Download
| Alert*
|
CCE-9222-1
The 'Shutdown: Clear virtual memory pagefile' setting should be configured correctly. CCE-8844-3 The 'Allow Standby States (S1-S3) When Sleeping (On Battery)' setting should be configured correctly. CCE-10183-2 The 'Prevent the computer from joining a homegroup' setting should be configured correctly. CCE-9136-3 The 'Account lockout threshold' setting should be configured correctly. CCE-8460-8 The 'Create symbolic links' user right should be assigned to the appropriate accounts. CCE-9381-5 The 'System cryptography: Force strong key protection for user keys stored on the computer' setting should be configured correctly. CCE-9463-1 The 'Audit: Shut down system immediately if unable to log security audits' setting should be configured correctly. CCE-9983-8 The 'Do not process the legacy run list' setting should be configured correctly. CCE-10714-4 The setup log maximum size should be configured correctly. CCE-9295-7 This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its computer account password. If you disable this policy setting, the domain member can change its compu ... CCE-9370-8 The 'Password must meet complexity requirements' policy should be set correctly. CCE-9500-0 The 'Retain old events' setting should be configured correctly for the security log. CCE-8817-9 The 'User Account Control: Virtualize file and registry write failures to per-user locations' setting should be configured correctly. CCE-9801-2 The 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' setting should be configured correctly. CCE-9670-1 The 'Require a Password When a Computer Wakes (Plugged In)' setting should be configured correctly. CCE-9212-2 The 'Deny log on as a batch job' user right should be assigned to the appropriate accounts. CCE-8654-6 The 'Network access: Do not allow storage of passwords and credentials for network authentication' setting should be configured correctly. CCE-9266-8 The 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' setting should be configured correctly. CCE-9439-1 The 'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.' setting should be configured correctly. CCE-10769-8 The "Allow remote access to the PnP interface" setting should be configured correctly. CCE-8714-8 The 'Accounts: Guest account status' setting should be configured correctly. CCE-8804-7 Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7. Countermeasure: Configure Network security: Allow LocalSystem NULL session fallback to Disabled. Potential Impact: Any applications that require NULL ses ... CCE-8560-5 The 'MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)' setting should be configured correctly. CCE-9831-9 The "Turn off Windows Customer Experience Improvement Program" setting should be configured correctly. CCE-9330-2 The 'Minimum password age' setting should be configured correctly. CCE-9107-4 The 'Allow log on through Remote Desktop Services' user right should be assigned to the appropriate accounts. CCE-8655-3 The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly. CCE-9244-5 The 'Deny access to this computer from the network' user right should be assigned to the appropriate accounts. CCE-9304-7 The 'Devices: Restrict CD-ROM access to locally logged-on user only' setting should be configured correctly. CCE-9342-7 The 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' setting should be configured correctly. CCE-9501-8 The 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' setting should be configured correctly. CCE-9487-0 The 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly. CCE-9876-4 The "Enable User Control Over Installs" policy should be set correctly. CCE-9829-3 The 'Require a Password When a Computer Wakes (On Battery)' setting should be configured correctly. CCE-9456-5 The 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly. CCE-9418-5 The 'Accounts: Limit local account use of blank passwords to console logon only' setting should be configured correctly. CCE-9938-2 The 'Enumerate administrator accounts on elevation' setting should be configured correctly. CCE-8562-1 The 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' setting should be configured correctly. CCE-9301-3 This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevati ... CCE-9193-4 The 'Maximum password age' setting should be configured correctly. CCE-9253-6 The 'Access this computer from the network' user right should be assigned to the appropriate accounts. CCE-9336-9 The 'Force shutdown from a remote system' user right should be assigned to the appropriate accounts. CCE-10779-7 The 'Encryption Level' option for the Remote Desktop Services 'Set client connection encryption level' setting should be configured correctly. CCE-10103-0 The 'Always prompt for password upon connection' setting should be configured correctly. CCE-8789-0 The 'Audit: Audit the use of Backup and Restore privilege' setting should be configured correctly. CCE-9189-2 This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC pol ... CCE-8945-8 The 'Recovery console: Allow floppy copy and access to all drives and all folders' setting should be configured correctly. CCE-10154-3 The 'Do not process the run once list' setting should be configured correctly. CCE-9348-4 The 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' setting should be configured correctly. CCE-9707-1 The 'Shutdown: Allow system to be shut down without having to log on' setting should be configured correctly. CCE-9674-3 The 'Turn off Internet download for Web publishing and online ordering wizards' setting should be configured correctly. CCE-8513-4 The 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' setting should be configured correctly. CCE-9496-1 The 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly. CCE-9247-8 Rights to access DCOM applications should be assigned as appropriate. CCE-9616-4 This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name ... CCE-9458-1 The 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' setting should be configured correctly. CCE-9506-7 User-intiated solicitations for remote assistance (aka the 'Solicited Remote Assistance' setting) should be enabled or disabled as appropriate. CCE-9274-2 The 'Deny log on through Remote Desktop Services' user right should be assigned to the appropriate accounts. CCE-8811-2 The 'User Account Control: Admin Approval Mode for the Built-in Administrator account' setting should be configured correctly. CCE-9357-5 The 'Minimum password length' setting should be configured correctly. CCE-9395-5 The 'User Account Control: Switch to the secure desktop when prompting for elevation' setting should be configured correctly. CCE-8591-0 The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly. CCE-10156-8 The 'Maximum Log Size (KB)' setting should be configured correctly for the system log. CCE-8807-0 The 'Recovery console: Allow automatic administrative logon' setting should be configured correctly. CCE-8467-3 The 'Impersonate a client after authentication' user right should be assigned to the appropriate accounts. CCE-9532-3 The 'Network Security: Configure encryption types allowed for Kerberos' setting should be configured correctly. CCE-9918-4 The 'Turn off Data Execution Prevention for Explorer' setting should be configured correctly. CCE-9967-1 This definition tests the the maximum allowed size of the security log is at least as big as the supplied value. CCE-9736-0 The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' setting should be enabled or disabled as appropriate. CCE-9021-7 The 'User Account Control: Only elevate executables that are signed and validated' setting should be configured correctly. CCE-9603-2 The 'Maximum Log Size (KB)' setting should be configured correctly for the application log. CCE-10519-7 The 'Permit remote control of this computer' option for the 'Solicited Remote Assistance' setting should be configured correctly. CCE-10061-0 The 'Turn off printing over HTTP' setting should be configured correctly. CCE-10655-9 The "Turn off Autoplay for non-volume devices" setting should be configured correctly. CCE-9528-1 The 'Turn off Autoplay' setting should be configured correctly. CCE-9053-0 The 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows ' setting should be configured correctly. CCE-8806-2 LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, th ... CCE-8581-1 The BitLocker 'Provide the unique identifiers for your organization' setting should be enabled or disabled as appropriate. CCE-9211-4 The 'Deny write access to removable data drives not protected by BitLocker' setting should be configured correctly. CCE-9200-7 The BitLocker 'Allow data recovery agent' setting should be enabled or disabled as appropriate for operating system drives. CCE-8688-4 The minimum number of characters required for the BitLocker startup PIN used with the Trusted Platform Module (TPM) should be set correctly. CCE-9220-5 The 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows ' setting should be configured correctly. CCE-9062-1 The BitLocker 'Object identifier' setting should be configured correctly. CCE-8278-4 The 'Choose how BitLocker-protected operating system drives can be recovered' setting should be enabled or disabled as appropriate. CCE-10527-0 The default behavior for AutoRun should be properly configured. CCE-8899-7 The BitLocker 'Prevent memory overwrite on restart' setting should be configured correctly. CCE-9540-6 The 'Network access: Restrict anonymous access to Named Pipes and Shares' setting should be configured correctly. CCE-10077-6 The 'Allow Remote Shell Access' setting should be configured correctly. CCE-8912-8 The "enforce password history" policy should meet minimum requirements. CCE-10140-2 The 'Turn off Search Companion content file updates' setting should be configured correctly. CCE-8303-0 The BitLocker 'Require additional authentication at startup' setting should be enabled or disabled as appropriate.. CCE-9770-9 The 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' setting should be configured correctly. CCE-8487-1 The 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' setting should be configured correctly. CCE-8995-3 The 'Control use of Bitlocker on removable drives' setting should be configured correctly. CCE-10608-8 The "Set time limit for idle sessions" policy should be set correctly for Terminal Services. CCE-9144-7 The BitLocker 'Configure use of passwords for fixed data drives' setting should be configured correctly. CCE-8721-3 The BitLocker 'Configure use of smart cards on fixed data drives' setting should be configured correctly. CCE-9503-4 The 'Network access: Sharing and security model for local accounts' setting should be configured correctly. CCE-10181-6 The 'RPC Endpoint Mapper Client Authentication' setting should be configured correctly. CCE-9191-8 This policy setting determines the strength of the default discretionary access control list (DACL) for objects. The setting helps secure objects that can be located and shared among processes and its default configuration strengthens the DACL, because it allows users who are not administrators to r ... CCE-9089-4 The BitLocker 'Allow enhanced PINs for startup' setting should be configured correctly. CCE-9858-2 The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services. CCE-8745-2 The 'Choose how BitLocker-protected fixed drives can be recovered' setting should be enabled or disabled as appropriate. CCE-9141-3 The BitLocker 'Configure use of passwords for removable data drives' setting should be configured correctly. CCE-8719-7 The 'Deny write access to fixed drives not protected by BitLocker' setting should be configured correctly. CCE-8613-2 The 'Choose how BitLocker-protected removable drives can be recovered' setting should be enabled or disabled as appropriate. CCE-10753-2 The 'Maximum ticket time (value)' option for the 'Solicited Remote Assistance' setting should be configured correctly. CCE-9067-0 The 'Interactive logon: Smart card removal behavior' setting should be configured correctly. CCE-8648-8 The BitLocker 'Configure use of smart cards on removable data drives' setting should be enabled or disabled as appropriate. CCE-8818-7 Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting determines whether it is necessary to contact a domain controller to unlock a computer. If you enable this setting, a domain c ... CCE-8937-5 The 'Network security: Do not store LAN Manager hash value on next password change' setting should be configured correctly. CCE-8958-1 This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most co ... CCE-8813-8 The 'User Account Control: Behavior of the elevation prompt for standard users' setting should be configured correctly. CCE-9239-5 The 'Deny log on locally' user right should be assigned to the appropriate accounts. CCE-8868-2 The 'Devices: Allowed to format and eject removable media' setting should be configured correctly. CCE-9534-9 The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' setting should be enabled or disabled as appropriate. CCE-9387-2 The 'Domain member: Require strong (Windows 2000 or later) session key' setting should be configured correctly. CCE-8825-2 This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Di ... CCE-9375-7 The 'Domain member: Digitally sign secure channel data (when possible)' setting should be configured correctly. CCE-9317-9 The 'Interactive logon: Do not require CTRL+ALT+DEL' setting should be configured correctly. CCE-8936-7 The 'Network access: Let Everyone permissions apply to anonymous users' setting should be configured correctly. CCE-9196-7 The 'Network access: Shares that can be accessed anonymously' setting should be configured correctly. CCE-9449-0 The 'Interactive logon: Do not display last user name' setting should be configured correctly. CCE-9218-9 The 'Network access: Named Pipes that can be accessed anonymously' setting should be configured correctly. CCE-9123-1 The 'Domain member: Maximum machine account password age' setting should be configured correctly. CCE-9249-4 The 'Network access: Do not allow anonymous enumeration of SAM accounts' setting should be configured correctly. CCE-9768-3 The 'Network security: LDAP client signing requirements' setting should be configured correctly. CCE-9265-0 The 'Microsoft network client: Send unencrypted password to third-party SMB servers' setting should be configured correctly. CCE-9432-6 The 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' setting should be configured correctly. CCE-9386-4 The 'Network access: Remotely accessible registry paths and sub-paths' setting should be configured correctly. CCE-9156-1 The 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' setting should be configured correctly. CCE-9121-5 The 'Network access: Remotely accessible registry paths' setting should be configured correctly. CCE-9319-5 The 'System objects: Require case insensitivity for non-Windows subsystems' setting should be configured correctly. CCE-9400-3 The 'Reset account lockout counter after' setting should be configured correctly. CCE-9308-8 The 'Account lockout duration' setting should be configured correctly. |
