Download
| Alert*
|
oval:org.secpod.oval:def:35051
Specifies the amount of time for Automatic Updates to wait, following system startup, before proceeding with a scheduled installation that was missed previously. If the status is set to Enabled, a scheduled installation that did not take place earlier will occur the specified number of minutes afte ... oval:org.secpod.oval:def:35030 This policy setting configures whether or not fixed data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) operating systems. If this policy ... oval:org.secpod.oval:def:36489 This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. This user right is defined in the Default Domain Co ... oval:org.secpod.oval:def:35018 MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) Counter Measure: Configure the MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) entry to a value of 3. The possib ... oval:org.secpod.oval:def:35090 This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not conf ... oval:org.secpod.oval:def:35193 This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to ... oval:org.secpod.oval:def:35183 MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) Counter Measure: Configure the MSS: (TcpMaxDataRetransmissions) IPv6 How many times unacknowledged data is retransmitted (3 recommended, 5 is default) entry to a value of 3. ... oval:org.secpod.oval:def:36545 This security setting determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. Defau ... oval:org.secpod.oval:def:36536 This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. Default: Non ... oval:org.secpod.oval:def:36533 This privilege determines which user accounts can increase or decrease the size of a process's working set. Default: Users The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an applic ... oval:org.secpod.oval:def:36529 This security setting determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. Default: Guest Counter Measure: Assign the Deny access ... oval:org.secpod.oval:def:36508 This security setting determines which users and groups are prohibited from logging on as a Remote Desktop Services client. Default: None. Important This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2. Counter Measure: Assign the Deny ... oval:org.secpod.oval:def:35003 This policy setting allows you to set the encryption types that Kerberos is allowed to use. If not selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. Multiple selections are permitted. This policy is supporte ... oval:org.secpod.oval:def:34989 Enabling this security option makes the Recovery Console SET command available, which allows you to set the following Recovery Console environment variables: AllowWildCards: Enable wildcard support for some commands (such as the DEL command). AllowAllPaths: Allow access to all files and folders on ... oval:org.secpod.oval:def:35275 This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Audit and block events are recorded on this comput ... oval:org.secpod.oval:def:35096 This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state. Counter Measure: Configure this setting depending on your organization's requirements. Potential Impact: Reducing the t ... oval:org.secpod.oval:def:35198 This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared" state. Counter Measure: Configure this setting depending on your organization's requirements. Potential Impact: Re ... oval:org.secpod.oval:def:35308 This policy setting allows you to deny or allow incoming NTLM traffic. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Micro ... oval:org.secpod.oval:def:35248 This policy setting configures the time in minutes before a detection in the "critically failed" state to moves to either the "additional action" state or the "cleared" state. Counter Measure: Configure this setting depending on your organi ... oval:org.secpod.oval:def:35244 This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. If you enable this policy setting and specify the new location, the files in that location will be us ... oval:org.secpod.oval:def:34985 This policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy does not affect interactive logon to this domain controller. This policy is supported on at least Windows Server 2008 R2. Note: Block events are recorded on this computer in ... oval:org.secpod.oval:def:35412 This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state. Counter Measure: Configure this setting depending on your organization's requirements. Potential Impact: Reduci ... oval:org.secpod.oval:def:35294 This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file r ... oval:org.secpod.oval:def:35295 This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in ... oval:org.secpod.oval:def:35292 This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. If you enable this policy setting, all local administrator a ... oval:org.secpod.oval:def:35171 This entry appears as MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) in the Local Group Policy Editor. You can configure a computer so that it does not send announcements to browsers on the domain. If you do, you hide the computer from the Ne ... oval:org.secpod.oval:def:35293 This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to gr ... oval:org.secpod.oval:def:35172 Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. If the s ... oval:org.secpod.oval:def:35179 Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By default, users can enable a slide show that will run after they lock the machine. If you enable this setting, users will no longer be able to modify slide show settings ... oval:org.secpod.oval:def:35298 This policy setting controls the behavior of the elevation prompt for standard users. The options are: - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, ... oval:org.secpod.oval:def:35056 This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Counter Measure: Configure this setting to block inbound connections by default. Poten ... oval:org.secpod.oval:def:35057 This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. A certificate is needed to authenticate an RD Session Host server when SSL (TLS 1.0) is used to secure communicat ... oval:org.secpod.oval:def:35299 This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection ... oval:org.secpod.oval:def:35178 Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (in ... oval:org.secpod.oval:def:35055 MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Counter Measure: Configure the MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) entry to a value of 0. The possible ... oval:org.secpod.oval:def:36494 This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user ri ... oval:org.secpod.oval:def:35284 This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an adminis ... oval:org.secpod.oval:def:36493 This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other user ... oval:org.secpod.oval:def:35042 This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not conf ... oval:org.secpod.oval:def:35163 Enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. If you disable or do not configure this setting the Store application will offer updates to the latest ... oval:org.secpod.oval:def:35281 This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file r ... oval:org.secpod.oval:def:36491 This privilege determines if the user can create a symbolic link from the computer he is logged on to. Default: Administrator WARNING: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle th ... oval:org.secpod.oval:def:36490 This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users. For information about how to ... oval:org.secpod.oval:def:35280 This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: Administrators Administrators and Power Users Administrators and Interactive Users Default: This policy is not defined and only Administrators have this ability. Counter Mea ... oval:org.secpod.oval:def:35049 MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Counter Measure: Configure the MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) entry to a value of Disabled. The po ... oval:org.secpod.oval:def:35289 This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality includ ... oval:org.secpod.oval:def:35047 This security setting determines which registry keys can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications ... oval:org.secpod.oval:def:36499 This security setting determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy ... oval:org.secpod.oval:def:36497 This security setting allows a user to be logged on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows. For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an ... oval:org.secpod.oval:def:35286 This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send LM & ... oval:org.secpod.oval:def:35393 This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a domain controller cannot be contacted. This policy setting determines the number of unique use ... oval:org.secpod.oval:def:35391 This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure cha ... oval:org.secpod.oval:def:35392 This policy setting controls Event Log behavior when the log file reaches its maximum size. Counter Measure: Configure this setting to Disabled. Potential Impact: If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. ... oval:org.secpod.oval:def:35038 This security setting determines what additional permissions are granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrat ... oval:org.secpod.oval:def:35159 This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Counter Measure: Disable this setting to override firewall rules created locally by administrators. Potential Impact: If you co ... oval:org.secpod.oval:def:35039 This policy setting determines whether the account name of the last user to log on to the client computers in your organization can display in each computer's respective Windows logon screen. If you enable this policy setting, intruders cannot collect account names visually from the screens ... oval:org.secpod.oval:def:35157 This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. If you disable or do not con ... oval:org.secpod.oval:def:35278 This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows: * None: The LDAP BIND request is issued with the options that are specified by the caller. * Negotiate signing: If Transport Layer Security/Secure Sockets Layer ... oval:org.secpod.oval:def:36488 This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password co ... oval:org.secpod.oval:def:35276 This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: * Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the o ... oval:org.secpod.oval:def:36486 This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right. Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default on workstations and ser ... oval:org.secpod.oval:def:35277 This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in t ... oval:org.secpod.oval:def:35032 This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle ... oval:org.secpod.oval:def:35029 This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with application and driver compatibility. If you enable this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers ... oval:org.secpod.oval:def:35382 This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevati ... oval:org.secpod.oval:def:35262 This security setting determines whether a computer can be shut down without having to log on to Windows. When this policy is enabled, the Shut Down command is available on the Windows logon screen. When this policy is disabled, the option to shut down the computer does not appear on the Windows l ... oval:org.secpod.oval:def:36471 This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share ... oval:org.secpod.oval:def:36479 This security setting determines which users or groups have permission to log on as a Remote Desktop Services client. Default: On workstation and servers: Administrators, Remote Desktop Users. On domain controllers: Administrators. Important This setting does not have any effect on Windows 2000 ... oval:org.secpod.oval:def:35025 This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. Default: ... oval:org.secpod.oval:def:35389 This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. If you disable or do not co ... oval:org.secpod.oval:def:35026 MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Counter Measure: Configure the MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes entry to a value of Disabled. The possible values for this registry entry are: ? 1 or 0. The ... oval:org.secpod.oval:def:35387 Specifies whether to disable the administrator rights to customize security permissions in the Remote Desktop Session Host Configuration tool. You can use this setting to prevent administrators from making changes to the user groups on the Permissions tab in the Remote Desktop Session Host Conf ... oval:org.secpod.oval:def:35145 This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration if supported hardware is available. If you enalbe this setting, the Remote Desktop Client will use only software decoding. For example, if you have a problem that you suspect may be related to hard ... oval:org.secpod.oval:def:35021 This policy setting allows you to configure remote access to computers by using Remote Desktop Services. If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services ... oval:org.secpod.oval:def:36473 This subcategory reports events generated by the Kerberos Authentication Server. These events occur on the computer that is authoritative for the credentials. Events for this subcategory include: - 4768: A Kerberos authentication ticket (TGT) was requested. - 4771: Kerberos pre-authentication failed ... oval:org.secpod.oval:def:35022 This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channe ... oval:org.secpod.oval:def:35264 This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Counter Measure: Enable this policy setting to ensure that Windows Messenger does not collect usage information and to prevent display of the ... oval:org.secpod.oval:def:35385 Specifies whether or not the user is prompted for a password when the system resumes from sleep. Counter Measure: Configure Require a Password When a Computer Wakes (On Battery) to Enabled. Potential Impact: If you enable this policy, or if it is not configured, the user is prompted for a ... oval:org.secpod.oval:def:35139 This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. If you enable this policy setting, users will no longer see feedback notifications through the Windows Feedback app. If you disable or do not configure this policy setting, use ... oval:org.secpod.oval:def:35019 This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. If a system is set to always encrypt or sign secure channel data, it cannot establish a secure channel with a domain controller that is not capable of signing or encr ... oval:org.secpod.oval:def:35092 Devices: Prevent users from installing printer drivers when connecting to shared printers For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of c ... oval:org.secpod.oval:def:35091 Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note: When the Apply local firewall rules setting is configured to No, Microsoft recommends also configuring the Display a notificat ... oval:org.secpod.oval:def:35085 This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. Counter Measure: Configure this policy setting to Enabled to prevent Search Companion from downloading content updates during searches. Potential Impact: ... oval:org.secpod.oval:def:35083 This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. Default: No message. Microsoft recommends that you use this setting, if appropriate to your environment and your orga ... oval:org.secpod.oval:def:35084 This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ...\Program Files\, including subfolders - ...\Windows\system32\ ... oval:org.secpod.oval:def:35081 This security setting determines how network logons that use local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. The Classic model allows fine control over access to resources. By using the Cl ... oval:org.secpod.oval:def:35080 This security setting determines whether the SMB client attempts to negotiate SMB packet signing. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle ... oval:org.secpod.oval:def:35089 MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Counter Measure: Configure the MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers (Only recommended for servers) entry t ... oval:org.secpod.oval:def:35195 Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specifie ... oval:org.secpod.oval:def:35196 This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. Th ... oval:org.secpod.oval:def:35191 This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certai ... oval:org.secpod.oval:def:35070 This security setting determines which registry paths and subpaths can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Even ... oval:org.secpod.oval:def:35190 Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. Counter Measure: ... oval:org.secpod.oval:def:35078 MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic Counter Measure: Do not configure the MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended) entry except on computers that use IPsec filters, where this entry should be configured t ... oval:org.secpod.oval:def:35077 MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Counter Measure: Do not configure the MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) entry except on highly secure computers, where it should be configured to a value of Disabled. The possible values for this r ... oval:org.secpod.oval:def:35063 This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: Require NTLMv2 session security: The connection will fail if NTLMv2 prot ... oval:org.secpod.oval:def:35184 This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can ... oval:org.secpod.oval:def:35061 This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are: No Action Lock Workstation Force Logoff Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog box fo ... oval:org.secpod.oval:def:35182 This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the us ... oval:org.secpod.oval:def:35069 This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session is kept active on the server. By default, Remote Desktop Services allows users to disconn ... oval:org.secpod.oval:def:36546 This security setting determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. On x86-based computers, the only firmware environment value that can ... oval:org.secpod.oval:def:35215 This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication. If you enable this setting, Credential Manager does not store passwords and credentials on the computer. If you disable or do not configure this policy sett ... oval:org.secpod.oval:def:35334 Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. Default: not enforced. Counter Measure: Configure this policy setting to 900 seconds (15 minutes) so that the risk of a user& ... oval:org.secpod.oval:def:35210 Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category le ... oval:org.secpod.oval:def:36542 This security setting determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution Assigning this user right can be a security risk. Since owners of objects have full ... oval:org.secpod.oval:def:36541 This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service. Default on Workstations: Administrators, Backup Operators, Users. Default on Servers: ... oval:org.secpod.oval:def:35211 Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. Counter Measure: ... oval:org.secpod.oval:def:36540 This security setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another. An example of a process that uses this user right is Task Scheduler. For information about Task Scheduler, see Task Scheduler overvie ... oval:org.secpod.oval:def:35209 Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as op ... oval:org.secpod.oval:def:36539 This security setting determines which users can use performance monitoring tools to monitor the performance of non system processes. Default: Administrators, Power users. Counter Measure: Ensure that only the local Administrators group is assigned the Profile single process user right. Pote ... oval:org.secpod.oval:def:35208 This policy setting specifies whether Work Folders should be set up automatically for all users of the affected computer. If you enable this policy setting, Work Folders will be set up automatically for all users of the affected computer. This prevents users from choosing not to use Work Folder ... oval:org.secpod.oval:def:35447 This policy setting specifies whether Windows apps have access to control radios. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps have access to control radios by using Settings > Privacy on the device. ... oval:org.secpod.oval:def:35205 This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent "man-in-t ... oval:org.secpod.oval:def:35448 This policy setting specifies whether Windows apps can sync with devices. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can sync with devices by using Settings > Privacy on the device. If you choose th ... oval:org.secpod.oval:def:35327 This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. Counter Measure: Enable the Turn off the "Publish to Web" task ... oval:org.secpod.oval:def:35445 This policy setting specifies whether Windows apps can access the microphone. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the microphone by using Settings > Privacy on the device. If you c ... oval:org.secpod.oval:def:35324 This policy setting lets you enable H.264/AVC hardware encoding support for Remote Desktop Connections. When you enable hardware encoding, if an error occurs, we will attempt to use software encoding. If you disable or do not configure this policy, we will always use software encoding. If you ... oval:org.secpod.oval:def:36535 This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If ... oval:org.secpod.oval:def:35446 This policy setting specifies whether Windows apps can access trusted devices. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access trusted devices by using Settings > Privacy on the device. If you ... oval:org.secpod.oval:def:35325 This policy setting prioritizes the H.264/AVC 444 graphics mode for non-RemoteFX vGPU scenarios. When you use this setting on the RDP server, the server will use H.264/AVC 444 as the codec in an RDP 10 connection where both the client and server can use H.264/AVC 444. Counter Measure: Configur ... oval:org.secpod.oval:def:36534 This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution Assigning this user right can be a ... oval:org.secpod.oval:def:35443 This policy setting specifies whether Windows apps can access the calendar. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the calendar by using Settings > Privacy on the device. If you choos ... oval:org.secpod.oval:def:35444 This policy setting specifies whether Windows apps can access the camera. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the camera by using Settings > Privacy on the device. If you choose th ... oval:org.secpod.oval:def:35202 This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. If you enable the No auto-restart for scheduled Automatic Updates installations setting, Automatic Updates does not restart c ... oval:org.secpod.oval:def:36532 This security setting determines how often a domain member will attempt to change its computer account password. Default: 30 days. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly or set it to 0 so that the computers ... oval:org.secpod.oval:def:35441 This policy setting specifies whether Windows apps can read or send messages (text or MMS). If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can read or send messages by using Settings > Privacy on the device. ... oval:org.secpod.oval:def:35442 This policy setting specifies whether Windows apps can access motion data. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access motion data by using Settings > Privacy on the device. If you choose ... oval:org.secpod.oval:def:35440 This policy setting specifies whether Windows apps can access location. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access location by using Settings > Privacy on the device. If you choose the &a ... oval:org.secpod.oval:def:35438 This policy setting specifies whether Windows apps can access contacts. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access contacts by using Settings > Privacy on the device. If you choose the &a ... oval:org.secpod.oval:def:36527 Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a serv ... oval:org.secpod.oval:def:35439 This policy setting specifies whether Windows apps can access email. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access email by using Settings > Privacy on the device. If you choose the &quo ... oval:org.secpod.oval:def:36526 This security setting determines if the Guest account is enabled or disabled. Default: Disabled. Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microso ... oval:org.secpod.oval:def:35436 This policy setting specifies whether Windows apps can access account information. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access account information by using Settings > Privacy on the device. ... oval:org.secpod.oval:def:35437 This policy setting specifies whether Windows apps can access call history. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access call history by using Settings > Privacy on the device. If you choos ... oval:org.secpod.oval:def:35434 This policy setting helps prevent Terminal Services clients from saving passwords on a computer. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Terminal Services client disconnects from any server. ... oval:org.secpod.oval:def:35435 This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons. If you disable this policy setting, the SMB client will reject ... oval:org.secpod.oval:def:35430 This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the ... oval:org.secpod.oval:def:35431 This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choice in the Shut Down Windows dialog. Note: that this policy setting has no impact if the Computer Configuration\Administrative Templates\Windows Components\Wi ... oval:org.secpod.oval:def:35307 This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. If you enable this policy setting, you must select the desired time limit in the Idle session limit drop- ... oval:org.secpod.oval:def:35423 This policy setting configures access to remote shells. If you enable this policy setting and set it to False, new remote shell connections are rejected by the server. If you disable or do not configure this policy setting, new remote shell connections are allowed. Counter Measure: Configure ... oval:org.secpod.oval:def:35301 This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local ... oval:org.secpod.oval:def:35420 This policy setting ignores customized run-once lists. You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system st ... oval:org.secpod.oval:def:36509 This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. Default: 7 on domain controllers. 0 on sta ... oval:org.secpod.oval:def:36506 This security setting determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operat ... oval:org.secpod.oval:def:35416 This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is displayed in the Shut Down Windows dialog box. If you enable this policy setting, 'Install Updates and Shut Down' will not appear as a choice in the Shut Down Windows d ... oval:org.secpod.oval:def:35417 This security setting specifies a text message that is displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. Default: No message. Microso ... oval:org.secpod.oval:def:35414 This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Compute ... oval:org.secpod.oval:def:36504 This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: Not contain the user's account name or parts of the user's full name that exceed two consecutive characters * B ... oval:org.secpod.oval:def:35415 This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. If you enable this policy setting, the WinRM client will use Basic authentication. If WinRM is configured to use HTTP transport, then the user name and password are sent over ... oval:org.secpod.oval:def:35371 This policy setting allows you to configure Information Protection Control (IPC). If you enable this setting, IPC will be enabled. If you disable or do not configure this setting, IPC will be disabled. Counter Measure: Configure this setting depending on your organization's ... oval:org.secpod.oval:def:35250 Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. Counter Measure: ... oval:org.secpod.oval:def:35259 This security setting determines whether to audit the access of global system objects. If this policy is enabled, it causes system objects, such as mutexes, events, semaphores and DOS devices, to be created with a default system access control list (SACL). Only named objects are given a SACL; SACLs ... oval:org.secpod.oval:def:35375 This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. If you enable this policy setting, Windows Store apps that typically require a Microsoft account t ... oval:org.secpod.oval:def:35013 This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. If you enable this policy setting, the WinRM service will accept Basic authentication from a remote client. If you disable or do not configure t ... oval:org.secpod.oval:def:35010 This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: * Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators an ... oval:org.secpod.oval:def:35374 This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To pre ... oval:org.secpod.oval:def:35007 This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. If you disable this policy setting, the user is not pr ... oval:org.secpod.oval:def:35240 This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. Counter Measure: Disable this setting to override firewall rules created locally by administrators. Potential Impac ... oval:org.secpod.oval:def:35005 This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Counter Measure: Disable this setting to override firewall rules created locally by administrators. Potential Impact: If you co ... oval:org.secpod.oval:def:35002 This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. Counter Measure: Disable this setting to override firewall rules created locally by administrators. Potential Impac ... oval:org.secpod.oval:def:35365 Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. If you enable this setting, users will no longer be able to enable or disable lock sc ... oval:org.secpod.oval:def:35121 This policy setting lets you configure Protected Event Logging. If you enable this policy setting, components that support it will use the certificate you supply to encrypt potentially sensitive event log data before writing it to the event log. Data will be encrypted using the Cryptographic Me ... oval:org.secpod.oval:def:35242 This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB Service to ... oval:org.secpod.oval:def:35238 This policy setting allows you to enable RemoteApp programs to use advanced graphics, including support for transparency, live thumbnails, and seamless application moves. This policy setting applies only to RemoteApp programs and does not apply to remote desktop sessions. If you enable or do no ... oval:org.secpod.oval:def:36560 This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders ... oval:org.secpod.oval:def:35355 This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most co ... oval:org.secpod.oval:def:35232 When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: Network access: Named pipes that can be accessed anonymously Network access: Shares that can be accessed anonymously Default: Enabled. Counter Measure: Configure the Network access: Restr ... oval:org.secpod.oval:def:35112 Administrator account name: name of the local account you want to manage password for. DO NOT configure when you use built-in admin account. Built-in admin account is auto-detected by well-known SID, even when renamed DO configure when you use custom local admin account Counter Measure: ... oval:org.secpod.oval:def:35230 Specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. If you enable this setting, all communications between clients and RD Session Host servers during remote conne ... oval:org.secpod.oval:def:35352 This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name ... oval:org.secpod.oval:def:35231 This policy setting allows you to allow or deny remote access to the Plug and Play interface. If you enable this policy setting, remote connections to the Plug and Play interface are allowed. If you disable or do not configure this policy setting, remote connections to the Plug and Play in ... oval:org.secpod.oval:def:35110 This policy enables the automatic learning component of input personalization that includes speech, inking, and typing. Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana ... oval:org.secpod.oval:def:35227 This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process. ... oval:org.secpod.oval:def:36558 This privilege determines who can change the maximum memory that can be consumed by a process. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. Note: This privilege is useful for system tuning, but i ... oval:org.secpod.oval:def:36557 This security setting determines whether a different account name is associated with the security identifier (SID) for the account ;amp;quot;Guest.;amp;quot; Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combinati ... oval:org.secpod.oval:def:36555 This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator exp ... oval:org.secpod.oval:def:35102 This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. If you enable this policy setting, you must select the desired time limit in the Active session limit drop-down list. Remote Desktop ... oval:org.secpod.oval:def:35224 This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Counter Measure: Configure this setting to block inbound connections by default. Poten ... oval:org.secpod.oval:def:35103 System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms For the Schannel Security Service Provider (SSP), this security setting disables the weaker Secure Sockets Layer (SSL) protocols and supports only the Transport Layer Security ... oval:org.secpod.oval:def:35100 This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. If you enable this policy s ... oval:org.secpod.oval:def:35222 This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: * Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy ... oval:org.secpod.oval:def:36552 This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are ... oval:org.secpod.oval:def:36551 This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days. Count ... oval:org.secpod.oval:def:36550 This security setting determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causi ... oval:org.secpod.oval:def:36549 This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies. Important If you apply this security policy to the Everyone group, no one will be able to lo ... oval:org.secpod.oval:def:36548 This security setting determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. For such auditing to be ena ... oval:org.secpod.oval:def:35216 This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. If you disable this ... oval:org.secpod.oval:def:36547 This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. This policy enables administrators to enhance security by ensuring that old passwords are not reused ... oval:org.secpod.oval:def:34999 This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Counter Measure: Configure this setting to block inbound connections by default. Poten ... oval:org.secpod.oval:def:34997 This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication request ... oval:org.secpod.oval:def:34992 This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not conf ... oval:org.secpod.oval:def:34993 By default, users can add their computer to a homegroup on a home network. If you enable this policy setting, a user on this computer will not be able to add this computer to a homegroup. This setting does not affect other network sharing features. If you disable or do not configure this ... oval:org.secpod.oval:def:34990 This security setting determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen. If this policy is enabled, the name of the last user to successfully log on is not displayed in the Logon Screen. ". If this policy is disabled, the name o ... oval:org.secpod.oval:def:80649 Determines which users can log on to the computer. Important Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (http://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft websit ... oval:org.secpod.oval:def:34987 If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk. Default: Disabled Counter Measure: ... oval:org.secpod.oval:def:80647 This security setting determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is sim ... oval:org.secpod.oval:def:34983 This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Counter Measure: Disable this setting to override firewall rules created locally by administrators. Potential Impact: If you co ... oval:org.secpod.oval:def:34982 Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note: When the Apply local firewall rules setting is configured to No, Microsoft recommends also configuring the Display a notificat ... oval:org.secpod.oval:def:34980 This policy setting allows you to create an exception list of servers in this domain to which clients are allowed to use NTLM pass-through authentication if the "Network Security: Restrict NTLM: Deny NTLM authentication in this domain" is set. If you configure this policy setting, ... oval:org.secpod.oval:def:34978 This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing an autorun command is inserted, the system will automat ... oval:org.secpod.oval:def:34979 This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently warn users when their passwords will expire. Determines how far in advance (in days) users are warned that their ... oval:org.secpod.oval:def:34976 This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. If you configure this policy settin ... oval:org.secpod.oval:def:34972 This security setting determines whether 128-bit key strength is required for encrypted secure channel data. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller w ... oval:org.secpod.oval:def:34973 This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system. Default: This policy is not de ... oval:org.secpod.oval:def:36502 This policy setting allows accounts to launch network services or to register a process as a service running on the system. This user right should be restricted on any computer in a high security environment, but because many applications may require this privilege, it should be carefully evaluated ... oval:org.secpod.oval:def:36501 This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon at ... oval:org.secpod.oval:def:35407 Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note: When the Apply local firewall rules setting is configured to No, Microsoft recommends also configuring the Display a notificat ... oval:org.secpod.oval:def:35408 This security setting determines whether the system shuts down if it is unable to log security events. If this security setting is enabled, it causes the system to stop if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full an ... |
