Download
| Alert*
|
CCE-99768-4
This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user's password for authentication purposes. Passwords that are stored with reversible encryption are ... CCE-99782-5 This subcategory reports changes in authorization policy including permissions (DACL) changes. Events for this subcategory include: - 4704: A user right was assigned. - 4705: A user right was removed. - 4706: A new trust was created to a domain. - 4707: A trust to a domain was remove ... CCE-99744-5 This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and ... CCE-93592-4 This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member will request encryption of all secure channel traffic. If you disable this policy setting, the domain m ... CCE-93746-6 Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. Countermeasure: Configure this policy setting to 900 seconds (15 minutes) so that the risk of a user's desktop session being hijac ... CCE-99732-0 This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory include: ? 4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in ... CCE-99755-1 Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as op ... CCE-99719-7 This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include: ? 4612 : Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. ? 4615 : Invalid use of LPC port. ? 4618 : A monitored ... CCE-93400-0 Include command line in process creation events This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting the command line ... CCE-94077-5 Network security: Minimum session security for NTLM SSP based (including secure RPC) servers This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services ... CCE-99805-4 Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the dev ... CCE-99722-1 This subcategory reports when an AD DS object is accessed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. These events are similar to the directory service access events in previous versions of Windows Server. This sub ... CCE-93241-8 Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7. Countermeasure: Configure Network security: Allow LocalSystem NULL session fallback to Disabled. Potential Impact: Any applications that require NULL ses ... CCE-93434-9 Enable RPC Endpoint Mapper Client Authentication This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) canno ... CCE-99779-1 This subcategory reports the creation of a process and the name of the program or user that created it. Note: These events now get audited earlier than in previous versions of Windows. The creation of smss.exe and other early processes is now audited. Default settings that cannot be altered un ... CCE-99733-8 This subcategory reports other account management events. Events for this subcategory include: ? 4782: The password hash an account was accessed. ? 4793: The Password Policy Checking API was called. Refer to the Microsoft Knowledgebase article ?Description of security events in Windows Vista and in ... CCE-93921-5 Turn on behavior monitoring This policy setting allows you to configure behavior monitoring. If you enable or do not configure this setting, behavior monitoring will be enabled. If you disable this setting, behavior monitoring will be disabled. CCE-99712-2 This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. If you disable this policy ... CCE-93199-8 Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting determines whether it is necessary to contact a domain controller to unlock a computer. If you enable this setting, a domain c ... CCE-93725-0 MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) The registry value entry AutoAdminLogon was added to the template file in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ registry key. The entry appears as MSS: (AutoAdminLogon) Enable Automatic Logon (not ... CCE-93188-1 Turn off Windows Defender Turns off Windows Defender Real-Time Protection, and no more scans are scheduled. If you enable this policy setting, Windows Defender does not run, and computers will not be scanned for spyware or other potentially unwanted software. If you disable or do not configure th ... CCE-99734-6 This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If you enable this Audit policy setting, administrators can track events to detect malicious, ... CCE-99757-7 When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. When you disable or not confi ... CCE-99711-4 The registry value entry SafeDllSearchMode was added to the template file in the HKEY_LOCAL_MACHINE\ SYSTEM\CurrentControlSet\Control\Session Manager\ registry key. The entry appears as MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) in the SCE. The DLL search order can be config ... CCE-93762-3 Enumerate local users on domain-joined computers This policy setting allows local users to be enumerated on domain-joined computers. If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, ... CCE-99807-0 This policy prevents the user from showing account details (email address or user name) on the sign-in screen. If you enable this policy setting, the user cannot choose to show account details on the sign-in screen. If you disable or do not configure this policy setting, the user may choose to sho ... CCE-93992-6 Network access: Do not allow storage of passwords and credentials for network authentication This policy setting determines whether the Stored User Names and Passwords feature may save passwords or credentials for later use when it gains domain authentication. If you enable this policy setting, the ... CCE-99747-8 This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. Events for this subcategory include: ? 4608: Windows is starting up. ? 4609: Windows is shutting down. ? 4616: The system time was changed. ? 4621: Administrator recovered system f ... CCE-93868-8 Scan removable drives This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. If you enable this setting, removable drives will be scanned during any type ... CCE-99758-5 Enables management of password for local administrator account If you enable this setting, local administrator password is managed If you disable or not configure this setting, local administrator password is NOT managed Countermeasure: Enable this setting. Potential Impact: Loca ... CCE-99740-3 The registry value entry ScreenSaverGracePeriod was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\ Windows NT\CurrentVersion\Winlogon\ registry key. The entry appears as MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 ... CCE-94105-4 Devices: Prevent users from installing printer drivers It is feasible for a attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network. To reduce the possi ... CCE-93765-6 Turn off app notifications on the lock screen This policy setting allows you to prevent app notifications from appearing on the lock screen. If you enable this policy setting, no app notifications are displayed on the lock screen. If you disable or do not configure this policy setting, users ... CCE-99797-3 This policy setting allows you to restrict remote RPC connections to SAM. The recommended state for this setting is: Administrators: Remote Access: Allow . Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy. Note 2: If your organiza ... CCE-93922-3 Scan all downloaded files and attachments This policy setting allows you to configure scanning for all downloaded files and attachments. If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. If you disable this setting, scanning for ... CCE-99713-0 This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including g ... CCE-94144-3 User Account Control: Switch to the secure desktop when prompting for elevation This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: - Enabled: (Default) All elevation requests go to the secure des ... CCE-93859-7 Turn off Real-Time Monitoring Turns off Real-Time Protection prompts for known malware detection. Windows Defender alerts you when spyware or potentially unwanted software attempts to install itself or to run on your computer. If you enable this policy setting, Windows Defender will not prompt us ... CCE-99726-2 This subcategory reports changes to objects in Active Directory Domain Services (AD DS). The types of changes that are reported are create, modify, move, and undelete operations that are performed on an object. DS Change auditing, where appropriate, indicates the old and new values of the changed pr ... CCE-99801-3 Encryption Oracle Remediation This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable ... CCE-99752-8 This subcategory reports changes in authentication policy. Events for this subcategory include: ? 4706: A new trust was created to a domain. ? 4707: A trust to a domain was removed. ? 4713: Kerberos policy was changed. ? 4716: Trusted domain information was modified. ? 4717: System security access w ... CCE-99835-1 This subcategory reports when a user account or service uses a non-sensitive privilege. A non-sensitive privilege includes the following user rights: Access Credential Manager as a trusted caller, Access this computer from the network, Add workstations to domain, Adjust memory quotas for a process, ... CCE-93798-7 Do not enumerate connected users on domain-joined computers This policy setting prevents connected users from being enumerated on domain-joined computers. If you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers. If you disable or do n ... CCE-94156-7 MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning The registry value entry WarningLevel was added to the template file in the HKEY_LOCAL_MACHINE\ SYSTEM\CurrentControlSet\Services\Eventlog\Security\ registry key. The entry appears as MSS ... CCE-94160-9 Domain controller: LDAP server signing requirements This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. CCE-99742-9 This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include: ? 4715: The audit policy (SACL) on an object was changed. ? 4719: System audit policy was changed. ? 4902: The Per-user audit policy table was created. ? 4904: An attempt was made to registe ... CCE-99705-6 This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SM ... CCE-99730-4 This policy setting allows you to set the encryption types that Kerberos is allowed to use. This policy is supported on at least Windows 7 or Windows Server 2008 R2. This policy setting allows you to set the encryption types that Kerberos is allowed to use. CCE-99776-7 This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include: - 4625: An account failed to log on. Refer to the Microsoft Knowledgebase article 'Description of security events in Windows Vista and in Windows S ... CCE-99720-5 This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this ... CCE-99743-7 This subcategory reports on other system events. Events for this subcategory include: ? 5024 : The Windows Firewall Service has started successfully. ? 5025 : The Windows Firewall Service has been stopped. ? 5027 : The Windows Firewall Service was unable to retrieve the security policy from the loca ... CCE-93534-6 Turn on e-mail scanning This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently suppo ... CCE-99704-9 This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events for this subcategory include: ? 4610: An authentication package has been loaded by the Local Security Authority. ? 4611: A trusted logon process has been registered with the Local ... CCE-94150-0 Microsoft network server: Digitally sign communications (always) This policy setting determines if the server side SMB service is required to perform SMB packet signing. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. CCE-94158-3 Shutdown: Allow system to be shut down without having to log on This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. Microsoft recommends to disable this pol ... CCE-99777-5 This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that ... CCE-93792-0 Turn off picture password sign-in This policy setting allows you to control whether a domain user can sign in using a picture password. If you enable this policy setting, a domain user can't set up or sign in with a picture password. If you disable or don't configure this policy setting, a d ... CCE-94196-3 Turn on PIN sign-in This policy setting allows you to control whether a domain user can sign in using a PIN. If you enable this policy setting, a domain user can set up and sign in with a PIN. If you disable or don't configure this policy setting, a domain user can't set up and use a PIN. ... CCE-93145-1 This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its computer account password. If you disable this policy setting, the domain member can change its compu ... CCE-99710-6 This policy setting turns off toast notifications on the lock screen. If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen. If you disable or do not configure this policy setting, toast notifications on the lock screen are enabled and can ... CCE-93359-8 Windows Firewall: Public: Logging: Size limit (KB) Use this option to specify the size limit of the file in which Windows Firewall will write its log information. CCE-94185-6 Windows Firewall: Domain: Logging: Log dropped packets Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. CCE-93761-5 Deny log on as a service This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies.Note: This security setting does not apply to the S ... CCE-94211-0 Create global objects This policy setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that ... CCE-93769-8 Increase scheduling priority This policy setting determines whether users can increase the base priority class of a process. (It is not a privileged operation to increase relative priority within a priority class.) This user right is not required by administrative tools that are supplied with the o ... CCE-93433-1 Prevent the usage of OneDrive for file storage This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: * Users can?t access OneDrive from the OneDrive app and file picker. * Windows Store apps can?t access OneDrive using th ... CCE-93687-2 Windows Firewall: Private: Logging: Size limit (KB) Use this option to specify the size limit of the file in which Windows Firewall will write its log information. CCE-94197-1 Act as part of the operating system When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers. CCE-99815-3 Enable or disable Microsoft Defender Exploit Guard network protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet. Enabled: Specify the mode in the Options section: -Blo ... CCE-94140-1 Control Event Log behavior when the log file reaches its maximum size This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If y ... CCE-99760-1 This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session is kept active on the server. By default, Remote Desktop Services allows users to disconn ... CCE-93154-3 Generate security audits This policy setting determines which users or processes can generate audit records in the Security log. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, user ... CCE-93181-6 Minimum password age This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this sett ... CCE-93665-8 Enforce password history This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwor ... CCE-99771-8 This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. If you enable this policy setting, Windows PowerShell will enable transcripting for Windows PowerShell, the Windows PowerShell ISE, and any other applications that leverage the Win ... CCE-93120-4 Allow Microsoft accounts to be optional This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. If you enable this policy setting, Windows Store apps that ... CCE-93006-5 Create a pagefile This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer. When configuring a user right in the SCM enter a comma delimited list of acco ... CCE-93650-0 Allow Basic authentication This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. If you enable this policy setting, the WinRM service will accept Basic authentication from a remote client. If you disable o ... CCE-94055-1 Deny log on as a batch job This policy setting determines which accounts will not be able to log on to the computer as a batch job. A batch job is not a batch (.bat) file, but rather a batch-queue facility. Accounts that use the Task Scheduler to schedule jobs need this user right. When configurin ... CCE-93259-0 Take ownership of files or other objects This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user. When configuring a user right ... CCE-93612-0 Allow log on through Remote Desktop Services This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. If your organization uses Remote Assistance as part of its help desk strategy, create a group and a ... CCE-93032-1 Create a token object This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can ... CCE-94187-2 Shut down the system This policy setting determines which users who are logged on locally to the computers in your environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition. When configuring a user right in the ... CCE-94164-1 Debug programs This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. Developers who are debugging their own applications do not need to be ass ... CCE-99761-9 This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. If you enable this policy setting, you must select the desired time limit in the Idle session limit drop- ... CCE-94081-7 Allow log on locally This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the client computer keyboard require this user right. Users who attempt to log on through Terminal Servic ... CCE-93307-7 Synchronize directory service data This security setting determines which users and groups have the authority to synchronize all directory service data. CCE-99772-6 This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through a ... CCE-93736-7 Log on as a batch job When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers. CCE-94056-9 Windows Firewall: Domain: Display a notification Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note When the Apply local firewall rules setting is configured to No, Microsoft recom ... CCE-99785-8 Manages a Windows app's ability to share data between users who have installed the app. If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage API. If y ... CCE-93747-4 Windows Firewall: Private: Display a notification Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note When the Apply local firewall rules setting is configured to No, Microsoft reco ... CCE-94165-8 Control Event Log behavior when the log file reaches its maximum size This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If y ... CCE-93141-0 Change the system time This policy setting determines which users and groups can change the time and date on the internal clock of the computers in your environment. Users who are assigned this user right can affect the appearance of event logs. When a computer?s time setting is changed, logged eve ... CCE-93164-2 Windows Firewall: Domain: Logging: Size limit (KB) Use this option to specify the size limit of the file in which Windows Firewall will write its log information. CCE-93580-9 Maximum password age This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for this policy setting is 42 days. Because attackers can ... CCE-93633-6 Force shutdown from a remote system This policy setting allows users to shut down Windows Vista?based computers from remote locations on the network. Anyone who has been assigned this user right can cause a denial of service (DoS) condition, which would make the computer unavailable to service user ... CCE-93211-1 Control Event Log behavior when the log file reaches its maximum size This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If y ... CCE-99823-7 Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. Enabled: Specify the mode in the Options section: -Block: Potentially unwanted software ... CCE-99763-5 This policy setting allows users to use tools to view the performance of different system processes, which could be abused to allow attackers to determine a system's active processes and provide insight into the potential attack surface of the computer. Countermeasure: Ensure that only the loca ... CCE-93038-8 Determines whether a user can install and configure the Network Bridge. Important: This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS do ... CCE-93512-2 Allow Remote Shell Access This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. CCE-93573-4 Impersonate a client after authentication The policy setting allows programs that run on behalf of a user to impersonate that user (or another specified account) so that they can act on behalf of the user. If this user right is required for this kind of impersonation, an unauthorized user will not ... CCE-94215-1 Profile single process This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if Syst ... CCE-99703-1 This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure th ... CCE-93668-2 Change the time zone This setting determines which users can change the time zone of the computer. This ability holds no great danger for the computer and may be useful for mobile workers. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either loc ... CCE-93619-5 Windows Firewall: Public: Logging: Name Use this option to specify the path and name of the file in which Windows Firewall will write its log information. CCE-99834-4 This policy setting sets the Attack Surface Reduction rules. Attack surface reduction helps prevent actions and apps that are typically used by exploit- seeking malware to infect machines. Fix: (1) GPO: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender An ... CCE-99811-2 This policy setting allows you to require a pin for pairing. If you set this to Never, a pin isnt required for pairing. If you set this to First Time, the pairing ceremony for new devices will always require a PIN. If you set this to Always, all pairings will require PIN. Fix: (1) GPO: Comput ... CCE-93140-2 Deny access to this computer from the network This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In high security environments, there should be no need for remote users to access data on ... CCE-93256-6 Password must meet complexity requirements This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain the user's account name or parts of the user's ... CCE-94182-3 Do not display the password reveal button This policy setting allows you to configure the display of the password reveal button in password entry user experiences. If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password en ... CCE-99764-3 This policy setting determines whether users can log on as Terminal Services clients. After the baseline member server is joined to a domain environment, there is no need to use local accounts to access the server from the network. Domain accounts can access the server for administration and end-use ... CCE-99749-4 This policy setting determines whether to require domain users to elevate when setting a network's location. If you enable this policy setting, domain users must elevate when setting a network's location. If you disable or do not configure this policy setting, domain users can set a network's loca ... CCE-94133-6 Windows Firewall: Private: Logging: Name Use this option to specify the path and name of the file in which Windows Firewall will write its log information. CCE-93525-4 Sign-in last interactive user automatically after a system-initiated restart This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. If you enable or do not configure this policy setting, the device securely sav ... CCE-99737-9 This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure th ... CCE-93692-2 Control Event Log behavior when the log file reaches its maximum size This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If y ... CCE-99780-9 This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1,024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments. If you disable or do not configure ... CCE-99765-0 This security setting is used by Credential Manager during Backup and Restore. No accounts should have this user right, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this user right is assigned to other entities. Countermeasure: Configure this user right s ... CCE-94051-0 Minimum password length This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps 'pass phrase' is a better term than 'password.' In Mic ... CCE-93721-9 Access this computer from the network This policy setting allows other users on the network to connect to the computer and is required by various network protocols that include Server Message Block (SMB)?based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus ( ... CCE-93830-8 Allow unencrypted traffic This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. If you d ... CCE-93352-3 Disallow Digest authentication This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. If you enable this policy setting, the WinRM client will not use Digest authentication. If you disable or do not configure this policy s ... CCE-93239-2 Modify firmware environment values This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration. Modification of these values and could lead to a hardware failure tha ... CCE-93720-1 Add workstations to domain This policy setting specifies which users can add computer workstations to a specific domain. For this policy setting to take effect, it must be assigned to the user as part of the Default Domain Controller Policy for the domain. A user who has been assigned this right ca ... CCE-93035-4 Windows Firewall: Public: Display a notification Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note When the Apply local firewall rules setting is configured to No, Microsoft recom ... CCE-93789-6 Windows Firewall: Domain: Logging: Name Use this option to specify the path and name of the file in which Windows Firewall will write its log information. CCE-93391-1 Windows Firewall: Domain: Logging: Log successful connections Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. CCE-99728-8 This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure th ... CCE-93569-2 Create symbolic links This policy setting determines which users can create symbolic links. In Windows Vista, existing NTFS file system objects, such as files and folders, can be accessed by referring to a new kind of file system object called a symbolic link. A symbolic link is a pointer (much lik ... CCE-93148-5 Microsoft network server: Disconnect clients when logon hours expire This policy setting determines whether to disconnect users who are connected to the local computer outside their user account?s valid logon hours. It affects the SMB component. If you enable this policy setting, client sessions wi ... CCE-94083-3 Devices: Allowed to format and eject removable media This policy setting determines who is allowed to format and eject removable media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administ ... CCE-93147-7 Network security: Do not store LAN Manager hash value on next password change This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stro ... CCE-94076-7 Enable computer and user accounts to be trusted for delegation This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. Abuse of this privilege could allow unauthorized users to impersonate other users on the network. When configuring ... CCE-93034-7 Always install with elevated privileges Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the d ... CCE-93313-5 Back up files and directories This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programmin ... CCE-93567-6 Replace a process level token This policy setting allows one process or service to start another service or process with a different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges. When configuring a user ... CCE-94149-2 Create permanent shared objects This user right is useful to kernel-mode components that extend the object namespace. However, components that run in kernel mode have this user right inherently. Therefore, it is typically not necessary to specifically assign this user right. When configuring a use ... CCE-94188-0 Perform volume maintenance tasks This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial-of-service condition. When configuring a user right in the SCM enter a comma delimited list of ... CCE-94216-9 Lock pages in memory This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. If this user right is assigned, significant degradation of system performance can occur. When configuring a user right in the SCM ent ... CCE-93283-0 Restore files and directories This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories on computers that run Windows Vista in your environment. This user right also determines which users ... CCE-93809-2 Load and unload device drivers This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this capability to install malicious code that appears to be a device driver. This user right is required for users to add local printers or printer ... CCE-93594-0 Deny log on locally This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.Important:If you apply this security policy to the Everyone group, no one ... CCE-99767-6 This policy setting enables or disables the Administrator account during normal operation. When a computer is booted into safe mode, the Administrator account is always enabled, regardless of how this setting is configured. Note: that this setting will have no impact when applied to the domain contr ... CCE-94003-1 Accounts: Block Microsoft accounts This policy setting prevents users from adding new Microsoft accounts on this computer. If you select the 'Users can?t add Microsoft accounts' option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft ... CCE-93604-7 This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Di ... CCE-94152-6 Interactive logon: Prompt user to change password before expiration This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently warn users when their passwords will expire. CCE-93127-9 Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active ... CCE-93812-6 Domain member: Digitally sign secure channel data (when possible) This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone wh ... CCE-94103-9 Domain member: Require strong (Windows 2000 or later) session key When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all domain c ... CCE-93808-4 Network security: Minimum session security for NTLM SSP based (including secure RPC) clients This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services ... CCE-93636-9 Microsoft network client: Send unencrypted password to third-party SMB servers Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to third-party SMB servers that do not support password encryption. Microsoft recommends that you disable t ... CCE-93028-9 Microsoft network server: Amount of idle time required before suspending session This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control ... CCE-93576-7 Domain member: Digitally encrypt or sign secure channel data (always) This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. If a system is set to always encrypt or sign secure channel data, it cannot establish a secure ... CCE-94128-6 Require secure RPC communication Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and enc ... CCE-94132-8 Network access: Let Everyone permissions apply to anonymous users This policy setting determines what additional permissions are assigned for anonymous connections to the computer. If you enable this policy setting, anonymous Windows users are allowed to perform certain activities, such as enumerat ... CCE-93631-0 Microsoft network client: Digitally sign communications (if server agrees) This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. The implementation of digital signing in Windows?based networks helps to prevent sessions from being hijacked. If you enable ... CCE-93732-6 Microsoft network client: Digitally sign communications (always) This policy setting determines whether packet signing is required by the SMB client component. If you enable this policy setting, the Microsoft network client computer cannot communicate with a Microsoft network server unless that ser ... CCE-99792-4 Specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. If you enable this setting, all communications between clients and RD Session Host servers during remote conne ... CCE-93448-9 Require user authentication for remote connections by using Network Level Authentication This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhances security ... CCE-99818-7 Allow Windows Ink Workspace Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Ink Workspace\Allow Windows Ink Workspace (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsInkWorkspace!AllowWindowsInkWorkspace CCE-99736-1 If the Screen Saver Timeout setting is enabled, then the screen saver will be launched when the specified amount of time has passed since the last user action. Valid values range from 1 to 89,400 seconds (24 hours). The setting has no effect if the wait time is set to zero or no screen saver has bee ... CCE-99727-0 If the Password protect the screen saver setting is enabled, then all screen savers are password protected, if it is disabled then password protection cannot be set on any screen saver. CCE-99739-5 This policy setting allows you to manage whether or not screen savers run. If the Screen Saver setting is disabled screen savers do not run and the screen saver section of the Screen Saver tab in Display in Control Panel is disabled. If this setting is enabled a screen saver will run if the followin ... |
