Download
| Alert*
|
oval:org.secpod.oval:def:14593
The Wired AutoConfig (DOT3SVC) service is responsible for performing IEEE 802.1X authentication on Ethernet interfaces. If your current wired network deployment enforces 802.1X authentication, the DOT3SVC service should be configured to run for establishing Layer 2 connectivity and/or providing acce ... oval:org.secpod.oval:def:14577 Specifies a set of parameters for controlling the Windows NTP Client. NtpServer: The Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of "dnsName,flags" where flags is a hexadecimal bitmask of the flags for that host. For more information, see t ... oval:gov.nist.usgcb.windowsseven:def:145 Performs networking tasks associated with configuration and maintenance of homegroups. If this service is stopped or disabled, your computer will be unable to detect other homegroups and your homegroup might not work properly. It is recommended that you keep this service running. Fix: (1) GPO: NOT ... oval:gov.nist.usgcb.windowsseven:def:117 This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local ... oval:gov.nist.usgcb.windowsseven:def:261 By default administrator accounts are not displayed when attempting to elevate a running application. If you enable this policy setting, all local administrator accounts on the machine will be displayed so the user can choose one and enter the correct password. If you disable this policy setting, ... oval:gov.nist.usgcb.windowsseven:def:278 This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session is kept active on the server. By default, Remote Desktop Services allows users to disconnect ... oval:gov.nist.usgcb.windowsseven:def:258 Sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program ... oval:gov.nist.usgcb.windowsseven:def:113 This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: * Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the opera ... oval:gov.nist.USGCB.win7firewall:def:20921 The Private Profile is used only if a local administrator changes the profile for a computer connected previously to a public network (using a Public Profile). Default: Yes Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Fire ... oval:gov.nist.usgcb.windowsseven:def:130 The default IPsec exemptions that were present in Windows XP and Windows 2000 except for the Internet Key Exchange (IKE) exemption were removed from Windows Server 2003. The IKE exemption is specific to source and destination port UDP 500. IKE always receives this type of packet from any source addr ... oval:gov.nist.usgcb.windowsseven:def:212 This policy setting determines whether to require domain users to elevate when setting a network's location. If you enable this policy setting, domain users must elevate when setting a network's location. If you disable or do not configure this policy setting, domain users can set a netw ... oval:gov.nist.usgcb.windowsseven:def:134 This setting is used to enable or disabled the Internet Router Discovery Protocol (IRDP). IRDP allows the system to detect and configure Default Gateway addresses automatically. HKLM\System\CurrentControlSet\Tcpip\Parameters\PerformRouterDiscovery It enables or disables the Internet Router Discover ... oval:org.secpod.oval:def:14748 This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users saved credentials might be compromised if this privilege is given to other entities. Saved credentials of users may be compromised if this privilege is ... oval:gov.nist.usgcb.windowsseven:def:245 This setting forces the user to log on to the computer using the classic logon screen. By default, a workgroup is set to use the simple logon screen. This setting only works when the computer is not on a domain. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Logon\Always use ... oval:gov.nist.USGCB.win7firewall:def:20910 The Domain Profile is used when the computer is connected to a network and is authenticated to a domain controller. Default: Yes Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall ... oval:gov.nist.usgcb.windowsseven:def:118 This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ...\Program Files\, including subfolders - ...\Windows\system32\ ... oval:gov.nist.USGCB.win7firewall:def:20905 Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. Default: No Fix: (1) GPO: Computer Configuration\Windows Settings\Securit ... oval:gov.nist.usgcb.windowsseven:def:107 Enabling this security option makes the Recovery Console SET command available, which allows you to set the following Recovery Console environment variables: AllowWildCards: Enable wildcard support for some commands (such as the DEL command). AllowAllPaths: Allow access to all files and folders on ... oval:gov.nist.usgcb.windowsseven:def:123 IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. Microsoft recommends to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable ... oval:gov.nist.usgcb.windowsseven:def:119 This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: * Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy ... oval:gov.nist.usgcb.windowsseven:def:250 This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance. If you enable this policy setting, log files will be generated. If you disable this policy setting, log files will not be generated. If you do not configure ... oval:gov.nist.usgcb.windowsseven:def:279 Specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. You can use this setting to maintain a user's session-specific temporary folders on a remote computer, even if the user logs off from a session. By default, Remote Desktop Services deletes ... oval:gov.nist.usgcb.windowsseven:def:129 This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. HKLM\System\CurrentControlSet\Tcpip\Parameters\KeepAliveTime Fix: (1) GPO: Computer Configu ... oval:gov.nist.usgcb.windowsseven:def:137 The registry value entry TCPMaxDataRetransmissions was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is ... oval:gov.nist.USGCB.win7firewall:def:20932 The Public Profile is the default profile for a computer connected to a public network but not connected to a domain controller. This should be the most restricted profile. Default: Yes Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security ... oval:gov.nist.USGCB.win7firewall:def:20933 The Public Profile is the default profile for a computer connected to a public network but not connected to a domain controller. This should be the most restricted profile. Default: Yes Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security ... oval:gov.nist.usgcb.windowsseven:def:218 This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 Wi-Fi, through the Windows Portable Device API (WPD), and via USB Flash drives. Additiona ... oval:gov.nist.usgcb.windowsseven:def:238 Specifies whether Search Companion should automatically download content updates during local and Internet searches. When the user searches the local machine or the Internet, Search Companion occasionally connects to Microsoft to download an updated privacy policy and additional content files used ... oval:gov.nist.USGCB.win7firewall:def:20915 Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. Default: No Fix: (1) GPO: Computer Configuration\Windows Setting ... oval:gov.nist.USGCB.win7firewall:def:20924 The Private Profile is used only if a local administrator changes the profile for a computer connected previously to a public network (using a Public Profile). Default: Block Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Fi ... oval:gov.nist.usgcb.windowsseven:def:142 The Bluetooth service supports discovery and association of remote Bluetooth devices. Stopping or disabling this service may cause already installed Bluetooth devices to fail to operate properly and prevent new devices from being discovered or associated. Fix: (1) GPO: NOT AVAILABLE (2) REG: HKEY ... oval:gov.nist.USGCB.win7firewall:def:20926 Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. Default: No Fix: (1) GPO: Computer Configuration\Windows Setting ... oval:gov.nist.USGCB.win7firewall:def:20911 The Domain Profile is used when the computer is connected to a network and is authenticated to a domain controller. Default: Yes Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall ... oval:gov.nist.usgcb.windowsseven:def:268 This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure th ... oval:gov.nist.USGCB.win7firewall:def:20935 The Public Profile is the default profile for a computer connected to a public network but not connected to a domain controller. This should be the most restricted profile. Default: Block Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Securi ... oval:gov.nist.usgcb.windowsseven:def:253 Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. If you leave this policy setting enabled, Users will be able to use MSDT to collect and send diagnostic data to a support professional to resolve a problem. By default, the support provider is s ... oval:gov.nist.usgcb.windowsseven:def:102 This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send LM & ... oval:gov.nist.USGCB.win7firewall:def:20931 The Public Profile is the default profile for a computer connected to a public network but not connected to a domain controller. This should be the most restricted profile. Default: Yes Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security ... oval:gov.nist.usgcb.windowsseven:def:246 Specifies whether or not the user is prompted for a password when the system resumes from sleep. If you enable this policy, or if it is not configured, the user is prompted for a password when the system resumes from sleep. If you disable this policy, the user is not prompted for a password when ... oval:org.secpod.oval:def:14553 This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. Configures access to remote shells. If you enable this policy setting and set it to False, new remote shell connections will be rejected by the server. If you disable o ... oval:gov.nist.usgcb.windowsseven:def:100202 Disables the remote desktop sharing feature of NetMeeting. Users will not be able to set it up or use it for controlling their computers remotely. Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop s ... oval:org.secpod.oval:def:14701 This security setting determines if digital certificates are processed when a user or process attempts to run software with an .exe file name extension. This security settings is used to enable or disable certificate rules, a type of software restriction policies rule. With software restriction poli ... oval:gov.nist.usgcb.windowsseven:def:106 This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system. Default: This policy is not de ... oval:gov.nist.usgcb.windowsseven:def:265 This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure th ... oval:gov.nist.usgcb.windowsseven:def:277 This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. If you enable this policy setting, you must select the desired time limit in the Idle session limit drop-down ... oval:org.secpod.oval:def:14749 This security setting determines if users' private keys require a password to be used. The options are: User input is not required when new keys are stored and used User is prompted when the key is first used User must enter a password each time they use a key For more information, see Public ... oval:gov.nist.usgcb.windowsseven:def:275 Specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. By default, ... oval:gov.nist.usgcb.windowsseven:def:116 This policy setting controls the behavior of application installation detection for the computer. The options are: * Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and ... oval:gov.nist.usgcb.windowsseven:def:214 This policy setting allows you to configure 6to4, an address assignment and router-to-router automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 uses the global address prefix: 2002:WWXX:YYZZ::/48 in which the l ... oval:gov.nist.usgcb.windowsseven:def:135 Most programs on the Windows platform make use of various Dynamic Link Libraries (DLL) to avoid having to reimplement functionality. The operating system actually loads several DLLs for each program, depending on what type of program it is. When the program does not specify an absolute location for ... oval:gov.nist.USGCB.win7firewall:def:20916 Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. Default: No Fix: (1) GPO: Computer Configuration\Windows Settings\Securit ... oval:gov.nist.USGCB.win7firewall:def:20913 The Domain Profile is used when the computer is connected to a network and is authenticated to a domain controller. Default: Block Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewa ... oval:gov.nist.usgcb.windowsseven:def:247 Specifies whether or not the user is prompted for a password when the system resumes from sleep. If you enable this policy, or if it is not configured, the user is prompted for a password when the system resumes from sleep. If you disable this policy, the user is not prompted for a password when ... oval:gov.nist.usgcb.windowsseven:def:272 Controls whether passwords can be saved on this computer from Remote Desktop Connection. If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Conne ... oval:gov.nist.USGCB.win7firewall:def:20909 The Domain Profile is used when the computer is connected to a network and is authenticated to a domain controller. Default: Yes Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall ... oval:org.secpod.oval:def:14796 Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, ... oval:gov.nist.usgcb.windowsseven:def:213 This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly. When a remote client computer connects to an internal network using DirectAccess, it can access the Internet in two ways: throu ... oval:gov.nist.usgcb.windowsseven:def:139 The registry value entry WarningLevel was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ registry key. The entry appears as MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning in th ... oval:gov.nist.usgcb.windowsseven:def:287 If this setting is enabled Windows Error Reporting events will not be logged to the system event log. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Disable Logging (2) REG: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Er ... oval:gov.nist.USGCB.win7firewall:def:20914 The Domain Profile is used when the computer is connected to a network and is authenticated to a domain controller. Default: Allow Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewa ... oval:gov.nist.usgcb.windowsseven:def:122 Determines whether the automatic logon feature is enabled. Automatic logon uses the domain, user name, and password stored in the registry to log users on to the computer when the system starts. The Log On to Windows dialog box is not displayed. This entry determines whether the automatic logon fea ... oval:gov.nist.USGCB.win7firewall:def:20927 Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. Default: No Fix: (1) GPO: Computer Configuration\Windows Settings\Securit ... oval:gov.nist.usgcb.windowsseven:def:127 Internet Control Message Protocol (ICMP) redirects cause the stack to plumb host routes. These routes override the Open Shortest Path First (OSPF)-generated routes, attackers can use source routed packets to conceal the address of their computer. HKLM\System\CurrentControlSet\Services\Tcpip\Paramete ... oval:gov.nist.usgcb.windowsseven:def:221 This policy setting allows you to allow or deny remote access to the Plug and Play interface. If you enable this policy setting, remote connections to the Plug and Play interface are allowed. If you disable or do not configure this policy setting, remote connections to the Plug and Play interface ... oval:org.secpod.oval:def:14661 Windows Server operating systems support 8.3 file name formats for backward compatibility with16-bit applications. The 8.3 file name convention is a naming format that allows file names up to eight characters long. The registry value entry NtfsDisable8dot3NameCreation was added to the template file ... oval:gov.nist.usgcb.windowsseven:def:100205 Ignores customized run-once lists. You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts. If you enable ... oval:gov.nist.usgcb.windowsseven:def:136 Setting Added to Registry to Make Screensaver Password Protection Immediate The default grace period allowed for user movement before the screen - saver lock takes effect is five seconds. Leaving the grace period in the default setting makes your computer vulnerable to a potential attack from someon ... oval:gov.nist.usgcb.windowsseven:def:294 Allows Web-based programs to install software on the computer without notifying the user. By default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation. This setting suppresses the warnin ... oval:gov.nist.usgcb.windowsseven:def:120 This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: * Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and st ... oval:org.secpod.oval:def:14558 This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user's Windows credentials. Note: This policy affects nonlogon authentication tasks only. As a security best practice, ... oval:gov.nist.usgcb.windowsseven:def:121 This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. Th ... oval:gov.nist.USGCB.win7firewall:def:20922 The Private Profile is used only if a local administrator changes the profile for a computer connected previously to a public network (using a Public Profile). Default: Yes Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Fire ... oval:org.secpod.oval:def:14811 Ignores the customized run list. You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs are added to the standard run list of programs and servic ... oval:gov.nist.usgcb.windowsseven:def:132 Network basic input/output system (NetBIOS) over TCP/IP is a networking protocol that, among other things, provides a means of easily resolving NetBIOS names registered on Windows- based systems to the IP addresses configured on those systems. This value determines whether the computer releases its ... oval:gov.nist.usgcb.windowsseven:def:297 This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has been logged on using previously stored account information. If enabled, a notification popup will be displayed to the user when the user logs on with cached credenti ... oval:gov.nist.usgcb.windowsseven:def:296 This setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor. Non-administrator updates provide a mechanism for the author of an application to create digitally signed updates that can be applied by non-privileged users. If yo ... oval:gov.nist.usgcb.windowsseven:def:210 Determines whether a user can install and configure the Network Bridge. Important: This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS do ... oval:gov.nist.usgcb.windowsseven:def:267 This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure th ... oval:gov.nist.USGCB.win7firewall:def:20936 The Public Profile is the default profile for a computer connected to a public network but not connected to a domain controller. This should be the most restricted profile. Default: Allow Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Securi ... oval:gov.nist.USGCB.win7firewall:def:20904 Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. Default: No Fix: (1) GPO: Computer Configuration\Windows Setting ... oval:gov.nist.USGCB.win7firewall:def:20925 The Private Profile is used only if a local administrator changes the profile for a computer connected previously to a public network (using a Public Profile). Default: Allow Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Fi ... oval:gov.nist.usgcb.windowsseven:def:248 This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. If you enable this policy, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. If you disable this policy, users o ... oval:gov.nist.USGCB.win7firewall:def:20920 The Private Profile is used only if a local administrator changes the profile for a computer connected previously to a public network (using a Public Profile). Default: Yes Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Fire ... oval:gov.nist.usgcb.windowsseven:def:100 This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in ... oval:gov.nist.usgcb.windowsseven:def:114 This policy setting controls the behavior of the elevation prompt for administrators. The options are: * Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constraine ... oval:org.secpod.oval:def:14674 This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: Administrators Administrators and Interactive Users Default: This policy is not defined and only Administrators have this ability. Fix: (1) GPO: Computer Configuration\Windo ... oval:org.secpod.oval:def:14678 This security setting determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or unde ... oval:gov.nist.usgcb.windowsseven:def:115 This policy setting controls the behavior of the elevation prompt for standard users. The options are: * Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the oper ... oval:gov.nist.usgcb.windowsseven:def:104 This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: Require NTLMv2 session security: The connection will fail if NTLMv2 prot ... oval:gov.nist.usgcb.windowsseven:def:45 This security setting determines whether a user can undock a portable computer from its docking station without logging on. If this policy is enabled, the user must log on before removing the portable computer from its docking station. If this policy is disabled, the user may remove the portable co ... oval:gov.nist.usgcb.windowsseven:def:40 This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. Default: Non ... oval:gov.nist.usgcb.windowsseven:def:42 This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are ... oval:gov.nist.usgcb.windowsseven:def:20010 This security setting determines whether the local Administrator account is enabled or disabled. Notes If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In ... oval:gov.nist.usgcb.windowsseven:def:20013 Hiding the computer from the Browse List removes one method attackers might use to gether information about computers on the network. You can configure a computer so that it does not send announcements to browsers on the domain. If you do, you hide the computer from the Network Browser list; it doe ... oval:gov.nist.usgcb.windowsseven:def:20012 Allowing source routed network traffic allows attackers to obscure their identity and location. IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. Vulnerability: Source routing allows a computer that sends a pack ... oval:gov.nist.usgcb.windowsseven:def:47 This security setting determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is sim ... oval:gov.nist.usgcb.windowsseven:def:48 This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service. Default on Workstations: Administrators, Backup Operators, Users. Default on Servers: ... oval:gov.nist.usgcb.windowsseven:def:20019 This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. * Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevati ... oval:gov.nist.usgcb.windowsseven:def:20014 The registry value entry TCPMaxDataRetransmissions was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is ... oval:gov.nist.usgcb.windowsseven:def:20016 Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow LocalSystem NULL session fallback (2 ... oval:gov.nist.usgcb.windowsseven:def:55 This security setting determines whether to audit the access of global system objects. If this policy is enabled, it causes system objects, such as mutexes, events, semaphores and DOS devices, to be created with a default system access control list (SACL). Only named objects are given a SACL; SACLs ... oval:gov.nist.usgcb.windowsseven:def:56 This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect. Enabling this option when the Audit privilege use policy is also enabled generates an audit event for every file that is backed up or rest ... oval:gov.nist.usgcb.windowsseven:def:57 Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category le ... oval:gov.nist.usgcb.windowsseven:def:51 This security setting determines if the Guest account is enabled or disabled. Default: Disabled. Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microso ... oval:gov.nist.usgcb.windowsseven:def:52 This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. Default: Ena ... oval:gov.nist.usgcb.windowsseven:def:21 This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other user ... oval:gov.nist.usgcb.windowsseven:def:22 This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kerne ... oval:gov.nist.usgcb.windowsseven:def:24 This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user ri ... oval:gov.nist.usgcb.windowsseven:def:20 This security setting determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operat ... oval:gov.nist.usgcb.windowsseven:def:29 This security setting determines which users and groups are prohibited from logging on as a Remote Desktop Services client. Default: None. Important This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2. Fix: (1) GPO: Computer Configuration ... oval:gov.nist.usgcb.windowsseven:def:26 This security setting determines which accounts are prevented from being able to log on as a batch job. This policy setting supersedes the Log on as a batch job policy setting if a user account is subject to both policies. Default: None. Fix: (1) GPO: Computer Configuration\Windows Settings\Secur ... oval:gov.nist.usgcb.windowsseven:def:27 This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies. Note: This security setting does not apply to the System, Local Service, or ... oval:gov.nist.usgcb.windowsseven:def:32 Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a serv ... oval:gov.nist.usgcb.windowsseven:def:33 This privilege determines which user accounts can increase or decrease the size of a process's working set. Default: Users The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an applicatio ... oval:gov.nist.usgcb.windowsseven:def:34 This security setting determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. Defau ... oval:gov.nist.usgcb.windowsseven:def:35 This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution Assigning this user right can be a ... oval:gov.nist.usgcb.windowsseven:def:30 This security setting determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy ... oval:gov.nist.usgcb.windowsseven:def:31 This security setting determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causi ... oval:gov.nist.usgcb.windowsseven:def:36 This security setting determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access mem ... oval:gov.nist.usgcb.windowsseven:def:39 This security setting determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. For such auditing to be ena ... oval:gov.nist.usgcb.windowsseven:def:80 This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity. Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, t ... oval:gov.nist.usgcb.windowsseven:def:82 This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. The server message block (SMB) protocol provides the ba ... oval:gov.nist.usgcb.windowsseven:def:87 This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to gr ... oval:gov.nist.usgcb.windowsseven:def:89 This security setting determines what additional permissions are granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrat ... oval:gov.nist.usgcb.windowsseven:def:83 This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB Service to be ... oval:gov.nist.usgcb.windowsseven:def:86 This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an adminis ... oval:gov.nist.usgcb.windowsseven:def:90 This policy setting determines which communication sessions, or pipes, have attributes and permissions that allow anonymous access. Restricting access over named pipes such as COMNAP and LOCATOR helps prevent unauthorized access to the network. The table in the Vulnerability section lists default na ... oval:gov.nist.usgcb.windowsseven:def:91 This security setting determines which registry keys can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications ... oval:gov.nist.usgcb.windowsseven:def:60 Devices: Prevent users from installing printer drivers when connecting to shared printers For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of c ... oval:gov.nist.usgcb.windowsseven:def:67 This setting controls the maximum password age that a machine account may have. This security setting determines how often a domain member will attempt to change its computer account password. Default: 30 days. Important This setting applies to Windows 2000 computers, but it is not available thr ... oval:gov.nist.usgcb.windowsseven:def:61 This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can ... oval:gov.nist.usgcb.windowsseven:def:62 This value determines if access to the floppy drive is restricted to locally logged-on users. 1 = restricted This security setting determines whether removable floppy media are accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively log ... oval:gov.nist.usgcb.windowsseven:def:69 This security setting determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen. If this policy is enabled, the name of the last user to successfully log on is not displayed in the Logon Screen. ". If this policy is disabled, the name of t ... oval:gov.nist.usgcb.windowsseven:def:70 This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the us ... oval:gov.nist.usgcb.windowsseven:def:71 This security setting specifies a text message that is displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. Default: No message. Fix: ( ... oval:gov.nist.usgcb.windowsseven:def:76 This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are: * No Action * Lock Workstation * Force Logoff * Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog bo ... oval:gov.nist.usgcb.windowsseven:def:78 This security setting determines whether the SMB client attempts to negotiate SMB packet signing. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle ... oval:gov.nist.usgcb.windowsseven:def:72 This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. Default: No message. The logon banner should be titled with a warning label containing the name of the owning organiz ... oval:gov.nist.usgcb.windowsseven:def:73 All previous users' logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they are able to log on . If a domain controller is unavailable and a user's logon information is cached, the user is prompted with a mess ... oval:gov.nist.usgcb.windowsseven:def:75 Logon information must be provided to unlock a locked computer. For domain accounts, this security setting determines whether a domain controller must be contacted to unlock a computer. If this setting is disabled, a user can unlock the computer using cached credentials. If this setting is enabled, ... oval:gov.nist.usgcb.windowsseven:def:6 This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum passw ... oval:gov.nist.usgcb.windowsseven:def:5 This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If ... oval:gov.nist.usgcb.windowsseven:def:8 This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: Not contain the user's account name or parts of the user's full name that exceed two consecutive characters Be at least ... oval:gov.nist.usgcb.windowsseven:def:7 This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. Default: 7 on domain controllers. 0 on sta ... oval:gov.nist.usgcb.windowsseven:def:10 This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right. Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default on workstations and ser ... oval:gov.nist.usgcb.windowsseven:def:11 This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separ ... oval:gov.nist.usgcb.windowsseven:def:12 This privilege determines who can change the maximum memory that can be consumed by a process. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. Note: This privilege is useful for system tuning, but i ... oval:gov.nist.usgcb.windowsseven:def:13 Determines which users can log on to the computer. Important Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (http://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft websit ... oval:gov.nist.usgcb.windowsseven:def:18 This user right determines which users and groups can change the time zone used by the computer for displaying the local time, which is the computer's system time plus the time zone offset. System time itself is absolute and is not affected by a change in the time zone. This user right is def ... oval:gov.nist.usgcb.windowsseven:def:19 This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users. For information about how to ... oval:gov.nist.usgcb.windowsseven:def:14 This security setting determines which users or groups have permission to log on as a Remote Desktop Services client. Default: On workstation and servers: Administrators, Remote Desktop Users. On domain controllers: Administrators. Important This setting does not have any effect on Windows 2000 ... oval:gov.nist.usgcb.windowsseven:def:15 This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders ... oval:gov.nist.usgcb.windowsseven:def:16 This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. This user right is defined in the Default Domain Co ... oval:gov.nist.usgcb.windowsseven:def:17 This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time ... oval:gov.nist.usgcb.windowsseven:def:2 The maximum number of failed attempts that can occur before the account is locked out This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout dura ... oval:gov.nist.usgcb.windowsseven:def:1 This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator exp ... oval:gov.nist.usgcb.windowsseven:def:4 This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. This policy enables administrators to enhance security by ensuring that old passwords are not reused ... oval:gov.nist.usgcb.windowsseven:def:3 This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less ... oval:gov.nist.USGCB.win7firewall:def:20923 The Private Profile is used when the computer is connected to a network and is authenticated to a domain controller. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\P ... oval:gov.nist.USGCB.win7firewall:def:20912 The Domain Profile is used when the computer is connected to a network and is authenticated to a domain controller. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Do ... |
