[Forgot Password]
Login  Register Subscribe

23631

 
 

126951

 
 

99602

 
 

909

 
 

80170

 
 

109

Paid content will be excluded from the download.


Download | Alert*


CCE-42548-8
Disable: 'Do not show feedback notifications' This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. If you enable this policy setting, users will no longer see feedback notifications through the Windows Feedback app. If you disable ...

CCE-44430-7
Select the 'Let Windows apps access trusted devices' to user_is_in_control This policy setting specifies whether Windows apps can access trusted devices. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access trusted devices by u ...

CCE-42514-0
Audit Policy: Account Logon: Kerberos Authentication Service This subcategory reports events generated by the Kerberos Authentication Server. These events occur on the computer that is authoritative for the credentials. Events for this subcategory include: - 4768: A Kerberos authentication ticket ( ...

CCE-42997-7
Set the time Quiet Hours begins each day This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to begin each day. If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settin ...

CCE-44137-8
Disable: 'Domain member: Digitally encrypt secure channel data (when possible)' for sealsecurechannel This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member ...

CCE-42295-6
Disable: 'Disallow Digest authentication' This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. If you enable this policy setting, the WinRM client will not use Digest authentication. If you disable or do not config ...

CCE-43218-7
Specify the 'Configure time out for detections in critically failed state' (CriticalFailureTimeout in mins Min:0 Max:4294967295) This policy setting configures the time in minutes before a detection in the "critically failed" state to moves to either the "additional action" state or the "cleared" s ...

CCE-42402-8
Specify the 'Configure time out for detections in recently remediated state' (RecentlyCleanedTimeout Min:0 Max:4294967295 in Mins) This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state. Counter Measure: Configure this se ...

CCE-41505-9
Disable: 'Network Security: Restrict NTLM: Add server exceptions in this domain' for DCAllowedNTLMServers This policy setting allows you to create an exception list of servers in this domain to which clients are allowed to use NTLM pass-through authentication if the "Network Security: Restrict NTLM ...

CCE-44432-3
Select the 'Let Windows apps sync with devices' to user_is_in_control This policy setting specifies whether Windows apps can sync with devices. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can sync with devices by using Settings & ...

CCE-42057-0
Set the time Quiet Hours ends each day This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to end each day. If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. ...

CCE-41483-9
Disable: 'Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication' for ClientAllowedNTLMServers This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM ...

CCE-44420-8
Select the 'Let Windows apps access account information' to user_is_in_control This policy setting specifies whether Windows apps can access account information. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access account info ...

CCE-43217-9
Specify Work Folders settings This policy setting specifies the Work Folders server for affected users, as well as whether or not users are allowed to change settings when setting up Work Folders on a domain-joined computer. If you enable this policy setting, affected users user receive Work Folde ...

CCE-42777-3
Disable: 'Prevent enabling lock screen slide show' Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By default, users can enable a slide show that will run after they lock the machine. If you enable this setting, users wi ...

CCE-44222-8
Specify the 'Configure time out for detections requiring additional action' (in Mins Min:0 Max:4294967295) This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state. Counter Measure: Configure this setting depending ...

CCE-41956-4
Disable: 'Interactive logon: Display user information when the session is locked' for DontDisplayLockedUserId This policy setting determines whether the account name of the last user to log on to the client computers in your organization can display in each computer's respective Windows logon scree ...

CCE-43729-3
Prevent changing screen saver Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It does not prevent a screen saver from running. Cou ...

CCE-44431-5
Select the 'Let Windows apps control radios' to user_is_in_control This policy setting specifies whether Windows apps have access to control radios. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps have access to control radios by usi ...

CCE-44257-4
Disable: 'Allow Basic authentication for Windows Remote Management (WinRM) client' This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. If you enable this policy setting, the WinRM client will use Basic authentication. If WinRM ...

CCE-44419-0
Disable: 'Enable insecure guest logons' This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons. If you disable this ...

CCE-43190-8
'Specify settings for optional component installation and component repair' for LocalSourcePath This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. If yo ...

CCE-44266-5
Specify the 'Interactive logon: Message text for users attempting to log on' value Microsoft recommends that you use this setting, if appropriate to your environment and your organization's business requirements, to help protect end user computers. This policy setting specifies a text message that ...

CCE-43995-0
Disable: 'Turn on Information Protection Control' This policy setting allows you to configure Information Protection Control (IPC). If you enable this setting, IPC will be enabled. If you disable or do not configure this setting, IPC will be disabled. Counter Measure: Configure thi ...

CCE-43080-1
Select the 'Require use of specific security layer for remote (RDP) connections' to rdp Specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. If you enable this set ...

CCE-42495-2
Specify the 'Name of administrator account to manage' Administrator account name: name of the local account you want to manage password for. DO NOT configure when you use built-in admin account. Built-in admin account is auto-detected by well-known SID, even when renamed DO configure wh ...

CCE-44429-9
Select the 'Let Windows apps access the microphone' to user_is_in_control This policy setting specifies whether Windows apps can access the microphone. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the microphone by usin ...

CCE-44263-2
Disable: 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' This policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box. This policy setting works in conjunction with the following Do ...

CCE-42889-6
Disable: 'Force automatic setup for all users' This policy setting specifies whether Work Folders should be set up automatically for all users of the affected computer. If you enable this policy setting, Work Folders will be set up automatically for all users of the affected computer. This prev ...

CCE-43775-6
Disable: 'Network Security: Restrict NTLM: Incoming NTLM traffic' for RestrictReceivingNTLMTraffic This policy setting allows you to deny or allow incoming NTLM traffic. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Block events are recorded on this compute ...

CCE-41576-0
Restrict the user from entering author mode Prevents users from entering author mode. This setting prevents users from opening the Microsoft Management Console (MMC) in author mode, explicitly opening console files in author mode, and opening any console files that open in author mode by default. ...

CCE-44177-4
Disable: 'Windows Firewall: Domain: Display a notification' for DisableNotifications Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note When the Apply local firewall rules sett ...

CCE-41707-1
Disable: 'Allow Basic authentication for Windows Remote Management (WinRM) service' This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. If you enable this policy setting, the WinRM service will accept ...

CCE-43236-9
Disable: 'Windows Firewall: Domain: Firewall state' for EnableFirewall Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rul ...

CCE-42867-2
Disable: 'No auto-restart with logged on users for scheduled automatic updates installations' This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. If you enable the No auto-resta ...

CCE-42493-7
Disable: 'Allow input personalization' This policy enables the automatic learning component of input personalization that includes speech, inking, and typing. Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar info ...

CCE-42054-7
Disable: 'Reschedule Automatic Updates scheduled installations' This policy setting determines the amount of time before previously scheduled Automatic Update installations will proceed after system startup. If you configure this policy setting to Enabled, a previously scheduled installation will b ...

CCE-42344-2
Disable: 'Windows Firewall: Public: Display a notification' for DisableNotifications Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note When the Apply local firewall rules sett ...

CCE-44426-5
Select the 'Let Windows apps access motion' to user_is_in_control This policy setting specifies whether Windows apps can access motion data. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access motion data by using Settings &gt ...

CCE-44273-1
Prevent Codec Download This policy setting allows you to prevent Windows Media Player from downloading codecs. If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player t ...

CCE-43844-0
Specify the 'Interactive logon: Machine inactivity limit' value (timeout in seconds 15-900) Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. Counter Measure: Configure this p ...

CCE-41762-6
Disable: 'Domain member: Digitally encrypt or sign secure channel data (always)' for requiresignorseal This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. If a system is set to always encrypt or sign secure channel da ...

CCE-43034-8
Disable: 'Require user authentication for remote connections by using Network Level Authentication' This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhanc ...

CCE-42487-9
Disable showing balloon notifications as toasts This policy disables the functionality that converts balloons to toast notifications. If you enable this policy setting, system and application notifications will render as balloons instead of toast notifications. Enable this policy setting if a spe ...

CCE-43144-5
Disable: 'Windows Firewall: Private: Apply local connection security rules' for AllowLocalIPsecPolicyMerge This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. Counter M ...

CCE-44380-4
Disable: 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choice in the Shut Down Windows dialog. Note that this policy setting h ...

CCE-43832-5
Remove Notifications and Action Center This policy setting removes Notifications and Action Center from the notification area on the taskbar. The notification area is located at the far right end of the taskbar and includes icons for current notifications and the system clock. If this setting is ...

CCE-42914-2
Disable: 'Windows Firewall: Private: Firewall state' for EnableFirewall Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall ru ...

CCE-44425-7
Select the 'Let Windows apps access messaging' to user_is_in_control This policy setting specifies whether Windows apps can read or send messages (text or MMS). If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can read or send message ...

CCE-42715-3
Audit Policy: Logon-Logoff: Network Policy Server This subcategory reports events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. Auditing this setting will result in a medium or high volum ...

CCE-44428-1
Select the 'Let Windows apps access the camera' to user_is_in_control This policy setting specifies whether Windows apps can access the camera. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the camera by using Settings & ...

CCE-43964-6
Disable: 'Prevent enabling lock screen camera' Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. If you enable this setting, users will ...

CCE-43124-7
Disable: 'Use advanced RemoteFX graphics' for RemoteApp This policy setting allows you to enable RemoteApp programs to use advanced graphics, including support for transparency, live thumbnails, and seamless application moves. This policy setting applies only to RemoteApp programs and does not appl ...

CCE-43756-6
Turn off calls during Quiet Hours This policy setting blocks voice and video calls during Quiet Hours. If you enable this policy setting, voice and video calls will be blocked during the designated Quiet Hours time window each day, and users will not be able to customize any other Quiet Ho ...

CCE-42837-5
Disable: 'Windows Firewall: Public: Firewall state' for EnableFirewall Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rul ...

CCE-43452-2
Disable: 'Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers' for RestrictSendingNTLMTraffic This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. This policy is suppo ...

CCE-41654-5
Disable: 'Windows Firewall: Public: Apply local firewall rules' for AllowLocalPolicyMerge This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Counter Measure: Disable this setting ...

CCE-44427-3
Select the 'Let Windows apps access the calendar' to user_is_in_control This policy setting specifies whether Windows apps can access the calendar. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the calendar by using Sett ...

CCE-44064-4
Disable: 'Do not allow local administrators to customize permissions' for fWritableTSCCPermTab Specifies whether to disable the administrator rights to customize security permissions in the Remote Desktop Session Host Configuration tool. You can use this setting to prevent administrators from m ...

CCE-44302-8
Remove Security tab Removes the Security tab from File Explorer. If you enable this setting, users opening the Properties dialog box for all file system objects, including folders, files, shortcuts, and drives, will not be able to access the Security tab. As a result, users will be able to neither ...

CCE-41646-1
Disable: 'Windows Firewall: Domain: Apply local connection security rules' This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. Counter Measure: Disable this setting ...

CCE-42860-7
Specify the 'Configure time out for detections in non-critical failed state' (NonCriticalTimeout Min:0 Max:4294967295 in Mins) This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared" state. Counter Measure: Configure ...

CCE-44422-4
Select the 'Let Windows apps access contacts' to user_is_in_control This policy setting specifies whether Windows apps can access contacts. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access contacts by using Settings > Pr ...

CCE-42631-2
Disable: 'Windows Firewall: Domain: Apply local firewall rules' for AllowLocalPolicyMerge This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Counter Measure: Disable this setting ...

CCE-41527-3
Disable: 'Windows Firewall: Private: Display a notification' for DisableNotifications Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note When the Apply local firewall rules set ...

CCE-43813-5
Disable: 'Prioritize H.264/AVC 444 graphics mode for Remote Desktop Connections' This policy setting prioritizes the H.264/AVC 444 graphics mode for non-RemoteFX vGPU scenarios. When you use this setting on the RDP server, the server will use H.264/AVC 444 as the codec in an RDP 10 connection where ...

CCE-44119-6
Disable: 'Allow unencrypted traffic for AllowUnencryptedTraffic' This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencr ...

CCE-44421-6
Select the 'Let Windows apps access call history' to user_is_in_control This policy setting specifies whether Windows apps can access call history. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access call history by using Sett ...

CCE-43847-3
Turn off toast notifications on the lock screen This policy setting turns off toast notifications on the lock screen. If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen. If you disable or do not configure this policy setting, toast not ...

CCE-42991-0
Turn off Quiet Hours This policy setting turns off Quiet Hours functionality. If you enable this policy setting, toast notifications will not be suppressed and some background tasks will not be deferred during the designated Quiet Hours time window each day. If you disable this po ...

CCE-42554-6
Disable: 'Do not allow hardware accelerated decoding' This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration if supported hardware is available. If you use this setting, the Remote Desktop Client will use only software decoding. For example, if you have a ...

CCE-41547-1
Disable: 'Network Security: Restrict NTLM: NTLM authentication in this domain' for RestrictNTLMInDomain This policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy does not affect interactive logon to this domain controller. Coun ...

CCE-43812-7
Select the 'Configure H.264/AVC hardware encoding for Remote Desktop Connections' value This policy setting lets you enable H.264/AVC hardware encoding support for Remote Desktop Connections. When you enable hardware encoding, if an error occurs, we will attempt to use software encoding. If you dis ...

CCE-44424-0
Select the 'Let Windows apps access location' to user_is_in_control This policy setting specifies whether Windows apps can access location. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access location by using Settings > Pr ...

CCE-42564-5
Force specific screen saver This policy setting allows you to manage whether or not screen savers run. If the Screen Saver setting is disabled screen savers do not run and the screen saver section of the Screen Saver tab in Display in Control Panel is disabled. If this setting is enabled a screen s ...

CCE-42599-1
Disable: 'Allow unencrypted traffic' This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the netwo ...

CCE-41647-9
Disable: 'Network Security: Configure encryption types allowed for Kerberos' for SupportedEncryptionTypes This policy setting allows you to set the encryption types that Kerberos is allowed to use. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Counter Measure: ...

CCE-44423-2
Select the 'Let Windows apps access email for LetAppsAccessEmail' to user_is_in_control This policy setting specifies whether Windows apps can access email. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access email by using Se ...

CCE-42066-1
Ensure No Auditing for 'Audit Policy: Logon-Logoff: Special Logon' This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include: - 4964 : ...

CCE-44148-5
Disable: 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' for cachedlogonscount This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached loca ...

CCE-41811-1
Ensure No Auditing for 'Audit Policy: Object Access: Registry' This subcategory reports when registry objects are accessed. Only registry objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL. By itself, this policy setting will not c ...

CCE-41582-8
'Specify the maximum log file size (KB)' (System Log) (Min:1024 Max:2147483647 kb) This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabyte ...

CCE-41737-8
Ensure No Auditing for 'Audit Policy: Object Access: Other Object Access Events' This subcategory reports other object access-related events such as Task Scheduler jobs and COM+ objects. Events for this subcategory include: - 4671: An application attempted to access a blocked ordinal through th ...

CCE-42962-1
Ensure No Auditing for 'Audit Policy: Detailed Tracking: RPC Events' This subcategory reports remote procedure call (RPC) connection events. Events for this subcategory include: - 5712: A Remote Procedure Call (RPC) was attempted. Refer to the Microsoft Knowledgebase article "Description o ...

CCE-43894-5
Account lockout threshold This policy setting determines the number of failed logon attempts before a lock occurs. Authorized users can lock themselves out of an account by mistyping their password or by remembering it incorrectly, or by changing their password on one computer while logged on to an ...

CCE-44027-1
Disable: 'Microsoft network server: Digitally sign communications (if client agrees)' for enablesecuritysignature This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing ...

CCE-43567-7
Select the 'Restrict Unauthenticated RPC clients for RestrictRemoteClients' to none This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setti ...

CCE-43062-9
Ensure Audit Success for 'Audit Policy: Detailed Tracking: Process Creation' This subcategory reports the creation of a process and the name of the program or user that created it. Note: These events now get audited earlier than in previous versions of Windows. The creation of smss.exe and oth ...

CCE-41593-5
Ensure No Auditing for 'Audit Policy: System: IPsec Driver' This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory include: - 4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it coul ...

CCE-42974-6
Disable: 'Network access: Do not allow storage of passwords and credentials for network authentication' for DisableDomainCreds This policy setting determines whether the Stored User Names and Passwords feature may save passwords or credentials for later use when it gains domain authentication. If y ...

CCE-41823-6
Ensure No Auditing for 'Audit Policy: Object Access: File System' This subcategory reports when file system objects are accessed. Only file system objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL. By itself, this policy setting w ...

CCE-41615-6
Ensure No Auditing for 'Audit Policy: Account Logon: Credential Validation' This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the doma ...

CCE-43773-1
'Set time limit for active but idle Remote Desktop Services sessions' to never This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. If you enable this policy ...

CCE-41474-8
Disable: 'Domain member: Require strong (Windows 2000 or later) session key' for requirestrongkey When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enab ...

CCE-42317-8
Ensure Audit Success and Failure for 'Audit Policy: Account Management: Other Account Management Events' This subcategory reports other account management events. Events for this subcategory include: - 4782: The password hash an account was accessed. - 4793: The Password Policy Checking API ...

CCE-42219-6
Disable: 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' for AutoAdminLogon MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Counter Measure: Do not configure the MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) entry except on highly secure com ...

CCE-42710-4
Disable: 'Require secure RPC communication' Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allowing only authent ...

CCE-42842-5
Disable: 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' for NTLMMinServerSec This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications t ...

CCE-43458-9
Disable: 'Network security: LDAP client signing requirements' for LDAPClientIntegrity This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests, as follows: - None. The LDAP BIND request is issued with the caller-specified opti ...

CCE-41637-0
Ensure No Auditing for 'Audit Policy: Logon-Logoff: IPsec Quick Mode' This subcategory reports the results of IKE protocol and AuthIP during Quick Mode negotiations. - 4654: An IPsec Quick Mode negotiation failed. Events for this subcategory include: - 4977: During Quick Mode negotiation, I ...

CCE-43772-3
Ensure Audit Success and Failure for 'Audit Policy: System: Security System Extension' This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events for this subcategory include: - 4610: An authentication package has been loaded by the ...

CCE-42975-3
Disable: 'Configure Offer Remote Assistance' for fAllowUnsolicited This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. If you enable this policy setting, users on this computer can get help from their corporate technical support staff us ...

CCE-43545-3
Notify antivirus programs when opening attachments Antivirus programs are mandatory in many environments and provide a strong defense against attack. The Notify antivirus programs when opening attachments setting allows you to manage how registered antivirus programs are notified. When enabled, thi ...

CCE-42010-9
Specify the 'Network access: Remotely accessible registry paths' for Machine This policy setting determines which registry paths will be accessible after referencing the WinReg key to determine access permissions to the paths. Note: This setting does not exist in Windows XP. There was a setting ...

CCE-43655-0
Disable: 'Control System Event Log behavior when the log file reaches its maximum size' This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log an ...

CCE-42120-6
Disable: 'Interactive logon: Smart card removal behavior' for scremoveoption This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. Counter Measure: Configure the Smart card removal behavior setting to Lock Workstation. ...

CCE-41813-7
Disable: 'Detect compatibility issues for applications and drivers' This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with application and driver compatibility. If you enable this policy setting, the PCA is configured to detect failures during applic ...

CCE-44037-0
Disable: 'Allow Microsoft accounts to be optional' This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. If you enable this policy setting, Windows Stor ...

CCE-41682-6
Disable: 'User Account Control: Switch to the secure desktop when prompting for elevation' for PromptOnSecureDesktop This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: - Enabled: (Default) ...

CCE-42327-7
Disable: 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' for NoNameReleaseOnDemand MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Counter Measure: Configure ...

CCE-42155-2
'Set time limit for disconnected sessions' to never This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session is kept active on the server. By defa ...

CCE-41727-9
Ensure No Auditing for 'Audit Policy: Logon-Logoff: Logoff' This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place ...

CCE-43546-1
Disable: 'Network security: LAN Manager authentication level' for LmCompatibilityLevel LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, u ...

CCE-42437-4
Specify the 'Configure minimum PIN length for startup' (MinimumPIN Length Min:4 Max:20) This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length ...

CCE-42995-1
Disable: 'User Account Control: Run all administrators in Admin Approval Mode' for EnableLUA This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: - En ...

CCE-42852-4
Disable: 'Configure Solicited Remote Assistance' for fAllowToGetHelp This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Al ...

CCE-41583-6
Disable: 'Prevent the computer from joining a homegroup' By default, users can add their computer to a homegroup on a home network. If you enable this policy setting, a user on this computer will not be able to add this computer to a homegroup. This setting does not affect other network sharin ...

CCE-41529-9
Disable: 'Windows Firewall: Private: Apply local firewall rules' for AllowLocalPolicyMerge This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Counter Measure: Disable this setting ...

CCE-44049-5
Disable: 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' for EnableUIADesktopToggle This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation pr ...

CCE-43913-3
Disable: 'User Account Control: Detect application installations and prompt for elevation' for EnableInstallerDetection This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application instal ...

CCE-42788-0
Disable: 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' for TcpMaxDataRetransmissions MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) Counter Measu ...

CCE-41836-8
Ensure No Auditing for 'Audit Policy: Logon-Logoff: Other Logon/Logoff Events' This subcategory reports other logon/logoff-related events, such as Terminal Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. E ...

CCE-43086-8
Disable: 'Allow remote access to the Plug and Play interface' This policy setting allows you to allow or deny remote access to the Plug and Play interface. If you enable this policy setting, remote connections to the Plug and Play interface are allowed. If you disable or do not c ...

CCE-43184-1
Disable: 'Microsoft network server: Disconnect clients when logon hours expire' for enableforcedlogoff This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. It affects the SMB component. If you enable this ...

CCE-42950-6
Ensure No Auditing for 'Audit Policy: DS Access: Directory Service Access' This subcategory reports when an AD DS object is accessed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. These events are similar to the dire ...

CCE-42459-8
Disable: 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' for Enabled This policy setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. Although ...

CCE-43909-1
Ensure No Auditing for 'Audit Policy: Policy Change: Other Policy Change Events' This subcategory reports other types of security policy changes such as configuration of the Trusted Platform Module (TPM) or cryptographic providers. Events for this subcategory include: - 4909: The local policy s ...

CCE-42506-6
Disable: 'Enable Protected Event Logging' This policy setting lets you configure Protected Event Logging. If you enable this policy setting, components that support it will use the certificate you supply to encrypt potentially sensitive event log data before writing it to the event log. Data wi ...

CCE-42160-2
Specify the 'Network access: Remotely accessible registry paths and sub-paths' for Machine This policy setting determines which registry paths and sub-paths will be accessible when an application or process references the WinReg key to determine access permissions. Note: In Windows XP this sett ...

CCE-42615-5
Ensure No Auditing for 'Audit Policy: System: Security State Change' This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. Events for this subcategory include: - 4608: Windows is starting up. - 4609: Windows is shutting down ...

CCE-43224-5
Ensure Audit Success and Failure for 'Audit Policy: Privilege Use: Sensitive Privilege Use' This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights: Act as part of the operating system, Back up files and directori ...

CCE-41948-1
Disable: 'Network access: Let Everyone permissions apply to anonymous users' for EveryoneIncludesAnonymous This policy setting determines what additional permissions are assigned for anonymous connections to the computer. If you enable this policy setting, anonymous Windows users are allowed to per ...

CCE-43081-9
Ensure No Auditing for 'Audit Policy: Object Access: Filtering Platform Packet Drop' This subcategory reports when packets are dropped by Windows Filtering Platform (WFP). These events can be very high in volume. Events for this subcategory include: - 5152: The Windows Filtering Platform blocke ...

CCE-43453-0
Disable: 'User Account Control: Admin Approval Mode for the Built-in Administrator account' for FilterAdministratorToken This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: - Enabled: The built-in Administrator account us ...

CCE-41574-5
Disable: 'Interactive logon: Do not display last user name' for DontDisplayLastUserName This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this p ...

CCE-41597-6
Disable: 'Network security: Allow Local System to use computer identity for NTLM' for UseMachineId When enabled, this policy setting causes Local System services that use Negotiate to use the computer identity when NTLM authentication is selected by the negotiation. This policy is supported on ...

CCE-42340-0
'Specify the maximum log file size (KB)' (Security Log) This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in ...

CCE-43863-0
Password protect the screen saver If the Password protect the screen saver setting is enabled, then all screen savers are password protected, if it is disabled then password protection cannot be set on any screen saver. Counter Measure: Configure this policy setting to Enabled so that when ...

CCE-43159-3
Screen saver timeout If the Screen Saver Timeout setting is enabled, then the screen saver will be launched when the specified amount of time has passed since the last user action. Valid values range from 1 to 89,400 seconds (24 hours). The setting has no effect if the wait time is set to zero or n ...

CCE-42858-1
Disable: 'User Account Control: Virtualize file and registry write failures to per-user locations' This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and w ...

CCE-43211-2
Ensure No Auditing for 'Audit Policy: Policy Change: Filtering Platform Policy Change' This subcategory reports the addition and removal of objects from WFP, including startup filters. These events can be very high in volume. Events for this subcategory include: - 4709: IPsec Services was start ...

CCE-42253-5
Disable: 'Microsoft network client: Digitally sign communications (if server agrees)' This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. The implementation of digital signing in Windows-based networks helps to prevent sessions from being hijacked. If ...

CCE-42075-2
Disable: 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' for ScreenSaverGracePeriod MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Counter Measure: Configure the ...

CCE-42264-2
Disable: 'Network access: Sharing and security model for local accounts' for ForceGuest This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of ...

CCE-42362-4
Disable: 'Devices: Prevent users from installing printer drivers' for AddPrinterDrivers It is feasible for a attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your comp ...

CCE-44361-4
Specify the 'Microsoft network server: Amount of idle time required before suspending session' (Mins) This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this poli ...

CCE-43753-3
Remove CD Burning features This policy setting allows you to remove CD Burning features. File Explorer allows you to create and modify re-writable CDs if you have a CD writer connected to your PC. If you enable this policy setting, all features in the File Explorer that allow you to use your CD wr ...

CCE-42109-9
Specify the 'Server Authentication Certificate Template' value This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. A certificate is needed to authenticate an RD Sess ...

CCE-41475-5
Disable: 'Recovery console: Allow automatic administrative logon' for securitylevel The recovery console is a command-line environment that is used to recover from system problems. If you enable this policy setting, the administrator account is automatically logged on to the recovery console when i ...

CCE-43018-1
Disable: 'Windows Firewall: Private: Inbound connections' for DefaultInboundAction This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Coun ...

CCE-44330-9
Ensure No Auditing for 'Audit Policy: Object Access: Handle Manipulation' This subcategory reports when a handle to an object is opened or closed. Only objects with SACLs cause these events to be generated, and only if the attempted handle operation matches the SACL. Handle Manipulation events are ...

CCE-41772-5
Disable: 'Allow users to connect remotely by using Remote Desktop Services' This policy setting allows you to configure remote access to computers by using Remote Desktop Services. If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer ...

CCE-41562-0
Disable: 'Recovery console: Allow floppy copy and access to all drives and all folders' for setcommand This policy setting makes the Recovery Console SET command available, which allows you to set the following recovery console environment variables: - AllowWildCards. Enables wildcard support f ...

CCE-42930-8
Ensure No Auditing for 'Audit Policy: Account Management: Application Group Management' This subcategory reports each event of application group management on a computer, such as when an application group is created, changed, or deleted or when a member is added to or removed from an application gr ...

CCE-43105-6
Disable: 'Network access: Restrict anonymous access to Named Pipes and Shares' for restrictnullsessaccess When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access ...

CCE-42601-5
Ensure No Auditing for 'Audit Policy: Logon-Logoff: Account Lockout' This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include: - 4625: An account failed to log on. Refer to the Microsoft Knowledgebase ar ...

CCE-43588-3
Ensure No Auditing for 'Audit Policy: DS Access: Directory Service Replication' This subcategory reports when replication between two domain controllers begins and ends. Events for this subcategory include: - 4932: Synchronization of a replica of an Active Directory naming context has begun. ...

CCE-43468-8
Select the 'Devices: Allowed to format and eject removable media' to administrators_only This policy setting determines who is allowed to format and eject removable media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another comput ...

CCE-42856-5
Disable: 'Domain member: Disable machine account password changes' for disablepasswordchange This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its compute ...

CCE-41794-9
Disable: 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' for EnableICMPRedirect MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Counter Measure: Configure the MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF ...

CCE-42515-7
Ensure No Auditing for 'Audit Policy: Object Access: Filtering Platform Connection' This subcategory reports when connections are allowed or blocked by WFP. These events can be high in volume. Events for this subcategory include: - 5031: The Windows Firewall Service blocked an application from ...

CCE-43456-3
Disable: 'Enable RPC Endpoint Mapper Client Authentication' This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service p ...

CCE-42977-9
Ensure No Auditing for 'Audit Policy: Object Access: File Share' This subcategory reports when a file share is accessed. By itself, this policy setting will not cause auditing of any events. It determines whether to audit the event of a user who accesses a file share object that has a specified sys ...

CCE-42031-5
Ensure No Auditing for 'Audit Policy: Account Management: Computer Account Management' This subcategory reports each event of computer account management, such as when a computer account is created, changed, deleted, renamed, disabled, or enabled. Events for this subcategory include: - 4741: A ...

CCE-41786-5
Ensure No Auditing for 'Audit Policy: Logon-Logoff: Logon' This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes ...

CCE-42695-7
Disable: 'MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)' for Hidden MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) Counter Measure: Do not configure the MSS: (Hidden) Hide C ...

CCE-43340-9
Disable: 'Shutdown: Allow system to be shut down without having to log on' This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. Microsoft recommends to disab ...

CCE-43517-2
Disable: 'Network access: Do not allow anonymous enumeration of SAM accounts' for RestrictAnonymousSAM This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections ca ...

CCE-42781-5
Disable: 'Interactive logon: Do not require CTRL+ALT+DEL' This policy setting determines whether users must press CTRL+ALT+DEL before they log on. If you enable this policy setting, users can log on without this key combination. If you disable this policy setting, users must press CTRL+ALT+DEL befo ...

CCE-43472-0
Disable: 'Control Event Log behavior when the log file reaches its maximum size' for Retention This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the ...

CCE-41676-8
Disable: 'Require a Password When a Computer Wakes (Plugged In)' Specifies whether or not the user is prompted for a password when the system resumes from sleep. Counter Measure: Configure Require a Password When a Computer Wakes (Plugged In) to Enabled. Potential Impact: If you e ...

CCE-42269-1
Ensure No Auditing for 'Audit Policy: Object Access: Certification Services' This subcategory reports when Certification Services operations are performed. Events for this subcategory include: - 4868: The certificate manager denied a pending certificate request. - 4869: Certificate Service ...

CCE-41557-0
Disable: 'Microsoft network client: Send unencrypted password to third-party SMB servers' for EnablePlainTextPassword Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to third-party SMB servers that do not support password encryption. ...

CCE-43276-5
Disable: 'Audit: Audit the access of global system objects' for AuditBaseObjects This policy setting creates a default system access control list (SACL) for system objects such as mutexes (mutual exclusive), events, semaphores, and MS-DOS devices, and causes access to these system objects to be aud ...

CCE-43700-4
Disable: 'Always prompt for password upon connection' This policy setting specifies whether Terminal Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Terminal Services, even if they alrea ...

CCE-41641-2
Ensure No Auditing for 'Audit Policy: Logon-Logoff: IPsec Main Mode' This subcategory reports the results of Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. Events for this subcategory include: - 4646: IKE DoS-prevention mode star ...

CCE-41871-5
Ensure Audit Success and Failure for 'Audit Policy: System: System Integrity' This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include: - 4612 : Internal resources allocated for the queuing of audit messages have been exhausted, leading ...

CCE-43605-5
Ensure No Auditing for 'Audit Policy: Object Access: Kernel Object' This subcategory reports when kernel objects such as processes and mutexes are accessed. Only kernel objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL. Typically ...

CCE-41773-3
Disable: 'Domain member: Digitally sign secure channel data (when possible)' for signsecurechannel This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic ...

CCE-43628-7
Disable: 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' for RestrictAnonymous This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate do ...

CCE-41750-1
Disable: 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' for TcpMaxDataRetransmissions MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) Counter Measure: Co ...

CCE-42706-2
Ensure No Auditing for 'Audit Policy: Object Access: Application Generated' This subcategory reports when applications attempt to generate audit events by using the Windows auditing application programming interfaces (APIs). Events for this subcategory include: - 4665: An attempt was made to cr ...

CCE-42836-7
Enable screen saver This policy setting allows you to manage whether or not screen savers run. If the Screen Saver setting is disabled screen savers do not run and the screen saver section of the Screen Saver tab in Display in Control Panel is disabled. If this setting is enabled a screen saver wil ...

CCE-44052-9
Disable: 'Require a Password When a Computer Wakes (On Battery)' Specifies whether or not the user is prompted for a password when the system resumes from sleep. Counter Measure: Configure Require a Password When a Computer Wakes (On Battery) to Enabled. Potential Impact: If you e ...

CCE-41972-1
'Specify the maximum log file size (KB) (Application Log)' for MaxSize (Min:1024 Max:2147483647 kb) This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobyte ...

CCE-42210-5
Ensure No Auditing for 'Audit Policy: DS Access: Detailed Directory Service Replication' This subcategory reports detailed information about the information replicating between domain controllers. These events can be very high in volume. Events for this subcategory include: - 4928: An Active Di ...

CCE-41730-3
Ensure No Auditing for 'Audit Policy: Privilege Use: Non Sensitive Privilege Use' This subcategory reports when a user account or service uses a non-sensitive privilege. A non-sensitive privilege includes the following user rights: Access Credential Manager as a trusted caller, Access this compute ...

CCE-42170-1
Network security: Force logoff when logon hours expire This policy setting, which determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours, affects the SMB component. If you enable this policy setting, client sessions with the SMB ...

CCE-42019-0
Ensure No Auditing for 'Audit Policy: Logon-Logoff: IPsec Extended Mode' This subcategory reports the results of AuthIP during Extended Mode negotiations. Events for this subcategory include: - 4978: During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem ...

CCE-41840-0
Disable: 'Microsoft network client: Digitally sign communications (always)' for RequireSecuritySignature This policy setting determines whether packet signing is required by the SMB client component. If you enable this policy setting, the Microsoft network client computer cannot communicate with a ...

CCE-43157-7
Ensure No Auditing for 'Audit Policy: Account Management: Distribution Group Management' This subcategory reports each event of distribution group management, such as when a distribution group is created, changed, or deleted or when a member is added to or removed from a distribution group. If you ...

CCE-41787-3
Disable: 'Accounts: Limit local account use of blank passwords to console logon only' This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local account ...

CCE-43671-7
Disable: 'User Account Control: Behavior of the elevation prompt for standard users' for ConsentPromptBehaviorUser This policy setting controls the behavior of the elevation prompt for standard users. The options are: - Prompt for credentials: When an operation requires elevation of privile ...

CCE-42399-6
Ensure No Auditing for 'Audit Policy: System: Other System Events' This subcategory reports on other system events. Events for this subcategory include: - 5024 : The Windows Firewall Service has started successfully. - 5025 : The Windows Firewall Service has been stopped. - 5027 : The ...

CCE-43744-2
Disable: 'User Account Control: Only elevate executables that are signed and validated' for ValidateAdminCodeSignatures This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can c ...

CCE-43389-6
Disable: 'Turn off the Windows Messenger Customer Experience Improvement Program' This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Counter Measure: Enable this policy setting to ensure th ...

CCE-42900-1
Disable: 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' for scenoapplylegacyauditpolicy This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy se ...

CCE-42901-9
Ensure No Auditing for 'Audit Policy: Account Logon: Other Account Logon Events' This subcategory reports the events that occur in response to credentials submitted for a user account logon request that do not relate to credential validation or Kerberos tickets. These events occur on the computer t ...

CCE-41677-6
Ensure No Auditing for 'Audit Policy: Privilege Use: Other Privilege Use Events' This subcategory is not used. Counter Measure: Enable Audit policy settings that support the organizational security policy for all the computers in your organization. Identify the components that you need for ...

CCE-43619-6
Disable: 'Enumerate administrator accounts on elevation' By default, all administrator accounts are displayed when you attempt to elevate a running application. Counter Measure: Enable this policy. Potential Impact: If you enable this policy setting, all local administrator accoun ...

CCE-42220-4
Disable: 'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.' for NoDefaultExempt MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic. Counter Measure: Do not configure the MSS: (NoDefaultExempt) Enable NoDefaultExempt ...

CCE-42024-0
Disable: 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' for PerformRouterDiscovery MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Counter Measure: Configure the ...

CCE-43657-6
Disable: 'Network security: Do not store LAN Manager hash value on next password change' for NoLMHash This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to th ...

CCE-43826-7
Disable: 'Turn off the 'Publish to Web' task for files and folders' for NoPublishingWizard This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows fold ...

CCE-42872-2
Password must meet complexity requirements This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain the user's account name or parts of the user's ...

CCE-41830-1
Specify the 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' for FDVDiscoveryVolumeType This policy setting configures whether or not fixed data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Win ...

CCE-43536-2
Store passwords using reversible encryption This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user's password for authentication purposes. Passwords th ...

CCE-42134-7
Disable: 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' for NTLMMinClientSec This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications t ...

CCE-41611-5
Disable: 'Windows Firewall: Public: Inbound connections' This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Counter Measure: Configure ...

CCE-44292-1
Disable: 'Do not process the run once list' This policy setting causes the run once list, which is the list of programs that Windows Vista runs automatically when it starts, to be ignored. This policy setting differs from the Do not process the legacy run list setting in that programs on this list ...

CCE-44194-9
Ensure No Auditing for 'Audit Policy: DS Access: Directory Service Changes' This subcategory reports changes to objects in Active Directory Domain Services (AD DS). The types of changes that are reported are create, modify, move, and undelete operations that are performed on an object. DS Change au ...

CCE-42435-8
Ensure No Auditing for 'Audit Policy: Policy Change: MPSSVC Rule-Level Policy Change' This subcategory reports changes in policy rules used by the Microsoft Protection Service (MPSSVC.exe). This service is used by Windows Firewall and by Microsoft OneCare. Events for this subcategory include: - ...

CCE-42775-7
Disable: 'Always install with elevated privileges' Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (of ...

CCE-42798-9
Disable: 'Devices: Restrict CD-ROM access to locally logged-on user only' for AllocateCDRoms This policy setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. If you enable this policy setting, only the interactively logged-on user is allowed to access rem ...

CCE-42100-8
Disable: 'Windows Firewall: Domain: Inbound connections' for DefaultInboundAction This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Count ...

CCE-42313-7
Disable: 'Turn off Search Companion content file updates' This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. Counter Measure: Configure this policy setting to Enabled to prevent Search Companion from down ...

CCE-44410-9
Disable: 'Do not allow passwords to be saved' This policy setting helps prevent Terminal Services clients from saving passwords on a computer. Note If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Termi ...

CCE-43704-6
Ensure No Auditing for 'Audit Policy: Detailed Tracking: Process Termination' This subcategory reports when a process terminates. Events for this subcategory include: - 4689: A process has exited. Refer to the Microsoft Knowledgebase article 'Description of security events in Windows Vista ...

CCE-41504-2
Disable: 'Interactive logon: Prompt user to change password before expiration' for passwordexpirywarning This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently warn us ...

CCE-43416-7
Ensure No Auditing for 'Audit Policy: Policy Change: Authentication Policy Change' This subcategory reports changes in authentication policy. Events for this subcategory include: - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4713: Kerberos poli ...

CCE-42884-7
Disable: 'Microsoft network server: Digitally sign communications (always)' for requiresecuritysignature This policy setting determines if the server side SMB service is required to perform SMB packet signing. Enable this policy setting in a mixed environment to prevent downstream clients from usin ...

CCE-42907-6
Ensure No Auditing for 'Audit Policy: Detailed Tracking: DPAPI Activity' This subcategory reports encrypt or decrypt calls into the data protections application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. Events for this subcategor ...

CCE-41679-2
Minimum password length This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps 'pass phrase' is a better term than 'password.' In Mic ...

CCE-42411-9
Ensure No Auditing for 'Audit Policy: Policy Change: Authorization Policy Change' This subcategory reports changes in authorization policy including permissions (DACL) changes. Events for this subcategory include: - 4704: A user right was assigned. - 4705: A user right was removed. - ...

CCE-41953-1
Minimum password age This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this sett ...

CCE-44180-8
Disable: 'Audit: Shut down system immediately if unable to log security audits' for crashonauditfail This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteri ...

CCE-42674-2
Audit Policy: Object Access: Detailed File Share This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any conn ...

CCE-42444-0
'Set time limit for active Remote Desktop Services sessions' to never This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. If you enable this policy setting, you must select the desired ...

CCE-41501-8
Select the 'Set the default behavior for AutoRun' to do_not_execute_any_autorun_commands This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. ...

CCE-42136-2
Enforce password history This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwor ...

CCE-44312-7
Disable: 'Allow Remote Shell Access' This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. Counter Measure: Configure Allow Remote Shell Access to Disabled. Potential Impact: If you enable this policy setti ...

CCE-42113-1
Ensure No Auditing for 'Audit Policy: Object Access: SAM' This subcategory reports when SAM objects are accessed. Refer to the Microsoft Knowledgebase article "Description of security events in Windows Vista and in Windows Server 2008" for the most recent information about this setting: http://supp ...

CCE-44139-4
Disable: 'Control Security Event Log behavior when the log file reaches its maximum size' This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log ...

CCE-42410-1
Ensure Audit Success and Failure for 'Audit Policy: Account Management: User Account Management' This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or chan ...

CCE-43130-4
Ensure No Auditing for 'Audit Policy: Account Management: Security Group Management' This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audi ...

CCE-42311-1
Disable: 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' for EnableSecureUIAPaths This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location i ...

CCE-42675-9
Disable: 'Turn off the offer to update to the latest version of Windows' Enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. If you disable or do not config ...

CCE-41710-5
Domain member: Maximum machine account password age This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly or set it to 0 so that the ...

CCE-44238-4
Disable: 'Do not allow drive redirection' This policy setting prevents users from sharing the local drives on their client computers to Terminal Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\TSClient\<driveletter>$ ...

CCE-42894-6
Select the 'Set client connection encryption level' to low_level This policy setting specifies whether the computer that is about to host the remote connection will enforce an encryption level for all data sent between it and the client computer for the remote session. Counter Measure: Con ...

CCE-43921-6
Disable: 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' for ConsentPromptBehaviorAdmin This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Elevate without prompting: Allows privileged ac ...

CCE-41528-1
Accounts: Guest account status This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system. Note that this setting will have no impact when applied to the domain controller organizational unit v ...

CCE-42970-4
Accounts: Rename administrator account The built-in local administrator account is a well-known account name that attackers will target. Microsoft recommends to choose another name for this account, and to avoid names that denote administrative or elevated access accounts. Be sure to also change th ...

CCE-43078-5
Accounts: Rename guest account The built-in local guest account is another well-known name to attackers. Microsoft recommends to rename this account to something that does not indicate its purpose. Even if you disable this account, which is recommended, ensure that you rename it for added security. ...

CCE-42381-4
Create a pagefile This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer. When configuring a user right in the SCM enter a comma delimited list of acco ...

CCE-42621-3
Deny access to this computer from the network This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In high security environments, there should be no need for remote users to access data on ...

CCE-43050-4
Impersonate a client after authentication The policy setting allows programs that run on behalf of a user to impersonate that user (or another specified account) so that they can act on behalf of the user. If this user right is required for this kind of impersonation, an unauthorized user will not ...

CCE-43750-9
Lock pages in memory This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. If this user right is assigned, significant degradation of system performance can occur. When configuring a user right in the SCM ent ...

CCE-41977-0
Take ownership of files or other objects This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user. When configuring a user right ...

CCE-43381-3
Perform volume maintenance tasks This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial-of-service condition. When configuring a user right in the SCM enter a comma delimited list of ...

CCE-42069-5
Create symbolic links This policy setting determines which users can create symbolic links. In Windows Vista, existing NTFS file system objects, such as files and folders, can be accessed by referring to a new kind of file system object called a symbolic link. A symbolic link is a pointer (much lik ...

CCE-41605-7
Create global objects This policy setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right Users who can create global objects could affect processes that ...

CCE-42133-9
Restore files and directories This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories on computers that run Windows Vista in your environment. This user right also determines which users ...

CCE-43886-1
Deny log on through Remote Desktop Services This policy setting determines whether users can log on as Terminal Services clients. After the baseline member server is joined to a domain environment, there is no need to use local accounts to access the server from the network. Domain accounts can acc ...

CCE-43322-7
Bypass traverse checking This policy setting allows users who do not have the Traverse Folder access permission to pass through folders when they browse an object path in the NTFS file system or the registry. This user right does not allow users to list the contents of a folder. When configuring a ...

CCE-43454-8
Enable computer and user accounts to be trusted for delegation This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. Abuse of this privilege could allow unauthorized users to impersonate other users on the network. When configuring ...

CCE-44298-8
Increase a process working set This privilege determines which user accounts can increase or decrease the size of a process's working set. The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an a ...

CCE-43249-2
Create a token object This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can ...

CCE-41806-1
Access this computer from the network This policy setting allows other users on the network to connect to the computer and is required by various network protocols that include Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus ( ...

CCE-41771-7
Increase scheduling priority This policy setting determines whether users can increase the base priority class of a process. (It is not a privileged operation to increase relative priority within a priority class.) This user right is not required by administrative tools that are supplied with the o ...

CCE-44284-8
Shut down the system This policy setting determines which users who are logged on locally to the computers in your environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition. When configuring a user right in the ...

CCE-44186-5
Allow log on locally This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the client computer keyboard require this user right. Users who attempt to log on through Terminal Servic ...

CCE-44370-5
Log on as a service This policy setting allows accounts to launch network services or to register a process as a service running on the system. This user right should be restricted on any computer in a high security environment, but because many applications may require this privilege, it should be ...

CCE-43615-4
Log on as a batch job This policy setting allows accounts to log on using the task scheduler service. Because the task scheduler is often used for administrative purposes, it may be needed in enterprise environments. However, its use should be restricted in high security environments to prevent mis ...

CCE-41566-1
Generate security audits This policy setting determines which users or processes can generate audit records in the Security log. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users ...

CCE-43854-9
Deny log on locally This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.Important:If you apply this security policy to the Everyone group, no one ...

CCE-44295-4
Modify firmware environment values This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration. Modification of these values and could lead to a hardware failure tha ...

CCE-43331-8
Adjust memory quotas for a process This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial of service (DoS) ...

CCE-43648-5
Replace a process level token This policy setting allows one process or service to start another service or process with a different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges. When configuring a user ...

CCE-43470-4
Accounts: Administrator account status This policy setting enables or disables the Administrator account during normal operation. When a computer is booted into safe mode, the Administrator account is always enabled, regardless of how this setting is configured. Note that this setting will have no ...

CCE-44313-5
Create permanent shared objects This user right is useful to kernel-mode components that extend the object namespace. However, components that run in kernel mode have this user right inherently. Therefore, it is typically not necessary to specifically assign this user right. When configuring a use ...

CCE-42840-9
Load and unload device drivers This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this capability to install malicious code that appears to be a device driver. This user right is required for users to add local printers or printer ...

CCE-44136-0
Profile single process This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if Syst ...

CCE-44133-7
Modify an object label This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this ...

CCE-42847-4
Force shutdown from a remote system This policy setting allows users to shut down Windows Vista-based computers from remote locations on the network. Anyone who has been assigned this user right can cause a denial of service (DoS) condition, which would make the computer unavailable to service user ...

CCE-41974-7
Manage auditing and security log This policy setting determines which users can change the auditing options for files and directories and clear the Security log. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Dir ...

CCE-43438-1
Back up files and directories This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programmin ...

CCE-43428-2
Deny log on as a batch job This policy setting determines which accounts will not be able to log on to the computer as a batch job. A batch job is not a batch (.bat) file, but rather a batch-queue facility. Accounts that use the Task Scheduler to schedule jobs need this user right. The Deny log on ...

CCE-44172-5
Deny log on as a service This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies.Note: This security setting does not apply to the S ...

CCE-44315-0
Act as part of the operating system This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local o ...

CCE-41832-7
Allow log on through Remote Desktop Services This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. If your organization uses Remote Assistance as part of its help desk strategy, create a group and a ...

CCE-44192-3
Debug programs This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. Developers who are debugging their own applications do not need to be ass ...

CCE-43535-4
Maximum password age This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for this policy setting is 42 days. Because attackers can ...

CCE-42778-1
Reset account lockout counter after This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value f ...

CCE-43748-3
Account lockout duration This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy sett ...

CCE-41870-7
Ensure No Auditing for 'Audit Policy: Account Logon: Kerberos Service Ticket Operations' This subcategory reports generated by Kerberos ticket request processes on the domain controller that is authoritative for the domain account. Events for this subcategory include: - 4769: A Kerberos service ...

CPE    1
cpe:/o:microsoft:windows_10
*XCCDF
xccdf_org.secpod_benchmark_NIST_800_171_R1_Windows_10
OVAL    286
oval:org.secpod.oval:def:35051
oval:org.secpod.oval:def:35179
oval:org.secpod.oval:def:36498
oval:org.secpod.oval:def:35391
...

© 2013 SecPod Technologies