ChoETL.Core v1.2.1.47
[
{
"Identifier": [
{
"Identifier": "{31B2F340-016D-11D2-945F-00C04FB984F9}",
"Domain": "sos.labs"
}
],
"Name": "Default Domain Policy",
"IncludeComments": "true",
"CreatedTime": "2018-03-16T06:21:12",
"ModifiedTime": "2018-03-16T06:30:52",
"ReadTime": "2018-08-28T12:35:43.4246745Z",
"SecurityDescriptor": [
{
"SDDL": "O:DAG:DAD:PAI(A;;CCLCSWRPWPLORCWDWO;;;DA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;;CCLCSWRPWPLORCWDWO;;;S-1-5-21-2872888145-3513486857-3924934394-519)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-2872888145-3513486857-3924934394-519)(A;;CCLCSWRPWPLORCWDWO;;;DA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)",
"Owner": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-512",
"Name": "sos\\Domain Admins"
},
"Group": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-512",
"Name": "sos\\Domain Admins"
},
"PermissionsPresent": "true",
"Permissions": [
{
"#text": "false"
},
{
"Trustee": {
"SID": "S-1-5-9",
"Name": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Read"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-18",
"Name": "NT AUTHORITY\\SYSTEM"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Edit, delete, modify security"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-11",
"Name": "NT AUTHORITY\\Authenticated Users"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Apply Group Policy"
},
"AccessMask": "0"
}
],
"AuditingPresent": "false"
}
],
"FilterDataAvailable": "true",
"Computer": [
{
"VersionDirectory": "4",
"VersionSysvol": "4",
"Enabled": "true",
"ExtensionDatas": [
{
"Extension": [
{
"Name": "ClearTextPassword",
"SettingBoolean": "false",
"Type": "Password"
},
{
"Name": "LockoutBadCount",
"SettingNumber": "0",
"Type": "Account Lockout"
},
{
"Name": "MaximumPasswordAge",
"SettingNumber": "42",
"Type": "Password"
},
{
"Name": "MinimumPasswordAge",
"SettingNumber": "0",
"Type": "Password"
},
{
"Name": "MinimumPasswordLength",
"SettingNumber": "0",
"Type": "Password"
},
{
"Name": "PasswordComplexity",
"SettingBoolean": "true",
"Type": "Password"
},
{
"Name": "PasswordHistorySize",
"SettingNumber": "0",
"Type": "Password"
},
{
"Name": "MaxClockSkew",
"SettingNumber": "5",
"Type": "Kerberos"
},
{
"Name": "MaxRenewAge",
"SettingNumber": "7",
"Type": "Kerberos"
},
{
"Name": "MaxServiceAge",
"SettingNumber": "600",
"Type": "Kerberos"
},
{
"Name": "MaxTicketAge",
"SettingNumber": "10",
"Type": "Kerberos"
},
{
"Name": "TicketValidateClient",
"SettingBoolean": "true",
"Type": "Kerberos"
}
],
"Name": "Security"
},
{
"Extension": {
"EFSSettings": {
"AllowEFS": "2",
"Options": "0",
"CacheTimeout": "0",
"KeyLen": "0"
},
"EFSRecoveryAgent": {
"IssuedTo": "Administrator",
"IssuedBy": "Administrator",
"ExpirationDate": "2118-02-20T06:28:14Z",
"CertificatePurpose": {
"Purpose": "1.3.6.1.4.1.311.10.3.4.1"
},
"Data": "0200000001000000CC0000001C0000006C0000000100000000000000000000000000000001000000320039006200390034003400340064002D0036003600340061002D0034006500340031002D0062003300350032002D0039006200620066003500380036003400380038006100640000000000000000004D006900630072006F0073006F0066007400200045006E00680061006E006300650064002000430072007900700074006F0067007200610070006800690063002000500072006F00760069006400650072002000760031002E003000000000000300000001000000140000005EF3F3C64B3411F47CC0597D8E5170DF1A233A822000000001000000840300003082038030820268A0030201020210180B2A30F37F81A440175DE56F499B51300D06092A864886F70D01010505003050311630140603550403130D41646D696E6973747261746F72310C300A0603550407130345465331283026060355040B131F4546532046696C6520456E6372797074696F6E2043657274696669636174653020170D3138303331363036323831345A180F32313138303232303036323831345A3050311630140603550403130D41646D696E6973747261746F72310C300A0603550407130345465331283026060355040B131F4546532046696C6520456E6372797074696F6E20436572746966696361746530820122300D06092A864886F70D01010105000382010F003082010A0282010100BACF6F72C7B27CDC964A0B645050772327AE144A6F3CC9C1C1955F021D7DE953E4746F99E91062C8D0AC4703E4372706A3CA8644B0F7FA47DC7408F4C4EF1391333295AE6503278C9A8691E36A37ADF6EB2E99E166E3558992432ED9454DF085124BBEA2FD3595003ECD8E1AC7DED3A084523A9D8E8CBD747D9145700340DC5EAABB3749E2E29C5E4EF127C288CC1DE1B43C2D9A1BE7CA144E23169B61F6E2A088030FA1304183F5B762181B99A83BEA196E09278BDC2ABA12E1E1630793DA2FE4CA31F0F1F9BBE1F2F6AF559E0FF6219094BB4FC7B92C249A01E89D936643616E76800ACEED5AE082F1FABEDC22923D6ABD8BECBF6519F599817EB977CC80130203010001A354305230160603551D25040F300D060B2B0601040182370A030401302D0603551D1104263024A022060A2B060104018237140203A0140C1241646D696E6973747261746F7240736F730030090603551D1304023000300D06092A864886F70D01010505000382010100B408DD4629DC78A5E5C002ACFF5FB9BB1798689CA0879990F4472CD195001E60068D6D1C9E44E1019FAA02CE0A1E2FB10FB7159A6AA166DA8E91F3849B9200E71027317E348376CD0BED6C92932E885363506C556476223A27CF2DD4CCCB695E47E7EBF89312720420FE252D91C7F700032A5F7AA80C509E64AF89AE68D7EF086C82CDB231289A34618D6263AD3045A586B3587976E6F27C5AA024479AFE26C72F4E85F1577448D993CDD90E30883AEAEB13419904F3B42FCEFC57EE1C721FC2EDFECF8550CC04AB67F46CCFB067F69D7BBA19EB44E10C2869C3A3250CD5B8C8D041FEA04639E080F1BC6F95C11758C6A042802C8A37B2FAE447FBE24F736552"
},
"RootCertificateSettings": {
"AllowNewCAs": "true",
"TrustThirdPartyCAs": "true",
"RequireUPNNamingConstraints": "false"
}
},
"Name": "Public Key"
},
{
"Extension": null,
"Name": "Registry"
}
]
}
],
"User": [
{
"VersionDirectory": "0",
"VersionSysvol": "0",
"Enabled": "true"
}
],
"LinksTo": [
{
"SOMName": "sos",
"SOMPath": "sos.labs",
"Enabled": "true",
"NoOverride": "false"
}
]
},
{
"Identifier": [
{
"Identifier": "{36DDC97F-78D7-4A68-8EE9-E101EF56B324}",
"Domain": "sos.labs"
}
],
"Name": "BitLocker",
"IncludeComments": "true",
"CreatedTime": "2018-03-18T07:02:05",
"ModifiedTime": "2018-03-28T14:47:40",
"ReadTime": "2018-08-28T12:35:46.5810219Z",
"SecurityDescriptor": [
{
"SDDL": "O:DAG:DAD:PAI(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-2872888145-3513486857-3924934394-519)(A;CI;LCRPLORC;;;ED)(A;CI;LCRPLORC;;;AU)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)",
"Owner": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-512",
"Name": "sos\\Domain Admins"
},
"Group": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-512",
"Name": "sos\\Domain Admins"
},
"PermissionsPresent": "true",
"Permissions": [
{
"#text": "false"
},
{
"Trustee": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-519",
"Name": "sos\\Enterprise Admins"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Edit, delete, modify security"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-9",
"Name": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Read"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-18",
"Name": "NT AUTHORITY\\SYSTEM"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Edit, delete, modify security"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-512",
"Name": "sos\\Domain Admins"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Edit, delete, modify security"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-11",
"Name": "NT AUTHORITY\\Authenticated Users"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Apply Group Policy"
},
"AccessMask": "0"
}
],
"AuditingPresent": "false"
}
],
"FilterDataAvailable": "true",
"Computer": [
{
"VersionDirectory": "32",
"VersionSysvol": "32",
"Enabled": "true",
"ExtensionData": {
"Extension": [
{
"Name": "Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)",
"State": "Enabled",
"Explain": "\n\t\t\t\t\t\t\tThis policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of BitLocker Drive Encryption recovery information. This provides an administrative method of recovering data encrypted by BitLocker to prevent data loss due to lack of key information. This policy setting is only applicable to computers running Windows Server 2008 or Windows Vista.\n\n\t\t\t\t\t\t\tIf you enable this policy setting, BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer. This policy setting is applied when you turn on BitLocker.\n\n\t\t\t\t\t\t\tNote: You might need to set up appropriate schema extensions and access control settings on the domain before AD DS backup can succeed. More information about setting up AD DS backup for BitLocker is available on Microsoft TechNet.\n\n\t\t\t\t\t\t\tBitLocker recovery information includes the recovery password and some unique identifier data. You can also include a package that contains a BitLocker-protected drive's encryption key. This key package is secured by one or more recovery passwords and may help perform specialized recovery when the disk is damaged or corrupted.\n\n\t\t\t\t\t\t\tIf you select the option to \"Require BitLocker backup to AD DS\" BitLocker cannot be turned on unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible. If this option is not selected, AD DS backup is attempted but network or other backup failures do not prevent BitLocker setup. Backup is not automatically retried and the recovery password may not have been stored in AD DS during BitLocker setup.\n\n\t\t\t\t\t\t\tIf you disable or do not configure this policy setting, BitLocker recovery information is not backed up to AD DS.\n\n\t\t\t\t\t\t\tNote: Trusted Platform Module (TPM) initialization might occur during BitLocker setup. Enable the \"Turn on TPM backup to Active Directory Domain Services\" policy setting in System\\Trusted Platform Module Services to ensure that TPM information is also backed up.\n\t\t\t\t\t\t",
"Supported": "Windows Server 2008 and Windows Vista",
"Category": "Windows Components/BitLocker Drive Encryption",
"CheckBox": {
"Name": "Require BitLocker backup to AD DS",
"State": "Enabled"
},
"Texts": [
{
"Name": "If selected, cannot turn on BitLocker if backup fails (recommended default). "
},
{
"Name": "If not selected, can turn on BitLocker even if backup fails. Backup is not automatically retried."
},
{
"Name": null
},
{
"Name": "A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive."
},
{
"Name": "A key package contains a drive's BitLocker encryption key secured by one or more recovery passwords"
},
{
"Name": "Key packages may help perform specialized recovery when the disk is damaged or corrupted. "
}
],
"DropDownList": {
"Name": "Select BitLocker recovery information to store:",
"State": "Enabled",
"Value": {
"Name": "Recovery passwords and key packages"
}
}
},
{
"Name": "Choose how BitLocker-protected operating system drives can be recovered",
"State": "Enabled",
"Explain": "\n\t\t\t\t\t\t\tThis policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker.\n\n\t\t\t\t\t\t\tThe \"Allow certificate-based data recovery agent\" check box is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.\n\n\t\t\t\t\t\t\tIn \"Configure user storage of BitLocker recovery information\" select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.\n\n\t\t\t\t\t\t\tSelect \"Omit recovery options from the BitLocker setup wizard\" to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.\n\n\t\t\t\t\t\t\tIn \"Save BitLocker recovery information to Active Directory Domain Services\", choose which BitLocker recovery information to store in AD DS for operating system drives. If you select \"Backup recovery password and key package\", both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select \"Backup recovery password only,\" only the recovery password is stored in AD DS.\n\n\t\t\t\t\t\t\tSelect the \"Do not enable BitLocker until recovery information is stored in AD DS for operating system drives\" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.\n\n\t\t\t\t\t\t\tNote: If the \"Do not enable BitLocker until recovery information is stored in AD DS for operating system drives\" check box is selected, a recovery password is automatically generated.\n\n\t\t\t\t\t\t\tIf you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.\n\n\t\t\t\t\t\t\tIf this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.\n\n\t\t\t\t\t\t",
"Supported": "At least Windows Server 2008 R2 or Windows 7",
"Category": "Windows Components/BitLocker Drive Encryption/Operating System Drives",
"CheckBoxes": [
{
"Name": "Allow data recovery agent",
"State": "Enabled"
},
{
"Name": "Omit recovery options from the BitLocker setup wizard",
"State": "Enabled"
},
{
"Name": "Save BitLocker recovery information to AD DS for operating system drives",
"State": "Enabled"
},
{
"Name": "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives",
"State": "Enabled"
}
],
"Text": {
"Name": "Configure user storage of BitLocker recovery information:"
},
"DropDownLists": [
{
"Name": null,
"State": "Enabled",
"Value": {
"Name": "Allow 48-digit recovery password"
}
},
{
"Name": null,
"State": "Enabled",
"Value": {
"Name": "Allow 256-bit recovery key"
}
},
{
"Name": "Configure storage of BitLocker recovery information to AD DS:",
"State": "Enabled",
"Value": {
"Name": "Store recovery passwords and key packages"
}
}
]
},
{
"Name": "Require additional authentication at startup",
"State": "Enabled",
"Explain": "\n\t\t\t\t\t\t\tThis policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.\n\n\t\t\t\t\t\t\tNote: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs.\n\n\t\t\t\t\t\t\tIf you want to use BitLocker on a computer without a TPM, select the \"Allow BitLocker without a compatible TPM\" check box. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.\n\n\t\t\t\t\t\t\tOn a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 4-digit to 20-digit personal identification number (PIN), or both.\n\n\t\t\t\t\t\t\tIf you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.\n\n\t\t\t\t\t\t\tIf you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM.\n\n\t\t\t\t\t\t\tNote: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.\n\n\t\t\t\t\t\t",
"Supported": "At least Windows Server 2008 R2 or Windows 7",
"Category": "Windows Components/BitLocker Drive Encryption/Operating System Drives",
"CheckBox": {
"Name": "Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)",
"State": "Enabled"
},
"Texts": [
{
"Name": "Settings for computers with a TPM:"
},
{
"Name": null
}
],
"DropDownLists": [
{
"Name": "Configure TPM startup:",
"State": "Enabled",
"Value": {
"Name": "Allow TPM"
}
},
{
"Name": "Configure TPM startup PIN:",
"State": "Enabled",
"Value": {
"Name": "Allow startup PIN with TPM"
}
},
{
"Name": "Configure TPM startup key:",
"State": "Enabled",
"Value": {
"Name": "Allow startup key with TPM"
}
},
{
"Name": "Configure TPM startup key and PIN:",
"State": "Enabled",
"Value": {
"Name": "Allow startup key and PIN with TPM"
}
}
]
},
{
"Name": "Require additional authentication at startup (Windows Server 2008 and Windows Vista)",
"State": "Enabled",
"Explain": "\n\t\t\t\t\t\t\tThis policy setting allows you to control whether the BitLocker Drive Encryption setup wizard will be able to set up an additional authentication method that is required each time the computer starts. This policy setting is applied when you turn on BitLocker.\n\n\t\t\t\t\t\t\tNote: This policy is only applicable to computers running Windows Server 2008 or Windows Vista.\n\n\t\t\t\t\t\t\tOn a computer with a compatible Trusted Platform Module (TPM), two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB flash drive containing a startup key. It can also require users to enter a 4-digit to 20-digit startup personal identification number (PIN).\n\n\t\t\t\t\t\t\tA USB flash drive containing a startup key is needed on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key material on this USB flash drive.\n\n\t\t\t\t\t\t\tIf you enable this policy setting, the wizard will display the page to allow the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with and without a TPM.\n\n\t\t\t\t\t\t\tIf you disable or do not configure this policy setting, the BitLocker setup wizard will display basic steps that allow users to turn on BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.\n\t\t\t\t\t\t",
"Supported": "Windows Server 2008 and Windows Vista",
"Category": "Windows Components/BitLocker Drive Encryption/Operating System Drives",
"CheckBox": {
"Name": "Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)",
"State": "Enabled"
},
"Texts": [
{
"Name": "Settings for computers with a TPM:"
},
{
"Name": "Important: If you require the startup key, you must not allow the startup PIN. "
},
{
"Name": "If you require the startup PIN, you must not allow the startup key. Otherwise, a policy error occurs."
},
{
"Name": "Note: Do not allow both startup PIN and startup key options to hide the advanced page on a computer with a TPM."
}
],
"DropDownLists": [
{
"Name": "Configure TPM startup key:",
"State": "Enabled",
"Value": {
"Name": "Allow startup key with TPM"
}
},
{
"Name": "Configure TPM startup PIN:",
"State": "Enabled",
"Value": {
"Name": "Allow startup PIN with TPM"
}
}
]
}
],
"Name": "Registry"
}
}
],
"User": [
{
"VersionDirectory": "0",
"VersionSysvol": "0",
"Enabled": "true"
}
],
"LinksTo": [
{
"SOMName": "Workstations",
"SOMPath": "sos.labs/Workstations",
"Enabled": "true",
"NoOverride": "false"
}
]
},
{
"Identifier": [
{
"Identifier": "{5621D5FA-603B-44BB-8719-FAA5F26E8CE3}",
"Domain": "sos.labs"
}
],
"Name": "Custom Event Channel Permissions",
"IncludeComments": "true",
"CreatedTime": "2018-07-11T08:37:32",
"ModifiedTime": "2018-07-11T08:37:32",
"ReadTime": "2018-08-28T12:35:46.6591749Z",
"SecurityDescriptor": [
{
"SDDL": "O:DAG:DAD:PAI(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-2872888145-3513486857-3924934394-519)(A;CI;LCRPLORC;;;ED)(A;CI;LCRPLORC;;;AU)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)",
"Owner": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-512",
"Name": "sos\\Domain Admins"
},
"Group": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-512",
"Name": "sos\\Domain Admins"
},
"PermissionsPresent": "true",
"Permissions": [
{
"#text": "false"
},
{
"Trustee": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-519",
"Name": "sos\\Enterprise Admins"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Edit, delete, modify security"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-9",
"Name": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Read"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-18",
"Name": "NT AUTHORITY\\SYSTEM"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Edit, delete, modify security"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-512",
"Name": "sos\\Domain Admins"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Edit, delete, modify security"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-11",
"Name": "NT AUTHORITY\\Authenticated Users"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Apply Group Policy"
},
"AccessMask": "0"
}
],
"AuditingPresent": "false"
}
],
"FilterDataAvailable": "true",
"Computer": [
{
"VersionDirectory": "1",
"VersionSysvol": "1",
"Enabled": "true",
"ExtensionData": {
"Extension": {},
"Name": "Windows Registry"
}
}
],
"User": [
{
"VersionDirectory": "1",
"VersionSysvol": "1",
"Enabled": "true"
}
],
"LinksTo": [
{
"SOMName": "Domain Controllers",
"SOMPath": "sos.labs/Domain Controllers",
"Enabled": "true",
"NoOverride": "true"
}
]
},
{
"Identifier": [
{
"Identifier": "{6AC1786C-016F-11D2-945F-00C04fB984F9}",
"Domain": "sos.labs"
}
],
"Name": "Default Domain Controllers Policy",
"IncludeComments": "true",
"CreatedTime": "2018-03-16T06:21:12",
"ModifiedTime": "2018-07-13T04:38:17",
"ReadTime": "2018-08-28T12:35:46.6904051Z",
"SecurityDescriptor": [
{
"SDDL": "O:DAG:DAD:PAI(A;;CCLCSWRPWPLORCWDWO;;;DA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;;CCLCSWRPWPLORCWDWO;;;S-1-5-21-2872888145-3513486857-3924934394-519)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-2872888145-3513486857-3924934394-519)(A;;CCLCSWRPWPLORCWDWO;;;DA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)",
"Owner": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-512",
"Name": "sos\\Domain Admins"
},
"Group": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-512",
"Name": "sos\\Domain Admins"
},
"PermissionsPresent": "true",
"Permissions": [
{
"#text": "false"
},
{
"Trustee": {
"SID": "S-1-5-9",
"Name": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Read"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-18",
"Name": "NT AUTHORITY\\SYSTEM"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Edit, delete, modify security"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-11",
"Name": "NT AUTHORITY\\Authenticated Users"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Apply Group Policy"
},
"AccessMask": "0"
}
],
"AuditingPresent": "false"
}
],
"FilterDataAvailable": "true",
"Computer": [
{
"VersionDirectory": "4",
"VersionSysvol": "4",
"Enabled": "true",
"ExtensionDatas": [
{
"Extension": [
{
"Name": "SeAssignPrimaryTokenPrivilege",
"Members": [
{
"SID": "S-1-5-20",
"Name": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"SID": "S-1-5-19",
"Name": "NT AUTHORITY\\LOCAL SERVICE"
}
]
},
{
"Name": "SeAuditPrivilege",
"Members": [
{
"SID": "S-1-5-20",
"Name": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"SID": "S-1-5-19",
"Name": "NT AUTHORITY\\LOCAL SERVICE"
}
]
},
{
"Name": "SeBackupPrivilege",
"Members": [
{
"SID": "S-1-5-32-549",
"Name": "BUILTIN\\Server Operators"
},
{
"SID": "S-1-5-32-551",
"Name": "BUILTIN\\Backup Operators"
},
{
"SID": "S-1-5-32-544",
"Name": "BUILTIN\\Administrators"
}
]
},
{
"Name": "SeBatchLogonRight",
"Members": [
{
"SID": "S-1-5-32-559",
"Name": "BUILTIN\\Performance Log Users"
},
{
"SID": "S-1-5-32-551",
"Name": "BUILTIN\\Backup Operators"
},
{
"SID": "S-1-5-32-544",
"Name": "BUILTIN\\Administrators"
}
]
},
{
"Name": "SeChangeNotifyPrivilege",
"Members": [
{
"SID": "S-1-5-32-554",
"Name": "BUILTIN\\Pre-Windows 2000 Compatible Access"
},
{
"SID": "S-1-5-11",
"Name": "NT AUTHORITY\\Authenticated Users"
},
{
"SID": "S-1-5-32-544",
"Name": "BUILTIN\\Administrators"
},
{
"SID": "S-1-5-20",
"Name": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"SID": "S-1-5-19",
"Name": "NT AUTHORITY\\LOCAL SERVICE"
},
{
"SID": "S-1-1-0",
"Name": "Everyone"
}
]
},
{
"Name": "SeCreatePagefilePrivilege",
"Member": {
"SID": "S-1-5-32-544",
"Name": "BUILTIN\\Administrators"
}
},
{
"Name": "SeDebugPrivilege",
"Member": {
"SID": "S-1-5-32-544",
"Name": "BUILTIN\\Administrators"
}
},
{
"Name": "SeEnableDelegationPrivilege",
"Member": {
"SID": "S-1-5-32-544",
"Name": "BUILTIN\\Administrators"
}
},
{
"Name": "SeIncreaseBasePriorityPrivilege",
"Member": {
"SID": "S-1-5-32-544",
"Name": "BUILTIN\\Administrators"
}
},
{
"Name": "SeIncreaseQuotaPrivilege",
"Members": [
{
"SID": "S-1-5-32-544",
"Name": "BUILTIN\\Administrators"
},
{
"SID": "S-1-5-20",
"Name": "NT AUTHORITY\\NETWORK SERVICE"
},
{
"SID": "S-1-5-19",
"Name": "NT AUTHORITY\\LOCAL SERVICE"
}
]
},
{
"Name": "SeInteractiveLogonRight",
"Members": [
{
"SID": "S-1-5-9",
"Name": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS"
},
{
"SID": "S-1-5-32-550",
"Name": "BUILTIN\\Print Operators"
},
{
"SID": "S-1-5-32-549",
"Name": "BUILTIN\\Server Operators"
},
{
"SID": "S-1-5-32-548",
"Name": "BUILTIN\\Account Operators"
},
{
"SID": "S-1-5-32-551",
"Name": "BUILTIN\\Backup Operators"
},
{
"SID": "S-1-5-32-544",
"Name": "BUILTIN\\Administrators"
}
]
},
{
"Name": "SeLoadDriverPrivilege",
"Members": [
{
"SID": "S-1-5-32-550",
"Name": "BUILTIN\\Print Operators"
},
{
"SID": "S-1-5-32-544",
"Name": "BUILTIN\\Administrators"
}
]
},
{
"Name": "SeMachineAccountPrivilege",
"Member": {
"SID": "S-1-5-11",
"Name": "NT AUTHORITY\\Authenticated Users"
}
},
{
"Name": "SeNetworkLogonRight",
"Members": [
{
"SID": "S-1-5-32-554",
"Name": "BUILTIN\\Pre-Windows 2000 Compatible Access"
},
{
"SID": "S-1-5-9",
"Name": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS"
},
{
"SID": "S-1-5-11",
"Name": "NT AUTHORITY\\Authenticated Users"
},
{
"SID": "S-1-5-32-544",
"Name": "BUILTIN\\Administrators"
},
{
"SID": "S-1-1-0",
"Name": "Everyone"
}
]
},
{
"Name": "SeProfileSingleProcessPrivilege",
"Member": {
"SID": "S-1-5-32-544",
"Name": "BUILTIN\\Administrators"
}
},
{
"Name": "SeRemoteShutdownPrivilege",
"Members": [
{
"SID": "S-1-5-32-549",
"Name": "BUILTIN\\Server Operators"
},
{
"SID": "S-1-5-32-544",
"Name": "BUILTIN\\Administrators"
}
]
},
{
"Name": "SeRestorePrivilege",
"Members": [
{
"SID": "S-1-5-32-549",
"Name": "BUILTIN\\Server Operators"
},
{
"SID": "S-1-5-32-551",
"Name": "BUILTIN\\Backup Operators"
},
{
"SID": "S-1-5-32-544",
"Name": "BUILTIN\\Administrators"
}
]
},
{
"Name": "SeSecurityPrivilege",
"Member": {
"SID": "S-1-5-32-544",
"Name": "BUILTIN\\Administrators"
}
},
{
"Name": "SeShutdownPrivilege",
"Members": [
{
"SID": "S-1-5-32-550",
"Name": "BUILTIN\\Print Operators"
},
{
"SID": "S-1-5-32-549",
"Name": "BUILTIN\\Server Operators"
},
{
"SID": "S-1-5-32-551",
"Name": "BUILTIN\\Backup Operators"
},
{
"SID": "S-1-5-32-544",
"Name": "BUILTIN\\Administrators"
}
]
},
{
"Name": "SeSystemEnvironmentPrivilege",
"Member": {
"SID": "S-1-5-32-544",
"Name": "BUILTIN\\Administrators"
}
},
{
"Name": "SeSystemProfilePrivilege",
"Members": [
{
"SID": "S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420",
"Name": "NT SERVICE\\WdiServiceHost"
},
{
"SID": "S-1-5-32-544",
"Name": "BUILTIN\\Administrators"
}
]
},
{
"Name": "SeSystemTimePrivilege",
"Members": [
{
"SID": "S-1-5-32-549",
"Name": "BUILTIN\\Server Operators"
},
{
"SID": "S-1-5-32-544",
"Name": "BUILTIN\\Administrators"
},
{
"SID": "S-1-5-19",
"Name": "NT AUTHORITY\\LOCAL SERVICE"
}
]
},
{
"Name": "SeTakeOwnershipPrivilege",
"Member": {
"SID": "S-1-5-32-544",
"Name": "BUILTIN\\Administrators"
}
},
{
"Name": "SeUndockPrivilege",
"Member": {
"SID": "S-1-5-32-544",
"Name": "BUILTIN\\Administrators"
}
}
],
"Name": "Security"
},
{
"Extension": [
{},
{},
{}
],
"Name": "Advanced Audit Configuration"
}
]
}
],
"User": [
{
"VersionDirectory": "0",
"VersionSysvol": "0",
"Enabled": "true"
}
],
"LinksTo": [
{
"SOMName": "Domain Controllers",
"SOMPath": "sos.labs/Domain Controllers",
"Enabled": "true",
"NoOverride": "false"
}
]
},
{
"Identifier": [
{
"Identifier": "{80C12234-9939-4F9B-BB17-7D50FDA95D92}",
"Domain": "sos.labs"
}
],
"Name": "Domain Controllers Enhanced Auditing Policy",
"IncludeComments": "true",
"CreatedTime": "2018-07-13T04:23:42",
"ModifiedTime": "2018-07-13T04:23:43",
"ReadTime": "2018-08-28T12:35:46.7685363Z",
"SecurityDescriptor": [
{
"SDDL": "O:DAG:DAD:PAI(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-2872888145-3513486857-3924934394-519)(A;CI;LCRPLORC;;;ED)(A;CI;LCRPLORC;;;AU)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)",
"Owner": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-512",
"Name": "sos\\Domain Admins"
},
"Group": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-512",
"Name": "sos\\Domain Admins"
},
"PermissionsPresent": "true",
"Permissions": [
{
"#text": "false"
},
{
"Trustee": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-519",
"Name": "sos\\Enterprise Admins"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Edit, delete, modify security"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-9",
"Name": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Read"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-18",
"Name": "NT AUTHORITY\\SYSTEM"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Edit, delete, modify security"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-512",
"Name": "sos\\Domain Admins"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Edit, delete, modify security"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-11",
"Name": "NT AUTHORITY\\Authenticated Users"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Apply Group Policy"
},
"AccessMask": "0"
}
],
"AuditingPresent": "false"
}
],
"FilterDataAvailable": "true",
"Computer": [
{
"VersionDirectory": "1",
"VersionSysvol": "1",
"Enabled": "true",
"ExtensionDatas": [
{
"Extension": [
{
"KeyName": "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\AuditReceivingNTLMTraffic",
"SettingNumber": "2",
"Display": {
"Name": "Network security: Restrict NTLM: Audit Incoming NTLM Traffic",
"Units": null,
"DisplayString": "Enable auditing for all accounts"
}
},
{
"KeyName": "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\RestrictSendingNTLMTraffic",
"SettingNumber": "1",
"Display": {
"Name": "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers",
"Units": null,
"DisplayString": "Audit all"
}
},
{
"KeyName": "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\SCENoApplyLegacyAuditPolicy",
"SettingNumber": "1",
"Display": {
"Name": "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings",
"Units": null,
"DisplayBoolean": "true"
}
},
{
"KeyName": "MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\AuditNTLMInDomain",
"SettingNumber": "7",
"Display": {
"Name": "Network security: Restrict NTLM: Audit NTLM authentication in this domain",
"Units": null,
"DisplayString": "Enable all"
}
}
],
"Name": "Security"
},
{
"Extension": {},
"Name": "Windows Registry"
},
{
"Extension": [
{
"Name": "Include command line in process creation events",
"State": "Enabled",
"Explain": "\n\t\t\t\t\t\t\tThis policy setting determines what information is logged in security audit events when a new process has been created.\n\n\t\t\t\t\t\t\tThis setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, \"a new process has been created,\" on the workstations and servers on which this policy setting is applied.\n\n\t\t\t\t\t\t\tIf you disable or do not configure this policy setting, the process's command line information will not be included in Audit Process Creation events.\n\n\t\t\t\t\t\t\tDefault: Not configured\n\n\t\t\t\t\t\t\tNote: When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information such as passwords or user data.\n\t\t\t\t\t\t",
"Supported": "At least Windows Server 2012 R2, Windows 8.1 or Windows RT 8.1",
"Category": "System/Audit Process Creation"
},
{
"Name": "Specify the maximum log file size (KB)",
"State": "Enabled",
"Explain": "\n\t\t\t\t\t\t\tThis policy setting specifies the maximum size of the log file in kilobytes.\n\n\t\t\t\t\t\t\tIf you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.\n\n\t\t\t\t\t\t\tIf you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.\n\t\t\t\t\t\t",
"Supported": "At least Windows Vista",
"Category": "Windows Components/Event Log Service/Application",
"Numeric": {
"Name": "Maximum Log Size (KB)",
"State": "Enabled",
"Value": "102400"
}
},
{
"Name": "Specify the maximum log file size (KB)",
"State": "Enabled",
"Explain": "\n\t\t\t\t\t\t\tThis policy setting specifies the maximum size of the log file in kilobytes.\n\n\t\t\t\t\t\t\tIf you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.\n\n\t\t\t\t\t\t\tIf you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.\n\t\t\t\t\t\t",
"Supported": "At least Windows Vista",
"Category": "Windows Components/Event Log Service/Security",
"Numeric": {
"Name": "Maximum Log Size (KB)",
"State": "Enabled",
"Value": "4194304"
}
},
{
"Name": "Specify the maximum log file size (KB)",
"State": "Enabled",
"Explain": "\n\t\t\t\t\t\t\tThis policy setting specifies the maximum size of the log file in kilobytes.\n\n\t\t\t\t\t\t\tIf you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.\n\n\t\t\t\t\t\t\tIf you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.\n\t\t\t\t\t\t",
"Supported": "At least Windows Vista",
"Category": "Windows Components/Event Log Service/System",
"Numeric": {
"Name": "Maximum Log Size (KB)",
"State": "Enabled",
"Value": "102400"
}
},
{
"Name": "Allow Remote Shell Access",
"State": "Enabled",
"Explain": "\n\t\t\t\t\t\t\tThis policy setting configures access to remote shells.\n\n\t\t\t\t\t\t\tIf you enable or do not configure this policy setting, new remote shell connections are accepted by the server.\n\n\t\t\t\t\t\t\tIf you set this policy to ‘disabled’, new remote shell connections are rejected by the server.\n\t\t\t\t\t\t",
"Supported": "At least Windows Vista",
"Category": "Windows Components/Windows Remote Shell"
}
],
"Name": "Registry"
}
]
}
],
"User": [
{
"VersionDirectory": "1",
"VersionSysvol": "1",
"Enabled": "false"
}
],
"LinksTo": [
{
"SOMName": "Domain Controllers",
"SOMPath": "sos.labs/Domain Controllers",
"Enabled": "true",
"NoOverride": "true"
}
]
},
{
"Identifier": [
{
"Identifier": "{F3768285-65F2-4483-9050-0ED8E69A2ECB}",
"Domain": "sos.labs"
}
],
"Name": "LAPS",
"IncludeComments": "true",
"CreatedTime": "2018-03-18T06:37:07",
"ModifiedTime": "2018-03-18T06:48:08",
"ReadTime": "2018-08-28T12:35:46.7997905Z",
"SecurityDescriptor": [
{
"SDDL": "O:DAG:DAD:PAI(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-2872888145-3513486857-3924934394-519)(A;CI;LCRPLORC;;;ED)(A;CI;LCRPLORC;;;AU)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)",
"Owner": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-512",
"Name": "sos\\Domain Admins"
},
"Group": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-512",
"Name": "sos\\Domain Admins"
},
"PermissionsPresent": "true",
"Permissions": [
{
"#text": "false"
},
{
"Trustee": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-519",
"Name": "sos\\Enterprise Admins"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Edit, delete, modify security"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-9",
"Name": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Read"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-18",
"Name": "NT AUTHORITY\\SYSTEM"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Edit, delete, modify security"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-512",
"Name": "sos\\Domain Admins"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Edit, delete, modify security"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-11",
"Name": "NT AUTHORITY\\Authenticated Users"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Apply Group Policy"
},
"AccessMask": "0"
}
],
"AuditingPresent": "false"
}
],
"FilterDataAvailable": "true",
"Computer": [
{
"VersionDirectory": "18",
"VersionSysvol": "18",
"Enabled": "true",
"ExtensionDatas": [
{
"Extension": [
{},
{}
],
"Name": "Software Installation"
},
{
"Extension": {},
"Name": "Name Resolution Policy"
},
{
"Extension": [
{
"Name": "Do not allow password expiration time longer than required by policy",
"State": "Enabled",
"Explain": "\n\t\t\t\t\t\t\tWhen you enable this setting, planned password expiration longer than password age dictated by \"Password Settings\" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy.\n\n\t\t\t\t\t\t\tWhen you disable or not configure this setting, password expiration time may be longer than required by \"Password Settings\" policy.\n\t\t\t\t\t\t",
"Supported": "At least Microsoft Windows Vista or Windows Server 2003 family",
"Category": "LAPS"
},
{
"Name": "Enable local admin password management",
"State": "Enabled",
"Explain": "\n\t\t\t\t\t\t\tEnables management of password for local administrator account\n\n\t\t\t\t\t\t\tIf you enable this setting, local administrator password is managed\n\n\t\t\t\t\t\t\tIf you disable or not configure this setting, local administrator password is NOT managed\n\t\t\t\t\t\t",
"Supported": "At least Microsoft Windows Vista or Windows Server 2003 family",
"Category": "LAPS"
},
{
"Name": "Name of administrator account to manage",
"State": "Enabled",
"Explain": "\n\t\t\t\t\t\t\tAdministrator account name: name of the local account you want to manage password for.\n\t\t\t\t\t\t\tDO NOT configure when you use built-in admin account. Built-in admin account is auto-detected by well-known SID, even when renamed\n\n\t\t\t\t\t\t\tDO configure when you use custom local admin account\n\t\t\t\t\t\t",
"Supported": "At least Microsoft Windows Vista or Windows Server 2003 family",
"Category": "LAPS",
"EditText": {
"Name": "Administrator account name",
"State": "Enabled",
"Value": "SOS"
}
},
{
"Name": "Password Settings",
"State": "Enabled",
"Explain": "\n\t\t\t\t\t\t\tConfigures password parameters\n\n\t\t\t\t\t\t\tPassword complexity: which characters are used when generating a new password\n\t\t\t\t\t\t\tDefault: Large letters + small letters + numbers + special characters\n\n\t\t\t\t\t\t\tPassword length\n\t\t\t\t\t\t\tMinimum: 8 characters\n\t\t\t\t\t\t\tMaximum: 64 characters\n\t\t\t\t\t\t\tDefault: 14 characters\n\n\t\t\t\t\t\t\tPassword age in days\n\t\t\t\t\t\t\tMinimum: 1 day\n\t\t\t\t\t\t\tMaximum: 365 days\n\t\t\t\t\t\t\tDefault: 30 days\n\t\t\t\t\t\t",
"Supported": "At least Microsoft Windows Vista or Windows Server 2003 family",
"Category": "LAPS",
"DropDownList": {
"Name": "Password Complexity",
"State": "Enabled",
"Value": {
"Name": "Large letters + small letters + numbers + specials"
}
},
"Numerics": [
{
"Name": "Password Length",
"State": "Enabled",
"Value": "14"
},
{
"Name": "Password Age (Days)",
"State": "Enabled",
"Value": "30"
}
]
}
],
"Name": "Registry"
}
]
}
],
"User": [
{
"VersionDirectory": "0",
"VersionSysvol": "0",
"Enabled": "true"
}
],
"LinksTo": [
{
"SOMName": "Workstations",
"SOMPath": "sos.labs/Workstations",
"Enabled": "true",
"NoOverride": "false"
}
]
},
{
"Identifier": [
{
"Identifier": "{F5017D73-D6EA-464A-8F2E-8C5E5DCE8B6C}",
"Domain": "sos.labs"
}
],
"Name": "Windows Event Forwarding Server",
"IncludeComments": "true",
"CreatedTime": "2018-07-11T08:34:21",
"ModifiedTime": "2018-07-11T12:16:13",
"ReadTime": "2018-08-28T12:35:46.8154164Z",
"SecurityDescriptor": [
{
"SDDL": "O:DAG:DAD:PAI(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;S-1-5-21-2872888145-3513486857-3924934394-519)(A;CI;LCRPLORC;;;ED)(A;CI;LCRPLORC;;;AU)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)",
"Owner": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-512",
"Name": "sos\\Domain Admins"
},
"Group": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-512",
"Name": "sos\\Domain Admins"
},
"PermissionsPresent": "true",
"Permissions": [
{
"#text": "false"
},
{
"Trustee": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-519",
"Name": "sos\\Enterprise Admins"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Edit, delete, modify security"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-9",
"Name": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Read"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-18",
"Name": "NT AUTHORITY\\SYSTEM"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Edit, delete, modify security"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-21-2872888145-3513486857-3924934394-512",
"Name": "sos\\Domain Admins"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Edit, delete, modify security"
},
"AccessMask": "0"
},
{
"Trustee": {
"SID": "S-1-5-11",
"Name": "NT AUTHORITY\\Authenticated Users"
},
"Type": {
"PermissionType": "Allow"
},
"Inherited": "false",
"Applicability": {
"ToSelf": "true",
"ToDescendantObjects": "false",
"ToDescendantContainers": "true",
"ToDirectDescendantsOnly": "false"
},
"Standard": {
"GPOGroupedAccessEnum": "Apply Group Policy"
},
"AccessMask": "0"
}
],
"AuditingPresent": "false"
}
],
"FilterDataAvailable": "true",
"Computer": [
{
"VersionDirectory": "3",
"VersionSysvol": "3",
"Enabled": "true",
"ExtensionData": {
"Extension": {
"Policy": {
"Name": "Configure target Subscription Manager",
"State": "Enabled",
"Explain": "\n\t\t\t\t\t\t\tThis policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager.\n\n\t\t\t\t\t\t\tIf you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics.\n\n\t\t\t\t\t\t\tUse the following syntax when using the HTTPS protocol:\n\t\t\t\t\t\t\tServer=https://<FQDN of the collector>:5986/wsman/SubscriptionManager/WEC,Refresh=<Refresh interval in seconds>,IssuerCA=<Thumb print of the client authentication certificate>. When using the HTTP protocol, use port 5985.\n\n\t\t\t\t\t\t\tIf you disable or do not configure this policy setting, the Event Collector computer will not be specified.\n\t\t\t\t\t\t",
"Supported": "At least Windows Vista",
"Category": "Windows Components/Event Forwarding",
"ListBox": {
"Name": "SubscriptionManagers",
"State": "Enabled",
"ExplicitValue": "false",
"Additive": "false",
"ValuePrefix": null,
"Value": {
"Element": {
"Data": "Server=http://WEV.sos.labs:5985/wsman/SubscriptionManager/WEC,Refresh=60"
}
}
}
}
},
"Name": "Registry"
}
}
],
"User": [
{
"VersionDirectory": "1",
"VersionSysvol": "1",
"Enabled": "true"
}
],
"LinksTo": [
{
"SOMName": "Domain Controllers",
"SOMPath": "sos.labs/Domain Controllers",
"Enabled": "true",
"NoOverride": "true"
}
]
}
]
