CCE-3055-1
The log file size limit for the Windows Firewall should be configured correctly for the Standard Profile.

CCE-2906-6
Auditing of "account management" events on failure should be enabled or disabled as appropriate.

CCE-4390-1
Prompt for password on resume from hibernate/suspend should be set correctly.

CCE-3176-5
Domain Profile: Allow UPnP framework exception (SP2 only)

CCE-2808-4
The "Remote Control Settings" policy should be set correctly for Terminal Services.

CCE-2293-9
The "Enable User to Patch Elevated Products" policy should be set correctly.

CCE-3247-4
Domain Profile: Allow file and printer sharing exception (SP2 only)

CCE-3066-8
Dr. Watson Crash Dumps should be properly configured.

CCE-3274-8
The TCP/IP NetBIOS Helper service should be enabled or disabled as appropriate.

CCE-2764-9
The "Screen Saver Timeout" setting should be configured correctly for the default user.

CCE-3103-9
Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Standard Profile.

CCE-3141-9
Domain Profile: Allow ICMP exceptions (SP2 only)

CCE-2100-6
Auditing of "logon" events on success should be enabled or disabled as appropriate.

CCE-3213-6
Standard Profile: Allow Remote Desktop exception (SP2 only)

CCE-2643-5
The "Anonymous access to the security event log" policy should be set correctly.

CCE-3284-7
Standard Profile: Protect all network connections (SP2 only)

CCE-2862-1
Membership in the Power Users group should be assigned to the appropriate accounts.

CCE-3114-6
The permitted number of TCP/IP Maximum Retried Half-open Sockets should be set correctly.

CCE-3198-9
The "Windows Firewall: Prohibit notifications" setting should be configured correctly for the Domain Profile.

CCE-3092-4
Always Wait for the Network at Computer Startup and Logon should be properly configured.

CCE-3258-1
Domain Profile: Allow local port exceptions (SP2 only)

CCE-2472-9
The "Message text for users attempting to log on" policy should be set correctly.

CCE-8374-1
CD Burning features in Windows Explorer should be enabled or disabled as appropriate.

CCE-2933-0
Auditing of "directory service access" events on success should be enabled or disabled as appropriate.

CCE-2956-1
RPC Endpoint Mapper Client Authentication (SP2 only)

CCE-2336-6
The "when maximum log size is reached" property should be set correctly for the Security log.

CCE-2971-0
Auditing of "policy change" events on success should be enabled or disabled as appropriate.

CCE-2896-9
The startup type of the NetMeeting Remote Desktop Sharing service should be correct.

CCE-3136-9
Membership in the Remote Desktop Users group should be assigned to the appropriate accounts.

CCE-2343-2
Auditing of "logon" events on failure should be enabled or disabled as appropriate.

CCE-2573-4
The "Message title for users attempting to log on" policy should be set correctly.

CCE-2777-1
The "when maximum log size is reached" property should be set correctly for the System log.

CCE-3151-8
The "Secure Channel: Require Strong (Windows 2000 or later) Session Key" policy should be set correctly.

CCE-2961-1
The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services.

CCE-3174-0
The log file path and name for the Windows Firewall should be configured correctly for the Standard Profile.

CCE-1840-8
The required auditing for the registry key HKEY_LOCAL_MACHINE\SYSTEM should be enabled.

CCE-3124-5
The "Set time limit for idle sessions" policy should be set correctly for Terminal Services.

CCE-2354-9
The "Limit Users to One Remote Session" policy should be set correctly for Terminal Services.

CCE-2851-4
The "Shut Down system immediately if unable to log security audits" policy should be set correctly.

CCE-3304-3
Domain Profile: Allow Remote Desktop exception (SP2 only)

CCE-2776-3
Automatic Logon should be properly configured.

CCE-2693-0
The security log maximum size should be configured correctly.

CCE-3014-8
The "when maximum log size is reached" property should be set correctly for the Application log.

CCE-2890-2
The "Anonymous access to the system event log" policy should be set correctly.

CCE-2996-7
The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly.

CCE-2682-3
The required auditing for %SystemDrive% directory should be enabled.

CCE-2925-6
CD-ROM Autorun should be properly configured.

CCE-4838-9
The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly.

CCE-3157-5
The amount of idle time required before disconnecting a session should be set correctly.

CCE-3119-5
The "Anonymous access to the application event log" policy should be set correctly.

CCE-2794-6
The "restrict guest access to security log" policy should be set correctly.

CCE-2345-7
The "restrict guest access to system log" policy should be set correctly.

CCE-3134-4
The "Windows Firewall: Prohibit notifications" setting should be configured correctly for the Standard Profile.

CCE-3097-3
The "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly.

CCE-2259-0
Auditing of "object access" events on success should be enabled or disabled as appropriate.

CCE-7528-3
The "Configure Automatic Updates" setting should be configured correctly.

CCE-2913-2
Auditing of "privilege use" events on success should be enabled or disabled as appropriate.

CCE-2959-5
The "Terminate session when time limits are reached" policy should be set correctly for Terminal Services.

CCE-2707-8
The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Standard Profile.

CCE-4262-2
The "Prevent IIS Installation" setting should be configured correctly.

CCE-3085-8
The "Unsigned Driver Installation Behavior" policy should be set correctly.

CCE-3012-2
The "Allow Unsolicited Remote Assistance" policy should be set correctly for Terminal Services.

CCE-3179-9
Standard Profile: Do not allow exceptions (SP2 only)

CCE-3280-5
The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Standard Profile.

CCE-3194-8
Domain Profile: Do not allow exceptions (SP2 only)

CCE-2828-2
Domain Profile: Allow local program exceptions

CCE-2559-3
The TCP/IP KeepAlive Time should be set correctly.

CCE-2116-2
The "restrict guest access to application log" policy should be set correctly.

CCE-2866-2
Domain Profile: Define port exceptions (SP2 only)

CCE-2889-4
The "store password using reversible encryption for all users in the domain" policy should be set correctly.

CCE-5025-2
The "Prohibit non-administrators from applying vendor signed updates" setting should be configured correctly.

CCE-3000-7
The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly.

CCE-2453-9
The permitted number of TCP/IP Maximum Half-open Sockets should be set correctly.

CCE-3129-4
The "Limit Number of Connections" policy should be set correctly for Terminal Services.

CCE-4849-6
The "Do not allow passwords to be saved" setting should be configured correctly for Terminal Services.

CCE-2816-7
Auditing of "process tracking" events on success should be enabled or disabled as appropriate.

CCE-3084-1
The "Use FIPS compliant algorithms for encryption, hashing, and signing" policy should be set correctly.

CCE-2476-0
Domain Profile: Allow remote administration

CCE-3231-8
Standard Profile: Define port exceptions (SP2 only)

CCE-2904-1
The application log maximum size should be configured correctly.

CCE-2174-1
The screen saver should be enabled or disabled as appropriate for the current user.

CCE-3011-4
The "Enable User to Use Media Source While Elevated" policy should be set correctly.

CCE-3117-9
The "Prevent Codec Download" policy should be set correctly for Windows Media Player.

CCE-2980-1
The "Screen Saver Timeout" setting should be configured correctly for the current user.

CCE-2796-1
The required auditing for the registry key HKEY_LOCAL_MACHINE\SOFTWARE should be enabled.

CCE-3170-8
The "Screen Saver Executable Name" setting should be configured correctly for the current user.

CCE-4500-5
The "Password protect the screen saver" setting should be configured correctly for the current user.

CCE-2867-0
Auditing of "account logon" events on success should be enabled or disabled as appropriate.

CCE-2690-6
Membership in the Backup Operators group should be assigned to the appropriate accounts.

CCE-2878-7
Auditing of "system" events on success should be enabled or disabled as appropriate.

CCE-3094-0
The "Enable User Control Over Installs" policy should be set correctly.

CCE-3018-9
The "Maximum machine account password age" policy should be set correctly.

CCE-3154-2
Domain Profile: Protect all network connections (SP2 only)

CCE-2939-7
Auditing of "process tracking" events on failure should be enabled or disabled as appropriate.

CCE-8515-9
The "Windows Firewall: Define program exceptions" policy should be configured correctly for the Domain Profile.

CCE-2723-5
The "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies" setting should be configured correctly.

CCE-2992-6
The "System cryptography: Force strong key protection for user keys stored on the computer" setting should be configured correctly.

CCE-2954-6
Standard Profile: Allow remote administration exception (SP2 only)

CCE-3006-4
The system log maximum size should be configured correctly.

CCE-7583-8
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Block (default).

CCE-8440-0
This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Countermeasure: Disable this setting to override firewall rules created locally by administrators. Potential Impact: If you conf ...

CCE-2949-6
This policy setting specifies whether Terminal Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Terminal Services, even if they already provided the password in the Remote Desktop Connecti ...

CCE-8364-2
This policy setting causes the run list, which is a list of programs that Windows runs automatically when it starts, to be ignored. The customized run lists for Windows Vista are stored in the registry at the following locations: - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ru ...

CCE-7598-6
This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member will request encryption of all secure channel traffic. If you disable this policy setting, the domain m ...

CCE-5032-8
This policy setting ignores customized run-once lists. You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system st ...

CCE-3040-3
This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system. Note that this setting will have no impact when applied to the domain controller organizational unit via group policy because domain ...

CCE-2846-4
This policy setting determines which users and groups can change the time and date on the internal clock of the computers in your environment. Users who are assigned this user right can affect the appearance of event logs. When a computer's time setting is changed, logged events reflect the new time ...

CCE-3273-0
This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality includ ...

CCE-2735-9
This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain the user's account name or parts of the user's full name that exceed two consecutive chara ...

CCE-2994-2
This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default settin ...

CCE-2920-7
This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for this policy setting is 42 days. Because attackers can crack passwords, the m ...

CCE-2923-1
Use this option to specify the path and name of the file in which Windows Firewall will write its log information. Countermeasure: Configure this policy setting to a value suitable for your organization, such as the default value of "%SYSTEMROOT%\System32\LogFiles\firewall\domainfw.log. P ...

CCE-2958-7
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state ...

CCE-2986-8
This policy setting determines the number of failed logon attempts before a lock occurs. Authorized users can lock themselves out of an account by mistyping their password or by remembering it incorrectly, or by changing their password on one computer while logged on to another computer. The compute ...

CCE-2439-8
This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days. Counte ...

CCE-2965-2
Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. Countermeasure: Configure this policy setting to "Yes" ...

CCE-8147-1
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default).

CCE-2972-8
This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. Countermeasure: Disable this setting to prevent the client from receiving unicast responses. Potential Impact: If you enable this setting and this ...

CCE-2767-2
This policy setting determines which users or processes can generate audit records in the Security log. Countermeasure: Ensure that only the Service and Network Service accounts have the Generate security audits user right assigned to them. Potential Impact: None. This is the default confi ...

CCE-2444-8
MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended) Countermeasure: Enable this setting. Potential Impact: Users will need to retype their password each time a dial-up connection is made.

CCE-2419-0
MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) Countermeasure: Configure the MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) entry ...

CCE-3090-8
Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. Countermeasure: Configure this policy setting to "Yes". Pote ...

CCE-2981-9
This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps 'pass phrase' is a better term than 'password.' In Microsoft Windows 2000 or la ...

CCE-2701-1
This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently warn users when their passwords will expire. Countermeasure: Configure the Interactive logon: Prompt user to ...

CCE-2928-0
This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, lo ...

CCE-2466-1
This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setti ...

CPE    1
cpe:/o:microsoft:windows_xp
*XCCDF
xccdf_org.secpod_benchmark_Windows_XP
OVAL    127
oval:gov.nist.usgcb.xp:def:100208
oval:gov.nist.usgcb.xp:def:6725
oval:gov.nist.usgcb.xp:def:6726
oval:gov.nist.usgcb.xp:def:6714
...

© SecPod Technologies