Download
| Alert*
|
CCE-4228-3
Auditing of "Account Management: Computer Account Management" events on failure should be enabled or disabled as appropriate. CCE-4183-0 Auditing of "Logon/Logoff: Logoff" events on failure should be enabled or disabled as appropriate. CCE-5137-5 Auditing of "Policy Change: Audit Policy Change" events on failure should be enabled or disabled as appropriate. CCE-5094-8 Auditing of "Detailed Tracking: Process Creation" events on failure should be enabled or disabled as appropriate. CCE-8458-2 The "Access credential Manager as a trusted caller" user right should be assigned to the correct accounts. CCE-4662-3 The "Enforce user logon restrictions" policy should be set correctly. CCE-5039-3 Auditing of "Object Access: File System" events on failure should be enabled or disabled as appropriate. CCE-4783-7 Auditing of "Account Management: Other Account Management Events" events on failure should be enabled or disabled as appropriate. CCE-8188-5 The Windows Firewall "Allow ICMP exceptions" policy should be enabled or disabled as appropriate for the Standard Profile. CCE-4666-4 The "Maximum Service Ticket Litfetime" policy should be set correctly. CCE-8470-7 The Windows Firewall "Allow ICMP exceptions" policy should be enabled or disabled as appropriate for the Domain Profile. CCE-4423-0 Auditing of "Logon/Logoff: Logon" events on failure should be enabled or disabled as appropriate. CCE-4579-9 The 'Approved Installation Sites for ActiveX Controls' security mechanism should be enabled or disabled as appropriate. CCE-4627-6 The required permissions for the WLAN AutoConfig service should be assigned. CCE-4702-7 The "Maximum tolerance for computer clock synchronization" policy should be set correctly. CCE-4879-3 Auditing of "System: Ipsec Driver" events on failure should be enabled or disabled as appropriate. CCE-4822-3 Auditing of "System: System Integrity" events on failure should be enabled or disabled as appropriate. CCE-4516-1 Auditing of "Policy Change: Authentication Policy Change" events on failure should be enabled or disabled as appropriate. CCE-4734-0 Auditing of "Privilege Use: Sensitive Privilege Use" events on failure should be enabled or disabled as appropriate. CCE-5087-2 Auditing of "Object Access: Registry" events on failure should be enabled or disabled as appropriate. CCE-3508-9 The "IPv6 Block of UDP 3544" setting should be configured correctly. CCE-2339-0 The behavior surrounding Anonymous SID/Name translation should be correct. CCE-2865-4 The "IPv6 Block of Protocols 41" setting should be configured correctly. CCE-5097-1 Auditing of "Account Management: User Account Management" events on failure should be enabled or disabled as appropriate. CCE-4142-6 Auditing of "Account Management: Security Group Management" events on failure should be enabled or disabled as appropriate. CCE-4824-9 Auditing of "Logon/Logoff: Special Logon" events on failure should be enabled or disabled as appropriate. CCE-4941-1 User notifications when a program is blocked from receiving inbound connections by Windows Firewall should be enabled or disabled as appropriate for the Domain Profile. CCE-2467-9 This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member will request encryption of all secure channel traffic. If you disable this policy setting, the domain m ... CCE-2967-8 The "maximum password age" policy should meet minimum requirements. CCE-4872-8 The "log on locally" user right should be assigned to the correct accounts. CCE-5028-6 Auditing of "DS Access: Directory Service Access" events on success should be enabled or disabled as appropriate. CCE-3285-4 The "Audit the access of global system objects" policy should be set correctly. CCE-4107-9 The "Recovery Console: Allow Automatic Administrative Logon" policy should be set correctly. CCE-5114-4 Auditing of "Privilege Use: Non Sensitive Privilege Use" events on success should be enabled or disabled as appropriate. CCE-2714-4 The built-in Administrator account should be correctly named. CCE-3199-7 Safe DLL Search Mode should be properly configured. CCE-3360-5 Private Profile - Apply Local Firewall Rules CCE-4205-1 Auditing of "Privilege Use: Privilege Use: Other Privilege Use Events" events on failure should be enabled or disabled as appropriate. CCE-4774-6 The "Use FIPS compliant algorithms for encryption, hashing, and signing" policy should be set correctly. CCE-2462-0 The "No auto-restart for scheduled Automatic Updates installations CCE-3439-7 Domain Profile - Outbound Connections CCE-4928-8 Auditing of "Logon/Logoff: IPsec Quick Mode" events on failure should be enabled or disabled as appropriate. CCE-3251-6 The "Smart Card Removal Behavior" policy should be set correctly. CCE-4808-2 Auditing of "DS Access: Directory Service Changes" events on failure should be enabled or disabled as appropriate. CCE-3395-1 Private Profile - Inbound Connections CCE-3187-2 Domain Profile: Do not allow exceptions (SP2 only) CCE-2398-6 The "Limit local account user of blank passwords to console logon only" policy should be set correctly. CCE-3089-0 Auditing of "account logon" events on failure should be enabled or disabled as appropriate.. CCE-4916-3 Auditing of "Account Management: Other Account Management Events" events on success should be enabled or disabled as appropriate. CCE-4939-5 Auditing of "Policy Change: Filtering Platform Policy Change" events on failure should be enabled or disabled as appropriate. CCE-4194-7 The "User Account Control: Virtualize file and registry write failures to per-user locations" setting should be configured correctly. CCE-4861-1 The "remove computer from docking station" user right should be assigned to the correct accounts. CCE-3054-4 Domain Profile: Protect all network connections (SP2 only) CCE-3261-5 IP Source Routing should be properly configured. CCE-4206-9 The log file path and name for the Windows Firewall should be configured correctly for the Private Profile. CCE-3329-0 Standard Profile: Protect all network connections (SP2 only) CCE-4982-5 Auditing of "Object Access: SAM" events on failure should be enabled or disabled as appropriate. CCE-2363-0 The "account lockout duration" policy should meet minimum requirements. CCE-4086-5 The setup log maximum size should be configured correctly. CCE-3417-3 User notifications when a program is blocked from receiving inbound connections by Windows Firewall should be enabled or disabled as appropriate for the Private Profile. CCE-4687-0 The "debug programs" user right should be assigned to the correct accounts. CCE-7621-6 This policy setting determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. It enables or disables certificate rules (a type of software restriction policies rule). With soft ... CCE-4796-9 The "increase scheduling priority" user right should be assigned to the correct accounts. CCE-5018-7 Auditing of "Logon/Logoff: Logon" events on success should be enabled or disabled as appropriate. CCE-5101-1 IP Source Routing should be properly configured for IPv6. CCE-4970-0 The "synchronize directory service data" user right should be assigned to the correct accounts. CCE-3394-4 RPC Endpiont Mapper Client Authentication (SP2 only) CCE-2858-9 The "Restrict CD-ROM Access to Locally Logged-On User Only" policy should be set correctly. CCE-3405-8 Domain Profile: Allow local program exceptions CCE-3371-2 The "DCOM: Machine access Restrictions in Security Descriptor Definition Language (SDDL) syntax" setting should be configured correctly. CCE-3283-9 The "Force logoff when logon hours expire" policy should be set correctly. CCE-3260-7 The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Domain Profile. CCE-4271-3 The "MSS: (TCPMaxDataRetransmissions) IPv6, how many times unacknowledged data is retransmitted (3 recommended, 5 is default)" setting should be configured correctly. CCE-3414-0 The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Domain Profile. CCE-4207-7 The log file size limit for the Windows Firewall should be configured correctly for the Private Profile. CCE-2825-8 The "Remotely accessible registry paths" policy should be set correctly. CCE-3953-7 The "Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders" policy should be set correctly. CCE-3076-7 Auditing of "logon" events on success should be enabled or disabled as appropriate.. CCE-5038-5 Auditing of "Logon/Logoff: IPsec Quick Mode" events on success should be enabled or disabled as appropriate. CCE-3041-1 Auditing of "directory service access" events on success should be enabled or disabled as appropriate.. CCE-4990-8 Auditing of "Privilege Use: Non Sensitive Privilege Use" events on failure should be enabled or disabled as appropriate. CCE-3272-2 The behavior surrounding Anonymous users' abiliity to display lists of SAM accounts should be correct. CCE-4829-8 Auditing of "Object Access: Application Generated" events on failure should be enabled or disabled as appropriate. CCE-4651-6 The "Increase a Process Working Set" setting should be configured correctly. CCE-2924-9 Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Private Profile. CCE-5004-7 The "User Account Control: Only elevate executables that are signed and validated" setting should be configured correctly. CCE-4088-1 The "act as part of the operating system" user right should be assigned to the correct accounts. CCE-3415-7 Access to registry editing tools is set correctly. CCE-3196-3 The "when maximum log size is reached" property should be set correctly for the Security log. CCE-4140-0 Auditing of "Account Management: Distribution Group Management" events on failure should be enabled or disabled as appropriate. CCE-3173-2 Display Last User Name in Logon Screen should be properly configured. CCE-4904-9 Kerberos and RSVP Traffic Protected by IPSec should be properly configured. CCE-3380-3 The "Named Pipes that can be accessed anonymously" policy should be set correctly. CCE-3075-9 The "Maximum machine account password age" policy should be set correctly. CCE-2519-7 The amount of idle time required before disconnecting a session should be set correctly. CCE-3271-4 The "Turn on session logging" setting should be configured correctly. CCE-4828-0 Auditing of "Object Access: Handle Manipulation" events on success should be enabled or disabled as appropriate. CCE-2376-2 The "Number of Previous Logons to Cache" policy should be set correctly. CCE-4650-8 Auditing of "Logon/Logoff: IPsec Main Mode" events on failure should be enabled or disabled as appropriate. CCE-4673-0 The "force shutdown from a remote system" user right should be assigned to the correct accounts. CCE-3426-4 Public Profile - Apply Local Connection Security Rules CCE-4915-5 The "Disable Logging" setting should be configured correctly. CCE-5016-1 Auditing of "Logon/Logoff: IPsec Main Mode" events on success should be enabled or disabled as appropriate. CCE-3086-6 Logon - Do not process the run once list CCE-4382-8 The "Impersonate a client after authentication" user right should be assigned to the correct accounts. CCE-4938-7 Auditing of "Account Management: Application Group Management" events on success should be enabled or disabled as appropriate. CCE-3266-4 This policy setting determines which users or groups might launch or activate DCOM applications remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications. You can use this Group Policy setting to grant access to all the computers to particular ... CCE-3220-1 Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting determines whether it is necessary to contact a domain controller to unlock a computer. If you enable this setting, a domain c ... CCE-2650-0 Public Profile - Apply Local Firewall Rules CCE-3243-3 Auditing of "object access" events on failure should be enabled or disabled as appropriate.. CCE-3387-8 Standard Profile: Allow Remote Desktop exception (SP2 only) CCE-2839-9 The "restrict guest access to system log" policy should be set correctly. CCE-3450-4 Audit: Force audit policy subcategory settings are set correcly. CCE-4962-7 The "profile single process" user right should be assigned to the correct accounts. CCE-2322-6 Auditing of "privilege use" events on success should be enabled or disabled as appropriate.. CCE-4201-0 Auditing of "Policy Change: Audit Policy Change" events on success should be enabled or disabled as appropriate. CCE-5047-6 Auditing of "System: System Integrity" events on success should be enabled or disabled as appropriate. CCE-3001-5 The "Shut Down system immediately if unable to log security audits" policy should be set correctly. CCE-3232-6 The behavior surrounding Anonymous users' abiliity to display lists of SAM accounts and shares should be correct. CCE-3330-8 The "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly. CCE-3168-2 The "Restrict Floppy Access to Locally Logged-On User Only" policy should be set correctly. CCE-4973-4 The "bypass traverse checking" user right should be assigned to the correct accounts. CCE-4996-5 Auditing of "Object Access: Kernel Object" events on success should be enabled or disabled as appropriate. CCE-3278-9 Turn off Windows Update device driver searching CCE-3255-7 This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its computer account password. If you disable this policy setting, the domain member can change its compu ... CCE-2838-1 The "Send Unencrypted Password to Connect to Third-Party SMB Servers" policy should be set correctly. CCE-3024-7 Auditing of "process tracking" events on success should be enabled or disabled as appropriate.. CCE-4898-3 The "Disable Media Player for automatic updates" policy should be set correctly. CCE-5132-6 Auditing of "Object Access: Other Object Access Events" events on success should be enabled or disabled as appropriate. CCE-4940-3 The "LDAP client signing requirements" policy should be set correctly. CCE-4963-5 The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Private Profile. CCE-5048-4 Auditing of "Account Management: Security Group Management" events on success should be enabled or disabled as appropriate. CCE-4334-9 The "access this computer from the network" user right should be assigned to the correct accounts. CCE-3954-5 The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly. CCE-8404-6 The default behavior for AutoRun should be properly configured. CCE-3288-8 The "Prevent IIS Installation" setting should be configured correctly. CCE-4093-1 Auditing of "Account Management: Computer Account Management" events on success should be enabled or disabled as appropriate. CCE-3046-0 The "Turn off Untrusted Content" setting should be configured correctly. CCE-4300-0 Auditing of "Privilege Use: Sensitive Privilege Use" events on success should be enabled or disabled as appropriate. CCE-4656-5 The "deny logon through Terminal Services" user right should be assigned to the correct accounts. CCE-4213-5 The "Minimum session security for NTLM SSP based servers" policy should be set correctly. CCE-4467-7 This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevati ... CCE-3409-0 The "Windows Firewall: Prohibit notifications" setting should be configured correctly for the Standard Profile. CCE-3352-2 Standard Profile: Allow remote administration exception (SP2 only) CCE-3398-5 The "Prohibit non-administrators from applying vendor signed updates" setting should be configured correctly. CCE-3121-1 The "restrict guest access to application log" policy should be set correctly. CCE-5264-7 The "Screen Saver Executable Name" setting should be configured correctly for the current user. CCE-3462-9 Standard Profile: Define port exceptions (SP2 only) CCE-4841-3 The "Require Case Insensitivity for Non-Windows Sybsystems" policy should be set correctly. CCE-3023-9 The "Digitally Sign Server Communication (Always)" policy should be set correctly. CCE-4115-2 Auditing of "Account Management: Distribution Group Management" events on success should be enabled or disabled as appropriate. CCE-4083-2 The "log on as a batch job" user right should be assigned to the correct accounts. CCE-2927-2 Auditing of "process tracking" events on failure should be enabled or disabled as appropriate.. CCE-3309-2 Auditing of "directory service access" events on failure should be enabled or disabled as appropriate.. CCE-4569-0 The "shut down the system" user right should be assigned to the correct accounts. CCE-3287-0 Auditing of "account management" events on failure should be enabled or disabled as appropriate.. CCE-3362-1 The "Turn Off Access to All Windows Update Feature" setting should be configured correctly. CCE-4479-2 Auditing of "Policy Change: Other Policy Change Events" events on success should be enabled or disabled as appropriate. CCE-4907-2 This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC pol ... CCE-4335-6 Auditing of "Object Access: Filtering Platform Packet Drop" events on failure should be enabled or disabled as appropriate. CCE-3299-5 The log file size limit for the Windows Firewall should be configured correctly for the Domain Profile. CCE-3045-2 The "Prohibit Access of the Windows Connect Now Wizards" setting should be configured correctly. CCE-4863-7 The "change the system time" user right should be assigned to the correct accounts. CCE-3230-0 Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting determines whether it is necessary to contact a domain controller to unlock a computer. If you enable this setting, a domain c ... CCE-2785-4 TCP/IP NetBIOS Name Release on Request Prevented should be properly configured. CCE-3166-6 Private Profile - Outbound Connections CCE-3351-4 Public Profile - Outbound Connections CCE-5034-4 The "Disable Windows Error Reporting" setting should be configured correctly. CCE-3120-3 TCP/IP Dead Gateway Detection should be properly configured. CCE-2641-9 Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Public Profile. CCE-3429-8 The "Always Prompt Client for Password upon Connection" policy should be set correctly for Terminal Services. CCE-5011-2 Auditing of "Logon/Logoff: IPsec Extended Mode" events on success should be enabled or disabled as appropriate. CCE-2719-3 Autoplay on all Drive Types should be properly configured. CCE-3240-9 The "minimum password age" policy should meet minimum requirements. CCE-3263-1 Public Profile - Inbound Connections CCE-2905-8 The "when maximum log size is reached" property should be set correctly for the Application log. CCE-4204-4 Auditing of "Policy Change: MPSSVC Rule-Level Policy Change" events on failure should be enabled or disabled as appropriate. CCE-8250-3 Automatic Reboot After System Crash should be enabled or disabled as appropriate. CCE-2323-4 The "enforce password history" policy should meet minimum requirements. CCE-3177-3 The "account lockout threshold" policy should meet minimum requirements. CCE-2772-2 The "Interactive logon: Requre smart card" setting should be configured correctly. CCE-3361-3 The "Disconnect clients when logon hours expire" policy should be set correctly. CCE-5023-7 Auditing of "DS Access: Detailed Directory Service Replication" events on success should be enabled or disabled as appropriate. CCE-4568-2 Auditing of "Object Access: Filtering Platform Connection" events on success should be enabled or disabled as appropriate. CCE-5000-5 Auditing of "Detailed Tracking: DPAPI Activity" events on success should be enabled or disabled as appropriate. CCE-3033-8 The "password must meet complexity requirments" policy should be set correctly. CCE-2883-7 The "minimum password length" policy should meet minimum requirements. CCE-3252-4 The "Digitally Sign Client Communication (Always)" policy should be set correctly. CCE-3460-3 MSS:(TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted CCE-3165-8 The system log maximum size should be configured correctly. CCE-3142-7 The TCP/IP KeepAlive Time should be set correctly . CCE-3373-8 Private Profile- Firewall State CCE-5058-3 Auditing of "Policy Change: Authorization Policy Change" events on failure should be enabled or disabled as appropriate. CCE-4995-7 Auditing of "Policy Change: Other Policy Change Events" events on failure should be enabled or disabled as appropriate. CCE-5145-8 Auditing of "Object Access: File Share" events on failure should be enabled or disabled as appropriate. CCE-4885-0 Auditing of "Object Access: Kernel Object" events on failure should be enabled or disabled as appropriate. CCE-3067-6 System availability to Master Browser should be properly configured. CCE-3431-4 Domain Profile: Allow file and printer sharing exception (SP2 only) CCE-3138-5 The "Do not store LAN Manager hash value on next password change" policy should be set correctly. CCE-4857-9 Auditing of "Logon/Logoff: Account Lockout" events on failure should be enabled or disabled as appropriate. CCE-5020-3 The "Prohibit use of Internet Connection Firewall on your DNS domain network" setting should be configured correctly. CCE-5043-5 The screen saver should be enabled or disabled as appropriate for the current user. CCE-5066-6 Auditing of "Logon/Logoff: Other Logon/Logoff Events" events on failure should be enabled or disabled as appropriate. CCE-5089-8 Auditing of "DS Access: Directory Service Replication" events on success should be enabled or disabled as appropriate. CCE-2533-8 The log file path and name for the Windows Firewall should be configured correctly for the Domain Profile. CCE-7716-4 The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly. CCE-4759-7 Auditing of "Detailed Tracking: RPC Events" events on failure should be enabled or disabled as appropriate. CCE-5163-1 Auditing of "Logon/Logoff: Other Logon/Logoff Events" events on success should be enabled or disabled as appropriate. CCE-4869-4 Auditing of "Detailed Tracking: Process Termination" events on success should be enabled or disabled as appropriate. CCE-8516-7 The Windows Firewall inbound program exceptions list should be set appropriately for the Domain Profile. CCE-3311-8 The "store password using reversible encryption for all users in the domain" policy should be set correctly. CCE-4931-2 Auditing of "DS Access: Directory Service Access" events on failure should be enabled or disabled as appropriate. CCE-2970-2 Auditing of "logon" events on failure should be enabled or disabled as appropriate.. CCE-4691-2 Auditing of "Object Access: Other Object Access Events" events on failure should be enabled or disabled as appropriate. CCE-7629-9 The Windows Firewall "Define inbound program exceptions" policy should be enabled or disabled as appropriate for the Domain Profile. CCE-5067-4 Auditing of "DS Access: Directory Service Changes" events on success should be enabled or disabled as appropriate. CCE-4278-8 The log file size limit for the Windows Firewall should be configured correctly for the Public Profile. CCE-4921-3 Auditing of "Object Access: File System" events on success should be enabled or disabled as appropriate. CCE-4048-5 The "modify firmware environment values" user right should be assigned to the correct accounts. CCE-3367-0 The "Sharing and security model for local accounts" policy should be set correctly. CCE-3246-6 Public Profile- Firewall State CCE-4833-0 Auditing of "Account Management: User Account Management" events on success should be enabled or disabled as appropriate. CCE-4505-4 Auditing of "Logon/Logoff: IPsec Extended Mode" events on failure should be enabled or disabled as appropriate. CCE-2653-4 Auditing of "policy change" events on failure should be enabled or disabled as appropriate.. CCE-4868-6 Auditing of "Object Access: Certification Services" events on failure should be enabled or disabled as appropriate. CCE-4342-2 Auditing of "Logon/Logoff: Account Lockout" events on success should be enabled or disabled as appropriate. CCE-3379-5 The "Do not allow storage of credentials or .NET Passports" policy should be set correctly. CCE-4267-1 The "Set time limit for idle sessions" policy should be set correctly for Terminal Services. CCE-5079-9 Auditing of "Object Access: Filtering Platform Connection" events on failure should be enabled or disabled as appropriate. CCE-4955-1 The "User Account Control: Admin Approval Mode for the Built-in Administrator account" setting should be configured correctly. CCE-3125-2 The "Turn off shell protocol protected mode" setting should be configured correctly. CCE-3102-1 The "Log Access For Setup Log" setting should be configured correctly. CCE-3969-3 The "Clear Virtual Memory Pagefile at shutdown" policy should be set correctly. CCE-3212-8 The "Secure Channel: Require Strong (Windows 2000 or later) Session Key" policy should be set correctly. CCE-2457-0 The "Let Everyone permissions apply to anonymous users" policy should be set correctly. CCE-2359-8 The built-in Guest account should be correctly named. CCE-5177-1 Auditing of "Policy Change: Filtering Platform Policy Change" events on success should be enabled or disabled as appropriate. CCE-2679-9 TCP/IP SYN Flood Attack Protection should be properly configured. CCE-3320-9 Logon - Do not process the legacy run list CCE-5131-8 Auditing of "Privilege Use: Other Privilege Use Events" events on success should be enabled or disabled as appropriate. CCE-8387-3 The "Unsigned Driver Installation Behavior" policy should be set correctly. CCE-4757-1 The "create a pagefile" user right should be assigned to the correct accounts. CCE-3222-7 Auditing of "system" events on failure should be enabled or disabled as appropriate.. CCE-3015-5 The application log maximum size should be configured correctly.. CCE-3257-3 Auditing of "privilege use" events on failure should be enabled or disabled as appropriate.. CCE-3234-2 Auditing of "account management" events on success should be enabled or disabled as appropriate.. CCE-3440-5 Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Standard Profile. CCE-4700-1 Auditing of "Account Management: Application Group Management" events on failure should be enabled or disabled as appropriate. CCE-4867-8 The "deny logon as a service" user right should be assigned to the correct accounts. CCE-3949-5 TCP/IP PMTU Discovery should be properly configured. CCE-3486-8 The "Prevent Windows Media DRM Internet Access" setting should be configured correctly. CCE-3244-1 The automatic generation of 8.3 file names for NTFS should be enabled or disabled as appropriate. CCE-4877-7 Auditing of "Policy Change: Authentication Policy Change" events on success should be enabled or disabled as appropriate. CCE-4854-6 The "adjust memory quotas for a process" user right should be assigned to the correct accounts. CCE-4965-0 Auditing of "Object Access: Handle Manipulation" events on failure should be enabled or disabled as appropriate. CCE-8342-8 This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member will request encryption of all secure channel traffic. If you disable this policy setting, the domain m ... CCE-2380-4 The "Digitally Sign Client Communication (When Possible)" policy should be set correctly. CCE-3158-3 Domain Profile: Allow remote administration CCE-3365-4 The "Windows Firewall: Prohibit notifications" setting should be configured correctly for the Domain Profile. CCE-4200-2 Auditing of "Object Access: File Share" events on success should be enabled or disabled as appropriate. CCE-4988-2 The "take ownership of files or other objects" user right should be assigned to the correct accounts. CCE-4612-8 This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name ... CCE-4889-2 The "deny logon locally" user right should be assigned to the correct accounts. CCE-4658-1 Auditing of "DS Access: Detailed Directory Service Replication" events on failure should be enabled or disabled as appropriate. CCE-4488-3 The "generate security audits" user right should be assigned to the correct accounts. CCE-4038-6 The "log on as a service" user right should be assigned to the correct accounts. CCE-3169-0 Prompt for password on resume from hibernate/suspend is set correctly. CCE-4976-7 Auditing of "System: Ipsec Driver" events on success should be enabled or disabled as appropriate. CCE-4722-5 The "deny logon as a batch job" user right should be assigned to the correct accounts. CCE-3331-6 The "Allow remote access to the PnP interface" setting should be configured correctly. CCE-4866-0 The "Set Client connection Encryption Level" policy should be set correctly for Terminal Services. CCE-2852-2 The "Reschedule Automatic Updates scheduled installations" should be set correctly CCE-3279-7 IRDP should be properly configured. CCE-3349-8 The "Shares that can be accessed anonymously" policy should be set correctly. CCE-3303-5 The "Audit the use of backup and restore privilege" policy should be set correctly. CCE-4020-4 The "User Account Control: Only elevate UIAccess applications that are installed in secure locations" setting should be configured correctly. CCE-3326-6 The "Allow undock without having to logon" policy should be set correctly. CCE-8389-9 Disable saving of dial-up passwords should be properly configured. CCE-4891-8 Auditing of "Detailed Tracking: RPC Events" events on success should be enabled or disabled as appropriate. CCE-4947-8 Auditing of "Object Access: Filtering Platform Packet Drop" events on success should be enabled or disabled as appropriate. CCE-3458-7 Domain Profile: Allow Remote Desktop exception (SP2 only) CCE-7615-8 The "add workstations to domain" user right should be assigned to the correct accounts. CCE-4597-1 The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Private Profile. CCE-4285-3 The "Modify an object label" user right should be assigned to the appropriate accounts. CCE-3160-9 Restrictions for Unauthenticated RPC clients (SP2 only) CCE-3469-4 The "Require a Password when a Computer Wakes (Plugged)" setting should be configured correctly. CCE-3217-7 This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. If you disable this policy ... CCE-4372-9 The "replace a process-level token" user right should be assigned to the correct accounts. CCE-3302-7 The security log maximum size should be configured correctly.. CCE-2778-9 Turn off Search Companion content file updates CCE-4792-8 The "Create global objects" user right should be assigned to the correct accounts. CCE-3325-8 The "Prevent Users from Installing Printer Drivers" policy should be set correctly. CCE-2964-5 Domain Profile: Allow UPnP framework exception (SP2 only) CCE-2820-9 Auditing of "account logon" events on success should be enabled or disabled as appropriate.. CCE-3436-3 Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Domain Profile. CCE-4902-3 The "Create a token object" user right should be assigned to the correct accounts. CCE-4925-4 The "User Account Control: Switch to the secure desktop when prompting for elevation" setting should be configured correctly. CCE-4493-3 Auditing of "Detailed Tracking: DPAPI Activity" events on failure should be enabled or disabled as appropriate. CCE-3459-5 MSS:(TCPMaxConnectResponseRetransmission) SYN-ACK retansmissions when a connection request is not acknowledged CCE-3314-2 The "Message title for users attempting to log on" policy should be set correctly. CCE-2975-1 The "Do not allow passwords to be saved" setting should be configured correctly for Terminal Services. CCE-5181-3 Auditing of "Policy Change: MPSSVC Rule-Level Policy Change" events on success should be enabled or disabled as appropriate. CCE-3292-0 The "Network access: Restrict anonymous access to named pipes and shares" setting should be configured correctly. CCE-4618-5 The "profile system performance" user right should be assigned to the correct accounts. CCE-2998-3 User notifications when a program is blocked from receiving inbound connections by Windows Firewall should be enabled or disabled as appropriate for the Public Profile. CCE-4078-2 The startup type of the Internet Connection Sharing service should be correct. CCE-2854-8 Private Profile - Apply Local Connection Security Rules CCE-5128-4 The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Public Profile. CCE-4176-4 Auditing of "DS Access: Directory Service Replication" events on failure should be enabled or disabled as appropriate. CCE-8608-2 CD Burning features in Windows Explorer should be enabled or disabled as appropriate. CCE-3239-1 ICMP Redirects should be properly configured. CCE-4629-2 The "Enable User Control Over Installs" policy should be set correctly. CCE-3456-1 The "Disable unpacking and installation of gadgets that are not digitally signed" setting should be configured correctly. CCE-3347-2 Standard Profile: Do not allow exceptions (SP2 only) CCE-4922-1 LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, th ... CCE-3072-6 Automatic Logon should be properly configured. CCE-5007-0 The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services. CCE-7624-0 The "System cryptography: Force strong key protection for user keys stored on the computer" policy should be enabled or disabled as appropriate. CCE-2821-7 The "Require a Password when a Computer Wakes (On Battery)" setting should be configured correctly. CCE-4166-5 Auditing of "Detailed Tracking: Process Creation" events on success should be enabled or disabled as appropriate. CCE-2953-8 Auditing of "system" events on success should be enabled or disabled as appropriate.. CCE-2724-3 Auditing of "object access" events on success should be enabled or disabled as appropriate.. CCE-3336-5 The "Message text for users attempting to log on" policy should be set correctly. CCE-4264-8 The "allow logon through Terminal Services" user right should be assigned to the correct accounts. CCE-4704-3 The "deny access to this computer from the network" user right should be assigned to the correct accounts. CCE-3181-5 Security Audit log warning level should be properly configured. CCE-4956-9 Auditing of "Logon/Logoff: Special Logon" events on success should be enabled or disabled as appropriate. CCE-2471-1 Enumerate administrator accounts on elevation CCE-5008-8 The "Change the time zone" user right should be assigned to the appropriate accounts. CCE-4583-1 The "Minimum session security for NTLM SSP based clients" policy should be set correctly. CCE-3225-0 The "Allowed to Format and Eject Removable NTFS Media" policy should be set correctly. CCE-5172-2 Auditing of "Policy Change: Authorization Policy Change" events on success should be enabled or disabled as appropriate. CCE-5084-9 Auditing of "Object Access: Application Generated" events on success should be enabled or disabled as appropriate. CCE-3411-6 The "Display user information when the session is locked" setting should be configured correctly. CCE-4046-9 The "manage auditing and security log" user right should be assigned to the correct accounts. CCE-4714-2 Auditing of "Object Access: Certification Services" events on success should be enabled or disabled as appropriate. CCE-3248-2 Use of the built-in Guest account should be enabled or disabled as appropriate. CCE-4507-0 The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Public Profile. CCE-2659-1 The "restrict guest access to security log" policy should be set correctly. CCE-3300-1 Notify antivirus programs when opening attachments is set correcly. CCE-3202-9 Domain Profile: Define port exceptions (SP2 only) CCE-3457-9 Domain Profile - Apply Local Firewall Rules CCE-4363-8 Auditing of "Detailed Tracking: Process Termination" events on failure should be enabled or disabled as appropriate. CCE-2977-7 Domain Profile - Apply Local Connection Security Rules CCE-4594-8 Auditing of "Object Access: Registry" events on success should be enabled or disabled as appropriate. CCE-2746-6 Auditing of "policy change" events on success should be enabled or disabled as appropriate.. CCE-4011-3 This policy setting determines the strength of the default discretionary access control list (DACL) for objects. The setting helps secure objects that can be located and shared among processes and its default configuration strengthens the DACL, because it allows users who are not administrators to r ... CCE-4639-1 The log file path and name for the Windows Firewall should be configured correctly for the Public Profile. CCE-2931-4 The "when maximum log size is reached" property should be set correctly for the System log. CCE-4616-9 Auditing of "Object Access: SAM" events on success should be enabled or disabled as appropriate. CCE-3358-9 The "Configure Automatic Updates" should be set correctly CCE-4703-5 Auditing of "Logon/Logoff: Logoff" events on success should be enabled or disabled as appropriate. CCE-3082-5 The startup type of the NetMeeting Remote Desktop Sharing service should be correct. CCE-3180-7 Domain Profile: Allow local port exceptions (SP2 only) CCE-3468-6 The "Do not send a Windows Error Report when a generic driver is installed on a device" setting should be configured correctly. CCE-5070-8 The "Prevent users from sharing files within their profile" setting should be configured correctly. CCE-4016-2 This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most co ... CCE-4969-2 The "Behavior of the elevation prompt for standard users" setting should be configured correctly. CCE-4184-8 The "create permanent shared objects" user right should be assigned to the correct accounts. CCE-4317-4 The "lock pages in memory" user right should be assigned to the correct accounts. CCE-4071-7 The "perform volume maintenance tasks" user right should be assigned to the correct accounts. CCE-8034-1 The "enable computer and user accounts to be trusted for delegation" user right should be assigned to the correct accounts. CCE-4827-2 The "back up files and directories" user right should be assigned to the correct accounts. CCE-4948-6 The "restore files and directories" user right should be assigned to the correct accounts. CCE-4034-5 The "load and unload device drivers" user right should be assigned to the correct accounts. CCE-3307-6 The "Disable CTRL+ALT+Delete Requirement for Logon" policy should be set correctly. CCE-3164-1 This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Di ... CCE-3233-4 The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly. CCE-3032-0 Use of the built-in Administrator account should be enabled or disabled as appropriate. CCE-2715-1 The "reset account lockout counter after" policy should meet minimum requirements. CCE-4290-3 The "Password protect the screen saver" setting should be configured correctly for the current user. CCE-3050-2 The "Screen Saver Timeout" setting should be configured correctly for the current user. CCE-4781-1 The "Remotely accessible registry paths and subpaths" policy should be set correctly. |
