File name: | wsecedit.dll.mui |
Size: | 176640 byte |
MD5: | 77fe51f177c63e3fbab1c232d6ccf2b7 |
SHA1: | 11a1290e058ffeae885b72be132dd7cf9bca1a0d |
SHA256: | 3e76d145d9a74cae6a35cdb9d49bb3e6f25300a718b2ad4651ef1001208ff958 |
Operating systems: | Windows 10 |
Extension: | MUI |
If an error occurred or the following message in Chinese (Simplified) language and you cannot find a solution, than check answer in English. Table below helps to know how correctly this phrase sounds in English.
id | Chinese (Simplified) | English |
---|---|---|
1 | WSecEdit 扩展类 | WSecEdit Extension Class |
2 | 名称 | Name |
3 | 描述 | Description |
4 | 策略 | Policy |
5 | 数据库设置 | Database Setting |
6 | 计算机设置 | Computer Setting |
7 | 安全模板 | Security Template |
8 | 模板 | Templates |
9 | 上次的配置/分析 | Last Configuration/Analysis |
10 | 安全模板被指定用来配置或分析一台计算机。 | Security templates defined to configure or analyze a computer. |
12 | 安全策略 | Security Policy |
13 | 用户权限分配 | User Rights Assignment |
14 | 受限制的组 | Restricted Groups |
15 | 系统服务 | System Services |
16 | 注册表 | Registry |
17 | 文件系统 | File System |
21 | 系统服务设置 | System service settings |
22 | 注册表安全设置 | Registry security settings |
23 | 文件系统安全设置 | File system security settings |
25 | (没有保存) | (not saved) |
26 | 安全设置 | Security Settings |
27 | WSecEdit 安全配置类 | WSecEdit Security Configuration Class |
28 | WSecEdit 安全管理器类 | WSecEdit Security Manager Class |
29 | 确实要删除 %s 吗? | Are you sure you want to delete %s? |
30 | 要删除所有选定的项目吗? | Do you want to delete all selected items? |
31 | 立即分析计算机(&A)... 将当前计算机设置跟数据库中的安全设置进行比较 |
&Analyze Computer Now... Compares the current computer settings against the security settings in the database |
34 | 导出模板(&E)... 导出目前计算机的基本模板 |
&Export Template... Exports the base template for the current computer |
35 | 新加文件(&L)... 将新文件加入这个模板 |
Add Fi&les... Adds new files to this template |
36 | 新加模板搜索路径(&N)... 给安全模板的搜索路径添加一个模板位置(.inf - INF 格式) |
&New Template Search Path... Adds a template location to the Security Templates' search path (.inf - INF format) |
37 | 新加模板(&N)... 创建一个新模板 |
&New Template... Creates a new template |
38 | 删除路径(&R) 从搜索路径删除所选的位置 |
&Remove Path Removes the selected location from the search path |
39 | 刷新(&F) 更新这个位置来显示新加的模板 |
Re&fresh Updates this location to display recently added templates |
40 | 立即配置计算机(&F)... 根据选定的模板配置计算机 |
Con&figure Computer Now... Configures the computer according to the selected template |
42 | Windows 无法从 %s 导入模板 | Windows cannot import the template from %s |
43 | 另存为(&A)... 用新的名称保存模板 |
Save &As... Saves the template with a new name |
44 | 复制(&C) 将选定的模板信息复制到剪贴板上 |
&Copy Copies the selected template information to the Clipboard |
45 | 粘贴(&P) 将剪贴板信息粘贴到模板里 |
&Paste Pastes Clipboard information into the template |
46 | 源 GPO | Source GPO |
47 | 刷新(&R) 刷新数据 |
&Refresh Refreshes data |
48 | 要添加这个对象,需要安全设置 | Security is required to add this object |
49 | Windows 无法导入安全模板 | Windows cannot import the security template |
50 | 密码策略 | Password Policy |
51 | 密码最长使用期限 天 |
Maximum password age days |
52 | 密码最短使用期限 天 |
Minimum password age days |
53 | 密码长度最小值 个字符 |
Minimum password length characters |
54 | 强制密码历史 个记住的密码 |
Enforce password history passwords remembered |
55 | 密码必须符合复杂性要求 | Password must meet complexity requirements |
56 | 用户必须登录才能更改密码 | User must log on to change the password |
57 | 帐户锁定策略 | Account Lockout Policy |
58 | 帐户锁定阈值 次无效登录 |
Account lockout threshold invalid logon attempts |
59 | 重置帐户锁定计数器 分钟之后 |
Reset account lockout counter after minutes |
60 | 帐户锁定时间 分钟 |
Account lockout duration minutes |
61 | 要删除这个模板吗? | Do you want to delete this template? |
62 | 没有加载数据库。 | The database is not loaded. |
63 | 网络安全: 在超过登录时间后强制注销 | Network security: Force logoff when logon hours expire |
65 | 帐户: 重命名系统管理员帐户 | Accounts: Rename administrator account |
67 | 帐户: 重命名来宾帐户 | Accounts: Rename guest account |
68 | 重新加载 从策略数据库重新加载本地和有效策略表 |
Reload Reloads the local and effective policy tables from the policy database |
69 | 组名 | Group Name |
70 | 事件日志 | Event Log |
71 | 系统日志大小最大值 KB |
Maximum system log size kilobytes |
72 | 系统日志保留方法 | Retention method for system log |
73 | 系统日志保留天数 天 |
Retain system log days |
74 | 安全日志最大值 KB |
Maximum security log size kilobytes |
75 | 安全日志的保留方法 | Retention method for security log |
76 | 安全日志保留天数 天 |
Retain security log days |
77 | 应用程序日志大小最大值 KB |
Maximum application log size kilobytes |
78 | 应用程序日志保留方法 | Retention method for application log |
79 | 应用程序日志保留天数 天 |
Retain application log days |
80 | 安全审核日志满后关闭计算机 | Shut down the computer when the security audit log is full |
81 | 审核策略 | Audit Policy |
82 | 事件审核模式 | Event Auditing Mode |
83 | 审核系统事件 | Audit system events |
84 | 审核登录事件 | Audit logon events |
85 | 审核对象访问 | Audit object access |
86 | 审核特权使用 | Audit privilege use |
87 | 审核策略更改 | Audit policy change |
88 | 审核帐户管理 | Audit account management |
89 | 审核进程跟踪 | Audit process tracking |
90 | 安全选项 | Security Options |
92 | 没有定义 | Not Defined |
95 | 无法添加成员 | Cannot add members |
96 | 无法显示安全性 | Cannot display security |
97 | 无法添加用户 | Cannot add users |
98 | 无法添加目录对象 | Cannot add directory object |
99 | 无法添加文件夹 | Cannot add a folder |
100 | -- 成员 | -- Members |
102 | 此文件名包含一些当前系统语言不能识别的字符。请重命名它。 | This file name contains some characters that can not be recognized by current system language. Please rename it. |
103 | 权限 | Permission |
104 | 审核 | Audit |
106 | Windows 无法添加文件。 | Windows cannot add a file. |
107 | 模板名无效。 | The template name is not valid. |
108 | 导出存储的模板时出现错误。 | An error occurred while exporting the stored template. |
109 | Windows 无法添加注册表项 | Windows cannot add a registry key |
110 | 完全控制 | Full Control |
111 | 修改 | Modify |
112 | 读取和执行 | Read and Execute |
113 | 列出文件夹内容 | List Folder Contents |
114 | 读取 | Read |
115 | 写入 | Write |
116 | 遍历文件夹/执行文件 | Traverse Folder/Execute File |
117 | 删除 | Delete |
120 | 无 | None |
124 | 查询数值 | Query Value |
125 | 设置数值 | Set Value |
126 | 创建子项 | Create Subkey |
127 | 枚举子项 | Enumerate Subkeys |
128 | 通知 | Notify |
129 | 创建链接 | Create Link |
130 | 执行 | Execute |
131 | 无法创建线程 | Cannot create a thread |
132 | 无法验证下列帐户: %1 |
The following accounts could not be validated: %1 |
141 | 日志文件名 | Log File Name |
143 | 运行安全分析 | Perform Security Analysis |
144 | 安全策略设置 | Security policy settings |
146 | 安全配置和分析 v1.0 |
Security Configuration and Analysis v1.0 |
147 | 安全配置和分析是用来确保计算机安全和分析安全设置的一个管理工具。可以用其创建或编辑安全模板,应用安全模板,根据模板进行分析,并显示分析结果。 | Security Configuration and Analysis is an administrative tool used to secure a computer and analyze security aspects. You can create or edit a security template, apply the security template, perform analyses based on a template, and display analysis results. |
148 | 上次的分析执行在 |
Last analysis was performed on |
149 | 基本安全配置描述: |
Base security configuration description: |
150 | 计算机是由下列模板配置的。 没有进行分析。 |
The computer was configured by the following template. Analysis was not performed. |
151 | 还没有用安全配置和分析配置或分析过数据库。 | The database has not been configured or analyzed using Security Configuration and Analysis. |
152 | 关于安全配置和分析 | About Security Configuration and Analysis |
153 | 关于上次分析 | About Last Analysis |
154 | 给安全模板添加一个模板位置 | Add a Template Location to Security Templates |
165 | 对象名 | Object Name |
166 | 不一致的数值 | Inconsistent Values |
168 | 打开模板 | Open Template |
169 | 安全模板(.inf)|*.inf|| | Security Template (.inf)|*.inf|| |
170 | inf | inf |
171 | 打开错误日志文件 | Open Error Log File |
172 | log | log |
173 | 日志文件(.log)|*.log|| | Log files (.log)|*.log|| |
193 | Software\Microsoft\Windows NT\CurrentVersion\SecEdit\Template Locations | Software\Microsoft\Windows NT\CurrentVersion\SecEdit\Template Locations |
194 | Windows 无法打开模板文件。 | Windows cannot open template file. |
195 | Windows 无法读取模板信息。 | Windows cannot read template information. |
196 | 在所选的数据库中没有可显示的分析信息。请用“分析”菜单选项,开始使用这个工具。 | There is no analysis information in the selected database to display. Use the Analyze menu option to start using this tool. |
197 | 0 | 0 |
198 | 按需要 | As needed |
199 | 按天数 | By days |
200 | 手动 | Manually |
201 | 已启用 | Enabled |
202 | 已禁用 | Disabled |
203 | 启用 | On |
204 | 关闭 | Off |
210 | 成员 | Members |
211 | 隶属于 | Member Of |
214 | CLASSES_ROOT | CLASSES_ROOT |
215 | MACHINE | MACHINE |
216 | USERS | USERS |
217 | 成功 | Succeeded |
229 | 未知错误 | Unknown error |
232 | \Security\Templates | \Security\Templates |
233 | 从网络访问此计算机 | Access this computer from the network |
234 | 允许本地登录 | Allow log on locally |
235 | 未能保存 | Failed to save |
236 | 保存(&S) 保存模板 |
&Save Save the template |
237 | Software\Microsoft\Windows NT\CurrentVersion\SecEdit | Software\Microsoft\Windows NT\CurrentVersion\SecEdit |
238 | 添加文件夹 | Add Folder |
239 | 添加文件夹(&F)... 将新建文件夹添加到这个模板 |
Add &Folder... Adds a new folder to this template |
240 | 添加项(&K)... 将新建项添加到这个模板 |
Add &Key... Adds a new key to this template |
241 | 添加组(&G)... 将新建组添加到这个模板 |
Add &Group... Adds a new group to this template |
248 | 服务名 | Service Name |
249 | 启动 | Startup |
250 | 已分析 | Analyzed |
251 | 已配置 | Configured |
252 | 自动 | Automatic |
254 | 确定 | OK |
255 | 调查 | Investigate |
256 | 数据库安全设置 | Database Security for |
257 | 上次被分析的安全设置 | Last Analyzed Security for |
262 | 组成员身份 | Group Membership |
263 | 这个组的成员 | Members of this group |
266 | 帐户策略 | Account Policies |
267 | 密码和帐户锁定策略 | Password and account lockout policies |
268 | 本地策略 | Local Policies |
269 | 审核、用户权利和安全选项策略 | Auditing, user rights and security options policies |
271 | 事件日志设置和事件查看器 | Event Log settings and Event Viewer |
272 | 审核目录服务访问 | Audit directory service access |
273 | 审核帐户登录事件 | Audit account logon events |
275 | 限制本地来宾组访问系统日志 | Prevent local guests group from accessing system log |
276 | 防止本地来宾组访问安全日志 | Prevent local guests group from accessing security log |
277 | 防止本地来宾组访问应用程序日志 | Prevent local guests group from accessing application log |
278 | 总是 | Always |
281 | 忽略 | Ignore |
284 | 替换 | Replace |
286 | 作为批处理作业登录 | Log on as a batch job |
287 | 作为服务登录 | Log on as a service |
288 | Active Directory 对象 | Active Directory Objects |
289 | Active Directory 对象的安全管理 | Security management of Active Directory objects |
290 | 添加目录对象(&O) 将一个 Active Directory 对象添加到该模板中 |
Add Directory &Object Adds an Active Directory object to this template |
293 | 列出文件夹/读取数据 | List folder / Read data |
294 | 读取属性 | Read attributes |
295 | 读取扩展属性 | Read extended attributes |
296 | 创建文件/写入数据 | Create files / Write data |
297 | 创建文件夹/附加数据 | Create folders / Append data |
298 | 写入属性 | Write attributes |
299 | 写入扩展属性 | Write extended attributes |
300 | 删除子文件夹及文件 | Delete subfolders and files |
302 | 读取权限 | Read permissions |
303 | 更改权限 | Change permissions |
304 | 取得所有权 | Take ownership |
305 | 同步 | Synchronize |
306 | 读取、写入和执行 | Read, Write and Execute |
307 | 写入和执行 | Write and Execute |
308 | 遍历 / 执行 | Traverse / Execute |
309 | 只有该文件夹 | This folder only |
310 | 此文件夹、子文件夹和文件 | This folder, subfolders and files |
311 | 此文件夹和子文件夹 | This folder and subfolders |
312 | 此文件夹和文件 | This folder and files |
313 | 仅子文件夹和文件 | Subfolders and files only |
314 | 只有子文件夹 | Subfolders only |
315 | 只有文件 | Files only |
316 | 只有该项 | This key only |
317 | 该项及其子项 | This key and subkeys |
318 | 只有子项 | Subkeys only |
321 | 启动、停止和暂停 | Start, stop and pause |
322 | 查询模板 | Query template |
323 | 更改模板 | Change template |
324 | 查询状态 | Query status |
325 | 枚举从属项 | Enumerate dependents |
327 | 停止 | Stop |
328 | 暂停和继续 | Pause and continue |
329 | 询问 | Interrogate |
330 | 用户定义的控制 | User-defined control |
336 | 删除子项 | Delete children |
337 | 列出内容 | List contents |
338 | 自行添加/删除 | Add/remove self |
341 | 只有该容器 | This container only |
342 | 该容器和子容器 | This container and subcontainers |
343 | 只有子容器 | Subcontainers only |
344 | [[本机策略配置]] | [[Local Computer Policy Configuration ]] |
345 | 帐户不锁定。 | Account will not lock out. |
346 | 可以立即更改密码。 | Password can be changed immediately. |
347 | 不要求密码。 | No password required. |
348 | 不保留密码历史。 | Do not keep password history. |
349 | 密码过期时间: | Password will expire in: |
350 | 在以下天数后可以更改密码: | Password can be changed after: |
351 | 密码必须至少是: | Password must be at least: |
352 | 保留密码历史: | Keep password history for: |
353 | 在发生以下情况之后,锁定帐户: | Account will lock out after: |
354 | 帐户锁定时间: | Account is locked out for: |
355 | 覆盖时间超过: | Overwrite events older than: |
356 | 密码不过期。 | Password will not expire. |
357 | 管理员解除锁定之前帐户保持锁定状态。 | Account is locked out until administrator unlocks it. |
359 | 用可还原的加密来储存密码 | Store passwords using reversible encryption |
360 | Kerberos 策略 | Kerberos Policy |
361 | 强制用户登录限制 | Enforce user logon restrictions |
362 | 计算机时钟同步的最大容差 分钟 |
Maximum tolerance for computer clock synchronization minutes |
363 | 服务票证最长寿命 分钟 |
Maximum lifetime for service ticket minutes |
364 | 用户票证最长寿命 个小时 |
Maximum lifetime for user ticket hours |
365 | 用户票证续订最长寿命 天 |
Maximum lifetime for user ticket renewal days |
366 | 添加成员 | Add Member |
368 | 内存不足,无法显示该节 | There is not enough memory to display this section |
369 | 没有关于上次分析的信息 | No information is available about the last analysis |
370 | Windows 无法保存更改过的模板。 | Windows cannot save changed templates. |
372 | 安全配置和分析 | Security Configuration and Analysis |
374 | 导入模板(&I)... 将模板导入这个数据库 |
&Import Template... Import a template into this database |
376 | Windows 无法创建或打开 %s | Windows cannot create or open %s |
377 | 查找错误日志文件 | Locate error log file |
378 | sdb | sdb |
379 | 安全数据库文件(*.sdb)|*.sdb|所有文件(*.*)|*.*|| | Security Database Files (*.sdb)|*.sdb|All Files (*.*)|*.*|| |
380 | 将模板应用到计算机 | Apply Template to Computer |
381 | 记录配置计算机进度的错误日志文件路径 | Error log file path to record the progress of configuring the computer |
382 | 安全性(&S)... | &Security... |
383 | 编辑这个项目的安全性 | Edit security for this item |
384 | Software\Microsoft\Windows NT\CurrentVersion\SecEdit\Configuration | Software\Microsoft\Windows NT\CurrentVersion\SecEdit\Configuration |
385 | 安全性(&S)... 编辑这个项目的安全性 |
&Security... Edit security for this item |
386 | EnvironmentVariables | EnvironmentVariables |
387 | %AppData%|%UserProfile%|%AllUsersProfile%|%ProgramFiles%|%SystemRoot%|%SystemDrive%|%Temp%|%Tmp%| | %AppData%|%UserProfile%|%AllUsersProfile%|%ProgramFiles%|%SystemRoot%|%SystemDrive%|%Temp%|%Tmp%| |
388 | 打开数据库(&P)... 打开一个现有的或新的数据库 |
O&pen Database... Open an existing or new database |
389 | 新建数据库(&N)... 创建并打开一个新数据库 |
&New Database... Create and open a new database |
390 | 设置描述(&P)... 为这个目录中的模板创建描述 |
Set Descri&ption... Create a description for the templates in this directory |
392 | \help\sce.chm | \help\sce.chm |
395 | 所有文件(*.*)|*.*|| | All files (*.*)|*.*|| |
396 | 数据库: %s | Database: %s |
397 | 尝试打开数据库时出现未知错误。 | An unknown error occurred when attempting to open the database. |
398 | 使用数据库之前,你必须对其进行分析。在“数据库”菜单上,请选择运行分析的选项。 | Before you can use the database, you must analyze it. On the Database menu, select the option to run an analysis. |
399 | 试图打开的数据库不存在。在“数据库”菜单上单击“导入模板”。 | The database you are attempting to open does not exist. On the Database menu, click Import Template. |
400 | 数据库已损坏。有关修复数据库的信息,请参阅联机“帮助”。 | The database is corrupt. For information about fixing the database, see online Help. |
401 | 内存不足,无法加载数据库。请关闭一些程序,再试一次。 | There is not enough memory available to load the database. Close some programs and then try again. |
402 | 拒绝访问数据库。除非数据库的权限已更改,否则,你必须是管理员才能使用数据库。 | Access to the database is denied. Unless the permissions on the database have been changed, you must have administrative rights to use it. |
403 | \Security\Database | \Security\Database |
404 | 要将改动存到 %s 吗? | Do you want to save changes to %s? |
405 | 现在有一个待定的导入模板。为了保存该模板,请单击“取消”,在导入另一个模板之前运行分析或配置。要忽略前一个导入的模板,请单击“确定”。 |
There is an existing imported template pending. To save, click Cancel, and then run an analysis or configuration before importing another template. To ignore the previous imported template, click OK. |
406 | 所有已选文件 | All Selected Files |
407 | 拒绝本地登录 | Deny log on locally |
408 | 拒绝从网络访问这台计算机 | Deny access to this computer from the network |
409 | 拒绝以服务身份登录 | Deny log on as a service |
410 | 拒绝作为批处理作业登录 | Deny log on as a batch job |
411 | 添加组 | Add Group |
412 | 组(&G): | &Group: |
413 | 没有分析 | Not Analyzed |
414 | 错误分析 | Error Analyzing |
416 | 建议的设置 | Suggested Setting |
417 | 本地策略 ... 从本地策略设置创建模板文件 |
Local Policy ... Create template file from the local policy settings |
418 | 有效策略 ... 从有效的策略设置创建模板文件 |
Effective Policy ... Create template file from the effective policy settings |
419 | 安全配置和分析 若要打开现有数据库 请右键单击“安全配置和分析”领域项单击“打开数据库” 选择数据库,然后单击“打开”若要创建新的数据库 请右键单击“安全配置和分析”领域项单击“打开数据库” 键入新数据库名称,然后单击“打开” 选择要导入的安全模板,然后单击“打开” | Security Configuration and Analysis To Open an Existing Database Right-click the Security Configuration and Analysis scope item Click Open Database Select a database, and then click Open To Create a New Database Right-click the Security Configuration and Analysis scope item Click Open Database Type a new database name, and then click Open Select a security template to import, and then click Open |
420 | ||
422 | 你试图打开的数据库不存在。 | The database you are attempting to open does not exist. |
423 | 你可以从安全设置菜单命令的导入策略创建新的本地策略数据库。 | You can create a new local policy database by choosing Import Policy from the Security Settings menu commands. |
424 | 拒绝访问数据库。 | Access to database has been denied. |
425 | 查看日志文件(&G) 在选择安全配置和分析节点时,切换日志文件或文件夹树的显示 |
View Lo&g File Toggle display of the log file or folder tree when Security Configuration and Analysis node is selected |
426 | 现在可以用这个数据库中的安全设置配置或分析计算机。若要配置计算机请右键单击“安全配置和分析”领域项选择“立即配置计算机”在对话框中键入要查看的日志文件名,然后单击“确定”注意: 配置结束后,必须执行分析来查看数据库中的信息若要分析计算机安全设置 请右键单击“安全配置和分析”领域项选择“立即分析计算机”在对话框中键入日志文件路径,然后单击“确定”注意: 若要查看配置或分析期间创建的日志文件,请在“安全配置和分析”上下文菜单中选择“查看日志文件”。 | You can now configure or analyze your computer by using the security settings in this database. To Configure Your ComputerRight-click the Security Configuration and Analysis scope itemSelect Configure Computer NowIn the dialog, type the name of the log file you wish to view, and then click OKNOTE: After configuration is complete, you must perform an analysis to view the information in your databaseTo Analyze Your Computer Security Settings Right-click the Security Configuration and Analysis scope itemSelect Analyze Computer NowIn the dialog, type the log file path, and then click OKNOTE: To view the log file created during a configuration or analysis, select View Log File on the Security Configuration and Analysis context menu. |
427 | 读取位置的错误 | Error Reading Location |
429 | 策略设置 | Policy Setting |
430 | 安全向导(&W)... 安全服务器作用向导 |
Secure &Wizard... Secure Server Role Wizard |
431 | Windows 不能导入无效模板 %s | Windows cannot import invalid template %s |
432 | 帐户: 管理员帐户状态 | Accounts: Administrator account status |
433 | 帐户: 来宾帐户状态 | Accounts: Guest account status |
434 | 属性 | Properties |
435 | 用户名无效。没有输入用户名,或用户名包含下列字符: %1 |
The username is not valid. It is empty or it may not contain any of the following characters: %1 |
436 | 没有最小 | No minimum |
437 | 用户和组名称不能包含下列任何字符之一: %1 |
User and group names may not contain any of the following characters: %1 |
438 | 系统找不到指定的路径: %1 |
The system can not find the path specified: %1 |
439 | 文件名不能含有下列字符中的任何一个: %1 |
File name may not contain any of the following characters: %1 |
440 | 必须选择一个启动模式。 | A startup mode must be selected. |
441 | 无法删除对象 "%1"。原因是,一个打开的窗口正在显示其属性。 要删除这个对象,请关闭那个窗口,再选择“删除”。 |
Object "%1" cannot be deleted because an open window is displaying its properties. To delete this object, close that window and select "Delete" again. |
442 | 为 %.17s 配置成员身份... | Configure Membership for %.17s... |
443 | 在此后重置帐户锁定计数器 | Reset account lockout counter after |
444 | 设置描述(&P)... 创建此模板的描述 |
Set Descri&ption... Create a description for this template |
445 | 描述可包含任何以下字符: %1 |
Description may not contain any of the following characters: %1 |
446 | 模板设置 | Template Setting |
449 | 请确定你对此对象有正确的权限。 | Make sure that you have the right permissions to this object. |
450 | 请确定此对象存在。 | Make sure that this object exists. |
451 | 文件夹 %1 无法使用。请选择另一个文件夹。 | The folder %1 cannot be used. Choose another folder. |
452 | 我的电脑 | My Computer |
453 | 文件名太长。 | The file name is too long. |
552 | spolsconcepts.chm::/html/2ff43721-e5fb-4e0c-b1a1-4ee3f414a3b7.htm | spolsconcepts.chm::/html/2ff43721-e5fb-4e0c-b1a1-4ee3f414a3b7.htm |
697 | 文件名不能包含以下任何字符: %1 |
File name may not only contain any of the following characters: %1 |
698 | %1 此文件名是一个保留的设备名。 请选择另一个名称。 |
%1 This file name is a reserved device name. Choose another name. |
699 | 此文件类型不正确。 | The file type is not correct. |
700 | 你必须属于管理员组的成员才能执行所请求的操作。 | You must be a member of the Administrators group to perform the requested operation. |
701 | 此文件名 %1 无效。 用正确的格式重新输入此文件名,如 c:\location\file。%2。 |
The file name %1 is not valid. Reenter the file name in the correct format, such as c:\location\file.%2. |
702 | 没有进行帐户名与安全 ID 之间的映射 | No mapping between account names and security IDs was done |
709 | 要影响到域帐户,必须在默认域策略定义此设置。 | To affect domain accounts, this setting must be defined in default domain policy. |
718 | 本地安全策略 | Local Security Policy |
740 | %1%2 | %1%2 |
741 | %1%2 %3 |
%1%2 %3 |
745 | 特殊 | Special |
753 | 对 SAM 的远程访问的安全设置 | Security Settings for Remote Access to SAM |
754 | 远程访问 | Remote Access |
762 | 中心访问策略 | Central Access Policy |
763 | 应用于文件系统的中心访问策略 | Central Access Policies applied to the file system |
764 | !!未知策略!!: | !!Unknown policy!!: |
765 | %1 %2 | %1 %2 |
1900 | 强制密码历史
此安全设置确定再次使用某个旧密码之前必须与某个用户帐户关联的唯一新密码数。该值必须介于 0 个和 24 个密码之间。 此策略使管理员能够通过确保旧密码不被连续重新使用来增强安全性。 默认值: 在域控制器上为 24。 在独立服务器上为 0。 注意: 在默认情况下,成员计算机沿用各自域控制器的配置。 若要维护密码历史的有效性,还要同时启用密码最短使用期限安全策略设置,不允许在密码更改之后立即再次更改密码。有关密码最短使用期限安全策略设置的信息,请参阅“密码最短使用期限”。 |
Enforce password history
This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. This policy enables administrators to enhance security by ensuring that old passwords are not reused continually. Default: 24 on domain controllers. 0 on stand-alone servers. Note: By default, member computers follow the configuration of their domain controllers. To maintain the effectiveness of the password history, do not allow passwords to be changed immediately after they were just changed by also enabling the Minimum password age security policy setting. For information about the minimum password age security policy setting, see Minimum password age. |
1901 | 密码最长使用期限
此安全设置确定在系统要求用户更改某个密码之前可以使用该密码的期间(以天为单位)。可以将密码设置为在某些天数(介于 1 到 999 之间)后到期,或者将天数设置为 0,指定密码永不过期。如果密码最长使用期限介于 1 和 999 天之间,密码最短使用期限必须小于密码最长使用期限。如果将密码最长使用期限设置为 0,则可以将密码最短使用期限设置为介于 0 和 998 天之间的任何值。 注意: 安全最佳操作是将密码设置为 30 到 90 天后过期,具体取决于你的环境。这样,攻击者用来破解用户密码以及访问网络资源的时间将受到限制。 默认值: 42。 |
Maximum password age
This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days. Note: It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources. Default: 42. |
1902 | 密码最短使用期限
此安全设置确定在用户更改某个密码之前必须使用该密码一段时间(以天为单位)。可以设置一个介于 1 和 998 天之间的值,或者将天数设置为 0,允许立即更改密码。 密码最短使用期限必须小于密码最长使用期限,除非将密码最长使用期限设置为 0,指明密码永不过期。如果将密码最长使用期限设置为 0,则可以将密码最短使用期限设置为介于 0 和 998 之间的任何值。 如果希望“强制密码历史”有效,则需要将密码最短使用期限设置为大于 0 的值。如果没有设置密码最短使用期限,用户则可以循环选择密码,直到获得期望的旧密码。默认设置没有遵从此建议,以便管理员能够为用户指定密码,然后要求用户在登录时更改管理员定义的密码。如果将密码历史设置为 0,用户将不必选择新密码。因此,默认情况下将“强制密码历史”设置为 1。 默认值: 在域控制器上为 1。 在独立服务器上设置为 0。 注意: 在默认情况下,成员计算机沿用各自域控制器的配置。 |
Minimum password age
This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default. Default: 1 on domain controllers. 0 on stand-alone servers. Note: By default, member computers follow the configuration of their domain controllers. |
1903 | 最短密码长度
此安全设置确定用户帐户密码包含的最少字符数。可以将值设置为介于 1 和 14 个字符之间,或者将字符数设置为 0 以确定不需要密码。 默认值: 在域控制器上为 7。 在独立服务器上为 0。 注意: 在默认情况下,成员计算机沿用各自域控制器的配置。 |
Minimum password length
This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. Default: 7 on domain controllers. 0 on stand-alone servers. Note: By default, member computers follow the configuration of their domain controllers. |
1904 | 密码必须符合复杂性要求。
此安全设置确定密码是否必须符合复杂性要求。 如果启用此策略,密码必须符合下列最低要求: 不能包含用户的帐户名,不能包含用户姓名中超过两个连续字符的部分 至少有六个字符长 包含以下四类字符中的三类字符: 英文大写字母(A 到 Z) 英文小写字母(a 到 z) 10 个基本数字(0 到 9) 非字母字符(例如 !、$、#、%) 在更改或创建密码时执行复杂性要求。 默认值: 在域控制器上启用。 在独立服务器上禁用。 注意: 在默认情况下,成员计算机沿用各自域控制器的配置。 |
Password must meet complexity requirements
This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: Not contain the user's account name or parts of the user's full name that exceed two consecutive characters Be at least six characters in length Contain characters from three of the following four categories: English uppercase characters (A through Z) English lowercase characters (a through z) Base 10 digits (0 through 9) Non-alphabetic characters (for example, !, $, #, %) Complexity requirements are enforced when passwords are changed or created. Default: Enabled on domain controllers. Disabled on stand-alone servers. Note: By default, member computers follow the configuration of their domain controllers. |
1905 | 用可还原的加密来储存密码
此安全设置确定操作系统是否使用可还原的加密来储存密码。 此策略为某些应用程序提供支持,这些应用程序使用的协议需要用户密码来进行身份验证。使用可还原的加密储存密码与储存纯文本密码在本质上是相同的。因此,除非应用程序需求比保护密码信息更重要,否则绝不要启用此策略。 通过远程访问或 Internet 身份验证服务(IAS)使用质询握手身份验证协议(CHAP)验证时需要设置此策略。在 Internet 信息服务(IIS)中使用摘要式身份验证时也需要设置此策略。 默认值: 禁用。 |
Store passwords using reversible encryption
This security setting determines whether the operating system stores passwords using reversible encryption. This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information. This policy is required when using Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS). Default: Disabled. |
1906 | 帐户锁定时间
此安全设置确定锁定帐户在自动解锁之前保持锁定的分钟数。可用范围从 0 到 99,999 分钟。如果将帐户锁定时间设置为 0,帐户将一直被锁定直到管理员明确解除对它的锁定。 如果定义了帐户锁定阈值,则帐户锁定时间必须大于或等于重置时间。 默认值: 无,因为只有在指定了帐户锁定阈值时,此策略设置才有意义。 |
Account lockout duration
This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. |
1907 | 帐户锁定阈值
此安全设置确定导致用户帐户被锁定的登录尝试失败的次数。在管理员重置锁定帐户或帐户锁定时间期满之前,无法使用该锁定帐户。可以将登录尝试失败次数设置为介于 0 和 999 之间的值。如果将值设置为 0,则永远不会锁定帐户。 在使用 Ctrl+Alt+Del 或密码保护的屏幕保护程序锁定的工作站或成员服务器上的密码尝试失败将计作登录尝试失败。 默认值: 0。 |
Account lockout threshold
This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts. Default: 0. |
1908 | 在此后复位帐户锁定计数器
此安全设置确定在某次登录尝试失败之后将登录尝试失败计数器重置为 0 次错误登录尝试之前需要的时间。可用范围是 1 到 99,999 分钟。 如果定义了帐户锁定阈值,此重置时间必须小于或等于帐户锁定时间。 默认值: 无,因为只有在指定了帐户锁定阈值时,此策略设置才有意义。 |
Reset account lockout counter after
This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. |
1909 | 强制用户登录限制
此安全设置确定 Kerberos V5 密钥分发中心(KDC)是否根据用户帐户的用户权限策略验证会话票证的每个请求。可以根据需要选择是否验证会话票证的每个请求,因为额外步骤耗时且可能降低网络访问服务的速度。 默认值: 启用。 |
Enforce user logon restrictions
This security setting determines whether the Kerberos V5 Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the user account. Validation of each request for a session ticket is optional, because the extra step takes time and it may slow network access to services. Default: Enabled. |
1910 | 服务票证最长寿命
此安全设置确定授权会话票证可用于访问特定服务的最长时间(以分钟为单位)。该设置必须大于 10 分钟,并且小于或等于用户票证的最长寿命设置。 如果客户端在请求连接到服务器时提供的会话票证过期,服务器将返回错误消息。客户端必须从 Kerberos V5 密钥分发中心(KDC)请求新会话票证。但是,一旦连接通过身份验证,会话票证是否保持有效不再紧要。会话票证仅用于与服务器的新连接进行身份验证。如果用于对连接进行身份验证的会话票证在连接过程中过期,不会中断正在进行的操作。 默认值: 600 分钟(10 小时)。 |
Maximum lifetime for service ticket
This security setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. The setting must be greater than 10 minutes and less than or equal to the setting for Maximum lifetime for user ticket. If a client presents an expired session ticket when it requests a connection to a server, the server returns an error message. The client must request a new session ticket from the Kerberos V5 Key Distribution Center (KDC). Once a connection is authenticated, however, it no longer matters whether the session ticket remains valid. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket that is used to authenticate the connection expires during the connection. Default: 600 minutes (10 hours). |
1911 | 用户票证最长寿命
此安全设置确定用户的票证授予票证(TGT)可以使用的最长时间(以小时为单位)。 默认值: 10 小时。 |
Maximum lifetime for user ticket
This security setting determines the maximum amount of time (in hours) that a user's ticket-granting ticket (TGT) may be used. Default: 10 hours. |
1912 | 用户票证续订最长寿命
此安全设置确定可以续订用户的票证授予票证(TGT)的期间(以天数为单位)。 默认值: 7 天。 |
Maximum lifetime for user ticket renewal
This security setting determines the period of time (in days) during which a user's ticket-granting ticket (TGT) may be renewed. Default: 7 days. |
1913 | 计算机时钟同步的最大容差
此安全设置确定 Kerberos V5 可以容忍客户端时钟时间与运行 Windows Server 2003 的域控制器(提供 Kerberos 身份验证)的时间之间的最大时间差(以分钟为单位)。 为防止“重播攻击”,Kerberos V5 将时间戳用作其协议定义的一部分。为了时间戳正常工作,客户端和域控制器的时钟需要尽可能地同步。换句话,两台计算机必须设置相同的时间和日期。由于两台计算机的时间通常不同步,因此管理员可以使用此策略为 Kerberos V5 确定客户端时钟与域控制器时钟之间的可接受的最大容差。如果客户端时钟与域控制器时钟之间的差别小于该策略指定的最大时间差别,则在两台计算机之间的会话中使用的时间戳将被认为是可信的。 重要信息 此设置在 Vista 之前的平台上不是永久的。如果在配置此设置后重新启动计算机,该设置将恢复为默认值。 默认值: 5 分钟。 |
Maximum tolerance for computer clock synchronization
This security setting determines the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the domain controller running Windows Server 2003 that provides Kerberos authentication. To prevent "replay attacks," Kerberos V5 uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both computers must be set to the same time and date. Because the clocks of two computers are often out of sync, administrators can use this policy to establish the maximum acceptable difference to Kerberos V5 between a client clock and domain controller clock. If the difference between a client clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any time stamp that is used in a session between the two computers is considered to be authentic. Important This setting is not persistent on pre Vista platforms. If you configure this setting and then restart the computer, this setting reverts to the default value. Default: 5 minutes. |
1914 | 审核帐户登录事件
此安全设置确定 OS 是否在此计算机每次验证帐户凭据时进行审核。 在计算机对其具有权威性的帐户凭据进行验证时会生成帐户登录事件。域成员和未加入域的计算机对其本地帐户具有权威性;域控制器对该域中的帐户全都具有权威性。凭证验证可能支持本地登录,或者,对于域控制器上的 Active Directory 域帐户的情况,可能支持在另一台计算机上登录。由于凭据验证是无状态的,因此帐户登录事件没有相应的注销事件。 如果定义此策略设置,则管理员可以指定是仅审核成功、仅审核失败、同时审核成功和失败还是根本不审核这些事件(即既不审核成功也不审核失败)。 客户端版本上的默认值: 凭据验证: 无审核 Kerberos 服务票证操作: 无审核 其他帐户登录事件: 无审核 Kerberos 身份验证服务: 无审核 服务器版本上的默认值: 凭据验证: 成功 Kerberos 服务票证操作: 成功 其他帐户登录事件: 无审核 Kerberos 身份验证服务: 成功 重要信息: 若要获得对审核策略的更多控制,请使用“高级审核策略配置”节点中的设置。有关高级审核策略配置的详细信息,请参阅 https://go.microsoft.com/fwlink/?LinkId=140969。 |
Audit account logon events
This security setting determines whether the OS audits each time this computer validates an account’s credentials. Account logon events are generated whenever a computer validates the credentials of an account for which it is authoritative. Domain members and non-domain-joined machines are authoritative for their local accounts; domain controllers are all authoritative for accounts in the domain. Credential validation may be in support of a local logon, or, in the case of an Active Directory domain account on a domain controller, may be in support of a logon to another computer. Credential validation is stateless so there is no corresponding logoff event for account logon events. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures). Default values on Client editions: Credential Validation: No Auditing Kerberos Service Ticket Operations: No Auditing Other Account Logon Events: No Auditing Kerberos Authentication Service: No Auditing Default values on Server editions: Credential Validation: Success Kerberos Service Ticket Operations: Success Other Account Logon Events: No Auditing Kerberos Authentication Service: Success Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see https://go.microsoft.com/fwlink/?LinkId=140969. |
1915 | 审核帐户管理
此安全设置确定是否审核计算机上的每个帐户管理事件。帐户管理事件示例包括: 创建、更改或删除用户帐户或组。 重命名、禁用或启用用户帐户。 设置或更改密码。 如果定义此策略设置,可以指定是审核成功、审核失败还是根本不审核事件类型。成功审核在任何帐户管理事件成功时生成审核条目。失败审核在任何帐户管理事件失败时生成审核条目。若要将该值设置为“无审核”,请在此策略设置的“属性”对话框中选中“定义这些策略设置”复选框,然后清除“成功”和“失败”复选框。 客户端版本上的默认值: 用户帐户管理: 成功 计算机帐户管理: 无审核 安全组管理: 成功 分发组管理: 无审核 应用程序组管理: 无审核 其他帐户管理事件: 无审核 服务器版本上的默认值: 用户帐户管理: 成功 计算机帐户管理: 成功 安全组管理: 成功 分发组管理: 无审核 应用程序组管理: 无审核 其他帐户管理事件: 无审核 重要信息: 若要获得对审核策略的更多控制,请使用“高级审核策略配置”节点中的设置。有关高级审核策略配置的详细信息,请参阅 https://go.microsoft.com/fwlink/?LinkId=140969。 |
Audit account management
This security setting determines whether to audit each event of account management on a computer. Examples of account management events include: A user account or group is created, changed, or deleted. A user account is renamed, disabled, or enabled. A password is set or changed. If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes. Default values on Client editions: User Account Management: Success Computer Account Management: No Auditing Security Group Management: Success Distribution Group Management: No Auditing Application Group Management: No Auditing Other Account Management Events: No Auditing Default values on Server editions: User Account Management: Success Computer Account Management: Success Security Group Management: Success Distribution Group Management: No Auditing Application Group Management: No Auditing Other Account Management Events: No Auditing Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see https://go.microsoft.com/fwlink/?LinkId=140969. |
1916 | 审核目录服务访问
此安全设置确定 OS 是否对访问 Active Directory 对象的用户尝试进行审核。仅当对象已指定了系统访问控制列表(SACL),并且请求的访问类型(读取、写入或修改)和发出请求的帐户与 SACL 中的设置相匹配时才生成审核。 管理员可以指定是仅审核成功、仅审核失败、同时审核成功和失败还是根本不审核这些事件(即既不审核成功也不审核失败)。 如果启用了成功审核,则每当任何帐户成功访问指定了匹配 SACL 的 Acitve Directory 对象时都会生成审核条目。 如果启用了失败审核,则每当任何用户尝试访问指定了匹配 SACL 的 Active Directory 对象失败时都会生成审核条目。 客户端版本上的默认值: 目录服务访问: 无审核 目录服务更改: 无审核 目录服务复制: 无审核 详细的目录服务复制: 无审核 服务器版本上的默认值: 目录服务访问: 成功 目录服务更改: 无审核 目录服务复制: 无审核 详细的目录服务复制: 无审核 重要信息: 若要获得对审核策略的更多控制,请使用“高级审核策略配置”节点中的设置。有关高级审核策略配置的详细信息,请参阅 https://go.microsoft.com/fwlink/?LinkId=140969。 |
Audit directory service access
This security setting determines whether the OS audits user attempts to access Active Directory objects. Audit is only generated for objects that have system access control lists (SACL) specified, and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL. The administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures). If Success auditing is enabled, an audit entry is generated each time any account successfully accesses a Directory object that has a matching SACL specified. If Failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a Directory object that has a matching SACL specified. Default values on Client editions: Directory Service Access: No Auditing Directory Service Changes: No Auditing Directory Service Replication: No Auditing Detailed Directory Service Replication: No Auditing Default values on Server editions: Directory Service Access: Success Directory Service Changes: No Auditing Directory Service Replication: No Auditing Detailed Directory Service Replication: No Auditing Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see https://go.microsoft.com/fwlink/?LinkId=140969. |
1917 | 审核登录事件
此安全设置确定 OS 是否对尝试登录此计算机或从中注销的用户的每个实例进行审核。 在已登录用户帐户的登录会话终止时,将生成注销事件。如果定义此策略设置,则管理员可以指定是仅审核成功、仅审核失败、同时审核成功和失败还是根本不审核这些事件(即既不审核成功也不审核失败)。 客户端版本上的默认值: 登录: 成功 注销: 成功 帐户锁定: 成功 IPsec 主模式: 无审核 IPsec 快速模式: 无审核 IPsec 扩展模式: 无审核 特殊登录: 成功 其他登录/注销事件: 无审核 网络策略服务器: 成功,失败 服务器版本上的默认值: 登录: 成功,失败 注销: 成功 帐户锁定: 成功 IPsec 主模式: 无审核 IPsec 快速模式: 无审核 IPsec 扩展模式: 无审核 特殊登录: 成功 其他登录/注销事件: 无审核 网络策略服务器: 成功,失败 重要信息: 若要获得对审核策略的更多控制,请使用“高级审核策略配置”节点中的设置。有关高级审核策略配置的详细信息,请参阅 https://go.microsoft.com/fwlink/?LinkId=140969。 |
Audit logon events
This security setting determines whether the OS audits each instance of a user attempting to log on to or to log off to this computer. Log off events are generated whenever a logged on user account's logon session is terminated. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures). Default values on Client editions: Logon: Success Logoff: Success Account Lockout: Success IPsec Main Mode: No Auditing IPsec Quick Mode: No Auditing IPsec Extended Mode: No Auditing Special Logon: Success Other Logon/Logoff Events: No Auditing Network Policy Server: Success, Failure Default values on Server editions: Logon: Success, Failure Logoff: Success Account Lockout: Success IPsec Main Mode: No Auditing IPsec Quick Mode: No Auditing IPsec Extended Mode: No Auditing Special Logon: Success Other Logon/Logoff Events: No Auditing Network Policy Server: Success, Failure Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see https://go.microsoft.com/fwlink/?LinkId=140969. |
1918 | 审核对象访问
此安全设置确定 OS 是否对访问非 Active Directory 对象的用户尝试进行审核。仅当对象已指定了系统访问控制列表(SACL),并且请求的访问类型(读取、写入或修改)和发出请求的帐户与 SACL 中的设置相匹配时才生成审核。 管理员可以指定是仅审核成功、仅审核失败、同时审核成功和失败还是根本不审核这些事件(即既不审核成功也不审核失败)。 如果启用了成功审核,则每当任何帐户成功访问指定了匹配 SACL 的非 Active Directory 对象时都会生成审核条目。 如果启用了失败审核,则每当任何用户尝试访问指定了匹配 SACL 的非 Acitve Directory 对象失败时都会生成审核条目。 请注意,使用文件系统对象“属性”对话框中的“安全性”选项卡,可以在该对象上设置 SACL。 默认值: 无审核。 重要信息: 若要获得对审核策略的更多控制,请使用“高级审核策略配置”节点中的设置。有关高级审核策略配置的详细信息,请参阅 https://go.microsoft.com/fwlink/?LinkId=140969。 |
Audit object access
This security setting determines whether the OS audits user attempts to access non-Active Directory objects. Audit is only generated for objects that have system access control lists (SACL) specified, and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL. The administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures). If Success auditing is enabled, an audit entry is generated each time any account successfully accesses a non-Directory object that has a matching SACL specified. If Failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a non-Directory object that has a matching SACL specified. Note that you can set a SACL on a file system object using the Security tab in that object's Properties dialog box. Default: No auditing. Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see https://go.microsoft.com/fwlink/?LinkId=140969. |
1919 | 审核策略更改
此安全设置确定 OS 是否对尝试更改用户权限分配策略、审核策略、帐户策略或信任策略的每一个实例进行审核。 管理员可以指定是仅审核成功、仅审核失败、同时审核成功和失败还是根本不审核这些事件(即既不审核成功也不审核失败)。 如果启用了成功审核,则将在尝试更改用户权限分配策略、审核策略或信任策略成功时生成审核条目。 如果启用了失败审核,则将在无权进行请求的策略更改的帐户尝试更改用户权限分配策略、审核策略或信任策略时生成审核条目。 默认值: 审核策略更改: 成功 身份验证策略更改: 成功 授权策略更改: 无审核 MPSSVC 规则级别策略更改: 无审核 筛选平台策略更改: 无审核 其他策略更改事件: 无审核 重要信息: 若要获得对审核策略的更多控制,请使用“高级审核策略配置”节点中的设置。有关高级审核策略配置的详细信息,请参阅 https://go.microsoft.com/fwlink/?LinkId=140969。 |
Audit policy change
This security setting determines whether the OS audits each instance of attempts to change user rights assignment policy, audit policy, account policy, or trust policy. The administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures). If Success auditing is enabled, an audit entry is generated when an attempted change to user rights assignment policy, audit policy, or trust policy is successful. If Failure auditing is enabled, an audit entry is generated when an attempted change to user rights assignment policy, audit policy, or trust policy is attempted by an account that is not authorized to make the requested policy change. Default: Audit Policy Change: Success Authentication Policy Change: Success Authorization Policy Change: No Auditing MPSSVC Rule-Level Policy Change: No Auditing Filtering Platform Policy Change: No Auditing Other Policy Change Events: No Auditing Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see https://go.microsoft.com/fwlink/?LinkId=140969. |
1920 | 审核权限使用
此安全设置确定是否审核执行用户权限的用户的每个实例。 如果定义此策略设置,可以指定是审核成功、审核失败还是根本不审核此类型的事件。成功审核在用户权限执行成功时生成审核条目。失败审核在用户权限执行失败时生成审核条目。 若要将该值设置为“无审核”,请在此策略设置的“属性”对话框中选中“定义这些策略设置”复选框,然后清除“成功”和“失败”复选框。 默认值: 无审核。 使用下列用户权限时不生成审核,即使为“审核权限使用”指定了成功审核或失败审核。启用对这些用户权限的审核往往会在安全日志中生成许多事件,这会影响计算机的性能。若要审核下列用户权限,请启用 FullPrivilegeAuditing 注册表项。 绕过遍历检查 调试程序 创建令牌对象 替换进程级令牌 生成安全审核 备份文件和目录 还原文件和目录 警告 错误地编辑注册表可能严重损坏系统。在更改注册表之前,应当备份计算机上的所有重要数据。 重要信息: 若要获得对审核策略的更多控制,请使用“高级审核策略配置”节点中的设置。有关高级审核策略配置的详细信息,请参阅 https://go.microsoft.com/fwlink/?LinkId=140969。 |
Audit privilege use
This security setting determines whether to audit each instance of a user exercising a user right. If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit this type of event at all. Success audits generate an audit entry when the exercise of a user right succeeds. Failure audits generate an audit entry when the exercise of a user right fails. To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes. Default: No auditing. Audits are not generated for use of the following user rights, even if success audits or failure audits are specified for Audit privilege use. Enabling auditing of these user rights tend to generate many events in the security log which may impede your computer's performance. To audit the following user rights, enable the FullPrivilegeAuditing registry key. Bypass traverse checking Debug programs Create a token object Replace process level token Generate security audits Back up files and directories Restore files and directories Caution Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see https://go.microsoft.com/fwlink/?LinkId=140969. |
1921 | 审核进程跟踪
此安全设置确定 OS 是否审核与进程相关的事件,例如进程创建、进程终止、句柄复制以及间接对象访问。 如果定义此策略设置,则管理员可以指定是仅审核成功、仅审核失败、同时审核成功和失败还是根本不审核这些事件(即既不审核成功也不审核失败)。 如果启用了成功审核,则每当 OS 执行以上与进程相关的操作之一时都会生成审核条目。 如果启用了失败审核,则每当 OS 执行以上操作之一失败时都会生成审核条目。 默认值: 无审核 重要信息: 若要获得对审核策略的更多控制,请使用“高级审核策略配置”节点中的设置。有关高级审核策略配置的详细信息,请参阅 https://go.microsoft.com/fwlink/?LinkId=140969。 |
Audit process tracking
This security setting determines whether the OS audits process-related events such as process creation, process termination, handle duplication, and indirect object access. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures). If Success auditing is enabled, an audit entry is generated each time the OS performs one of these process-related activities. If Failure auditing is enabled, an audit entry is generated each time the OS fails to perform one of these activities. Default: No auditing\r Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see https://go.microsoft.com/fwlink/?LinkId=140969. |
1922 | 审核系统事件
此安全设置确定 OS 是否对以下任何事件进行审核: • 尝试更改系统时间 • 尝试安全启动或关闭系统 • 尝试加载可扩展身份验证组件 • 由于审核系统失败而导致已审核事件丢失 • 安全日志大小超过可配置的警告阈值级别。 如果定义此策略设置,则管理员可以指定是仅审核成功、仅审核失败、同时审核成功和失败还是根本不审核这些事件(即既不审核成功也不审核失败)。 如果启用了成功审核,则每当 OS 成功执行以上操作之一时都会生成审核条目。 如果启用了失败审核,则每当 OS 尝试执行以上操作之一失败时都会生成审核条目。 默认值: 安全状态更改 成功 安全系统扩展 无审核 系统完整性 成功,失败 IPsec 驱动程序 无审核 其他系统事件 成功,失败 重要信息: 若要获得对审核策略的更多控制,请使用“高级审核策略配置”节点中的设置。有关高级审核策略配置的详细信息,请参阅 https://go.microsoft.com/fwlink/?LinkId=140969。 |
Audit system events
This security setting determines whether the OS audits any of the following events: • Attempted system time change • Attempted security system startup or shutdown • Attempt to load extensible authentication components • Loss of audited events due to auditing system failure • Security log size exceeding a configurable warning threshold level. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures). If Success auditing is enabled, an audit entry is generated each time the OS performs one of these activities successfully. If Failure auditing is enabled, an audit entry is generated each time the OS attempts and fails to perform one of these activities. Default: Security State Change Success Security System Extension No Auditing System Integrity Success, Failure IPsec Driver No Auditing Other System Events Success, Failure Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see https://go.microsoft.com/fwlink/?LinkId=140969. |
1923 | 从网络访问此计算机
此用户权限确定允许哪些用户和组通过网络连接到计算机。此用户权限不影响远程桌面服务。 注意: 在以前版本的 Windows Server 中,远程桌面服务称为终端服务。 工作站和服务器上的默认值: Administrators Backup Operators Users Everyone 域控制器上的默认值: Administrators Authenticated Users Enterprise Domain Controllers Everyone Pre-Windows 2000 Compatible Access |
Access this computer from the network
This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right. Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default on workstations and servers: Administrators Backup Operators Users Everyone Default on domain controllers: Administrators Authenticated Users Enterprise Domain Controllers Everyone Pre-Windows 2000 Compatible Access |
1924 | 作为操作系统的一部分
此用户权限允许某个进程模拟任意用户而无须进行身份验证。因此该进程可以与该用户一样获得对本地资源的访问权限。 需要此权限的进程应该使用已经包括此权限的 LocalSystem 帐户,而不是使用分配了该权限的独立用户帐户。如果你的组织仅使用属于 Windows Server 2003 家族成员的服务器,则不需要将此权限分配给用户。但是,如果你的组织使用运行 Windows 2000 或 Windows NT 4.0 的服务器,则需要分配该权限才能使用以纯文本格式交换密码的应用程序。 警告 分配该用户权限可能存在安全风险。只将该用户权限分配给可信用户。 默认值: 无。 |
Act as part of the operating system
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. If your organization only uses servers that are members of the Windows Server 2003 family, you do not need to assign this privilege to your users. However, if your organization uses servers running Windows 2000 or Windows NT 4.0, you might need to assign this privilege to use applications that exchange passwords in plaintext. Caution Assigning this user right can be a security risk. Only assign this user right to trusted users. Default: None. |
1925 | 将工作站添加到域
此安全设置确定哪些组或用户可以将工作站添加到域。 此安全设置仅对域控制器有效。默认情况下,任何已经过身份验证的用户都具有此权限并可以在该域中最多创建 10 个计算机帐户。 将计算机帐户添加到域使计算机能够参加基于 Active Directory 的网络。例如,将工作站添加到域使工作站能够识别存在于 Active Directory 中的帐户和组。 默认: 域控制器上已经通过身份验证的用户。 注意: 在 Active Directory 计算机容器上具有创建计算机对象权限的用户也可以在该域中创建计算机帐户。差异在于在该容器上具有权限的用户并不受限于仅创建 10 个计算机帐户。此外,通过将工作站添加到域创建的计算机帐户将域管理员作为计算机帐户的所有者,而通过在计算机容器上的权限创建的计算机帐户将创建者作为计算机帐户的所有者。如果某个用户具有容器上的权限,同时具有将工作站添加到域用户权限,则会基于计算机容器权限而不是基于该用户权限添加该计算机。 |
Add workstations to domain
This security setting determines which groups or users can add workstations to a domain. This security setting is valid only on domain controllers. By default, any authenticated user has this right and can create up to 10 computer accounts in the domain. Adding a computer account to the domain allows the computer to participate in Active Directory-based networking. For example, adding a workstation to a domain enables that workstation to recognize accounts and groups that exist in Active Directory. Default: Authenticated Users on domain controllers. Note: Users who have the Create Computer Objects permission on the Active Directory computers container can also create computer accounts in the domain. The distinction is that users with permissions on the container are not restricted to the creation of only 10 computer accounts. In addition, computer accounts that are created by means of Add workstations to domain have Domain Administrators as the owner of the computer account, while computer accounts that are created by means of permissions on the computers container have the creator as the owner of the computer account. If a user has permissions on the container and also has the Add workstations to domain user right, the computer is added, based on the computer container permissions rather than on the user right. |
1926 | 为进程调整内存配额
此权限确定谁可以更改进程可消耗的最大内存。 此用户权限是在默认域控制器组策略对象(GPO)以及工作站和服务器的本地安全策略中进行定义的。 注意: 此权限对于系统调整非常有用,但它可能被误用,例如,在拒绝服务攻击中。 默认值: Administrators Local Service Network Service。 |
Adjust memory quotas for a process
This privilege determines who can change the maximum memory that can be consumed by a process. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. Note: This privilege is useful for system tuning, but it can be misused, for example, in a denial-of-service attack. Default: Administrators Local Service Network Service. |
1927 | 本地登录
确定哪些用户可以登录到该计算机。 重要信息 修改此设置可能会影响与客户端、服务和应用程序的兼容性。有关此设置的兼容性信息,请参阅 Microsoft 网站上的“允许本地登录”(https://go.microsoft.com/fwlink/?LinkId=24268 )。 默认值: • 在工作站和服务器上: Administrators、Backup Operators、Power Users、Users 和 Guest。 • 在域控制器上: Account Operators、Administrators、Backup Operators 和 Print Operators。 |
Log on locally
Determines which users can log on to the computer. Important Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website. Default: • On workstations and servers: Administrators, Backup Operators, Power Users, Users, and Guest. • On domain controllers: Account Operators, Administrators, Backup Operators, and Print Operators. |
1928 | 允许通过远程桌面服务登录
此安全设置确定哪些用户或组具有作为远程桌面服务客户端登录的权限。 默认值: 在工作站和服务器上: Administrators、Remote Desktop Users。 在域控制器上: Administrators。 重要信息 此设置对尚未更新到 Service Pack 2 的 Windows 2000 计算机无任何效果。 |
Allow log on through Remote Desktop Services
This security setting determines which users or groups have permission to log on as a Remote Desktop Services client. Default: On workstation and servers: Administrators, Remote Desktop Users. On domain controllers: Administrators. Important This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2. |
1929 | 备份文件和目录
此用户权限确定哪些用户可以绕过文件和目录、注册表和其他永久对象权限进行系统备份。 特殊情况下,此用户权限类似于向系统上所有文件和文件夹涉及到的用户或组授予下列权限: 遍历文件夹/执行文件 列出文件/读取数据 读取属性 读取扩展属性 读取权限 警告 分配此用户权限可能有安全风险。由于没有办法确定用户是否正在备份数据、窃取数据或复制数据以进行分发,请仅向受信任的用户分配此用户权限。 工作站和服务器上的默认值: Administrators Backup Operators。 域控制器和服务器上的默认值: Administrators Backup Operators Server Operators |
Back up files and directories
This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system: Traverse Folder/Execute File List Folder/Read Data Read Attributes Read Extended Attributes Read Permissions Caution Assigning this user right can be a security risk. Since there is no way to be sure that a user is backing up data, stealing data, or copying data to be distributed, only assign this user right to trusted users. Default on workstations and servers: Administrators Backup Operators. Default on domain controllers:Administrators Backup Operators Server Operators |
1930 | 绕过遍历检查
此用户权限确定哪些用户即使在不具有对已遍历目录的权限时也可以遍历目录树。此权限不允许用户列出目录的内容,仅允许遍历目录。 此用户权限是在默认域控制器组策略对象(GPO)以及工作站和服务器的本地安全策略中进行定义的。 工作站和服务器上的默认值: Administrators Backup Operators Users Everyone Local Service Network Service 域控制器上的默认值: Administrators Authenticated Users Everyone Local Service Network Service Pre-Windows 2000 Compatible Access |
Bypass traverse checking
This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. Default on workstations and servers: Administrators Backup Operators Users Everyone Local Service Network Service Default on domain controllers: Administrators Authenticated Users Everyone Local Service Network Service Pre-Windows 2000 Compatible Access |
1931 | 更改系统时间
此用户权限确定哪些用户和组可以更改计算机内部时钟上的日期和时间。分配了此用户权限的用户可以影响事件日志的外观。如果已更改了系统时间,则记录的事件将反映此新时间,而不是事件发生的实际时间。 此用户权限是在默认域控制器组策略对象(GPO)以及工作站和服务器的本地安全策略中进行定义的。 工作站和服务器上的默认值: Administrators Local Service 域控制器上的默认值: Administrators Server Operators Local Service |
Change the system time
This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. Default on workstations and servers: Administrators Local Service Default on domain controllers: Administrators Server Operators Local Service |
1932 | 创建页面文件
此用户权限确定哪些用户和组可以调用内部应用程序编程接口(API)创建页面文件和更改页面文件的大小。此用户权限供操作系统内部使用,且通常不需要分配给任何用户。 有关如何为某个给定的驱动器指定页面文件大小的信息,请参阅“更改虚拟内存页面文件的大小”。 默认值: Administrators。 |
Create a pagefile
This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users. For information about how to specify a paging file size for a given drive, see To change the size of the virtual memory paging file. Default: Administrators. |
1933 | 创建令牌对象
此安全设置确定进程可以使用哪些帐户创建令牌,该令牌接着可以在进程使用内部应用程序编程接口(API)创建访问令牌时用于获取任何本地资源的访问权限。 此用户权限供操作系统内部使用。除非必要,请不要将此用户权限分配给本地系统之外的用户、组或进程。 警告 分配此用户权限可能有安全风险。请不要将此用户权限分配给不希望其接管系统的任何用户、组或进程。 默认值: 无 |
Create a token object
This security setting determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. Default: None |
1934 | 创建全局对象
此安全设置确定用户是否可以创建所有会话都可以使用的全局对象。没有此用户权限的用户仍可以创建特定于其自身的会话的对象。可以创建全局对象的用户会影响在其他用户的会话下运行的进程,这样会导致应用程序失败或数据损坏。 警告 分配此用户权限可能有安全风险。请仅向受信任的用户分配此用户权限。 默认值: Administrators Local Service Network Service Service |
Create global objects
This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution Assigning this user right can be a security risk. Assign this user right only to trusted users. Default: Administrators Local Service Network Service Service |
1935 | 创建永久共享对象
此用户权限确定进程可以使用哪些帐户利用对象管理器创建目录对象。 此用户权限供操作系统内部使用,且对于扩展对象命名空间的内核模式组件非常有用。因为已经将此用户权限分配给了内核模式下运行的组件,所以就没有必要再专门分配此用户权限。 默认值: 无。 |
Create permanent shared objects
This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it. Default: None. |
1936 | 调试程序
此用户权限确定哪些用户可以将调试程序连接到任何进程或连接到内核。不需要将此用户权限分配给正在调试自己的应用程序的开发人员。调试新系统组件的开发人员将需要此用户权限来执行相应操作。此用户权限提供对敏感和关键系统组件的完全访问权限。 警告 分配此用户权限可能有安全风险。请仅向受信任的用户分配此用户权限。 默认值: Administrators |
Debug programs
This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution Assigning this user right can be a security risk. Only assign this user right to trusted users. Default: Administrators |
1937 | 拒绝从网络访问此计算机
此安全设置确定要防止哪些用户通过网络访问计算机。如果用户帐户受制于此策略设置和“从网络访问此计算机”策略设置,则前者会取代后者。 默认值: Guest |
Deny access to this computer from the network
This security setting determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. Default: Guest |
1938 | 拒绝作为批处理作业登录
此安全设置确定要防止哪些帐户作为批处理作业登录。如果用户帐户受制于此策略设置和“作为批处理作业登录”策略设置,则前者会取代后者。 默认: 无。 |
Deny log on as a batch job
This security setting determines which accounts are prevented from being able to log on as a batch job. This policy setting supersedes the Log on as a batch job policy setting if a user account is subject to both policies. Default: None. |
1939 | 拒绝作为服务登录
此安全设置确定要防止哪些服务帐户将进程注册为服务。如果帐户受制于此策略设置和“作为服务登录”策略设置,则前者会取代后者。 注意: 此安全设置不适用于系统、本地服务或网络服务帐户。 默认值: 无。 |
Deny log on as a service
This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies. Note: This security setting does not apply to the System, Local Service, or Network Service accounts. Default: None. |
1940 | 拒绝本地登录
此安全设置确定要防止哪些用户在该计算机上登录。如果帐户受制于此策略设置和“允许本地登录”策略设置,则前者会取代后者。 重要信息 如果将此安全策略应用到 Everyone 组,则没有人能够在本地登录。 默认值: 无。 |
Deny log on locally
This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies. Important If you apply this security policy to the Everyone group, no one will be able to log on locally. Default: None. |
1941 | 拒绝通过远程桌面服务登录
此安全设置确定禁止哪些用户和组作为远程桌面服务客户端登录。 默认值: 无。 重要信息 此设置对尚未更新到 Service Pack 2 的 Windows 2000 计算机无任何效果。 |
Deny log on through Remote Desktop Services
This security setting determines which users and groups are prohibited from logging on as a Remote Desktop Services client. Default: None. Important This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2. |
1942 | 信任计算机和用户帐户可以执行委派
此安全设置确定哪些用户可以在用户或计算机对象上设置“已为委派信任”设置。 被授予此权限的用户或对象必须具有对用户或计算机对象上的帐户控制标志的写入访问权限。在已为委派信任的计算机上(或用户环境下)运行的服务器进程可以使用客户端委派的凭据访问另一台计算机上的资源,只要该客户端帐户没有设置“帐户无法委派”帐户控制标志。 此用户权限是在默认域控制器组策略对象(GPO)以及工作站和服务器的本地安全策略中进行定义的。 警告 误用此用户权限或误用“已为委派信任”设置会使网络易受使用特洛伊木马程序的复杂攻击,该程序会模拟进入的客户端并使用它们的凭据来获取对网络资源的访问权限。 默认值: 在域控制器上为 Administrators。 |
Enable computer and user accounts to be trusted for delegation
This security setting determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. Caution Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. Default: Administrators on domain controllers. |
1943 | 从远程系统强制关机
此安全设置确定允许哪些用户从网络上的远程位置关闭计算机。误用此用户权限会导致拒绝服务。 此用户权限是在默认域控制器组策略对象(GPO)以及工作站和服务器的本地安全策略中进行定义的。 默认值: 在工作站和服务器上: Administrators。 在域控制器上: Administrators、Server Operators。 |
Force shutdown from a remote system
This security setting determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. Default: On workstations and servers: Administrators. On domain controllers: Administrators, Server Operators. |
1944 | 生成安全审核
此安全设置确定进程可以使用哪些帐户将项目添加到安全日志中。安全日志用于跟踪未授权的系统访问。如果启用了“审核: 如果无法记录安全审核,则立即关闭系统”安全策略设置,则误用此用户权限会导致生成许多审核事件,可能隐藏攻击证据或导致拒绝服务。有关详细信息,请参阅“审核: 如果无法记录安全审核,则立即关闭系统” 默认值: Local System Network Service。 |
Generate security audits
This security setting determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service if the Audit: Shut down system immediately if unable to log security audits security policy setting is enabled. For more information see Audit: Shut down system immediately if unable to log security audits Default: Local Service Network Service. |
1945 | 身份验证后模拟客户端
将此权限分配给用户使代表该用户运行的程序能够模拟客户端。此种模拟要求此用户权限可防止未经授权的用户说服客户端连接(例如,通过远程过程调用(RPC)或命名管道)到他们已创建的服务,然后模拟该客户端,这样会将未经授权的用户的权限提升至管理级别或系统级别。 警告 分配此用户权限可能有安全风险。请仅向受信任的用户分配此用户权限。 默认值: Administrators Local Service Network Service Service 注意: 默认情况下,由服务控制管理器启动的服务已将内置 Service 组添加到它们的访问令牌中。由组件对象模型(COM)基础架构启动的且被配置为在特定帐户下运行的 COM 服务器也已将 Service 组添加到它们的访问令牌中。结果,这些服务在启动时就获得此用户权限。 此外,如果下列任何条件存在,用户也可以模拟访问令牌。 正在被模拟的访问令牌专供此用户。 在此登录会话中用户通过使用显式凭据登录到网络创建访问令牌。 请求的级别比 Impersonate 低,如 Anonymous 或 Identify。 因为这些因素,所以用户通常不需要此用户权限。 有关详细信息,请在 Microsoft Platform SDK 中搜索 "SeImpersonatePrivilege"。 警告 如果启用此设置,以前具有 Impersonate 权限的程序可能丢失该权限,并且可能无法运行。 |
Impersonate a client after authentication
Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution Assigning this user right can be a security risk. Only assign this user right to trusted users. Default: Administrators Local Service Network Service Service Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. The access token that is being impersonated is for this user. The user, in this logon session, created the access token by logging on to the network with explicit credentials. The requested level is less than Impersonate, such as Anonymous or Identify. Because of these factors, users do not usually need this user right. For more information, search for "SeImpersonatePrivilege" in the Microsoft Platform SDK. Warning If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run. |
1946 | 提高计划优先级
此安全设置确定哪些帐户可以使用对另一个进程具有 Write Property 访问权限的进程来提高分配给其他进程的执行优先级。具有此权限的用户可以通过任务管理器用户界面更改进程的计划优先级。 默认值: Administrators。 |
Increase scheduling priority
This security setting determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. Default: Administrators. |
1947 | 加载和卸载设备驱动程序
此用户权限确定哪些用户可以将设备驱动程序或其他代码动态加载到内核模式中以及从中卸载。此用户权限不适用于即插即用设备驱动程序。建议不要将此权限分配给其他用户。 警告 分配此用户权限可能有安全风险。不要将此用户权限分配给不希望其接管系统的任何用户、组或进程。 工作站和服务器上的默认值: Administrators。 域控制器上的默认值: Administrators Print Operators |
Load and unload device drivers
This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system. Default on workstations and servers: Administrators. Default on domain controllers: Administrators Print Operators |
1948 | 将页面锁定在内存中
此安全设置确定哪些帐户可以使用进程将数据保持在物理内存中,这样可防止系统将数据分页到磁盘上的虚拟内存中。行使此权限会因降低可用随机存取内存(RAM)的数量而显著影响系统性能。 默认值: 无。 |
Lock pages in memory
This security setting determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). Default: None. |
1949 | 作为批处理作业登录
此安全设置使用户能够通过批处理队列实用程序登录,并仅提供用于与旧版本的 Windows 的兼容性。 例如,当用户通过任务计划程序提交作业时,该任务计划程序将用户作为批处理用户而不是作为交互式用户登录。 默认值: Administrators Backup Operators。 |
Log on as a batch job
This security setting allows a user to be logged on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows. For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user. Default: Administrators Backup Operators. |
1950 | 作为服务登录
此安全设置可使安全主体作为服务登录。可以将服务配置为在本地系统、本地服务或网络服务帐户下运行,这些帐户具有作为服务登录的内置权限。任何在单独用户帐户下运行的服务都必须分配有该权限。 默认设置: 无。 |
Log on as a service
This security setting allows a security principal to log on as a service. Services can be configured to run under the Local System, Local Service, or Network Service accounts, which have a built in right to log on as a service. Any service that runs under a separate user account must be assigned the right. Default setting: None. |
1951 | 管理审核和安全日志
此安全设置确定哪些用户可以为各种资源(如文件、Active Directory 对象和注册表项)指定对象访问审核选项。 此安全设置通常不允许用户启用文件和对象访问审核。若要启用此审核,则必须在 Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policies 中配置审核对象访问设置。 你可以在事件查看器的安全日志中查看审核过的事件。具有此权限的用户还可以查看和清除安全日志。 默认值: Administrators。 |
Manage auditing and security log
This security setting determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. For such auditing to be enabled, the Audit object access setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policies must be configured. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log. Default: Administrators. |
1952 | 修改固件环境值
此安全设置确定谁可以修改固件环境值。固件环境变量是在非基于 x86 的计算机的稳定 RAM 中存储的设置。该设置的效果依赖于处理器。 在基于 x86 的计算机中,可以通过分配此用户权限修改的唯一固件环境值是“最近一次的正确配置”设置,此设置应该仅由系统修改。 在基于 Itanium 的计算机中,启动信息存储在稳定 RAM 中。若要运行 bootcfg.exe 和更改系统属性中“启动和恢复”上的默认操作系统设置,必须向用户分配此用户权限。 在所有计算机上安装或升级 Windows 都需要此用户权限。 注意: 此安全设置不影响可以修改显示在系统属性的“高级”选项卡上的系统环境变量和用户环境变量的用户。有关如何修改这些变量的信息,请参阅“添加或更改环境变量的值”。 默认值: Administrators。 |
Modify firmware environment values
This security setting determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows. Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. For information about how to modify these variables, see To add or change the values of environment variables. Default: Administrators. |
1953 | 执行卷维护任务
此安全设置确定哪些用户和组可以在卷上运行维护任务,如远程碎片整理。 分配此用户权限时请小心。具有此用户权限的用户可以浏览磁盘及将文件扩展到包含其他数据的内存中。当打开扩展的文件时,用户可能能够读取和修改获得的数据。 默认值: Administrators |
Perform volume maintenance tasks
This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. Default: Administrators |
1954 | 配置文件单一进程
此安全设置确定哪些用户可以使用性能监视工具来监视非系统进程的性能。 默认: 管理员、高级用户。 |
Profile single process
This security setting determines which users can use performance monitoring tools to monitor the performance of non system processes. Default: Administrators, Power users. |
1955 | 配置文件系统性能
此安全设置确定哪些用户可以使用性能监视工具来监视系统进程的性能。 默认: Administrators。 |
Profile system performance
This security setting determines which users can use performance monitoring tools to monitor the performance of system processes. Default: Administrators. |
1956 | 从扩展坞上移除计算机
此安全设置确定用户是否可以无需登录而从其扩展坞上移除便携式计算机。 如果启用此策略,则用户必须登录,才能从其扩展坞上移除便携式计算机。如果禁用此策略,则用户可以无需登录而从其扩展坞移除便携式计算机。 默认值: Administrators、Power Users、Users |
Remove computer from docking station
This security setting determines whether a user can undock a portable computer from its docking station without logging on. If this policy is enabled, the user must log on before removing the portable computer from its docking station. If this policy is disabled, the user may remove the portable computer from its docking station without logging on. Default: Administrators, Power Users, Users |
1957 | 替换进程级令牌
此安全设置确定哪些用户帐户可以调用 CreateProcessAsUser() 应用程序编程接口(API),从而使一个服务能够启动另一个服务。任务计划程序是使用此用户权限的进程的一个示例。有关任务计划程序的信息,请参阅任务计划程序概述。 默认值: Network Service、Local Service。 |
Replace a process level token
This security setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another. An example of a process that uses this user right is Task Scheduler. For information about Task Scheduler, see Task Scheduler overview. Default: Network Service, Local Service. |
1958 | 还原文件和目录
此安全设置确定在还原备份的文件和目录时哪些用户可以绕过文件、目录、注册表和其他永久对象权限,以及确定哪些用户可以将任何有效的安全主体设置为对象的所有者。 特殊情况下,此用户权限类似于向系统上所有文件和文件夹涉及到的用户或组授予下列权限: 遍历文件夹/执行文件 写入 警告 分配此用户权限可能有安全风险。由于具有此用户权限的用户可以覆盖注册表设置、隐藏数据及获得系统对象的所有权,请仅向受信任的用户分配此用户权限。 默认值: 工作站和服务器: Administrators、Backup Operators。 域控制器: Administrators、Backup Operators、Server Operators。 |
Restore files and directories
This security setting determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system: Traverse Folder/Execute File Write Caution Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users. Default: Workstations and servers: Administrators, Backup Operators. Domain controllers: Administrators, Backup Operators, Server Operators. |
1959 | 关闭系统
此安全设置确定哪些在本地登录到计算机的用户可以使用关机命令关闭操作系统。误用此用户权限会导致拒绝服务。 工作站上的默认值: Administrators、Backup Operators、Users。 服务器上的默认值: Administrators、Backup Operators。 域控制器上的默认值: Administrators、Backup Operators、Server Operators、Print Operators。 |
Shut down the system
This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service. Default on Workstations: Administrators, Backup Operators, Users. Default on Servers: Administrators, Backup Operators. Default on Domain controllers: Administrators, Backup Operators, Server Operators, Print Operators. |
1960 | 同步目录服务数据
此安全设置确定哪些用户和组有权同步所有目录服务数据。这也称为 Active Directory 同步。 默认值: 无。 |
Synchronize directory service data
This security setting determines which users and groups have the authority to synchronize all directory service data. This is also known as Active Directory synchronization. Defaults: None. |
1961 | 取得文件或其他对象的所有权
此安全设置确定哪些用户可以取得系统中任何安全对象(包括 Active Directory 对象、文件和文件夹、打印机、注册表项、进程以及线程)的所有权。 警告 分配此用户权限可能有安全风险。由于对象所有者具有对象的完全控制权限,请仅向受信任的用户分配此用户权限。 默认值: Administrators。 |
Take ownership of files or other objects
This security setting determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users. Default: Administrators. |
1962 | 帐户: 管理员帐户状态
此安全设置确定是启用还是禁用本地管理员帐户。 注意 如果在管理员帐户被禁用之后试图重新启用它,且如果当前管理员密码不符合密码要求,则无法重新启用该帐户。在这种情况下,Administrators 组的某个备用成员必须重置管理员帐户上的密码。有关如何重置密码的信息,请参阅“重置密码”。 在某些环境下,禁用管理员帐户会成为一个维护问题。 在安全模式启动下,禁用的管理员帐户仅在该计算机未加入域并且没有任何其他本地活动管理员帐户时才可以启用。如果计算机加入了域,将不能启用禁用的管理员。 默认值: 禁用。 |
Accounts: Administrator account status
This security setting determines whether the local Administrator account is enabled or disabled. Notes If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. Disabling the Administrator account can become a maintenance issue under certain circumstances. Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. Default: Disabled. |
1963 | 帐户: 来宾帐户状态
此安全设置确定是启用还是禁用来宾帐户。 默认值: 禁用。 注意: 如果来宾帐户被禁用且安全选项“网络访问: 本地帐户的共享和安全模型”被设置为“仅来宾”,则网络登录(如由 Microsoft 网络服务器(SMB 服务)所执行的网络登录)将失败。 |
Accounts: Guest account status
This security setting determines if the Guest account is enabled or disabled. Default: Disabled. Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. |
1964 | 帐户: 使用空密码的本地帐户只允许进行控制台登录
此安全设置确定未进行密码保护的本地帐户是否可以用于从物理计算机控制台之外的位置登录。如果启用此设置,则未进行密码保护的本地帐户将仅能够通过计算机的键盘登录。 默认值: 启用。 警告: 物理上不在安全位置的计算机应该始终对所有本地用户帐户强制实施强密码策略。否则,物理上可访问该计算机的任何人都可以使用没有密码的用户帐户登录。这对于便携式计算机特别重要。 如果向 Everyone 组应用此安全策略,则任何人都无法通过远程桌面服务登录。 注意 此设置不影响使用域帐户的登录。 使用远程交互式登录的应用程序可以绕过此设置。 注意: 在以前版本的 Windows Server 中,远程桌面服务称为终端服务。 |
Accounts: Limit local account use of blank passwords to console logon only
This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. Default: Enabled. Warning: Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. Notes This setting does not affect logons that use domain accounts. It is possible for applications that use remote interactive logons to bypass this setting. Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. |
1965 | 帐户: 重命名管理员帐户
此安全设置确定是否存在另一个帐户名称与帐户 Administrator 的安全标识符(SID)相关联。因为人们都知道重命名 Administrator 帐户会使未授权的人猜测此权限用户名和密码组合的难度稍微大一些。 默认值: Administrator。 |
Accounts: Rename administrator account
This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. Default: Administrator. |
1966 | 帐户: 重命名来宾帐户
此安全设置确定是否存在另一个帐户名称与帐户 "Guest" 的安全标识符(SID)相关联。因为人们都知道重命名 Guest 帐户会使未授权的人猜测此用户名和密码组合的难度稍微大一些。 默认值: Guest。 |
Accounts: Rename guest account
This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. Default: Guest. |
1967 | 审核: 对全局系统对象的访问权限进行审核
此安全设置确定是否要审核全局系统对象的访问权限。 如果启用此策略,则它会导致使用默认的系统访问控制列表(SACL)创建系统对象,如互斥、事件、信号和 DOS 设备。仅会为具有名称的对象提供 SACL;不会为没有名称的对象提供 SACL。如果还启用了审核对象访问权限审核策略,则会审核对这些系统对象的访问。 注意: 配置此安全设置时,只有重新启动 Windows,更改才会生效。 默认值: 禁用。 |
Audit: Audit the access of global system objects
This security setting determines whether to audit the access of global system objects. If this policy is enabled, it causes system objects, such as mutexes, events, semaphores and DOS devices, to be created with a default system access control list (SACL). Only named objects are given a SACL; SACLs are not given to objects without names. If the Audit object access audit policy is also enabled, access to these system objects is audited. Note: When configuring this security setting, changes will not take effect until you restart Windows. Default: Disabled. |
1968 | 审核: 对备份和还原权限的使用进行审核
此安全设置确定当审核权限使用策略生效时是否审核包括备份和还原在内的所有用户权限的使用。启用审核权限使用策略的同时启用此选项,会为备份或还原的每个文件生成一个审核事件。 如果禁用此策略,则即使启用了审核权限使用,也不会审核备份或还原权限的使用。 注意: 在 Windows Vista 之前的 Windows 版本上配置此安全设置时,只有重新启动 Windows,更改才会生效。启用此设置可能会导致大量事件,在备份操作过程中有时每秒会产生数百个事件。 默认值: 禁用。 |
Audit: Audit the use of Backup and Restore privilege
This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect. Enabling this option when the Audit privilege use policy is also enabled generates an audit event for every file that is backed up or restored. If you disable this policy, then use of the Backup or Restore privilege is not audited even when Audit privilege use is enabled. Note: On Windows versions prior to Windows Vista configuring this security setting, changes will not take effect until you restart Windows. Enabling this setting can cause a LOT of events, sometimes hundreds per second, during a backup operation. Default: Disabled. |
1969 | 审核: 如果无法记录安全审核则立即关闭系统
此安全设置确定无法记录安全事件时系统是否会关机。 启用此安全设置后,如果因任何原因无法记录安全审核,它就会停止系统。通常,当安全审核日志已满且为安全日志指定的保留方法为“不覆盖事件”或“按天数覆盖事件”时,会无法记录事件。 如果安全日志已满且无法覆盖某个现有条目,并且启用了此安全选项,则会出现下列停止错误: STOP: C0000244 {审核失败} 尝试生成安全审核失败。 若要恢复,管理员必须根据需要登录、归档日志(可选)、清除日志以及重置此选项。即使安全日志未满,也要到重置此安全设置之后,非 Administrators 组成员用户才能登录到系统。 注意: 在 Windows Vista 之前的 Windows 版本配置此安全设置时,只有重新启动 Windows,更改才会生效。 默认值: 禁用。 |
Audit: Shut down system immediately if unable to log security audits
This security setting determines whether the system shuts down if it is unable to log security events. If this security setting is enabled, it causes the system to stop if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the retention method that is specified for the security log is either Do Not Overwrite Events or Overwrite Events by Days. If the security log is full and an existing entry cannot be overwritten, and this security option is enabled, the following Stop error appears: STOP: C0000244 {Audit Failed} An attempt to generate a security audit failed. To recover, an administrator must log on, archive the log (optional), clear the log, and reset this option as desired. Until this security setting is reset, no users, other than a member of the Administrators group will be able to log on to the system, even if the security log is not full. Note: On Windows versions prior to Windows Vista configuring this security setting, changes will not take effect until you restart Windows. Default: Disabled. |
1970 | 设备: 允许在未登录的情况下移除
此安全设置确定是否不必登录就可以移除笔记本电脑。如果启用此策略,则不需要登录,且某个外部硬件弹出按钮可以用于移除计算机。如果禁用此策略,则用户必须登录且具有从扩展坞移除计算机的权限时才能移除计算机。 默认: 启用。 警告 禁用此策略可能会诱使用户尝试使用除外部硬件弹出按钮之外的方法从扩展坞物理移除笔记本电脑。由于这会导致损坏硬件,一般情况下,仅应在物理上安全的笔记本电脑配置上禁用此设置。 |
Devices: Allow undock without having to log on
This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. Default: Enabled. Caution Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. |
1971 | 设备: 允许对可移动媒体进行格式化并弹出
此安全设置确定允许格式化和弹出可移动 NTFS 介质的用户。可以将此功能授予: Administrators Administrators 和 Interactive Users 默认值: 未定义此策略,且只有 Administrators 具有此能力。 |
Devices: Allowed to format and eject removable media
This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: Administrators Administrators and Interactive Users Default: This policy is not defined and only Administrators have this ability. |
1972 | 设备: 防止用户在连接共享打印机时安装打印机驱动程序
对于要使用共享打印机进行打印的计算机,该本地计算机上必须安装有该共享打印机的驱动程序。此安全设置确定允许哪些人可以在连接共享打印机时安装打印机驱动程序。如果启用该设置,则只有管理员可以在连接共享打印机时安装打印机驱动程序。如果禁用该设置,则任何用户都可以在连接共享打印机时安装打印机驱动程序。 服务器上的默认值: 启用。 工作站上的默认值: 禁用。 注意 该设置不影响添加本地打印机的能力。 该设置不影响管理员。 |
Devices: Prevent users from installing printer drivers when connecting to shared printers
For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. Default on servers: Enabled. Default on workstations: Disabled Notes This setting does not affect the ability to add a local printer. This setting does not affect Administrators. |
1973 | 设备: 将 CD-ROM 的访问权限仅限于本地登录的用户
该安全设置确定本地用户和远程用户是否可以同时访问 CD-ROM。 如果启用该策略,将仅允许交互式登录的用户访问可移动 CD-ROM 介质。如果启用该策略但没有用户以交互方式登录,则可以通过网络访问 CD-ROM。 默认值: 未定义此策略,且没限制本地登录用户对 CD-ROM 的访问权限。 |
Devices: Restrict CD-ROM access to locally logged-on user only
This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user. |
1974 | 设备: 将软盘的访问权限仅限于本地登录的用户
该安全设置确定本地用户和远程用户是否可以同时访问可移动软盘介质。 如果启用该策略,将仅允许交互式登录的用户访问可移动软盘介质。如果启用该策略但没有用户以交互方式登录,则可以通过网络访问软盘。 默认值: 未定义此策略,且没有限制本地登录用户对软盘驱动器的访问权限。 |
Devices: Restrict floppy access to locally logged-on user only
This security setting determines whether removable floppy media are accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable floppy media. If this policy is enabled and no one is logged on interactively, the floppy can be accessed over the network. Default: This policy is not defined and floppy disk drive access is not restricted to the locally logged-on user. |
1975 | 设备: 未签名驱动程序的安装行为
该安全设置确定试图安装未经 Windows 硬件质量实验室(WHQL)测试的设备驱动程序时(通过 Setup API)发生的行为。 其选项包括: 默认继续 允许安装但发出警告 禁止安装 默认: 允许安装但发出警告。 |
Devices: Unsigned driver installation behavior
This security setting determines what happens when an attempt is made to install a device driver (by means of Setup API) that has not been tested by the Windows Hardware Quality Lab (WHQL). The options are: Silently succeed Warn but allow installation Do not allow installation Default: Warn but allow installation. |
1976 | 域控制器: 允许服务器操作者计划任务
该安全设置确定是否允许服务器操作者通过 AT 计划工具提交作业。 注意: 该安全设置仅影响 AT 计划工具;它不影响任务计划程序实用程序。 默认: 未定义该策略,意味着系统将其视为禁用。 |
Domain controller: Allow server operators to schedule tasks
This security setting determines if Server Operators are allowed to submit jobs by means of the AT schedule facility. Note: This security setting only affects the AT schedule facility; it does not affect the Task Scheduler facility. Default: This policy is not defined, which means that the system treats it as disabled. |
1977 | 域控制器: LDAP 服务器签名要求
该安全设置确定 LDAP 服务器是否需要与 LDAP 客户端协商签名,如下所示: 无: 不需要数据签名,以便与服务器绑定。如果客户端需要数据签名,服务器会支持它。 需要签名: 除非已使用 TLS\SSL,否则必须协商 LDAP 数据签名选项。 默认值: 未定义此策略,与“无”具有相同的效果。 警告 如果将服务器设置为“需要签名”,还必须设置客户端。未设置客户端会导致丢失与服务器的连接。 注意 该设置对 LDAP 简单绑定或通过 SSL 的 LDAP 简单绑定没有任何影响。随 Windows XP Professional 一起提供的 Microsoft LDAP 客户端都不使用 LDAP 简单绑定或通过 SSL 的 LDAP 简单绑定与域控制器对话。 如果需要签名,则 LDAP 简单绑定或通过 SSL 的 LDAP 简单绑定请求会被拒绝。运行 Windows XP Professional 或 Windows Server 2003 家族的 Microsoft LDAP 客户端都不使用 LDAP 简单绑定或通过 SSL 的 LDAP 简单绑定来绑定到目录服务。 |
Domain controller: LDAP server signing requirements
This security setting determines whether the LDAP server requires signing to be negotiated with LDAP clients, as follows: None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it. Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated. Default: This policy is not defined, which has the same effect as None. Caution If you set the server to Require Signature, you must also set the client. Not setting the client results in loss of connection with the server. Notes This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL. No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a domain controller. If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected. No Microsoft LDAP clients running Windows XP Professional or the Windows Server 2003 family use LDAP simple bind or LDAP simple bind through SSL to bind to directory service. |
1978 | 域控制器: 拒绝计算机帐户密码更改
该安全设置确定域控制器是否会拒绝成员计算机更改计算机帐户密码的请求。默认情况下,成员计算机每隔 30 天更改一次其计算机帐户密码。如果启用该设置,域控制器将拒绝计算机帐户密码更改请求。 如果启用,该设置将不允许域控制器接受对计算机帐户的密码进行任何更改。 默认值: 未定义此策略,这意味着系统将其视为 Disabled。 |
Domain controller: Refuse machine account password changes
This security setting determines whether domain controllers will refuse requests from member computers to change computer account passwords. By default, member computers change their computer account passwords every 30 days. If enabled, the domain controller will refuse computer account password change requests. If it is enabled, this setting does not allow a domain controller to accept any changes to a computer account's password. Default: This policy is not defined, which means that the system treats it as Disabled. |
1979 | 域成员: 对安全通道数据进行数字加密或数字签名(始终)
该安全设置确定是否必须对所有由域成员引发的安全通道流量进行签名或加密。 当计算机加入域时,会创建一个计算机帐户。之后,当系统启动时,会使用该计算机帐户密码为该计算机所在的域创建具有域控制器的安全通道。该安全通道用于执行对 NTLM 通过身份验证、LSA SID/name 查找等操作。 该设置确定所有由域成员引发的安全通道流量是否符合最低的安全要求。特别是,它确定是否必须对所有由域成员引发的安全通道流量进行签名或加密。如果启用该策略,则不会建立安全通道,除非已协商所有安全通道流量的签名或加密。如果禁用该策略,则会与域控制器协商所有安全通道流量的加密和签名,在这种情况下,签名和加密的等级取决于域控制器的版本以及下列两种策略的设置: 域成员: 对安全通道数据进行数字加密(如果可能) 域成员: 对安全通道数据进行数字签名(如果可能) 默认值: Enabled。 注意 如果启用该策略,则会假定已启用策略“域成员: 对安全通道数据进行数字签名(如果可能)”,而不管其当前设置。这样确保域成员会尝试至少协商安全通道流量的签名。 如果启用该策略,则会假定已启用策略“域成员: 对安全通道数据进行数字签名(如果可能)”,而不管其当前设置。这样确保域成员会尝试至少协商安全通道流量的签名。 通过安全通道传输的登录信息始终被加密,而不管是否已协商所有其他安全通道流量的加密。 |
Domain member: Digitally encrypt or sign secure channel data (always)
This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies: Domain member: Digitally encrypt secure channel data (when possible) Domain member: Digitally sign secure channel data (when possible) Default: Enabled. Notes: If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not. |
1980 | 域成员: 对安全通道数据进行数字加密(如果可能)
该安全设置确定域成员是否为它引发的所有安全通道流量尝试协商加密。 当计算机加入域时,会创建一个计算机帐户。之后,当系统启动时,会使用该计算机帐户密码为该计算机所在的域创建一个具有域控制器的安全通道。该安全通道用于执行对 NTLM 通过身份验证、LSA SID/名称查找等操作。 该设置确定域成员是否为它引发的所有安全通道流量尝试协商加密。如果已启用,域成员会请求对所有安全通道流量进行加密。如果域控制器支持对所有安全通道流量进行加密,则会加密所有安全通道流量。否则,将只加密通过安全通道传输的登录信息。如果禁用该设置,则域成员将不会尝试协商安全通道加密。 默认: 已启用。 重要信息 没有禁用该设置的已知原因。除了不必要地降低安全通道的潜在保密性级别之外,禁用该设置还可能会不必要地降低安全通道的吞吐量,因为只有对安全通道进行了签名或加密,才能使用借助于安全通道的并发 API 调用。 注意: 域控制器也是域成员,它与同一域中的其他域控制器,以及受信任域中的域控制器建立安全通道。 |
Domain member: Digitally encrypt secure channel data (when possible)
This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc. This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption. Default: Enabled. Important There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted. Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains. |
1981 | 域成员: 对安全通道数据进行数字签名(如果可能)
该安全设置确定域成员是否尝试协商对它所引发的所有安全通道流量进行签名。 当计算机加入域时,会创建一个计算机帐户。之后,系统在启动时会使用该计算机帐户密码在域内创建一个具有域控制器的安全通道。该安全通道用于执行 NTLM 身份验证、LSA SID/name 查找等操作。 该设置确定域成员是否尝试协商对它所引发的所有安全通道流量进行签名。如果启用,域成员将会请求所有安全通道流量的签名。如果域控制器支持所有安全通道流量的签名,则会对所有安全通道流量进行签名,从而确保传输过程中不会被篡改。 默认设置: 已启用。 注意: 如果启用策略“域成员: 对安全通道数据进行数字加密或数字签名(始终)”,则会假定已启用该策略,而不管其当前设置。 域控制器也是域成员,它与同一域中的其他域控制器以及受信任域中的域控制器建立安全通道。 |
Domain member: Digitally sign secure channel data (when possible)
This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit. Default: Enabled. Notes: If the policy Domain member: Digitally encrypt or sign secure channel data (always) is enabled, then this policy is assumed to be enabled regardless of its current setting. Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains. |
1982 | 域成员: 计算机帐户密码最长使用期限
该安全设置确定域成员尝试更改其计算机帐户密码的频率。 默认: 30 天。 重要信息 该设置适用于 Windows 2000 计算机,但是无法通过安全配置管理器工具用于这些计算机上。 |
Domain member: Maximum machine account password age
This security setting determines how often a domain member will attempt to change its computer account password. Default: 30 days. Important This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers. |
1983 | 域成员: 需要使用强(Windows 2000 或更高版本)会话密钥
该安全设置确定已加密的安全通道数据是否需要 128 位密钥强度。 计算机加入域后,会创建一个计算机帐户。之后,系统在启动时会使用该计算机帐户密码在域内创建一个具有域控制器的安全通道。该安全通道用于执行 NTLM 身份验证、LSA SID/名称查找等操作。 根据在域控制器(域成员与之通信)上运行的 Windows 版本和下列参数的设置: 域成员: 对安全通道数据进行数字加密或签名(始终) 域成员: 对安全通道数据进行数字加密(如果可能) 将加密通过安全通道传输的部分或全部信息。该策略设置决定已加密的安全通道信息是否需要 128 位密钥强度。 如果启用该设置,除非可以执行 128 位加密,否则不会建立安全通道。如果禁用该设置,则会与域控制器协商密钥强度。 默认设置: 已启用。 重要信息 为了在成员工作站和服务器上利用该策略,必须在构成该成员域的所有域控制器上运行 Windows 2000 或更高版本。 为了在域控制器上利用该策略,必须在同一域中,以及所有受信任域中的所有域控制器上运行 Windows 2000 或更高版本。 |
Domain member: Require strong (Windows 2000 or later) session key
This security setting determines whether 128-bit key strength is required for encrypted secure channel data. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup, and so on. Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters: Domain member: Digitally encrypt or sign secure channel data (always) Domain member: Digitally encrypt secure channel data (when possible) Some or all of the information that is transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that is encrypted. If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed. If this setting is disabled, then the key strength is negotiated with the domain controller. Default: Enabled. Important In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later. In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later. |
1984 | 域成员: 禁用计算机帐户密码更改
确定域成员是否定期更改其计算机帐户密码。如果启用该设置,则域成员不会尝试更改其计算机帐户密码。如果禁用该设置,则域成员会尝试按照“域成员: 计算机帐户密码最长使用期限”设置所指定的间隔更改其计算机帐户密码,默认情况下是每隔 30 天。 默认值: 禁用。 注意 不应启用该设置。计算机帐户密码用于在成员和域控制器之间以及域范围内和域控制器本身之间建立安全通道通信。建立之后,安全通道就可以用于传输做出身份验证和授权决策所必须的敏感信息。 不应将该设置用于尝试使用同一计算机帐户支持双引导方案。如果你要双引导加入到同一域中的两种安装,请为这两种安装指定不同的计算机名。 |
Domain member: Disable machine account password changes
Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days. Default: Disabled. Notes This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions. This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names. |
1985 | 交互式登录: 不显示上次登录
该安全设置确定 Windows 登录屏幕是否将显示上次登录该台电脑的人员的用户名。 如果启用该策略,将不显示用户名。 如果禁用该策略,将显示用户名。 默认: 禁用。 |
Interactive logon: Don't display last signed-in
This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. If this policy is enabled, the username will not be shown. If this policy is disabled, the username will be shown. Default: Disabled. |
1986 | 交互式登录: 无需按 CTRL+ALT+DEL
此安全设置确定在用户登录之前是否需要按 CTRL+ALT+DEL。 如果在计算机上启用了此策略,则用户无需按 CTRL+ALT+DEL 即可登录。不必按 CTRL+ALT+DEL,用户就容易受到试图拦截用户密码的攻击。如果用户在登录前需要按 CTRL+ALT+DEL 则可确保用户在输入其密码时通过可信路径进行通信。 如果禁用此策略,则任何用户在登录到 Windows 前都必须按 CTRL+ALT+DEL。 域计算机上的默认值: 已启用: 至少 Windows 8/已禁用: Windows 7 或更早版本。 独立计算机上的默认值: 已启用。 |
Interactive logon: Do not require CTRL+ALT+DEL
This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier. Default on stand-alone computers: Enabled. |
1987 | 交互式登录: 试图登录的用户的消息文本
该安全设置指定用户登录时向其显示的文本消息。 该文本通常用于法律原因,例如,警告用户滥用公司信息的后果或其操作可能要经过审核。 默认设置: 无消息。 |
Interactive logon: Message text for users attempting to log on
This security setting specifies a text message that is displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. Default: No message. |
1988 | 交互式登录: 试图登录的用户的消息标题
该安全设置允许在包含“交互式登录: 试图登录的用户的消息文本”的窗口的标题栏中显示标题的说明。 默认: 无消息。 |
Interactive logon: Message title for users attempting to log on
This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. Default: No message. |
1989 | 交互式登录: 之前登录到缓存的次数(域控制器不可用时)
每个单独的用户登录信息都会缓存在本地,以便于如果在随后的登录尝试期间域控制器不可用,用户仍然可以登录。系统将存储上一次登录会话中的缓存登录信息。如果域控制器不可用,且未缓存用户的登录信息,则系统会向用户显示如下消息: 目前没有可用的登录服务器,无法处理登录请求。 在该策略设置中,0 值表示禁用登录缓存。任何大于 50 的值都仅缓存 50 次登录尝试。Windows 最多支持 50 个缓存项目,每名用户占用的项目数取决于凭据。例如,Windows 系统中最多可以缓存 50 个唯一密码用户帐户,但只能缓存 25 个智能卡用户帐户,因为它需要同时存储密码信息和智能卡信息。当具有缓存登录信息的用户再次登录时,该用户的个人缓存信息将会被替换。 默认值: Windows Server 2008: 25 所有其他版本: 10 |
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Each unique user's logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they are able to log on. The cached logon information is stored from the previous logon session. If a domain controller is unavailable and a user's logon information is not cached, the user is prompted with this message: There are currently no logon servers available to service the logon request. In this policy setting, a value of 0 disables logon caching. Any value above 50 only caches 50 logon attempts. Windows supports a maximum of 50 cache entries and the number of entries consumed per user depends on the credential. For example, a maximum of 50 unique password user accounts can be cached on a Windows system, but only 25 smart card user accounts can be cached because both the password information and the smart card information are stored. When a user with cached logon information logs on again, the user’s individual cached information is replaced. Default: Windows Server 2008: 25 All Other Versions: 10 |
1990 | 交互式登录: 提示用户在密码过期之前更改密码
确定提前多长时间(以天为单位)向用户发出其密码即将过期的警告。借助该提前警告,用户有时间构造足够强大的密码。 默认: 5 天。 |
Interactive logon: Prompt user to change password before expiration
Determines how far in advance (in days) users are warned that their password is about to expire. With this advance warning, the user has time to construct a password that is sufficiently strong. Default: 5 days. |
1991 | 交互式登录: 需要域控制器身份验证以进行解锁
必须提供登录信息以解锁已锁定的计算机。对于域帐户,该安全设置确定是否必须联系域控制器以解锁计算机。如果禁用该设置,则用户可以使用已缓存的凭据解锁计算机。如果启用该设置,则域控制器必须对用于解锁计算机的域帐户进行身份验证。 默认: 禁用。 重要信息 该设置适用于 Windows 2000 计算机,但是无法通过安全配置管理器工具用于这些计算机。 |
Interactive logon: Require Domain Controller authentication to unlock
Logon information must be provided to unlock a locked computer. For domain accounts, this security setting determines whether a domain controller must be contacted to unlock a computer. If this setting is disabled, a user can unlock the computer using cached credentials. If this setting is enabled, a domain controller must authenticate the domain account that is being used to unlock the computer. Default: Disabled. Important This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers. |
1992 | 交互式登录: 需要 Windows Hello 企业版或智能卡
该安全设置需要用户使用 Windows Hello 企业版或智能卡登录到设备。 其选项包括: 启用: 用户只能使用 Windows Hello 企业版或智能卡登录到设备。 禁用或未配置: 用户可以使用任何方式登录到设备。 重要信息 该设置通过更改注册表应用于运行 Windows 2000 的所有计算机,但是,通过安全配置管理器工具集无法查看该安全设置。 Windows 10 v1607 或更低版本不支持 Windows Hello 企业版登录要求。 |
Interactive logon: Require Windows Hello for Business or smart card
This security setting requires users to sign-in to a device using Windows Hello for Business or a smart card. The options are: Enabled: Users can only sign-in to the device using Windows Hello for Business or a smart card. Disabled or not configured: Users can sign-in to the device using any method. Important This setting applies to any computer running Windows 2000 through changes in the registry, but the security setting is not viewable through the Security Configuration Manager tool set. Requiring Windows Hello for Business sign-in is not supported on Windows 10 v1607 or earlier. |
1993 | 交互式登录: 智能卡移除行为
此安全设置确定从智能卡读卡器中移除已登录用户的智能卡时发生的情况。 选项包括: 无操作 锁定工作站 强制注销 如果为远程桌面服务会话,则断开连接 如果单击此策略的“属性”对话框中的“锁定工作站”,则移除智能卡时将锁定该工作站,这允许用户携带其智能卡离开该区域,且仍保持受保护的会话。 如果单击此策略的“属性”对话框中的“强制注销”,则移除智能卡时将自动注销用户。 如果单击“如果为远程桌面服务会话,则断开连接”,则移除智能卡时将断开会话连接,而不注销用户。这使用户可以在稍后插入智能卡并继续会话,或者在配置有智能卡读卡器的其他计算机上插入智能卡并继续会话,而无需再次登录。对于本地会话,此策略的功能与“锁定工作站”相同。 注意: 在以前版本的 Windows Server 中,远程桌面服务称为终端服务。 默认值: 未定义此策略,这表明系统将其视为“无操作”。 在 Windows Vista 及更高版本的操作系统上: 为了使此设置能够生效,必须启动智能卡移除策略服务。 |
Interactive logon: Smart card removal behavior
This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are: No Action Lock Workstation Force Logoff Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed. If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default: This policy is not defined, which means that the system treats it as No action. On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started. |
1994 | Microsoft 网络客户端: 对通信进行数字签名(始终)
此安全设置确定 SMB 客户端组件是否要求进行数据包签名。 服务器消息块(SMB)协议为 Microsoft 文件和打印共享以及许多其他网络操作(如远程 Windows 管理)提供了基础。为了防止在传输过程中修改 SMB 数据包的中间人攻击,SMB 协议支持对 SMB 数据包进行数字签名。此策略设置确定在允许与 SMB 服务器进行进一步通信前是否必须协商 SMB 数据包签名。 如果启用此设置,只有在 Microsoft 网络服务器同意执行 SMB 数据包签名时,Microsoft 网络客户端才会与该服务器通信。如果禁用此策略,则会在客户端和服务器之间协商 SMB 数据包签名。 默认设置: 禁用。 重要信息 为了使此策略在运行 Windows 2000 的计算机上生效,还必须启用客户端数据包签名。若要启用客户端 SMB 数据包签名,请将 Microsoft 网络客户端设置为: 对通信进行数字签名(如果服务器允许)。 注意 所有 Windows 操作系统都支持客户端 SMB 组件和服务器端 SMB 组件。在 Windows 2000 及更高版本操作系统中,是否启用或要求对客户端和服务器端 SMB 组件进行数据包签名受以下四种策略设置控制: Microsoft 网络客户端: 对通信进行数字签名(始终) - 控制客户端 SMB 组件是否需要数据包签名。 Microsoft 网络客户端: 对通信进行数字签名(如果服务器允许) - 控制客户端 SMB 组件是否启用数据包签名。 Microsoft 网络服务器: 对通信进行数字签名(始终) - 控制服务器端 SMB 组件是否需要数据包签名。 Microsoft 网络服务器: 对通信进行数字签名(如果客户端允许) - 控制服务器端 SMB 组件是否启用数据包签名。 SMB 数据包签名可能会显著降低 SMB 性能,具体取决于方言版本、OS 版本、文件大小、处理器卸载能力,以及应用程序 IO 行为。 有关详细信息,请参考: https://go.microsoft.com/fwlink/?LinkID=787136。 |
Microsoft network client: Digitally sign communications (always)
This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. Default: Disabled. Important For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. |
1995 | Microsoft 网络客户端: 对通信进行数字签名(如果服务器允许)
此安全设置确定 SMB 客户端是否尝试协商 SMB 数据包签名。 服务器消息块(SMB)协议为 Microsoft 文件和打印共享以及许多其他网络操作(如远程 Windows 管理)提供了基础。为了防止在传输过程中修改 SMB 数据包的中间人攻击,SMB 协议支持对 SMB 数据包进行数字签名。此策略设置确定当连接到 SMB 服务器时 SMB 客户端组件是否尝试协商 SMB 数据包签名。 如果启用此设置,则 Microsoft 网络客户端会要求服务器在设置会话时执行 SMB 数据包签名。如果服务器上启用了数据包签名,则会协商数据包签名。如果禁用此策略,则 SMB 客户端将从不协商 SMB 数据包签名。 默认设置: 启用。 注意 所有 Windows 操作系统都支持客户端 SMB 组件和服务器端 SMB 组件。在 Windows 2000 及更高版本中,是否启用或要求对客户端和服务器端 SMB 组件进行数据包签名受以下四种策略设置控制: Microsoft 网络客户端: 对通信进行数字签名(始终) - 控制客户端 SMB 组件是否需要数据包签名。 Microsoft 网络客户端: 对通信进行数字签名(如果服务器允许) - 控制客户端 SMB 组件是否启用数据包签名。 Microsoft 网络服务器: 对通信进行数字签名(始终) - 控制服务器端 SMB 组件是否需要数据包签名。 Microsoft 网络服务器: 对通信进行数字签名(如果客户端允许) - 控制服务器端 SMB 组件是否启用数据包签名。 如果客户端和服务器端 SMB 签名均已启用且客户端与服务器建立 SMB 1.0 连接,则将尝试 SMB 签名。 SMB 数据包签名可能会显著降低 SMB 性能,具体取决于方言版本、OS 版本、文件大小、处理器卸载能力和应用程序 IO 行为。此设置仅适用于 SMB 1.0 连接。 有关详细信息,请参考: https://go.microsoft.com/fwlink/?LinkID=787136。 |
Microsoft network client: Digitally sign communications (if server agrees)
This security setting determines whether the SMB client attempts to negotiate SMB packet signing. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default: Enabled. Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. |
1996 | Microsoft 网络客户端: 发送未加密的密码以连接到第三方 SMB 服务器
如果启用此安全设置,则允许服务器消息块(SMB)重定向程序向不支持在身份验证期间进行密码加密的非 Microsoft SMB 服务器发送纯文本密码。 发送未加密的密码会有安全风险。 默认值: 禁用。 |
Microsoft network client: Send unencrypted password to connect to third-party SMB servers
If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk. Default: Disabled. |
1997 | Microsoft 网络服务器: 暂停会话前所需的空闲时间量
该安全设置确定因处于非活动状态而暂停会话之前服务器消息块(SMB)会话必须经过的连续空闲时间量。 管理员可以使用该策略控制计算机何时暂停非活动的 SMB 会话。如果客户端恢复活动状态,则会自动重新建立会话。 对于该策略设置,0 值表示尽可能快地断开空闲会话连接。最大值为 99999,表示 208 天;该值事实上等于禁用了此策略。 默认设置: 未定义该策略,这表明系统将其视为对于服务器是 15 分钟,对于工作站是未定义。 |
Microsoft network server: Amount of idle time required before suspending a session
This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity. Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy. Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations. |
1998 | Microsoft 网络服务器: 对通信进行数字签名(始终)
此安全设置确定 SMB 服务器组件是否要求进行数据包签名。 服务器消息块(SMB)协议为 Microsoft 文件和打印共享以及许多其他网络操作(如远程 Windows 管理)提供了基础。为了防止在传输过程中修改 SMB 数据包的“中间人”攻击,SMB 协议支持对 SMB 数据包进行数字签名。此策略设置确定在允许与 SMB 客户端进行进一步通信前是否必须协商 SMB 数据包签名。 如果启用此设置,则只有在 Microsoft 网络客户端同意执行 SMB 数据包签名时,Microsoft 网络服务器才会与该客户端通信。如果禁用此设置,则会在客户端和服务器之间协商 SMB 数据包签名。 默认设置: 对成员服务器禁用。 对域控制器启用。 注意 所有 Windows 操作系统都支持客户端 SMB 组件和服务器端 SMB 组件。在 Windows 2000 及更高版本中,是否启用或要求对客户端和服务器端 SMB 组件进行数据包签名受以下四种策略设置控制: Microsoft 网络客户端: 对通信进行数字签名(始终) - 控制客户端 SMB 组件是否需要数据包签名。 Microsoft 网络客户端: 对通信进行数字签名(如果服务器允许) - 控制客户端 SMB 组件是否启用数据包签名。 Microsoft 网络服务器: 对通信进行数字签名(始终) - 控制服务器端 SMB 组件是否需要数据包签名。 Microsoft 网络服务器: 对通信进行数字签名(如果客户端允许) - 控制服务器端 SMB 组件是否启用数据包签名。 同样,如果要求客户端 SMB 签名,则该客户端将无法与未启用数据包签名的服务器建立会话。默认情况下,仅在域控制器上启用服务器端 SMB 签名。 如果启用了服务器端 SMB 签名,则将与已启用客户端 SMB 签名的客户端协商 SMB 数据包签名。 SMB 数据包签名可能会显著降低 SMB 性能,具体取决于方言版本、OS 版本、文件大小、处理器卸载能力和应用程序 IO 行为。 重要信息 为了使此策略在运行 Windows 2000 的计算机上生效,还必须启用服务器端数据包签名。若要启用服务器端 SMB 数据包签名,请设置以下策略: Microsoft 网络服务器: 对通信进行数字签名(如果服务器允许) 对于要与 Windows NT 4.0 客户端协商签名的 Windows 2000 服务器,必须在 Windows 2000 服务器上将以下注册表值设置为 1: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature 有关详细信息,请参考: https://go.microsoft.com/fwlink/?LinkID=787136。 |
Microsoft network server: Digitally sign communications (always)
This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent "man-in-the-middle" attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. Default: Disabled for member servers. Enabled for domain controllers. Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. Important For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy: Microsoft network server: Digitally sign communications (if server agrees) For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. |
1999 | Microsoft 网络服务器: 对通信进行数字签名(如果客户端允许)
此安全设置确定 SMB 服务器是否将与请求 SMB 数据包签名的客户端协商 SMB 数据包签名。 服务器消息块(SMB)协议为 Microsoft 文件和打印共享以及许多其他网络操作(如远程 Windows 管理)提供了基础。为了防止在传输过程中修改 SMB 数据包的中间人攻击,SMB 协议支持对 SMB 数据包进行数字签名。此策略设置确定 SMB 服务器是否将在 SMB 客户端请求 SMB 数据包签名时与其协商 SMB 数据包签名。 如果启用此设置,Microsoft 网络服务器将在客户端请求 SMB 数据包签名时与其协商 SMB 数据包签名。这就意味着,如果已经在客户端上启用了数据包签名,则将协商数据包签名。如果禁用此策略,则 SMB 客户端将从不协商 SMB 数据包签名。 默认设置: 仅在域控制器上启用。 重要信息 对于要与 Windows NT 4.0 客户端协商签名的 Windows 2000 服务器,必须在运行 Windows 2000 的服务器上将以下注册表值设置为 1: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature 注意 所有 Windows 操作系统都支持客户端 SMB 组件和服务器端 SMB 组件。对于 Windows 2000 及更高版本,是否启用或要求对客户端和服务器端 SMB 组件进行数据包签名受以下四种策略设置控制: Microsoft 网络客户端: 对通信进行数字签名(始终) - 控制客户端 SMB 组件是否需要数据包签名。 Microsoft 网络客户端: 对通信进行数字签名(如果服务器允许) - 控制客户端 SMB 组件是否启用数据包签名。 Microsoft 网络服务器: 对通信进行数字签名(始终) - 控制服务器端 SMB 组件是否需要数据包签名。 Microsoft 网络服务器: 对通信进行数字签名(如果客户端允许) - 控制服务器端 SMB 组件是否启用数据包签名。 如果客户端和服务器端 SMB 签名均已启用且客户端与服务器建立 SMB 1.0 连接,则将尝试 SMB 签名。 SMB 数据包签名可能会显著降低 SMB 性能,具体取决于方言版本、OS 版本、文件大小、处理器卸载能力和应用程序 IO 行为。此设置仅适用于 SMB 1.0 连接。 有关详细信息,请参考: https://go.microsoft.com/fwlink/?LinkID=787136。 |
Microsoft network server: Digitally sign communications (if client agrees)
This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. Default: Enabled on domain controllers only. Important For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. |
2000 | Microsoft 网络服务器: 登录时间过期后断开与客户端的连接
此安全设置确定在连接到本地计算机的用户超出其用户帐户的有效登录时间时是否断开与用户的连接。此设置会影响服务器消息块(SMB)组件。 如果启用了此策略,一旦客户端的登录时间过期,该策略便会强制断开与 SMB 服务建立的客户端会话。 如果禁用了此策略,即便在客户端登录时间过期后,仍允许维持已建立的客户端会话。 在 Windows Vista 及更高版本操作系统上的默认设置: 启用。 在 Windows XP 上的默认设置: 已禁用 |
Microsoft network server: Disconnect clients when logon hours expire
This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB Service to be forcibly disconnected when the client's logon hours expire. If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired. Default on Windows Vista and above: Enabled. Default on Windows XP: Disabled |
2001 | 网络访问: 允许匿名 SID/名称转换
此策略设置确定匿名用户是否可以请求另一个用户的安全标识符(SID)属性。 如果启用了此策略,则匿名用户可以请求另一个用户的 SID 属性。知道管理员 SID 的匿名用户可以访问已启用此策略的计算机并可以使用该 SID 获取管理员名称。该设置影响 SID 到名称的转换以及名称到 SID 的转换。 如果禁用该策略设置,则匿名用户无法请求其他用户的 SID 属性。 在工作站和成员服务器上的默认值: 禁用。 在运行 Windows Server 2008 或更高版本的域控制器上的默认值: 禁用。 在运行 Windows Server 2003 R2 或更早版本的域控制器上的默认值: 启用。 |
Network access: Allow anonymous SID/name translation
This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user. If this policy is enabled, an anonymous user can request the SID attribute for another user. An anonymous user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. This setting affects both the SID-to-name translation as well as the name-to-SID translation. If this policy setting is disabled, an anonymous user cannot request the SID attribute for another user. Default on workstations and member servers: Disabled. Default on domain controllers running Windows Server 2008 or later: Disabled. Default on domain controllers running Windows Server 2003 R2 or earlier: Enabled. |
2002 | 网络访问: 不允许匿名枚举 SAM 帐户
此安全设置确定将哪些附加权限授予连接到计算机的匿名连接。 Windows 允许匿名用户执行某些操作,如枚举域帐户和网络共享的名称。这很方便。例如,当管理员希望将访问权限授予不维护相互信任的受信任域中的用户时。 此安全选项允许将附加限制按如下方式用于匿名连接: 已启用: 不允许枚举 SAM 帐户。此选项在资源的安全权限中将 Everyone 替换为“已通过身份验证的用户”。 已禁用: 无附加限制。依赖于默认权限。 工作站上的默认设置: 已启用。 服务器上的默认设置: 已启用。 重要信息 此策略对域控制器没有影响。 |
Network access: Do not allow anonymous enumeration of SAM accounts
This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows: Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. Disabled: No additional restrictions. Rely on default permissions. Default on workstations: Enabled. Default on server:Enabled. Important This policy has no impact on domain controllers. |
2003 | 网络访问: 不允许 SAM 帐户和共享的匿名枚举
此安全设置确定是否允许 SAM 帐户和共享的匿名枚举。 Windows 允许匿名用户执行某些活动,如枚举域帐户和网络共享的名称。这很方便,例如当管理员希望将访问权限授予不维护相互信任的受信任域中的用户时。如果不希望允许 SAM 帐户和共享的匿名枚举,请启用此策略。 默认设置: 禁用。 |
Network access: Do not allow anonymous enumeration of SAM accounts and shares
This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. Default: Disabled. |
2004 | 网络访问: 不允许存储网络身份验证的密码和凭据
此安全设置确定凭据管理器是否保存通过域身份验证的密码和凭据,以备日后使用。 如果启用此设置,则凭据管理器不会将密码和凭据存储在计算机上。 如果禁用或未配置此策略设置,则凭据管理器会将密码和凭据存储在计算机上,以便以后用于域身份验证。 注意: 配置此安全设置时,所做的更改将在重新启动 Windows 后生效。 默认值: 禁用。 |
Network access: Do not allow storage of passwords and credentials for network authentication
This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication. If you enable this setting, Credential Manager does not store passwords and credentials on the computer. If you disable or do not configure this policy setting, Credential Manager will store passwords and credentials on this computer for later use for domain authentication. Note: When configuring this security setting, changes will not take effect until you restart Windows. Default: Disabled. |
2005 | 网络访问: 将 Everyone 权限应用于匿名用户
此安全设置确定将哪些附加权限授予连接到计算机的匿名连接。 Windows 允许匿名用户执行某些活动,如枚举域帐户和网络共享的名称。这很方便,例如当管理员希望将访问权限授予不维护相互信任的受信任域中的用户时。默认情况下,Everyone 安全标识符(SID)会从为匿名连接创建的令牌中删除。因此,授予 Everyone 组的权限不会应用于匿名用户。如果设置此选项,匿名用户仅可以访问其拥有明确权限的资源。 如果启用此策略,会将 Everyone SID 添加到为匿名连接创建的令牌。在这种情况下,匿名用户可以访问 Everyone 组拥有权限的所有资源。 默认设置: 禁用。 |
Network access: Let Everyone permissions apply to anonymous users
This security setting determines what additional permissions are granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. By Default, the Everyone security identifier (SID) is removed from the token created for anonymous connections. Therefore, permissions granted to the Everyone group do not apply to anonymous users. If this option is set, anonymous users can only access those resources for which the anonymous user has been explicitly given permission. If this policy is enabled, the Everyone SID is added to the token that is created for anonymous connections. In this case, anonymous users are able to access any resource for which the Everyone group has been given permissions. Default: Disabled. |
2006 | 网络访问: 可匿名访问的命名管道
此安全设置确定哪些通信会话(管道)将具有允许匿名访问的属性和权限。 默认设置: 无。 |
Network access: Named pipes that can be accessed anonymously
This security setting determines which communication sessions (pipes) will have attributes and permissions that allow anonymous access. Default: None. |
2007 | 网络访问: 可远程访问的注册表路径
此安全设置确定哪些注册表项可以通过网络进行访问,而不管 Winreg 注册表项的访问控制列表(ACL)中列出的用户或组是什么。 默认值: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion 警告 编辑注册表不当可能会严重损坏你的系统。在更改注册表之前,应在计算机上备份任何有价值的数据。 注意: 此安全设置在 Windows 的早期版本上不可用。运行 Windows XP 的计算机上出现的该安全设置为“网络访问: 可远程访问的注册表路径”,它对应于在 Windows Server 2003 家族的成员计算机上显示的“网络访问: 可远程访问的注册表路径和子路径”安全选项。有关详细信息,请参阅“网络访问: 可远程访问的注册表路径和子路径”。 默认值: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion |
Network access: Remotely accessible registry paths
This security setting determines which registry keys can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion Caution Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. Note: This security setting is not available on earlier versions of Windows. The security setting that appears on computers running Windows XP, "Network access: Remotely accessible registry paths" corresponds to the "Network access: Remotely accessible registry paths and subpaths" security option on members of the Windows Server 2003 family. For more information, see Network access: Remotely accessible registry paths and subpaths. Default: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion |
2008 | 网络访问: 可远程访问的注册表路径和子路径
此安全设置确定哪些注册表路径和子路径可以通过网络进行访问,而不管 Winreg 注册表项的访问控制列表(ACL)中列出的用户或组是什么。 默认设置: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog System\CurrentControlSet\Services\CertSvc System\CurrentControlSet\Services\Wins 警告 编辑注册表不当可能会严重损坏你的系统。在更改注册表之前,应在计算机上备份任何有价值的数据。 注意: 在 Windows XP 上,此安全设置称为“网络访问: 可远程访问的注册表路径”。如果在加入域的 Windows Server 2003 家族的成员计算机上配置此设置,此设置会被运行 Windows XP 的计算机继承,但是它将显示为“网络访问: 可远程访问的注册表路径”安全选项。有关详细信息,请参阅“网络访问: 可远程访问的注册表路径和子路径”。 |
Network access: Remotely accessible registry paths and subpaths
This security setting determines which registry paths and subpaths can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog System\CurrentControlSet\Services\CertSvc System\CurrentControlSet\Services\Wins Caution Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. Note: On Windows XP, this security setting was called "Network access: Remotely accessible registry paths." If you configure this setting on a member of the Windows Server 2003 family that is joined to a domain, this setting is inherited by computers running Windows XP, but will appear as the "Network access: Remotely accessible registry paths" security option. For more information, see Network access: Remotely accessible registry paths and subpaths. |
2009 | 网络访问: 限制对命名管道和共享的匿名访问
启用此安全设置会限制对以下设置的共享和管道的匿名访问: 网络访问: 可匿名访问的命名管道 网络访问: 可匿名访问的共享 默认设置: 启用。 |
Network access: Restrict anonymous access to Named Pipes and Shares
When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: Network access: Named pipes that can be accessed anonymously Network access: Shares that can be accessed anonymously Default: Enabled. |
2010 | 网络访问: 可匿名访问的共享
此安全设置确定匿名用户可以访问哪些网络共享。 默认设置: 未指定。 |
Network access: Shares that can be accessed anonymously
This security setting determines which network shares can accessed by anonymous users. Default: None specified. |
2011 | 网络访问: 本地帐户的共享和安全模型
此安全设置确定如何对使用本地帐户的网络登录进行身份验证。如果将此设置设为“经典”,使用本地帐户凭据的网络登录通过这些凭据进行身份验证。“经典”模型能够对资源的访问权限进行精细的控制。通过使用“经典”模型,你可以针对同一个资源为不同用户授予不同类型的访问权限。 如果将此设置设为“仅来宾”,使用本地帐户的网络登录会自动映射到来宾帐户。使用“仅来宾”模型,所有用户都可得到平等对待。所有用户都以来宾身份进行验证,并且都获得相同的访问权限级别来访问指定的资源,这些权限可以为只读或修改。 在域计算机上的默认值: 经典。 在独立计算机上的默认值: 仅来宾。 重要信息 使用“仅来宾”模型时,所有可以通过网络访问计算机的用户(包括匿名 Internet 用户)都可以访问共享资源。你必须使用 Windows 防火墙或其他类似设备来防止对计算机进行未经授权的访问。同样,使用“经典”模型时,本地帐户必须受密码保护;否则,这些用户帐户可以被任何人用来访问共享的系统资源。 注意: 此设置不会影响通过使用如 Telnet 或远程桌面服务等服务远程执行的交互式登录。 在以前版本的 Windows Server 中,远程桌面服务称为终端服务。 此策略将不会影响运行 Windows 2000 的计算机。 计算机未加入域时,此设置也会将文件资源管理器中的“共享和安全”选项卡修改为与正在使用的共享和安全模型对应的设置。 |
Network access: Sharing and security model for local accounts
This security setting determines how network logons that use local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. The Classic model allows fine control over access to resources. By using the Classic model, you can grant different types of access to different users for the same resource. If this setting is set to Guest only, network logons that use local accounts are automatically mapped to the Guest account. By using the Guest model, you can have all users treated equally. All users authenticate as Guest, and they all receive the same level of access to a given resource, which can be either Read-only or Modify. Default on domain computers: Classic. Default on stand-alone computers: Guest only Important With the Guest only model, any user who can access your computer over the network (including anonymous Internet users) can access your shared resources. You must use the Windows Firewall or another similar device to protect your computer from unauthorized access. Similarly, with the Classic model, local accounts must be password protected; otherwise, those user accounts can be used by anyone to access shared system resources. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services Remote Desktop Services was called Terminal Services in previous versions of Windows Server. This policy will have no impact on computers running Windows 2000. When the computer is not joined to a domain, this setting also modifies the Sharing and Security tabs in File Explorer to correspond to the sharing and security model that is being used. |
2012 | 网络安全: 在下一次更改密码时不存储 LAN 管理器哈希值
此安全设置确定在下一次更改密码时是否为新密码存储 LAN 管理器(LM)哈希值。相比加密性更强的 Windows NT 哈希,LM 哈希的加密性相对较弱,易于受攻击。由于 LM 哈希存储在本地计算机上的安全数据库中,因此,一旦安全数据库受到攻击,密码便会泄漏。 在 Windows Vista 及更高版本操作系统上的默认设置: 启用。 在Windows XP 上的默认设置: 已禁用。 重要信息 Windows 2000 Service Pack 2 (SP2)或更高版本提供与 Windows 以前的版本(如 Microsoft Windows NT 4.0)兼容的身份验证。 此设置会影响运行 Windows 2000 Server、Windows 2000 Professional、Windows XP 以及 Windows Server 2003 家族的计算机与运行 Windows 95 和 Windows 98 的计算机进行通信的能力。 |
Network security: Do not store LAN Manager hash value on next password change
This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked. Default on Windows Vista and above: Enabled Default on Windows XP: Disabled. Important Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. |
2013 | 网络安全: 在超过登录时间后强制注销
此安全设置确定在连接到本地计算机的用户超出其用户帐户的有效登录时间时是否断开与其的连接。此设置会影响服务器消息块(SMB)组件。 启用此策略时,一旦客户端的登录时间过期,该策略便会强制断开与 SMB 服务器建立的客户端会话。 如果禁用此策略,即便在客户端登录时间过期后,仍允许维持已建立的客户端会话。 默认设置: 启用。 注意: 此安全设置与帐户策略的工作方式相同。域帐户只能有一个帐户策略。该帐户策略必须在默认域策略中定义,并且由组成域的域控制器来强制实施。域控制器始终使用默认域策略组策略对象(GPO)中的该帐户策略,即使存在一个应用于包含该域控制器的组织单位的其他帐户策略。默认情况下,加入域的工作站和服务器(例如,成员计算机)也会得到与它们的本地帐户相同的帐户策略。但是,通过为包含成员计算机的组织单位定义一个帐户策略,用于成员计算机的本地帐户策略可以与域帐户策略不同。Kerberos 设置不会应用于成员计算机。 |
Network security: Force logoff when logon hours expire
This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire. If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired. Default: Enabled. Note: This security setting behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy object (GPO), even if there is a different account policy applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member computers) also receive the same account policy for their local accounts. However, local account policies for member computers can be different from the domain account policy by defining an account policy for the organizational unit that contains the member computers. Kerberos settings are not applied to member computers. |
2014 | 网络安全: LAN 管理器身份验证级别
此安全设置确定网络登录使用的质询/响应身份验证协议。此选项会影响客户端使用的身份验证协议的等级、协商的会话安全的等级以及服务器接受的身份验证的等级,其设置值如下: 发送 LM NTLM 响应: 客户端使用 LM 和 NTLM 身份验证,而决不会使用 NTLMv2 会话安全;域控制器接受 LM、NTLM 和 NTLMv2 身份验证。 发送 LM & NTLM - 如果协商一致,则使用 NTLMv2 会话安全: 客户端使用 LM 和 NTLM 身份验证,并且在服务器支持时使用 NTLMv2 会话安全;域控制器接受 LM、NTLM 和 NTLMv2 身份验证。 仅发送 NTLM 响应: 客户端仅使用 NTLM 身份验证,并且在服务器支持时使用 NTLMv2 会话安全;域控制器接受 LM、NTLM 和 NTLMv2 身份验证。 仅发送 NTLMv2 响应: 客户端仅使用 NTLMv2 身份验证,并且在服务器支持时使用 NTLMv2 会话安全;域控制器接受 LM、NTLM 和 NTLMv2 身份验证。 仅发送 NTLMv2 响应\拒绝 LM: 客户端仅使用 NTLMv2 身份验证,并且在服务器支持时使用 NTLMv2 会话安全;域控制器拒绝 LM (仅接受 NTLM 和 NTLMv2 身份验证)。 仅发送 NTLMv2 响应\拒绝 LM & NTLM: 客户端仅使用 NTLMv2 身份验证,并且在服务器支持时使用 NTLMv2 会话安全;域控制器拒绝 LM 和 NTLM (仅接受 NTLMv2 身份验证)。 重要信息 此设置会影响运行 Windows 2000 Server、Windows 2000 Professional、Windows XP Professional 以及 Windows Server 2003 家族的计算机与运行 Windows NT 4.0 或更早版本的计算机通过网络进行通信的能力。例如,截至本次编写,运行 Windows NT 4.0 SP4 或更早版本的计算机尚不支持 NTLMv2。运行 Windows 95 和 Windows 98 的计算机尚不支持 NTLM。 默认值: Windows 2000 以及 Windows XP: 发送 LM & NTLM 响应 Windows Server 2003: 仅发送 NTLM 响应 Windows Vista、Windows Server 2008、Windows 7 以及 Windows Server 2008 R2: 仅发送 NTLMv2 响应 |
Network security: LAN Manager authentication level
This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send LM & NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send LM & NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). Send NTLMv2 response only\refuse LM & NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). Important This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. Default: Windows 2000 and windows XP: send LM & NTLM responses Windows Server 2003: Send NTLM response only Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only |
2015 | 网络安全: LDAP 客户端签名要求
此安全设置确定代表发出 LDAP BIND 请求的客户端请求的数据签名等级,其设置值如下: 无: 使用调用方指定的选项发出 LDAP BIND 请求。 协商签名: 如果传输层安全性/安全套接字层(TLS\SSL)尚未启动,除了使用调用方指定的选项外,还使用设置的 LDAP 数据签名选项启动 LDAP BIND 请求。如果 TLS\SSL 已经启动,则使用调用方指定的选项启动 LDAP BIND 请求。 需要签名: 这与“协商签名”相同。但是,如果 LDAP 服务器的中间 saslBindInProgress 响应未指明需要 LDAP 通讯签名,则会告知调用方 LDAP BIND 命令请求失败。 警告 如果将服务器设置为“需要签名”,则必须同时设置客户端。未设置客户端会导致失去与服务器的连接。 注意: 此设置对 ldap_simple_bind 或 ldap_simple_bind_s 没有任何影响。没有一个随 Windows XP Professional 提供的 Microsoft LDAP 客户端使用 ldap_simple_bind 或 ldap_simple_bind_s 与域控制器通讯。 默认设置: 协商签名。 |
Network security: LDAP client signing requirements
This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows: None: The LDAP BIND request is issued with the options that are specified by the caller. Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller. Require signature: This is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is told that the LDAP BIND command request failed. Caution If you set the server to Require signature, you must also set the client. Not setting the client results in a loss of connection with the server. Note: This setting does not have any impact on ldap_simple_bind or ldap_simple_bind_s. No Microsoft LDAP clients that are shipped with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to talk to a domain controller. Default: Negotiate signing. |
2016 | 网络安全: 基于 NTLM SSP 的(包括安全 RPC)客户端的最小会话安全
此安全设置允许客户端要求协商 128 位加密和/或 NTLMv2 会话安全。这些值取决于 LAN 管理器身份验证级别安全设置值。这些选项包括: 要求 NTLMv2 会话安全: 如果未协商 NTLWv2 协议,则连接将失败。 要求 128 位加密: 如果未协商强加密(128 位),则连接将失败。 默认设置: Windows XP、Windows Vista、Windows 2000 Server、Windows Server 2003 以及 Windows Server 2008: 无要求。 Windows 7 以及 Windows Server 2008 R2: 要求 128 位加密 |
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated. Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. Default: Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. Windows 7 and Windows Server 2008 R2: Require 128-bit encryption |
2017 | 网络安全: 基于 NTLM SSP 的(包括安全 RPC)服务器的最小会话安全
此安全设置允许服务器要求协商 128 位加密和/或 NTLMv2 会话安全。这些值取决于 LAN 管理器身份验证级别安全设置值。这些选项包括: 要求 NTLMv2 会话安全: 如果未协商消息的完整性,则连接将失败。 要求 128 位加密: 如果未协商强加密(128 位),则连接将失败。 默认设置: Windows XP、Windows Vista、Windows 2000 Server、Windows Server 2003 以及 Windows Server 2008: 无要求。 Windows 7 以及 Windows Server 2008 R2: 要求 128 位加密 |
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: Require NTLMv2 session security: The connection will fail if message integrity is not negotiated. Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated. Default: Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. Windows 7 and Windows Server 2008 R2: Require 128-bit encryption |
2018 | 恢复控制台: 允许自动管理登录
此安全设置确定授权访问系统之前是否必须提供 Administrator 帐户的密码。如果启用了此选项,恢复控制台不会要求你提供密码,而将自动登录系统。 默认设置: 未定义该策略,不允许自动管理登录。 |
Recovery console: Allow automatic administrative logon
This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system. Default: This policy is not defined and automatic administrative logon is not allowed. |
2019 | 恢复控制台: 允许软盘复制并访问所有驱动器和所有文件夹
启用此安全选项会使得恢复控制台 SET 命令可用,该命令允许你设置以下恢复控制台环境变量: AllowWildCards: 为某些命令(如 DEL 命令)启用通配符支持。 AllowAllPaths: 允许访问计算机上的所有文件和文件夹。 AllowRemovableMedia: 允许将文件复制到可移动媒体,如软盘。 NoCopyPrompt: 覆盖已有的文件时不提示。 默认设置: 未定义该策略,恢复控制台 SET 命令不可用。 |
Recovery console: Allow floppy copy and access to all drives and all folders
Enabling this security option makes the Recovery Console SET command available, which allows you to set the following Recovery Console environment variables: AllowWildCards: Enable wildcard support for some commands (such as the DEL command). AllowAllPaths: Allow access to all files and folders on the computer. AllowRemovableMedia: Allow files to be copied to removable media, such as a floppy disk. NoCopyPrompt: Do not prompt when overwriting an existing file. Default: This policy is not defined and the recover console SET command is not available. |
2020 | 关机: 允许系统在未登录的情况下关闭
此安全设置确定是否可以在无需登录 Windows 的情况下关闭计算机。 如果启用了此策略,Windows 登录屏幕上的“关机”命令可用。 如果禁用了此策略,Windows 登录屏幕上不会显示关闭计算机的选项。在这种情况下,用户必须能够成功登录到计算机并具有关闭系统的用户权限,然后才可以执行系统关闭。 在工作站上的默认设置: 已启用。 在服务器上的默认设置: 已禁用。 |
Shutdown: Allow system to be shut down without having to log on
This security setting determines whether a computer can be shut down without having to log on to Windows. When this policy is enabled, the Shut Down command is available on the Windows logon screen. When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. Default on workstations: Enabled. Default on servers: Disabled. |
2021 | 关机: 清除虚拟内存页面文件
此安全设置确定关闭系统时是否清除虚拟内存页面文件。 虚拟内存支持在内存页面未使用时使用系统页面文件将其交换到磁盘。在正在运行的系统上,此页面文件由操作系统以独占方式打开,并且受到很好的保护。但是,配置为允许启动到其他操作系统的系统可能要确保在此系统关闭时清除系统页面文件。这可确保可能会进入页面文件的进程内存中的敏感信息不会被设法通过直接访问页面文件的未经授权用户使用。 启用此策略会在干净关机时清除系统页面文件。启用此安全选项时,如果禁用休眠,休眠文件(hiberfil.sys)也会被清零。 默认值: 禁用。 |
Shutdown: Clear virtual memory pagefile
This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile. When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. Default: Disabled. |
2022 | 系统加密: 为计算机上存储的用户密钥强制进行强密钥保护
此安全设置确定用户的私钥是否需要密码才能使用。 选项为: 存储和使用新密钥时不需要用户输入 第一次使用密钥时提示用户输入 用户每次使用密钥时必须输入密码 有关详细信息,请参阅“公钥基础结构”。 默认设置: 未定义该策略。 |
System Cryptography: Force strong key protection for user keys stored on the computer
This security setting determines if users' private keys require a password to be used. The options are: User input is not required when new keys are stored and used User is prompted when the key is first used User must enter a password each time they use a key For more information, see Public key infrastructure. Default: This policy is not defined. |
2023 | 系统加密: 使用符合 FIPS 140 的加密算法(包括加密算法、哈希算法和签名算法)
对于 Schannel 安全服务提供程序(SSP),此安全设置禁用较弱的安全套接字层(SSL)协议,并仅支持传输层安全性(TLS)协议作为客户端以及作为服务器(如果适用)。如果启用此设置,传输层安全性/安全套接字层(TLS/SSL)安全提供程序将仅使用 FIPS 140 批准的加密算法: 3DES 和 AES 用于加密、RSA 或 ECC 公钥加密用于 TLS 密钥交换和身份验证,而安全哈希算法(SHA1、SHA256、SHA384 和 SHA512)仅用于满足 TLS 哈希要求。 对于加密文件系统服务(EFS),它支持三重数据加密标准(DES)和高级加密标准(AES)加密算法来加密 NTFS 文件系统支持的文件数据。默认情况下,EFS 在 Windows Server 2003 和 Windows Vista 系列中使用带 256 位密钥的高级加密标准(AES)算法而在 Windows XP 中使用 DESX 算法来加密文件数据。有关 EFS 的信息,请参阅“加密文件系统”。 对于远程桌面服务,它仅支持使用三重 DES 加密算法来加密远程桌面服务网络通信。 注意: 在以前版本的 Windows Server 中,远程桌面服务称为终端服务。 对于 BitLocker,需要在生成任何加密密钥之前启用此策略。启用此策略时创建的恢复密码与 Windows 8、Windows Server 2012 及更早的操作系统上的 BitLocker 不兼容。如果将此策略应用于运行 Windows 8.1 和 Windows Server 2012 R2 之前操作系统的计算机,BitLocker 将阻止创建或使用恢复密码;应对这些计算机改用恢复密钥。 默认值: 已禁用。 注意: 联邦信息处理标准(FIPS) 140 是一种专为验证加密软件设计的安全实现。美国政府和其他著名机构要求使用 FIPS 140 验证的软件。 |
System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms
For the Schannel Security Service Provider (SSP), this security setting disables the weaker Secure Sockets Layer (SSL) protocols and supports only the Transport Layer Security (TLS) protocols as a client and as a server (if applicable). If this setting is enabled, Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider uses only the FIPS 140 approved cryptographic algorithms: 3DES and AES for encryption, RSA or ECC public key cryptography for the TLS key exchange and authentication, and only the Secure Hashing Algorithm (SHA1, SHA256, SHA384, and SHA512) for the TLS hashing requirements. For Encrypting File System Service (EFS), it supports the Triple Data Encryption Standard (DES) and Advanced Encryption Standard (AES) encryption algorithms for encrypting file data supported by the NTFS file system. By default, EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key in the Windows Server 2003 and Windows Vista family and DESX algorithm in Windows XP for encrypting file data. For information about EFS, see Encrypting File System. For Remote Desktop Services, it supports only the Triple DES encryption algorithm for encrypting Remote Desktop Services network communication. Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. For BitLocker, this policy needs to be enabled before any encryption key is generated. Recovery passwords created when this policy is enabled are incompatible with BitLocker on Windows 8, Windows Server 2012, and earlier operating systems. If this policy is applied to computers running operating systems prior to Windows 8.1 and Windows Server 2012 R2, BitLocker will prevent the creation or use of recovery passwords; recovery keys should be used for those computers instead. Default: Disabled. Note: The Federal Information Processing Standard (FIPS) 140 is a security implementation designed for certifying cryptographic software. FIPS 140 validated software is required by the U.S. Government and requested by other prominent institutions. |
2024 | 系统对象: 由 Administrators 组成员所创建对象的默认所有者
描述 此安全设置确定 Administrators 组成员创建对象后,将哪个安全主体(SID)分配为对象所有者。 默认值: Windows XP: 用户 SID Windows 2003 : Administrators 组 |
System objects: Default owner for objects created by members of the Administrators group
Description This security setting determines which security principal (SID) will be assigned the OWNER of objects when the object is created by a member of the Administrators Group. Default: Windows XP: User SID Windows 2003 : Administrators Group |
2025 | 系统对象: 非 Windows 子系统不要求区分大小写
此安全设置确定是否在所有子系统上强制要求不区分大小写。Win32 子系统不区分大小写。但是,内核支持其他子系统区分大小写,如 POSIX。 如果启用此设置,则会强制要求所有目录对象、符号链接以及包括文件对象在内的 IO 对象不区分大小写。禁用此设置则不允许 Win32 子系统变为区分大小写的系统。 默认设置: 启用。 |
System objects: Require case insensitivity for non-Windows subsystems
This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX. If this setting is enabled, case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. Disabling this setting does not allow the Win32 subsystem to become case sensitive. Default: Enabled. |
2026 | 系统对象: 增强内部系统对象的默认权限(例如,符号链接)
该安全设置确定对象的默认随机访问控制列表(DACL)的强度。 Active Directory 维护共享系统资源(如 DOS 设备名称、Mutexes 和信号灯等)的全局列表。这样,可以在进程间定位和共享对象。创建每种类型的对象时会生成默认 DACL,指定可以访问这些对象的人员以及授予的权限。 如果启用该策略,则默认的 DACL 功能更强大,允许非管理员的用户读取共享对象,但不允许这些用户修改其他人创建的共享对象。 默认: 启用。 |
System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)
This security setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify shared objects that they did not create. Default: Enabled. |
2027 | 系统设置: 可选子系统
此安全设置确定可选择启动哪些子系统来支持应用程序。使用此安全设置,可以根据环境的需求指定任意多个支持应用程序的子系统。 默认值: POSIX。 |
System settings: Optional subsystems
This security setting determines which subsystems can optionally be started up to support your applications. With this security setting, you can specify as many subsystems to support your applications as your environment demands. Default: POSIX. |
2028 | 系统设置: 将有关 Windows 可执行文件的证书规则用于软件限制策略
该安全设置确定在用户或进程试图运行以 .exe 为文件扩展名的软件时是否处理数字证书。该安全设置用于启用或禁用证书规则,即一种软件限制策略规则。利用软件限制策略,可以根据与该软件有关的数字证书,创建证书规则来允许或禁止由 Authenticode 签名的软件运行。为了使证书规则生效,必须启用该安全设置。 启用证书规则后,软件限制策略将检查证书吊销列表(CRL)以确保该软件的证书和签名有效。这可能会到在启动签名程序时可能会降低性能。可以禁用该项功能。在“受信任的发布者”属性下,清除“发布者”和“时间戳”复选框。有关详细信息,请参阅“设置受信任的发行者”选项。 默认: 禁用。 |
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
This security setting determines if digital certificates are processed when a user or process attempts to run software with an .exe file name extension. This security settings is used to enable or disable certificate rules, a type of software restriction policies rule. With software restriction policies, you can create a certificate rule that will allow or disallow software that is signed by Authenticode to run, based on the digital certificate that is associated with the software. In order for certificate rules to take effect, you must enable this security setting. When certificate rules are enabled, software restriction policies will check a certificate revocation list (CRL) to make sure the software's certificate and signature are valid. This may decrease performance when start signed programs. You can disable this feature. On Trusted Publishers Properties, clear the Publisher and Timestamp check boxes. For more information, see Set trusted publisher options. Default: Disabled. |
2029 | 应用程序日志的最大大小
此安全设置指定应用程序事件日志的最大大小,理论上最大为 4 GB。实际上却限制在一个较低值(约 300MB)。 注意 日志文件大小必须是 64 KB 的倍数。如果输入值不是 64 KB 的倍数,则事件查看器会将日志文件大小调整为 64 KB 的倍数。 此设置不会显示在本地计算机策略对象中。 定义的事件日志大小和日志覆盖应该与在设计企业安全规划时确定的商业需求和安全需求相匹配。考虑在站点、域或组织单位级别实现这些事件日志设置,以利用组策略设置。 默认值: Windows Server 2003 家族,16 MB;Windows XP Professional Service Pack 1,8 MB;Windows XP Professional,512 KB。 |
Maximum application log size
This security setting specifies the maximum size of the application event log, which has a theoretical maximum of 4 GB. Practically the limit is lower (~300MB). Notes Log file sizes must be a multiple of 64 KB. If you enter a value that is not a multiple of 64 KB, Event Viewer will round he log file size up to a multiple of 64 KB. This setting does not appear in the Local Computer Policy object. Event Log size and log wrapping should be defined to match the business and security requirements you determined when designing your enterprise security plan. Consider implementing these Event Log settings at the site, domain, or organizational unit level, to take advantage of Group Policy settings. Default: For the Windows Server 2003 family, 16 MB; for Windows XP Professional Service Pack 1, 8 MB; for Windows XP Professional, 512 KB. |
2030 | 安全日志的最大大小
此安全设置指定安全事件日志的最大大小,理论上最大为 4 GB。实际上却限制在一个较低值(约 300MB)。 注意 日志文件大小必须是 64 KB 的倍数。如果输入值不是 64 KB 的倍数,则事件查看器会将日志文件大小调整为 64 KB 的倍数。 此设置不会显示在本地计算机策略对象中。 定义的事件日志大小和日志覆盖应该与在设计企业安全规划时确定的商业需求和安全需求相匹配。考虑在站点、域或组织单位级别执行这些事件日志设置,以利用组策略设置。 默认值: Windows Server 2003 家族,16 MB;Windows XP Professional Service Pack 1,8 MB;Windows XP Professional,512 KB。 |
Maximum security log size
This security setting specifies the maximum size of the security event log, which has a theoretical maximum of 4 GB. Practically the limit is lower (~300MB). Notes Log file sizes must be a multiple of 64 KB. If you enter a value that is not a multiple of 64 KB, Event Viewer will round he log file size up to a multiple of 64 KB. This setting does not appear in the Local Computer Policy object. Event Log size and log wrapping should be defined to match the business and security requirements you determined when designing your enterprise security plan. Consider implementing these Event Log settings at the site, domain, or organizational unit level, to take advantage of Group Policy settings. Default: For the Windows Server 2003 family, 16 MB; for Windows XP Professional Service Pack 1, 8 MB; for Windows XP Professional, 512 KB. |
2031 | 系统日志的最大大小
此安全设置指定系统事件日志的最大大小,理论上最大为 4 GB。实际上却限制在一个较低值(约 300MB)。 注意 日志文件大小必须是 64 KB 的倍数。如果输入值不是 64 KB 的倍数,则事件查看器会将日志文件大小调整为 64 KB 的倍数。 此设置不会显示在本地计算机策略对象中。 定义的事件日志大小和日志覆盖应该与在设计企业安全规划时确定的商业需求和安全需求相匹配。考虑在站点、域或组织单位级别执行这些事件日志设置,以利用组策略设置。 默认值: Windows Server 2003 家族,16 MB;Windows XP Professional Service Pack 1,8 MB;Windows XP Professional,512 KB。 |
Maximum system log size
This security setting specifies the maximum size of the system event log, which has a theoretical maximum of 4 GB. Practically the limit is lower (~300MB). Notes Log file sizes must be a multiple of 64 KB. If you enter a value that is not a multiple of 64 KB, Event Viewer will round he log file size up to a multiple of 64 KB. This setting does not appear in the Local Computer Policy object. Event Log size and log wrapping should be defined to match the business and security requirements you determined when designing your enterprise security plan. Consider implementing these Event Log settings at the site, domain, or organizational unit level, to take advantage of Group Policy settings. Default: For the Windows Server 2003 family, 16 MB; for Windows XP Professional Service Pack 1, 8 MB; for Windows XP Professional, 512 KB. |
2032 | 阻止本地来宾组和匿名登录用户访问应用程序日志
此安全设置确定是否阻止来宾访问应用程序事件日志。 注意 此设置不会显示在本地计算机策略对象中。 此安全设置仅影响运行 Windows 2000 和 Windows XP 的计算机。 默认值: 在 Windows XP 中启用;在 Windows 2000 中禁用 |
Prevent local guests group and ANONYMOUS LOGIN users from accessing application log
This security setting determines if guests are prevented from accessing the application event log. Notes This setting does not appear in the Local Computer Policy object. This security setting affects only computers running Windows 2000 and Windows XP. Default: Enabled for Windows XP, Disabled for Windows 2000 |
2033 | 阻止本地来宾组和匿名登录用户访问安全日志
此安全设置确定是否阻止来宾访问应用程序事件日志。 注意 此设置不会显示在本地计算机策略对象中。 此安全设置仅影响运行 Windows 2000 和 Windows XP 的计算机。 默认值: 在 Windows XP 中启用;在 Windows 2000 中禁用 |
Prevent local guests group and ANONYMOUS LOGIN users from accessing security log
This security setting determines if guests are prevented from accessing the application event log. Notes This setting does not appear in the Local Computer Policy object. This security setting affects only computers running Windows 2000 and Windows XP. Default: Enabled for Windows XP, Disabled for Windows 2000 |
2034 | 阻止本地来宾组和匿名登录用户访问系统日志
此安全设置确定是否阻止来宾访问应用程序事件日志。 注意 此设置不会显示在本地计算机策略对象中。 此安全设置仅影响运行 Windows 2000 和 Windows XP 的计算机。 默认值: 在 Windows XP 中启用;在 Windows 2000 中禁用 |
Prevent local guests group and ANONYMOUS LOGIN users from accessing system log
This security setting determines if guests are prevented from accessing the application event log. Notes This setting does not appear in the Local Computer Policy object. This security setting affects only computers running Windows 2000 and Windows XP. Default: Enabled for Windows XP, Disabled for Windows 2000 |
2035 | 应用程序日志保留天数
如果应用程序日志的保留方法以天为单位,则此安全设置确定应用程序日志事件值得保留的天数。 仅在计划时间间隔存档日志时才设置该值,确保应用程序日志的大小足够大,能够满足该间隔。 注意: 此设置不会显示在本地计算机策略对象中。 默认值: 无。 |
Retain application log
This security setting determines the number of days' worth of events to be retained for the application log if the retention method for the application log is By Days. Set this value only if you archive the log at scheduled intervals and you make sure that the Maximum application log size is large enough to accommodate the interval. Note: This setting does not appear in the Local Computer Policy object. Default: None. |
2036 | 安全日志保留天数
如果安全日志的保留方法以天为单位,则此安全设置确定安全日志事件值得保留的天数。 仅在计划时间间隔存档日志时才设置该值,确保安全日志的大小足够大,能够满足该间隔。 注意 此设置不会显示在本地计算机策略对象中。 用户必须拥有管理审核及安全日志用户权限才能访问安全日志。 默认值: 无。 |
Retain security log
This security setting determines the number of days' worth of events to be retained for the security log if the retention method for the security log is By Days. Set this value only if you archive the log at scheduled intervals and you make sure that the Maximum security log size is large enough to accommodate the interval. Notes This setting does not appear in the Local Computer Policy object. A user must possess the Manage auditing and security log user right to access the security log. Default: None. |
2037 | 系统日志保留天数
如果系统日志的保留方法以天为单位,则该安全设置确定系统日志事件值得保留的天数。 仅在计划时间间隔存档日志时才设置该值,确保系统日志的大小足够大,能够满足该间隔。 注意: 该设置不会显示在本地计算机策略对象中。 默认: 无。 |
Retain system log
This security setting determines the number of days' worth of events to be retained for the system log if the retention method for the system log is By Days. Set this value only if you archive the log at scheduled intervals and you make sure that the Maximum system log size is large enough to accommodate the interval. Note: This setting does not appear in the Local Computer Policy object. Default: None. |
2038 | 应用程序日志保留方法
该安全设置确定应用程序日志的“覆盖”方法。 如果没有存档应用程序日志,则在该策略的“属性”对话框中,选中“定义该策略设置”复选框,然后单击“按需要覆盖事件”。 如果按计划时间间隔存档日志,则在该策略的“属性”对话框中,选中“定义该策略设置”复选框,然后单击“按天数覆盖事件”,在保留应用程序日志设置中指定适当的天数。确保应用程序日志的大小上限足够大,能够满足该间隔。 如果必须在日志中保留所有事件,则在该策略“属性”对话框中,选中“定义该策略设置”复选框,然后单击“不覆盖事件(手动清除日志)”。该选项要求手动清除日志。在这种情况下,当日志大小达到最大值时,将会放弃新事件。 注意: 该设置不会显示在本地计算机策略对象中。 默认: 无。 |
Retention method for application log
This security setting determines the "wrapping" method for the application log. If you do not archive the application log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events as needed. If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events by days and specify the appropriate number of days in the Retain application log setting. Make sure that the Maximum application log size is large enough to accommodate the interval. If you must retain all the events in the log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Do not overwrite events (clear log manually). This option requires that the log be cleared manually. In this case, when the maximum log size is reached, new events are discarded. Note: This setting does not appear in the Local Computer Policy object. Default: None. |
2039 | 安全日志保留方法
此安全设置确定安全日志的“覆盖”方法。 如果没有存档安全日志,则在该策略的“属性”对话框中,选中“定义该策略设置”复选框,然后单击“按需要覆盖事件”。 如果按计划时间间隔存档日志,则在该策略的“属性”对话框中,选中“定义该策略设置”复选框,然后单击“按天数覆盖事件”,在保留安全日志设置中指定适当的天数。确保安全日志的大小足够大,能够满足该间隔。 如果必须在日志中保留所有事件,则在该策略“属性”对话框中,选中“定义该策略设置”复选框,然后单击“不覆盖事件(手动清除日志)”。该选项要求手动清除日志。在这种情况下,当日志大小达到最大值时,将会放弃新事件。 注意 此设置不会显示在本地计算机策略对象中。 用户必须拥有管理审核及安全日志用户权限才能访问安全日志。 默认值: 无。 |
Retention method for security log
This security setting determines the "wrapping" method for the security log. If you do not archive the security log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events as needed. If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events by days and specify the appropriate number of days in the retain security log setting. Make sure that the Maximum security log size is large enough to accommodate the interval. If you must retain all the events in the log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Do not overwrite events (clear log manually). This option requires that the log be cleared manually. In this case, when the maximum log size is reached, new events are discarded. Notes This setting does not appear in the Local Computer Policy object. A user must possess the Manage auditing and security log user right to access the security log. Default: None. |
2040 | 系统日志保留方法
此安全设置确定系统日志的“覆盖”方法。 如果没有存档系统日志,则在该策略的“属性”对话框中,选中“定义该策略设置”复选框,然后单击“按需要覆盖事件”。 如果按计划时间间隔存档日志,则在该策略的“属性”对话框中,选中“定义该策略设置”复选框,然后单击“按天数覆盖事件”,在保留系统日志设置中指定适当的天数。确保系统日志的大小足够大,能够满足该间隔。 如果必须在日志中保留所有事件,则在该策略“属性”对话框中,选中“定义该策略设置”复选框,然后单击“不覆盖事件(手动清除日志)”。该选项要求手动清除日志。在这种情况下,当日志大小达到最大值时,将会放弃新事件。 注意: 此设置不会显示在本地计算机策略对象中。 默认值: 无。 |
Retention method for system log
This security setting determines the "wrapping" method for the system log. If you do not archive the system log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events as needed. If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events by days and specify the appropriate number of days in the Retain system log setting. Make sure that the Maximum system log size is large enough to accommodate the interval .If you must retain all the events in the log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Do not overwrite events (clear log manually). This option requires that the log be cleared manually. In this case, when the maximum log size is reached, new events are discarded Note: This setting does not appear in the Local Computer Policy object. Default: None. |
2041 | 受限制组
该安全设置允许管理员定义安全敏感组(“受限制”组)的两个属性。 这两个属性是“成员”和“隶属于”。“成员”列表定义了属于和不属于受限制组的人。“隶属于”列表指定了该受限制组属于哪些其他组。 在执行受限制组策略时,不在“成员”列表中的任何当前受限制组的成员会被删除。“成员”列表中当前不属于受限制组成员的任何用户会被添加进去。 可以使用受限制组策略来控制组成员身份。使用该策略,可以指定哪些成员是组的一部分。未在策略中指定的任何成员都将在配置或刷新过程中被删除。另外,反向成员身份配置选项确保每个受限制组都仅是“隶属于”列中指定的那些组的一个成员。 例如,可以创建受限制组策略以仅允许指定用户(例如,Alice 和 John) 成为 Administrators 组的成员。在刷新策略时,仅有 Alice 和 John 仍然为 Administrators 组的成员。 有两种方法来应用受限制组策略: 在安全模板中定义策略,该策略将在配置本地计算机时得以应用。 直接在组策略对象(GPO)上定义设置,这表示每次刷新策略时该策略都会生效。安全设置在工作站或服务器上每 90 分钟刷新一次,而在域控制器上每 5 分钟刷新一次。这些设置还每隔 16 小时刷新一次,无论是否有更改。 默认: 未指定。 警告 如果定义了受限制组策略而且刷新了组策略,则不在受限制组策略“成员”列表上的任何当前成员均会被删除。这可以包括默认成员,如管理员。 注意 受限制组应该主要用于配置工作站或成员服务器上的本地组成员身份。 空“成员”列表表示受限制组没有成员;空“隶属于”列表表示未指定受限制组所属的组。 |
Restricted Groups
This security setting allows an administrator to define two properties for security-sensitive groups ("restricted" groups). The two properties are Members and Member Of. The Members list defines who belongs and who does not belong to the restricted group. The Member Of list specifies which other groups the restricted group belongs to. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. In addition, the reverse membership configuration option ensures that each Restricted Group is a member of only those groups that are specified in the Member Of column. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group. There are two ways to apply Restricted Groups policy: Define the policy in a security template, which will be applied during configuration on your local computer. Define the setting on a Group Policy object (GPO) directly, which means that the policy goes into effect with every refresh of policy. The security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller. The settings are also refreshed every 16 hours, whether or not there are any changes. Default: None specified. Caution If a Restricted Groups policy is defined and Group Policy is refreshed, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Notes Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members; an empty Member Of list means that the groups to which the restricted group belongs are not specified. |
2042 | 系统服务安全设置
允许管理员定义所有系统服务的启动模式(手动、自动或禁用)以及访问权限(启动、停止或暂停)。 默认: 未定义。 注意 该设置不会显示在本地计算机策略对象中。 如果选择将系统服务启动设置为自动,则将执行适当的测试来验证该服务是否能在没有用户干预的情况下启动。 为了优化性能,请将不必要或不使用的服务设置为手动。 |
System Services security settings
Allows an administrator to define the startup mode (manual, automatic, or disabled) as well as the access permissions (Start, Stop, or Pause) for all system services. Default: Undefined. Notes This setting does not appear in the Local Computer Policy object. If you choose to set system service startup to Automatic, perform adequate testing to verify that the services can start without user intervention. For performance optimization, set unnecessary or unused services to Manual. |
2043 | 注册表安全设置
允许管理员利用安全配置管理器定义注册表项的访问权限[在随机访问控制列表(DACL)上]和审核设置[在系统访问控制列表(SACL)上]。 默认: 未定义。 注意: 该设置不会显示在本地计算机策略对象中。 |
Registry security settings
Allows an administrator to define access permissions (on discretionary access control lists (DACLs)) and audit settings (on system access control lists (SACLs)) for registry keys using Security Configuration Manager. Default: Undefined. Note: This setting does not appear in the Local Computer Policy object. |
2044 | 文件系统安全设置
允许管理员利用安全配置管理器定义文件系统对象的访问权限[在随机访问控制列表(DACL)上]和审核设置[在系统访问控制列表(SACL)上]。 默认: 未定义。 注意: 该设置不会显示在本地计算机策略对象中。 |
File System security settings
Allows an administrator to define access permissions (on discretionary access control lists (DACLs)) and audit settings (on system access control lists (SACLs)) for file system objects using Security Configuration Manager. Default: Undefined. Note: This setting does not appear in the Local Computer Policy object. |
2045 | 审核: 强制审核策略子类别设置(Windows Vista 或更高版本)可替代审核策略类别设置。
Windows Vista 以及 Windows 的更高版本允许审核策略子类别以更精确的方式管理审核策略。在类别级别设置审核策略将替代新的子类别审核策略功能。组策略仅允许在类别级别设置审核策略,并且在新计算机加入域或升级到 Windows Vista (或更高版本)时,现有组策略可能会替代这些新计算机的子类别设置。为了允许使用子类别管理审核策略,而无须更改组策略,Windows Vista 以及更高版本中有一个新的注册表值 SCENoApplyLegacyAuditPolicy,该注册表值阻止了从组策略和本地安全策略管理工具中应用类别级别的审核策略。 如果此处设置的类别级别审核策略与当前正在生成的事件不一致,原因可能是设置了此注册表项。 默认值: 启用 |
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category level, and existing group policy may override the subcategory settings of new machines as they are joined to the domain or upgraded to Windows Vista or later versions. To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. If the category level audit policy set here is not consistent with the events that are currently being generated, the cause might be that this registry key is set. Default: Enabled |
2046 | 用户帐户控制: 对内置管理员帐户使用管理审批模式
此策略设置控制内置管理员帐户的管理审批模式的行为。 选项为: • 启用: 内置管理员帐户使用管理审批模式。默认情况下,需要提升权限的任何操作都将提示用户批准该操作。 • 禁用: (默认设置)内置管理员帐户使用完整管理权限运行所有应用程序。 |
User Account Control: Use Admin Approval Mode for the built-in Administrator account
This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: • Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation. • Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege. |
2047 | DCOM: 使用安全描述符定义语言(SDDL)语法的计算机启动限制
此策略设置决定了哪些用户或组能够远程或本地访问 DCOM 应用程序。此设置用于为 DCOM 应用程序控制计算机的攻击面。 可以使用此策略设置对企业中 DCOM 应用程序的特定用户指定对所有计算机的访问权限。指定要授予权限的用户或组时,安全描述符字段中将填入表示这些组和权限的安全描述符定义语言。如果安全描述符为空,则策略设置将在模板中定义,但不强制执行。可以授予用户和组进行本地访问和远程访问的明确的许可或拒绝权限。 由于启用“DCOM: 使用安全描述符定义语言(SDDL)语法的计算机访问限制”语法策略设置而创建的注册表设置优先于(具有更高优先级)此区域中以前的注册表设置。远程过程调用服务(RpcS)将在计算机限制的策略部分中检查新建注册表项,且这些注册表项优先于 OLE 下的现有注册表项。这意味着以前存在的注册表设置不再有效,并且如果对现有设置进行更改,也不会更改用户的计算机访问权限。请在配置用户和组的列表时要格外小心。 此组策略设置的可能值为: 空: 这表示删除策略强制项的本地安全策略方法。此值将删除策略,然后将其设置为未定义状态。设置“空”值的方法为: 使用 ACL 编辑器并清空列表,然后按“确定”。 SDDL: 这是安全描述符定义语言,它表示启用此策略时所指定的组和权限。 未定义: 这是默认值。 注意 如果由于对 Windows 中的 DCOM 进行更改而拒绝授予管理员对 DCOM 应用程序的访问权限, 则管理员可以使用“DCOM: 使用安全描述符定义语言(SDDL)语法的计算机访问限制”策略设置来管理对计算机的 DCOM 访问权限。通过使用此设置,管理员可以指定哪些用户和组能够本地和远程访问计算机上的 DCOM 应用程序。这将对管理员和用户还原 DCOM 应用程序的控制。要完成此操作,请打开“DCOM: 使用安全描述符定义语言(SDDL)语法的计算机访问限制”设置,并单击“编辑安全设置”。指定要包括的组和这些组的计算机访问权限。这将定义设置并设置适当的 SDDL 值。 |
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
This policy setting determines which users or groups can access DCOM application remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications. You can use this policy setting to specify access permissions to all the computers to particular users for DCOM applications in the enterprise. When you specify the users or groups that are to be given permission, the security descriptor field is populated with the Security Descriptor Definition Language representation of those groups and privileges. If the security descriptor is left blank, the policy setting is defined in the template, but it is not enforced. Users and groups can be given explicit Allow or Deny privileges on both local access and remote access. The registry settings that are created as a result of enabling the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting take precedence over (have higher priority) the previous registry settings in this area. Remote Procedure Call Services (RpcSs) checks the new registry keys in the Policies section for the computer restrictions, and these registry entries take precedence over the existing registry keys under OLE. This means that previously existing registry settings are no longer effective, and if you make changes to the existing settings, computer access permissions for users are not changed. Use care in configuring their list of users and groups. The possible values for this policy setting are: Blank: This represents the local security policy way of deleting the policy enforcement key. This value deletes the policy and then sets it as Not defined state. The Blank value is set by using the ACL editor and emptying the list, and then pressing OK. SDDL: This is the Security Descriptor Definition Language representation of the groups and privileges you specify when you enable this policy. Not Defined: This is the default value. Note If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in Windows, the administrator can use the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting to manage DCOM access to the computer. The administrator can specify which users and groups can access the DCOM application on the computer both locally and remotely by using this setting. This will restore control of the DCOM application to the administrator and users. To do this, open the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax setting, and click Edit Security. Specify the groups you want to include and the computer access permissions for those groups. This defines the setting and sets the appropriate SDDL value. |
2048 | DCOM: 使用安全描述符定义语言(SDDL)语法的计算机访问限制
此策略设置决定哪些用户或组能够远程或本地启动或激活 DCOM 应用程序。此设置用于为 DCOM 应用程序控制计算机的攻击面。 可以使用此设置授予使用 DCOM 应用程序的用户对所有计算机的访问权限。定义此设置并指定要授予权限的用户或组时,安全描述符字段中将填入表示这些组和权限的安全描述符定义语言。如果安全描述符为空,则策略设置将在模板中定义,但不强制执行。可以授予用户和组进行本地启动、远程启动、本地激活和远程激活的明确的许可或拒绝权限。 作为此策略的结果创建的注册表设置优先于此区域中以前的注册表设置。远程过程调用服务(RpcS)将在计算机限制的策略部分中检查新建注册表项;这些项优先于 OLE 下的现有注册表项。 此组策略设置的可能值为: 空: 这表示删除策略强制项的本地安全策略方法。此值将删除策略,然后将其设置为未定义状态。设置空值的方法为: 使用 ACL 编辑器并清空列表,然后按“确定”。 SDDL: 这是安全描述符定义语言,它表示启用此策略时所指定的组和权限。 未定义: 这是默认值。 注意 如果由于对此版本 Windows 的 DCOM 进行过更改而拒绝授予管理员激活和启动 DCOM 应用程序的访问权限,则可将此策略设置用于对计算机进行控制 DCOM 激活和启动。通过使用“DCOM: 使用安全描述符定义语言(SDDL)语法的计算机启动限制”策略设置,管理员可以指定哪些用户和组能够本地和远程启动和激活计算机上的 DCOM 应用程序。这将对管理员和指定用户还原 DCOM 应用程序的控制。要完成此操作,请打开“DCOM: 使用安全描述符定义语言(SDDL)语法的计算机访问限制”设置,并单击“编辑安全设置”。指定要包括的组和这些组的计算机启动权限。这将定义设置并设置适当的 SDDL 值。 |
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
This policy setting determines which users or groups can launch or activate DCOM applications remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications. You can use this setting to grant access to all the computers to users of DCOM applications. When you define this setting, and specify the users or groups that are to be given permission, the security descriptor field is populated with the Security Descriptor Definition Language representation of those groups and privileges. If the security descriptor is left blank, the policy setting is defined in the template, but it is not enforced. Users and groups can be given explicit Allow or Deny privileges on local launch, remote launch, local activation, and remote activation. The registry settings that are created as a result of this policy take precedence over the previous registry settings in this area. Remote Procedure Call Services (RpcSs) checks the new registry keys in the Policies section for the computer restrictions; these entries take precedence over the existing registry keys under OLE. The possible values for this Group Policy setting are: Blank: This represents the local security policy way of deleting the policy enforcement key. This value deletes the policy and then sets it to Not defined state. The Blank value is set by using the ACL editor and emptying the list, and then pressing OK. SDDL: This is the Security Descriptor Definition Language representation of the groups and privileges you specify when you enable this policy. Not Defined: This is the default value. Note If the administrator is denied access to activate and launch DCOM applications due to the changes made to DCOM in this version of Windows, this policy setting can be used for controlling the DCOM activation and launch to the computer. The administrator can specify which users and groups can launch and activate DCOM applications on the computer both locally and remotely by using the DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting. This restores control of the DCOM application to the administrator and specified users. To do this, open the DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax setting, and click Edit Security. Specify the groups you want to include and the computer launch permissions for those groups. This defines the setting and sets the appropriate SDDL value. |
2049 | 用户帐户控制: 在管理审批模式下管理员的提升提示行为
此策略设置控制管理员的提升提示行为。 选项为: • 无提示提升: 允许有权限的帐户执行需要提升权限的操作,而无需同意或凭据。注意: 仅在大多数受限制的环境中使用该选项。 • 在安全桌面上提示凭据: 当某个操作需要提升权限时,将在安全桌面上提示用户输入有权限的用户名和密码。如果用户输入有效凭据,则该操作将使用用户的最高可用权限继续进行。 • 在安全桌面上同意提示: 当某个操作需要提升权限时,将在安全桌面上提示用户选择“允许”或“拒绝”。如果用户选择“允许”,则该操作将使用用户的最高可用权限继续进行。 • 提示凭据: 当某个操作需要提升权限时,将提示用户输入管理用户名和密码。如果用户输入有效凭据,则该操作将使用适用的权限继续进行。。 • 同意提示: 当某个操作需要提升权限时,将提示用户选择“允许”或“拒绝”。如果用户选择“允许”,则该操作将使用用户的最高可用权限继续进行。 • 非 Windows 二进制文件的同意提示: (默认设置)当非 Microsoft 应用程序的某个操作需要提升权限时,将在安全桌面上提示用户选择“允许”或“拒绝”。如果用户选择“允许”,则该操作将使用用户的最高可用权限继续进行。 |
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
This policy setting controls the behavior of the elevation prompt for administrators. The options are: • Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments. • Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. • Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. • Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. • Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. |
2050 | 用户帐户控制: 标准用户的提升提示行为
此策略设置控制标准用户的提升提示行为。 选项为: • 提示凭据: (默认设置)当某个操作需要提升权限时,将提示用户输入管理用户名和密码。如果用户输入有效凭据,则该操作将使用适用的权限继续进行。 • 自动拒绝提升请求: 当某个操作需要提升权限时,显示可配置的访问被拒绝错误消息。作为标准用户运行桌面的企业可以选择该设置来减少技术支持呼叫次数。 • 在安全桌面上提示凭据: 当某个操作需要提升权限时,将在安全桌面上提示用户输入另一个用户名和密码。如果用户输入有效凭据,则该操作将使用适用的权限继续进行。 |
User Account Control: Behavior of the elevation prompt for standard users
This policy setting controls the behavior of the elevation prompt for standard users. The options are: • Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. • Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. • Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. |
2051 | 用户帐户控制: 检测应用程序安装和提示提升
此策略设置控制计算机的应用程序安装检测行为。 选项为: • 启用: (默认)当检测到某个应用程序安装程序包需要提升权限时,将提示用户输入管理用户名和密码。如果用户输入有效凭据,则该操作将使用适用的权限继续进行。 • 禁用: 未检测到应用程序安装程序包并且提示提升权限。运行标准用户桌面以及使用委派安装技术 [组策略软件安装或系统管理服务器(SMS)] 的企业应该禁用此策略设置。在这种情况下,不必检测安装程序。 |
User Account Control: Detect application installations and prompt for elevation
This policy setting controls the behavior of application installation detection for the computer. The options are: • Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. • Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. |
2052 | 用户帐户控制: 仅提升已签名和验证的可执行文件
此策略设置将强制对请求提升权限的任何交互式应用程序执行公钥基础结构(PKI)签名检查。企业管理员可以通过向本地计算机上的受信任的发布者证书存储中添加证书控制允许运行的应用程序。 选项为: • 启用: 在允许运行给定的可执行文件之前,强制对其执行 PKI 证书路径验证。 • 禁用: (默认设置)在允许运行给定的可执行文件之前,不强制对其执行 PKI 证书路径验证。 |
User Account Control: Only elevate executable files that are signed and validated
This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. The options are: • Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run. • Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run. |
2053 | 用户帐户控制: 仅提升安装在安全位置的 UIAccess 应用程序
此策略设置控制请求使用用户界面辅助功能(UIAccess)完整性级别运行的应用程序是否必须位于文件系统上的安全位置。安全位置限于以下目录: - …\Program Files\,包括子文件夹 - …\Windows\system32\ - …\Program Files (x86)\,包括子文件夹(对于 64 位版本的 Windows) 注意: 无论此安全设置为何种状态,Windows 都将对任何请求使用 UIAccess 完整性级别运行的交互式应用程序强制执行公钥基础结构(PKI)签名检查。 选项为: • 启用: (默认设置)如果应用程序驻留在文件系统中的安全位置,则此应用程序将仅使用 UIAccess 完整性来运行。 • 禁用: 即使应用程序不驻留在文件系统中的安全位置,此应用程序也将使用 UIAccess 完整性来运行。 |
User Account Control: Only elevate UIAccess applications that are installed in secure locations
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - …\Program Files\, including subfolders - …\Windows\system32\ - …\Program Files (x86)\, including subfolders for 64-bit versions of Windows Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: • Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. • Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system. |
2054 | 用户帐户控制: 启用管理审批模式
此策略设置控制计算机的所有用户帐户控制(UAC)策略设置行为。如果更改此策略设置,则必须重新启动计算机。 选项为: • 启用: (默认设置)启用管理审批模式。必须启用该策略并且相关的 UAC 策略设置还必须设置正确以允许内置管理员帐户以及是管理员组成员的所有其他用户在管理审批模式下运行。 • 禁用: 禁用管理审批模式以及所有相关 UAC 策略设置。注意: 如果禁用此策略设置,则安全中心将通知你操作系统的总体安全性已降低。 |
User Account Control: Turn on Admin Approval Mode
This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: • Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. • Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. |
2055 | 用户帐户控制: 提示提升时切换到安全桌面
此策略设置控制提升请求是在交互式用户桌面上提示还是在安全桌面上提示。 选项为: • 启用: (默认设置)无论管理员和标准用户的提示行为策略设置如何,所有提升请求都将转至安全桌面。 • 禁用: 所有提升请求都将转至交互式用户桌面。使用管理员和标准用户的提示行为策略设置。 |
User Account Control: Switch to the secure desktop when prompting for elevation
This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: • Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. • Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. |
2056 | 用户帐户控制: 将文件及注册表写入失败虚拟化到每用户位置
此策略设置控制是否将应用程序写入失败重定向到定义的注册表和文件系统位置。此策略设置将缓和以管理员身份运行的应用程序,并将运行时应用程序数据写入 %ProgramFiles%、%Windir%、%Windir%\system32 或 HKLM\Software。 选项为: • 启用: (默认设置)在运行时将应用程序写入失败重定向到文件系统和注册表中定义的用户位置。 • 禁用: 应用程序无法将数据写入受保护的位置。 |
User Account Control: Virtualize file and registry write failures to per-user locations
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. The options are: • Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry. • Disabled: Applications that write data to protected locations fail. |
2057 | 创建符号链接
此权限确定用户是否可以从登录的计算机创建符号链接。 默认: Administrator 警告: 此权限应当仅授予受信任用户。符号链接可能暴露应用程序在设计上无法进行处理的安全漏洞。 注意 此设置可以与符号链接文件系统设置一起使用,后者可使用命令行实用程序进行操作,以便控制计算机上允许的符号链接类型。有关 fsutil 和符号链接的详细信息,请在命令行中键入 "fsutil behavior set symlinkevalution /?"。 |
Create Symbolic Links
This privilege determines if the user can create a symbolic link from the computer he is logged on to. Default: Administrator WARNING: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. |
2058 | 修改对象标签
此权限确定哪些用户帐户可以修改对象(例如文件、注册表项或其他用户所拥有的进程)的完整性标签。在用户帐户下运行的进程可以将该用户所拥有的对象标签修改为没有此权限的更低级别。 默认值: 无 |
Modify an object label
This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. Default: None |
2059 | 用户帐户控制: 允许 UIAccess 应用程序在不使用安全桌面的情况下提示提升。
此策略设置控制用户界面辅助功能(UIAccess 或 UIA)程序是否可以自动禁用标准用户用来进行提升提示的安全桌面。 • 启用: UIA 程序(包括 Windows 远程协助)自动禁用进行提升提示的安全桌面。如果你不禁用“用户帐户控制: 提示提升时切换到安全桌面”策略设置,则会在交互式用户桌面而不是安全桌面上出现提示。 • 禁用: (默认设置)安全桌面只能由交互式桌面的用户禁用或者通过禁用“用户帐户控制: 提示提升时切换到安全桌面”策略设置禁用。 |
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.
This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. • Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop. • Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. |
2060 | 在备份/还原期间凭据管理器使用此设置。任何帐户都不应该拥有此权限,因为该权限仅分配给 Winlogon。如果将该权限分配给其他实体,则可能会泄露用户保存的凭据。 | This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users saved credentials might be compromised if this privilege is given to other entities. |
2061 | 更改时区
该用户权限确定哪些用户和组可以更改计算机用于显示本地时间(计算机的系统时间加上时区偏移)的时区。系统时间本身是绝对的,因此不受时区变化的影响。 该用户权限是在默认域控制器组策略对象(GPO)以及工作站和服务器的本地安全策略中定义的。 默认值: 管理员、用户 |
Change the Time Zone
This user right determines which users and groups can change the time zone used by the computer for displaying the local time, which is the computer's system time plus the time zone offset. System time itself is absolute and is not affected by a change in the time zone. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of the workstations and servers. Default: Administrators, Users |
2062 | 增加进程工作集
该权限确定哪些用户帐户可以增加或减小进程的工作集大小。 默认值: 用户 进程的工作集是在物理 RAM 内存中该进程当前可见的内存页面集。这些页面是常驻的,应用程序可以使用它们,而不会触发页面错误。最大和最小工作集大小影响进程的虚拟内存分页行为。 警告: 增加进程的工作集大小会减少系统的其余部分可用的物理内存数量。 |
Increase a process working set
This privilege determines which user accounts can increase or decrease the size of a process’s working set. Default: Users The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process. Warning: Increasing the working set size for a process decreases the amount of physical memory available to the rest of the system. |
2063 | 网络安全: 限制 NTLM: 到远程服务器的传出 NTLM 流量
此策略设置允许你拒绝或审核从此 Windows 7 或此 Windows Server 2008 R2 计算机到任何 Windows 远程服务器的传出 NTLM 流量。 如果选择“全部允许”或未配置此策略设置,则客户端计算机可以使用 NTLM 身份验证对远程服务器的身份进行身份验证。 如果选择“全部审核”,则客户端计算机将为对远程服务器的每个 NTLM 身份验证请求记录一个事件。这样便可以识别从客户端计算机接收 NTLM 身份验证请求的那些服务器。 如果选择“全部拒绝”,则客户端计算机无法使用 NTLM 身份验证对远程服务器的身份进行身份验证。可以使用“网络安全: 限制 NTLM: 为 NTLM 身份验证添加远程服务器例外”策略设置定义允许客户端使用 NTLM 身份验证的远程服务器列表。 至少在 Windows 7 或 Windows Server 2008 R2 上支持此策略。 注意: 审核和阻止事件记录在该计算机的“应用程序和服务日志/Microsoft/Windows/NTLM”下的“可操作”日志中。 |
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication. If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer. If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. |
2064 | 网络安全: 限制 NTLM: 传入 NTLM 流量
此策略设置允许拒绝或允许传入 NTLM 流量。 如果选择“全部允许”或未配置此策略设置,则服务器将允许所有 NTLM 身份验证请求。 如果选择“拒绝所有域帐户”,则服务器将拒绝使用 NTLM 身份验证请求进行域登录并显示已阻止 NTLM 错误,但允许本地帐户登录。 如果选择“拒绝所有帐户”,则服务器将拒绝来自传入流量的 NTLM 身份验证请求并且显示已阻止 NTLM 错误。 至少在 Windows 7 或 Windows Server 2008 R2 上支持此策略。 注意: 阻止事件记录在该计算机的“应用程序和服务日志/Microsoft/Windows/NTLM”下的“可操作”日志中。 |
Network security: Restrict NTLM: Incoming NTLM traffic
This policy setting allows you to deny or allow incoming NTLM traffic. If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon. If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. |
2065 | 网络安全: 限制 NTLM: 此域中的 NTLM 身份验证
此策略设置允许你在该域控制器的某个域中拒绝或允许 NTLM 身份验证。此策略不影响此域控制器的交互式登录。 如果选择“禁用”或未配置此策略设置,则域控制器将允许该域中的所有 NTLM 传递身份验证请求。 如果选择“拒绝域帐户到域服务器”,则域控制器将拒绝到此域中所有服务器的所有使用域帐户的 NTLM 身份验证登录尝试,并且返回已阻止 NTLM 的错误,除非服务器名称在“网络安全: 限制 NTLM: 为此域中的 NTLM 身份验证添加服务器例外”策略设置的例外列表中。 如果选择“拒绝域帐户”,则域控制器将拒绝从域帐户的所有 NTLM 身份验证登录尝试,并且返回已阻止 NTLM 的错误,除非服务器名称在“网络安全: 限制 NTLM: 为此域中的 NTLM 身份验证添加服务器例外”策略设置的例外列表中。 如果选择“拒绝域服务器”,则域控制器将拒绝此域中所有服务器的 NTLM 身份验证请求,并且返回已阻止 NTLM 的错误,除非服务器名称在“网络安全: 限制 NTLM: 为此域中的 NTLM 身份验证添加服务器例外”策略设置的例外列表中。 如果选择“全部拒绝”,则域控制器将拒绝从其服务器的所有 NTLM 传递身份验证请求,因为其帐户返回已阻止 NTLM 的错误,除非服务器名称在“网络安全: 限制 NTLM: 为此域中的 NTLM 身份验证添加服务器例外”策略设置的例外列表中。 至少在 Windows Server 2008 R2 上支持此策略。 注意: 阻止事件记录在该计算机的“应用程序和服务日志/Microsoft/Windows/NTLM”下的“可操作”日志中。 |
Network security: Restrict NTLM: NTLM authentication in this domain
This policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy does not affect interactive logon to this domain controller. If you select "Disabled" or do not configure this policy setting, the domain controller will allow all NTLM pass-through authentication requests within the domain. If you select "Deny for domain accounts to domain servers" the domain controller will deny all NTLM authentication logon attempts to all servers in the domain that are using domain accounts and return an NTLM blocked error unless the server name is on the exception list in the "Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain" policy setting. If you select "Deny for domain account" the domain controller will deny all NTLM authentication logon attempts from domain accounts and return an NTLM blocked error unless the server name is on the exception list in the "Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain" policy setting. If you select "Deny for domain servers" the domain controller will deny NTLM authentication requests to all servers in the domain and return an NTLM blocked error unless the server name is on the exception list in the "Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain" policy setting. If you select "Deny all," the domain controller will deny all NTLM pass-through authentication requests from its servers and for its accounts and return an NTLM blocked error unless the server name is on the exception list in the "Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain" policy setting. This policy is supported on at least Windows Server 2008 R2. Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. |
2066 | 网络安全: 限制 NTLM: 为 NTLM 身份验证添加远程服务器例外
此策略设置允许你创建远程服务器例外列表,在配置“网络安全: 限制 NTLM: 到远程服务器的传出 NTLM 流量”策略设置后,客户端可以使用 NTLM 身份验证。 如果配置此策略设置,则可以定义允许客户端使用 NTLM 身份验证的远程服务器列表。 如果未配置此策略设置,则不会应用任何例外。 此例外列表上服务器的命名格式为完全限定的域名(FQDN)或应用程序(每行列出一个)使用的 NetBIOS 服务器名称。若要确保例外,所有应用程序使用的名称需要位于列表中,若要确保例外精确,应该采用这两种命名格式列出服务器名称。可以在字符串的任意位置使用一个星号(*)作为通配符。 |
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. If you do not configure this policy setting, no exceptions will be applied. The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character. |
2067 | 网络安全: 限制 NTLM: 添加此域中的服务器例外
如果已设置“网络安全: 限制 NTLM: 拒绝此域中的 NTLM 身份验证”,则此策略设置让你可以创建此域中允许客户端使用 NTLM 传递身份验证的服务器例外列表。 如果配置此策略设置,则可以定义此域中允许客户端使用 NTLM 身份验证的服务器例外列表。 如果未配置此策略设置,则不会应用任何例外。 此例外列表上服务器的命名格式为完全限定的域名(FQDN)或调用的应用程序(每行列出一个)使用的 NetBIOS 服务器名称。在字符串的开始或结尾可使用一个星号(*)作为通配符。 |
Network security: Restrict NTLM: Add server exceptions in this domain
This policy setting allows you to create an exception list of servers in this domain to which clients are allowed to use NTLM pass-through authentication if the "Network Security: Restrict NTLM: Deny NTLM authentication in this domain" is set. If you configure this policy setting, you can define a list of servers in this domain to which clients are allowed to use NTLM authentication. If you do not configure this policy setting, no exceptions will be applied. The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the calling application listed one per line. A single asterisk (*) can be used at the beginning or end of the string as a wildcard character. |
2068 | 网络安全: 允许 LocalSystem NULL 会话回退
使用 LocalSystem 时,允许 NTLM 回退到 NULL 会话。 在 Windows Vista 以及以前的系统中,默认值为 TRUE,在 Windows 7 中,默认值为 FALSE。 |
Network security: Allow LocalSystem NULL session fallback
Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7. |
2069 | 网络安全: 配置 Kerberos 允许的加密类型
此策略设置让你可以设置允许 Kerberos 使用的加密类型。 如果未选择此策略设置,则不允许使用加密类型。此设置可能会影响与客户端计算机或服务和应用程序的兼容性。允许进行多项选择。 至少在 Windows 7 或 Windows Server 2008 R2 上支持此策略。 |
Network security: Configure encryption types allowed for Kerberos
This policy setting allows you to set the encryption types that Kerberos is allowed to use. If not selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. Multiple selections are permitted. This policy is supported on at least Windows 7 or Windows Server 2008 R2. |
2071 | 网络安全: 允许对此计算机的 PKU2U 身份验证请求使用联机标识。
默认情况下,此策略在加入域的计算机上是关闭的。这将防止联机标识对加入域的计算机进行身份验证。 |
Network security: Allow PKU2U authentication requests to this computer to use online identities.
This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. |
2072 | 网络安全: 限制 NTLM: 审核传入 NTLM 流量
此策略设置允许你审核传入 NTLM 流量。 如果选择“禁用”或未配置此策略设置,则服务器将不为传入 NTLM 流量记录事件。 如果选择“为域帐户启用审核”,则服务器将为 NTLM 传递身份验证请求记录事件。在将“网络安全: 限制 NTLM: 传入 NTLM 流量”策略设置设置为“拒绝所有域帐户”选项时,将阻止该请求。 如果选择“为所有帐户启用审核”,则服务器将为所有 NTLM 身份验证请求记录事件。在将“网络安全: 限制 NTLM: 传入 NTLM 流量”策略设置设置为“拒绝所有帐户”选项时,将阻止该请求。 至少在 Windows 7 或 Windows Server 2008 R2 上支持此策略。 注意: 审核事件记录在该计算机的“应用程序和服务日志/Microsoft/Windows/NTLM”下的“可操作”日志中。 |
Network security: Restrict NTLM: Audit Incoming NTLM Traffic
This policy setting allows you to audit incoming NTLM traffic. If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic. If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option. If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. |
2073 | 网络安全: 限制 NTLM: 审核此域中的 NTLM 身份验证
此策略设置允许你审核此域控制器的某个域中的 NTLM 身份验证。 如果选择“禁用”或未配置此策略设置,则域控制器将不为该域中的 NTLM 身份验证记录事件。 如果选择“启用域帐户到域服务器”,则当由于在“网络安全: 限制 NTLM: 此域中的 NTLM 身份验证”策略设置中选择了“拒绝域帐户到域服务器”而拒绝 NTLM 身份验证时,域控制器将为域帐户到域控制器的 NTLM 身份验证登录尝试记录事件。 如果选择“启用域帐户”,则当由于在“网络安全: 限制 NTLM: 此域中的 NTLM 身份验证”策略设置中选择了“拒绝域帐户”而拒绝 NTLM 身份验证时,域控制器将为使用域帐户的 NTLM 身份验证登录尝试记录事件。 如果选择“启用域服务器”,则当由于在“网络安全: 限制 NTLM: 此域中的 NTLM 身份验证”策略设置中选择了“拒绝域服务器”而拒绝 NTLM 身份验证时,域控制器将为该域中所有服务器的 NTLM 身份验证请求记录事件。 如果选择“全部启用”,则域控制器将为来自其服务器的 NTLM 传递身份验证请求,以及由于在“网络安全: 限制 NTLM: 此域中的 NTLM 身份验证”策略设置中选择了“全部拒绝”而被拒绝的帐户记录事件。 至少在 Windows Server 2008 R2 上支持此策略。 注意: 审核事件记录在该计算机的“应用程序和服务日志/Microsoft/Windows/NTLM”下的“可操作”日志中。 |
Network security: Restrict NTLM: Audit NTLM authentication in this domain
This policy setting allows you to audit NTLM authentication in a domain from this domain controller. If you select "Disable" or do not configure this policy setting, the domain controller will not log events for NTLM authentication in this domain. If you select "Enable for domain accounts to domain servers," the domain controller will log events for NTLM authentication logon attempts for domain accounts to domain servers when NTLM authentication would be denied because "Deny for domain accounts to domain servers" is selected in the "Network security: Restrict NTLM: NTLM authentication in this domain" policy setting. If you select "Enable for domain accounts," the domain controller will log events for NTLM authentication logon attempts that use domain accounts when NTLM authentication would be denied because "Deny for domain accounts" is selected in the "Network security: Restrict NTLM: NTLM authentication in this domain" policy setting. If you select "Enable for domain servers" the domain controller will log events for NTLM authentication requests to all servers in the domain when NTLM authentication would be denied because "Deny for domain servers" is selected in the "Network security: Restrict NTLM: NTLM authentication in this domain" policy setting. If you select "Enable all" the domain controller will log events for NTLM pass-through authentication requests from its servers and for its accounts which would be denied because "Deny all" is selected in the "Network security: Restrict NTLM: NTLM authentication in this domain" policy setting. This policy is supported on at least Windows Server 2008 R2. Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM. |
2074 | 网络安全: 允许本地系统将计算机标识用于 NTLM
此策略设置允许使用协商的本地系统服务在恢复为 NTLM 身份验证时使用计算机标识。 如果启用此策略设置,则作为使用协商的本地系统运行的服务将使用计算机标识。这可能会造成 Windows 操作系统之间的某些身份验证请求失败并且记录一个错误。 如果禁用此策略设置,则作为使用协商的本地系统运行的服务将在恢复为 NTLM 身份验证时进行匿名身份验证。 默认情况下,在 Windows 7 和更高版本上会启用此策略。 默认情况下,在 Windows Vista 上会禁用此策略。 操作系统必须是 Windows Vista 或 Windows Server 2008 以上才支持此策略。 注意: Windows Vista 或 Windows Server 2008 在组策略中没有公开此设置。 |
Network security: Allow Local System to use computer identity for NTLM
This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error. If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. By default, this policy is enabled on Windows 7 and above. By default, this policy is disabled on Windows Vista. This policy is supported on at least Windows Vista or Windows Server 2008. Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy. |
2075 | Microsoft 网络服务器: 服务器 SPN 目标名称验证级别
此策略设置控制具有共享文件夹或打印机的计算机(服务器)对客户端计算机使用服务器消息块(SMB)协议创建会话时提供的服务主体名称(SPN)执行的验证级别。 服务器消息块(SMB)协议为文件和打印共享以及其他网络操作(如远程 Windows 管理)提供基础。SMB 协议支持在 SMB 客户端提供的身份验证 BLOB 内对 SMB 服务器服务主体名称(SPN)进行验证,以防止对 SMB 服务器进行的一类攻击,称为 SMB 中继攻击。此设置会影响 SMB1 和 SMB2。 此安全设置确定 SMB 服务器对 SMB 客户端尝试建立到 SMB 服务器的会话时提供的服务主体名称(SPN)执行的验证级别。 选项如下: 关闭 - 不需要 SPN 或 SMB 服务器不需要通过 SMB 客户端验证 SPN。 在由客户端提供时接受 - SMB 服务器将接受并验证 SMB 客户端提供的 SPN,并允许在 SPN 本身与 SMB 服务器的 SPN 列表匹配时建立该会话。如果 SPN 不匹配,则系统将拒绝该 SMB 客户端的会话请求。 客户端需要 - SMB 客户端必须在会话设置中发送 SPN 名称,并且提供的 SPN 名称必须与请求建立连接的 SMB 服务器匹配。如果客户端没有提供任何 SPN,或者提供的 SPN 不匹配,则系统将拒绝会话。 默认: 关闭 所有的 Windows 操作系统都支持客户端 SMB 组件和服务器端 SMB 组件。此设置影响服务器 SMB 行为,应认真评估并测试其实施情况,以防止中断文件和打印服务功能。有关实施和使用此设置来保护 SMB 服务器的其他信息,请访问 Microsoft 网站(https://go.microsoft.com/fwlink/?LinkId=144505)。 |
Microsoft network server: Server SPN target name validation level
This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. This security setting determines the level of validation a SMB server performs on the service principal name (SPN) provided by the SMB client when trying to establish a session to an SMB server. The options are: Off – the SPN is not required or validated by the SMB server from a SMB client. Accept if provided by client – the SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server’s list of SPN’s for itself. If the SPN does NOT match, the session request for that SMB client will be denied. Required from client - the SMB client MUST send a SPN name in session setup, and the SPN name provided MUST match the SMB server that is being requested to establish a connection. If no SPN is provided by client, or the SPN provided does not match, the session is denied. Default: Off All Windows operating systems support both a client-side SMB component and a server-side SMB component. This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities. Additional information on implementing and using this to secure your SMB servers can be found at the Microsoft website (https://go.microsoft.com/fwlink/?LinkId=144505). |
2076 | Microsoft 网络服务器: 尝试使用 S4U2Self 获取声明信息
此安全设置是为了支持运行 Windows 8 之前的 Windows 版本的客户端(尝试访问需要用户声明的文件共享)。此设置确定本地文件服务器是否将尝试使用 Kerberos Service-For-User-To-Self (S4U2Self)功能从客户端的帐户域获取网络客户端主体的声明。此设置应该设置为仅在以下情况下启用: 文件服务器使用用户声明控制对文件的访问,以及文件服务器将支持其帐户可能位于某个域(其中客户端计算机和域控制器运行的是 Windows 8 之前的 Windows 版本)中的客户端主体。 此设置应该设置为自动(默认值),以便文件服务器可以自动评估用户是否需要声明。仅当存在包含用户声明的本地文件访问策略时,管理员才应该将此设置显式设置为“已启用”。 启用时,此安全设置将促使 Windows 文件服务器检查经过身份验证的网络客户端主体的访问令牌并且确定是否存在声明信息。如果声明不存在,则文件服务器将使用 Kerberos S4U2Self 功能尝试联系客户端帐户域中的 Windows Server 2012 控制器,并且获取客户端主体的启用声明的访问令牌。可能需要已启用声明的令牌来访问已应用了基于声明的访问控制策略的文件或文件夹。 如果禁用此设置,则 Windows 文件服务器将不会尝试获取客户端主体的启用声明的访问令牌。 默认值: 自动。 |
Microsoft network server: Attempt S4U2Self to obtain claim information
This security setting is to support clients running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-For-User-To-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain. This setting should only be set to enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts may be in a domain which has client computers and domain controllers running a version of Windows prior to Windows 8. This setting should be set to automatic (default) so that the file server can automatically evaluate whether claims are needed for the user. An administrator would want to set this setting explicitly to “Enabled” only if there are local file access policies that include user claims. When enabled this security setting will cause the Windows file server to examine the access token of an authenticated network client principal and determine if claim information is present. If claims are not present the file server will then use the Kerberos S4U2Self feature to attempt to contact a Windows Server 2012 domain controller in the client’s account domain, and obtain a claims-enabled access token for the client principal. A claims-enabled token may be needed to access files or folders which have claim-based access control policy applied. If this setting is disabled, the Windows file server will not attempt to obtain a claim-enabled access token for the client principal. Default: Automatic. |
2077 | 帐户: 阻止 Microsoft 帐户
此策略设置阻止用户在此计算机上添加新的 Microsoft 帐户。 如果选择“用户不能添加 Microsoft 帐户”选项,用户将不能在此计算机上创建新的 Microsoft 帐户,不能将本地帐户切换到 Microsoft 帐户,也不能将域帐户连接到 Microsoft 帐户。如果需要在企业中限制使用 Microsoft 帐户,这是首选选项。 如果选择“用户不能添加 Microsoft 帐户或使用该帐户登录”选项,则现有的 Microsoft 帐户用户将不能登录到 Windows。选中此选项后,此计算机上的现有管理员可能无法登录和管理系统。 如果禁用或不配置此策略(推荐),则用户能够将 Microsoft 帐户用于 Windows。 |
Accounts: Block Microsoft accounts
This policy setting prevents users from adding new Microsoft accounts on this computer. If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system. If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. |
2078 | 交互式登录: 计算机帐户阈值。
仅在已启用 Bitlocker 保护 OS 卷的计算机上强制执行计算机锁定策略。请确保已启用适当的恢复密码备份策略。 此策略设置确定可导致计算机锁定的失败登录尝试次数。锁定计算机后,只能通过在控制台中提供恢复密钥来恢复。你可以将此值设置为介于 1 和 999 次失败登录尝试次数之间。如果将此值设置为 0,计算机将永不锁定。从 1 到 3 之间的值将被解释为 4。 对于已使用 Ctrl+Alt+Delete 或受密码保护的屏幕保护程序锁定的工作站或成员服务器,失败密码尝试次数将计为失败登录尝试次数。 仅在已启用 Bitlocker 保护 OS 卷的计算机上强制执行计算机锁定策略。请确保已启用适当的恢复密码备份策略。 默认值: 0. |
Interactive logon: Machine account threshold.
The machine lockout policy is enforced only on those machines that have Bitlocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled. This security setting determines the number of failed logon attempts that causes the machine to be locked out. A locked out machine can only be recovered by providing recovery key at console. You can set the value between 1 and 999 failed logon attempts. If you set the value to 0, the machine will never be locked out. Values from 1 to 3 will be interpreted as 4. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password protected screen savers counts as failed logon attempts. The machine lockout policy is enforced only on those machines that have Bitlocker enabled for protecting OS volumes. Please ensure that the appropriate recovery password backup policies are enabled. Default: 0. |
2079 | 交互式登录: 计算机非活动限制。
Windows 会意识到登录会话的非活动状态,如果非活动的时间超过非活动限制值,则将运行屏幕保护,从而锁定会话。 默认值: 未强制。 |
Interactive logon: Machine inactivity limit.
Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. Default: not enforced. |
2080 | 获取同一会话中另一个用户的模拟令牌。
为用户分配此特权可允许代表该用户运行的程序获取同一个会话中以交互方式登录的其他用户的模拟令牌,前提是调用方拥有会话用户的模拟令牌。不适用于每个用户可获得单独会话的桌面 Windows 客户端/服务器。 |
Obtain an impersonation token for another user in the same session.
Assigning this privilege to a user allows programs running on behalf of that user to obtain an impersonation token of other users who interactively logged on within the same session provided the caller has an impersonation token of the session user. Not applicable within desktop windows client/server where every user gets a separate session. |
2081 | 网络访问: 限制允许对 SAM 进行远程调用的客户端
使用此策略设置,可以限制到 SAM 的远程 RPC 连接。 如果未选择,则将使用默认的安全描述符。 支持此策略的最低系统是 Windows Server 2016。 |
Network access: Restrict clients allowed to make remote calls to SAM
This policy setting allows you to restrict remote rpc connections to SAM. If not selected, the default security descriptor will be used. This policy is supported on at least Windows Server 2016. |
2082 | 交互式登录: 登录时不显示用户名
该安全设置确定在输入凭据后和显示电脑桌面前是否在 Windows 登录屏幕显示正在登录该台电脑的人员的用户名。 如果启用该策略,将不显示用户名。 如果禁用该策略,将显示用户名。 默认: 禁用。 |
Interactive logon: Don't display username at sign-in
This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown. If this policy is enabled, the username will not be shown. If this policy is disabled, the username will be shown. Default: Disabled. |
57343 | 你将要更改此服务的安全设置。更改此服务的默认安全设置可能会因依赖此安全设置的这一服务和其他服务之间出现不一致的配置导致出现问题。 要继续吗? |
You are about to change the security settings for this service. Changing the default security for the service could cause problems due to inconsistent configuration between this service and other services that rely on it. Do you want to continue? |
57345 | 将要导入新的模板信息到计算机的本机策略中。这将更改计算机安全设置。你希望继续吗? | You are about to import new template information into the local computer policy for this computer. Doing so will change your computer security settings. Do you want to continue? |
57346 | 正在配置计算机安全 | Configuring Computer Security |
57350 | 当前安全配置数据库: 本地策略数据库 %s | Current Security Configuration Database: Local Policy Database %s |
57351 | 当前安全配置数据库: 专用数据库 %s | Current Security Configuration Database: Private Database %s |
57352 | 产生分析信息 | Generating analysis information |
57353 | 导入失败 | Import Failed |
57354 | 已定义的子项 | Subitems defined |
57355 | 不可用 | Not Available |
57356 | 新建服务 | New Service |
57357 | 配置: | Configuring: |
57358 | 添加文件(&F)... 给该模板添加一个新文件或文件夹 |
Add &File... Adds a new file or folder to this template |
57359 | 将这个文件或文件夹添加到模板: | Add this file or folder to the template: |
57360 | 添加文件或文件夹 | Add a file or folder |
57361 | Microsoft Corporation | Microsoft Corporation |
57362 | 10.0 | 10.0 |
57363 | 安全模板是一个为安全模板文件提供编辑功能的 MMC 管理单元。 | Security Templates is an MMC snap-in that provides editing capabilities for security template files. |
57364 | 安全配置和分析是 MMC 管理单元,它用安全模板文件来提供 Windows 计算机的安全配置和分析。 | Security Configuration and Analysis is an MMC snap-in that provides security configuration and analysis for Windows computers using security template files. |
57365 | 安全设置扩展管理单元扩展组策略管理单元的功能,帮助你为域中的计算机定义安全策略。 | The Security Settings Extension snap-in extends the Group Policy snap-in and helps you define security policies for computers in your domain. |
57366 | 导入策略(&I)... 将模板文件导入该策略对象。 |
&Import Policy... Import a template file into this policy object. |
57367 | 导出策略(&X)... 将模板从该策略对象导出到一个文件。 |
E&xport policy... Export template from this policy to a file. |
57368 | 文件 %s 已经存在。 要覆盖吗? |
File %s already exists. Do you want to overwrite it? |
57370 | 失败 | Failure |
57371 | 无审核 | No auditing |
57372 | Windows 无法更新策略。 | Windows cannot update the policies. |
57373 | Windows 无法复制节 | Windows cannot copy the section |
57374 | 选择要添加的文件 | Select File to Add |
57375 | 打开数据库 | Open database |
57376 | 创建数据库 | Create Database |
57377 | 将策略导出到 | Export Policy To |
57378 | 策略导入来源 | Import Policy From |
57380 | 导入模板 | Import Template |
57381 | 将模板导出到 | Export Template To |
57384 | Windows 无法打开本地策略数据库。 | Windows cannot open the local policy database. |
57385 | 本地策略数据库 | Local Policy Database |
57386 | 无法从安全配置和分析管理单元编辑本地安全设置数据库。请用组策略管理单元编辑本地安全设置。 | The local security settings database cannot be edited from the Security Configuration and Analysis snap-in. Use the Group Policy snap-in to edit the local security settings. |
57387 | \help\75393cf0-f17a-453d-98a9-592b009289c2.chm | \help\75393cf0-f17a-453d-98a9-592b009289c2.chm |
57388 | \help\1da6be45-e97d-4584-bbf9-356d319f20c2.chm | \help\1da6be45-e97d-4584-bbf9-356d319f20c2.chm |
57389 | \help\941b4573-563f-45fd-8a2f-0b8a197a5d2c.chm | \help\941b4573-563f-45fd-8a2f-0b8a197a5d2c.chm |
57390 | \help\sceconcepts.chm::/75393cf0-f17a-453d-98a9-592b009289c2.htm | \help\sceconcepts.chm::/75393cf0-f17a-453d-98a9-592b009289c2.htm |
57391 | \help\scmconcepts.chm::/1da6be45-e97d-4584-bbf9-356d319f20c2.htm | \help\scmconcepts.chm::/1da6be45-e97d-4584-bbf9-356d319f20c2.htm |
57392 | \help\secsetconcepts.chm::/941b4573-563f-45fd-8a2f-0b8a197a5d2c.htm | \help\secsetconcepts.chm::/941b4573-563f-45fd-8a2f-0b8a197a5d2c.htm |
57394 | 你的计算机上有新的策略设置。要更新有效策略的视图吗? | There are new policy settings on your computer. Do you want to update your view of the effective policy? |
57395 | %s 上的计算机设置 | Computer setting on %s |
57396 | 由于未选择任何模板文件,无法创建该数据库。 要打开现有数据库右键单击“安全配置和分析”领域项。选择“打开数据库” 选择一个数据库,并按“打开” 要创建新数据库 右键单击“安全配置和分析”领域项。 选择“打开数据库”。 键入新的数据库名,按“打开”。 选择要导入的安全配置文件,然后按“打开”。 |
This database couldn't be created because no template file was selected. To Open an Existing DatabaseRight click on the Security Configuration and Analysis scope item. Choose Open Database Choose a database and press OPEN To Create a New Database Right click on the Security Configuration and Analysis scope item. Choose Open Database. Type in a new database name and press OPEN. Choose a security configuration file to import and press OPEN. |
57397 | 用可继承权限替换所有子项上的现有权限(&R) | &Replace existing permissions on all subkeys with inheritable permissions |
57398 | 将继承权限传播到所有子项(&P) | &Propagate inheritable permissions to all subkeys |
57399 | 不允许替代在该项上的权限(&D) | &Do not allow permissions on this key to be replaced |
57400 | 为 %s 配置成员身份 | Configure Membership for %s |
57401 | 票证过期时间: | Ticket expires in: |
57402 | 票证没有过期。 | Ticket doesn't expire. |
57403 | 票证续订过期时间: | Ticket renewal expires in: |
57404 | 票证续订被禁用。 | Ticket renewal is disabled. |
57405 | 最大容差: | Maximum tolerance: |
57407 | 不适用 | Not Applicable |
57410 | 用户和组名 | User and group names |
57411 | 添加用户或组 | Add User or Group |
57412 | 不能断开客户端连接: | Do not disconnect clients: |
57413 | 中断连接如果空闲时间超过: | Disconnect when idle time exceeds: |
57414 | 不要缓存登录次数: | Do not cache logons: |
57415 | 缓存: | Cache: |
57416 | 在密码过期的前几天开始做下列提示: | Begin prompting this many days before password expires: |
57418 | 配置这个项,然后(&C) | &Configure this key then |
57419 | 无法保存全局位置描述 | Could not save global location description |
57420 | 无法保存位置描述 | Could not save location description |
57421 | 重新加载 重新加载安全措施策略 |
Reload Reload the security policy |
57422 | 在重新加载之前将更改保存到 %1 上吗? | Save changes to %1 before reloading it? |
57423 | 本地安全设置 | Local Security Settings |
57424 | WSecEdit 安全性设置类 | WSecEdit Security Settings Class |
57425 | WSecEdit 本地安全性设置类 | WSecEdit Local Security Settings Class |
57428 | 本地安全性设置管理单元帮助你定义在本地系统上的安全性。 | The Local Security Settings snap-in helps you define security on the local system. |
57430 | WSecEdit RSOP 安全性设置类 | WSecEdit RSOP Security Settings Class |
57431 | RSOP 安全性设置扩展管理单元扩展 RSOP 管理单元并帮助你查看在域中的计算机的合成安全性策略。 | The RSOP Security Settings Extension snap-in extends the RSOP snap-in and helps you view resultant security policies for computers in your domain. |
57435 | 应用(&A) | &Apply |
57436 | 无法确定应用到此计算机的组策略安全性设置。 在尝试从本地安全策略数据库(%%windir%%\security\database\secedit.sdb)中检索这些设置时返回的错误为: %s 所有本地安全设置都将被显示,但是不会指出一个给定的安全设置是否由组策略定义。 所有由此用户界面修改的本地安全设置都可能随后被域级的策略替代。 |
The Group Policy security settings that apply to this machine could not be determined. The error returned when trying to retrieve these settings from the local security policy database (%%windir%%\security\database\secedit.sdb) was: %s All local security settings will be displayed, but no indication will be given as to whether or not a given security setting is defined by Group Policy. Any local security setting modified through this User Interface may subsequently be overridden by domain-level policies. |
57437 | 无法确定应用到此计算机的组策略安全性设置。 在尝试从本地策略数据库(%%windir%%\security\database\secedit.sdb)中检索这些设置时收到的错误为: %s 所有本地安全性设置都将被显示,但是不会指出一个给定的安全性设置是否由组策略定义。 |
The Group Policy security settings that apply to this machine could not be determined. The error received when trying to retrieve these settings from the local policy database (%%windir%%\security\database\secedit.sdb) was: %s All local security settings will be displayed, but no indication will be given as to whether or not a given security setting is defined by Group Policy. |
57438 | 日志文件: | Log file: |
57439 | 策略名称 | Policy Name |
57440 | 设置 | Setting |
57441 | 策略 %1 被正确应用。 | The policy %1 was correctly applied. |
57442 | 在配置此对象的子对象时出现了一个错误。(或者策略引擎尝试配置一个特定策略设置的子设置时失败。)有关更多信息,请查看 %windir%\security\logs\winlogon.log | There was an error configuring a child of this object. (or The policy engine attempted and failed to configure the child of a specific policy setting.) For more information, see %windir%\security\logs\winlogon.log |
57443 | 策略 %1 产生了下列错误 %2。有关更多信息,请在目标机器上查看 %windir%\security\logs\winlogon.log。 | The policy %1 resulted in the following error %2. For more information, see %windir%\security\logs\winlogon.log on the target machine. |
57444 | 策略 %1 产生了一个无效状态,并被记录。有关更多信息,请在目标机器上查看 %%windir%%\security\logs\winlogon.log。 | The policy %1 resulted in an invalid status and was logged. See %%windir%%\security\logs\winlogon.log on the target machine for more information. |
57445 | 策略引擎没有尝试配置此设置。有关更多信息,请在目标机器上查看 %windir%\security\logs\winlogon.log。 | The policy engine did not attempt to configure the setting. For more information, see %windir%\security\logs\winlogon.log on the target machine. |
57446 | 查看安全设置(&V)... | &View Security... |
57447 | 不能输出模板到 %1。 返回的错误为: %2 |
Couldn't export template to %1. The error returned was: %2 |
57448 | 保存更改到安全数据库吗? | Save changes to Security Database? |
57449 | 拒绝通过远程桌面服务登录 | Deny log on through Remote Desktop Services |
57450 | 允许通过远程桌面服务登录 | Allow log on through Remote Desktop Services |
57451 | 不能添加模板搜索路径 | Couldn't add template search path |
57453 | \Security\Logs | \Security\Logs |
57454 | 此组策略的安全性部分只能在 PDC 模拟器上编辑。 | The security portion of this group policy may only be edited on the PDC Emulator. |
57455 | 此设置与运行 Windows 2000 Service Pack 1 或更早版本的计算机不兼容。只对运行此操作系统更新版本的计算机应用包含此设置的组策略对象。 | This setting is not compatible with computers running Windows 2000 Service Pack 1 or earlier. Apply Group Policy objects containing this setting only to computers running a later version of the operating system. |
57456 | 在删除 %1 之前关闭所有属性页 | Close all property pages before deleting %1 |
57457 | 值必须在 %d 和 %d 之间 | Value must be between %d and %d |
57458 | 网络访问: 允许匿名 SID/名称转换 | Network access: Allow anonymous SID/Name translation |
57459 | 管理员必须被授予登陆本地权限。 | Administrators must be granted the logon local right. |
57460 | 你不能拒绝所有用户或管理员本地登陆。 | You cannot deny all users or administrator(s) from logging on locally. |
57461 | 有些帐户不能转换。 | Some accounts cannot be translated. |
57462 | 要应用你的更改或关闭此属性页,请关闭所有辅助窗口。 | To apply your changes or close this property sheet, close all secondary windows. |
57463 | 不能打开该窗口。Windows 不能为属性页创建 UI 线程。 | The window cannot be opened. Windows cannot create a UI thread for the property sheet. |
57464 | \help\lpeconcepts.chm::/29a1325e-50b4-4963-a36e-979caa9ea094.htm | \help\lpeconcepts.chm::/29a1325e-50b4-4963-a36e-979caa9ea094.htm |
57465 | 这是什么? | What's this? |
57466 | sct | sct |
57467 | \help\29a1325e-50b4-4963-a36e-979caa9ea094.chm | \help\29a1325e-50b4-4963-a36e-979caa9ea094.chm |
57468 | 值必须在 %d 和 %d 或 0 之间 | Value must be between %d and %d or 0 |
57469 | 此设置只影响早于 Windows Server 2003 的操作系统。 | This setting affects only operating systems earlier than Windows Server 2003. |
57470 | 修改此设置可能影响与客户端、服务和应用程序的兼容性。 %1 |
Modifying this setting may affect compatibility with clients, services, and applications. %1 |
57471 | 有关详细信息,请参阅%1。 (Q%2!lu!) | For more information, see %1. (Q%2!lu!) |
57472 | 你即将将此设置更改为可能影响与客户端、服务和应用程序的兼容性的值。 %1 你想继续更改吗? |
You are about to change this setting to a value that may affect compatibility with clients, services, and applications. %1 Do you want to continue with the change? |
57473 | 必须向 Administrators 和 SERVICE 授予“身份验证后模拟客户端”的权限 | Administrators and SERVICE must be granted the impersonate client after authentication privilege |
57474 | 如果配置了其他策略以替代类别级别审核策略,则可能不会强制执行此设置。 %1 |
This setting might not be enforced if other policy is configured to override category level audit policy. %1 |
57475 | 有关详细信息,请参阅“安全策略技术参考”中的 %1。 | For more information, see %1 in the Security Policy Technical Reference. |
58000 | 此操作没有说明文字 | No explain text for this action |
58003 | 将在以下时间之后锁定计算机 | Machine will be locked after |
58100 | 管理中心访问策略... 向此模板添加/从此模板删除中心访问策略 |
Manage Central Access Policies... Add/Remove Central Access Policies to this template |
58107 | 此访问策略包括以下策略规则: | This Access Policy includes the following Policy rules: |
58108 | 状态 | Status |
58109 | 正在从 Active Directory 下载中心访问策略... | Downloading central access policies from active directory... |
58110 | 错误: 无法下载中心访问策略 | Error: Central access policies could not be downloaded |
58111 | 就绪... | Ready... |
58113 | 找不到此中心访问策略。此中心访问策略可能已从 Active Directory 中删除,或者包含无效设置。在 Active Directory 管理中心(AD AC)中还原此策略或从配置中删除此策略。 | This central access policy could not be found. It may have been deleted from Active Directory or have invalid settings. Restore this policy in Active Directory Administrative Center (AD AC) or remove it from the configuration. |
59001 | 帐户: 使用空密码的本地帐户只允许进行控制台登录 | Accounts: Limit local account use of blank passwords to console logon only |
59002 | 审核: 对全局系统对象的访问进行审核 | Audit: Audit the access of global system objects |
59003 | 审核: 对备份和还原权限的使用进行审核 | Audit: Audit the use of Backup and Restore privilege |
59004 | 审核: 如果无法记录安全审核则立即关闭系统 | Audit: Shut down system immediately if unable to log security audits |
59005 | 设备: 防止用户安装打印机驱动程序 | Devices: Prevent users from installing printer drivers |
59010 | 设备: 允许在未登录的情况下弹出 | Devices: Allow undock without having to log on |
59011 | 域控制器: 允许服务器操作者计划任务 | Domain controller: Allow server operators to schedule tasks |
59012 | 域控制器: 拒绝计算机帐户密码更改 | Domain controller: Refuse machine account password changes |
59013 | 域控制器: LDAP 服务器签名要求 | Domain controller: LDAP server signing requirements |
59015 | 需要签名 | Require signing |
59016 | 域成员: 禁用计算机帐户密码更改 | Domain member: Disable machine account password changes |
59017 | 域成员: 计算机帐户密码最长使用期限 | Domain member: Maximum machine account password age |
59018 | 域成员: 对安全通道数据进行数字加密或数字签名(始终) | Domain member: Digitally encrypt or sign secure channel data (always) |
59019 | 域成员: 对安全通道数据进行数字加密(如果可能) | Domain member: Digitally encrypt secure channel data (when possible) |
59020 | 域成员: 对安全通道数据进行数字签名(如果可能) | Domain member: Digitally sign secure channel data (when possible) |
59021 | 域成员: 需要强(Windows 2000 或更高版本)会话密钥 | Domain member: Require strong (Windows 2000 or later) session key |
59022 | 交互式登录: 无须按 Ctrl+Alt+Del | Interactive logon: Do not require CTRL+ALT+DEL |
59023 | 交互式登录: 不显示上次登录 | Interactive logon: Don't display last signed-in |
59024 | 交互式登录: 锁定会话时显示用户信息 | Interactive logon: Display user information when the session is locked |
59025 | 用户显示名称、域名和用户名 | User display name, domain and user names |
59026 | 仅用户显示名称 | User display name only |
59027 | 不显示用户信息 | Do not display user information |
59028 | 交互式登录: 试图登录的用户的消息文本 | Interactive logon: Message text for users attempting to log on |
59029 | 交互式登录: 试图登录的用户的消息标题 | Interactive logon: Message title for users attempting to log on |
59030 | 交互式登录: 之前登录到缓存的次数(域控制器不可用时) | Interactive logon: Number of previous logons to cache (in case domain controller is not available) |
59031 | 交互式登录: 提示用户在过期之前更改密码 | Interactive logon: Prompt user to change password before expiration |
59032 | 交互式登录: 需要域控制器身份验证以对工作站进行解锁 | Interactive logon: Require Domain Controller authentication to unlock workstation |
59033 | 交互式登录: 需要 Windows Hello 企业版或智能卡 | Interactive logon: Require Windows Hello for Business or smart card |
59034 | 交互式登录: 智能卡移除行为 | Interactive logon: Smart card removal behavior |
59035 | 无操作 | No Action |
59036 | 锁定工作站 | Lock Workstation |
59037 | 强制注销 | Force Logoff |
59038 | 如果为远程桌面服务会话,则断开连接 | Disconnect if a remote Remote Desktop Services session |
59039 | Microsoft 网络客户端: 对通信进行数字签名(始终) | Microsoft network client: Digitally sign communications (always) |
59040 | Microsoft 网络客户端: 对通信进行数字签名(如果服务器允许) | Microsoft network client: Digitally sign communications (if server agrees) |
59041 | Microsoft 网络客户端: 将未加密的密码发送到第三方 SMB 服务器 | Microsoft network client: Send unencrypted password to third-party SMB servers |
59042 | Microsoft 网络服务器: 暂停会话前所需的空闲时间数量 | Microsoft network server: Amount of idle time required before suspending session |
59043 | Microsoft 网络服务器: 对通信进行数字签名(始终) | Microsoft network server: Digitally sign communications (always) |
59044 | Microsoft 网络服务器: 对通信进行数字签名(如果客户端允许) | Microsoft network server: Digitally sign communications (if client agrees) |
59045 | Microsoft 网络服务器: 登录时间过期后断开与客户端的连接 | Microsoft network server: Disconnect clients when logon hours expire |
59046 | 网络访问: 不允许存储网络身份验证的密码和凭据 | Network access: Do not allow storage of passwords and credentials for network authentication |
59047 | 网络访问: 不允许 SAM 帐户的匿名枚举 | Network access: Do not allow anonymous enumeration of SAM accounts |
59048 | 网络访问: 不允许 SAM 帐户和共享的匿名枚举 | Network access: Do not allow anonymous enumeration of SAM accounts and shares |
59049 | 网络访问: 将 Everyone 权限应用于匿名用户 | Network access: Let Everyone permissions apply to anonymous users |
59050 | 网络访问: 限制对命名管道和共享的匿名访问 | Network access: Restrict anonymous access to Named Pipes and Shares |
59051 | 网络访问: 可匿名访问的命名管道 | Network access: Named Pipes that can be accessed anonymously |
59052 | 网络访问: 可匿名访问的共享 | Network access: Shares that can be accessed anonymously |
59053 | 网络访问: 可远程访问的注册表路径和子路径 | Network access: Remotely accessible registry paths and sub-paths |
59054 | 网络访问: 可远程访问的注册表路径 | Network access: Remotely accessible registry paths |
59055 | 网络访问: 本地帐户的共享和安全模型 | Network access: Sharing and security model for local accounts |
59056 | 经典 - 对本地用户进行身份验证,不改变其本来身份 | Classic - local users authenticate as themselves |
59057 | 仅来宾 - 对本地用户进行身份验证,其身份为来宾 | Guest only - local users authenticate as Guest |
59058 | 网络安全: 在下一次更改密码时不存储 LAN 管理器哈希值 | Network security: Do not store LAN Manager hash value on next password change |
59059 | 网络安全: LAN 管理器身份验证级别 | Network security: LAN Manager authentication level |
59060 | 发送 LM 和 NTLM 响应(& ) | Send LM & NTLM responses |
59061 | 发送 LM 和 NTLM - 如果已协商,则使用 NTLMv2 会话安全(& ) | Send LM & NTLM - use NTLMv2 session security if negotiated |
59062 | 仅发送 NTLM 响应 | Send NTLM response only |
59063 | 仅发送 NTLMv2 响应 | Send NTLMv2 response only |
59064 | 仅发送 NTLMv2 响应。拒绝 LM | Send NTLMv2 response only. Refuse LM |
59065 | 仅发送 NTLMv2 响应。拒绝 LM 和 NTLM(& ) | Send NTLMv2 response only. Refuse LM & NTLM |
59066 | 网络安全: 基于 NTLM SSP 的(包括安全 RPC)客户端的最小会话安全 | Network security: Minimum session security for NTLM SSP based (including secure RPC) clients |
59067 | 网络安全: 基于 NTLM SSP 的(包括安全 RPC)服务器的最小会话安全 | Network security: Minimum session security for NTLM SSP based (including secure RPC) servers |
59070 | 要求 NTLMv2 会话安全 | Require NTLMv2 session security |
59071 | 要求 128 位加密 | Require 128-bit encryption |
59072 | 网络安全: LDAP 客户端签名要求 | Network security: LDAP client signing requirements |
59074 | 协商签名 | Negotiate signing |
59076 | 恢复控制台: 允许自动管理登录 | Recovery console: Allow automatic administrative logon |
59077 | 恢复控制台: 允许软盘复制并访问所有驱动器和所有文件夹 | Recovery console: Allow floppy copy and access to all drives and all folders |
59078 | 关机: 允许系统在未登录的情况下关闭 | Shutdown: Allow system to be shut down without having to log on |
59079 | 关机: 清除虚拟内存页面文件 | Shutdown: Clear virtual memory pagefile |
59080 | 系统对象: 加强内部系统对象的默认权限(例如,符号链接) | System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) |
59081 | 系统对象: 由 Administrators 组成员所创建对象的默认所有者 | System objects: Default owner for objects created by members of the Administrators group |
59082 | Administrators 组 | Administrators group |
59083 | 对象创建者 | Object creator |
59084 | 系统对象: 非 Windows 子系统不要求区分大小写 | System objects: Require case insensitivity for non-Windows subsystems |
59085 | 系统加密: 将 FIPS 兼容算法用于加密、哈希和签名 | System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing |
59086 | 系统加密: 为计算机上存储的用户密钥强制进行强密钥保护 | System cryptography: Force strong key protection for user keys stored on the computer |
59087 | 存储和使用新密钥时不需要用户输入 | User input is not required when new keys are stored and used |
59088 | 第一次使用密钥时提示用户输入 | User is prompted when the key is first used |
59089 | 用户每次使用密钥时必须输入密码 | User must enter a password each time they use a key |
59090 | 系统设置: 将 Windows 可执行文件中的证书规则用于软件限制策略 | System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies |
59091 | 系统设置: 可选子系统 | System settings: Optional subsystems |
59092 | 登录 | logons |
59093 | 天 | days |
59094 | 分钟 | minutes |
59095 | 秒 | seconds |
59096 | DCOM: 使用安全描述符定义语言(SDDL)语法的计算机启动限制 | DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax |
59097 | 以安全描述符定义语言(SDDL)语法表示的计算机访问限制 | DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax |
59098 | 设备: 将 CD-ROM 的访问权限仅限于本地登录的用户 | Devices: Restrict CD-ROM access to locally logged-on user only |
59099 | 设备: 允许对可移动媒体进行格式化并弹出 | Devices: Allowed to format and eject removable media |
59100 | 管理员 | Administrators |
59101 | Administrators 和 Power Users | Administrators and Power Users |
59102 | Administrators 和 Interactive Users | Administrators and Interactive Users |
59103 | 设备: 将软盘驱动器的访问权限仅限于本地登录的用户 | Devices: Restrict floppy access to locally logged-on user only |
59104 | 审核: 强制审核策略子类别设置(Windows Vista 或更高版本)替代审核策略类别设置 | Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings |
59105 | 网络安全: 限制 NTLM: 到远程服务器的传出 NTLM 流量 | Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers |
59106 | 允许所有 | Allow all |
59107 | 全部拒绝 | Deny all |
59108 | 网络安全: 限制 NTLM: 传入 NTLM 流量 | Network security: Restrict NTLM: Incoming NTLM traffic |
59110 | 拒绝所有域帐户 | Deny all domain accounts |
59111 | 拒绝所有帐户 | Deny all accounts |
59112 | 网络安全: 限制 NTLM: 此域中的 NTLM 身份验证 | Network security: Restrict NTLM: NTLM authentication in this domain |
59113 | 禁用 | Disable |
59114 | 拒绝域帐户到域服务器 | Deny for domain accounts to domain servers |
59115 | 拒绝域帐户 | Deny for domain accounts |
59116 | 拒绝域服务器 | Deny for domain servers |
59118 | 网络安全: 限制 NTLM: 为 NTLM 身份验证添加远程服务器例外 | Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication |
59119 | 网络安全: 限制 NTLM: 添加此域中的服务器例外 | Network security: Restrict NTLM: Add server exceptions in this domain |
59120 | 网络安全: 允许 LocalSystem NULL 会话回退 | Network security: Allow LocalSystem NULL session fallback |
59121 | 网络安全: 配置 Kerberos 允许的加密类型 | Network security: Configure encryption types allowed for Kerberos |
59122 | DES_CBC_CRC | DES_CBC_CRC |
59123 | DES_CBC_MD5 | DES_CBC_MD5 |
59124 | RC4_HMAC_MD5 | RC4_HMAC_MD5 |
59125 | AES128_HMAC_SHA1 | AES128_HMAC_SHA1 |
59126 | AES256_HMAC_SHA1 | AES256_HMAC_SHA1 |
59127 | 将来的加密类型 | Future encryption types |
59129 | 网络安全: 允许对此计算机的 PKU2U 身份验证请求使用联机标识。
|
Network security: Allow PKU2U authentication requests to this computer to use online identities.
|
59130 | 全部审核 | Audit all |
59131 | 网络安全: 限制 NTLM: 审核传入 NTLM 流量 | Network security: Restrict NTLM: Audit Incoming NTLM Traffic |
59132 | 网络安全: 限制 NTLM: 审核此域中的 NTLM 身份验证 | Network security: Restrict NTLM: Audit NTLM authentication in this domain |
59133 | 网络安全: 允许本地系统将计算机标识用于 NTLM | Network security: Allow Local System to use computer identity for NTLM |
59135 | 启用对域帐户的审核 | Enable auditing for domain accounts |
59136 | 启用对所有帐户的审核 | Enable auditing for all accounts |
59138 | 启用域帐户到域服务器 | Enable for domain accounts to domain servers |
59139 | 启用域帐户 | Enable for domain accounts |
59140 | 启用域服务器 | Enable for domain servers |
59141 | 全部启用 | Enable all |
59142 | Microsoft 网络服务器: 服务器 SPN 目标名称验证级别 | Microsoft network server: Server SPN target name validation level |
59144 | 由客户端提供时接受 | Accept if provided by client |
59145 | 客户端要求 | Required from client |
59146 | Microsoft 网络服务器: 尝试使用 S4U2Self 获取声明信息 | Microsoft network server: Attempt S4U2Self to obtain claim information |
59147 | 默认值 | Default |
59150 | 帐户: 阻止 Microsoft 帐户 | Accounts: Block Microsoft accounts |
59151 | 此策略已禁用 | This policy is disabled |
59152 | 用户不能添加 Microsoft 帐户 | Users can't add Microsoft accounts |
59153 | 用户不能添加 Microsoft 帐户或使用该帐户登录 | Users can't add or log on with Microsoft accounts |
59154 | 交互式登录: 计算机帐户锁定阈值 | Interactive logon: Machine account lockout threshold |
59155 | 交互式登录: 计算机不活动限制 | Interactive logon: Machine inactivity limit |
59156 | 无效登录尝试 | invalid logon attempts |
59157 | 网络访问: 限制允许对 SAM 进行远程调用的客户端 | Network access: Restrict clients allowed to make remote calls to SAM |
59158 | 交互式登录: 登录时不显示用户名 | Interactive logon: Don't display username at sign-in |
File Description: | 安全配置 UI 模块 |
File Version: | 10.0.15063.0 (WinBuild.160101.0800) |
Company Name: | Microsoft Corporation |
Internal Name: | WSECEDIT |
Legal Copyright: | © Microsoft Corporation. All rights reserved. |
Original Filename: | WSecEdit.dll.mui |
Product Name: | Microsoft® Windows® Operating System |
Product Version: | 10.0.15063.0 |
Translation: | 0x804, 1200 |