Eliminate MBSA Warnings Using Default Security Settings Policy

Another Group Policy object that I use in the "Jameson Datacenter" (a.k.a. my home lab) is one that I created a couple of years ago to eliminate various warnings from the Microsoft Baseline Security Analyzer (MBSA).

To automatically change the default security settings in the "Jameson Datacenter", I defined a Group Policy (named Default Security Settings Policy) with the following settings:

  • Computer Configuration
    • Policies
      • Windows Settings
        • Security Settings
          • Account Policies
            • Password Policy
              • Maximum password age: 60 days
              • Minimum password age: 1 day
              • Minimum password length: 8 characters
          • Local Policies
            • Security Options
              • Network security: LAN Manager authentication level: Send NTLMv2 response only. Refuse LM & NTLM
          • System Services
            • TlntSvr
              • Startup Mode: Disabled

I don't know about you, but I haven't used Telnet in almost fifteen years -- back when I used to work on Unix systems ;-)

This Group Policy is linked to the entire domain (i.e. corp.technologytoolbox.com).

Note that I still use the Default Domain Controllers Policy to configure the security settings on the domain controllers (and thus domain accounts). In other words, the settings noted above only affect local accounts (e.g. COLOSSUS\Administrator, not TECHTOOLBOX\jjameson).
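
To confirm that a member server has actually picked up these values, the following PowerShell check compares the machine's effective settings with the ones listed above. It is an added example, not part of the original post. It assumes an elevated prompt, uses a temporary file name chosen for illustration (secpol-check.inf), and treats a machine without the Telnet Server service installed as passing.

```powershell
# Added example: compare effective local settings with the values defined in
# the Default Security Settings Policy. Run from an elevated prompt.
$expected = @{
    MaximumPasswordAge    = 60   # days
    MinimumPasswordAge    = 1    # day
    MinimumPasswordLength = 8    # characters
}

# Export the effective security policy to a temporary INF file
# (file name is an assumption made for this example).
$cfg = Join-Path $env:TEMP 'secpol-check.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'secedit export failed (is the prompt elevated?)' }

# Collect the "Name = Value" lines from the export.
$actual = @{}
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $actual[$Matches[1]] = $Matches[2] }
}
Remove-Item -Path $cfg -Force

$results = @(foreach ($name in $expected.Keys) {
    [pscustomobject]@{
        Setting  = $name
        Expected = $expected[$name]
        Actual   = $actual[$name]
        Ok       = ("$($actual[$name])" -eq "$($expected[$name])")
    }
})

# LAN Manager authentication level: 5 = "Send NTLMv2 response only. Refuse LM & NTLM".
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
$lm = if ($lsa) { $lsa.LmCompatibilityLevel } else { '(not set)' }
$results += [pscustomobject]@{
    Setting = 'LmCompatibilityLevel'; Expected = 5; Actual = $lm; Ok = ("$lm" -eq '5')
}

# Telnet Server service (TlntSvr): should be disabled; absent also counts as a pass here.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='TlntSvr'"
$mode = if ($svc) { $svc.StartMode } else { 'Not installed' }
$results += [pscustomobject]@{
    Setting = 'TlntSvr'; Expected = 'Disabled'; Actual = $mode
    Ok = ($mode -in 'Disabled', 'Not installed')
}

$results | Format-Table -AutoSize
```

Any row with Ok set to False points to a setting that another GPO with higher precedence is overriding, or to a machine that has not yet refreshed Group Policy.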