How to Configure Local Security Policy on Windows Server 2012 R2

The Local Security Policy on Windows Server 2012 R2 is the foundation of standalone server security configuration. It governs password policies, account lockout thresholds, audit settings, user rights assignments and security options, all without requiring Active Directory or Group Policy infrastructure. It still matters in domain environments: it is the entire policy for workgroup servers, it is where Tier 0 systems with requirements beyond the domain baseline are tightened, and any setting that no domain GPO defines keeps its local value, so a weak local baseline is what a server falls back to when a GPO stops applying. This tutorial walks through every major section of Local Security Policy and provides recommended values for a hardened server configuration.

Prerequisites

  • Local Administrator access to the Windows Server 2012 R2 system
  • Understanding that, on domain-joined machines, a setting defined in domain Group Policy overrides the local value, while settings no GPO defines keep their local values
  • The secpol.msc console or secedit command-line utility

Step 1: Open Local Security Policy

Launch the Local Security Policy console with administrator privileges:

secpol.msc

Alternatively, open it through Server Manager → Tools → Local Security Policy. For command-line configuration use secedit (export, analyze, configure), as shown in the following steps; for scripted deployment of whole local policy backups, Microsoft's LGPO.exe from the Security Compliance Toolkit imports and exports them. Windows ships no PowerShell module for local security policy, so PowerShell scripts wrap secedit, auditpol and the registry directly.

Step 2: Configure Account Policies – Password Policy

Navigate to Account Policies → Password Policy in secpol.msc. Apply the following settings:

# Account policies live in the SAM/LSA database, not in ordinary registry
# values, so there is nothing to set with reg.exe or Set-ItemProperty.
# Use secedit: export the current policy to an INF template, edit it, reimport.

# Export the current policy to a template
# (SECURITYPOLICY covers account policies and security options)
mkdir C:\SecurityConfig
secedit /export /cfg C:\SecurityConfig\LocalPolicy.inf /areas SECURITYPOLICY

# Edit LocalPolicy.inf in a text editor, then apply it. Point /db at a new
# database file: /configure merges the template into whatever the database
# already holds, so reusing an old .sdb can carry stale settings along.
secedit /configure /cfg C:\SecurityConfig\LocalPolicy.inf /db C:\SecurityConfig\LocalPolicy.sdb /areas SECURITYPOLICY /log C:\SecurityConfig\LocalPolicy.log

Recommended password policy values for the [System Access] section of the INF template (keep the [Unicode] and [Version] header lines that the export produces; secedit expects them in any template it applies):

[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
ClearTextPassword = 0
RequireLogonToChangePassword = 0

Step 3: Configure Account Policies – Account Lockout Policy

Navigate to Account Policies → Account Lockout Policy:

[System Access]
LockoutBadCount = 5
ResetLockoutCount = 15
LockoutDuration = 30

In the secpol.msc GUI an account lockout duration of 0 means the account stays locked until an administrator unlocks it; templates exported by secedit write that setting as LockoutDuration = -1, so use -1 in the INF if you want that behaviour. An indefinite lockout does stop online brute forcing outright, but it also hands anyone who can reach a logon interface a way to lock accounts out at will, and password spraying is built to stay under the threshold anyway (one or two guesses per account, then a pause longer than ResetLockoutCount). A self-resetting duration of 15 to 30 minutes, as in the template above, is the usual compromise. Note also that on 2012 R2 the built-in Administrator account (RID 500) is never locked out, so renaming it and restricting where it may log on (Steps 4 and 5) matter more for that account than any threshold.
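The Step 2 and Step 3 round trip as one script, added here as an example; it is not code from the original tutorial. It assumes an elevated PowerShell prompt on the target server and uses C:\SecurityConfig as an assumed working directory; the $baseline table carries the values recommended above, with LockoutDuration set to 30 minutes.

```powershell
# Added example for Steps 2 and 3 (not code from the original tutorial).
# Exports the current account policy with secedit, rewrites the [System Access]
# values to the hardened baseline, applies the result to a fresh secedit
# database and confirms with 'net accounts'. Run from an elevated prompt.
# C:\SecurityConfig is an assumed working directory.

$work     = 'C:\SecurityConfig'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$current  = Join-Path $work 'current.inf'
$hardened = Join-Path $work 'account-policy.inf'
$db       = Join-Path $work 'account-policy.sdb'
$log      = Join-Path $work 'account-policy.log'

# Hardened [System Access] values. LockoutDuration -1 is how exported templates
# express "locked until an administrator unlocks it"; 30 self-resets after 30 min.
$baseline = [ordered]@{
    MinimumPasswordAge           = 1
    MaximumPasswordAge           = 60
    MinimumPasswordLength        = 14
    PasswordComplexity           = 1
    PasswordHistorySize          = 24
    ClearTextPassword            = 0
    RequireLogonToChangePassword = 0
    LockoutBadCount              = 5
    ResetLockoutCount            = 15
    LockoutDuration              = 30
}

# 1. Export what is in effect now; the export also supplies the [Unicode] and
#    [Version] header that secedit expects in any template it is asked to apply.
& secedit.exe /export /cfg $current /areas SECURITYPOLICY | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed (exit $LASTEXITCODE)" }

# 2. Replace baseline keys inside [System Access]; leave every other line alone.
$section = ''
$seen    = @{}
$out = @(foreach ($line in (Get-Content -Path $current)) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1] }
    if ($section -eq 'System Access' -and $line -match '^\s*(\w+)\s*=') {
        $key = $Matches[1]
        if ($baseline.Contains($key)) {
            $seen[$key] = $true
            '{0} = {1}' -f $key, $baseline[$key]
            continue
        }
    }
    $line
})

# Keys the export did not contain are inserted right after the section header.
$missing = @($baseline.Keys | Where-Object { -not $seen.ContainsKey($_) })
if ($missing.Count -gt 0) {
    $extra = @($missing | ForEach-Object { '{0} = {1}' -f $_, $baseline[$_] })
    $idx = 0
    while ($idx -lt $out.Count -and $out[$idx] -notmatch '^\[System Access\]') { $idx++ }
    if ($idx -ge $out.Count) { $out += '[System Access]'; $idx = $out.Count - 1 }
    $head = @($out[0..$idx])
    $tail = if ($idx -lt $out.Count - 1) { @($out[($idx + 1)..($out.Count - 1)]) } else { @() }
    $out  = $head + $extra + $tail
}

# 3. Write the template as UTF-16 (matching its [Unicode] header) and apply it
#    to a new database so nothing from an earlier run is merged back in.
Set-Content -Path $hardened -Value $out -Encoding Unicode
Remove-Item -Path $db -ErrorAction SilentlyContinue
& secedit.exe /configure /db $db /cfg $hardened /areas SECURITYPOLICY /log $log | Out-Null
if ($LASTEXITCODE -ne 0) { Get-Content $log; throw "secedit /configure failed (exit $LASTEXITCODE)" }

# 4. Confirm against what the system now enforces (net accounts reads the SAM).
net accounts
```

On a domain-joined server this changes only the local SAM's policy; domain accounts keep following the domain's password and lockout policy, which is why the final `net accounts` is the right check for local accounts specifically.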

Step 4: Configure Local Policies – User Rights Assignment

Navigate to Local Policies → User Rights Assignment. These settings control which accounts or groups can perform privileged operations. Key settings:

[Privilege Rights]
; Comment lines in secedit templates start with ';'. *S-1-5-32-544 is the
; built-in Administrators group, *S-1-5-32-546 the built-in Guests group.

; Allow log on locally - Administrators only (the member-server default also
; includes Users and Backup Operators)
SeInteractiveLogonRight = *S-1-5-32-544

; Allow log on through Remote Desktop Services - Administrators only
SeRemoteInteractiveLogonRight = *S-1-5-32-544

; Deny log on locally - the Guests group and the built-in Guest account
SeDenyInteractiveLogonRight = *S-1-5-32-546,Guest

; Deny access to this computer from the network - Guests. On member servers
; consider adding *S-1-5-113 (the "Local account" SID, supported on 2012 R2) so
; stolen local credentials cannot be replayed over the network.
SeDenyNetworkLogonRight = *S-1-5-32-546

; Act as part of the operating system - no one (an empty value clears the right)
SeTcbPrivilege =

; Load and unload device drivers - Administrators only
SeLoadDriverPrivilege = *S-1-5-32-544

; Manage auditing and security log - Administrators only
SeSecurityPrivilege = *S-1-5-32-544

; Shut down the system - Administrators only (removes Backup Operators)
SeShutdownPrivilege = *S-1-5-32-544

; Take ownership of files or other objects - Administrators only
SeTakeOwnershipPrivilege = *S-1-5-32-544
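A check for the rights above, added as an example and not taken from the tutorial: it exports the user rights in force with secedit, parses the [Privilege Rights] section, resolves the SIDs secedit writes, and reports every principal that holds one of the Step 4 rights beyond the baseline. The $expected table mirrors the template above and is an assumption to adjust for your own baseline; the script is read-only.

```powershell
# Added example (not part of the original tutorial): report principals holding
# a Step 4 right beyond the baseline. Read-only; needs an elevated prompt.

$inf = Join-Path $env:TEMP 'user-rights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed (exit $LASTEXITCODE)" }

# Right -> principals allowed to hold it, written the way secedit writes them
# ('*' followed by the SID). These mirror the [Privilege Rights] template above.
$expected = @{
    SeInteractiveLogonRight       = @('*S-1-5-32-544')
    SeRemoteInteractiveLogonRight = @('*S-1-5-32-544')
    SeTcbPrivilege                = @()
    SeLoadDriverPrivilege         = @('*S-1-5-32-544')
    SeSecurityPrivilege           = @('*S-1-5-32-544')
    SeShutdownPrivilege           = @('*S-1-5-32-544')
    SeTakeOwnershipPrivilege      = @('*S-1-5-32-544')
}

function Resolve-Principal([string]$entry) {
    # Names (e.g. Guest) are written as-is; SIDs carry a leading '*'.
    if ($entry -notmatch '^\*S-1-') { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return "$entry (unresolved)"   # orphaned SID: report it rather than hide it
    }
}

# Parse only the [Privilege Rights] section of the export.
$rights    = @{}
$inSection = $false
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection) { continue }
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $right = $Matches[1]
        $raw   = $Matches[2]
        $rights[$right] = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}
Remove-Item -Path $inf -ErrorAction SilentlyContinue

# A right absent from the export has no holders; anything beyond $expected is a finding.
$findings = @(foreach ($right in ($expected.Keys | Sort-Object)) {
    $actual = if ($rights.ContainsKey($right)) { $rights[$right] } else { @() }
    foreach ($holder in $actual) {
        if ($expected[$right] -notcontains $holder) {
            [pscustomobject]@{ Right = $right; UnexpectedHolder = (Resolve-Principal $holder) }
        }
    }
})
if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize } else { 'User rights match the baseline.' }
```

Run it before and after applying the template: the first run shows the default holders you are about to remove (Users, Backup Operators and so on), the second should print only the baseline-match line. An unresolved SID in the output usually points at a deleted account that still holds a right and should be cleaned up.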

Step 5: Configure Local Policies – Security Options

Navigate to Local Policies → Security Options. These settings cover a wide range of system behavior. Critical settings:

; "Accounts: Rename administrator account" and "Accounts: Guest account status"
; are stored with the account policies, so they belong in [System Access]
; (merge these two lines into the [System Access] section from Step 2):
[System Access]
; Pick your own name; "srvadmin" is only an example
NewAdministratorName = "srvadmin"
EnableGuestAccount = 0

[Registry Values]
; Each line is <hive>\<key>\<value>=<type>,<data>; type 4 = REG_DWORD, 1 = REG_SZ.

; Interactive logon: Do not display last user name (1=enabled)
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1

; Interactive logon: Machine inactivity limit (seconds; 900 = 15 minutes)
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs=4,900

; Interactive logon: Number of previous logons to cache (0=no caching). On a
; domain-joined server this blocks domain logons whenever no DC is reachable.
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"

; Microsoft network server: Digitally sign communications (always)
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1

; Microsoft network client: Digitally sign communications (always)
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,1

; Network access: Do not allow anonymous enumeration of SAM accounts (1=enabled)
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1

; Network security: LAN Manager authentication level (5 = send NTLMv2 only,
; refuse LM and NTLM). Confirm no client still depends on NTLMv1 before setting it.
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5

; Network security: Minimum session security for NTLM SSP based clients/servers.
; 537395200 = 0x20080000 = require NTLMv2 session security (0x80000)
; plus 128-bit encryption (0x20000000)
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395200
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,537395200

Apply these via the secedit template or write the registry values directly from PowerShell; the security options in this section are plain registry values, so both routes produce the same result and secpol.msc reads the current state back from the registry either way:

# LAN Manager authentication level - NTLMv2 only, refuse LM and NTLM
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "LmCompatibilityLevel" -Value 5 -Type DWord

# Require SMB signing
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" `
    -Name "RequireSecuritySignature" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" `
    -Name "RequireSecuritySignature" -Value 1 -Type DWord

Step 6: Configure Advanced Audit Policy Settings

Navigate to Advanced Audit Policy Configuration → System Audit Policies, or set the subcategories from an elevated prompt with auditpol. Two caveats: first, enable the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" (registry value SCENoApplyLegacyAuditPolicy under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), otherwise the legacy category-level settings can silently override these subcategories; second, auditpol changes the effective policy directly, and any local or domain Group Policy audit setting overwrites it at the next policy refresh, so on a domain-joined server put the same values into policy as well. Configure the key subcategories:

auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
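The Step 6 configuration as a verifiable script, added as an example rather than taken from the tutorial. It sets the subcategories above (plus Logoff and Special Logon, which the tutorial does not list), enables the subcategory-override security option so the advanced settings actually win, turns on command-line capture for process-creation (4688) events, and then checks the effective policy from auditpol's CSV output. It assumes an elevated prompt; on 2012 R2 command-line capture needs KB3004375 installed to take effect.

```powershell
# Added example (not the tutorial's own code): apply the Step 6 audit policy and
# verify it. Assumes an elevated prompt; KB3004375 is needed on 2012 R2 for
# ProcessCreationIncludeCmdLine_Enabled to have any effect.

# Subcategory -> which outcomes to audit. Logoff and Special Logon are additions.
$wanted = @{
    'Logon'                     = @{ Success = $true; Failure = $true }
    'Logoff'                    = @{ Success = $true; Failure = $false }
    'Account Lockout'           = @{ Success = $true; Failure = $true }
    'Special Logon'             = @{ Success = $true; Failure = $false }
    'User Account Management'   = @{ Success = $true; Failure = $true }
    'Security Group Management' = @{ Success = $true; Failure = $true }
    'Audit Policy Change'       = @{ Success = $true; Failure = $true }
    'Process Creation'          = @{ Success = $true; Failure = $false }
    'Credential Validation'     = @{ Success = $true; Failure = $true }
}

function Set-AuditSubcategory([string]$name, [bool]$success, [bool]$failure) {
    $s = if ($success) { 'enable' } else { 'disable' }
    $f = if ($failure) { 'enable' } else { 'disable' }
    & auditpol.exe /set /subcategory:"$name" /success:$s /failure:$f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for '$name' (exit $LASTEXITCODE)" }
}

# "Audit: Force audit policy subcategory settings ... to override audit policy
# category settings". Without it, legacy category settings can win over these.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# Include the full command line in 4688 (Process Creation) events.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

foreach ($name in $wanted.Keys) {
    Set-AuditSubcategory $name $wanted[$name].Success $wanted[$name].Failure
}

# Verify. '/r' emits CSV with a 'Subcategory' and an 'Inclusion Setting' column,
# the latter being one of: Success, Failure, Success and Failure, No Auditing.
$effective = & auditpol.exe /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
$report = foreach ($name in $wanted.Keys) {
    $row = $effective | Where-Object { $_.Subcategory -eq $name }
    $expect = @()
    if ($wanted[$name].Success) { $expect += 'Success' }
    if ($wanted[$name].Failure) { $expect += 'Failure' }
    $expectText = if ($expect.Count -gt 0) { $expect -join ' and ' } else { 'No Auditing' }
    [pscustomobject]@{
        Subcategory = $name
        Expected    = $expectText
        Actual      = $row.'Inclusion Setting'
        OK          = ($row.'Inclusion Setting' -eq $expectText)
    }
}
$report | Sort-Object Subcategory | Format-Table -AutoSize
```

A row with OK = False right after running the script almost always means a local or domain GPO audit setting has reasserted itself, which is the case the second caveat above describes; check gpresult before touching auditpol again.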

Step 7: Export and Import Configurations

Export the complete local security policy for documentation and reapplication:

mkdir C:\SecurityConfig
# REGKEYS exports registry key permissions; the [Registry Values] security
# options from Step 5 are part of SECURITYPOLICY.
secedit /export /cfg C:\SecurityConfig\FullLocalPolicy.inf /areas SECURITYPOLICY USER_RIGHTS REGKEYS SERVICES

# Keep a copy of the exported template before editing it
Copy-Item C:\SecurityConfig\FullLocalPolicy.inf C:\SecurityConfig\FullLocalPolicy.inf.bak

Apply the configuration to another server by copying the INF file and running the following from an elevated PowerShell prompt (the backticks are PowerShell line continuations). Point /db at a new database file: secedit merges the template into whatever the database already contains, so reusing an old .sdb can bring back settings you thought you had removed. Read the log before trusting the result; it records per-area completion and any lines secedit could not apply.

secedit /configure /cfg C:\SecurityConfig\FullLocalPolicy.inf `
    /db C:\SecurityConfig\FullLocalPolicy.sdb `
    /areas SECURITYPOLICY USER_RIGHTS REGKEYS `
    /log C:\SecurityConfig\secedit-apply.log
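A drift check built on the same template, added as an example and not part of the tutorial: `secedit /analyze` compares the server's effective policy with the baseline INF without changing anything, and the script pulls the divergent settings out of the log. It assumes the Step 7 paths, that the baseline INF was produced by the export above (or copied from the reference server), and that the log marks divergences with lines of the form `Mismatch - <setting>` and template settings absent from the system as `Not Configured - <setting>`, which is how secedit writes them.

```powershell
# Added example (not from the tutorial): detect drift from the baseline INF with
# 'secedit /analyze'. Read-only with respect to system settings.

$baseline = 'C:\SecurityConfig\FullLocalPolicy.inf'   # assumed path, from Step 7
$db       = 'C:\SecurityConfig\analysis.sdb'
$log      = 'C:\SecurityConfig\analysis.log'

if (-not (Test-Path -Path $baseline)) { throw "Baseline template not found: $baseline" }
# Start from a clean analysis database so no earlier template is merged in.
Remove-Item -Path $db, $log -ErrorAction SilentlyContinue

# /analyze imports the template into the database, compares it with the live
# system and writes the comparison to the log; it never applies anything.
& secedit.exe /analyze /db $db /cfg $baseline /log $log | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /analyze failed (exit $LASTEXITCODE); see $log" }

# Divergent settings appear as 'Mismatch - <setting>' lines, settings the
# template defines but the system lacks as 'Not Configured - <setting>'.
$drift = @(Get-Content -Path $log | ForEach-Object {
    if ($_ -match '^\s*(Mismatch|Not Configured)\s+-\s+(.+?)\.?\s*$') {
        [pscustomobject]@{ Status = $Matches[1]; Setting = $Matches[2].Trim() }
    }
})

if ($drift.Count -gt 0) {
    $drift | Sort-Object Status, Setting | Format-Table -AutoSize
    Write-Warning ("{0} setting(s) differ from {1}" -f $drift.Count, $baseline)
} else {
    'No drift from baseline.'
}
```

The analysis database it leaves behind (analysis.sdb) can also be opened in the Security Configuration and Analysis MMC snap-in to browse the same comparison setting by setting, which is handy when the log line alone does not say which value the system actually has.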

Step 8: Verify Applied Settings

After applying settings, verify that key controls are in place:

# Verify LM compatibility level
# Verify LM compatibility level (expect 5; no value at all means the 2012 R2 default of 3)
(Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa").LmCompatibilityLevel

# Verify SMB signing requirement on the server side (expect 1)
(Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters").RequireSecuritySignature

# Verify inactive session timeout (expect 900)
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System").InactivityTimeoutSecs

# Check the password and account lockout policy in force for local accounts
net accounts
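The spot checks above cover three values; the following script, added as an example for Steps 5 and 8 and not part of the tutorial, checks every registry-backed security option from Step 5 against its hardened value in one pass and decodes the NTLM minimum session security bitmask, so the report shows which protections 537395200 (0x20080000) actually demands rather than a bare number. It is read-only; the $checks table encodes the tutorial's values and is the assumption to edit if your baseline differs.

```powershell
# Added example (not the tutorial's code): one-pass check of the Step 5 security
# options. Read-only; safe to run repeatedly.

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$pols = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
    @{ Name = 'Do not display last user name';       Path = $pols;          Value = 'DontDisplayLastUserName';   Expected = 1 }
    @{ Name = 'Machine inactivity limit (seconds)';  Path = $pols;          Value = 'InactivityTimeoutSecs';     Expected = 900 }
    @{ Name = 'Previous logons to cache (REG_SZ)';   Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value = 'CachedLogonsCount'; Expected = '0' }
    @{ Name = 'SMB server: sign always';             Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters';      Value = 'RequireSecuritySignature'; Expected = 1 }
    @{ Name = 'SMB client: sign always';             Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value = 'RequireSecuritySignature'; Expected = 1 }
    @{ Name = 'No anonymous SAM enumeration';        Path = $lsa;           Value = 'RestrictAnonymousSAM';      Expected = 1 }
    @{ Name = 'LAN Manager authentication level';    Path = $lsa;           Value = 'LmCompatibilityLevel';      Expected = 5 }
    @{ Name = 'NTLM SSP minimum client security';    Path = "$lsa\MSV1_0";  Value = 'NTLMMinClientSec';          Expected = 537395200 }
    @{ Name = 'NTLM SSP minimum server security';    Path = "$lsa\MSV1_0";  Value = 'NTLMMinServerSec';          Expected = 537395200 }
)

function Get-NtlmMinSecFlags([int]$value) {
    # NTLMMinClientSec/NTLMMinServerSec are NTLMSSP negotiate flags; only these
    # two bits are meaningful here. 0x20080000 = both set.
    $flags = @()
    if ($value -band 0x00080000) { $flags += 'NTLMv2 session security' }
    if ($value -band 0x20000000) { $flags += '128-bit encryption' }
    if ($flags.Count -eq 0) { $flags = @('none required') }
    return ($flags -join ' + ')
}

function Test-SecurityOption($check) {
    # A missing value is reported as such: for LmCompatibilityLevel that means
    # the 2012 R2 default of 3, for the signing values the default of 0.
    $actual = $null
    $item = Get-ItemProperty -Path $check.Path -Name $check.Value -ErrorAction SilentlyContinue
    if ($item) { $actual = $item.($check.Value) }
    $detail = ''
    if ($check.Value -like 'NTLMMin*' -and $actual -ne $null) { $detail = Get-NtlmMinSecFlags $actual }
    [pscustomobject]@{
        Setting  = $check.Name
        Expected = $check.Expected
        Actual   = if ($actual -eq $null) { '(not set)' } else { $actual }
        OK       = ("$actual" -eq "$($check.Expected)")   # string compare covers REG_SZ values
        Detail   = $detail
    }
}

$results = @($checks | ForEach-Object { Test-SecurityOption $_ })
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.OK })
if ($failed.Count -gt 0) { Write-Warning ("{0} security option(s) differ from the baseline." -f $failed.Count) }
```

The Detail column is the useful part for the NTLM rows: a value that is non-zero but decodes to only one of the two protections (for example 0x20000000 alone) still requires 128-bit keys while leaving NTLMv2 session security optional, which a plain numeric comparison would flag without explaining.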

Summary

Local Security Policy provides granular control over the security posture of individual Windows Server 2012 R2 systems. By configuring strong password and lockout policies, restricting user rights assignments to the minimum necessary, enforcing NTLMv2-only authentication, requiring SMB signing, and enabling comprehensive audit logging, you significantly reduce the attack surface of each server. For domain environments, translate these settings into Group Policy Objects to enforce consistency across your entire server fleet and prevent local administrators from weakening the security configuration.