CCE-22873-4
Determines whether a user can install and configure the Network Bridge. Important: This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS do ...

CCE-22206-7
Auditing of "Object Access: Other Object Access Events" events on failure should be enabled or disabled as appropriate.

CCE-22850-2
Set the default behavior for AutoRun

CCE-21820-6
Auditing of 'Detailed Tracking: RPC Events' events on failure should be enabled or disabled as appropriate.

CCE-22666-2
The 'Do not process the run once list' setting should be configured correctly.

CCE-22436-0
The 'User Account Control: Only elevate executables that are signed and validated' setting should be configured correctly.

CCE-22982-3
The "Configure use of smart cards on removable data drives" machine setting should be configured correctly.

CCE-22798-3
Auditing of "Policy Change: Other Policy Change Events" events on failure should be enabled or disabled as appropriate.

CCE-21591-3
The "Do not send additional data" setting should be configured correctly.

CCE-22184-6
Auditing of "Object Access: Kernel Object" events on success should be enabled or disabled as appropriate.

CCE-22632-4
Specify the maximum log file size (KB)

CCE-22150-7
The "Turn off Autoplay for non-volume devices" setting should be configured correctly.

CCE-22906-2
The "Network access: Do not allow anonymous enumeration of SAM accounts and shares" setting should be configured correctly.

CCE-23454-2
Auditing of 'Policy Change: Authentication Policy Change' events on success should be enabled or disabled as appropriate.

CCE-23017-7
Windows Firewall: Public: Logging: Log dropped packets

CCE-23180-3
Windows Firewall: Private: Outbound connections

CCE-21831-3
The "Turn Off the Display (Plugged In)" machine setting should be configured correctly.

CCE-23104-3
Turn off the "Order Prints" picture task

CCE-22349-5
The "MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)" setting should be configured correctly.

CCE-22294-3
The 'User Account Control: Admin Approval Mode for the Built-in Administrator account' setting should be configured correctly.

CCE-22534-2
Auditing of 'DS Access: Directory Service Access' events on success should be enabled or disabled as appropriate.

CCE-23127-4
The "Always prompt for password upon connection" machine setting should be configured correctly.

CCE-22303-2
The 'Audit: Shut down system immediately if unable to log security audits' setting should be configured correctly.

CCE-21635-8
The "Require a Password When a Computer Wakes (Plugged In)" machine setting should be configured correctly.

CCE-22437-8
Auditing of "Detailed Directory Service Replication" events on success should be enabled or disabled as appropriate.

CCE-21612-7
Choose how BitLocker-protected removable drives can be recovered This policy setting allows you to control how BitLocker-protected removable data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The 'Allow data recovery a ...

CCE-21844-6
Auditing of 'Object Access: Detailed File Share' events on failure should be enabled or disabled as appropriate.

CCE-23192-8
The 'Take ownership of files or other objects' user right should be assigned to the appropriate accounts.

CCE-21999-8
The 'Audit: Audit the access of global system objects' setting should be configured correctly.

CCE-22490-7
The "Allow Basic authentication" machine setting should be configured correctly for the WinRM service.

CCE-21590-5
Configure use of passwords for fixed data drives This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives. If you choose to permit the use of a password, you can require that a password be used, enforce complexity requirements on the password, and ...

CCE-22183-8
The "Turn off downloading of print drivers over HTTP" machine setting should be configured correctly.

CCE-22905-4
Auditing of 'Detailed Tracking: Process Creation' events on success should be enabled or disabled as appropriate.

CCE-22402-2
The 'Account lockout duration' setting should be configured correctly.

CCE-21855-2
Auditing of 'Logon-Logoff: IPsec Quick Mode' events on success should be enabled or disabled as appropriate.

CCE-22425-3
The "Choose drive encryption method and cipher strength" machine setting should be configured correctly.

CCE-22993-0
Windows Firewall: Public: Allow unicast response

CCE-22558-1
Auditing of "Object Access: Filtering Platform Packet Drop" events on success should be enabled or disabled as appropriate.

CCE-21394-2
Reschedule Automatic Updates scheduled installations This policy setting determines the amount of time before previously scheduled Automatic Update installations will proceed after system startup. If you configure this policy setting to Enabled, a previously scheduled installation will begin after ...

CCE-22204-2
Auditing of "Policy Change: Authorization Policy Change" events on failure should be enabled or disabled as appropriate.

CCE-23336-1
Auditing of "Account Management: Application Group Management" events on failure should be enabled or disabled as appropriate.

CCE-21701-8
Disallow WinRM from storing RunAs credentials

CCE-21152-4
This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. If you disable this policy ...

CCE-22182-0
The "Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS)" machine setting should be configured correctly.

CCE-22731-4
Interactive logon: Machine account lockout threshold

CCE-22129-1
The "Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com" machine setting should be configured correctly.

CCE-22777-7
Allow Secure Boot for integrity validation

CCE-22359-4
This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its computer account password. If you disable this policy setting, the domain member can change its compu ...

CCE-22589-6
Set 6to4 State

CCE-22909-6
The "Enforce password history" setting should be configured correctly.

CCE-21810-7
Windows Firewall: Domain: Logging: Log successful connections

CCE-23227-2
Specify the search server for device driver updates

CCE-22630-8
Auditing of 'Policy Change: MPSSVC Rule-Level Policy Change' events on failure should be enabled or disabled as appropriate.

CCE-21627-5
The "Allow Standby States (S1-S3) When Sleeping (On Battery)" machine setting should be configured correctly.

CCE-22886-6
The 'Force shutdown from a remote system' user right should be assigned to the appropriate accounts.

CCE-22676-1
The 'Windows Firewall: Private: Apply local firewall rules' setting should be configured correctly.

CCE-22863-5
Enable RPC Endpoint Mapper Client Authentication

CCE-22950-0
The "Shutdown: Clear virtual memory pagefile" setting should be configured correctly.

CCE-22324-8
Windows Firewall: Domain: Outbound connections

CCE-22578-9
The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.

CCE-22301-6
The 'Network Security: Configure encryption types allowed for Kerberos' setting should be configured correctly.

CCE-21920-4
Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. Countermeasure: Configure this policy setting to 900 seconds (15 minutes) so that the risk of a user's desktop session being hijac ...

CCE-22688-6
The 'Adjust memory quotas for a process' user right should be assigned to the appropriate accounts.

CCE-22412-1
Turn off Automatic Download of updates

CCE-21516-0
The 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly.

CCE-22060-8
The "MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)" setting should be configured correctly.

CCE-22458-4
Windows Firewall: Domain: Logging: Size limit (KB)

CCE-22181-2
Windows Firewall: Public: Outbound connections

CCE-22960-9
The 'Increase scheduling priority' user right should be assigned to the appropriate accounts.

CCE-21471-8
Auditing of 'DS Access: Detailed Directory Service Replication' events on failure should be enabled or disabled as appropriate.

CCE-22567-2
The "Password must meet complexity requirements" setting should be configured correctly.

CCE-23062-3
The "Turn off the Windows Messenger Customer Experience Improvement Program" machine setting should be configured correctly.

CCE-21626-7
Enumerate local users on domain-joined computers

CCE-22446-9
Disable: 'Configure use of hardware-based encryption for fixed data drives' for FDVHardwareEncryption This policy setting allows you to manage BitLocker's use of hardware-based encryption on fixed data drives and specify which encryption algorithms it can use with hardware-based encryption. Using h ...

CCE-22469-1
The 'Modify an object label' user right should be assigned to the appropriate accounts.

CCE-21396-7
The "Require domain users to elevate when setting a network's location" machine setting should be configured correctly.

CCE-21460-1
Windows Firewall: Private: Logging: Name

CCE-23096-1
Auditing of "Account Management: Distribution Group Management" events on failure should be enabled or disabled as appropriate.

CCE-22291-9
The "Change the time zone" user right should be assigned to the appropriate accounts.

CCE-23073-0
Auditing of 'System: Security System Extension' events on success should be enabled or disabled as appropriate.

CCE-22787-6
The 'Allow Standby States (S1-S3) When Sleeping (Plugged In)' setting should be configured correctly.

CCE-21736-4
Control Event Log behavior when the log file reaches its maximum size

CCE-21638-2
The 'Deny log on through Remote Desktop Services' user right should be assigned to the appropriate accounts.

CCE-21921-2
The 'Network access: Do not allow storage of passwords and credentials for network authentication' setting should be configured correctly.

CCE-22919-5
Turn off access to the Store

CCE-22624-1
Auditing of "Privilege Use: Sensitive Privilege Use" events on failure should be enabled or disabled as appropriate.

CCE-21801-6
The 'User Account Control: Switch to the secure desktop when prompting for elevation' setting should be configured correctly.

CCE-21617-6
The 'Create a pagefile' user right should be assigned to the appropriate accounts.

CCE-22854-4
Auditing of 'Policy Change: Audit Policy Change' events on success should be enabled or disabled as appropriate.

CCE-22877-5
Windows Firewall: Private: Display a notification

CCE-21910-5
This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user's password for authentication purposes. Passwords that are stored with reversible encryption are e ...

CCE-21508-7
The 'Windows Firewall: Public: Apply local connection security rules' setting should be configured correctly.

CCE-21726-5
Auditing of "Object Access: Certification Services" events on failure should be enabled or disabled as appropriate.

CCE-21956-8
Auditing of 'DS Access: Directory Service Changes' events on success should be enabled or disabled as appropriate.

CCE-23349-4
Boot-Start Driver Initialization Policy

CCE-22319-8
The 'Allow Remote Shell Access' setting should be configured correctly.

CCE-23447-6
Windows Firewall: Private: Logging: Size limit (KB)

CCE-23036-7
Auditing of "Account Management: Other Account Management Events" events on failure should be enabled or disabled as appropriate.

CCE-21629-1
Allow user control over installs

CCE-23100-1
The 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' setting should be configured correctly.

CCE-21968-3
The 'Windows Firewall: Domain: Apply local firewall rules' setting should be configured correctly.

CCE-22481-6
The "Turn off Registration if URL connection is referring to Microsoft.com" machine setting should be configured correctly.

CCE-22648-0
The BitLocker 'Configure use of smart cards on fixed data drives' setting should be configured correctly.

CCE-21802-4
The "Deny write access to removable drives not protected by BitLocker" machine setting should be configured correctly.

CCE-22580-5
Configure use of hardware-based encryption for removable data drives This policy setting allows you to manage BitLocker's use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can ...

CCE-22187-9
The "Prohibit Access of the Windows Connect Now wizards" machine setting should be configured correctly.

CCE-22350-3
Enable indexing uncached Exchange folders

CCE-22876-7
Auditing of "System: Security State Change" events on failure should be enabled or disabled as appropriate.

CCE-23521-8
Windows Firewall: Domain: Logging: Name

CCE-23158-9
The "Set time limit for active but idle Remote Desktop Services sessions" machine setting should be configured correctly.

CCE-22285-1
The 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' setting should be configured correctly.

CCE-22592-0
The 'Maximum password age' setting should be configured correctly.

CCE-22199-4
Configure Automatic Updates This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the net ...

CCE-22384-2
The 'Recovery console: Allow automatic administrative logon' setting should be configured correctly.

CCE-21791-9
The 'Microsoft network server: Digitally sign communications (always)' setting should be configured correctly.

CCE-23578-8
When enabled, this policy setting causes Local System services that use Negotiate to use the computer identity when NTLM authentication is selected by the negotiation. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Countermeasure: Configure Network security: Allo ...

CCE-21836-2
The "Do not use temporary folders per session" machine setting should be configured correctly.

CCE-23124-1
The 'Turn off Data Execution Prevention for Explorer' setting should be configured correctly.

CCE-22637-3
Control Event Log behavior when the log file reaches its maximum size

CCE-22539-1
The 'Turn off printing over HTTP' setting should be configured correctly.

CCE-22130-9
The "Prevent Automatic Updates" machine setting should be configured correctly.

CCE-22308-1
Require additional authentication at startup This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you tu ...

CCE-21826-3
Windows Firewall: Private: Inbound connections

CCE-22438-6
Auditing of 'Account Logon: Kerberos Authentication Service' events on failure should be enabled or disabled as appropriate.

CCE-22163-0
Allow all trusted apps to install

CCE-23589-5
Choose how BitLocker-protected operating system drives can be recovered This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. The ' ...

CCE-23566-3
The 'Bypass traverse checking' user right should be assigned to the appropriate accounts.

CCE-21453-6
The "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" setting should be configured correctly.

CCE-23159-7
The "Turn off Automatic Root Certificates Update" machine setting should be configured correctly.

CCE-21660-6
The "MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)" setting should be configured correctly.

CCE-22491-5
The "Turn off Microsoft Peer-to-Peer Networking Services" machine setting should be configured correctly.

CCE-22152-3
The 'Turn off Internet download for Web publishing and online ordering wizards' setting should be configured correctly.

CCE-21792-7
The "Prohibit non-administrators from applying vendor signed updates" machine setting should be configured correctly.

CCE-22381-8
Auditing of 'Account Management: Security Group Management' events on success should be enabled or disabled as appropriate.

CCE-22054-1
The "Allow enhanced PINs for startup" machine setting should be configured correctly.

CCE-22611-8
This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member will request encryption of all secure channel traffic. If you disable this policy setting, the domain m ...

CCE-21671-3
The 'Account lockout threshold' setting should be configured correctly.

CCE-21694-5
Prevent installation of devices using drivers that match these device setup classes This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any ...

CCE-22723-1
Auditing of 'Logon-Logoff: Other Logon/Logoff Events' events on failure should be enabled or disabled as appropriate.

CCE-23641-4
The "Turn off handwriting recognition error reporting" machine setting should be configured correctly.

CCE-23028-4
Auditing of "System: Other System Events" events on success should be enabled or disabled as appropriate.

CCE-21550-9
Allow users to connect remotely by using Remote Desktop Services

CCE-23565-5
Auditing of "Object Access: Application Generated" events on success should be enabled or disabled as appropriate.

CCE-21959-2
The 'Microsoft network server: Server SPN target name validation level' setting should be configured correctly.

CCE-22548-2
The "Accounts: Guest account status" setting should be configured correctly.

CCE-22964-1
Configure registry policy processing

CCE-21562-4
The "MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic." setting should be configured correctly.

CCE-23201-7
Windows Firewall: Domain: Allow unicast response

CCE-22843-7
Auditing of "Audit object access" events on success should be enabled or disabled as appropriate.

CCE-22658-9
The 'Network access: Restrict anonymous access to Named Pipes and Shares' setting should be configured correctly.

CCE-23103-5
The "MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)" setting should be configured correctly.

CCE-22976-5
The 'Access this computer from the network' user right should be assigned to the appropriate accounts.

CCE-21256-3
Windows Firewall: Private: Logging: Log dropped packets

CCE-23319-7
The "Allow unencrypted traffic" machine setting should be configured correctly for the WinRM service.

CCE-23021-9
Restrict Unauthenticated RPC clients

CCE-22244-8
This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The "Allow data recovery agent" check box is used to specify whether a data recovery ...

CCE-22267-9
Windows Firewall: Public: Logging: Name

CCE-22858-5
The "Turn off game updates" machine setting should be configured correctly.

CCE-21432-0
The 'Create global objects' user right should be assigned to the appropriate accounts.

CCE-21707-5
The "Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with Support Provider" machine setting should be configured correctly.

CCE-23251-2
Set Teredo State

CCE-21248-0
The "Turn off shell protocol protected mode" setting should be configured correctly.

CCE-21530-1
Windows Firewall: Public: Logging: Log successful connections

CCE-21990-7
The 'Change the system time' user right should be assigned to the appropriate accounts.

CCE-21816-4
Auditing of 'Privilege Use: Non Sensitive Privilege Use' events on success should be enabled or disabled as appropriate.

CCE-22617-5
The "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" setting should be configured correctly.

CCE-22921-1
The "Minimum password length" setting should be configured correctly.

CCE-22462-6
Customize Warning Messages The 'Display warning message before sharing control' policy setting allows you to specify a custom message to display before a user shares control of his or her computer. The 'Display warning message before connecting' policy setting allows you to specify a custom messag ...

CCE-21696-0
The "Do not allow passwords to be saved" machine setting should be configured correctly.

CCE-22210-9
Auditing of "Policy Change: Filtering Platform Policy Change" events on failure should be enabled or disabled as appropriate.

CCE-21903-0
Specify settings for optional component installation and component repair This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. If you enable this policy se ...

CCE-21949-3
Turn off the "Publish to Web" task for files and folders

CCE-23240-5
The 'Windows Firewall: Public: Apply local firewall rules' setting should be configured correctly.

CCE-22519-3
The 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly.

CCE-22748-8
The "Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box" setting should be configured correctly.

CCE-21771-1
The "Always use classic logon" machine setting should be configured correctly.

CCE-22387-5
Windows Firewall: Domain: Inbound connections

CCE-22331-3
The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services.

CCE-21927-9
The 'Allow log on through Remote Desktop Services' user right should be assigned to the appropriate accounts.

CCE-22834-6
The "Extend Point and Print connection to search Windows Update and use alternate connection if needed" setting should be configured correctly.

CCE-22475-8
The "Allow Basic authentication" machine setting should be configured correctly for the WinRM service.

CCE-22168-9
The 'Interactive logon: Smart card removal behavior' setting should be configured correctly.

CCE-22966-6
The "Configure minimum PIN length for startup" machine setting should be configured correctly.

CCE-21761-2
The "Disable Logging" setting should be configured correctly.

CCE-22463-4
The "Turn off Windows Customer Experience Improvement Program" machine setting should be configured correctly.

CCE-23120-9
Windows Firewall: Private: Logging: Log successful connections

CCE-21719-0
The "Do not send a Windows error report when a generic driver is installed on a device" machine setting should be configured correctly.

CCE-23623-2
Specify the 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' for RDVDiscoveryVolumeType This policy setting configures whether or not removable data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2 ...

CCE-23264-5
The 'Accounts: Limit local account use of blank passwords to console logon only' setting should be configured correctly.

CCE-23241-3
This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audit ...

CCE-22157-2
The "Require a Password When a Computer Wakes (On Battery)" machine setting should be configured correctly.

CCE-23253-8
The 'Windows Firewall: Domain: Apply local connection security rules' setting should be configured correctly.

CCE-22351-1
Auditing of 'Account Logon: Other Account Logon Events' events on failure should be enabled or disabled as appropriate.

CCE-21785-1
The "Turn off Search Companion content file updates" machine setting should be configured correctly.

CCE-22890-8
Auditing of 'Account Management: User Account Management' events on success should be enabled or disabled as appropriate.

CCE-22581-3
Specify the maximum log file size (KB)

CCE-21807-3
Turn on Responder (RSPNDR) driver This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a comput ...

CCE-22288-5
Turn off the Store application

CCE-23381-7
The 'Act as part of the operating system' user right should be assigned to the appropriate accounts.

CCE-21883-4
The "Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point" machine setting should be configured correctly.

CCE-22242-2
Control Event Log behavior when the log file reaches its maximum size

CCE-21641-6
Turn on PIN sign-in

CCE-21687-9
The 'Log on as a batch job' user right should be assigned to the appropriate accounts.

CCE-22528-4
Specify the maximum log file size (KB)

CCE-22121-8
Configure use of hardware-based encryption for operating system drives This policy setting allows you to manage BitLocker's use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption ...

CCE-23167-0
The "Disallow Digest authentication" machine setting should be configured correctly.

CCE-23558-0
Auditing of 'System: System Integrity' events on failure should be enabled or disabled as appropriate.

CCE-21894-1
The 'Increase a process working set' user right should be assigned to the appropriate accounts.

CCE-22460-0
Windows Firewall: Public: Logging: Size limit (KB)

CCE-21675-4
The "Enumerate administrator accounts on elevation" setting should be enabled or disabled as appropriate.

CCE-21905-5
Auditing of 'Account Management: Computer Account Management' events on success should be enabled or disabled as appropriate.

CCE-22517-7
Windows Firewall: Public: Inbound connections

CCE-21215-9
Minimize the number of simultaneous connections to the Internet or a Windows Domain

CCE-22156-4
Auditing of "Object Access: File System" events on failure should be enabled or disabled as appropriate.

CCE-22166-3
The 'Create symbolic links' user right should be assigned to the appropriate accounts.

CCE-22859-3
Auditing of "Logon/Logoff: Account Lockout" events on success should be enabled or disabled as appropriate.

CCE-23133-2
The 'Recovery console: Allow floppy copy and access to all drives and all folders' setting should be configured correctly.

CCE-22639-9
LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, th ...

CCE-21740-6
The 'Network access: Sharing and security model for local accounts' setting should be configured correctly.

CCE-21774-5
The 'Generate security audits' user right should be assigned to the appropriate accounts.

CCE-21895-8
The 'Profile single process' user right should be assigned to the appropriate accounts.

CCE-23391-6
The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' setting should be enabled or disabled as appropriate.

CCE-25575-2
Do not display the password reveal button

CCE-22847-8
The "Set client connection encryption level" machine setting should be configured correctly.

CCE-22057-4
The "Turn off handwriting personalization data sharing" setting should be configured correctly.

CCE-23145-6
The 'Modify firmware environment values' user right should be assigned to the appropriate accounts.

CCE-23058-1
The "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" setting should be configured correctly.

CCE-23289-2
Auditing of "Audit policy change" events on success should be enabled or disabled as appropriate.

CCE-21982-4
The 'Debug programs' user right should be assigned to the appropriate accounts.

CCE-23217-3
The "Turn off location scripting" machine setting should be configured correctly.

CCE-22082-2
The 'Create a token object' user right should be assigned to the appropriate accounts.

CCE-21534-3
This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC pol ...

CCE-20903-1
The "Allow unencrypted traffic" machine setting should be configured correctly for the WinRM service.

CCE-22029-3
The "Prevent device metadata retrieval from the Internet" machine setting should be configured correctly.

CCE-22311-5
The 'MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)' setting should be configured correctly.

CCE-23063-1
Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting determines whether it is necessary to contact a domain controller to unlock a computer. If you enable this setting, a domain c ...

CCE-23450-0
Windows Firewall: Domain: Display a notification

CCE-21798-4
Auditing of 'Logon-Logoff: Special Logon' events on success should be enabled or disabled as appropriate.

CCE-22902-1
Auditing of 'Logon-Logoff: IPsec Extended Mode' events on success should be enabled or disabled as appropriate.

CCE-22466-7
This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name ...

CCE-23327-0
The 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly.

CCE-22553-2
The "User Account Control: Only elevate UIAccess applications that are installed in secure locations" setting should be configured correctly.

CCE-21391-8
The 'Shut down the system' user right should be assigned to the appropriate accounts.

CCE-22706-6
Allow access to BitLocker-protected fixed data drives from earlier versions of Windows. This policy setting configures whether or not fixed data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP with Service Pack ...

CCE-22913-8
The 'Shutdown: Allow system to be shut down without having to log on' setting should be configured correctly.

CCE-22729-8
The "Allow the use of biometrics" machine setting should be configured correctly.

CCE-23218-1
The 'Log on as a service' user right should be assigned to the appropriate accounts.

CCE-21788-5
The 'Manage auditing and security log' user right should be assigned to the appropriate accounts.

CCE-21840-4
The 'Deny access to this computer from the network' user right should be assigned to the appropriate accounts.

CCE-23529-1
The BitLocker 'Configure use of passwords for removable data drives' setting should be configured correctly.

CCE-22028-5
Windows Firewall: Public: Display a notification

CCE-22686-0
The "Route all traffic through the internal network" setting should be configured correctly.

CCE-22126-7
The "User Account Control: Virtualize file and registry write failures to per-user locations" setting should be configured correctly.

CCE-21458-5
This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevati ...

CCE-22565-6
Auditing of "Logon/Logoff: Logoff" events on failure should be enabled or disabled as appropriate.

CCE-22421-2
The 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' setting should be configured correctly.

CCE-21545-9
Specify the maximum log file size (KB)

CCE-22577-1
Auditing of "Object Access: Filtering Platform Connection" events on failure should be enabled or disabled as appropriate.

CCE-23260-3
Configure Microsoft Active Protection Service Reporting

CCE-23604-2
Auditing of 'Detailed Tracking: Process Termination' events on success should be enabled or disabled as appropriate.

CCE-22936-9
The 'Deny log on as a batch job' user right should be assigned to the appropriate accounts.

CCE-22916-1
The "Turn off Internet File Association service" machine setting should be configured correctly.

CCE-23088-8
The "Do not allow drive redirection" setting should be configured correctly for Terminal Services.

CCE-21887-5
The 'Impersonate a client after authentication' user right should be assigned to the appropriate accounts.

CCE-22562-3
Do not enumerate connected users on domain-joined computers

CCE-21789-3
Prevent Internet Explorer security prompt for Windows Installer scripts

CCE-23317-1
Configure Solicited Remote Assistance. This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messag ...

CCE-22453-5
The "Report when logon server was not available during user logon" machine setting should be configured correctly.

CCE-22246-3
Turn off app notifications on the lock screen

CCE-23505-1
Auditing of 'System: IPsec Driver' events on success should be enabled or disabled as appropriate.

CCE-21645-7
Configure Windows SmartScreen. This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run ...

CCE-21996-4
Auditing of "Object Access: Registry" events on failure should be enabled or disabled as appropriate.

CCE-22102-8
The 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' setting should be configured correctly.

CCE-22378-4
Auditing of 'Logon-Logoff: IPsec Main Mode' events on failure should be enabled or disabled as appropriate.

CCE-21875-0
The 'Prevent the computer from joining a homegroup' setting should be configured correctly.

CCE-23030-0
Windows Firewall: Domain: Logging: Log dropped packets

CCE-23163-9
The 'Enable/Disable PerfTrack' setting should be configured correctly.

CCE-21427-0
Configure use of passwords for operating system drives. This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements ...

CCE-22320-6
The "Allow remote access to the Plug and Play interface" machine setting should be configured correctly.

CCE-23261-1
Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7. Countermeasure: Configure Network security: Allow LocalSystem NULL session fallback to Disabled. Potential Impact: Any applications that require NULL ses ...

CCE-23076-3
Auditing of 'Detailed Tracking: DPAPI Activity' events on success should be enabled or disabled as appropriate.

CCE-23296-7
The 'Allow log on locally' user right should be assigned to the appropriate accounts.

CCE-22915-3
The 'Windows Firewall: Private: Apply local connection security rules' setting should be configured correctly.

CCE-23198-5
Audit Policy: Account Logon: Credential Validation. This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authorit ...

CCE-22829-6
The 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' setting should be configured correctly.

CCE-21414-8
The 'Minimum password age' setting should be configured correctly.

CCE-22893-2
Prohibit connection to non-domain networks when connected to domain authenticated network

CCE-22310-7
The "Turn off Windows Update device driver searching" machine setting should be configured correctly.

CCE-22124-2
Auditing of 'Privilege Use: Other Privilege Use Events' events on failure should be enabled or disabled as appropriate.

CCE-22696-9
The "Turn on session logging" machine setting should be configured correctly.

CCE-22949-2
The "Turn Off the Display (On Battery)" machine setting should be configured correctly.

CCE-22003-8
Windows Firewall: Private: Allow unicast response

CCE-22442-8
This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. Note this does not affect the availability of user input methods on the lock screen or with t ...

CCE-22465-9
Auditing of "Object Access: Handle Manipulation" events on failure should be enabled or disabled as appropriate.

CCE-23372-6
Turn on Mapper I/O (LLTDIO) driver. This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth e ...

CCE-22783-5
This policy setting determines the strength of the default discretionary access control list (DACL) for objects. The setting helps secure objects that can be located and shared among processes and its default configuration strengthens the DACL, because it allows users who are not administrators to r ...

CCE-21940-2
The 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' setting should be configured correctly.

CCE-22575-5
The "Prevent Windows from sending an error report when a device driver requests additional software during installation" machine setting should be configured correctly.

CCE-23442-7
The 'Restore files and directories' user right should be assigned to the appropriate accounts.

CCE-23181-1
The 'Load and unload device drivers' user right should be assigned to the appropriate accounts.

CCE-23193-6
The "Devices: Allowed to format and eject removable media" setting should be configured correctly.

CCE-23314-8
The 'Back up files and directories' user right should be assigned to the appropriate accounts.

CCE-21703-4
The 'User Account Control: Behavior of the elevation prompt for standard users' setting should be configured correctly.

CCE-22141-6
The 'Create permanent shared objects' user right should be assigned to the appropriate accounts.

CCE-23258-7
The 'Enable computer and user accounts to be trusted for delegation' user right should be assigned to the appropriate accounts.

CCE-23549-9
The "Network security: Force logoff when logon hours expire" setting should be configured correctly.

CCE-22243-0
This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most co ...

CCE-22472-5
The 'Replace a process level token' user right should be assigned to the appropriate accounts.

CCE-22816-3
The 'Deny log on locally' user right should be assigned to the appropriate accounts.

CCE-21994-9
The 'Lock pages in memory' user right should be assigned to the appropriate accounts.

CCE-22116-8
The "Always install with elevated privileges" machine setting should be configured correctly.

CCE-22904-7
The 'Perform volume maintenance tasks' user right should be assigned to the appropriate accounts.

CCE-22552-4
The "Network security: Do not store LAN Manager hash value on next password change" setting should be configured correctly.

CCE-23007-8
The 'Domain member: Require strong (Windows 2000 or later) session key' setting should be configured correctly.

CCE-22428-7
The 'Microsoft network client: Digitally sign communications (always)' setting should be configured correctly.

CCE-22538-3
This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Di ...

CCE-22386-7
The "Domain member: Digitally sign secure channel data (when possible)" setting should be configured correctly.

CCE-22749-6
The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' setting should be enabled or disabled as appropriate.

CCE-21863-6
The "Microsoft network client: Digitally sign communications (if server agrees)" setting should be configured correctly.

CCE-22707-4
The 'Domain member: Digitally encrypt or sign secure channel data (always)' setting should be configured correctly.

CCE-22447-7
The 'Network access: Let Everyone permissions apply to anonymous users' setting should be configured correctly.

CCE-21504-6
The 'Network access: Remotely accessible registry paths' setting should be configured correctly.

CCE-22786-8
The 'System objects: Require case insensitivity for non-Windows subsystems' setting should be configured correctly.

CCE-22097-0
The "Accounts: Rename administrator account" setting should be configured correctly.

CCE-23597-8
The 'Network access: Named Pipes that can be accessed anonymously' setting should be configured correctly.

CCE-22679-5
The "Require secure RPC communication" machine setting should be configured correctly.

CCE-22096-2
The "No auto-restart with logged on users for scheduled automatic updates installations" machine setting should be configured correctly.

CCE-22973-2
The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" setting should be configured correctly.

CCE-23522-6
The 'Interactive logon: Do not require CTRL+ALT+DEL' setting should be configured correctly.

CCE-21399-1
The "Accounts: Rename guest account" setting should be configured correctly.

CCE-22405-5
The "Microsoft network client: Send unencrypted password to third-party SMB servers" setting should be configured correctly.

CCE-21714-1
Windows Firewall: Private: Firewall state

CCE-23400-5
The 'Network security: LDAP client signing requirements' setting should be configured correctly.

CCE-23090-4
Windows Firewall: Domain: Firewall state

CCE-23257-9
The 'Network access: Shares that can be accessed anonymously' setting should be configured correctly.

CCE-22977-3
The 'Network access: Remotely accessible registry paths and sub-paths' setting should be configured correctly.

CCE-21892-5
The "Interactive logon: Prompt user to change password before expiration" setting should be configured correctly.

CCE-22615-9
The "Interactive logon: Do not display last user name" setting should be configured correctly.

CCE-21359-5
Windows Firewall: Public: Firewall state

CCE-21665-5
Accounts: Block Microsoft accounts

CCE-22541-7
The 'Reset account lockout counter after' setting should be configured correctly.

CCE-21621-8
The 'Domain member: Maximum machine account password age' setting should be configured correctly.

CCE-21546-7
The "Network access: Do not allow anonymous enumeration of SAM accounts and shares" setting should be configured correctly.

CCE-21523-6
The 'Microsoft network server: Amount of idle time required before suspending session' setting should be configured correctly.

CCE-22585-4
The "Network access: Do not allow anonymous enumeration of SAM accounts and shares" setting should be configured correctly.

CCE-21766-1
Enable screen saver

CCE-21525-1
Screen saver timeout

CCE-21963-4
The "Password protect the screen saver" setting should be configured correctly for the default user.

CPE    1
cpe:/o:microsoft:windows_8
*XCCDF
xccdf_org.secpod_benchmark_general_Windows_8
OVAL    348
oval:org.secpod.oval:def:18107
oval:org.secpod.oval:def:18079
oval:org.secpod.oval:def:18178
oval:org.secpod.oval:def:18086
...

© SecPod Technologies