Deny delegating default credentials

This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop Connection). If you enable this policy setting, you can specify the servers to which the user’s default credentials cannot be delegated (default credentials are those used when first logging on to Windows). If you disable or do not configure this policy setting (the default), no servers are specified, so this setting denies nothing on its own.

Note: The “Deny delegating default credentials” policy setting can be set to one or more Service Principal Names (SPNs). The SPN identifies the target server to which the user’s credentials cannot be delegated. A single wildcard character (*) is permitted in each SPN. For example:

TERMSRV/host.humanresources.fabrikam.com (Remote Desktop Session Host running on the host.humanresources.fabrikam.com machine)
TERMSRV/* (Remote Desktop Session Host running on all machines)
TERMSRV/*.humanresources.fabrikam.com (Remote Desktop Session Host running on all machines in humanresources.fabrikam.com)

This policy setting can be used in combination with the “Allow delegating default credentials” policy setting to define exceptions for specific servers that would otherwise be permitted by wildcard entries in the “Allow delegating default credentials” server list.

Allow delegating saved credentials with NTLM-only server authentication

This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop Connection). It applies when server authentication was achieved via NTLM. If you enable this policy setting, you can specify the servers to which the user’s saved credentials can be delegated (saved credentials are those that you elect to save or remember using Windows Credential Manager). If you do not configure this policy setting (the default), then after proper mutual authentication, delegation of saved credentials is permitted to a Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine is not a member of any domain; if the client is domain-joined, delegation of saved credentials is by default not permitted to any machine. If you disable this policy setting, delegation of saved credentials is not permitted to any machine. Because NTLM does not give the client a trustworthy proof of the server’s identity, entries in this list (especially wildcards) should be kept as narrow as possible.

Note: The “Allow delegating saved credentials with NTLM-only server authentication” policy setting can be set to one or more Service Principal Names (SPNs). The SPN identifies the target server to which the user’s credentials can be delegated. A single wildcard character (*) is permitted in each SPN. For example:

TERMSRV/host.humanresources.fabrikam.com (Remote Desktop Session Host running on the host.humanresources.fabrikam.com machine)
TERMSRV/* (Remote Desktop Session Host running on all machines)
TERMSRV/*.humanresources.fabrikam.com (Remote Desktop Session Host running on all machines in humanresources.fabrikam.com)

Allow delegating saved credentials

This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop Connection). It applies when server authentication was achieved via a trusted X.509 certificate or Kerberos. If you enable this policy setting, you can specify the servers to which the user’s saved credentials can be delegated (saved credentials are those that you elect to save or remember using Windows Credential Manager). If you do not configure this policy setting (the default), then after proper mutual authentication, delegation of saved credentials is permitted to a Remote Desktop Session Host running on any machine (TERMSRV/*). If you disable this policy setting, delegation of saved credentials is not permitted to any machine.

Note: The “Allow delegating saved credentials” policy setting can be set to one or more Service Principal Names (SPNs). The SPN identifies the target server to which the user’s credentials can be delegated. A single wildcard character (*) is permitted in each SPN. For example:

TERMSRV/host.humanresources.fabrikam.com (Remote Desktop Session Host running on the host.humanresources.fabrikam.com machine)
TERMSRV/* (Remote Desktop Session Host running on all machines)
TERMSRV/*.humanresources.fabrikam.com (Remote Desktop Session Host running on all machines in humanresources.fabrikam.com)

Do not display the password reveal button

This policy setting allows you to configure whether the password reveal button is displayed in password entry fields. If you enable this policy setting, the password reveal button is not displayed after a user types a password in the password entry text box. If you disable or do not configure this policy setting, the password reveal button is displayed after a user types a password in the password entry text box; this is the default. To display the typed password in clear text, the user clicks the password reveal button, so disabling the button removes one way for a password to be shown on screen (for example, to an onlooker or a screen-sharing session). The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer.

Require trusted path for credential entry

This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other malicious code from stealing the user’s Windows credentials.

Note: This policy affects non-logon authentication tasks only. As a security best practice, this policy should be enabled.

If you enable this policy setting, users are required to enter Windows credentials on the Secure Desktop (the isolated desktop also used for UAC prompts) by means of the trusted path mechanism. If you disable or do not configure this policy setting, users enter Windows credentials within the user’s desktop session, which potentially allows malicious code running in that session to access the user’s Windows credentials.

Enumerate administrator accounts on elevation

This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. If you enable this policy setting, all local administrator accounts on the PC are displayed so the user can choose one and enter the correct password; note that this discloses the names of every local administrator account to anyone who can trigger an elevation prompt. If you disable this policy setting, users are always required to type a user name and password to elevate.

Restrict delegation of credentials to remote servers

When running in restricted mode, participating apps do not expose credentials to remote computers (regardless of the delegation method). Restricted mode may limit access to resources located on other servers or networks beyond the target computer, because credentials are not delegated and so cannot be used for a further hop from the target.

Participating apps: Remote Desktop Client

If you enable this policy setting, restricted mode is enforced and participating apps will not delegate credentials to remote computers. If you disable or do not configure this policy setting, restricted mode is not enforced and participating apps can delegate credentials to remote computers.

Note: To disable most credential delegation, it may be sufficient to deny delegation in the Credential Security Support Provider (CredSSP) by modifying the Administrative Template settings located at Computer Configuration -> Administrative Templates -> System -> Credentials Delegation.

Deny delegating saved credentials

This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop Connection). If you enable this policy setting, you can specify the servers to which the user’s saved credentials cannot be delegated (saved credentials are those that you elect to save or remember using Windows Credential Manager). If you disable or do not configure this policy setting (the default), no servers are specified, so this setting denies nothing on its own.

Note: The “Deny delegating saved credentials” policy setting can be set to one or more Service Principal Names (SPNs). The SPN identifies the target server to which the user’s credentials cannot be delegated. A single wildcard character (*) is permitted in each SPN. For example:

TERMSRV/host.humanresources.fabrikam.com (Remote Desktop Session Host running on the host.humanresources.fabrikam.com machine)
TERMSRV/* (Remote Desktop Session Host running on all machines)
TERMSRV/*.humanresources.fabrikam.com (Remote Desktop Session Host running on all machines in humanresources.fabrikam.com)

This policy setting can be used in combination with the “Allow delegating saved credentials” policy setting to define exceptions for specific servers that would otherwise be permitted by wildcard entries in the “Allow delegating saved credentials” server list.

Force a specific Start background

Forces the Start screen to use one of the available backgrounds (1 through 20) and prevents the user from changing it. If this setting is set to zero or is not configured, Start uses the default background and users can change it. If this setting is set to a nonzero value, Start uses the specified background and users cannot change it. If the specified background is not supported, the default background is used.

Allow delegating fresh credentials with NTLM-only server authentication

This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop Connection). It applies when server authentication was achieved via NTLM. If you enable this policy setting, you can specify the servers to which the user’s fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application). If you do not configure this policy setting (the default), then after proper mutual authentication, delegation of fresh credentials is permitted to a Remote Desktop Session Host running on any machine (TERMSRV/*). If you disable this policy setting, delegation of fresh credentials is not permitted to any machine. Since NTLM server authentication does not let the client verify which host it is talking to, the default TERMSRV/* entry means freshly typed credentials can reach any host the client is pointed at; restrict the list to the specific session hosts that need it.

Note: The “Allow delegating fresh credentials with NTLM-only server authentication” policy setting can be set to one or more Service Principal Names (SPNs). The SPN identifies the target server to which the user’s credentials can be delegated. A single wildcard character (*) is permitted in each SPN. For example:

TERMSRV/host.humanresources.fabrikam.com (Remote Desktop Session Host running on the host.humanresources.fabrikam.com machine)
TERMSRV/* (Remote Desktop Session Host running on all machines)
TERMSRV/*.humanresources.fabrikam.com (Remote Desktop Session Host running on all machines in humanresources.fabrikam.com)
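The following PowerShell is an added example, not part of the policy descriptions above, covering all of the CredSSP delegation settings on this page (the allow and deny lists for default, fresh and saved credentials, and "Restrict delegation of credentials to remote servers"). It implements the single-wildcard SPN matching and the allow-list-with-deny-exceptions logic the descriptions define, runs it against the SPNs used in the examples above, and then audits what the local machine's policy registry actually contains. The registry layout it reads (one DWORD per setting under HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation, with the SPN list in a same-named subkey whose values are "1", "2", ...) and the value name RestrictedRemoteAdministration are taken from the CredSsp.admx template and are assumptions, since the page itself does not state them.

```powershell
# Added example, not part of the policy text: evaluate CredSSP delegation decisions and
# audit the local CredSSP delegation policy.
# Assumption (from the CredSsp.admx template, not stated on this page): each setting is a
# DWORD named after the policy under the key below, and its SPN list lives in a subkey of
# the same name whose values are named "1", "2", ... and hold one SPN each.
$CredSspPolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Test-SpnMatch {
    # Match a target SPN against one policy entry. The policy allows a single '*' per
    # entry, standing for any run of characters; SPN comparison is case-insensitive.
    param([Parameter(Mandatory)][string]$Pattern,
          [Parameter(Mandatory)][string]$Spn)
    if (($Pattern -split '\*').Count -gt 2) {
        throw "Policy entry '$Pattern' contains more than one wildcard"
    }
    $regex = '^' + [regex]::Escape($Pattern).Replace('\*', '.*') + '$'
    return [bool]($Spn -match $regex)   # -match is case-insensitive by default
}

function Test-CredSspDelegation {
    # Deny entries are exceptions to the allow list: any deny match wins, so a wildcard
    # allow such as TERMSRV/* can be carved out for specific hosts as the policy text says.
    param([Parameter(Mandatory)][string]$Spn,
          [string[]]$Allow = @(),
          [string[]]$Deny  = @())
    $allowed = @($Allow | Where-Object { Test-SpnMatch -Pattern $_ -Spn $Spn }).Count -gt 0
    $denied  = @($Deny  | Where-Object { Test-SpnMatch -Pattern $_ -Spn $Spn }).Count -gt 0
    return ($allowed -and -not $denied)
}

function Get-CredSspPolicy {
    # Read one setting's enable flag and SPN list from the local policy registry hive.
    param([Parameter(Mandatory)][string]$Name)
    $enabled = (Get-ItemProperty -Path $CredSspPolicyRoot -Name $Name -ErrorAction SilentlyContinue).$Name
    $state = if ($null -eq $enabled) { 'Not configured' } elseif ($enabled -eq 1) { 'Enabled' } else { 'Disabled' }
    $listKey = Join-Path $CredSspPolicyRoot $Name
    $spns = @()
    if (Test-Path $listKey) {
        $spns = @((Get-ItemProperty -Path $listKey).PSObject.Properties |
                  Where-Object { $_.Name -match '^\d+$' } |
                  ForEach-Object { $_.Value })
    }
    [pscustomobject]@{ Policy = $Name; State = $state; Spns = $spns }
}

# Worked check with the SPNs from the policy descriptions (constructed input): a wildcard
# allow for the HR subdomain, with one host carved out by the matching deny setting.
$allow = @('TERMSRV/*.humanresources.fabrikam.com')
$deny  = @('TERMSRV/host.humanresources.fabrikam.com')
foreach ($target in 'TERMSRV/host.humanresources.fabrikam.com',
                    'TERMSRV/hr-rds01.humanresources.fabrikam.com',
                    'TERMSRV/fileserver.corp.fabrikam.com') {
    '{0,-50} delegation permitted: {1}' -f $target, (Test-CredSspDelegation -Spn $target -Allow $allow -Deny $deny)
}

# Live audit of this machine: every CredSSP delegation setting, its state and its SPN list.
# 'Not configured' falls back to the default the policy text gives for that setting
# (TERMSRV/* for several of the allow settings, an empty list for the deny settings).
$policyNames = foreach ($type in 'Default', 'Fresh', 'Saved') {
    "Allow${type}Credentials"; "Allow${type}CredentialsWhenNTLMOnly"; "Deny${type}Credentials"
}
$policyNames | ForEach-Object { Get-CredSspPolicy -Name $_ } |
    Format-Table Policy, State, @{ n = 'SPNs'; e = { $_.Spns -join ', ' } } -AutoSize

# "Restrict delegation of credentials to remote servers" is stored in the same key. The
# value name below comes from the ADMX template and is an assumption, not stated on the page.
$restricted = (Get-ItemProperty -Path $CredSspPolicyRoot -Name RestrictedRemoteAdministration -ErrorAction SilentlyContinue).RestrictedRemoteAdministration
'Restrict delegation of credentials to remote servers: {0}' -f $(if ($restricted -eq 1) { 'Enabled (restricted mode enforced)' } else { 'Not enforced' })
```

Run it in an elevated PowerShell session on the client whose policy you want to inspect; the HKLM policy key only exists once a Credentials Delegation setting has been applied by Group Policy or written locally, so a fresh machine shows every setting as 'Not configured'. Test-SpnMatch deliberately rejects entries with more than one wildcard, since the policy descriptions permit only a single wildcard character per SPN and silently accepting a second one would make an audit report broader matches than Windows actually applies.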