Download
| Alert*
|
CCE-24863-3
The startup type of the IPSEC (IPsec Policy Agent) service should be correct. CCE-24639-7 The 'Windows Firewall: Domain: Apply local firewall rules' setting should be configured correctly. CCE-23587-9 Domain controller: LDAP server signing requirements CCE-24134-9 The 'User Account Control: Admin Approval Mode for the Built-in Administrator account' setting should be configured correctly. CCE-24243-8 This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its computer account password. If you disable this policy setting, the domain member can change its compu ... CCE-23794-1 The Windows Audio service should be enabled or disabled as appropriate. CCE-23880-8 The 'User Account Control: Only elevate executables that are signed and validated' setting should be configured correctly. CCE-24993-8 The "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" setting should be configured correctly. CCE-22918-7 Auditing of 'Logon-Logoff: Network Policy Server' events on failure should be enabled or disabled as appropriate. CCE-25607-3 Windows Firewall: Private: Outbound connections CCE-25455-7 The 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly. CCE-25585-1 The 'Take ownership of files or other objects' user right should be assigned to the appropriate accounts. CCE-24632-2 The "Change the time zone" user right should be assigned to the appropriate accounts. CCE-24939-1 This policy setting determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. It enables or disables certificate rules (a type of software restriction policies rule). With soft ... CCE-23820-4 IIS Admin Service CCE-25202-3 The 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly. CCE-24572-0 Specify the maximum log file size (KB) CCE-24583-7 Control Event Log behavior when the log file reaches its maximum size CCE-24000-2 The Distributed Transaction Coordinator service should be enabled or disabled as appropriate. CCE-23892-3 Windows Firewall: Public: Outbound connections CCE-24231-3 The "User Account Control: Virtualize file and registry write failures to per-user locations" setting should be configured correctly. CCE-23782-6 Control Event Log behavior when the log file reaches its maximum size CCE-23998-8 The "Require a Password When a Computer Wakes (On Battery)" machine setting should be configured correctly. CCE-24851-8 The 'Do not process the run once list' setting should be configured correctly. CCE-24738-7 The 'Windows Firewall: Private: Apply local connection security rules' setting should be configured correctly. CCE-24216-4 LPD Service CCE-24927-6 The "MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)" setting should be configured correctly. CCE-25274-2 The 'Recovery console: Allow floppy copy and access to all drives and all folders' setting should be configured correctly. CCE-25213-0 Windows Firewall: Domain: Display a notification CCE-25297-3 The Application Layer Gateway Service should be enabled or disabled as appropriate. CCE-25043-1 The 'Act as part of the operating system' user right should be assigned to the appropriate accounts. CCE-24277-6 Specify the maximum log file size (KB) CCE-25176-9 The "Devices: Prevent users from installing printer drivers" setting should be configured correctly. CCE-23646-3 Control Event Log behavior when the log file reaches its maximum size CCE-23010-2 The startup type of the Network Connections service should be correct. CCE-23900-4 Windows Firewall: Public: Display a notification CCE-24490-5 Remote Access Auto Connection Manager CCE-24452-5 The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly. CCE-23716-4 The 'Microsoft network server: Digitally sign communications (always)' setting should be configured correctly. CCE-23610-9 The startup type of the Remote Procedure Call (RPC) Locator service should be correct. CCE-24682-7 The 'Modify an object label' user right should be assigned to the appropriate accounts. CCE-24498-8 This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name ... CCE-24633-0 This policy setting determines the strength of the default discretionary access control list (DACL) for objects. The setting helps secure objects that can be located and shared among processes and its default configuration strengthens the DACL, because it allows users who are not administrators to r ... CCE-24938-3 The 'Access this computer from the network' user right should be assigned to the appropriate accounts. CCE-23117-5 The 'Deny log on as a service' user right should be assigned to the appropriate accounts. CCE-24414-5 This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member will request encryption of all secure channel traffic. If you disable this policy setting, the domain m ... CCE-23656-2 The 'User Account Control: Switch to the secure desktop when prompting for elevation' setting should be configured correctly. CCE-23825-3 Microsoft Software Shadow Copy Provider CCE-24550-6 The 'Remove computer from docking station' user right should be assigned to the appropriate accounts. CCE-25112-4 The 'Adjust memory quotas for a process' user right should be assigned to the appropriate accounts. CCE-23972-3 The 'Create a pagefile' user right should be assigned to the appropriate accounts. CCE-25271-8 The 'Bypass traverse checking' user right should be assigned to the appropriate accounts. CCE-22742-1 The 'Network access: Sharing and security model for local accounts' setting should be configured correctly. CCE-24185-1 The 'Change the system time' user right should be assigned to the appropriate accounts. CCE-25487-0 Set the default behavior for AutoRun CCE-25305-4 Domain controller: Allow server operators to schedule tasks CCE-24162-0 The 'Increase a process working set' user right should be assigned to the appropriate accounts. CCE-25208-0 The Windows Time service should be enabled or disabled as appropriate. CCE-23500-2 The 'Shut down the system' user right should be assigned to the appropriate accounts. CCE-25246-0 The startup type of the Remote Procedure Call (RPC) service should be correct. CCE-25491-2 The Secondary Logon service should be enabled or disabled as appropriate. CCE-23402-1 The Themes service should be enabled or disabled as appropriate. CCE-23486-4 Windows Firewall: Private: Inbound connections CCE-24048-1 The 'Generate security audits' user right should be assigned to the appropriate accounts. CCE-25234-6 The Volume Shadow Copy service should be enabled or disabled as appropriate. CCE-23353-6 The "Turn Off Access to All Windows Update Feature" setting should be configured correctly. CCE-24940-9 The "Leave Windows Installer and Group Policy Software Installation Data" machine setting should be configured correctly. CCE-23462-5 The "MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)" setting should be configured correctly. CCE-23921-0 The "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" setting should be configured correctly. CCE-25228-8 The 'Allow log on locally' user right should be assigned to the appropriate accounts. CCE-24477-2 The 'Impersonate a client after authentication' user right should be assigned to the appropriate accounts. CCE-24650-4 LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, th ... CCE-24936-7 Windows Firewall: Domain: Outbound connections CCE-23846-9 The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host should be assigned. CCE-24839-3 Windows Firewall: Public: Inbound connections CCE-24043-2 Extensible Authentication Protocol CCE-23811-3 The "Set time limit for active Remote Desktop Services sessions" machine setting should be configured correctly. CCE-24696-7 System Event Notification Service CCE-22975-7 The Application Management service should be enabled or disabled as appropriate. CCE-23666-1 The Smart Card service should be enabled or disabled as appropriate. CCE-25110-8 The 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' setting should be configured correctly. CCE-23968-1 The startup type of the SNMP Trap Service service should be correct. CCE-24470-7 The 'Recovery console: Allow automatic administrative logon' setting should be configured correctly. CCE-25058-9 The "Netlogon share compatibility" machine setting should be configured correctly. CCE-23386-6 The 'Log on as a batch job' user right should be assigned to the appropriate accounts. CCE-24152-1 Restrict Unauthenticated RPC clients CCE-23271-0 Add workstations to domain CCE-25589-3 The 'Accounts: Limit local account use of blank passwords to console logon only' setting should be configured correctly. CCE-25100-9 The 'Shutdown: Allow system to be shut down without having to log on' setting should be configured correctly. CCE-23653-9 This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC pol ... CCE-24564-7 The 'Network access: Restrict anonymous access to Named Pipes and Shares' setting should be configured correctly. CCE-25111-6 Windows Firewall: Public: Allow unicast response CCE-24624-9 Windows Firewall: Private: Allow unicast response CCE-23850-1 The 'Create global objects' user right should be assigned to the appropriate accounts. CCE-24549-8 The 'Create symbolic links' user right should be assigned to the appropriate accounts. CCE-25009-2 Internet Connection Sharing (ICS) CCE-24148-9 The 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly. CCE-23359-3 The Cryptographic Services service should be enabled or disabled as appropriate. CCE-25531-5 Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7. Countermeasure: Configure Network security: Allow LocalSystem NULL session fallback to Disabled. Potential Impact: Any applications that require NULL ses ... CCE-24734-6 The 'Force shutdown from a remote system' user right should be assigned to the appropriate accounts. CCE-25120-7 The "Shutdown: Clear virtual memory pagefile" setting should be configured correctly. CCE-23295-9 This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevati ... CCE-24264-4 The 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' setting should be configured correctly. CCE-23988-9 The 'Audit: Shut down system immediately if unable to log security audits' setting should be configured correctly. CCE-23174-6 The startup type of the TCP/IP NetBIOS Helper service should be correct. CCE-22773-6 The 'Windows Firewall: Public: Apply local connection security rules' setting should be configured correctly. CCE-23844-4 The 'Profile single process' user right should be assigned to the appropriate accounts. CCE-25799-8 The startup type of the Windows Management Instrumentation Driver Extensions service should be correct. CCE-24663-7 The 'Windows Firewall: Private: Apply local firewall rules' setting should be configured correctly. CCE-25471-4 The "User Account Control: Only elevate UIAccess applications that are installed in secure locations" setting should be configured correctly. CCE-25264-3 The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' setting should be enabled or disabled as appropriate. CCE-24911-0 The 'Increase scheduling priority' user right should be assigned to the appropriate accounts. CCE-25358-3 Windows Event Log CCE-25508-3 When enabled, this policy setting causes Local System services that use Negotiate to use the computer identity when NTLM authentication is selected by the negotiation. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Countermeasure: Configure Network security: Allo ... CCE-23698-4 The "Require a Password When a Computer Wakes (Plugged In)" machine setting should be configured correctly. CCE-24894-8 The Distributed Link Tracking Client service should be enabled or disabled as appropriate. CCE-24810-4 The 'Windows Firewall: Public: Apply local firewall rules' setting should be configured correctly. CCE-25534-9 The 'Windows Firewall: Domain: Apply local connection security rules' setting should be configured correctly. CCE-23878-2 The "Turn off Autoplay for non-volume devices" setting should be configured correctly. CCE-24406-1 The 'Allow log on through Remote Desktop Services' user right should be assigned to the appropriate accounts. CCE-23991-3 The startup type of the DHCP Client service should be correct. CCE-24712-2 The startup type of the Security Accounts Manager service should be correct. CCE-23456-7 The 'Manage auditing and security log' user right should be assigned to the appropriate accounts. CCE-24968-0 The "MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)" setting should be configured correctly. CCE-23603-4 The correct service permissions for the Remote Registry service should be assigned. CCE-25643-8 Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting determines whether it is necessary to contact a domain controller to unlock a computer. If you enable this setting, a domain c ... CCE-24907-8 Windows Firewall: Private: Display a notification CCE-24154-7 The 'Interactive logon: Smart card removal behavior' setting should be configured correctly. CCE-24411-1 Specify the maximum log file size (KB) CCE-24883-1 The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony should be assigned. CCE-25359-1 Windows Firewall: Domain: Allow unicast response CCE-25072-0 The startup type of the client-side Domain Name Service cache (aka DNS Client) service should be correct. CCE-25215-5 The 'Deny log on as a batch job' user right should be assigned to the appropriate accounts. CCE-25533-1 The 'Modify firmware environment values' user right should be assigned to the appropriate accounts. CCE-25408-6 The "Synchronize directory service data" setting should be configured correctly. CCE-23939-2 The 'Create a token object' user right should be assigned to the appropriate accounts. CCE-24188-5 The 'Deny access to this computer from the network' user right should be assigned to the appropriate accounts. CCE-23648-9 The 'Debug programs' user right should be assigned to the appropriate accounts. CCE-24808-8 Windows Firewall: Domain: Inbound connections CCE-24150-5 The "Network security: Do not store LAN Manager hash value on next password change" setting should be configured correctly. CCE-25217-1 The "Devices: Allowed to format and eject removable media" setting should be configured correctly. CCE-24519-1 The 'User Account Control: Behavior of the elevation prompt for standard users' setting should be configured correctly. CCE-25070-4 The 'Perform volume maintenance tasks' user right should be assigned to the appropriate accounts. CCE-23877-4 This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most co ... CCE-23919-4 The "Always install with elevated privileges" machine setting should be configured correctly. CCE-24779-1 The 'Load and unload device drivers' user right should be assigned to the appropriate accounts. CCE-25380-7 The 'Back up files and directories' user right should be assigned to the appropriate accounts. CCE-25270-0 The 'Enable computer and user accounts to be trusted for delegation' user right should be assigned to the appropriate accounts. CCE-23829-5 The 'Lock pages in memory' user right should be assigned to the appropriate accounts. CCE-24555-5 The 'Replace a process level token' user right should be assigned to the appropriate accounts. CCE-23723-0 The 'Create permanent shared objects' user right should be assigned to the appropriate accounts. CCE-24460-8 The 'Deny log on locally' user right should be assigned to the appropriate accounts. CCE-25518-2 The 'Restore files and directories' user right should be assigned to the appropriate accounts. CCE-24740-3 The "Microsoft network client: Digitally sign communications (if server agrees)" setting should be configured correctly. CCE-23082-1 The "Network access: Do not allow anonymous enumeration of SAM accounts and shares" setting should be configured correctly. CCE-25198-3 The 'Domain member: Require strong (Windows 2000 or later) session key' setting should be configured correctly. CCE-25466-4 The 'Network access: Named Pipes that can be accessed anonymously' setting should be configured correctly. CCE-24812-0 The "Domain member: Digitally sign secure channel data (when possible)" setting should be configured correctly. CCE-25803-8 The 'Interactive logon: Do not require CTRL+ALT+DEL' setting should be configured correctly. CCE-23704-0 The "Interactive logon: Prompt user to change password before expiration" setting should be configured correctly. CCE-24354-3 This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Di ... CCE-24465-7 The 'Domain member: Digitally encrypt or sign secure channel data (always)' setting should be configured correctly. CCE-24783-3 The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' setting should be enabled or disabled as appropriate. CCE-23615-8 Windows Firewall: Private: Firewall state CCE-24870-8 The 'System objects: Require case insensitivity for non-Windows subsystems' setting should be configured correctly. CCE-24969-8 The 'Microsoft network client: Digitally sign communications (always)' setting should be configured correctly. CCE-25350-0 Windows Firewall: Domain: Firewall state CCE-23807-1 The 'Network access: Let Everyone permissions apply to anonymous users' setting should be configured correctly. CCE-24252-9 The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" setting should be configured correctly. CCE-24748-6 The "Interactive logon: Do not display last user name" setting should be configured correctly. CCE-25245-2 The 'Network security: LDAP client signing requirements' setting should be configured correctly. CCE-23897-2 The 'Microsoft network server: Amount of idle time required before suspending session' setting should be configured correctly. CCE-24774-2 The "Network access: Do not allow anonymous enumeration of SAM accounts and shares" setting should be configured correctly. CCE-24751-0 The "Microsoft network client: Send unencrypted password to third-party SMB servers" setting should be configured correctly. |
