Introduction to Local Security Policy on Windows Server 2022
Local Security Policy is a comprehensive set of security configuration options built into every Windows Server installation. On Windows Server 2022, it is managed through the Local Security Policy editor (secpol.msc), which provides a graphical interface for configuring everything from password complexity requirements to audit policies and user rights assignments. For domain-joined servers, these settings are typically deployed and overridden by Group Policy Objects, but understanding the underlying policy categories is essential for designing a secure configuration baseline and for managing standalone servers that are not joined to a domain.
Opening and Navigating the Local Security Policy Editor
Open the Local Security Policy editor on Windows Server 2022:
secpol.msc
The policy is organized into the following top-level nodes:
- Account Policies — Password Policy, Account Lockout Policy, Kerberos Policy
- Local Policies — Audit Policy, User Rights Assignment, Security Options
- Windows Firewall with Advanced Security — Firewall rules and connection security rules
- Network List Manager Policies — Network location types
- Public Key Policies — Certificate trust and EFS settings
- Software Restriction Policies — Path, hash, and certificate-based software restrictions
- Application Control Policies (AppLocker) — Rule-based application whitelisting
- IP Security Policies on Local Computer — Legacy IPsec policy settings
- Advanced Audit Policy Configuration — Granular per-subcategory audit settings
Account Policies — Password Policy
The Password Policy controls the complexity, length, age, and history requirements for local accounts (and domain accounts when configured in the Default Domain Policy GPO).
Key settings and recommended values for Windows Server 2022:
- Enforce password history: 24 passwords remembered — prevents users from cycling back to previously used passwords.
- Maximum password age: 60–90 days for standard accounts. For service accounts and privileged accounts managed by LAPS, set to 0 (no expiration, managed programmatically).
- Minimum password age: 1 day — prevents users from immediately changing back to their old password to circumvent history.
- Minimum password length: 14 characters (NIST SP 800-63B recommends length over complexity).
- Password must meet complexity requirements: Enabled — requires characters from at least three of the categories uppercase, lowercase, digit, and special character.
- Store passwords using reversible encryption: Disabled — this stores passwords in a recoverable form and must never be enabled.
Configure the local policy from the command line (net accounts runs from both cmd.exe and PowerShell):
net accounts /minpwlen:14 /maxpwage:90 /minpwage:1 /uniquepw:24
Account Policies — Account Lockout Policy
Account Lockout Policy prevents brute-force attacks by locking accounts after a configured number of failed login attempts.
- Account lockout threshold: 5–10 invalid logon attempts before lockout. Setting this too low causes excessive lockouts from mistyped passwords; setting it too high allows brute-force attacks.
- Account lockout duration: 15–30 minutes, or 0 for lockout until an administrator manually unlocks the account. Using 0 provides better security but increases help desk load.
- Reset account lockout counter after: 15 minutes — the failed attempt counter resets after this period, mitigating slow brute-force attacks that stay under the threshold.
Check current lockout policy on a domain controller:
Get-ADDefaultDomainPasswordPolicy
Fine-grained password policies (PSOs) in Active Directory allow different password and lockout policies for different user groups, which is particularly useful for applying stricter settings to privileged accounts:
New-ADFineGrainedPasswordPolicy `
-Name "Privileged-Accounts-PSO" `
-Precedence 10 `
-MinPasswordLength 20 `
-PasswordHistoryCount 24 `
-LockoutThreshold 3 `
-LockoutDuration "00:30:00" `
-LockoutObservationWindow "00:30:00" `
-ComplexityEnabled $true `
-ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject `
-Identity "Privileged-Accounts-PSO" `
-Subjects "Domain Admins"
Account Policies — Kerberos Policy
Kerberos Policy is only effective in the Default Domain Policy GPO on domain controllers. The settings control Kerberos ticket lifetimes and tolerances. The defaults are appropriate for most environments:
- Enforce user logon restrictions: Enabled — validates every session ticket request against the user rights on the target server.
- Maximum lifetime for service ticket: 600 minutes (10 hours)
- Maximum lifetime for user ticket: 10 hours
- Maximum lifetime for user ticket renewal: 7 days
- Maximum tolerance for computer clock synchronization: 5 minutes — if the time difference between client and DC exceeds 5 minutes, Kerberos authentication will fail. Ensure time synchronization is configured via NTP.
Local Policies — Audit Policy
Audit Policy determines which security events are written to the Windows Security event log. Windows Server 2022 supports both basic Audit Policy (under Local Policies) and the more granular Advanced Audit Policy Configuration (under the Advanced Audit Policy Configuration node). Always use Advanced Audit Policy — it provides per-subcategory control and overrides the basic settings.
Key subcategories and recommended settings:
# Configure advanced audit policy via auditpol.exe
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /set /subcategory:"Account Lockout" /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
# View current audit policy
auditpol /get /category:*
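The following script is an added example and not part of the original article: it checks the effective advanced audit policy of the local server against the recommended subcategory settings listed above by parsing the CSV that auditpol /get /r emits. The $Desired baseline table and the non-zero exit code on drift are assumptions; run it from an elevated PowerShell session.

```powershell
# Added example: verify the advanced audit policy against a recommended baseline.
# Requires an elevated PowerShell session (auditpol.exe needs admin rights).

# Desired settings keyed by auditpol subcategory name. This is an assumed
# baseline that mirrors the auditpol /set lines in this section.
$Desired = @{
    'Logon'                     = 'Success and Failure'
    'Logoff'                    = 'Success'
    'Account Lockout'           = 'Failure'
    'Special Logon'             = 'Success'
    'Credential Validation'     = 'Success and Failure'
    'Security Group Management' = 'Success'
    'User Account Management'   = 'Success and Failure'
    'Audit Policy Change'       = 'Success and Failure'
    'Sensitive Privilege Use'   = 'Success and Failure'
    'Process Creation'          = 'Success'
    'Removable Storage'         = 'Success and Failure'
}

function Get-EffectiveAuditPolicy {
    # auditpol /r emits CSV with the columns: Machine Name, Policy Target,
    # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
    # Blank leading lines are dropped so ConvertFrom-Csv sees the header first.
    auditpol /get /category:* /r |
        Where-Object { $_.Trim() -ne '' } |
        ConvertFrom-Csv
}

function Test-AuditSetting {
    param([string]$Effective, [string]$Required)
    # "Success and Failure" also satisfies a requirement for either half alone.
    switch ($Required) {
        'Success and Failure' { return ($Effective -eq 'Success and Failure') }
        'Success'             { return ($Effective -in 'Success', 'Success and Failure') }
        'Failure'             { return ($Effective -in 'Failure', 'Success and Failure') }
        default               { return $false }
    }
}

function Compare-AuditPolicy {
    param([Parameter(Mandatory)][hashtable]$Baseline)
    $current = Get-EffectiveAuditPolicy
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $row = $current | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $effective = if ($row) { $row.'Inclusion Setting' } else { '<subcategory not found>' }
        [pscustomobject]@{
            Subcategory = $name
            Required    = $Baseline[$name]
            Effective   = $effective
            Compliant   = Test-AuditSetting -Effective $effective -Required $Baseline[$name]
        }
    }
}

$report = Compare-AuditPolicy -Baseline $Desired
$report | Format-Table -AutoSize

# Exit non-zero when anything drifted so a scheduled task or monitoring agent can alert.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

The comparison is deliberately one-directional: a subcategory set to "Success and Failure" is reported as compliant when only "Success" is required, while "No Auditing" or a missing subcategory is always flagged.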
Local Policies — User Rights Assignment
User Rights Assignment controls which users and groups have specific operating system-level privileges. These are distinct from NTFS permissions — they control system-level capabilities rather than file access.
Critical settings to harden on Windows Server 2022:
- Access this computer from the network: Remove Everyone; keep Administrators and specific service accounts.
- Allow log on locally: Limit to Administrators on servers. Remove Users and Remote Desktop Users from servers that do not need interactive logons.
- Allow log on through Remote Desktop Services: Limit to specific administrative groups.
- Act as part of the operating system: Should be empty — any account here can impersonate any security context.
- Debug programs: Remove from all accounts including Administrators on production servers.
- Deny log on locally: Add Guests, Anonymous Logon.
- Deny log on through Remote Desktop Services: Add Domain Admins (force use of PAW instead of direct RDP to domain controllers).
- Back up files and directories / Restore files and directories: Limit to dedicated backup service accounts.
- Shut down the system: Limit to Administrators.
Configure User Rights Assignment via Group Policy (applies to domain-joined servers) or through secpol.msc for standalone servers. Use secedit to script the configuration.
Local Policies — Security Options
Security Options contains a large number of individual security configuration settings. The most important ones for Windows Server 2022 hardening include:
Accounts: Administrator account status = Disabled (rename and disable the built-in)
Accounts: Guest account status = Disabled
Accounts: Rename administrator account = [custom name]
Accounts: Rename guest account = [custom name]
Interactive logon: Do not display last user name = Enabled
Interactive logon: Message text for users attempting to log on = [legal banner]
Interactive logon: Number of previous logons to cache = 0 (or 1 for laptop/field devices)
Interactive logon: Require Domain Controller authentication to unlock workstation = Enabled
Network access: Do not allow anonymous enumeration of SAM accounts = Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares = Enabled
Network access: Let Everyone permissions apply to anonymous users = Disabled
Network access: Restrict anonymous access to Named Pipes and Shares = Enabled
Network security: LAN Manager authentication level = Send NTLMv2 response only. Refuse LM and NTLM
Network security: Minimum session security for NTLM SSP:
Require NTLMv2 session security = Enabled
Require 128-bit encryption = Enabled
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing = Enabled (in high-security environments)
User Account Control: Admin Approval Mode for the Built-in Administrator = Enabled
User Account Control: Behavior of the elevation prompt for administrators = Prompt for credentials
User Account Control: Run all administrators in Admin Approval Mode = Enabled
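As an added example that is not part of the original article, the script below reads the registry values that back several of the Security Options above and compares them with the hardened values. The registry locations are the standard ones for these options (the template later in the article shows the same Lsa path for LmCompatibilityLevel and NoLMHash); which options are included and the expected values are assumptions drawn from the list above.

```powershell
# Added example: check Security Options through the registry values that store them.
# Reading HKLM works as a standard user; an elevated session is only needed to change them.

$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# secpol.msc setting name -> registry value and expected DWORD (assumed baseline).
# 0x20080000 = "Require NTLMv2 session security" + "Require 128-bit encryption".
$Checks = @(
    @{ Setting = 'LAN Manager authentication level (NTLMv2 only, refuse LM and NTLM)'; Path = $Lsa;    Name = 'LmCompatibilityLevel';       Expected = 5 }
    @{ Setting = 'Do not store LAN Manager hash value on next password change';       Path = $Lsa;    Name = 'NoLMHash';                  Expected = 1 }
    @{ Setting = 'Do not allow anonymous enumeration of SAM accounts';                 Path = $Lsa;    Name = 'RestrictAnonymousSAM';      Expected = 1 }
    @{ Setting = 'Do not allow anonymous enumeration of SAM accounts and shares';      Path = $Lsa;    Name = 'RestrictAnonymous';         Expected = 1 }
    @{ Setting = 'Let Everyone permissions apply to anonymous users';                  Path = $Lsa;    Name = 'EveryoneIncludesAnonymous'; Expected = 0 }
    @{ Setting = 'Minimum session security for NTLM SSP based clients';                Path = $Msv;    Name = 'NTLMMinClientSec';          Expected = 0x20080000 }
    @{ Setting = 'Minimum session security for NTLM SSP based servers';                Path = $Msv;    Name = 'NTLMMinServerSec';          Expected = 0x20080000 }
    @{ Setting = 'Interactive logon: Do not display last user name';                   Path = $Policy; Name = 'DontDisplayLastUserName';   Expected = 1 }
    @{ Setting = 'UAC: Admin Approval Mode for the Built-in Administrator';            Path = $Policy; Name = 'FilterAdministratorToken';  Expected = 1 }
    @{ Setting = 'UAC: Run all administrators in Admin Approval Mode';                 Path = $Policy; Name = 'EnableLUA';                 Expected = 1 }
)

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # $null means the value (or its key) is absent, which secpol.msc shows as "Not Defined".
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int64]$item.$Name
    } catch {
        return $null
    }
}

function Test-SecurityOptions {
    param([Parameter(Mandatory)][object[]]$Checks)
    foreach ($c in $Checks) {
        $actual = Get-RegistryDword -Path $c.Path -Name $c.Name
        $actualText = if ($null -eq $actual) { 'Not Defined' } else { '0x{0:X}' -f $actual }
        [pscustomobject]@{
            Setting   = $c.Setting
            Value     = $c.Name
            Expected  = '0x{0:X}' -f [int64]$c.Expected
            Actual    = $actualText
            Compliant = ($actual -eq [int64]$c.Expected)
        }
    }
}

Test-SecurityOptions -Checks $Checks | Format-Table -AutoSize -Wrap
```

A "Not Defined" result is not the same as a secure default: for LmCompatibilityLevel, for instance, an absent value means the operating-system default applies, so the check treats any absent value as non-compliant with the explicit baseline.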
Security Templates (.inf Files)
Security Templates are text files with a .inf extension that define a complete security configuration baseline. They contain settings for account policies, audit policies, user rights, security options, registry values, file system permissions, and service configurations. Security Templates allow you to version-control your security configuration and apply it consistently across multiple servers.
Windows Server 2022 includes predefined security templates in C:\Windows\inf, but the recommended source for current baseline templates is the Microsoft Security Compliance Toolkit (SCT), which provides tested, documented security baselines for Windows Server 2022.
A simplified example of a security template excerpt:
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 15
LockoutDuration = 30
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546,*S-1-5-7
SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-7
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
secedit.exe — Applying, Analyzing, and Exporting Security Templates
The secedit.exe command-line tool is used to apply security templates to a system, analyze the current configuration against a template, export the current configuration to a template, and validate template syntax.
Export the current security configuration to a template file:
secedit /export /cfg C:\Baselines\current-config.inf /areas SECURITYPOLICY USER_RIGHTS REGKEYS
Apply a security template to the local system:
secedit /configure /db C:\Baselines\secedit.sdb /cfg C:\Baselines\server-baseline.inf /log C:\Logs\secedit-apply.log /verbose
Analyze the current configuration against a desired baseline template:
secedit /analyze /db C:\Baselines\secedit.sdb /cfg C:\Baselines\server-baseline.inf /log C:\Logs\secedit-analyze.log
After the analysis completes, open the Security Configuration and Analysis snap-in (it is not part of secpol.msc; start mmc.exe and add the snap-in) and open the same database to view a graphical comparison showing which settings match, which differ, and which are not defined.
Validate a template file for syntax errors before applying it:
secedit /validate C:\Baselines\server-baseline.inf
The /areas parameter accepts the following values that can be combined with spaces:
- SECURITYPOLICY — Account policies, audit policies, and security options
- USER_RIGHTS — User Rights Assignment
- REGKEYS — Registry key security permissions
- FILESTORE — File system permissions (slow — avoid on large volumes)
- SERVICES — Windows services configuration
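The script below is an added example, not code from the original article: it exports the effective local policy with secedit, parses the resulting .inf, and diffs its [System Access] and [Privilege Rights] sections against a baseline template such as the excerpt shown earlier, which gives a scripted version of the check that the Security Configuration and Analysis snap-in performs and covers both the Account Policies and the User Rights Assignment sections. The baseline path, the export location and the choice of sections are assumptions.

```powershell
# Added example: scripted drift check of the local security policy against a baseline .inf.
# Requires an elevated PowerShell session for the secedit export.

function Read-SecurityTemplate {
    param([Parameter(Mandatory)][string]$Path)
    # Minimal .inf/.ini parser returning @{ Section = @{ Key = Value } }.
    # secedit writes UTF-16LE with a BOM, which Get-Content detects on its own.
    $sections = @{}
    $current  = $null
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            if (-not $sections.ContainsKey($current)) { $sections[$current] = @{} }
            continue
        }
        if ($current -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $sections[$current][$Matches[1]] = $Matches[2]
        }
    }
    return $sections
}

function ConvertTo-SortedHolderList {
    param([string]$Value)
    # Privilege values are comma-separated SIDs or names; order must not matter.
    (($Value -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object) -join ','
}

function Compare-SecurityTemplate {
    param(
        [Parameter(Mandatory)][hashtable]$Baseline,
        [Parameter(Mandatory)][hashtable]$Current,
        [string[]]$Sections = @('System Access', 'Privilege Rights')
    )
    foreach ($section in $Sections) {
        if (-not $Baseline.ContainsKey($section)) { continue }
        foreach ($key in ($Baseline[$section].Keys | Sort-Object)) {
            $want = $Baseline[$section][$key]
            # A right that is absent from the export is held by nobody, which is
            # exactly what the baseline wants for e.g. SeTcbPrivilege.
            $have = if ($Current.ContainsKey($section) -and $Current[$section].ContainsKey($key)) {
                        $Current[$section][$key]
                    } else { '<not defined>' }
            if ($section -eq 'Privilege Rights') {
                $want = ConvertTo-SortedHolderList $want
                if ($have -ne '<not defined>') { $have = ConvertTo-SortedHolderList $have }
            }
            [pscustomobject]@{
                Section  = $section
                Setting  = $key
                Baseline = $want
                Current  = $have
                Match    = ($want -eq $have)
            }
        }
    }
}

# --- usage (paths are assumptions) -----------------------------------------
$baselinePath = 'C:\Baselines\server-baseline.inf'
$exportPath   = Join-Path $env:TEMP 'current-config.inf'

# Export only the areas the comparison reads.
secedit /export /cfg $exportPath /areas SECURITYPOLICY USER_RIGHTS | Out-Null

$result = Compare-SecurityTemplate -Baseline (Read-SecurityTemplate -Path $baselinePath) `
                                   -Current  (Read-SecurityTemplate -Path $exportPath)
$result | Format-Table -AutoSize
$result | Where-Object { -not $_.Match } |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'policy-drift.csv')
```

The export lists privilege holders as SIDs prefixed with an asterisk (as the template excerpt above does), so a baseline that names groups by display name instead will show as drift until its [Privilege Rights] entries are written with SIDs.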
Applying a Security Template to an OU via GPO
Security templates can be applied to multiple systems at scale by importing them into a Group Policy Object’s Security Settings. This is done through the Security Configuration and Analysis snap-in or directly in the Group Policy Management Editor.
In the Group Policy Management Editor for the target GPO:
Computer Configuration > Windows Settings > Security Settings
Right-click Security Settings > Import Policy
Browse to your .inf template file
Select and import
The imported template settings merge into the GPO’s security settings. You can then link the GPO to the appropriate OU and the settings will be applied to all member servers in that OU during Group Policy refresh (every 90 minutes by default, plus a random offset of up to 30 minutes).
Force immediate Group Policy refresh on a remote server:
Invoke-GPUpdate -Computer "Server01" -Force
Verify that the policy was applied:
gpresult /r /scope computer
Comparing Current State with Desired State
Regular compliance verification ensures that servers have not drifted from the desired security configuration. The Security Configuration and Analysis tool provides a point-in-time comparison. For ongoing continuous compliance monitoring, consider using:
- Microsoft Desired State Configuration (DSC): Declarative configuration management that continuously enforces a desired state. The SecurityPolicyCmdlets and AuditPolicyDSC modules provide DSC resources for security policy settings.
- CIS-CAT Assessor: Free tool from the Center for Internet Security that evaluates Windows Server against CIS Benchmarks and generates HTML/CSV compliance reports.
- Microsoft Security Compliance Toolkit: Includes the Policy Analyzer tool that compares multiple GPO backups side-by-side and highlights differences.
Export current GPO-applied settings for comparison with PowerShell:
# Get applied GPOs and their settings
Get-GPResultantSetOfPolicy -ReportType XML -Path C:\Reports\rsop.xml
# Or use rsop.msc for a graphical view
rsop.msc
To detect unauthorized changes to security policy settings, enable auditing of policy changes:
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authorization Policy Change" /success:enable
Event ID 4739 (Domain Policy was changed) and Event ID 4719 (System audit policy was changed) will be generated whenever security policy is modified, providing an audit trail of policy changes.
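As an added example that is not part of the original article, the function below collects the 4719 and 4739 events described above from the Security log and flattens their EventData so that the account that made the change (the Subject fields) and what changed are visible in one table. The 24-hour window and the field names pulled into the Detail column are assumptions about the event schema; the query works locally or against a remote server over the event log RPC interface.

```powershell
# Added example: surface security policy change events (4719, 4739) with who changed what.
# Reading the Security log requires membership in Event Log Readers or Administrators.

function Get-PolicyChangeEvents {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4719, 4739
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent writes an error when nothing matches; an empty result is not a failure here.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($event in $events) {
        # EventData holds name/value pairs; the XML view is the reliable way to read them by name.
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 4719 reports the audit subcategory and the change made to it (the %%-coded
        # values resolve to e.g. "Success Added" in the rendered message); 4739 reports
        # which part of the domain policy (password, lockout, Kerberos) changed.
        $detail = if ($event.Id -eq 4719) {
            'Subcategory {0}: changes {1}' -f $data['SubcategoryGuid'], $data['AuditPolicyChanges']
        } else {
            'Domain {0}: {1}' -f $data['DomainName'], $data['DomainPolicyChanged']
        }

        [pscustomobject]@{
            TimeCreated    = $event.TimeCreated
            EventId        = $event.Id
            Computer       = $event.MachineName
            Subject        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            SubjectLogonId = $data['SubjectLogonId']
            Detail         = $detail
            Message        = ($event.Message -split "`r?`n")[0]
        }
    }
}

Get-PolicyChangeEvents -Hours 24 | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

Policy pushed by Group Policy refresh also produces these events, with the computer account or SYSTEM as the subject; a 4719 whose subject is an interactive user account on a server that receives its audit policy from a GPO is the case worth reviewing.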
Summary
Windows Server 2022’s Local Security Policy and Security Templates system provides a rich, scriptable framework for defining and enforcing server security configurations. Using secpol.msc for interactive configuration, secedit.exe for scripted application and analysis, and Group Policy for domain-wide deployment, administrators can maintain consistent security baselines across all servers. Combining security templates with regular compliance analysis — either through Security Configuration and Analysis, DSC, or third-party tools — ensures that servers remain in the desired security state and that any drift is quickly detected and remediated.