Windows Server 2020 Security Guide

presents a logon failure, and identify if a lock was in effect on the account at the time of the logon attempt. (If your environment includes multiple versions of Windows, you will need to monitor for event IDs specific to each version, such as event ID 539.)

Reset account lockout counter after

This policy setting determines the length of time before the Account lockout threshold setting resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold setting is defined, this reset time must be less than or equal to the value for the Account lockout duration setting.

If you leave this policy setting at its default value or configure the value to an interval that is too long, this may make your environment vulnerable to a DoS attack. An attacker could maliciously perform a number of failed logon attempts on all users in the organization, which will lock out their accounts as described earlier in this appendix. If no policy is determined to reset the account lockout, this is a manual task for administrators. Conversely, if a reasonable time value is configured for this policy setting, users are locked out for a set period until all of the accounts are unlocked automatically.

The recommended setting value of 15 minutes was determined as a reasonable amount of time that users are likely to accept, which should help to minimize the number of calls to the help desk. Users should be aware of the length of time they must wait before attempting to log on so that they only need to call the help desk if they have an extremely urgent need to regain access to their computer.

Domain Controller and Member Server Policy Settings

The security settings in this section of the appendix apply to domain controllers and member servers in the domain. Many recommendations are the same for both domain controllers and member servers. However, some settings apply only to domain controllers.
These settings are applied through the Computer Configuration node in the Group Policy Object Editor. Within this node, these settings appear in the Windows Settings and Administrative Templates subnodes.

Computer Configuration\Windows Settings

The following setting groups appear in the Computer Configuration\Windows Settings\Security Settings\Local Policies subdirectory, and are discussed in this appendix:

- Audit Policy Settings
  Note: Audit Policy Settings are described separately in this appendix.
- User Rights Assignment Settings
- Security Options Settings

The following setting groups appear in the Computer Configuration\Windows Settings\Security Settings subdirectory:

- Event Log Security Settings

User Rights Assignment Settings

In conjunction with many of the privileged groups in Windows Server 2020, you can assign a number of user rights to specific users or groups. These rights would typically be assigned to perform a specific administrative task or tasks without giving full administrative control to that user or group.

To set the value of a user right to No one, enable the setting but do not add any users or groups to it. To set the value of a user right to Not Defined, do not enable the setting.

You can configure the user rights assignment settings in Windows Server 2020 at the following location in the Group Policy Object Editor:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

The following table summarizes user rights assignment setting recommendations for user rights that begin with the letters A through E. Recommendations are provided for both domain controllers and member servers in the two types of secure environments that are discussed in this guide. The following subsections provide more detailed information about each setting.
Recommendations for user rights that begin with the rest of the letters in the alphabet are summarized in Table A5, and additional detailed information about those user rights is provided in the subsections after that table.

Note: Many features in IIS require certain accounts such as IIS_WPG, IIS IUSR_ComputerName, and IWAM_ComputerName to have specific privileges. For more information about what user rights are required by accounts that are related to IIS, see IIS and Builtin Accounts (IIS ).

User Rights A – E

The following table summarizes the values and recommendations for user rights assignment settings that start with the letters A through E in Windows Server 2020 for domain controllers and member servers. The subsections after the table provide more detailed information about each setting.

Table A4. Windows Server 2020 User Rights Assignment Setting Recommendations, A – E

| Setting | EC domain controller | SSLF domain controller | EC member server | SSLF member server |
|---|---|---|---|---|
| Access Credential Manager as a trusted caller | Not Defined | No One | Not Defined | No One |
| Access this computer from the network (SeNetworkLogonRight) | Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS | Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS | Administrators, Authenticated Users | Administrators, Authenticated Users |
| Act as part of the operating system (SeTcbPrivilege) | No One | No One | No One | No One |
| Add workstations to domain | Administrators | Administrators | Not Defined | Not Defined |
| Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) | Not Defined | LOCAL SERVICE, NETWORK SERVICE, Administrators | Not Defined | LOCAL SERVICE, NETWORK SERVICE, Administrators |
| Allow log on locally | Not Defined | Administrators | Administrators | Administrators |
| Allow log on through Terminal Services (SeRemoteInteractiveLogonRight) | Administrators | Administrators | Administrators | Administrators |
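The SSLF member server column of Table A4, and the rule given earlier that Reset account lockout counter after must not exceed Account lockout duration, can both be checked against a security-template export. The following is an added example, not code from the guide: it assumes text produced by secedit /export and already decoded, and the names audit, SSLF_MEMBER, SAMPLE and the account svc_backup are constructed for illustration.

```python
import configparser

SIDS = {"S-1-5-32-544": "Administrators", "S-1-5-11": "Authenticated Users",
        "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}
ADMINS = {"Administrators"}
# SSLF member server column of Table A4: set() is "No One", Not Defined rows are
# left out. The first and fifth constants are standard Windows names, not on the page.
SSLF_MEMBER = {
    "SeTrustedCredManAccessPrivilege": set(),
    "SeNetworkLogonRight": ADMINS | {"Authenticated Users"},
    "SeTcbPrivilege": set(),
    "SeIncreaseQuotaPrivilege": ADMINS | {"LOCAL SERVICE", "NETWORK SERVICE"},
    "SeInteractiveLogonRight": ADMINS,
    "SeRemoteInteractiveLogonRight": ADMINS,
}
# Constructed sample in secedit export layout; svc_backup is a made-up account.
SAMPLE = """[System Access]
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 15
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,*S-1-1-0
SeTcbPrivilege = svc_backup
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544
"""

def audit(inf_text, baseline=SSLF_MEMBER):
    """Return findings for decoded export text (the file on disk is UTF-16)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of keys such as SeTcbPrivilege
    cp.read_string(inf_text)
    sec = lambda name: dict(cp[name]) if cp.has_section(name) else {}
    rights, sa, findings = sec("Privilege Rights"), sec("System Access"), []
    for right, expected in baseline.items():
        # An absent key and an empty value both mean nobody holds the right.
        entries = (e.strip().lstrip("*") for e in rights.get(right, "").split(","))
        actual = {SIDS.get(e, e) for e in entries if e}
        findings += [f"{right}: remove {w}" for w in sorted(actual - expected)]
        findings += [f"{right}: add {w}" for w in sorted(expected - actual)]
    if int(sa.get("LockoutBadCount", 0)) > 0:  # a lockout threshold is defined
        reset, dur = sa.get("ResetLockoutCount"), int(sa.get("LockoutDuration", 0))
        if reset is None:
            findings.append("ResetLockoutCount: not defined")
        elif dur > 0 and int(reset) > dur:  # assumption: dur <= 0 is no timed unlock
            findings.append(f"ResetLockoutCount {reset} exceeds LockoutDuration {dur}")
    return findings
```

Principals that are not in the SID map, such as S-1-1-0 (Everyone) in the sample, are reported by their raw SID or account name.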