[Forgot Password]
Login  Register Subscribe

24436

 
 

131815

 
 

115532

 
 

909

 
 

90034

 
 

140

Paid content will be excluded from the download.


Download | Alert*


CCE-46768-8
"Interactive logon: Machine inactivity limit" Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. Vulnerability: If a user forgets to lock their computer when they walk away it is ...

CCE-46228-3
"Domain controller: LDAP server signing requirements" This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. Vulnerability: Unsigned network traffic is susceptible to man-in-the-middle attacks. In such at ...

CCE-44499-2
"Deny access to this computer from the network" This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In high security environments, there should be no need for remote users to access data o ...

CCE-47038-5
"Microsoft network server: Digitally sign communications (always)" This policy setting determines if the server side SMB service is required to perform SMB packet signing. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. ...

CCE-45276-3
"MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)" MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Vulnerability: An attacker could use source routed packets to obscure their identity and lo ...

CCE-47309-0
"Password must meet complexity requirements" This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain the user's account name or parts of the user ...

CCE-46230-9
"Microsoft network server: Digitally sign communications (if client agrees)" This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a conn ...

CCE-44597-3
"System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)" This policy setting determines the strength of the default discretionary access control list (DACL) for objects. The setting helps secure objects that can be located and shared among processes and its ...

CCE-46305-9
"Network access: Do not allow anonymous enumeration of SAM accounts" This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections cannot enumerate domain account user ...

CCE-46136-8
"Microsoft network client: Send unencrypted password to third-party SMB servers" Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to third-party SMB servers that do not support password encryption. Microsoft recommends that you disable ...

CCE-46912-2
"User Account Control: Detect application installations and prompt for elevation" This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application installation package is detected that requires ele ...

CCE-47154-0
"User Account Control: Run all administrators in Admin Approval Mode" This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: - Enabled: (Default) Admin Approv ...

CCE-44520-5
"System objects: Require case insensitivity for non-Windows subsystems" This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 * subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Port ...

CCE-45743-2
"Always prompt for password upon connection" This policy setting specifies whether Terminal Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Terminal Services, even if they already provid ...

CCE-46565-8
"Network security: LAN Manager authentication level" LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network ...

CCE-47000-5
"User Account Control: Admin Approval Mode for the Built-in Administrator account" This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: - Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any oper ...

CCE-47214-2
"User Account Control: Behavior of the elevation prompt for standard users" This policy setting controls the behavior of the elevation prompt for standard users. The options are: - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administ ...

CCE-45608-7
"Minimum password age" This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this se ...

CCE-46651-6
"Specify the maximum log file size (KB) (System Log)" This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilo ...

CCE-47225-8
"Always install with elevated privileges" Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the ...

CCE-44479-4
"Enforce password history" This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passw ...

CCE-45275-5
"MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)" MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Vulnerability: An attacker could use source routed packets to obscure their ident ...

CCE-46031-1
"Network security: Do not store LAN Manager hash value on next password change" This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically st ...

CCE-46760-5
"Set the default behavior for AutoRun" This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing an ...

CCE-45876-0
"Turn off Data Execution Prevention for Explorer" Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. Vulnerability: Data Execution Prevention is an important security feature supported by Explorer that helps to limit the ...

CCE-45279-7
"MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Vulnerability: This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes ...

CCE-44494-3
"Specify the maximum log file size (KB) (Application Log)" This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in ...

CCE-46412-3
"Network access: Let Everyone permissions apply to anonymous users" This policy setting determines what additional permissions are assigned for anonymous connections to the computer. If you enable this policy setting, anonymous Windows users are allowed to perform certain activities, such as enumer ...

CCE-46911-4
"User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - En ...

CCE-47157-3
"User Account Control: Virtualize file and registry write failures to per-user locations" This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run- ...

CCE-45283-9
"MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Vulnerability: The NetBT protocol is designed not to use authenti ...

CCE-46148-3
"Interactive logon: Smart card removal behavior" This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. Vulnerability: Users sometimes forget to lock their workstations when they are away from them, allowing the possibility ...

CCE-46970-0
"Turn off Autoplay" Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. You can enable the ...

CCE-44703-7
"Allow log on through Remote Desktop Services" This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. If your organization uses Remote Assistance as part of its help desk strategy, create a group and ...

CCE-46993-2
"Allow user control over installs" This policy setting permits users to change installation options that typically are available only to system administrators. If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete t ...

CCE-46160-8
"Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication servic ...

CCE-46914-8
"Minimum password length" This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps "pass phrase" is a better term than " ...

CCE-47296-9
"Network security: Allow LocalSystem NULL session fallback" Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7. Vulnerability: NULL sessions are less secure because by definition they are unauthenticated. Count ...

CCE-46018-8
"Domain member: Disable machine account password changes" This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its computer account password. If you disable ...

CCE-44526-2
"Specify the maximum log file size (KB) (Security Log)" This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in ki ...

CCE-47152-4
"Account lockout duration" This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy se ...

CCE-44861-3
"Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication servic ...

CCE-46334-9
"Microsoft network client: Digitally sign communications (if server agrees)" This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. The implementation of digital signing in Windows -based networks helps to prevent sessions from being hijacked. If you ena ...

CCE-44804-3
"Impersonate a client after authentication" The policy setting allows programs that run on behalf of a user to impersonate that user (or another specified account) so that they can act on behalf of the user. If this user right is required for this kind of impersonation, an unauthorized user will no ...

CCE-46135-0
"Microsoft network client: Digitally sign communications (always)" This policy setting determines whether packet signing is required by the SMB client component. If you enable this policy setting, the Microsoft network client computer cannot communicate with a Microsoft network server unless that s ...

CCE-44496-8
"Require secure RPC communication" Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and e ...

CCE-46005-5
"Accounts: Limit local account use of blank passwords to console logon only" This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that ha ...

CCE-44911-6
"Network access: Restrict anonymous access to Named Pipes and Shares" When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonym ...

CCE-46406-5
"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Activ ...

CCE-47129-2
"Network security: LDAP client signing requirements" This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests, as follows: - None. The LDAP BIND request is issued with the caller-specified options. - Negotiate signing. If Transpor ...

CCE-45486-8
"Access this computer from the network" This policy setting determines which users can connect to the computer from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Compo ...

CCE-46440-4
"Domain member: Digitally sign secure channel data (when possible)" This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone ...

CCE-47284-5
"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Elevate without prompting: Allows privileged accounts to perform an operation that requires e ...

CCE-44650-0
"Force shutdown from a remote system" This policy setting allows users to shut down Windows Vista -based computers from remote locations on the network. Anyone who has been assigned this user right can cause a denial of service (DoS) condition, which would make the computer unavailable to service u ...

CCE-46913-0
"User Account Control: Only elevate UIAccess applications that are installed in secure locations" This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure location ...

CCE-47193-8
"Set client connection encryption level" This policy setting specifies whether the computer that is about to host the remote connection will enforce an encryption level for all data sent between it and the client computer for the remote session. Vulnerability: If Terminal Server client connec ...

CCE-46108-7
"Deny log on locally" This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.Important:If you apply this security policy to the Everyone group, no on ...

CCE-47272-0
"Reset account lockout counter after" This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value ...

CCE-45958-6
"Domain member: Require strong (Windows 2000 or later) session key" When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all domain ...

CCE-44828-2
"Create symbolic links" This policy setting determines which users can create symbolic links. In Windows Vista, existing NTFS file system objects, such as files and folders, can be accessed by referring to a new kind of file system object called a symbolic link. A symbolic link is a pointer (much l ...

CPE    1
cpe:/o:microsoft:windows_server_2016
*XCCDF
xccdf_org.secpod_benchmark_HIPAA_45CFR_164_Windows_Server_2016
OVAL    60
oval:org.secpod.oval:def:40205
oval:org.secpod.oval:def:40199
oval:org.secpod.oval:def:40245
oval:org.secpod.oval:def:40246
...

© SecPod Technologies