Download
| Alert*
|
CCE-11431-4
The "Default behavior for AutoRun" machine setting should be configured correctly. CCE-10857-1 Windows Firewall should allow or block inbound connections by default as appropriate for the Private Profile. CCE-11717-6 The "Maximum Log Size (KB)" machine setting should be configured correctly for the setup log. CCE-11028-8 The 'User Account Control: Admin Approval Mode for the Built-in Administrator account' setting should be configured correctly. CCE-10775-5 This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its computer account password. If you disable this policy setting, the domain member can change its compu ... CCE-10798-7 The 'Windows Firewall: Domain: Apply local firewall rules' setting should be configured correctly. CCE-10631-0 Display of a notification to the user when Windows Firewall blocks network activity should be enabled or disabled as appropriate for the private profile. CCE-10518-9 The 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' setting should be configured correctly. CCE-11958-6 The "Turn off the Windows Messenger Customer Experience Improvement Program" machine setting should be configured correctly. CCE-10158-4 The 'Interactive logon: Display user information when the session is locked.' setting should be configured correctly. CCE-10419-0 The 'Shutdown: Allow system to be shut down without having to log on' setting should be configured correctly. CCE-10570-0 The 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' setting should be configured correctly. CCE-10918-1 The "Retain old events" machine setting should be configured correctly for the application log. CCE-10229-3 The 'Network Security: Restrict NTLM: NTLM authentication in this domain' setting should be configured correctly. CCE-11587-3 The "Turn off the "Publish to Web" task for files and folders" machine setting should be configured correctly. CCE-10751-6 The 'MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)' setting should be configured correctly. CCE-10691-4 The "Prevent the computer from joining a homegroup" machine setting should be configured correctly. CCE-10653-4 The 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' setting should be configured correctly. CCE-10921-5 The 'Windows Firewall: Private: Apply local connection security rules' setting should be configured correctly. CCE-12266-3 The "Disallow Digest authentication" machine setting should be configured correctly. CCE-11174-0 The "Maximum Log Size (KB)" machine setting should be configured correctly for the system log. CCE-11143-5 The "Maximum Log Size (KB)" machine setting should be configured correctly for the application log. CCE-10640-1 The 'Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication' setting should be configured correctly. CCE-11290-4 The "Allow unencrypted traffic" machine setting should be configured correctly for the WinRM service. CCE-11625-1 The "Offer Remote Assistance" machine setting should be configured correctly. CCE-10663-3 The "Retain old events" machine setting should be configured correctly for the security log. CCE-10817-5 When enabled, this policy setting causes Local System services that use Negotiate to use the computer identity when NTLM authentication is selected by the negotiation. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Countermeasure: Configure Network security: Allo ... CCE-10878-7 The 'Deny log on through Remote Desktop Services' user right should be assigned to the appropriate accounts. CCE-11120-3 Display of a notification to the user when Windows Firewall blocks network activity should be enabled or disabled as appropriate for the public profile. CCE-10109-7 The 'User Account Control: Switch to the secure desktop when prompting for elevation' setting should be configured correctly. CCE-10087-5 The 'Network Security: Restrict NTLM: Incoming NTLM traffic' setting should be configured correctly. CCE-11867-9 The "Allow users to connect remotely using Remote Desktop Services" machine setting should be configured correctly. CCE-10881-1 The "Restrictions for Unauthenticated RPC clients" machine setting should be configured correctly. CCE-11651-7 The "Require a Password When a Computer Wakes (Plugged In)" machine setting should be configured correctly. CCE-11723-4 The "Solicited Remote Assistance" machine setting should be configured correctly. CCE-10370-5 The 'Recovery console: Allow automatic administrative logon' setting should be configured correctly. CCE-10926-4 The 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' setting should be configured correctly. CCE-10843-1 The 'Network Security: Configure encryption types allowed for Kerberos' setting should be configured correctly. CCE-11033-8 The "Maximum Log Size (KB)" machine setting should be configured correctly for the secirity log. CCE-11131-0 The "Allow Basic authentication" machine setting should be configured correctly for the WinRM service. CCE-10941-3 The 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly. CCE-10889-4 The "Turn off Search Companion content file updates" machine setting should be configured correctly. CCE-18944-9 The 'Require 128-bit encryption' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' setting should be enabled or disabled as appropriate. CCE-10760-7 The 'Minimum password age' setting should be configured correctly. CCE-10768-0 The 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' setting should be configured correctly. CCE-11833-1 The "Server Authentication Certificate Template" machine setting should be configured correctly. CCE-10992-6 The 'Microsoft network server: Digitally sign communications (always)' setting should be configured correctly. CCE-10745-8 The 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' setting should be configured correctly. CCE-11860-4 The "Allow Remote Shell Access" machine setting should be configured correctly. CCE-11055-1 The "Retain old events" machine setting should be configured correctly for the system log. CCE-11248-2 The "Allow remote access to the Plug and Play interface" machine setting should be configured correctly. CCE-11709-3 The "Do not allow drive redirection" machine setting should be configured correctly. CCE-9999-4 The 'Devices: Prevent users from installing printer drivers' setting should be configured correctly. CCE-10804-3 The 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly. CCE-10997-5 Windows Firewall should allow or block inbound connections by default as appropriate for the Domain Profile. CCE-11450-4 The "Enumerate administrator accounts on elevation" machine setting should be configured correctly. CCE-10684-9 This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC pol ... CCE-10454-7 The "Allow Basic authentication" machine setting should be configured correctly for the WinRM client. CCE-10794-6 This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name ... CCE-11905-7 The "Do not allow passwords to be saved" machine setting should be configured correctly. CCE-10733-4 The 'Deny access to this computer from the network' user right should be assigned to the appropriate accounts. CCE-10901-7 The 'Password must meet complexity requirements' policy should be set correctly. CCE-11992-5 The "Do not process the run once list" machine setting should be configured correctly. CCE-10372-1 The 'Minimum password length' setting should be configured correctly. CCE-11954-5 The "Allow unencrypted traffic" machine setting should be configured correctly for the WinRM client. CCE-9992-9 The 'Accounts: Limit local account use of blank passwords to console logon only' setting should be configured correctly. CCE-11046-0 The 'Account lockout threshold' setting should be configured correctly. CCE-10188-1 The 'Windows Firewall: Public: Apply local firewall rules' setting should be configured correctly. CCE-10789-6 The 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' setting should be configured correctly. CCE-10131-1 The 'Windows Firewall: Private: Apply local firewall rules' setting should be configured correctly. CCE-11299-5 The "Always prompt for password upon connection" machine setting should be configured correctly. CCE-12088-1 The "Require a Password When a Computer Wakes (On Battery)" machine setting should be configured correctly. CCE-10018-0 The 'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.' setting should be configured correctly. CCE-11677-2 The "Set client connection encryption level" machine setting should be configured correctly. CCE-10562-7 The 'Maximum password age' setting should be configured correctly. CCE-10865-4 The 'User Account Control: Virtualize file and registry write failures to per-user locations' setting should be configured correctly. CCE-10940-5 The 'Network access: Restrict anonymous access to Named Pipes and Shares' setting should be configured correctly. CCE-10487-7 The 'Audit: Audit the access of global system objects' setting should be configured correctly. CCE-11019-7 Display of a notification to the user when Windows Firewall blocks network activity should be enabled or disabled as appropriate for the domain profile. CCE-10309-3 The "Retain old events" machine setting should be configured correctly for the setup log. CCE-10742-5 The 'Audit: Shut down system immediately if unable to log security audits' setting should be configured correctly. CCE-10780-5 The 'Devices: Restrict CD-ROM access to locally logged-on user only' setting should be configured correctly. CCE-10573-4 The 'Interactive logon: Smart card removal behavior' setting should be configured correctly. CCE-10596-5 The 'Deny log on as a batch job' user right should be assigned to the appropriate accounts. CCE-10859-7 The 'Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers' setting should be configured correctly. CCE-10045-3 The 'Network Security: Restrict NTLM: Add server exceptions in this domain' setting should be configured correctly. CCE-10922-3 The 'User Account Control: Only elevate executables that are signed and validated' setting should be configured correctly. CCE-10299-6 The "Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box" machine setting should be configured correctly. CCE-9989-5 The 'Accounts: Guest account status' setting should be configured correctly. CCE-10809-2 The "Enforce password history" setting should be configured correctly. CCE-12159-0 The "Do not allow local administrators to customize permissions" machine setting should be configured correctly. CCE-10726-8 The 'Manage auditing and security log' user right should be assigned to the appropriate accounts. CCE-10534-6 This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevati ... CCE-10643-5 The 'Recovery console: Allow floppy copy and access to all drives and all folders' setting should be configured correctly. CCE-10875-3 This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member will request encryption of all secure channel traffic. If you disable this policy setting, the domain m ... CCE-10984-3 LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, th ... CCE-10292-1 The 'Network access: Do not allow storage of passwords and credentials for network authentication' setting should be configured correctly. CCE-10715-1 The "RPC Endpoint Mapper Client Authentication" machine setting should be configured correctly. CCE-11036-1 The 'Windows Firewall: Domain: Apply local connection security rules' setting should be configured correctly. CCE-10171-7 Windows Firewall should allow or block inbound connections by default as appropriate for the Public Profile. CCE-10825-8 The 'Network access: Sharing and security model for local accounts' setting should be configured correctly. CCE-11923-0 The "Reschedule Automatic Updates scheduled installations" machine setting should be configured correctly. CCE-11332-4 The "Configure minimum PIN length for startup" machine setting should be configured correctly. CCE-11465-2 The "Allow access to BitLocker-protected fixed data drives from earlier versions of Windows" machine setting should be configured correctly. CCE-11506-3 The "Set time limit for active but idle Remote Desktop Services sessions" machine setting should be configured correctly. CCE-11341-5 The "Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box" machine setting should be configured correctly. CCE-11326-6 The "Set time limit for active Remote Desktop Services sessions" machine setting should be configured correctly. CCE-11117-9 The "Set time limit for disconnected sessions" machine setting should be configured correctly. CCE-10019-8 The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly. CCE-10983-5 The 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly. CCE-12401-6 The "Always install with elevated privileges" machine setting should be configured correctly. CCE-10637-7 The 'Devices: Allowed to format and eject removable media' setting should be configured correctly. CCE-10750-8 The 'Deny log on locally' user right should be assigned to the appropriate accounts. CCE-10807-6 The 'User Account Control: Behavior of the elevation prompt for standard users' setting should be configured correctly. CCE-10830-8 The 'Network security: Do not store LAN Manager hash value on next password change' setting should be configured correctly. CCE-11023-9 This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most co ... CCE-10970-2 The 'Microsoft network client: Digitally sign communications (always)' setting should be configured correctly. CCE-11103-9 The Windows Firewall should be enabled or disabled as appropriate for the Private Profile. CCE-10978-5 This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Di ... CCE-11368-8 The "Require secure RPC communication" machine setting should be configured correctly. CCE-10399-4 The 'Account lockout duration' setting should be configured correctly. CCE-10009-9 The 'Domain member: Digitally sign secure channel data (when possible)' setting should be configured correctly. CCE-11295-3 The "Require use of specific security layer for remote (RDP) connections" machine setting should be configured correctly. CCE-10482-8 The Windows Firewall should be enabled or disabled as appropriate for the Domain Profile. CCE-10810-0 The 'Interactive logon: Do not require CTRL+ALT+DEL' setting should be configured correctly. CCE-10871-2 The 'Domain member: Digitally encrypt or sign secure channel data (always)' setting should be configured correctly. CCE-18808-6 The 'Require 128-bit encryption' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' setting should be enabled or disabled as appropriate. CCE-10027-1 The 'Network access: Do not allow anonymous enumeration of SAM accounts' setting should be configured correctly. CCE-10974-4 The 'Microsoft network client: Digitally sign communications (if server agrees)' setting should be configured correctly. CCE-10297-0 The 'Network access: Let Everyone permissions apply to anonymous users' setting should be configured correctly. CCE-11050-2 The Windows Firewall should be enabled or disabled as appropriate for the Public Profile. CCE-10673-2 The 'Interactive logon: Message text for users attempting to log on' setting should be configured correctly. CCE-10557-7 The 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' setting should be configured correctly. CCE-11059-3 The 'Reset account lockout counter after' setting should be configured correctly. CCE-10338-2 The "Require user authentication for remote connections by using Network Level Authentication" machine setting should be configured correctly. CCE-11453-8 The "No auto-restart with logged on users for scheduled automatic updates installations" machine setting should be configured correctly. CCE-10112-1 The 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' setting should be configured correctly. CCE-10930-6 The 'Interactive logon: Prompt user to change password before expiration' setting should be configured correctly. CCE-10903-3 The 'Domain member: Maximum machine account password age' setting should be configured correctly. CCE-10614-6 The 'Network security: LDAP client signing requirements' setting should be configured correctly. CCE-10541-1 The 'Domain member: Require strong (Windows 2000 or later) session key' setting should be configured correctly. CCE-10838-1 The 'Microsoft network client: Send unencrypted password to third-party SMB servers' setting should be configured correctly. CCE-10788-8 The 'Interactive logon: Do not display last user name' setting should be configured correctly. CCE-10362-2 The 'Microsoft network server: Amount of idle time required before suspending session' setting should be configured correctly. |
