Roll back the last applied security policy.
-The Security Policy Wizard configures services and network security based on the server’s role, as well as configures auditing and registry settings.
+The Security Policy Wizard configures services and network security based on the server's role, as well as configures auditing and registry settings.
-For more information about SCW, including procedures, see [Security Configuration Wizard](https://technet.microsoft.com/library/cc754997.aspx).
+For more information about SCW, including procedures, see [Security Configuration Wizard](https://docs.microsoft.com/previous-versions/orphan-topics/ws.11/cc754997(v=ws.11)).
 ## <a href="" id="bkmk-scmtool"></a>Working with the Security Configuration Manager
 The Security Configuration Manager tool set allows you to create, apply, and edit the security for your local device, organizational unit, or domain.
-For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager](https://technet.microsoft.com/library/cc758219(WS.10).aspx).
+For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc758219(v=ws.10)).
 The following table lists the features of the Security Configuration Manager.
 <table>
 <colgroup>
 <col width="50%" />
 <col width="50%" />
 </colgroup>
 <thead>
 <tr class="header">
 <th align="left">Security Configuration Manager tools</th>
 <th align="left">Description</th>
 </tr>
 </thead>
 <tbody>
 <tr class="odd">
 <td align="left"><p><a href="#bkmk-seccfgana" data-raw-source="[Security Configuration and Analysis](#bkmk-seccfgana)">Security Configuration and Analysis</a></p></td>
 <td align="left"><p>Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p><a href="#bkmk-sectmpl" data-raw-source="[Security templates](#bkmk-sectmpl)">Security templates</a></p></td>
 <td align="left"><p>Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p><a href="#bkmk-secextensions" data-raw-source="[Security Settings extension to Group Policy](#bkmk-secextensions)">Security Settings extension to Group Policy</a></p></td>
 <td align="left"><p>Edits individual security settings on a domain, site, or organizational unit.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p><a href="#bkmk-localsecpol" data-raw-source="[Local Security Policy](#bkmk-localsecpol)">Local Security Policy</a></p></td>
 <td align="left"><p>Edits individual security settings on your local computer.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>Secedit</p></td>
 <td align="left"><p>Automates security configuration tasks at a command prompt.</p></td>
 </tr>
 </tbody>
 </table>
 |Security Configuration Manager tools  |Description  |
 |---------|---------|
 |[Security Configuration and Analysis](#security-configuration-and-analysis) |Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.|
 |[Security templates](#security-templates) |Defines a security policy in a template. These templates can be applied to Group Policy or to your local computer.|
 |[Security Settings extension to Group Policy](#security-settings-extension-to-group-policy) |Edits individual security settings on a domain, site, or organizational unit.|
 |[Local Security Policy](#local-security-policy)|Edits individual security settings on your local computer.|
 |Secedit |Automates security configuration tasks at a command prompt.|
 ### <a href="" id="bkmk-seccfgana"></a>Security Configuration and Analysis
@ -278,26 +209,26 @@ With the local security policy, you can control:
 - Who accesses your device.
 - What resources users are authorized to use on your device.
-   Whether or not a user’s or group's actions are recorded in the event log.
+- Whether or not a user's or group's actions are recorded in the event log.
 If your local device is joined to a domain, you are subject to obtaining a security policy from the domain's policy or from the policy of any organizational unit that you are a member of. If you are getting a policy from more than one source, conflicts are resolved in the following order of precedence.
 1. Organizational unit policy
-2.  Domain policy
+1. Domain policy
-3.  Site policy
+1. Site policy
-4.  Local computer policy
+1. Local computer policy
 If you modify the security settings on your local device by using the local security policy, then you are directly modifying the settings on your device. Therefore, the settings take effect immediately, but this may only be temporary. The settings will actually remain in effect on your local device until the next refresh of Group Policy security settings, when the security settings that are received from Group Policy will override your local settings wherever there are conflicts.
 ### Using the Security Configuration Manager
-For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager How To](https://technet.microsoft.com/library/cc784762(WS.10).aspx). This section contains information in this topic about:
+For procedures on how to use the Security Configuration Manager, see [Security Configuration Manager How To](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784762(v=ws.10)). This section contains information in this topic about:
-   [Applying security settings](#bkmk-applysecsettings)
+- [Applying security settings](#applying-security-settings)
-   [Importing and exporting security templates](#bkmk-impexpsectmpl)
+- [Importing and exporting security templates](#importing-and-exporting-security-templates)
-   [Analyzing security and viewing results](#bkmk-anasecviewresults)
+- [Analyzing security and viewing results](#analyzing-security-and-viewing-results)
-   [Resolving security discrepancies](#bkmk-resolvesecdiffs)
+- [Resolving security discrepancies](#resolving-security-discrepancies)
-   [Automating security configuration tasks](#bkmk-autoseccfgtasks)
+- [Automating security configuration tasks](#automating-security-configuration-tasks)
 ### <a href="" id="bkmk-applysecsettings"></a>Applying security settings
@ -311,13 +242,15 @@ Once you have edited the security settings, the settings are refreshed on the co
 For security settings that are defined by more than one policy, the following order of precedence is observed:
 1. Organizational Unit Policy
-2.  Domain Policy
+1. Domain Policy
-3.  Site Policy
+1. Site Policy
-4.  Local computer Policy
+1. Local computer Policy
 For example, a workstation that is joined to a domain will have its local security settings overridden by the domain policy wherever there is a conflict. Likewise, if the same workstation is a member of an Organizational Unit, the settings applied from the Organizational Unit's policy will override
 both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence.
-> **Note**  Use gpresult.exe to find out what policies are applied to a device and in what order.
+
 > [!NOTE]
 > Use gpresult.exe to find out what policies are applied to a device and in what order.  
 For domain accounts, there can be only one account policy that includes password policies, account lockout policies, and Kerberos policies.
 **Persistence in security settings**
@ -350,41 +283,13 @@ Security Configuration and Analysis performs security analysis by comparing the
 Security Configuration and Analysis displays the analysis results by security area, using visual flags to indicate problems. It displays the current system and base configuration settings for each security attribute in the security areas. To change the analysis database settings, right-click the entry, and then click **Properties**.
-<table>
+|Visual flag  |Meaning  |
-<colgroup>
+|---------|---------|
-<col width="50%" />
+|Red X |The entry is defined in the analysis database and on the system, but the security setting values do not match.|
-<col width="50%" />
+|Green check mark |The entry is defined in the analysis database and on the system and the setting values match.|
-</colgroup>
+|Question mark |The entry is not defined in the analysis database and, therefore, was not analyzed. <br> If an entry is not analyzed, it may be that it was not defined in the analysis database or that the user who is running the analysis may not have sufficient permission to perform analysis on a specific object or area.|
-<thead>
+|Exclamation point |This item is defined in the analysis database, but does not exist on the actual system. For example, there may be a restricted group that is defined in the analysis database but does not actually exist on the analyzed system.|
-<tr class="header">
+|No highlight |The item is not defined in the analysis database or on the system.|
 <th align="left">Visual flag</th>
 <th align="left">Meaning</th>
 </tr>
 </thead>
 <tbody>
 <tr class="odd">
 <td align="left"><p>Red X</p></td>
 <td align="left"><p>The entry is defined in the analysis database and on the system, but the security setting values do not match.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>Green check mark</p></td>
 <td align="left"><p>The entry is defined in the analysis database and on the system and the setting values match.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>Question mark</p></td>
 <td align="left"><p>The entry is not defined in the analysis database and, therefore, was not analyzed.</p>
 <p>If an entry is not analyzed, it may be that it was not defined in the analysis database or that the user who is running the analysis may not have sufficient permission to perform analysis on a specific object or area.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>Exclamation point</p></td>
 <td align="left"><p>This item is defined in the analysis database, but does not exist on the actual system. For example, there may be a restricted group that is defined in the analysis database but does not actually exist on the analyzed system.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p>No highlight</p></td>
 <td align="left"><p>The item is not defined in the analysis database or on the system.</p></td>
 </tr>
 </tbody>
 </table>
 If you choose to accept the current settings, the corresponding value in the base configuration is modified to match them. If you change the system setting to match the base configuration, the change will be reflected when you configure the system with Security Configuration and Analysis.
@ -398,7 +303,8 @@ You can resolve discrepancies between analysis database and system settings by:
 - Configuring the system to the analysis database values, if you determine the system is not in compliance with valid security levels.  
 - Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system.  
 Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file.  
-You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies. In general, do not use **Configure Computer Now** when you are analyzing security for domain-based clients, since you will have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object.
+You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies.  
 In general, do not use **Configure Computer Now** when you are analyzing security for domain-based clients, since you will have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object.
 ### <a href="" id="bkmk-autoseccfgtasks"></a>Automating security configuration tasks