Download
| Alert*
|
CCE-43905-9
'Specify the time of day to run a scheduled full scan to complete remediation' (in Minutes Min:0 Max:1440) This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes pas ... CCE-42501-7 Disable: 'Support device authentication using certificate' Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. This policy setting allows you to set support for Kerbe ... CCE-42888-8 Specify the 'Define the maximum size of downloaded files and attachments to be scanned' (IOAVMaxSize Min:0 Max:10000000 kb) This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned. If you enable this setting, downloaded files and atta ... CCE-43903-4 'Specify the time for a daily quick scan' (ScheduleQuickScanTime in Mins Min:0 Max:1440) This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equiva ... CCE-43557-8 Disable: 'Network access: Named Pipes that can be accessed anonymously' for NullSessionPipes This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. Note: When you configure this setting you specify a list of one o ... CCE-42852-4 Disable: 'Configure Solicited Remote Assistance' for fAllowToGetHelp This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Al ... CCE-42788-0 Disable: 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' for TcpMaxDataRetransmissions MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) Counter Measu ... CCE-42133-9 Restore files and directories This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories on computers that run Windows Vista in your environment. This user right also determines which users ... CCE-43793-9 Disable: 'Configure use of hardware-based encryption for operating system drives' for OSHardwareEncryption This policy setting allows you to manage BitLocker's use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encrypti ... CCE-42621-3 Deny access to this computer from the network This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In high security environments, there should be no need for remote users to access data on ... CCE-43754-1 Disable: 'Turn on network protection against exploits of known vulnerabilities' This policy setting allows you to configure network protection against exploits of known vulnerabilities. If you enable or do not configure this setting, the network protection will be enabled. If you disable th ... CCE-44133-7 Modify an object label This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this ... CCE-42340-0 'Specify the maximum log file size (KB)' (Security Log) This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in ... CCE-43886-1 Deny log on through Remote Desktop Services This policy setting determines whether users can log on as Terminal Services clients. After the baseline member server is joined to a domain environment, there is no need to use local accounts to access the server from the network. Domain accounts can acc ... CCE-43322-7 Bypass traverse checking This policy setting allows users who do not have the Traverse Folder access permission to pass through folders when they browse an object path in the NTFS file system or the registry. This user right does not allow users to list the contents of a folder. When configuring a ... CCE-42846-6 Disable: 'Configure Automatic Updates' for NoAutoUpdate This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is av ... CCE-44298-8 Increase a process working set This privilege determines which user accounts can increase or decrease the size of a process's working set. The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an a ... CCE-41562-0 Disable: 'Recovery console: Allow floppy copy and access to all drives and all folders' for setcommand This policy setting makes the Recovery Console SET command available, which allows you to set the following recovery console environment variables: - AllowWildCards. Enables wildcard support f ... CCE-41771-7 Increase scheduling priority This policy setting determines whether users can increase the base priority class of a process. (It is not a privileged operation to increase relative priority within a priority class.) This user right is not required by administrative tools that are supplied with the o ... CCE-42954-8 Disable: 'Turn off Windows Update device driver searching' for DontSearchWindowsUpdate This policy setting specifies whether Windows will search Windows Update for device drivers when no local drivers for a device are present. Note See also Turn off Windows Update device driver search prompt ... CCE-42054-7 Disable: 'Reschedule Automatic Updates scheduled installations' This policy setting determines the amount of time before previously scheduled Automatic Update installations will proceed after system startup. If you configure this policy setting to Enabled, a previously scheduled installation will b ... CCE-44186-5 Allow log on locally This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the client computer keyboard require this user right. Users who attempt to log on through Terminal Servic ... CCE-43953-9 Disable: 'Network access: Shares that can be accessed anonymously' for NullSessionShares This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they ... CCE-41750-1 Disable: 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' for TcpMaxDataRetransmissions MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) Counter Measure: Co ... CCE-43255-9 'Specify the interval to run quick scans per day' (QuickScanInterval in hours Min:0 Max:24) This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 ... CCE-43755-8 Specify the 'Define the number of days before spyware definitions are considered out of date' (Days Min:0 Max:4294967295) This policy setting allows you to define the number of days that must pass before spyware definitions are considered out of date. If definitions are determined to be out of date ... CCE-42917-5 Disable: 'Turn off Internet download for Web publishing and online ordering wizards' This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. Counter Measure: Enable this setting Potential Impact: If this po ... CCE-43934-9 'Specify the time of day to run a scheduled scan' (ScheduleTime in Mins Min:0 Max:1440) This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalen ... CCE-43749-1 Specify the 'Define the number of days before virus definitions are considered out of date' (Threshold days for AVSignatureDue Min:0 Max:4294967295) This policy setting allows you to define the number of days that must pass before virus definitions are considered out of date. If definitions are det ... CCE-44148-5 Disable: 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' for cachedlogonscount This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached loca ... CCE-43567-7 Select the 'Restrict Unauthenticated RPC clients for RestrictRemoteClients' to none This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setti ... CCE-42974-6 Disable: 'Network access: Do not allow storage of passwords and credentials for network authentication' for DisableDomainCreds This policy setting determines whether the Stored User Names and Passwords feature may save passwords or credentials for later use when it gains domain authentication. If y ... CCE-43773-1 'Set time limit for active but idle Remote Desktop Services sessions' to never This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. If you enable this policy ... CCE-42219-6 Disable: 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' for AutoAdminLogon MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Counter Measure: Do not configure the MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) entry except on highly secure com ... CCE-42842-5 Disable: 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' for NTLMMinServerSec This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications t ... CCE-44311-9 Disable: 'Shutdown: Clear virtual memory pagefile' for ClearPageFileAtShutdown This policy setting determines whether the virtual memory pagefile is cleared when the system is shut down. When this policy setting is enabled, the system pagefile is cleared each time that the system shuts down properl ... CCE-43568-5 Specify the 'Turn Off the Display (Plugged In)' in seconds (max: 4294967295) Specifies the period of inactivity before Windows turns off the display. If you enable this policy, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display ... CCE-42975-3 This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. If you disable this policy ... CCE-42316-0 Disable: 'Create a system restore point' This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning. If you enable this setting, a system restore point will be created. If you disable or do not configure this setting, a system restore ... CCE-42120-6 Disable: 'Interactive logon: Smart card removal behavior' for scremoveoption This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. Counter Measure: Configure the Smart card removal behavior setting to Lock Workstation. ... CCE-41682-6 Disable: 'User Account Control: Switch to the secure desktop when prompting for elevation' for PromptOnSecureDesktop This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: - Enabled: (Default) ... CCE-42327-7 Disable: 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' for NoNameReleaseOnDemand MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Counter Measure: Configure ... CCE-42155-2 'Set time limit for disconnected sessions' to never This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session is kept active on the server. By defa ... CCE-41595-0 Disable: 'Configure use of hardware-based encryption for fixed data drives' for FDVHardwareEncryption This policy setting allows you to manage BitLocker's use of hardware-based encryption on fixed data drives and specify which encryption algorithms it can use with hardware-based encryption. Using h ... CCE-42437-4 Specify the 'Configure minimum PIN length for startup' (MinimumPIN Length Min:4 Max:20) This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length ... CCE-43546-1 LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, th ... CCE-42995-1 This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC pol ... CCE-44442-2 'Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)' to AES 128-bit This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn ... CCE-44049-5 This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevati ... CCE-43913-3 This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name ... CCE-42459-8 Disable: 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' for Enabled This policy setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. Although ... CCE-41782-4 Disable: 'Allow Standby States (S1-S3) When Sleeping (On Battery)' Dictates whether or not Windows is allowed to use standby states when sleeping the computer. When this policy is enabled, Windows may use standby states to sleep the computer. If this policy is disabled, the only sleep st ... CCE-42496-0 Disable: 'Do not allow password expiration time longer than required by policy' When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password ex ... CCE-43898-6 Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7. Countermeasure: Configure Network security: Allow LocalSystem NULL session fallback to Disabled. Potential Impact: Any applications that require NULL ses ... CCE-43453-0 Disable: 'User Account Control: Admin Approval Mode for the Built-in Administrator account' for FilterAdministratorToken This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: - Enabled: The built-in Administrator account us ... CCE-41597-6 When enabled, this policy setting causes Local System services that use Negotiate to use the computer identity when NTLM authentication is selected by the negotiation. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Countermeasure: Configure Network security: Allo ... CCE-42812-8 Disable: 'Audit: Audit the use of Backup and Restore privilege' for fullprivilegeauditing This policy setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use setting is in effect. If you enable both policies, an audit event will ... CCE-42858-1 Disable: 'User Account Control: Virtualize file and registry write failures to per-user locations' This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and w ... CCE-42075-2 Disable: 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' for ScreenSaverGracePeriod MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Counter Measure: Configure the ... CCE-42264-2 Disable: 'Network access: Sharing and security model for local accounts' for ForceGuest This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of ... CCE-42109-9 Specify the 'Server Authentication Certificate Template' value This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. A certificate is needed to authenticate an RD Sess ... CCE-41475-5 Disable: 'Recovery console: Allow automatic administrative logon' for securitylevel The recovery console is a command-line environment that is used to recover from system problems. If you enable this policy setting, the administrator account is automatically logged on to the recovery console when i ... CCE-41795-6 Specify the 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' value MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Counter Measure: Configure the MSS: (WarningLe ... CCE-42494-5 Specify the 'Password Settings' (PasswordAgeDays: Min:1 Max:365) Configures password parameters Password complexity: which characters are used when generating a new password Default: Large letters + small letters + numbers + special characters Password length Minimum: 8 cha ... CCE-42856-5 This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its computer account password. If you disable this policy setting, the domain member can change its compu ... CCE-44287-1 This policy setting determines the strength of the default discretionary access control list (DACL) for objects. The setting helps secure objects that can be located and shared among processes and its default configuration strengthens the DACL, because it allows users who are not administrators to r ... CCE-41794-9 Disable: 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' for EnableICMPRedirect MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Counter Measure: Configure the MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF ... CCE-43456-3 Disable: 'Enable RPC Endpoint Mapper Client Authentication' This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service p ... CCE-41763-4 Disable: 'System cryptography: Force strong key protection for user keys stored on the computer' for ForceKeyProtection This policy setting determines whether users' private keys (such as their S-MIME keys) require a password to be used. If you configure this policy setting so that users must provi ... CCE-42695-7 Disable: 'MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)' for Hidden MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) Counter Measure: Do not configure the MSS: (Hidden) Hide C ... CCE-43340-9 Disable: 'Shutdown: Allow system to be shut down without having to log on' This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. Microsoft recommends to disab ... CCE-44438-0 'Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507])' to AES 128-bit This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting ... CCE-41676-8 Disable: 'Require a Password When a Computer Wakes (Plugged In)' Specifies whether or not the user is prompted for a password when the system resumes from sleep. Counter Measure: Configure Require a Password When a Computer Wakes (Plugged In) to Enabled. Potential Impact: If you e ... CCE-43276-5 Disable: 'Audit: Audit the access of global system objects' for AuditBaseObjects This policy setting creates a default system access control list (SACL) for system objects such as mutexes (mutual exclusive), events, semaphores, and MS-DOS devices, and causes access to these system objects to be aud ... CCE-43700-4 Disable: 'Always prompt for password upon connection' This policy setting specifies whether Terminal Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Terminal Services, even if they alrea ... CCE-44052-9 Disable: 'Require a Password When a Computer Wakes (On Battery)' Specifies whether or not the user is prompted for a password when the system resumes from sleep. Counter Measure: Configure Require a Password When a Computer Wakes (On Battery) to Enabled. Potential Impact: If you e ... CCE-41874-9 Disable: 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' for DisableIPSourceRouting MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Counter Measure: Configure the MSS: (Disab ... CCE-42221-2 Disable: 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' for SafeDllSearchMode MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Counter Measure: Configure the MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) entry to a value of Enabl ... CCE-41787-3 Disable: 'Accounts: Limit local account use of blank passwords to console logon only' This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local account ... CCE-44305-1 Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting determines whether it is necessary to contact a domain controller to unlock a computer. If you enable this setting, a domain c ... CCE-43744-2 Disable: 'User Account Control: Only elevate executables that are signed and validated' for ValidateAdminCodeSignatures This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can c ... CCE-42220-4 Disable: 'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.' for NoDefaultExempt MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic. Counter Measure: Do not configure the MSS: (NoDefaultExempt) Enable NoDefaultExempt ... CCE-42024-0 Disable: 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' for PerformRouterDiscovery MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Counter Measure: Configure the ... CCE-42314-5 Specify the 'Turn Off the Display (On Battery)' (DCSettingIndex Min:0 Max:4294967295) Specifies the period of inactivity before Windows turns off the display. If you enable this policy, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off th ... CCE-41623-0 Select the 'Enforce drive encryption type on fixed data drives' for FDVEncryptionType to allow_user_to_choose This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type h ... CCE-44292-1 Disable: 'Do not process the run once list' This policy setting causes the run once list, which is the list of programs that Windows Vista runs automatically when it starts, to be ignored. This policy setting differs from the Do not process the legacy run list setting in that programs on this list ... CCE-42589-2 Disable: 'Allow Standby States (S1-S3) When Sleeping (Plugged In)' Dictates whether or not Windows is allowed to use standby states when sleeping the computer. When this policy is enabled, Windows may use standby states to sleep the computer. If this policy is disabled, the only sleep state a c ... CCE-44410-9 Disable: 'Do not allow passwords to be saved' This policy setting helps prevent Terminal Services clients from saving passwords on a computer. Note If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Termi ... CCE-42677-5 Disable: 'Check for the latest virus and spyware definitions on startup' This policy setting allows you to manage whether a check for new virus and spyware definitions will occur immediately after service startup. If you enable this setting, a check for new definitions will occur after service ... CCE-44085-9 Disable: 'Turn off Data Execution Prevention' for Explorer Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. Counter Measure: We recommend that you disable this policy setting unless you have to support legacy busine ... CCE-44180-8 Disable: 'Audit: Shut down system immediately if unable to log security audits' for crashonauditfail This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteri ... CCE-41614-9 Specify the 'MSS: (KeepAliveTime) How often keep-alive packets are sent' in milliseconds for KeepAliveTime MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Counter Measure: Configure the MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds (3 ... CCE-42444-0 'Set time limit for active Remote Desktop Services sessions' to never This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. If you enable this policy setting, you must select the desired ... CCE-43189-0 Disable: 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' for AllowOnlineID Windows 7 and Windows Server 2008 R2 introduce an extension to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decides whether to ... CCE-41998-6 Disable: 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' for DisableIPSourceRouting MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Counter Measure: Configure the MSS: (DisableIPSource ... CCE-42311-1 Disable: 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' for EnableSecureUIAPaths This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location i ... CCE-44238-4 Disable: 'Do not allow drive redirection' This policy setting prevents users from sharing the local drives on their client computers to Terminal Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\TSClient\<driveletter>$ ... CCE-42894-6 Select the 'Set client connection encryption level' to low_level This policy setting specifies whether the computer that is about to host the remote connection will enforce an encryption level for all data sent between it and the client computer for the remote session. Counter Measure: Con ... CCE-41680-0 Disable: 'Windows Firewall: Domain: Logging: Log successful connections' for LogSuccessfulConnections Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the ... CCE-43050-4 Impersonate a client after authentication The policy setting allows programs that run on behalf of a user to impersonate that user (or another specified account) so that they can act on behalf of the user. If this user right is required for this kind of impersonation, an unauthorized user will not ... CCE-41582-8 'Specify the maximum log file size (KB)' (System Log) (Min:1024 Max:2147483647 kb) This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabyte ... CCE-43894-5 Account lockout threshold This policy setting determines the number of failed logon attempts before a lock occurs. Authorized users can lock themselves out of an account by mistyping their password or by remembering it incorrectly, or by changing their password on one computer while logged on to an ... CCE-41581-0 Disable: 'Windows Firewall: Domain: Logging: Log dropped packets' for LogDroppedPackets Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the acti ... CCE-41977-0 Take ownership of files or other objects This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user. When configuring a user right ... CCE-43916-6 Enable: 'Turn off Automatic Download and Install of updates' for AutoDownload Enables or disables the automatic download and installation of app updates. If you enable this setting, the automatic download and installation of app updates is turned off. If you disable this setting, the automa ... CCE-42381-4 Create a pagefile This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer. When configuring a user right in the SCM enter a comma delimited list of acco ... CCE-43655-0 Disable: 'Control System Event Log behavior when the log file reaches its maximum size' This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log an ... CCE-41528-1 Accounts: Guest account status This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system. Note that this setting will have no impact when applied to the domain controller organizational unit v ... CCE-41583-6 Disable: 'Prevent the computer from joining a homegroup' By default, users can add their computer to a homegroup on a home network. If you enable this policy setting, a user on this computer will not be able to add this computer to a homegroup. This setting does not affect other network sharin ... CCE-42069-5 Create symbolic links This policy setting determines which users can create symbolic links. In Windows Vista, existing NTFS file system objects, such as files and folders, can be accessed by referring to a new kind of file system object called a symbolic link. A symbolic link is a pointer (much lik ... CCE-41529-9 Disable: 'Windows Firewall: Private: Apply local firewall rules' for AllowLocalPolicyMerge This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Counter Measure: Disable this setting ... CCE-43535-4 Maximum password age This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for this policy setting is 42 days. Because attackers can ... CCE-44136-0 Profile single process This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if Syst ... CCE-41605-7 Create global objects This policy setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right Users who can create global objects could affect processes that ... CCE-43086-8 Disable: 'Allow remote access to the Plug and Play interface' This policy setting allows you to allow or deny remote access to the Plug and Play interface. If you enable this policy setting, remote connections to the Plug and Play interface are allowed. If you disable or do not c ... CCE-42398-8 Specify the 'Windows Firewall: Private: Logging: Size limit (KB)' for LogFileSize Use this option to specify the size limit of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to "16384". Potential Impact: The log fi ... CCE-41729-5 Disable: 'Windows Firewall: Private: Outbound connections' for DefaultOutboundAction This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. ... CCE-42703-9 Change the time zone This setting determines which users can change the time zone of the computer. This ability holds no great danger for the computer and may be useful for mobile workers. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either loc ... CCE-41585-1 Specify the 'Windows Firewall: Public: Logging: Size limit (KB)' for LogFileSize Use this option to specify the size limit of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to "16384". Potential Impact: The log fil ... CCE-44168-3 Disable: 'Allow user control over installs' This policy setting permits users to change installation options that typically are available only to system administrators. If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations t ... CCE-43269-0 Disable: 'Allow users to pause scan' This policy setting allows you to manage whether or not end users can pause a scan in progress. If you enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan. If you disable this ... CCE-43027-2 Disable: 'Windows Firewall: Domain: Outbound connections' for DefaultOutboundAction This setting determines the behavior for outbound connections that do not match an outbound firewall rule. In Windows Vista, the default behavior is to allow connections unless there are firewall rules that block th ... CCE-42987-8 Disable: 'Windows Firewall: Private: Allow unicast response' for DisableUnicastResponsesToMulticastBroadcast This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. Counter Measure: Disable this setting ... CCE-43018-1 Disable: 'Windows Firewall: Private: Inbound connections' for DefaultInboundAction This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Coun ... CCE-44263-2 Disable: 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' This policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box. This policy setting works in conjunction with the following Do ... CCE-43249-2 Create a token object This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can ... CCE-44177-4 Disable: 'Windows Firewall: Domain: Display a notification' for DisableNotifications Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note When the Apply local firewall rules sett ... CCE-41806-1 Access this computer from the network This policy setting allows other users on the network to connect to the computer and is required by various network protocols that include Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus ( ... CCE-41651-1 Disable: 'Windows Firewall: Domain: Allow unicast response' This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. Counter Measure: Disable this setting to prevent the client from receiving unicast resp ... CCE-43884-6 Disable: 'Windows Firewall: Public: Logging: Log successful connections' for LogSuccessfulConnections Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the ... CCE-42395-4 Disable: 'Turn off downloading of print drivers over HTTP' This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over H ... CCE-42549-6 Disable: 'Turn off Automatic Download and Update of Map Data' Enables or disables the automatic download and update of map data. If you enable this setting the automatic download and update of map data is turned off. If you disable this setting the automatic download and update of map data ... CCE-43410-0 Disable: 'Check for the latest virus and spyware definitions before running a scheduled scan' This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan. This setting applies to scheduled scans as well as the command line "mp ... CCE-44230-1 Disable: 'Windows Firewall: Private: Logging: Log successful connections' Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. ... CCE-44284-8 Shut down the system This policy setting determines which users who are logged on locally to the computers in your environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition. When configuring a user right in the ... CCE-44370-5 Log on as a service This policy setting allows accounts to launch network services or to register a process as a service running on the system. This user right should be restricted on any computer in a high security environment, but because many applications may require this privilege, it should be ... CCE-43615-4 Log on as a batch job This policy setting allows accounts to log on using the task scheduler service. Because the task scheduler is often used for administrative purposes, it may be needed in enterprise environments. However, its use should be restricted in high security environments to prevent mis ... CCE-42344-2 Disable: 'Windows Firewall: Public: Display a notification' for DisableNotifications Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note When the Apply local firewall rules sett ... CCE-43472-0 Disable: 'Control Event Log behavior when the log file reaches its maximum size' for Retention This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the ... CCE-42562-9 Disable: 'Windows Firewall: Public: Allow unicast response' This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. Counter Measure: Disable this setting to prevent the client from receiving unicast resp ... CCE-43253-4 Disable: 'Configure local setting override for scheduled scan time' This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group ... CCE-43011-6 Change the system time This policy setting determines which users and groups can change the time and date on the internal clock of the computers in your environment. Users who are assigned this user right can affect the appearance of event logs. When a computer's time setting is changed, logged eve ... CCE-43144-5 Disable: 'Windows Firewall: Private: Apply local connection security rules' for AllowLocalIPsecPolicyMerge This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. Counter M ... CCE-44380-4 Disable: 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choice in the Shut Down Windows dialog. Note that this policy setting h ... CCE-44161-8 Disable: 'Allow antimalware service to remain running always' This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware definitions are disabled. It is recommended that this setting remain disabled. If you enable this setti ... CCE-41972-1 'Specify the maximum log file size (KB) (Application Log)' for MaxSize (Min:1024 Max:2147483647 kb) This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobyte ... CCE-42670-0 Disable: 'Turn off location' This policy setting turns off the location feature for this computer. If you enable this policy setting, the location feature will be turned off, and all programs on this computer will not be able to use location information from the location feature. ... CCE-42847-4 Force shutdown from a remote system This policy setting allows users to shut down Windows Vista-based computers from remote locations on the network. Anyone who has been assigned this user right can cause a denial of service (DoS) condition, which would make the computer unavailable to service user ... CCE-41566-1 Generate security audits This policy setting determines which users or processes can generate audit records in the Security log. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users ... CCE-44150-1 Specify the 'Windows Firewall: Domain: Logging: Size limit (KB)' Use this option to specify the size limit of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to "16384". Potential Impact: The log file size will be l ... CCE-43606-3 Disable: 'Allow all trusted apps to install' This policy setting allows you to manage the installation of app packages that do not originate from the Windows Store. If you enable this policy setting, you can install any trusted app package. A trusted app package is one that is signed with a cer ... CCE-43389-6 Disable: 'Turn off the Windows Messenger Customer Experience Improvement Program' This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Counter Measure: Enable this policy setting to ensure th ... CCE-42826-8 Disable: 'Windows Firewall: Domain: Logging: Name' for LogFilePath Use this option to specify the path and name of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to a value suitable for your organization, such as the defaul ... CCE-41654-5 Disable: 'Windows Firewall: Public: Apply local firewall rules' for AllowLocalPolicyMerge This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Counter Measure: Disable this setting ... CCE-43619-6 Disable: 'Enumerate administrator accounts on elevation' By default, all administrator accounts are displayed when you attempt to elevate a running application. Counter Measure: Enable this policy. Potential Impact: If you enable this policy setting, all local administrator accoun ... CCE-44295-4 Modify firmware environment values This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration. Modification of these values and could lead to a hardware failure tha ... CCE-43331-8 Adjust memory quotas for a process This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial of service (DoS) ... CCE-41974-7 Manage auditing and security log This policy setting determines which users can change the auditing options for files and directories and clear the Security log. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Dir ... CCE-42872-2 Password must meet complexity requirements This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain the user's account name or parts of the user's ... CCE-43826-7 Disable: 'Turn off the 'Publish to Web' task for files and folders' for NoPublishingWizard This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows fold ... CCE-41646-1 Disable: 'Windows Firewall: Domain: Apply local connection security rules' This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. Counter Measure: Disable this setting ... CCE-42533-0 Specify the 'Minimum PIN length' (MinimumPINLength Min:4 Max:127) Minimum PIN length configures the minimum number of characters required for the work PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configure ... CCE-44171-7 Disable: 'Turn off printing over HTTP' This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. Counter Measure: Enable this setting to prevent users from submitting p ... CCE-41611-5 Disable: 'Windows Firewall: Public: Inbound connections' This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Counter Measure: Configure ... CCE-43848-1 Select the 'Turn off Autoplay' for NoDriveTypeAutoRun to cd-rom_and_removable_media_drives Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a prog ... CCE-42100-8 Disable: 'Windows Firewall: Domain: Inbound connections' for DefaultInboundAction This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Count ... CCE-42313-7 Disable: 'Turn off Search Companion content file updates' This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. Counter Measure: Configure this policy setting to Enabled to prevent Search Companion from down ... CCE-42631-2 Disable: 'Windows Firewall: Domain: Apply local firewall rules' for AllowLocalPolicyMerge This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Counter Measure: Disable this setting ... CCE-42048-9 Disable: 'Windows Firewall: Private: Logging: Log dropped packets' for LogDroppedPackets Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the act ... CCE-41527-3 Disable: 'Windows Firewall: Private: Display a notification' for DisableNotifications Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note When the Apply local firewall rules set ... CCE-41679-2 Minimum password length This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps 'pass phrase' is a better term than 'password.' In Mic ... CCE-41482-1 Disable: 'Turn off Windows Location Provider' This policy setting turns off the Windows Location Provider feature for this computer. If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the ... CCE-42971-2 Disable: 'Windows Firewall: Public: Logging: Log dropped packets' for LogDroppedPackets Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the acti ... CCE-41953-1 Minimum password age This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this sett ... CCE-44018-0 Specify the 'Windows Firewall: Private: Logging: Name' for LogFilePath Use this option to specify the path and name of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to a value suitable for your organization, such as the de ... CCE-43659-2 Specify the 'Windows Firewall: Public: Logging: Name' for LogFilePath Use this option to specify the path and name of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to a value suitable for your organization, such as the def ... CCE-41832-7 Allow log on through Remote Desktop Services This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. If your organization uses Remote Assistance as part of its help desk strategy, create a group and a ... CCE-41501-8 Select the 'Set the default behavior for AutoRun' to do_not_execute_any_autorun_commands This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. ... CCE-42136-2 Enforce password history This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwor ... CCE-44312-7 Disable: 'Allow Remote Shell Access' This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. Counter Measure: Configure Allow Remote Shell Access to Disabled. Potential Impact: If you enable this policy setti ... CCE-44192-3 Debug programs This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. Developers who are debugging their own applications do not need to be ass ... CCE-44139-4 Disable: 'Control Security Event Log behavior when the log file reaches its maximum size' This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log ... CCE-43407-6 Disable: 'Windows Firewall: Public: Outbound connections' for DefaultOutboundAction This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. ... CCE-42675-9 Disable: 'Turn off the offer to update to the latest version of Windows' Enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. If you disable or do not config ... CCE-43184-1 Disable: 'Microsoft network server: Disconnect clients when logon hours expire' for enableforcedlogoff This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. It affects the SMB component. If you enable this ... CCE-43468-8 Select the 'Devices: Allowed to format and eject removable media' to administrators_only This policy setting determines who is allowed to format and eject removable media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another comput ... CCE-43671-7 Disable: 'User Account Control: Behavior of the elevation prompt for standard users' for ConsentPromptBehaviorUser This policy setting controls the behavior of the elevation prompt for standard users. The options are: - Prompt for credentials: When an operation requires elevation of privile ... CCE-43657-6 Disable: 'Network security: Do not store LAN Manager hash value on next password change' for NoLMHash This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to th ... CCE-43648-5 Replace a process level token This policy setting allows one process or service to start another service or process with a different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges. When configuring a user ... CCE-43921-6 This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most co ... CCE-43381-3 Perform volume maintenance tasks This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial-of-service condition. When configuring a user right in the SCM enter a comma delimited list of ... CCE-42840-9 Load and unload device drivers This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this capability to install malicious code that appears to be a device driver. This user right is required for users to add local printers or printer ... CCE-43854-9 Deny log on locally This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.Important:If you apply this security policy to the Everyone group, no one ... CCE-43438-1 Back up files and directories This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programmin ... CCE-42775-7 Disable: 'Always install with elevated privileges' Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (of ... CCE-44027-1 This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Di ... CCE-41474-8 Disable: 'Domain member: Require strong (Windows 2000 or later) session key' for requirestrongkey When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enab ... CCE-43458-9 Disable: 'Network security: LDAP client signing requirements' for LDAPClientIntegrity This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests, as follows: - None. The LDAP BIND request is issued with the caller-specified opti ... CCE-42010-9 Specify the 'Network access: Remotely accessible registry paths' for Machine This policy setting determines which registry paths will be accessible after referencing the WinReg key to determine access permissions to the paths. Note: This setting does not exist in Windows XP. There was a setting ... CCE-42160-2 Specify the 'Network access: Remotely accessible registry paths and sub-paths' for Machine This policy setting determines which registry paths and sub-paths will be accessible when an application or process references the WinReg key to determine access permissions. Note: In Windows XP this sett ... CCE-41948-1 Disable: 'Network access: Let Everyone permissions apply to anonymous users' for EveryoneIncludesAnonymous This policy setting determines what additional permissions are assigned for anonymous connections to the computer. If you enable this policy setting, anonymous Windows users are allowed to per ... CCE-41574-5 Disable: 'Interactive logon: Do not display last user name' for DontDisplayLastUserName This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this p ... CCE-42253-5 Disable: 'Microsoft network client: Digitally sign communications (if server agrees)' This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. The implementation of digital signing in Windows-based networks helps to prevent sessions from being hijacked. If ... CCE-44361-4 Specify the 'Microsoft network server: Amount of idle time required before suspending session' (Mins) This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this poli ... CCE-41772-5 Disable: 'Allow users to connect remotely by using Remote Desktop Services' This policy setting allows you to configure remote access to computers by using Remote Desktop Services. If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer ... CCE-43105-6 Disable: 'Network access: Restrict anonymous access to Named Pipes and Shares' for restrictnullsessaccess When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access ... CCE-43517-2 Disable: 'Network access: Do not allow anonymous enumeration of SAM accounts' for RestrictAnonymousSAM This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections ca ... CCE-42781-5 Disable: 'Interactive logon: Do not require CTRL+ALT+DEL' This policy setting determines whether users must press CTRL+ALT+DEL before they log on. If you enable this policy setting, users can log on without this key combination. If you disable this policy setting, users must press CTRL+ALT+DEL befo ... CCE-41557-0 Disable: 'Microsoft network client: Send unencrypted password to third-party SMB servers' for EnablePlainTextPassword Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to third-party SMB servers that do not support password encryption. ... CCE-41773-3 Disable: 'Domain member: Digitally sign secure channel data (when possible)' for signsecurechannel This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic ... CCE-43628-7 Disable: 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' for RestrictAnonymous This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate do ... CCE-41840-0 Disable: 'Microsoft network client: Digitally sign communications (always)' for RequireSecuritySignature This policy setting determines whether packet signing is required by the SMB client component. If you enable this policy setting, the Microsoft network client computer cannot communicate with a ... CCE-42900-1 Disable: 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' for scenoapplylegacyauditpolicy This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy se ... CCE-42134-7 Disable: 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' for NTLMMinClientSec This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications t ... CCE-41504-2 Disable: 'Interactive logon: Prompt user to change password before expiration' for passwordexpirywarning This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently warn us ... CCE-42884-7 Disable: 'Microsoft network server: Digitally sign communications (always)' for requiresecuritysignature This policy setting determines if the server side SMB service is required to perform SMB packet signing. Enable this policy setting in a mixed environment to prevent downstream clients from usin ... CCE-42434-1 Disable: 'Accounts: Block Microsoft accounts' This policy setting prevents users from adding new Microsoft accounts on this computer. If you select the "Users can't add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account t ... CCE-41855-8 Disable: 'System objects: Require case insensitivity for non-Windows subsystems' This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as t ... CCE-41710-5 Domain member: Maximum machine account password age This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly or set it to 0 so that the ... CCE-43236-9 Disable: 'Windows Firewall: Domain: Firewall state' for EnableFirewall Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rul ... CCE-42867-2 Disable: 'No auto-restart with logged on users for scheduled automatic updates installations' This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. If you enable the No auto-resta ... CCE-42914-2 Disable: 'Windows Firewall: Private: Firewall state' for EnableFirewall Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall ru ... CCE-42837-5 Disable: 'Windows Firewall: Public: Firewall state' for EnableFirewall Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rul ... CCE-42970-4 Accounts: Rename administrator account The built-in local administrator account is a well-known account name that attackers will target. Microsoft recommends to choose another name for this account, and to avoid names that denote administrative or elevated access accounts. Be sure to also change th ... CCE-43078-5 Accounts: Rename guest account The built-in local guest account is another well-known name to attackers. Microsoft recommends to rename this account to something that does not indicate its purpose. Even if you disable this account, which is recommended, ensure that you rename it for added security. ... CCE-43748-3 Account lockout duration This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy sett ... |
