being targeted with a SYN flood attack (a type of denial of service attack). When
enabled the connection responses time out more quickly in the event of an attack.
Disable Web Printing (Windows 2000/XP)
This restriction enables and disables server support for Internet printing. Internet
printing lets you display printers on Web pages so they can be viewed, managed,
and used across the Internet or an intranet.
Disable Recent Shares in Network Places (Windows 2000/XP)
This restriction stops remote shared folders from being added to Network Places
whenever you open a document in the shared folder.
Offload IP Security Task Processing (Windows 2000/XP)
This setting is used to control whether IP Security (IPSEC) tasks should be
offloaded to a network card with IP security capabilities.
Specify Users to Receive Administrative Alerts (Windows NT/2000/XP)
This setting is used to specify a list of users and/or computers that should receive
administrative alerts.
Send Plain Text Passwords (All Windows)
When connecting to some SMB servers, such as Samba and LAN Manager for
UNIX, you may be required to send unencypted password. This setting enables
that functionality.
Disable Save Password Option in Dial-Up Networking (Windows NT/2000)
When you dial a phonebook entry in Dial-Up Networking (DUN), you can use the
'Save Password' option so that your DUN password is cached and you will not
need to enter it on successive dial attempts. This key disables that option.
Restrict Anonymous User Access (Windows NT/2000/XP)
Windows has a feature where anonymous users can list domain user names and
enumerate share names. Users who want enhanced security may optionally restrict
this functionality.
Changing LAN Manager Authentication on Windows NT (Windows NT)
Windows NT supports two kinds of challenge/response authentication:
LanManager (LM) and Windows NT (NTLM). LM authentication is not as strong
as Windows NT authentication so some customers may want to disable its use,

because an attacker sniffing the network traffic could possibly attack the weaker
protocol.
Disable TCP/IP Source Routing (Windows NT 4.0)
Normally, on a computer running Windows NT 4.0, you cannot disable the source
routing feature for the TCP/IP protocol. By using this tweak it is possible to disable
it.
Hide the Active Directory Folder in My Network Places (Windows 2000)
This restriction is used to remove the Active Directory folder from My Network
Places. This still allows users to search but not browse the Active Directory.
Hide Computer from the Browser List (Windows NT/2000/XP)
If you have a secure server or workstation you wish to hide from the general
browser list, then enable this setting.
Hide Entire Network in Network Neighborhood (All Windows)
Entire Network is an option under Network Neighborhood that allows users to see
all the Workgroups and Domains on the network. Entire Network can be disabled,
so users are confined to their own Workgroup or Domain.
Hide Workgroup Content from Network Neighborhood (All Windows)
Enabling this option hides all Workgroup contents from being displayed in
Network Neighborhood.
Remove the Map and Disconnect Network Drive Options (Windows
NT/2000/XP)
Prevents users from making additional network connections by removing the Map
Network Drive and Disconnect Network Drive buttons from the toolbar in
Explorer and also removing them from the Context menu of My Computer and the
Tools menu of Explorer.
Disable Caching of Domain Password (Windows 95/98/Me)
Enabling this setting disables the caching of the domain passwords, and therefore
passwords are required to be re-entered to access any additional domain resources.
Hide Share Passwords with Asterisks (All Windows)
This setting controls whether the password typed when accessing a file share is

shown in clear text or as asterisks.
Hide Computers Near Me in Network Places (Windows 2000/Me/XP)
This setting allows you to show or hide the computers listed Near Me in My
Network Places.
Disable the Ability to Remotely Shutdown the Computer Browser Service
(Windows NT/2000/XP)
It is possible for a malicious user to shut down a computer browser, or all
computer browsers, on the same subnet. If all of the computers on the same subnet
are shut down, they can then declare their own computer the new master browser.
Automatic Hidden Shares (Windows NT/2000/XP)
When networking has been installed on a Windows machine, it will automatically
create hidden shares to the local disk drives. It is possible to disable the sharing at
run-time, but this tweak will stop the automatic sharing altogether.
Require Validation by Network for Windows Access (Windows 95/98/Me)
By default Windows 9x doesn't require a valid network username and password
combination for a user to bypass the logon and gain access to the local machine.
This functionality can be changed to require validation by the network before
allowing access.
Changing the Password Expiry Warning Period (Windows NT/2000/XP)
This entry specifies the number of days before a user's password expires that a
warning message is displayed.
Disable the Automatic Creation of a Default Network Route (Windows NT)
This tweak controls the default behavior of Windows to add a network route to
0.0.0.0 on multi-homed machines (e.g. proxy or firewall).
Home

:
Security

: Privacy


Clear the Page File at System Shutdown (Windows NT/2000/XP) Popular
Windows does not normally clear or recreate the page file. On a heavily used
system this can be both a security threat and performance drop. Enabling this
setting will cause Windows to clear the page file whenever the system is shutdown.
Reset Microsoft Word Settings and Recent Files (All Windows)
This setting can be used to reset the Word parameters back to the default if you are
experiencing problems. For example if you start Word and one of your toolbars or
menu bars is missing, or if your personalized settings are not retained.
Disable Network Messenger Service (Windows NT/2000/XP)
The Messenger service is normally used to transmit net send and Alerter service
messages between clients and servers. Recently it has been employed by marketers
for sending unsolicited advertising popups (SPAM) over the Internet. This tweak
allows you to disable this service.
Clear Download Accelerator History (All Windows)
Download Accelerator Plus (DAP) is a tool used to retrieve files from Internet
servers. It stores a history of the files downloaded and URLs visited. To increase
privacy and security this tweak allows you to clear the history.
Disable Recent Files in Media Player (All Windows)
This restriction will stop Windows Media Player from storing the names of the
played media in the recent file list.
Clear the Recent Play List in Media Player (All Windows)
This tweak allows you to clear the recent files, URL history and radio stations in
Windows Media Player.
Empty Temporary Internet Files on Exit (All Windows)
This setting controls whether Internet Explorer should delete all of the temporary
Internet files stored during the session when the browser is closed.
Clear the Cached Run Commands (All Windows)
Do you have a lot of items in the run command history on Start Menu? This tweak
will allow you to clear the most-recently-used (MRU) list.

Clear the Internet Explorer Typed Address History (All Windows) Popular
Internet Explorer caches any URLs that are typed into the address bar. This may
become a privacy issue on a shared computer, or a nuisance if there is a particular
URL you want to remove without clearing the whole history.
Disable User Tracking (Windows 2000/XP)
This setting stops Windows from recording user tracking information including
which applications a user runs and which files and documents are being accessed.
Clear the Netmeeting Call History (All Windows)
This tweak allows you to clear the stored call history in the Netmeeting drop down
list.
Home

:
Security

: Remote Access

Configure Remote Access Client Account Lockout (Windows 2000/XP)
You can use the remote access account lockout feature to specify how many times
a remote access authentication has to fail against a valid user account before the
user is denied access. Use this tweak to set the number of failed logins before the
account is locked-out and the time before the lockout is reset.
Specify the Callback Pause Period (Windows NT/2000/XP)
When callback is required or requested this setting defines how long to wait before
initiating the callback connection.
Automatically Disconnect Remote Access Callers (Windows NT/2000/XP)
Specifies the amount of idle time in minutes to wait before disconnecting the
remote access client.
Time Limit for Remote Access Authentication (Windows NT/2000/XP)
A time limit can be enforced on the period available to logon via remote access

before the connection is terminated.
Number of Remote Access Authentication Attempts (Windows NT/2000/XP)
This setting controls the number of authentication retries before a remote access
connection is terminated.
Disable Dial-In Access (Windows 95/98/Me)
It's possible for users to setup a modem on a Windows machine, and by using Dial-
up Networking allow callers to connect to the internal network. Especially in a
corporate environment this can cause a major security risk.
Automatically Use Dial-Up Networking to Logon (Windows NT/2000)
There is an option that is available on the logon dialog box and allows you to dial
into your logon server for authentication of your user account, this can be enabled
by default.
Disable the "Log on using dial-up connection" Check Box (Windows NT/2000)
During logon Windows allows users to optionally connect to a Windows domain
using dial-up networking, this tweak can be used to disable that option.
Home

:
Securit
y

: Start Menu and Taskbar


Documents and Folders
Security Settings for Documents

and Folders