Download
| Alert*
|
oval:org.secpod.oval:def:14723
This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. The "Allow certificate-based data recovery agent" check box is used to ... oval:org.secpod.oval:def:14587 This policy setting allows you to enable or disable Solicited (Ask for) Remote Assistance on this computer. If you enable this policy, users on this computer can use e-mail or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer ... oval:org.secpod.oval:def:14581 This policy setting allows you to enable or disable Solicited (Ask for) Remote Assistance on this computer. If you enable this policy, users on this computer can use e-mail or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer ... oval:org.secpod.oval:def:14652 This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. If you enable this policy setti ... oval:gov.nist.usgcb.windowsseven:def:117 This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local ... oval:org.secpod.oval:def:14667 Dictates whether or not Windows is allowed to use standby states when sleeping the computer. When this policy is enabled, Windows may use standby states to sleep the computer. If this policy is disabled, the only sleep state a computer may enter is hibernate. Fix: (1) GPO: Computer Confi ... oval:gov.nist.usgcb.windowsseven:def:108 This security setting determines whether a computer can be shut down without having to log on to Windows. When this policy is enabled, the Shut Down command is available on the Windows logon screen. When this policy is disabled, the option to shut down the computer does not appear on the Windows l ... oval:gov.nist.usgcb.windowsseven:def:261 By default administrator accounts are not displayed when attempting to elevate a running application. If you enable this policy setting, all local administrator accounts on the machine will be displayed so the user can choose one and enter the correct password. If you disable this policy setting, ... oval:gov.nist.usgcb.windowsseven:def:278 This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session is kept active on the server. By default, Remote Desktop Services allows users to disconnect ... oval:gov.nist.usgcb.windowsseven:def:258 Sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program ... oval:gov.nist.usgcb.windowsseven:def:113 This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: * Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the opera ... oval:gov.nist.usgcb.windowsseven:def:252 Enabling this setting directs RPC Clients that need to communicate with the Endpoint Mapper Service to authenticate as long as the RPC call for which the endpoint needs to be resolved has authentication information. Disabling this setting will cause RPC Clients that need to communicate with the End ... oval:org.secpod.oval:def:14801 The Windows Customer Experience Improvement Program will collect information about your hardware configuration and how you use our software and services to identify trends and usage patterns. We will not collect your name, address, or any other personally identifiable information. There are no surve ... oval:gov.nist.usgcb.windowsseven:def:130 The default IPsec exemptions that were present in Windows XP and Windows 2000 except for the Internet Key Exchange (IKE) exemption were removed from Windows Server 2003. The IKE exemption is specific to source and destination port UDP 500. IKE always receives this type of packet from any source addr ... oval:gov.nist.usgcb.windowsseven:def:291 This policy setting allows you to turn off the Data Execution Prevention feature for Internet Explorer on Windows Server 2008, Windows Vista SP1 and Windows XP SP3. If you enable this policy setting, Internet Explorer will not opt-in to Data Execution Prevention on platforms that support the SetPro ... oval:gov.nist.usgcb.windowsseven:def:134 This setting is used to enable or disabled the Internet Router Discovery Protocol (IRDP). IRDP allows the system to detect and configure Default Gateway addresses automatically. HKLM\System\CurrentControlSet\Tcpip\Parameters\PerformRouterDiscovery It enables or disables the Internet Router Discover ... oval:org.secpod.oval:def:14698 This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker. Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker. If you en ... oval:gov.nist.usgcb.windowsseven:def:118 This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ...\Program Files\, including subfolders - ...\Windows\system32\ ... oval:gov.nist.usgcb.windowsseven:def:107 Enabling this security option makes the Recovery Console SET command available, which allows you to set the following Recovery Console environment variables: AllowWildCards: Enable wildcard support for some commands (such as the DEL command). AllowAllPaths: Allow access to all files and folders on ... oval:gov.nist.usgcb.windowsseven:def:123 IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. Microsoft recommends to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable ... oval:gov.nist.usgcb.windowsseven:def:119 This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: * Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy ... oval:gov.nist.usgcb.windowsseven:def:236 Specifies whether to allow printing over HTTP from this client. Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. Note: This setting affects the client side of Internet printing only. It does not prevent this machine from acting as an Internet Printin ... oval:gov.nist.usgcb.windowsseven:def:259 Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately. Prior to XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and ... oval:gov.nist.usgcb.windowsseven:def:295 Permits users to change installation options that typically are available only to system administrators. This setting bypasses some of the security features of Windows Installer. It permits installations to complete that otherwise would be halted due to a security violation. The security features ... oval:gov.nist.usgcb.windowsseven:def:105 This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: Require NTLMv2 session security: The connection will fail if message int ... oval:org.secpod.oval:def:14684 This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker. When this policy setting is enabled you can select property settings that control how users can configure BitLocker. Choose "Allow users to apply BitLocker pro ... oval:gov.nist.usgcb.windowsseven:def:137 The registry value entry TCPMaxDataRetransmissions was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is ... oval:org.secpod.oval:def:14675 This policy setting controls computer restart performance at the risk of exposing BitLocker secrets. This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material used to encrypt data. This policy setting applies only when BitLocker protection is enabled. If you ... oval:gov.nist.usgcb.windowsseven:def:234 Specifies whether Windows should download a list of providers for the Web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded f ... oval:org.secpod.oval:def:14646 This policy setting allows you to control how BitLocker-protected removable data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The "Allow data recovery agent" check box is used to specify whether a data recovery ... oval:org.secpod.oval:def:14623 This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. Note: Only one of the additi ... oval:gov.nist.usgcb.windowsseven:def:238 Specifies whether Search Companion should automatically download content updates during local and Internet searches. When the user searches the local machine or the Internet, Search Companion occasionally connects to Microsoft to download an updated privacy policy and additional content files used ... oval:org.secpod.oval:def:14756 This security setting determines whether the system shuts down if it is unable to log security events. If this security setting is enabled, it causes the system to stop if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full an ... oval:gov.nist.usgcb.windowsseven:def:268 This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure th ... oval:org.secpod.oval:def:14642 This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows you to associate a unique organizational identifier ... oval:gov.nist.usgcb.windowsseven:def:102 This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send LM & ... oval:gov.nist.usgcb.windowsseven:def:246 Specifies whether or not the user is prompted for a password when the system resumes from sleep. If you enable this policy, or if it is not configured, the user is prompted for a password when the system resumes from sleep. If you disable this policy, the user is not prompted for a password when ... oval:org.secpod.oval:def:14732 This policy setting determines which users or groups can access DCOM application remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications. You can use this policy setting to specify access permissions to all the computers to particular users for ... oval:org.secpod.oval:def:14553 This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. Configures access to remote shells. If you enable this policy setting and set it to False, new remote shell connections will be rejected by the server. If you disable o ... oval:gov.nist.usgcb.windowsseven:def:106 This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system. Default: This policy is not de ... oval:org.secpod.oval:def:14724 This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLock ... oval:org.secpod.oval:def:14691 This policy setting allows you to associate an object identifier from a smart card certificate to a BitLocker-protected drive. This policy setting is applied when you turn on BitLocker. The object identifier is specified in the enhanced key usage (EKU) of a certificate. BitLocker can identify whic ... oval:gov.nist.usgcb.windowsseven:def:265 This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure th ... oval:gov.nist.usgcb.windowsseven:def:277 This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. If you enable this policy setting, you must select the desired time limit in the Idle session limit drop-down ... oval:org.secpod.oval:def:14749 This security setting determines if users' private keys require a password to be used. The options are: User input is not required when new keys are stored and used User is prompted when the key is first used User must enter a password each time they use a key For more information, see Public ... oval:gov.nist.usgcb.windowsseven:def:275 Specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. By default, ... oval:gov.nist.usgcb.windowsseven:def:116 This policy setting controls the behavior of application installation detection for the computer. The options are: * Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and ... oval:gov.nist.usgcb.windowsseven:def:135 Most programs on the Windows platform make use of various Dynamic Link Libraries (DLL) to avoid having to reimplement functionality. The operating system actually loads several DLLs for each program, depending on what type of program it is. When the program does not specify an absolute location for ... oval:org.secpod.oval:def:14619 This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. The "Allow certificate-based data recovery agent" check box is used to ... oval:gov.nist.usgcb.windowsseven:def:247 Specifies whether or not the user is prompted for a password when the system resumes from sleep. If you enable this policy, or if it is not configured, the user is prompted for a password when the system resumes from sleep. If you disable this policy, the user is not prompted for a password when ... oval:gov.nist.usgcb.windowsseven:def:112 This security setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. ... oval:gov.nist.usgcb.windowsseven:def:249 This policy setting allows you to enable or disable Solicited (Ask for) Remote Assistance on this computer. If you enable this policy, users on this computer can use e-mail or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer ... oval:org.secpod.oval:def:14591 Specifies whether to require the use of a specific encryption level to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. If you enable this setting, all communications between clients and RD Session Host servers during remote connect ... oval:org.secpod.oval:def:14760 This policy setting controls Event Log behavior when the log file reaches its maximum size. When this policy setting is enabled and a log file reaches its maximum size, new events are not written to the log and are lost. When this policy setting is disabled and a log file reaches its maximum size, ... oval:gov.nist.usgcb.windowsseven:def:139 The registry value entry WarningLevel was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ registry key. The entry appears as MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning in th ... oval:org.secpod.oval:def:14708 This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives. If you choose to permit the use of a password, you can require that a password be used, enforce complexity requirements on the password, and configure a minimum length for the password. For ... oval:gov.nist.usgcb.windowsseven:def:122 Determines whether the automatic logon feature is enabled. Automatic logon uses the domain, user name, and password stored in the registry to log users on to the computer when the system starts. The Log On to Windows dialog box is not displayed. This entry determines whether the automatic logon fea ... oval:gov.nist.usgcb.windowsseven:def:110 For the Schannel Security Service Provider (SSP), this security setting disables the weaker Secure Sockets Layer (SSL) protocols and supports only the Transport Layer Security (TLS) protocols as a client and as a server (if applicable). If this setting is enabled, Transport Layer Security/Secure Soc ... oval:gov.nist.usgcb.windowsseven:def:127 Internet Control Message Protocol (ICMP) redirects cause the stack to plumb host routes. These routes override the Open Shortest Path First (OSPF)-generated routes, attackers can use source routed packets to conceal the address of their computer. HKLM\System\CurrentControlSet\Services\Tcpip\Paramete ... oval:gov.nist.usgcb.windowsseven:def:221 This policy setting allows you to allow or deny remote access to the Plug and Play interface. If you enable this policy setting, remote connections to the Plug and Play interface are allowed. If you disable or do not configure this policy setting, remote connections to the Plug and Play interface ... oval:gov.nist.usgcb.windowsseven:def:100205 Ignores customized run-once lists. You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. If you enable ... oval:gov.nist.usgcb.windowsseven:def:136 Setting Added to Registry to Make Screensaver Password Protection Immediate The default grace period allowed for user movement before the screen - saver lock takes effect is five seconds. Leaving the grace period in the default setting makes your computer vulnerable to a potential attack from someon ... oval:gov.nist.usgcb.windowsseven:def:109 This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and i ... oval:gov.nist.usgcb.windowsseven:def:120 This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: * Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and st ... oval:gov.nist.usgcb.windowsseven:def:121 This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. Th ... oval:org.secpod.oval:def:14726 This policy setting configures whether or not fixed data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) operating systems. If this policy sett ... oval:org.secpod.oval:def:14811 Ignores the customized run list. You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs are added to the standard run list of programs and servic ... oval:gov.nist.usgcb.windowsseven:def:260 If this policy is enabled, autoplay will not be enabled for non-volume devices like MTP devices. If you disable or not configure this policy, autoplay will continue to be enabled for non-volume devices. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\AutoPlay Poli ... oval:org.secpod.oval:def:14655 This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-on ... oval:org.secpod.oval:def:14707 This policy setting specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choose to allow use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting t ... oval:gov.nist.usgcb.windowsseven:def:132 Network basic input/output system (NetBIOS) over TCP/IP is a networking protocol that, among other things, provides a means of easily resolving NetBIOS names registered on Windows- based systems to the IP addresses configured on those systems. This value determines whether the computer releases its ... oval:gov.nist.usgcb.windowsseven:def:267 This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure th ... oval:gov.nist.usgcb.windowsseven:def:266 This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure th ... oval:org.secpod.oval:def:14658 This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The "Allow data recovery agent" check box is used to specify whether a data recovery age ... oval:org.secpod.oval:def:14690 This policy setting configures whether or not removable data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) operating systems. If this policy ... oval:org.secpod.oval:def:14656 This policy setting allows you to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer. If you enable this policy setting smart cards can be used to authenticate user access to the drive. You can require a smart card authenti ... oval:gov.nist.usgcb.windowsseven:def:271 By default, users can add their computer to a homegroup on a home network. If you enable this policy setting, a user on this computer will not be able to add this computer to a homegroup. This setting does not affect other network sharing features. If you disable or do not configure this policy s ... oval:org.secpod.oval:def:14647 This policy setting allows you to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer. If you enable this policy setting smart cards can be used to authenticate user access to the drive. You can require a smart card authenti ... oval:gov.nist.usgcb.windowsseven:def:100 This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in ... oval:gov.nist.usgcb.windowsseven:def:114 This policy setting controls the behavior of the elevation prompt for administrators. The options are: * Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constraine ... oval:org.secpod.oval:def:14674 This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: Administrators Administrators and Interactive Users Default: This policy is not defined and only Administrators have this ability. Fix: (1) GPO: Computer Configuration\Windo ... oval:gov.nist.usgcb.windowsseven:def:115 This policy setting controls the behavior of the elevation prompt for standard users. The options are: * Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the oper ... oval:gov.nist.usgcb.windowsseven:def:104 This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: Require NTLMv2 session security: The connection will fail if NTLMv2 prot ... oval:gov.nist.usgcb.windowsseven:def:111 This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX. If this setting is enabled, case insensitivity is enforced for all directory object ... oval:gov.nist.usgcb.windowsseven:def:103 This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows: None: The LDAP BIND request is issued with the options that are specified by the caller. Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS ... oval:gov.nist.usgcb.windowsseven:def:20013 Hiding the computer from the Browse List removes one method attackers might use to gether information about computers on the network. You can configure a computer so that it does not send announcements to browsers on the domain. If you do, you hide the computer from the Network Browser list; it doe ... oval:gov.nist.usgcb.windowsseven:def:20012 Allowing source routed network traffic allows attackers to obscure their identity and location. IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. Vulnerability: Source routing allows a computer that sends a pack ... oval:gov.nist.usgcb.windowsseven:def:20019 This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. * Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevati ... oval:gov.nist.usgcb.windowsseven:def:20018 This policy setting allows you to set the encryption types that Kerberos is allowed to use. If not selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. Multiple selections are permitted. This policy is supporte ... oval:gov.nist.usgcb.windowsseven:def:20014 The registry value entry TCPMaxDataRetransmissions was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is ... oval:gov.nist.usgcb.windowsseven:def:20017 This policy will be turned off by default on domain joined machines. This would disallow the online identities to be able to authenticate to the domain joined machine in Windows 7. Windows 7 and Windows Server 2008 R2 introduce an extension to the Negotiate authentication package, Spnego.dll. In pr ... oval:gov.nist.usgcb.windowsseven:def:20016 Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow LocalSystem NULL session fallback (2 ... oval:gov.nist.usgcb.windowsseven:def:56 This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect. Enabling this option when the Audit privilege use policy is also enabled generates an audit event for every file that is backed up or rest ... oval:gov.nist.usgcb.windowsseven:def:57 Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category le ... oval:gov.nist.usgcb.windowsseven:def:51 This security setting determines if the Guest account is enabled or disabled. Default: Disabled. Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microso ... oval:gov.nist.usgcb.windowsseven:def:52 This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. Default: Ena ... oval:gov.nist.usgcb.windowsseven:def:23 This privilege determines if the user can create a symbolic link from the computer he is logged on to. Default: Administrator WARNING: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. ... oval:gov.nist.usgcb.windowsseven:def:29 This security setting determines which users and groups are prohibited from logging on as a Remote Desktop Services client. Default: None. Important This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2. Fix: (1) GPO: Computer Configuration ... oval:gov.nist.usgcb.windowsseven:def:25 This security setting determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. Default: Guest Fix: (1) GPO: Computer Configuration\Windows ... oval:gov.nist.usgcb.windowsseven:def:26 This security setting determines which accounts are prevented from being able to log on as a batch job. This policy setting supersedes the Log on as a batch job policy setting if a user account is subject to both policies. Default: None. Fix: (1) GPO: Computer Configuration\Windows Settings\Secur ... oval:gov.nist.usgcb.windowsseven:def:28 This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies. Important If you apply this security policy to the Everyone group, no one will be able to lo ... oval:gov.nist.usgcb.windowsseven:def:32 Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a serv ... oval:gov.nist.usgcb.windowsseven:def:30 This security setting determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy ... oval:gov.nist.usgcb.windowsseven:def:82 This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. The server message block (SMB) protocol provides the ba ... oval:gov.nist.usgcb.windowsseven:def:87 This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to gr ... oval:gov.nist.usgcb.windowsseven:def:88 Network access: Do not allow storage of credentials or .NET Passports for network authentication This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication. If you enable this setting, Credential Manager does not st ... oval:gov.nist.usgcb.windowsseven:def:89 This security setting determines what additional permissions are granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrat ... oval:gov.nist.usgcb.windowsseven:def:86 This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an adminis ... oval:gov.nist.usgcb.windowsseven:def:90 This policy setting determines which communication sessions, or pipes, have attributes and permissions that allow anonymous access. Restricting access over named pipes such as COMNAP and LOCATOR helps prevent unauthorized access to the network. The table in the Vulnerability section lists default na ... oval:gov.nist.usgcb.windowsseven:def:91 This security setting determines which registry keys can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications ... oval:gov.nist.usgcb.windowsseven:def:92 This security setting determines which registry paths and subpaths can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Even ... oval:gov.nist.usgcb.windowsseven:def:93 When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: Network access: Named pipes that can be accessed anonymously Network access: Shares that can be accessed anonymously Default: Enabled. The server service restricts unauthenticated clients acces ... oval:gov.nist.usgcb.windowsseven:def:94 This security setting determines which network shares can accessed by anonymous users. Default: None specified. This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be a ... oval:gov.nist.usgcb.windowsseven:def:95 This security setting determines how network logons that use local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. The Classic model allows fine control over access to resources. By using the Cl ... oval:gov.nist.usgcb.windowsseven:def:65 This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channe ... oval:gov.nist.usgcb.windowsseven:def:66 Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified ... oval:gov.nist.usgcb.windowsseven:def:67 This setting controls the maximum password age that a machine account may have. This security setting determines how often a domain member will attempt to change its computer account password. Default: 30 days. Important This setting applies to Windows 2000 computers, but it is not available thr ... oval:gov.nist.usgcb.windowsseven:def:68 This security setting determines whether 128-bit key strength is required for encrypted secure channel data. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller w ... oval:gov.nist.usgcb.windowsseven:def:61 This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can ... oval:gov.nist.usgcb.windowsseven:def:69 This security setting determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen. If this policy is enabled, the name of the last user to successfully log on is not displayed in the Logon Screen. ". If this policy is disabled, the name of t ... oval:gov.nist.usgcb.windowsseven:def:70 This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the us ... oval:gov.nist.usgcb.windowsseven:def:76 This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are: * No Action * Lock Workstation * Force Logoff * Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog bo ... oval:gov.nist.usgcb.windowsseven:def:79 If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk. Default: Disabled. Fix: (1) GPO: Com ... oval:gov.nist.usgcb.windowsseven:def:73 All previous users' logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they are able to log on . If a domain controller is unavailable and a user's logon information is cached, the user is prompted with a mess ... oval:gov.nist.usgcb.windowsseven:def:75 Logon information must be provided to unlock a locked computer. For domain accounts, this security setting determines whether a domain controller must be contacted to unlock a computer. If this setting is disabled, a user can unlock the computer using cached credentials. If this setting is enabled, ... oval:gov.nist.usgcb.windowsseven:def:6 This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum passw ... oval:gov.nist.usgcb.windowsseven:def:5 This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If ... oval:gov.nist.usgcb.windowsseven:def:8 This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: Not contain the user's account name or parts of the user's full name that exceed two consecutive characters Be at least ... oval:gov.nist.usgcb.windowsseven:def:7 This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. Default: 7 on domain controllers. 0 on sta ... oval:gov.nist.usgcb.windowsseven:def:10 This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right. Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default on workstations and ser ... oval:gov.nist.usgcb.windowsseven:def:14 This security setting determines which users or groups have permission to log on as a Remote Desktop Services client. Default: On workstation and servers: Administrators, Remote Desktop Users. On domain controllers: Administrators. Important This setting does not have any effect on Windows 2000 ... oval:gov.nist.usgcb.windowsseven:def:2 The maximum number of failed attempts that can occur before the account is locked out This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout dura ... oval:gov.nist.usgcb.windowsseven:def:1 This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator exp ... oval:gov.nist.usgcb.windowsseven:def:4 This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. This policy enables administrators to enhance security by ensuring that old passwords are not reused ... oval:gov.nist.usgcb.windowsseven:def:3 This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less ... |
