[Forgot Password]
Login  Register Subscribe

23631

 
 

115038

 
 

96078

 
 

909

 
 

78009

 
 

109

Paid content will be excluded from the download.


Download | Alert*


CCE-42066-1
Ensure No Auditing for 'Audit Policy: Logon-Logoff: Special Logon' This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include: - 4964 : ...

CCE-41680-0
Disable: 'Windows Firewall: Domain: Logging: Log successful connections' for LogSuccessfulConnections Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the ...

CCE-42778-1
Reset account lockout counter after This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value f ...

CCE-42525-6
Disable: 'Prevent users app data from being stored on non-system volumes' Prevent users' app data from moving to another location when an app is moved or installed on another location. If you enable this setting, all users' app data will stay on the system volume, regardless of where th ...

CCE-42480-4
Disable: 'Allows development of Windows Store apps and installing them from an integrated development environment (IDE) for AllowDevelopmentWithoutDevLicense' Allows or denies development of Windows Store applications and installing them directly from an IDE. If you enable this setting ...

CCE-43785-5
Disable: 'Allow real-time definition updates based on reports to Microsoft MAPS' This policy setting allows you to enable real-time definition updates in response to reports sent to Microsoft MAPS. If the service reports a file as an unknown and Microsoft MAPS finds that the latest definition updat ...

CCE-41582-8
'Specify the maximum log file size (KB)' (System Log) (Min:1024 Max:2147483647 kb) This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabyte ...

CCE-43992-7
Disable: 'Don't search the web or display web results in Search over metered connections' This policy setting allows you to control whether or not Search can perform queries on the web over metered connections, and if the web results are displayed in Search. If you enable this policy setting, q ...

CCE-42985-2
'Specify the day of the week to run a scheduled scan' for ScheduleDay to every_day This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. This setting can be configured with the ...

CCE-44430-7
Select the 'Let Windows apps access trusted devices' to user_is_in_control This policy setting specifies whether Windows apps can access trusted devices. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access trusted devices by u ...

CCE-43894-5
Account lockout threshold This policy setting determines the number of failed logon attempts before a lock occurs. Authorized users can lock themselves out of an account by mistyping their password or by remembering it incorrectly, or by changing their password on one computer while logged on to an ...

CCE-44027-1
Disable: 'Microsoft network server: Digitally sign communications (if client agrees)' for enablesecuritysignature This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing ...

CCE-42514-0
Audit Policy: Account Logon: Kerberos Authentication Service This subcategory reports events generated by the Kerberos Authentication Server. These events occur on the computer that is authoritative for the credentials. Events for this subcategory include: - 4768: A Kerberos authentication ticket ( ...

CCE-42887-0
Disable: 'Turn on process scanning whenever real-time protection is enabled' This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware which could start when real-time protection is turned off. If you enable or do not config ...

CCE-43567-7
Select the 'Restrict Unauthenticated RPC clients for RestrictRemoteClients' to none This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setti ...

CCE-43062-9
Ensure Audit Success for 'Audit Policy: Detailed Tracking: Process Creation' This subcategory reports the creation of a process and the name of the program or user that created it. Note: These events now get audited earlier than in previous versions of Windows. The creation of smss.exe and oth ...

CCE-43750-9
Lock pages in memory This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. If this user right is assigned, significant degradation of system performance can occur. When configuring a user right in the SCM ent ...

CCE-41593-5
Ensure No Auditing for 'Audit Policy: System: IPsec Driver' This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory include: - 4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it coul ...

CCE-42974-6
Disable: 'Network access: Do not allow storage of passwords and credentials for network authentication' for DisableDomainCreds This policy setting determines whether the Stored User Names and Passwords feature may save passwords or credentials for later use when it gains domain authentication. If y ...

CCE-41823-6
Ensure No Auditing for 'Audit Policy: Object Access: File System' This subcategory reports when file system objects are accessed. Only file system objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL. By itself, this policy setting w ...

CCE-44441-4
Disable: 'Allow employees to send Do Not Track headers for DoNotTrack' This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. Turning this setting on lets your employees send Do Not Track headers. Turning this setting off, or not ...

CCE-44452-1
Select the 'Require uppercase letters for PIN' to allow Use this policy setting to configure the use of uppercase letters in the Microsoft Passport for PIN. If you enable this policy setting, Microsoft Passport for Work requires users to include at least one uppercase letter in their PIN. I ...

CCE-43904-2
Disable: 'Specify additional definition sets for network traffic inspection' This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair, wher ...

CCE-42547-0
Disable: 'Turn off Microsoft consumer experiences' for DisableWindowsConsumerFeatures This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. If you enable this policy setting, users will no longer see personalized recommendations from ...

CCE-42854-0
Disable: 'Lsass.exe audit mode' for AuditLevel Enable auditing of Lsass.exe to evaluate feasibility of enabling LSA protection. For more information, see http://technet.microsoft.com/en-us/library/dn408187.aspx Counter Measure: Enable and configure this setting. Potential Impact: ...

CCE-42501-7
Disable: 'Support device authentication using certificate' Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. This policy setting allows you to set support for Kerbe ...

CCE-42188-3
Disable: 'MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames' for NtfsDisable8dot3NameCreation MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames Counter Measure: Configure the MSS: (NtfsDisable8dot3Nam ...

CCE-42710-4
Disable: 'Require secure RPC communication' Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allowing only authent ...

CCE-42295-6
Disable: 'Disallow Digest authentication' This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. If you enable this policy setting, the WinRM client will not use Digest authentication. If you disable or do not config ...

CCE-41486-2
Disable: 'Microsoft network server: Server SPN target name validation level' for SMBServerNameHardeningLevel This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client compu ...

CCE-43458-9
Disable: 'Network security: LDAP client signing requirements' for LDAPClientIntegrity This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests, as follows: - None. The LDAP BIND request is issued with the caller-specified opti ...

CCE-42536-3
Disable: 'Allow Cortana' on the device' This policy setting specifies whether Cortana is allowed on the device. If you enable or don't configure this setting, Cortana will be allowed on the device. If you disable this setting, Cortana will be turned off. When Cortana is off, use ...

CCE-42491-1
Specify the 'Configure log access (legacy) - Event Log Service\Security' (SDDL String) value This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. If you enab ...

CCE-43412-6
Disable: 'Process Exclusions for outbound traffic' for Nis_Consumers_IPS_Exclusions_Processes_executable_Path_and_Name This policy setting defines processes from which outbound network traffic will not be inspected. Process names should be added under the Options for this setting. Each entry must ...

CCE-43806-9
Disable: 'Don't allow SmartScreen Filter warning overrides' This setting lets you decide whether employees can override the SmartScreen Filter warnings about potentially malicious websites. Turning this setting on stops employees from ignoring the SmartScreen Filter warnings and blocks them fro ...

CCE-43772-3
Ensure Audit Success and Failure for 'Audit Policy: System: Security System Extension' This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events for this subcategory include: - 4610: An authentication package has been loaded by the ...

CCE-42438-2
Select the 'Enforce drive encryption type on removable data drives' to allow_user_to_choose This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if th ...

CCE-43545-3
Notify antivirus programs when opening attachments Antivirus programs are mandatory in many environments and provide a strong defense against attack. The Notify antivirus programs when opening attachments setting allows you to manage how registered antivirus programs are notified. When enabled, thi ...

CCE-43218-7
Specify the 'Configure time out for detections in critically failed state' (CriticalFailureTimeout in mins Min:0 Max:4294967295) This policy setting configures the time in minutes before a detection in the "critically failed" state to moves to either the "additional action" state or the "cleared" s ...

CCE-43425-8
Disable: 'Prevent installation of devices not described by other policy settings' This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy setting. If you enable this policy setting, Windows is prevented from installing, or up ...

CCE-42316-0
Disable: 'Create a system restore point' This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning. If you enable this setting, a system restore point will be created. If you disable or do not configure this setting, a system restore ...

CCE-42120-6
Disable: 'Interactive logon: Smart card removal behavior' for scremoveoption This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. Counter Measure: Configure the Smart card removal behavior setting to Lock Workstation. ...

CCE-42678-3
Select the 'Define the order of sources for downloading definition updates' to internaldefinitionupdateserver This policy setting allows you to define the order in which different definition update sources should be contacted. The value of this setting should be entered as a pipe-separated string e ...

CCE-42983-7
Disable: 'Request compound authentication' This policy setting allows you to configure a domain controller to request compound authentication. Note: For a domain controller to request compound authentication, the policy "KDC support for claims, compound authentication, and Kerberos armoring" mu ...

CCE-44169-1
'Specify the day of the week to run a scheduled full scan to complete remediation' for Scan_ScheduleDay This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation. The scan can also be configured to run every day or to ne ...

CCE-41969-7
'Specify the time to check for definition updates' (ScheduleTime in mins Min:0 Max:1440) This policy setting allows you to specify the time of day at which to check for definition updates. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equi ...

CCE-41682-6
Disable: 'User Account Control: Switch to the secure desktop when prompting for elevation' for PromptOnSecureDesktop This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: - Enabled: (Default) ...

CCE-42271-7
Turn on PowerShell Transcription This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. If you enable this policy setting, Windows PowerShell will enable transcription for Windows PowerShell, the Windows PowerShell ISE, and any ...

CCE-41505-9
Disable: 'Network Security: Restrict NTLM: Add server exceptions in this domain' for DCAllowedNTLMServers This policy setting allows you to create an exception list of servers in this domain to which clients are allowed to use NTLM pass-through authentication if the "Network Security: Restrict NTLM ...

CCE-42730-2
Disable: 'Disallow standard users from changing the PIN or password' This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first. This policy setting is applied when you turn on B ...

CCE-44221-0
Disable: 'Turn on reparse point scanning' This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there is a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scanning could be slow ...

CCE-43915-8
Disable: 'Turn on dynamic Content URI Rules for Windows store apps' This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on ...

CCE-44432-3
Select the 'Let Windows apps sync with devices' to user_is_in_control This policy setting specifies whether Windows apps can sync with devices. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can sync with devices by using Settings & ...

CCE-44443-0
Disable: 'Send all intranet sites to Internet Explorer 11' for SendIntranetTraffictoInternetExplorer This setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge. ...

CCE-42057-0
Set the time Quiet Hours ends each day This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to end each day. If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. ...

CCE-43892-9
Disable: 'Turn off the advertising ID' This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. If you enable this policy setting, the advertising ID is turned off. Apps can't use the ID for experiences across apps. If you disable or d ...

CCE-43839-0
Hide mechanisms to remove zone information This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments. Typically, users can either click the Unblock button in the file's Property sheet or select a check box in the Security Warning dia ...

CCE-42327-7
Disable: 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' for NoNameReleaseOnDemand MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Counter Measure: Configure ...

CCE-42155-2
'Set time limit for disconnected sessions' to never This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session is kept active on the server. By defa ...

CCE-41595-0
Disable: 'Configure use of hardware-based encryption for fixed data drives' for FDVHardwareEncryption This policy setting allows you to manage BitLocker's use of hardware-based encryption on fixed data drives and specify which encryption algorithms it can use with hardware-based encryption. Using h ...

CCE-41727-9
Ensure No Auditing for 'Audit Policy: Logon-Logoff: Logoff' This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place ...

CCE-43902-6
Disable: 'Configure local setting override for the time of day to run a scheduled full scan to complete remediation' This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This setting can only be set by Group Policy. ...

CCE-42545-4
'Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) for EncryptionMethodWithXtsFdv' for XTS-AES 128-bit This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you tur ...

CCE-42852-4
Disable: 'Configure Solicited Remote Assistance' for fAllowToGetHelp This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Al ...

CCE-41956-4
Disable: 'Interactive logon: Display user information when the session is locked' for DontDisplayLockedUserId This policy setting determines whether the account name of the last user to log on to the client computers in your organization can display in each computer's respective Windows logon scree ...

CCE-42144-6
Disable: 'Turn off the Store application' Denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. If you disable or do not configure this setting, access to the Store application is allowed. Counter Measure: Enable th ...

CCE-42401-0
Disable: 'Disable help tips' Disables help tips that Windows shows to the user. By default, Windows will show the user help tips until the user has successfully completed the scenarios. If this setting is enabled, Windows will not show any help tips to the user. Counter Measure: Co ...

CCE-42447-3
Configure Default consent This policy setting determines the default consent behavior of Windows Error Reporting. If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-do ...

CCE-44454-7
Require lowercase letters Use this policy setting to configure the use of lowercase letters in the Microsoft Passport for PIN. If you enable this policy setting, Microsoft Passport for Work requires users to include at least one lowercase letter in their PIN. If you disable or do not configure th ...

CCE-41529-9
Disable: 'Windows Firewall: Private: Apply local firewall rules' for AllowLocalPolicyMerge This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Counter Measure: Disable this setting ...

CCE-44049-5
Disable: 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' for EnableUIADesktopToggle This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation pr ...

CCE-43913-3
Disable: 'User Account Control: Detect application installations and prompt for elevation' for EnableInstallerDetection This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application instal ...

CCE-41836-8
Ensure No Auditing for 'Audit Policy: Logon-Logoff: Other Logon/Logoff Events' This subcategory reports other logon/logoff-related events, such as Terminal Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. E ...

CCE-41605-7
Create global objects This policy setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right Users who can create global objects could affect processes that ...

CCE-44136-0
Profile single process This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if Syst ...

CCE-43414-2
Disable: 'Turn on catch-up full scan' This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the ...

CCE-42863-1
'Specify the scan type to use for a scheduled scan' for ScanParameters to quick_scan This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type options are: 1 = Quick Scan (default) 2 = Full Scan If you enable this setting, the scan type will be se ...

CCE-42133-9
Restore files and directories This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories on computers that run Windows Vista in your environment. This user right also determines which users ...

CCE-42996-9
Disable: 'Turn off heap termination on corruption' Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. Counter Measure: Disable this setting de ...

CCE-42621-3
Deny access to this computer from the network This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In high security environments, there should be no need for remote users to access data on ...

CCE-43086-8
Disable: 'Allow remote access to the Plug and Play interface' This policy setting allows you to allow or deny remote access to the Plug and Play interface. If you enable this policy setting, remote connections to the Plug and Play interface are allowed. If you disable or do not c ...

CCE-43184-1
Disable: 'Microsoft network server: Disconnect clients when logon hours expire' for enableforcedlogoff This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. It affects the SMB component. If you enable this ...

CCE-42950-6
Ensure No Auditing for 'Audit Policy: DS Access: Directory Service Access' This subcategory reports when an AD DS object is accessed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. These events are similar to the dire ...

CCE-42436-6
Disable: 'Windows Firewall: Public: Apply local connection security rules' for AllowLocalIPsecPolicyMerge This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. Counter Me ...

CCE-43841-6
Disable: 'System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies' for AuthenticodeEnabled This policy setting determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software ...

CCE-42582-7
Disable: 'Turn off KMS Client Online AVS Validation' This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. If you disable or do not co ...

CCE-41782-4
Disable: 'Allow Standby States (S1-S3) When Sleeping (On Battery)' Dictates whether or not Windows is allowed to use standby states when sleeping the computer. When this policy is enabled, Windows may use standby states to sleep the computer. If this policy is disabled, the only sleep st ...

CCE-44167-5
Specify the 'Configure WPP tracing level' (min:0 max:4294967295) This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). Tracing levels are defined as: 1 - Error 2 - Warning 3 - Info 4 - Debug Counter Measure: ...

CCE-42160-2
Specify the 'Network access: Remotely accessible registry paths and sub-paths' for Machine This policy setting determines which registry paths and sub-paths will be accessible when an application or process references the WinReg key to determine access permissions. Note: In Windows XP this sett ...

CCE-43114-8
Select the 'Configure Windows SmartScreen' for EnableSmartScreen to turn_off_smartscreen This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some in ...

CCE-41838-4
Disable: 'Interactive logon: Require smart card' for scforceoption Microsoft recommends that you use this setting, if appropriate to your environment and your organization's business requirements, to help protect end user computers. This policy setting requires users to log on to a computer with a ...

CCE-43996-8
Disable: 'Scan removable drives' This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. If you enable this setting, removable drives will be scanned dur ...

CCE-44419-0
Disable: 'Enable insecure guest logons' This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons. If you disable this ...

CCE-43321-9
Disable: 'Deny write access to fixed drives not protected by BitLocker' This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, all f ...

CCE-41718-8
Disable: 'Turn off Event Viewer 'Events.asp' links' Specifies whether "Events.asp" hyperlinks are available for events within the Event Viewer application. The Event Viewer normally makes all HTTP(S) URLs into hot links that activate the Internet browser when clicked. In addition, "More Informa ...

CCE-42869-8
'Specify the interval to check for definition updates' (SignatureUpdateInterval Min:0 Max:24) This policy setting allows you to specify an interval at which to check for definition updates. The time value is represented as the number of hours between update checks. Valid values range from 1 (every ...

CCE-43247-6
Do not show recent apps when the mouse is pointing to the upper-left corner of the screen This policy setting allows you to prevent the last app and the list of recent apps from appearing when the mouse is pointing to the upper-left corner of the screen. If you enable this policy setting, the user ...

CCE-43898-6
Disable: 'Network security: Allow LocalSystem NULL session fallback' Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7. Counter Measure: Configure Network security: Allow LocalSystem NULL session fallback ...

CCE-41597-6
Disable: 'Network security: Allow Local System to use computer identity for NTLM' for UseMachineId When enabled, this policy setting causes Local System services that use Negotiate to use the computer identity when NTLM authentication is selected by the negotiation. This policy is supported on ...

CCE-43754-1
Disable: 'Turn on network protection against exploits of known vulnerabilities' This policy setting allows you to configure network protection against exploits of known vulnerabilities. If you enable or do not configure this setting, the network protection will be enabled. If you disable th ...

CCE-41729-5
Disable: 'Windows Firewall: Private: Outbound connections' for DefaultOutboundAction This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. ...

CCE-42340-0
'Specify the maximum log file size (KB)' (Security Log) This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in ...

CCE-42812-8
Disable: 'Audit: Audit the use of Backup and Restore privilege' for fullprivilegeauditing This policy setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use setting is in effect. If you enable both policies, an audit event will ...

CCE-43863-0
Password protect the screen saver If the Password protect the screen saver setting is enabled, then all screen savers are password protected, if it is disabled then password protection cannot be set on any screen saver. Counter Measure: Configure this policy setting to Enabled so that when ...

CCE-42858-1
Disable: 'User Account Control: Virtualize file and registry write failures to per-user locations' This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and w ...

CCE-42505-8
Specify the 'Configure log access (legacy) - Event Log Service\Setup (SDDL String)' value This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log i ...

CCE-42703-9
Change the time zone This setting determines which users can change the time zone of the computer. This ability holds no great danger for the computer and may be useful for mobile workers. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either loc ...

CCE-41607-3
Disable: 'Choose how BitLocker-protected removable drives can be recovered' for RDVRecovery This policy setting allows you to control how BitLocker-protected removable data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. ...

CCE-42253-5
Disable: 'Microsoft network client: Digitally sign communications (if server agrees)' This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. The implementation of digital signing in Windows-based networks helps to prevent sessions from being hijacked. If ...

CCE-41660-2
Disable: 'Allow Secure Boot for integrity validation' This policy setting allows you to configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives. Secure Boot ensures that the PC's pre-boot environment only loads firmware that is digi ...

CCE-44047-9
Automatically send memory dumps for OS-generated error reports This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other tha ...

CCE-42075-2
Disable: 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' for ScreenSaverGracePeriod MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Counter Measure: Configure the ...

CCE-42264-2
Disable: 'Network access: Sharing and security model for local accounts' for ForceGuest This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of ...

CCE-43080-1
Select the 'Require use of specific security layer for remote (RDP) connections' to rdp Specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. If you enable this set ...

CCE-42495-2
Specify the 'Name of administrator account to manage' Administrator account name: name of the local account you want to manage password for. DO NOT configure when you use built-in admin account. Built-in admin account is auto-detected by well-known SID, even when renamed DO configure wh ...

CCE-42362-4
Disable: 'Devices: Prevent users from installing printer drivers' for AddPrinterDrivers It is feasible for a attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your comp ...

CCE-43454-8
Enable computer and user accounts to be trusted for delegation This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. Abuse of this privilege could allow unauthorized users to impersonate other users on the network. When configuring ...

CCE-41901-0
Disable: 'Require additional authentication at startup' for UseAdvancedStartup This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This pol ...

CCE-43269-0
Disable: 'Allow users to pause scan' This policy setting allows you to manage whether or not end users can pause a scan in progress. If you enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan. If you disable this ...

CCE-44361-4
Specify the 'Microsoft network server: Amount of idle time required before suspending session' (Mins) This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this poli ...

CCE-44406-7
Disable: 'Display notifications to clients when they need to perform actions' This policy setting allows you to configure whether or not to display notifications to clients when they need to perform the following actions: Run a full scan Download the latest virus and spyware definitions ...

CCE-43027-2
Disable: 'Windows Firewall: Domain: Outbound connections' for DefaultOutboundAction This setting determines the behavior for outbound connections that do not match an outbound firewall rule. In Windows Vista, the default behavior is to allow connections unless there are firewall rules that block th ...

CCE-42109-9
Specify the 'Server Authentication Certificate Template' value This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. A certificate is needed to authenticate an RD Sess ...

CCE-43125-4
Disable: 'Scan packed executables' This policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled. If you enable or do not configure this setting, packed executables will be scanned. If you disable this setting, pack ...

CCE-41475-5
Disable: 'Recovery console: Allow automatic administrative logon' for securitylevel The recovery console is a command-line environment that is used to recover from system problems. If you enable this policy setting, the administrator account is automatically logged on to the recovery console when i ...

CCE-43214-6
Disable: 'Configure local setting override for maximum percentage of CPU utilization' This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can only be set by Group Policy. If you enable this setting, the local p ...

CCE-42527-2
Disable: 'Allow search and Cortana to use location' This policy setting specifies whether search and Cortana can provide location aware search and Cortana results. If this is enabled, search and Cortana can access location information. Counter Measure: Configure this setting depen ...

CCE-43994-3
Disable: 'Configure local setting override for turn on behavior monitoring' This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority ove ...

CCE-44165-9
Specify the 'Turn on removal of items from scan history folder' for PurgeItemsAfterDelay (Days Min:0 Max:4294967295) This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items ...

CCE-42987-8
Disable: 'Windows Firewall: Private: Allow unicast response' for DisableUnicastResponsesToMulticastBroadcast This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. Counter Measure: Disable this setting ...

CCE-43018-1
Disable: 'Windows Firewall: Private: Inbound connections' for DefaultInboundAction This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Coun ...

CCE-44330-9
Ensure No Auditing for 'Audit Policy: Object Access: Handle Manipulation' This subcategory reports when a handle to an object is opened or closed. Only objects with SACLs cause these events to be generated, and only if the attempted handle operation matches the SACL. Handle Manipulation events are ...

CCE-43787-1
Specify the 'Process Exclusions' (executable names) This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added un ...

CCE-44263-2
Disable: 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' This policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box. This policy setting works in conjunction with the following Do ...

CCE-44298-8
Increase a process working set This privilege determines which user accounts can increase or decrease the size of a process's working set. The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an a ...

CCE-42889-6
Disable: 'Force automatic setup for all users' This policy setting specifies whether Work Folders should be set up automatically for all users of the affected computer. If you enable this policy setting, Work Folders will be set up automatically for all users of the affected computer. This prev ...

CCE-43663-4
Disable: 'Point and Print Restrictions' for Restricted This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain ...

CCE-43896-0
Disable: 'Specify threats upon which default action should not be taken when detected' for Threats_ThreatIdDefaultAction This policy setting customize which remediation action will be taken for each listed Threat ID when it is detected during a scan. Threats should be added under the Options for th ...

CCE-43850-7
Disable: 'Specify threat alert levels at which default action should not be taken when detected' This policy setting allows you to customize which automatic remediation action will be taken for each threat alert level.Threat alert levels should be added under the Options for this setting. Each entr ...

CCE-41795-6
Specify the 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' value MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Counter Measure: Configure the MSS: (WarningLe ...

CCE-43249-2
Create a token object This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can ...

CCE-41562-0
Disable: 'Recovery console: Allow floppy copy and access to all drives and all folders' for setcommand This policy setting makes the Recovery Console SET command available, which allows you to set the following recovery console environment variables: - AllowWildCards. Enables wildcard support f ...

CCE-43752-5
Disable: 'Configure local setting override for schedule scan day' This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Pol ...

CCE-42930-8
Ensure No Auditing for 'Audit Policy: Account Management: Application Group Management' This subcategory reports each event of application group management on a computer, such as when an application group is created, changed, or deleted or when a member is added to or removed from an application gr ...

CCE-43105-6
Disable: 'Network access: Restrict anonymous access to Named Pipes and Shares' for restrictnullsessaccess When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access ...

CCE-42601-5
Ensure No Auditing for 'Audit Policy: Logon-Logoff: Account Lockout' This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include: - 4625: An account failed to log on. Refer to the Microsoft Knowledgebase ar ...

CCE-41651-1
Disable: 'Windows Firewall: Domain: Allow unicast response' This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. Counter Measure: Disable this setting to prevent the client from receiving unicast resp ...

CCE-43861-4
Show the Apps view automatically when the user goes to Start This policy setting allows the Apps view to be opened by default when the user goes to Start. If you enable this policy setting, the Apps view will appear whenever the user goes to Start. Users will still be able to switch between the A ...

CCE-44450-5
Select the 'Require lowercase letters' for LowercaseLetters to allow Use this policy setting to configure the use of lowercase letters in the Microsoft Passport for PIN. If you enable this policy setting, Microsoft Passport for Work requires users to include at least one lowercase letter in the ...

CCE-41707-1
Disable: 'Allow Basic authentication for Windows Remote Management (WinRM) service' This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. If you enable this policy setting, the WinRM service will accept ...

CCE-42856-5
Disable: 'Domain member: Disable machine account password changes' for disablepasswordchange This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its compute ...

CCE-43236-9
Disable: 'Windows Firewall: Domain: Firewall state' for EnableFirewall Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rul ...

CCE-42503-3
Disable: 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' This policy setting controls whether Windows Store apps with Windows Runtime API access directly from web content can be launched. If you enable this policy setting, Windows Store apps wit ...

CCE-42395-4
Disable: 'Turn off downloading of print drivers over HTTP' This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over H ...

CCE-41551-3
'Specify the search server for device driver updates' for DriverServerSelection to search_windows_update This policy setting allows you to specify the search server that Windows uses to find updates for device drivers. If you enable this policy setting, you can select whether Windows searches W ...

CCE-42549-6
Disable: 'Turn off Automatic Download and Update of Map Data' Enables or disables the automatic download and update of map data. If you enable this setting the automatic download and update of map data is turned off. If you disable this setting the automatic download and update of map data ...

CCE-42186-7
Disable: 'Register domain joined computers as devices' This setting lets you configure how domain joined computers become registered as devices. When you enable this setting, domain joined computers automatically and silently get registered as devices with Azure Active Directory. Note: Addi ...

CCE-42538-9
Disable: 'Turn off Auto Exclusions' Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off. Counter Measure: Configure this setting depending on your organization's requirements. Potential Impact: Automatic exclusions are delivered ...

CCE-44287-1
Disable: 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' for ProtectionMode This policy setting determines the strength of the default discretionary access control list (DACL) for objects. The setting helps secure objects that can be located and sha ...

CCE-43917-4
Access Credential Manager as a trusted caller This security setting is used by Credential Manager during Backup and Restore. No accounts should have this user right, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this user right is assigned to other entities. ...

CCE-42821-9
Maximum PIN length Maximum PIN length configures the maximum number of characters allowed for the work PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or ...

CCE-42867-2
Disable: 'No auto-restart with logged on users for scheduled automatic updates installations' This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. If you enable the No auto-resta ...

CCE-41771-7
Increase scheduling priority This policy setting determines whether users can increase the base priority class of a process. (It is not a privileged operation to increase relative priority within a priority class.) This user right is not required by administrative tools that are supplied with the o ...

CCE-43456-3
Disable: 'Enable RPC Endpoint Mapper Client Authentication' This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service p ...

CCE-43808-5
Disable: 'Turn off Developer Tools' for AllowDeveloperTools This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. Turning this setting on, or not configuring it, lets employees use F12 Developer Tools. Turning this setting off stops employees from usi ...

CCE-43543-8
Disable: 'Disallow WinRM from storing RunAs credentials' This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. If you enable this policy setting, the WinRM service will not allow the RunAsUs ...

CCE-42954-8
Disable: 'Turn off Windows Update device driver searching' for DontSearchWindowsUpdate This policy setting specifies whether Windows will search Windows Update for device drivers when no local drivers for a device are present. Note See also Turn off Windows Update device driver search prompt ...

CCE-42493-7
Disable: 'Allow input personalization' This policy enables the automatic learning component of input personalization that includes speech, inking, and typing. Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar info ...

CCE-43410-0
Disable: 'Check for the latest virus and spyware definitions before running a scheduled scan' This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan. This setting applies to scheduled scans as well as the command line "mp ...

CCE-44045-3
Disable: 'Start the scheduled scan only when computer is on but not in use' This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use. If you enable or do not configure this setting, scheduled scans will only run when the computer is on bu ...

CCE-44230-1
Disable: 'Windows Firewall: Private: Logging: Log successful connections' Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. ...

CCE-42262-6
Do not preserve zone information in file attachments This policy setting allows you to manage whether Windows marks file attachments from Internet Explorer or Microsoft Outlook Express with information about their zone of origin (such as restricted, Internet, intranet, or local). This policy settin ...

CCE-42031-5
Ensure No Auditing for 'Audit Policy: Account Management: Computer Account Management' This subcategory reports each event of computer account management, such as when a computer account is created, changed, deleted, renamed, disabled, or enabled. Events for this subcategory include: - 4741: A ...

CCE-44284-8
Shut down the system This policy setting determines which users who are logged on locally to the computers in your environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition. When configuring a user right in the ...

CCE-44186-5
Allow log on locally This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the client computer keyboard require this user right. Users who attempt to log on through Terminal Servic ...

CCE-41763-4
Disable: 'System cryptography: Force strong key protection for user keys stored on the computer' for ForceKeyProtection This policy setting determines whether users' private keys (such as their S-MIME keys) require a password to be used. If you configure this policy setting so that users must provi ...

CCE-42586-8
Disable: 'MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)' MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) Counter Measure: Enable and configure this setting. Potential Impact: TCP/IP traffic could be inaccurately detected as a ...

CCE-43615-4
Log on as a batch job This policy setting allows accounts to log on using the task scheduler service. Because the task scheduler is often used for administrative purposes, it may be needed in enterprise environments. However, its use should be restricted in high security environments to prevent mis ...

CCE-42695-7
Disable: 'MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)' for Hidden MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) Counter Measure: Do not configure the MSS: (Hidden) Hide C ...

CCE-44438-0
'Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507])' to AES 128-bit This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting ...

CCE-43517-2
Disable: 'Network access: Do not allow anonymous enumeration of SAM accounts' for RestrictAnonymousSAM This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections ca ...

CCE-43419-1
Disable: 'Prohibit connection to non-domain networks when connected to domain authenticated network' for fBlockNonDomain This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. If this policy setting is enabled ...

CCE-42575-1
Disable: 'Honor cipher suite order' This policy setting determines how the SMB server selects a cipher suite when negotiating a new connection with an SMB client. If you enable this policy setting, the SMB server will select the cipher suite it most prefers from the list of client-supported cip ...

CCE-43833-3
Set the 'Allow Telemetry' to Security This policy setting determines the amount of diagnostic and usage data reported to Microsoft. A value of 0 indicates that no telemetry data from OS components is sent to Microsoft. Setting a value of 0 is applicable to enterprise and server devices only. Settin ...

CCE-42344-2
Disable: 'Windows Firewall: Public: Display a notification' for DisableNotifications Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note When the Apply local firewall rules sett ...

CCE-42070-3
Disable: 'Configure TPM platform validation profile for BIOS-based firmware configurations' for Enabled This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the comp ...

CCE-43472-0
Disable: 'Control Event Log behavior when the log file reaches its maximum size' for Retention This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the ...

CCE-44449-7
Select the 'Require digits for PIN' to allow Use this policy setting to configure the use of digits in the Microsoft Passport for PIN. If you enable or do not configure this policy setting, Microsoft Passport for Work requires users to include at least one uppercase letter in their PIN. If ...

CCE-41676-8
Disable: 'Require a Password When a Computer Wakes (Plugged In)' Specifies whether or not the user is prompted for a password when the system resumes from sleep. Counter Measure: Configure Require a Password When a Computer Wakes (Plugged In) to Enabled. Potential Impact: If you e ...

CCE-43966-1
Disable: 'Run full scan on mapped network drives' This policy setting allows you to configure scanning mapped network drives. If you enable this setting, mapped network drives will be scanned. If you disable or do not configure this setting, mapped network drives will not be scanned. C ...

CCE-44042-0
Disable: 'Configure local setting override for the scan type to use for a scheduled scan' This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Group Policy. If you enable this setting, the local p ...

CCE-44273-1
Prevent Codec Download This policy setting allows you to prevent Windows Media Player from downloading codecs. If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player t ...

CCE-42562-9
Disable: 'Windows Firewall: Public: Allow unicast response' This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. Counter Measure: Disable this setting to prevent the client from receiving unicast resp ...

CCE-42771-6
Disable: 'Turn on e-mail scanning' This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are curr ...

CCE-41785-7
'Choose default folder for recovery password (DefaultRecoveryFolderPath)' This policy setting allows you to specify the default path that is displayed when the BitLocker Drive Encryption setup wizard prompts the user to enter the location of a folder in which to save the recovery password. This pol ...

CCE-43844-0
Specify the 'Interactive logon: Machine inactivity limit' value (timeout in seconds 15-900) Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. Counter Measure: Configure this p ...

CCE-44164-2
'Specify the maximum depth to scan archive files' (ArchiveMaxDepth Min:0 Max:4294967295) This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0. If you enabl ...

CCE-43276-5
Disable: 'Audit: Audit the access of global system objects' for AuditBaseObjects This policy setting creates a default system access control list (SACL) for system objects such as mutexes (mutual exclusive), events, semaphores, and MS-DOS devices, and causes access to these system objects to be aud ...

CCE-42006-7
Disable: 'Allow deployment operations in special profiles' This policy setting allows you to manage the deployment operations of app packages when the user is logged in under special profiles. Deployment operation refers to adding, registering, staging, updating or removing an app package. ...

CCE-43034-8
Disable: 'Require user authentication for remote connections by using Network Level Authentication' This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhanc ...

CCE-43700-4
Disable: 'Always prompt for password upon connection' This policy setting specifies whether Terminal Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Terminal Services, even if they alrea ...

CCE-43953-9
Disable: 'Network access: Shares that can be accessed anonymously' for NullSessionShares This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they ...

CCE-41641-2
Ensure No Auditing for 'Audit Policy: Logon-Logoff: IPsec Main Mode' This subcategory reports the results of Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. Events for this subcategory include: - 4646: IKE DoS-prevention mode star ...

CCE-42139-6
Disable: 'Prevent memory overwrite on restart' This policy setting controls computer restart performance at the risk of exposing BitLocker secrets. This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material used to encrypt data. This policy setting applies onl ...

CCE-42551-2
Disable: 'Don't allow WebRTC to share the LocalHost IP address' This setting lets you decide whether an employee's LocalHost IP address shows while making phone calls using the WebRTC protocol. Turning this setting on hides an employee's LocalHost IP address while making phone calls using WebRT ...

CCE-44380-4
Disable: 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choice in the Shut Down Windows dialog. Note that this policy setting h ...

CCE-41750-1
Disable: 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' for TcpMaxDataRetransmissions MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) Counter Measure: Co ...

CCE-43628-7
Disable: 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' for RestrictAnonymous This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate do ...

CCE-43496-9
Disable: 'Prevent installation of devices using drivers that match these device setup classes' for DenyDeviceClasses This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy s ...

CCE-42914-2
Disable: 'Windows Firewall: Private: Firewall state' for EnableFirewall Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall ru ...

CCE-44425-7
Select the 'Let Windows apps access messaging' to user_is_in_control This policy setting specifies whether Windows apps can read or send messages (text or MMS). If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can read or send message ...

CCE-42836-7
Enable screen saver This policy setting allows you to manage whether or not screen savers run. If the Screen Saver setting is disabled screen savers do not run and the screen saver section of the Screen Saver tab in Display in Control Panel is disabled. If this setting is enabled a screen saver wil ...

CCE-41972-1
'Specify the maximum log file size (KB) (Application Log)' for MaxSize (Min:1024 Max:2147483647 kb) This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobyte ...

CCE-43463-9
Set the 'Boot-Start Driver Initialization Policy' to good_only This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the foll ...

CCE-41874-9
Disable: 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' for DisableIPSourceRouting MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Counter Measure: Configure the MSS: (Disab ...

CCE-42486-1
Specify the 'Define the number of days after which a catch-up scan is forced' (Number of scans Min:2 Max:20) This policy setting allows you to define the number of consecutive scheduled scans that can be missed after which a catch-up scan will be forced. By default, the value of this setting is 2 c ...

CCE-42847-4
Force shutdown from a remote system This policy setting allows users to shut down Windows Vista-based computers from remote locations on the network. Anyone who has been assigned this user right can cause a denial of service (DoS) condition, which would make the computer unavailable to service user ...

CCE-43831-7
Specify the 'Assign a default credential provider(Enter the CLSID of a credential provider)' This policy setting allows the administrator to assign a specified credential provider as the default credential provider. If you enable this policy setting, the specified credential provider is selecte ...

CCE-42117-2
Disable: 'Network Security: Restrict NTLM: Audit Incoming NTLM Traffic' for AuditReceivingNTLMTraffic This policy setting allows you to audit incoming NTLM traffic. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Audit events are recorded on this computer in ...

CCE-44173-3
Disable: 'Scan all downloaded files and attachments' This policy setting allows you to configure scanning for all downloaded files and attachments. If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. If you disable this setting, ...

CCE-43606-3
Disable: 'Allow all trusted apps to install' This policy setting allows you to manage the installation of app packages that do not originate from the Windows Store. If you enable this policy setting, you can install any trusted app package. A trusted app package is one that is signed with a cer ...

CCE-41730-3
Ensure No Auditing for 'Audit Policy: Privilege Use: Non Sensitive Privilege Use' This subcategory reports when a user account or service uses a non-sensitive privilege. A non-sensitive privilege includes the following user rights: Access Credential Manager as a trusted caller, Access this compute ...

CCE-42170-1
Network security: Force logoff when logon hours expire This policy setting, which determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours, affects the SMB component. If you enable this policy setting, client sessions with the SMB ...

CCE-43964-6
Disable: 'Prevent enabling lock screen camera' Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. If you enable this setting, users will ...

CCE-42019-0
Ensure No Auditing for 'Audit Policy: Logon-Logoff: IPsec Extended Mode' This subcategory reports the results of AuthIP during Extended Mode negotiations. Events for this subcategory include: - 4978: During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem ...

CCE-43779-8
Prevent users from replacing the Command Prompt with Windows PowerShell in the menu they see when they right-click the lower-left corner or press the Windows logo key+X This policy setting allows you to prevent users from replacing the Command Prompt with Windows PowerShell in the menu they see whe ...

CCE-44040-4
Disable: 'Don't search the web or display web results in Search' This policy setting allows you to control whether or not Search can perform queries on the web, and if the web results are displayed in Search. If you enable this policy setting, queries won't be performed on the web and web resul ...

CCE-43842-4
Disable: 'Turn on raw volume write notifications' This policy setting controls whether raw volume write notifications are sent to behavior monitoring. If you enable or do not configure this setting, raw write notifications will be enabled. If you disable this setting, raw write notification ...

CCE-44053-7
Specify the 'Define proxy server for connecting to the network for ProxyServer' (Proxyserver name) This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for definition updates and MAPS reporting. If the named proxy fails o ...

CCE-44162-6
Select the 'Configure monitoring for incoming and outgoing file and program activity' value This policy setting allows you to configure monitoring for incoming and outgoing files, without having to turn off monitoring entirely. It is recommended for use on servers where there is a lot of incoming a ...

CCE-41787-3
Disable: 'Accounts: Limit local account use of blank passwords to console logon only' This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local account ...

CCE-44305-1
Disable: 'Interactive logon: Require Domain Controller authentication to unlock workstation' for ForceUnlockLogon Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting determines ...

CCE-41994-5
Turn on PowerShell Script Block Logging This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - wh ...

CCE-42399-6
Ensure No Auditing for 'Audit Policy: System: Other System Events' This subcategory reports on other system events. Events for this subcategory include: - 5024 : The Windows Firewall Service has started successfully. - 5025 : The Windows Firewall Service has been stopped. - 5027 : The ...

CCE-43744-2
Disable: 'User Account Control: Only elevate executables that are signed and validated' for ValidateAdminCodeSignatures This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can c ...

CCE-43389-6
Disable: 'Turn off the Windows Messenger Customer Experience Improvement Program' This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Counter Measure: Enable this policy setting to ensure th ...

CCE-42780-7
Specify the 'Define the number of days after which a catch-up definition update is required' (Update Cathup Interval Days: Min:0 Max: 4294967295) This policy setting allows you to define the number of days after which a catch-up definition update will be required. By default, the value of this sett ...

CCE-42901-9
Ensure No Auditing for 'Audit Policy: Account Logon: Other Account Logon Events' This subcategory reports the events that occur in response to credentials submitted for a user account logon request that do not relate to credential validation or Kerberos tickets. These events occur on the computer t ...

CCE-43221-1
Turn off the Store application Denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. If you disable or do not configure this setting, access to the Store application is allowed. Counter Measure: Configure this setting dep ...

CCE-43452-2
Disable: 'Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers' for RestrictSendingNTLMTraffic This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. This policy is suppo ...

CCE-41654-5
Disable: 'Windows Firewall: Public: Apply local firewall rules' for AllowLocalPolicyMerge This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Counter Measure: Disable this setting ...

CCE-43619-6
Disable: 'Enumerate administrator accounts on elevation' By default, all administrator accounts are displayed when you attempt to elevate a running application. Counter Measure: Enable this policy. Potential Impact: If you enable this policy setting, all local administrator accoun ...

CCE-44295-4
Modify firmware environment values This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration. Modification of these values and could lead to a hardware failure tha ...

CCE-42220-4
Disable: 'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.' for NoDefaultExempt MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic. Counter Measure: Do not configure the MSS: (NoDefaultExempt) Enable NoDefaultExempt ...

CCE-44427-3
Select the 'Let Windows apps access the calendar' to user_is_in_control This policy setting specifies whether Windows apps can access the calendar. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the calendar by using Sett ...

CCE-44064-4
Disable: 'Do not allow local administrators to customize permissions' for fWritableTSCCPermTab Specifies whether to disable the administrator rights to customize security permissions in the Remote Desktop Session Host Configuration tool. You can use this setting to prevent administrators from m ...

CCE-43755-8
Specify the 'Define the number of days before spyware definitions are considered out of date' (Days Min:0 Max:4294967295) This policy setting allows you to define the number of days that must pass before spyware definitions are considered out of date. If definitions are determined to be out of date ...

CCE-42024-0
Disable: 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' for PerformRouterDiscovery MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Counter Measure: Configure the ...

CCE-41974-7
Manage auditing and security log This policy setting determines which users can change the auditing options for files and directories and clear the Security log. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Dir ...

CCE-42544-7
Disable: 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' This policy setting determines whether users can enable the following WLAN settings: "Connect to suggested open hotspots," "Connect to networks shared ...

CCE-43657-6
Disable: 'Network security: Do not store LAN Manager hash value on next password change' for NoLMHash This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to th ...

CCE-43826-7
Disable: 'Turn off the 'Publish to Web' task for files and folders' for NoPublishingWizard This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows fold ...

CCE-43781-4
Disable: 'Do not sync start settings' for DisableStartLayoutSettingSync Prevent the "Start layout" group from syncing to and from this PC. This turns off and disables the "Start layout" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "Start ...

CCE-43250-0
Disable: 'Restrict delegation of credentials to remote servers' When running in restricted mode, participating apps do not expose credentials to remote computers (regardless of the delegation method). Restricted mode may limit access to resources located on other servers or networks beyond the targ ...

CCE-44434-9
Force Start to be either full screen size or menu size If you enable this policy and set it to Start menu or full screen Start, Start will be that size and users will be unable to change the size of Start in Settings. If you disable or don't configure this policy setting, Windows will automaticall ...

CCE-41623-0
Select the 'Enforce drive encryption type on fixed data drives' for FDVEncryptionType to allow_user_to_choose This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type h ...

CCE-41830-1
Specify the 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' for FDVDiscoveryVolumeType This policy setting configures whether or not fixed data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Win ...

CCE-43935-6
Disable: 'Monitor file and program activity on your computer' This policy setting allows you to configure monitoring for file and program activity. If you enable or do not configure this setting, monitoring for file and program activity will be enabled. If you disable this setting, monitori ...

CCE-42533-0
Specify the 'Minimum PIN length' (MinimumPINLength Min:4 Max:127) Minimum PIN length configures the minimum number of characters required for the work PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configure ...

CCE-42579-3
Disable: 'Enable local admin password management' Enables management of password for local administrator account If you enable this setting, local administrator password is managed If you disable or not configure this setting, local administrator password is NOT managed Counter Measure ...

CCE-42860-7
Specify the 'Configure time out for detections in non-critical failed state' (NonCriticalTimeout Min:0 Max:4294967295 in Mins) This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared" state. Counter Measure: Configure ...

CCE-44171-7
Disable: 'Turn off printing over HTTP' This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. Counter Measure: Enable this setting to prevent users from submitting p ...

CCE-43837-4
Remove the Security and Maintenance icon This policy setting allows you to remove Security and Maintenance from the system control area. If you enable this policy setting, the Security and Maintenance icon is not displayed in the system notification area. If you disable or do not configure this p ...

CCE-43043-9
Disable: 'Allow network unlock at startup' This policy setting controls whether a BitLocker-protected computer that is connected to a trusted wired Local Area Network (LAN) and joined to a domain can create and use Network Key Protectors on TPM-enabled computers to automatically unlock the operatin ...

CCE-42993-6
Disable: 'Configure Group Policy Caching' for EnableLogonOptimization This policy setting allows you to configure Group Policy caching behavior. If you enable or do not configure this policy setting, Group Policy caches policy information after every background processing session. T ...

CCE-44445-5
Disable: 'Turn off Pop-up Blocker' This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. Turning this setting on, or not configuring it, turns on the Pop-up Blocker, which stops pop-ups from appearing. Turning this settin ...

CCE-42435-8
Ensure No Auditing for 'Audit Policy: Policy Change: MPSSVC Rule-Level Policy Change' This subcategory reports changes in policy rules used by the Microsoft Protection Service (MPSSVC.exe). This service is used by Windows Firewall and by Microsoft OneCare. Events for this subcategory include: - ...

CCE-44160-0
Disable: 'Prevent the usage of OneDrive for file storage' This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: * Users can't access OneDrive from the OneDrive app and file picker. * Windows Store apps can't access ...

CCE-43428-2
Deny log on as a batch job This policy setting determines which accounts will not be able to log on to the computer as a batch job. A batch job is not a batch (.bat) file, but rather a batch-queue facility. Accounts that use the Task Scheduler to schedule jobs need this user right. The Deny log on ...

CCE-43219-5
Disable: 'Randomize scheduled task times' This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled definition update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest vir ...

CCE-42775-7
Disable: 'Always install with elevated privileges' Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (of ...

CCE-43848-1
Select the 'Turn off Autoplay' for NoDriveTypeAutoRun to cd-rom_and_removable_media_drives Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a prog ...

CCE-42100-8
Disable: 'Windows Firewall: Domain: Inbound connections' for DefaultInboundAction This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Count ...

CCE-43802-8
Disable: 'Disable installing Windows apps on non-system volumes' This policy setting allows you to manage installing Windows apps on additional volumes such as secondary partitions, USB drives, or SD cards. If you enable this setting, you can't move or install Windows apps on volumes th ...

CCE-42313-7
Disable: 'Turn off Search Companion content file updates' This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. Counter Measure: Configure this policy setting to Enabled to prevent Search Companion from down ...

CCE-43272-4
Disable: 'Allow definition updates from Microsoft Update' This policy setting allows you to enable download of definition updates from Microsoft Update even if the Automatic Updates default server is configured to another download source such as Windows Update. If you enable this setting, defin ...

CCE-42631-2
Disable: 'Windows Firewall: Domain: Apply local firewall rules' for AllowLocalPolicyMerge This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Counter Measure: Disable this setting ...

CCE-43481-1
Specify the 'Define addresses to bypass proxy server' value (Proxy Server Address) This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL. If you enable this ...

CCE-42048-9
Disable: 'Windows Firewall: Private: Logging: Log dropped packets' for LogDroppedPackets Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the act ...

CCE-44410-9
Disable: 'Do not allow passwords to be saved' This policy setting helps prevent Terminal Services clients from saving passwords on a computer. Note If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Termi ...

CCE-42677-5
Disable: 'Check for the latest virus and spyware definitions on startup' This policy setting allows you to manage whether a check for new virus and spyware definitions will occur immediately after service startup. If you enable this setting, a check for new definitions will occur after service ...

CCE-44456-2
Require uppercase letters Use this policy setting to configure the use of uppercase letters in the Microsoft Passport for PIN. If you enable this policy setting, Microsoft Passport for Work requires users to include at least one uppercase letter in their PIN. If you disable or do not configure th ...

CCE-43704-6
Ensure No Auditing for 'Audit Policy: Detailed Tracking: Process Termination' This subcategory reports when a process terminates. Events for this subcategory include: - 4689: A process has exited. Refer to the Microsoft Knowledgebase article 'Description of security events in Windows Vista ...

CCE-44051-1
Disable: 'Threat ID Exclusions' This policy setting defines threats which will be excluded from detection during network traffic inspection. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation o ...

CCE-42555-3
Expiration This setting specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The PIN can be set to expire after any number of days between 1 and 730, or PINs can be set to never expire if the policy is set to 0. Default: 0. Counter Me ...

CCE-41527-3
Disable: 'Windows Firewall: Private: Display a notification' for DisableNotifications Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note When the Apply local firewall rules set ...

CCE-42884-7
Disable: 'Microsoft network server: Digitally sign communications (always)' for requiresecuritysignature This policy setting determines if the server side SMB service is required to perform SMB packet signing. Enable this policy setting in a mixed environment to prevent downstream clients from usin ...

CCE-42907-6
Ensure No Auditing for 'Audit Policy: Detailed Tracking: DPAPI Activity' This subcategory reports encrypt or decrypt calls into the data protections application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. Events for this subcategor ...

CCE-43813-5
Disable: 'Prioritize H.264/AVC 444 graphics mode for Remote Desktop Connections' This policy setting prioritizes the H.264/AVC 444 graphics mode for non-RemoteFX vGPU scenarios. When you use this setting on the RDP server, the server will use H.264/AVC 444 as the codec in an RDP 10 connection where ...

CCE-44323-4
Disable: 'Configure local setting override for reporting to Microsoft MAPS' This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority ove ...

CCE-44421-6
Select the 'Let Windows apps access call history' to user_is_in_control This policy setting specifies whether Windows apps can access call history. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access call history by using Sett ...

CCE-42411-9
Ensure No Auditing for 'Audit Policy: Policy Change: Authorization Policy Change' This subcategory reports changes in authorization policy including permissions (DACL) changes. Events for this subcategory include: - 4704: A user right was assigned. - 4705: A user right was removed. - ...

CCE-42971-2
Disable: 'Windows Firewall: Public: Logging: Log dropped packets' for LogDroppedPackets Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the acti ...

CCE-41482-1
Disable: 'Turn off Windows Location Provider' This policy setting turns off the Windows Location Provider feature for this computer. If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the ...

CCE-42542-1
Disable: 'Prefer PIN pairing' This policy applies to Wireless Display connections. This policy changes the preference order of the pairing methods. When enabled, it makes the connections to prefer a PIN for pairing to Wireless Display devices over the Push Button pairing method. If this pol ...

CCE-44018-0
Specify the 'Windows Firewall: Private: Logging: Name' for LogFilePath Use this option to specify the path and name of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to a value suitable for your organization, such as the de ...

CCE-44180-8
Disable: 'Audit: Shut down system immediately if unable to log security audits' for crashonauditfail This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteri ...

CCE-41614-9
Specify the 'MSS: (KeepAliveTime) How often keep-alive packets are sent' in milliseconds for KeepAliveTime MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Counter Measure: Configure the MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds (3 ...

CCE-43252-6
Disable: 'Scan archive files' This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. If you enable or do not configure this setting, archive files will be scanned. If you disable this setting, archive files ...

CCE-43659-2
Specify the 'Windows Firewall: Public: Logging: Name' for LogFilePath Use this option to specify the path and name of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to a value suitable for your organization, such as the def ...

CCE-42444-0
'Set time limit for active Remote Desktop Services sessions' to never This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. If you enable this policy setting, you must select the desired ...

CCE-41832-7
Allow log on through Remote Desktop Services This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. If your organization uses Remote Assistance as part of its help desk strategy, create a group and a ...

CCE-43933-1
Specify the 'Define the rate of detection events for logging' (Minutes Min:0 Max:10000000) This policy setting limits the rate at which detection events for network protection against exploits of known vulnerabilities will be logged. Logging will be limited to not more often than one event per the ...

CCE-44436-4
Disable: 'Turn off Password Manager' This setting lets you decide whether employees can save their passwords locally, using Password Manager. Turning this setting on, or not configuring it, lets your employees use Password Manager. Turning this setting off stops your employees from using Pa ...

CCE-42991-0
Turn off Quiet Hours This policy setting turns off Quiet Hours functionality. If you enable this policy setting, toast notifications will not be suppressed and some background tasks will not be deferred during the designated Quiet Hours time window each day. If you disable this po ...

CCE-43372-2
Prevent access to registry editing tools This policy setting disables the Windows registry editors Regedit.exe and Regedt32.exe. Counter Measure: Enable this setting. Potential Impact: If you enable this policy setting, a message will display when users try to use a registry edito ...

CCE-41501-8
Select the 'Set the default behavior for AutoRun' to do_not_execute_any_autorun_commands This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. ...

CCE-42531-4
Disable: 'Start Layout' Specifies the Start layout for users. This setting lets you specify the Start layout for users and prevents them from changing its configuration. The Start layout you specify must be stored in an XML file that was generated by the Export-StartLayout PowerShell cmdlet. ...

CCE-41547-1
Disable: 'Network Security: Restrict NTLM: NTLM authentication in this domain' for RestrictNTLMInDomain This policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy does not affect interactive logon to this domain controller. Coun ...

CCE-44312-7
Disable: 'Allow Remote Shell Access' This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. Counter Measure: Configure Allow Remote Shell Access to Disabled. Potential Impact: If you enable this policy setti ...

CCE-42113-1
Ensure No Auditing for 'Audit Policy: Object Access: SAM' This subcategory reports when SAM objects are accessed. Refer to the Microsoft Knowledgebase article "Description of security events in Windows Vista and in Windows Server 2008" for the most recent information about this setting: http://supp ...

CCE-42577-7
Disable: 'Toggle user control over Insider builds' for AllowBuildPreview This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices avail ...

CCE-43648-5
Replace a process level token This policy setting allows one process or service to start another service or process with a different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges. When configuring a user ...

CCE-42433-3
Disable: 'Choose how BitLocker-protected fixed drives can be recovered' for FDVRecovery This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The "A ...

CCE-43470-4
Accounts: Administrator account status This policy setting enables or disables the Administrator account during normal operation. When a computer is booted into safe mode, the Administrator account is always enabled, regardless of how this setting is configured. Note that this setting will have no ...

CCE-43189-0
Disable: 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' for AllowOnlineID Windows 7 and Windows Server 2008 R2 introduce an extension to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decides whether to ...

CCE-44447-1
Disable: 'Turn off Autofill' This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. Turning this setting on, or not configuring it, lets employees use Autofill in form fields. Turning this setting off stops employees ...

CCE-43130-4
Ensure No Auditing for 'Audit Policy: Account Management: Security Group Management' This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audi ...

CCE-42564-5
Force specific screen saver This policy setting allows you to manage whether or not screen savers run. If the Screen Saver setting is disabled screen savers do not run and the screen saver section of the Screen Saver tab in Display in Control Panel is disabled. If this setting is enabled a screen s ...

CCE-42773-2
'Specify the day of the week to check for definition updates' to everyday This policy setting allows you to specify the day of the week on which to check for definition updates. The check can also be configured to run every day or to never run at all. This setting can be configured with the fol ...

CCE-41998-6
Disable: 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' for DisableIPSourceRouting MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Counter Measure: Configure the MSS: (DisableIPSource ...

CCE-42311-1
Disable: 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' for EnableSecureUIAPaths This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location i ...

CCE-43800-2
Start Layout Specifies the Start layout for users. This setting lets you specify the Start layout for users and prevents them from changing its configuration. The Start layout you specify must be stored in an XML file that was generated by the Export-StartLayout PowerShell cmdlet. To use this sett ...

CCE-43078-5
Accounts: Rename guest account The built-in local guest account is another well-known name to attackers. Microsoft recommends to rename this account to something that does not indicate its purpose. Even if you disable this account, which is recommended, ensure that you rename it for added security. ...

CCE-42675-9
Disable: 'Turn off the offer to update to the latest version of Windows' Enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. If you disable or do not config ...

CCE-43748-3
Account lockout duration This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy sett ...

CCE-41710-5
Domain member: Maximum machine account password age This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly or set it to 0 so that the ...

CCE-41525-7
Disable: 'Configure use of hardware-based encryption for removable data drives' for RDVHardwareEncryption This policy setting allows you to manage BitLocker's use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. ...

CCE-44238-4
Disable: 'Do not allow drive redirection' This policy setting prevents users from sharing the local drives on their client computers to Terminal Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\TSClient\<driveletter>$ ...

CCE-42599-1
Disable: 'Allow unencrypted traffic' This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the netwo ...

CCE-41987-9
Specify the 'Force a specific background and accent color for PersonalColors_Accent' (Color Code) Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. By default, users can change the background and accent colors. If this s ...

CCE-42137-0
Disable: 'Path Exclusions' This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where t ...

CCE-42553-8
Specify the 'PIN History' (number of past PINs Min:0 Max:50) This setting specifies the number of past PINs that can be associated to a user account that can't be reused. This policy enables administrators to enhance security by ensuring that old PINs are not reused continually. PIN history is not ...

CCE-43811-9
Disable: 'Use Remote Passport' Use this policy setting to configure use of Remote Passport. Remote Passport provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. Remote Passport requires that the desktop be Azure AD joined and that the ...

CCE-41647-9
Disable: 'Network Security: Configure encryption types allowed for Kerberos' for SupportedEncryptionTypes This policy setting allows you to set the encryption types that Kerberos is allowed to use. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Counter Measure: ...

CCE-42882-1
Allow Windows Runtime apps to revoke enterprise data Windows Runtime applications can protect content which has been associated with an enterprise identifier (EID), but can only revoke access to content it protected. To allow an application to revoke access to all content on the device that is prot ...

CCE-42686-6
Disable: 'Use enhanced Boot Configuration Data validation profile' This policy setting allows you to choose specific Boot Configuration Data (BCD) settings to verify during platform validation. If you enable this policy setting, you will be able to add additional settings, remove the default se ...

CCE-44325-9
Disable: 'Scan network files' This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting. If you enable this setting, network files will be scanned. If you disable or do not configure this setting, network files will not be ...

CCE-44423-2
Select the 'Let Windows apps access email for LetAppsAccessEmail' to user_is_in_control This policy setting specifies whether Windows apps can access email. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access email by using Se ...

CCE-42818-5
Disable: 'Pin Apps to Start when installed' This policy setting allows pinning apps to Start by default, when they are included by AppID on the list. Counter Measure: Enable and configure this setting. Potential Impact: Users will need to manually locate and pin apps to Start.

CCE-44039-6
Specify the 'Force a specific Start background' (Min:0 Max:20) Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. If this setting is set to zero or not configured, then Start uses the default background, and users can change it ...

CCE-42502-5
Disable: 'Allow a Windows app to share application data between users' Manages a Windows app's ability to share data between users who have installed the app. If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the Sha ...

CCE-43050-4
Impersonate a client after authentication The policy setting allows programs that run on behalf of a user to impersonate that user (or another specified account) so that they can act on behalf of the user. If this user right is required for this kind of impersonation, an unauthorized user will not ...

CCE-43446-4
Specify the 'DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL)' value syntax This policy setting determines which users or groups might launch or activate DCOM applications remotely or locally. This setting is used to control the attack surface of the computer for ...

CCE-42548-8
Disable: 'Do not show feedback notifications' This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. If you enable this policy setting, users will no longer see feedback notifications through the Windows Feedback app. If you disable ...

CCE-44148-5
Disable: 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' for cachedlogonscount This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached loca ...

CCE-41811-1
Ensure No Auditing for 'Audit Policy: Object Access: Registry' This subcategory reports when registry objects are accessed. Only registry objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL. By itself, this policy setting will not c ...

CCE-41857-4
Disable: 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' This policy setting prevents computers from establishing multiple simultaneous connections to either the Internet or to a Windows domain. If this policy setting is enabled, when the compute ...

CCE-42141-2
Enable: 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' for EnableDeadGWDetect MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) Counter Measure: Enable this setting. Potential Impact: ...

CCE-44453-9
Require digits Use this policy setting to configure the use of digits in the Microsoft Passport for PIN. If you enable or do not configure this policy setting, Microsoft Passport for Work requires users to include at least one uppercase letter in their PIN. If you disable this policy setting, Mic ...

CCE-41737-8
Ensure No Auditing for 'Audit Policy: Object Access: Other Object Access Events' This subcategory reports other object access-related events such as Task Scheduler jobs and COM+ objects. Events for this subcategory include: - 4671: An application attempted to access a blocked ordinal through th ...

CCE-42962-1
Ensure No Auditing for 'Audit Policy: Detailed Tracking: RPC Events' This subcategory reports remote procedure call (RPC) connection events. Events for this subcategory include: - 5712: A Remote Procedure Call (RPC) was attempted. Refer to the Microsoft Knowledgebase article "Description o ...

CCE-43411-8
Disable: 'Devices: Allow undock without having to log on' for undockwithoutlogon This policy setting determines whether a portable computer can be undocked if the user does not log on to the system. Enable this policy setting to eliminate a Logon requirement and allow use of an external hardware ej ...

CCE-42537-1
Disable: 'Suppresses reboot notifications' This policy setting allows user to suppress reboot notifications in UI only mode (for cases where UI can't be in lockdown mode). If you enable this setting AM UI won't show reboot notifications. Counter Measure: Configure this setting de ...

CCE-43807-7
Disable: 'Don't allow SmartScreen Filter warning overrides for unverified files' This setting lets you decide whether employees can override the SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops employees from ignoring the SmartScreen Filter warnings ...

CCE-41615-6
Ensure No Auditing for 'Audit Policy: Account Logon: Credential Validation' This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the doma ...

CCE-42997-7
Set the time Quiet Hours begins each day This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to begin each day. If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settin ...

CCE-43773-1
'Set time limit for active but idle Remote Desktop Services sessions' to never This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. If you enable this policy ...

CCE-44137-8
Disable: 'Domain member: Digitally encrypt secure channel data (when possible)' for sealsecurechannel This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member ...

CCE-43905-9
'Specify the time of day to run a scheduled full scan to complete remediation' (in Minutes Min:0 Max:1440) This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes pas ...

CCE-41474-8
Disable: 'Domain member: Require strong (Windows 2000 or later) session key' for requirestrongkey When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enab ...

CCE-43215-3
Disable: 'Configure local setting override for monitoring file and program activity on your computer' This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. If you enable t ...

CCE-42317-8
Ensure Audit Success and Failure for 'Audit Policy: Account Management: Other Account Management Events' This subcategory reports other account management events. Events for this subcategory include: - 4782: The password hash an account was accessed. - 4793: The Password Policy Checking API ...

CCE-41581-0
Disable: 'Windows Firewall: Domain: Logging: Log dropped packets' for LogDroppedPackets Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the acti ...

CCE-42779-9
Disable: 'Configure local administrator merge behavior' for lists This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists such as threats and Exclusions. If you enable or do not co ...

CCE-41977-0
Take ownership of files or other objects This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user. When configuring a user right ...

CCE-43784-8
Disable: 'Always send compound authentication first' This policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity. Note: For a domain controller to request compound authentication, the policies "KDC support for ...

CCE-44331-7
Disable: 'Time (in seconds) to force reboot when required for policy changes to take effect' for ForceReboot Set the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. If you enable this setting, set the amou ...

CCE-44126-1
Disable: 'Do not enumerate connected users on domain-joined computers' This policy setting prevents connected users from being enumerated on domain-joined computers. If you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers. If you di ...

CCE-42219-6
Disable: 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' for AutoAdminLogon MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Counter Measure: Do not configure the MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) entry except on highly secure com ...

CCE-43991-9
Disable: 'Use DNS name resolution when a single-label domain name is used, by appending different registered DNS suffixes, if the AllowSingleLabelDnsDomain setting is not enabled.' This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of s ...

CCE-43916-6
Enable: 'Turn off Automatic Download and Install of updates' for AutoDownload Enables or disables the automatic download and installation of app updates. If you enable this setting, the automatic download and installation of app updates is turned off. If you disable this setting, the automa ...

CCE-43893-7
Disable: 'Configure local setting override to turn off Intrusion Prevention System' This policy setting configures a local override for the configuration of network protection against exploits of known vulnerabilities. This setting can only be set by Group Policy. If you enable this setting, th ...

CCE-42888-8
Specify the 'Define the maximum size of downloaded files and attachments to be scanned' (IOAVMaxSize Min:0 Max:10000000 kb) This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned. If you enable this setting, downloaded files and atta ...

CCE-41735-2
Disable: 'Enable use of BitLocker authentication requiring preboot keyboard input on slates' This policy setting allows users to enable authentication options that require user input from the pre-boot environment even if the platform indicates lack of pre-boot input capability. The Windows on-s ...

CCE-42842-5
Disable: 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' for NTLMMinServerSec This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications t ...

CCE-44311-9
Disable: 'Shutdown: Clear virtual memory pagefile' for ClearPageFileAtShutdown This policy setting determines whether the virtual memory pagefile is cleared when the system is shut down. When this policy setting is enabled, the system pagefile is cleared each time that the system shuts down properl ...

CCE-41561-2
Disable: 'Interactive logon: Machine account lockout threshold' for MaxDevicePasswordFailedAttempts The machine lockout policy is enforced only on those machines that have Bitlocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled. ...

CCE-43568-5
Specify the 'Turn Off the Display (Plugged In)' in seconds (max: 4294967295) Specifies the period of inactivity before Windows turns off the display. If you enable this policy, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display ...

CCE-41637-0
Ensure No Auditing for 'Audit Policy: Logon-Logoff: IPsec Quick Mode' This subcategory reports the results of IKE protocol and AuthIP during Quick Mode negotiations. - 4654: An IPsec Quick Mode negotiation failed. Events for this subcategory include: - 4977: During Quick Mode negotiation, I ...

CCE-42381-4
Create a pagefile This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer. When configuring a user right in the SCM enter a comma delimited list of acco ...

CCE-42975-3
Disable: 'Configure Offer Remote Assistance' for fAllowUnsolicited This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. If you enable this policy setting, users on this computer can get help from their corporate technical support staff us ...

CCE-42600-7
Select the 'Enforce drive encryption type on operating system drives' to allow_user_to_choose This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if ...

CCE-42056-2
Disable: 'Turn on catch-up quick scan' This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at th ...

CCE-42010-9
Specify the 'Network access: Remotely accessible registry paths' for Machine This policy setting determines which registry paths will be accessible after referencing the WinReg key to determine access permissions to the paths. Note: This setting does not exist in Windows XP. There was a setting ...

CCE-43903-4
'Specify the time for a daily quick scan' (ScheduleQuickScanTime in Mins Min:0 Max:1440) This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equiva ...

CCE-42546-2
Disable: 'Do not show Windows Tips' This policy setting prevents Windows Tips from being shown to users. If you enable this policy setting, users will no longer see Windows tips. If you disable or do not configure this policy setting, users may see contextual popups explaining how to use Wi ...

CCE-43655-0
Disable: 'Control System Event Log behavior when the log file reaches its maximum size' This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log an ...

CCE-42500-9
Specify the 'ECC Curve Order' value (ECC curve names) This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. If you enable this policy setting, ECC curves are prioritized in the order specified.(Enter one Curve name per line) If you disable or do not ...

CCE-43805-1
Specify the 'Configure corporate Home pages' (ProvisionedHomePages URLS) value This setting lets you configure your corporate Home pages for domain-joined devices. Your employees can change this setting. Turning this setting on lets you configure one or more corporate Home pages. If this settin ...

CCE-42189-1
Disable: 'MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged' for TcpMaxConnectResponseRetransmissions MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged Counter Measur ...

CCE-43557-8
Disable: 'Network access: Named Pipes that can be accessed anonymously' for NullSessionPipes This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. Note: When you configure this setting you specify a list of one o ...

CCE-42402-8
Specify the 'Configure time out for detections in recently remediated state' (RecentlyCleanedTimeout Min:0 Max:4294967295 in Mins) This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state. Counter Measure: Configure this se ...

CCE-41813-7
Disable: 'Detect compatibility issues for applications and drivers' This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with application and driver compatibility. If you enable this policy setting, the PCA is configured to detect failures during applic ...

CCE-44037-0
Disable: 'Allow Microsoft accounts to be optional' This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. If you enable this policy setting, Windows Stor ...

CCE-44455-4
Require special characters Use this policy setting to configure the use of special characters in the Microsoft Passport for PIN. Allowable special characters are: ! ' # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~ . If you enable this policy setting, Microsoft Passport for Work requi ...

CCE-44048-7
Disable: 'Always automatically restart at the scheduled time for AlwaysAutoRebootAtScheduledTime' If you enable this policy, a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the login screen for at least two days. ...

CCE-41483-9
Disable: 'Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication' for ClientAllowedNTLMServers This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM ...

CCE-41715-4
Disable: 'Set IP Stateless Autoconfiguration Limits State' This policy setting allows you to configure IP Stateless Autoconfiguration Limits. If you enable or do not configure this policy setting, IP Stateless Autoconfiguration Limits will be enabled and system will limit the number of autoconf ...

CCE-41528-1
Accounts: Guest account status This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system. Note that this setting will have no impact when applied to the domain controller organizational unit v ...

CCE-42862-3
Disable: 'IP address range Exclusions' for Nis_Consumers_IPS_Exclusions_Ip_Ranges_Ip_Range This policy, if defined, will prevent network protection against exploits of known vulnerabilities from inspecting the specified IP addresses. IP addresses should be added under the Options for this setting. ...

CCE-42490-3
Specify the 'Configure log access (legacy) - Event Log Service\System' (SDDL String) value This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only users whose security descr ...

CCE-42178-4
Select the 'Devices: Restrict floppy access to locally logged-on user only' to only_administrators This policy setting determines whether removable floppy media are accessible to both local and remote users simultaneously. If you enable this policy setting, only the interactively logged-on user is ...

CCE-43413-4
Remove computer from docking station This policy setting allows the user of a portable computer to click Eject PC on the Start menu to undock the computer. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory ...

CCE-44322-6
Select the 'Set the SafeSearch setting for Search' to strict This policy setting allows you to control the SafeSearch setting used when performing a query in Search. If you enable this policy setting, you can specify one of three SafeSearch settings, which users won't be able to change: ...

CCE-44420-8
Select the 'Let Windows apps access account information' to user_is_in_control This policy setting specifies whether Windows apps can access account information. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access account info ...

CCE-43546-1
Disable: 'Network security: LAN Manager authentication level' for LmCompatibilityLevel LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, u ...

CCE-42437-4
Specify the 'Configure minimum PIN length for startup' (MinimumPIN Length Min:4 Max:20) This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length ...

CCE-42995-1
Disable: 'User Account Control: Run all administrators in Admin Approval Mode' for EnableLUA This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: - En ...

CCE-43217-9
Specify Work Folders settings This policy setting specifies the Work Folders server for affected users, as well as whether or not users are allowed to change settings when setting up Work Folders on a domain-joined computer. If you enable this policy setting, affected users user receive Work Folde ...

CCE-43426-6
Disable: 'Turn on protocol recognition' This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities. If you enable or do not configure this setting, protocol recognition will be enabled. If you disable this setting, proto ...

CCE-43381-3
Perform volume maintenance tasks This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial-of-service condition. When configuring a user right in the SCM enter a comma delimited list of ...

CCE-42777-3
Disable: 'Prevent enabling lock screen slide show' Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By default, users can enable a slide show that will run after they lock the machine. If you enable this setting, users wi ...

CCE-44222-8
Specify the 'Configure time out for detections requiring additional action' (in Mins Min:0 Max:4294967295) This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state. Counter Measure: Configure this setting depending ...

CCE-43119-7
Disable: 'Configure local setting override for scheduled quick scan time' This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority ...

CCE-41583-6
Disable: 'Prevent the computer from joining a homegroup' By default, users can add their computer to a homegroup on a home network. If you enable this policy setting, a user on this computer will not be able to add this computer to a homegroup. This setting does not affect other network sharin ...

CCE-42984-5
List desktop apps first in the Apps view This policy setting allows desktop apps to be listed first in the Apps view in Start. If you enable this policy setting, desktop apps would be listed first when the apps are sorted by category in the Apps view. The other sorting options would continue to be ...

CCE-43729-3
Prevent changing screen saver Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It does not prevent a screen saver from running. Cou ...

CCE-41968-9
'Specify the maximum size of archive files to be scanned' (ArchiveMaxSize Min:0 Max:4294967295 in KB) This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and ...

CCE-41681-8
Disable: 'Allow antimalware service to startup with normal priority' This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance. If you enable or do not configure this setting, the an ...

CCE-42069-5
Create symbolic links This policy setting determines which users can create symbolic links. In Windows Vista, existing NTFS file system objects, such as files and folders, can be accessed by referring to a new kind of file system object called a symbolic link. A symbolic link is a pointer (much lik ...

CCE-42023-2
Disable: 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)' for DisableSavePassword MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended) Counter Measure: Enable this setting. Potential Impact: Users will need ...

CCE-44431-5
Select the 'Let Windows apps control radios' to user_is_in_control This policy setting specifies whether Windows apps have access to control radios. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps have access to control radios by usi ...

CCE-43936-4
Disable: 'Turn on heuristics' This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do not turn off heuristics. ...

CCE-42217-0
Disable: 'Enable headless UI mode' This policy setting allows you to configure whether or not to display AM UI to the users. If you enable this setting AM UI won't be available to users. Counter Measure: Configure this setting depending on your organization's requirements. ...

CCE-43535-4
Maximum password age This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for this policy setting is 42 days. Because attackers can ...

CCE-44442-2
'Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)' to AES 128-bit This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn ...

CCE-44257-4
Disable: 'Allow Basic authentication for Windows Remote Management (WinRM) client' This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. If you enable this policy setting, the WinRM client will use Basic authentication. If WinRM ...

CCE-42840-9
Load and unload device drivers This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this capability to install malicious code that appears to be a device driver. This user right is required for users to add local printers or printer ...

CCE-42788-0
Disable: 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' for TcpMaxDataRetransmissions MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) Counter Measu ...

CCE-43838-2
Specify the 'Maximum PIN length' (MaximumPINLength Min:4 Max:127) Maximum PIN length configures the maximum number of characters allowed for the work PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configu ...

CCE-42557-9
History This setting specifies the number of past PINs that can be associated to a user account that can't be reused. This policy enables administrators to enhance security by ensuring that old PINs are not reused continually. PIN history is not preserved through PIN reset. The value must be betwe ...

CCE-42326-9
Disable: 'MSS: (AutoShareServer) Enable Administrative Shares (recommended except for highly secure environments)' MSS: (AutoShareServer) Enable Administrative Shares (recommended except for highly secure environments) Counter Measure: Disable this setting. Potential Impact: Remot ...

CCE-41594-3
Specify the 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' for RDVDiscoveryVolumeType This policy setting configures whether or not removable data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2 ...

CCE-43793-9
Disable: 'Configure use of hardware-based encryption for operating system drives' for OSHardwareEncryption This policy setting allows you to manage BitLocker's use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encrypti ...

CCE-42459-8
Disable: 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' for Enabled This policy setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. Although ...

CCE-43909-1
Ensure No Auditing for 'Audit Policy: Policy Change: Other Policy Change Events' This subcategory reports other types of security policy changes such as configuration of the Trusted Platform Module (TPM) or cryptographic providers. Events for this subcategory include: - 4909: The local policy s ...

CCE-43551-1
Disable: 'Enumerate local users on domain-joined computers' This policy setting allows local users to be enumerated on domain-joined computers. If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this po ...

CCE-41804-6
Select the 'Configure Default consent' to always_ask_before_sending_data This setting determines the consent behavior of Windows Error Reporting. If Consent level is set to "Always ask before sending data", Windows will prompt the user for consent to send reports. If Consent level is set to "Sen ...

CCE-43864-8
Disable: 'Provide the unique identifiers for your organization' for IdentificationField This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification fi ...

CCE-42506-6
Disable: 'Enable Protected Event Logging' This policy setting lets you configure Protected Event Logging. If you enable this policy setting, components that support it will use the certificate you supply to encrypt potentially sensitive event log data before writing it to the event log. Data wi ...

CCE-42398-8
Specify the 'Windows Firewall: Private: Logging: Size limit (KB)' for LogFileSize Use this option to specify the size limit of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to "16384". Potential Impact: The log fi ...

CCE-42615-5
Ensure No Auditing for 'Audit Policy: System: Security State Change' This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. Events for this subcategory include: - 4608: Windows is starting up. - 4609: Windows is shutting down ...

CCE-43190-8
'Specify settings for optional component installation and component repair' for LocalSourcePath This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. If yo ...

CCE-42074-5
Disable: 'MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments)' for AutoReboot MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) Counter ...

CCE-42496-0
Disable: 'Do not allow password expiration time longer than required by policy' When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password ex ...

CCE-43224-5
Ensure Audit Success and Failure for 'Audit Policy: Privilege Use: Sensitive Privilege Use' This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights: Act as part of the operating system, Back up files and directori ...

CCE-41948-1
Disable: 'Network access: Let Everyone permissions apply to anonymous users' for EveryoneIncludesAnonymous This policy setting determines what additional permissions are assigned for anonymous connections to the computer. If you enable this policy setting, anonymous Windows users are allowed to per ...

CCE-42172-7
Disable: 'Turn off app notifications on the lock screen' This policy setting allows you to prevent app notifications from appearing on the lock screen. If you enable this policy setting, no app notifications are displayed on the lock screen. If you disable or do not configure this policy se ...

CCE-43081-9
Ensure No Auditing for 'Audit Policy: Object Access: Filtering Platform Packet Drop' This subcategory reports when packets are dropped by Windows Filtering Platform (WFP). These events can be very high in volume. Events for this subcategory include: - 5152: The Windows Filtering Platform blocke ...

CCE-43028-0
Disable: 'Turn off access to the Store' This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the com ...

CCE-41574-5
Disable: 'Interactive logon: Do not display last user name' for DontDisplayLastUserName This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this p ...

CCE-43453-0
Disable: 'User Account Control: Admin Approval Mode for the Built-in Administrator account' for FilterAdministratorToken This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: - Enabled: The built-in Administrator account us ...

CCE-44407-5
Disable: 'Require trusted path for credential entry' If you enable this policy setting, users are required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism. This means that before entering account and password information to authorize an elevation request, a ...

CCE-44133-7
Modify an object label This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this ...

CCE-44046-1
Disable help tips Disables help tips that Windows shows to the user. By default, Windows will show the user help tips until the user has successfully completed the scenarios. If this setting is enabled, Windows will not show any help tips to the user. Counter Measure: Configure this sett ...

CCE-43159-3
Screen saver timeout If the Screen Saver Timeout setting is enabled, then the screen saver will be launched when the specified amount of time has passed since the last user action. Valid values range from 1 to 89,400 seconds (24 hours). The setting has no effect if the wait time is set to zero or n ...

CCE-44266-5
Specify the 'Interactive logon: Message text for users attempting to log on' value Microsoft recommends that you use this setting, if appropriate to your environment and your organization's business requirements, to help protect end user computers. This policy setting specifies a text message that ...

CCE-43886-1
Deny log on through Remote Desktop Services This policy setting determines whether users can log on as Terminal Services clients. After the baseline member server is joined to a domain environment, there is no need to use local accounts to access the server from the network. Domain accounts can acc ...

CCE-42528-0
Disable: 'Disable pre-release features or settings' for EnableConfigFlighting This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. A value of 1 permits Microsoft to configure device settings only. A value of 2 allows M ...

CCE-43211-2
Ensure No Auditing for 'Audit Policy: Policy Change: Filtering Platform Policy Change' This subcategory reports the addition and removal of objects from WFP, including startup filters. These events can be very high in volume. Events for this subcategory include: - 4709: IPsec Services was start ...

CCE-41478-9
Disable: 'Prevent installation of devices that match any of these device IDs' for DenyDeviceIDs This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any othe ...

CCE-41585-1
Specify the 'Windows Firewall: Public: Logging: Size limit (KB)' for LogFileSize Use this option to specify the size limit of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to "16384". Potential Impact: The log fil ...

CCE-43995-0
Disable: 'Turn on Information Protection Control' This policy setting allows you to configure Information Protection Control (IPC). If you enable this setting, IPC will be enabled. If you disable or do not configure this setting, IPC will be disabled. Counter Measure: Configure thi ...

CCE-44168-3
Disable: 'Allow user control over installs' This policy setting permits users to change installation options that typically are available only to system administrators. If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations t ...

CCE-43322-7
Bypass traverse checking This policy setting allows users who do not have the Traverse Folder access permission to pass through folders when they browse an object path in the NTFS file system or the registry. This user right does not allow users to list the contents of a folder. When configuring a ...

CCE-44220-2
Disable: 'Configure local setting override for the removal of items from Quarantine folder' This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This setting can only be set by Group Policy. ...

CCE-42846-6
Disable: 'Configure Automatic Updates' for NoAutoUpdate This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is av ...

CCE-43246-8
Search just apps from the Apps view This policy setting prevents the user from searching apps, files, settings (and the web if enabled) when the user searches from the Apps view. This policy setting is only applied when the Apps view is set as the default view for Start. If you enable this policy ...

CCE-43753-3
Remove CD Burning features This policy setting allows you to remove CD Burning features. File Explorer allows you to create and modify re-writable CDs if you have a CD writer connected to your PC. If you enable this policy setting, all features in the File Explorer that allow you to use your CD wr ...

CCE-44429-9
Select the 'Let Windows apps access the microphone' to user_is_in_control This policy setting specifies whether Windows apps can access the microphone. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the microphone by usin ...

CCE-44451-3
Select the 'Require special characters in PIN' to allow Use this policy setting to configure the use of special characters in the Microsoft Passport for PIN. Allowable special characters are: ! " # $ % &amp; ' ( ) * + , - . / : ; &lt; = &gt; ? @ [ \ ] ^ _ ` { | } ~ . If you enable this policy ...

CCE-42298-0
Disable: 'Interactive logon: Message title for users attempting to log on' for LegalNoticeCaption Microsoft recommends that you use this setting, if appropriate to your environment and your organization's business requirements, to help protect end user computers. This policy setting allows text to ...

CCE-42504-1
Specify the 'Configure log access (legacy) - Event Log Service\Application' (SDDL String) value This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this ...

CCE-44286-3
Disable: 'Allow indexing of encrypted files' This policy setting allows encrypted items to be indexed. If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting, the search service components ...

CCE-41870-7
Ensure No Auditing for 'Audit Policy: Account Logon: Kerberos Service Ticket Operations' This subcategory reports generated by Kerberos ticket request processes on the domain controller that is authoritative for the domain account. Events for this subcategory include: - 4769: A Kerberos service ...

CCE-41772-5
Disable: 'Allow users to connect remotely by using Remote Desktop Services' This policy setting allows you to configure remote access to computers by using Remote Desktop Services. If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer ...

CCE-42820-1
Disable: 'Sign-in last interactive user automatically after a system-initiated restart' This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. If you enable or do not configure this policy setting, the device ...

CCE-42539-7
Disable: 'Turn on PowerShell Script Block Logging' for EnableScriptBlockLogging This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, Windows PowerShell will log the processing of ...

CCE-43873-9
Disable: 'Configure TPM platform validation profile for native UEFI firmware configurations' for Enabled This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the com ...

CCE-43775-6
Disable: 'Network Security: Restrict NTLM: Incoming NTLM traffic' for RestrictReceivingNTLMTraffic This policy setting allows you to deny or allow incoming NTLM traffic. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Block events are recorded on this compute ...

CCE-43809-3
Disable: 'Turn off InPrivate browsing' This setting lets you decide whether employees can browse using InPrivate website browsing. Turning this setting on, or not configuring it, lets employees use InPrivate browsing on the corporate network. Turning this setting off stops employees from us ...

CCE-43960-4
Disable: 'Prevent installation of removable devices' This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial ...

CCE-41576-0
Restrict the user from entering author mode Prevents users from entering author mode. This setting prevents users from opening the Microsoft Management Console (MMC) in author mode, explicitly opening console files in author mode, and opening any console files that open in author mode by default. ...

CCE-44177-4
Disable: 'Windows Firewall: Domain: Display a notification' for DisableNotifications Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note When the Apply local firewall rules sett ...

CCE-42494-5
Specify the 'Password Settings' (PasswordAgeDays: Min:1 Max:365) Configures password parameters Password complexity: which characters are used when generating a new password Default: Large letters + small letters + numbers + special characters Password length Minimum: 8 cha ...

CCE-41806-1
Access this computer from the network This policy setting allows other users on the network to connect to the computer and is required by various network protocols that include Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus ( ...

CCE-43588-3
Ensure No Auditing for 'Audit Policy: DS Access: Directory Service Replication' This subcategory reports when replication between two domain controllers begins and ends. Events for this subcategory include: - 4932: Synchronization of a replica of an Active Directory naming context has begun. ...

CCE-43468-8
Select the 'Devices: Allowed to format and eject removable media' to administrators_only This policy setting determines who is allowed to format and eject removable media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another comput ...

CCE-43884-6
Disable: 'Windows Firewall: Public: Logging: Log successful connections' for LogSuccessfulConnections Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the ...

CCE-43070-2
Disable: 'Allow the use of biometrics' If you enable (or do not configure) this policy setting, the Windows Biometric Service will be available, and users will be able to run applications that use biometrics on Windows. If you want to enable the ability to log on with biometrics, you must also conf ...

CCE-43929-9
Disable: 'Configure use of passwords for operating system drives' for OSPassphrase This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enfo ...

CCE-43213-8
Disable: 'Turn on behavior monitoring' This policy setting allows you to configure behavior monitoring. If you enable or do not configure this setting, behavior monitoring will be enabled. If you disable this setting, behavior monitoring will be disabled. Counter Measure: Configure ...

CCE-42526-4
Disable: 'Use biometrics' Microsoft Passport for Work enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However users must still configure a work PIN to use in case of failures. If you enable this policy setting, Microsoft Passport for ...

CCE-42481-2
Specify the 'Configure pre-boot recovery message and URL' value for RecoveryKeyMessage This policy setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. If you select the "Use defaul ...

CCE-43259-1
Disable: 'Configure use of passwords for removable data drives' for RDVPassphrase This policy setting allows you to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer. If you enable this policy setting smart cards can b ...

CCE-43786-3
Select the 'Set what information is shared in Search' to user_info_and_location This policy setting allows you to control what information is shared with Bing in Search. If you enable this policy setting, you can specify one of four settings, which users won't be able to change: -User i ...

CCE-44166-7
Specify the 'Configure removal of items from Quarantine folder' (PurgeItemsAfterDelay in days Min:0 Max:10000000) This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. If you enable this setting, items will be removed from the Quarant ...

CCE-42690-8
'Configure use of passwords for fixed data drives for FDVPassphrase' to false This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives. If you choose to permit the use of a password, you can require that a password be used, enforce complexity requ ...

CCE-43993-5
Disable: 'Do not display network selection UI' for DontDisplayNetworkSelectionUI This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. If you enable this policy setting, the PC's network connectivity state cannot be changed without ...

CCE-43115-5
Disable: 'Do not connect to any Windows Update Internet locations' Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other se ...

CCE-41794-9
Disable: 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' for EnableICMPRedirect MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Counter Measure: Configure the MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF ...

CCE-42515-7
Ensure No Auditing for 'Audit Policy: Object Access: Filtering Platform Connection' This subcategory reports when connections are allowed or blocked by WFP. These events can be high in volume. Events for this subcategory include: - 5031: The Windows Firewall Service blocked an application from ...

CCE-42977-9
Ensure No Auditing for 'Audit Policy: Object Access: File Share' This subcategory reports when a file share is accessed. By itself, this policy setting will not cause auditing of any events. It determines whether to audit the event of a user who accesses a file share object that has a specified sys ...

CCE-43751-7
'Specify intranet Microsoft update service location' (WUStatusServer) This policy setting allows you to specify an intranet server to host updates from the Microsoft Update Web site. You can then use this update service location to automatically update computers on your network. The Automatic Updat ...

CCE-91301-2
"Turn On Fast Startup" When you shutdown a PC with Fast Startup turned on, Windows saves the current system state and the contents of memory to a file called hiberfil.sys and then it shuts down the computer. Later, when you turn on the computer, rather than performing a full load of the entire syst ...

CCE-42054-7
Disable: 'Reschedule Automatic Updates scheduled installations' This policy setting determines the amount of time before previously scheduled Automatic Update installations will proceed after system startup. If you configure this policy setting to Enabled, a previously scheduled installation will b ...

CCE-41786-5
Ensure No Auditing for 'Audit Policy: Logon-Logoff: Logon' This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes ...

CCE-44163-4
Disable: 'Configure local setting override for monitoring for incoming and outgoing file activity' This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this settin ...

CCE-44370-5
Log on as a service This policy setting allows accounts to launch network services or to register a process as a service running on the system. This user right should be restricted on any computer in a high security environment, but because many applications may require this privilege, it should be ...

CCE-43340-9
Disable: 'Shutdown: Allow system to be shut down without having to log on' This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. Microsoft recommends to disab ...

CCE-42138-8
Disable: 'Allow definition updates when running on battery power' This policy setting allows you to configure definition updates when the computer is running on battery power. If you enable or do not configure this setting, definition updates will occur as usual regardless of power state. I ...

CCE-43122-1
Specify the 'Configure Windows software trace preprocessor components' (WppTracingComponents Min:0 Max:4294967295) This policy configures Windows software trace preprocessor (WPP Software Tracing) components. Counter Measure: Configure this setting depending on your organization's requirem ...

CCE-42781-5
Disable: 'Interactive logon: Do not require CTRL+ALT+DEL' This policy setting determines whether users must press CTRL+ALT+DEL before they log on. If you enable this policy setting, users can log on without this key combination. If you disable this policy setting, users must press CTRL+ALT+DEL befo ...

CCE-43810-1
Specify the 'PIN Expiration' (in days Min:0 Max:730) This setting specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The PIN can be set to expire after any number of days between 1 and 730, or PINs can be set to never expire if the policy ...

CCE-43220-3
Search, Share, Start, Devices, and Settings don't appear when the mouse is pointing to the upper-right corner of the screen This policy setting allows you to prevent Search, Share, Start, Devices, and Settings from appearing when the mouse is pointing to the upper-right corner of the screen. If yo ...

CCE-44426-5
Select the 'Let Windows apps access motion' to user_is_in_control This policy setting specifies whether Windows apps can access motion data. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access motion data by using Settings &gt ...

CCE-42269-1
Ensure No Auditing for 'Audit Policy: Object Access: Certification Services' This subcategory reports when Certification Services operations are performed. Events for this subcategory include: - 4868: The certificate manager denied a pending certificate request. - 4869: Certificate Service ...

CCE-42552-0
Disable: 'Open a new tab with an empty tab' This policy setting specifies what happens when Microsoft Edge opens a new tab. By default, a new tab page appears. If you disable this policy setting, Microsoft Edge opens a new, empty tab. Employees can't change this option. If you ...

CCE-41557-0
Disable: 'Microsoft network client: Send unencrypted password to third-party SMB servers' for EnablePlainTextPassword Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to third-party SMB servers that do not support password encryption. ...

CCE-41762-6
Disable: 'Domain member: Digitally encrypt or sign secure channel data (always)' for requiresignorseal This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. If a system is set to always encrypt or sign secure channel da ...

CCE-42127-1
Disable: 'Network Security: Restrict NTLM: Audit NTLM authentication in this domain' for AuditNTLMInDomain This policy setting allows you to audit NTLM authentication in a domain from this domain controller. This policy is supported on at least Windows Server 2008 R2. Note: Audit events are ...

CCE-43253-4
Disable: 'Configure local setting override for scheduled scan time' This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group ...

CCE-43011-6
Change the system time This policy setting determines which users and groups can change the time and date on the internal clock of the computers in your environment. Users who are assigned this user right can affect the appearance of event logs. When a computer's time setting is changed, logged eve ...

CCE-43930-7
Disable: 'Deny write access to removable drives not protected by BitLocker' for RDVDenyWriteAccess This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data dri ...

CCE-44437-2
Disable: 'Turn on convenience PIN sign-in' This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies ...

CCE-42585-0
Disable: 'MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments)' for AutoShareWks MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments) Counter Measure: Do not configure the MSS: (AutoShareWks) En ...

CCE-42487-9
Disable showing balloon notifications as toasts This policy disables the functionality that converts balloons to toast notifications. If you enable this policy setting, system and application notifications will render as balloons instead of toast notifications. Enable this policy setting if a spe ...

CCE-41871-5
Ensure Audit Success and Failure for 'Audit Policy: System: System Integrity' This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include: - 4612 : Internal resources allocated for the queuing of audit messages have been exhausted, leading ...

CCE-43144-5
Disable: 'Windows Firewall: Private: Apply local connection security rules' for AllowLocalIPsecPolicyMerge This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. Counter M ...

CCE-41773-3
Disable: 'Domain member: Digitally sign secure channel data (when possible)' for signsecurechannel This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic ...

CCE-43605-5
Ensure No Auditing for 'Audit Policy: Object Access: Kernel Object' This subcategory reports when kernel objects such as processes and mutexes are accessed. Only kernel objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL. Typically ...

CCE-43832-5
Remove Notifications and Action Center This policy setting removes Notifications and Action Center from the notification area on the taskbar. The notification area is located at the far right end of the taskbar and includes icons for current notifications and the system clock. If this setting is ...

CCE-42706-2
Ensure No Auditing for 'Audit Policy: Object Access: Application Generated' This subcategory reports when applications attempt to generate audit events by using the Windows auditing application programming interfaces (APIs). Events for this subcategory include: - 4665: An attempt was made to cr ...

CCE-44448-9
Specify the 'Configure the Enterprise Mode Site List' (SiteList) This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. Turning this setting on lets Microsoft Edge look for the En ...

CCE-44052-9
Disable: 'Require a Password When a Computer Wakes (On Battery)' Specifies whether or not the user is prompted for a password when the system resumes from sleep. Counter Measure: Configure Require a Password When a Computer Wakes (On Battery) to Enabled. Potential Impact: If you e ...

CCE-43843-2
Turn off the offer to update to the latest version of Windows Enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. If you disable or do not configure this setting ...

CCE-44161-8
Disable: 'Allow antimalware service to remain running always' This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware definitions are disabled. It is recommended that this setting remain disabled. If you enable this setti ...

CCE-41995-2
Minimum PIN length Minimum PIN length configures the minimum number of characters required for the work PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or t ...

CCE-43889-5
Disable: 'WDigest Authentication (disabling may require KB2871997)' When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. Microsoft recommends disabling WDigest authentication unless it is needed. If this s ...

CCE-42670-0
Disable: 'Turn off location' This policy setting turns off the location feature for this computer. If you enable this policy setting, the location feature will be turned off, and all programs on this computer will not be able to use location information from the location feature. ...

CCE-42715-3
Audit Policy: Logon-Logoff: Network Policy Server This subcategory reports events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. Auditing this setting will result in a medium or high volum ...

CCE-44319-2
Disable: 'Configure Logon Script Delay' Enter "0" to disable Logon Script Delay. This policy setting allows you to configure how long the Group Policy client waits after logon before running scripts. By default, the Group Policy client waits five minutes before run ...

CCE-43745-9
Show Start on the display the user is using when they press the Windows logo key This policy setting allows the Start screen to appear on the display the user is using when they press the Windows logo key. This setting only applies to users who are using multiple displays. If you enable this polic ...

CCE-42210-5
Ensure No Auditing for 'Audit Policy: DS Access: Detailed Directory Service Replication' This subcategory reports detailed information about the information replicating between domain controllers. These events can be very high in volume. Events for this subcategory include: - 4928: An Active Di ...

CCE-41566-1
Generate security audits This policy setting determines which users or processes can generate audit records in the Security log. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users ...

CCE-44150-1
Specify the 'Windows Firewall: Domain: Logging: Size limit (KB)' Use this option to specify the size limit of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to "16384". Potential Impact: The log file size will be l ...

CCE-43854-9
Deny log on locally This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.Important:If you apply this security policy to the Everyone group, no one ...

CCE-42221-2
Disable: 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' for SafeDllSearchMode MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Counter Measure: Configure the MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) entry to a value of Enabl ...

CCE-44428-1
Select the 'Let Windows apps access the camera' to user_is_in_control This policy setting specifies whether Windows apps can access the camera. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the camera by using Settings & ...

CCE-43124-7
Disable: 'Use advanced RemoteFX graphics' for RemoteApp This policy setting allows you to enable RemoteApp programs to use advanced graphics, including support for transparency, live thumbnails, and seamless application moves. This policy setting applies only to RemoteApp programs and does not appl ...

CCE-41840-0
Disable: 'Microsoft network client: Digitally sign communications (always)' for RequireSecuritySignature This policy setting determines whether packet signing is required by the SMB client component. If you enable this policy setting, the Microsoft network client computer cannot communicate with a ...

CCE-42859-9
Disable: 'Do not sync Apps' for DisableAppSyncSettingSync Prevent the "AppSync" group from syncing to and from this PC. This turns off and disables the "AppSync" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "AppSync" group will not be synced. ...

CCE-43756-6
Turn off calls during Quiet Hours This policy setting blocks voice and video calls during Quiet Hours. If you enable this policy setting, voice and video calls will be blocked during the designated Quiet Hours time window each day, and users will not be able to customize any other Quiet Ho ...

CCE-42837-5
Disable: 'Windows Firewall: Public: Firewall state' for EnableFirewall Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rul ...

CCE-43157-7
Ensure No Auditing for 'Audit Policy: Account Management: Distribution Group Management' This subcategory reports each event of distribution group management, such as when a distribution group is created, changed, or deleted or when a member is added to or removed from a distribution group. If you ...

CCE-42583-5
Disable: 'Turn on PowerShell Transcription' for EnableTranscripting This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. If you enable this policy setting, Windows PowerShell will enable transcription for Windows PowerShel ...

CCE-43255-9
'Specify the interval to run quick scans per day' (QuickScanInterval in hours Min:0 Max:24) This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 ...

CCE-42694-0
Disable: 'Use a hardware security device' A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices. If you enable this policy setting, only devices with a usable TPM provision Microsoft Passport for Work. ...

CCE-43671-7
Disable: 'User Account Control: Behavior of the elevation prompt for standard users' for ConsentPromptBehaviorUser This policy setting controls the behavior of the elevation prompt for standard users. The options are: - Prompt for credentials: When an operation requires elevation of privile ...

CCE-43865-5
Ensure No Auditing for 'Audit Policy: Policy Change: Audit Policy Change' This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include: - 4715: The audit policy (SACL) on an object was changed. - 4719: System audit policy was changed. - ...

CCE-44439-8
Select the 'Turn off the SmartScreen Filter' for EnabledV9 to Off This setting lets you decide whether to turn on SmartScreen Filter. SmartScreen Filter provides warning messages to help protect your employees from potential phishing scams and malicious software. Turning this setting on, or not ...

CCE-42485-3
Select the 'Send file samples when further analysis is required' for SubmitSamplesConsent to always_prompt This policy setting configures behavior of samples submission when opt-in for MAPS telemetry is set. Possible options are: (0x0) Always prompt (0x1) Send sa ...

CCE-42826-8
Disable: 'Windows Firewall: Domain: Logging: Name' for LogFilePath Use this option to specify the path and name of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to a value suitable for your organization, such as the defaul ...

CCE-42900-1
Disable: 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' for scenoapplylegacyauditpolicy This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy se ...

CCE-44219-4
Disable: 'Enable Group Policy Caching for Servers' for EnableLogonOptimizationOnServerSKU This policy setting allows you to configure Group Policy caching behavior on Windows Server machines. If you enable this policy setting, Group Policy caches policy information after every backgroun ...

CCE-43830-9
Specify the 'Cipher suite order (Lanman Workstation) for CipherSuiteOrder (CSV of CipherSuites)' value This policy setting determines the cipher suites used by the SMB client. If you enable this policy setting, cipher suites are prioritized in the order specified. If you enable this policy ...

CCE-41677-6
Ensure No Auditing for 'Audit Policy: Privilege Use: Other Privilege Use Events' This subcategory is not used. Counter Measure: Enable Audit policy settings that support the organizational security policy for all the computers in your organization. Identify the components that you need for ...

CCE-44041-2
Disable: 'Port number Exclusions' This policy setting defines a list of TCP port numbers from which network traffic inspection will be disabled. Port numbers should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string represe ...

CCE-43331-8
Adjust memory quotas for a process This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial of service (DoS) ...

CCE-42774-0
Prevent users from customizing their Start Screen This policy setting allows you to prevent users from changing their Start screen layout. If you enable this setting, you will prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the customiz ...

CCE-43901-8
Disable: 'Do not allow locations on removable drives to be added to libraries' This policy setting configures whether or not locations on removable drives can be added to libraries. If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition ...

CCE-43382-1
Disable: 'Configure local setting override for scanning all downloaded files and attachments' for LocalSettingOverrideDisableIOAVProtection This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Gro ...

CCE-41537-2
Disable: 'Control use of BitLocker on removable drives' for RDVConfigureBDE This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker. When this policy setting is enabled you can select property settings that control ho ...

CCE-44302-8
Remove Security tab Removes the Security tab from File Explorer. If you enable this setting, users opening the Properties dialog box for all file system objects, including folders, files, shortcuts, and drives, will not be able to access the Security tab. As a result, users will be able to neither ...

CCE-42917-5
Disable: 'Turn off Internet download for Web publishing and online ordering wizards' This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. Counter Measure: Enable this setting Potential Impact: If this po ...

CCE-42872-2
Password must meet complexity requirements This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain the user's account name or parts of the user's ...

CCE-42314-5
Specify the 'Turn Off the Display (On Battery)' (DCSettingIndex Min:0 Max:4294967295) Specifies the period of inactivity before Windows turns off the display. If you enable this policy, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off th ...

CCE-42676-7
'Specify the maximum percentage of CPU utilization during a scan' (AvgCPULoadFactor % Min:0 Max:100) This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A val ...

CCE-41646-1
Disable: 'Windows Firewall: Domain: Apply local connection security rules' This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. Counter Measure: Disable this setting ...

CCE-42981-1
Enable: 'Turn on definition retirement' for DisableSignatureRetirement This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to ...

CCE-44050-3
Disable: 'Apply UAC restrictions to local accounts on network logons' This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password ...

CCE-44457-0
Disable: 'Defer Upgrades and Updates' for DeferUpgrade Enable this policy in order to defer upgrades for up to eight months. You can also choose to delay updates for up to one month. If you do not delay updates, your PC will remain up to date with security updates as they become available. ...

CCE-43536-2
Store passwords using reversible encryption This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user's password for authentication purposes. Passwords th ...

CCE-42556-1
Disable: 'Turn off Automatic Download of updates on Win8 machines' Enables or disables the automatic download of app updates on PCs running Windows 8. If you enable this setting, the automatic download of app updates is turned off. If you disable this setting, the automatic download of app ...

CCE-42883-9
Disable: 'Turn on scan after signature update' This policy setting allows you to configure the automatic scan which starts after a definition update has occurred. If you enable or do not configure this setting, a scan will start following a definition update. If you disable this setting, a ...

CCE-43814-3
Disable: 'Disable all apps from Windows Store' Disable turns off the launch of all apps from the Windows Store that came pre-installed or were downloaded. Apps will not be updated. Your Store will be also be disabled. Enable turns all of it back on. Counter Measure: Configure this setting ...

CCE-43438-1
Back up files and directories This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programmin ...

CCE-42134-7
Disable: 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' for NTLMMinClientSec This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications t ...

CCE-43295-5
Disable: 'Allow enhanced PINs for startup' This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker. Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is ...

CCE-43849-9
Disable: 'Do not process the legacy run list' This policy setting causes the run list, which is a list of programs that Windows runs automatically when it starts, to be ignored. The customized run lists for Windows Vista are stored in the registry at the following locations: - HKEY_LOCAL_MACHIN ...

CCE-44292-1
Disable: 'Do not process the run once list' This policy setting causes the run once list, which is the list of programs that Windows Vista runs automatically when it starts, to be ignored. This policy setting differs from the Do not process the legacy run list setting in that programs on this list ...

CCE-44324-2
Disable: 'Configure local setting override to turn on real-time protection' This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take pri ...

CCE-41611-5
Disable: 'Windows Firewall: Public: Inbound connections' This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Counter Measure: Configure ...

CCE-44194-9
Ensure No Auditing for 'Audit Policy: DS Access: Directory Service Changes' This subcategory reports changes to objects in Active Directory Domain Services (AD DS). The types of changes that are reported are create, modify, move, and undelete operations that are performed on an object. DS Change au ...

CCE-42819-3
Disable: 'Extension Exclusions' This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be ...

CCE-44422-4
Select the 'Let Windows apps access contacts' to user_is_in_control This policy setting specifies whether Windows apps can access contacts. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access contacts by using Settings &gt; Pr ...

CCE-42970-4
Accounts: Rename administrator account The built-in local administrator account is a well-known account name that attackers will target. Microsoft recommends to choose another name for this account, and to avoid names that denote administrative or elevated access accounts. Be sure to also change th ...

CCE-42589-2
Disable: 'Allow Standby States (S1-S3) When Sleeping (Plugged In)' Dictates whether or not Windows is allowed to use standby states when sleeping the computer. When this policy is enabled, Windows may use standby states to sleep the computer. If this policy is disabled, the only sleep state a c ...

CCE-42543-9
Disable: 'Require PIN pairing' This policy applies to Wireless Display connections. This policy means that the use of a PIN for pairing to Wireless Display devices is required rather than optional. Conversely it means that Push Button is NOT allowed. If this policy setting is disabled or is ...

CCE-42798-9
Disable: 'Devices: Restrict CD-ROM access to locally logged-on user only' for AllocateCDRoms This policy setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. If you enable this policy setting, only the interactively logged-on user is allowed to access rem ...

CCE-43151-0
Disable: 'Configure use of smart cards on fixed data drives' for FDVAllowUserCert This policy setting allows you to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer. If you enable this policy setting smart cards can b ...

CCE-44433-1
Disable: 'Use enhanced anti-spoofing when available' for EnhancedAntiSpoofing This policy setting determines whether enhanced anti-spoofing is configured for devices which support it. If you do not configure this policy setting, users will be able to choose whether or not to use enhanced anti-s ...

CCE-43934-9
'Specify the time of day to run a scheduled scan' (ScheduleTime in Mins Min:0 Max:1440) This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalen ...

CCE-41504-2
Disable: 'Interactive logon: Prompt user to change password before expiration' for passwordexpirywarning This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently warn us ...

CCE-43416-7
Ensure No Auditing for 'Audit Policy: Policy Change: Authentication Policy Change' This subcategory reports changes in authentication policy. Events for this subcategory include: - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4713: Kerberos poli ...

CCE-42112-3
Disable: 'Validate smart card certificate usage rule compliance' for CertificateOID This policy setting allows you to associate an object identifier from a smart card certificate to a BitLocker-protected drive. This policy setting is applied when you turn on BitLocker. The object identifier is ...

CCE-44085-9
Disable: 'Turn off Data Execution Prevention' for Explorer Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. Counter Measure: We recommend that you disable this policy setting unless you have to support legacy busine ...

CCE-44172-5
Deny log on as a service This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies.Note: This security setting does not apply to the S ...

CCE-42861-5
Specify the 'Display additional text to clients when they need to perform an action' value (text) This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For ex ...

CCE-44315-0
Act as part of the operating system This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local o ...

CCE-42434-1
Disable: 'Accounts: Block Microsoft accounts' This policy setting prevents users from adding new Microsoft accounts on this computer. If you select the "Users can't add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account t ...

CCE-41679-2
Minimum password length This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps 'pass phrase' is a better term than 'password.' In Mic ...

CCE-43923-2
Disable: 'Include command line in process creation events' This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting the c ...

CCE-44444-8
Disable: 'Turn off address bar search suggestions' This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. Turning this setting on, or not configuring it, lets your employees see search suggestions in the Address bar. Turning this setting ...

CCE-44119-6
Disable: 'Allow unencrypted traffic for AllowUnencryptedTraffic' This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencr ...

CCE-41953-1
Minimum password age This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this sett ...

CCE-41700-6
Disable: 'Turn off picture password sign-in' This policy setting allows you to control whether a domain user can sign in using a picture password. If you enable this policy setting, a domain user can't set up or sign in with a picture password. If you disable or don't configure this policy ...

CCE-42772-4
Specify the 'Define file shares for downloading definition updates' (File Shares Sources) This policy setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-se ...

CCE-43801-0
Select the 'Untrusted Font Blocking' to block_untrusted_fonts_and_log_events This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. This feature can be configured to be in 3 mo ...

CCE-43847-3
Turn off toast notifications on the lock screen This policy setting turns off toast notifications on the lock screen. If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen. If you disable or do not configure this policy setting, toast not ...

CCE-43275-7
Specify the 'DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax' value (SDDL String) This policy setting determines which users or groups might access DCOM application remotely or locally. This setting is used to control the attack surface of the computer for ...

CCE-43429-0
Disable: 'Allow notifications to disable definitions based reports to Microsoft MAPS' This policy setting allows you to configure the antimalware service to receive notifications to disable individual definitions in response to reports it sends to Microsoft MAPS. Microsoft MAPS uses these notificat ...

CCE-42674-2
Audit Policy: Object Access: Detailed File Share This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any conn ...

CCE-44459-6
Deploy Code Integrity Policy This policy setting lets you deploy a Code Integrity Policy to a machine to control what is allowed to run on that machine. If you deploy a Code Integrity Policy, Windows will restrict what can run in both kernel mode and on the Windows Desktop based on the policy. To ...

CCE-41855-8
Disable: 'System objects: Require case insensitivity for non-Windows subsystems' This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as t ...

CCE-43703-8
Disable: 'Configure use of smart cards on removable data drives' for RDVAllowUserCert This policy setting specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choose to allow use of a password, you can require a password to be used, enforce complexity ...

CCE-43749-1
Specify the 'Define the number of days before virus definitions are considered out of date' (Threshold days for AVSignatureDue Min:0 Max:4294967295) This policy setting allows you to define the number of days that must pass before virus definitions are considered out of date. If definitions are det ...

CCE-42554-6
Disable: 'Do not allow hardware accelerated decoding' This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration if supported hardware is available. If you use this setting, the Remote Desktop Client will use only software decoding. For example, if you have a ...

CCE-41988-7
Disable: 'Initiate definition update on startup' for DisableUpdateOnStartupWithoutEngine This policy setting allows you to configure definition updates on startup when there is no antimalware engine present. If you enable or do not configure this setting, definition updates will be initiated on ...

CCE-42136-2
Enforce password history This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwor ...

CCE-43812-7
Select the 'Configure H.264/AVC hardware encoding for Remote Desktop Connections' value This policy setting lets you enable H.264/AVC hardware encoding support for Remote Desktop Connections. When you enable hardware encoding, if an error occurs, we will attempt to use software encoding. If you dis ...

CCE-44192-3
Debug programs This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. Developers who are debugging their own applications do not need to be ass ...

CCE-41844-2
Disable: 'Disallow Autoplay for non-volume devices' This policy setting disallows AutoPlay for MTP devices like cameras or phones. If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. If you disable or do not configure this p ...

CCE-44139-4
Disable: 'Control Security Event Log behavior when the log file reaches its maximum size' This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log ...

CCE-42410-1
Ensure Audit Success and Failure for 'Audit Policy: Account Management: User Account Management' This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or chan ...

CCE-42685-8
Disable: 'Choose how BitLocker-protected operating system drives can be recovered' for OSRecovery This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you t ...

CCE-43120-5
Disable: 'Automatically send memory dumps for OS-generated error reports' This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional dat ...

CCE-44424-0
Select the 'Let Windows apps access location' to user_is_in_control This policy setting specifies whether Windows apps can access location. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access location by using Settings &gt; Pr ...

CCE-43407-6
Disable: 'Windows Firewall: Public: Outbound connections' for DefaultOutboundAction This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. ...

CCE-43869-7
Disable: 'LSA Protection' Enable LSA protection. For more information, see http://technet.microsoft.com/en-us/library/dn408187.aspx Counter Measure: Enable and configure this setting. Potential Impact: Some unprotected LSA processes will be unable to function.

CCE-42652-8
Disable: 'Do not display the password reveal button' This policy setting allows you to configure the display of the password reveal button in password entry user experiences. If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the ...

CCE-42114-9
Disable: 'Reset platform validation data after BitLocker recovery' This policy setting allows you to control whether or not platform validation data is refreshed when Windows is started following BitLocker recovery. If you enable this policy setting, platform validation data will be refreshed w ...

CCE-42761-7
Disable: 'Customize Warning Messages' for UseCustomMessages The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer. The "Display warning message before connecting" policy setting a ...

CCE-42530-6
Specify the 'Cipher suite order (Lanman Server)' value This policy setting determines the cipher suites used by the SMB server. If you enable this policy setting, cipher suites are prioritized in the order specified. If you enable this policy setting and do not specify at least one supporte ...

CCE-44170-9
Pin Apps to Start when installed This policy setting allows pinning apps to Start by default, when they are included by AppID on the list. Counter Measure: Configure this setting depending on your organization's requirements. Potential Impact: Apps are not automatically pinned to ...

CCE-44313-5
Create permanent shared objects This user right is useful to kernel-mode components that extend the object namespace. However, components that run in kernel mode have this user right inherently. Therefore, it is typically not necessary to specifically assign this user right. When configuring a use ...

CCE-42576-9
Disable: 'Use Microsoft Passport' for Work Microsoft Passport for Work is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards. If you enable or do not configure this policy ...

CCE-42247-7
Profile system performance This policy setting allows users to use tools to view the performance of different system processes, which could be abused to allow attackers to determine a system's active processes and provide insight into the potential attack surface of the computer. When configuring ...

CCE-42894-6
Select the 'Set client connection encryption level' to low_level This policy setting specifies whether the computer that is about to host the remote connection will enforce an encryption level for all data sent between it and the client computer for the remote session. Counter Measure: Con ...

CCE-42663-5
Specify the 'System settings: Optional subsystems' value This policy setting determines which subsystems are used to support applications in your environment. Note: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line fee ...

CCE-43921-6
Disable: 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' for ConsentPromptBehaviorAdmin This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Elevate without prompting: Allows privileged ac ...

CCE-44446-3
Select the 'Configure Cookies' to allow_all_cookies This setting lets you configure how your company deals with cookies. Turning this setting on lets you decide to: Allow all cookies (default). Allows all cookies from all websites. Block only 3rd-party cookies. Blocks only cookies from ...

CPE    1
cpe:/o:microsoft:windows_10
*XCCDF
xccdf_org.secpod_benchmark_general_Windows_10
OVAL    653
oval:org.secpod.oval:def:35052
oval:org.secpod.oval:def:35294
oval:org.secpod.oval:def:35295
oval:org.secpod.oval:def:35053
...

© 2013 SecPod Technologies