oval:org.secpod.oval:def:8782
The User Account Control: Detect application installations and prompt for elevation setting should be configured correctly. This policy setting controls the behavior of application installation detection for the computer. The options are: * Enabled: (Default for home) When an application installati ...

oval:org.secpod.oval:def:8836
The Network security: LAN Manager authentication level setting should be configured correctly. LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sh ...

oval:org.secpod.oval:def:8762
The User Account Control: Run all administrators in Admin Approval Mode setting should be configured correctly. This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The option ...

oval:org.secpod.oval:def:8806
The Restrictions for Unauthenticated RPC clients machine setting should be configured correctly. If you enable this setting, it directs the RPC Runtime on an RPC server to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticat ...

oval:org.secpod.oval:def:8877
The Default behavior for AutoRun machine setting should be configured correctly. Sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing an ...

oval:org.secpod.oval:def:8895
The Set client connection encryption level machine setting should be configured correctly. Specifies whether to require the use of a specific encryption level to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. If you enable this se ...

oval:org.secpod.oval:def:8866
The Always prompt for password upon connection machine setting should be configured correctly. Specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, e ...

oval:org.secpod.oval:def:8780
The System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting should be configured correctly. This policy setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA ci ...

oval:org.secpod.oval:def:8808
The MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) setting should be configured correctly. This entry appears as MSS: (DisableIPSourceRouting) IPv6 source routing protection level (protects against packet spoofing) in the SCE. IP source rout ...

oval:org.secpod.oval:def:8766
The RPC Endpoint Mapper Client Authentication machine setting should be configured correctly. Enabling this setting directs RPC Clients that need to communicate with the Endpoint Mapper Service to authenticate as long as the RPC call for which the endpoint needs to be resolved has authentication in ...

oval:org.secpod.oval:def:8894
The Require a Password When a Computer Wakes (Plugged In) machine setting should be configured correctly. Specifies whether or not the user is prompted for a password when the system resumes from sleep. If you enable this policy, or if it is not configured, the user is prompted for a password when ...

oval:org.secpod.oval:def:8818
The User Account Control: Only elevate executables that are signed and validated setting should be configured correctly. This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can ...

oval:org.secpod.oval:def:8767
The MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) setting should be configured correctly. The registry value entry DisableIPSourceRouting was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Param ...

oval:org.secpod.oval:def:8916
The Turn off Data Execution Prevention for Explorer machine setting should be configured correctly. This policy setting allows you to turn off the Data Execution Prevention feature for Internet Explorer on Windows Server 2008, Windows Vista SP1 and Windows XP SP3. If you enable this policy setting, ...

oval:org.secpod.oval:def:8834
The Turn off heap termination on corruption machine setting should be configured correctly. Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. Fix: ( ...

oval:org.secpod.oval:def:8746
The User Account Control: Only elevate UIAccess applications that are installed in secure locations setting should be configured correctly. This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure lo ...

oval:org.secpod.oval:def:8915
The Require a Password When a Computer Wakes (On Battery) machine setting should be configured correctly. Specifies whether or not the user is prompted for a password when the system resumes from sleep. If you enable this policy, or if it is not configured, the user is prompted for a password when ...

oval:org.secpod.oval:def:8876
The Turn off Autoplay for non-volume devices machine setting should be configured correctly. If this policy is enabled, autoplay will not be enabled for non-volume devices like MTP devices. If you disable or do not configure this policy, autoplay will continue to be enabled for non-volume devices. F ...

oval:org.secpod.oval:def:8845
The System cryptography: Force strong key protection for user keys stored on the computer setting should be configured correctly. This policy setting determines whether users' private keys (such as their S-MIME keys) require a password to be used. If you configure this policy setting so that users m ...

oval:org.secpod.oval:def:8822
The Network access: Restrict anonymous access to Named Pipes and Shares setting should be configured correctly. When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network ...

oval:org.secpod.oval:def:8838
The Microsoft network server: Digitally sign communications (always) setting should be configured correctly. This policy setting determines if the server side SMB service is required to perform SMB packet signing. Enable this policy setting in a mixed environment to prevent downstream clients from ...

oval:org.secpod.oval:def:8927
The Devices: Prevent users from installing printer drivers setting should be configured correctly. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code o ...

oval:org.secpod.oval:def:8768
The Deny access to this computer from the network user right should be assigned to the appropriate accounts. This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In high security environmen ...

oval:org.secpod.oval:def:8773
The Minimum password age setting should be configured correctly. The Minimum password age policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or ...

oval:org.secpod.oval:def:8861
The Allow remote access to the Plug and Play interface machine setting should be configured correctly. This policy setting allows you to allow or deny remote access to the Plug and Play interface. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Device Installation\Allow remot ...

oval:org.secpod.oval:def:8925
The Accounts: Guest account status setting should be configured correctly. This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system. Note that this setting will have no impact when applied to ...

oval:org.secpod.oval:def:7902
The Maximum password age setting should be configured correctly. This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for this polic ...

oval:org.secpod.oval:def:7899
This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon at ...

oval:org.secpod.oval:def:7897
The Enforce password history setting should be configured correctly. This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The ...

oval:org.secpod.oval:def:7901
The Password must meet complexity requirements policy should be set correctly. This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: * Not contain the users ...

oval:org.secpod.oval:def:7706
The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly. The registry value entry ScreenSaverGracePeriod was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\Winlo ...

oval:org.secpod.oval:def:7900
The Minimum password length setting should be configured correctly. This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps pass phras ...

oval:org.secpod.oval:def:8787
The User Account Control: Behavior of the elevation prompt for standard users setting should be configured correctly. This policy setting controls the behavior of the elevation prompt for standard users. The options are: * Prompt for credentials: When an operation requires elevation of privilege, t ...

oval:org.secpod.oval:def:8793
The Network security: Do not store LAN Manager hash value on next password change setting should be configured correctly. This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to a ...

oval:org.secpod.oval:def:8829
The Microsoft network client: Digitally sign communications (always) setting should be configured correctly. This policy setting determines whether packet signing is required by the SMB client component. If you enable this policy setting, the Microsoft network client computer cannot communicate wit ...

oval:org.secpod.oval:def:8848
The Reset account lockout counter after setting should be configured correctly. This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset ti ...

oval:org.secpod.oval:def:8804
The Domain member: Digitally encrypt or sign secure channel data (always) setting should be configured correctly. This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. If a system is set to always encrypt or sign secure ...

oval:org.secpod.oval:def:8724
The Network access: Let Everyone permissions apply to anonymous users setting should be configured correctly. This policy setting determines what additional permissions are assigned for anonymous connections to the computer. If you enable this policy setting, anonymous Windows users are allowed to ...

oval:org.secpod.oval:def:8812
The Domain member: Maximum machine account password age setting should be configured correctly. This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interv ...

oval:org.secpod.oval:def:8711
The Network access: Do not allow anonymous enumeration of SAM accounts setting should be configured correctly. This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connec ...

oval:org.secpod.oval:def:8744
The Network access: Do not allow anonymous enumeration of SAM accounts and shares setting should be configured correctly. This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to e ...

oval:org.secpod.oval:def:18836
The Deny log on as a batch job user right should be assigned to the appropriate accounts. This policy setting determines which accounts will not be able to log on to the computer as a batch job. A batch job is not a batch (.bat) file, but rather a batch-queue facility. Accounts that use the Task Sc ...

oval:org.secpod.oval:def:19374
The Prevent installation of removable devices machine setting should be configured correctly. This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is re ...

oval:org.secpod.oval:def:19589
The Turn Off the Display (Plugged In) machine setting should be configured correctly. Specifies the period of inactivity before Windows turns off the display. If you enable this policy, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the di ...

oval:org.secpod.oval:def:18778
The Require user authentication for remote connections by using Network Level Authentication machine setting should be configured correctly. This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level A ...

oval:org.secpod.oval:def:19624
The Require 128-bit encryption option for the Network security: Minimum session security for NTLM SSP based (including secure RPC) clients setting should be enabled or disabled as appropriate. This policy setting determines which behaviors are allowed for applications using the NTLM Security Suppor ...

oval:org.secpod.oval:def:19186
The Require use of specific security layer for remote (RDP) connections machine setting should be configured correctly. Specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connect ...

oval:org.secpod.oval:def:19198
The Turn off Data Execution Prevention for HTML Help Executible machine setting should be configured correctly. This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced DEP. DEP is designed to block malicious code that takes advantage of exception-han ...

oval:org.secpod.oval:def:19508
The Do not process the run once list machine setting should be configured correctly. Ignores customized run-once lists. You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added ...

oval:org.secpod.oval:def:19444
The Allow Standby States (S1-S3) When Sleeping (On Battery) machine setting should be configured correctly. Dictates whether or not Windows is allowed to use standby states when sleeping the computer. When this policy is enabled, Windows may use standby states to sleep the computer. If this policy ...

oval:org.secpod.oval:def:19456
The Allow users to connect remotely using Remote Desktop Services machine setting should be configured correctly. This policy setting allows you to configure remote access to computers using Remote Desktop Services. If you enable this policy setting, users who are members of the Remote Desktop User ...

oval:org.secpod.oval:def:18733
The Domain member: Digitally sign secure channel data (when possible) setting should be configured correctly. This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect ...

oval:org.secpod.oval:def:18849
The Turn Off the Display (On Battery) machine setting should be configured correctly. Specifies the period of inactivity before Windows turns off the display. If you enable this policy, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the di ...

oval:org.secpod.oval:def:8875
The Require secure RPC communication machine setting should be configured correctly. Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication ...

oval:org.secpod.oval:def:19158
The Do not process the legacy run list machine setting should be configured correctly. Ignores the customized run list. You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 ...

oval:org.secpod.oval:def:19396
The Allow Standby States (S1-S3) When Sleeping (Plugged In) machine setting should be configured correctly. Dictates whether or not Windows is allowed to use standby states when sleeping the computer. When this policy is enabled, Windows may use standby states to sleep the computer. If this policy ...

oval:org.secpod.oval:def:8820
The Interactive logon: Prompt user to change password before expiration setting should be configured correctly. This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently ...

oval:org.secpod.oval:def:7898
The Account lockout duration setting should be configured correctly. This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain un ...