[Forgot Password]
Login  Register Subscribe

23631

 
 

122183

 
 

98060

 
 

909

 
 

79198

 
 

109

Paid content will be excluded from the download.


Download | Alert*


oval:org.secpod.oval:def:35051
This policy setting determines the amount of time before previously scheduled Automatic Update installations will proceed after system startup. If you configure this policy setting to Enabled, a previously scheduled installation will begin after a specified number of minutes when you next start the ...

oval:org.secpod.oval:def:35039
This policy setting determines whether the account name of the last user to log on to the client computers in your organization can display in each computer's respective Windows logon screen. If you enable this policy setting, intruders cannot collect account names visually from the screens of desk ...

oval:org.secpod.oval:def:35275
This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Audit and block events are recorded on this computer ...

oval:org.secpod.oval:def:35019
This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. If a system is set to always encrypt or sign secure channel data, it cannot establish a secure channel with a domain controller that is not capable of signing or encr ...

oval:org.secpod.oval:def:35096
This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state.

oval:org.secpod.oval:def:35091
Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note When the Apply local firewall rules setting is configured to No, Microsoft recommends also configuring the Display a notificat ...

oval:org.secpod.oval:def:35082
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. If you enable this policy setting, the WinRM client will not use Digest authentication. If you disable or do not configure this policy setting, the WinRM client w ...

oval:org.secpod.oval:def:35334
Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.

oval:org.secpod.oval:def:35324
This policy setting lets you enable H.264/AVC hardware encoding support for Remote Desktop Connections. When you enable hardware encoding, if an error occurs, we will attempt to use software encoding. If you disable or do not configure this policy, we will always use software encoding. If ...

oval:org.secpod.oval:def:35325
This policy setting prioritizes the H.264/AVC 444 graphics mode for non-RemoteFX vGPU scenarios. When you use this setting on the RDP server, the server will use H.264/AVC 444 as the codec in an RDP 10 connection where both the client and server can use H.264/AVC 444.

oval:org.secpod.oval:def:35308
This policy setting allows you to deny or allow incoming NTLM traffic. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Block events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.

oval:org.secpod.oval:def:35371
This policy setting allows you to configure Information Protection Control (IPC). If you enable this setting, IPC will be enabled. If you disable or do not configure this setting, IPC will be disabled.

oval:org.secpod.oval:def:36461
This policy setting specifies the Work Folders server for affected users, as well as whether or not users are allowed to change settings when setting up Work Folders on a domain-joined computer. If you enable this policy setting, affected users user receive Work Folders settings when they s ...

oval:org.secpod.oval:def:36460
This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to begin each day. If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. If you disabl ...

oval:org.secpod.oval:def:36462
This policy setting removes Notifications and Action Center from the notification area on the taskbar. The notification area is located at the far right end of the taskbar and includes icons for current notifications and the system clock. If this setting is enabled, Notifications a ...

oval:org.secpod.oval:def:36455
This policy disables the functionality that converts balloons to toast notifications. If you enable this policy setting, system and application notifications will render as balloons instead of toast notifications. Enable this policy setting if a specific app or system component tha ...

oval:org.secpod.oval:def:35365
Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. If you enable this setting, users will no longer be able to enable or disable lock scre ...

oval:org.secpod.oval:def:36453
This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to end each day. If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. If you disable this ...

oval:org.secpod.oval:def:35112
Administrator account name: name of the local account you want to manage password for. DO NOT configure when you use built-in admin account. Built-in admin account is auto-detected by well-known SID, even when renamed DO configure when you use custom local admin account

oval:org.secpod.oval:def:35110
This policy enables the automatic learning component of input personalization that includes speech, inking, and typing. Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of ...

oval:org.secpod.oval:def:35179
Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By default, users can enable a slide show that will run after they lock the machine. If you enable this setting, users will no longer be able to modify slide show settings i ...

oval:org.secpod.oval:def:36498
Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It does not prevent a screen saver from running. Counter Measure: ...

oval:org.secpod.oval:def:35391
This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member will request encryption of all secure channel traffic. If you disable this policy setting, the domain m ...

oval:org.secpod.oval:def:35159
This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy.

oval:org.secpod.oval:def:35157
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. If you disable or do not confi ...

oval:org.secpod.oval:def:36484
This policy setting allows you to manage whether or not screen savers run. If the Screen Saver setting is disabled screen savers do not run and the screen saver section of the Screen Saver tab in Display in Control Panel is disabled. If this setting is enabled a screen saver will run if the followin ...

oval:org.secpod.oval:def:36472
This subcategory reports events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. Auditing this setting will result in a medium or high volume of records on NPS and IAS servers. Events for thi ...

oval:org.secpod.oval:def:35389
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. If you disable or do not conf ...

oval:org.secpod.oval:def:35387
Specifies whether to disable the administrator rights to customize security permissions in the Remote Desktop Session Host Configuration tool. You can use this setting to prevent administrators from making changes to the user groups on the Permissions tab in the Remote Desktop Session Host Confi ...

oval:org.secpod.oval:def:35145
This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration if supported hardware is available. If you use this setting, the Remote Desktop Client will use only software decoding. For example, if you have a problem that you suspect may be related to hardware acc ...

oval:org.secpod.oval:def:36473
This subcategory reports events generated by the Kerberos Authentication Server. These events occur on the computer that is authoritative for the credentials. Events for this subcategory include: - 4768: A Kerberos authentication ticket (TGT) was requested. - 4771: Kerberos pre-authenticatio ...

oval:org.secpod.oval:def:35139
This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. If you enable this policy setting, users will no longer see feedback notifications through the Windows Feedback app. If you disable or do not configure this policy setting, users ...

oval:org.secpod.oval:def:35190
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile.

oval:org.secpod.oval:def:35198
This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared" state.

oval:org.secpod.oval:def:36544
Prevents users from entering author mode. This setting prevents users from opening the Microsoft Management Console (MMC) in author mode, explicitly opening console files in author mode, and opening any console files that open in author mode by default. As a result, users cannot cr ...

oval:org.secpod.oval:def:35211
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile.

oval:org.secpod.oval:def:35208
This policy setting specifies whether Work Folders should be set up automatically for all users of the affected computer. If you enable this policy setting, Work Folders will be set up automatically for all users of the affected computer. This prevents users from choosing not to use Work Folders ...

oval:org.secpod.oval:def:35447
This policy setting specifies whether Windows apps have access to control radios. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps have access to control radios by using Settings > Privacy on the device. If you choose the "Force Al ...

oval:org.secpod.oval:def:35448
This policy setting specifies whether Windows apps can sync with devices. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can sync with devices by using Settings > Privacy on the device. If you choose the "Force Allow" option, Win ...

oval:org.secpod.oval:def:35445
This policy setting specifies whether Windows apps can access the microphone. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the microphone by using Settings > Privacy on the device. If you choose the "Force Allow" opt ...

oval:org.secpod.oval:def:35446
This policy setting specifies whether Windows apps can access trusted devices. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access trusted devices by using Settings > Privacy on the device. If you choose the "Force Allow" o ...

oval:org.secpod.oval:def:35443
This policy setting specifies whether Windows apps can access the calendar. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the calendar by using Settings > Privacy on the device. If you choose the "Force Allow" option, ...

oval:org.secpod.oval:def:35444
This policy setting specifies whether Windows apps can access the camera. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access the camera by using Settings > Privacy on the device. If you choose the "Force Allow" option, Win ...

oval:org.secpod.oval:def:35202
This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. If you enable the No auto-restart for scheduled Automatic Updates installations setting, Automatic Updates does not restart co ...

oval:org.secpod.oval:def:35441
This policy setting specifies whether Windows apps can read or send messages (text or MMS). If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can read or send messages by using Settings > Privacy on the device. If you choose the "Fo ...

oval:org.secpod.oval:def:35442
This policy setting specifies whether Windows apps can access motion data. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access motion data by using Settings > Privacy on the device. If you choose the "Force Allow" option, W ...

oval:org.secpod.oval:def:35440
This policy setting specifies whether Windows apps can access location. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access location by using Settings > Privacy on the device. If you choose the "Force Allow" option, Windows ...

oval:org.secpod.oval:def:35438
This policy setting specifies whether Windows apps can access contacts. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access contacts by using Settings > Privacy on the device. If you choose the "Force Allow" option, Windows ...

oval:org.secpod.oval:def:35439
This policy setting specifies whether Windows apps can access email. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access email by using Settings > Privacy on the device. If you choose the "Force Allow" option, Windows apps ...

oval:org.secpod.oval:def:35436
This policy setting specifies whether Windows apps can access account information. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access account information by using Settings > Privacy on the device. If you choose the "Force ...

oval:org.secpod.oval:def:35437
This policy setting specifies whether Windows apps can access call history. If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access call history by using Settings > Privacy on the device. If you choose the "Force Allow" option, ...

oval:org.secpod.oval:def:36525
This policy setting turns off Quiet Hours functionality. If you enable this policy setting, toast notifications will not be suppressed and some background tasks will not be deferred during the designated Quiet Hours time window each day. If you disable this policy s ...

oval:org.secpod.oval:def:36524
This policy setting blocks voice and video calls during Quiet Hours. If you enable this policy setting, voice and video calls will be blocked during the designated Quiet Hours time window each day, and users will not be able to customize any other Quiet Hours settings. ...

oval:org.secpod.oval:def:35435
This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons. If you disable this policy setting, the SMB client will rejec ...

oval:org.secpod.oval:def:35431
This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choice in the Shut Down Windows dialog. Note that this policy setting has no impact if the Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not ...

oval:org.secpod.oval:def:36513
Removes the Security tab from File Explorer. If you enable this setting, users opening the Properties dialog box for all file system objects, including folders, files, shortcuts, and drives, will not be able to access the Security tab. As a result, users will be able to neither change the s ...

oval:org.secpod.oval:def:36510
This policy setting allows you to prevent Windows Media Player from downloading codecs. If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player ...

oval:org.secpod.oval:def:35416
This policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box. This policy setting works in conjunction with the following Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows Dialog box sett ...

oval:org.secpod.oval:def:35417
Microsoft recommends that you use this setting, if appropriate to your environment and your organization's business requirements, to help protect end user computers. This policy setting specifies a text message that displays to users when they log on.

oval:org.secpod.oval:def:35415
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. If you enable this policy setting, the WinRM client will use Basic authentication. If WinRM is configured to use HTTP transport, then the user name and password are sent over ...

oval:org.secpod.oval:def:35250
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile.

oval:org.secpod.oval:def:35013
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. If you enable this policy setting, the WinRM service will accept Basic authentication from a remote client. If you disable or do not configure thi ...

oval:org.secpod.oval:def:35240
This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy.

oval:org.secpod.oval:def:35005
This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy.

oval:org.secpod.oval:def:35248
This policy setting configures the time in minutes before a detection in the "critically failed" state to moves to either the "additional action" state or the "cleared" state.

oval:org.secpod.oval:def:35003
This policy setting allows you to set the encryption types that Kerberos is allowed to use. This policy is supported on at least Windows 7 or Windows Server 2008 R2.

oval:org.secpod.oval:def:35244
This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. If you enable this policy setting and specify the new location, the files in that location will be use ...

oval:org.secpod.oval:def:35002
This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy.

oval:org.secpod.oval:def:35238
This policy setting allows you to enable RemoteApp programs to use advanced graphics, including support for transparency, live thumbnails, and seamless application moves. This policy setting applies only to RemoteApp programs and does not apply to remote desktop sessions. If you enable or do not ...

oval:org.secpod.oval:def:35230
Specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. If you enable this setting, all communications between clients and RD Session Host servers during remote connec ...

oval:org.secpod.oval:def:35227
This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process. ...

oval:org.secpod.oval:def:34985
This policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy does not affect interactive logon to this domain controller.

oval:org.secpod.oval:def:34982
Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note When the Apply local firewall rules setting is configured to No, Microsoft recommends also configuring the Display a notificat ...

oval:org.secpod.oval:def:34980
This policy setting allows you to create an exception list of servers in this domain to which clients are allowed to use NTLM pass-through authentication if the "Network Security: Restrict NTLM: Deny NTLM authentication in this domain" is set. The naming format for servers on this exception list ...

oval:org.secpod.oval:def:34976
This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. The naming format for servers on this exception li ...

oval:org.secpod.oval:def:35412
This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state.

oval:org.secpod.oval:def:36500
This policy setting turns off toast notifications on the lock screen. If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen. If you disable or do not configure this policy setting, toast notifications on the lock screen are ...

oval:org.secpod.oval:def:35407
Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note When the Apply local firewall rules setting is configured to No, Microsoft recommends also configuring the Display a notificat ...

oval:org.secpod.oval:def:35294
This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file rea ...

oval:org.secpod.oval:def:35295
This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Note Older operating systems and some thi ...

oval:org.secpod.oval:def:35053
This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. I ...

oval:org.secpod.oval:def:35292
By default, all administrator accounts are displayed when you attempt to elevate a running application.

oval:org.secpod.oval:def:35293
This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the workstations in your environment. The Network access: ...

oval:org.secpod.oval:def:35290
Specifies the period of inactivity before Windows turns off the display. If you enable this policy, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. If you disable this policy or do not configure it, users can see and cha ...

oval:org.secpod.oval:def:35291
This policy setting allows you to manage the installation of app packages that do not originate from the Windows Store. If you enable this policy setting, you can install any trusted app package. A trusted app package is one that is signed with a certificate chain that can be successfully valida ...

oval:org.secpod.oval:def:35058
This policy setting allows you to associate an object identifier from a smart card certificate to a BitLocker-protected drive. This policy setting is applied when you turn on BitLocker. The object identifier is specified in the enhanced key usage (EKU) of a certificate. BitLocker can identify w ...

oval:org.secpod.oval:def:35059
This policy setting allows you to control whether or not platform validation data is refreshed when Windows is started following BitLocker recovery. If you enable this policy setting, platform validation data will be refreshed when Windows is started following BitLocker recovery. If you disa ...

oval:org.secpod.oval:def:35298
This policy setting controls the behavior of the elevation prompt for standard users. The options are: - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, th ...

oval:org.secpod.oval:def:35056
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection.

oval:org.secpod.oval:def:35057
This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. A certificate is needed to authenticate an RD Session Host server when SSL (TLS 1.0) is used to secure communicati ...

oval:org.secpod.oval:def:35299
This policy setting specifies whether Terminal Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Terminal Services, even if they already provided the password in the Remote Desktop Connecti ...

oval:org.secpod.oval:def:35055
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)

oval:org.secpod.oval:def:35284
This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections cannot enumerate domain account user names on the workstations in your environment. This policy setting al ...

oval:org.secpod.oval:def:35042
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not config ...

oval:org.secpod.oval:def:35281
This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file rea ...

oval:org.secpod.oval:def:35280
This policy setting determines who is allowed to format and eject removable media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges.

oval:org.secpod.oval:def:35049
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)

oval:org.secpod.oval:def:35047
This policy setting determines which registry paths will be accessible after referencing the WinReg key to determine access permissions to the paths. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called "Network access: Remotely acce ...

oval:org.secpod.oval:def:35289
This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality includi ...

oval:org.secpod.oval:def:35048
MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)

oval:org.secpod.oval:def:35045
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)

oval:org.secpod.oval:def:35288
This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. Note: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, t ...

oval:org.secpod.oval:def:35286
LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, th ...

oval:org.secpod.oval:def:35030
This policy setting configures whether or not fixed data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) operating systems. If this policy s ...

oval:org.secpod.oval:def:35038
This policy setting determines what additional permissions are assigned for anonymous connections to the computer. If you enable this policy setting, anonymous Windows users are allowed to perform certain activities, such as enumerate the names of domain accounts and network shares. An unauthorized ...

oval:org.secpod.oval:def:35036
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)

oval:org.secpod.oval:def:35278
This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests, as follows: - None. The LDAP BIND request is issued with the caller-specified options. - Negotiate signing. If Transport Layer Security/Secure Sockets Layer (TLS/SSL ...

oval:org.secpod.oval:def:35037
This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. Note: Only one of the add ...

oval:org.secpod.oval:def:35034
This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case i ...

oval:org.secpod.oval:def:35276
This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: - Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the ...

oval:org.secpod.oval:def:35277
This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in t ...

oval:org.secpod.oval:def:35032
This policy setting determines whether packet signing is required by the SMB client component. If you enable this policy setting, the Microsoft network client computer cannot communicate with a Microsoft network server unless that server agrees to sign SMB packets. In mixed environments with legacy ...

oval:org.secpod.oval:def:35029
This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with application and driver compatibility. If you enable this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers ...

oval:org.secpod.oval:def:35261
This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read ...

oval:org.secpod.oval:def:35020
This policy setting determines whether users' private keys (such as their S-MIME keys) require a password to be used. If you configure this policy setting so that users must provide a password-distinct from their domain password-every time that they use a key, then it will be more difficult for an a ...

oval:org.secpod.oval:def:35262
This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. Microsoft recommends to disable this policy setting to restrict the ability to shut down the computer to ...

oval:org.secpod.oval:def:35260
This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker. Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker. If ...

oval:org.secpod.oval:def:35027
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning

oval:org.secpod.oval:def:35025
This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote clien ...

oval:org.secpod.oval:def:35026
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes

oval:org.secpod.oval:def:35023
Dictates whether or not Windows is allowed to use standby states when sleeping the computer. When this policy is enabled, Windows may use standby states to sleep the computer. If this policy is disabled, the only sleep state a computer may enter is hibernate.

oval:org.secpod.oval:def:35265
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. Important If you set Outbound connections to Block and then deploy the firewall p ...

oval:org.secpod.oval:def:35021
This policy setting allows you to configure remote access to computers by using Remote Desktop Services. If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services. ...

oval:org.secpod.oval:def:35022
This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. Microsoft reco ...

oval:org.secpod.oval:def:35264
This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used.

oval:org.secpod.oval:def:35018
MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)

oval:org.secpod.oval:def:35097
This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The "Allow data recovery agent" check box is used to specify whether a data recovery agent can ...

oval:org.secpod.oval:def:35092
It is feasible for a attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network. To reduce the possibility of such an event, only administrators should be a ...

oval:org.secpod.oval:def:35093
This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP.

oval:org.secpod.oval:def:35090
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not config ...

oval:org.secpod.oval:def:35098
This policy setting prevents users from adding new Microsoft accounts on this computer. If you select the "Users can't add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain acco ...

oval:org.secpod.oval:def:35085
This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches.

oval:org.secpod.oval:def:35086
Specifies the period of inactivity before Windows turns off the display. If you enable this policy, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. If you disable this policy or do not configure it, users can see and cha ...

oval:org.secpod.oval:def:35084
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ...\Program Files\, including subfolders - ...\Windows\sy ...

oval:org.secpod.oval:def:35081
This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to tre ...

oval:org.secpod.oval:def:35080
This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. The implementation of digital signing in Windows-based networks helps to prevent sessions from being hijacked. If you enable this policy setting, the Microsoft network client will use signing only if ...

oval:org.secpod.oval:def:35089
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers

oval:org.secpod.oval:def:35070
This policy setting determines which registry paths and sub-paths will be accessible when an application or process references the WinReg key to determine access permissions. Note: In Windows XP this setting is called "Network access: Remotely accessible registry paths," the setting with that sa ...

oval:org.secpod.oval:def:35078
MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.

oval:org.secpod.oval:def:35079
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)

oval:org.secpod.oval:def:35077
MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)

oval:org.secpod.oval:def:35063
This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certai ...

oval:org.secpod.oval:def:35061
This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.

oval:org.secpod.oval:def:35069
This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session is kept active on the server. By default, Remote Desktop Services allows users to disconne ...

oval:org.secpod.oval:def:35066
This policy setting controls computer restart performance at the risk of exposing BitLocker secrets. This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material used to encrypt data. This policy setting applies only when BitLocker protection is enabled. If y ...

oval:org.secpod.oval:def:35335
Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. You can enable the Turn off Autoplay set ...

oval:org.secpod.oval:def:35336
This policy setting causes the run list, which is a list of programs that Windows runs automatically when it starts, to be ignored. The customized run lists for Windows Vista are stored in the registry at the following locations: - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run ...

oval:org.secpod.oval:def:35327
This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders.

oval:org.secpod.oval:def:35314
This policy setting allows you to manage BitLocker's use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent readin ...

oval:org.secpod.oval:def:35307
This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. If you enable this policy setting, you must select the desired time limit in the Idle session limit drop-d ...

oval:org.secpod.oval:def:35300
This policy setting specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choose to allow use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting t ...

oval:org.secpod.oval:def:35301
This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local ...

oval:org.secpod.oval:def:35136
This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. If you ena ...

oval:org.secpod.oval:def:35375
This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. If you enable this policy setting, Windows Store apps that typically require a Microsoft account to ...

oval:org.secpod.oval:def:35374
This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Di ...

oval:org.secpod.oval:def:35128
Minimum PIN length configures the minimum number of characters required for the work PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, which ...

oval:org.secpod.oval:def:35125
This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. A value of 1 permits Microsoft to configure device settings only. A value of 2 allows Microsoft to conduct full experimentations. If you disable this policy setti ...

oval:org.secpod.oval:def:35363
This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. Note: It can be very dangerous to add othe ...

oval:org.secpod.oval:def:35121
This policy setting lets you configure Protected Event Logging. If you enable this policy setting, components that support it will use the certificate you supply to encrypt potentially sensitive event log data before writing it to the event log. Data will be encrypted using the Cryptographic Mes ...

oval:org.secpod.oval:def:35357
This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the ...

oval:org.secpod.oval:def:35116
Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the ...

oval:org.secpod.oval:def:35358
This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitL ...

oval:org.secpod.oval:def:35355
This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most cons ...

oval:org.secpod.oval:def:35113
When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. When you disable or not configure this s ...

oval:org.secpod.oval:def:35111
Configures password parameters Password complexity: which characters are used when generating a new password Default: Large letters + small letters + numbers + special characters Password length Minimum: 8 characters Maximum: 64 characters Default: 14 characters ...

oval:org.secpod.oval:def:35354
Enables or disables the automatic download and installation of app updates. If you enable this setting, the automatic download and installation of app updates is turned off. If you disable this setting, the automatic download and installation of app updates is turned on. If you don't con ...

oval:org.secpod.oval:def:35352
This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user nam ...

oval:org.secpod.oval:def:35346
Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7.

oval:org.secpod.oval:def:35105
This policy setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. If you select the "Use default recovery message and URL" option, the default BitLocker recovery message and URL will ...

oval:org.secpod.oval:def:35102
This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. If you enable this policy setting, you must select the desired time limit in the Active session limit drop-down list. Remote Desktop ...

oval:org.secpod.oval:def:35103
This policy setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. Although this policy setting increases security, most public Web sites that are secured with TLS or SSL do not support th ...

oval:org.secpod.oval:def:35100
This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. If you enable this policy se ...

oval:org.secpod.oval:def:35101
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to requi ...

oval:org.secpod.oval:def:35340
This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. I ...

oval:org.secpod.oval:def:35338
This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows you to associate a unique organizational identifier ...

oval:org.secpod.oval:def:35515
This subcategory reports changes to objects in Active Directory Domain Services (AD DS). The types of changes that are reported are create, modify, move, and undelete operations that are performed on an object. DS Change auditing, where appropriate, indicates the old and new values of the changed pr ...

oval:org.secpod.oval:def:35516
This subcategory reports when a handle to an object is opened or closed. Only objects with SACLs cause these events to be generated, and only if the attempted handle operation matches the SACL. Handle Manipulation events are only generated for object types where the corresponding Object Access subca ...

oval:org.secpod.oval:def:35514
This subcategory reports other types of security policy changes such as configuration of the Trusted Platform Module (TPM) or cryptographic providers. Events for this subcategory include: - 4909: The local policy settings for the TBS were changed. - 4910: The group policy settings for the T ...

oval:org.secpod.oval:def:35511
This subcategory reports when a process terminates. Events for this subcategory include: - 4689: A process has exited. Refer to the Microsoft Knowledgebase article 'Description of security events in Windows Vista and in Windows Server 2008' for the most recent information about this setting: ...

oval:org.secpod.oval:def:35512
This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events for this subcategory include: - 4610: An authentication package has been loaded by the Local Security Authority. - 4611: A trusted logon process has been registered with ...

oval:org.secpod.oval:def:35510
This subcategory reports when kernel objects such as processes and mutexes are accessed. Only kernel objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL. Typically kernel objects are only given SACLs if the AuditBaseObjects or AuditB ...

oval:org.secpod.oval:def:35508
This subcategory reports changes in authentication policy. Events for this subcategory include: - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4713: Kerberos policy was changed. - 4716: Trusted domain information was modified. - 4717: S ...

oval:org.secpod.oval:def:35509
This subcategory reports when replication between two domain controllers begins and ends. Events for this subcategory include: - 4932: Synchronization of a replica of an Active Directory naming context has begun. - 4933: Synchronization of a replica of an Active Directory naming context has ...

oval:org.secpod.oval:def:35506
This subcategory reports the addition and removal of objects from WFP, including startup filters. These events can be very high in volume. Events for this subcategory include: - 4709: IPsec Services was started. - 4710: IPsec Services was disabled. - 4711: May contain any one of the fo ...

oval:org.secpod.oval:def:35507
This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights: Act as part of the operating system, Back up files and directories, Create a token object, Debug programs, Enable computer and user accounts to be trusted fo ...

oval:org.secpod.oval:def:35504
This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and ...

oval:org.secpod.oval:def:35505
This subcategory reports each event of distribution group management, such as when a distribution group is created, changed, or deleted or when a member is added to or removed from a distribution group. If you enable this Audit policy setting, administrators can track events to detect malicious, acc ...

oval:org.secpod.oval:def:35502
This subcategory reports the creation of a process and the name of the program or user that created it. Note: These events now get audited earlier than in previous versions of Windows. The creation of smss.exe and other early processes is now audited. Default settings that cannot be altered unt ...

oval:org.secpod.oval:def:35503
This subcategory reports when packets are dropped by Windows Filtering Platform (WFP). These events can be very high in volume. Events for this subcategory include: - 5152: The Windows Filtering Platform blocked a packet. - 5153: A more restrictive Windows Filtering Platform filter has bloc ...

oval:org.secpod.oval:def:35500
This subcategory reports remote procedure call (RPC) connection events. Events for this subcategory include: - 5712: A Remote Procedure Call (RPC) was attempted. Refer to the Microsoft Knowledgebase article "Description of security events in Windows Vista and in Windows Server 2008" for the ...

oval:org.secpod.oval:def:35501
This subcategory reports when a file share is accessed. By itself, this policy setting will not cause auditing of any events. It determines whether to audit the event of a user who accesses a file share object that has a specified system access control list (SACL), effectively enabling auditing to t ...

oval:org.secpod.oval:def:35173
This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, standard users will n ...

oval:org.secpod.oval:def:35171
MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)

oval:org.secpod.oval:def:35172
Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. If the sta ...

oval:org.secpod.oval:def:35178
Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (ins ...

oval:org.secpod.oval:def:35162
This policy setting turns off the location feature for this computer. If you enable this policy setting, the location feature will be turned off, and all programs on this computer will not be able to use location information from the location feature. If you disable or do not ...

oval:org.secpod.oval:def:35163
Enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. If you disable or do not configure this setting the Store application will offer updates to the latest ve ...

oval:org.secpod.oval:def:35168
This policy setting allows you to choose specific Boot Configuration Data (BCD) settings to verify during platform validation. If you enable this policy setting, you will be able to add additional settings, remove the default settings, or both. If you disable this policy setting, the compute ...

oval:org.secpod.oval:def:35169
This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives. If you choose to permit the use of a password, you can require that a password be used, enforce complexity requirements on the password, and configure a minimum length for the password. For ...

oval:org.secpod.oval:def:35167
This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. The "Allow certificate-based data recovery agent" check box is used to specif ...

oval:org.secpod.oval:def:36495
If the Screen Saver Timeout setting is enabled, then the screen saver will be launched when the specified amount of time has passed since the last user action. Valid values range from 1 to 89,400 seconds (24 hours). The setting has no effect if the wait time is set to zero or no screen saver has bee ...

oval:org.secpod.oval:def:35393
This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a domain controller cannot be contacted. This policy setting determines the number of unique use ...

oval:org.secpod.oval:def:35392
This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file rea ...

oval:org.secpod.oval:def:35158
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to requi ...

oval:org.secpod.oval:def:35155
MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)

oval:org.secpod.oval:def:36487
If the Password protect the screen saver setting is enabled, then all screen savers are password protected, if it is disabled then password protection cannot be set on any screen saver. Counter Measure: Configure this policy setting to Enabled so that when the other screen saver ...

oval:org.secpod.oval:def:35156
Dictates whether or not Windows is allowed to use standby states when sleeping the computer. When this policy is enabled, Windows may use standby states to sleep the computer. If this policy is disabled, the only sleep state a computer may enter is hibernate.

oval:org.secpod.oval:def:35382
This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elev ...

oval:org.secpod.oval:def:35140
Enables or disables the automatic download and update of map data. If you enable this setting the automatic download and update of map data is turned off. If you disable this setting the automatic download and update of map data is turned on. If you don't configure this setting the autom ...

oval:org.secpod.oval:def:36471
This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share ...

oval:org.secpod.oval:def:35388
Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer.

oval:org.secpod.oval:def:36476
This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user's password for authentication purposes. Passwords that are stored with reversible encryption are ...

oval:org.secpod.oval:def:36475
Enables desktop screen savers. If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users cannot change the screen saver options. If you do not configure ...

oval:org.secpod.oval:def:35385
Specifies whether or not the user is prompted for a password when the system resumes from sleep.

oval:org.secpod.oval:def:35195
This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its computer account password. If you disable this policy setting, the domain member can change its compu ...

oval:org.secpod.oval:def:35196
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. ...

oval:org.secpod.oval:def:35193
This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to t ...

oval:org.secpod.oval:def:35191
This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certai ...

oval:org.secpod.oval:def:35184
This policy setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. If you enable this policy setting, only the interactively logged-on user is allowed to access removable CD-ROM media. When this policy setting is enabled and no one is logged on interactively ...

oval:org.secpod.oval:def:35185
This policy setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use setting is in effect. If you enable both policies, an audit event will be generated for every file that is backed up or restored. If the Audit: Audit the use ...

oval:org.secpod.oval:def:35182
This policy setting determines whether users must press CTRL+ALT+DEL before they log on. If you enable this policy setting, users can log on without this key combination. If you disable this policy setting, users must press CTRL+ALT+DEL before they log on to Windows unless they use a smart card for ...

oval:org.secpod.oval:def:35183
MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)

oval:org.secpod.oval:def:35215
This policy setting determines whether the Stored User Names and Passwords feature may save passwords or credentials for later use when it gains domain authentication. If you enable this policy setting, the Stored User Names and Passwords feature of Windows does not store passwords and credentials.

oval:org.secpod.oval:def:35212
This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards.

oval:org.secpod.oval:def:35455
This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. Consult the Bit ...

oval:org.secpod.oval:def:35213
This policy setting specifies whether Windows will search Windows Update for device drivers when no local drivers for a device are present. Note See also Turn off Windows Update device driver search prompt in Administrative Templates/System, which governs whether an administrator is prompted b ...

oval:org.secpod.oval:def:35210
This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditin ...

oval:org.secpod.oval:def:35452
This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. Consult the Bit ...

oval:org.secpod.oval:def:35209
This policy setting specifies whether the computer that is about to host the remote connection will enforce an encryption level for all data sent between it and the client computer for the remote session.

oval:org.secpod.oval:def:36538
This policy setting, which determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours, affects the SMB component. If you enable this policy setting, client sessions with the SMB server will be disconnected when the client's logon hou ...

oval:org.secpod.oval:def:35205
This policy setting determines if the server side SMB service is required to perform SMB packet signing. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server.

oval:org.secpod.oval:def:36532
This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly or set it to 0 so that the computers no longer change their passwords, an attack ...

oval:org.secpod.oval:def:35434
This policy setting helps prevent Terminal Services clients from saving passwords on a computer. Note If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Terminal Services client disconnects from any server ...

oval:org.secpod.oval:def:35430
This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the ...

oval:org.secpod.oval:def:35423
This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands.

oval:org.secpod.oval:def:35421
Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting determines whether it is necessary to contact a domain controller to unlock a computer. If you enable this setting, a domain c ...

oval:org.secpod.oval:def:36511
Antivirus programs are mandatory in many environments and provide a strong defense against attack. The Notify antivirus programs when opening attachments setting allows you to manage how registered antivirus programs are notified. When enabled, this policy setting configures Windows to call the ...

oval:org.secpod.oval:def:35422
This policy setting determines whether the virtual memory pagefile is cleared when the system is shut down. When this policy setting is enabled, the system pagefile is cleared each time that the system shuts down properly. If you enable this security setting, the hibernation file (Hiberfil.sys) is z ...

oval:org.secpod.oval:def:35420
This policy setting causes the run once list, which is the list of programs that Windows Vista runs automatically when it starts, to be ignored. This policy setting differs from the Do not process the legacy run list setting in that programs on this list will run once the next time the client comput ...

oval:org.secpod.oval:def:36509
This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps 'pass phrase' is a better term than 'password.' In Microsoft Windows 2000 or la ...

oval:org.secpod.oval:def:35419
This policy setting determines the strength of the default discretionary access control list (DACL) for objects. The setting helps secure objects that can be located and shared among processes and its default configuration strengthens the DACL, because it allows users who are not administrators to r ...

oval:org.secpod.oval:def:35414
This policy setting prevents users from sharing the local drives on their client computers to Terminal Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\TSClient\<driveletter>$ If local drives are shared they are left vul ...

oval:org.secpod.oval:def:36504
This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain the user's account name or parts of the user's full name that exceed two consecuti ...

oval:org.secpod.oval:def:36503
This policy setting allows you to remove CD Burning features. File Explorer allows you to create and modify re-writable CDs if you have a CD writer connected to your PC. If you enable this policy setting, all features in the File Explorer that allow you to use your CD writer are removed. ...

oval:org.secpod.oval:def:35492
This subcategory reports when connections are allowed or blocked by WFP. These events can be high in volume. Events for this subcategory include: - 5031: The Windows Firewall Service blocked an application from accepting incoming connections on the network. - 5154: The Windows Filtering Pla ...

oval:org.secpod.oval:def:35493
This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include: - 4625: An account failed to log on. Refer to the Microsoft Knowledgebase article 'Description of security events in Windows Vista and in Windows ...

oval:org.secpod.oval:def:35490
This subcategory reports changes in authorization policy including permissions (DACL) changes. Events for this subcategory include: - 4704: A user right was assigned. - 4705: A user right was removed. - 4706: A new trust was created to a domain. - 4707: A trust to a domain was remo ...

oval:org.secpod.oval:def:35491
This subcategory reports changes in policy rules used by the Microsoft Protection Service (MPSSVC.exe). This service is used by Windows Firewall and by Microsoft OneCare. Events for this subcategory include: - 4944: The following policy was active when the Windows Firewall started. - 4945: ...

oval:org.secpod.oval:def:35016
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. Important If you set Outbound connections to Block and then deploy the firewall po ...

oval:org.secpod.oval:def:35259
This policy setting creates a default system access control list (SACL) for system objects such as mutexes (mutual exclusive), events, semaphores, and MS-DOS devices, and causes access to these system objects to be audited. If the Audit: Audit the access of global system objects setting is enabl ...

oval:org.secpod.oval:def:35017
This policy setting allows users to enable authentication options that require user input from the pre-boot environment even if the platform indicates lack of pre-boot input capability. The Windows on-screen touch keyboard (such as used by slates) is not available in the pre-boot environment whe ...

oval:org.secpod.oval:def:35498
This subcategory reports each event of application group management on a computer, such as when an application group is created, changed, or deleted or when a member is added to or removed from an application group. If you enable this Audit policy setting, administrators can track events to detect m ...

oval:org.secpod.oval:def:35499
This subcategory reports when an AD DS object is accessed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. These events are similar to the directory service access events in previous versions of Windows Server. This sub ...

oval:org.secpod.oval:def:35496
This subcategory reports the events that occur in response to credentials submitted for a user account logon request that do not relate to credential validation or Kerberos tickets. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controll ...

oval:org.secpod.oval:def:35255
This policy setting allows you to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer. If you enable this policy setting smart cards can be used to authenticate user access to the drive. You can require a smart card authe ...

oval:org.secpod.oval:def:35497
This subcategory reports encrypt or decrypt calls into the data protections application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. Events for this subcategory include: - 4692: Backup of data protection master key was attempted. ...

oval:org.secpod.oval:def:35010
This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: - Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and s ...

oval:org.secpod.oval:def:35494
This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. Events for this subcategory include: - 4608: Windows is starting up. - 4609: Windows is shutting down. - 4616: The system time was changed. - 4621: Administrator ...

oval:org.secpod.oval:def:35495
This subcategory reports when applications attempt to generate audit events by using the Windows auditing application programming interfaces (APIs). Events for this subcategory include: - 4665: An attempt was made to create an application client context. - 4666: An application attempted an ...

oval:org.secpod.oval:def:35007
Specifies whether or not the user is prompted for a password when the system resumes from sleep.

oval:org.secpod.oval:def:35481
This subcategory reports the results of AuthIP during Extended Mode negotiations. Events for this subcategory include: - 4978: During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or re ...

oval:org.secpod.oval:def:35482
This subcategory reports each event of computer account management, such as when a computer account is created, changed, deleted, renamed, disabled, or enabled. Events for this subcategory include: - 4741: A computer account was created. - 4742: A computer account was changed. - 4743: A ...

oval:org.secpod.oval:def:35480
This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include: - 4612 : Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. - 4615 : Invalid use of LPC port. - 4618 ...

oval:org.secpod.oval:def:35489
This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If you enable this Audit policy setting, administrators can track events to detect malicious, ...

oval:org.secpod.oval:def:35006
This policy setting allows you to configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives. Secure Boot ensures that the PC's pre-boot environment only loads firmware that is digitally signed by authorized software publishers. Secure ...

oval:org.secpod.oval:def:35487
This subcategory reports other account management events. Events for this subcategory include: - 4782: The password hash an account was accessed. - 4793: The Password Policy Checking API was called. Refer to the Microsoft Knowledgebase article "Description of security events in Windows V ...

oval:org.secpod.oval:def:35488
This subcategory reports on other system events. Events for this subcategory include: - 5024 : The Windows Firewall Service has started successfully. - 5025 : The Windows Firewall Service has been stopped. - 5027 : The Windows Firewall Service was unable to retrieve the security policy ...

oval:org.secpod.oval:def:35243
Windows 7 and Windows Server 2008 R2 introduce an extension to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decides whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts, which is treated as an authentication pro ...

oval:org.secpod.oval:def:35001
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to requi ...

oval:org.secpod.oval:def:35485
This subcategory reports detailed information about the information replicating between domain controllers. These events can be very high in volume. Events for this subcategory include: - 4928: An Active Directory replica source naming context was established. - 4929 : An Active Directory r ...

oval:org.secpod.oval:def:35486
This subcategory reports when Certification Services operations are performed. Events for this subcategory include: - 4868: The certificate manager denied a pending certificate request. - 4869: Certificate Services received a resubmitted certificate request. - 4870: Certificate Service ...

oval:org.secpod.oval:def:35241
This policy setting allows you to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer. If you enable this policy setting smart cards can be used to authenticate user access to the drive. You can require a smart card authe ...

oval:org.secpod.oval:def:35483
This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include: - 4964 : Special groups have been assigned to a new logon. Refer to the ...

oval:org.secpod.oval:def:35000
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds

oval:org.secpod.oval:def:35242
This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. It affects the SMB component. If you enable this policy setting, client sessions with the SMB service will be forcibly disconnected when the client's log ...

oval:org.secpod.oval:def:35484
This subcategory reports when SAM objects are accessed. Refer to the Microsoft Knowledgebase article "Description of security events in Windows Vista and in Windows Server 2008" for the most recent information about this setting: http://support.microsoft.com/kb/947226.

oval:org.secpod.oval:def:35470
This subcategory reports the results of Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. Events for this subcategory include: - 4646: IKE DoS-prevention mode started. - 4650: An IPsec Main Mode security association was establish ...

oval:org.secpod.oval:def:35471
This subcategory is not used.

oval:org.secpod.oval:def:35478
This subcategory reports other logon/logoff-related events, such as Terminal Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. Events for this subcategory include: - 4649: A replay attack was detected. ...

oval:org.secpod.oval:def:35476
This subcategory reports when registry objects are accessed. Only registry objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL. By itself, this policy setting will not cause auditing of any events. It determines whether to audit the ...

oval:org.secpod.oval:def:35477
This subcategory reports when file system objects are accessed. Only file system objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL. By itself, this policy setting will not cause auditing of any events. It determines whether to audi ...

oval:org.secpod.oval:def:35232
When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to sha ...

oval:org.secpod.oval:def:35474
This subcategory reports other object access-related events such as Task Scheduler jobs and COM+ objects. Events for this subcategory include: - 4671: An application attempted to access a blocked ordinal through the TBS. - 4691: Indirect access to an object was requested. - 4698: A sch ...

oval:org.secpod.oval:def:35475
This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the compu ...

oval:org.secpod.oval:def:35472
This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that ...

oval:org.secpod.oval:def:35473
This subcategory reports when a user account or service uses a non-sensitive privilege. A non-sensitive privilege includes the following user rights: Access Credential Manager as a trusted caller, Access this computer from the network, Add workstations to domain, Adjust memory quotas for a process, ...

oval:org.secpod.oval:def:35231
This policy setting allows you to allow or deny remote access to the Plug and Play interface. If you enable this policy setting, remote connections to the Plug and Play interface are allowed. If you disable or do not configure this policy setting, remote connections to the Plug an ...

oval:org.secpod.oval:def:35469
This subcategory reports the results of IKE protocol and AuthIP during Quick Mode negotiations. - 4654: An IPsec Quick Mode negotiation failed. Events for this subcategory include: - 4977: During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, ...

oval:org.secpod.oval:def:35228
This policy setting controls whether a BitLocker-protected computer that is connected to a trusted wired Local Area Network (LAN) and joined to a domain can create and use Network Key Protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started. ...

oval:org.secpod.oval:def:35225
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. In Windows Vista, the default behavior is to allow connections unless there are firewall rules that block the connection.

oval:org.secpod.oval:def:35467
This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory include: - 4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified ...

oval:org.secpod.oval:def:35468
This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authoritative, whereas for local accounts, the local compute ...

oval:org.secpod.oval:def:35224
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection.

oval:org.secpod.oval:def:35222
This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC p ...

oval:org.secpod.oval:def:36551
This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days. ...

oval:org.secpod.oval:def:35216
This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. If you disable this p ...

oval:org.secpod.oval:def:36547
This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default settin ...

oval:org.secpod.oval:def:34998
This policy setting allows you to control how BitLocker-protected removable data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The "Allow data recovery agent" check box is used to specify whether a data recovery agent ...

oval:org.secpod.oval:def:34999
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection.

oval:org.secpod.oval:def:34996
This policy setting allows you to manage BitLocker's use of hardware-based encryption on fixed data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or w ...

oval:org.secpod.oval:def:34997
When enabled, this policy setting causes Local System services that use Negotiate to use the computer identity when NTLM authentication is selected by the negotiation. This policy is supported on at least Windows 7 or Windows Server 2008 R2.

oval:org.secpod.oval:def:34995
This policy setting configures whether or not removable data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) operating systems. If this poli ...

oval:org.secpod.oval:def:34992
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not config ...

oval:org.secpod.oval:def:34993
By default, users can add their computer to a homegroup on a home network. If you enable this policy setting, a user on this computer will not be able to add this computer to a homegroup. This setting does not affect other network sharing features. If you disable or do not configure this po ...

oval:org.secpod.oval:def:34990
This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screen ...

oval:org.secpod.oval:def:34989
This policy setting makes the Recovery Console SET command available, which allows you to set the following recovery console environment variables: - AllowWildCards. Enables wildcard support for some commands (such as the DEL command). - AllowAllPaths. Allows access to all files and folders ...

oval:org.secpod.oval:def:34987
Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to third-party SMB servers that do not support password encryption. Microsoft recommends that you disable this policy setting unless there is a strong business case to enable it. If this ...

oval:org.secpod.oval:def:34988
The machine lockout policy is enforced only on those machines that have Bitlocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled. This security setting determines the number of failed logon attempts that causes the machine to be lo ...

oval:org.secpod.oval:def:34983
This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy.

oval:org.secpod.oval:def:34984
This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker. When this policy setting is enabled you can select property settings that control how users can configure BitLocker. Choose "Allow users to apply BitLocker prote ...

oval:org.secpod.oval:def:34981
This policy setting allows you to manage BitLocker's use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading ...

oval:org.secpod.oval:def:34978
This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing an autorun command is inserted, the ...

oval:org.secpod.oval:def:34979
This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently warn users when their passwords will expire.

oval:org.secpod.oval:def:34975
This policy setting turns off the Windows Location Provider feature for this computer. If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the Windows Location Provider feature. ...

oval:org.secpod.oval:def:34972
When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all domain controllers in the domain must be able to encrypt secure channel ...

oval:org.secpod.oval:def:34973
The recovery console is a command-line environment that is used to recover from system problems. If you enable this policy setting, the administrator account is automatically logged on to the recovery console when it is invoked during startup.

oval:org.secpod.oval:def:36501
This policy setting determines the number of failed logon attempts before a lock occurs. Authorized users can lock themselves out of an account by mistyping their password or by remembering it incorrectly, or by changing their password on one computer while logged on to another computer. The compute ...

oval:org.secpod.oval:def:35408
This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. ...

oval:org.secpod.oval:def:35405
This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet.

oval:org.secpod.oval:def:35403
This policy setting permits users to change installation options that typically are available only to system administrators. If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due ...

oval:org.secpod.oval:def:35052
This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. If you enable thi ...

oval:org.secpod.oval:def:35050
Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log.

oval:org.secpod.oval:def:35054
MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments)

oval:org.secpod.oval:def:35296
Use this option to specify the path and name of the file in which Windows Firewall will write its log information.

oval:org.secpod.oval:def:35297
This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. When the policy setting is enabled: -Windows X ...

oval:org.secpod.oval:def:35041
This policy setting allows you to specify the time of day at which to check for definition updates. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default this setting is configured to check for definition updates ...

oval:org.secpod.oval:def:35283
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable ...

oval:org.secpod.oval:def:35040
This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning. If you enable this setting, archive files less t ...

oval:org.secpod.oval:def:35282
This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL. If you enable this setting, the proxy server will be bypassed for the specified addresses. If you d ...

oval:org.secpod.oval:def:35287
This policy setting allows local users to be enumerated on domain-joined computers. If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on ...

oval:org.secpod.oval:def:35046
This policy setting allows you to manage the deployment operations of app packages when the user is logged in under special profiles. Deployment operation refers to adding, registering, staging, updating or removing an app package. Special profiles refer to profiles with the following types: ...

oval:org.secpod.oval:def:35285
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. If you enable this policy setting, the WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any ...

oval:org.secpod.oval:def:35043
Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. By default, users can change the background and accent colors. If this setting is enabled, the background and accent colors of Windows will be set to the specified colors ...

oval:org.secpod.oval:def:35044
This policy setting allows you to configure definition updates on startup when there is no antimalware engine present. If you enable or do not configure this setting, definition updates will be initiated on startup when there is no antimalware engine present. If you disable this setting, def ...

oval:org.secpod.oval:def:35272
This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities. If you enable or do not configure this setting, protocol recognition will be enabled. If you disable this setting, protocol recognition will be disabled.

oval:org.secpod.oval:def:35031
Microsoft recommends that you use this setting, if appropriate to your environment and your organization's business requirements, to help protect end user computers. This policy setting requires users to log on to a computer with a smart card. Note: This setting applies to Windows 2000 computers ...

oval:org.secpod.oval:def:35273
This policy setting allows you to configure the antimalware service to receive notifications to disable individual definitions in response to reports it sends to Microsoft MAPS. Microsoft MAPS uses these notifications to disable definitions that are causing false positive reports. You must have conf ...

oval:org.secpod.oval:def:35270
This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. If this policy setting is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances: ...

oval:org.secpod.oval:def:35271
This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy setting. If you enable this policy setting, Windows is prevented from installing, or updating the device driver for, any device that is not described by either the "Allow ...

oval:org.secpod.oval:def:35279
This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: - Good: T ...

oval:org.secpod.oval:def:35035
This policy setting prevents computers from establishing multiple simultaneous connections to either the Internet or to a Windows domain. If this policy setting is enabled, when the computer has at least one active connection to the Internet, a new automatic connection attempt to the ...

oval:org.secpod.oval:def:35274
This policy setting determines which users or groups might launch or activate DCOM applications remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications. You can use this Group Policy setting to grant access to all the computers to particular ...

oval:org.secpod.oval:def:35033
This policy setting disallows AutoPlay for MTP devices like cameras or phones. If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume dev ...

oval:org.secpod.oval:def:35269
This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. If you enable this ...

oval:org.secpod.oval:def:35028
This setting determines the consent behavior of Windows Error Reporting. If Consent level is set to "Always ask before sending data", Windows will prompt the user for consent to send reports. If Consent level is set to "Send parameters", the minimum data required to check for an existing solution ...

oval:org.secpod.oval:def:35267
This policy setting determines whether a portable computer can be undocked if the user does not log on to the system. Enable this policy setting to eliminate a Logon requirement and allow use of an external hardware eject button to undock the computer. If you disable this policy setting, a user must ...

oval:org.secpod.oval:def:35268
This policy setting defines processes from which outbound network traffic will not be inspected. Process names should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a process path and name. As an examp ...

oval:org.secpod.oval:def:35266
This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan. This setting applies to scheduled scans as well as the command line "mpcmdrun -SigUpdate", but it has no effect on scans initiated manually from the user interface. ...

oval:org.secpod.oval:def:35024
This policy setting allows you to specify the default path that is displayed when the BitLocker Drive Encryption setup wizard prompts the user to enter the location of a folder in which to save the recovery password. This policy setting is applied when you turn on BitLocker. If you enable this p ...

oval:org.secpod.oval:def:35263
This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not co ...

oval:org.secpod.oval:def:35094
Use this option to specify the size limit of the file in which Windows Firewall will write its log information.

oval:org.secpod.oval:def:35095
Disables help tips that Windows shows to the user. By default, Windows will show the user help tips until the user has successfully completed the scenarios. If this setting is enabled, Windows will not show any help tips to the user.

oval:org.secpod.oval:def:35099
This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy.

oval:org.secpod.oval:def:35083
Microsoft recommends that you use this setting, if appropriate to your environment and your organization's business requirements, to help protect end user computers. This policy setting allows text to be specified in the title bar of the window that users see when they log on to the system.

oval:org.secpod.oval:def:35087
This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning. If you enable this setting, a system restore point will be created. If you disable or do not configure this setting, a system restore point will not be created.

oval:org.secpod.oval:def:35088
MSS: (AutoShareServer) Enable Administrative Shares (recommended except for highly secure environments)

oval:org.secpod.oval:def:35074
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames

oval:org.secpod.oval:def:35075
MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged

oval:org.secpod.oval:def:35072
This policy setting determines whether removable floppy media are accessible to both local and remote users simultaneously. If you enable this policy setting, only the interactively logged-on user is allowed to access removable floppy media. If this policy setting is enabled and no one is logged on ...

oval:org.secpod.oval:def:35073
This setting lets you configure how domain joined computers become registered as devices. When you enable this setting, domain joined computers automatically and silently get registered as devices with Azure Active Directory. Note: Additional requirements may apply on certain Windows SKUs. R ...

oval:org.secpod.oval:def:35071
This policy setting allows you to prevent app notifications from appearing on the lock screen. If you enable this policy setting, no app notifications are displayed on the lock screen. If you disable or do not configure this policy setting, users can choose which apps display notifications o ...

oval:org.secpod.oval:def:35076
This policy setting allows you to configure whether or not to display AM UI to the users. If you enable this setting AM UI won't be available to users.

oval:org.secpod.oval:def:35064
This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string r ...

oval:org.secpod.oval:def:35062
This policy setting allows you to audit NTLM authentication in a domain from this domain controller. This policy is supported on at least Windows Server 2008 R2. Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsof ...

oval:org.secpod.oval:def:35060
This policy setting allows you to audit incoming NTLM traffic. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Audit events are recorded on this computer in the "Operational" Log located under the Applications and Services Log/Microsoft/Windows/NTLM.

oval:org.secpod.oval:def:35067
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)

oval:org.secpod.oval:def:35068
Denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. If you disable or do not configure this setting, access to the Store application is allowed.

oval:org.secpod.oval:def:35065
This policy setting allows you to configure definition updates when the computer is running on battery power. If you enable or do not configure this setting, definition updates will occur as usual regardless of power state. If you disable this setting, definition updates will be turned off w ...

oval:org.secpod.oval:def:35333
This policy setting controls whether raw volume write notifications are sent to behavior monitoring. If you enable or do not configure this setting, raw write notifications will be enabled. If you disable this setting, raw write notifications be disabled.

oval:org.secpod.oval:def:35331
Maximum PIN length configures the maximum number of characters allowed for the work PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, which ...

oval:org.secpod.oval:def:35332
This policy setting determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. It enables or disables certificate rules (a type of software restriction policies rule). With soft ...

oval:org.secpod.oval:def:35330
This policy setting determines the amount of diagnostic and usage data reported to Microsoft. A value of 0 indicates that no telemetry data from OS components is sent to Microsoft. Setting a value of 0 is applicable to enterprise and server devices only. Setting a value of 0 for other devices is equ ...

oval:org.secpod.oval:def:35328
This policy setting determines the cipher suites used by the SMB client. If you enable this policy setting, cipher suites are prioritized in the order specified. If you enable this policy setting and do not specify at least one supported cipher suite, or if you disable or do not configure th ...

oval:org.secpod.oval:def:35329
This policy setting allows the administrator to assign a specified credential provider as the default credential provider. If you enable this policy setting, the specified credential provider is selected on other user tile. If you disable or do not configure this policy setting, the system p ...

oval:org.secpod.oval:def:35326
Disable turns off the launch of all apps from the Windows Store that came pre-installed or were downloaded. Apps will not be updated. Your Store will be also be disabled. Enable turns all of it back on.

oval:org.secpod.oval:def:35322
This setting specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The PIN can be set to expire after any number of days between 1 and 730, or PINs can be set to never expire if the policy is set to 0. Default: 0.

oval:org.secpod.oval:def:35323
Use this policy setting to configure use of Remote Passport. Remote Passport provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. Remote Passport requires that the desktop be Azure AD joined and that the companion device has a Passport ...

oval:org.secpod.oval:def:35320
This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. Turning this setting on, or not configuring it, lets employees use F12 Developer Tools. Turning this setting off stops employees from using F12 Developer Tools.

oval:org.secpod.oval:def:35321
This setting lets you decide whether employees can browse using InPrivate website browsing. Turning this setting on, or not configuring it, lets employees use InPrivate browsing on the corporate network. Turning this setting off stops employees from using InPrivate website browsing.

oval:org.secpod.oval:def:35319
This setting lets you decide whether employees can override the SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops employees from ignoring the SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, o ...

oval:org.secpod.oval:def:35317
This setting lets you configure your corporate Home pages for domain-joined devices. Your employees can change this setting. Turning this setting on lets you configure one or more corporate Home pages. If this setting is turned on, you must also include URLs to the pages, separating multiple pag ...

oval:org.secpod.oval:def:35318
This setting lets you decide whether employees can override the SmartScreen Filter warnings about potentially malicious websites. Turning this setting on stops employees from ignoring the SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not con ...

oval:org.secpod.oval:def:35315
This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and no fonts are blocked. If yo ...

oval:org.secpod.oval:def:35316
This policy setting allows you to manage installing Windows apps on additional volumes such as secondary partitions, USB drives, or SD cards. If you enable this setting, you can't move or install Windows apps on volumes that are not the system volume. If you disable or do not ...

oval:org.secpod.oval:def:35313
This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be ...

oval:org.secpod.oval:def:35311
This policy setting allows you to enable real-time definition updates in response to reports sent to Microsoft MAPS. If the service reports a file as an unknown and Microsoft MAPS finds that the latest definition update has definitions for a threat involving that file, the service will receive all o ...

oval:org.secpod.oval:def:35312
This policy setting allows you to control what information is shared with Bing in Search. If you enable this policy setting, you can specify one of four settings, which users won't be able to change: -User info and location: Share a user's search history, some Microsoft account info, and ...

oval:org.secpod.oval:def:35310
This policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity. Note: For a domain controller to request compound authentication, the policies "KDC support for claims, compound authentication, and Kerberos armoring ...

oval:org.secpod.oval:def:35309
Prevent the "Start layout" group from syncing to and from this PC. This turns off and disables the "Start layout" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "Start layout" group will not be synced. Use the option "Allow users ...

oval:org.secpod.oval:def:35306
This policy setting allows you to define the number of days that must pass before spyware definitions are considered out of date. If definitions are determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a ...

oval:org.secpod.oval:def:35304
This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Pol ...

oval:org.secpod.oval:def:35305
This policy setting allows you to configure network protection against exploits of known vulnerabilities. If you enable or do not configure this setting, the network protection will be enabled. If you disable this setting, the network protection will be disabled.

oval:org.secpod.oval:def:35302
This policy setting allows you to define the number of days that must pass before virus definitions are considered out of date. If definitions are determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a w ...

oval:org.secpod.oval:def:35303
This policy setting allows you to specify an intranet server to host updates from the Microsoft Update Web site. You can then use this update service location to automatically update computers on your network. The Automatic Updates client will search this service for updates that apply to the comput ...

oval:org.secpod.oval:def:35130
This policy setting allows user to suppress reboot notifications in UI only mode (for cases where UI can't be in lockdown mode). If you enable this setting AM UI won't show reboot notifications.

oval:org.secpod.oval:def:35372
This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. If you enable this setting, removable drives will be scanned during any type of scan. If you d ...

oval:org.secpod.oval:def:35370
This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Po ...

oval:org.secpod.oval:def:36469
This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through a ...

oval:org.secpod.oval:def:35379
This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not config ...

oval:org.secpod.oval:def:35137
This policy setting prevents Windows Tips from being shown to users. If you enable this policy setting, users will no longer see Windows tips. If you disable or do not configure this policy setting, users may see contextual popups explaining how to use Windows. Microsoft uses diagnostic and ...

oval:org.secpod.oval:def:35138
This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. If you enable this policy setting, users will no longer see personalized recommendations from Microsoft and notifications about their Microsoft account. If you disable or do no ...

oval:org.secpod.oval:def:36468
This policy setting lets you deploy a Code Integrity Policy to a machine to control what is allowed to run on that machine. If you deploy a Code Integrity Policy, Windows will restrict what can run in both kernel mode and on the Windows Desktop based on the policy. To enable this policy the ...

oval:org.secpod.oval:def:35377
This policy setting allows you to control whether or not Search can perform queries on the web, and if the web results are displayed in Search. If you enable this policy setting, queries won't be performed on the web and web results won't be displayed when a user performs a query in Search. ...

oval:org.secpod.oval:def:35135
This policy setting determines whether users can enable the following WLAN settings: "Connect to suggested open hotspots," "Connect to networks shared by my contacts," and "Enable paid services". "Connect to suggested open hotspots" enables Windows to automatically connect users to open hotspots ...

oval:org.secpod.oval:def:36467
Use this policy setting to configure the use of uppercase letters in the Microsoft Passport for PIN. If you enable this policy setting, Microsoft Passport for Work requires users to include at least one uppercase letter in their PIN. If you disable or do not configure this policy s ...

oval:org.secpod.oval:def:35378
This policy setting defines a list of TCP port numbers from which network traffic inspection will be disabled. Port numbers should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a TCP port number. As an ...

oval:org.secpod.oval:def:36466
Use this policy setting to configure the use of special characters in the Microsoft Passport for PIN. Allowable special characters are: ! ' # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` ~ . If you enable this policy setting, Microsoft Passport for Work requires users to include at l ...

oval:org.secpod.oval:def:35133
This policy applies to Wireless Display connections. This policy changes the preference order of the pairing methods. When enabled, it makes the connections to prefer a PIN for pairing to Wireless Display devices over the Push Button pairing method. If this policy setting is disabled or is n ...

oval:org.secpod.oval:def:36465
Use this policy setting to configure the use of lowercase letters in the Microsoft Passport for PIN. If you enable this policy setting, Microsoft Passport for Work requires users to include at least one lowercase letter in their PIN. If you disable or do not configure this policy s ...

oval:org.secpod.oval:def:35134
This policy applies to Wireless Display connections. This policy means that the use of a PIN for pairing to Wireless Display devices is required rather than optional. Conversely it means that Push Button is NOT allowed. If this policy setting is disabled or is not configured, by default Push ...

oval:org.secpod.oval:def:35376
Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. If this setting is set to zero or not configured, then Start uses the default background, and users can change it. If this setting is set to a nonzero value, then Start uses ...

oval:org.secpod.oval:def:36464
Use this policy setting to configure the use of digits in the Microsoft Passport for PIN. If you enable or do not configure this policy setting, Microsoft Passport for Work requires users to include at least one uppercase letter in their PIN. If you disable this policy setting, Mic ...

oval:org.secpod.oval:def:36463
If you enable this policy and set it to Start menu or full screen Start, Start will be that size and users will be unable to change the size of Start in Settings. If you disable or don't configure this policy setting, Windows will automatically select the size based on hardware form factor ...

oval:org.secpod.oval:def:35131
Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off.

oval:org.secpod.oval:def:35373
Use this option to specify the path and name of the file in which Windows Firewall will write its log information.

oval:org.secpod.oval:def:35132
This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, ...

oval:org.secpod.oval:def:35129
This policy setting specifies whether Cortana is allowed on the device. If you enable or don't configure this setting, Cortana will be allowed on the device. If you disable this setting, Cortana will be turned off. When Cortana is off, users will still be able to use search to fi ...

oval:org.secpod.oval:def:36459
Windows Runtime applications can protect content which has been associated with an enterprise identifier (EID), but can only revoke access to content it protected. To allow an application to revoke access to all content on the device that is protected by a particular enterprise, add an entry to the ...

oval:org.secpod.oval:def:35360
This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule ...

oval:org.secpod.oval:def:35361
This policy setting allows you to configure monitoring for file and program activity. If you enable or do not configure this setting, monitoring for file and program activity will be enabled. If you disable this setting, monitoring for file and program activity will be disabled.

oval:org.secpod.oval:def:35368
This policy setting allows you to control whether or not Search can perform queries on the web over metered connections, and if the web results are displayed in Search. If you enable this policy setting, queries won't be performed on the web over metered connections and web results won't be disp ...

oval:org.secpod.oval:def:35126
This policy setting determines the cipher suites used by the SMB server. If you enable this policy setting, cipher suites are prioritized in the order specified. If you enable this policy setting and do not specify at least one supported cipher suite, or if you disable or do not configure th ...

oval:org.secpod.oval:def:36458
Maximum PIN length configures the maximum number of characters allowed for the work PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, which ...

oval:org.secpod.oval:def:35369
This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows. If you disable or don't configure this policy setting, ...

oval:org.secpod.oval:def:35127
Specifies the Start layout for users. This setting lets you specify the Start layout for users and prevents them from changing its configuration. The Start layout you specify must be stored in an XML file that was generated by the Export-StartLayout PowerShell cmdlet. To use this setting, yo ...

oval:org.secpod.oval:def:36457
This setting specifies the number of past PINs that can be associated to a user account that can't be reused. This policy enables administrators to enhance security by ensuring that old PINs are not reused continually. PIN history is not preserved through PIN reset. The value must be betwee ...

oval:org.secpod.oval:def:35366
This policy setting allows you to configure scanning mapped network drives. If you enable this setting, mapped network drives will be scanned. If you disable or do not configure this setting, mapped network drives will not be scanned.

oval:org.secpod.oval:def:35124
This policy setting specifies whether search and Cortana can provide location aware search and Cortana results. If this is enabled, search and Cortana can access location information.

oval:org.secpod.oval:def:36456
This setting specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The PIN can be set to expire after any number of days between 1 and 730, or PINs can be set to never expire if the policy is set to 0. Default: 0. Counte ...

oval:org.secpod.oval:def:35367
This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified def ...

oval:org.secpod.oval:def:36454
This policy setting determines the default consent behavior of Windows Error Reporting. If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this pol ...

oval:org.secpod.oval:def:35122
Prevent users' app data from moving to another location when an app is moved or installed on another location. If you enable this setting, all users' app data will stay on the system volume, regardless of where the app is installed. If you disable or do not configure this set ...

oval:org.secpod.oval:def:35364
This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the dr ...

oval:org.secpod.oval:def:35123
Microsoft Passport for Work enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However users must still configure a work PIN to use in case of failures. If you enable this policy setting, Microsoft Passport for Work allows the use biomet ...

oval:org.secpod.oval:def:35362
This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do not turn off heuristics. If you enable or do not conf ...

oval:org.secpod.oval:def:35120
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, ...

oval:org.secpod.oval:def:36452
Minimum PIN length configures the minimum number of characters required for the work PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, which ...

oval:org.secpod.oval:def:35119
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools. If you enable this policy setting, ...

oval:org.secpod.oval:def:35359
This policy setting limits the rate at which detection events for network protection against exploits of known vulnerabilities will be logged. Logging will be limited to not more often than one event per the defined interval. The interval value is defined in minutes. The default interval is 60 minut ...

oval:org.secpod.oval:def:35117
Manages a Windows app's ability to share data between users who have installed the app. If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage AP ...

oval:org.secpod.oval:def:35118
This policy setting controls whether Windows Store apps with Windows Runtime API access directly from web content can be launched. If you enable this policy setting, Windows Store apps with Windows Runtime API access directly from web content cannot be launched; Windows Store apps withou ...

oval:org.secpod.oval:def:35350
This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a definition set GUID. As an e ...

oval:org.secpod.oval:def:35115
This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. If you enable this policy setting, ECC curves are prioritized in the order specified.(Enter one Curve name per line) If you disable or do not configure this policy setting, the default ECC curve or ...

oval:org.secpod.oval:def:35356
This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting the command line information for every process will be logged in ...

oval:org.secpod.oval:def:35353
This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. If you enable this policy setting, you can define ad ...

oval:org.secpod.oval:def:35351
This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time ...

oval:org.secpod.oval:def:35108
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. If you disable this policy settin ...

oval:org.secpod.oval:def:35109
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. If you enable this policy setting, only those users whose security descriptor matches the configured spec ...

oval:org.secpod.oval:def:35106
This policy setting configures behavior of samples submission when opt-in for MAPS telemetry is set. Possible options are: (0x0) Always prompt (0x1) Send safe samples automatically (0x2) Never send (0x2) Send all samples automatically

oval:org.secpod.oval:def:35348
This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable ...

oval:org.secpod.oval:def:35107
This policy setting allows you to define the number of consecutive scheduled scans that can be missed after which a catch-up scan will be forced. By default, the value of this setting is 2 consecutive scheduled scans. If you enable this setting, a catch-up scan will occur after the specified ...

oval:org.secpod.oval:def:35349
This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedul ...

oval:org.secpod.oval:def:38614
When you shutdown a PC with Fast Startup turned on, Windows saves the current system state and the contents of memory to a file called hiberfil.sys and then it shuts down the computer. Later, when you turn on the computer, rather than performing a full load of the entire system, Windows reads only t ...

oval:org.secpod.oval:def:35104
Allows or denies development of Windows Store applications and installing them directly from an IDE. If you enable this setting and enable the "Allow all trusted apps to install" Group Policy, you can develop Windows Store apps and install them directly from an IDE. If y ...

oval:org.secpod.oval:def:35347
This policy setting configures whether or not locations on removable drives can be added to libraries. If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed. If you disable or do not ...

oval:org.secpod.oval:def:35344
This policy setting configures a local override for the configuration of network protection against exploits of known vulnerabilities. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable o ...

oval:org.secpod.oval:def:35345
This policy setting customize which remediation action will be taken for each listed Threat ID when it is detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid Threat ID, while the value contains t ...

oval:org.secpod.oval:def:35342
When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. Microsoft recommends disabling WDigest authentication unless it is needed. If this setting is not configured, WDigest authentication is disabled in Windo ...

oval:org.secpod.oval:def:35343
This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. If you enable this policy setting, the advertising ID is turned off. Apps can't use the ID for experiences across apps. If you disable or do not configure this policy setting, use ...

oval:org.secpod.oval:def:35341
Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log.

oval:org.secpod.oval:def:35339
Enable LSA protection. For more information, see http://technet.microsoft.com/en-us/library/dn408187.aspx

oval:org.secpod.oval:def:35337
This policy setting allows you to customize which automatic remediation action will be taken for each threat alert level.Threat alert levels should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a threat alert level. The value contains t ...

oval:org.secpod.oval:def:35513
This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include: - 4715: The audit policy (SACL) on an object was changed. - 4719: System audit policy was changed. - 4902: The Per-user audit policy table was created. - 4904: An attempt ...

oval:org.secpod.oval:def:35174
The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer. The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a use ...

oval:org.secpod.oval:def:35170
A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices. If you enable this policy setting, only devices with a usable TPM provision Microsoft Passport for Work. If you disable this policy setting, all ...

oval:org.secpod.oval:def:35177
This policy setting allows you to specify the day of the week on which to check for definition updates. The check can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: (0x0) Every Day (default) (0x1) Sunda ...

oval:org.secpod.oval:def:35175
This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (O ...

oval:org.secpod.oval:def:35176
This policy setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources. For example: "{\\unc1 | \\unc2 }" ...

oval:org.secpod.oval:def:35160
This policy setting allows you to configure the display of the password reveal button in password entry user experiences. If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box. If you disable or do not ...

oval:org.secpod.oval:def:35161
This policy setting determines which subsystems are used to support applications in your environment. Note: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on th ...

oval:org.secpod.oval:def:35166
This policy setting allows you to define the order in which different definition update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources in order. Possible values are: "InternalDefinitionUpdateServer", "Micr ...

oval:org.secpod.oval:def:35164
This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttling of CPU utilization. The default value is 50. ...

oval:org.secpod.oval:def:35165
This policy setting allows you to manage whether a check for new virus and spyware definitions will occur immediately after service startup. If you enable this setting, a check for new definitions will occur after service startup. If you disable this setting or do not configure this setting, ...

oval:org.secpod.oval:def:35151
Enables management of password for local administrator account If you enable this setting, local administrator password is managed If you disable or not configure this setting, local administrator password is NOT managed

oval:org.secpod.oval:def:36483
Specifies the Start layout for users. This setting lets you specify the Start layout for users and prevents them from changing its configuration. The Start layout you specify must be stored in an XML file that was generated by the Export-StartLayout PowerShell cmdlet. To use this settin ...

oval:org.secpod.oval:def:35394
Use this option to specify the size limit of the file in which Windows Firewall will write its log information.

oval:org.secpod.oval:def:35152
This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. If you disable or do not configure this policy setting, KMS client activation dat ...

oval:org.secpod.oval:def:36482
This policy setting allows you to prevent Search, Share, Start, Devices, and Settings from appearing when the mouse is pointing to the upper-right corner of the screen. If you enable this policy setting, Search, Share, Start, Devices, and Settings will no longer appear when the mouse is poi ...

oval:org.secpod.oval:def:36481
This policy setting allows you to remove Security and Maintenance from the system control area. If you enable this policy setting, the Security and Maintenance icon is not displayed in the system notification area. If you disable or do not configure this policy setting, the Securit ...

oval:org.secpod.oval:def:35150
This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. If you e ...

oval:org.secpod.oval:def:35390
This policy setting prevents connected users from being enumerated on domain-joined computers. If you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers. If you disable or do not configure this policy setting, connected users will be e ...

oval:org.secpod.oval:def:35399
This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0. If you enable this setting, archive files will be scanned to the directory depth level specified. ...

oval:org.secpod.oval:def:35397
This policy setting allows you to configure monitoring for incoming and outgoing files, without having to turn off monitoring entirely. It is recommended for use on servers where there is a lot of incoming and outgoing file activity but for performance reasons need to have scanning disabled for a pa ...

oval:org.secpod.oval:def:35398
This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not c ...

oval:org.secpod.oval:def:35153
This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. If you enable this policy setting, Windows PowerShell will enable transcription for Windows PowerShell, the Windows PowerShell ISE, and any other applications ...

oval:org.secpod.oval:def:35395
This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: * Users can't access OneDrive from the OneDrive app and file picker. * Windows Store apps can't access OneDrive using the WinRT API. * OneDrive doesn't appea ...

oval:org.secpod.oval:def:35154
MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments)

oval:org.secpod.oval:def:35396
This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware definitions are disabled. It is recommended that this setting remain disabled. If you enable this setting, the antimalware service will always remain running even if ...

oval:org.secpod.oval:def:35383
This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly ...

oval:org.secpod.oval:def:36470
This policy setting disables the Windows registry editors Regedit.exe and Regedt32.exe. Counter Measure: Enable this setting. Potential Impact: If you enable this policy setting, a message will display when users try to use a registry editor that informs the ...

oval:org.secpod.oval:def:35380
This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use. If you enable or do not configure this setting, scheduled scans will only run when the computer is on but not in use. If you disable this setting, scheduled scans will run at th ...

oval:org.secpod.oval:def:35381
If you enable this policy, a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the login screen for at least two days. The restart timer can be configured to start with any value from 15 to 180 minutes. When the timer ...

oval:org.secpod.oval:def:35148
This policy setting determines how the SMB server selects a cipher suite when negotiating a new connection with an SMB client. If you enable this policy setting, the SMB server will select the cipher suite it most prefers from the list of client-supported cipher suites, ignoring the client's pre ...

oval:org.secpod.oval:def:35149
Microsoft Passport for Work is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards. If you enable or do not configure this policy setting, the device provisions Microsoft Pas ...

oval:org.secpod.oval:def:35146
Enables or disables the automatic download of app updates on PCs running Windows 8. If you enable this setting, the automatic download of app updates is turned off. If you disable this setting, the automatic download of app updates is turned on. If you don't configure this setting, the a ...

oval:org.secpod.oval:def:35147
This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages.

oval:org.secpod.oval:def:35386
This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for definition updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the following settings will be used (in order): 1. Internet Ex ...

oval:org.secpod.oval:def:35144
This setting specifies the number of past PINs that can be associated to a user account that can't be reused. This policy enables administrators to enhance security by ensuring that old PINs are not reused continually. PIN history is not preserved through PIN reset. The value must be between 0 t ...

oval:org.secpod.oval:def:35142
This setting lets you decide whether an employee's LocalHost IP address shows while making phone calls using the WebRTC protocol. Turning this setting on hides an employee's LocalHost IP address while making phone calls using WebRTC. Turning this setting off, or not configuring it, shows an ...

oval:org.secpod.oval:def:35384
This policy setting defines threats which will be excluded from detection during network traffic inspection. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a Threat ID. As an example, a T ...

oval:org.secpod.oval:def:35143
This policy setting specifies what happens when Microsoft Edge opens a new tab. By default, a new tab page appears. If you disable this policy setting, Microsoft Edge opens a new, empty tab. Employees can't change this option. If you enable or don't configure this policy settin ...

oval:org.secpod.oval:def:35194
Enable auditing of Lsass.exe to evaluate feasibility of enabling LSA protection. For more information, see http://technet.microsoft.com/en-us/library/dn408187.aspx

oval:org.secpod.oval:def:35192
This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Win ...

oval:org.secpod.oval:def:35199
This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a max ...

oval:org.secpod.oval:def:35197
Prevent the "AppSync" group from syncing to and from this PC. This turns off and disables the "AppSync" group on the "sync your settings" page in PC settings. If you enable this policy setting, the "AppSync" group will not be synced. Use the option "Allow users to turn app syncing on" so th ...

oval:org.secpod.oval:def:35180
This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists such as threats and Exclusions. If you enable or do not configure this setting, unique items defined in Group Policy and in p ...

oval:org.secpod.oval:def:35181
This policy setting allows you to define the number of days after which a catch-up definition update will be required. By default, the value of this setting is 1 day. If you enable this setting, a catch-up definition update will occur after the specified number of days. If you disable or do ...

oval:org.secpod.oval:def:35188
This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. If you enable or do not configure this policy setting, the device securely saves the user's credentials (including the user name, domain and encrypted pass ...

oval:org.secpod.oval:def:35189
Use this option to specify the path and name of the file in which Windows Firewall will write its log information.

oval:org.secpod.oval:def:35186
This policy setting allows pinning apps to Start by default, when they are included by AppID on the list.

oval:org.secpod.oval:def:35187
This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the f ...

oval:org.secpod.oval:def:35456
This setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge. Turning this setting on automatically opens all intranet sites using Internet Explorer 11. Turn ...

oval:org.secpod.oval:def:35214
Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log.

oval:org.secpod.oval:def:35457
This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. Turning this setting on, or not configuring it, lets your employees see search suggestions in the Address bar. Turning this setting off stops employees from seeing search suggestions i ...

oval:org.secpod.oval:def:35454
This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. Turning this setting on lets your employees send Do Not Track headers. Turning this setting off, or not configuring it, stops your employees from sending Do Not Track headers.

oval:org.secpod.oval:def:35453
This setting lets you decide whether to turn on SmartScreen Filter. SmartScreen Filter provides warning messages to help protect your employees from potential phishing scams and malicious software. Turning this setting on, or not configuring it, turns on SmartScreen Filter. Turning this sett ...

oval:org.secpod.oval:def:35450
This setting lets you decide whether employees can save their passwords locally, using Password Manager. Turning this setting on, or not configuring it, lets your employees use Password Manager. Turning this setting off stops your employees from using Password Manager.

oval:org.secpod.oval:def:35451
This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer configuration\Administrative ...

oval:org.secpod.oval:def:35207
This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned. If you enable this setting, downloaded files and attachments smaller than the size specified will be scanned. If you disable or do not configure this setting, a default size ...

oval:org.secpod.oval:def:35449
This policy setting determines whether enhanced anti-spoofing is configured for devices which support it. If you do not configure this policy setting, users will be able to choose whether or not to use enhanced anti-spoofing on supported devices. If you enable this policy setting, Windows wi ...

oval:org.secpod.oval:def:35206
This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware which could start when real-time protection is turned off. If you enable or do not configure this setting, a process scan will be initiated when real-time protection ...

oval:org.secpod.oval:def:35203
This policy setting allows you to specify an interval at which to check for definition updates. The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day). If you enable this setting, checks for definition updates will ...

oval:org.secpod.oval:def:35204
This policy setting allows you to configure the automatic scan which starts after a definition update has occurred. If you enable or do not configure this setting, a scan will start following a definition update. If you disable this setting, a scan will not start following a definition updat ...

oval:org.secpod.oval:def:35201
This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type options are: 1 = Quick Scan (default) 2 = Full Scan If you enable this setting, the scan type will be set to the specified value. If you disable or do not configure this setting, the def ...

oval:org.secpod.oval:def:36531
This policy setting allows you to manage whether Windows marks file attachments from Internet Explorer or Microsoft Outlook Express with information about their zone of origin (such as restricted, Internet, intranet, or local). This policy setting requires that files be downloaded to NTFS disk parti ...

oval:org.secpod.oval:def:35200
This policy, if defined, will prevent network protection against exploits of known vulnerabilities from inspecting the specified IP addresses. IP addresses should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representa ...

oval:org.secpod.oval:def:36530
Denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. If you disable or do not configure this setting, access to the Store application is allowed. Counter Measure: Configure this setting dependi ...

oval:org.secpod.oval:def:36528
This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments. Typically, users can either click the Unblock button in the file's Property sheet or select a check box in the Security Warning dialog. If the zone information is removed, use ...

oval:org.secpod.oval:def:36523
This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. If you enable or do not configure this ...

oval:org.secpod.oval:def:36522
This policy setting allows the Apps view to be opened by default when the user goes to Start. If you enable this policy setting, the Apps view will appear whenever the user goes to Start. Users will still be able to switch between the Apps view and the Start screen. If you disable ...

oval:org.secpod.oval:def:35432
This policy setting allows you to configure whether or not to display notifications to clients when they need to perform the following actions: Run a full scan Download the latest virus and spyware definitions Download Standalone System Sweeper If you enable or do not configure ...

oval:org.secpod.oval:def:36521
This policy setting allows the Start screen to appear on the display the user is using when they press the Windows logo key. This setting only applies to users who are using multiple displays. If you enable this policy setting, the Start screen will appear on the display the user is using w ...

oval:org.secpod.oval:def:35433
If you enable this policy setting, users are required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism. This means that before entering account and password information to authorize an elevation request, a user first need to press CTRL+ALT+DEL.

oval:org.secpod.oval:def:36520
This policy setting prevents the user from searching apps, files, settings (and the web if enabled) when the user searches from the Apps view. This policy setting is only applied when the Apps view is set as the default view for Start. If you enable this policy setting, searching f ...

oval:org.secpod.oval:def:36519
This policy setting allows you to prevent users from changing their Start screen layout. If you enable this setting, you will prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the customize mode and rearranging tiles within Start a ...

oval:org.secpod.oval:def:35429
Set the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. If you enable this setting, set the amount of seconds you want the system to wait until a reboot. If you disable or do not configure this setting, ...

oval:org.secpod.oval:def:36518
This policy setting allows pinning apps to Start by default, when they are included by AppID on the list. Counter Measure: Configure this setting depending on your organization's requirements. Potential Impact: Apps are not automatically pinned to Start. ...

oval:org.secpod.oval:def:36517
This policy setting allows desktop apps to be listed first in the Apps view in Start. If you enable this policy setting, desktop apps would be listed first when the apps are sorted by category in the Apps view. The other sorting options would continue to be available and the user could choo ...

oval:org.secpod.oval:def:35427
This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, ...

oval:org.secpod.oval:def:35428
This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting. If you enable this setting, network files will be scanned. If you disable or do not configure this setting, network files will not be scanned.

oval:org.secpod.oval:def:36516
This policy setting allows you to prevent users from replacing the Command Prompt with Windows PowerShell in the menu they see when they right-click the lower-left corner or press the Windows logo key + X. If you enable this policy setting, the Command Prompt will always be listed in that m ...

oval:org.secpod.oval:def:35425
This policy setting allows you to control the SafeSearch setting used when performing a query in Search. If you enable this policy setting, you can specify one of three SafeSearch settings, which users won't be able to change: -Strict: Filter out adult text, images, and videos from sear ...

oval:org.secpod.oval:def:36515
This policy setting allows you to prevent the last app and the list of recent apps from appearing when the mouse is pointing to the upper-left corner of the screen. If you enable this policy setting, the user will no longer be able to switch to recent apps using the mouse. The user will st ...

oval:org.secpod.oval:def:35426
This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Po ...

oval:org.secpod.oval:def:36514
Disables help tips that Windows shows to the user. By default, Windows will show the user help tips until the user has successfully completed the scenarios. If this setting is enabled, Windows will not show any help tips to the user. Counter Measure: Configure ...

oval:org.secpod.oval:def:35424
Enter "0" to disable Logon Script Delay. This policy setting allows you to configure how long the Group Policy client waits after logon before running scripts. By default, the Group Policy client waits five minutes before running logon scripts. This helps create a r ...

oval:org.secpod.oval:def:35418
This policy setting allows encrypted items to be indexed. If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting, the search service components (including non-Microsoft components) are expe ...

oval:org.secpod.oval:def:35251
When running in restricted mode, participating apps do not expose credentials to remote computers (regardless of the delegation method). Restricted mode may limit access to resources located on other servers or networks beyond the target computer because credentials are not delegated. Participat ...

oval:org.secpod.oval:def:35258
This policy setting determines which users or groups might access DCOM application remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications. You can use this policy setting to specify access permissions to all the computers to particular user ...

oval:org.secpod.oval:def:35014
This policy setting allows you to configure IP Stateless Autoconfiguration Limits. If you enable or do not configure this policy setting, IP Stateless Autoconfiguration Limits will be enabled and system will limit the number of autoconfigured addresses and routes. If you disable this policy ...

oval:org.secpod.oval:def:35256
This policy setting allows you to manage whether or not end users can pause a scan in progress. If you enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan. If you disable this setting, users will not be able to pau ...

oval:org.secpod.oval:def:35257
This policy setting allows you to enable download of definition updates from Microsoft Update even if the Automatic Updates default server is configured to another download source such as Windows Update. If you enable this setting, definition updates will be downloaded from Microsoft Update. ...

oval:org.secpod.oval:def:35015
Specifies whether "Events.asp" hyperlinks are available for events within the Event Viewer application. The Event Viewer normally makes all HTTP(S) URLs into hot links that activate the Internet browser when clicked. In addition, "More Information" is placed at the end of the description text if ...

oval:org.secpod.oval:def:35254
This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval quick scans will not occur. By default, this setting ...

oval:org.secpod.oval:def:35252
This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. If you enable or do not configure this setting, archive files will be scanned. If you disable this setting, archive files will not be scanned.

oval:org.secpod.oval:def:35011
This policy setting allows you to control whether a domain user can sign in using a picture password. If you enable this policy setting, a domain user can't set up or sign in with a picture password. If you disable or don't configure this policy setting, a domain user can set up and use a p ...

oval:org.secpod.oval:def:35253
This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Po ...

oval:org.secpod.oval:def:35009
This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance. If you enable or do not configure this setting, the antimalware service will load as a normal priority task. If you disa ...

oval:org.secpod.oval:def:35249
This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled definition update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent mu ...

oval:org.secpod.oval:def:35008
Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log.

oval:org.secpod.oval:def:35247
This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or d ...

oval:org.secpod.oval:def:35245
This policy setting allows you to configure behavior monitoring. If you enable or do not configure this setting, behavior monitoring will be enabled. If you disable this setting, behavior monitoring will be disabled.

oval:org.secpod.oval:def:35246
This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not co ...

oval:org.secpod.oval:def:35004
This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages.

oval:org.secpod.oval:def:35239
This policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled. If you enable or do not configure this setting, packed executables will be scanned. If you disable this setting, packed executables will not be scanned.

oval:org.secpod.oval:def:35236
This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. If you enable or do not configure this polic ...

oval:org.secpod.oval:def:35237
This policy configures Windows software trace preprocessor (WPP Software Tracing) components.

oval:org.secpod.oval:def:35234
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store. Enabling this ...

oval:org.secpod.oval:def:35235
This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Gr ...

oval:org.secpod.oval:def:35233
This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabl ...

oval:org.secpod.oval:def:36562
This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. If you enable this policy setting, Windows PowerShell will enable transcription for Windows PowerShell, the Windows PowerShell ISE, and any other applications that l ...

oval:org.secpod.oval:def:36561
Enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. If you disable or do not configure this setting the Store application will offer updates to the ...

oval:org.secpod.oval:def:35229
If you enable (or do not configure) this policy setting, the Windows Biometric Service will be available, and users will be able to run applications that use biometrics on Windows. If you want to enable the ability to log on with biometrics, you must also configure the "Allow users to log on using b ...

oval:org.secpod.oval:def:35460
This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. Turning this setting on, or not configuring it, lets employees use Autofill in form fields. Turning this setting off stops employees from using Autofill in form fi ...

oval:org.secpod.oval:def:35226
This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to se ...

oval:org.secpod.oval:def:35223
Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later.

oval:org.secpod.oval:def:35465
Use this policy setting to configure the use of uppercase letters in the Microsoft Passport for PIN. If you enable this policy setting, Microsoft Passport for Work requires users to include at least one uppercase letter in their PIN. If you disable or do not configure this policy setting, Mi ...

oval:org.secpod.oval:def:35466
Enable this policy in order to defer upgrades for up to eight months. You can also choose to delay updates for up to one month. If you do not delay updates, your PC will remain up to date with security updates as they become available. If an issue arises with an update or upgrade, selec ...

oval:org.secpod.oval:def:35221
This policy setting allows you to configure Group Policy caching behavior. If you enable or do not configure this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. ...

oval:org.secpod.oval:def:35463
Use this policy setting to configure the use of lowercase letters in the Microsoft Passport for PIN. If you enable this policy setting, Microsoft Passport for Work requires users to include at least one lowercase letter in their PIN. If you disable or do not configure this policy setting, Mi ...

oval:org.secpod.oval:def:35464
Use this policy setting to configure the use of special characters in the Microsoft Passport for PIN. Allowable special characters are: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~ . If you enable this policy setting, Microsoft Passport for Work requires users to include at l ...

oval:org.secpod.oval:def:35461
This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. Turning this setting on lets Microsoft Edge look for the Enterprise Mode Site List XML file. This file includes the sites and ...

oval:org.secpod.oval:def:35220
This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages.

oval:org.secpod.oval:def:35462
Use this policy setting to configure the use of digits in the Microsoft Passport for PIN. If you enable or do not configure this policy setting, Microsoft Passport for Work requires users to include at least one uppercase letter in their PIN. If you disable this policy setting, Microsoft Pas ...

oval:org.secpod.oval:def:35218
This policy setting allows you to configure a domain controller to request compound authentication. Note: For a domain controller to request compound authentication, the policy "KDC support for claims, compound authentication, and Kerberos armoring" must be configured and enabled. If you en ...

oval:org.secpod.oval:def:35219
This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: (0x0) Every Day (0x1) Sunday (0x2) Mo ...

oval:org.secpod.oval:def:35458
This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. Turning this setting on, or not configuring it, turns on the Pop-up Blocker, which stops pop-ups from appearing. Turning this setting off turns off Pop-up Blocker and l ...

oval:org.secpod.oval:def:35459
This setting lets you configure how your company deals with cookies. Turning this setting on lets you decide to: Allow all cookies (default). Allows all cookies from all websites. Block only 3rd-party cookies. Blocks only cookies from 3rd-party websites. Block all cookies. Blocks all ...

oval:org.secpod.oval:def:35217
This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system is not vul ...

oval:org.secpod.oval:def:34994
Use this option to specify the size limit of the file in which Windows Firewall will write its log information.

oval:org.secpod.oval:def:34991
Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log.

oval:org.secpod.oval:def:34986
This policy setting allows you to specify the search server that Windows uses to find updates for device drivers. If you enable this policy setting, you can select whether Windows searches Windows Update (WU), searches a Managed Server, or a combination of both. Note that if both are specifi ...

oval:org.secpod.oval:def:34977
This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block ...

oval:org.secpod.oval:def:34974
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this policy setting, ...

oval:org.secpod.oval:def:35413
Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log.

oval:org.secpod.oval:def:35410
This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Pol ...

oval:org.secpod.oval:def:35411
This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there is a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scanning could be slowed. Reparse point scanning is disabled by d ...

oval:org.secpod.oval:def:35409
This policy setting allows you to configure Group Policy caching behavior on Windows Server machines. If you enable this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within th ...

oval:org.secpod.oval:def:35406
This policy setting allows you to configure scanning for all downloaded files and attachments. If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. If you disable this setting, scanning for all downloaded files and attachments wil ...

oval:org.secpod.oval:def:35404
This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation. The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values: (0x0) Ev ...

oval:org.secpod.oval:def:35401
This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. If you enable this setting, items will be removed from the Quarantine folder after the number of days specified. If you disable or do not configure this setting, items will be k ...

oval:org.secpod.oval:def:35402
This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). Tracing levels are defined as: 1 - Error 2 - Warning 3 - Info 4 - Debug

oval:org.secpod.oval:def:35400
This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed. By default, the valu ...

oval:org.secpod.oval:def:36488
This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password co ...

oval:org.secpod.oval:def:36526
This security setting determines if the Guest account is enabled or disabled. Default: Disabled. Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microso ...

oval:org.secpod.oval:def:36557
This security setting determines whether a different account name is associated with the security identifier (SID) for the account &amp;quot;Guest.&amp;quot; Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combinati ...

oval:org.secpod.oval:def:36492
This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time ...

oval:org.secpod.oval:def:36490
This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users. For information about how to ...

oval:org.secpod.oval:def:36529
This security setting determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. Default: Guest Counter Measure: Assign the Deny access ...

oval:org.secpod.oval:def:36493
This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other user ...

oval:org.secpod.oval:def:36491
This privilege determines if the user can create a symbolic link from the computer he is logged on to. Default: Administrator WARNING: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren&amp;apos;t designed to handle th ...

oval:org.secpod.oval:def:36497
This security setting allows a user to be logged on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows. For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an ...

oval:org.secpod.oval:def:36496
This user right determines which users and groups can change the time zone used by the computer for displaying the local time, which is the computer&amp;apos;s system time plus the time zone offset. System time itself is absolute and is not affected by a change in the time zone. This user right is ...

oval:org.secpod.oval:def:36480
This security setting determines whether a user can undock a portable computer from its docking station without logging on. If this policy is enabled, the user must log on before removing the portable computer from its docking station. If this policy is disabled, the user may remove the portable co ...

oval:org.secpod.oval:def:36489
This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. This user right is defined in the Default Domain Co ...

oval:org.secpod.oval:def:36486
This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right. Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default on workstations and ser ...

oval:org.secpod.oval:def:36485
This security setting determines which users can use performance monitoring tools to monitor the performance of system processes. Default: Administrators. Counter Measure: Ensure that only the local Administrators group is assigned the Profile system performance user right. Potential Impact: ...

oval:org.secpod.oval:def:36477
This security setting determines whether the local Administrator account is enabled or disabled. Notes If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In ...

oval:org.secpod.oval:def:36474
This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users saved credentials might be compromised if this privilege is given to other entities. Counter Measure: Configure this user right so that no account ...

oval:org.secpod.oval:def:36546
This security setting determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. On x86-based computers, the only firmware environment value that can ...

oval:org.secpod.oval:def:36545
This security setting determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. Defau ...

oval:org.secpod.oval:def:36543
This security setting determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is sim ...

oval:org.secpod.oval:def:36542
This security setting determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution Assigning this user right can be a security risk. Since owners of objects have full ...

oval:org.secpod.oval:def:36541
This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service. Default on Workstations: Administrators, Backup Operators, Users. Default on Servers: ...

oval:org.secpod.oval:def:36540
This security setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another. An example of a process that uses this user right is Task Scheduler. For information about Task Scheduler, see Task Scheduler overvie ...

oval:org.secpod.oval:def:36533
This privilege determines which user accounts can increase or decrease the size of a process&amp;apos;s working set. Default: Users The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an applic ...

oval:org.secpod.oval:def:36527
Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a serv ...

oval:org.secpod.oval:def:36512
This security setting determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access mem ...

oval:org.secpod.oval:def:36508
This security setting determines which users and groups are prohibited from logging on as a Remote Desktop Services client. Default: None. Important This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2. Counter Measure: Assign the Deny ...

oval:org.secpod.oval:def:36507
This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kerne ...

oval:org.secpod.oval:def:36506
This security setting determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operat ...

oval:org.secpod.oval:def:36505
This security setting determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or unde ...

oval:org.secpod.oval:def:36559
Determines which users can log on to the computer. Important Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (http://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft websit ...

oval:org.secpod.oval:def:36558
This privilege determines who can change the maximum memory that can be consumed by a process. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. Note: This privilege is useful for system tuning, but i ...

oval:org.secpod.oval:def:36552
This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are ...

oval:org.secpod.oval:def:36550
This security setting determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causi ...

oval:org.secpod.oval:def:36549
This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies. Important If you apply this security policy to the Everyone group, no one will be able to lo ...

oval:org.secpod.oval:def:36502
This policy setting allows accounts to launch network services or to register a process as a service running on the system. This user right should be restricted on any computer in a high security environment, but because many applications may require this privilege, it should be carefully evaluated ...

oval:org.secpod.oval:def:36494
This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user ri ...

oval:org.secpod.oval:def:36499
This security setting determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy ...

oval:org.secpod.oval:def:36479
This security setting determines which users or groups have permission to log on as a Remote Desktop Services client. Default: On workstation and servers: Administrators, Remote Desktop Users. On domain controllers: Administrators. Important This setting does not have any effect on Windows 2000 ...

oval:org.secpod.oval:def:36478
This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies. Note: This security setting does not apply to the System, Local Service, or ...

oval:org.secpod.oval:def:36539
This security setting determines which users can use performance monitoring tools to monitor the performance of non system processes. Default: Administrators, Power users. Counter Measure: Ensure that only the local Administrators group is assigned the Profile single process user right. Pote ...

oval:org.secpod.oval:def:36536
This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. Default: Non ...

oval:org.secpod.oval:def:36534
This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution Assigning this user right can be a ...

oval:org.secpod.oval:def:36560
This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders ...

oval:org.secpod.oval:def:36556
This security setting determines which accounts are prevented from being able to log on as a batch job. This policy setting supersedes the Log on as a batch job policy setting if a user account is subject to both policies. Default: None Counter Measure: Assign the Deny log on as a batch job u ...

oval:org.secpod.oval:def:36553
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separ ...

oval:org.secpod.oval:def:36548
This security setting determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. For such auditing to be ena ...

oval:org.secpod.oval:def:36535
This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If ...

oval:org.secpod.oval:def:36554
This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less ...

oval:org.secpod.oval:def:36555
This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator exp ...

oval:org.secpod.oval:def:35479
This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audit ...

CPE    1
cpe:/o:microsoft:windows_10
CCE    653
CCE-44430-7
CCE-42514-0
CCE-42295-6
CCE-43218-7
...
*XCCDF
xccdf_org.secpod_benchmark_general_Windows_10

© 2013 SecPod Technologies