wsecedit.dll.mui 安全性設定 UI 模組 b8b22f0d2b7e11b4106e1e20985d37a2

File info

File name: wsecedit.dll.mui
Size: 183296 byte
MD5: b8b22f0d2b7e11b4106e1e20985d37a2
SHA1: 69f509d1ae9207fa37042283030297d580afda22
SHA256: fe1d227278e522588bfb60c7c104fea6eecaf486192e526a15fb1572d86f2994
Operating systems: Windows 10
Extension: MUI

Translations messages and strings

If an error occurred or the following message in Chinese (Traditional) language and you cannot find a solution, than check answer in English. Table below helps to know how correctly this phrase sounds in English.

id Chinese (Traditional) English
1WSecEdit 延伸模組類別 WSecEdit Extension Class
2名稱 Name
3描述 Description
4原則 Policy
5資料庫設定 Database Setting
6電腦設定 Computer Setting
7安全性範本 Security Template
8範本 Templates
9上次的設定/分析 Last Configuration/Analysis
10安全性範本是定義用來設定或分析電腦。 Security templates defined to configure or analyze a computer.
12安全性原則 Security Policy
13使用者權限指派 User Rights Assignment
14受限群組 Restricted Groups
15系統服務 System Services
16登錄 Registry
17檔案系統 File System
21系統服務設定值 System service settings
22登錄安全性設定值 Registry security settings
23檔案系統安全性設定 File system security settings
25(未儲存) (not saved)
26安全性設定 Security Settings
27WSecEdit 安全性設定類別 WSecEdit Security Configuration Class
28WSecEdit 安全性管理員類別 WSecEdit Security Manager Class
29您確定要刪除 %s 嗎? Are you sure you want to delete %s?
30您要刪除所有選取的項目? Do you want to delete all selected items?
31立即分析電腦(&A)...
根據選取的資料庫安全性設定值來分析電腦
&Analyze Computer Now...
Compares the current computer settings against the security settings in the database
34匯出範本(&E)...
匯出目前電腦的基本範本
&Export Template...
Exports the base template for the current computer
35新增檔案(&L)...
將新檔案加入這個範本
Add Fi&les...
Adds new files to this template
36新增範本搜尋路徑(&N)...
新增範本位置到安全性範本的搜尋路徑 (.inf - INF格式)
&New Template Search Path...
Adds a template location to the Security Templates' search path (.inf - INF format)
37新增範本(&N)...
建立一個新範本
&New Template...
Creates a new template
38移除路徑(&R)
從搜尋路徑中移除所選取的位置
&Remove Path
Removes the selected location from the search path
39重新整理(&F)
更新這個位置以顯示最近新增的範本
Re&fresh
Updates this location to display recently added templates
40立即設定電腦(&F)...
根據選取範本來設定電腦
Con&figure Computer Now...
Configures the computer according to the selected template
42Windows 無法從 %s 匯入範本 Windows cannot import the template from %s
43另存新檔(&A)...
用新名稱儲存範本
Save &As...
Saves the template with a new name
44複製(&C)
將所選取的範本資訊複製到剪貼簿
&Copy
Copies the selected template information to the Clipboard
45貼上(&P)
將剪貼簿資訊貼到範本上
&Paste
Pastes Clipboard information into the template
46來源 GPO Source GPO
47重新整理(&R)
重新整理資料
&Refresh
Refreshes data
48必須要有安全性才能新增這個物件 Security is required to add this object
49Windows 無法匯入安全性範本 Windows cannot import the security template
50密碼原則 Password Policy
51密碼最長使用期限
Maximum password age
days
52密碼最短使用期限
Minimum password age
days
53最小密碼長度
個字元
Minimum password length
characters
54強制執行密碼歷程記錄
記憶的密碼
Enforce password history
passwords remembered
55密碼必須符合複雜性需求 Password must meet complexity requirements
56使用者必須登入才能變更密碼 User must log on to change the password
57帳戶鎖定原則 Account Lockout Policy
58帳戶鎖定閾值
次不正確的登入嘗試
Account lockout threshold
invalid logon attempts
59重設帳戶鎖定計數器的時間間隔
分鐘
Reset account lockout counter after
minutes
60帳戶鎖定時間
分鐘
Account lockout duration
minutes
61您要刪除這個範本嗎? Do you want to delete this template?
62資料庫尚未載入。 The database is not loaded.
63網路安全性: 強制限制登入時數 Network security: Force logoff when logon hours expire
65帳戶: 重新命名系統管理員帳戶 Accounts: Rename administrator account
67帳戶: 重新命名來賓帳戶名稱 Accounts: Rename guest account
68重新載入
從原則資料庫重新載入本機和有效的原則表格
Reload
Reloads the local and effective policy tables from the policy database
69群組名稱 Group Name
70事件記錄檔 Event Log
71系統記錄檔大小最大值
KB
Maximum system log size
kilobytes
72系統記錄檔保持方法 Retention method for system log
73系統記錄檔保留天數
Retain system log
days
74安全性記錄檔大小最大值
KB
Maximum security log size
kilobytes
75安全性記錄檔保持方法 Retention method for security log
76安全性記錄檔保留天數
Retain security log
days
77應用程式記錄檔大小最大值
KB
Maximum application log size
kilobytes
78應用程式記錄保持方法 Retention method for application log
79應用程式記錄檔保留天數
Retain application log
days
80安全性稽核記錄檔已滿時關閉電腦 Shut down the computer when the security audit log is full
81稽核原則 Audit Policy
82事件稽核模式 Event Auditing Mode
83稽核系統事件 Audit system events
84稽核登入事件 Audit logon events
85稽核物件存取 Audit object access
86稽核特殊權限使用 Audit privilege use
87稽核原則變更 Audit policy change
88稽核帳戶管理 Audit account management
89稽核程序追蹤 Audit process tracking
90安全性選項 Security Options
92尚未定義 Not Defined
95無法新增成員 Cannot add members
96無法顯示安全性設定 Cannot display security
97無法新增使用者 Cannot add users
98無法新增目錄物件 Cannot add directory object
99無法新增資料夾 Cannot add a folder
100-- 成員 -- Members
102這個檔名中包含一些目前的系統語言無法辨識的字元。請重新命名。 This file name contains some characters that can not be recognized by current system language. Please rename it.
103權限 Permission
104稽核 Audit
106Windows 無法新增檔案。 Windows cannot add a file.
107範本名稱不正確。 The template name is not valid.
108匯出存放範本時發生錯誤。 An error occurred while exporting the stored template.
109Windows 無法新增登錄機碼。 Windows cannot add a registry key
110完全控制 Full Control
111修改 Modify
112讀取和執行 Read and Execute
113列出資料夾內容 List Folder Contents
114讀取 Read
115寫入 Write
116周遊資料夾/執行檔案 Traverse Folder/Execute File
117刪除 Delete
120 None
124查詢數值 Query Value
125設定數值 Set Value
126建立子機碼 Create Subkey
127列舉子機碼 Enumerate Subkeys
128通知 Notify
129建立連結 Create Link
130執行 Execute
131無法建立執行緒 Cannot create a thread
132無法驗證下列帳戶: %1
The following accounts could not be validated: %1
141記錄檔名稱 Log File Name
143執行安全性分析 Perform Security Analysis
144安全性原則設定 Security policy settings
146安全性設定及分析
v1.0
Security Configuration and Analysis
v1.0
147安全性設定及分析是用來設定電腦安全及分析安全性的系統管理工具。它讓您建立及編輯安全性範本,套用安全性範本,根據範本執行分析及顯示分析結果。 Security Configuration and Analysis is an administrative tool used to secure a computer and analyze security aspects. You can create or edit a security template, apply the security template, perform analyses based on a template, and display analysis results.
148上次分析執行於
Last analysis was performed on
149基本安全性設定檔描述:
Base security configuration description:
150電腦是依照下列範本所設定的。
尚未執行分析。
The computer was configured by the following template.
Analysis was not performed.
151並未使用安全性設定及分析來設定或分析資料庫。 The database has not been configured or analyzed using Security Configuration and Analysis.
152關於安全性設定及分析 About Security Configuration and Analysis
153關於上次分析 About Last Analysis
154將設定檔位置新增到安全性範本 Add a Template Location to Security Templates
165物件名稱 Object Name
166值不一致 Inconsistent Values
168開啟範本 Open Template
169安全性範本 (.inf)|*.inf|| Security Template (.inf)|*.inf||
170inf inf
171開啟記錄檔時發生錯誤 Open Error Log File
172log log
173記錄檔案 (.log)|*.log|| Log files (.log)|*.log||
193Software\Microsoft\Windows NT\CurrentVersion\SecEdit\Template Locations Software\Microsoft\Windows NT\CurrentVersion\SecEdit\Template Locations
194Windows 無法開啟範本檔案。 Windows cannot open template file.
195Windows 無法讀取範本資訊。 Windows cannot read template information.
196您所選取的資料庫中沒有可顯示的分析資訊。請使用 [分析] 功能表來啟動這個工具。 There is no analysis information in the selected database to display. Use the Analyze menu option to start using this tool.
1970 0
198視需要而定 As needed
199好幾天 By days
200手動 Manually
201已啟用 Enabled
202已停用 Disabled
203 On
204 Off
210成員 Members
211成員隸屬 Member Of
214CLASSES_ROOT CLASSES_ROOT
215MACHINE MACHINE
216USERS USERS
217已成功 Succeeded
229不明的錯誤 Unknown error
232\Security\Templates \Security\Templates
233從網路存取這台電腦 Access this computer from the network
234允許本機登入 Allow log on locally
235無法儲存 Failed to save
236儲存(&S)
儲存範本
&Save
Save the template
237Software\Microsoft\Windows NT\CurrentVersion\SecEdit Software\Microsoft\Windows NT\CurrentVersion\SecEdit
238新增資料夾 Add Folder
239新增資料夾(&F)...
將新資料夾加到這個範本
Add &Folder...
Adds a new folder to this template
240新增機碼(&K)...
將新機碼加到這個範本
Add &Key...
Adds a new key to this template
241新增群組(&G)...
將新群組加到這個範本
Add &Group...
Adds a new group to this template
248服務名稱 Service Name
249啟動 Startup
250已分析 Analyzed
251已設定 Configured
252自動 Automatic
254確定 OK
255調查 Investigate
256資料庫安全性 Database Security for
257上次安全性分析 Last Analyzed Security for
258安全性 Security for
262群組成員資格 Group Membership
263這個群組的成員 Members of this group
266帳戶原則 Account Policies
267密碼及帳戶鎖定原則 Password and account lockout policies
268本機原則 Local Policies
269正在稽核使用者權限及安全性選項原則 Auditing, user rights and security options policies
271事件記錄檔設定值及事件檢視器 Event Log settings and Event Viewer
272稽核目錄服務存取 Audit directory service access
273稽核帳戶登入事件 Audit account logon events
275不允許本機來賓存取系統記錄檔 Prevent local guests group from accessing system log
276不允許本機來賓存取安全性記錄檔 Prevent local guests group from accessing security log
277不允許本機來賓存取應用程式記錄檔 Prevent local guests group from accessing application log
278永遠 Always
281略過 Ignore
284取代 Replace
286以批次工作登入 Log on as a batch job
287以服務方式登入 Log on as a service
288Active Directory 物件 Active Directory Objects
289Active Directory 物件的安全性管理 Security management of Active Directory objects
290新增目錄物件(&O)
將 Active Directory 物件加入這個範本
Add Directory &Object
Adds an Active Directory object to this template
293列出資料夾/讀取資料 List folder / Read data
294讀取屬性 Read attributes
295讀取擴充屬性 Read extended attributes
296建立檔案/寫入資料 Create files / Write data
297建立資料夾/附加資料 Create folders / Append data
298寫入屬性 Write attributes
299寫入擴充屬性 Write extended attributes
300刪除子資料夾及檔案 Delete subfolders and files
302讀取權限 Read permissions
303變更權限 Change permissions
304取得擁有權 Take ownership
305同步處理 Synchronize
306讀取、寫入及執行 Read, Write and Execute
307寫入及執行 Write and Execute
308周遊/執行 Traverse / Execute
309只有這個資料夾 This folder only
310這個資料夾、子資料夾及檔案 This folder, subfolders and files
311這個資料夾及子資料夾 This folder and subfolders
312這個資料夾及檔案 This folder and files
313只有子資料夾及檔案 Subfolders and files only
314只有子資料夾 Subfolders only
315僅限檔案 Files only
316只有這個機碼 This key only
317這個機碼及子機碼 This key and subkeys
318只有子機碼 Subkeys only
321開始、停止及暫停 Start, stop and pause
322查詢範本 Query template
323變更範本 Change template
324查詢狀態 Query status
325列舉依存 Enumerate dependents
326開始 Start
327停止 Stop
328暫停及繼續 Pause and continue
329質詢 Interrogate
330使用者定義的控制 User-defined control
335建立子系 Create children
336刪除子系 Delete children
337清單內容 List contents
338新增/移除自己 Add/remove self
339讀取內容 Read properties
340寫入內容 Write properties
341只有這個容器 This container only
342這個容器及子容器 This container and subcontainers
343只有子容器 Subcontainers only
344[[本機電腦原則設定 ]] [[Local Computer Policy Configuration ]]
345帳戶不會被鎖定。 Account will not lock out.
346密碼可以立即變更。 Password can be changed immediately.
347不需要密碼。 No password required.
348不保存密碼的歷程記錄。 Do not keep password history.
349密碼到期日: Password will expire in:
350允許密碼變更於: Password can be changed after:
351密碼最少必須是: Password must be at least:
352密碼記錄的保留期: Keep password history for:
353帳戶將被鎖定在: Account will lock out after:
354帳戶鎖定期間: Account is locked out for:
355覆寫事件舊於: Overwrite events older than:
356密碼永不到期。 Password will not expire.
357帳戶將被鎖定 (直到系統管理員解除鎖定)。 Account is locked out until administrator unlocks it.
359使用可還原的加密來存放密碼 Store passwords using reversible encryption
360Kerberos 原則 Kerberos Policy
361強制執行使用者登入限制 Enforce user logon restrictions
362電腦時鐘同步處理的最大容錯性
分鐘
Maximum tolerance for computer clock synchronization
minutes
363服務票證最長存留期
分鐘
Maximum lifetime for service ticket
minutes
364使用者票證最長存留期
小時
Maximum lifetime for user ticket
hours
365使用者票證更新的最長存留期
Maximum lifetime for user ticket renewal
days
366新增成員 Add Member
368記憶體不足,無法顯示這個區段 There is not enough memory to display this section
369沒有關於上次分析的資訊可用 No information is available about the last analysis
370Windows 無法儲存變更的範本。 Windows cannot save changed templates.
372安全性設定及分析 Security Configuration and Analysis
374匯入範本(&I)...
將範本匯入到此資料庫
&Import Template...
Import a template into this database
376Windows 無法建立或開啟 %s Windows cannot create or open %s
377找出錯誤記錄檔 Locate error log file
378sdb sdb
379安全性資料庫檔案 (*.sdb)|*.sdb|所有檔案 (*.*)|*.*|| Security Database Files (*.sdb)|*.sdb|All Files (*.*)|*.*||
380將範本套用到電腦 Apply Template to Computer
381記錄電腦設定進度的錯誤記錄檔路徑 Error log file path to record the progress of configuring the computer
382安全性(&S)... &Security...
383編輯這個項目的安全性 Edit security for this item
384Software\Microsoft\Windows NT\CurrentVersion\SecEdit\Configuration Software\Microsoft\Windows NT\CurrentVersion\SecEdit\Configuration
385安全性(&S)...
編輯這個項目的安全性
&Security...
Edit security for this item
386EnvironmentVariables EnvironmentVariables
387%AppData%|%UserProfile%|%AllUsersProfile%|%ProgramFiles%|%SystemRoot%|%SystemDrive%|%Temp%|%Tmp%| %AppData%|%UserProfile%|%AllUsersProfile%|%ProgramFiles%|%SystemRoot%|%SystemDrive%|%Temp%|%Tmp%|
388開啟資料庫(&P)...
開啟現存或新的資料庫
O&pen Database...
Open an existing or new database
389新增資料庫(&N)...
建立並開啟新的資料庫
&New Database...
Create and open a new database
390設定描述(&P)...
在此目錄建立範本的描述
Set Descri&ption...
Create a description for the templates in this directory
392\help\sce.chm \help\sce.chm
395所有檔案 (*.*)|*.*|| All files (*.*)|*.*||
396資料庫: %s Database: %s
397嘗試開啟資料庫時發生不明的錯誤。 An unknown error occurred when attempting to open the database.
398您必須先分析才能使用資料庫。從資料庫功能表,選取選項來進行分析。 Before you can use the database, you must analyze it. On the Database menu, select the option to run an analysis.
399您嘗試開啟的資料庫不存在。請從 [資料庫] 功能表按 [匯入範本]。 The database you are attempting to open does not exist. On the Database menu, click Import Template.
400資料庫已經損毀。要修正資料庫請參考線上說明的資訊。 The database is corrupt. For information about fixing the database, see online Help.
401記憶體不足以載入資料庫。請關閉某些應用程式,再試一次。 There is not enough memory available to load the database. Close some programs and then try again.
402資料庫存取被拒。除非資料庫的權限變更了,否則您必須有系統管理權限才能使用資料庫。 Access to the database is denied. Unless the permissions on the database have been changed, you must have administrative rights to use it.
403\Security\Database \Security\Database
404您要將變更儲存到 %s 嗎? Do you want to save changes to %s?
405有現存匯入的範本擱置。若要儲存,請按 [取消],然後在匯入另一個範本前,執行分析或設定。若要略過前一個匯入的範本,請按 [確定]。
There is an existing imported template pending. To save, click Cancel, and then run an analysis or configuration before importing another template. To ignore the previous imported template, click OK.
406所有選取的檔案 All Selected Files
407拒絕本機登入 Deny log on locally
408拒絕從網路存取這台電腦 Deny access to this computer from the network
409拒絕以服務方式登入 Deny log on as a service
410拒絕以批次工作登入 Deny log on as a batch job
411新增群組 Add Group
412群組(&G): &Group:
413尚未分析 Not Analyzed
414分析時發生錯誤 Error Analyzing
416建議的設定值 Suggested Setting
417本機原則 ...
從本機原則設定值建立範本檔案
Local Policy ...
Create template file from the local policy settings
418有效原則 ...
從有效原則設定值建立範本檔案
Effective Policy ...
Create template file from the effective policy settings
419安全性設定及分析 開啟現存資料庫 在 [安全性設定及分析] 領域項目上按一下滑鼠右鍵 按一下 [開啟資料庫] 選取資料庫,然後按一下 [開啟] 建立新資料庫 在 [安全性設定及分析] 領域項目上按一下滑鼠右鍵 按一下 [開啟資料庫] 輸入新的資料庫名稱,然後按一下 [開啟] 選擇要匯入的安全性範本,然後按一下 [開啟] Security Configuration and Analysis To Open an Existing Database Right-click the Security Configuration and Analysis scope item Click Open Database Select a database, and then click Open To Create a New Database Right-click the Security Configuration and Analysis scope item Click Open Database Type a new database name, and then click Open Select a security template to import, and then click Open
420
422您正嘗試開啟的資料庫不存在。 The database you are attempting to open does not exist.
423您可以透過選取安全性設定值功能表命令的匯入原則來建立新的本機原則資料庫。 You can create a new local policy database by choosing Import Policy from the Security Settings menu commands.
424資料庫存取被拒。 Access to database has been denied.
425檢視記錄檔(&G)
在選取 [安全性設定及分析] 節點後,切換記錄檔或資料夾的顯示
View Lo&g File
Toggle display of the log file or folder tree when Security Configuration and Analysis node is selected
426您現在可以利用這個資料庫的安全性設定,分析或設定您的電腦。 設定您的電腦在 [安全性設定及分析] 領域項目上按一下滑鼠右鍵選取 立即設定電腦在該對話方塊中,輸入您要檢視之記錄檔的記錄檔名稱,然後按一下 [確定]注意: 設定完成後,您必須執行分析來檢視您資料庫內的資訊分析您的電腦安全性設定值 在 [安全性設定及分析] 領域項目上按一下滑鼠右鍵選取 [立即分析電腦]在該對話方塊中,輸入記錄檔的路徑,然後按一下 [確定]注意: 若要檢視設定或分析時所建立的記錄檔,請選取 [安全性設定及分析] 內容功能表上的 [檢視記錄檔]。 You can now configure or analyze your computer by using the security settings in this database. To Configure Your ComputerRight-click the Security Configuration and Analysis scope itemSelect Configure Computer NowIn the dialog, type the name of the log file you wish to view, and then click OKNOTE: After configuration is complete, you must perform an analysis to view the information in your databaseTo Analyze Your Computer Security Settings Right-click the Security Configuration and Analysis scope itemSelect Analyze Computer NowIn the dialog, type the log file path, and then click OKNOTE: To view the log file created during a configuration or analysis, select View Log File on the Security Configuration and Analysis context menu.
427 讀取位置發生錯誤 Error Reading Location
429原則設定 Policy Setting
430安全設定精靈(&W)...
安全伺服器角色精靈
Secure &Wizard...
Secure Server Role Wizard
431Windows 無法匯入不正確的範本 %s Windows cannot import invalid template %s
432帳戶: Administrator 帳戶狀態 Accounts: Administrator account status
433帳戶: Guest 帳戶狀態 Accounts: Guest account status
434內容 Properties
435使用者名稱不正確。可能空白或不包含以下任何字元:
%1
The username is not valid. It is empty or it may not contain any of the following characters:
%1
436沒有最小值 No minimum
437使用者及群組名稱可能並未包含任何下列字元:
%1
User and group names may not contain any of the following characters:
%1
438系統找不到指定的路徑:
%1
The system can not find the path specified:
%1
439檔案名稱不能包含任何下列字元:
%1
File name may not contain any of the following characters:
%1
440必須選取一個啟動模式。 A startup mode must be selected.
441無法刪除物件 "%1",因為有個開啟中的視窗正在顯示其內容。
要刪除這個物件的話,關閉該視窗,然後選取 [刪除]。
Object "%1" cannot be deleted because an open window is displaying its properties.
To delete this object, close that window and select "Delete" again.
442設定 %.17s 的成員資格... Configure Membership for %.17s...
443重設帳戶鎖定計數器的時間 Reset account lockout counter after
444設定描述(&P)...
建立這個範本的描述
Set Descri&ption...
Create a description for this template
445描述可能不包含以下任何字元:
%1
Description may not contain any of the following characters:
%1
446範本設定 Template Setting
449請確定您是否有到這個物件的有效權限。 Make sure that you have the right permissions to this object.
450請確定這個物件已經存在。 Make sure that this object exists.
451不可以使用 %1 資料夾。請選擇其他資料夾。 The folder %1 cannot be used. Choose another folder.
452我的電腦 My Computer
453檔案名稱太長。 The file name is too long.
552spolsconcepts.chm::/html/2ff43721-e5fb-4e0c-b1a1-4ee3f414a3b7.htm spolsconcepts.chm::/html/2ff43721-e5fb-4e0c-b1a1-4ee3f414a3b7.htm
697檔案名稱不能只包含任何下列字元:
%1
File name may not only contain any of the following characters:
%1
698%1
此檔名已保留給裝置名稱使用。
請選擇其他名稱。
%1
This file name is a reserved device name.
Choose another name.
699檔案類型不正確。 The file type is not correct.
700您必須是系統管理員群組的成員,才能執行要求的操作。 You must be a member of the Administrators group to perform the requested operation.
701檔名 %1 不正確。
請以正確格式重新輸入檔名,例如 c:\location\file。%2。
The file name %1 is not valid.
Reenter the file name in the correct format, such as c:\location\file.%2.
702帳戶名稱之間無法對應,已經完成安全性識別碼 No mapping between account names and security IDs was done
709為了影響網域帳戶,必須在預設網域原則中定義此設定。 To affect domain accounts, this setting must be defined in default domain policy.
718本機安全性原則 Local Security Policy
740%1%2 %1%2
741%1%2
%3
%1%2
%3
745特殊 Special
753SAM 遠端存取的安全性設定 Security Settings for Remote Access to SAM
754遠端存取 Remote Access
762集中存取原則 Central Access Policy
763套用至檔案系統的集中存取原則 Central Access Policies applied to the file system
764!!不明的原則!!: !!Unknown policy!!:
765%1 %2 %1 %2
1900強制執行密碼歷程記錄

這項安全性設定決定重覆使用舊密碼前,必須與使用者帳戶相關的唯一新密碼數目。此值必須介於 0 和 24 個密碼之間。

這個原則可讓系統管理員藉由確定不再繼續重複使用舊密碼,以增加安全性。

預設值:

在網域控制站上為 24。
在獨立伺服器上為 0。

注意: 依預設,成員電腦會遵循其網域控制站的設定。
為了維護密碼歷程記錄的有效性,請勿允許因為啟用 [密碼最短使用期限] 安全性原則設定而才變更過的密碼,立即再次變更。如需有關「密碼最短使用期限」安全性原則設定的詳細資訊,請參閱「密碼最短使用期限」。
Enforce password history

This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords.

This policy enables administrators to enhance security by ensuring that old passwords are not reused continually.

Default:

24 on domain controllers.
0 on stand-alone servers.

Note: By default, member computers follow the configuration of their domain controllers.
To maintain the effectiveness of the password history, do not allow passwords to be changed immediately after they were just changed by also enabling the Minimum password age security policy setting. For information about the minimum password age security policy setting, see Minimum password age.
1901密碼最長使用期限

這項安全性設定決定系統要求使用者變更密碼之前,密碼可以使用的期限 (天數)。您可以設定密碼在 1 至 999 天之後到期; 或將天數設為 0,表示密碼永遠不會到期。如果「密碼最長使用期限」介於 1 到 999 天之間,則「密碼最短使用期限」不得超過「密碼最長使用期限」的天數。如果「密碼最長使用期限」設定為 0,則「密碼最短使用期限」可以是介於 0 到 998 天之間的任何數值。

注意: 根據您的環境而定,安全性的最佳作法是讓密碼每 30 至 90 天到期。如此一來,攻擊者破解使用者密碼及存取您的網路資源的時間便很有限。

預設值: 42。
Maximum password age

This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the Minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days.

Note: It is a security best practice to have passwords expire every 30 to 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to crack a user's password and have access to your network resources.

Default: 42.
1902密碼最短使用期限

這項安全性設定決定在使用者變更密碼之前,密碼必須使用的期限 (天數)。您可以設定 1 和 998 天之間的值,或設定天數為 0,以允許立即變更。

「密碼最短使用期限」不得超過「密碼最長使用期限」,除非「密碼最長使用期限」設定為 0,表示密碼永遠不會到期。如果「密碼最長使用期限」設定為 0,則「密碼最短使用期限」可以設定為介於 0 到 998 之間的任何數值。

如果您要讓「強制執行密碼歷程記錄」生效,請將「密碼最短使用期限」設為 0 以上。若沒有設定「密碼最短使用期限」,使用者便可重複使用密碼,直到厭倦為止。預設值並未依循此建議,所以系統管理員可為使用者指定密碼,然後在使用者登入時要求變更系統管理員定義的密碼。如果「密碼歷程記錄」設為 0,使用者便不需選擇新密碼。因此,根據預設,[強制執行密碼歷程記錄] 設定為 1。

預設值:

在網域控制站上為 1。
在獨立伺服器上為 0。

注意: 依預設,成員電腦會遵循其網域控制站的設定。
Minimum password age

This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0.

The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.

Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default.

Default:

1 on domain controllers.
0 on stand-alone servers.

Note: By default, member computers follow the configuration of their domain controllers.
1903密碼長度最小值

此安全性設定決定使用者帳戶的密碼可包含的最少字元數。您可以設定介於 1 到 14 個字元之間的值,或是可以將字元數設為 0,如此便不需要密碼。

預設值:

在網域控制站上為 7。
在獨立伺服器上為 0。

注意: 根據預設值,成員電腦會依照所屬網域控制站的設定。
Minimum password length

This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0.

Default:

7 on domain controllers.
0 on stand-alone servers.

Note: By default, member computers follow the configuration of their domain controllers.
1904密碼必須符合複雜性需求

這項安全性設定決定密碼是否必須符合複雜性需求。

如果啟用了此原則,則密碼必須符合下列最小需求:

不包含使用者的帳戶名稱全名中,超過兩個以上的連續字元
長度至少為 6 個字元
包含下列四種字元中的三種:
英文大寫字元 (A 到 Z)
英文小寫字元 (a 到 z)
10 進位數字 (0 到 9)
非英文字母字元 (例如: !、$、#、%)
建立或變更密碼時會強制執行複雜性需求。



預設值:

在網域控制站上為啟用。
在獨立伺服器上為停用。

注意: 根據預設,成員電腦會依循其網域控制站的設定。
Password must meet complexity requirements

This security setting determines whether passwords must meet complexity requirements.

If this policy is enabled, passwords must meet the following minimum requirements:

Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
Be at least six characters in length
Contain characters from three of the following four categories:
English uppercase characters (A through Z)
English lowercase characters (a through z)
Base 10 digits (0 through 9)
Non-alphabetic characters (for example, !, $, #, %)
Complexity requirements are enforced when passwords are changed or created.



Default:

Enabled on domain controllers.
Disabled on stand-alone servers.

Note: By default, member computers follow the configuration of their domain controllers.
1905使用可還原的加密來存放密碼

這項安全性設定決定作業系統是否使用可還原的加密來存放密碼。

此原則支援應用程式使用需要知道使用者密碼來進行驗證的通訊協定。使用可還原的加密來存放密碼,基本上和存放純文字密碼是相同的。基於這個理由,除非應用程式需求比保護密碼資訊重要,否則絕不應該啟用這個原則。

當透過遠端存取或網際網路驗證服務 (IAS) 使用 Challenge-Handshake 驗證通訊協定來驗證時,便需要這項原則。在網際網路資訊服務 (IIS) 中使用摘要式驗證時,也需要這個原則。

預設值: 已停用。
Store passwords using reversible encryption

This security setting determines whether the operating system stores passwords using reversible encryption.

This policy provides support for applications that use protocols that require knowledge of the user's password for authentication purposes. Storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.

This policy is required when using Challenge-Handshake Authentication Protocol (CHAP) authentication through remote access or Internet Authentication Services (IAS). It is also required when using Digest Authentication in Internet Information Services (IIS).

Default: Disabled.
1906帳戶鎖定期間

此安全性設定決定在鎖定帳戶自動解除鎖定之前,還會繼續鎖定的分鐘數。可用的範圍是從 0 分鐘到 99,999 分鐘。如果將帳戶鎖定期間設定為 0,將會繼續鎖定帳戶,直到系統管理員明確將該帳戶解除鎖定。

如果已定義帳戶鎖定閾值,帳戶鎖定期間必須大於或等於重設時間。

預設值: 無,因為只有當指定帳戶鎖定閾值時,此原則設定才有意義。
Account lockout duration

This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it.

If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time.

Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.
1907帳戶鎖定閾值

此安全性設定決定導致使用者帳戶被鎖定的嘗試登入失敗次數。除非由系統管理員重設或該帳戶的鎖定期間已到期,否則無法使用該鎖定帳戶。您可以將失敗的登入嘗試值設定為介於 0 到 999 之間。如果將值設定為 0,將永遠不會鎖定該帳戶。

對使用 CTRL+ALT+DELETE 或受密碼保護的螢幕保護裝置來鎖定的工作站或成員伺服器輸入密碼失敗,也算是失敗的登入嘗試。

預設值: 0。
Account lockout threshold

This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out.

Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts.

Default: 0.
1908重設帳戶鎖定計數器的時間

此安全性設定決定在登入嘗試失敗之後必須經過幾分鐘,才會將失敗的登入嘗試計數器重設為 0 次失敗。可用的範圍是從 1 分鐘到 99,999 分鐘。

如果已定義帳戶鎖定閾值,此重設時間必須小於或等於帳戶鎖定期間。

預設值: 無,因為只有當指定帳戶鎖定閾值時,此原則設定才有意義。
Reset account lockout counter after

This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes.

If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration.

Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.
1909強制執行使用者登入限制

此安全性設定決定 Kerberos V5 金鑰發佈中心 (KDC) 是否會針對使用者帳戶的使用者權限原則,來驗證工作階段票證的每個要求。驗證工作階段票證的每個要求是選用的,因為額外的步驟需要花一些時間,且可能會減緩從網路存取服務的速度。

預設值: 已啟用。
Enforce user logon restrictions

This security setting determines whether the Kerberos V5 Key Distribution Center (KDC) validates every request for a session ticket against the user rights policy of the user account. Validation of each request for a session ticket is optional, because the extra step takes time and it may slow network access to services.

Default: Enabled.
1910服務票證最長存留期

這項安全性設定決定授與的工作階段票證可用來存取特定服務的最長時間 (分鐘)。此設定必須大於 10 分鐘且不大於「使用者票證最長存留期」的設定。

如果用戶端在要求伺服器連線時出示了到期的工作階段票證,伺服器會傳回一則錯誤訊息。用戶端必須向 Kerberos V5 金鑰發佈中心 (KDC) 要求新工作階段票證。不過,一旦連線驗證完畢後,工作階段票證是否有效便不重要。工作階段票證只用來驗證與伺服器的新連線。如果用來驗證連線的工作階段票證在連線期間到期,進行中的作業不會被中斷。

預設值: 600 分鐘 (10 小時)。
Maximum lifetime for service ticket

This security setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. The setting must be greater than 10 minutes and less than or equal to the setting for Maximum lifetime for user ticket.

If a client presents an expired session ticket when it requests a connection to a server, the server returns an error message. The client must request a new session ticket from the Kerberos V5 Key Distribution Center (KDC). Once a connection is authenticated, however, it no longer matters whether the session ticket remains valid. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket that is used to authenticate the connection expires during the connection.

Default: 600 minutes (10 hours).
1911使用者票證最長存留期

此安全性設定決定使用者的票證授權票證 (TGT) 可使用的最長時間 (小時)。

預設值: 10 小時。
Maximum lifetime for user ticket

This security setting determines the maximum amount of time (in hours) that a user's ticket-granting ticket (TGT) may be used.

Default: 10 hours.
1912使用者票證更新的最長存留期

此安全性設定決定使用者的票證授權票證 (TGT) 可能會更新的期間 (天數)。

預設值: 7 天。
Maximum lifetime for user ticket renewal

This security setting determines the period of time (in days) during which a user's ticket-granting ticket (TGT) may be renewed.

Default: 7 days.
1913電腦時鐘同步處理的最大容錯性

此安全性設定決定 Kerberos V5 在用戶端時鐘,及執行 Windows Server 2003 並提供 Kerberos 驗證的網域控制站上的時間之間可容許的最大時間差異 (以分鐘計)。

為防止「重新執行攻擊」,Kerberos V5 使用時間戳記做為其通訊協定定義的一部份。為了讓時間戳記能夠正常運作,網域控制站和伺服器的時鐘必須盡可能同步。也就是說,兩台電腦都必須設成相同的時間和日期。由於兩台電腦的時鐘通常是不同步,因此系統管理員可以使用這個原則,建立用戶端時鐘和網域控制站時鐘之間 Kerberos V5 可接受的最大差異。如果用戶端時鐘和網域控制站時鐘之間的差異小於此原則指定的最大時間差異,則兩台電腦之間工作階段中使用的任何時間戳記就會被視為正確的。

重要

在 Vista 之前的平台上,這個設定不是持續有效。如果您設定此設定,然後重新啟動電腦,則此設定會還原到預設值。

預設值: 5 分鐘。
Maximum tolerance for computer clock synchronization

This security setting determines the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the domain controller running Windows Server 2003 that provides Kerberos authentication.

To prevent "replay attacks," Kerberos V5 uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both computers must be set to the same time and date. Because the clocks of two computers are often out of sync, administrators can use this policy to establish the maximum acceptable difference to Kerberos V5 between a client clock and domain controller clock. If the difference between a client clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any time stamp that is used in a session between the two computers is considered to be authentic.

Important

This setting is not persistent on pre Vista platforms. If you configure this setting and then restart the computer, this setting reverts to the default value.

Default: 5 minutes.
1914稽核帳戶登入事件

此安全性設定決定每次此電腦驗證帳戶的認證時,作業系統是否進行稽核。

只要電腦對權限範圍內的帳戶認證進行驗證時,就會產生登入事件。網域成員與未加入網域的電腦對其本機帳戶都具有權限; 網域控制站對網域中的帳戶都具有權限。認證驗證可支援本機登入,或者,在網域控制站的 Active Directory 網域帳戶案例中,可支援登入其他電腦。認證驗證是無狀態的,因此帳戶登入事件不會有對應的登出事件。

如果定義此原則設定,系統管理員可以指定只稽核成功事件、只稽核失敗事件,或同時稽核兩者,或是不稽核所有事件 (例如不稽核成功或失敗)。

用戶端版本的預設值:

認證驗證: 沒有稽核
Kerberos 服務票證操作: 沒有稽核
其他帳戶登入事件: 沒有稽核
Kerberos 驗證服務: 沒有稽核

伺服器版本的預設值:

認證驗證: 成功
Kerberos 服務票證操作: 成功
其他帳戶登入事件: 沒有稽核
Kerberos 驗證服務: 成功

重要: 如需更多稽核原則的控制,請使用 [進階稽核原則設定] 節點中的設定。如需 [進階稽核原則設定] 的詳細資訊,請參閱 https://go.microsoft.com/fwlink/?LinkId=140969。
Audit account logon events

This security setting determines whether the OS audits each time this computer validates an account’s credentials.

Account logon events are generated whenever a computer validates the credentials of an account for which it is authoritative. Domain members and non-domain-joined machines are authoritative for their local accounts; domain controllers are all authoritative for accounts in the domain. Credential validation may be in support of a local logon, or, in the case of an Active Directory domain account on a domain controller, may be in support of a logon to another computer. Credential validation is stateless so there is no corresponding logoff event for account logon events.

If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures).

Default values on Client editions:

Credential Validation: No Auditing
Kerberos Service Ticket Operations: No Auditing
Other Account Logon Events: No Auditing
Kerberos Authentication Service: No Auditing

Default values on Server editions:

Credential Validation: Success
Kerberos Service Ticket Operations: Success
Other Account Logon Events: No Auditing
Kerberos Authentication Service: Success

Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see https://go.microsoft.com/fwlink/?LinkId=140969.
1915稽核帳戶管理

這項安全性設定決定是否稽核電腦上每一項帳戶管理事件。帳戶管理事件的範例包括:

建立、變更或刪除使用者帳戶或群組。
重新命名、停用或啟用使用者帳戶。
設定或變更密碼。
若定義了此原則設定,便可以指定是否要稽核成功事件、稽核失敗事件或不稽核事件類型。成功稽核會在任何帳戶管理事件成功時產生一個稽核登錄。失敗稽核則在任何帳戶管理事件失敗時產生稽核登錄。若要將此值設為 [沒有稽核],請在此原則設定的 [內容] 對話方塊中,選取 [定義這些原則設定值] 核取方塊,再清除 [成功] 及 [失敗] 核取方塊。

用戶端版本的預設值:

使用者帳戶管理: 成功
電腦帳戶管理: 沒有稽核
安全性群組管理: 成功
發佈群組管理: 沒有稽核
應用程式群組管理: 沒有稽核
其他帳戶管理事件: 沒有稽核

伺服器版本的預設值:

使用者帳戶管理: 成功
電腦帳戶管理: 成功
安全性群組管理: 成功
發佈群組管理: 沒有稽核
應用程式群組管理: 沒有稽核
其他帳戶管理事件: 沒有稽核

重要: 如需更多稽核原則的控制,請使用 [進階稽核原則設定] 節點中的設定。如需 [進階稽核原則設定] 的詳細資訊,請參閱 https://go.microsoft.com/fwlink/?LinkId=140969。
Audit account management

This security setting determines whether to audit each event of account management on a computer. Examples of account management events include:

A user account or group is created, changed, or deleted.
A user account is renamed, disabled, or enabled.
A password is set or changed.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when any account management event succeeds. Failure audits generate an audit entry when any account management event fails. To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.

Default values on Client editions:

User Account Management: Success
Computer Account Management: No Auditing
Security Group Management: Success
Distribution Group Management: No Auditing
Application Group Management: No Auditing
Other Account Management Events: No Auditing

Default values on Server editions:

User Account Management: Success
Computer Account Management: Success
Security Group Management: Success
Distribution Group Management: No Auditing
Application Group Management: No Auditing
Other Account Management Events: No Auditing

Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see https://go.microsoft.com/fwlink/?LinkId=140969.
1916稽核目錄服務存取

此安全性設定決定系統在使用者嘗試存取 Active Directory 物件時是否進行稽核。只有已指定系統存取控制清單 (SACL) 的物件,以及要求的存取類型 (例如寫入、讀取或修改) 和發出要求的帳戶符合 SACL 的設定時,才會產生稽核。

系統管理員可以指定只稽核成功事件、只稽核失敗事件,或同時稽核兩者,或是不稽核所有事件 (例如不稽核成功或失敗)。

如果啟用 [成功] 稽核,則任何帳戶成功存取已指定相符之 SACL 的 Directory 物件時,就會產生稽核登錄。

如果啟用 [失敗] 稽核,則任何使用者無法成功存取已指定相符之 SACL 的 Directory 物件時,就會產生稽核登錄。

用戶端版本的預設值:

目錄服務存取: 沒有稽核
目錄服務變更: 沒有稽核
目錄服務複寫: 沒有稽核
詳細目錄服務複寫: 沒有稽核

伺服器版本的預設值:

目錄服務存取: 成功
目錄服務變更: 沒有稽核
目錄服務複寫: 沒有稽核
詳細目錄服務複寫: 沒有稽核

重要: 如需更多稽核原則的控制,請使用 [進階稽核原則設定] 節點中的設定。如需 [進階稽核原則設定] 的詳細資訊,請參閱 https://go.microsoft.com/fwlink/?LinkId=140969。
Audit directory service access

This security setting determines whether the OS audits user attempts to access Active Directory objects. Audit is only generated for objects that have system access control lists (SACL) specified, and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL.

The administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures).

If Success auditing is enabled, an audit entry is generated each time any account successfully accesses a Directory object that has a matching SACL specified.

If Failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a Directory object that has a matching SACL specified.

Default values on Client editions:

Directory Service Access: No Auditing
Directory Service Changes: No Auditing
Directory Service Replication: No Auditing
Detailed Directory Service Replication: No Auditing

Default values on Server editions:

Directory Service Access: Success
Directory Service Changes: No Auditing Directory
Service Replication: No Auditing
Detailed Directory Service Replication: No Auditing

Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see https://go.microsoft.com/fwlink/?LinkId=140969.
1917稽核登入事件

此安全性設定決定使用者嘗試登入或登出此電腦時,作業系統是否進行稽核。

只要登入的使用者帳戶登入工作階段終止,便會產生登出事件。如果定義此原則設定,系統管理員可以指定只稽核成功事件、只稽核失敗事件,或同時稽核兩者,或是不稽核所有事件 (例如不稽核成功或失敗)。

用戶端版本的預設值:

登入: 成功
登出: 成功
帳戶鎖定: 成功
IPsec 主要模式: 沒有稽核
IPsec 快速模式: 沒有稽核
IPsec 延伸模式: 沒有稽核
特殊登入: 成功
其他登入/登出事件: 沒有稽核
網路原則伺服器: 成功、失敗

伺服器版本的預設值:
登入: 成功、失敗
登出: 成功
帳戶鎖定: 成功
IPsec 主要模式: 沒有稽核
IPsec 快速模式: 沒有稽核
IPsec 延伸模式: 沒有稽核
特殊登入: 成功
其他登入/登出事件: 沒有稽核
網路原則伺服器: 成功、失敗

重要: 如需更多稽核原則的控制,請使用 [進階稽核原則設定] 節點中的設定。如需 [進階稽核原則設定] 的詳細資訊,請參閱 https://go.microsoft.com/fwlink/?LinkId=140969。
Audit logon events

This security setting determines whether the OS audits each instance of a user attempting to log on to or to log off to this computer.

Log off events are generated whenever a logged on user account's logon session is terminated. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures).

Default values on Client editions:

Logon: Success
Logoff: Success
Account Lockout: Success
IPsec Main Mode: No Auditing
IPsec Quick Mode: No Auditing
IPsec Extended Mode: No Auditing
Special Logon: Success
Other Logon/Logoff Events: No Auditing
Network Policy Server: Success, Failure

Default values on Server editions:
Logon: Success, Failure
Logoff: Success
Account Lockout: Success
IPsec Main Mode: No Auditing
IPsec Quick Mode: No Auditing
IPsec Extended Mode: No Auditing
Special Logon: Success
Other Logon/Logoff Events: No Auditing
Network Policy Server: Success, Failure

Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see https://go.microsoft.com/fwlink/?LinkId=140969.
1918稽核物件存取

此安全性設定決定使用者嘗試存取非 Active Directory 物件時,作業系統是否進行稽核。只有已指定系統存取控制清單 (SACL) 的物件,以及要求的存取類型 (例如寫入、讀取或修改) 和發出要求的帳戶符合 SACL 的設定時,才會產生稽核。

系統管理員可以指定只稽核成功事件、只稽核失敗事件,或同時稽核兩者,或是不稽核所有事件 (例如不稽核成功或失敗)。

如果啟用 [成功] 稽核,則任何帳戶成功存取已指定相符之 SACL 的非 Directory 物件時,就會產生稽核登錄。

如果啟用 [失敗] 稽核,則任何使用者無法成功存取已指定相符之 SACL 的非 Directory 物件時,就會產生稽核登錄。

注意,您可以使用物件 [內容] 對話方塊中的 [安全性] 索引標籤來設定檔案系統物件的 SACL。

預設值: 沒有稽核。

重要: 如需更多稽核原則的控制,請使用 [進階稽核原則設定] 節點中的設定。如需 [進階稽核原則設定] 的詳細資訊,請參閱 https://go.microsoft.com/fwlink/?LinkId=140969。
Audit object access

This security setting determines whether the OS audits user attempts to access non-Active Directory objects. Audit is only generated for objects that have system access control lists (SACL) specified, and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL.

The administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures).

If Success auditing is enabled, an audit entry is generated each time any account successfully accesses a non-Directory object that has a matching SACL specified.

If Failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a non-Directory object that has a matching SACL specified.

Note that you can set a SACL on a file system object using the Security tab in that object's Properties dialog box.

Default: No auditing.

Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see https://go.microsoft.com/fwlink/?LinkId=140969.
1919稽核原則變更

此安全性設定決定每次嘗試變更使用者權限指派原則、稽核原則、帳戶原則或信任原則時,作業系統是否進行稽核。

系統管理員可以指定只稽核成功事件、只稽核失敗事件,或同時稽核兩者,或是不稽核所有事件 (例如不稽核成功或失敗)。

如果啟用 [成功] 稽核,則嘗試變更使用者權限指派原則、稽核原則或信任原則成功後,便會產生稽核登錄。

如果啟用 [失敗] 稽核,則未獲授權可變更要求之原則的帳戶在嘗試變更使用者權限指派原則、稽核原則或信任原則時,就會產生稽核登錄。

預設值:

稽核原則變更: 成功
驗證原則變更: 成功
授權原則變更: 沒有稽核
MPSSVC 規則層級原則變更: 沒有稽核
篩選平台原則變更: 沒有稽核
其他原則變更事件: 沒有稽核

重要: 如需更多稽核原則的控制,請使用 [進階稽核原則設定] 節點中的設定。如需 [進階稽核原則設定] 的詳細資訊,請參閱 https://go.microsoft.com/fwlink/?LinkId=140969。
Audit policy change

This security setting determines whether the OS audits each instance of attempts to change user rights assignment policy, audit policy, account policy, or trust policy.

The administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures).

If Success auditing is enabled, an audit entry is generated when an attempted change to user rights assignment policy, audit policy, or trust policy is successful.

If Failure auditing is enabled, an audit entry is generated when an attempted change to user rights assignment policy, audit policy, or trust policy is attempted by an account that is not authorized to make the requested policy change.

Default:

Audit Policy Change: Success
Authentication Policy Change: Success
Authorization Policy Change: No Auditing
MPSSVC Rule-Level Policy Change: No Auditing
Filtering Platform Policy Change: No Auditing
Other Policy Change Events: No Auditing

Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see https://go.microsoft.com/fwlink/?LinkId=140969.
1920稽核特殊權限使用

這項安全性設定決定是否稽核履行使用者權限的每一個使用者執行個體。

如果定義了此原則設定,便可以指定是否要稽核成功事件、稽核失敗事件或完全不稽核這類型的事件。成功稽核會在履行使用者權限成功時產生一個稽核登錄。失敗稽核則在履行使用者權限失敗時產生稽核登錄。

若要將此值設為 [沒有稽核],請在此原則設定的 [內容] 對話方塊中,選取 [定義這些原則設定值] 核取方塊,再清除 [成功] 及 [失敗] 核取方塊。

預設值: [沒有稽核]。

即使成功稽核或失敗稽核指定為 [稽核特殊權限使用],使用下列使用者權限時也不會產生稽核。啟用這些使用者權限的稽核,會在安全性記錄檔中產生許多事件,而妨礙您電腦的效能。若要稽核下列使用者權限,請啟用 FullPrivilegeAuditing 登錄機碼。

略過周遊檢查
程式偵錯
建立權杖物件
更換處理層權杖
產生安全性稽核
備份檔案及目錄
還原檔案及目錄

警告

不正確地編輯登錄將會對系統造成嚴重的損害。在變更登錄前,您應先備份電腦上任何有價值的資料。

重要: 如需更多稽核原則的控制,請使用 [進階稽核原則設定] 節點中的設定。如需 [進階稽核原則設定] 的詳細資訊,請參閱 https://go.microsoft.com/fwlink/?LinkId=140969。
Audit privilege use

This security setting determines whether to audit each instance of a user exercising a user right.

If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit this type of event at all. Success audits generate an audit entry when the exercise of a user right succeeds. Failure audits generate an audit entry when the exercise of a user right fails.

To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.

Default: No auditing.

Audits are not generated for use of the following user rights, even if success audits or failure audits are specified for Audit privilege use. Enabling auditing of these user rights tend to generate many events in the security log which may impede your computer's performance. To audit the following user rights, enable the FullPrivilegeAuditing registry key.

Bypass traverse checking
Debug programs
Create a token object
Replace process level token
Generate security audits
Back up files and directories
Restore files and directories

Caution

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see https://go.microsoft.com/fwlink/?LinkId=140969.
1921稽核程序追蹤

此安全性設定決定作業系統是否稽核程序相關事件,例如程序建立、程序終止、控制碼重複和間接物件存取。

如果定義此原則設定,系統管理員可以指定只稽核成功事件、只稽核失敗事件,或同時稽核兩者,或是不稽核所有事件 (例如不稽核成功或失敗)。

如果啟用 [成功] 稽核,則每次作業系統執行上述程序相關活動時,就會產生稽核登錄。

如果啟用 [失敗] 稽核,則每次作業系統執行上述活動失敗時,就會產生稽核登錄。

預設值: 沒有稽核

重要: 如需更多稽核原則的控制,請使用 [進階稽核原則設定] 節點中的設定。如需 [進階稽核原則設定] 的詳細資訊,請參閱 https://go.microsoft.com/fwlink/?LinkId=140969。
Audit process tracking

This security setting determines whether the OS audits process-related events such as process creation, process termination, handle duplication, and indirect object access.

If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures).

If Success auditing is enabled, an audit entry is generated each time the OS performs one of these process-related activities.

If Failure auditing is enabled, an audit entry is generated each time the OS fails to perform one of these activities.

Default: No auditing\r

Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see https://go.microsoft.com/fwlink/?LinkId=140969.
1922稽核系統事件

此安全性設定決定作業系統是否稽核下列任一事件:

• 嘗試變更系統時間
• 嘗試啟動或關閉安全性系統
• 嘗試載入可延伸的驗證元件
• 因為稽核系統失敗而遺失稽核的事件
• 安全性記錄檔大小超過可設定的警告閾值等級。

如果定義此原則設定,系統管理員可以指定只稽核成功事件、只稽核失敗事件,或同時稽核兩者,或是不稽核所有事件 (例如不稽核成功或失敗)。

如果啟用 [成功] 稽核,則每次作業系統成功執行上述活動時,就會產生稽核登錄。

如果啟用 [失敗] 稽核,則每次作業系統嘗試執行上述活動失敗時,就會產生稽核登錄。

預設值:
安全性狀態變更 成功
安全性系統延伸 沒有稽核
系統完整性 成功、失敗
IPsec 驅動程式 沒有稽核
其他系統事件 成功、失敗

重要: 如需更多稽核原則的控制,請使用 [進階稽核原則設定] 節點中的設定。如需 [進階稽核原則設定] 的詳細資訊,請參閱 https://go.microsoft.com/fwlink/?LinkId=140969。
Audit system events

This security setting determines whether the OS audits any of the following events:

• Attempted system time change
• Attempted security system startup or shutdown
• Attempt to load extensible authentication components
• Loss of audited events due to auditing system failure
• Security log size exceeding a configurable warning threshold level.

If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures).

If Success auditing is enabled, an audit entry is generated each time the OS performs one of these activities successfully.

If Failure auditing is enabled, an audit entry is generated each time the OS attempts and fails to perform one of these activities.

Default:
Security State Change Success
Security System Extension No Auditing
System Integrity Success, Failure
IPsec Driver No Auditing
Other System Events Success, Failure

Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see https://go.microsoft.com/fwlink/?LinkId=140969.
1923從網路存取這台電腦

此使用者權限決定允許哪些使用者及群組透過網路連線到這台電腦。遠端桌面服務不受此使用者權限的影響。

注意: 遠端桌面服務在舊版的 Windows Server 中稱為「終端機服務」。

在工作站及伺服器上的預設值:
Administrators
Backup Operators
Users
Everyone

在網域控制站上的預設值:
Administrators
Authenticated Users
Enterprise Domain Controllers
Everyone
Pre-Windows 2000 Compatible Access
Access this computer from the network

This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.

Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.

Default on workstations and servers:
Administrators
Backup Operators
Users
Everyone

Default on domain controllers:
Administrators
Authenticated Users
Enterprise Domain Controllers
Everyone
Pre-Windows 2000 Compatible Access
1924當成作業系統的一部分

此使用者權限可讓處理程序模擬任何使用者,而無需驗證。因此處理程序就可以取得與該使用者相同的本機資源存取權。

需要此特殊權限的處理程序應使用 LocalSystem 帳戶 (其已包括此特殊權限),而不應使用其他特別指派此特殊權限的使用者帳戶。如果您的組織僅使用 Windows Server 2003 系列成員的伺服器,則您無需將此特殊權限指派給使用者。不過,如果您的組織使用執行 Windows 2000 或 Windows NT 4.0 的伺服器,則您可能需要指派此特殊權限,以使用以純文字交換密碼的應用程式。

警告

指派此使用者權限可能會危及安全性。請僅將此使用者權限指派給信任的使用者。

預設值: 無。
Act as part of the operating system

This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.

Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. If your organization only uses servers that are members of the Windows Server 2003 family, you do not need to assign this privilege to your users. However, if your organization uses servers running Windows 2000 or Windows NT 4.0, you might need to assign this privilege to use applications that exchange passwords in plaintext.

Caution

Assigning this user right can be a security risk. Only assign this user right to trusted users.

Default: None.
1925將工作站新增至網域

此安全性設定決定哪些群組或使用者可將工作站新增至網域。

此安全性設定只在網域控制站有效。任何已驗證的使用者預設都有這個權限,而且最多可在網域內建立 10 個電腦帳戶。

將電腦帳戶新增到網域,可讓電腦參與 Active Directory 為主的網路功能。例如,將工作站加入網域,可讓該工作站辨識 Active Directory 中的帳戶和群組。

預設值: 網域控制站上的已驗證使用者。

注意: 在 Active Directory 電腦容器中擁有 [建立電腦物件] 特殊權限的使用者,也可以在網域中建立電腦帳戶。不同的是,容器上具有權限的使用者不會受到只能建立 10 個電腦帳戶的限制。此外,利用 [將工作站新增至網域] 所建立的電腦帳戶將網域系統管理員當作電腦帳戶擁有者,而利用電腦容器權限所建立的電腦帳戶將建立者當作電腦帳戶擁有者。如果使用者擁有容器權限,也擁有 [將工作站新增至網域] 使用者權限,則會根據電腦容器權限來新增電腦,而非根據使用者權限。

Add workstations to domain

This security setting determines which groups or users can add workstations to a domain.

This security setting is valid only on domain controllers. By default, any authenticated user has this right and can create up to 10 computer accounts in the domain.

Adding a computer account to the domain allows the computer to participate in Active Directory-based networking. For example, adding a workstation to a domain enables that workstation to recognize accounts and groups that exist in Active Directory.

Default: Authenticated Users on domain controllers.

Note: Users who have the Create Computer Objects permission on the Active Directory computers container can also create computer accounts in the domain. The distinction is that users with permissions on the container are not restricted to the creation of only 10 computer accounts. In addition, computer accounts that are created by means of Add workstations to domain have Domain Administrators as the owner of the computer account, while computer accounts that are created by means of permissions on the computers container have the creator as the owner of the computer account. If a user has permissions on the container and also has the Add workstations to domain user right, the computer is added, based on the computer container permissions rather than on the user right.

1926調整處理程序的記憶體配額

此特殊權限決定能變更處理程序可使用的最大記憶體的人員。

此使用者權限定義在 [預設網域控制站群組原則] 物件 (GPO) 及工作站、伺服器的本機安全性原則中。

注意: 此特殊權限有助於系統調整,但可能會被濫用,例如拒絕服務的攻擊。

預設值: Administrators
Local Service
Network Service。

Adjust memory quotas for a process

This privilege determines who can change the maximum memory that can be consumed by a process.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Note: This privilege is useful for system tuning, but it can be misused, for example, in a denial-of-service attack.

Default: Administrators
Local Service
Network Service.

1927本機登入

決定哪些使用者可以登入電腦。

重要

修改此設定可能會影響用戶端、服務和應用程式的相容性。如需此設定的相容性資訊,請參閱 Microsoft 網站上的「允許本機登入」(https://go.microsoft.com/fwlink/?LinkId=24268 )。

預設值:

• 在工作站與伺服器上: Administrators、Backup Operators、Power Users、Users 與 Guest。
• 在網域控制站上: Account Operators、Administrators、Backup Operators 和 Print Operators。
Log on locally

Determines which users can log on to the computer.

Important

Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website.

Default:

• On workstations and servers: Administrators, Backup Operators, Power Users, Users, and Guest.
• On domain controllers: Account Operators, Administrators, Backup Operators, and Print Operators.
1928允許透過遠端桌面服務登入

此安全性設定決定哪些使用者或群組擁有以遠端桌面服務用戶端登入的權限。

預設值:

在工作站及伺服器上: Administrators、Remote Desktop Users。
在網域控制站上: Administrators。

重要

此設定對於尚未升級至 Service Pack 2 的 Windows 2000 電腦沒有任何影響。

Allow log on through Remote Desktop Services

This security setting determines which users or groups have permission to log on as a Remote Desktop Services client.

Default:

On workstation and servers: Administrators, Remote Desktop Users.
On domain controllers: Administrators.

Important

This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2.

1929備份檔案及目錄

此使用者權限決定哪些使用者可以出於備份系統的目的,略過檔案及目錄、登錄及其他持續物件權限。

具體而言,此使用者權限類似於將系統上所有檔案及資料夾的下列權限授與相關的使用者或群組:

周遊資料夾/執行檔案
列出資料夾/讀取資料
讀取屬性
讀取擴充屬性
讀取權限

警告

指派此使用者權限可能會危及安全性。由於沒有方法可確定使用者是否正在備份資料、竊取資料或複製要發行的資料,因此請只將此使用者權限指派給受信任的使用者。

在工作站及伺服器上的預設值: Administrators
Backup Operators。

在網域控制站上的預設值:Administrators
Backup Operators
Server Operators

Back up files and directories

This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.

Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:

Traverse Folder/Execute File
List Folder/Read Data
Read Attributes
Read Extended Attributes
Read Permissions

Caution

Assigning this user right can be a security risk. Since there is no way to be sure that a user is backing up data, stealing data, or copying data to be distributed, only assign this user right to trusted users.

Default on workstations and servers: Administrators
Backup Operators.

Default on domain controllers:Administrators
Backup Operators
Server Operators

1930略過周遊檢查

此使用者權限決定哪些使用者即使沒有周遊目錄的權限,也能夠周遊目錄樹狀結構。此特殊權限不允許使用者列出目錄的內容,而只能周遊目錄。

此使用者權限定義在 [預設網域控制站群組原則] 物件 (GPO) 及工作站、伺服器的本機安全性原則中。

在工作站及伺服器上的預設值:
Administrators
Backup Operators
Users
Everyone
Local Service
Network Service

在網域控制站上的預設值:
Administrators
Authenticated Users
Everyone
Local Service
Network Service
Pre-Windows 2000 Compatible Access

Bypass traverse checking

This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Default on workstations and servers:
Administrators
Backup Operators
Users
Everyone
Local Service
Network Service

Default on domain controllers:
Administrators
Authenticated Users
Everyone
Local Service
Network Service
Pre-Windows 2000 Compatible Access

1931變更系統時間

此使用者權限決定哪些使用者和群組能夠變更電腦內部時鐘的時間和日期。已指派此使用者權限的使用者可決定事件記錄檔的外觀。如果系統時間遭到變更,記錄的事件將會反映出新的時間,而非事件發生的實際時間。

此使用者權限定義在 [預設網域控制站群組原則] 物件 (GPO) 及工作站、伺服器的本機安全性原則中。

在工作站及伺服器上的預設值:
Administrators
Local Service

在網域控制站上的預設值:
Administrators
Server Operators
Local Service

Change the system time

This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Default on workstations and servers:
Administrators
Local Service

Default on domain controllers:
Administrators
Server Operators
Local Service

1932建立分頁檔

此使用者權限決定哪些使用者及群組能夠呼叫內部應用程式開發介面 (API) 來建立分頁檔及變更其大小。此使用者權限是由作業系統內部使用且通常不需要指派給任何使用者。

如需有關如何為指定的磁碟機指定分頁檔大小的詳細資訊,請參閱「變更虛擬記憶體分頁檔的大小」。

預設值: Administrators。

Create a pagefile

This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users.

For information about how to specify a paging file size for a given drive, see To change the size of the virtual memory paging file.

Default: Administrators.

1933建立權杖物件

此安全性設定決定處理程序可使用哪些帳戶來建立權杖,然後在處理程序使用內部應用程式開發介面 (API) 來建立存取權杖時,用以取得任何本機資源的存取權。

此使用者權限是由作業系統內部使用。除非有此必要,否則不要將此使用者權限指派給 Local System 以外的使用者、群組或處理程序。

警告

指派此使用者權限可能會危及安全性。不要將此使用者權限指派給不想由其掌控系統的任何使用者、群組或處理程序。
預設值: 無。

Create a token object

This security setting determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token.

This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System.

Caution

Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
Default: None

1934建立全域物件

此安全性設定決定使用者是否可以建立所有工作階段可用的全域物件。如果使用者沒有此使用者權限,仍然可以建立自己工作階段專用的物件。可以建立全域物件的使用者可能會影響其他使用者工作階段的程序,因而可能導致應用程式失敗或資料損毀。

警告

指派此使用者權限可能會危及安全性。請只將此使用者權限指派給信任的使用者。

預設值:

Administrators
Local Service
Network Service
Service
Create global objects

This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption.

Caution

Assigning this user right can be a security risk. Assign this user right only to trusted users.

Default:

Administrators
Local Service
Network Service
Service
1935建立永久共用物件

此使用者權限決定哪些帳戶處理程序可以使用物件管理員來建立目錄物件。

此使用者權限是由作業系統內部使用,且有助於延伸物件命名空間。因為此使用者權限已經指派給在核心模式下執行的元件,所以不需要特別指派。

預設值: 無。
Create permanent shared objects

This user right determines which accounts can be used by processes to create a directory object using the object manager.

This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kernel mode already have this user right assigned to them, it is not necessary to specifically assign it.

Default: None.
1936偵錯程式

此使用者權限決定哪些使用者可將偵錯工具附加到任何處理程序或核心。不需要將此使用者權限指派給對自行開發的應用程式進行偵錯的開發人員。但開發人員需要此使用者權限,才能對新的系統元件進行偵錯。此使用者權限可對機密且關鍵的作業系統元件提供完整存取權。

警告

指派此使用者權限可能會危及安全性。只將此使用者權限指派給信任的使用者。

預設值: Administrators
Debug programs

This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components.

Caution

Assigning this user right can be a security risk. Only assign this user right to trusted users.

Default: Administrators
1937拒絕從網路存取這台電腦

此安全性設定決定會阻止哪些使用者從網路存取電腦。此原則設定會取代 [從網路存取這台電腦] 原則設定,如果使用者帳戶同時受限於這兩種原則。

預設值: Guest
Deny access to this computer from the network

This security setting determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.

Default: Guest
1938拒絕以批次工作登入

此安全性設定決定會阻止哪些帳戶以批次工作登入。此原則設定會取代 [以批次工作登入] 原則設定,如果使用者帳戶同時受限於這兩種原則。

預設值: 無。

Deny log on as a batch job

This security setting determines which accounts are prevented from being able to log on as a batch job. This policy setting supersedes the Log on as a batch job policy setting if a user account is subject to both policies.

Default: None.

1939拒絕以服務方式登入

此安全性設定決定會阻止哪些服務帳戶以服務方式登錄處理程序。此原則設定會取代 [以服務方式登入] 原則設定,如果帳戶同時受限於這兩種原則。

注意: 此安全性設定不適用於 System、Local Service 或 Network Service 帳戶。

預設值: 無。
Deny log on as a service

This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies.

Note: This security setting does not apply to the System, Local Service, or Network Service accounts.

Default: None.
1940拒絕本機登入

此安全性設定決定會阻止哪些使用者登入電腦。此原則設定會取代 [允許本機登入] 原則設定,如果帳戶同時受限於這兩種原則。

重要

如果將此安全性原則套用到 Everyone 群組,將無人能夠登入本機。

預設值: 無。
Deny log on locally

This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.

Important

If you apply this security policy to the Everyone group, no one will be able to log on locally.

Default: None.
1941拒絕透過遠端桌面服務登入

此安全性設定決定會禁止哪些使用者及群組以遠端桌面服務用戶端登入。

預設值: 無。

重要

此設定對於尚未升級至 Service Pack 2 的 Windows 2000 電腦沒有任何影響。
Deny log on through Remote Desktop Services

This security setting determines which users and groups are prohibited from logging on as a Remote Desktop Services client.

Default: None.

Important

This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2.
1942讓電腦及使用者帳戶受信賴,以進行委派

此安全性設定決定哪些使用者可以在使用者或電腦物件上設定 [信任委派] 設定。

擁有此特殊權限的使用者或物件,亦須擁有對使用者或電腦物件之帳戶控制旗標的寫入存取權。在被信任以便進行委派的電腦上 (或在使用者環境下),所執行的伺服器處理程序可透過用戶端的委派認證來存取另一台電腦的資源,前提是用戶端帳戶不能有 [無法委派帳戶] 帳戶控制旗標設定。

此使用者權限會定義在 [預設網域控制站群組原則] 物件 (GPO) 及工作站、伺服器的本機安全性原則中。

警告

濫用此使用者權限或 [信任委派] 設定,會造成網路非常容易受到特洛伊木馬程式的攻擊; 此程式會模擬連入用戶端,並使用其認證,取得對網路資源的存取權。

預設值: 在網域控制站上為 Administrators。
Enable computer and user accounts to be trusted for delegation

This security setting determines which users can set the Trusted for Delegation setting on a user or computer object.

The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Caution

Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.

Default: Administrators on domain controllers.
1943強制從遠端系統進行關閉

此安全性設定決定哪些使用者能夠從網路上的遠端位置將電腦關機。濫用此使用者權限會造成拒絕服務。

此使用者權限定義在 [預設網域控制站群組原則] 物件 (GPO) 及工作站、伺服器的本機安全性原則中。

預設值:

在工作站及伺服器上: Administrators。
在網域控制站上: Administrators、Server Operators。
Force shutdown from a remote system

This security setting determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

Default:

On workstations and servers: Administrators.
On domain controllers: Administrators, Server Operators.
1944產生安全性稽核

此安全性設定決定處理程序可使用哪些帳戶將項目新增到安全性記錄。此安全性記錄檔是用來追蹤未經授權的系統存取。如果啟用 [稽核: 當無法記錄安全性稽核時,系統立即關機] 安全性原則設定,濫用此使用者權限會導致產生許多稽核事件、可能會隱藏攻擊的辨識項,或造成拒絕服務。如需其他資訊,請參閱「稽核: 當無法記錄安全性稽核時,系統立即關機」。

預設值: Local Service
Network Service。
Generate security audits

This security setting determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service if the Audit: Shut down system immediately if unable to log security audits security policy setting is enabled. For more information see Audit: Shut down system immediately if unable to log security audits

Default: Local Service
Network Service.
1945在驗證後模擬用戶端

將此特殊權限指定給使用者可讓代表該使用者執行的程式模擬用戶端。要求此使用者權限以進行此類模擬,可防止未經授權的使用者說服用戶端連接 (例如,透過遠端程序呼叫 (RPC) 或具名管道) 至他們所建立的服務然後模擬該用戶端,進而避免將未授權使用者的權限提升到管理或系統層級。

警告

指派此使用者權限可能會危及安全性。請僅將此使用者權限指派給信任的使用者。

預設值:

Administrators
Local Service
Network Service
Service

注意: 依預設,由「服務控制管理員」啟動的服務會將內建的 Service 群組加入其存取權杖。由 COM 基礎結構所啟動且設定在特定的帳戶下執行的元件物件模型 (COM) 伺服器在其存取權杖中也新增有 Service 群組。結果是這些服務會在啟動的時候取得此使用者的權利。

此外,使用者也可在有下列任一情況時模擬存取權杖:

要模擬的存取權杖屬於此使用者。
在此登入工作階段中的使用者以明確的認證登入網路來建立存取權杖。
要求的層級比模擬的低,例如「匿名」或「身分識別」。
基於這些因素,使用者通常不需要此使用者權限。

如需相關資訊,請在 Microsoft Platform SDK 中搜尋 "SeImpersonatePrivilege"。

警告

如果您啟用這個設定,先前具有「模擬」特殊權限的應用程式可能會遺失該權限,並且可能無法執行。
Impersonate a client after authentication

Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels.

Caution

Assigning this user right can be a security risk. Only assign this user right to trusted users.

Default:

Administrators
Local Service
Network Service
Service

Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started.

In addition, a user can also impersonate an access token if any of the following conditions exist.

The access token that is being impersonated is for this user.
The user, in this logon session, created the access token by logging on to the network with explicit credentials.
The requested level is less than Impersonate, such as Anonymous or Identify.
Because of these factors, users do not usually need this user right.

For more information, search for "SeImpersonatePrivilege" in the Microsoft Platform SDK.

Warning

If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
1946增加排程優先順序

此安全性設定決定哪些帳戶能使用具有寫入內容的處理程序存取其他處理程序,來增加指派給其他處理程序的執行優先順序。具有此特殊權限的使用者能夠透過 [工作管理員] 使用者介面來變更處理程序的排程優先順序。

預設值: Administrators。
Increase scheduling priority

This security setting determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.

Default: Administrators.
1947載入及解除載入裝置驅動程式。

此使用者權限決定哪些使用者能在核心模式中動態載入和解除載入裝置驅動程式或其他程式碼。此使用者權限不適用於隨插即用裝置驅動程式。建議您不要將此特殊權限指派給其他使用者。

警告

指派此使用者權限可能會危及安全性。不要將此使用者權限指派給不想由其掌控系統的任何使用者、群組或處理程序。

在工作站及伺服器上的預設值: Administrators。

在網域控制站上的預設值:
Administrators
Print Operators
Load and unload device drivers

This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users.

Caution

Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.

Default on workstations and servers: Administrators.

Default on domain controllers:
Administrators
Print Operators
1948鎖定記憶體中的分頁

此安全性設定決定哪些使用者能使用處理程序來保留實體記憶體中的資料,阻止系統將資料分頁到磁碟上的虛擬記憶體。履行此特殊權限會降低可用的隨機存取記憶體 (RAM) 數量,而對系統效能造成顯著影響。

預設值: 無。
Lock pages in memory

This security setting determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).

Default: None.
1949以批次工作登入

此安全性設定允許使用者以批次佇列設備登入,且僅提供與舊版 Windows 相容之用。

例如,當使用者以工作排程器提交工作時,工作排程器會以批次使用者登入該使用者,而不是互動式使用者。


預設值: Administrators
Backup Operators。
Log on as a batch job

This security setting allows a user to be logged on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows.

For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user.


Default: Administrators
Backup Operators.
1950以服務方式登入

此安全性設定可以允許安全性主體以服務方式登入。服務可以設定成以 Local System、Local Service 或 Network Service 帳戶執行,這些帳戶具有內建權限可以服務方式登入。任何以個別的使用者帳戶執行的服務都必須被指派此權限。

預設值: 無。
Log on as a service

This security setting allows a security principal to log on as a service. Services can be configured to run under the Local System, Local Service, or Network Service accounts, which have a built in right to log on as a service. Any service that runs under a separate user account must be assigned the right.

Default setting: None.
1951管理稽核及安全性記錄檔

此安全設定決定哪些使用者能夠指定個別資源 (例如檔案、Active Directory 物件和登錄機碼) 的物件存取稽核選項。

此安全性設定不允許使用者啟用檔案和物件存取稽核。如需啟用這類稽核,便必須設定 [電腦設定\Windows 設定\安全性設定\本機原則\稽核原則] 中的 [稽核物件存取] 設定。

您可以在事件檢視器的安全性記錄檔中檢視稽核的事件。具有此特殊權限的使用者也可以檢視和清除安全性記錄檔。

預設值: Administrators。
Manage auditing and security log

This security setting determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.

This security setting does not allow a user to enable file and object access auditing in general. For such auditing to be enabled, the Audit object access setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policies must be configured.

You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.

Default: Administrators.
1952修改韌體環境值

此安全性設定決定何人可以修改韌體環境值。韌體環境變數是存放在非 x86 型電腦之非揮發性 RAM 中的設定。設定的效果需視處理器而定。

在 x86 型電腦上,可以透過指派這個使用者權限而修改的唯一韌體環境值是「上次的正確設定」,而這應該只由系統修改。
在 Itanium 型電腦上,開機資訊是儲存在非揮發性 RAM 中。必須將此使用者權限指派給使用者,使用者才能執行 bootcfg.exe 及變更 [系統內容] 中 [啟動及修復] 上的 [預設作業系統] 設定。
在所有的電腦上,安裝或升級 Windows 都需要此使用者權限。

注意: 這項安全性設定不會影響能修改系統環境變數及使用者環境變數 (位於 [系統內容] 的 [進階] 索引標籤) 的使用者。如需如何修改這些變數的相關資訊,請參閱「新增或變更環境變數值」。

預設值: Administrators。
Modify firmware environment values

This security setting determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.

On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system.
On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties.
On all computers, this user right is required to install or upgrade Windows.

Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. For information about how to modify these variables, see To add or change the values of environment variables.

Default: Administrators.
1953執行磁碟區維護工作

此安全性設定決定哪些使用者及群組能在磁碟區上執行維護工作,例如遠端磁碟重組。

指派此使用者權限時要特別小心。具有此使用者權限的使用者可以瀏覽磁碟和將檔案延伸到包含其他資料的記憶體中。當延伸檔案開啟時,使用者能夠讀取和修改取得的資料。

預設值: Administrators
Perform volume maintenance tasks

This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation.

Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data.

Default: Administrators
1954監視單一處理程序

此安全性設定決定哪些使用者可使用效能監視工具來監視非系統處理程序的效能。

預設值: Administrators、Power users。
Profile single process

This security setting determines which users can use performance monitoring tools to monitor the performance of non system processes.

Default: Administrators, Power users.
1955監視系統效能

此安全性設定決定哪些使用者可使用效能監視工具來監視系統處理程序的效能。

預設值: Administrators。

Profile system performance

This security setting determines which users can use performance monitoring tools to monitor the performance of system processes.

Default: Administrators.

1956從擴充座移除電腦

此安全性設定決定使用者是否無需登入便可從擴充座卸除可攜式電腦。

如果啟用此原則,使用者必須先登入,才能從擴充座移除可攜式電腦。如果停用此原則,使用者無需登入便可從擴充座移除可攜式電腦。

預設值: Administrators、Power Users 和 Users。
Remove computer from docking station

This security setting determines whether a user can undock a portable computer from its docking station without logging on.

If this policy is enabled, the user must log on before removing the portable computer from its docking station. If this policy is disabled, the user may remove the portable computer from its docking station without logging on.

Default: Administrators, Power Users, Users
1957取代處理程序等級權杖

此安全性設定決定哪些使用者帳戶能夠呼叫 CreateProcessAsUser() 應用程式開發介面 (API),如此一個服務便能夠啟動另一個服務。工作排程器便是使用此使用者權限的處理程序範例。如需工作排程器的詳細資訊,請參閱「工作排程器概觀」。

預設值: Network Service、Local Service。
Replace a process level token

This security setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another. An example of a process that uses this user right is Task Scheduler. For information about Task Scheduler, see Task Scheduler overview.

Default: Network Service, Local Service.
1958還原檔案及目錄

此安全性設定決定哪些使用者可以在還原備份檔案及目錄時,略過檔案、目錄、登錄及其他持續物件的權限,並決定哪些使用者可以物件擁有者的身分,設定任何有效的安全性主體。

具體而言,此使用者權限類似於將系統上所有檔案及資料夾的下列權限授予相關的使用者或群組:

周遊資料夾/執行檔案
寫入

警告

指派此使用者權限可能會危及安全性。由於擁有使用者權限的使用者可以覆寫登錄設定、隱藏資料及取得系統物件的所有權,請僅指派這個使用者權限給信任的使用者。

預設值:

工作站與伺服器: Administrators、Backup Operators。
網域控制站: Administrators、Backup Operators、Server Operators。
Restore files and directories

This security setting determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object.

Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:

Traverse Folder/Execute File
Write

Caution

Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users.

Default:

Workstations and servers: Administrators, Backup Operators.
Domain controllers: Administrators, Backup Operators, Server Operators.
1959關閉系統

此安全性設定決定哪些本機登入電腦的使用者能夠使用 Shutdown 命令將作業系統關機。濫用此使用者權限會造成拒絕服務。

在工作站上的預設值: Administrators、Backup Operators、Users。

在伺服器上的預設值: Administrators、Backup Operators。

在網域控制站上的預設值: Administrators、Backup Operators、Server Operators、Print Operators。
Shut down the system

This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service.

Default on Workstations: Administrators, Backup Operators, Users.

Default on Servers: Administrators, Backup Operators.

Default on Domain controllers: Administrators, Backup Operators, Server Operators, Print Operators.
1960同步處理目錄服務資料

此安全性設定決定授權哪些使用者及群組同步處理所有目錄服務資料。這也稱為 Active Directory 同步處理。

預設值: 無。
Synchronize directory service data

This security setting determines which users and groups have the authority to synchronize all directory service data. This is also known as Active Directory synchronization.

Defaults: None.
1961取得檔案或其他物件的擁有權

此安全性設定決定哪些使用者能夠取得系統中任何安全物件的擁有權,包括 Active Directory 物件、檔案及資料夾、印表機、登錄機碼、處理程序和執行緒。

警告

指派此使用者權限可能會危及安全性。由於物件擁有者將會擁有完全控制,請只將此使用者權限指派給信任的使用者。

預設值: Administrators。
Take ownership of files or other objects

This security setting determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.

Caution

Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users.

Default: Administrators.
1962帳戶: Administrator 帳戶狀態

這項安全性設定決定要啟用或停用本機 Administrator 帳戶。

注意

若在停用 Administrator 帳戶之後嘗試重新啟用此帳戶,而現行 Administrator 密碼不符合密碼需求,您就無法重新啟用此帳戶。在此情況下,必須由 Administrators 群組的替代成員重設 Administrator 帳戶的密碼。如需如何重設密碼的相關資訊,請參閱「重設密碼」。
在某些情況下,停用 Administrator 帳戶可能會成為維護問題。

在安全模式開機時,只有電腦未加入網域且沒有其他本機有效的系統管理員帳戶,才會啟用停用的 Administrator 帳戶。如果電腦已加入網域,將不會啟用停用的系統管理員帳戶。

預設值: 已停用。
Accounts: Administrator account status

This security setting determines whether the local Administrator account is enabled or disabled.

Notes

If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password.
Disabling the Administrator account can become a maintenance issue under certain circumstances.

Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled.

Default: Disabled.
1963帳戶: Guest 帳戶狀態

此安全性設定決定啟用或停用 Guest 帳戶。

預設值: 已停用。

注意: 如果停用 Guest 帳戶,而且 [網路存取: 本機帳戶的共用和安全性模型] 安全性選項是設定為 [僅適用於來賓],則網路登入 (例如,由 Microsoft 網路伺服器 (SMB 服務) 所執行的網路登入) 將會失敗。
Accounts: Guest account status

This security setting determines if the Guest account is enabled or disabled.

Default: Disabled.

Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail.
1964帳戶: 限制使用空白密碼的本機帳戶僅能登入到主控台

這項安全性設定決定未受密碼保護的本機帳戶,是否可用來從實體電腦主控台以外的位置登入。如果已啟用,那麼未受密碼保護的本機帳戶將只能藉由電腦鍵盤登入。

預設值: 已啟用。


警告:

不是位於實際安全位置的電腦,應一直針對所有本機使用者帳戶強制執行強式密碼原則。否則,每位實際存取電腦的使用者皆可使用沒有密碼的使用者帳戶登入。這對可攜式電腦來說尤其重要。
如果您將此安全性原則套用到 Everyone 群組,則任何人都不能透過遠端桌面服務登入。

附註

這個設定對於使用網域帳戶的登入沒有影響。
應用程式若使用遠端互動式登入,則可以跳過這個設定。

注意: 遠端桌面服務在舊版的 Windows Server 中稱為「終端機服務」。
Accounts: Limit local account use of blank passwords to console logon only

This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard.

Default: Enabled.


Warning:

Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers.
If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services.

Notes

This setting does not affect logons that use domain accounts.
It is possible for applications that use remote interactive logons to bypass this setting.

Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
1965帳戶: 重新命名系統管理員帳戶

此安全性設定決定不同的帳戶名稱是否與 Administrator 帳戶的安全性識別碼 (SID) 相關聯。重新命名已知的 Administrator 帳戶會使未經授權的人員較不容易猜出有此特殊權限的使用者名稱和密碼組合。

預設值: Administrator。
Accounts: Rename administrator account

This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination.

Default: Administrator.
1966帳戶: 重新命名來賓帳戶名稱

此安全性設定決定不同的帳戶名稱是否與 "Guest" 帳戶的安全性識別碼 (SID) 相關聯。重新命名已知的 Guest 帳戶會使未經授權的人員較不容易猜出此使用者名稱和密碼組合。

預設值: Guest。

Accounts: Rename guest account

This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination.

Default: Guest.

1967稽核: 稽核通用系統物件的存取

此安全性設定決定是否稽核通用系統物件的存取。

如果啟用此原則,會導致系統物件 (如 Mutex (互斥)、事件、信號和 DOS 裝置在建立時便含有預設的系統存取控制清單 (SACL)。只有具名的物件會被指定 SACL; SACL 不會指定給沒有名稱的物件。如果也啟用 [稽核物件存取] 稽核原則,則會稽核這些系統物件的存取。

注意: 設定此安全性設定時,在重新啟動 Windows 之後,所做的變更才會生效。

預設值: 已停用。
Audit: Audit the access of global system objects

This security setting determines whether to audit the access of global system objects.

If this policy is enabled, it causes system objects, such as mutexes, events, semaphores and DOS devices, to be created with a default system access control list (SACL). Only named objects are given a SACL; SACLs are not given to objects without names. If the Audit object access audit policy is also enabled, access to these system objects is audited.

Note: When configuring this security setting, changes will not take effect until you restart Windows.

Default: Disabled.
1968稽核: 稽核備份與還原權限的使用

此安全性設定決定在 [稽核特殊權限使用] 原則生效時,是否稽核所有使用者權限的使用,包括備份與還原。在 [稽核特殊權限使用] 啟用時同時啟用此選項,將會對備份或還原的每個檔案產生一個稽核事件。

如果停用此原則,即使啟用 [稽核特殊權限使用],也不會稽核備份或還原權限的使用。

注意: 在 Windows Vista 之前的 Windows 版本中設定此安全性設定,所做的變更在您重新啟動 Windows 之後才會生效。在備份時啟用此設定可能會造成大量事件,有時每秒會有數百個。

預設值: 已停用。

Audit: Audit the use of Backup and Restore privilege

This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect. Enabling this option when the Audit privilege use policy is also enabled generates an audit event for every file that is backed up or restored.

If you disable this policy, then use of the Backup or Restore privilege is not audited even when Audit privilege use is enabled.

Note: On Windows versions prior to Windows Vista configuring this security setting, changes will not take effect until you restart Windows. Enabling this setting can cause a LOT of events, sometimes hundreds per second, during a backup operation.

Default: Disabled.

1969稽核: 當無法記錄安全性稽核時,系統立即關機

這項安全性設定決定系統在無法記錄安全性事件時,是否要立即關機。

如果啟用了這項安全性設定,只要無法記錄安全稽核,系統便會停止。基本上,當安全性稽核記錄檔已滿,且安全性記錄檔的保持方法設為 [不要覆寫事件] 或 [依日期覆寫事件],便無法再記錄事件。

如果安全性記錄檔已滿且無法覆寫現有項目,但已啟用此安全性選項,則會出現下列停止錯誤:

STOP: C0000244 {Audit Failed}
嘗試產生安全性稽核時發生失敗。
若要修復,系統管理員必須登入、備份記錄檔 (可省略)、清除記錄檔,再依需要重設此選項。直到這項安全性設定重設之前,除了 Administrators 群組的成員之外,任何使用者都無法登入此系統,即使安全性記錄檔未滿。

注意: 在 Windows Vista 之前的 Windows 版本設定此安全性設定時,變更要等到重新啟動 Windows 之後才會生效。

預設值: 已停用。

Audit: Shut down system immediately if unable to log security audits

This security setting determines whether the system shuts down if it is unable to log security events.

If this security setting is enabled, it causes the system to stop if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the retention method that is specified for the security log is either Do Not Overwrite Events or Overwrite Events by Days.

If the security log is full and an existing entry cannot be overwritten, and this security option is enabled, the following Stop error appears:

STOP: C0000244 {Audit Failed}
An attempt to generate a security audit failed.
To recover, an administrator must log on, archive the log (optional), clear the log, and reset this option as desired. Until this security setting is reset, no users, other than a member of the Administrators group will be able to log on to the system, even if the security log is not full.

Note: On Windows versions prior to Windows Vista configuring this security setting, changes will not take effect until you restart Windows.

Default: Disabled.

1970裝置: 允許卸除而不須登入

這項安全性設定決定是否可卸除可攜式電腦而不須登入。如果已啟用此原則,則不須登入即可使用外部硬體的退出按鈕來卸除電腦。如果停用此原則,那麼使用者必須登入且擁有 [從擴充座移除電腦] 特殊權限才能卸除電腦。

預設值: 已啟用。

警告

停用此原則可能會讓使用者使用外部硬體退出按鈕以外的方法,嘗試並實際從擴充座移除膝上型電腦。由於這樣可能會造成硬體的損壞,因此一般說來,這項設定只能在實際上很安全的膝上型電腦上停用。

Devices: Allow undock without having to log on

This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer.

Default: Enabled.

Caution

Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable.

1971裝置: 允許格式化以及退出抽取式媒體

此安全性設定決定允許哪些人格式化和退出抽取式 NTFS 媒體。此功能可指定給:

Administrators
Administrators 以及 Interactive Users

預設值: 這個原則尚未定義且只有 Administrators 有這項能力。

Devices: Allowed to format and eject removable media

This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to:

Administrators
Administrators and Interactive Users

Default: This policy is not defined and only Administrators have this ability.

1972裝置: 當連線至共用印表機時防止使用者安裝印表機驅動程式

要讓電腦列印至共用的印表機,必須在本機電腦上安裝共用印表機的驅動程式。此安全性設定決定誰可以在連線至共用的印表機時安裝印表機驅動程式。如果啟用此設定,只有 Administrators 可以在連線至共用印表機時安裝印表機驅動程式。如果停用此設定,任何使用者在連線至共用的印表機時,都可以安裝印表機驅動程式。

伺服器預設值: 已啟用
工作站預設值: 已停用


注意

此設定不會影響新增本機印表機的能力。
此設定不會影響 Administrators。
Devices: Prevent users from installing printer drivers when connecting to shared printers

For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer.

Default on servers: Enabled.
Default on workstations: Disabled


Notes

This setting does not affect the ability to add a local printer.
This setting does not affect Administrators.
1973裝置: CD-ROM 存取只限於登入本機的使用者

此安全性設定決定本機使用者和遠端使用者是否能同時存取 CD-ROM。

如果啟用此原則,便只允許以互動方式登入的使用者存取抽取式 CD-ROM 媒體。如果啟用此原則但無人以互動方式登入,便能從網路存取該 CD-ROM。

預設值: 未定義此原則,且 CD-ROM 取並未僅限於本機登入的使用者。

Devices: Restrict CD-ROM access to locally logged-on user only

This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously.

If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network.

Default: This policy is not defined and CD-ROM access is not restricted to the locally logged-on user.

1974裝置: 軟碟機存取只限於登入本機的使用者

此安全性設定決定本機使用者和遠端使用者是否能同時存取抽取式軟碟機媒體。

如果啟用此原則,便只允許以互動方式登入的使用者存取抽取式軟碟機媒體。如果啟用此原則但無人以互動方式登入,便能從網路存取該軟碟機。

預設值: 未定義此原則,且軟碟機存取並未僅限於本機登入的使用者。

Devices: Restrict floppy access to locally logged-on user only

This security setting determines whether removable floppy media are accessible to both local and remote users simultaneously.

If this policy is enabled, it allows only the interactively logged-on user to access removable floppy media. If this policy is enabled and no one is logged on interactively, the floppy can be accessed over the network.

Default: This policy is not defined and floppy disk drive access is not restricted to the locally logged-on user.

1975裝置: 未簽署的驅動程式安裝操作

此安全性設定決定嘗試要安裝裝置驅動程式 (利用安裝程式 API) 時要執行的動作,而該驅動程式尚未經過 Windows 硬體品管部門 (WHQL) 的測試。

選項如下:

以無訊息方式安裝
發出警告但允許安裝
不允許安裝
預設值: 發出警告但允許安裝。

Devices: Unsigned driver installation behavior

This security setting determines what happens when an attempt is made to install a device driver (by means of Setup API) that has not been tested by the Windows Hardware Quality Lab (WHQL).

The options are:

Silently succeed
Warn but allow installation
Do not allow installation
Default: Warn but allow installation.

1976網域控制站: 允許伺服器操作者排程工作

此安全性設定決定是否允許 Server Operators 以 AT 排程設備提交工作。

注意: 此安全性設定只會影響到 AT 排程設備; 但不會影響到工作排程器設備。
預設值: 未定義此原則,這表示系統會將其視為停用。

Domain controller: Allow server operators to schedule tasks

This security setting determines if Server Operators are allowed to submit jobs by means of the AT schedule facility.

Note: This security setting only affects the AT schedule facility; it does not affect the Task Scheduler facility.
Default: This policy is not defined, which means that the system treats it as disabled.

1977網域控制站: LDAP 伺服器簽章要求

這項安全性設定決定 LDAP 伺服器是否需要與 LDAP 用戶端交涉簽章,如下所示:

無: 不需要資料簽章即可與伺服器連結。如果用戶端要求資料簽章,伺服器可提供支援。
要求簽章: 除非使用 TLS\SSL,否則必須交涉 LDAP 資料簽章選項。

預設值: 未定義此原則,相當於設定為 [無]。

警告

如果您將伺服器設定為 [要求簽章],那麼您也必須設定用戶端。如果未設定用戶端,會造成與伺服器的連線中斷。

注意

此設定對於 LDAP 簡單繫結或透過 SSL 進行的 LDAP 簡單繫結沒有任何影響。Windows XP Professional 隨附的所有 Microsoft LDAP 用戶端均不使用 LDAP 簡單繫結或透過 SSL 進行的 LDAP 簡單繫結與網域控制站通訊。
如果需要簽章,則將拒絕 LDAP 簡單繫結和透過 SSL 進行的 LDAP 簡單繫結。執行 Windows XP Professional 或 Windows Server 2003 系列的所有 Microsoft LDAP 用戶端均不使用 LDAP 簡單繫結或透過 SSL 進行的 LDAP 簡單繫結與目錄服務繫結。

Domain controller: LDAP server signing requirements

This security setting determines whether the LDAP server requires signing to be negotiated with LDAP clients, as follows:

None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.
Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.

Default: This policy is not defined, which has the same effect as None.

Caution

If you set the server to Require Signature, you must also set the client. Not setting the client results in loss of connection with the server.

Notes

This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL. No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a domain controller.
If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected. No Microsoft LDAP clients running Windows XP Professional or the Windows Server 2003 family use LDAP simple bind or LDAP simple bind through SSL to bind to directory service.

1978網域控制站: 拒絕電腦帳戶密碼變更

此安全性設定決定網域控制站是否會拒絕成員電腦變更電腦帳戶密碼的要求。根據預設值,成員電腦每 30 天就會變更電腦帳戶密碼一次。如果啟用,網域控制站將會拒絕電腦帳戶密碼的變更要求。

如果啟用,此設定便不允許網域控制站接受對電腦帳戶的密碼所做的任何變更。

預設值: 未定義此原則,這表示系統會將它視為 [已停用]。

Domain controller: Refuse machine account password changes

This security setting determines whether domain controllers will refuse requests from member computers to change computer account passwords. By default, member computers change their computer account passwords every 30 days. If enabled, the domain controller will refuse computer account password change requests.

If it is enabled, this setting does not allow a domain controller to accept any changes to a computer account's password.

Default: This policy is not defined, which means that the system treats it as Disabled.

1979網域成員: 安全通道資料加以數位加密或簽章 (自動)

這項安全性設定決定,網域成員啟動的所有安全通道傳輸是否必須經過簽章或加密。

當電腦加入網域時,會建立電腦帳戶。隨後,啟動系統時,系統會使用電腦帳戶密碼為其網域建立一個與網域控制站的安全通道。此安全通道用來執行諸如 NTLM 通過驗證及 LSA SID/名稱查詢的操作。

這項設定決定網域成員啟動的所有安全通道傳輸是否符合最低安全性需求。特別是,它決定了網域成員啟動的所有安全通道傳輸是否必須經過簽章或加密。如果已啟用這項原則,那麼將不會建立安全通道,除非已交涉所有安全通道傳輸的簽章或加密。如果停用了這項原則,那麼所有安全通道傳輸的加密和簽章都會與網域控制站進行交涉,在此情況下,簽章和加密的等級是根據網域控制站的版本以及下列兩項原則的設定而定:

網域成員: 安全通道資料加以數位加密 (可能的話)
網域成員: 安全通道資料加以數位簽章 (自動)

預設值: 啟用。

注意

如果啟用了此原則,則原則 [網域成員: 安全通道資料加以數位簽章 (可能的話)] 假設已被啟用,而不考慮其目前的設定。這會確保網域成員至少嘗試交涉安全通道傳輸的簽章。
如果啟用了此原則,則原則 [網域成員: 安全通道資料加以數位簽章 (可能的話)] 假設已被啟用,而不考慮其目前的設定。這會確保網域成員至少嘗試交涉安全通道傳輸的簽章。
透過安全通道傳輸的登入資訊一定會經過加密,無論「所有」其他安全通道傳輸的加密是否已進行交涉。

Domain member: Digitally encrypt or sign secure channel data (always)

This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.

When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.

This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:

Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)

Default: Enabled.

Notes:

If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.

1980網域成員: 安全通道資料加以數位加密 (可能的話)

這項安全性設定決定,網域成員是否嘗試為其所啟動的所有安全通道傳輸交涉加密。

當電腦加入網域時,會建立電腦帳戶。隨後,啟動系統時,系統會使用電腦帳戶密碼為其網域建立一個與網域控制站的安全通道。此安全通道用來執行諸如 NTLM 通過驗證、LSA SID/名稱查詢之類的操作。

這項設定決定網域成員是否嘗試為其所啟動的所有安全通道傳輸交涉加密。如果已啟用,則網域成員將要求所有安全通道傳輸的加密。如果網域控制站支援所有安全通道傳輸的加密,則所有安全通道傳輸都會經過加密。否則,只有透過安全通道傳輸的登入資訊才會經過加密。如果停用這項設定,則網域成員不會嘗試交涉安全通道加密。

預設值: 已啟用。

重要

正常情況下,不應該停用此設定。除了不必要地減少安全通道可能的機密等級,停用此設定還可能不必要地減少安全通道輸送量,因為只有當安全通道已簽署或加密時,使用安全通道的並行 API 呼叫才可行。

注意: 網域控制站也是網域成員,並會與同一網域中的其他網域控制站及受信任網域中的網域控制站建立安全通道。

Domain member: Digitally encrypt secure channel data (when possible)

This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.

When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc.

This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption.

Default: Enabled.

Important

There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.

Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.

1981網域成員: 安全通道資料加以數位簽章 (自動)

這項安全性設定決定,網域成員是否嘗試為其所啟動的所有安全通道傳輸交涉簽章。

當電腦加入網域時,會建立電腦帳戶。隨後,啟動系統時,系統會使用電腦帳戶密碼為其網域建立一個與網域控制站的安全通道。此安全通道用來執行諸如 NTLM 通過驗證及 LSA SID/名稱查詢的操作。

這項設定決定網域成員是否嘗試為其所啟動的所有安全通道傳輸交涉簽章。如果已啟用,則網域成員將要求所有安全通道傳輸的簽章。如果網域控制站支援所有安全通道傳輸的簽章,則所有安全通道傳輸都會經過簽章,如此能確保它不會在傳送時遭到篡改。

預設值: 已啟用。

注意:

如果啟用了原則 [網域成員: 安全通道資料加以數位加密或簽章 (自動)],則會假設這項原則為啟用狀態,無論目前設定為何。
網域控制站也是網域成員,並會與同一網域中的其他網域控制站及受信任網域中的網域控制站建立安全通道。

Domain member: Digitally sign secure channel data (when possible)

This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates.

When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.

This setting determines whether or not the domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit.

Default: Enabled.

Notes:

If the policy Domain member: Digitally encrypt or sign secure channel data (always) is enabled, then this policy is assumed to be enabled regardless of its current setting.
Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.

1982網域成員: 最長電腦帳戶密碼有效期

此安全性設定決定網域成員嘗試變更其電腦帳戶密碼的頻率。

預設值: 30 天。

重要

此設定適用於 Windows 2000 電腦,但無法在這些電腦上的「安全性設定管理員」工具取得。

Domain member: Maximum machine account password age

This security setting determines how often a domain member will attempt to change its computer account password.

Default: 30 days.

Important

This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.

1983網域成員: 要求增強式 (Windows 2000 或更新) 工作階段金鑰

這項安全性設定決定加密的安全通道資料是否需要 128 位元的金鑰長度。

當電腦加入網域時,會建立電腦帳戶。之後啟動系統時,系統會使用電腦帳戶密碼在該網域內建立一個具有網域控制站的安全通道。此安全通道用來執行諸如 NTLM 通過驗證或 LSA SID/名稱查詢之類的操作。

根據網域成員進行通訊的網域控制站上所執行的 Windows 版本,以及參數設定:

網域成員: 安全通道資料加以數位加密或簽章 (自動)
網域成員: 安全通道資料加以數位加密 (可能的話)
透過安全通道傳輸的某些或所有資訊都會經過加密。這項原則設定決定加密的安全通道資訊是否需要 128 位元的金鑰長度。

如果已啟用這項設定,除非能執行 128 位元加密,否則不會建立安全通道。如果停用這項設定,則會與網域控制站交涉金鑰長度。

預設值: 已啟用。

重要

為了在成員工作站和伺服器上利用這項原則的優點,所有建構成員網域的網域控制站都必須執行 Windows 2000 或更新的版本。
為了在網域控制站上利用這項原則的優點,相同網域以及所有受信任網域上的所有網域控制站都必須執行 Windows 2000 或更新的版本。

Domain member: Require strong (Windows 2000 or later) session key

This security setting determines whether 128-bit key strength is required for encrypted secure channel data.

When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller within the domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup, and so on.

Depending on what version of Windows is running on the domain controller that the domain member is communicating with and the settings of the parameters:

Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Some or all of the information that is transmitted over the secure channel will be encrypted. This policy setting determines whether or not 128-bit key strength is required for the secure channel information that is encrypted.

If this setting is enabled, then the secure channel will not be established unless 128-bit encryption can be performed. If this setting is disabled, then the key strength is negotiated with the domain controller.

Default: Enabled.

Important

In order to take advantage of this policy on member workstations and servers, all domain controllers that constitute the member's domain must be running Windows 2000 or later.
In order to take advantage of this policy on domain controllers, all domain controllers in the same domain as well as all trusted domains must run Windows 2000 or later.

1984網域成員: 停用電腦帳戶密碼變更

決定是否定期變更網域成員的電腦帳戶密碼。如果啟用了此設定,網域成員便不會嘗試變更其電腦帳戶密碼。如果停用了此設定,網域成員會嘗試依 [網域成員: 最長電腦帳戶密碼有效期] 的設定,來變更電腦帳戶密碼,預設為每隔 30 天。

預設值: 已停用。

注意

這項安全性設定不應啟用。電腦帳戶密碼是用於建立成員和網域控制站,以及網域內網域控制站之間的安全通道通訊。一旦建立,便會使用安全通道來傳輸建立驗證和授權決策所需的敏感資訊。
在嘗試支援使用相同電腦帳戶的雙重開機情況下,不應使用此設定。如果您要對連結相同網域的兩個安裝執行雙重開機,請指定不同電腦名稱給這兩個安裝。
Domain member: Disable machine account password changes

Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.

Default: Disabled.

Notes

This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions.
This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
1985互動式登入: 不要顯示上次登入
此安全性設定可決定 Windows 登入畫面是否顯示上次登入此電腦之人員的使用者名稱。
若啟用此原則,則不會顯示使用者名稱。

若停用此原則,則會顯示使用者名稱。

預設: 停用。


Interactive logon: Don't display last signed-in
This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC.
If this policy is enabled, the username will not be shown.

If this policy is disabled, the username will be shown.

Default: Disabled.


1986互動式登入: 不要求按 CTRL+ALT+DEL 鍵

此安全性設定決定使用者是否需要按 CTRL+ALT+DEL 才能登入。

若在電腦上啟用此原則,使用者不需要按 CTRL+ALT+DEL 便可登入。不需要按 CTRL+ALT+DEL 會讓使用者容易受到嘗試攔截使用者密碼的入侵。要求使用者登入前需要按 CTRL+ALT+DEL 可確保使用者輸入密碼時,以受信任的路徑進行通訊。

若停用此原則,則任何使用者都需要按 CTRL+ALT+DEL 才能登入 Windows。

在網域電腦上的預設值: 啟用: 至少需要 Windows 8/停用: Windows 7 或更舊版本。
在獨立電腦上的預設值: 啟用。

Interactive logon: Do not require CTRL+ALT+DEL

This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on.

If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords.

If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows.

Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier.
Default on stand-alone computers: Enabled.

1987互動式登入: 給登入使用者的訊息本文

這項安全性設定指定使用者登入時顯示的文字訊息。

此文字通常在合法動機下使用,例如,對誤用公司資訊的使用者提出警告,或警告使用者他們的動作可能會被稽核。

預設值: 無訊息。

Interactive logon: Message text for users attempting to log on

This security setting specifies a text message that is displayed to users when they log on.

This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.

Default: No message.

1988互動式登入: 給登入使用者的訊息標題

此安全性設定允許在包含 [互動式登入: 給登入使用者的訊息本文] 的視窗標題列顯示指定的標題。

預設值: 無訊息。

Interactive logon: Message title for users attempting to log on

This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on.

Default: No message.

1989互動式登入: 網域控制站無法使用時,要快取的先前登入次數

每個唯一使用者的登入資訊會存放於本機快取,因此,若網域控制站在後續登入嘗試期間無法使用,他們仍然可以登入。快取的登入資訊是從先前的登入工作階段儲存。若網域控制站無法使用且未快取使用者的登入資訊,則會以下列訊息提示使用者:

目前無可用的登入伺服器來服務登入請求。

在此原則設定中,0 值會停用登入快取。超過 50 的任何值只會快取 50 個登入嘗試。Windows 最多支援 50 個快取項目,而每一使用者耗用的項目數目取決於認證。舉例來說,在 Windows 系統中最多可以快取 50 個唯一密碼使用者帳戶,但只能快取 25 個智慧卡使用者帳戶,因為會同時儲存密碼資訊與智慧卡資訊。當擁有快取登入資訊的使用者再次登入時,會取代該使用者個人的快取資訊。

預設值:

Windows Server 2008: 25

所有其他版本: 10

Interactive logon: Number of previous logons to cache (in case domain controller is not available)

Each unique user's logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they are able to log on. The cached logon information is stored from the previous logon session. If a domain controller is unavailable and a user's logon information is not cached, the user is prompted with this message:

There are currently no logon servers available to service the logon request.

In this policy setting, a value of 0 disables logon caching. Any value above 50 only caches 50 logon attempts. Windows supports a maximum of 50 cache entries and the number of entries consumed per user depends on the credential. For example, a maximum of 50 unique password user accounts can be cached on a Windows system, but only 25 smart card user accounts can be cached because both the password information and the smart card information are stored. When a user with cached logon information logs on again, the user’s individual cached information is replaced.

Default:

Windows Server 2008: 25

All Other Versions: 10

1990互動式登入: 在密碼到期前提示使用者變更密碼

決定在使用者的密碼即將到期時,要提前多久 (天數) 事先警告使用者。有了這個事先警告,使用者便有時間建構一個強式密碼。

預設值: 5 天。

Interactive logon: Prompt user to change password before expiration

Determines how far in advance (in days) users are warned that their password is about to expire. With this advance warning, the user has time to construct a password that is sufficiently strong.

Default: 5 days.

1991互動式登入: 要求網域控制站驗證以解除鎖定

必須提供登入資訊才能夠將鎖定的電腦解除鎖定。對於網域帳戶而言,此安全性設定決定是否必須與網域控制站連絡,才能將電腦解除鎖定。如果停用此設定,使用者便可以使用快取的認證來將電腦解除鎖定。如果啟用此設定,網域控制站便必須驗證用以解除鎖定電腦的網域帳戶。

預設值: 已停用。

重要

此設定適用於 Windows 2000 電腦,但無法在這些電腦上的「安全性設定管理員」工具取得。

Interactive logon: Require Domain Controller authentication to unlock

Logon information must be provided to unlock a locked computer. For domain accounts, this security setting determines whether a domain controller must be contacted to unlock a computer. If this setting is disabled, a user can unlock the computer using cached credentials. If this setting is enabled, a domain controller must authenticate the domain account that is being used to unlock the computer.

Default: Disabled.

Important

This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers.

1992互動式登入: 要求必須使用 Windows Hello 企業版或智慧卡

此安全性設定可要求使用者必須使用 Windows Hello 企業版或智慧卡來登入裝置。

選項如下:

啟用: 使用者只能使用 Windows Hello 企業版或智慧卡來登入裝置。
停用或未設定: 使用者可以使用任何方法來登入裝置。

重要

此設定透過登錄中的變更套用到執行 Windows 2000 的電腦,但該安全性設定無法透過「安全性設定管理員」工具組來檢視。

Windows 10 v1607 或更新版本上不支援要求必須使用 Windows Hello 企業版來登入。

Interactive logon: Require Windows Hello for Business or smart card

This security setting requires users to sign-in to a device using Windows Hello for Business or a smart card.

The options are:

Enabled: Users can only sign-in to the device using Windows Hello for Business or a smart card.
Disabled or not configured: Users can sign-in to the device using any method.

Important

This setting applies to any computer running Windows 2000 through changes in the registry, but the security setting is not viewable through the Security Configuration Manager tool set.

Requiring Windows Hello for Business sign-in is not supported on Windows 10 v1607 or earlier.

1993互動式登入: 智慧卡移除操作

此安全性設定決定當登入使用者的智慧卡從智慧卡讀卡機移除時要執行的動作。

選項如下:

無動作
鎖定工作站
強制登出
如果是遠端桌面服務工作階段則中斷連線

如果在此原則的 [內容] 對話方塊中按下 [鎖定工作站],便會在智慧卡移除時鎖定工作站,讓使用者帶著他們的智慧卡離開,同時繼續保護工作階段。

如果在此原則的 [內容] 對話方塊中按下 [強制登出],便會在智慧卡移除時,自動將使用者登出。

如果按一下 [如果是遠端桌面服務工作階段則中斷連線],便會在智慧卡移除時中斷工作階段的連線,而不會將使用者登出。這能讓使用者稍後插入智慧卡並繼續該工作階段,或是在另一部配備智慧卡讀卡機的電腦繼續,無須再登入一次。如果工作階段是本機,則此原則的功能與 [鎖定工作站] 相同。

注意: 遠端桌面服務在舊版的 Windows Server 中稱為「終端機服務」。

預設值: 未定義此原則,這表示系統會將它視為 [無動作]。

在 Windows Vista 和更新的版本中: 若要讓此設定生效,必須啟動智慧卡移除原則服務。

Interactive logon: Smart card removal behavior

This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.

The options are:

No Action
Lock Workstation
Force Logoff
Disconnect if a Remote Desktop Services session

If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.

If you click Force Logoff in the Properties dialog box for this policy, the user is automatically logged off when the smart card is removed.

If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation.

Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.

Default: This policy is not defined, which means that the system treats it as No action.

On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started.

1994Microsoft 網路用戶端: 為通訊加上數位簽章 (一律)

此安全性設定決定 SMB 用戶端元件是否要求封包簽署。

伺服器訊息區 (SMB) 通訊協定為 Microsoft 檔案及列印共用與許多其他網路作業 (例如遠端 Windows 系統管理) 提供基礎。為防止會修改傳輸中 SMB 封包的攔截式攻擊,SMB 通訊協定支援 SMB 封包的數位簽署。此原則設定決定允許和 SMB 伺服器進一步通訊之前,SMB 封包簽署是否必須經過交涉。

若啟用此設定,Microsoft 網路用戶端將不會和 Microsoft 網路伺服器通訊,除非該伺服器同意執行 SMB 封包簽署。若停用此原則,會在用戶端與伺服器之間交涉 SMB 封包簽署。

預設值: 已停用。

重要

為使此原則在執行 Windows 2000 的電腦上生效,必須也啟用用戶端封包簽署。若要啟用用戶端 SMB 封包簽署,請設定「Microsoft 網路用戶端: 為通訊加上數位簽章 (若伺服器同意)」。

注意

所有 Windows 作業系統都支援用戶端 SMB 元件與伺服器端 SMB 元件。在 Windows 2000 與更新版本的作業系統上,啟用或要求用戶端與伺服器端 SMB 元件的封包簽署是由下列四個原則設定所控制:
Microsoft 網路用戶端: 為通訊加上數位簽章 (一律) - 控制用戶端 SMB 元件是否要求封包簽署。
Microsoft 網路元件: 為通訊加上數位簽章 (若伺服器同意) - 控制用戶端 SMB 元件是否啟用封包簽署。
Microsoft 網路伺服器: 為通訊加上數位簽章 (一律) - 控制伺服器端 SMB 元件是否要求封包簽署。
Microsoft 網路伺服器: 為通訊加上數位簽章 (若用戶端同意) - 控制伺服器端 SMB 元件是否啟用封包簽署。
視方言版本、OS 版本、檔案大小、處理器卸載功能與應用程式 IO 行為而定,SMB 封包簽署會使 SMB 效能大幅降低。
如需詳細資訊,請參閱: https://go.microsoft.com/fwlink/?LinkID=787136。

Microsoft network client: Digitally sign communications (always)

This security setting determines whether packet signing is required by the SMB client component.

The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.

If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.

Default: Disabled.

Important

For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees).

Notes

All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.
For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.

1995Microsoft 網路用戶端: 為通訊加上數位簽章 (若伺服器同意)

此安全性設定決定 SMB 用戶端是否嘗試交涉 SMB 封包簽署。

伺服器訊息區 (SMB) 通訊協定是 Microsoft 檔案及列印共用與許多其他網路作業 (例如遠端 Windows 系統管理) 的基礎。為防止會修改傳輸中 SMB 封包的攔截式攻擊,SMB 通訊協定支援 SMB 封包的數位簽署。此原則設定決定 SMB 用戶端元件連線至 SMB 伺服器時,是否嘗試交涉 SMB 封包簽署。

若啟用此設定,Microsoft 網路用戶端將於建立工作階段時要求伺服器執行 SMB 封包簽署。若已在伺服器上啟用封包簽署,將會交涉封包簽署。若停用此原則,SMB 用戶端將不會交涉 SMB 封包簽署。

預設值: 已啟用。

注意

所有 Windows 作業系統都支援用戶端 SMB 元件與伺服器端 SMB 元件。在 Windows 2000 與更新版本的作業系統上,啟用或要求用戶端與伺服器端 SMB 元件的封包簽署是由下列四個原則設定所控制:
Microsoft 網路用戶端: 為通訊加上數位簽章 (一律) - 控制用戶端 SMB 元件是否要求封包簽署。
Microsoft 網路用戶端: 為通訊加上數位簽章 (若伺服器同意) - 控制用戶端 SMB 元件是否啟用封包簽署。
Microsoft 網路伺服器: 為通訊加上數位簽章 (一律) - 控制伺服器端 SMB 元件是否要求封包簽署。
Microsoft 網路伺服器: 為通訊加上數位簽章 (若用戶端同意) - 控制伺服器端 SMB 元件是否啟用封包簽署。
若用戶端與伺服器端 SMB 簽署兩者已啟用,且用戶端建立與伺服器之間的 SMB 1.0 連線,將會嘗試 SMB 簽署。
視方言版本、OS 版本、檔案大小、處理器卸載功能與應用程式 IO 行為而定,SMB 封包簽署會使 SMB 效能大幅降低。此設定只適用於 SMB 1.0 連線。
如需詳細資訊,請參閱: https://go.microsoft.com/fwlink/?LinkID=787136。

Microsoft network client: Digitally sign communications (if server agrees)

This security setting determines whether the SMB client attempts to negotiate SMB packet signing.

The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server.

If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.

Default: Enabled.

Notes

All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted.
SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.

1996Microsoft 網路用戶端: 傳送未加密的密碼到其他廠商的 SMB 伺服器

如果啟用此安全性設定,便允許伺服器訊息區 (SMB) 重新導向器在驗證期間將純文字密碼傳送給不支援密碼加密的非 Microsoft SMB 伺服器。

傳送未經加密的密碼會有安全性風險。

預設值: 已停用。
Microsoft network client: Send unencrypted password to connect to third-party SMB servers

If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication.

Sending unencrypted passwords is a security risk.

Default: Disabled.
1997Microsoft 網路伺服器: 暫停工作階段前,要求的閒置時間

此安全性設定決定伺服器訊息區 (SMB) 工作階段的連續閒置時間長度超過多少時,工作階段會因為處於非使用狀態而暫停。

系統管理員可使用此原則,控制電腦於何時暫停非使用中的 SMB 工作階段。若用戶端活動繼續,則會自動重新建立工作階段。

對於此原則設定,零值表示在合理的時間範圍內儘速中斷工作階段的連線。最大值是 99999,即 208 天; 實際上,此值會停用此原則。

預設值: 未定義此原則,這表示系統會將它視為 15 分鐘 (伺服器) 或未定義 (工作站)。

Microsoft network server: Amount of idle time required before suspending a session

This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.

Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.

For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy.

Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.

1998Microsoft 網路伺服器: 為通訊加上數位簽章 (一律)

此安全性設定決定 SMB 伺服器元件是否要求封包簽署。

伺服器訊息區 (SMB) 通訊協定是 Microsoft 檔案及列印共用與許多其他網路作業 (例如遠端 Windows 系統管理) 的基礎。為防止會修改傳輸中 SMB 封包的攔截式攻擊,SMB 通訊協定支援 SMB 封包的數位簽署。此原則設定決定允許和 SMB 用戶端進一步通訊之前,SMB 封包簽署是否必須經過交涉。

若啟用此設定,Microsoft 網路伺服器將不會和 Microsoft 網路用戶端通訊,除非該用戶端同意執行 SMB 封包簽署。若停用此設定,會在用戶端與伺服器之間交涉 SMB 封包簽署。

預設值:

針對成員伺服器停用。
針對網域控制站停用。

注意

所有 Windows 作業系統都支援用戶端 SMB 元件與伺服器端 SMB 元件。在 Windows 2000 與更新版本的作業系統上,啟用或要求用戶端與伺服器端 SMB 元件的封包簽署是由下列四個原則設定所控制:
Microsoft 網路用戶端: 為通訊加上數位簽章 (一律) - 控制用戶端 SMB 元件是否要求封包簽署。
Microsoft 網路用戶端: 為通訊加上數位簽章 (若伺服器同意) - 控制用戶端 SMB 元件是否啟用封包簽署。
Microsoft 網路伺服器: 為通訊加上數位簽章 (一律) - 控制伺服器端 SMB 元件是否要求封包簽署。
Microsoft 網路伺服器: 為通訊加上數位簽章 (若用戶端同意) - 控制伺服器端 SMB 元件是否啟用封包簽署。
同樣的,若用戶端 SMB 簽署是必要的,該用戶端將無法和未啟用封包簽署的伺服器建立工作階段。根據預設值,伺服器端 SMB 簽署只會在網域控制站上啟用。
若啟用伺服器端 SMB 簽署,則將與啟用用戶端 SMB 簽署的用戶端交涉 SMB 封包簽署。
視方言版本、OS 版本、檔案大小、處理器卸載功能與應用程式 IO 行為而定,SMB 封包簽署會使 SMB 效能大幅降低。

重要

為使此原則在執行 Windows 2000 的電腦上生效,必須也啟用伺服器端封包簽署。若要啟用伺服器端 SMB 封包簽署,請設定下列原則:
Microsoft 網路伺服器: 為通訊加上數位簽章 (若伺服器同意)

為了讓 Windows 2000 伺服器能與 Windows NT 4.0 用戶端交涉簽署,必須將 Windows 2000 伺服器上的下列登錄值設定為 1:
HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature
如需詳細資訊,請參閱: https://go.microsoft.com/fwlink/?LinkID=787136。

Microsoft network server: Digitally sign communications (always)

This security setting determines whether packet signing is required by the SMB server component.

The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent "man-in-the-middle" attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted.

If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server.

Default:

Disabled for member servers.
Enabled for domain controllers.

Notes

All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers.
If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled.
SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors.

Important

For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy:
Microsoft network server: Digitally sign communications (if server agrees)

For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server:
HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature
For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.

1999Microsoft 網路伺服器: 為通訊加上數位簽章 (若用戶端同意)

此安全性設定決定 SMB 伺服器是否將和要求 SMB 封包簽署的用戶端交涉。

伺服器訊息區 (SMB) 通訊協定是 Microsoft 檔案及列印共用與許多其他網路作業 (例如遠端 Windows 系統管理) 的基礎。為防止會修改傳輸中 SMB 封包的攔截式攻擊,SMB 通訊協定支援 SMB 封包的數位簽署。此原則設定決定 SMB 伺服器是否將在 SMB 用戶端要求 SMB 封包簽署時進行交涉。

若啟用此設定,Microsoft 網路伺服器將在用戶端要求 SMB 封包簽署時進行交涉。也就是說,若已在用戶端啟用封包簽署,將會交涉封包簽署。若停用此原則,SMB 用戶端將不會交涉 SMB 封包簽署。

預設值: 只在網域控制站上啟用。

重要

為了讓 Windows 2000 伺服器能與 Windows NT 4.0 用戶端交涉簽署,必須將執行 Windows 2000 的伺服器中的下列登錄值設定為 1: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature

注意

所有 Windows 作業系統都支援用戶端 SMB 元件與伺服器端 SMB 元件。對於 Windows 2000 與更新版本的作業系統,啟用或要求用戶端與伺服器端 SMB 元件的封包簽署是由下列四個原則設定所控制:
Microsoft 網路用戶端: 為通訊加上數位簽章 (一律) - 控制用戶端 SMB 元件是否要求封包簽署。
Microsoft 網路用戶端: 為通訊加上數位簽章 (若伺服器同意) - 控制用戶端 SMB 元件是否啟用封包簽署。
Microsoft 網路伺服器: 為通訊加上數位簽章 (一律) - 控制伺服器端 SMB 元件是否要求封包簽署。
Microsoft 網路伺服器: 為通訊加上數位簽章 (若用戶端同意) - 控制伺服器端 SMB 元件是否啟用封包簽署。
若用戶端與伺服器端 SMB 簽署兩者已啟用,且用戶端建立與伺服器之間的 SMB 1.0 連線,將會嘗試 SMB 簽署。
視方言版本、OS 版本、檔案大小、處理器卸載功能與應用程式 IO 行為而定,SMB 封包簽署會使 SMB 效能大幅降低。此設定只適用於 SMB 1.0 連線。
如需詳細資訊,請參閱: https://go.microsoft.com/fwlink/?LinkID=787136。

Microsoft network server: Digitally sign communications (if client agrees)

This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it.

The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it.

If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing.

Default: Enabled on domain controllers only.

Important

For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature

Notes

All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted.
SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections.
For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136.

2000Microsoft 網路伺服器: 當登入時數到期時,中斷用戶端連線

此安全性設定決定是否要在超出使用者帳戶的有效登入時數時,將連線到本機電腦的使用者中斷連線。此設定會影響到伺服器訊息區 (SMB) 元件。

啟用此原則時,便會在用戶端的登入時數到期之後,強迫將搭配 SMB 服務的用戶端工作階段中斷連線。

如果停用此原則,便允許在用戶端的登入時數到期之後,繼續維持建立的用戶端工作階段。

Windows Vista 及更新版本上的預設值: 啟用。
Windows XP 上的預設值: 停用

Microsoft network server: Disconnect clients when logon hours expire

This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component.

When this policy is enabled, it causes client sessions with the SMB Service to be forcibly disconnected when the client's logon hours expire.

If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired.

Default on Windows Vista and above: Enabled.
Default on Windows XP: Disabled

2001網路存取: 允許匿名 SID/名稱轉譯

此原則設定決定匿名使用者是否可以要求其他使用者的安全性識別碼 (SID) 屬性。

如果啟用此原則,匿名使用者可以要求其他使用者的 SID 屬性。知道系統管理員 SID 的匿名使用者可以連絡已啟用此原則的電腦,且能使用該 SID 來取得系統管理員的名稱。此設定會影響 SID 轉譯為名稱以及名稱轉譯為 SID。

如果已停用此原則設定,匿名使用者將無法為其他使用者要求 SID 屬性。

工作站與成員伺服器的預設值: 已停用。
執行 Windows Server 2008 或更新版本的網域控制站預設值: 已停用。
執行 Windows Server 2003 R2 或更舊版本的網域控制站預設值: 已啟用。
Network access: Allow anonymous SID/name translation

This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user.

If this policy is enabled, an anonymous user can request the SID attribute for another user. An anonymous user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. This setting affects both the SID-to-name translation as well as the name-to-SID translation.

If this policy setting is disabled, an anonymous user cannot request the SID attribute for another user.

Default on workstations and member servers: Disabled.
Default on domain controllers running Windows Server 2008 or later: Disabled.
Default on domain controllers running Windows Server 2003 R2 or earlier: Enabled.
2002網路存取: 不允許 SAM 帳戶的匿名列舉

此安全性設定決定將授與電腦匿名連線哪些其他權限。

Windows 允許匿名使用者執行特定活動,例如列舉網域帳戶和網路共用的名稱。當系統管理員想要授與使用者在受信任網域上的存取權限,而該網域不會保持交互信任時,此功能相當方便。

此安全性選項允許在匿名連線中設定其他限制,如下:

已啟用: 不允許列舉 SAM 帳戶。此選項會將資源之安全性權限中的 Everyone 取代為 Authenticated Users。
已停用: 沒有其他限制。視預設權限而定。

在工作站上的預設值: 已啟用。
在伺服器上的預設值: 已啟用。

重要

此原則對網域控制站沒有影響。

Network access: Do not allow anonymous enumeration of SAM accounts

This security setting determines what additional permissions will be granted for anonymous connections to the computer.

Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust.

This security option allows additional restrictions to be placed on anonymous connections as follows:

Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.
Disabled: No additional restrictions. Rely on default permissions.

Default on workstations: Enabled.
Default on server:Enabled.

Important

This policy has no impact on domain controllers.

2003網路存取: 不允許 SAM 帳戶和共用的匿名列舉

此安全性設定決定是否允許 SAM 帳戶和共用的匿名列舉。

Windows 允許匿名使用者執行特定活動,例如列舉網域帳戶和網路共用的名稱。當系統管理員想要授與使用者在受信任網域上的存取權,而該網域不會保持交互信任時,此功能相當方便。如果不想要允許 SAM 帳戶和共用的匿名列舉,請啟用此原則。

預設值: 已停用。

Network access: Do not allow anonymous enumeration of SAM accounts and shares

This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed.

Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy.

Default: Disabled.

2004網路存取: 不允許存放網路驗證的密碼與認證

此安全性設定決定認證管理員取得網域驗證時,是否儲存密碼與認證,以供稍後使用。

如果啟用此設定,認證管理員不會在電腦上儲存密碼與認證。
如果您停用或未設定此原則設定,認證管理員將會在此電腦上存放密碼與認證,以供稍後用於網域驗證。

注意: 設定此安全性設定時,您必須重新啟動 Windows,變更才會生效。

預設值: 已停用。

Network access: Do not allow storage of passwords and credentials for network authentication

This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication.

If you enable this setting, Credential Manager does not store passwords and credentials on the computer.
If you disable or do not configure this policy setting, Credential Manager will store passwords and credentials on this computer for later use for domain authentication.

Note: When configuring this security setting, changes will not take effect until you restart Windows.

Default: Disabled.

2005網路存取: 讓 Everyone 權限套用到匿名使用者

此安全性設定決定將授與電腦匿名連線哪些其他權限。

Windows 允許匿名使用者執行特定活動,例如列舉網域帳戶和網路共用的名稱。當系統管理員想要授與使用者在受信任網域上的存取權限,而該網域不會保持交互信任時,此功能相當方便。根據預設值,會從為匿名連線建立的權杖中移除 Everyone 安全性識別碼 (SID)。因此,授與 Everyone 群組的權限不會套用至匿名使用者。若設定此選項,匿名使用者只能存取他們已明確取得權限的資源。

若啟用此原則,Everyone SID 會新增至為匿名連線建立的權杖。在此情況下,匿名使用者可存取 Everyone 群組已取得權限的任何資源。

預設值: 已停用。

Network access: Let Everyone permissions apply to anonymous users

This security setting determines what additional permissions are granted for anonymous connections to the computer.

Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. By Default, the Everyone security identifier (SID) is removed from the token created for anonymous connections. Therefore, permissions granted to the Everyone group do not apply to anonymous users. If this option is set, anonymous users can only access those resources for which the anonymous user has been explicitly given permission.

If this policy is enabled, the Everyone SID is added to the token that is created for anonymous connections. In this case, anonymous users are able to access any resource for which the Everyone group has been given permissions.

Default: Disabled.

2006網路存取: 可以匿名存取的具名管道

此安全性設定決定哪個通訊工作階段 (管道) 將擁有允許匿名存取的屬性和權限。

預設值: 無。

Network access: Named pipes that can be accessed anonymously

This security setting determines which communication sessions (pipes) will have attributes and permissions that allow anonymous access.

Default: None.

2007網路存取: 可遠端存取的登錄路徑

此安全性設定決定哪些登錄機碼可經由網路存取 (不管 winreg 登錄機碼中存取控制清單 (ACL) 所列的使用者或群組為何)。

預設值:

System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion

警告

不正確地編輯登錄將會對系統造成嚴重的損害。在變更登錄前,您應先備份電腦上任何有價值的資料。
注意: 此安全性設定無法在舊版 Windows 中使用。執行 Windows XP 的電腦中出現的安全性設定「網路存取: 可遠端存取的登錄路徑」對應到 Windows Server 2003 系列成員中的「網路存取: 可遠端存取的登錄路徑及子路徑」安全性選項。如需詳細資訊,請參閱「網路存取: 可遠端存取的登錄路徑及子路徑」。
預設值:

System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion
Network access: Remotely accessible registry paths

This security setting determines which registry keys can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key.

Default:

System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion

Caution

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
Note: This security setting is not available on earlier versions of Windows. The security setting that appears on computers running Windows XP, "Network access: Remotely accessible registry paths" corresponds to the "Network access: Remotely accessible registry paths and subpaths" security option on members of the Windows Server 2003 family. For more information, see Network access: Remotely accessible registry paths and subpaths.
Default:

System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion
2008網路存取: 可遠端存取的登錄路徑及子路徑

此安全性設定決定哪些登錄路徑及子路徑可經由網路存取 (不管 winreg 登錄機碼中存取控制清單 (ACL) 所列的使用者或群組為何)。

預設值:

System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog
System\CurrentControlSet\Services\CertSvc
System\CurrentControlSet\Services\Wins

警告

不正確地編輯登錄將會對系統造成嚴重的損害。在變更登錄前,您應先備份電腦上任何有價值的資料。

注意: 在 Windows XP 中,此安全性設定稱為「網路存取: 可遠端存取的登錄路徑」。如果您在加入網域的 Windows Server 2003 系列成員中設定此設定,則執行Windows XP 的電腦會繼承此設定,但將以「網路存取: 可遠端存取的登錄路徑」安全性選項顯示。如需詳細資訊,請參閱「網路存取: 可遠端存取的登錄路徑及子路徑。」
Network access: Remotely accessible registry paths and subpaths

This security setting determines which registry paths and subpaths can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key.

Default:

System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog
System\CurrentControlSet\Services\CertSvc
System\CurrentControlSet\Services\Wins

Caution

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Note: On Windows XP, this security setting was called "Network access: Remotely accessible registry paths." If you configure this setting on a member of the Windows Server 2003 family that is joined to a domain, this setting is inherited by computers running Windows XP, but will appear as the "Network access: Remotely accessible registry paths" security option. For more information, see Network access: Remotely accessible registry paths and subpaths.
2009網路存取: 限制匿名存取具名管道和共用

啟用時,此安全性設定會將共用和管道的匿名存取限制為以下設定:

網路存取: 可以匿名存取的具名管道
網路存取: 可以匿名存取的共用
預設值: 已啟用。

Network access: Restrict anonymous access to Named Pipes and Shares

When enabled, this security setting restricts anonymous access to shares and pipes to the settings for:

Network access: Named pipes that can be accessed anonymously
Network access: Shares that can be accessed anonymously
Default: Enabled.

2010網路存取: 可以匿名存取的共用

此安全性設定決定匿名使用者能夠存取哪個網路共用。

預設值: 沒有指定。

Network access: Shares that can be accessed anonymously

This security setting determines which network shares can accessed by anonymous users.

Default: None specified.

2011網路存取: 本機帳戶的共用和安全性模型

此安全性設定決定如何驗證使用本機帳戶的網路登入。若此設定設為「傳統」,則使用本機帳戶認證的網路登入會使用那些認證進行驗證。「傳統」模式可有效控制對資源的存取。使用「傳統」模式,您可針對相同資源授與不同類型的存取權限給不同的使用者。
若此設定設為「僅適用於來賓」,則使用本機帳戶的網路登入會自動對應到 Guest 帳戶。使用「僅適用於來賓」模式,可以等同方式對待所有使用者。所有使用者均驗證為 Guest,且收到的特定資源存取權限等級相同,即可能是「唯讀」或「修改」。

在網域電腦上的預設值: 傳統。
在獨立電腦上的預設值: 僅適用於來賓

重要

使用「僅適用於來賓」模式,可經由網路存取您電腦的所有使用者 (包括匿名網際網路使用者) 都能存取您的共用資源。您必須使用 Windows 防火牆或其他類似裝置來保護您的電腦免於未經授權存取的侵害。同樣的,使用「傳統」模式,必須使用密碼保護本機帳戶,否則任何人都可使用那些使用者帳戶存取共用系統資源。

注意:

此設定不影響使用如 Telnet 服務或遠端桌面服務從遠端執行的互動式登入

遠端桌面服務在舊版的 Windows Server 中稱為「終端機服務」。

此原則不影響執行 Windows 2000 的電腦。
當電腦未加入網域時,此設定也會修改檔案總管中的 [共用] 和 [安全性] 索引標籤,以和正在使用的共用和安全性模型對應。

Network access: Sharing and security model for local accounts

This security setting determines how network logons that use local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. The Classic model allows fine control over access to resources. By using the Classic model, you can grant different types of access to different users for the same resource.
If this setting is set to Guest only, network logons that use local accounts are automatically mapped to the Guest account. By using the Guest model, you can have all users treated equally. All users authenticate as Guest, and they all receive the same level of access to a given resource, which can be either Read-only or Modify.

Default on domain computers: Classic.
Default on stand-alone computers: Guest only

Important

With the Guest only model, any user who can access your computer over the network (including anonymous Internet users) can access your shared resources. You must use the Windows Firewall or another similar device to protect your computer from unauthorized access. Similarly, with the Classic model, local accounts must be password protected; otherwise, those user accounts can be used by anyone to access shared system resources.

Note:

This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services

Remote Desktop Services was called Terminal Services in previous versions of Windows Server.

This policy will have no impact on computers running Windows 2000.
When the computer is not joined to a domain, this setting also modifies the Sharing and Security tabs in File Explorer to correspond to the sharing and security model that is being used.

2012網路安全性: 下次密碼變更時不儲存 LAN Manager 雜湊數值

此安全性設定決定在下次密碼變更時,是否要儲存新密碼的 LAN Manager 雜湊數值。和密碼編譯較強的 Windows NT 雜湊相比,LM 雜湊相對較不安全,並且容易遭到攻擊。因為 LM 雜湊儲存於本機電腦的安全性資料庫中,若安全性資料庫遭到攻擊,密碼可能就會被破解。


Windows Vista 及更新版本上的預設值: 啟用
Windows XP 上的預設值: 停用。

重要

Windows 2000 Service Pack 2 (SP2) 及更新版本提供與舊版 Windows (如 Microsoft Windows NT 4.0) 驗證的相容性。
此設定會影響執行 Windows 2000 Server、Windows 2000 Professional、Windows XP 及 Windows Server 2003 系列的電腦與執行 Windows 95 和 Windows 98 的電腦通訊的能力。

Network security: Do not store LAN Manager hash value on next password change

This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked.


Default on Windows Vista and above: Enabled
Default on Windows XP: Disabled.

Important

Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0.
This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98.

2013網路安全性: 強制限制登入時數

此安全性設定決定使用者連線至本機電腦若超過其使用者帳戶有效的登入時數時,是否要中斷連線。此設定會影響伺服器訊息區 (SMB) 元件。

啟用此原則時,若用戶端登入時數到期,會強制中斷用戶端工作階段與 SMB 伺服器的連線。

若停用此原則,當用戶端登錄時數到期之後,可以允許保留已建立的用戶端工作階段。

預設值: 已啟用。

注意: 此安全性設定作用和帳戶原則相同。對於網域帳戶,只能有一個帳戶原則。帳戶原則必須定義在「預設網域原則」中,並由組成網域的網域控制站強制執行。即使包含網域控制站的組織單位套用了不同的帳戶原則,網域控制站始終會從「預設網域原則群組原則」物件 (GPO) 提取帳戶原則。根據預設值,加入網域的工作站和伺服器 (如成員電腦) 也會收到其本機帳戶相同的帳戶原則。不過,若為包含成員電腦的組織單位定義帳戶原則,成員電腦的本機帳戶原則就會和網域帳戶原則不同。Kerberos 設定不會套用到成員電腦。

Network security: Force logoff when logon hours expire

This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component.

When this policy is enabled, it causes client sessions with the SMB server to be forcibly disconnected when the client's logon hours expire.

If this policy is disabled, an established client session is allowed to be maintained after the client's logon hours have expired.

Default: Enabled.

Note: This security setting behaves as an account policy. For domain accounts, there can be only one account policy. The account policy must be defined in the Default Domain Policy, and it is enforced by the domain controllers that make up the domain. A domain controller always pulls the account policy from the Default Domain Policy Group Policy object (GPO), even if there is a different account policy applied to the organizational unit that contains the domain controller. By default, workstations and servers that are joined to a domain (for example, member computers) also receive the same account policy for their local accounts. However, local account policies for member computers can be different from the domain account policy by defining an account policy for the organizational unit that contains the member computers. Kerberos settings are not applied to member computers.

2014網路安全性: LAN Manager 驗證等級

此安全性設定決定使用哪種 Challenge/Response 驗證通訊協定登入網路。此選擇會影響用戶端使用的驗證通訊協定層級、交涉的工作階段安全性層級,以及伺服器接受的驗證等級,如下:

傳送 LM 和 NTLM 回應: 用戶端使用 LM 和 NTLM 驗證,絕不使用 NTLMv2 工作階段安全性; 網域控制站接受 LM、NTLM 及 NTLMv2 驗證。

傳送 LM 和 NTLM - 如有交涉,使用 NTLMv2 工作階段安全性: 用戶端使用 LM 和 NTLM 驗證,而且若伺服器支援,則會使用 NTLMv2 工作階段安全性; 網域控制站接受 LM、NTLM 以及 NTLMv2 驗證。

只傳送 NTLM 回應: 用戶端只使用 NTLM 驗證,而且若伺服器支援,則會使用 NTLMv2 工作階段安全性; 網域控制站接受 LM、NTLM 及 NTLMv2 驗證。

只傳送 NTLMv2 回應: 用戶端只使用 NTLMv2 驗證,而且若伺服器支援,則會使用 NTLMv2 工作階段安全性; 網域控制站接受 LM、NTLM 及 NTLMv2 驗證。

只傳送 NTLMv2 回應\拒絕 LM: 用戶端只使用 NTLMv2 驗證,而且若伺服器支援,則會使用 NTLMv2 工作階段安全性; 網域控制站拒絕 LM (只接受 NTLM 與 NTLMv2 驗證)。

只傳送 NTLMv2 回應\拒絕 LM 和 NTLM: 用戶端只使用 NTLMv2 驗證,而且若伺服器支援,則會使用 NTLMv2 工作階段安全性; 網域控制站拒絕 LM 和 NTLM (只接受 NTLMv2 驗證)。

重要

此設定會影響執行 Windows 2000 Server、Windows 2000 Professional、Windows XP Professional 及 Windows Server 2003 系列之電腦和執行 Windows NT 4.0 或更舊版本的電腦經由網路通訊的能力。例如,目前執行 Windows NT 4.0 SP4 或更舊版本的電腦並不支援 NTLMv2。執行 Windows 95 和 Windows 98 的電腦不支援 NTLM。

預設值:

Windows 2000 與 windows XP: 傳送 LM 和 NTLM 回應

Windows Server 2003: 只傳送 NTLM 回應

Windows Vista、Windows Server 2008、Windows 7 和 Windows Server 2008 R2: 只傳送 NTLMv2 回應

Network security: LAN Manager authentication level

This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows:

Send LM & NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication.

Send LM & NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication).

Send NTLMv2 response only\refuse LM & NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).

Important

This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM.

Default:

Windows 2000 and windows XP: send LM & NTLM responses

Windows Server 2003: Send NTLM response only

Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only

2015網路安全性: LDAP 用戶端簽章要求

此安全性設定決定代表發出 LDAP BIND 要求之用戶端所要求的資料簽章層級,如下:

無: LDAP BIND 要求隨呼叫者指定的選項發出。
交涉簽章: 若未啟動傳輸層安全性/安全通訊端層 (TLS\SSL),會隨呼叫者指定的選項以外的 LDAP 資料簽章選項初始化 LDAP BIND 要求。若已啟動 TLS\SSL,會隨呼叫者指定的選項初始化 LDAP BIND 要求。
要求簽章: 這和交涉簽章相同。不過,若 LDAP 伺服器的中繼 saslBindInProgress 回應未指示 LDAP 流量簽章為必要的,則會告知呼叫者 LDAP BIND 命令要求失敗。

警告

如果您將伺服器設定為 [要求簽章],那麼您也必須設定用戶端。如果未設定用戶端,會造成與伺服器的連線中斷。

注意: 此設定對於 ldap_simple_bind 或 ldap_simple_bind_s 沒有任何影響。Windows XP Professional 隨附的所有 Microsoft LDAP 用戶端均不使用 ldap_simple_bind 或 ldap_simple_bind_s 與網域控制站通訊。

預設值: 交涉簽章。

Network security: LDAP client signing requirements

This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows:

None: The LDAP BIND request is issued with the options that are specified by the caller.
Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller.
Require signature: This is the same as Negotiate signing. However, if the LDAP server's intermediate saslBindInProgress response does not indicate that LDAP traffic signing is required, the caller is told that the LDAP BIND command request failed.

Caution

If you set the server to Require signature, you must also set the client. Not setting the client results in a loss of connection with the server.

Note: This setting does not have any impact on ldap_simple_bind or ldap_simple_bind_s. No Microsoft LDAP clients that are shipped with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to talk to a domain controller.

Default: Negotiate signing.

2016網路安全性: NTLM SSP 為主的 (包含安全 RPC) 用戶端的最小工作階段安全性

此安全性設定允許用戶端要求 128 位元加密和/或 NTLMv2 工作階段安全性的交涉。這些值依存於 LAN Manager 驗證等級安全性設定值。選項如下:

要求 NTLMv2 工作階段安全性: 若未交涉 NTLMv2 通訊協定,連線將會失敗。
要求 128 位元加密: 若未交涉增強式加密 (128 位元),連線將會失敗。

預設值:

Windows XP、Windows Vista、Windows Server 2000、Windows Server 2003 和 Windows Server 2008: 沒有要求。

Windows 7 與 Windows Server 2008 R2: 要求 128 位元加密

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:

Require NTLMv2 session security: The connection will fail if NTLMv2 protocol is not negotiated.
Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.

Default:

Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.

Windows 7 and Windows Server 2008 R2: Require 128-bit encryption

2017網路安全性: NTLM SSP 為主的 (包含安全 RPC) 伺服器的最小工作階段安全性

此安全性設定允許伺服器要求 128 位元加密和/或 NTLMv2 工作階段安全性的交涉。這些值依存於 LAN Manager 驗證等級安全性設定值。選項如下:

要求 NTLMv2 工作階段安全性: 若未交涉訊息完整性,連線將會失敗。
要求 128 位元加密。若未交涉增強式加密 (128 位元),連線將會失敗。

預設值:

Windows XP、Windows Vista、Windows Server 2000、Windows Server 2003 和 Windows Server 2008: 沒有要求。

Windows 7 與 Windows Server 2008 R2: 要求 128 位元加密

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:

Require NTLMv2 session security: The connection will fail if message integrity is not negotiated.
Require 128-bit encryption. The connection will fail if strong encryption (128-bit) is not negotiated.

Default:

Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.

Windows 7 and Windows Server 2008 R2: Require 128-bit encryption

2018修復主控台: 允許自動系統管理登入

此安全性設定決定是否必須在授與系統存取權之前提供 Administrator 帳戶的密碼。如果啟用此選項,修復主控台不需要您提供密碼,且將會自動登入系統。

預設值: 未定義此原則,且將不會允許自動系統管理登入。

Recovery console: Allow automatic administrative logon

This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system.

Default: This policy is not defined and automatic administrative logon is not allowed.

2019修復主控台: 允許軟碟複製以及存取所有磁碟和所有資料夾

啟用此安全性選項便可以使用修復主控台 SET 命令,此命令可讓您設定下列修復主控台環境變數:

AllowWildCards: 對某些命令啟用萬用字元支援 (例如 DEL 命令)。
AllowAllPaths: 允許存取電腦上的所有檔案和資料夾。
AllowRemovableMedia: 允許將檔案複製到抽取式媒體,例如磁片。
NoCopyPrompt: 不要提示正在覆寫現有的檔案。

預設值: 未定義此原則,且修復主控台 SET 命令無法使用。

Recovery console: Allow floppy copy and access to all drives and all folders

Enabling this security option makes the Recovery Console SET command available, which allows you to set the following Recovery Console environment variables:

AllowWildCards: Enable wildcard support for some commands (such as the DEL command).
AllowAllPaths: Allow access to all files and folders on the computer.
AllowRemovableMedia: Allow files to be copied to removable media, such as a floppy disk.
NoCopyPrompt: Do not prompt when overwriting an existing file.

Default: This policy is not defined and the recover console SET command is not available.

2020關機: 允許不登入就將系統關機

此安全性設定決定是否無需登入 Windows 便能夠將電腦關機。

啟用此原則時,Windows 登入畫面上可以使用 [關機] 命令。

停用此原則時,Windows 登入畫面上不會顯示將電腦關機的選項。在這種情況下,使用者必須要能順利登入電腦,取得關閉系統使用者權限之後,才能執行系統關機操作。

在工作站上的預設值: 啟用。
在伺服器上的預設值: 停用。

Shutdown: Allow system to be shut down without having to log on

This security setting determines whether a computer can be shut down without having to log on to Windows.

When this policy is enabled, the Shut Down command is available on the Windows logon screen.

When this policy is disabled, the option to shut down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the computer successfully and have the Shut down the system user right before they can perform a system shutdown.

Default on workstations: Enabled.
Default on servers: Disabled.

2021關機: 清除虛擬記憶體分頁檔

此安全性設定決定系統關機時是否清除虛擬記憶體分頁檔。

虛擬記憶體支援使用系統分頁檔交換不使用的記憶體分頁至磁碟。在執行的系統上,此分頁檔由作業系統獨佔開啟,並且受到保護。不過,未設定允許以其他作業系統開機的系統,可能必須確定系統分頁檔在此系統關機時已刪除完畢。這樣可確保可能進入分頁檔的處理程序記憶體中的敏感資料,不會被直接存取分頁檔的未經授權使用者使用。

當啟用此原則時,在正常關機時會清除系統分頁檔。若您啟用此安全性選項,當停用休眠時,也會清除休眠檔案 (hiberfil.sys)。

預設值: 已停用。

Shutdown: Clear virtual memory pagefile

This security setting determines whether the virtual memory pagefile is cleared when the system is shut down.

Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile.

When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled.

Default: Disabled.

2022系統密碼編譯: 對使用者儲存在電腦上的金鑰強制使用增強式金鑰保護

此安全性設定決定是否需要密碼才能使用使用者的私密金鑰。

選項如下:

當新金鑰被儲存及使用時,不要求使用者的輸入
金鑰第一次使用時提示使用者輸入
使用者必須在每次使用金鑰時輸入密碼
如需詳細資訊,請參閱「公開金鑰基礎結構」。

預設值: 這個原則尚未定義。

System Cryptography: Force strong key protection for user keys stored on the computer

This security setting determines if users' private keys require a password to be used.

The options are:

User input is not required when new keys are stored and used
User is prompted when the key is first used
User must enter a password each time they use a key
For more information, see Public key infrastructure.

Default: This policy is not defined.

2023系統密碼編譯: 使用 FIPS 140 相容密碼編譯演算法,包括加密、雜湊與簽署演算法

對於 Schannel Security Service Provider (SSP),此安全性設定會停用強度較低的安全通訊端層 (SSL) 通訊協定,而且只支援傳輸層安全性 (TLS) 通訊協定做為用戶端與伺服器 (如果適用)。如果啟用此設定,傳輸層安全性/安全通訊端層 (TLS/SSL) 安全性提供者只會使用 FIPS 140 核准的密碼編譯演算法: 3DES 與 AES 用於加密、RSA 或 ECC 公開金鑰密碼編譯用於 TLS 金鑰交換與驗證,而且只有安全雜湊演算法 (SHA1、SHA256、SHA384 與 SHA512) 用於 TLS 雜湊需求。

對於加密檔案系統服務 (EFS),它支援使用三重資料加密標準 (DES) 與進階加密標準 (AES) 加密演算法來加密 NTFS 檔案系統支援的檔案資料。根據預設值,EFS 在 Windows Server 2003 與 Windows Vista 系列產品中使用進階加密標準 (AES) 演算法搭配 256 位元金鑰來加密檔案資料,而在 Windows XP 中使用 DESX 演算法來加密檔案資料。如需 EFS 的相關資訊,請參閱<加密檔案系統>。

對於遠端桌面服務,它只支援使用三重 DES 加密演算法來加密遠端桌面服務網路通訊。

注意: 遠端桌面服務在舊版的 Windows Server 中稱為「終端機服務」。

對於 BitLocker,在產生任何加密金鑰之前,必須先啟用此原則。啟用此原則時建立的修復密碼與 Windows 8、Windows Server 2012 與較舊之作業系統上的 BitLocker 不相容。若將此原則套用到執行 Windows 8.1 與 Windows Server 2012 R2 之前之作業系統的電腦,BitLocker 會使得您建立或使用修復密碼; 您應該改為為那些電腦使用修復金鑰。

預設值: 已停用。

注意: 美國聯邦資訊處理標準 (FIPS) 140 是針對認證密碼編譯軟體所設計的安全性實作。FIPS 140 驗證的軟體是美國政府和其他著名機構所要求的。

System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms

For the Schannel Security Service Provider (SSP), this security setting disables the weaker Secure Sockets Layer (SSL) protocols and supports only the Transport Layer Security (TLS) protocols as a client and as a server (if applicable). If this setting is enabled, Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider uses only the FIPS 140 approved cryptographic algorithms: 3DES and AES for encryption, RSA or ECC public key cryptography for the TLS key exchange and authentication, and only the Secure Hashing Algorithm (SHA1, SHA256, SHA384, and SHA512) for the TLS hashing requirements.

For Encrypting File System Service (EFS), it supports the Triple Data Encryption Standard (DES) and Advanced Encryption Standard (AES) encryption algorithms for encrypting file data supported by the NTFS file system. By default, EFS uses the Advanced Encryption Standard (AES) algorithm with a 256-bit key in the Windows Server 2003 and Windows Vista family and DESX algorithm in Windows XP for encrypting file data. For information about EFS, see Encrypting File System.

For Remote Desktop Services, it supports only the Triple DES encryption algorithm for encrypting Remote Desktop Services network communication.

Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.

For BitLocker, this policy needs to be enabled before any encryption key is generated. Recovery passwords created when this policy is enabled are incompatible with BitLocker on Windows 8, Windows Server 2012, and earlier operating systems. If this policy is applied to computers running operating systems prior to Windows 8.1 and Windows Server 2012 R2, BitLocker will prevent the creation or use of recovery passwords; recovery keys should be used for those computers instead.

Default: Disabled.

Note: The Federal Information Processing Standard (FIPS) 140 is a security implementation designed for certifying cryptographic software. FIPS 140 validated software is required by the U.S. Government and requested by other prominent institutions.

2024系統物件: Administrators 群組成員所建立物件的預設擁有者
描述
此安全性設定決定當 Administrators 群組的成員建立物件時,會將物件的擁有者指派給哪些安全性主體 (SID)。
預設值:
Windows XP: 使用者 SID
Windows 2003 : Administrators 群組
System objects: Default owner for objects created by members of the Administrators group
Description
This security setting determines which security principal (SID) will be assigned the OWNER of objects when the object is created by a member of the Administrators Group.
Default:
Windows XP: User SID
Windows 2003 : Administrators Group
2025系統物件: 要求不區分大小寫用於非 Windows 子系統

此安全性設定決定是否要強制所有子系統區分大小寫。Win32 子系統不會區分大小寫。但是如 POSIX 等其他子系統的核心支援區分大小寫。

如果啟用此設定,便會強制所有目錄物件、符號連結及 IO 物件 (包括檔案物件在內) 區分大小寫。停用此設定就不允許 Win32 子系統區分大小寫。

預設值: 已啟用。

System objects: Require case insensitivity for non-Windows subsystems

This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX.

If this setting is enabled, case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. Disabling this setting does not allow the Win32 subsystem to become case sensitive.

Default: Enabled.

2026系統物件: 加強內部系統物件的預設權限 (例如: 符號連結)

此安全性設定決定物件的預設判別存取控制清單 (DACL) 的強度。

Active Directory 維護共用系統資源 (例如 DOS 裝置名稱、Mutex 及信號) 的全域清單。如此,便可在程序之間找到和共用物件。每種類型的物件都會建立一個預設的 DACL,它指定誰可以存取物件和所授與的權限為何。

若啟用此原則,預設的 DACL 較強,允許非系統管理員的使用者讀取共用物件,但不允許這些使用者修改不是他們建立的共用物件。

預設值: 已啟用。

System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links)

This security setting determines the strength of the default discretionary access control list (DACL) for objects.

Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted.

If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify shared objects that they did not create.

Default: Enabled.

2027系統設定: 選擇性的子系統

此安全性設定決定可選擇性啟動哪些子系統以支援您的應用程式。使用此安全性設定,可依您的環境需求指定任意數目的子系統以支援您的應用程式。

預設值: POSIX。

System settings: Optional subsystems

This security setting determines which subsystems can optionally be started up to support your applications. With this security setting, you can specify as many subsystems to support your applications as your environment demands.

Default: POSIX.

2028系統設定: 於軟體限制原則對 Windows 可執行檔使用憑證規則

此設定決定當使用者或處理程序嘗試執行副檔名為 .exe 的軟體時,是否要處理數位憑證。此安全性設定可用來啟用或停用憑證規則 (一種軟體限制原則規則)。使用軟體限制原則,您可以建立憑證規則,以允許或禁止由 Authenticode 簽署的軟體以該軟體關聯的數位憑證為基礎來執行。為使憑證規則生效,您必須啟用此安全性設定。

當啟用憑證規則時,軟體限制原則會檢查憑證撤銷清單 (CRL),以確認軟體的憑證和簽署正確。這在簽署的程式啟動時會降低效能。您可以停用此功能。在 [受信任的發行者內容] 中,清除 [發行者] 和 [時間戳記] 核取方塊。如需詳細資訊,請參閱<設定受信任的發行者選項>。

預設值: 已停用。

System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies

This security setting determines if digital certificates are processed when a user or process attempts to run software with an .exe file name extension. This security settings is used to enable or disable certificate rules, a type of software restriction policies rule. With software restriction policies, you can create a certificate rule that will allow or disallow software that is signed by Authenticode to run, based on the digital certificate that is associated with the software. In order for certificate rules to take effect, you must enable this security setting.

When certificate rules are enabled, software restriction policies will check a certificate revocation list (CRL) to make sure the software's certificate and signature are valid. This may decrease performance when start signed programs. You can disable this feature. On Trusted Publishers Properties, clear the Publisher and Timestamp check boxes. For more information, see Set trusted publisher options.

Default: Disabled.

2029應用程式記錄檔大小最大值

此安全性設定指定應用程式事件記錄檔的大小上限,理論上最大值為 4 GB。實際上限制更低 (~300MB)。

注意

記錄檔大小必須是 64 KB 的倍數。若您輸入的值不是 64 KB 的倍數,事件檢視器會將記錄檔大小捨入為 64 KB 的倍數。
此設定不會顯示在本機電腦原則物件中。
在設計您企業的安全性計劃時,事件記錄檔大小和記錄檔換行應定義為符合您所決定的商務及安全性需求。為利用「群組原則」設定,請考慮在站台、網域或組織單位層級實作這些事件記錄檔設定。
預設值: Windows Server 2003 系列為 16 MB; Windows XP Professional Service Pack 1 為 8 MB; Windows XP Professional 為 512 KB。

Maximum application log size

This security setting specifies the maximum size of the application event log, which has a theoretical maximum of 4 GB. Practically the limit is lower (~300MB).

Notes

Log file sizes must be a multiple of 64 KB. If you enter a value that is not a multiple of 64 KB, Event Viewer will round he log file size up to a multiple of 64 KB.
This setting does not appear in the Local Computer Policy object.
Event Log size and log wrapping should be defined to match the business and security requirements you determined when designing your enterprise security plan. Consider implementing these Event Log settings at the site, domain, or organizational unit level, to take advantage of Group Policy settings.
Default: For the Windows Server 2003 family, 16 MB; for Windows XP Professional Service Pack 1, 8 MB; for Windows XP Professional, 512 KB.

2030安全性記錄檔大小最大值

此安全性設定指定安全性事件記錄檔的大小上限,理論上最大值為 4 GB。實際上限制更低 (~300MB)。

注意

記錄檔大小必須是 64 KB 的倍數。若您輸入的值不是 64 KB 的倍數,事件檢視器會將記錄檔大小捨入為 64 KB 的倍數。
此設定不會顯示在本機電腦原則物件中。
在設計您企業的安全性計劃時,事件記錄檔大小和記錄檔換行應定義為符合您所決定的商務及安全性需求。為利用「群組原則」設定,請考慮在站台、網域或組織單位層級實作這些事件記錄檔設定。
預設值: Windows Server 2003 系列為 16 MB; Windows XP Professional Service Pack 1 為 8 MB; Windows XP Professional 為 512 KB。

Maximum security log size

This security setting specifies the maximum size of the security event log, which has a theoretical maximum of 4 GB. Practically the limit is lower (~300MB).

Notes

Log file sizes must be a multiple of 64 KB. If you enter a value that is not a multiple of 64 KB, Event Viewer will round he log file size up to a multiple of 64 KB.
This setting does not appear in the Local Computer Policy object.
Event Log size and log wrapping should be defined to match the business and security requirements you determined when designing your enterprise security plan. Consider implementing these Event Log settings at the site, domain, or organizational unit level, to take advantage of Group Policy settings.
Default: For the Windows Server 2003 family, 16 MB; for Windows XP Professional Service Pack 1, 8 MB; for Windows XP Professional, 512 KB.

2031系統記錄檔大小最大值

此安全性設定指定系統事件記錄檔的大小上限,理論上最大值為 4 GB。實際上限制更低 (~300MB)。

注意

記錄檔大小必須是 64 KB 的倍數。若您輸入的值不是 64 KB 的倍數,事件檢視器會將記錄檔大小捨入為 64 KB 的倍數。
此設定不會顯示在本機電腦原則物件中。
在設計您企業的安全性計劃時,事件記錄檔大小和記錄檔換行應定義為符合您所決定的商務及安全性需求。為利用「群組原則」設定,請考慮在站台、網域或組織單位層級實作這些事件記錄檔設定。
預設值: Windows Server 2003 系列為 16 MB; Windows XP Professional Service Pack 1 為 8 MB; Windows XP Professional 為 512 KB。

Maximum system log size

This security setting specifies the maximum size of the system event log, which has a theoretical maximum of 4 GB. Practically the limit is lower (~300MB).

Notes

Log file sizes must be a multiple of 64 KB. If you enter a value that is not a multiple of 64 KB, Event Viewer will round he log file size up to a multiple of 64 KB.
This setting does not appear in the Local Computer Policy object.
Event Log size and log wrapping should be defined to match the business and security requirements you determined when designing your enterprise security plan. Consider implementing these Event Log settings at the site, domain, or organizational unit level, to take advantage of Group Policy settings.
Default: For the Windows Server 2003 family, 16 MB; for Windows XP Professional Service Pack 1, 8 MB; for Windows XP Professional, 512 KB.

2032禁止本機來賓群組與匿名登入使用者存取應用程式記錄檔

此安全性設定決定是否阻止來賓存取應用程式事件記錄檔。

注意

此設定不會顯示在本機電腦原則物件中。

此安全性設定只會影響執行 Windows 2000 及 Windows XP 的電腦。

預設值: Windows XP 為 [已啟用],Windows 2000 為 [已停用]。
Prevent local guests group and ANONYMOUS LOGIN users from accessing application log

This security setting determines if guests are prevented from accessing the application event log.

Notes

This setting does not appear in the Local Computer Policy object.

This security setting affects only computers running Windows 2000 and Windows XP.

Default: Enabled for Windows XP, Disabled for Windows 2000
2033禁止本機來賓群組與匿名登入使用者存取安全性記錄檔

此安全性設定決定是否禁止來賓存取應用程式事件記錄檔。

注意

此設定不會顯示在本機電腦原則物件中。

此安全性設定只會影響執行 Windows 2000 及 Windows XP 的電腦。

預設值: Windows XP 為 [已啟用],Windows 2000 為 [已停用]。
Prevent local guests group and ANONYMOUS LOGIN users from accessing security log

This security setting determines if guests are prevented from accessing the application event log.

Notes

This setting does not appear in the Local Computer Policy object.

This security setting affects only computers running Windows 2000 and Windows XP.

Default: Enabled for Windows XP, Disabled for Windows 2000
2034禁止本機來賓群組與匿名登入使用者存取系統記錄檔

此安全性設定決定是否禁止來賓存取應用程式事件記錄檔。

注意

此設定不會顯示在本機電腦原則物件中。

此安全性設定只會影響執行 Windows 2000 及 Windows XP 的電腦。

預設值: Windows XP 為 [已啟用],Windows 2000 為 [已停用]。
Prevent local guests group and ANONYMOUS LOGIN users from accessing system log

This security setting determines if guests are prevented from accessing the application event log.

Notes

This setting does not appear in the Local Computer Policy object.

This security setting affects only computers running Windows 2000 and Windows XP.

Default: Enabled for Windows XP, Disabled for Windows 2000
2035保持應用程式記錄檔

此安全性設定決定應用程式記錄檔要保留事件的天數,如果應用程式記錄保持方法是「依日期」。

只有當您會以排定的間隔封存記錄檔,並確定應用程式記錄檔大小最大值足以滿足此間隔時,才設定這個值。

注意: 此設定不會顯示在本機電腦原則物件中。
預設值: 無。

Retain application log

This security setting determines the number of days' worth of events to be retained for the application log if the retention method for the application log is By Days.

Set this value only if you archive the log at scheduled intervals and you make sure that the Maximum application log size is large enough to accommodate the interval.

Note: This setting does not appear in the Local Computer Policy object.
Default: None.

2036保持安全性記錄檔

此安全性設定可以決定安全性記錄檔要保留事件的天數,如果安全性記錄檔保持方法是「依日期」。

只有當您會以排定的間隔封存記錄檔,並確定安全性記錄檔大小最大值足以滿足此間隔時,才設定這個值。

注意
此設定不會顯示在本機電腦原則物件中。
使用者必須擁有管理稽核及安全性記錄檔使用者權限才能存取安全性記錄檔。
預設值: 無。

Retain security log

This security setting determines the number of days' worth of events to be retained for the security log if the retention method for the security log is By Days.

Set this value only if you archive the log at scheduled intervals and you make sure that the Maximum security log size is large enough to accommodate the interval.

Notes
This setting does not appear in the Local Computer Policy object.
A user must possess the Manage auditing and security log user right to access the security log.
Default: None.

2037保持系統記錄檔

此安全性設定決定系統記錄檔要保留事件的天數,如果系統記錄保持方法是「依日期」。

只有當您會以排定的間隔封存記錄檔,並確定系統記錄檔大小最大值足以滿足此間隔時,才設定這個值。

注意: 本機電腦原則物件中不會顯示此設定。
預設值: 無。

Retain system log

This security setting determines the number of days' worth of events to be retained for the system log if the retention method for the system log is By Days.

Set this value only if you archive the log at scheduled intervals and you make sure that the Maximum system log size is large enough to accommodate the interval.

Note: This setting does not appear in the Local Computer Policy object.
Default: None.

2038應用程式記錄檔保持方法

此安全性設定決定應用程式記錄檔的「封存」方法。

如果您不要封存應用程式記錄檔,請在此原則的 [內容] 對話方塊選取 [定義這個原則設定] 核取方塊,然後按一下 [視需要覆寫事件]。

如果您在排定的間隔封存記錄檔,請在此原則的 [內容] 對話方塊選取 [定義這個原則設定] 核取方塊,然後按一下 [依日期覆寫事件],並在 [應用程式記錄保留天數] 設定中指定適當的天數。請確認應用程式記錄檔大小最大值足以滿足此間隔。

如果您必須保留記錄檔中的所有事件,請在此原則的 [內容] 對話方塊選取 [定義這個原則設定] 核取方塊,然後按一下 [不要覆寫事件 (以手動方式清除記錄)]。此選項需要手動清除記錄檔。在這個狀況下,當達到記錄檔大小最大值時,就會捨棄新事件。

注意: 此設定不會顯示在本機電腦原則物件中。

預設值: 無。

Retention method for application log

This security setting determines the "wrapping" method for the application log.

If you do not archive the application log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events as needed.

If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events by days and specify the appropriate number of days in the Retain application log setting. Make sure that the Maximum application log size is large enough to accommodate the interval.

If you must retain all the events in the log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Do not overwrite events (clear log manually). This option requires that the log be cleared manually. In this case, when the maximum log size is reached, new events are discarded.

Note: This setting does not appear in the Local Computer Policy object.

Default: None.

2039安全性記錄檔保持方法

此安全性設定決定安全性記錄檔的「封存」方法。

如果您不要封存安全性記錄檔,請在此原則的 [內容] 對話方塊選取 [定義這個原則設定] 核取方塊,然後按一下 [視需要覆寫事件]。

如果您在排定的間隔封存記錄檔,請在此原則的 [內容] 對話方塊選取 [定義這個原則設定] 核取方塊,然後按一下 [依日期覆寫事件],並在 [安全性記錄檔保留天數] 設定中指定適當的天數。請確認安全性記錄檔大小最大值足以滿足此間隔。

如果您必須保留記錄檔中的所有事件,請在此原則的 [內容] 對話方塊選取 [定義這個原則設定] 核取方塊,然後按一下 [不要覆寫事件 (以手動方式清除記錄)]。此選項需要手動清除記錄檔。在這個狀況下,當達到記錄檔大小最大值時,就會捨棄新事件。

注意

此設定不會顯示在本機電腦原則物件中。

使用者必須擁有管理稽核及安全性記錄檔使用者權限才能存取安全性記錄檔。

預設值: 無。
Retention method for security log

This security setting determines the "wrapping" method for the security log.

If you do not archive the security log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events as needed.

If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events by days and specify the appropriate number of days in the retain security log setting. Make sure that the Maximum security log size is large enough to accommodate the interval.

If you must retain all the events in the log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Do not overwrite events (clear log manually). This option requires that the log be cleared manually. In this case, when the maximum log size is reached, new events are discarded.

Notes

This setting does not appear in the Local Computer Policy object.

A user must possess the Manage auditing and security log user right to access the security log.

Default: None.
2040系統記錄檔保持方法

此安全性設定決定系統記錄檔的「封存」方法。

如果您不要封存系統記錄檔,請在此原則的 [內容] 對話方塊選取 [定義這個原則設定] 核取方塊,然後按一下 [視需要覆寫事件]。

如果您在排定的間隔封存記錄檔,請在此原則的 [內容] 對話方塊選取 [定義這個原則設定] 核取方塊,然後按一下 [依日期覆寫事件],並在 [系統記錄保留天數] 設定中指定適當的天數。請確認系統記錄檔大小最大值足以滿足此間隔。

如果您必須保留記錄檔中的所有事件,請在此原則的 [內容] 對話方塊選取 [定義這個原則設定] 核取方塊,然後按一下 [不要覆寫事件 (以手動方式清除記錄)]。此選項需要手動清除記錄檔。在這個狀況下,當達到記錄檔大小最大值時,就會捨棄新事件。

注意: 此設定不會顯示在本機電腦原則物件中。

預設值: 無。
Retention method for system log

This security setting determines the "wrapping" method for the system log.

If you do not archive the system log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events as needed.

If you archive the log at scheduled intervals, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Overwrite events by days and specify the appropriate number of days in the Retain system log setting. Make sure that the Maximum system log size is large enough to accommodate the interval

.If you must retain all the events in the log, in the Properties dialog box for this policy, select the Define this policy setting check box, and then click Do not overwrite events (clear log manually). This option requires that the log be cleared manually. In this case, when the maximum log size is reached, new events are discarded

Note: This setting does not appear in the Local Computer Policy object.

Default: None.
2041受限群組

此安全性設定允許系統管理員定義安全性群組 (受限群組) 的兩種內容。

這兩種內容為「成員」和「成員隸屬」。[成員] 清單定義屬於受限群組的人員。[成員隸屬] 清單指定受限群組還屬於其他哪些群組。

當強制執行受限群組原則時,會移除不在 [成員] 清單中的受限群組的目前成員,並新增 [成員] 清單中目前不是受限群組成員的所有使用者。

您可以使用受限群組原則來控制群組成員資格。使用此原則,您可以指定群組的成員。原則中未指定的所有成員,在設定或重新整理期間會被移除。此外,[反向成員資格設定] 選項可確保每個受限群組僅屬於 [成員隸屬] 欄位指定之群組的成員。

例如,您可以建立受限群組原則,只允許指定使用者 (如 Alice 和 John) 屬於 Administrators 群組的成員。當重新整理原則時,只有 Alice 和 John 仍然是 Administrators 群組的成員。

有兩種方法可以套用受限群組原則:

在安全性範本中定義原則,這樣將在設定期間套用至您的本機電腦。
直接在群組原則物件 (GPO) 上定義設定,這表示每次重新整理原則時就會生效。在工作站或伺服器上,安全性設定每 90 分鐘會重新整理一次; 在網域控制站則是每 5 分鐘一次。不論是否有所變更,每隔 16 個小時也會重新整理一次設定。
預設值: 沒有指定。

警告

如果已定義受限群組原則,並已重新整理群組原則,就會移除目前不在受限群組原則成員清單中的所有成員。這可能包括預設成員,例如系統管理員。

注意

受限群組主要應該用來設定工作站或成員伺服器上本機群組的成員資格。
空的 [成員] 清單表示受限群組沒有成員; 空的 [成員隸屬] 清單表示未指定受限群組所屬之群組。

Restricted Groups

This security setting allows an administrator to define two properties for security-sensitive groups ("restricted" groups).

The two properties are Members and Member Of. The Members list defines who belongs and who does not belong to the restricted group. The Member Of list specifies which other groups the restricted group belongs to.

When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added.

You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. In addition, the reverse membership configuration option ensures that each Restricted Group is a member of only those groups that are specified in the Member Of column.

For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.

There are two ways to apply Restricted Groups policy:

Define the policy in a security template, which will be applied during configuration on your local computer.
Define the setting on a Group Policy object (GPO) directly, which means that the policy goes into effect with every refresh of policy. The security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller. The settings are also refreshed every 16 hours, whether or not there are any changes.
Default: None specified.

Caution

If a Restricted Groups policy is defined and Group Policy is refreshed, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators.

Notes

Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers.
An empty Members list means that the restricted group has no members; an empty Member Of list means that the groups to which the restricted group belongs are not specified.

2042系統服務安全性設定值

允許系統管理員定義所有系統服務的啟動模式 (手動、自動或已停用) 以及存取權限 (啟動、停止或暫停)。

預設值: 未定義。

注意

本機電腦原則物件中不會顯示此設定。
如果選擇將系統服務啟動設定為 [自動],請執行適當測試以確定服務不需要使用者操作便能夠啟動。
為了要最佳化效能,請將不需要或不使用的服務設定為 [手動]。

System Services security settings

Allows an administrator to define the startup mode (manual, automatic, or disabled) as well as the access permissions (Start, Stop, or Pause) for all system services.

Default: Undefined.

Notes

This setting does not appear in the Local Computer Policy object.
If you choose to set system service startup to Automatic, perform adequate testing to verify that the services can start without user intervention.
For performance optimization, set unnecessary or unused services to Manual.

2043登錄安全性設定值

允許系統管理員使用安全性設定管理員,來定義登錄機碼的存取權限 (在判別存取控制清單 (DACL) 上) 和稽核設定 (在系統存取控制清單 (SACL) 上)。

預設值: 未定義。

注意: 本機電腦原則物件中不會顯示此設定。

Registry security settings

Allows an administrator to define access permissions (on discretionary access control lists (DACLs)) and audit settings (on system access control lists (SACLs)) for registry keys using Security Configuration Manager.

Default: Undefined.

Note: This setting does not appear in the Local Computer Policy object.

2044檔案系統安全性設定值

允許系統管理員使用安全性設定管理員,來定義檔案系統物件的存取權限 (在判別存取控制清單 (DACL) 上) 和稽核設定 (在系統存取控制清單 (SACL) 上)。

預設值: 未定義。

注意: 本機電腦原則物件中不會顯示此設定。
File System security settings

Allows an administrator to define access permissions (on discretionary access control lists (DACLs)) and audit settings (on system access control lists (SACLs)) for file system objects using Security Configuration Manager.

Default: Undefined.

Note: This setting does not appear in the Local Computer Policy object.
2045稽核: 強制執行稽核原則子類別設定 (Windows Vista 或更新版本) 以覆寫稽核原則類別設定。

Windows Vista 及更新版本的 Windows 允許使用稽核原則子類別,以更精確的方式來管理稽核原則。在類別層級設定稽核原則,將會覆寫新的子類別稽核原則功能。群組原則只允許稽核原則可以在類別層級設定,而且因為新機器會加入網域或者升級至 Windows Vista 或更新的版本,所以現有的群組原則可以覆寫新機器的子類別設定。為了讓稽核原則不需變更群組原則即可使用子類別來管理,在 Windows Vista 與更新版本中有新的登錄值 SCENoApplyLegacyAuditPolicy,可防止將類別層級稽核原則套用到群組原則及 [本機安全性原則] 系統管理工具。

如果在這裡設定的類別層級稽核原則與目前產生的事件不一致,其原因可能是已設定此登錄機碼。

預設值: 啟用
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.

Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category level, and existing group policy may override the subcategory settings of new machines as they are joined to the domain or upgraded to Windows Vista or later versions. To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool.

If the category level audit policy set here is not consistent with the events that are currently being generated, the cause might be that this registry key is set.

Default: Enabled
2046使用者帳戶控制: 使用內建的 Administrator 帳戶的管理員核准模式

此原則設定會控制內建的 Administrator 帳戶的管理員核准模式行為。

選項如下:

• 已啟用: 內建的 Administrator 帳戶使用管理員核准模式。根據預設,任何需要提升權限的操作都會提示使用者核准操作。

• 已停用: (預設值) 內建的 Administrator 帳戶將以完整的系統管理權限執行所有應用程式。
User Account Control: Use Admin Approval Mode for the built-in Administrator account

This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account.

The options are:

• Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the operation.

• Disabled: (Default) The built-in Administrator account runs all applications with full administrative privilege.
2047DCOM: 以 Security Descriptor Definition Language (SDDL) 語法表示的電腦存取限制

此原則設定會決定哪些使用者或群組可以從遠端或本機存取 DCOM 應用程式。此設定是用來控制電腦 DCOM 應用程式的攻擊面。

您可以使用此原則設定來指定特定使用者對於企業中所有電腦之 DCOM 應用程式的存取權限。當您指定要授與權限的使用者或群組時,會使用那些群組和權限的 Security Descriptor Definition Language 表示法來填寫安全性描述元欄位。如果安全性描述元仍為空白,原則設定會在範本中定義,但不會強制執行。您可以將 [本機存取] 和 [遠端存取] 的 [允許] 或 [拒絕] 權限明確地授與使用者和群組。

由於啟用 [DCOM: 以 Security Descriptor Definition Language (SDDL) 語法表示的電腦存取限制] 而建立之登錄設定的優先順序會高於此區域中先前的登錄設定。遠端程序呼叫服務 (RpcSs) 會檢查新登錄機碼之 [Policies] 區段的電腦限制,而且這些登錄項目的優先順序高於 OLE 下的現有登錄機碼。這表示先前的登錄設定已不再有效,而且如果您變更現有的設定,將不會變更使用者的電腦存取權限。設定其使用者和群組清單時請特別小心。

此原則設定的可能值如下:

空白: 這代表刪除原則強制機碼的本機安全性原則方式。此值會刪除原則,然後將它設定為 [未定義] 狀態。若要設定 [空白] 值,您可以使用 ACL 編輯器並清空該清單,然後按一下 [確定]。

SDDL: 這是當您啟用此原則時,您指定之群組與權限的 Security Descriptor Definition Language 表示法。

未定義: 這是預設值。

注意:
若系統管理員由於 Windows 中的 DCOM 變更,而未被授與存取 DCOM 應用程式的權限,系統管理員可以使用 [DCOM: 以 Security Descriptor Definition Language (SDDL) 語法表示的電腦存取限制] 原則設定來管理電腦的 DCOM 存取權。系統管理員可以使用此設定,指定哪些使用者和群組可以從遠端或本機存取電腦上的 DCOM 應用程式。這樣可還原系統管理員和使用者對於 DCOM 應用程式的控制。若要執行此動作,請開啟 [DCOM: 以 Security Descriptor Definition Language (SDDL) 語法表示的電腦存取限制] 設定,然後按一下 [編輯安全性]。指定您要包含的群組,以及這些群組的電腦存取權限。這樣可定義設定,並設定適當的 SDDL 值。



DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax

This policy setting determines which users or groups can access DCOM application remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications.

You can use this policy setting to specify access permissions to all the computers to particular users for DCOM applications in the enterprise. When you specify the users or groups that are to be given permission, the security descriptor field is populated with the Security Descriptor Definition Language representation of those groups and privileges. If the security descriptor is left blank, the policy setting is defined in the template, but it is not enforced. Users and groups can be given explicit Allow or Deny privileges on both local access and remote access.

The registry settings that are created as a result of enabling the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting take precedence over (have higher priority) the previous registry settings in this area. Remote Procedure Call Services (RpcSs) checks the new registry keys in the Policies section for the computer restrictions, and these registry entries take precedence over the existing registry keys under OLE. This means that previously existing registry settings are no longer effective, and if you make changes to the existing settings, computer access permissions for users are not changed. Use care in configuring their list of users and groups.

The possible values for this policy setting are:

Blank: This represents the local security policy way of deleting the policy enforcement key. This value deletes the policy and then sets it as Not defined state. The Blank value is set by using the ACL editor and emptying the list, and then pressing OK.

SDDL: This is the Security Descriptor Definition Language representation of the groups and privileges you specify when you enable this policy.

Not Defined: This is the default value.

Note
If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in Windows, the administrator can use the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting to manage DCOM access to the computer. The administrator can specify which users and groups can access the DCOM application on the computer both locally and remotely by using this setting. This will restore control of the DCOM application to the administrator and users. To do this, open the DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax setting, and click Edit Security. Specify the groups you want to include and the computer access permissions for those groups. This defines the setting and sets the appropriate SDDL value.



2048DCOM: 以 Security Descriptor Definition Language (SDDL) 語法表示的電腦啟動限制

此原則設定會決定哪些使用者或群組可從遠端或本機啟動或啟用 DCOM 應用程式。此設定是用來控制電腦 DCOM 應用程式的攻擊面。

您可以使用此設定來授與使用者對於所有電腦中 DCOM 應用程式的存取權。當您定義此設定並指定要授與權限的使用者或群組時,會使用那些群組和權限的 Security Descriptor Definition Language 表示法來填寫安全性描述元欄位。如果安全性描述元仍為空白,原則設定會在範本中定義,但不會強制執行。您可以將 [本機啟動]、[遠端啟動]、[本機啟用] 和 [遠端啟用] 的 [允許] 或 [拒絕] 權限明確地授與使用者和群組。

因而建立之登錄設定的優先順序會高於此區域中先前的登錄設定。遠端程序呼叫服務 (RpcSs) 會檢查新登錄機碼之 [Policies] 區段的電腦限制; 這些登錄項目的優先順序高於 OLE 下的現有登錄機碼。

此群組原則設定的可能值如下:

空白: 這代表刪除原則強制機碼的本機安全性原則方式。此值會刪除原則,然後將它設定為 [未定義] 狀態。若要設定 [空白] 值,您可以使用 ACL 編輯器並清空該清單,然後按一下 [確定]。

SDDL: 這是當您啟用此原則時,您指定之群組與權限的 Security Descriptor Definition Language 表示法。

未定義: 這是預設值。

注意:
若系統管理員由於此版本 Windows 之 DCOM 的變更,而未被授與啟動和啟用 DCOM 應用程式的權限,系統管理員可以使用此原則設定來控制電腦的 DCOM 啟動和啟用。系統管理員可以使用 [DCOM: 以 Security Descriptor Definition Language (SDDL) 語法表示的電腦啟動限制] 原則設定,指定哪些使用者和群組可以從本機和遠端啟動和啟用電腦上的 DCOM 應用程式。這樣可還原系統管理員和指定之使用者對於 DCOM 應用程式的控制。若要執行此動作,請開啟 [DCOM: 以 Security Descriptor Definition Language (SDDL) 語法表示的電腦啟動限制] 設定,然後按一下 [編輯安全性]。指定您要包含的群組,以及這些群組的電腦啟動權限。這樣可定義設定,並設定適當的 SDDL 值。


DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax

This policy setting determines which users or groups can launch or activate DCOM applications remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications.

You can use this setting to grant access to all the computers to users of DCOM applications. When you define this setting, and specify the users or groups that are to be given permission, the security descriptor field is populated with the Security Descriptor Definition Language representation of those groups and privileges. If the security descriptor is left blank, the policy setting is defined in the template, but it is not enforced. Users and groups can be given explicit Allow or Deny privileges on local launch, remote launch, local activation, and remote activation.

The registry settings that are created as a result of this policy take precedence over the previous registry settings in this area. Remote Procedure Call Services (RpcSs) checks the new registry keys in the Policies section for the computer restrictions; these entries take precedence over the existing registry keys under OLE.

The possible values for this Group Policy setting are:

Blank: This represents the local security policy way of deleting the policy enforcement key. This value deletes the policy and then sets it to Not defined state. The Blank value is set by using the ACL editor and emptying the list, and then pressing OK.

SDDL: This is the Security Descriptor Definition Language representation of the groups and privileges you specify when you enable this policy.

Not Defined: This is the default value.

Note
If the administrator is denied access to activate and launch DCOM applications due to the changes made to DCOM in this version of Windows, this policy setting can be used for controlling the DCOM activation and launch to the computer. The administrator can specify which users and groups can launch and activate DCOM applications on the computer both locally and remotely by using the DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting. This restores control of the DCOM application to the administrator and specified users. To do this, open the DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax setting, and click Edit Security. Specify the groups you want to include and the computer launch permissions for those groups. This defines the setting and sets the appropriate SDDL value.


2049使用者帳戶控制: 在管理員核准模式,系統管理員之提升權限提示的行為

此原則設定會控制系統管理員之提升權限提示的行為

選項如下:

• 提升權限而不提示: 允許具有特殊權限的帳戶執行需要提升權限的操作,而不需同意或是認證。注意: 請只在最嚴謹的環境中使用此選項。

• 在安全桌面提示輸入認證: 當操作需要提升權限時,會在安全桌面提示使用者輸入具有特殊權限的使用者名稱與密碼。如果使用者輸入有效的認證,操作會以使用者的最高可用權限繼續。

• 在安全桌面提示要求同意: 當操作需要提升權限時,會在安全桌面提示使用者選取 [允許] 或是 [拒絕]。如果使用者選取 [允許],操作會以使用者的最高可用權限繼續。

• 認證提示: 當操作需要提升權限時,會提示使用者輸入系統管理使用者名稱與密碼。如果使用者輸入有效的認證,操作會以適用的權限繼續。

• 同意提示: 當操作需要提升權限時,會提示使用者選取 [允許] 或是 [拒絕]。如果使用者選取 [允許],操作會以使用者的最高可用權限繼續。

• 非 Windows 二進位檔案的同意提示: (預設值) 當非 Microsoft 應用程式的操作需要提升權限時,會在安全桌面提示使用者選取 [允許] 或是 [拒絕]。如果使用者選取 [允許],操作會以使用者的最高可用權限繼續。

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

This policy setting controls the behavior of the elevation prompt for administrators.

The options are:

• Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constrained environments.

• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.

• Prompt for consent on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.

• Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.

• Prompt for consent: When an operation requires elevation of privilege, the user is prompted to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.

• Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.

2050使用者帳戶控制: 標準使用者之提高權限提示的行為
此原則設定會控制標準使用者之提高權限提示的行為

選項如下:

• 提示輸入認證: (預設值) 當操作需要提升權限時,會提示使用者輸入系統管理使用者名稱與密碼。若使用者輸入有效的認證,該操作會以適用的權限繼續執行。

• 自動拒絕提升權限要求: 當操作需要提升權限時,會顯示可設定的拒絕存取錯誤訊息。以標準使用者身分執行桌上型電腦的企業可能會選擇此設定,以降低需要尋求支援部門協助的機會。

• 在安全桌面提示輸入認證: 當操作需要提升權限時,會在安全桌面提示使用者輸入不同的使用者名稱與密碼。如果使用者輸入有效的認證,操作會以適用的權限繼續執行。

User Account Control: Behavior of the elevation prompt for standard users
This policy setting controls the behavior of the elevation prompt for standard users.

The options are:

• Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.

• Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.

• Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.

2051使用者帳戶控制: 偵測應用程式安裝,並提示提升權限

此原則設定會控制電腦的應用程式安裝偵測行為。

選項如下:

• 已啟用: (預設值),當偵測到應用程式安裝封裝需要提升權限時,會提示使用者輸入系統管理使用者名稱與密碼。如果使用者輸入有效的認證,操作會以適用的權限繼續。

• 已停用: 未偵測到應用程式安裝封裝,也未提示提升權限。執行標準使用者桌面並利用委派安裝技術 (例如,群組原則軟體安裝或 Systems Management Server (SMS)) 的企業,應該停用此原則設定。在此情況下,不需要進行安裝程式偵測。

User Account Control: Detect application installations and prompt for elevation

This policy setting controls the behavior of application installation detection for the computer.

The options are:

• Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.

• Disabled: Application installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary.

2052使用者帳戶控制: 僅針對已簽署與驗證過的可執行檔,提升其權限

此原則設定會強制公開金鑰基礎結構 (PKI) 簽章檢查任何要求提升權限的互動式應用程式。企業的系統管理員可透過將憑證新增至本機電腦的受信任的發行者憑證存放區,來控制允許執行哪些應用程式。

選項如下:

• 已啟用: 允許指定的可執行檔執行之前,強制執行 PKI 憑證路徑驗證。

• 已停用: (預設值) 允許指定的可執行檔執行之前,不強制執行 PKI 憑證路徑驗證。

User Account Control: Only elevate executable files that are signed and validated

This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers.

The options are:

• Enabled: Enforces the PKI certification path validation for a given executable file before it is permitted to run.

• Disabled: (Default) Does not enforce PKI certification path validation before a given executable file is permitted to run.

2053使用者帳戶控制: 僅針對在安全位置安裝的 UIAccess 應用程式,提升其權限

此原則設定會控制要求以使用者介面協助工具 (UIAccess) 完整性層級執行的應用程式必須位於檔案系統中的安全位置。安全位置僅限於下列目錄:

- …\Program Files\,包含子目錄
- …\Windows\system32\
- …\Program Files (x86)\,包含 64 位元 Windows 版本的子目錄

注意: 不論此安全性設定的狀態為何,Windows 都會針對任何要求以 UIAccess 整合層級執行的互動式應用程式,強制執行公開金鑰基礎結構 (PKI) 簽章檢查。

選項如下:

• 已啟用: (預設值) 如果應用程式位於檔案系統的安全位置,只會以 UIAccess 整合執行。

• 已停用: 即使應用程式不是位於檔案系統的安全位置,也會以 UIAccess 整合執行。

User Account Control: Only elevate UIAccess applications that are installed in secure locations

This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:

- …\Program Files\, including subfolders
- …\Windows\system32\
- …\Program Files (x86)\, including subfolders for 64-bit versions of Windows

Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.

The options are:

• Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.

• Disabled: An application runs with UIAccess integrity even if it does not reside in a secure location in the file system.

2054使用者帳戶控制: 開啟管理員核准模式

此原則設定會控制電腦的所有使用者帳戶控制 (UAC) 原則設定行為。如果變更此原則設定,必須重新啟動電腦。

選項如下:

• 已啟用: (預設值) 啟用管理員核准模式。必須啟用此原則,而且必須以適當的方式設定相關的 UAC 原則設定,才能允許內建的 Administrator 帳戶以及所有其他屬於 Administrators 群組成員的使用者在管理員核准模式中執行。

• 已停用: 會停用管理員核准模式及所有相關的 UAC 原則設定。注意: 如果停用此原則設定,資訊安全中心會通知您作業系統的整體安全性已降低。

User Account Control: Turn on Admin Approval Mode

This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer.

The options are:

• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.

• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.

2055使用者帳戶控制: 提示提升權限時切換到安全桌面

此原則設定會控制提升權限要求提示是顯示在互動式使用者桌面或是安全桌面。

選項如下:

• 已啟用: (預設值) 不論系統管理員與標準使用者的提示行為原則設定為何,所有提升權限要求都會顯示在安全桌面上

• 已停用: 所有提升權限要求都會顯示在互動式使用者桌面。會使用系統管理員與標準使用者的提示行為原則設定。

User Account Control: Switch to the secure desktop when prompting for elevation

This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop.

The options are:

• Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.

• Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used.

2056使用者帳戶控制: 將檔案及登錄寫入失敗虛擬化並儲存至每一使用者位置

此原則設定會控制是否將應用程式寫入失敗重新導向到已定義的登錄和檔案系統位置。此原則設定可減少那些以系統管理員身分執行,並將執行階段應用程式資料寫入至 %ProgramFiles%、%Windir%、%Windir%\system32 或 HKLM\Software 的應用程式。

選項如下:

• 已啟用: (預設值) 在執行階段將應用程式寫入失敗重新導向到檔案系統與登錄中已定義的使用者位置。

• 已停用: 將資料寫入至受保護位置的應用程式失敗。

User Account Control: Virtualize file and registry write failures to per-user locations

This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.

The options are:

• Enabled: (Default) Application write failures are redirected at run time to defined user locations for both the file system and registry.

• Disabled: Applications that write data to protected locations fail.

2057建立符號連結

此特殊權限會決定使用者是否可以從登入的電腦建立符號連結。

預設值: Administrator

警告: 此特殊權限僅能授與信任的使用者。在並非設計來處理符號連結的應用程式中,符號連結會導致安全性風險。

注意:
此設定可搭配 symlink filesystem 設定使用,透過使用命令列公用程式來控制電腦上允許的 symlinks 類型,可操縱上述設定。如需有關 fsutil 和符號連結的詳細資訊,請在命令列輸入 'fsutil behavior set symlinkevaluation /?'。
Create Symbolic Links

This privilege determines if the user can create a symbolic link from the computer he is logged on to.

Default: Administrator

WARNING: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them.

Note
This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links.
2058修改物件標籤

此特殊權限可決定哪些使用者帳戶可修改物件 (例如,檔案、登錄機碼或由其他使用者擁有的處理程序) 的完整性標籤。在使用者帳戶下執行的處理程序不需要此特殊權限,即可修改該使用者擁有之物件的標籤。

預設值: 無
Modify an object label

This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege.

Default: None
2059使用者帳戶控制: 允許 UIAccess 應用程式不使用安全桌面來提示提升權限。

此原則設定控制使用者介面協助工具 (UIAccess 或 UIA) 程式在標準使用者使用提升權限提示時,是否自動停用安全桌面。

• 已啟用: UIA 程式,包括 Windows 遠端協助在內的 UIA 程式,可自動停用提升權限提示的安全桌面。如果您未停用 [使用者帳戶控制: 提示提升權限時切換到安全桌面] 原則設定,提示會出現在互動式使用者的桌面上,而非安全桌面。

• 已停用: (預設值) 只有互動式桌面的使用者才能停用安全桌面,或是停用 [使用者帳戶控制: 提示提升權限時切換到安全桌面] 原則設定才能停用安全桌面。

User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.

This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user.

• Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you do not disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.

• Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.

2060在備份/還原時,認證管理員會使用此設定。帳戶不應該擁有此權限,因為它只會被指派給 Winlogon。如果此權限指定給其他實體,則使用者儲存的認證可能會被洩露。 This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users saved credentials might be compromised if this privilege is given to other entities.
2061變更時區

此使用者權限決定哪些使用者與群組可以變更電腦顯示本地時間時使用的時區,也就是指電腦的系統時間加時差。系統時間本身是絕對的,而且不受時區變更的影響。

此使用者權限是定義在工作站與伺服器的預設網域控制站群組原則物件 (GPO) 以及本機安全性原則中。

預設值: Administrators、Users
Change the Time Zone

This user right determines which users and groups can change the time zone used by the computer for displaying the local time, which is the computer's system time plus the time zone offset. System time itself is absolute and is not affected by a change in the time zone.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of the workstations and servers.

Default: Administrators, Users
2062增加處理程序工作組

此權限決定哪些使用者帳戶可以增加或減少處理程序的工作組大小。

預設值: Users

處理程序的工作組是實體 RAM 記憶體中的處理程序目前可見的記憶體頁面組。這些頁面是常駐的,且可讓應用程式使用而不會觸發分頁錯誤。工作組的大小下限與上限可以影響處理程序的虛擬記憶體分頁行為。

警告: 增加處理程序的工作組大小會減少系統其他部分可用的實體記憶體總數。
Increase a process working set

This privilege determines which user accounts can increase or decrease the size of a process’s working set.

Default: Users

The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process.

Warning: Increasing the working set size for a process decreases the amount of physical memory available to the rest of the system.
2063網路安全性: 限制 NTLM: 送往遠端伺服器的連出 NTLM 流量

此原則設定允許您拒絕或稽核從此 Windows 7 或此 Windows Server 2008 R2 電腦到任何 Windows 遠端伺服器的連出 NTLM 流量。

如果您選取 [全部允許] 或是未設定此原則設定,用戶端電腦可以使用 NTLM 驗證對遠端伺服器驗證身分識別。

如果您選取 [全部稽核],用戶端電腦會記錄每個 NTLM 驗證要求到遠端伺服器的事件,這可讓您識別從用戶端電腦收到 NTLM 驗證要求的伺服器。

如果您選取 [全部拒絕],用戶端電腦無法使用 NTLM 驗證來驗證對遠端伺服器的身分識別。您可以使用 [網路安全性: 限制 NTLM: 新增 NTLM 驗證的遠端伺服器例外] 原則設定來定義允許用戶端使用 NTLM 驗證的遠端伺服器清單。

必須至少是 Windows 7 或 Windows Server 2008 R2 才支援此原則。

注意: 稽核與封鎖事件會記錄在此電腦上的 "Operational" 記錄中,此記錄位於 Applications and Services Log/Microsoft/Windows/NTLM。

Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers

This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server.

If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote server by using NTLM authentication.

If you select "Audit all," the client computer logs an event for each NTLM authentication request to a remote server. This allows you to identify those servers receiving NTLM authentication requests from the client computer.

If you select "Deny all," the client computer cannot authenticate identities to a remote server by using NTLM authentication. You can use the "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" policy setting to define a list of remote servers to which clients are allowed to use NTLM authentication.

This policy is supported on at least Windows 7 or Windows Server 2008 R2.

Note: Audit and block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.

2064網路安全性: 限制 NTLM: 連入 NTLM 流量

此原則設定允許您拒絕或允許連入 NTLM 流量。

如果您選取 [全部允許],或是不設定此原則設定,伺服器將允許所有的 NTLM 驗證要求。

如果選取 [拒絕所有網域帳戶],則伺服器會拒絕網域登入的 NTLM 驗證要求,並顯示 NTLM 封鎖的錯誤,但是允許本機帳戶登入。

如果選取 [拒絕所有帳戶],伺服器將會拒絕連入流量的 NTLM 驗證要求,並顯示 NTLM 封鎖的錯誤。

必須至少是 Windows 7 或 Windows Server 2008 R2 才支援此原則。

注意: 封鎖事件會記錄在此電腦上的 "Operational" 記錄中,此記錄位於 Applications and Services Log/Microsoft/Windows/NTLM。

Network security: Restrict NTLM: Incoming NTLM traffic

This policy setting allows you to deny or allow incoming NTLM traffic.

If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests.

If you select "Deny all domain accounts," the server will deny NTLM authentication requests for domain logon and display an NTLM blocked error, but allow local account logon.

If you select "Deny all accounts," the server will deny NTLM authentication requests from incoming traffic and display an NTLM blocked error.

This policy is supported on at least Windows 7 or Windows Server 2008 R2.

Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.

2065網路安全性: 限制 NTLM: 這個網域的 NTLM 驗證

這個原則設定允許您拒絕或允許這個網域控制站所屬網域中的 NTLM 驗證。這個原則不會影響到這個網域控制站的互動式登入。

如果選取 [已停用] 或不設定此原則設定,網域控制站將允許網域中所有的 NTLM 傳遞驗證要求。

如果選取 [拒絕網域伺服器的網域帳戶],則網域控制站會拒絕對網域中所有伺服器之使用網域帳戶的所有 NTLM 驗證登入嘗試,並傳回 NTLM 被封鎖的錯誤,除非伺服器名稱位於「網路安全性: 限制 NTLM: 新增這個網域的伺服器例外」原則設定的例外清單中。

如果選取 [拒絕網域帳戶],則網域控制站會拒絕來自網域帳戶的所有 NTLM 驗證登入嘗試,並傳回 NTLM 被封鎖的錯誤,除非伺服器名稱位於「網路安全性: 限制 NTLM: 新增這個網域中 NTLM 驗證的伺服器例外」原則設定的例外清單中。

如果選取 [拒絕網域伺服器],則網域控制站會拒絕網域中所有伺服器的 NTLM 驗證要求,並傳回 NTLM 被封鎖的錯誤,除非伺服器名稱位於「網路安全性: 限制 NTLM: 新增這個網域中 NTLM 驗證的伺服器例外」原則設定的例外清單中。

如果選取 [全部拒絕],則網域控制站將拒絕來自其伺服器的所有 NTLM 傳遞驗證要求,並傳回 NTLM 被封鎖的錯誤,除非伺服器名稱位於「網路安全性: 限制 NTLM: 新增這個網域中 NTLM 驗證的伺服器例外」原則設定的例外清單中。

必須至少是 Windows Server 2008 R2 才支援此原則。

注意: 封鎖事件是記錄在此電腦上的 "Operational" 記錄中,此記錄是位於 Applications and Services Log/Microsoft/Windows/NTLM。

Network security: Restrict NTLM: NTLM authentication in this domain

This policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy does not affect interactive logon to this domain controller.

If you select "Disabled" or do not configure this policy setting, the domain controller will allow all NTLM pass-through authentication requests within the domain.

If you select "Deny for domain accounts to domain servers" the domain controller will deny all NTLM authentication logon attempts to all servers in the domain that are using domain accounts and return an NTLM blocked error unless the server name is on the exception list in the "Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain" policy setting.

If you select "Deny for domain account" the domain controller will deny all NTLM authentication logon attempts from domain accounts and return an NTLM blocked error unless the server name is on the exception list in the "Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain" policy setting.

If you select "Deny for domain servers" the domain controller will deny NTLM authentication requests to all servers in the domain and return an NTLM blocked error unless the server name is on the exception list in the "Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain" policy setting.

If you select "Deny all," the domain controller will deny all NTLM pass-through authentication requests from its servers and for its accounts and return an NTLM blocked error unless the server name is on the exception list in the "Network security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain" policy setting.

This policy is supported on at least Windows Server 2008 R2.

Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.

2066網路安全性: 限制 NTLM: 新增 NTLM 驗證的遠端伺服器例外

如果設定了「網路安全性: 限制 NTLM: 送往遠端伺服器的連出 NTLM 流量」原則設定,則這個原則設定可讓您建立允許用戶端使用 NTLM 驗證的遠端伺服器例外清單。

如果設定這個原則設定,則您可以定義允許用戶端使用 NTLM 驗證的遠端伺服器清單。

如果未設定這個原則設定,則不會套用任何例外。

這個例外清單的伺服器命名格式為完整網域名稱 (FQDN) 或應用程式使用的 NetBIOS 伺服器名稱,一行只能列出一個名稱。若要確保所有應用程式使用的例外名稱位於清單中,並確保例外正確,伺服器名稱應該同時以兩個名稱格式列出。在字串的任何位置中都可以使用單個星號 (*) 以做為萬用字元。

Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication

This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured.

If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication.

If you do not configure this policy setting, no exceptions will be applied.

The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats . A single asterisk (*) can be used anywhere in the string as a wildcard character.

2067網路安全性: 限制 NTLM: 新增這個網域的伺服器例外

如果設定了「網路安全性: 限制 NTLM: 拒絕這個網域的 NTLM 驗證」,則這個原則設定會允許您建立這個網域的伺服器例外清單,以允許用戶端可針對清單中的伺服器使用 NTLM 傳遞驗證。

如果設定這個原則設定,則您可以定義這個網域中允許用戶端可使用 NTLM 驗證的伺服器清單。

如果未設定這個原則設定,則不會套用任何例外。

此例外清單的伺服器命名格式為完整網域名稱 (FQDN) 或呼叫的應用程式使用的 NetBIOS 伺服器名稱,一行只能列出一個名稱。字串的開頭或結尾可使用單個星號 (*) 以做為萬用字元。

Network security: Restrict NTLM: Add server exceptions in this domain

This policy setting allows you to create an exception list of servers in this domain to which clients are allowed to use NTLM pass-through authentication if the "Network Security: Restrict NTLM: Deny NTLM authentication in this domain" is set.

If you configure this policy setting, you can define a list of servers in this domain to which clients are allowed to use NTLM authentication.

If you do not configure this policy setting, no exceptions will be applied.

The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the calling application listed one per line. A single asterisk (*) can be used at the beginning or end of the string as a wildcard character.

2068網路安全性: 允許 LocalSystem NULL 工作階段回復

使用 LocalSystem 時,允許 NTLM 回復 NULL 工作階段。

Windows Vista (含) 以前版本的預設值是 TRUE,Windows 7 為 FALSE。

Network security: Allow LocalSystem NULL session fallback

Allow NTLM to fall back to NULL session when used with LocalSystem.

The default is TRUE up to Windows Vista and FALSE in Windows 7.

2069網路安全性: 設定 Kerberos 允許的加密類型

這個原則允許您設定允許 Kerberos 使用的加密類型。

如果未選取,則不允許加密類型。這個設定可能會影響與用戶端電腦或者服務和應用程式的相容性。允許多個選取項目。

必須至少是 Windows 7 或 Windows Server 2008 R2 才支援此原則。

Network security: Configure encryption types allowed for Kerberos

This policy setting allows you to set the encryption types that Kerberos is allowed to use.

If not selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. Multiple selections are permitted.

This policy is supported on at least Windows 7 or Windows Server 2008 R2.

2071網路安全性: 允許對此電腦的 PKU2U 驗證要求使用線上身分識別。

在已加入網域的電腦上預設會關閉此原則。這樣便不會允許使用線上身分識別來向已加入網域的電腦驗證。

Network security: Allow PKU2U authentication requests to this computer to use online identities.

This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine.

2072網路安全性: 限制 NTLM: 稽核連入 NTLM 流量

這個原則設定允許您稽核連入 NTLM 流量。

如果選取 [停用],或是未設定此原則設定,伺服器將不會記錄連入 NTLM 流量的事件。

如果選取 [啟用網域帳戶的稽核],則當「網路安全性: 限制 NTLM: 連入 NTLM 流量」原則設定是設定為 [拒絕所有網域帳戶] 選項時,伺服器會針對被封鎖的 NTLM 傳遞驗證要求記錄事件。

如果選取 [啟用所有帳戶的稽核],則當「網路安全性: 限制 NTLM: 連入 NTLM 流量」原則設定是設定為 [拒絕所有帳戶] 選項時,伺服器會針對被封鎖的所有 NTLM 驗證要求記錄事件。

必須至少是 Windows 7 或 Windows Server 2008 R2 才支援此原則。

注意: 稽核事件會記錄在此電腦上的 "Operational" 記錄中,此記錄位於 Applications and Services Log/Microsoft/Windows/NTLM。

Network security: Restrict NTLM: Audit Incoming NTLM Traffic

This policy setting allows you to audit incoming NTLM traffic.

If you select "Disable", or do not configure this policy setting, the server will not log events for incoming NTLM traffic.

If you select "Enable auditing for domain accounts", the server will log events for NTLM pass-through authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all domain accounts" option.

If you select "Enable auditing for all accounts", the server will log events for all NTLM authentication requests that would be blocked when the "Network Security: Restrict NTLM: Incoming NTLM traffic" policy setting is set to the "Deny all accounts" option.

This policy is supported on at least Windows 7 or Windows Server 2008 R2.

Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.

2073網路安全性: 限制 NTLM: 稽核這個網域的 NTLM 驗證

這個原則設定允許您在這個網域控制站中的網域稽核 NTLM 驗證。

如果選取 [停用] 或未設定這個原則設定,則網域控制站將不會記錄這個網域中 NTLM 驗證的事件。

如果選取 [啟用網域伺服器的網域帳戶],則當 NTLM 驗證被拒是因為「網路安全性: 限制 NTLM: 在這個網域中的 NTLM 驗證」原則設定中選取 [拒絕網域伺服器的網域帳戶] 時,網域控制站將會針對網域伺服器之網域帳戶的 NTLM 驗證登入嘗試記錄事件。

如果選取 [啟用網域帳戶],則當 NTLM 驗證被拒是因為「網路安全性: 限制 NTLM: 這個網域的 NTLM 驗證」原則設定中選取 [拒絕網域帳戶] 時,網域控制站會針對使用網域帳戶的 NTLM 驗證登入嘗試來記錄事件。

如果選取 [啟用網域伺服器],則當 NTLM 驗證被拒是因為「網路安全性: 限制 NTLM: 這個網域的 NTLM 驗證」原則設定中選取 [拒絕網域伺服器] 時,網域控制站會針對網域中對所有伺服器的 NTLM 驗證要求來記錄事件。

如果選取 [全部啟用],網域控制站將會針對來自其伺服器的 NTLM 傳遞驗證要求記錄事件,以及針對其帳戶被拒是因為「網路安全性: 限制 NTLM: 這個網域的 NTLM 驗證」原則設定中選取 [全部拒絕] 來記錄事件。

必須至少是 Windows Server 2008 R2 才支援此原則。

注意: 稽核事件會記錄在此電腦上的 "Operational" 記錄中,此記錄位於 Applications and Services Log/Microsoft/Windows/NTLM。

Network security: Restrict NTLM: Audit NTLM authentication in this domain

This policy setting allows you to audit NTLM authentication in a domain from this domain controller.

If you select "Disable" or do not configure this policy setting, the domain controller will not log events for NTLM authentication in this domain.

If you select "Enable for domain accounts to domain servers," the domain controller will log events for NTLM authentication logon attempts for domain accounts to domain servers when NTLM authentication would be denied because "Deny for domain accounts to domain servers" is selected in the "Network security: Restrict NTLM: NTLM authentication in this domain" policy setting.

If you select "Enable for domain accounts," the domain controller will log events for NTLM authentication logon attempts that use domain accounts when NTLM authentication would be denied because "Deny for domain accounts" is selected in the "Network security: Restrict NTLM: NTLM authentication in this domain" policy setting.

If you select "Enable for domain servers" the domain controller will log events for NTLM authentication requests to all servers in the domain when NTLM authentication would be denied because "Deny for domain servers" is selected in the "Network security: Restrict NTLM: NTLM authentication in this domain" policy setting.

If you select "Enable all" the domain controller will log events for NTLM pass-through authentication requests from its servers and for its accounts which would be denied because "Deny all" is selected in the "Network security: Restrict NTLM: NTLM authentication in this domain" policy setting.

This policy is supported on at least Windows Server 2008 R2.

Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.

2074網路安全性: 允許 Local System 對 NTLM 使用電腦身分識別

這個原則設定允許使用交涉的 Local System 服務在還原使用 NTLM 驗證時,使用電腦身分識別。

如果啟用這個原則設定,以 Local System 執行且使用交涉的服務會使用電腦身分識別。這可能會造成 Windows 作業系統之間的某些驗證要求失敗並記錄錯誤。

若停用此原則設定,以 Local System 執行且使用交涉的服務在還原使用 NTLM 驗證時將會匿名驗證。

根據預設值,Windows 7 與更新版本的作業系統上會啟用此原則。

根據預設值,Windows Vista 上會停用此原則。

Windows Vista 或 Windows Server 2008 或更新的作業系統才支援此原則。

注意: Windows Vista 或 Windows Server 2008 未在群組原則中公開此設定。

Network security: Allow Local System to use computer identity for NTLM

This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication.

If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.

If you disable this policy setting, services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.

By default, this policy is enabled on Windows 7 and above.

By default, this policy is disabled on Windows Vista.

This policy is supported on at least Windows Vista or Windows Server 2008.

Note: Windows Vista or Windows Server 2008 do not expose this setting in Group Policy.

2075Microsoft 網路伺服器: 伺服器 SPN 目標名稱驗證層級

此原則設定控制具有共用資料夾的電腦或印表機 (伺服器) 在服務主體名稱 (SPN) 上執行的驗證層級,SPN 是用戶端電腦在使用伺服器訊息區 (SMB) 通訊協定來建立工作階段時所提供。

伺服器訊息區 (SMB) 通訊協定是檔案及列印共用和其他網路作業 (例如遠端 Windows 系統管理) 的基礎。SMB 通訊協定支援驗證 SMB 用戶端提供的驗證 blob 中的 SMB 伺服器服務主體名稱 (SPN),以防止針對 SMB 伺服器的類別攻擊 (稱為 SMB 轉送攻擊)。此設定將同時影響 SMB1 與 SMB2。

此安全性設定可決定 SMB 伺服器在服務主體名稱 (SPN) 上執行的驗證層級,SPN 是 SMB 用戶端嘗試建立與 SMB 伺服器的工作階段時所提供。

選項如下:

關閉 – SMB 伺服器不需要或不會驗證 SMB 用戶端的 SPN。

如果是用戶端所提供則接受 – SMB 伺服器將會接受和驗證 SMB 用戶端提供的 SPN,並允許當該 SPN 符合 SMB 伺服器本身的 SPN 清單時,建立工作階段。如果 SPN 不相符,將會拒絕該 SMB 用戶端的工作階段要求。

用戶端的要求 - SMB 用戶端「必須」在工作階段設定中傳送 SPN 名稱,而且提供的 SPN 名稱「必須」符合被要求建立連線的 SMB 伺服器。如果用戶端未提供任何 SPN,或是提供的 SPN 不相符,則會拒絕該工作階段。

預設值: 關閉

所有的 Windows 作業系統都支援用戶端 SMB 元件與伺服器端 SMB 元件。這個設定會影響伺服器 SMB 行為,而且應該小心評估和測試其執行,以防止檔案與列印服務功能的中斷。如需執行和使用此設定來保護 SMB 伺服器安全的其他資訊,請參閱 Microsoft 網站 (https://go.microsoft.com/fwlink/?LinkId=144505)。
Microsoft network server: Server SPN target name validation level

This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol.

The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2.

This security setting determines the level of validation a SMB server performs on the service principal name (SPN) provided by the SMB client when trying to establish a session to an SMB server.

The options are:

Off – the SPN is not required or validated by the SMB server from a SMB client.

Accept if provided by client – the SMB server will accept and validate the SPN provided by the SMB client and allow a session to be established if it matches the SMB server’s list of SPN’s for itself. If the SPN does NOT match, the session request for that SMB client will be denied.

Required from client - the SMB client MUST send a SPN name in session setup, and the SPN name provided MUST match the SMB server that is being requested to establish a connection. If no SPN is provided by client, or the SPN provided does not match, the session is denied.

Default: Off

All Windows operating systems support both a client-side SMB component and a server-side SMB component. This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities. Additional information on implementing and using this to secure your SMB servers can be found at the Microsoft website (https://go.microsoft.com/fwlink/?LinkId=144505).
2076Microsoft 網路伺服器: 嘗試 S4U2Self 以取得宣告資訊

此安全性設定是為了支援執行 Windows 8 之前的 Windows 版本且嘗試存取需要使用者宣告之檔案共用的用戶端。此設定會決定本機檔案伺服器是否將嘗試使用 Kerberos Service-For-User-To-Self (S4U2Self) 功能,以從用戶端的帳戶網域取得網路用戶端主體的宣告。只有在檔案伺服器利用使用者宣告來控制檔案存取,以及檔案伺服器將支援之用戶端主體的帳戶所在網域中含有執行 Windows 8 以前之 Windows 版本的用戶端電腦及網域控制站時,才應將此設定設為啟用。

此設定應設為自動 (預設值),檔案伺服器才會自動評估使用者是否需要宣告。只有在本機檔案存取原則包含使用者宣告時,系統管理員才需將此設定明確設為「啟用」。

啟用此安全性設定時,Windows 檔案伺服器會檢查驗證的網路用戶端主體的存取權杖,並判斷宣告資訊是否存在。如果宣告不存在,檔案伺服器將會使用 Kerberos S4U2Self 功能以嘗試連絡用戶端帳戶網域中的 Windows Server 2012 網域控制站,並為用戶端主體取得支援宣告的存取權杖。可能需要支援宣告的權杖,才能存取已套用宣告型存取控制原則的檔案或資料夾。

如果停用此設定,Windows 檔案伺服器將不會嘗試為用戶端主體取得支援宣告的存取權杖。

預設值: 自動。
Microsoft network server: Attempt S4U2Self to obtain claim information

This security setting is to support clients running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-For-User-To-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain. This setting should only be set to enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts may be in a domain which has client computers and domain controllers running a version of Windows prior to Windows 8.

This setting should be set to automatic (default) so that the file server can automatically evaluate whether claims are needed for the user. An administrator would want to set this setting explicitly to “Enabled” only if there are local file access policies that include user claims.

When enabled this security setting will cause the Windows file server to examine the access token of an authenticated network client principal and determine if claim information is present. If claims are not present the file server will then use the Kerberos S4U2Self feature to attempt to contact a Windows Server 2012 domain controller in the client’s account domain, and obtain a claims-enabled access token for the client principal. A claims-enabled token may be needed to access files or folders which have claim-based access control policy applied.

If this setting is disabled, the Windows file server will not attempt to obtain a claim-enabled access token for the client principal.

Default: Automatic.
2077帳戶: 封鎖 Microsoft 帳戶

此原則設定可防止使用者在此電腦上新增 Microsoft 帳戶。

若選取 [使用者無法新增 Microsoft 帳戶] 選項,使用者將無法在此電腦上建立新的 Microsoft 帳戶、從本機帳戶切換為 Microsoft 帳戶,或將網域帳戶關聯到 Microsoft 帳戶。若您必須在您的企業中限制 Microsoft 帳戶的使用,此為偏好的選項。

若選取 [使用者無法新增 Microsoft 帳戶或以 Microsoft 帳戶登入] 選項,現有的 Microsoft 帳戶使用者將無法登入 Windows。選取此選項可能會使此電腦的現有系統管理員無法登入並管理系統。

若停用或不設定此原則 (建議做法),使用者將可以在 Windows 使用 Microsoft 帳戶。
Accounts: Block Microsoft accounts

This policy setting prevents users from adding new Microsoft accounts on this computer.

If you select the "Users can’t add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.

If you select the "Users can’t add or log on with Microsoft accounts" option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system.

If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
2078互動式登入: 電腦帳戶閾值。

只會在啟用 Bitlocker 以保護 OS 磁碟區的電腦上強制執行電腦鎖定原則。請確定已啟用適當的修復密碼備份原則。

此安全性設定決定了導致電腦鎖定的失敗登入嘗試次數。要修復鎖定的電腦,只能在主控台提供修復金鑰。您可以設定介於 1 到 999 之間的失敗登入嘗試值。如果將值設定為 0,電腦將永遠不會鎖定。1 到 3 的值將被解譯為 4。

在工作站或成員伺服器上,在按下 CTRL+ALT+DELETE 要登入或要解除鎖定受保護的螢幕保護裝置時若輸入錯誤的密碼,都算是失敗的登入嘗試。

只會在啟用 Bitlocker 以保護 OS 磁碟區的電腦上強制執行電腦鎖定原則。請確定已啟用適當的修復密碼備份原則。

預設值: 0。
Interactive logon: Machine account threshold.

The machine lockout policy is enforced only on those machines that have Bitlocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled.

This security setting determines the number of failed logon attempts that causes the machine to be locked out. A locked out machine can only be recovered by providing recovery key at console. You can set the value between 1 and 999 failed logon attempts. If you set the value to 0, the machine will never be locked out. Values from 1 to 3 will be interpreted as 4.

Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password protected screen savers counts as failed logon attempts.

The machine lockout policy is enforced only on those machines that have Bitlocker enabled for protecting OS volumes. Please ensure that the appropriate recovery password backup policies are enabled.

Default: 0.
2079互動式登入: 電腦未使用時間限制。

Windows 會監控登入工作階段的未使用時間,而且會在未使用時間超過未使用時間限制時執行螢幕保護裝置並鎖定該工作階段。

預設值: 不強制。
Interactive logon: Machine inactivity limit.

Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.

Default: not enforced.
2080為相同工作階段中的另一個使用者取得模擬權杖。

將此權限指派給使用者,即可允許代表該使用者執行的程式取得在相同工作階段中以互動方式登入之其他使用者的模擬權杖,惟呼叫者必須有該工作階段使用者的模擬權杖。不適用於電腦 Windows 用戶端/伺服器,因為其中的使用者會取得個別的工作階段。
Obtain an impersonation token for another user in the same session.

Assigning this privilege to a user allows programs running on behalf of that user to obtain an impersonation token of other users who interactively logged on within the same session provided the caller has an impersonation token of the session user. Not applicable within desktop windows client/server where every user gets a separate session.
2081網路存取: 限制允許對 SAM 發出遠端呼叫的用戶端3

此原則設定可讓您限制對 SAM 的遠端 RPC 連線。

若未選取,將會使用預設安全性描述元。

Windows Server 2016 以上的作業系統版本才支援此原則。

Network access: Restrict clients allowed to make remote calls to SAM

This policy setting allows you to restrict remote rpc connections to SAM.

If not selected, the default security descriptor will be used.

This policy is supported on at least Windows Server 2016.

2082互動式登入: 不要在登入期間顯示使用者名稱
此安全性設定可決定於 Windows 登入時、輸入驗證後,以及顯示電腦桌面前,是否顯示登入此電腦之人員的使用者名稱。
若啟用此原則,則不會顯示使用者名稱。

若停用此原則,則會顯示使用者名稱。

預設: 停用。


Interactive logon: Don't display username at sign-in
This security setting determines whether the username of the person signing in to this PC appears at Windows sign-in, after credentials are entered, and before the PC desktop is shown.
If this policy is enabled, the username will not be shown.

If this policy is disabled, the username will be shown.

Default: Disabled.


57343您即將變更此服務的安全性設定。變更服務的預設安全性,可能會因為此服務和相依於該服務的其他服務之間的設定不一致而造成問題。

要繼續嗎?
You are about to change the security settings for this service. Changing the default security for the service could cause problems due to inconsistent configuration between this service and other services that rely on it.

Do you want to continue?
57345您正準備要將新的範本資訊匯入這台電腦的本機電腦原則。這將會變更您電腦的安全性設定值。您要繼續嗎? You are about to import new template information into the local computer policy for this computer. Doing so will change your computer security settings. Do you want to continue?
57346正在設定電腦安全性 Configuring Computer Security
57350目前的安全性設定資料庫: 本機原則資料庫 %s Current Security Configuration Database: Local Policy Database %s
57351目前的安全性設定資料庫: 私人資料庫 %s Current Security Configuration Database: Private Database %s
57352正在產生分析資訊 Generating analysis information
57353匯入失敗 Import Failed
57354定義的子項目 Subitems defined
57355無法使用 Not Available
57356新增服務 New Service
57357正在設定: Configuring:
57358新增檔案(&F)...
將新檔案或資料夾加到這個範本
Add &File...
Adds a new file or folder to this template
57359新增這個檔案或資料夾到範本: Add this file or folder to the template:
57360新增檔案或資料夾 Add a file or folder
57361Microsoft Corporation Microsoft Corporation
5736210.0 10.0
57363安全性範本是一個 MMC 嵌入式管理單元,它能為安全性範本檔案提供編輯功能。 Security Templates is an MMC snap-in that provides editing capabilities for security template files.
57364安全性設定及分析是 MMC 嵌入式管理單元,它能使用安全性範本檔案,為 Windows 電腦提供安全性設定及分析功能。 Security Configuration and Analysis is an MMC snap-in that provides security configuration and analysis for Windows computers using security template files.
57365安全性設定值延伸嵌入式管理單元能擴充群組原則嵌入式管理單元,為您定義網域中電腦的安全性原則。 The Security Settings Extension snap-in extends the Group Policy snap-in and helps you define security policies for computers in your domain.
57366匯入原則(&I)...
將範本檔案匯入到這個原則物件。
&Import Policy...
Import a template file into this policy object.
57367匯出原則(&X)...
從這個原則匯出範本到檔案。
E&xport policy...
Export template from this policy to a file.
57368檔案 %s 已經存在。
您要覆寫它嗎?
File %s already exists.
Do you want to overwrite it?
57369成功 Success
57370失敗 Failure
57371沒有稽核 No auditing
57372Windows 無法更新原則。 Windows cannot update the policies.
57373Windows 無法複製區段 Windows cannot copy the section
57374選取要新增的檔案 Select File to Add
57375開啟資料庫 Open database
57376建立資料庫 Create Database
57377匯出原則到 Export Policy To
57378匯入原則自 Import Policy From
57380匯入範本 Import Template
57381匯出範本到 Export Template To
57384Windows 無法開啟本機原則資料庫。 Windows cannot open the local policy database.
57385本機原則資料庫 Local Policy Database
57386無法從安全性設定及分析嵌入式管理單元編輯本機安全性設定資料庫。請使用群組原則嵌入式管理單元來編輯本機安全性設定值。 The local security settings database cannot be edited from the Security Configuration and Analysis snap-in. Use the Group Policy snap-in to edit the local security settings.
57387\help\75393cf0-f17a-453d-98a9-592b009289c2.chm \help\75393cf0-f17a-453d-98a9-592b009289c2.chm
57388\help\1da6be45-e97d-4584-bbf9-356d319f20c2.chm \help\1da6be45-e97d-4584-bbf9-356d319f20c2.chm
57389\help\941b4573-563f-45fd-8a2f-0b8a197a5d2c.chm \help\941b4573-563f-45fd-8a2f-0b8a197a5d2c.chm
57390\help\sceconcepts.chm::/75393cf0-f17a-453d-98a9-592b009289c2.htm \help\sceconcepts.chm::/75393cf0-f17a-453d-98a9-592b009289c2.htm
57391\help\scmconcepts.chm::/1da6be45-e97d-4584-bbf9-356d319f20c2.htm \help\scmconcepts.chm::/1da6be45-e97d-4584-bbf9-356d319f20c2.htm
57392\help\secsetconcepts.chm::/941b4573-563f-45fd-8a2f-0b8a197a5d2c.htm \help\secsetconcepts.chm::/941b4573-563f-45fd-8a2f-0b8a197a5d2c.htm
57394您電腦上有新的原則設定值。您要更新有效原則的檢視嗎? There are new policy settings on your computer. Do you want to update your view of the effective policy?
57395%s 上的電腦設定 Computer setting on %s
57396無法建立這個資料庫,因為沒有選取任何範本檔案。
開啟現存的資料庫在 [安全性設定及分析] 領域項目上按一下滑鼠右鍵。選擇 [開啟資料庫] 選擇資料庫,並按下 [開啟] 建立新的資料庫 在 [安全性設定及分析] 領域項目上按一下滑鼠右鍵。 選擇 [開啟資料庫]。 輸入新的資料庫名稱,並按下 [開啟]。選擇要匯入的安全性設定檔,並按下 [開啟]。
This database couldn't be created because no template file was selected.
To Open an Existing DatabaseRight click on the Security Configuration and Analysis scope item. Choose Open Database Choose a database and press OPEN To Create a New Database Right click on the Security Configuration and Analysis scope item. Choose Open Database. Type in a new database name and press OPEN. Choose a security configuration file to import and press OPEN.
57397以可繼承的權限取代所有子機碼的現有權限(&R) &Replace existing permissions on all subkeys with inheritable permissions
57398將可繼承的權限傳播到所有子機碼(&P) &Propagate inheritable permissions to all subkeys
57399不允許取代這個機碼的權限(&D) &Do not allow permissions on this key to be replaced
57400設定 %s 的成員資格 Configure Membership for %s
57401票證有效期限: Ticket expires in:
57402票證不會到期。 Ticket doesn't expire.
57403票證更新有效期限: Ticket renewal expires in:
57404已經停用票證更新。 Ticket renewal is disabled.
57405容錯最大值: Maximum tolerance:
57407不適用 Not Applicable
57410使用者和群組名稱 User and group names
57411新增使用者或群組 Add User or Group
57412不中斷用戶端連線: Do not disconnect clients:
57413閒置時間超過以下限制時,將中斷連線: Disconnect when idle time exceeds:
57414不要快取登入: Do not cache logons:
57415快取: Cache:
57416密碼到期前這麼多天,開始這項提示: Begin prompting this many days before password expires:
57418設定這個機碼然後(&C) &Configure this key then
57419無法儲存萬用位置描述 Could not save global location description
57420無法儲存位置描述 Could not save location description
57421重新載入
重新載入安全性原則
Reload
Reload the security policy
57422您要在重新載入前,先將變更儲存到 %1 嗎? Save changes to %1 before reloading it?
57423本機安全性設定 Local Security Settings
57425WSecEdit 本機安全性設定類別 WSecEdit Local Security Settings Class
57428[本機安全性設定] 嵌入式管理單元會協助您定義本機系統的安全性。 The Local Security Settings snap-in helps you define security on the local system.
57430WSecEdit RSOP 安全性設定類別 WSecEdit RSOP Security Settings Class
57431[RSOP 安全性設定延伸] 嵌入式管理單元會擴充 RSOP 嵌入式管理單元,並協助您檢視在您網域上的電腦安全性原則。 The RSOP Security Settings Extension snap-in extends the RSOP snap-in and helps you view resultant security policies for computers in your domain.
57435套用(&A) &Apply
57436無法判定套用到這台機器的群組原則安全性設定。
嘗試從本機安全性原則資料庫(%%windir%%\security\database\secedit.sdb) 抓取這些設定時傳回錯誤:%s
將會顯示所有的本機安全性設定,但不會指出定安全性設定是否已定義在群組原則中
任何透過這個使用者介面修改的本機安全性設定可能會被網域等級的原則所覆寫。
The Group Policy security settings that apply to this machine could not be determined.
The error returned when trying to retrieve these settings from the local security policy database (%%windir%%\security\database\secedit.sdb) was: %s
All local security settings will be displayed, but no indication will be given as to whether or not a given security setting is defined by Group Policy.
Any local security setting modified through this User Interface may subsequently be overridden by domain-level policies.
57437無法判定套用到這台機器的群組原則安全性設定。
嘗試從本機安全性原則資料庫(%%windir%%\security\database\secedit.sdb) 抓取這些設定時收到錯誤:%s
將會顯示所有的本機安全性設定,但不會指出定安全性設定是否已定義在群組原則中
任何透過這個使用者介面修改的本機安全性設定可能會被網域等級的原則所覆寫。
The Group Policy security settings that apply to this machine could not be determined.
The error received when trying to retrieve these settings from the local policy database (%%windir%%\security\database\secedit.sdb) was: %s
All local security settings will be displayed, but no indication will be given as to whether or not a given security setting is defined by Group Policy.
57438記錄檔: Log file:
57439原則名稱 Policy Name
57440設定 Setting
57441原則 %1 已正確套用。 The policy %1 was correctly applied.
57442在設定這個物件的子系時發生錯誤。(或是原則引擎嘗試設定指定原則設定的子系時發生失敗。) 請參閱 %windir%\security\logs\winlogon.log 取得其他資訊 There was an error configuring a child of this object. (or The policy engine attempted and failed to configure the child of a specific policy setting.) For more information, see %windir%\security\logs\winlogon.log
57443原則 %1 導致下列錯誤 %2。請參看在目標電腦上的 %windir%\security\logs\winlogon.log 來取得其他資訊。 The policy %1 resulted in the following error %2. For more information, see %windir%\security\logs\winlogon.log on the target machine.
57444原則 %1 導致不正確的狀態,而且已被記錄。請參看在目標電腦上的 %%windir%%\security\logs\winlogon.log 來取得其他資訊。 The policy %1 resulted in an invalid status and was logged. See %%windir%%\security\logs\winlogon.log on the target machine for more information.
57445原則引擎並未嘗試設定。請參看在目標電腦上的 %windir%\security\logs\winlogon.log 來取得其他資訊。 The policy engine did not attempt to configure the setting. For more information, see %windir%\security\logs\winlogon.log on the target machine.
57446檢視安全性(&V)... &View Security...
57447無法將範本匯出到 %1。
傳回錯誤: %2
Couldn't export template to %1.
The error returned was: %2
57448您要將變更儲存到安全性資料庫嗎? Save changes to Security Database?
57449拒絕透過遠端桌面服務登入 Deny log on through Remote Desktop Services
57450允許透過遠端桌面服務登入 Allow log on through Remote Desktop Services
57451無法新增範本搜尋路徑 Couldn't add template search path
57453\Security\Logs \Security\Logs
57454這個群組原則的安全性部分只能在 PDC 模擬器中編輯。 The security portion of this group policy may only be edited on the PDC Emulator.
57455這個設定與執行 Windows 2000 Service Pack 1 以前版本的電腦不相容。電腦必須執行較新版本作業系統,才能套用含有這個設定的群組原則物件。 This setting is not compatible with computers running Windows 2000 Service Pack 1 or earlier. Apply Group Policy objects containing this setting only to computers running a later version of the operating system.
57456在刪除 %1 之前,請將內容頁全部關閉 Close all property pages before deleting %1
57457數值必須介於 %d 及 %d 之間 Value must be between %d and %d
57458網路存取: 允許匿名 SID/名稱轉譯 Network access: Allow anonymous SID/Name translation
57459系統管理員必須有本機登入權。 Administrators must be granted the logon local right.
57460您不能拒絕所有使用者或是系統管理員的本機登入權。 You cannot deny all users or administrator(s) from logging on locally.
57461有些帳戶無法轉譯。 Some accounts cannot be translated.
57462如果要套用您的變更或關閉這個內容表,請關閉所有次要的視窗程式。 To apply your changes or close this property sheet, close all secondary windows.
57463無法開啟視窗。Windows 無法建立內容表的 UI 執行緒。 The window cannot be opened. Windows cannot create a UI thread for the property sheet.
57464\help\lpeconcepts.chm::/29a1325e-50b4-4963-a36e-979caa9ea094.htm \help\lpeconcepts.chm::/29a1325e-50b4-4963-a36e-979caa9ea094.htm
57465這是什麼? What's this?
57466sct sct
57467\help\29a1325e-50b4-4963-a36e-979caa9ea094.chm \help\29a1325e-50b4-4963-a36e-979caa9ea094.chm
57468數值必須介於 %d 及 %d 之間或是 0 Value must be between %d and %d or 0
57469此設定只會影響 Windows Server 2003 之前的作業系統。 This setting affects only operating systems earlier than Windows Server 2003.
57470修改這個設定可能影響與用戶端、服務及應用程式間的相容性。
%1
Modifying this setting may affect compatibility with clients, services, and applications.
%1
57471如需其他資訊,請參閱%1。(Q%2!lu!) For more information, see %1. (Q%2!lu!)
57472您即將變更這個設定到一個可能影響與用戶端、服務及應用程式間相容性的數值。

%1

是否要繼續這個變更?
You are about to change this setting to a value that may affect compatibility with clients, services, and applications.

%1

Do you want to continue with the change?
57473將驗證特殊權限授予 Administrators 及 SERVICE 之後,必須再授予模擬用戶端 Administrators and SERVICE must be granted the impersonate client after authentication privilege
57474如果已設定其他原則以覆寫類別層級稽核原則,可能不會強制執行此設定。
%1
This setting might not be enforced if other policy is configured to override category level audit policy.
%1
57475如需詳細資訊,請參閱安全性原則技術參考中的 %1。 For more information, see %1 in the Security Policy Technical Reference.
58000沒有此動作的解說文字 No explain text for this action
58003將在下列時間之後鎖定電腦 Machine will be locked after
58100管理集中存取原則...
新增/移除此範本的集中存取原則
Manage Central Access Policies...
Add/Remove Central Access Policies to this template
58107此存取原則包含下列原則規則: This Access Policy includes the following Policy rules:
58108狀態 Status
58109正在從 Active Directory 下載集中存取原則... Downloading central access policies from active directory...
58110錯誤: 無法下載集中存取原則 Error: Central access policies could not be downloaded
58111已就緒... Ready...
58113找不到此集中存取原則。它可能已自 Active Directory 刪除,或含有無效的設定。請在 Active Directory 管理中心 (AD AC) 還原此原則,或從設定中移除此原則。 This central access policy could not be found. It may have been deleted from Active Directory or have invalid settings. Restore this policy in Active Directory Administrative Center (AD AC) or remove it from the configuration.
59001帳戶: 限制使用空白密碼的本機帳戶僅能登入到主控台 Accounts: Limit local account use of blank passwords to console logon only
59002稽核: 稽核通用系統物件的存取 Audit: Audit the access of global system objects
59003稽核: 稽核備份與還原權限的使用 Audit: Audit the use of Backup and Restore privilege
59004稽核: 當無法記錄安全性稽核時,系統立即關機 Audit: Shut down system immediately if unable to log security audits
59005裝置: 防止使用者安裝印表機驅動程式 Devices: Prevent users from installing printer drivers
59010裝置: 允許卸除而不須登入 Devices: Allow undock without having to log on
59011網域控制站: 允許伺服器操作者排程工作 Domain controller: Allow server operators to schedule tasks
59012網域控制站: 拒絕電腦帳戶密碼變更 Domain controller: Refuse machine account password changes
59013網域控制站: LDAP 伺服器簽章要求 Domain controller: LDAP server signing requirements
59015要求簽章 Require signing
59016網域成員: 停用電腦帳戶密碼變更 Domain member: Disable machine account password changes
59017網域成員: 最長電腦帳戶密碼有效期 Domain member: Maximum machine account password age
59018網域成員: 安全通道資料加以數位加密或簽章 (自動) Domain member: Digitally encrypt or sign secure channel data (always)
59019網域成員: 安全通道資料加以數位加密 (可能的話) Domain member: Digitally encrypt secure channel data (when possible)
59020網域成員: 安全通道資料加以數位簽章 (自動) Domain member: Digitally sign secure channel data (when possible)
59021網域成員: 要求增強式 (Windows 2000 或更新) 工作階段金鑰 Domain member: Require strong (Windows 2000 or later) session key
59022互動式登入: 不要求按 CTRL+ALT+DEL 鍵 Interactive logon: Do not require CTRL+ALT+DEL
59023互動式登入: 不要顯示上次登入 Interactive logon: Don't display last signed-in
59024互動式登入: 在工作階段被封鎖時顯示使用者資訊 Interactive logon: Display user information when the session is locked
59025使用者顯示名稱、網域和使用者名稱 User display name, domain and user names
59026僅使用者顯示名稱 User display name only
59027不要顯示使用者資訊 Do not display user information
59028互動式登入: 給登入使用者的訊息本文 Interactive logon: Message text for users attempting to log on
59029互動式登入: 給登入使用者的訊息標題 Interactive logon: Message title for users attempting to log on
59030互動式登入: 網域控制站無法使用時,要快取的先前登入次數 Interactive logon: Number of previous logons to cache (in case domain controller is not available)
59031互動式登入: 在密碼到期前提示使用者變更密碼 Interactive logon: Prompt user to change password before expiration
59032互動式登入: 要求網域控制站驗證以解除鎖定工作站 Interactive logon: Require Domain Controller authentication to unlock workstation
59033互動式登入: 要求必須使用 Windows Hello 企業版或智慧卡 Interactive logon: Require Windows Hello for Business or smart card
59034互動式登入: 智慧卡移除操作 Interactive logon: Smart card removal behavior
59035沒有動作 No Action
59036鎖定工作站 Lock Workstation
59037強制登出 Force Logoff
59038如果是遠端桌面服務工作階段則中斷連線 Disconnect if a remote Remote Desktop Services session
59039Microsoft 網路用戶端: 數位簽章用戶端的通訊 (自動) Microsoft network client: Digitally sign communications (always)
59040Microsoft 網路用戶端: 數位簽章用戶端的通訊 (如果伺服器同意) Microsoft network client: Digitally sign communications (if server agrees)
59041Microsoft 網路用戶端: 傳送未加密的密碼到其他廠商的 SMB 伺服器 Microsoft network client: Send unencrypted password to third-party SMB servers
59042Microsoft 網路伺服器: 暫停工作階段前,要求的閒置時間 Microsoft network server: Amount of idle time required before suspending session
59043Microsoft 網路伺服器: 數位簽章伺服器的通訊 (自動) Microsoft network server: Digitally sign communications (always)
59044Microsoft 網路伺服器: 數位簽章伺服器的通訊 (如果用戶端同意) Microsoft network server: Digitally sign communications (if client agrees)
59045Microsoft 網路伺服器: 當登入時數到期時,中斷用戶端連線 Microsoft network server: Disconnect clients when logon hours expire
59046網路存取: 不允許存放網路驗證的密碼與認證 Network access: Do not allow storage of passwords and credentials for network authentication
59047網路存取: 不允許 SAM 帳戶的匿名列舉 Network access: Do not allow anonymous enumeration of SAM accounts
59048網路存取: 不允許 SAM 帳戶和共用的匿名列舉 Network access: Do not allow anonymous enumeration of SAM accounts and shares
59049網路存取: 讓 Everyone 權限套用到匿名使用者 Network access: Let Everyone permissions apply to anonymous users
59050網路存取: 限制匿名存取具名管道和共用 Network access: Restrict anonymous access to Named Pipes and Shares
59051網路存取: 可以匿名存取的具名管道 Network access: Named Pipes that can be accessed anonymously
59052網路存取: 可以匿名存取的共用 Network access: Shares that can be accessed anonymously
59053網路存取: 可遠端存取的登錄路徑及子路徑 Network access: Remotely accessible registry paths and sub-paths
59054網路存取: 可遠端存取的登錄路徑 Network access: Remotely accessible registry paths
59055網路存取: 共用和安全性模式用於本機帳戶 Network access: Sharing and security model for local accounts
59056傳統 - 本機使用者以自身身分驗證 Classic - local users authenticate as themselves
59057僅適用於來賓 - 本機使用者以 Guest 驗證 Guest only - local users authenticate as Guest
59058網路安全性: 下次密碼變更時不儲存 LAN Manager 雜湊數值 Network security: Do not store LAN Manager hash value on next password change
59059網路安全性: LAN Manager 驗證等級 Network security: LAN Manager authentication level
59060傳送 LM 和 NTLM 回應 Send LM & NTLM responses
59061傳送 LM 和 NTLM - 如有交涉,使用 NTLMv2 工作階段安全性 Send LM & NTLM - use NTLMv2 session security if negotiated
59062只傳送 NTLM 回應 Send NTLM response only
59063只傳送 NTLMv2 回應 Send NTLMv2 response only
59064只傳送 NTLMv2 回應。拒絕 LM Send NTLMv2 response only. Refuse LM
59065只傳送 NTLMv2 回應。拒絕 LM 和 NTLM Send NTLMv2 response only. Refuse LM & NTLM
59066網路安全性: NTLM SSP 為主的 (包含安全 RPC) 用戶端的最小工作階段安全性 Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
59067網路安全性: NTLM SSP 為主的 (包含安全 RPC) 伺服器的最小工作階段安全性 Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
59070要求 NTLMv2 工作階段安全性 Require NTLMv2 session security
59071要求 128 位元加密 Require 128-bit encryption
59072網路安全性: LDAP 用戶端簽章要求 Network security: LDAP client signing requirements
59074交涉簽章 Negotiate signing
59076修復主控台: 允許自動系統管理登入 Recovery console: Allow automatic administrative logon
59077修復主控台: 允許軟碟複製以及存取所有磁碟和所有資料夾 Recovery console: Allow floppy copy and access to all drives and all folders
59078關機: 允許不登入就將系統關機 Shutdown: Allow system to be shut down without having to log on
59079關機: 清除虛擬記憶體分頁檔 Shutdown: Clear virtual memory pagefile
59080系統物件: 加強內部系統物件的預設權限 (例如:符號連結) System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
59081系統物件: 系統管理員群組成員所建立物件的預設擁有者 System objects: Default owner for objects created by members of the Administrators group
59082系統管理員群組 Administrators group
59083物件建立者 Object creator
59084系統物件: 要求不區分大小寫用於非 Windows 子系統 System objects: Require case insensitivity for non-Windows subsystems
59085系統密碼編譯: 使用 FIPS 相容演算法於加密,雜湊,以及簽章 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
59086系統密碼編譯: 對使用者儲存在電腦上的金鑰強制使用增強式金鑰保護 System cryptography: Force strong key protection for user keys stored on the computer
59087當新金鑰被儲存及使用時,不要求使用者的輸入 User input is not required when new keys are stored and used
59088金鑰第一次使用時提示使用者輸入 User is prompted when the key is first used
59089使用者必須在每次使用金鑰時輸入密碼 User must enter a password each time they use a key
59090系統設定: 於軟體限制原則對 Windows 可執行檔使用憑證規則 System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
59091系統設定: 選擇性的子系統 System settings: Optional subsystems
59092登入 logons
59093 days
59094分鐘 minutes
59095 seconds
59096DCOM: 以 Security Descriptor Definition Language (SDDL) 語法表示的電腦啟動限制 DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
59097DCOM: 以 Security Descriptor Definition Language (SDDL) 語法表示的電腦存取限制 DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
59098裝置: CD-ROM 存取只限於登入本機的使用者 Devices: Restrict CD-ROM access to locally logged-on user only
59099裝置: 允許格式化以及退出抽取式媒體 Devices: Allowed to format and eject removable media
59100Administrators Administrators
59101Administrators 以及 Power Users Administrators and Power Users
59102Administrators 以及 Interactive Users Administrators and Interactive Users
59103裝置: 軟碟機存取只限於登入本機的使用者 Devices: Restrict floppy access to locally logged-on user only
59104稽核: 強制執行稽核原則子類別設定 (Windows Vista 或更新的版本) 以覆寫稽核原則類別設定 Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
59105網路安全性: 限制 NTLM: 送往遠端伺服器的連出 NTLM 流量 Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
59106全部允許 Allow all
59107全部拒絕 Deny all
59108網路安全性: 限制 NTLM: 連入 NTLM 流量 Network security: Restrict NTLM: Incoming NTLM traffic
59110拒絕所有網域帳戶 Deny all domain accounts
59111拒絕所有帳戶 Deny all accounts
59112網路安全性: 限制 NTLM: 這個網域中的 NTLM 驗證 Network security: Restrict NTLM: NTLM authentication in this domain
59113停用 Disable
59114拒絕網域伺服器的網域帳戶 Deny for domain accounts to domain servers
59115拒絕網域帳戶 Deny for domain accounts
59116拒絕網域伺服器 Deny for domain servers
59118網路安全性: 限制 NTLM: 新增 NTLM 驗證的遠端伺服器例外 Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
59119網路安全性: 限制 NTLM: 新增這個網域的伺服器例外 Network security: Restrict NTLM: Add server exceptions in this domain
59120網路安全性: 允許 LocalSystem NULL 工作階段回復 Network security: Allow LocalSystem NULL session fallback
59121網路安全性: 設定 Kerberos 允許的加密類型 Network security: Configure encryption types allowed for Kerberos
59122DES_CBC_CRC DES_CBC_CRC
59123DES_CBC_MD5 DES_CBC_MD5
59124RC4_HMAC_MD5 RC4_HMAC_MD5
59125AES128_HMAC_SHA1 AES128_HMAC_SHA1
59126AES256_HMAC_SHA1 AES256_HMAC_SHA1
59127未來的加密類型 Future encryption types
59129網路安全性: 允許對此電腦的 PKU2U 驗證要求使用線上身分識別。

Network security: Allow PKU2U authentication requests to this computer to use online identities.

59130全部稽核 Audit all
59131網路安全性: 限制 NTLM: 稽核連入 NTLM 流量 Network security: Restrict NTLM: Audit Incoming NTLM Traffic
59132網路安全性: 限制 NTLM: 稽核這個網域的 NTLM 驗證 Network security: Restrict NTLM: Audit NTLM authentication in this domain
59133網路安全性: 允許 Local System 對 NTLM 使用電腦身分識別 Network security: Allow Local System to use computer identity for NTLM
59135啟用網域帳戶的稽核 Enable auditing for domain accounts
59136啟用所有帳戶的稽核 Enable auditing for all accounts
59138啟用網域伺服器的網域帳戶 Enable for domain accounts to domain servers
59139啟用網域帳戶 Enable for domain accounts
59140啟用網域伺服器 Enable for domain servers
59141全部啟用 Enable all
59142Microsoft 網路伺服器: 伺服器 SPN 目標名稱驗證層級 Microsoft network server: Server SPN target name validation level
59143關閉 Off
59144如果是用戶端所提供則接受 Accept if provided by client
59145用戶端的要求 Required from client
59146Microsoft 網路伺服器: 嘗試 S4U2Self 以取得宣告資訊 Microsoft network server: Attempt S4U2Self to obtain claim information
59147預設 Default
59150帳戶: 封鎖 Microsoft 帳戶 Accounts: Block Microsoft accounts
59151此原則已停用 This policy is disabled
59152使用者無法新增 Microsoft 帳戶 Users can't add Microsoft accounts
59153使用者無法新增 Microsoft 帳戶或以 Microsoft 帳戶登入 Users can't add or log on with Microsoft accounts
59154互動式登入: 電腦帳戶鎖定閾值 Interactive logon: Machine account lockout threshold
59155互動式登入: 電腦未使用時間限制 Interactive logon: Machine inactivity limit
59156無效的登入嘗試 invalid logon attempts
59157網路存取: 限制允許對 SAM 發出遠端呼叫的用戶端 Network access: Restrict clients allowed to make remote calls to SAM
59158互動式登入: 不要在登入期間顯示使用者名稱 Interactive logon: Don't display username at sign-in

EXIF

File Name:wsecedit.dll.mui
Directory:%WINDIR%\WinSxS\amd64_microsoft-windows-s..gement-ui.resources_31bf3856ad364e35_10.0.15063.0_zh-tw_99bb753fde72a3eb\
File Size:179 kB
File Permissions:rw-rw-rw-
File Type:Win32 DLL
File Type Extension:dll
MIME Type:application/octet-stream
Machine Type:Intel 386 or later, and compatibles
Time Stamp:0000:00:00 00:00:00
PE Type:PE32
Linker Version:14.10
Code Size:0
Initialized Data Size:182784
Uninitialized Data Size:0
Entry Point:0x0000
OS Version:10.0
Image Version:10.0
Subsystem Version:6.0
Subsystem:Windows GUI
File Version Number:10.0.15063.0
Product Version Number:10.0.15063.0
File Flags Mask:0x003f
File Flags:(none)
File OS:Windows NT 32-bit
Object File Type:Dynamic link library
File Subtype:0
Language Code:Chinese (Traditional)
Character Set:Unicode
Company Name:Microsoft Corporation
File Description:安全性設定 UI 模組
File Version:10.0.15063.0 (WinBuild.160101.0800)
Internal Name:WSECEDIT
Legal Copyright:© Microsoft Corporation. All rights reserved.
Original File Name:WSecEdit.dll.mui
Product Name:Microsoft® Windows® Operating System
Product Version:10.0.15063.0
Directory:%WINDIR%\WinSxS\x86_microsoft-windows-s..gement-ui.resources_31bf3856ad364e35_10.0.15063.0_zh-tw_3d9cd9bc261532b5\

What is wsecedit.dll.mui?

wsecedit.dll.mui is Multilingual User Interface resource file that contain Chinese (Traditional) language for file wsecedit.dll (安全性設定 UI 模組).

File version info

File Description:安全性設定 UI 模組
File Version:10.0.15063.0 (WinBuild.160101.0800)
Company Name:Microsoft Corporation
Internal Name:WSECEDIT
Legal Copyright:© Microsoft Corporation. All rights reserved.
Original Filename:WSecEdit.dll.mui
Product Name:Microsoft® Windows® Operating System
Product Version:10.0.15063.0
Translation:0x404, 1200