As Figure 4 shows, Group Policy for Windows 8 and Windows Server 2012 includes numerous types of security settings. Most of these policies are per-machine settings found under Computer Configuration\Policies\Windows Settings\Security Settings in the Group Policy Management Editor, but two types of policies are also found under User Configuration\Policies\Windows Settings\Security Settings.
The following sections briefly discuss some of these categories of security settings, including:
User Rights Assignment
Security Options
User Account Control
Audit Policy
Advanced Audit Policy Configuration
AppLocker
Software Restriction Policies
Windows Firewall
User Rights Assignment settings are found under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment, and you can use them to control the user rights assigned to users or security groups for computers targeted by the GPO. You can use these policies to specify users and security groups who should have rights to perform different kinds of tasks affecting the security of your Windows clients and servers. For example, you can control who can:
Access computers from the network
Log on locally
Shut down the system
You can also specify who should have rights to perform critical administrative tasks, such as backing up and restoring files and directories, taking ownership of files and objects, and forcing the shutdown from a remote computer.
User Rights Assignment settings for Windows 8 and Windows Server 2012 are unchanged from those in Windows 7 and Windows Server 2008 R2.
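To verify what the User Rights Assignment policies actually produced on a targeted computer, you can export the effective rights with secedit /export /cfg rights.inf /areas USER_RIGHTS and compare the holders of the critical rights named above against a baseline. The following PowerShell is an added example, not part of the original text; the function name Get-UnexpectedRightHolder, the baseline table, and the sample export are assumptions constructed for illustration.

```powershell
# Constructed sample of the [Privilege Rights] section written by
# 'secedit /export /cfg rights.inf /areas USER_RIGHTS' (not real output).
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeInteractiveLogonRight = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeTakeOwnershipPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
'@

# Assumed baseline: SIDs allowed to hold each critical right. Adjust to your policy.
$baseline = @{
    SeBackupPrivilege         = @('S-1-5-32-544', 'S-1-5-32-551')  # Administrators, Backup Operators
    SeRestorePrivilege        = @('S-1-5-32-544', 'S-1-5-32-551')
    SeTakeOwnershipPrivilege  = @('S-1-5-32-544')                  # Administrators
    SeRemoteShutdownPrivilege = @('S-1-5-32-544')
}

# Hypothetical helper: emits one object per holder that is not in the baseline.
function Get-UnexpectedRightHolder {
    param([string]$InfText, [hashtable]$Baseline)
    $inSection = $false
    foreach ($line in $InfText -split "`r?`n") {
        $line = $line.Trim()
        # Track which INF section we are in; only [Privilege Rights] matters here.
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^(\w+)\s*=\s*(.*)$') {
            $right   = $Matches[1]
            $holders = $Matches[2]
            if (-not $Baseline.ContainsKey($right)) { continue }  # right not covered by baseline
            foreach ($h in $holders -split ',') {
                # SIDs are exported with a leading '*'; unresolved names appear without it.
                $id = $h.Trim().TrimStart('*')
                if ($id -and $Baseline[$right] -notcontains $id) {
                    [pscustomobject]@{ Right = $right; UnexpectedHolder = $id }
                }
            }
        }
    }
}

Get-UnexpectedRightHolder -InfText $sampleInf -Baseline $baseline | Format-Table -AutoSize
```

To check a real export, pass the file contents instead of the sample, for example -InfText (Get-Content rights.inf -Raw).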
Security Options settings are found under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options, and you can use them to control a wide variety of security options for computers targeted by the GPO. For example, you can:
Force users to log off when their logon hours expire
Disable Ctrl+Alt+Del for logon to force smartcard logon
Force computers to halt when auditing cannot be performed on them
Windows 8 and Windows Server 2012 include four new policies in this category:
Accounts: Block Microsoft accounts. This policy prevents users from adding new Microsoft accounts on this computer.
Interactive logon: Machine account threshold. The computer lockout policy is enforced only on computers that have BitLocker enabled for protecting operating system volumes. You should ensure that appropriate recovery password backup policies are enabled.
Interactive logon: Machine inactivity limit. Windows notices the inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, the screen saver will run, locking the session.
Microsoft network server: Attempt S4U2Self to obtain claim information. This security setting is used to support clients running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-For-User-To-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain.