oval:org.secpod.oval:def:8738 The User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop setting should be configured correctly. This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevat ...
oval:org.secpod.oval:def:8836 The Network security: LAN Manager authentication level setting should be configured correctly. LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sh ...
oval:org.secpod.oval:def:8782 The User Account Control: Detect application installations and prompt for elevation setting should be configured correctly. This policy setting controls the behavior of application installation detection for the computer. The options are: * Enabled: (Default for home) When an application installati ...
oval:org.secpod.oval:def:8790 The Network security: Allow Local System to use computer identity for NTLM setting should be configured correctly. This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. This policy is supported on at least Windows 7 o ...
oval:org.secpod.oval:def:8762 The User Account Control: Run all administrators in Admin Approval Mode setting should be configured correctly. This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The option ...
oval:org.secpod.oval:def:8898 The Maximum Log Size (KB) machine setting should be configured correctly for the setup log. Maximum size (in bytes) of setup log. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Setup\Maximum Log Size (KB) (2) KEY: HKLM\SOFTWARE\Policies\Mi ...
oval:org.secpod.oval:def:8777 The Domain member: Disable machine account password changes setting should be configured correctly. This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its ...
oval:org.secpod.oval:def:8736 The Audit: Audit the access of global system objects setting should be configured correctly. This policy setting creates a default system access control list (SACL) for system objects such as mutexes (mutual exclusive), events, semaphores, and MS-DOS devices, and causes access to these system objec ...
oval:org.secpod.oval:def:8806 The Restrictions for Unauthenticated RPC clients machine setting should be configured correctly. If you enable this setting, it directs the RPC Runtime on an RPC server to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticat ...
oval:org.secpod.oval:def:8774 The MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) setting should be configured correctly. The registry value entry PerformRouterDiscovery was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\T ...
oval:org.secpod.oval:def:8878 The Enumerate administrator accounts on elevation machine setting should be configured correctly. By default administrator accounts are not displayed when attempting to elevate a running application. If you enable this policy setting, all local administrator accounts on the machine will be displaye ...
oval:org.secpod.oval:def:8907 The Do not allow passwords to be saved machine setting should be configured correctly. Controls whether passwords can be saved on this computer from Remote Desktop Connection. If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no lon ...
oval:org.secpod.oval:def:8926 The Accounts: Limit local account use of blank passwords to console logon only setting should be configured correctly. This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable t ...
oval:org.secpod.oval:def:8899 The Solicited Remote Assistance machine setting should be configured correctly. This policy setting allows you to enable or disable Solicited (Ask for) Remote Assistance on this computer. If you enable this policy, users on this computer can use e-mail or file transfer to ask someone for help. Also ...
oval:org.secpod.oval:def:8877 The Default behavior for AutoRun machine setting should be configured correctly. Sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing an ...
oval:org.secpod.oval:def:8858 The Maximum Log Size (KB) machine setting should be configured correctly for the system log. This policy requires Windows Vista or later versions of Windows. This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum ...
oval:org.secpod.oval:def:8757 The MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers setting should be configured correctly. The registry value entry NoNameReleaseOnDemand was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ ...
oval:org.secpod.oval:def:8895 The Set client connection encryption level machine setting should be configured correctly. Specifies whether to require the use of a specific encryption level to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. If you enable this se ...
oval:org.secpod.oval:def:8866 The Always prompt for password upon connection machine setting should be configured correctly. Specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, e ...
oval:org.secpod.oval:def:8780 The System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting should be configured correctly. This policy setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA ci ...
oval:org.secpod.oval:def:8885 The Turn off the Publish to Web task for files and folders machine setting should be configured correctly. Specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web, are available from File and Folder Tasks in Windows folders ...
oval:org.secpod.oval:def:8766 The RPC Endpoint Mapper Client Authentication machine setting should be configured correctly. Enabling this setting directs RPC Clients that need to communicate with the Endpoint Mapper Service to authenticate as long as the RPC call for which the endpoint needs to be resolved has authentication in ...
oval:org.secpod.oval:def:8747 The Interactive logon: Smart card removal behavior setting should be configured correctly. This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are: * No Action * Lock Workstation * Force Logoff * Disconnect if a r ...
oval:org.secpod.oval:def:8894 The Require a Password When a Computer Wakes (Plugged In) machine setting should be configured correctly. Specifies whether or not the user is prompted for a password when the system resumes from sleep. If you enable this policy, or if it is not configured, the user is prompted for a password when ...
oval:org.secpod.oval:def:8897 The Do not allow drive redirection machine setting should be configured correctly. Specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection. Mapped drive ...
oval:org.secpod.oval:def:8818 The User Account Control: Only elevate executables that are signed and validated setting should be configured correctly. This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can ...
oval:org.secpod.oval:def:8710 The MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic. setting should be configured correctly. The registry value entry NoDefaultExempt was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\ registry key. The entry ...
oval:org.secpod.oval:def:8908 The Turn off the Windows Messenger Customer Experience Improvement Program machine setting should be configured correctly. Specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. With the Customer Experience Improvement program, u ...
oval:org.secpod.oval:def:8723 The Network access: Do not allow storage of passwords and credentials for network authentication setting should be configured correctly. This policy setting determines whether the Stored User Names and Passwords feature may save passwords or credentials for later use when it gains domain authentica ...
oval:org.secpod.oval:def:8737 The MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes setting should be configured correctly. The registry value entry EnableICMPRedirect was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. T ...
oval:org.secpod.oval:def:8769 The MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) setting should be configured correctly. The registry value entry AutoAdminLogon was added to the template file in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ registry key. The entry appears as ...
oval:org.secpod.oval:def:8850 The Set time limit for disconnected sessions machine setting should be configured correctly. This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session ...
oval:org.secpod.oval:def:8809 The Turn off Search Companion content file updates machine setting should be configured correctly. Specifies whether Search Companion should automatically download content updates during local and Internet searches. When the user searches the local machine or the Internet, Search Companion occasion ...
oval:org.secpod.oval:def:8792 The Network access: Sharing and security model for local accounts setting should be configured correctly. This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign ...
oval:org.secpod.oval:def:8823 The MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) setting should be configured correctly. The registry value entry TCPMaxDataRetransmissions was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Serv ...
oval:org.secpod.oval:def:8892 The Offer Remote Assistance machine setting should be configured correctly. This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. If you enable this policy, users on this computer can get help from their corporate technical support staff using ...
oval:org.secpod.oval:def:8715 The User Account Control: Switch to the secure desktop when prompting for elevation setting should be configured correctly. This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: * Enabled: (Default) Al ...
oval:org.secpod.oval:def:8763 The Prevent the computer from joining a homegroup machine setting should be configured correctly. By default, users can add their computer to a homegroup on a home network. If you enable this policy setting, a user on this computer will not be able to add this computer to a homegroup. This setting ...
oval:org.secpod.oval:def:8746 The User Account Control: Only elevate UIAccess applications that are installed in secure locations setting should be configured correctly. This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure lo ...
oval:org.secpod.oval:def:8756 The Recovery console: Allow floppy copy and access to all drives and all folders setting should be configured correctly. This policy setting makes the Recovery Console SET command available, which allows you to set the following recovery console environment variables: * AllowWildCards. Enables wild ...
oval:org.secpod.oval:def:8731 The Shutdown: Allow system to be shut down without having to log on setting should be configured correctly. This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon scre ...
oval:org.secpod.oval:def:8915 The Require a Password When a Computer Wakes (On Battery) machine setting should be configured correctly. Specifies whether or not the user is prompted for a password when the system resumes from sleep. If you enable this policy, or if it is not configured, the user is prompted for a password when ...
oval:org.secpod.oval:def:8785 The MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) setting should be configured correctly. The registry value entry TCPMaxDataRetransmissions for IPv6 was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentCo ...
oval:org.secpod.oval:def:8819 The Interactive logon: Number of previous logons to cache (in case domain controller is not available) setting should be configured correctly. This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be ...
oval:org.secpod.oval:def:8855 The Maximum Log Size (KB) machine setting should be configured correctly for the application log. This policy requires Windows Vista or later versions of Windows. This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the ma ...
oval:org.secpod.oval:def:8803 The User Account Control: Virtualize file and registry write failures to per-user locations setting should be configured correctly. This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates application ...
oval:org.secpod.oval:def:8822 The Network access: Restrict anonymous access to Named Pipes and Shares setting should be configured correctly. When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network ...
oval:org.secpod.oval:def:8838 The Microsoft network server: Digitally sign communications (always) setting should be configured correctly. This policy setting determines if the server side SMB service is required to perform SMB packet signing. Enable this policy setting in a mixed environment to prevent downstream clients from ...
oval:org.secpod.oval:def:8927 The Devices: Prevent users from installing printer drivers setting should be configured correctly. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code o ...
oval:org.secpod.oval:def:8880 The Set time limit for active but idle Remote Desktop Services sessions machine setting should be configured correctly. This policy setting allows you to specify the maximum amount of time that an active Terminal Services session can be idle (without user input) before it is automatically disconnec ...
oval:org.secpod.oval:def:8768 The Deny access to this computer from the network user right should be assigned to the appropriate accounts. This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In high security environmen ...
oval:org.secpod.oval:def:8835 The Microsoft network server: Disconnect clients when logon hours expire setting should be configured correctly. This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. It affects the SMB component. If you ena ...
oval:org.secpod.oval:def:8844 The Maximum Log Size (KB) machine setting should be configured correctly for the security log. This policy requires Windows Vista or later versions of Windows. This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maxim ...
oval:org.secpod.oval:def:8797 The Network Security: Configure encryption types allowed for Kerberos setting should be configured correctly. Certain encryption types are no longer considered secure. This setting configures a minimum encryption type for Kerberos, preventing the use of the DES encryption suites. This policy is sup ...
oval:org.secpod.oval:def:8773 The Minimum password age setting should be configured correctly. The Minimum password age policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or ...
oval:org.secpod.oval:def:8842 The User Account Control: Admin Approval Mode for the Built-in Administrator account setting should be configured correctly. This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: * Enabled: The built-in Administrator account uses A ...
oval:org.secpod.oval:def:8729 The Recovery console: Allow automatic administrative logon setting should be configured correctly. The recovery console is a command-line environment that is used to recover from system problems. If you enable this policy setting, the administrator account is automatically logged on to the recovery ...
oval:org.secpod.oval:def:8861 The Allow remote access to the Plug and Play interface machine setting should be configured correctly. This policy setting allows you to allow or deny remote access to the Plug and Play interface. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Device Installation\Allow remot ...
oval:org.secpod.oval:def:8925 The Accounts: Guest account status setting should be configured correctly. This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system. Note that this setting will have no impact when applied to ...
oval:org.secpod.oval:def:18997 Windows Firewall should allow or block inbound connections by default as appropriate for the Domain Profile. This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow ...
oval:org.secpod.oval:def:7902 The Maximum password age setting should be configured correctly. This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for this polic ...
oval:org.secpod.oval:def:7899 This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon at ...
oval:org.secpod.oval:def:7897 The Enforce password history setting should be configured correctly. This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The ...
oval:org.secpod.oval:def:7901 The Password must meet complexity requirements policy should be set correctly. This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: * Not contain the users ...
oval:org.secpod.oval:def:18927 Windows Firewall should allow or block inbound connections by default as appropriate for the Private Profile. This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allo ...
oval:org.secpod.oval:def:7706 The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly. The registry value entry ScreenSaverGracePeriod was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\Winlo ...
oval:org.secpod.oval:def:18940 The Domain member: Digitally encrypt secure channel data (when possible) setting should be configured correctly. This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the dom ...
oval:org.secpod.oval:def:18960 The Retain old events machine setting should be configured correctly for the application log. This policy setting controls Event Log behavior when the log file reaches its maximum size. Old events may or may not be retained according to the Backup log automatically when full policy setting. Fix: ...
oval:org.secpod.oval:def:18962 The Windows Firewall: Private: Apply local connection security rules setting should be configured correctly. This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. Fix: (1) G ...
oval:org.secpod.oval:def:7900 The Minimum password length setting should be configured correctly. This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps pass phras ...
oval:org.secpod.oval:def:18928 The Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers setting should be configured correctly. This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. This policy is support ...
oval:org.secpod.oval:def:18942 The Deny log on through Remote Desktop Services user right should be assigned to the appropriate accounts. This policy setting determines whether users can log on as Terminal Services clients. After the baseline member server is joined to a domain environment, there is no need to use local accounts ...
oval:org.secpod.oval:def:8755 The Devices: Allowed to format and eject removable media setting should be configured correctly. This policy setting determines who is allowed to format and eject removable media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on anothe ...
oval:org.secpod.oval:def:8772 The Deny log on locally user right should be assigned to the appropriate accounts. This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies. Important: I ...
oval:org.secpod.oval:def:8841 The User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode setting should be configured correctly. This policy setting controls the behavior of the elevation prompt for administrators. The options are: * Elevate without prompting: Allows privileged accounts ...
oval:org.secpod.oval:def:8787 The User Account Control: Behavior of the elevation prompt for standard users setting should be configured correctly. This policy setting controls the behavior of the elevation prompt for standard users. The options are: * Prompt for credentials: When an operation requires elevation of privilege, t ...
oval:org.secpod.oval:def:8793 The Network security: Do not store LAN Manager hash value on next password change setting should be configured correctly. This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to a ...
oval:org.secpod.oval:def:8829 The Microsoft network client: Digitally sign communications (always) setting should be configured correctly. This policy setting determines whether packet signing is required by the SMB client component. If you enable this policy setting, the Microsoft network client computer cannot communicate wit ...
oval:org.secpod.oval:def:8716 The Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting should be configured correctly. This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy setti ...
oval:org.secpod.oval:def:8788 The Interactive logon: Do not require CTRL+ALT+DEL setting should be configured correctly. This policy setting determines whether users must press CTRL+ALT+DEL before they log on. If you enable this policy setting, users can log on without this key combination. If you disable this policy setting, u ...
oval:org.secpod.oval:def:8848 The Reset account lockout counter after setting should be configured correctly. This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset ti ...
oval:org.secpod.oval:def:19067 The Windows Firewall should be enabled or disabled as appropriate for the Private Profile. Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any ...
oval:org.secpod.oval:def:18901 The Windows Firewall: Domain: Apply local firewall rules setting should be configured correctly. This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Fix: (1) GPO: Computer Configuration\W ...
oval:org.secpod.oval:def:18806 The Windows Firewall should be enabled or disabled as appropriate for the Domain Profile. Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any ...
oval:org.secpod.oval:def:19478 The Reschedule Automatic Updates scheduled installations machine setting should be configured correctly. Specifies the amount of time for Automatic Updates to wait, following system startup, before proceeding with a scheduled installation that was missed previously. If the status is set to Enabled, ...
oval:org.secpod.oval:def:18878 The Manage auditing and security log user right should be assigned to the appropriate accounts. This policy setting determines which users can change the auditing options for files and directories and clear the Security log. When configuring a user right in the SCM enter a comma delimited list of a ...
oval:org.secpod.oval:def:19288 The No auto-restart with logged on users for scheduled automatic updates installations machine setting should be configured correctly. Specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing t ...
oval:org.secpod.oval:def:18749 The Windows Firewall: Public: Apply local firewall rules setting should be configured correctly. This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Fix: (1) GPO: Computer Configuration\W ...
oval:org.secpod.oval:def:18744 The Windows Firewall: Private: Apply local firewall rules setting should be configured correctly. This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Fix: (1) GPO: Computer Configuration\ ...
oval:org.secpod.oval:def:8804 The Domain member: Digitally encrypt or sign secure channel data (always) setting should be configured correctly. This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. If a system is set to always encrypt or sign secure ...
oval:org.secpod.oval:def:8751 The Network security: LDAP client signing requirements setting should be configured correctly. This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests, as follows: * None. The LDAP BIND request is issued with the caller-specified ...
oval:org.secpod.oval:def:8724 The Network access: Let Everyone permissions apply to anonymous users setting should be configured correctly. This policy setting determines what additional permissions are assigned for anonymous connections to the computer. If you enable this policy setting, anonymous Windows users are allowed to ...
oval:org.secpod.oval:def:8812 The Domain member: Maximum machine account password age setting should be configured correctly. This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interv ...
oval:org.secpod.oval:def:8760 The Interactive logon: Message text for users attempting to log on setting should be configured correctly. Microsoft recommends that you use this setting, if appropriate to your environment and your organization's business requirements, to help protect end user computers. This policy setting specifi ...
oval:org.secpod.oval:def:8711 The Network access: Do not allow anonymous enumeration of SAM accounts setting should be configured correctly. This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connec ...
oval:org.secpod.oval:def:8727 The Microsoft network server: Amount of idle time required before suspending session setting should be configured correctly. This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administr ...
oval:org.secpod.oval:def:8744 The Network access: Do not allow anonymous enumeration of SAM accounts and shares setting should be configured correctly. This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to e ...
oval:org.secpod.oval:def:18798 The Allow Basic authentication machine setting should be configured correctly for the WinRM client. This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. If you enable this policy setting, the WinRM client will use Basic authenticat ...
oval:org.secpod.oval:def:19085 The Allow Basic authentication machine setting should be configured correctly for the WinRM service. This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. If you enable this policy setting, the WinRM service ... oval:org.secpod.oval:def:19627 The Require 128-bit encryption option for the Network security: Minimum session security for NTLM SSP based (including secure RPC) servers setting should be enabled or disabled as appropriate. This security setting allows a server to require the negotiation of message confidentiality (encryption), ... oval:org.secpod.oval:def:18895 The Devices: Restrict CD-ROM access to locally logged-on user only setting should be configured correctly. This policy setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. If you enable this policy setting, only the interactively logged-on user is allowed ... oval:org.secpod.oval:def:19624 The Require 128-bit encryption option for the Network security: Minimum session security for NTLM SSP based (including secure RPC) clients setting should be enabled or disabled as appropriate. This policy setting determines which behaviors are allowed for applications using the NTLM Security Suppor ... oval:org.secpod.oval:def:18778 The Require user authentication for remote connections by using Network Level Authentication machine setting should be configured correctly. This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level A ... oval:org.secpod.oval:def:18773 The Retain old events machine setting should be configured correctly for the setup log. This policy setting controls Event Log behavior when the log file reaches its maximum size. Old events may or may not be retained according to the Backup log automatically when full policy setting. 
Fix: (1) GP ... oval:org.secpod.oval:def:19186 The Require use of specific security layer for remote (RDP) connections machine setting should be configured correctly. Specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connect ... oval:org.secpod.oval:def:18771 The Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box machine setting should be configured correctly. This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is displayed in the Shut Down Windows dialog box. If you en ... oval:org.secpod.oval:def:19183 The Allow unencrypted traffic machine setting should be configured correctly for the WinRM service. This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM s ... oval:org.secpod.oval:def:8830 The Microsoft network client: Digitally sign communications (if server agrees) setting should be configured correctly. This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. The implementation of digital signing in Windows-based networks helps to prevent ... oval:org.secpod.oval:def:19079 Display of a notification to the user when Windows Firewall blocks network activity should be enabled or disabled as appropriate for the public profile. Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbo ... oval:org.secpod.oval:def:19508 The Do not process the run once list machine setting should be configured correctly. Ignores customized run-once lists. You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). 
These programs are added ... oval:org.secpod.oval:def:19205 The Set time limit for active Remote Desktop Services sessions machine setting should be configured correctly. This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. If you enable this policy ... oval:org.secpod.oval:def:19569 The Do not allow local administrators to customize permissions machine setting should be configured correctly. Specifies whether to disable the administrator rights to customize security permissions in the Remote Desktop Session Host Configuration tool. You can use this setting to prevent administr ... oval:org.secpod.oval:def:19441 The Server Authentication Certificate Template machine setting should be configured correctly. This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. A certificate is neede ... oval:org.secpod.oval:def:19456 The Allow users to connect remotely using Remote Desktop Services machine setting should be configured correctly. This policy setting allows you to configure remote access to computers using Remote Desktop Services. If you enable this policy setting, users who are members of the Remote Desktop User ... oval:org.secpod.oval:def:19214 The Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box machine setting should be configured correctly. This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choice in the Shut D ... oval:org.secpod.oval:def:19452 The Allow Remote Shell Access machine setting should be configured correctly. Configures access to remote shells. If you enable this policy setting and set it to False, new remote shell connections will be rejected by the server. 
If you disable or do not configure this policy setting, new remote sh ... oval:org.secpod.oval:def:19210 The Configure minimum PIN length for startup machine setting should be configured correctly. This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum l ... oval:org.secpod.oval:def:18836 The Deny log on as a batch job user right should be assigned to the appropriate accounts. This policy setting determines which accounts will not be able to log on to the computer as a batch job. A batch job is not a batch (.bat) file, but rather a batch-queue facility. Accounts that use the Task Sc ... oval:org.secpod.oval:def:18846 Display of a notification to the user when Windows Firewall blocks network activity should be enabled or disabled as appropriate for the private profile. Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inb ... oval:org.secpod.oval:def:19014 Display of a notification to the user when Windows Firewall blocks network activity should be enabled or disabled as appropriate for the domain profile. Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbo ... oval:org.secpod.oval:def:19492 The Allow unencrypted traffic machine setting should be configured correctly for the WinRM client. This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM cli ... oval:org.secpod.oval:def:19586 The Disallow Digest authentication machine setting should be configured correctly. This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. 
If you enable this policy setting, the WinRM client will not use Digest authentication ... oval:org.secpod.oval:def:19600 The Always install with elevated privileges machine setting should be configured correctly. Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs th ... oval:org.secpod.oval:def:18886 The MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) setting should be configured correctly. The registry value entry Hidden was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameter ... oval:org.secpod.oval:def:18764 The Network Security: Restrict NTLM: NTLM authentication in this domain setting should be configured correctly. This policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy does not affect interactive logon to this domain controller. ... oval:org.secpod.oval:def:18883 The Audit: Shut down system immediately if unable to log security audits setting should be configured correctly. This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Co ... oval:org.secpod.oval:def:19295 The Allow access to BitLocker-protected fixed data drives from earlier versions of Windows machine setting should be configured correctly. This policy setting configures whether or not fixed data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Serve ... oval:org.secpod.oval:def:18733 The Domain member: Digitally sign secure channel data (when possible) setting should be configured correctly.
This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect ... oval:org.secpod.oval:def:18853 The Retain old events machine setting should be configured correctly for the security log. This policy setting controls Event Log behavior when the log file reaches its maximum size. Old events may or may not be retained according to the Backup log automatically when full policy setting. Fix: (1) ... oval:org.secpod.oval:def:18735 The Network Security: Restrict NTLM: Add server exceptions in this domain setting should be configured correctly. This policy setting allows you to create an exception list of servers in this domain to which clients are allowed to use NTLM pass-through authentication if the Network Security: Restri ... oval:org.secpod.oval:def:19021 The Windows Firewall: Domain: Apply local connection security rules setting should be configured correctly. This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. Fix: (1) GP ... oval:org.secpod.oval:def:18848 The Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication setting should be configured correctly. This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the Network Security: Restrict N ... oval:org.secpod.oval:def:18748 Windows Firewall should allow or block inbound connections by default as appropriate for the Public Profile. This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow ... 
oval:org.secpod.oval:def:18747 The Interactive logon: Display user information when the session is locked setting should be configured correctly. This policy setting determines whether the account name of the last user to log on to the client computers in your organization can display in each computer's respective Windows logon s ... oval:org.secpod.oval:def:8875 The Require secure RPC communication machine setting should be configured correctly. Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication ... oval:org.secpod.oval:def:19034 The Retain old events machine setting should be configured correctly for the system log. This policy setting controls Event Log behavior when the log file reaches its maximum size. Old events may or may not be retained according to the Backup log automatically when full policy setting. Fix: (1) G ... oval:org.secpod.oval:def:19030 The Windows Firewall should be enabled or disabled as appropriate for the Public Profile. Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any ... oval:org.secpod.oval:def:18739 The Network Security: Restrict NTLM: Incoming NTLM traffic setting should be configured correctly. This policy setting allows you to deny or allow incoming NTLM traffic. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Block events are recorded on this computer in the ... oval:org.secpod.oval:def:8820 The Interactive logon: Prompt user to change password before expiration setting should be configured correctly. This policy setting determines how far in advance users are warned that their password will expire.
Microsoft recommends that you configure this policy setting to 14 days to sufficiently ... oval:org.secpod.oval:def:7898 The Account lockout duration setting should be configured correctly. This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain un ... oval:org.secpod.oval:def:8833 The Microsoft network server: Digitally sign communications (if client agrees) setting should be configured correctly. This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no sig ... oval:org.secpod.oval:def:8739 The Domain member: Require strong (Windows 2000 or later) session key setting should be configured correctly. When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. ... oval:org.secpod.oval:def:8779 The Interactive logon: Do not display last user name setting should be configured correctly. This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable th ... oval:org.secpod.oval:def:8795 The Microsoft network client: Send unencrypted password to third-party SMB servers setting should be configured correctly. Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to third-party SMB servers that do not support password encrypt ...