Download
| Alert*
|
CCE-36862-1
MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) The registry value entry Hidden was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\ registry key. The entry appears as MSS: (Hidde ... CCE-36125-3 Prevent the computer from joining a homegroup By default, users can add their computer to a homegroup on a home network. If you enable this policy setting, a user on this computer will not be able to add this computer to a homegroup. This setting does not affect other network sharing features. I ... CCE-36528-8 Control use of BitLocker on removable drives This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker. When this policy setting is enabled you can select property settings that control how users can configure BitLocker. ... CCE-37358-9 DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax This policy setting determines which users or groups might access DCOM application remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications. You can use ... CCE-36819-1 Configure TPM platform validation profile for BIOS-based firmware configurations This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a co ... CCE-36262-4 Audit: Audit the use of Backup and Restore privilege This policy setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use setting is in effect. If you enable both policies, an audit event will be generated for every file that is ... CCE-35971-1 Devices: Restrict CD-ROM access to locally logged-on user only This policy setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. If you enable this policy setting, only the interactively logged-on user is allowed to access removable CD-ROM media. When this ... CCE-36264-0 Interactive logon: Machine account lockout threshold The machine lockout policy is enforced only on those machines that have Bitlocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled. This security setting determines the number of fai ... CCE-38225-9 Turn off Windows Location Provider This policy setting turns off the Windows Location Provider feature for this computer. If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the Windows Loc ... CCE-36913-2 Configure use of smart cards on fixed data drives This policy setting allows you to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer. If you enable this policy setting smart cards can be used to authenticate user acces ... CCE-37028-8 Do not process the legacy run list This policy setting causes the run list, which is a list of programs that Windows runs automatically when it starts, to be ignored. The customized run lists for Windows Vista are stored in the registry at the following locations: - HKEY_LOCAL_MACHINE\Software\Micr ... CCE-37929-7 Always prompt for password upon connection This policy setting specifies whether Terminal Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Terminal Services, even if they already provided ... CCE-38119-4 Network access: Do not allow storage of passwords and credentials for network authentication This policy setting determines whether the Stored User Names and Passwords feature may save passwords or credentials for later use when it gains domain authentication. If you enable this policy setting, the ... CCE-36628-6 Turn off the Windows Messenger Customer Experience Improvement Program This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. CCE-37948-7 Specify the maximum log file size (KB) This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte incremen ... CCE-36850-6 Provide the unique identifiers for your organization This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allow ... CCE-37067-6 MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) The registry value entry AutoAdminLogon was added to the template file in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ registry key. The entry appears as MSS: (AutoAdminLogon) Enable Automatic Logon (not ... CCE-36173-3 LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, th ... CCE-37346-4 Enable RPC Endpoint Mapper Client Authentication This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) canno ... CCE-37624-4 Recovery console: Allow automatic administrative logon The recovery console is a command-line environment that is used to recover from system problems. If you enable this policy setting, the administrator account is automatically logged on to the recovery console when it is invoked during startup. CCE-38047-7 Network Security: Allow PKU2U authentication requests to this computer to use online identities Windows 7 and Windows Server 2008 R2 introduce an extension to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decides whether to use Kerberos or NTLM for aut ... CCE-36534-6 Minimum password length This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps 'pass phrase' is a better term than 'password.' In Mic ... CCE-36869-6 This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC pol ... CCE-37078-3 Allow access to BitLocker-protected fixed data drives from earlier versions of Windows This policy setting configures whether or not fixed data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP with Service Pack ... CCE-36884-5 Turn off Search Companion content file updates This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. CCE-36846-4 Deny write access to fixed drives not protected by BitLocker This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, all fixed data dr ... CCE-37439-7 Interactive logon: Number of previous logons to cache (in case domain controller is not available) This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even ... CCE-37020-5 Configure use of hardware-based encryption for fixed data drives This policy setting allows you to manage BitLocker?s use of hardware-based encryption on fixed data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve ... CCE-36748-2 Do not process the run once list This policy setting causes the run once list, which is the list of programs that Windows Vista runs automatically when it starts, to be ignored. This policy setting differs from the Do not process the legacy run list setting in that programs on this list will run on ... CCE-36836-5 Configure TPM platform validation profile for native UEFI firmware configurations This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a c ... CCE-37066-8 Require a Password When a Computer Wakes (Plugged In) Specifies whether or not the user is prompted for a password when the system resumes from sleep. CCE-37307-6 Recovery console: Allow floppy copy and access to all drives and all folders This policy setting makes the Recovery Console SET command available, which allows you to set the following recovery console environment variables: - AllowWildCards. Enables wildcard support for some commands (such as the ... CCE-37432-2 Accounts: Guest account status This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system. Note that this setting will have no impact when applied to the domain controller organizational unit v ... CCE-36922-3 MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic. The registry value entry NoDefaultExempt was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\ registry key. The entry appears as MSS: (NoDefaultExempt) Configure IPSe ... CCE-36533-8 This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name ... CCE-36400-0 Allow user control over installs This policy setting permits users to change installation options that typically are available only to system administrators. If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete t ... CCE-36847-2 Disallow standard users from changing the PIN or password This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first. This policy setting is applied when you turn on BitLocker. ... CCE-36871-2 MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) This entry appears as MSS: (DisableIPSourceRouting) IPv6 source routing protection level (protects against packet spoofing) in the SCE. IP source routing is a mechanism that allows the sender to ... CCE-36351-5 MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) The registry value entry SafeDllSearchMode was added to the template file in the HKEY_LOCAL_MACHINE\ SYSTEM\CurrentControlSet\Control\Session Manager\ registry key. The entry appears as MSS: (SafeDllSearchMode) Enable Safe DLL searc ... CCE-38362-0 Turn off the offer to update to the latest version of Windows Enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. If you disable or do not configure this sett ... CCE-37167-4 Maximum password age This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for this policy setting is 42 days. Because attackers can ... CCE-36092-5 Specify the maximum log file size (KB) This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte incremen ... CCE-36879-5 MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers The registry value entry NoNameReleaseOnDemand was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\ Parameters\ registry key. The entry appea ... CCE-37061-9 Deny write access to removable drives not protected by BitLocker This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protecte ... CCE-37641-8 Allow enhanced PINs for startup This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker. Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied whe ... CCE-36844-9 Configure use of smart cards on removable data drives This policy setting specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choose to allow use of a password, you can require a password to be used, enforce complexity requirements, and configure a m ... CCE-37170-8 Allow Secure Boot for integrity validation This policy setting allows you to configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives. Secure Boot ensures that the PC's pre-boot environment only loads firmware that is digitally signed ... CCE-37603-8 Choose how BitLocker-protected operating system drives can be recovered This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. The ' ... CCE-35920-8 Allow Standby States (S1-S3) When Sleeping (On Battery) Dictates whether or not Windows is allowed to use standby states when sleeping the computer. When this policy is enabled, Windows may use standby states to sleep the computer. If this policy is disabled, the only sleep state a compute ... CCE-37762-2 Choose how BitLocker-protected fixed drives can be recovered This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The 'Allow data recovery agent' ch ... CCE-37057-7 User Account Control: Only elevate UIAccess applications that are installed in secure locations This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations ... CCE-36358-0 Choose how BitLocker-protected removable drives can be recovered This policy setting allows you to control how BitLocker-protected removable data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The 'Allow data recovery a ... CCE-37166-6 Enforce password history This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwor ... CCE-37615-2 Accounts: Limit local account use of blank passwords to console logon only This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have ... CCE-37060-1 Configure use of passwords for fixed data drives This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives. If you choose to permit the use of a password, you can require that a password be used, enforce complexity requirements on the password, and ... CCE-37968-5 Allow access to BitLocker-protected removable data drives from earlier versions of Windows This policy setting configures whether or not removable data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP with Servi ... CCE-36494-3 User Account Control: Admin Approval Mode for the Built-in Administrator account This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: - Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operat ... CCE-36421-6 Turn off Data Execution Prevention for HTML Help Executible This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced DEP. DEP is designed to block malicious code that takes advantage of exception-handling mechanisms in Windows. If you enab ... CCE-36920-7 Turn off printing over HTTP This policy setting allows you to disable the client computer?s ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. CCE-37025-4 Reset platform validation data after BitLocker recovery This policy setting allows you to control whether or not platform validation data is refreshed when Windows is started following BitLocker recovery. If you enable this policy setting, platform validation data will be refreshed when Windows ... CCE-37775-4 Control Event Log behavior when the log file reaches its maximum size This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If y ... CCE-38360-4 Turn off Automatic Download and Install of updates Enables or disables the automatic download and installation of app updates. If you enable this setting, the automatic download and installation of app updates is turned off. If you disable this setting, the automatic download and installation ... CCE-37835-6 Network security: Minimum session security for NTLM SSP based (including secure RPC) servers This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services ... CCE-36526-2 Configure use of hardware-based encryption for removable data drives This policy setting allows you to manage BitLocker?s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can ... CCE-37846-3 MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) The registry value entry TCPMaxDataRetransmissions for IPv6 was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6 \Parameters\ registry ... CCE-35918-2 Allow network unlock at startup This policy setting controls whether a BitLocker-protected computer that is connected to a trusted wired Local Area Network (LAN) and joined to a domain can create and use Network Key Protectors on TPM-enabled computers to automatically unlock the operating system dr ... CCE-37063-5 Password must meet complexity requirements This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain the user's account name or parts of the user's ... CCE-36880-3 MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning The registry value entry WarningLevel was added to the template file in the HKEY_LOCAL_MACHINE\ SYSTEM\CurrentControlSet\Services\Eventlog\Security\ registry key. The entry appears as MSS ... CCE-37809-1 Turn off Data Execution Prevention for Explorer Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. CCE-35907-5 Audit: Shut down system immediately if unable to log security audits This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent audit ... CCE-37993-3 MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) The registry value entry ScreenSaverGracePeriod was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\ Windows NT\CurrentVersion\Winlogon\ registry key. The en ... CCE-36865-4 User Account Control: Only elevate executables that are signed and validated This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to ru ... CCE-37508-9 This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its computer account password. If you disable this policy setting, the domain member can change its compu ... CCE-38240-8 Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting determines whether it is necessary to contact a domain controller to unlock a computer. If you enable this setting, a domain c ... CCE-37024-7 Enable use of BitLocker authentication requiring preboot keyboard input on slates This policy setting allows users to enable authentication options that require user input from the pre-boot environment even if the platform indicates lack of pre-boot input capability. The Windows on-screen touch ... CCE-37035-3 Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7. Countermeasure: Configure Network security: Allow LocalSystem NULL session fallback to Disabled. Potential Impact: Any applications that require NULL ses ... CCE-36881-1 Require a Password When a Computer Wakes (On Battery) Specifies whether or not the user is prompted for a password when the system resumes from sleep. CCE-37281-3 Configure Solicited Remote Assistance This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messag ... CCE-37644-2 This policy setting determines the strength of the default discretionary access control list (DACL) for objects. The setting helps secure objects that can be located and shared among processes and its default configuration strengthens the DACL, because it allows users who are not administrators to r ... CCE-37179-9 Allow all trusted apps to install This policy setting allows you to manage the installation of app packages that do not originate from the Windows Store. If you enable this policy setting, you can install any trusted app package. A trusted app package is one that is signed with a certificate cha ... CCE-37073-4 Minimum password age This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this sett ... CCE-36866-2 User Account Control: Switch to the secure desktop when prompting for elevation This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: - Enabled: (Default) All elevation requests go to the secure des ... CCE-38335-6 Shutdown: Clear virtual memory pagefile This policy setting determines whether the virtual memory pagefile is cleared when the system is shut down. When this policy setting is enabled, the system pagefile is cleared each time that the system shuts down properly. If you enable this security setting, ... CCE-37988-3 MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes The registry value entry EnableICMPRedirect was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (EnableICMPRedirect) Allo ... CCE-36852-2 Require additional authentication at startup This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you tu ... CCE-36096-6 Turn off Internet download for Web publishing and online ordering wizards This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. CCE-36499-2 Allow Remote Shell Access This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. CCE-36875-3 Turn off Autoplay Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. You can enable the Tu ... CCE-36837-3 Configure use of hardware-based encryption for operating system drives This policy setting allows you to manage BitLocker?s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption ... CCE-37053-6 Configure use of passwords for removable data drives This policy setting allows you to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer. If you enable this policy setting smart cards can be used to authenticate user ac ... CCE-36110-5 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing This policy setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. Although this policy setting inc ... CCE-36840-7 Configure use of passwords for operating system drives This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements ... CCE-36863-9 This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevati ... CCE-36853-0 Use enhanced Boot Configuration Data validation profile This policy setting allows you to choose specific Boot Configuration Data (BCD) settings to verify during platform validation. If you enable this policy setting, you will be able to add additional settings, remove the default settings, or b ... CCE-37755-6 Network Security: Configure encryption types allowed for Kerberos This policy setting allows you to set the encryption types that Kerberos is allowed to use. This policy is supported on at least Windows 7 or Windows Server 2008 R2. CCE-36788-8 Shutdown: Allow system to be shut down without having to log on This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. Microsoft recommends to disable this pol ... CCE-37695-4 Specify the maximum log file size (KB) This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte incremen ... CCE-38235-8 Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. Countermeasure: Configure this policy setting to 900 seconds (15 minutes) so that the risk of a user's desktop session being hijac ... CCE-36512-2 Enumerate administrator accounts on elevation By default, all administrator accounts are displayed when you attempt to elevate a running application. CCE-37064-3 User Account Control: Virtualize file and registry write failures to per-user locations This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-ti ... CCE-36051-1 MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) The registry value entry TCPMaxDataRetransmissions was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip \Parameters\ registry key. The entry ... CCE-38333-1 Interactive logon: Smart card removal behavior This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. CCE-38065-9 MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) The registry value entry PerformRouterDiscovery was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears ... CCE-36535-3 MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) The registry value entry DisableIPSourceRouting was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (D ... CCE-37623-6 Network access: Sharing and security model for local accounts This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users ... CCE-36849-8 Prevent memory overwrite on restart This policy setting controls computer restart performance at the risk of exposing BitLocker secrets. This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material used to encrypt data. This policy setting applies only when BitL ... CCE-36327-5 System cryptography: Force strong key protection for user keys stored on the computer This policy setting determines whether users' private keys (such as their S-MIME keys) require a password to be used. If you configure this policy setting so that users must provide a password?distinct from their ... CCE-35899-4 Allow remote access to the Plug and Play interface This policy setting allows you to allow or deny remote access to the Plug and Play interface. If you enable this policy setting, remote connections to the Plug and Play interface are allowed. If you disable or do not configure this p ... CCE-37106-2 Impersonate a client after authentication The policy setting allows programs that run on behalf of a user to impersonate that user (or another specified account) so that they can act on behalf of the user. If this user right is required for this kind of impersonation, an unauthorized user will not ... CCE-35818-4 Access this computer from the network This policy setting allows other users on the network to connect to the computer and is required by various network protocols that include Server Message Block (SMB)?based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus ( ... CCE-37072-6 Allow log on through Remote Desktop Services This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. If your organization uses Remote Assistance as part of its help desk strategy, create a group and a ... CCE-35823-4 Create symbolic links This policy setting determines which users can create symbolic links. In Windows Vista, existing NTFS file system objects, such as files and folders, can be accessed by referring to a new kind of file system object called a symbolic link. A symbolic link is a pointer (much lik ... CCE-37954-5 Deny access to this computer from the network This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In high security environments, there should be no need for remote users to access data on ... CCE-36008-1 Account lockout threshold This policy setting determines the number of failed logon attempts before a lock occurs. Authorized users can lock themselves out of an account by mistyping their password or by remembering it incorrectly, or by changing their password on one computer while logged on to an ... CCE-36923-1 Deny log on as a batch job This policy setting determines which accounts will not be able to log on to the computer as a batch job. A batch job is not a batch (.bat) file, but rather a batch-queue facility. Accounts that use the Task Scheduler to schedule jobs need this user right. The Deny log on ... CCE-37877-8 Force shutdown from a remote system This policy setting allows users to shut down Windows Vista?based computers from remote locations on the network. Anyone who has been assigned this user right can cause a denial of service (DoS) condition, which would make the computer unavailable to service user ... CCE-37029-6 This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most co ... CCE-36326-7 Network security: Do not store LAN Manager hash value on next password change This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stro ... CCE-37701-0 Devices: Allowed to format and eject removable media This policy setting determines who is allowed to format and eject removable media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administ ... CCE-36864-7 User Account Control: Behavior of the elevation prompt for standard users This policy setting controls the behavior of the elevation prompt for standard users. The options are: - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administra ... CCE-36919-9 Always install with elevated privileges Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the d ... CCE-37146-8 Deny log on locally This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.Important:If you apply this security policy to the Everyone group, no one ... CCE-38095-6 Network access: Shares that can be accessed anonymously This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on t ... CCE-37637-6 Interactive logon: Do not require CTRL+ALT+DEL This policy setting determines whether users must press CTRL+ALT+DEL before they log on. If you enable this policy setting, users can log on without this key combination. If you disable this policy setting, users must press CTRL+ALT+DEL before they log ... CCE-37614-5 Domain member: Require strong (Windows 2000 or later) session key When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all domain c ... CCE-37567-5 Require secure RPC communication Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and enc ... CCE-35988-5 This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Di ... CCE-38258-0 Network access: Named Pipes that can be accessed anonymously This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. Note: When you configure this setting you specify a list of one or more objects. The delimiter used w ... CCE-36858-9 Network security: LDAP client signing requirements This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests, as follows: - None. The LDAP BIND request is issued with the caller-specified options. - Negotiate signing. If Transport ... CCE-37553-5 Network security: Minimum session security for NTLM SSP based (including secure RPC) clients This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services ... CCE-37863-8 Microsoft network client: Send unencrypted password to third-party SMB servers Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to third-party SMB servers that do not support password encryption. Microsoft recommends that you disable t ... CCE-36077-6 Network access: Do not allow anonymous enumeration of SAM accounts and shares This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and netwo ... CCE-36148-5 Network access: Let Everyone permissions apply to anonymous users This policy setting determines what additional permissions are assigned for anonymous connections to the computer. If you enable this policy setting, anonymous Windows users are allowed to perform certain activities, such as enumerat ... CCE-37034-6 Account lockout duration This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy sett ... CCE-36347-3 Network access: Remotely accessible registry paths and sub-paths This policy setting determines which registry paths and sub-paths will be accessible when an application or process references the WinReg key to determine access permissions. Note: In Windows XP this setting is called 'Network access: ... CCE-37885-1 System objects: Require case insensitivity for non-Windows subsystems This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32? subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portabl ... CCE-37850-5 Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active ... CCE-36883-7 Reset account lockout counter after This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value f ... CCE-36056-0 Interactive logon: Do not display last user name This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from ... CCE-36021-4 Network access: Restrict anonymous access to Named Pipes and Shares When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymou ... CCE-37194-8 Network access: Remotely accessible registry paths This policy setting determines which registry paths will be accessible after referencing the WinReg key to determine access permissions to the paths. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, ... CCE-36316-8 Network access: Do not allow anonymous enumeration of SAM accounts This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections cannot enumerate domain account user n ... CCE-37222-7 Domain member: Digitally sign secure channel data (when possible) This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone wh ... |
