CCE-46343-0
"Configure registry policy processing" This policy setting determines when registry policies are updated. This policy setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program impl ...

CCE-44499-2
"Deny access to this computer from the network" This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In high security environments, there should be no need for remote users to access data o ...

CCE-50915-8
"Apply UAC restrictions to local accounts on network logons" This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is confi ...

CCE-45061-9
"Allow Basic authentication" This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. If you enable this policy setting, the WinRM service will accept Basic authentication from a remote client. If you disable ...

CCE-45276-3
"MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)" Vulnerability: An attacker could use source routed packets to obscure their identity and lo ...

CCE-46027-9
"Microsoft network server: Amount of idle time required before suspending session" This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to contr ...

CCE-47309-0
"Password must meet complexity requirements" This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain the user's account name or parts of the user ...

CCE-46219-2
"Audit Policy: DS Access: Directory Service Access" This subcategory reports when an AD DS object is accessed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. These events are similar to the directory service access ev ...

CCE-44597-3
"System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)" This policy setting determines the strength of the default discretionary access control list (DACL) for objects. The setting helps secure objects that can be located and shared among processes and its ...

CCE-44705-2
"Create global objects" This policy setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes th ...

CCE-46305-9
"Network access: Do not allow anonymous enumeration of SAM accounts" This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections cannot enumerate domain account user ...

CCE-46295-2
"Allow Basic authentication" This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. If you enable this policy setting, the WinRM client will use Basic authentication. If WinRM is configured to use HTTP transport, then the user name ...

CCE-46136-8
"Microsoft network client: Send unencrypted password to third-party SMB servers" Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to third-party SMB servers that do not support password encryption. Microsoft recommends that you disable ...

CCE-46912-2
"User Account Control: Detect application installations and prompt for elevation" This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application installation package is detected that requires ele ...

CCE-47154-0
"User Account Control: Run all administrators in Admin Approval Mode" This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: - Enabled: (Default) Admin Approv ...

CCE-44732-6
"Audit Policy: Account Logon: Credential Validation" This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is author ...

CCE-44793-8
"Password protect the screen saver" If the Password protect the screen saver setting is enabled, then all screen savers are password protected; if it is disabled, then password protection cannot be set on any screen saver. Vulnerability: If a user forgets to lock their computer when they walk ...

CCE-46754-8
"Domain member: Digitally encrypt or sign secure channel data (always)" This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. If a system is set to always encrypt or sign secure channel data, it cannot establish a secur ...

CCE-46491-7
"Audit Policy: Logon-Logoff: Logoff" This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, thes ...

CCE-46147-5
"Windows Firewall: Private: Inbound connections" This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Vulnerability: If the firewall allow ...

CCE-47000-5
"User Account Control: Admin Approval Mode for the Built-in Administrator account" This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: - Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any oper ...

CCE-44695-5
"Create a pagefile" This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer. When configuring a user right in the SCM enter a comma delimited list of ac ...

CCE-47214-2
"User Account Control: Behavior of the elevation prompt for standard users" This policy setting controls the behavior of the elevation prompt for standard users. The options are: - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administ ...

CCE-46378-6
"Allow unencrypted traffic" This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. If you ...

CCE-46546-8
"Domain member: Digitally encrypt secure channel data (when possible)" This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member will request encryption of all ...

CCE-46382-8
"Enumerate local users on domain-joined computers" This policy setting allows local users to be enumerated on domain-joined computers. If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, t ...

CCE-47225-8
"Always install with elevated privileges" Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the ...

CCE-45275-5
"MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)" Vulnerability: An attacker could use source routed packets to obscure their ident ...

CCE-46031-1
"Network security: Do not store LAN Manager hash value on next password change" This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically st ...

CCE-45060-1
"Allow unencrypted traffic" This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. If you ...

CCE-47308-2
"Enable computer and user accounts to be trusted for delegation" This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. Abuse of this privilege could allow unauthorized users to impersonate other users on the network. When configurin ...

CCE-46306-7
"Audit Policy: Policy Change: Authorization Policy Change" This subcategory reports changes in authorization policy including permissions (DACL) changes. Events for this subcategory include: - 4704: A user right was assigned. - 4705: A user right was removed. - 4706: A new trust was created to ...

CCE-46703-5
"Audit Policy: Logon-Logoff: Special Logon" This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include: - 4964 : Special groups have been ...

CCE-47319-9
"Lock pages in memory" This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. If this user right is assigned, significant degradation of system performance can occur. When configuring a user right in the SCM e ...

CCE-46911-4
"User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - En ...

CCE-46223-4
"Windows Firewall: Private: Firewall state" Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security r ...

CCE-45495-9
"Executable rules" AppLocker defines executable rules as any files with the .exe and .com extensions that are associated with an application. Because all of the default rules for the executable rule collection are based on folder paths, all files under those paths will be allowed. The following are ...

CCE-46148-3
"Interactive logon: Smart card removal behavior" This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. Vulnerability: Users sometimes forget to lock their workstations when they are away from them, allowing the possibility ...

CCE-46970-0
"Turn off Autoplay" Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. You can enable the ...

CCE-46078-2
"Manage auditing and security log" This policy setting determines which users can change the auditing options for files and directories and clear the Security log. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active D ...

CCE-46993-2
"Allow user control over installs" This policy setting permits users to change installation options that typically are available only to system administrators. If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete t ...

CCE-45259-9
"Turn on PowerShell Script Block Logging" This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, function ...

CCE-47341-3
"Sign-in last interactive user automatically after a system-initiated restart" This policy setting controls whether a device will automatically sign in the last interactive user after Windows Update restarts the system. If you enable or do not configure this policy setting, the device securely sav ...

CCE-45489-2
"AppLocker: Executable Rules: (Default Rule) All files located in the Program Files folder" Allow all users to run executable files in the Program Files folder. This setting is configured by using an XML blob that is stored in the registry setting for this setting. You can obtain the XML blob by con ...

CCE-46702-7
"Audit Policy: Account Management: Security Group Management" This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audit policy setting, admin ...

CCE-46518-7
"Audit Policy: System: Other System Events" This subcategory reports on other system events. Events for this subcategory include: - 5024 : The Windows Firewall Service has started successfully. - 5025 : The Windows Firewall Service has been stopped. - 5027 : The Windows Firewall Service was un ...

CCE-46176-4
"Restore files and directories" This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories on computers that run Windows Vista in your environment. This user right also determines which user ...

CCE-45982-6
"Windows Firewall: Domain: Firewall state" Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security ru ...

CCE-46018-8
"Domain member: Disable machine account password changes" This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its computer account password. If you disable ...

CCE-44880-3
"Do not allow passwords to be saved" This policy setting helps prevent Terminal Services clients from saving passwords on a computer. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Terminal Servi ...

CCE-46835-5
"Create permanent shared objects" This user right is useful to kernel-mode components that extend the object namespace. However, components that run in kernel mode have this user right inherently. Therefore, it is typically not necessary to specifically assign this user right. When configuring a u ...

CCE-44526-2
"Specify the maximum log file size (KB) (Security Log)" This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in ki ...

CCE-45492-6
"AppLocker: Executable Rules: Block Internet Explorer (Deny Everyone)" This AppLocker rule blocks everyone from using Internet Explorer. This setting is configured by using an XML blob that is stored in the registry setting for this setting. You can obtain the XML blob by configuring the desired s ...

CCE-46126-9
"Perform volume maintenance tasks" This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial-of-service condition. When configuring a user right in the SCM enter a comma delimited list o ...

CCE-46334-9
"Microsoft network client: Digitally sign communications (if server agrees)" This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. The implementation of digital signing in Windows-based networks helps to prevent sessions from being hijacked. If you ena ...

CCE-44804-3
"Impersonate a client after authentication" The policy setting allows programs that run on behalf of a user to impersonate that user (or another specified account) so that they can act on behalf of the user. If this user right is required for this kind of impersonation, an unauthorized user will no ...

CCE-45565-9
"Join Microsoft MAPS" This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or addition ...

CCE-50918-2
"WDigest Authentication (disabling may require KB2871997)" When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. Microsoft recommends disabling WDigest authentication unless it is needed. If this setting is no ...

CCE-46005-5
"Accounts: Limit local account use of blank passwords to console logon only" This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that ha ...

CCE-46406-5
"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Activ ...

CCE-47129-2
"Network security: LDAP client signing requirements" This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests, as follows: - None. The LDAP BIND request is issued with the caller-specified options. - Negotiate signing. If Transpor ...

CCE-47340-5
"Do not display network selection UI" This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows. If you disable or don' ...

CCE-45394-4
"Configure local setting override for reporting to Microsoft MAPS" This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group ...

CCE-45905-7
"Audit Policy: Account Management: Computer Account Management" This subcategory reports each event of computer account management, such as when a computer account is created, changed, deleted, renamed, disabled, or enabled. Events for this subcategory include: - 4741: A computer account was creat ...

CCE-45966-9
"Audit Policy: Policy Change: Audit Policy Change" This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include: - 4715: The audit policy (SACL) on an object was changed. - 4719: System audit policy was changed. - 4902: The Per-user audit policy ...

CCE-46482-6
"Audit Policy: System: IPsec Driver" This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory include: - 4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue ...

CCE-45981-8
"Audit Policy: Privilege Use: Sensitive Privilege Use" This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights: Act as part of the operating system, Back up files and directories, Create a token object, Debug prog ...

CCE-46517-9
"Profile single process" This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if Sy ...

CCE-46653-2
"Windows Firewall: Public: Outbound connections" This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. Important: If you set Outbound connec ...

CCE-46701-9
"Audit Policy: DS Access: Directory Service Changes" This subcategory reports changes to objects in Active Directory Domain Services (AD DS). The types of changes that are reported are create, modify, move, and undelete operations that are performed on an object. DS Change auditing, where appropria ...

CCE-46177-2
"Audit Policy: Detailed Tracking: Process Creation" This subcategory reports the creation of a process and the name of the program or user that created it. Note: These events now get audited earlier than in previous versions of Windows. The creation of smss.exe and other early processes is now au ...

CCE-45005-6
"Allow indexing of encrypted files" This policy setting allows encrypted items to be indexed. If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting, the search service components (includi ...

CCE-44650-0
"Force shutdown from a remote system" This policy setting allows users to shut down Windows Vista-based computers from remote locations on the network. Anyone who has been assigned this user right can cause a denial of service (DoS) condition, which would make the computer unavailable to service u ...

CCE-45368-8
"Turn on behavior monitoring" This policy setting allows you to configure behavior monitoring. If you enable or do not configure this setting, behavior monitoring will be enabled. If you disable this setting, behavior monitoring will be disabled. Vulnerability: Disabling this settin ...

CCE-46649-0
"Windows Firewall: Domain: Inbound connections" This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Vulnerability: If the firewall allows ...

CCE-47022-9
"Increase scheduling priority" This policy setting determines whether users can increase the base priority class of a process. (It is not a privileged operation to increase relative priority within a priority class.) This user right is not required by administrative tools that are supplied with the ...

CCE-46917-1
"Act as part of the operating system" This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local ...

CCE-45201-1
"Enable insecure guest logons" This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons. If you disable this policy setting, ...

CCE-45493-4
"AppLocker: Executable Rules: Block Mozilla Firefox (Deny Everyone)" This AppLocker rule blocks everyone from using Mozilla Firefox. This setting is configured by using an XML blob that is stored in the registry setting for this setting. You can obtain the XML blob by configuring the desired setti ...

CCE-44987-6
"Back up files and directories" This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programm ...

CCE-47193-8
"Set client connection encryption level" This policy setting specifies whether the computer that is about to host the remote connection will enforce an encryption level for all data sent between it and the client computer for the remote session. Vulnerability: If Terminal Server client connec ...

CCE-45977-6
"Audit Policy: Logon-Logoff: Logon" This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a shar ...

CCE-45723-4
"Allow log on locally" This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the client computer keyboard require this user right. Users who attempt to log on through Terminal Serv ...

CCE-46127-7
"Windows Firewall: Public: Inbound connections" This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Vulnerability: If the firewall allows ...

CCE-44828-2
"Create symbolic links" This policy setting determines which users can create symbolic links. In Windows Vista, existing NTFS file system objects, such as files and folders, can be accessed by referring to a new kind of file system object called a symbolic link. A symbolic link is a pointer (much l ...

CCE-47038-5
"Microsoft network server: Digitally sign communications (always)" This policy setting determines if the server side SMB service is required to perform SMB packet signing. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. ...

CCE-46761-3
"Modify firmware environment values" This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration. Modification of these values could lead to a hardware failure t ...

CCE-46023-8
"Audit Policy: System: System Integrity" This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include: - 4612 : Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. - 4615 : I ...

CCE-46230-9
"Microsoft network server: Digitally sign communications (if client agrees)" This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a conn ...

CCE-46483-4
"Audit Policy: Logon-Logoff: Account Lockout" This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include: - 4625: An account failed to log on. Refer to the Microsoft Knowledgebase article 'Description of security ...

CCE-45257-3
"Send file samples when further analysis is required" This policy setting configures behavior of samples submission when opt-in for MAPS telemetry is set. Possible options are: (0x0) Always prompt (0x1) Send safe samples automatically (0x2) Never send ...

CCE-46708-4
"Disallow WinRM from storing RunAs credentials" This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. If you enable this policy setting, the WinRM service will not allow the RunAsUser or RunAsP ...

CCE-45984-2
"Windows Firewall: Private: Outbound connections" This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. Important: If you set Outbound conne ...

CCE-45490-0
"AppLocker: Executable Rules: (Default Rule) All files located in the Windows folder" Allow all users to run executable files in the Windows folder. This setting is configured by using an XML blob that is stored in the registry setting for this setting. You can obtain the XML blob by configuring th ...

CCE-47339-7
"Prevent enabling lock screen slide show" Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By default, users can enable a slide show that will run after they lock the machine. If you enable this setting, users will no longer be ...

CCE-44468-7
"Boot-Start Driver Initialization Policy" This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications ...

CCE-44927-2
"Debug programs" This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. Developers who are debugging their own applications do not need to be a ...

CCE-44520-5
"System objects: Require case insensitivity for non-Windows subsystems" This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32* subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Port ...

CCE-45743-2
"Always prompt for password upon connection" This policy setting specifies whether Terminal Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Terminal Services, even if they already provid ...

CCE-46565-8
"Network security: LAN Manager authentication level" LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network ...

CCE-45607-9
"Turn On Virtualization Based Security" Specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot, and can optionally be enabled with the use of ...

CCE-45608-7
"Minimum password age" This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this se ...

CCE-46216-8
"Take ownership of files or other objects" This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user. When configuring a user righ ...

CCE-46651-6
"Specify the maximum log file size (KB) (System Log)" This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilo ...

CCE-45960-2
"Load and unload device drivers" This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this capability to install malicious code that appears to be a device driver. This user right is required for users to add local printers or print ...

CCE-44479-4
"Enforce password history" This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passw ...

CCE-46760-5
"Set the default behavior for AutoRun" This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing an ...

CCE-47123-5
"Application Identity" Determines and verifies the identity of an application. Disabling this service will prevent AppLocker from being enforced. Vulnerability: Any service or application is a potential point of attack. Therefore, you should disable or remove any unneeded services or executab ...

CCE-45876-0
"Turn off Data Execution Prevention for Explorer" Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. Vulnerability: Data Execution Prevention is an important security feature supported by Explorer that helps to limit the ...

CCE-45968-5
"Audit Policy: System: Security State Change" This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. Events for this subcategory include: - 4608: Windows is starting up. - 4609: Windows is shutting down. - 4616: The system time w ...

CCE-46805-8
"Disallow Autoplay for non-volume devices" This policy setting disallows AutoPlay for MTP devices like cameras or phones. If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. If you disable or do not configure this policy setting, ...

CCE-46484-2
"Windows Firewall: Domain: Outbound connections" This setting determines the behavior for outbound connections that do not match an outbound firewall rule. In Windows Vista, the default behavior is to allow connections unless there are firewall rules that block the connection. Vulnerability: ...

CCE-45488-4
"AppLocker: Executable Rules: (Default Rule) All files" Allow members of the local Administrators group access to run all executable files. This setting is configured by using an XML blob that is stored in the registry setting for this setting. You can obtain the XML blob by configuring the desired ...

CCE-44494-3
"Specify the maximum log file size (KB) (Application Log)" This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in ...

CCE-45279-7
"MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Vulnerability: This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes ...

CCE-46768-8
"Interactive logon: Machine inactivity limit" Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. Vulnerability: If a user forgets to lock their computer when they walk away it is ...

CCE-47028-6
"Turn off heap termination on corruption" Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. Vulnerability: Enabling or not configuring this sett ...

CCE-47338-9
"Prevent enabling lock screen camera" Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. If you enable this setting, users will no longer be ab ...

CCE-46412-3
"Network access: Let Everyone permissions apply to anonymous users" This policy setting determines what additional permissions are assigned for anonymous connections to the computer. If you enable this policy setting, anonymous Windows users are allowed to perform certain activities, such as enumer ...

CCE-45268-0
"Enable local admin password management" Enables management of the password for the local administrator account. If you enable this setting, the local administrator password is managed. If you disable or do not configure this setting, the local administrator password is NOT managed. Vulnerability: Disabl ...

CCE-45491-8
"AppLocker: Executable Rules: Block Google Chrome (Deny Everyone)" This AppLocker rule blocks everyone from using Google Chrome. This setting is configured by using an XML blob that is stored in the registry setting for this setting. You can obtain the XML blob by configuring the desired setting ...

CCE-47157-3
"User Account Control: Virtualize file and registry write failures to per-user locations" This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run- ...

CCE-46496-6
"Audit Policy: Policy Change: Authentication Policy Change" This subcategory reports changes in authentication policy. Events for this subcategory include: - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4713: Kerberos policy was changed. - 4716: Truste ...

CCE-47111-0
"Audit Policy: System: Security System Extension" This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events for this subcategory include: - 4610: An authentication package has been loaded by the Local Security Authority. - 4611: A tr ...

CCE-44698-9
"Enable screen saver" This policy setting allows you to manage whether or not screen savers run. If the Screen Saver setting is disabled screen savers do not run and the screen saver section of the Screen Saver tab in Display in Control Panel is disabled. If this setting is enabled a screen saver w ...

CCE-45283-9
"MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Vulnerability: The NetBT protocol is designed not to use authenti ...

CCE-44703-7
"Allow log on through Remote Desktop Services" This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. If your organization uses Remote Assistance as part of its help desk strategy, create a group and ...

CCE-46552-6
"Audit Policy: Account Management: User Account Management" This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If you enable this Audit policy ...

CCE-45232-6
"Use enhanced anti-spoofing when available" This policy setting determines whether enhanced anti-spoofing is configured for devices which support it. If you do not configure this policy setting, users will be able to choose whether or not to use enhanced anti-spoofing on supported devices. If you ...

CCE-46880-1
"Restrict Unauthenticated RPC clients" This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact ...

CCE-46914-8
"Minimum password length" This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps "pass phrase" is a better term than " ...

CCE-46160-8
"Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication servic ...

CCE-47296-9
"Network security: Allow LocalSystem NULL session fallback" Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7. Vulnerability: NULL sessions are less secure because by definition they are unauthenticated. Count ...

CCE-46228-3
"Domain controller: LDAP server signing requirements" This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. Vulnerability: Unsigned network traffic is susceptible to man-in-the-middle attacks. In such at ...

CCE-46771-2
"Do not allow drive redirection" This policy setting prevents users from sharing the local drives on their client computers to Terminal Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\TSClient\<driveletter>$ If local dri ...

CCE-46014-7
"Disallow Digest authentication" This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. If you enable this policy setting, the WinRM client will not use Digest authentication. If you disable or do not configure this policy ...

CCE-47152-4
"Account lockout duration" This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy se ...

CCE-45496-7
"Packaged app rules" Allows you to enable or disable Packaged app rules. Packaged apps (also known as Windows Store apps) are based on a model that ensures all the files within an app package share the same identity. With classic Win32 applications, each file within the application could have a u ...

CCE-46525-2
"Network access: Do not allow anonymous enumeration of SAM accounts and shares" This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and net ...

CCE-44861-3
"Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication servic ...

CCE-45689-7
"Generate security audits" This policy setting determines which users or processes can generate audit records in the Security log. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, us ...

CCE-46338-0
"Network security: Allow Local System to use computer identity for NTLM" When enabled, this policy setting causes Local System services that use Negotiate to use the computer identity when NTLM authentication is selected by the negotiation. This policy is supported on at least Windows 7 or Windows ...

CCE-44884-5
"Configure Windows SmartScreen" This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs r ...

CCE-45337-3
"Scan removable drives" This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. If you enable this setting, removable drives will be scanned during any ...

CCE-46135-0
"Microsoft network client: Digitally sign communications (always)" This policy setting determines whether packet signing is required by the SMB client component. If you enable this policy setting, the Microsoft network client computer cannot communicate with a Microsoft network server unless that s ...

CCE-44496-8
"Require secure RPC communication" Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and e ...

CCE-44911-6
"Network access: Restrict anonymous access to Named Pipes and Shares" When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonym ...

CCE-45486-8
"Access this computer from the network" This policy setting determines which users can connect to the computer from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Compo ...

CCE-46440-4
"Domain member: Digitally sign secure channel data (when possible)" This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone ...

CCE-45231-8
"Untrusted Font Blocking" This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and ...

CCE-47284-5
"User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Elevate without prompting: Allows privileged accounts to perform an operation that requires e ...

CCE-47052-6
"Domain controller: Refuse machine account password changes" This security setting determines whether domain controllers will refuse requests from member computers to change computer account passwords. By default, member computers change their computer account passwords every 30 days. If enabled, t ...

CCE-46891-8
"Windows Firewall: Public: Firewall state" Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security ru ...

CCE-46913-0
"User Account Control: Only elevate UIAccess applications that are installed in secure locations" This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure location ...

CCE-45349-8
"Turn on e-mail scanning" This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently sup ...

CCE-47295-1
"Create a token object" This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they c ...

CCE-46108-7
"Deny log on locally" This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies. Important: If you apply this security policy to the Everyone group, no on ...

CCE-47272-0
"Reset account lockout counter after" This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value ...

CCE-45958-6
"Domain member: Require strong (Windows 2000 or later) session key" When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all domain ...

CCE-45973-5
"Audit Policy: Account Management: Other Account Management Events" This subcategory reports other account management events. Events for this subcategory include: - 4782: The password hash of an account was accessed. - 4793: The Password Policy Checking API was called. Refer to the Microsoft Knowled ...

CCE-50914-1
"AppLocker: Packaged app Rules: (Default Rule) All signed packaged apps (Allow Everyone)" Allow all users to run signed packaged Windows Store apps. This setting is configured by using an XML blob that is stored in the registry setting for this setting. You can obtain the XML blob by configuring th ...

CCE-46184-8
"Turn off Windows Defender" Turns off Windows Defender Real-Time Protection, and no more scans are scheduled. If you enable this policy setting, Windows Defender does not run, and computers will not be scanned for spyware or other potentially unwanted software. If you disable or do not configure ...

CPE    1
cpe:/o:microsoft:windows_server_2016
*XCCDF
xccdf_org.secpod_benchmark_general_Windows_Server_2016
OVAL    162
oval:org.secpod.oval:def:40245
oval:org.secpod.oval:def:40246
oval:org.secpod.oval:def:40243
oval:org.secpod.oval:def:40244
...

© 2013 SecPod Technologies